<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.redhat.fedora.selinux">
    <title>gmane.linux.redhat.fedora.selinux</title>
    <link>http://blog.gmane.org/gmane.linux.redhat.fedora.selinux</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14211"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14207"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14204"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14200"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14197"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14193"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14192"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14189"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14178"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14177"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14174"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14166"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14160"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14152"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14149"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14148"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14138"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14134"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14129"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14124"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14211">
    <title>ImportError: No module named selinux</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14211</link>
    <description>&lt;pre&gt;I am trying to compile and build version 3.10.0-86 of the selinux policy, but during compilation I get the following:

/usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
/usr/bin/sepolgen-ifgen -p tmp/policy.bin -i policy -o tmp/output
Traceback (most recent call last):
  File "/usr/bin/sepolgen-ifgen", line 34, in &amp;lt;module&amp;gt;
    import selinux
ImportError: No module named selinux
make: *** [validate] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.bEqivE (%install)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.bEqivE (%install)


What could be the cause for this?
--
selinux mailing list
selinux&amp;lt; at &amp;gt;lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux&lt;/pre&gt;</description>
    <dc:creator>Mr Dash Four</dc:creator>
    <dc:date>2012-05-25T01:48:08</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14207">
    <title>Policy version mismatch</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14207</link>
    <description>&lt;pre&gt;I've got a policy module which works fine when I build and load it on CentOS
5.  When I build and try to load it on CentOS 6 it complains:

SELinux:  Could not downgrade policy file
/etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux:  Could not open policy file &amp;lt;=
/etc/selinux/targeted/policy/policy.24:  No such file or directory

There's nothing in the policy source specifying version so I would have
expected the module automatically to build for the correct policy version
when built on CentOS 6.  Any pointers where to look or what to do next?


Moray.
"To err is human; to purr, feline."&lt;/pre&gt;</description>
    <dc:creator>Moray Henderson</dc:creator>
    <dc:date>2012-05-24T15:05:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14204">
    <title>EL6: procmail vs. /home/*/bin/shellscript.sh</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14204</link>
    <description>&lt;pre&gt;I'm using EL 6.2 with sendmail &amp;amp; procmail.  I'm having trouble with
calling custom scripts in my home directory from .procmailrc such as
this recipe:

######################################################
#
# BACKUP INCOMING MAIL
#
# Stores the last 16 messages in a backup folder.
# "Just in Case"
#
# Create a folder in your $MAILDIR called "backup"
# BEFORE you execute this procmail recipe.
#
:0 c
backup

:0 ic
| /home/cra/bin/procmail-prune-backup-msg

The script is labeled with home_bin_t:

-rwxr-xr-x. cra cra system_u:object_r:home_bin_t:s0  /home/cra/bin/procmail-prune-backup-msg

which is a Bourne Shell script similar to this:

#!/bin/sh
cd /home/cra/mail/backup
/bin/ls -t | /bin/grep ^msg\. | /bin/sed -e 1,256d | /usr/bin/xargs -n 256 /bin/rm -f

In my procmail log I get:

/bin/sh: /home/cra/bin/procmail-prune-backup-msg: Permission denied

It works if I "setenforce 0".

With Enforcing, here is the AVC I get (after enabling dontaudit rules
with semodule -DB):

# ausearch -i -m AVC
type=SYSCALL msg=au&lt;/pre&gt;</description>
    <dc:creator>Chuck Anderson</dc:creator>
    <dc:date>2012-05-17T23:32:21</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14200">
    <title>No audit lines produced</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14200</link>
    <description>&lt;pre&gt;I'm trying to debug a Nagios plugin that isn't playing nicely with 
SELinux. It executes a system binary to get statistics about DHCP pool 
usage, and obviously SELinux stamps on that access and the plugin only 
returns partial data.

In Permissive mode the plugin works, in Enforcing it doesn't. But in 
neither mode are there any debug messages in audit.log.

[jg4461&amp;lt; at &amp;gt;dhcp1 ~]$ sudo setenforce 0
[jg4461&amp;lt; at &amp;gt;dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c 
check_dhcpd_pools
OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90, 
rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90, 
rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90, 
rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90, 
rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90, 
rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90, 
rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90

[jg4461&amp;lt; at &amp;gt;dhcp1 ~]$ sudo setenforce 1
[jg4461&amp;lt; at &amp;gt;dhcp1 ~]$ /usr/lib64/&lt;/pre&gt;</description>
    <dc:creator>Jonathan Gazeley</dc:creator>
    <dc:date>2012-05-15T10:37:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14197">
    <title>Creating multiple constrained admin roles</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14197</link>
    <description>&lt;pre&gt;Hi,

I was wondering if it is possible to create a number of admin roles, 
each with limited access to specified admin features, e.g. package 
management only, NIC / Firewall management only, policy management only 
etc and to effectively completely remove the root account as a system 
wide administrator using selinux?

I have seen mention of Kiosk Users and the SELinux play machine (sadly 
my corporate network does not allow global ssh access) so I believe this 
is entirely possible, but am not entirely sure of the best resources to 
delve into so any pointers would be very welcome.

Many Thanks,

Tim&lt;/pre&gt;</description>
    <dc:creator>Tim Sheppard</dc:creator>
    <dc:date>2012-05-09T14:17:57</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14193">
    <title>VirtualGL/TurboVNC and selinux</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14193</link>
    <description>&lt;pre&gt;I was not able to get VirtualGL and selinux to work together.
It is something during boot time it seems.  I have tried generating
rules based on audit/audit.log.

The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6
states they don't know how to make it work either.

I have tried in permissive mode after boot and that did not work either,
which is why I think it is something during boot time.  Like the device
setup. My guess is related to: /dev/dri as it sets up these and then
access to the /dev/nvidia0 and /dev/nvidiactl are restricted to vglusers
group (in my case it can be configured with/without group restriction).

From the VirtualGL website they also have:

vglgenkey Issues

Currently, the only known way to make vglgenkey work (vglgenkey is used
to grant 3D X Server access to members of the vglusers group) is to
disable SELinux. With SELinux enabled, the /usr/bin/xauth file is
hidden within the context of the GDM startup scripts, so vglgenkey has
no way of generating or importing a&lt;/pre&gt;</description>
    <dc:creator>Mark Dalton</dc:creator>
    <dc:date>2012-05-07T18:29:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14192">
    <title>Can't log in to the embedded Linux with SELinux support</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14192</link>
    <description>&lt;pre&gt;Hello,
I built a Linux system with SELinux support for my embedded device. It
can now log in as the root user automatically when it is powered on.
Then I copied the files (shadow, group and passwd) from my PC Linux system
to the embedded system, and added the login to it. But after I input the
username and password, it outputs this:

login:root
password:
login:Can’t get SID for root

The output comes from the file login.c in busybox; how can I solve
this problem?
Does this problem come from an error in my policy, or from the lib
related to SELinux?&lt;/pre&gt;</description>
    <dc:creator>casinee app</dc:creator>
    <dc:date>2012-05-03T09:03:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14189">
    <title>MySQL and ldconfig avcs</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14189</link>
    <description>&lt;pre&gt;Getting two avc's that trouble shooter indicates there is policy to
allow the operations.

I believe the sebool "mysql_connect_any" may correct the following avc:
time-&amp;gt;Tue May  1 18:17:25 2012
type=SYSCALL msg=audit(1335921445.082:4514): arch=c000003e syscall=21
success=no exit=-13 a0=7f406ac5d9f0 a1=4 a2=7f406ac5d9fe a3=1c items=0
ppid=1 pid=24416 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27
egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld"
exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1335921445.082:4514): avc:  denied  { read } for
pid=24416 comm="mysqld" name="unix" dev="proc" ino=4026532000
scontext=system_u:system_r:mysqld_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file

But I have no clue which bool would correct the following:
time-&amp;gt;Tue May  1 19:01:13 2012
type=SYSCALL msg=audit(1335924073.146:4554): arch=c000003e syscall=59
success=yes exit=0 a0=f293b0 a1=f294b0 a2=f283b0 a3=18 items=0
ppid=25927 pid=25928 auid=4294967&lt;/pre&gt;</description>
    <dc:creator>David Highley</dc:creator>
    <dc:date>2012-05-02T04:26:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14178">
    <title>Bootup avc, "systemd-tmpfile" important?</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14178</link>
    <description>&lt;pre&gt;Box was set to "fixfiles onboot"

Saw this avc:
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
[    8.566136] type=1400 audit(1335687882.859:7): avc:  denied  {
relabelfrom } for  pid=489 comm="systemd-tmpfile" name="lp2"
dev="devtmpfs" ino=11419
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[    8.588374] type=1400 audit(1335687882.881:8): avc:  denied  {
relabelto } for  pid=489 comm="systemd-tmpfile" name="lp2"
dev="devtmpfs" ino=11419
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file


selinux-policy-targeted-3.10.0-118.fc17.noarch&lt;/pre&gt;</description>
    <dc:creator>Frank Murphy</dc:creator>
    <dc:date>2012-04-29T08:38:42</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14177">
    <title>several denials that don't get noticed by setroubleshoot alerts</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14177</link>
    <description>&lt;pre&gt;Dear folks,

I have some denials that don't appear in the sealert tool:

[   26.964346] SELinux: initialized (dev sda5, type ext4), uses xattr
[   37.206747] EXT4-fs (dm-2): mounted filesystem with ordered data mode. Opts: (null)
[   37.211983] SELinux: initialized (dev dm-2, type ext4), uses xattr
[   37.608076] type=1400 audit(1335642984.005:4): avc:  denied  { relabelfrom } for  pid=607 comm="systemd-tmpfile" name="lp0" dev="devtmpfs" ino=12221 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[   37.620822] type=1400 audit(1335642984.017:5): avc:  denied  { relabelfrom } for  pid=607 comm="systemd-tmpfile" name="lp1" dev="devtmpfs" ino=12223 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[   37.635066] type=1400 audit(1335642984.031:6): avc:  denied  { relabelfrom } for  pid=607 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=12224 scontext=system_u:system_r:systemd_tmpfiles_t&lt;/pre&gt;</description>
    <dc:creator>Antonio Olivares</dc:creator>
    <dc:date>2012-04-28T20:02:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14174">
    <title>How to change the default context for files in the home directory</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14174</link>
    <description>&lt;pre&gt;I'm trying to set up F17 SELinux to accept the Swedish electronic
identity system called "BankID".  I had it working under F16 with only
a few file context specifications for its libraries.  (They need
textrel_shlib_t).  But it seems like the policy has been tightened up
a bit in F17, which made some more tunings necessary.  And I fail on
one of them.

This thing runs as a browser plugin, which starts a program, and
creates a few files in the user's home directory.  My question is how
to define the context for these files.  BankID creates a file called
".personal-&amp;lt;username&amp;gt;" and a directory tree ".personal/...".  I added
a file context like this with semanage:

/home/[^/]*/\.personal.*       all files    system_u:object_r:mozilla_home_t:s0 

After relabeling things in the .personal tree gets the mozilla_home_t,
but the file .personal-&amp;lt;username&amp;gt; directly in the home directory
doesn't.  If it exists, it gets the right context when I do
restorecon.  But it is created and removed each time the plugin is
run, and&lt;/pre&gt;</description>
    <dc:creator>goeran&lt; at &gt;uddeborg.se</dc:creator>
    <dc:date>2012-04-27T20:10:17</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14166">
    <title>Runtime flexibility of SELInux</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14166</link>
    <description>&lt;pre&gt;Hi,

I am looking to use SELinux to secure a process that is made up of a 
number of discrete, sequential stages. One stage communicates to the 
next by writing results to a file and then an external process modifies 
the SELinux context of the file to allow the next stage to read the file 
and so on until the final stage is reached and the processing stops.

The problem I have is that the number of stages is variable and can 
change with each invocation of the process, i.e. when I create the 
process I know the number of stages that will be required in it, but the 
number of stages could change with each invocation. I think therefore, 
that I need a means of creating new contexts on the fly and assigning 
them to the processes. Is it possible with SELinux to create a new 
security context (domain for the output file, and user/role for the 
stage process) on the fly and execute a process within that context such 
that it could poll a directory for input files and, if it is permitted 
to read the file perform&lt;/pre&gt;</description>
    <dc:creator>Tim Sheppard</dc:creator>
    <dc:date>2012-04-24T17:16:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14160">
    <title>https://bugzilla.redhat.com/show_bug.cgi?id=812100</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14160</link>
    <description>&lt;pre&gt;Dear folks,

The title has been reported as NOT A BUG, but it is annoying :(
without doing anything but logging in, the setroubleshooter kicks in and displays the message.  I have tried numerous times to report it, but it came back empty.  Then I click enough times and see that it is there, but it is NOT A BUG :(, I don't agree but can't do shite.

--- Running report_Bugzilla ---
Logging into Bugzilla at https://bugzilla.redhat.com
Checking for duplicates
Bug is already reported: 812100
Logging out
Status: CLOSED NOTABUG https://bugzilla.redhat.com/show_bug.cgi?id=812100

--- Running report_Bugzilla ---
This problem was already reported to Bugzilla (see 'https://bugzilla.redhat.com/show_bug.cgi?id=812100'). Do you still want to create a new bug? NO


SELinux is preventing dmesg from 'read' accesses on the file /etc/ld.so.cache.

*****  Plugin restorecon (94.8 confidence) suggests  *************************

If you want to fix the label. 
/etc/ld.so.cache default label should be ld_so_cache_t.
Then you can ru&lt;/pre&gt;</description>
    <dc:creator>Antonio Olivares</dc:creator>
    <dc:date>2012-04-20T02:42:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14152">
    <title>runcon Invalid argument</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14152</link>
    <description>&lt;pre&gt;I'm trying to debug an httpd-nfs-selinux issue, and it would be _really_
useful to be able to execute commands in context httpd_t while trying out
combinations of the nfs_export_all_rw Boolean and public_content_rw_t type.

If I can do

[root&amp;lt; at &amp;gt;kojihub ~]# runcon unconfined_u:unconfined_r:unconfined_t:s0 bash
[root&amp;lt; at &amp;gt;kojihub ~]# exit

why can't I do

[root&amp;lt; at &amp;gt;kojihub ~]# runcon unconfined_u:unconfined_r:httpd_t:s0 bash
runcon: invalid context: unconfined_u:unconfined_r:httpd_t:s0: Invalid
argument

The actual issue is that I've set up a new koji hub with /mnt/koji on an nfs
mount; with SELinux in permissive mode I get

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr
system_u:object_r:nfs_t:s0 denied 494
2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir search
system_u:object_r:nfs_t:s0 denie&lt;/pre&gt;</description>
    <dc:creator>Moray Henderson (ICT</dc:creator>
    <dc:date>2012-04-13T14:39:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14149">
    <title>Selinux and mailman via postfix pipe</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14149</link>
    <description>&lt;pre&gt;Hi,

I'm setting up a new server based on CentOS 6.2. It is meant to replace 
a CentOS 5 server. The old server had selinux running in permissive 
mode, but I figured it would be a good thing to enforce it on the new 
server. This has revealed some selinux violations in my old 
configurations. Most of them I managed to fix so far, with one exception:

Part of the setup involves a mailman based mailing list service. This is 
configured using a postfix pipe into a python script called 
postfix-to-mailman.py [1]. This is convenient, as it saves our admins 
the hassle of managing the aliases required for each list. The problem 
is though that this doesn't seem to work with selinux enabled.

Here are the relevant error messages:
In the maillog:
pipe[11266]: fatal: pipe_command: execvp 
/usr/lib/mailman/bin/postfix-to-mailman.py: Permission denied

And the SELinux AVC:
type=AVC msg=audit(1334239608.305:371794): avc:  denied  { search } for  
pid=10858 comm="python" name="mailman" dev=xvda ino=5833449 
scontext=unc&lt;/pre&gt;</description>
    <dc:creator>Geert Janssens</dc:creator>
    <dc:date>2012-04-12T16:24:34</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14148">
    <title>SELinux preventing login (Fedora 16)</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14148</link>
    <description>&lt;pre&gt;[I posted this first to the users list by mistake; but I meant for it to
go here.]

I have a Fedora 16 box where something seems to have gone sideways with
SELinux.  I am unable to log into the box with SELinux enabled.  I see
messages in /var/log/messages that look like this:

        Apr 11 02:40:06 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:40:06 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:40:07 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
        Apr 11 02:40:10 rail setroubleshoot: SELinux is preventing /usr/&lt;/pre&gt;</description>
    <dc:creator>Braden McDaniel</dc:creator>
    <dc:date>2012-04-11T18:01:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14138">
    <title>Permission denied to cgi-script when enforcing selinux on RHEL6</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14138</link>
    <description>&lt;pre&gt;Greetings all,

I've set up a simple apache webserver with cgi-script executing
python code on RHEL6.  With selinux disabled, the script returns
output fine to a browser but with selinux enforced I receive a 500
Internal Server error and permission denied in ssl_error_log with
nothing logged to audit.log even though dontaudit rules are disabled.
audit2allow -a -l is clean as well.  I am able to successfully
execute the script on the command line under apache's context httpd_t,
so it's only when returning the content to the browser that the 500
Internal Server error occurs.  Anyone have any idea to help
troubleshoot?

Pertinent information below, any help is greatly appreciated.

Thanks in advance,


[Tue Apr 10 09:37:43 2012] [error] (13)Permission denied: exec of
'/var/www/cgi-bin/index.py' failed
[Tue Apr 10 09:37:43 2012] [error] Premature end of script headers: index.py


# /bin/ps axZ | grep http
unconfined_u:system_r:httpd_t:s0 12716 ?       Ss     0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:&lt;/pre&gt;</description>
    <dc:creator>Dark Sinclair</dc:creator>
    <dc:date>2012-04-10T13:59:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14134">
    <title>force audit log rotation?</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14134</link>
    <description>&lt;pre&gt;Hi all,

How do I force an audit.log rotation in a systemd world (F16)?

"service auditd rotate" no longer works, of course.

- Mike&lt;/pre&gt;</description>
    <dc:creator>Dr. Michael J. Chudobiak</dc:creator>
    <dc:date>2012-04-10T12:26:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14129">
    <title>How to get a .te file from an existing .pp file?</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14129</link>
    <description>&lt;pre&gt;Hi all,

I've installed a piece of software from source on a CentOS 6.2 box
and would like to set up a SELinux policy for it.

As I already use the software on my Fedora 15 server
Source RPM  : BackupPC-3.2.1-7.fc15.src.rpm
I would like to use the wisdom from the existing policy module:
/usr/share/selinux/packages/BackupPC/BackupPC.pp

I found this forum thread:
http://www.linuxquestions.org/questions/showthread.php?p=4548316#post4548316

which ended with the hint:
"Use the tools from the setools package."

I tried this, but wasn't successful.
I kept running into errors telling me
that these cannot open the policy file,
as it is not a "base policy".

Can you help with instructions?
Or tell me, where to find the .te file of the Fedora package?

Thanks in advance and kind regards

Gabriele

PS: I found this instruction on how to generate the .pp
from the audit messages. So if there is really no way
to /decompile/ the .pp I will go this way:
http://www.advisorbits.com/2011/03/backuppc_on_centos_5_selinux_fix.htm&lt;/pre&gt;</description>
    <dc:creator>Gabriele Pohl</dc:creator>
    <dc:date>2012-04-09T17:38:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14124">
    <title>Would the F17 policy have problems with a 3.2.7 kernel?</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14124</link>
    <description>&lt;pre&gt;I would like to move on towards an F17 system.  I'm stuck, however
with a 3.2.7 kernel because of bugzilla 795141.  (The test kernel
that was provided in the bugzilla works for me, but so far the fix
doesn't seem to have been included in any released kernel package.)
And the standard F17 kernel is 3.3.0.

Most things won't actually depend on the newer kernel in F17, but from
experience I've learned that the selinux-policy is one of the more
sensitive parts.  Are you aware of any reason it will fail with the
slightly older kernel?  Or is there a chance it might work?  At least
reasonably well?

I'm of course not asking for any kind of official support.  Whatever
that would mean for an alpha of Fedora. :-) But before I do the
attempt I wanted to check if you saw any obvious reasons things would
crash completely if I tried the combination.&lt;/pre&gt;</description>
    <dc:creator>Göran Uddeborg</dc:creator>
    <dc:date>2012-04-03T17:37:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14119">
    <title>denied despite allow rule</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/14119</link>
    <description>&lt;pre&gt;I'm confused about a situation where I'm getting denied avc messages  
even though there is an allow rule in place. What am I missing?

This is on RHEL 5.8 using the targeted policy. Here's an example. I  
have this avc message from this morning:

type=AVC msg=audit(1333372681.227:20002): avc:  denied  { append }  
for  pid=3480 comm="vsftpd" path="/LTS/eng-ng/snip/2012/03/20/ 
STORY_Letters_for_Sun._3-4_1_66_610389Z/ 
IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR/ 
IMG_Cartoon_for_3-4.jpg_1_1_8F1363GR.xml" dev=dm-8 ino=227640612  
scontext=system_u:system_r:ftpd_t:s0  
tcontext=system_u:object_r:public_content_t:s0 tclass=file

but when I do sesearch it shows a matching allow rule:

# sesearch -s ftpd_t -t public_content_t -c file -p append -a
Found 1 av rules:
    allow ftpd_t public_content_t : file { ioctl read write create  
getattr setattr lock append unlink link rename };

Found 5 role allow rules:
    allow system_r sysadm_r ;
    allow user_r sysadm_r ;
    allow user_r system_r ;
    allow sysadm_r user_r ;&lt;/pre&gt;</description>
    <dc:creator>Maria Iano</dc:creator>
    <dc:date>2012-04-02T14:42:26</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.redhat.fedora.selinux">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.redhat.fedora.selinux</link>
  </textinput>
</rdf:RDF>

