Skip top menus
National Security Agency and Central Security Service with agency logos.NSA/CSS Memorial Wall
Home    About NSA    Research    Business    Careers    Public Info    History
Introduction to Research    Security-Enhanced Linux    Information Assurance Research    Technology Transfer    Publications    Related Links

>>SELinux Mailing List: by thread

Search
What's new?
Contents
Overview
What's New
Frequently Asked Questions
Background
Documentation
License
Download
Participating
Mail List
Archive Summary
Archive by Thread
Archive by Author
Archive by Date
Archive by Subject
Remaining Work
Contributors
Related Work
Press Releases
  • Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
From: B $BE/ <tmasuda_at_chi.it.teu.ac.jp>
subject: Japanese Document
Date: Thu, 20 Dec 2001 11:41:01 +0900
  • This message: [ Message body ]
  • Next message: Russell Coker: "Re: Debian SE Linux ?"
  • Previous message: Stephen Smalley: "Re: setting up new test user domain?"
  • Next in thread: Stephen Smalley: "Re: Japanese Document"
  • Reply: Stephen Smalley: "Re: Japanese Document"
  • Reply: Noah silva: "Re: Japanese Document"


Hello!

My name is Tetsuji Masuda , I`m university student in Japan.

I installed SELinux(2.4.9) in RH7.1. However I can`t use `kon` command in console window. When I pushed returen button after I typed `kon`, the window was, somehow, freezed. What's the problem about that?

This is log of kon in /var/log/messages. 

Dec 17 14:20:27 pc07 kernel: 
Dec 17 14:20:27 pc07 kernel: avc:  denied  { read write } for  pid=12513 exe=/usr/bin/kon path=/dev/mem dev=03:06 ino=198216
Dec 17 14:20:27 pc07 kernel:    scontext=root:sysadm_r:sysadm_t
Dec 17 14:20:27 pc07 kernel:    tcontext=system_u:object_r:memory_device_t
Dec 17 14:20:27 pc07 kernel:    tclass=chr_file
Dec 17 14:20:27 pc07 kernel: 
Dec 17 14:20:27 pc07 kernel: avc:  denied  { read write } for  pid=12513 exe=/usr/bin/kon path=/dev/ptyp0 dev=03:06 ino=198701
Dec 17 14:20:27 pc07 kernel:    scontext=root:sysadm_r:sysadm_t
Dec 17 14:20:27 pc07 kernel:    tcontext=system_u:object_r:device_t
Dec 17 14:20:27 pc07 kernel:    tclass=chr_file
Dec 17 14:20:27 pc07 kernel: 
Dec 17 14:20:27 pc07 kernel: avc:  denied  { ioctl } for  pid=12513 exe=/usr/bin/kon path=/dev/ptyp0 dev=03:06 ino=198701
Dec 17 14:20:27 pc07 kernel:    scontext=root:sysadm_r:sysadm_t
Dec 17 14:20:27 pc07 kernel:    tcontext=system_u:object_r:device_t
Dec 17 14:20:27 pc07 kernel:    tclass=chr_file
Dec 17 14:20:27 pc07 kernel: Unable to handle kernel paging request at virtual address 66207369
Dec 17 14:20:27 pc07 kernel:  printing eip:
Dec 17 14:20:27 pc07 kernel: c018f303
Dec 17 14:20:27 pc07 kernel: *pde = 00000000
Dec 17 14:20:27 pc07 kernel: Oops: 0000
Dec 17 14:20:27 pc07 kernel: CPU:    0
Dec 17 14:20:28 pc07 kernel: EIP:    0010:[ipc_precondition+19/96]
Dec 17 14:20:28 pc07 kernel: EIP:    0010:[<c018f303>]
Dec 17 14:20:28 pc07 kernel: EFLAGS: 00010206
Dec 17 14:20:28 pc07 kernel: eax: 66207369   ebx: c3286420   ecx: c764f3e0   edx: c02bb098
Dec 17 14:20:28 pc07 kernel: esi: 0000001c   edi: c3286420   ebp: c75fc000   esp: c75fdedc
Dec 17 14:20:28 pc07 kernel: ds: 0018   es: 0018   ss: 0018
Dec 17 14:20:28 pc07 kernel: Process kon (pid: 12513, stackpage=c75fd000)
Dec 17 14:20:28 pc07 kernel: Stack: c3286420 c764f3e0 c75fc000 c019095f c3286420 0000001c 00000000 00000000 
Dec 17 14:20:28 pc07 kernel:        c7f9c720 c02a3a18 bffff980 c1894460 00000004 00000000 00000000 00000000 
Dec 17 14:20:28 pc07 kernel:        00000000 00000000 00000000 000342c3 0000001c c764f3e0 00000124 c764f3e0 
Dec 17 14:20:28 pc07 kernel: Call Trace: [selinux_shm_associate+47/560] [selinux_ipc_permission+77/96] [ipcperms+143/160] [sys_shmget+273/336] [sys_ipc+564/624] 
Dec 17 14:20:28 pc07 kernel: Call Trace: [<c019095f>] [<c019111d>] [<c017d05f>] [<c0180761>] [<c010c314>] 
Dec 17 14:20:28 pc07 kernel:    [system_call+51/56] 
Dec 17 14:20:28 pc07 kernel:    [<c0106edb>] 
Dec 17 14:20:28 pc07 kernel: 
Dec 17 14:20:28 pc07 kernel: Code: 81 38 8c ff 7c f9 75 07 b8 01 00 00 00 eb 2b bb 00 e0 ff ff 

==========================================================================================

I translated the policy document with Japanese as research. I'm not sure it was correct or not. However I want to use it for report of it. If you agreed of it or disagreed, please let me know. And If you have a good idea instend of it, it's also tell me the detale of it.

--

$BA}ED(B $BE/<!(B /Tetsuji Masuda
$BEl5~9)2JBg3X9)3XIt>pJs9)3X2J(B4$BG/(B /Tokyo University of Technology
$B@i<o8&5f<<(B /Chigusa Laboratory

MAIL:tmasuda@chi.it.teu.ac.jp

--

You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: Japanese Document
Date: Thu, 20 Dec 2001 09:04:48 -0500 (EST)
  • This message: [ Message body ]
  • Next message: Stephen Smalley: "Re: Debian SE Linux ?"
  • Previous message: Russell Coker: "Re: setting up new test user domain?"
  • In reply to: B $BE/: "Japanese Document"
  • Next in thread: Noah silva: "Re: Japanese Document"

On Thu, 20 Dec 2001, [ISO-2022-JP] $BA}ED(B $BE/<!(B wrote:

> My name is Tetsuji Masuda , I`m university student in Japan.
>
> I installed SELinux(2.4.9) in RH7.1. However I can`t use `kon` command in console window. When I pushed returen button after I typed `kon`, the window was, somehow, freezed. What's the problem about that?

First, you should upgrade to the latest SELinux release and apply all patches that have been posted on the mailing list since that release. The 2.4.9-based SELinux is quite old (August) and there have been many fixes and improvements since it was released. Download the latest release (based on 2.4.16) from http://www.nsa.gov/selinux/download2.html and then apply the following patches: 

http://marc.theaimsgroup.com/?l=selinux&m=100808452800605&w=2
http://marc.theaimsgroup.com/?l=selinux&m=100808453300620&w=2
http://marc.theaimsgroup.com/?l=selinux&m=100861319315772&w=2

> This is log of kon in /var/log/messages.
> ==========================================================================================
> Dec 17 14:20:27 pc07 kernel:
> Dec 17 14:20:27 pc07 kernel: avc: denied { read write } for pid=12513 exe=/usr/bin/kon path=/dev/mem dev=03:06 ino=198216
> Dec 17 14:20:27 pc07 kernel: scontext=root:sysadm_r:sysadm_t
> Dec 17 14:20:27 pc07 kernel: tcontext=system_u:object_r:memory_device_t
> Dec 17 14:20:27 pc07 kernel: tclass=chr_file

I'm not familiar with the 'kon' command, but it appears that it tries to access the /dev/mem device. That has obvious security implications. If you really want to permit it to access this device, you'll need to put it into a domain with the corresponding permissions and put the "privmem" type attribute on the domain so that the assertion won't fail.

> Dec 17 14:20:27 pc07 kernel: Unable to handle kernel paging request at virtual address 66207369
> Dec 17 14:20:27 pc07 kernel: printing eip:
> Dec 17 14:20:27 pc07 kernel: c018f303
> Dec 17 14:20:27 pc07 kernel: *pde = 00000000
> Dec 17 14:20:27 pc07 kernel: Oops: 0000
> Dec 17 14:20:27 pc07 kernel: CPU: 0
> Dec 17 14:20:28 pc07 kernel: EIP: 0010:[ipc_precondition+19/96]
> Dec 17 14:20:28 pc07 kernel: EIP: 0010:[<c018f303>]
> Dec 17 14:20:28 pc07 kernel: EFLAGS: 00010206
> Dec 17 14:20:28 pc07 kernel: eax: 66207369 ebx: c3286420 ecx: c764f3e0 edx: c02bb098
> Dec 17 14:20:28 pc07 kernel: esi: 0000001c edi: c3286420 ebp: c75fc000 esp: c75fdedc
> Dec 17 14:20:28 pc07 kernel: ds: 0018 es: 0018 ss: 0018
> Dec 17 14:20:28 pc07 kernel: Process kon (pid: 12513, stackpage=c75fd000)
> Dec 17 14:20:28 pc07 kernel: Stack: c3286420 c764f3e0 c75fc000 c019095f c3286420 0000001c 00000000 00000000
> Dec 17 14:20:28 pc07 kernel: c7f9c720 c02a3a18 bffff980 c1894460 00000004 00000000 00000000 00000000
> Dec 17 14:20:28 pc07 kernel: 00000000 00000000 00000000 000342c3 0000001c c764f3e0 00000124 c764f3e0
> Dec 17 14:20:28 pc07 kernel: Call Trace: [selinux_shm_associate+47/560] [selinux_ipc_permission+77/96] [ipcperms+143/160] [sys_shmget+273/336] [sys_ipc+564/624]
> Dec 17 14:20:28 pc07 kernel: Call Trace: [<c019095f>] [<c019111d>] [<c017d05f>] [<c0180761>] [<c010c314>]
> Dec 17 14:20:28 pc07 kernel: [system_call+51/56]
> Dec 17 14:20:28 pc07 kernel: [<c0106edb>]
> Dec 17 14:20:28 pc07 kernel:
> Dec 17 14:20:28 pc07 kernel: Code: 81 38 8c ff 7c f9 75 07 b8 01 00 00 00 eb 2b bb 00 e0 ff ff

Hmmm...This is a bug. I was initially assuming that it was something that we had already fixed since the 2.4.9 release, but in looking at the code, I see that this bug is still present in the current code. We'll get a patch out later today for the current (2.4.16) release. 

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: Noah silva <nsilva_at_atari-source.com>
subject: Re: Japanese Document
Date: Thu, 20 Dec 2001 10:28:25 -0500 (EST)
  • This message: [ Message body ]
  • Next message: Stephen Smalley: "[PATCH] Bug fix for ipc_precondition calls"
  • Previous message: Stephen Smalley: "Re: Debian SE Linux ?"
  • In reply to: B $BE/: "Japanese Document"


Hi,

I sometimes use Kon. My guess is that perhaps the policy in effect prevents something Kon tries to do. I havn't examined the policies well enough to know exactly what. I can tell you Kon is a bit touchy anyhow (f.e. it won't work as a login shell).

(for those who don't know, Kon is a program that allows japanese text on the console. It will switch the console to graphics mode, and load japanese fonts. The console then works [mostly] normally, except that japanese charicter (kana, kanji) escape sequences are interpreted and the relevent charicters are displayed. English text displays as normal.)

I would guess it probably has something to do with how it uses the screen.

  • noah silva

On Thu, 20 Dec 2001, [ISO-2022-JP] $BA}ED(B $BE/<!(B wrote:

> Hello!
>
> My name is Tetsuji Masuda , I`m university student in Japan.
>
> I installed SELinux(2.4.9) in RH7.1. However I can`t use `kon` command in console window. When I pushed returen button after I typed `kon`, the window was, somehow, freezed. What's the problem about that?
>
> This is log of kon in /var/log/messages.
> ==========================================================================================
> Dec 17 14:20:27 pc07 kernel:

...
> ==========================================================================================
>
> I translated the policy document with Japanese as research. I'm not
>sure it was correct or not. However I want to use it for report of it. If
>you agreed of it or disagreed, please let me know. And If you have a good
>idea instend of it, it's also tell me the detale of it.
>
> --
> $BA}ED(B $BE/<!(B /Tetsuji Masuda
> $BEl5~9)2JBg3X9)3XIt>pJs9)3X2J(B4$BG/(B /Tokyo University of Technology
> $B@i<o8&5f<<(B /Chigusa Laboratory
> MAIL:tmasuda@chi.it.teu.ac.jp
>
> 

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
  • Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT

Information Assurance | Signals & Intelligence        Links | Accessibility | Privacy & Security