Fedora Security :: Get The SELINUX Authors To Consider Re-labeling Files When They Are Moved From One Place To Another?
Feb 17, 2010
I have a Fedora 12 box with a fresh install. I use ktorrent to download something, eg a series, into my home folder. Now, as root, I move (not copy) the folder with the downloaded files to /var/www/html/bob so that when someone opens http://myserver/bob/ they see the list of folders and files I have placed there. I also chmod the whole folder to 755 and chown to root.root. The folder I have just moved there is not displayed. So to work around it (before I realised it was SELINUX) I created a new folder. Now the folder is visible. Good. So now I move the files into the new folder and delete the old one. The files are displayed ... good. But wait, there's more: you cannot access (download) the files, even though they are visible.
1. How do I VIEW what context is assigned to these files?
2. How do I correct the context so that http server can allow people to access them?
3. How do we get the SELINUX authors to consider re-labeling files when they are moved from one place to another so as not to cause this fault?
I have SELinux set to permissive and am getting lots of errors because the contexts are incorrect after a filesystem relabel. e.g.
[root@fileserver2 var]# ls -alZ /data/serverlogs/messages -rw-------. root root system_u:object_r:default_t:s0 /data/serverlogs/messages
I believe that this file should be var_log_t.How can I restore the correct context to all of the files in /var/log?I've tried running:
restorecon -vR /var/log/
But this does not change the contexts, I guess because the files are now in the 'incorrect' location. I've looked through the file: /etc/selinux/targeted/contexts/files/file_contexts which I believe contains the original/default settings - maybe I need to alter this file to fix the problem? I've also tried modifying /data/serverlogs using:
semanage fcontext -a -t var_log_t /data/serverlogs
which fixes the directory itself, but not the contents,
I'm new in Selinux , and I want to label the URLs of the tabs of Chromium browser with label security . For example , If I want to access the sites of "[URL]" , then the tab will get the label SElinux "search_engine_t".
I went to print something and I get this message: Summary: SELinux is preventing access to files with the default label, default_t.
Detailed Description: SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.
I have scoured the 'ls' man page, but I don't think it has the capability to do this. Specifically, I would like a command/program that will output a list of all of the files in "/home/anthony/Music/" in the following format:
this is the allert i got:Code:Summary:Your system may be seriously compromised! /usr/sbin/NetworkManager tried to loada kernel module.Detailed Description:SELinux has prevented NetworkManager from loading a kernel module. All confinedprograms that need to load kernel modules should have already had policy writtenfor them. If a compromised application tries to modify the kernel this AVC willbe generated. This is a serious issue.Your system may very well be compromised.Allowing Access:Contact your security administrator and report this issue.Additional Information:
I have an assignment question that I have been making no progress on.
I need a single line command to concatenate a group of files together and clearly label those files in the output.
I assume that just cramming a bunch of commands onto one line will not be considered OK.
and it has to work on some old version of Solaris (which I have been having trouble with normal commands not working the same all day on), but if you just have solutions for any normal Linux shell at least I would have an idea of what I am looking for.
I have looked though cat's man page up and down and I am pretty sure it cannot do what I want, and cannot seem to find any other commands that even concatenate a grouping of files together.
I'm attempting to get MapServer running on my Fedora 13 computer. I was able to install with the package manager, and the executable (mapserv) was originally placed in /usr/sbin. But I need it in /var/www/cgi-bin to work on the webserver. So I copied the file to the right location. Unfortunately, it doesn't have the correct SELinux context. Here's the message from the troubleshooter:
SELinux denied access requested by /var/www/cgi-bin/mapserv. /var/www/cgi-bin/mapserv is mislabeled. /var/www/cgi-bin/mapserv default type is httpd_sys_script_exec_t, but its current type is httpd_sys_script_exec_t. Changing this file back to the default type, may fix your problem.
How's that for circular logic? Does anyone have an idea what the correct SELinux context for a cgi-bin executable might be?
Trying to keep selinux enabled. When I start SeLinux Troubleshooter from the menu, which is inautostart as well, It tells me SELinux not enabled, sealert will not run on nonSELinus systems".How do I get SELinux permanently started then
My newly installed Fedora-14 (64-bit) has SELinux disabled. I can't find any way to enable it. I tried to set it manually in /etc/selinux/config to enforcing or permissive but nothing happens after reboot. In GUI configuration tool it is set to disabled and grayed out so that there is no way to enable it there. Is there another way to enable SELinux?
I tried to log in to my xguest account and it asked for a password, which it shouldn't, so there's a problem with SELinux.When I type getenforce it says it is disabled, yet when I go to /etc/selinux and look at the config, it is in enforcing mode and not commented out, type is strict.When I go to the SELinux management GUI I can't change the current enforcing mode and it's set to disabled and default to enforcing.
I get a SELinux relabel often even without changing stuff. SELinux troubleshoot doesn't show any error nor are there any messages in /log/messages that give any clue. Where should I look to see whats happening ?
I wonder if SELinux really are necessary for a home desktop ? It only makes my computer use more problematic than it already is. What can happend if I uninstall it on my Fedora 13 dist ? Is the hole Internet going to come in to my computer and destroy it ?
If I uninstall SELinux, is the firewall uninstalled also ?
I have recently upgraded from FC12 to FC13, and last week I updated all packages using YUM. The system is running as a VM inside CentOS 5.5 using KVM. SELinux is enforcing, using the targeted policy. Bugzilla is version 3.6.1 and was NOT installed using RPM or YUM.
Bugzilla was working OK on this machine until SELinux was upgraded last week from 3.7.19-28 to 3.7.19-33, and is still broken after testing 3.7.19-37 from the testing repo. With SELinux in enforcing mode, apache returns error 500 when I browse to the main bugzilla page. The apache error log shows this:-
Code: [Mon Jul 19 13:15:08 2010] [error] [client 192.168.40.1] (13)Permission denied: exec of '/var/www/html/bugzilla/index.cgi' failed Nothing, and I mean absolutely nothing, is recorded in /var/log/audit/audit.log, /var/log/messages or /var/log/secure.
I just install Fedora 15 and I see the SELinux Policy Genertation Tool and the SELinux Administration application in the app launcher but I do not see the SELinux Troubleshooter app. I seems to be missing. How do I get it on my system?
I need to change SELinux policy to permissive and then back to enforced for an installation. I understand that I should be able to do that through the SELinux Administration window accessed through System -> Administration ->SELinux Management. But I do not have any real sysadmin tools available in my Fedora 15 Gnome Gui interface. Am I missing something, or should I use some sort of similar command line tool to do this?
I know very little about SE Linux and I've heard that in some situations it's better to disable it. For a home user, is it important? Does it improve your life ? or does it get in the way ?
Last week some update stopped my printing and I had to install the new hplip from HP because it wasn't in the Fedora repos to correct the problem. I don't know if SELinux had anything to do with it, but today when I disabled SELinux a few minutes later I get a star up on the toolbar and when I clicked on it it mentioned something about hplip. It wouldn't make any sense to me but maybe this has happened to others.
Currently working on the targeted policy, I need a help in doing the following things as quick as possible:
1- How to create a totally new SELinux user (not mapping new linux user to SELinux user) I want a new user with no roles or with a maximum of 1 role. I also need how to compile the new user so I can used it for mapping users. At the time, I've tried creating a new file inside /etc/selinux/targeted/contexts/users similar to the other users inside this directory, but it did not actually seem to appear when using the command semanage to list SELinux users : semanage user -l 2- How to create a totally new SELinux role (empty for now) ? and how to make the relation between this new role and domains or types. 3- How to create new domain, actually following some old instructions I created the .fc and .te files, but not the .if file, which is more complicated than the other 2 file.
I've got a question about chattr command. is it possible to restrict a root access for this command. what i want is something similar to freebsd behaviour aka the kernel secure level. setting a particular security level results in limiting some operations (i.e changing immutable flags on files) by root. well, if someone gained an access to a machine in some way, nothing would stop him changing the file's flags. so the question is if it can be achieved with selinux?
well after spending most of the morning getting help with my internet connection hanging when I dial up we discover that SELinux is causing it so when I set it to passive I can connect so how can I get it to allow me to connect while being set to enforcing?
I plan to install vmware but I had some problems...So I looked over the internet and I found that I must disable selinux....is this true? It means that I must have to disable the selinux for ever? And then, will my System be safe?
I want to be able to created directories and upload files (images mostly) via a php web page. The directory structure is a throwback to windows and I really really don't want to have to change it because there are so many files/links already there.
/cust/cust_name/site/version/web (all html/php files go here)
I want to be able to edit the files with a 3rd party tool (SSH based). These are small orgs, like my church, local community club, sports team, etc., so file ownership needs to sync with the editor, not apache.
I have a removable USB drive formated with NTFS. I enabled all the samba boolians in the SElinux GUI but it still doesn't seem to work. If i put it on permissive it will work. What more is there that i need to do to get my directories to show up on samba with selinux enabled?
I'm suspicious that the context of /etc/sudoers is wrong. During the last upgrade to Fedora 14, RPM dropped /etc/sudoers.rpmnew, which had a different context than the real sudoers file. But, when I try to get SELinux to relabel the file (using restorecon or fixfiles), it refuses to make a change.
the next time I boot, I have to add the rule again. How would I make this permanent? Can this only be done with the SELinux Policy Generation Tool? I've tried making bug reports for some SELinux warnings.