<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.redhat.fedora.selinux">
    <title>gmane.linux.redhat.fedora.selinux</title>
    <link>http://blog.gmane.org/gmane.linux.redhat.fedora.selinux</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14211"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14207"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14204"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14200"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14197"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14193"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14192"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14189"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14178"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14177"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14174"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14166"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14160"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14152"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14149"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14148"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14138"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14134"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14129"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14124"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14211">
    <title>ImportError: No module named selinux</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14211</link>
    <description>&lt;pre&gt;I am trying to compile and build version 3.10.0-86 of the selinux policy, but during compilation I get the following:

/usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
/usr/bin/sepolgen-ifgen -p tmp/policy.bin -i policy -o tmp/output
Traceback (most recent call last):
  File "/usr/bin/sepolgen-ifgen", line 34, in &amp;lt;module&amp;gt;
    import selinux
ImportError: No module named selinux
make: *** [validate] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.bEqivE (%install)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.bEqivE (%install)


What could be the cause for this?
--
selinux mailing list
selinux&amp;lt; at &amp;gt;lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux&lt;/pre&gt;</description>
    <dc:creator>Mr Dash Four</dc:creator>
    <dc:date>2012-05-25T01:48:08</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14207">
    <title>Policy version mismatch</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14207</link>
    <description>&lt;pre&gt;I've got a policy module which works fine when I build and load it on CentOS
5.  When I build and try to load it on CentOS 6 it complains:

SELinux:  Could not downgrade policy file
/etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux:  Could not open policy file &amp;lt;=
/etc/selinux/targeted/policy/policy.24:  No such file or directory

There's nothing in the policy source specifying version so I would have
expected the module automatically to build for the correct policy version
when built on CentOS 6.  Any pointers where to look or what to do next?


Moray.
"To err is human; to purr, feline."
&lt;/pre&gt;</description>
    <dc:creator>Moray Henderson</dc:creator>
    <dc:date>2012-05-24T15:05:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14204">
    <title>EL6: procmail vs. /home/*/bin/shellscript.sh</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14204</link>
    <description>&lt;pre&gt;I'm using EL 6.2 with sendmail &amp;amp; procmail.  I'm having trouble with
calling custom scripts in my home directory from .procmailrc such as
this recipe:

######################################################
#
# BACKUP INCOMING MAIL
#
# Stores the last 16 messages in a backup folder.
# "Just in Case"
#
# Create a folder in your $MAILDIR called "backup"
# BEFORE you execute this procmail recipe.
#
:0 c
backup

:0 ic
| /home/cra/bin/procmail-prune-backup-msg

The script is labeled with home_bin_t:

-rwxr-xr-x. cra cra system_u:object_r:home_bin_t:s0  /home/cra/bin/procmail-prune-backup-msg

which is a Bourne Shell script similar to this:

#!/bin/sh
cd /home/cra/mail/backup
/bin/ls -t | /bin/grep ^msg\. | /bin/sed -e 1,256d | /usr/bin/xargs -n 256 /bin/rm -f

In my procmail log I get:

/bin/sh: /home/cra/bin/procmail-prune-backup-msg: Permission denied

It works if I "setenforce 0".

With Enforcing, here is the AVC I get (after enabling dontaudit rules
with semodule -DB):

# ausearch -i -m AVC
type=SYSCALL msg=audit(05/17/2012 19:17:15.773:273) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=1c8d460 a1=0 a2=1c8d487 a3=28 items=0 ppid=5252 pid=5257 auid=root uid=cra gid=cra euid=cra suid=cra fsuid=cra egid=cra sgid=cra fsgid=cra tty=(none) ses=1 comm=sh exe=/bin/bash subj=unconfined_u:system_r:procmail_t:s0 key=(null) 
type=AVC msg=audit(05/17/2012 19:17:15.773:273) : avc:  denied  { search } for  pid=5257 comm=sh name=bin dev=dm-10 ino=2760827 scontext=unconfined_u:system_r:procmail_t:s0 tcontext=user_u:object_r:home_bin_t:s0 tclass=dir 

I did a bunch of research on this and found this old changelog entry
and the discussions/bugzillas leading up to it:

#rpm -q selinux-policy 
selinux-policy-3.7.19-126.el6_2.10.noarch

#rpm -q --changelog selinux-policy
...
* Tue May 25 2010 Dan Walsh &amp;lt;dwalsh&amp;lt; at &amp;gt;redhat.com&amp;gt; 3.7.19-22
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label

Was there a recent regression that broke this functionality or did it
not really make it into Enterprise Linux despite this changelog?  Any
ideas on how to fix this cleanly without having to disable Enforcing
mode?

Thanks.
&lt;/pre&gt;</description>
    <dc:creator>Chuck Anderson</dc:creator>
    <dc:date>2012-05-17T23:32:21</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14200">
    <title>No audit lines produced</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14200</link>
    <description>&lt;pre&gt;I'm trying to debug a Nagios plugin that isn't playing nicely with 
SELinux. It executes a system binary to get statistics about DHCP pool 
usage, and obviously SELinux stamps on that access and the plugin only 
returns partial data.

In Permissive mode the plugin works, in Enforcing it doesn't. But in 
neither mode are there any debug messages in audit.log.

[jg4461&amp;lt; at &amp;gt;dhcp1 ~]$ sudo setenforce 0
[jg4461&amp;lt; at &amp;gt;dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c 
check_dhcpd_pools
OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90, 
rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90, 
rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90, 
rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90, 
rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90, 
rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90, 
rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90

[jg4461&amp;lt; at &amp;gt;dhcp1 ~]$ sudo setenforce 1
[jg4461&amp;lt; at &amp;gt;dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c 
check_dhcpd_pools
OK - all pools less than 80% full |

Regardless of the SELinux mode, the same 3 log lines are printed in 
audit.log:

type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0 
auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/" 
cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" terminal=? res=success'
type=CRED_ACQ msg=audit(1337077807.191:273643): user pid=1594 uid=0 
auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 
msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? 
terminal=? res=success'
type=USER_START msg=audit(1337077807.191:273644): user pid=1594 uid=0 
auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 
msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? 
addr=? terminal=? res=success'


Anyone have any idea how I can see the deny messages and make a policy 
from them?

Cheers,
Jonathan
&lt;/pre&gt;</description>
    <dc:creator>Jonathan Gazeley</dc:creator>
    <dc:date>2012-05-15T10:37:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14197">
    <title>Creating multiple constrained admin roles</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14197</link>
    <description>&lt;pre&gt;Hi,

I was wondering if it is possible to create a number of admin roles, 
each with limited access to specified admin features, e.g. package 
management only, NIC / Firewall management only, policy management only 
etc and to effectively completely remove the root account as a system 
wide administrator using selinux?

I have seen mention of Kiosk Users and the SELinux play machine (sadly 
my corporate network does not allow global ssh access) so I believe this 
is entirely possible, but am not entirely sure of the best resources to 
delve into so any pointers would be very welcome.

Many Thanks,

Tim
&lt;/pre&gt;</description>
    <dc:creator>Tim Sheppard</dc:creator>
    <dc:date>2012-05-09T14:17:57</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14193">
    <title>VirtualGL/TurboVNC and selinux</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14193</link>
    <description>&lt;pre&gt;I was not able to get VirtualGL and selinux to work together.
It is something during boot time it seems.  I have tried generating
rules based on audit/audit.log.

The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6
states they don't know how to make it work either.

I have tried in permissive mode after boot and that did not work either,
which is why I think it is something during boot time.  Like the device
setup. My guess is related to: /dev/dri as it sets up these and then
access to the /dev/nvidia0 and /dev/nvidiactl are restricted to vglusers
group (in my case it can be configured with/without group restriction).

From the VirtualGL website they also have:


vglgenkey Issues

Currently, the only known way to make vglgenkey work (vglgenkey is used 
to grant 3D X Server access to members of the vglusers group) is to 
disable SELinux. With SELinux enabled, the /usr/bin/xauth file is 
hidden within the context of the GDM startup scripts, so vglgenkey has 
no way of generating or importing an xauth key 
to /etc/opt/VirtualGL/vgl_xauth_key (and, for that matter, access is 
denied to /etc/opt/VirtualGL/ as well.)

Perhaps someone with a greater knowledge of SELinux can explain how to 
disable enforcement only for GDM and not the whole system.

I had reinstalled that previous machine and don't
have the other rules I applied.

I repeated this on another machine, and did not run any audit2allow.

Also there are 2 problems:
     1. Boot time problem with the VirtualGL which seems to generate an
        avc message.  (Fails if the machine is not booted in permissive or
        disabled mode)
     2. A problem with xauth when setenforce is enforcing.
        (This works if setenforce is permissive or disabled regardless
        of the boot time settings).

The machine policy is set to targeted.

Attached is the longer data with strace.   The xauth does not seem
to generate any audit.log messages even with semodule -DB, but if
I turn selinux to permissive the xauth commands succeed.



To clarify:
     - It works if the system is booted with /etc/selinux/config
           SELINUX=permissive
         or
           SELINUX=disable
     - It fails if the system is booted with /etc/selinux/config
           SELINUX=enforcing
       * Even if after the boot 'setenforce 0' is run
     - My

I do get an avc message; note this is running in permissive mode.
[root&amp;lt; at &amp;gt;amelie mdalton]# grep -i avc /var/log/audit/audit.log
type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 
auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc:  received 
policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? 
terminal=?'

[root&amp;lt; at &amp;gt;amelie mdalton]# ls -Z /dev/dri /dev/nvidia*
ls: cannot access /dev/dri: No such file or directory
crw-rw----. root vglusers system_u:object_r:device_t:s0    /dev/nvidia0
crw-rw----. root vglusers system_u:object_r:device_t:s0    /dev/nvidiactl

Mark


I did not see any messages in the /var/log/audit/audit.log when running xauth
even with semodule -DB.

[root&amp;lt; at &amp;gt;mymachine ~]# ls -Z /home/myuser/.Xauthority
-rw-------. myuser cses unconfined_u:object_r:xauth_home_t:s0 /home/myuser/.Xauthority


[root&amp;lt; at &amp;gt;mymachine ~]# semodule -DB
[root&amp;lt; at &amp;gt;mymachine ~]# strace xauth -f /etc/opt/VirtualGL/vgl_xauth_key generate :0.0 . trusted timeout 0
execve("/usr/bin/xauth", ["xauth", "-f", "/etc/opt/VirtualGL/vgl_xauth_key", "generate", ":0.0", ".", "trusted", "timeout", "0"], [/* 33 vars */]) = 0
stat("/etc/opt/VirtualGL/vgl_xauth_key-c", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EEXIST (File exists)
write(2, "xauth:  error in locking authori"..., 73xauth:  error in locking authority file /etc/opt/VirtualGL/vgl_xauth_key
) = 73
exit_group(1)                           = ?
[root&amp;lt; at &amp;gt;mymachine ~]# rm /etc/opt/VirtualGL/vgl_xauth_key-c
rm: remove regular empty file `/etc/opt/VirtualGL/vgl_xauth_key-c'? y
[root&amp;lt; at &amp;gt;mymachine ~]# strace xauth -vvv -f /etc/opt/VirtualGL/vgl_xauth_key generate :0.0 . trusted timeout 0
execve("/usr/bin/xauth", ["xauth", "-vvv", "-f", "/etc/opt/VirtualGL/vgl_xauth_key", "generate", ":0.0", ".", "trusted", "timeout", "0"], [/* 33 vars */]) = 0
stat("/etc/opt/VirtualGL/vgl_xauth_key-c", 0x7fff3f1050a0) = -1 ENOENT (No such file or directory)
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, 0x7fff3f105060)       = 0
write(2, "xauth:  timeout in locking autho"..., 75xauth:  timeout in locking authority file /etc/opt/VirtualGL/vgl_xauth_key
) = 75
exit_group(1)                           = ?
[root&amp;lt; at &amp;gt;mymachine ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root&amp;lt; at &amp;gt;mymachine ~]# setenforce permissive
[root&amp;lt; at &amp;gt;mymachine ~]# strace xauth -vvv -f /etc/opt/VirtualGL/vgl_xauth_key generate :0.0 . trusted timeout 0
execve("/usr/bin/xauth", ["xauth", "-vvv", "-f", "/etc/opt/VirtualGL/vgl_xauth_key", "generate", ":0.0", ".", "trusted", "timeout", "0"], [/* 33 vars */]) = 0
mmap(0x37f998b000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x37f998b000
close(3)                                = 0
open("/usr/lib64/libxcb.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0&amp;gt;\0\1\0\0\0P\206 \3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=112760, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f906762e000
mmap(0x37fc200000, 2205608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fc200000
mprotect(0x37fc21b000, 2093056, PROT_NONE) = 0
mmap(0x37fc41a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a000) = 0x37fc41a000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY)     = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0&amp;gt;\0\1\0\0\0\340\r\340\3717\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=22536, ...}) = 0
mmap(0x37f9e00000, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37f9e00000
mprotect(0x37f9e02000, 2097152, PROT_NONE) = 0
mmap(0x37fa002000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fa002000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f906762d000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f906762c000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f906762b000
arch_prctl(ARCH_SET_FS, 0x7f906762c700) = 0
mprotect(0x37f9986000, 16384, PROT_READ) = 0
mprotect(0x37fa002000, 4096, PROT_READ) = 0
mprotect(0x37f941f000, 4096, PROT_READ) = 0
munmap(0x7f9067630000, 161072)          = 0
rt_sigaction(SIGINT, {0x403f40, [INT], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGTERM, {0x403f40, [TERM], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGHUP, {0x403f40, [HUP], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGPIPE, {0x403f40, [PIPE], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8) = 0
stat("/etc/opt/VirtualGL/vgl_xauth_key-c", 0x7fff037ae1e0) = -1 ENOENT (No such file or directory)
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = 3
close(3)                                = 0
statfs("/etc/opt/VirtualGL/vgl_xauth_key-c", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=37797427, f_bfree=22169622, f_bavail=20249622, f_files=9601024, f_ffree=9018205, f_fsid={1618940619, -282490467}, f_namelen=255, f_frsize=4096}) = 0
link("/etc/opt/VirtualGL/vgl_xauth_key-c", "/etc/opt/VirtualGL/vgl_xauth_key-l") = 0
access("/etc/opt/VirtualGL/vgl_xauth_key", F_OK) = -1 ENOENT (No such file or directory)
umask(077)                              = 022
brk(0)                                  = 0x1fc1000
brk(0x1fe2000)                          = 0x1fe2000
open("/etc/opt/VirtualGL/vgl_xauth_key", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/etc/opt/VirtualGL/vgl_xauth_key", F_OK) = -1 ENOENT (No such file or directory)
write(2, "xauth:  creating new authority f"..., 69xauth:  creating new authority file /etc/opt/VirtualGL/vgl_xauth_key
) = 69
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 3), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9067657000
write(1, "Using authority file /etc/opt/Vi"..., 54Using authority file /etc/opt/VirtualGL/vgl_xauth_key
) = 54
socket(PF_FILE, SOCK_STREAM, 0)         = 3
connect(3, {sa_family=AF_FILE, path=@"/tmp/.X11-unix/X0"}, 20) = 0
getpeername(3, {sa_family=AF_FILE, path=@"/tmp/.X11-unix/X0"}, [20]) = 0
uname({sys="Linux", node="mymachine.domain.org", ...}) = 0
access("/var/run/gdm/auth-for-myuser-8uJHLe/database", R_OK) = 0
open("/var/run/gdm/auth-for-myuser-8uJHLe/database", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0600, st_size=65, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9067656000
read(4, "\1\0\0\24mymachine.domain.org\0\0010\0\22MIT"..., 4096) = 65
close(4)                                = 0
munmap(0x7f9067656000, 4096)            = 0
getsockname(3, {sa_family=AF_FILE, NULL}, [2]) = 0
fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"l\0\v\0\0\0\22\0\20\0\0\0", 12}, {"", 0}, {"MIT-MAGIC-COOKIE-1", 18}, {"\0\0", 2}, {"\5\342\233\2637\16\266\371\366\21\307\210z&amp;lt;Bz", 16}, {"", 0}], 6) = 48
read(3, 0x1fc75b0, 8)                   = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\0\v\0\0\0\2\3", 8)          = 8
read(3, "`\350\247\0\0\0@\3\377\377\37\0\0\1\0\0\r\0\377\377\1\7\0\0  \10\377\0\0\0\0"..., 3080) = 3080
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"b\0\5\0\f\0\0\0BIG-REQUESTS", 20}], 1) = 20
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\0\1\0\0\0\0\0\1\222\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096) = 32
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"\222\0\1\0", 4}], 1)       = 4
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\0\2\0\0\0\0\0\377\377?\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096) = 32
read(3, 0x1fc2414, 4096)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"7\0\5\0\0\0@\3\255\1\0\0\10\0\0\0\377\377\377\0\24\0\6\0\255\1\0\0\27\0\0\0"..., 44}, {NULL, 0}, {"", 0}], 3) = 44
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\10\4\0(\0\0\0\37\0\0\0\0\0\0\0\237\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 192
read(3, 0x1fc2414, 4096)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"b\0\5\0\t\0@\3", 8}, {"XKEYBOARD", 9}, {"\0\0\0", 3}], 3) = 20
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\0\5\0\0\0\0\0\1\224w\253\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096) = 32
read(3, 0x1fc2414, 4096)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"\224\0\2\0\1\0\0\0", 8}, {NULL, 0}, {"", 0}], 3) = 8
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\1\6\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096) = 32
read(3, 0x1fc2414, 4096)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"b\0\4\0\10\0\0\0", 8}, {"SECURITY", 8}, {"", 0}], 3) = 16
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096) = 32
read(3, 0x1fc2414, 4096)                = -1 EAGAIN (Resource temporarily unavailable)
write(2, "xauth: (argv):1:  ", 18xauth: (argv):1:  )      = 18
write(2, "couldn't query Security extensio"..., 52couldn't query Security extension on display ":0.0"
) = 52
unlink("/etc/opt/VirtualGL/vgl_xauth_key-c") = 0
unlink("/etc/opt/VirtualGL/vgl_xauth_key-l") = 0
umask(022)                              = 077
exit_group(1)                           = ?

[root@mymachine ~]# semodule -B


And normally this is what vglgenkey would do; it is a script that calls xauth. This is the
script run with -x, and an strace of the second xauth.

[root@mymachine myuser]# vglgenkey
+ XAUTH=xauth
+ '[' -x /usr/X11R6/bin/xauth ']'
+ '[' -x /usr/openwin/bin/xauth ']'
+ '[' '!' -d /etc/opt/VirtualGL ']'
+ '[' -f /etc/opt/VirtualGL/vgl_xauth_key ']'
+ rm /etc/opt/VirtualGL/vgl_xauth_key
+ xauth -f /etc/opt/VirtualGL/vgl_xauth_key generate :0.0 . trusted timeout 0
xauth:  creating new authority file /etc/opt/VirtualGL/vgl_xauth_key
xauth: (argv):1:  couldn't query Security extension on display ":0.0"
++ xauth list
++ awk '{print $3}'
+ strace xauth -f /etc/opt/VirtualGL/vgl_xauth_key add :0.0 . 05e29bb3370eb6f9f611c7887a3c427a
execve("/usr/bin/xauth", ["xauth", "-f", "/etc/opt/VirtualGL/vgl_xauth_key", "add", ":0.0", ".", "05e29bb3370eb6f9f611c7887a3c427a"], [/* 32 vars */]) = 0
brk(0)                                  = 0xbd5000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4e21000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=161072, ...}) = 0
mmap(NULL, 161072, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f30a4df9000
close(3)                                = 0
open("/usr/lib64/libXau.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0&amp;gt;\0\1\0\0\0\320\r`\3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=13168, ...}) = 0
mmap(0x37fc600000, 2106112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fc600000
mprotect(0x37fc602000, 2097152, PROT_NONE) = 0
mmap(0x37fc802000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fc802000
close(3)                                = 0
open("/usr/lib64/libXext.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0&amp;gt;\0\1\0\0\0\2005\240\3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=76848, ...}) = 0
mmap(0x37fca00000, 2170120, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fca00000
mprotect(0x37fca11000, 2097152, PROT_NONE) = 0
mmap(0x37fcc11000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000) = 0x37fcc11000
close(3)                                = 0
open("/usr/lib64/libXmuu.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0&amp;gt;\0\1\0\0\0\360\22 \3727\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=16400, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4df8000
mmap(0x37fa200000, 2109200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fa200000
mprotect(0x37fa203000, 2093056, PROT_NONE) = 0
mmap(0x37fa402000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fa402000
close(3)                                = 0
open("/usr/lib64/libX11.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0&amp;gt;\0\1\0\0\0\200\335\341\3737\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1308600, ...}) = 0
mmap(0x37fbe00000, 3403160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fbe00000
mprotect(0x37fbf39000, 2097152, PROT_NONE) = 0
mmap(0x37fc139000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x139000) = 0x37fc139000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0&amp;gt;\0\1\0\0\0\360\355a\3717\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1908792, ...}) = 0
mmap(0x37f9600000, 3733672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37f9600000
mprotect(0x37f9786000, 2097152, PROT_NONE) = 0
mmap(0x37f9986000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x186000) = 0x37f9986000
mmap(0x37f998b000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x37f998b000
close(3)                                = 0
open("/usr/lib64/libxcb.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0&amp;gt;\0\1\0\0\0P\206 \3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=112760, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4df7000
mmap(0x37fc200000, 2205608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fc200000
mprotect(0x37fc21b000, 2093056, PROT_NONE) = 0
mmap(0x37fc41a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a000) = 0x37fc41a000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY)     = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0&amp;gt;\0\1\0\0\0\340\r\340\3717\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=22536, ...}) = 0
mmap(0x37f9e00000, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37f9e00000
mprotect(0x37f9e02000, 2097152, PROT_NONE) = 0
mmap(0x37fa002000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fa002000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4df6000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4df5000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4df4000
arch_prctl(ARCH_SET_FS, 0x7f30a4df5700) = 0
mprotect(0x37f9986000, 16384, PROT_READ) = 0
mprotect(0x37fa002000, 4096, PROT_READ) = 0
mprotect(0x37f941f000, 4096, PROT_READ) = 0
munmap(0x7f30a4df9000, 161072)          = 0
rt_sigaction(SIGINT, {0x403f40, [INT], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGTERM, {0x403f40, [TERM], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGHUP, {0x403f40, [HUP], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGPIPE, {0x403f40, [PIPE], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8) = 0
stat("/etc/opt/VirtualGL/vgl_xauth_key-c", 0x7fffc2278980) = -1 ENOENT (No such file or directory)
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = 3
close(3)                                = 0
statfs("/etc/opt/VirtualGL/vgl_xauth_key-c", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=37797427, f_bfree=22169618, f_bavail=20249618, f_files=9601024, f_ffree=9018201, f_fsid={1618940619, -282490467}, f_namelen=255, f_frsize=4096}) = 0
link("/etc/opt/VirtualGL/vgl_xauth_key-c", "/etc/opt/VirtualGL/vgl_xauth_key-l") = 0
access("/etc/opt/VirtualGL/vgl_xauth_key", F_OK) = -1 ENOENT (No such file or directory)
umask(077)                              = 022
brk(0)                                  = 0xbd5000
brk(0xbf6000)                           = 0xbf6000
open("/etc/opt/VirtualGL/vgl_xauth_key", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/etc/opt/VirtualGL/vgl_xauth_key", F_OK) = -1 ENOENT (No such file or directory)
write(2, "xauth:  creating new authority f"..., 69xauth:  creating new authority file /etc/opt/VirtualGL/vgl_xauth_key
) = 69
uname({sys="Linux", node="mymachine.domain.org", ...}) = 0
unlink("/etc/opt/VirtualGL/vgl_xauth_key-n") = -1 ENOENT (No such file or directory)
open("/etc/opt/VirtualGL/vgl_xauth_key-n", O_WRONLY|O_CREAT|O_EXCL, 0600) = 3
fcntl(3, F_GETFL)                       = 0x8001 (flags O_WRONLY|O_LARGEFILE)
fstat(3, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4e20000
lseek(3, 0, SEEK_CUR)                   = 0
write(3, "\1\0\0\24mymachine.domain.org\0\0010\0\22MIT"..., 65) = 65
close(3)                                = 0
munmap(0x7f30a4e20000, 4096)            = 0
unlink("/etc/opt/VirtualGL/vgl_xauth_key") = -1 ENOENT (No such file or directory)
link("/etc/opt/VirtualGL/vgl_xauth_key-n", "/etc/opt/VirtualGL/vgl_xauth_key") = 0
unlink("/etc/opt/VirtualGL/vgl_xauth_key-n") = 0
unlink("/etc/opt/VirtualGL/vgl_xauth_key-c") = 0
unlink("/etc/opt/VirtualGL/vgl_xauth_key-l") = 0
umask(022)                              = 077
exit_group(0)                           = ?
+ chmod 644 /etc/opt/VirtualGL/vgl_xauth_key



[root@mymachine myuser]# ls -Z /etc/opt/VirtualGL/vgl_xauth_key
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/opt/VirtualGL/vgl_xauth_key

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux&lt;/pre&gt;</description>
    <dc:creator>Mark Dalton</dc:creator>
    <dc:date>2012-05-07T18:29:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14192">
    <title>Can't login the embedded linux with selinux support</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14192</link>
    <description>&lt;pre&gt;Hello,
I built a Linux system with SELinux support for my embedded device. It
now logs in as the root user automatically when it is powered on.
Then I copied the files (shadow, group and passwd) from my PC Linux system
to the embedded system and added the login to it. But after I input the
username and password, it outputs this:

login:root
password:
login:Can’t get SID for root

The output comes from the file login.c in busybox; how can I solve
this problem?
Does this problem come from an error in my policy, or from the lib
related to SELinux?
&lt;/pre&gt;</description>
    <dc:creator>casinee app</dc:creator>
    <dc:date>2012-05-03T09:03:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14189">
    <title>MySQL and ldconfig avcs</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14189</link>
    <description>&lt;pre&gt;Getting two AVCs for which the troubleshooter indicates there is policy to
allow the operations.

I believe the sebool "mysql_connect_any" may correct the following avc:
time-&amp;gt;Tue May  1 18:17:25 2012
type=SYSCALL msg=audit(1335921445.082:4514): arch=c000003e syscall=21
success=no exit=-13 a0=7f406ac5d9f0 a1=4 a2=7f406ac5d9fe a3=1c items=0
ppid=1 pid=24416 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27
egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld"
exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1335921445.082:4514): avc:  denied  { read } for
pid=24416 comm="mysqld" name="unix" dev="proc" ino=4026532000
scontext=system_u:system_r:mysqld_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file

But I have no clue which bool would correct the following:
time-&amp;gt;Tue May  1 19:01:13 2012
type=SYSCALL msg=audit(1335924073.146:4554): arch=c000003e syscall=59
success=yes exit=0 a0=f293b0 a1=f294b0 a2=f283b0 a3=18 items=0
ppid=25927 pid=25928 auid=4294967295 uid=989 gid=983 euid=989 suid=989
fsuid=989 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295
comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1335924073.146:4554): avc:  denied  { write } for
pid=25928 comm="ldconfig"
path=2F746D702F666669536752617269202864656C6574656429 dev="dm-1"
ino=1836898 scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

&lt;/pre&gt;</description>
    <dc:creator>David Highley</dc:creator>
    <dc:date>2012-05-02T04:26:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14178">
    <title>Bootup avc, "systemd-tmpfile" important?</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14178</link>
    <description>&lt;pre&gt;Box was set to "fixfiles onboot"

Saw this avc:
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
[    8.566136] type=1400 audit(1335687882.859:7): avc:  denied  {
relabelfrom } for  pid=489 comm="systemd-tmpfile" name="lp2"
dev="devtmpfs" ino=11419
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[    8.588374] type=1400 audit(1335687882.881:8): avc:  denied  {
relabelto } for  pid=489 comm="systemd-tmpfile" name="lp2"
dev="devtmpfs" ino=11419
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file


selinux-policy-targeted-3.10.0-118.fc17.noarch


&lt;/pre&gt;</description>
    <dc:creator>Frank Murphy</dc:creator>
    <dc:date>2012-04-29T08:38:42</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14177">
    <title>several denials that don't get noticed by setroubleshoot alerts</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14177</link>
    <description>&lt;pre&gt;Dear folks,

I have some denials that don't appear in the sealert tool:

[   26.964346] SELinux: initialized (dev sda5, type ext4), uses xattr
[   37.206747] EXT4-fs (dm-2): mounted filesystem with ordered data mode. Opts: (null)
[   37.211983] SELinux: initialized (dev dm-2, type ext4), uses xattr
[   37.608076] type=1400 audit(1335642984.005:4): avc:  denied  { relabelfrom } for  pid=607 comm="systemd-tmpfile" name="lp0" dev="devtmpfs" ino=12221 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[   37.620822] type=1400 audit(1335642984.017:5): avc:  denied  { relabelfrom } for  pid=607 comm="systemd-tmpfile" name="lp1" dev="devtmpfs" ino=12223 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[   37.635066] type=1400 audit(1335642984.031:6): avc:  denied  { relabelfrom } for  pid=607 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=12224 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[   37.650084] type=1400 audit(1335642984.046:7): avc:  denied  { relabelfrom } for  pid=607 comm="systemd-tmpfile" name="lp3" dev="devtmpfs" ino=12225 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file


Also I have a gut feeling that this in some way is contributing to the system not shutting down and hanging, having oneself to resort to "pressing and holding power button to make sure system is shutdown".

How do I take care of these?

Thanks and sorry for the noise.

Regards,



Antonio
&lt;/pre&gt;</description>
    <dc:creator>Antonio Olivares</dc:creator>
    <dc:date>2012-04-28T20:02:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14174">
    <title>How to change the default context for files in the home directory</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14174</link>
    <description>&lt;pre&gt;I'm trying to set up F17 SELinux to accept the Swedish electronic
identity system called "BankID".  I had it working under F16 with only
a few file context specifications for its libraries.  (They need
textrel_shlib_t).  But it seems like the policy has been tightened up
a bit in F17, which made some more tunings necessary.  And I fail on
one of them.

This thing runs as a browser plugin, which starts a program, and
creates a few files in the user's home directory.  My question is how
to define the context for these files.  BankID creates a file called
".personal-&amp;lt;username&amp;gt;" and a directory tree ".personal/...".  I added
a file context like this with semanage:

/home/[^/]*/\.personal.*       all files    system_u:object_r:mozilla_home_t:s0 

After relabeling things in the .personal tree gets the mozilla_home_t,
but the file .personal-&amp;lt;username&amp;gt; directly in the home directory
doesn't.  If it exists, it gets the right context when I do
restorecon.  But it is created and removed each time the plugin is
run, and the next time the file is created, it gets user_home_dir_t.
Which the plugin in the mozilla_plugin_t context isn't allowed to
access, of course.

What am I doing wrong?
&lt;/pre&gt;</description>
    <dc:creator>goeran@uddeborg.se</dc:creator>
    <dc:date>2012-04-27T20:10:17</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14166">
    <title>Runtime flexibility of SELInux</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14166</link>
    <description>&lt;pre&gt;Hi,

I am looking to use SELinux to secure a process that is made up of a 
number of discrete, sequential stages. One stage communicates to the 
next by writing results to a file and then an external process modifies 
the SELinux context of the file to allow the next stage to read the file 
and so on until the final stage is reached and the processing stops.

The problem I have is that the number of stages is variable and can 
change with each invocation of the process, i.e. when I create the 
process I know the number of stages that will be required in it, but the 
number of stages could change with each invocation. I think therefore, 
that I need a means of creating new contexts on the fly and assigning 
them to the processes. Is it possible with SELinux to create a new 
security context (domain for the output file, and user/role for the 
stage process) on the fly and execute a process within that context such 
that it could poll a directory for input files and, if it is permitted 
to read the file perform its operation?

Many Thanks,

Tim Sheppard
&lt;/pre&gt;</description>
    <dc:creator>Tim Sheppard</dc:creator>
    <dc:date>2012-04-24T17:16:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14160">
    <title>https://bugzilla.redhat.com/show_bug.cgi?id=812100</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14160</link>
    <description>&lt;pre&gt;Dear folks,

The title has been reported as NOT A BUG, but it is annoying :(
Without doing anything but logging in, the setroubleshooter kicks in and displays the message. I have tried numerous times to report it, but it came back empty. Then I click enough times and see that it is there, but it is NOT A BUG :(, I don't agree but can't do shite.

--- Running report_Bugzilla ---
Logging into Bugzilla at https://bugzilla.redhat.com
Checking for duplicates
Bug is already reported: 812100
Logging out
Status: CLOSED NOTABUG https://bugzilla.redhat.com/show_bug.cgi?id=812100

--- Running report_Bugzilla ---
This problem was already reported to Bugzilla (see 'https://bugzilla.redhat.com/show_bug.cgi?id=812100'). Do you still want to create a new bug? NO


SELinux is preventing dmesg from 'read' accesses on the file /etc/ld.so.cache.

*****  Plugin restorecon (94.8 confidence) suggests  *************************

If you want to fix the label. 
/etc/ld.so.cache default label should be ld_so_cache_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/ld.so.cache

*****  Plugin catchall_labels (5.21 confidence) suggests  ********************

If you want to allow dmesg to have read access on the ld.so.cache file
Then you need to change the label on /etc/ld.so.cache
Do
# semanage fcontext -a -t FILE_TYPE '/etc/ld.so.cache'
where FILE_TYPE is one of the following: cpu_online_t, afs_cache_t, abrt_helper_exec_t, textrel_shlib_t, rpm_script_tmp_t, user_cron_spool_t, puppet_tmp_t, ld_so_cache_t, abrt_var_run_t, udev_var_run_t, sysctl_kernel_t, abrt_var_run_t, sysctl_crypto_t, locale_t, dmesg_t, proc_t, sysfs_t, dmesg_exec_t, abrt_t, lib_t, ld_so_t. 
Then execute: 
restorecon -v '/etc/ld.so.cache'


*****  Plugin catchall (1.44 confidence) suggests  ***************************

If you believe that dmesg should be allowed read access on the ld.so.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dmesg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dmesg_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                /etc/ld.so.cache [ file ]
Source                        dmesg
Source Path                   dmesg
Port                          &amp;lt;Unknown&amp;gt;
Host                          (removed)
Source RPM Packages           
Target RPM Packages           glibc-2.15-32.fc17.i686
Policy RPM                    selinux-policy-3.10.0-116.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux acer-aspire-1 3.3.2-1.fc17.i686 #1 SMP Fri
                              Apr 13 21:06:40 UTC 2012 i686 i686
Alert Count                   1
First Seen                    Thu 19 Apr 2012 09:30:20 PM CDT
Last Seen                     Thu 19 Apr 2012 09:30:20 PM CDT
Local ID                      db50d35a-1a8c-4e53-a4ae-98765dcb81db

Raw Audit Messages
type=AVC msg=audit(1334889020.147:6): avc:  denied  { read } for  pid=633 comm="dmesg" name="ld.so.cache" dev="dm-1" ino=54745 scontext=system_u:system_r:dmesg_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file


Hash: dmesg,dmesg_t,etc_t,file,read

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied



What do I do? Please advise.  I am getting annoyed, frustrated and I would hate to kill off selinux, because I actually like it, but the NOT A BUG does bother me.  I have spent the past three or four days dealing with this, and now I am finally doing something about it :(

Thanks for listening.  

Regards,


Antonio 
--
selinux mailing list
selinux&amp;lt; at &amp;gt;lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux&lt;/pre&gt;</description>
    <dc:creator>Antonio Olivares</dc:creator>
    <dc:date>2012-04-20T02:42:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14152">
    <title>runcon Invalid argument</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14152</link>
    <description>&lt;pre&gt;I'm trying to debug an httpd-nfs-selinux issue, and it would be _really_
useful to be able to execute commands in context httpd_t while trying out
combinations of the nfs_export_all_rw Boolean and public_content_rw_t type.

If I can do

[root&amp;lt; at &amp;gt;kojihub ~]# runcon unconfined_u:unconfined_r:unconfined_t:s0 bash
[root&amp;lt; at &amp;gt;kojihub ~]# exit

why can't I do

[root&amp;lt; at &amp;gt;kojihub ~]# runcon unconfined_u:unconfined_r:httpd_t:s0 bash
runcon: invalid context: unconfined_u:unconfined_r:httpd_t:s0: Invalid
argument

The actual issue is that I've set up a new koji hub with /mnt/koji on an nfs
mount; with SELinux in permissive mode I get

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr
system_u:object_r:nfs_t:s0 denied 494
2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir search
system_u:object_r:nfs_t:s0 denied 493
3. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir write
system_u:object_r:nfs_t:s0 denied 495
4. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir
add_name system_u:object_r:nfs_t:s0 denied 495
5. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir create
unconfined_u:object_r:nfs_t:s0 denied 495
6. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file create
unconfined_u:object_r:nfs_t:s0 denied 496
7. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file open
system_u:object_r:nfs_t:s0 denied 496


Moray.
"To err is human; to purr, feline."




  OM International Limited - Unit B Clifford Court, Cooper Way - Carlisle CA3 0JG - United Kingdom
  Charity reg no: 1112655 - Company reg no: 5649412 (England and Wales)

&lt;/pre&gt;</description>
    <dc:creator>Moray Henderson (ICT</dc:creator>
    <dc:date>2012-04-13T14:39:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14149">
    <title>Selinux and mailman via postfix pipe</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14149</link>
    <description>&lt;pre&gt;Hi,

I'm setting up a new server based on CentOS 6.2. It is meant to replace 
a CentOS 5 server. The old server had selinux running in permissive 
mode, but I figured it would be a good thing to enforce it on the new 
server. This has revealed some selinux violations in my old 
configurations. Most of them I managed to fix so far, with one exception:

Part of the setup involves a mailman based mailing list service. This is 
configured using a postfix pipe into a python script called 
postfix-to-mailman.py [1]. This is convenient, as it saves our admins 
the hassle of managing the aliases required for each list. The problem 
is though that this doesn't seem to work with selinux enabled.

Here are the relevant error messages:
In the maillog:
pipe[11266]: fatal: pipe_command: execvp 
/usr/lib/mailman/bin/postfix-to-mailman.py: Permission denied

And the SELinux AVC:
type=AVC msg=audit(1334239608.305:371794): avc:  denied  { search } for  
pid=10858 comm="python" name="mailman" dev=xvda ino=5833449 
scontext=unconfined_u:system_r:postfix_pipe_t:s
0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1334239608.305:371794): arch=c000003e syscall=80 
success=no exit=-13 a0=12a8f00 a1=1 a2=34ae5b3dc8 a3=20 items=0 
ppid=10857 pid=10858 auid=501 uid=41 gid=41
euid=41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41 tty=(none) ses=6491 
comm="python" exe="/usr/bin/python" 
subj=unconfined_u:system_r:postfix_pipe_t:s0 key=(null)

SELinux is preventing /usr/bin/python from search access on the 
directory /var/lib/mailman.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed search access on the 
mailman directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

I am not sure how to proceed here. I already tried to change the 
fcontext for postfix-to-mailman.py to mailman_mail_exec_t or 
mailman_data_t, but that simply results in a denial that prevents 
postfix's pipe from executing postfix-to-mailman.py.

I searched the web, but the closest I came is an old bug report against 
Fedora [2] suggesting this should have been fixed. Perhaps it is for 
Fedora, but it's not for CentOS 6 at least.

What should I do to get this running?

Geert


[1] http://www.gurulabs.com/downloads/postfix-to-mailman-2.1.py
[2] https://bugzilla.redhat.com/show_bug.cgi?id=183928
&lt;/pre&gt;</description>
    <dc:creator>Geert Janssens</dc:creator>
    <dc:date>2012-04-12T16:24:34</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14148">
    <title>SELinux preventing login (Fedora 16)</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14148</link>
    <description>&lt;pre&gt;[I posted this first to the users list by mistake; but I meant for it to
go here.]

I have a Fedora 16 box where something seems to have gone sideways with
SELinux.  I am unable to log into the box with SELinux enabled.  I see
messages in /var/log/messages that look like this:

        Apr 11 02:40:06 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:40:06 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:40:07 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:40:10 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:40:26 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:40:58 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:42:02 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:42:02 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:42:02 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:42:06 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:42:14 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:42:30 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:43:02 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b

I tried doing a full relabel; but that had no noticeable effect.  If I
boot to single user mode and disable SELinux (via /etc/selinux/config),
I'm able to log in and things appear to be functional.  Well, with the
caveat that the suggestion in the message to run sealert yields this:

        # sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Opps, sealert hit an error!
        
        Traceback (most recent call last):
          File "/usr/bin/sealert", line 668, in &amp;lt;module&amp;gt;
            proxy_obj = bus.get_object(dbus_system_bus_name, dbus_system_object_path)
          File "/usr/lib/python2.7/site-packages/dbus/bus.py", line 244, in get_object
            follow_name_owner_changes=follow_name_owner_changes)
          File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 241, in __init__
            self._named_service = conn.activate_name_owner(bus_name)
          File "/usr/lib/python2.7/site-packages/dbus/bus.py", line 183, in activate_name_owner
            self.start_service_by_name(bus_name)
          File "/usr/lib/python2.7/site-packages/dbus/bus.py", line 281, in start_service_by_name
            'su', (bus_name, flags)))
          File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 630, in call_blocking
            message, timeout)
        DBusException: org.freedesktop.DBus.Error.Spawn.ChildExited: Launch helper exited with unknown return code 3

Any idea what happened here and how I might actually fix it?

&lt;/pre&gt;</description>
    <dc:creator>Braden McDaniel</dc:creator>
    <dc:date>2012-04-11T18:01:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14138">
    <title>Permission denied to cgi-script when enforcing selinux on RHEL6</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14138</link>
    <description>&lt;pre&gt;Greetings all,

I've set up a simple apache webserver with cgi-script executing
python code on RHEL6.  With selinux disabled, the script returns
output fine to a browser but with selinux enforced I receive a 500
Internal Server error and permission denied in ssl_error_log with
nothing logged to audit.log even though don't audit rules are disabled.
audit2allow -a -l is clean as well.  I am able to successfully
execute the script on the command line under apache's context httpd_t,
so it's only when returning the content to the browser that the 500
Internal Server error occurs.  Anyone have any idea to help
troubleshoot?

Pertinent information below, any help is greatly appreciated.

Thanks in advance,


[Tue Apr 10 09:37:43 2012] [error] (13)Permission denied: exec of
'/var/www/cgi-bin/index.py' failed
[Tue Apr 10 09:37:43 2012] [error] Premature end of script headers: index.py


# /bin/ps axZ | grep http
unconfined_u:system_r:httpd_t:s0 12716 ?       Ss     0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12719 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12720 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12721 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12722 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12723 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12724 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12725 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12726 ?       S      0:00 /usr/sbin/httpd


# sudo -u apache -t httpd_t ./index.py
Content-Type: text/plain;charset=utf-8

Hello World!


# getsebool -a | grep http | grep "\-\-&amp;gt; on"
httpd_builtin_scripting --&amp;gt; on
httpd_dbus_avahi --&amp;gt; on
httpd_enable_cgi --&amp;gt; on
httpd_execmem --&amp;gt; on
httpd_tty_comm --&amp;gt; on
httpd_unified --&amp;gt; on


# ls -lZd /var/www/
drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/

# ls -lZd /var/www/*
drwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin
drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/html

# ls -lZd /var/www/cgi-bin/*
-rwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin/index.py
&lt;/pre&gt;</description>
    <dc:creator>Dark Sinclair</dc:creator>
    <dc:date>2012-04-10T13:59:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14134">
    <title>force audit log rotation?</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14134</link>
    <description>&lt;pre&gt;Hi all,

How do I force an audit.log rotation in a systemd world (F16)?

"service auditd rotate" no longer works, of course.

- Mike
&lt;/pre&gt;</description>
    <dc:creator>Dr. Michael J. Chudobiak</dc:creator>
    <dc:date>2012-04-10T12:26:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14129">
    <title>How to get a .te file from an existing .pp file?</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14129</link>
    <description>&lt;pre&gt;Hi all,

I've installed some software from the sources on a CentOS 6.2 box
and would like to set up an SELinux policy for it.

As I already use the software on my Fedora 15 server
Source RPM  : BackupPC-3.2.1-7.fc15.src.rpm
I would like to use the wisdom from the existing policy module:
/usr/share/selinux/packages/BackupPC/BackupPC.pp

I found this forum thread:
http://www.linuxquestions.org/questions/showthread.php?p=4548316#post4548316


which ended with the hint:
"Use the tools from the setools package."

I tried this, but wasn't successful.
All the time I was running into errors telling me
that these cannot open the policy file,
as it is not a "base policy".

Can you help with instructions?
Or tell me, where to find the .te file of the Fedora package?

Thanks in advance and kind regards

Gabriele

PS: I found this instruction on how to generate the .pp
from the audit messages. So if there is really no way
to /decompile/ the .pp I will go this way:
http://www.advisorbits.com/2011/03/backuppc_on_centos_5_selinux_fix.html
&lt;/pre&gt;</description>
    <dc:creator>Gabriele Pohl</dc:creator>
    <dc:date>2012-04-09T17:38:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14124">
    <title>Would the F17 policy have problems with a 3.2.7 kernel?</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14124</link>
    <description>&lt;pre&gt;I would like to move on towards an F17 system.  I'm stuck, however
with an 3.2.7 kernel because of bugzilla 795141.  (The test kernel
that was provided in the bugzilla works for me, but so far the fix
doesn't seem to have been included in any released kernel package.)
And the standard F17 kernel is 3.3.0.

Most things won't actually depend on the newer kernel in F17, but from
experience I've learned that the selinux-policy is one of the more
sensitive parts.  Are you aware of any reason it will fail with the
slightly older kernel?  Or is there a chance it might work?  At least
reasonably well?

I'm of course not asking for any kind of official support.  Whatever
that would mean for an alpha of Fedora. :-) But before I make the
attempt I wanted to check if you saw any obvious reasons things would
crash completely if I tried the combination.
&lt;/pre&gt;</description>
    <dc:creator>Göran Uddeborg</dc:creator>
    <dc:date>2012-04-03T17:37:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14119">
    <title>denied despite allow rule</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14119</link>
    <description>&lt;pre&gt;I'm confused about a situation where I'm getting denied avc messages  
even though there is an allow rule in place. What am I missing?

This is on RHEL 5.8 using the targeted policy. Here's an example. I  
have this avc message from this morning:

type=AVC msg=audit(1333372681.227:20002): avc:  denied  { append }  
for  pid=3480 comm="vsftpd" path="/LTS/eng-ng/snip/2012/03/20/ 
STORY_Letters_for_Sun._3-4_1_66_610389Z/ 
IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR/ 
IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR.xml" dev=dm-8 ino=227640612  
scontext=system_u:system_r:ftpd_t:s0  
tcontext=system_u:object_r:public_content_t:s0 tclass=file

but when I do sesearch it shows a matching allow rule:

# sesearch -s ftpd_t -t public_content_t -c file -p append -a
Found 1 av rules:
    allow ftpd_t public_content_t : file { ioctl read write create  
getattr setattr lock append unlink link rename };

Found 5 role allow rules:
    allow system_r sysadm_r ;
    allow user_r sysadm_r ;
    allow user_r system_r ;
    allow sysadm_r user_r ;
    allow sysadm_r system_r ;

Thanks for any help you can give,
Maria

&lt;/pre&gt;</description>
    <dc:creator>Maria Iano</dc:creator>
    <dc:date>2012-04-02T14:42:26</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.redhat.fedora.selinux">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.redhat.fedora.selinux</link>
  </textinput>
</rdf:RDF>

