2008-07-31 03:02:12

by Gene Heskett

Subject: 2.6.27-rc1 + selinux new options = no httpd

Greetings;

I just had to reboot backwards to 2.6.26 as I don't seem to be able to turn
off enough selinux stuff to allow apache (httpd) to run, on 2.6.27-rc1 it
cannot get perms to access its log files so it exits.

Is there a specific fix for this?

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Heuristics are bug ridden by definition. If they didn't have bugs,
then they'd be algorithms.


2008-07-31 03:36:46

by Valdis Klētnieks

Subject: Re: 2.6.27-rc1 + selinux new options = no httpd

On Wed, 30 Jul 2008 22:54:25 EDT, Gene Heskett said:
> Greetings;
>
> I just had to reboot backwards to 2.6.26 as I don't seem to be able to turn
> off enough selinux stuff to allow apache (httpd) to run, on 2.6.27-rc1 it
> cannot get perms to access its log files so it exits.

Oddness indeed - booting with 'permissive' should at least let things work
so you can diagnose the problem.

Do you have any of the AVC messages that got generated when apache failed?



2008-07-31 04:45:09

by James Morris

Subject: Re: 2.6.27-rc1 + selinux new options = no httpd

On Wed, 30 Jul 2008, Gene Heskett wrote:

> Greetings;
>
> I just had to reboot backwards to 2.6.26 as I don't seem to be able to turn
> off enough selinux stuff to allow apache (httpd) to run, on 2.6.27-rc1 it
> cannot get perms to access its log files so it exits.

Which new options?

What AVC messages are you seeing?

Which distro are you using and what is the policy package version?

> Is there a specific fix for this?

This is the first I've heard of this.


- James
--
James Morris
<[email protected]>

2008-07-31 13:10:09

by Gene Heskett

Subject: Re: 2.6.27-rc1 + selinux new options = no httpd

On Thursday 31 July 2008, James Morris wrote:
>On Wed, 30 Jul 2008, Gene Heskett wrote:
>> Greetings;
>>
>> I just had to reboot backwards to 2.6.26 as I don't seem to be able to
>> turn off enough selinux stuff to allow apache (httpd) to run, on
>> 2.6.27-rc1 it cannot get perms to access its log files so it exits.
>
>Which new options?

Make xconfig-->security options:

XFRM Networking security hooks

and several others just below it. Unforch, I can't copy/paste the screen.
My next build will be with the above option turned off for grins & giggles.
However, I have about 16 bundles of shingles yet to sail up onto a roof & nail
down in the cooler parts of the day till I'm done. Taken last evening, I'm
on the right.

<http://gene.homelinux.net:85/gene/Garage-pix/p7300002.jpg>

>What AVC messages are you seeing?

I posted the whole screen from setroubleshoot earlier.

>Which distro are you using and what is the policy package version?

F8, selinux-policy-targeted-3.0.8-109.fc8
selinux-policy-3.0.8-109.fc8
policycoreutils-gui-2.0.33-3.fc8
checkpolicy-2.0.4-1.fc8
policycoreutils-2.0.33-3.fc8
selinux-policy-devel-3.0.8-109.fc8

System has been relabeled twice now, no change, and the setroubleshoot command
suggested doesn't fix it.

>> Is there a specific fix for this?
>
>This is the first I've heard of this.
>
Caught me out too. :)
>
>- James

Thanks James.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
"More software projects have gone awry for lack of calendar time than for all
other causes combined."
-- Fred Brooks, Jr., _The Mythical Man Month_

2008-07-31 14:44:49

by Eric Paris

Subject: Re: 2.6.27-rc1 + selinux new options = no httpd

On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
> On Thursday 31 July 2008, James Morris wrote:

> >What AVC messages are you seeing?
>
> I posted the whole screen from setroubleshoot earlier.

I'm sorry but I can't seem to find it in your original message...

http://marc.info/?l=linux-kernel&m=121747333012971&w=2

Do you have another pointer? I can't think of anything that went into
2.6.27 related to SELinux that should have in any way changed file
access checks but I'll poke through the changelog and see if something
stands out...

-Eric

2008-07-31 20:03:26

by James Morris

Subject: Re: 2.6.27-rc1 + selinux new options = no httpd

On Thu, 31 Jul 2008, Gene Heskett wrote:

> >Which new options?
>
> Make xconfig-->security options:
>
> XFRM Networking security hooks
>
> and several others just below it. Unforch, I can't copy/paste the screen.

I can't really imagine what that is (although if you enable the secmark
controls under the main SELinux menu, which are disabled by default,
there could be problems).

Please post your .config.



- James
--
James Morris
<[email protected]>

2008-07-31 22:15:13

by Rafael J. Wysocki

Subject: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)

On Thursday, 31 of July 2008, James Morris wrote:
> On Thu, 31 Jul 2008, Gene Heskett wrote:
>
> > >Which new options?
> >
> > Make xconfig-->security options:
> >
> > XFRM Networking security hooks
> >
> > and several others just below it. Unforch, I can't copy/paste the screen.
>
> I can't really imagine what that is (although if you enable the secmark
> controls under the main SELinux menu, which are disabled by default,
> there could be problems).

On a possibly related note, I've been observing a strange issue on one of
my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
that there's no passno value in the fstab, although it obviously is present.

Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX unset,
the fsck doesn't complain about the missing passno field any more.

Thanks,
Rafael

2008-08-01 13:39:34

by Gene Heskett

Subject: Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)

On Thursday 31 July 2008, Rafael J. Wysocki wrote:
Update by Gene below.
>On Thursday, 31 of July 2008, James Morris wrote:
>> On Thu, 31 Jul 2008, Gene Heskett wrote:
>> > >Which new options?
>> >
>> > Make xconfig-->security options:
>> >
>> > XFRM Networking security hooks
>> >
>> > and several others just below it. Unforch, I can't copy/paste the
>> > screen.
>>
>> I can't really imagine what that is (although if you enable the secmark
>> controls under the main SELinux menu, which are disabled by default,
>> there could be problems).
>
>On a possibly related note, I've been observing a strange issue on one of
>my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
>that there's no passno value in the fstab, although it obviously is present.
>
>Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
> unset, the fsck doesn't complain about the missing passno field any more.
>
>Thanks,
>Rafael

I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig' from
my 2.6.26 final .config moved to that src tree.

httpd is still being denied access to its log files and dies during the bootup.

This is a showstopper for me.

From the log:
Aug 1 09:12:13 coyote setroubleshoot: SELinux prevented httpd reading and writing access to http files. For complete
SELinux messages. run sealert -l ecd4e1d6-59fa-47ff-830d-3fb7d9114805

From the output of that report:
The following command will allow this access:

setsebool -P httpd_unified=1
(Gene: but it is not effective)
Additional Information:

Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:httpd_log_t:s0
Target Objects ./error_log [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host coyote.coyote.den
Source RPM Packages httpd-2.2.8-1.fc8
Target RPM Packages
Policy RPM selinux-policy-3.0.8-109.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name httpd_unified
Host Name coyote.coyote.den
Platform Linux coyote.coyote.den 2.6.27-rc1 #2 PREEMPT Wed
Jul 30 19:05:14 EDT 2008 i686 athlon
Alert Count 11
First Seen Tue Jul 29 15:51:41 2008

There is more but you've seen it previously I believe.

Thanks for any help/solution.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Advertising may be described as the science of arresting the human
intelligence long enough to get money from it.

2008-08-01 13:48:44

by Eric Paris

Subject: Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)

On Fri, 2008-08-01 at 09:39 -0400, Gene Heskett wrote:
> On Thursday 31 July 2008, Rafael J. Wysocki wrote:
> Update by Gene below.
> >On Thursday, 31 of July 2008, James Morris wrote:
> >> On Thu, 31 Jul 2008, Gene Heskett wrote:
> >> > >Which new options?
> >> >
> >> > Make xconfig-->security options:
> >> >
> >> > XFRM Networking security hooks
> >> >
> >> > and several others just below it. Unforch, I can't copy/paste the
> >> > screen.
> >>
> >> I can't really imagine what that is (although if you enable the secmark
> >> controls under the main SELinux menu, which are disabled by default,
> >> there could be problems).
> >
> >On a possibly related note, I've been observing a strange issue on one of
> >my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
> >that there's no passno value in the fstab, although it obviously is present.
> >
> >Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
> > unset, the fsck doesn't complain about the missing passno field any more.
> >
> >Thanks,
> >Rafael
>
> I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig' from
> my 2.6.26 final .config moved to that src tree.
>
> httpd is still being denied access to its log files and dies during the bootup.
>
> This is a showstopper for me.

Stephen Smalley just sent me a private note. Apparently he is having
e-mail trouble but he did point out the most likely problem. Can you
add the patch from

http://marc.info/?l=linux-kernel&m=121726661110266&w=2

And give it a whirl? Sorry, but we think the problem is that the VFS
stopped passing all of the relevant information down to the security
system. httpd is only allowed to append to its log files, not actually
'write.' Since the VFS is no longer differentiating those two operations
you are getting the denial for write.

I'll try to get this pushed into linus's tree quickly.

-Eric

2008-08-01 14:02:49

by Al Viro

Subject: Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)

On Fri, Aug 01, 2008 at 09:47:59AM -0400, Eric Paris wrote:
> On Fri, 2008-08-01 at 09:39 -0400, Gene Heskett wrote:
> > On Thursday 31 July 2008, Rafael J. Wysocki wrote:
> > Update by Gene below.
> > >On Thursday, 31 of July 2008, James Morris wrote:
> > >> On Thu, 31 Jul 2008, Gene Heskett wrote:
> > >> > >Which new options?
> > >> >
> > >> > Make xconfig-->security options:
> > >> >
> > >> > XFRM Networking security hooks
> > >> >
> > >> > and several others just below it. Unforch, I can't copy/paste the
> > >> > screen.
> > >>
> > >> I can't really imagine what that is (although if you enable the secmark
> > >> controls under the main SELinux menu, which are disabled by default,
> > >> there could be problems).
> > >
> > >On a possibly related note, I've been observing a strange issue on one of
> > >my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
> > >that there's no passno value in the fstab, although it obviously is present.
> > >
> > >Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
> > > unset, the fsck doesn't complain about the missing passno field any more.
> > >
> > >Thanks,
> > >Rafael
> >
> > I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig' from
> > my 2.6.26 final .config moved to that src tree.
> >
> > httpd is still being denied access to its log files and dies during the bootup.
> >
> > This is a showstopper for me.
>
> Stephen Smalley just sent me a private note. Apparently he is having
> e-mail trouble but he did point out the most likely problem. Can you
> add the patch from
>
> http://marc.info/?l=linux-kernel&m=121726661110266&w=2
>
> And give it a whirl? Sorry, but we think the problem is that the VFS
> stopped passing all of the relevant information down to the security
> system. httpd is only allowed to append to its log files, not actually
> 'write.' Since the VFS is no longer differentiating those two operations
> you are getting the denial for write.
>
> I'll try to get this pushed into linus's tree quickly.

It's in linux-next, BTW. I'll push the next set to Linus in an hour or so.

2008-08-01 14:14:18

by Gene Heskett

Subject: Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)

On Friday 01 August 2008, Eric Paris wrote:
>On Fri, 2008-08-01 at 09:39 -0400, Gene Heskett wrote:
>> On Thursday 31 July 2008, Rafael J. Wysocki wrote:
>> Update by Gene below.
>>
>> >On Thursday, 31 of July 2008, James Morris wrote:
>> >> On Thu, 31 Jul 2008, Gene Heskett wrote:
>> >> > >Which new options?
>> >> >
>> >> > Make xconfig-->security options:
>> >> >
>> >> > XFRM Networking security hooks
>> >> >
>> >> > and several others just below it. Unforch, I can't copy/paste the
>> >> > screen.
>> >>
>> >> I can't really imagine what that is (although if you enable the secmark
>> >> controls under the main SELinux menu, which are disabled by default,
>> >> there could be problems).
>> >
>> >On a possibly related note, I've been observing a strange issue on one of
>> >my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
>> >that there's no passno value in the fstab, although it obviously is
>> > present.
>> >
>> >Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
>> > unset, the fsck doesn't complain about the missing passno field any
>> > more.
>> >
>> >Thanks,
>> >Rafael
>>
>> I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig'
>> from my 2.6.26 final .config moved to that src tree.
>>
>> httpd is still being denied access to its log files and dies during the
>> bootup.
>>
>> This is a showstopper for me.
>
>Stephen Smalley just sent me a private note. Apparently he is having
>e-mail trouble but he did point out the most likely problem. Can you
>add the patch from
>
>http://marc.info/?l=linux-kernel&m=121726661110266&w=2

Bingo!
The first version there was off about 10 line numbers so I just added the "|
MAY_APPEND", as the second version shows and that was it. Thanks.

>And give it a whirl? Sorry, but we think the problem is that the VFS
>stopped passing all of the relevant information down to the security
>system. httpd is only allowed to append to its log files, not actually
>'write.' Since the VFS is no longer differentiating those two operations
>you are getting the denial for write.
>
>I'll try to get this pushed into linus's tree quickly.

Looks like it's a good-to-go fix from this angle. Thanks Eric.
You could even put a tested by: Gene Heskett in it I suppose. :)

>-Eric



--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Fashion is a form of ugliness so intolerable that we have to alter it
every six months.
-- Oscar Wilde

2008-08-01 14:39:50

by Stephen Smalley

Subject: Re: 2.6.27-rc1 + selinux new options = no httpd


On Thu, 2008-07-31 at 10:44 -0400, Eric Paris wrote:
> On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
> > On Thursday 31 July 2008, James Morris wrote:
>
> > >What AVC messages are you seeing?
> >
> > I posted the whole screen from setroubleshoot earlier.
>
> I'm sorry but I can't seem to find it in your original message...
>
> http://marc.info/?l=linux-kernel&m=121747333012971&w=2
>
> Do you have another pointer? I can't think of anything that went into
> 2.6.27 related to SELinux that should have in any way changed file
> access checks but I'll poke through the changelog and see if something
> stands out...

It could be the append bug introduced by the vfs changes.
See:
http://marc.info/?l=linux-kernel&m=121726661110266&w=2

That would break any case where only append permission is granted (not
full write access), as would be typical for httpd log files.

--
Stephen Smalley
National Security Agency

2008-08-01 14:48:07

by Al Viro

Subject: Re: 2.6.27-rc1 + selinux new options = no httpd

On Fri, Aug 01, 2008 at 08:51:08AM -0400, Stephen Smalley wrote:
>
> On Thu, 2008-07-31 at 10:44 -0400, Eric Paris wrote:
> > On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
> > > On Thursday 31 July 2008, James Morris wrote:
> >
> > > >What AVC messages are you seeing?
> > >
> > > I posted the whole screen from setroubleshoot earlier.
> >
> > I'm sorry but I can't seem to find it in your original message...
> >
> > http://marc.info/?l=linux-kernel&m=121747333012971&w=2
> >
> > Do you have another pointer? I can't think of anything that went into
> > 2.6.27 related to SELinux that should have in any way changed file
> > access checks but I'll poke through the changelog and see if something
> > stands out...
>
> It could be the append bug introduced by the vfs changes.
> See:
> http://marc.info/?l=linux-kernel&m=121726661110266&w=2
>
> That would break any case where only append permission is granted (not
> full write access), as would be typical for httpd log files.

commit d54bb7a971b41b8a4baba6e3d9adf14ce035947f
Author: Stephen Smalley <[email protected]>
Date: Mon Jul 28 13:32:38 2008 -0400

Re: BUG at security/selinux/avc.c:883 (was: Re: linux-next: Tree
for July 17: early crash on x86-64)

in vfs-2.6.git/for-next (and for-linus as well)

2008-08-01 18:25:57

by Stephen Smalley

Subject: Re: 2.6.27-rc1 + selinux new options = no httpd


On Thu, 2008-07-31 at 10:44 -0400, Eric Paris wrote:
> On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
> > On Thursday 31 July 2008, James Morris wrote:
>
> > >What AVC messages are you seeing?
> >
> > I posted the whole screen from setroubleshoot earlier.
>
> I'm sorry but I can't seem to find it in your original message...
>
> http://marc.info/?l=linux-kernel&m=121747333012971&w=2
>
> Do you have another pointer? I can't think of anything that went into
> 2.6.27 related to SELinux that should have in any way changed file
> access checks but I'll poke through the changelog and see if something
> stands out...

I suspect it is the append bug introduced by the vfs changes, fixed by
http://marc.info/?l=linux-kernel&m=121726661110266&w=2

httpd would only be allowed append permission to its log file by policy.

--
Stephen Smalley
National Security Agency
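The explanation Eric and Stephen give above (the VFS dropping MAY_APPEND before the mask reaches the security hook, so an append-only open is checked as a full write and denied by a policy that grants httpd_t only append on httpd_log_t) can be modelled in user space. The program below is an added illustration written for this page; it is not kernel code and not the patch from the thread. The flag values, the access-vector values, the toy policy table and the two "VFS mask" helpers are all constructed for the model; the mapping in mask_to_av follows the shape of SELinux's file_mask_to_av (a write request carrying MAY_APPEND maps to the append permission, a plain write to the write permission).

```c
/* Added user-space model of the MAY_APPEND / MAY_WRITE distinction.
 * Not kernel code: flag values, access vectors and the policy table
 * below are constructed for illustration only. */
#include <stdio.h>
#include <string.h>

/* VFS permission-mask bits (model values). */
#define MAY_EXEC   0x1
#define MAY_WRITE  0x2
#define MAY_READ   0x4
#define MAY_APPEND 0x8

/* SELinux-style file access vector bits (model values). */
#define FILE_READ   0x1
#define FILE_WRITE  0x2
#define FILE_APPEND 0x4

/* Shaped after SELinux's file_mask_to_av(): a write request that
 * carries MAY_APPEND is checked as "append", otherwise as "write". */
static unsigned mask_to_av(unsigned mask)
{
    unsigned av = 0;
    if (mask & MAY_READ)
        av |= FILE_READ;
    if (mask & MAY_WRITE) {
        if (mask & MAY_APPEND)
            av |= FILE_APPEND;
        else
            av |= FILE_WRITE;
    }
    return av;
}

/* Toy policy table: httpd_t may only append to its log files, which is
 * what the thread says the targeted policy grants. */
struct rule { const char *scontext; const char *tcontext; unsigned allowed; };
static const struct rule policy[] = {
    { "httpd_t", "httpd_log_t",    FILE_APPEND },
    { "httpd_t", "httpd_config_t", FILE_READ },
};

/* Returns 1 when every requested bit is allowed, 0 on an AVC denial. */
static int policy_allows(const char *s, const char *t, unsigned av)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (!strcmp(policy[i].scontext, s) && !strcmp(policy[i].tcontext, t))
            return (av & ~policy[i].allowed) == 0;
    return 0;
}

/* Two versions of the VFS-side masking. The "buggy" one reproduces the
 * 2.6.27-rc1 behaviour described in the thread: MAY_APPEND is stripped
 * before the mask reaches the security hook. The "fixed" one keeps it,
 * which is the "| MAY_APPEND" Gene mentions adding. */
static unsigned vfs_mask_buggy(unsigned mask)
{
    return mask & (MAY_READ | MAY_WRITE | MAY_EXEC);
}
static unsigned vfs_mask_fixed(unsigned mask)
{
    return mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND);
}

/* Full path of one open(): VFS masking, then the AV mapping, then policy. */
static int check_open(const char *s, const char *t, unsigned req,
                      unsigned (*vfs)(unsigned))
{
    return policy_allows(s, t, mask_to_av(vfs(req)));
}

int main(void)
{
    unsigned append_open = MAY_WRITE | MAY_APPEND; /* O_WRONLY|O_APPEND */
    printf("append open, fixed VFS : %s\n",
           check_open("httpd_t", "httpd_log_t", append_open, vfs_mask_fixed)
               ? "granted" : "denied");
    printf("append open, buggy VFS : %s\n",
           check_open("httpd_t", "httpd_log_t", append_open, vfs_mask_buggy)
               ? "granted" : "denied");
    printf("plain write, fixed VFS : %s\n",
           check_open("httpd_t", "httpd_log_t", MAY_WRITE, vfs_mask_fixed)
               ? "granted" : "denied");
    return 0;
}
```

The model shows why relabeling and the suggested boolean could not help: the policy already allowed what httpd asked for, but the request arrived at the security hook as a different, stronger operation. The practical check on a real box is the same one Valdis suggested, boot permissive and read the AVC denial; a denial naming "write" on a file the domain is only expected to append to points at the caller's request being widened somewhere below it, not at the policy.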

2008-08-01 18:59:24

by Gene Heskett

Subject: Re: 2.6.27-rc1 + selinux new options = no httpd

On Thursday 31 July 2008, Stephen Smalley wrote:
>On Thu, 2008-07-31 at 10:44 -0400, Eric Paris wrote:
>> On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
>> > On Thursday 31 July 2008, James Morris wrote:
>> > >What AVC messages are you seeing?
>> >
>> > I posted the whole screen from setroubleshoot earlier.
>>
>> I'm sorry but I can't seem to find it in your original message...
>>
>> http://marc.info/?l=linux-kernel&m=121747333012971&w=2
>>
>> Do you have another pointer? I can't think of anything that went into
>> 2.6.27 related to SELinux that should have in any way changed file
>> access checks but I'll poke through the changelog and see if something
>> stands out...
>
>I suspect it is the append bug introduced by the vfs changes, fixed by
>http://marc.info/?l=linux-kernel&m=121726661110266&w=2
>
>httpd would only be allowed append permission to its log file by policy.

This fixed it right up a few hours ago, Stephen. Thanks.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Keep the phase, baby.