selinux January 2005

selinux@lists.fedoraproject.org

50 participants
68 discussions

Hi,my e- mail for the list
by abdul ayub 24 Jan '05

24 Jan '05

Hi, This is abdul ayub.i am sending you the e-mail for adding and the e-mail is abdul3003(a)yahoo.com thanks abdul ayub. --------------------------------- Do you Yahoo!? Yahoo! Search presents - Jib Jab's 'Second Term'

1 0

Exim
by David Hampton 24 Jan '05

24 Jan '05

Does anyone have file context and type enforcement files for exim? I'd like to lock exim down, but I'd rather not have to start from scratch if I can help it. Google did produce a reference to an exim.te file on NSA's SELinux mailing list archive, but it seems that the file attachment has already been deleted. Thanks. David

4 3

MySQL 4.1.9 avc denied messages
by Robert L Cochran 21 Jan '05

21 Jan '05

The following "avc denied" messages were recorded after upgrading MySQL-client-4.1.8 and MySQL-devel-4.1.8 to the corresponding 4.1.9 versions. After upgrading these, I additionally installed (for the first time) MySQL-server-4.1.9 and MySQL-shared-4.1.9. These are all binary x86 RPM packages downloaded from MySQL.com. They are running on a Fedora Core 3 system fully updated including the 741 kernel. My question is: can I fix the problems brought up by these avc denied messages by following the same advice given earlier to the poster named "dragoran" from 11/10/2004 through 11/16/2004, in several messages with the subject line "PHP cannot connect to mysql server?" I wish to allow MySQL execute permission. Any help gratefully accepted. Thanks! Bob Cochran Greenbelt, Maryland And here are the avc messages: audit(1106189173.580:0): avc: denied { append } for pid=4051 exe=/usr/sbin/mysqld path=/var/lib/mysql/rachelsp4.lingpgmr.com.err dev=dm-0 ino=3260518 scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=file audit(1106189174.329:0): avc: denied { write } for pid=4051 exe=/usr/sbin/mysqld name=mysql dev=dm-0 ino=3260470 scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=dir audit(1106189174.329:0): avc: denied { add_name } for pid=4051 exe=/usr/sbin/mysqld name=rachelsp4.lower-test scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=dir audit(1106189174.329:0): avc: denied { create } for pid=4051 exe=/usr/sbin/mysqld name=rachelsp4.lower-test scontext=user_u:system_r:mysqld_t tcontext=user_u:object_r:var_lib_t tclass=file audit(1106189174.408:0): avc: denied { remove_name } for pid=4051 exe=/usr/sbin/mysqld name=rachelsp4.lower-test dev=dm-0 ino=3260519 scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=dir audit(1106189174.408:0): avc: denied { unlink } for pid=4051 exe=/usr/sbin/mysqld name=rachelsp4.lower-test dev=dm-0 ino=3260519 scontext=user_u:system_r:mysqld_t tcontext=user_u:object_r:var_lib_t tclass=file audit(1106189174.449:0): avc: denied { create } for pid=4051 exe=/usr/sbin/mysqld name=mysql.sock scontext=user_u:system_r:mysqld_t tcontext=user_u:object_r:var_lib_t tclass=sock_file audit(1106189174.711:0): avc: denied { read write } for pid=4051 exe=/usr/sbin/mysqld name=ibdata1 dev=dm-0 ino=3260520 scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=file audit(1106189174.711:0): avc: denied { lock } for pid=4051 exe=/usr/sbin/mysqld path=/var/lib/mysql/ibdata1 dev=dm-0 ino=3260520 scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=file audit(1106189175.480:0): avc: denied { write } for pid=4109 exe=/usr/sbin/mysqld path=/var/lib/mysql/rachelsp4.lingpgmr.com.pid dev=dm-0 ino=3260523 scontext=user_u:system_r:mysqld_t tcontext=user_u:object_r:var_lib_t tclass=file audit(1106189175.845:0): avc: denied { getattr } for pid=4051 exe=/usr/sbin/mysqld path=/var/lib/mysql/mysql/host.MYI dev=dm-0 ino=3260477 scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=file

2 5

PA Security Conference
by Eric Andreychek 21 Jan '05

21 Jan '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, (if you are on the SELinux mailing list, this is the same message that was sent there -- but you did sign up, right? :-) On Saturday March 5, 2005, the Central PA Linux Users Group will be hosting a Security Conference near Harrisburg Pennsylvania. The conference will be geared toward individuals, organizations, and businesses with a technical interest in Linux related networking and security. You may recognize the date -- this conference is the day after the SELinux Symposium. So, if you can't get off work for three days, or find the SELinux Symposium difficult to afford, this conference might be right up your alley. And, if you are going to the SELinux Symposium, what a better way to end the week than by going to this one as well? :-) We booked a room at a local college, and will be able to accomodate up to 200 people. We have a number of really neat folks coming to speak. The speaker lineup is as follows: * Ed Reed, Novell's "Security Tzar", will be delivering the keynote titled "2005: The Platform Hardening Revival". * Russell Coker (RedHat), you know him, you love him, he will be giving an SELinux presentation. * Marcus Ranum (Tenable), known as the inventor of the proxy firewall and implementor of the first commercial firewall product, will be speaking on "System Logging Tools and Tricks for Geeks". * Jon Nelson, of the PA State Police Computer Crimes Unit and a member of the Philly LUG, will be speaking on "Computer Crime Law, Trends, and Security Basics". * Brandon Hale, a Hardened Gentoo developer, will be discussing "Advanced Memory Protections with Linux". * Eric Andreychek (CPLUG), will be speaking on "Getting Started with SELinux". We'll have 5-6 hours worth of presentations, as well as informal discussions before, after, and throughout the conference. At the end of the day, we also are planning a number of Lightning Talks, 5 minute talks from various conference attendees regarding a number of Linux and security related topics. If you or anyone you know are interested, you can get more information as well as register at the conference website: http://cplug.net/conference/ Seating is limited, so if you are interested, be sure to register soon. If you have any questions, please feel free to let us know. We look forward to seeing you there! -Eric -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFB8WHxR5UKaDAjAG4RAvm9AKDRfpW/MlUxv3keOtzsbHlwpVMM9wCgnKiZ Wou3dXLXb/TX0+L4HgGNSGY= =Xdzh -----END PGP SIGNATURE-----

1 0

SELinux: home dir is symlink, httpd from files in home dir
by Nick Urbanik 20 Jan '05

20 Jan '05

Dear Folks, I'm totally new to SELinux, and am quite confused on a number of points. I took the plunge and enabled SELinux on this FC3 box. Problem is with Apache. I have symlinks pointing to my home directory, and to the pub directory, publicly served by Apache. $ ls -l /home/nicku /var/ftp/pub lrwxrwxrwx 1 root root 12 Oct 26 14:36 /home/nicku -> ../opt/nicku lrwxrwxrwx 1 root root 13 Oct 26 14:48 /var/ftp/pub -> ../../opt/pub ls -Zd /opt/nicku /home/nicku lrwxrwxrwx root root system_u:object_r:default_t /home/nicku -> ../opt/nicku drwx-----x nicku nicku system_u:object_r:user_home_dir_t /opt/nicku I have three main questions: 1. How do I solve my problem about httpd access to /opt/nicku/work/teaching/ict/ossi securely? 2. Where should I put my modifications to the policy? 3. What attribute should I give to the symlink /home/nicku? Here is what I did: After enabling SELinux, access to http://localhost/ossi was forbidden. I then proceeded to try to make this work. However, my fairly random messing about is certainly not right. I don't know where I should put my modifications. I would prefer not to change the original policy files, but would prefer to make new ones. Contents of /etc/selinux/targeted/src/policy/file_contexts/misc/nicks-opt.fc: /opt/lost\+found(/.*)? system_u:object_r:lost_found_t /opt/nicku -d system_u:object_r:user_home_dir_t /opt/nicku/.+ system_u:object_r:user_home_t /opt/ogg(/.*)? system_u:object_r:default_t /opt/pub(/.*)? system_u:object_r:default_t /opt/nicku/public_htm(/.*)? system_u:object_r:httpd_user_content_t /opt/backup(/.*)? system_u:object_r:default_t /opt/cdimage(/.*)? system_u:object_r:default_t /opt/nicku/photos(/.*)? system_u:object_r:httpd_user_content_t /opt/nicku/work/teaching/ict/snm(/.*)? system_u:object_r:httpd_user_content_t /opt/nicku/work/teaching/ict/ossi(/.*)? system_u:object_r:httpd_user_content_t THIS IS CERTAINLY IN THE WRONG PLACE? WHERE SHOULD IT GO? cat /etc/selinux/targeted/src/policy/domains/program/apache-nicks-opt-extra.te # Extra stuff for apache to cope with the symbolic links to # /opt/nicku and /opt/pub These came from audit2allow. The first one is certainly wrong. I should change the attribute on the symlink /home/nicku. What should I change it to? # to give access to /home/nicku: # This looks BAD by removing SELinux protection of all symlinks: allow httpd_t default_t:lnk_file { getattr read }; # to give access to /opt/pub: allow httpd_t var_t:lnk_file { getattr read }; # to give access to /opt/nicku/{photos,work/{ossi,snm}} allow httpd_t user_home_t:lnk_file { getattr read }; make reload complained till I touched this file: ls -l /etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc -rw-r--r-- 1 root root 0 Jan 20 07:51 /etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc From httpd configuration: Alias /ossi /home/nicku/work/teaching/ict/ossi <Location "/ossi"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order allow,deny Allow from all </Location> What should I do to enable httpd access to /ossi? Here's what SELinux says: Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc: denied { search } for pid=6133 exe=/usr/sbin/httpd name=work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc: denied { getattr } for pid=6133 exe=/usr/sbin/httpd path=/opt/nicku/work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir When I do: tail -20 /var/log/messages | audit2allow -v -i - allow httpd_t user_home_t:dir { getattr search }; #EXE=/usr/sbin/httpd NAME=work : search #EXE=/usr/sbin/httpd PATH=/opt/nicku/work : getattr Where should this rule go? I would prefer not to modify the installed /etc/selinux/targeted/src/policy/domains/program/apache.te and /etc/selinux/targeted/src/policy/file_contexts/program/apache.fc; I would rather put my own customised changes in their own files so updates to the policies can be easily installed. -- Nick Urbanik RHCE http://nicku.org nicku(at)nicku.org Proud ex-member of Dept. of Information & Communications Technology in Hong Kong IVE (Tsing Yi), Home of Visual Paradigm: Jolt Productivity Award winner, programmed by ICT's own graduates! GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24

3 5

latest targeted policy: missing types....?
by Tom London 20 Jan '05

20 Jan '05

Running targeted/enforcing, latest rawhide: The latest policy: selinux-policy-targeted-1.21.2-4 seems to be missing some types. Get this on 'restorecon .....'. Did I mess up the update? tom /etc/selinux/targeted/contexts/files/file_contexts: line 874 has invalid context system_u:object_r:login_exec_t /etc/selinux/targeted/contexts/files/file_contexts: line 875 has invalid context system_u:object_r:login_exec_t /etc/selinux/targeted/contexts/files/file_contexts: line 1035 has invalid context system_u:object_r:rlogind_exec_t /etc/selinux/targeted/contexts/files/file_contexts: line 1036 has invalid context system_u:object_r:rlogind_exec_t /etc/selinux/targeted/contexts/files/file_contexts: line 1037 has invalid context system_u:object_r:rlogind_exec_t /etc/selinux/targeted/contexts/files/file_contexts: line 1158 has invalid context system_u:object_r:telnetd_exec_t /etc/selinux/targeted/contexts/files/file_contexts: line 1159 has invalid context system_u:object_r:telnetd_exec_t -- Tom London

2 2

SELinux settings for a program run either by apache or user?
by Nick Urbanik 20 Jan '05

20 Jan '05

Dear Folks, I have written a program that I use both run by Apache and by normal users as a command line application. When I changed the attribute of the program file to httpd_sys_script_exec_t, It no longer had permission to write to the console. What is the simplest way to handle this properly in SELinux? -- Nick Urbanik RHCE http://nicku.org nicku(at)nicku.org Proud ex-member of Dept. of Information & Communications Technology in Hong Kong IVE (Tsing Yi), Home of Visual Paradigm: Jolt Productivity Award winner, programmed by ICT's own graduates! GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24

3 6

Re: SELinux settings for a program run either by apache or user?
by Colin Walters 20 Jan '05

20 Jan '05

On Thu, 2005-01-20 at 11:21 -0500, Stephen Smalley wrote: > On Thu, 2005-01-20 at 11:19, Colin Walters wrote: > > Right; but studying the policy a bit more, there are definitely > > permissions given to CGI scripts not given to ordinary userdomains, > > e.g.: > > > > ############################################ > > # Allow scripts to append to http logs > > ######################################### > > allow httpd_$1_script_t httpd_log_t:file { getattr append }; > > Append-only access should be relatively benign, although I'm not sure > whether it is justified here. But if it allowed to httpd_user_script_t, > then user_t effectively has those permissions anyway, as he can always > create a CGI script with arbitrary code and then access the URL to > invoke it from httpd, whether or not he can directly transition to the > domain or not. Agreed; I was bringing this up primarily to point out that simply removing the automatic transition would introduce other issues. I have a feeling that there's another issue having to do with preserving file contexts, but I can't put my finger on it. > > So that's something to consider. Perhaps what we really want is a > > domain derived from httpd_$1_script_t, e.g. httpd_$1_test_script_t, > > which is allowed to write to the terminal as well. That would be fairly > > complex though... > > Could certainly be done via shared macros for these testing domains and > the normal script domain. But not clear it is worth it... Yeah. It might be nice if the policy language had an easy "subclass" mechanism. That's a whole other topic though... For now anyways, we could probably just change it to a domain_trans; a quick look at the policy seems to show the httpd_log_t access being the only obvious additional permission granted. Presumably a majority of setups with CGI scripts and users are using suEXEC and do not allow ordinary uids any kind of write access to the main httpd logs.

1 0

FEDORA CORE 3.0 : MANUAL
by Debasis_Ghosh_-_Indal_Kolkata_Library＠adityabirla.com 20 Jan '05

20 Jan '05

Dear Friends, I am a non-techie beginner to Fedora Core 3.0. Could you please guide me whether there is any online reference manual or command summary (and interpretations) on Fedora Core 3.0 is available. Look forward to your kind help. Regards Debasis Ghosh ghoshd(a)adityabirla.com Disclaimer: The information contained in this communication is intended solely for the individual or entity to which it is addressed. It may contain confidential and/or legally privileged information. Any review, retransmission, dissemination or other use of, or taking any action in reliance on the contents of this information by persons or entities other than the intended recipient is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. Aditya Birla Group Companies attempts to sweep e-mails and attachments for viruses, it does not guarantee that either are virus free and that we accept no liability for any damage sustained as a result of viruses.

2 1

honeypot risks?
by Justin Conover 20 Jan '05

20 Jan '05

What are the risk of opening a box on then net to use as a honeypot for testing/learning? As in, would it be easy for a "hacker/script kiddie" to take the box and use it to hack the NSA and blame me ;-) I was thinking of using honeyd: http://dag.wieers.com/packages/honeyd/ http://www.citi.umich.edu/u/provos/honeyd/ Anyone recommend any good books for honeypots, I have found the following on amazon.com Honeypots: Tracking Hackers Know Your Enemy : Learning about Security Threats (2nd Edition) Network Intrusion Detection (3rd Edition) I'm pretty sure I have that ladder sitting on my bookshelf at home and will look when I get home tonight.

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux January 2005