Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've installed a live version of Fedora 10 which also has SELinux installed on it. After I log in and try and connect to the network I receive an error stating
Quote:
nm-dhcp-client. (dhcpc_t) "read" to libdbus-glib-1.so.2 (usr_t).
I have done absolutely nothing to my system yet. Is this normal behavior for SElinux?
Any suggestions on how to fix it?
===================================
Edit:
Simply putting SELinux in permissive mode is not what I am looking for. It's my understanding that SELinux is a good security measure. I should also state that the message is less of an error and more of a warning or explanation.
I can't be the only one with this issue. It's literally a fresh install. I know my network card is working I had a non-live version of FC10 on just a few hours ago and it was working fine.
I notice also that during boot there are some issues starting NFS ...statd..... RPC IDMAP... I can post more on that if you think its helpful.
If I can't get this to work than I feel like either SELinux is way more trouble than its worth... which is a shame considering the amount of work that has gone into it, or I have a peculiar setup compared to other people.
type setenforce 0 and that will put the policy in a passive mode. I don't know if you can update the policy if it is a live version of fc10
Also Please be patient for people to respond. I have noticed that there are few regulars that
are familiar with SELinux on the forums. SELinux can be a handful
I've installed a live version of Fedora 10 which also has SELinux installed on it. After I log in and try and connect to the network I receive an error stating
I have done absolutely nothing to my system yet. Is this normal behavior for SElinux?
Any suggestions on how to fix it?
===================================
Edit:
Simply putting SELinux in permissive mode is not what I am looking for. It's my understanding that SELinux is a good security measure. I should also state that the message is less of an error and more of a warning or explanation.
are you running it live off a cd or from an install?
getsebool is a good way to check but can be useless if your selinux booleans file is empty(like mine). Since the booleans file is not required for the system to work you can blank the booleans file and just let the policy decide what is and is not allowed.
(this will only work if you have a modular policy, if you have a monolithc policy then set booleans is the way to go)
if it is installed and not a live cd
put the system into permissive mode with setenforce then
then cd to a tmp dir. like /tmp
run audit2allow -a -l -m netmanager
that will create a module for selinux to use ( as long as you have a modular policy and not a monolithic policy)
then in the same directory run
semodule -i netmanager.pp ( i think it is .pp there are 3 files that audit2allow creates but it will only allow one to work with semodule)
I installed FC10 off of a live version disc. So in other words it is booting off of the hard drive. I Should also point out that the network was working fine when I had booted the live version off of the disc.
# getsebool -a | grep -i network
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
qemu_full_network --> on
spamassassin_can_network --> off
xguest_connect_network --> off
# getsebool -a | grep -i tcp
user_tcp_server --> off
# getsebool -a | grep -i network
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
qemu_full_network --> on
spamassassin_can_network --> off
xguest_connect_network --> off
# getsebool -a | grep -i tcp
user_tcp_server --> off
Hmm...it seems that they changed it in F10...I may need the whole output...
# getsebool -a
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tty --> on
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> on
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_gssd_read_tmp --> on
allow_guest_exec_content --> off
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
allow_kerberos --> off
allow_mount_anyfile --> on
allow_mplayer_execstack --> off
allow_nfsd_anon_write --> off
allow_nsplugin_execmem --> on
allow_polyinstantiation --> off
allow_postfix_local_write_mail_spool --> on
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_saslauthd_read_shadow --> off
allow_smbd_anon_write --> off
allow_ssh_keysign --> off
allow_staff_exec_content --> on
allow_sysadm_exec_content --> on
allow_unconfined_exec_content --> on
allow_unconfined_mmap_low --> off
allow_unconfined_nsplugin_transition --> on
allow_unconfined_qemu_transition --> off
allow_user_exec_content --> on
allow_user_postgresql_connect --> off
allow_write_xshm --> off
allow_xguest_exec_content --> off
allow_xserver_execmem --> on
allow_ypbind --> off
allow_zebra_write_config --> on
browser_confine_xguest --> off
browser_write_xguest_data --> off
cdrecord_read_content --> off
exim_can_connect_db --> off
exim_manage_user_files --> off
exim_read_user_files --> off
fcron_crond --> off
ftp_home_dir --> off
global_ssp --> off
gpg_agent_env_file --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_enable_cgi --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_ssi_exec --> off
httpd_tty_comm --> on
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_nfs --> off
init_upstart --> on
named_write_master_zones --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
openvpn_enable_homedirs --> off
pppd_can_insmod --> off
pppd_for_user --> off
qemu_full_network --> on
qemu_use_cifs --> on
qemu_use_nfs --> on
read_default_t --> on
read_untrusted_content --> off
rsync_export_all_ro --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_fusefs --> off
samba_share_nfs --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
sepgsql_enable_users_ddl --> on
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
squid_connect_any --> off
ssh_sysadm_login --> off
tftp_anon_write --> off
use_lpd_server --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
user_direct_mouse --> off
user_ping --> on
user_rw_noexattrfile --> on
user_tcp_server --> off
user_ttyfile_stat --> off
virt_use_nfs --> off
virt_use_samba --> off
webadm_manage_user_files --> off
webadm_read_user_files --> off
write_untrusted_content --> off
xdm_sysadm_login --> off
xen_use_nfs --> off
xguest_connect_network --> off
xguest_mount_media --> off
xguest_use_bluetooth --> off
xserver_object_manager --> off
xserver_rw_x_device --> on
These should all be default values, for better or for worse
# getsebool -a
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tty --> on
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> on
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_gssd_read_tmp --> on
allow_guest_exec_content --> off
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
allow_kerberos --> off
allow_mount_anyfile --> on
allow_mplayer_execstack --> off
allow_nfsd_anon_write --> off
allow_nsplugin_execmem --> on
allow_polyinstantiation --> off
allow_postfix_local_write_mail_spool --> on
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_saslauthd_read_shadow --> off
allow_smbd_anon_write --> off
allow_ssh_keysign --> off
allow_staff_exec_content --> on
allow_sysadm_exec_content --> on
allow_unconfined_exec_content --> on
allow_unconfined_mmap_low --> off
allow_unconfined_nsplugin_transition --> on
allow_unconfined_qemu_transition --> off
allow_user_exec_content --> on
allow_user_postgresql_connect --> off
allow_write_xshm --> off
allow_xguest_exec_content --> off
allow_xserver_execmem --> on
allow_ypbind --> off
allow_zebra_write_config --> on
browser_confine_xguest --> off
browser_write_xguest_data --> off
cdrecord_read_content --> off
exim_can_connect_db --> off
exim_manage_user_files --> off
exim_read_user_files --> off
fcron_crond --> off
ftp_home_dir --> off
global_ssp --> off
gpg_agent_env_file --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_enable_cgi --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_ssi_exec --> off
httpd_tty_comm --> on
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_nfs --> off
init_upstart --> on
named_write_master_zones --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
openvpn_enable_homedirs --> off
pppd_can_insmod --> off
pppd_for_user --> off
qemu_full_network --> on
qemu_use_cifs --> on
qemu_use_nfs --> on
read_default_t --> on
read_untrusted_content --> off
rsync_export_all_ro --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_fusefs --> off
samba_share_nfs --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
sepgsql_enable_users_ddl --> on
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
squid_connect_any --> off
ssh_sysadm_login --> off
tftp_anon_write --> off
use_lpd_server --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
user_direct_mouse --> off
user_ping --> on
user_rw_noexattrfile --> on
user_tcp_server --> off
user_ttyfile_stat --> off
virt_use_nfs --> off
virt_use_samba --> off
webadm_manage_user_files --> off
webadm_read_user_files --> off
write_untrusted_content --> off
xdm_sysadm_login --> off
xen_use_nfs --> off
xguest_connect_network --> off
xguest_mount_media --> off
xguest_use_bluetooth --> off
xserver_object_manager --> off
xserver_rw_x_device --> on
These should all be default values, for better or for worse
Re-reading the thread caused me to think that this is a not a Boolean problem...but a context problem (sorry I lead you down the wrong path earlier but I guess that's why pencils have erasers)...you need to either do
Code:
root@host# restorecon -v 'libdbus-glib-1.so.2'
NOTE: you need to "cd" into the path of libdbus-glib-1.so.2
OR
If you don't know where it is do the following...
Code:
root@host# touch /.autorelabel
root@host# shutdown -r now
If that doesn't work, you need to manually set the con on the lib. Something like
Code:
root@host# chcon -t dhcpc_t libdbus-glib-1.so.2
Your best bet is to try to find the path of libdbus-glib-1.so.2 and user the restorecon command...
I have only recently started reading up on SELinux. I haven't found too much for resources that contain practical examples.
My basic understanding is that the context was somehow incorrect. Perhaps it was confined in some way? I wonder what the issue is in going from the live [off disc] version, to the installed on hard drive version.
My knowledge of SELinux is limited (to say the least). I just know enough to make it work
Basically DHCP was trying to access libdbus-glib-1.so.2.1.0 and SELinux didn't like that (for whatever reason...I'm pretty sure the logs will tell you specifically why).
Also note that SELinux acts "funny" with symbolic links. So you just have to watch the logs and turn on the SELinux troubleshooter.
Running "chcon -t dhcpc_t libdbus-glib-1.so.2" would not have been a good thing to do. Sure it alleviates things but that would be like treating symptoms instead of addressing the cause. Recall that SELinux by default does not allow any access (and that includes root AFAIK) and that it's only rules that shape access, transitions, et cetera. So if a process with context "dhcpc_t" is not allowed to access a resource with context "usr_t" (see /etc/selinux/${POLICY}/contexts/files/file_contexts) then you get a denial. So restoring the context on the library was a Good first Thing to do in terms of troubleshooting. Not that I know anything about SELinux of course.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
