* how to enable se linux for my app?
From: Greger @ 2007-02-09 18:56 UTC (permalink / raw)
To: selinux
well just a quickie:
I wrote an application, but can not run the linux executable nor libraries
when selinux is activated. what command should i use to "include" the
libraries and executable under selinux?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: how to enable se linux for my app?
From: Michael C Thompson @ 2007-02-09 19:12 UTC (permalink / raw)
To: Greger; +Cc: selinux
Greger wrote:
> well just a quickie:
> I wrote an application, but can not run the linux executable nor libraries
> when selinux is activated. what command should i use to "include" the
> libraries and executable under selinux?
It's most likely a type enforcement issue. Your application need not be
"SELinux aware" for it to execute at all. However, it must be labeled
appropriately in the file system, with a type that is executable (e.g.
bin_t). Common library types are lib_t and shlib_t.
What policy are you using (strict/targeted/custom)?
* Re: how to enable se linux for my app?
From: Greger @ 2007-02-09 20:25 UTC (permalink / raw)
To: Michael C Thompson; +Cc: selinux
On Fri, 09 Feb 2007 13:12:48 -0600, Michael C Thompson wrote
> Greger wrote:
> > well just a quickie:
> > I wrote an application, but can not run the linux executable nor libraries
> > when selinux is activated. what command should i use to "include" the
> > libraries and executable under selinux?
>
> It's most likely a type enforcement issue. Your application need not
> be "SELinux aware" for it to execute at all. However, it must be
> labeled appropriately in the file system, with a type that is
> executable (e.g. bin_t). Common library types are lib_t and shlib_t.
>
> What policy are you using (strict/targeted/custom)?
hi, well not sure,
I have these options in the settings dialog:
1) "upprätthållande" (Swedish), which means sort of "maintained" or "protected" in English
2) "tillåtande", which means "allowing"
3) "inactiverad", inactivated.
I'd like to have protection with the first option, but with that I can't run
the app. So, what do I need to do on the executable and libs when I install
them, to make them runnable?
many thanks for any advice.
--
http://www.gregerhaga.net/
http://hack-space.biz/
* Re: how to enable se linux for my app?
From: Stephen Smalley @ 2007-02-09 20:39 UTC (permalink / raw)
To: Greger; +Cc: Michael C Thompson, selinux
On Fri, 2007-02-09 at 22:25 +0200, Greger wrote:
> On Fri, 09 Feb 2007 13:12:48 -0600, Michael C Thompson wrote
> > Greger wrote:
> > > well just a quickie:
> > > I wrote an application, but can not run the linux executable nor libraries
> > > when selinux is activated. what command should i use to "include" the
> > > libraries and executable under selinux?
> >
> > It's most likely a type enforcement issue. Your application need not
> > be "SELinux aware" for it to execute at all. However, it must be
> > labeled appropriately in the file system, with a type that is
> > executable (e.g. bin_t). Common library types are lib_t and shlib_t.
> >
> > What policy are you using (strict/targeted/custom)?
> hi, well not sure,
> I have these options in the settings dialog:
> 1) "upprätthållande" (Swedish), which means sort of "maintained" or "protected" in English
> 2) "tillåtande", which means "allowing"
> 3) "inactiverad", inactivated.
> I'd like to have protection with the first option, but with that I can't run
> the app. So, what do I need to do on the executable and libs when I install
> them, to make them runnable?
> many thanks for any advice.
i.e. enforcing/permissive/disabled. Those are system-wide settings, not
per-application.
What you should do is look at your audit logs (either /var/log/messages
if not running auditd or /var/log/audit/audit.log if running it) to see
the particular denials, and then we can decide how best to proceed with
your application. Look for "avc: denied" messages. What is your base
distribution (e.g. Fedora Core 6?)?
--
Stephen Smalley
National Security Agency
* Re: how to enable se linux for my app?
From: Greger @ 2007-02-09 22:36 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Michael C Thompson, selinux
On Fri, 09 Feb 2007 15:39:58 -0500, Stephen Smalley wrote
> On Fri, 2007-02-09 at 22:25 +0200, Greger wrote:
> > On Fri, 09 Feb 2007 13:12:48 -0600, Michael C Thompson wrote
> > > Greger wrote:
> > > > well just a quickie:
> > > > I wrote an application, but can not run the linux executable nor libraries
> > > > when selinux is activated. what command should i use to "include" the
> > > > libraries and executable under selinux?
> > >
> > > It's most likely a type enforcement issue. Your application need not
> > > be "SELinux aware" for it to execute at all. However, it must be
> > > labeled appropriately in the file system, with a type that is
> > > executable (e.g. bin_t). Common library types are lib_t and shlib_t.
> > >
> > > What policy are you using (strict/targeted/custom)?
> > hi, well not sure,
> > I have these options in the settings dialog:
> > 1) "upprätthållande" (Swedish), which means sort of "maintained" or "protected" in English
> > 2) "tillåtande", which means "allowing"
> > 3) "inactiverad", inactivated.
> > I'd like to have protection with the first option, but with that I can't run
> > the app. So, what do I need to do on the executable and libs when I install
> > them, to make them runnable?
> > many thanks for any advice.
>
> i.e. enforcing/permissive/disabled. Those are system-wide settings,
> not per-application.
>
> What you should do is look at your audit logs (either /var/log/messages
> if not running auditd or /var/log/audit/audit.log if running it) to see
> the particular denials, and then we can decide how best to proceed with
> your application. Look for "avc: denied" messages. What is your base
> distribution (e.g. Fedora Core 6?)?
yes, fc6,
found this in /var/log/messages
Feb 10 02:35:41 localhost kernel: audit(1171067741.422:18): avc: denied { execmod } for pid=29429 comm="x" name="libqxrssapp.so" dev=dm-0 ino=2588491 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
qxrssapp is a library that the application uses, the app is made of six
libraries plus the main func in the executable.
h
>
> --
> Stephen Smalley
> National Security Agency
--
http://www.gregerhaga.net/
http://hack-space.biz/
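
Pulling the fields out of an "avc: denied" record such as the one posted above, as an added example that is not part of the original thread: it accepts both the kernel format from /var/log/messages and the auditd format from /var/log/audit/audit.log. The second sample line and its demo_t type are constructed for illustration.

```python
import re

# The denial quoted in the thread (kernel format, as found in /var/log/messages).
THREAD_LINE = ('Feb 10 02:35:41 localhost kernel: audit(1171067741.422:18): '
               'avc: denied { execmod } for pid=29429 comm="x" '
               'name="libqxrssapp.so" dev=dm-0 ino=2588491 '
               'scontext=user_u:system_r:unconfined_t:s0 '
               'tcontext=user_u:object_r:user_home_t:s0 tclass=file')
# Constructed sample in the auditd style; demo_t is a made-up type, not real data.
CONSTRUCTED_AUDITD_LINE = ('type=AVC msg=audit(1171067741.500:19): avc:  denied  '
                           '{ read write } for  pid=100 comm="demo" name="demo.conf" '
                           'scontext=user_u:system_r:demo_t:s0 '
                           'tcontext=user_u:object_r:etc_t:s0 tclass=file')

AVC_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: val.strip('"') for key, val in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    # A context is user:role:type[:level]; type enforcement decides on the type.
    for side in ('scontext', 'tcontext'):
        parts = rec.get(side, '').split(':')
        rec[side[0] + 'type'] = parts[2] if len(parts) >= 3 else None
    return rec


def summarize(line):
    """Say which source type was denied which permissions on which target."""
    rec = parse_avc(line)
    if rec is None:
        return None
    return '%s denied {%s} on %s:%s (name=%s)' % (
        rec['stype'], ' '.join(rec['perms']), rec['ttype'],
        rec.get('tclass'), rec.get('name'))


if __name__ == '__main__':
    for sample in (THREAD_LINE, CONSTRUCTED_AUDITD_LINE, 'Feb 10 sshd: other line'):
        print(summarize(sample))
```
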
* Re: how to enable se linux for my app?
From: Russell Coker @ 2007-02-10 8:19 UTC (permalink / raw)
To: Greger; +Cc: Stephen Smalley, Michael C Thompson, selinux
On Saturday 10 February 2007 09:36, "Greger" <boss@gregerhaga.net> wrote:
> Feb 10 02:35:41 localhost kernel: audit(1171067741.422:18): avc: denied {
> execmod } for pid=29429 comm="x" name="libqxrssapp.so" dev=dm-0
> ino=2588491 scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>
> qxrssapp is a library that the application uses, the app is made of six
> libraries plus the main func in the executable.
http://etbe.blogspot.com/2007/02/execmod.html
Your shared object needs to be compiled with -fpic or -fPIC. The command
eu-findtextrel can be used to discover which functions were compiled
incorrectly. See the above URL for more information.
--
russell@coker.com.au
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development