lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 1 Aug 2008 09:39:04 -0400
From:	Gene Heskett <gene.heskett@...il.com>
To:	"Rafael J. Wysocki" <rjw@...k.pl>
Cc:	James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org,
	Eric Paris <eparis@...hat.com>,
	Stephen Smalley <sds@...ho.nsa.gov>
Subject: Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)

On Thursday 31 July 2008, Rafael J. Wysocki wrote:
Update by Gene below.
>On Thursday, 31 of July 2008, James Morris wrote:
>> On Thu, 31 Jul 2008, Gene Heskett wrote:
>> > >Which new options?
>> >
>> > Make xconfig-->security options:
>> >
>> > XFRM Networking security hooks
>> >
>> >  and several others just below it.  Unforch, I can't copy/paste the
>> > screen.
>>
>> I can't really imagine what that is (although if you enable the secmark
>> controls under the main SELinux menu, which are disabled by default,
>> there could be problems).
>
>On a possibly related note, I've been observing a strange issue on one of
>my test boxes with OpenSUSE 10.3 recently.   Namely, the fsck complains
>that there's no passno value in the fstab, although it obviously is present.
>
>Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
> unset, the fsck doesn't complain about the missing passno field any more.
>
>Thanks,
>Rafael

I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig' from
my 2.6.26 final .config moved to that src tree.

httpd is still being denied access to its log files and dies during the bootup.

This is a showstopper for me.

>From the log:
Aug  1 09:12:13 coyote setroubleshoot: SELinux prevented httpd reading and writing access to http files. For complete 
SELinux messages. run sealert -l ecd4e1d6-59fa-47ff-830d-3fb7d9114805

>From the output of that report:
The following command will allow this access:

setsebool -P httpd_unified=1
(Gene: but it is not effective)
Additional Information:

Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_log_t:s0
Target Objects                ./error_log [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          coyote.coyote.den
Source RPM Packages           httpd-2.2.8-1.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-109.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   httpd_unified
Host Name                     coyote.coyote.den
Platform                      Linux coyote.coyote.den 2.6.27-rc1 #2 PREEMPT Wed
                              Jul 30 19:05:14 EDT 2008 i686 athlon
Alert Count                   11
First Seen                    Tue Jul 29 15:51:41 2008

There is more but you've seen it previously I believe.

Thanks for any help/solution.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Advertising may be described as the science of arresting the human
intelligence long enough to get money from it.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ