Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi,
SELinux has blocked my internet, and I did not understand the logs. Can someone help me out?
Code:
LOG
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "execute" to ./udevadm
(udev_exec_t).
Detailed Description:
SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./udevadm,
restorecon -v './udevadm'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:object_r:udev_exec_t:s0
Target Objects ./udevadm [ file ]
Source NetworkManager
Source Path /usr/sbin/NetworkManager
Port <Unknown>
Host xpro.blackperl
Source RPM Packages NetworkManager-0.7.0.99-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-45.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name xpro.blackperl
Platform Linux xpro.blackperl 2.6.27.15-170.2.24.fc10.i686
#1 SMP Wed Feb 11 23:58:12 EST 2009 i686 i686
Alert Count 1
First Seen Tuesday 10 March 2009 09:34:49 AM IST
Last Seen Tuesday 10 March 2009 10:08:33 AM IST
Local ID 8c570041-c0c3-4a34-9d4d-6089784e2a03
Line Numbers
Raw Audit Messages
node=xpro.blackperl type=AVC msg=audit(1236659913.44:22): avc: denied { execute } for pid=3526 comm="NetworkManager" name="udevadm" dev=dm-0 ino=655611 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file
node=xpro.blackperl type=SYSCALL msg=audit(1236659913.44:22): arch=40000003 syscall=11 success=no exit=-13 a0=809eb60 a1=bfd9ec0c a2=bfda0020 a3=809eb60 items=0 ppid=2190 pid=3526 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
Are you using a server or a desktop / workstation? i.e. do you absolutely have to have SELinux enabled, because I think you should turn it off, it's a PITA. Unless, of course, your company tells you to keep it on.
I am sorry but please disregard the statement above. The last thing we should do on LQ is tell members to disable security services because they are "hard to use"/"lack of knowledge".
It just looks like selinux does not have a policy for it.
I am guessing you are running the default policy so we should be able to create a module for selinux to allow it.
type
setenforce 0
then try and start network manager again and it should be successful (it will log that it is not allowed, but it will allow it to work).
then cd to a tmp dir, like /tmp
run audit2allow -a -l -m netmanager
that will create a module for selinux to use (as long as you have a modular policy and not a monolithic policy)
then in the same directory run
semodule -i netmanager.pp (I think it is .pp; there are 3 files that audit2allow creates, but it will only allow one to work with semodule)
then you can type setenforce 1 and it should work from then on.
I too agree the subjective opinion of one person (who might not even run SE Linux, GRSecurity, LIDS or equivalent himself) shouldn't keep you from running SE Linux. There is no realistic equivalent in the GNU/Linux world that is maintained and supported like this, gains adaptation and helps distributions get EAL certified. What's more is that SE Linux has proven itself by actually mitigating or stopping malicious activity (see Dan Walsh web log). Also everyone enabling it can help make it better just by running it, getting bugs resolved and policies updated. And unlike other solutions you get the upstream policies so you don't have to build any from scratch (unless you need MLS or like that) to work with SE Linux. And even if you would need to adjust your policy there's lots of tools and documentation to help you get going in no time.
In short: yes, SE Linux is worthwhile enabling. Offering only the opinion it's a PITA for not running SE Linux is not about progress and community but stagnation, standstill. It is not objective nor does it actually help anybody.
While there may be other ways, to target the above AVC message 8c570041-c0c3-4a34-9d4d-6089784e2a03 only one local policy adjustment rule is needed. To get the code below run 'sealert -l 8c570041-c0c3-4a34-9d4d-6089784e2a03|audit2allow -r'. Full module code:
Code:
module local 1.0;
require {
type NetworkManager_t;
type udev_exec_t;
class file execute;
}
#============= NetworkManager_t ==============
allow NetworkManager_t udev_exec_t:file execute;
Thanks for the reply. I am using Fedora 10 desktop edition; I use it for my Java development. I am new to Linux and did not understand why it stopped. I will try the option given above.
Unless you're running a mission critical server I see this as over-complication and with minimal benefit. It's more likely to mess things up than keep things secure. Yeah, sure, it's IMO. I have used it, BTW, and this is not the worst that can happen if you misconfigure it accidentally, so do be careful.
I ran setenforce 0 and bang, it is working, great!!
If you read slimm609's reply well you will see that running "setenforce 0" is just the first step and that putting SE Linux in permissive mode is not the full solution.
Quote:
Originally Posted by H_TeXMeX_H
Unless you're running a mission critical server I see this as over-complication and with minimal benefit. It's more likely to mess things up than keep things secure. Yeah, sure, it's IMO.
Not only that, but unless you manage to post actual examples it amounts to FUD. And that is something we will not have in this forum. Here's some R/L facts: HPLIP, Mambo, Apache, OpenPegasus and Flash.
Thanks unSpawn,
I tried the next step.
I created a test directory in /tmp,
then ran
audit2allow -a -l -m netmanager
and got the following output, and no file was generated.
Code:
module netmanager 1.0;
require {
type NetworkManager_t;
type udev_exec_t;
type xdm_t;
type root_t;
class dir create;
class file execute;
}
#============= NetworkManager_t ==============
allow NetworkManager_t udev_exec_t:file execute;
#============= xdm_t ==============
allow xdm_t root_t:dir create;
What do I need to do next? Sorry, I am totally new to this.
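The two modules shown above (unSpawn's single-rule "local" module and the "netmanager" module that audit2allow -a pulled out of the whole audit log, xdm_t rule included) illustrate what audit2allow does with raw AVC lines and why the generated .te file should be read before semodule -i installs it. The script below is an added example, not code from the thread or from the SELinux tools: it parses constructed AVC lines modelled on the ones posted here into (source type, target type, class, permission) tuples, keeps only the rules for the domain you actually meant to fix, and prints a minimal TE module in the same layout as audit2allow's output. The function names, the AVC_SAMPLE text and the "local" module name are assumptions for the example; it runs with plain sh and awk and does not need SELinux tooling.

```shell
#!/bin/sh
# Added example (not from the thread): AVC denial lines -> minimal TE module,
# with a review step that drops rules for domains other than the one intended.

# Constructed sample, modelled on the thread's AVC line plus the xdm_t denial
# that audit2allow -a picked up from the rest of the audit log. The SYSCALL
# record is included to show that only type=AVC records are used.
AVC_SAMPLE='node=xpro.blackperl type=AVC msg=audit(1236659913.44:22): avc: denied { execute } for pid=3526 comm="NetworkManager" name="udevadm" dev=dm-0 ino=655611 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file
node=xpro.blackperl type=AVC msg=audit(1236659950.10:23): avc: denied { create } for pid=2200 comm="gdm" name="tmpdir" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=xpro.blackperl type=SYSCALL msg=audit(1236659913.44:22): arch=40000003 syscall=11 success=no exit=-13 comm="NetworkManager" exe="/usr/sbin/NetworkManager"'

# avc_rules: stdin = audit records; stdout = one "stype ttype tclass perm" per
# distinct denial. A brace set with several permissions yields one line each.
avc_rules() {
    awk '
    /type=AVC/ && /denied/ {
        perm = ""; stype = ""; ttype = ""; tclass = ""
        # the permission set sits between the braces: denied { execute } for ...
        if (match($0, /\{[^}]*\}/)) perm = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      stype = ctx_type($i)
            else if ($i ~ /^tcontext=/) ttype = ctx_type($i)
            else if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        }
        if (stype == "" || ttype == "" || tclass == "") next
        np = split(perm, perms, " ")           # splitting on " " trims the padding
        for (p = 1; p <= np; p++) {
            key = stype " " ttype " " tclass " " perms[p]
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    }
    # ctx_type: "scontext=user:role:type:level" -> "type"
    function ctx_type(field,   parts) {
        sub(/^[a-z]*=/, "", field)
        split(field, parts, ":")
        return parts[3]
    }'
}

# Review step: keep rules whose source domain is $1, or list the others so a
# stray rule (like the xdm_t one) is noticed before anything is installed.
rules_for_domain() { awk -v want="$1" '$1 == want'; }
foreign_rules()    { awk -v want="$1" '$1 != want'; }

# te_module NAME: stdin = rule tuples; stdout = a .te file in audit2allow layout.
te_module() {
    awk -v name="$1" '
    {
        rs[NR] = $1; rt[NR] = $2; rc[NR] = $3; rp[NR] = $4
        if (!($1 in seen_t)) { seen_t[$1] = 1; torder[++nt] = $1 }
        if (!($2 in seen_t)) { seen_t[$2] = 1; torder[++nt] = $2 }
        if (!($3 in seen_c)) { seen_c[$3] = 1; corder[++nc] = $3 }
        # collect each class'"'"'s permissions once, preserving order
        if (index(" " perms[$3] " ", " " $4 " ") == 0) perms[$3] = perms[$3] " " $4
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", torder[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", corder[i], perms[corder[i]]
        print "}"
        dom = ""
        for (i = 1; i <= NR; i++) {
            if (rs[i] != dom) { dom = rs[i]; printf "\n#============= %s ==============\n", dom }
            printf "allow %s %s:%s %s;\n", rs[i], rt[i], rc[i], rp[i]
        }
    }'
}

# Stand-alone run: the module for NetworkManager_t only, and what was left out.
printf '%s\n' "$AVC_SAMPLE" | avc_rules | rules_for_domain NetworkManager_t | te_module local
printf '%s\n' "$AVC_SAMPLE" | avc_rules | foreign_rules NetworkManager_t | sed 's/^/left out of module: /'
```

Run as-is it prints the same one-rule module unSpawn posted and reports the xdm_t/root_t rule as left out. The printed .te text is what you would review; turning it into an installable package is still the real toolchain's job (audit2allow -M does it in one step, or checkmodule -M -m -o local.mod local.te followed by semodule_package -o local.pp -m local.mod), after which semodule -i local.pp installs it.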
I agree that SELinux is a PITA; however, unless you're an expert admin it's better to keep all the security active that you can, and in this case the problem is relatively easy to fix.
Sorry about that. I did not have a Red Hat/Fedora box by me, only Solaris boxes, so I just had to go off of memory. It's audit2allow -a -l -M netmanager
The M is the one you want, not the lowercase. That should fix the problem.
Hi, I am not an expert admin; I am running a desktop system. I am a Java developer and run several servers (tomcat, mysql, php, weblogic, glassfish, jboss). And I just migrated from Vista to Fedora 10.
Thanks slimm609, I tried
Code:
audit2allow -a -l -M netmanager
and it worked.
The output of
Code:
root@fedora# getsebool -a |grep -i network
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
nsplugin_can_network --> on
qemu_full_network --> on
spamassassin_can_network --> off
xguest_connect_network --> on
I played around with Fedora 10 on my old laptop. When I got an SE Linux alert, I would copy the alert from the popup, and then copy it to a file.
e.g.
cat >netmanager
[PRESS CTRL-V to paste alert to file & press CTRL-D]
Then I would run "audit2allow -M netmanager". This created a netmanager.te and netmanager.pp file (IIRC)
Next I would run "sudo semodule -i netmanager.pp"
This way, I only included the last exception that I knew I triggered myself in the audit2allow command. I hadn't learned how to analyse what the policy audit exceptions meant, so I didn't trust myself to use the entire audit log to generate a policy.
I created a directory to store the policy files so they wouldn't cause clutter.
It was a little frustrating at first because I had to repeat the process several times before I could run flash in Firefox. But after the first couple days, it settled down and it was so long before my next exception that I forgot how to do it! I do wish that they hadn't changed the Fedora web site, because the link embedded in the GUI alert used to take you directly to the instructions for dealing with it. Now you end up at a page with a myriad of options instead.