* how to enable se linux for my app?
From: Greger @ 2007-02-09 18:56 UTC
To: selinux

well just a quickie:
I wrote an application, but can not run the linux executable nor libraries
when selinux is activated. what command should i use to "include" the
libraries and executable under selinux?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: how to enable se linux for my app?
From: Michael C Thompson @ 2007-02-09 19:12 UTC
To: Greger; +Cc: selinux

Greger wrote:
> well just a quickie:
> I wrote an application, but can not run the linux executable nor libraries
> when selinux is activated. what command should i use to "include" the
> libraries and executable under selinux?

It's most likely a type enforcement issue. Your application need not be
"SELinux aware" for it to execute at all. However, it must be labeled
appropriately in the file system, with a type that is executable (e.g. bin_t).
Common library types are lib_t and shlib_t.

What policy are you using (strict/targeted/custom)?

* Re: how to enable se linux for my app?
From: Greger @ 2007-02-09 20:25 UTC
To: Michael C Thompson; +Cc: selinux

On Fri, 09 Feb 2007 13:12:48 -0600, Michael C Thompson wrote
> Greger wrote:
> > well just a quickie:
> > I wrote an application, but can not run the linux executable nor libraries
> > when selinux is activated. what command should i use to "include" the
> > libraries and executable under selinux?
>
> It's most likely a type enforcement issue. Your application need not
> be "SELinux aware" for it to execute at all. However, it must be
> labeled appropriately in the file system, with a type that is
> executable (e.g. bin_t). Common library types are lib_t and shlib_t.
>
> What policy are you using (strict/targeted/custom)?

hi, well not sure,
I have these options in the settings dialog:
1) "upprätthållande" (swedish) means sort of "maintained" or "protected" in english
2) "tillåtande", which means "allowing"
3) "inactiverad", inactivated.
I'd like to have protection with the first option, but with that I can't run
the app. So, what do I need to do on the executable and libs when I install
them, to make them runnable?
many thanks for any advice.

--
http://www.gregerhaga.net/
http://hack-space.biz/

* Re: how to enable se linux for my app?
From: Stephen Smalley @ 2007-02-09 20:39 UTC
To: Greger; +Cc: Michael C Thompson, selinux

On Fri, 2007-02-09 at 22:25 +0200, Greger wrote:
> On Fri, 09 Feb 2007 13:12:48 -0600, Michael C Thompson wrote
> > Greger wrote:
> > > well just a quickie:
> > > I wrote an application, but can not run the linux executable nor libraries
> > > when selinux is activated. what command should i use to "include" the
> > > libraries and executable under selinux?
> >
> > It's most likely a type enforcement issue. Your application need not
> > be "SELinux aware" for it to execute at all. However, it must be
> > labeled appropriately in the file system, with a type that is
> > executable (e.g. bin_t). Common library types are lib_t and shlib_t.
> >
> > What policy are you using (strict/targeted/custom)?
> hi, well not sure,
> I have these options in the settings dialog:
> 1) "upprätthållande" (swedish) means sort of "maintained" or "protected" in english
> 2) "tillåtande", which means "allowing"
> 3) "inactiverad", inactivated.
> I'd like to have protection with the first option, but with that I can't run
> the app. So, what do I need to do on the executable and libs when I install
> them, to make them runnable?
> many thanks for any advice.

i.e. enforcing/permissive/disabled. Those are system-wide settings, not
per-application.

What you should do is look at your audit logs (either /var/log/messages if not
running auditd or /var/log/audit/audit.log if running it) to see the particular
denials, and then we can decide how best to proceed with your application.
Look for "avc: denied" messages. What is your base distribution (e.g. Fedora
Core 6?)?

--
Stephen Smalley
National Security Agency

* Re: how to enable se linux for my app?
From: Greger @ 2007-02-09 22:36 UTC
To: Stephen Smalley; +Cc: Michael C Thompson, selinux

On Fri, 09 Feb 2007 15:39:58 -0500, Stephen Smalley wrote
> On Fri, 2007-02-09 at 22:25 +0200, Greger wrote:
> > On Fri, 09 Feb 2007 13:12:48 -0600, Michael C Thompson wrote
> > > Greger wrote:
> > > > well just a quickie:
> > > > I wrote an application, but can not run the linux executable nor libraries
> > > > when selinux is activated. what command should i use to "include" the
> > > > libraries and executable under selinux?
> > >
> > > It's most likely a type enforcement issue. Your application need not
> > > be "SELinux aware" for it to execute at all. However, it must be
> > > labeled appropriately in the file system, with a type that is
> > > executable (e.g. bin_t). Common library types are lib_t and shlib_t.
> > >
> > > What policy are you using (strict/targeted/custom)?
> > hi, well not sure,
> > I have these options in the settings dialog:
> > 1) "upprätthållande" (swedish) means sort of "maintained" or "protected" in english
> > 2) "tillåtande", which means "allowing"
> > 3) "inactiverad", inactivated.
> > I'd like to have protection with the first option, but with that I can't run
> > the app. So, what do I need to do on the executable and libs when I install
> > them, to make them runnable?
> > many thanks for any advice.
>
> i.e. enforcing/permissive/disabled. Those are system-wide settings,
> not per-application.
>
> What you should do is look at your audit logs (either /var/log/messages
> if not running auditd or /var/log/audit/audit.log if running it) to see
> the particular denials, and then we can decide how best to proceed with
> your application. Look for "avc: denied" messages. What is your base
> distribution (e.g. Fedora Core 6?)?

yes, fc6, found this in /var/log/messages

    Feb 10 02:35:41 localhost kernel: audit(1171067741.422:18): avc: denied { execmod } for pid=29429 comm="x" name="libqxrssapp.so" dev=dm-0 ino=2588491 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

qxrssapp is a library that the application uses, the app is made of six
libraries plus the main func in the executable.

> --
> Stephen Smalley
> National Security Agency

--
http://www.gregerhaga.net/
http://hack-space.biz/

* Re: how to enable se linux for my app?
From: Russell Coker @ 2007-02-10 8:19 UTC
To: Greger; +Cc: Stephen Smalley, Michael C Thompson, selinux

On Saturday 10 February 2007 09:36, "Greger" <boss@gregerhaga.net> wrote:
> Feb 10 02:35:41 localhost kernel: audit(1171067741.422:18): avc: denied {
> execmod } for pid=29429 comm="x" name="libqxrssapp.so" dev=dm-0
> ino=2588491 scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>
> qxrssapp is a library that the application uses, the app is made of six
> libraries plus the main func in the executable.

http://etbe.blogspot.com/2007/02/execmod.html

Your shared object needs to be compiled with -fpic or -fPIC. The command
eu-findtextrel can be used to discover which functions were compiled
incorrectly. See the above URL for more information.

--
russell@coker.com.au
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

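
Added example, not part of the thread or any poster's code: a small shell/awk filter for the step Stephen Smalley describes (finding "avc: denied" records in the logs), which also marks execmod denials, the case Russell Coker attributes to a shared object built without -fpic/-fPIC. The function names, the output format and the second sample record are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): one summary line per SELinux AVC denial.

# Sample input. Line 1 is the denial quoted in the thread; line 2 is a
# constructed denial with two permissions; line 3 is unrelated noise.
sample_log() {
cat <<'EOF'
Feb 10 02:35:41 localhost kernel: audit(1171067741.422:18): avc: denied { execmod } for pid=29429 comm="x" name="libqxrssapp.so" dev=dm-0 ino=2588491 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Feb 10 02:36:02 localhost kernel: audit(1171067762.101:19): avc: denied { read write } for pid=1234 comm="demo" name="data.db" dev=dm-0 ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
Feb 10 02:36:05 localhost kernel: eth0: link up
EOF
}

# Read syslog or audit.log text on stdin and print, for every "avc: denied"
# record: command, permissions, object class, file name, source/target types.
avc_summary() {
    awk '
    /avc:[ \t]+denied/ {
        split("", f)                      # reset the key=value map
        b = index($0, "{"); e = index($0, "}")
        perms = (b && e > b) ? substr($0, b + 1, e - b - 1) : ""
        gsub(/^[ \t]+|[ \t]+$/, "", perms)
        gsub(/[ \t]+/, ",", perms)        # "read write" -> "read,write"
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (!eq) continue
            v = substr($i, eq + 1)
            gsub(/"/, "", v)
            f[substr($i, 1, eq - 1)] = v
        }
        # A context is user:role:type:level; type enforcement keys on field 3.
        split(f["scontext"], s, ":"); split(f["tcontext"], t, ":")
        # execmod is the denial the thread traces to a library built
        # without -fpic/-fPIC, so flag it for a rebuild check.
        note = (("," perms ",") ~ /,execmod,/) ? " note=check-fPIC" : ""
        printf "comm=%s perms=%s class=%s name=%s source=%s target=%s%s\n",
            f["comm"], perms, f["tclass"], f["name"], s[3], t[3], note
    }'
}

sample_log | avc_summary
```

On a live system the same function reads the files named in the thread, e.g. `avc_summary < /var/log/audit/audit.log`, or `/var/log/messages` when auditd is not running.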