[gentoo-user] SELinux errors
I just finished putting together a new test box after the old one finally gave up the ghost. Everything seems to be working okay, EXCEPT for selinux. To be safe, I started with selinux in permissive mode. And I'm glad I did because of all the errors showing up for things that had BETTER not show errors. Things like auth, sshd, etc...

Here's a sample of the errors I'm seeing:

Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:485): avc: denied { getattr } for pid=8100 comm="auth" path="/etc/mysql/mariadb.d" dev="vda1" ino=271985181 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_etc_t tclass=dir permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:486): avc: denied { search } for pid=8100 comm="auth" name="mysqld" dev="tmpfs" ino=160 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_runtime_t tclass=dir permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:487): avc: denied { write } for pid=8100 comm="auth" name="mysqld.sock" dev="tmpfs" ino=161 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_runtime_t tclass=sock_file permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:488): avc: denied { connectto } for pid=8100 comm="auth" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:490): avc: denied { create } for pid=8172 comm="smbd" name="8172" scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:491): avc: denied { read write open } for pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:492): avc: denied { lock } for pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.444:493): avc: denied { unlink } for pid=8175 comm="smbd" name="8175" dev="tmpfs" ino=670 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:38:35 jupiter kernel: audit: type=1400 audit(1619401115.314:494): avc: denied { connectto } for pid=4350 comm="apache2" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:httpd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:39:44 jupiter kernel: audit: type=1400 audit(1619401184.815:495): avc: denied { read } for pid=8450 comm="smbd" name="lock" dev="vda1" ino=492466 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=lnk_file permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:496): avc: denied { write } for pid=8852 comm="lpqd" name="msg.lock" dev="tmpfs" ino=516 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:497): avc: denied { remove_name } for pid=8852 comm="lpqd" name="8852" dev="tmpfs" ino=697 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:498): avc: denied { sendto } for pid=5984 comm="lpqd" path="/var/lib/samba/private/msg.sock/5797" scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:initrc_t tclass=unix_dgram_socket permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:499): avc: denied { sendto } for pid=5984 comm="lpqd" path="/var/lib/samba/private/msg.sock/5919" scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:winbind_t tclass=unix_dgram_socket permissive=1
Apr 25 19:42:12 jupiter kernel: audit: type=1400 audit(1619401332.945:500): avc: denied { add_name } for pid=8865 comm="smbd" name="8865" scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:501): avc: denied { read } for pid=9056 comm="winbindd" name="lock" dev="vda1" ino=492466 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=lnk_file permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:502): avc: denied { search } for pid=9056 comm="winbindd" name="lock" dev="tmpfs" ino=454 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25
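As an added example (not part of the post), a small Python triage script for denial lines like the ones above: it groups them into distinct (source type, target type, object class) tuples with the permissions each would need, and separately flags denials whose target is a process domain such as initrc_t, since a connectto denial against system_r:initrc_t on the mysqld socket says the MariaDB server is itself running in initrc_t rather than mysqld_t, which is a labelling/transition problem, not a missing allow rule. The audit2allow-style rule rendering is my own approximation; the sample lines are copied from the post.

```python
"""Triage SELinux AVC denials collected in permissive mode (added example):
group them into the distinct rules they would need and flag denials whose
target is a process domain rather than a file or socket label."""
import re
from collections import defaultdict

# Constructed sample: five denial lines taken from the post above, one per line.
SAMPLE_LOG = """\
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:485): avc: denied { getattr } for pid=8100 comm="auth" path="/etc/mysql/mariadb.d" dev="vda1" ino=271985181 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_etc_t tclass=dir permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:488): avc: denied { connectto } for pid=8100 comm="auth" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:491): avc: denied { read write open } for pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:492): avc: denied { lock } for pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:38:35 jupiter kernel: audit: type=1400 audit(1619401115.314:494): avc: denied { connectto } for pid=4350 comm="apache2" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:httpd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs after "for"

def parse_avc(line):
    """Return the fields of one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "scontext": fields["scontext"],  # user:role:type of the acting process
        "tcontext": fields["tcontext"],  # user:role:type of the object or peer
        "tclass": fields["tclass"],
    }

def summarize(log_text):
    """Map (source type, target type, tclass) -> {'perms': set, 'comms': set}."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["scontext"].split(":")[2], d["tcontext"].split(":")[2], d["tclass"])
        groups[key]["perms"] |= d["perms"]
        groups[key]["comms"].add(d["comm"])
    return dict(groups)

def allow_rules(summary):
    """Render each group as the allow rule a tool like audit2allow would propose."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
                  for (s, t, c), g in summary.items())

def process_domain_targets(log_text):
    """Groups whose target role is not object_r, i.e. the 'object' is a process.
    For the mysqld socket above this means the server runs in initrc_t, not
    mysqld_t: fix the label/transition instead of allowing access to initrc_t."""
    hits = set()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and d["tcontext"].split(":")[1] != "object_r":
            hits.add((d["scontext"].split(":")[2], d["tcontext"].split(":")[2], d["tclass"]))
    return sorted(hits)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("\n".join(allow_rules(s)))
    print("process-domain targets:", process_domain_targets(SAMPLE_LOG))
```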
Re: [gentoo-user] SELinux issues
On Saturday, 26 September 2020 17:41:06 BST Dan Egli wrote:
> Questions regarding SELinux. Two of them actually. First is how the HECK
> do I get it enabled!? I compiled my kernel to support it, and I do not
> have the disabling line in my boot config. But after rebooting to the
> new kernel, getenforce says disabled. So why is it disabled and how do I
> enable it?

There are a number of steps you need to follow to configure a selinux kernel and utilities. Have you walked through these guides?

https://wiki.gentoo.org/wiki/SELinux

In particular, the Installation guide?

https://wiki.gentoo.org/wiki/SELinux/Installation

> Next, whenever I try to install a SELinux policy that portage missed
> during its install (not many, but a couple) I get an error. I've
> already created a bug on this
> (https://bugs.gentoo.org/show_bug.cgi?id=744736), but I was wondering if
> anyone on the list had any ideas as to what's wrong.
>
> Thanks!

In the first instance set 'SELINUX=permissive' in the selinux config and see if it works as expected. Address any errors/warnings and then try switching to enforcing.
[gentoo-user] SELinux issues
Questions regarding SELinux. Two of them actually. First is how the HECK do I get it enabled!? I compiled my kernel to support it, and I do not have the disabling line in my boot config. But after rebooting to the new kernel, getenforce says disabled. So why is it disabled and how do I enable it?

Next, whenever I try to install a SELinux policy that portage missed during its install (not many, but a couple) I get an error. I've already created a bug on this (https://bugs.gentoo.org/show_bug.cgi?id=744736), but I was wondering if anyone on the list had any ideas as to what's wrong.

Thanks!

-- 
Dan Egli
On my Test server
Re: [gentoo-user] SELinux policy problem
On Thursday, 24 September 2020 19:06:11 BST Dan Egli wrote:
> On 9/23/2020 11:36 PM, Dan Egli wrote:
> > Maybe I just need a day or two off, but I'm having an issue and the
> > Wiki page doesn't seem to help me.
> >
> > I'm installing a new system. It's the same one I was having Grub
> > issues on. Now that those issues are resolved, I am adding the extra
> > packages on the list. One (or several really) of those packages is
> > SELinux and its policies. I've found all the policies I want to add,
> > but when I emerge them I ALWAYS get an error about not being able to
> > resolve typesetattribute. For example, from the policy for clamav:
> >
> > With the exception of the base-policy package, EVERY SELinux policy
> > said that. I've looked and what I see online doesn't seem to make
> > sense to me. Then again, I AM brand new to SELinux. Anyone got any
> > tips as to making sure they emerge okay?
>
> Odd, I just noticed the line didn't appear. Let's try this again. Here's
> the message I get from selinux-clamav:
>
> Failed to resolve typeattributeset statement at
> /var/lib/selinux/targeted/tmp/modules/400/clamav/cil:41
>
> Anyone got tips on this?

I haven't implemented selinux for some years now to be able to advise. Did you have a look at this post in case it gives you a pointer?

https://forums.gentoo.org/viewtopic-t-1036790-start-0.html

Also see this part of the wiki for creating an empty policy module if you need to:

https://wiki.gentoo.org/wiki/SELinux/FAQ#How_to_I_load_an_entire_policy_set.3F
Re: [gentoo-user] SELinux policy problem
On 9/23/2020 11:36 PM, Dan Egli wrote:
> Maybe I just need a day or two off, but I'm having an issue and the
> Wiki page doesn't seem to help me.
>
> I'm installing a new system. It's the same one I was having Grub
> issues on. Now that those issues are resolved, I am adding the extra
> packages on the list. One (or several really) of those packages is
> SELinux and its policies. I've found all the policies I want to add,
> but when I emerge them I ALWAYS get an error about not being able to
> resolve typesetattribute. For example, from the policy for clamav:
>
> With the exception of the base-policy package, EVERY SELinux policy
> said that. I've looked and what I see online doesn't seem to make
> sense to me. Then again, I AM brand new to SELinux. Anyone got any
> tips as to making sure they emerge okay?

Odd, I just noticed the line didn't appear. Let's try this again. Here's the message I get from selinux-clamav:

Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/clamav/cil:41

Anyone got tips on this?
Re: [gentoo-user] SELinux policy problem
No one has any ideas? I was hoping SOMEONE could help within 12 hours.

On 9/23/2020 11:36 PM, Dan Egli wrote:
> Maybe I just need a day or two off, but I'm having an issue and the
> Wiki page doesn't seem to help me.
>
> I'm installing a new system. It's the same one I was having Grub
> issues on. Now that those issues are resolved, I am adding the extra
> packages on the list. One (or several really) of those packages is
> SELinux and its policies. I've found all the policies I want to add,
> but when I emerge them I ALWAYS get an error about not being able to
> resolve typesetattribute. For example, from the policy for clamav:
>
> With the exception of the base-policy package, EVERY SELinux policy
> said that. I've looked and what I see online doesn't seem to make
> sense to me. Then again, I AM brand new to SELinux. Anyone got any
> tips as to making sure they emerge okay?
[gentoo-user] SELinux policy problem
Maybe I just need a day or two off, but I'm having an issue and the Wiki page doesn't seem to help me.

I'm installing a new system. It's the same one I was having Grub issues on. Now that those issues are resolved, I am adding the extra packages on the list. One (or several really) of those packages is SELinux and its policies. I've found all the policies I want to add, but when I emerge them I ALWAYS get an error about not being able to resolve typesetattribute. For example, from the policy for clamav:

With the exception of the base-policy package, EVERY SELinux policy said that. I've looked and what I see online doesn't seem to make sense to me. Then again, I AM brand new to SELinux. Anyone got any tips as to making sure they emerge okay?
Re: [gentoo-user] SELinux change from 2005.1 to 2006.1 policy update fails
In [EMAIL PROTECTED] [EMAIL PROTECTED] (Mick) writes:
> On Monday 18 June 2007 20:38, Konstantinos Agouros wrote:
> > In [EMAIL PROTECTED] [EMAIL PROTECTED] (Mick) writes:
> > > On Sunday 17 June 2007 12:22, Konstantinos Agouros wrote:
> > > > Hi,
> > > >
> > > > I tried upgrading from the 2005.1 to the 2006.1 profile. Updating
> > > > selinux-base-policy-20070329 fails with the following message:
> > > >
> > > > Setting SELinux security labels
> > > > /etc/selinux/targeted/contexts/files/file_contexts: No such file or directory
> > >
> > > What is listed under /etc/selinux/targeted/contexts/files/ ?
> >
> > /etc/selinux is empty. When I started with hardened sources this was all
> > put to /etc/security/selinux so it seems I need some kind of migration
> > script or is a simple softlink good enough?
>
> Sorry Konstantin, last time I used SELinux for a very short time was more than
> three years ago . . . I've forgotten most of it since then and things most
> likely have moved on. Perhaps someone more versed in SELinux could help
> here?
>
> > > If the file is there then can you check that you are not emerging this whil=
> > > e=20 using FEATURES=3Duserpriv in your make.conf.
>
> Aargh! Why was my previous message received like so whil= e=20? What email
> client are you using?

I have the mailinglist transferred to a local news server and use good old nn as newsreader, which does not seem to cope well with utf-8 as transfer encoding \:)

Cheers,

Konstantin

> --
> Regards,
> Mick

-- 
Dipl-Inf. Konstantin Agouros aka Elwood Blues. Internet: [EMAIL PROTECTED]
Otkerstr. 28, 81547 Muenchen, Germany. Tel +49 89 69370185
Captain, this ship will not survive the forming of the cosmos. B'Elana Torres
-- 
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] SELinux change from 2005.1 to 2006.1 policy update fails
On Monday 18 June 2007 20:38, Konstantinos Agouros wrote:
> In [EMAIL PROTECTED] [EMAIL PROTECTED] (Mick) writes:
> > On Sunday 17 June 2007 12:22, Konstantinos Agouros wrote:
> > > Hi,
> > >
> > > I tried upgrading from the 2005.1 to the 2006.1 profile. Updating
> > > selinux-base-policy-20070329 fails with the following message:
> > >
> > > Setting SELinux security labels
> > > /etc/selinux/targeted/contexts/files/file_contexts: No such file or directory
> >
> > What is listed under /etc/selinux/targeted/contexts/files/ ?
>
> /etc/selinux is empty. When I started with hardened sources this was all
> put to /etc/security/selinux so it seems I need some kind of migration
> script or is a simple softlink good enough?

Sorry Konstantin, last time I used SELinux for a very short time was more than three years ago . . . I've forgotten most of it since then and things most likely have moved on. Perhaps someone more versed in SELinux could help here?

> > If the file is there then can you check that you are not emerging this whil=
> > e=20 using FEATURES=3Duserpriv in your make.conf.

Aargh! Why was my previous message received like so whil= e=20? What email client are you using?

-- 
Regards,
Mick
Re: [gentoo-user] SELinux change from 2005.1 to 2006.1 policy update fails
On Sunday 17 June 2007 12:22, Konstantinos Agouros wrote:
> Hi,
>
> I tried upgrading from the 2005.1 to the 2006.1 profile. Updating
> selinux-base-policy-20070329 fails with the following message:
>
> Setting SELinux security labels
> /etc/selinux/targeted/contexts/files/file_contexts: No such file or directory

What is listed under /etc/selinux/targeted/contexts/files/ ?

If the file is there then can you check that you are not emerging this while using FEATURES=userpriv in your make.conf.

If the above does not help, you could ask for more informed advice in the irc channel for gentoo kernel devs.

-- 
Regards,
Mick
Re: [gentoo-user] SELinux change from 2005.1 to 2006.1 policy update fails
In [EMAIL PROTECTED] [EMAIL PROTECTED] (Mick) writes:
> On Sunday 17 June 2007 12:22, Konstantinos Agouros wrote:
> > Hi,
> >
> > I tried upgrading from the 2005.1 to the 2006.1 profile. Updating
> > selinux-base-policy-20070329 fails with the following message:
> >
> > Setting SELinux security labels
> > /etc/selinux/targeted/contexts/files/file_contexts: No such file or directory
>
> What is listed under /etc/selinux/targeted/contexts/files/ ?

/etc/selinux is empty. When I started with hardened sources this was all put to /etc/security/selinux so it seems I need some kind of migration script or is a simple softlink good enough?

Regards,

Konstantin

> If the file is there then can you check that you are not emerging this while
> using FEATURES=userpriv in your make.conf.
>
> If the above does not help, you could ask for more informed advice in the irc
> channel for gentoo kernel devs.
>
> --
> Regards,
> Mick
[gentoo-user] SELinux change from 2005.1 to 2006.1 policy update fails
Hi,

I tried upgrading from the 2005.1 to the 2006.1 profile. Updating selinux-base-policy-20070329 fails with the following message:

Setting SELinux security labels
/etc/selinux/targeted/contexts/files/file_contexts: No such file or directory
!!! ERROR: sec-policy/selinux-base-policy-20070329 failed.
Call stack:
  misc-functions.sh, line 570:   Called preinst_selinux_labels
  misc-functions.sh, line 492:   Called die
!!! Failed to set SELinux security labels.
!!! If you need support, post the topmost build error, and the call stack if relevant.

Is there some manual stuff I need to do before this upgrade works? /etc/make.profile points to /usr/portage/profiles/selinux/x86/2006.1

Regards,

Konstantin
Re: [gentoo-user] SELinux
On 3/9/06, Steve B [EMAIL PROTECTED] wrote:
> Hey everybody,
>
> Quick question. How can I disable SELinux without modifying (recompiling)
> the kernel? The reason I ask is because my kernel was compiled with SELinux
> support, however it's not active. Apparently vpopmail has issues with
> SELinux and I believe that I am having problems because of this. I don't
> have the luxury of recompiling the kernel because this is a virtual server
> running under Xen 2.0.
>
> Thanks!
>
> V/R
> Steve

Steve,

If the kernel has been configured to allow it, there is a boot command parameter that can disable SElinux. This parameter is 'selinux=0' by default, 'selinux=1' enables it. If not you'll have to find another way. From the kernel config:

config SECURITY_SELINUX_BOOTPARAM
    bool "NSA SELinux boot parameter"
    depends on SECURITY_SELINUX
    default n
    help
      This option adds a kernel parameter 'selinux', which allows SELinux
      to be disabled at boot. If this option is selected, SELinux
      functionality can be disabled with selinux=0 on the kernel
      command line. The purpose of this option is to allow a single
      kernel image to be distributed with SELinux built in, but not
      necessarily enabled.

      If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_BOOTPARAM_VALUE
    int "NSA SELinux boot parameter default value"
    depends on SECURITY_SELINUX_BOOTPARAM
    range 0 1
    default 1
    help
      This option sets the default value for the kernel parameter
      'selinux', which allows SELinux to be disabled at boot. If this
      option is set to 0 (zero), the SELinux kernel parameter will
      default to 0, disabling SELinux at bootup. If this option is
      set to 1 (one), the SELinux kernel parameter will default to 1,
      enabling SELinux at bootup.

      If you are unsure how to answer this question, answer 1.

config SECURITY_SELINUX_DISABLE
    bool "NSA SELinux runtime disable"
    depends on SECURITY_SELINUX
    default n
    help
      This option enables writing to a selinuxfs node 'disable', which
      allows SELinux to be disabled at runtime prior to the policy load.
      SELinux will then remain disabled until the next boot.
      This option is similar to the selinux=0 boot parameter, but is to
      support runtime disabling of SELinux, e.g. from /sbin/init, for
      portability across platforms where boot parameters are difficult
      to employ.

      If you are unsure how to answer this question, answer N.

HTH,
Simon
[gentoo-user] SELinux
Hey everybody,

Quick question. How can I disable SELinux without modifying (recompiling) the kernel? The reason I ask is because my kernel was compiled with SELinux support, however it's not active. Apparently vpopmail has issues with SELinux and I believe that I am having problems because of this. I don't have the luxury of recompiling the kernel because this is a virtual server running under Xen 2.0.

Thanks!

V/R
Steve
[gentoo-user] selinux how to boot with enforce=1
Hi,

can SELinux be booted properly if /selinux/enforce=1?

Konstantin
Re: [gentoo-user] selinux how to boot with enforce=1
On (20/12/05 16:56), Konstantinos Agouros wrote:
> Hi,
>
> can SELinux be booted properly if /selinux/enforce=1?
>
> Konstantin

Hi,

Think (not sure) that you can, after properly configuring your programs. Only some changes/settings are done in permissive mode. Have some experience with grsecurity RSBAC, the latter also have such mode - softmode (permissive in SELinux).

Better post on: gentoo-hardened ML.

HTH.
Rumen