selinux February 2010

selinux@lists.fedoraproject.org

22 participants
23 discussions

Re: Policy for authenticating domain users
by Scott Salley 18 Feb '10

18 Feb '10

> On 02/15/2010 01:27 PM, Scott Salley wrote: >> I'm working on a set of patches to integrate Likewise Open (Active >> Directory authentication for Unix/Linux/Mac) into Fedora/SELinux. >> >> I am having trouble defining how a user's home directory should be >> handled. >> >> We don't place users directly in /home as the domain user account name >> may conflict with an existing account. Instead, we use /home/%D/%U >> where %D is the domain and %U is the user account. (We may have users >> with the same account name in different domains.) >> >> I want to make sure that if users are joined while SELinux is not >> enabled, and then SELinux is re-enabled, the files get the proper >> contexts. > Do you know the name of all domains? > > In Fedora 12 > > for d in $DOMAINS; do > semanage fcontext -a -e /home /home/$d > done I don't know the names of all the domains ahead of time, but I can call semanage with those arguments as we set up a user's environment. I already tried running semanage twice with the same arguments for adding the equivalence and it correctly errors out. I've now run into this message: type=AVC msg=audit(1266523695.550:22225): avc: denied { relabelto } for pid=3158 comm="lsassd" name="CORPQA" dev=dm-0 ino=195681 scontext=unconfined_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL msg=audit(1266523695.550:22225): arch=c000003e syscall=188 success=yes exit=0 a0=7fab640399f0 a1=3ea9415649 a2=7fab64027990 a3=21 items=0 ppid=2790 pid=3158 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lsassd" exe="/usr/sbin/lsassd" subj=unconfined_u:system_r:lsassd_t:s0 key=(null) which does not go away with the addition of this rule: allow lsassd_t home_root_t:dir relabelto; Is there something special for 'relabelto' or 'home_root_t' that I'm not aware of? (I'm trying to create /home/DOMAIN and apply the appropriate label on /home/DOMAIN via matchpathcon/setfilecon).

2 1

Re: how to set permissions to files with a patern in the file hame
by ESGLinux 18 Feb '10

18 Feb '10

> > > > ESG, Take a step back and explain to us what process is creating these > files. What procesess are you > trying to prevent from reading these files? > > any process that can create a file, touch, vim... > Who is creating the files? > any user that can log in the system. > > If it is one process creating the files then you can add SELinux awareness > to the tool and get the files created with the "correct" context. > Hope my answer explain a bit more the problem Thanks ESG

2 2

Policy for authenticating domain users
by Scott Salley 16 Feb '10

16 Feb '10

I'm working on a set of patches to integrate Likewise Open (Active Directory authentication for Unix/Linux/Mac) into Fedora/SELinux. I am having trouble defining how a user's home directory should be handled. We don't place users directly in /home as the domain user account name may conflict with an existing account. Instead, we use /home/%D/%U where %D is the domain and %U is the user account. (We may have users with the same account name in different domains.) I want to make sure that if users are joined while SELinux is not enabled, and then SELinux is re-enabled, the files get the proper contexts. Suggestions?

3 2

New networking controls - FYI
by mantaray_1 16 Feb '10

16 Feb '10

List members, I have recently upgraded to the 2.6.30 kernel, and I am now using the new networking controls. I have noticed difficulties that seem to me to be similar difficulties in some other recent posts, so I wanted to make a brief post regarding the matter. I tested the packet rules by creating packet labels for the local ipv6 (::1), my printer, my router, and general internet addresses. I did not give my son's user permission to access the printer. When his user attempted to access the printer, the application being used would hang and need to be shut down. Allowing local ipv6 packets to be sent/received by his user prevented the application from hanging, but also allowed his user to access the printer - with no packet access allowed to the printer. When this did not restrict his access, I added a constraint in the constraints file: constrain packet { recv send } ( r1 != his_user_name_r or t2 == allow_packet ); This constraint prevented access to the local ipv6 packets until I added the attribute type to those packets, but access to the printer was not affected. For now my packet rules for Internet access appear to work and I am limiting printer access through the print service directly. I do not presently have time to troubleshoot the matter, so for now this will do as a solution; but I am curious why the packet controls (especially combined with the constraint) are not preventing printer access. I know that there are other controls that are intended to restrict network access, and I have not yet had the time to explore using these controls. I am hopeful that by combining these controls with the SECMARK controls, I will have better control of network traffic; however one recent post (by Jason on February 2) seems to indicate that there may still be some difficulty getting these other controls to properly restrict network traffic as well: "I found that my test app (with the allow rule below), could still read and display packet data coming in on any interface even with all interfaces assigned a unique peer_t...." I really appreciate the efforts of everyone involved in the development of SELinux, and I hope my comments will help the developers to make the new controls as effective and easy to implement as the previous controls were. -Ken-

2 1

Why can't I set /mnt/path to samba_share_t ?
by Shintaro Fujiwara 16 Feb '10

16 Feb '10

Hi, I'm now making server at my office with f12. I'm moved by how easy SELinux became to configure anythinng after all these years. I have mounted HDs on /mnt/path or /media/path. The HDs are mounted on /mnt/path which reside valuable data inside, and on /media/path which has backup tar balls. The one on /mnt/path are shared data by samba so that some organization unit guys can read and write through network. First,I set #chmod 777 /mnt/path and this is just a test, so it's not controversial. Second, after I read smb.conf, and I found SELinux configuration telling to set path to samba_share_t by chcon. I made it and it was a success, I could read and write from network to /mnt/path. Next, I commanded, # restorecon -R -v /mnt and /mnt/path became mnt_t. In that, I failed both read nor write. I made local module by audit2allow and installed by semodule -i. Of course, I restoreconed. I failed again. I did # touch /.autorelabel # shutdown -r now I failed. security context of /mnt/path is still mnt_t. How can I set security context of /mnt/path to samba_share_t not using chcon ? Thanks in advance. ----SELinux tool----- http://sourceforge.net/projects/segatex/

4 6

how to set permissions to files with a patern in the file hame
by ESGLinux 16 Feb '10

16 Feb '10

Hi All, I´m a bit newbie with SELinux (nothing more than watch to sealert -b and do what it says...) and now I want to learn more about it because I have a problem: I need to set the permissions to files that are going to be created, but this permissions depends on the name of the file. Is it possible? by the way, any doc about SELinux for begginers? the oficial doc scares ;-) Thanks in advance, ESG

2 3

Check out my photos on Facebook
by Rituraj Goswami 13 Feb '10

13 Feb '10

Hi Fedora, I set up a Facebook profile where I can post my pictures, videos and events and I want to add you as a friend so you can see it. First, you need to join Facebook! Once you join, you can also create your own profile. Thanks, Rituraj To sign up for Facebook, follow the link below: http://www.facebook.com/p.php?i=100000084056671&k=Z6E3Y5WSQ52AYEEJPB63RVSVP… Already have an account? Add this email address to your account http://www.facebook.com/n/?merge_accounts.php&e=fedora-selinux-list@redhat.… was invited to join Facebook by Rituraj Goswami. If you do not wish to receive this type of email from Facebook in the future, please click on the link below to unsubscribe. http://www.facebook.com/o.php?k=fca54f&u=1000322530&mid=1e0a2fbG3b9fb5e2G0G8 Facebook's offices are located at 1601 S. California Ave., Palo Alto, CA 94304.

2 1

Kernel's AVC
by Vadym Chepkov 11 Feb '10

11 Feb '10

Hi, I missed this, because it has never got to any of the logs. I noticed it in dmesg output. type=1400 audit(1265486014.752:4): avc: denied { setsched } for pid=995 comm="quotacheck" scontext=system_u:system_r:quota_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process type=1400 audit(1265486022.533:5): avc: denied { setsched } for pid=995 comm="quotacheck" scontext=system_u:system_r:quota_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process Sincerely yours, Vadym Chepkov

3 2

Gitweb and SELinux
by Michael Cronenworth 10 Feb '10

10 Feb '10

I am attempting to use gitweb to display git repos that live in /home directories. The developers use ssh to push changes to their home directory. It seems every Fedora release gitweb and SELinux have changes. With Fedora 12, I cannot get SELinux to be happy about accessing the git repos. Gitweb is pointing to: /srv/git/ Inside of that directory live symlinks to the git repos that live in /home/user1/git /home/user2/git etc. I've attached the sealert output about the denial. I tried to assign a context of httpd_git_content_ra_t to my git repo, but that did not allow access. I realize this may not be "100%" secure, but this setup was functioning in Fedoras 11 and under. I'd create a bug, but I'm not sure if this setup would be considered a bug of SELinux. Additional info: $ ls -Z /var/www/git/ -rw-r--r--. root root system_u:object_r:httpd_git_content_t:s0 git-favicon.png -rw-r--r--. root root system_u:object_r:httpd_git_content_t:s0 git-logo.png -rwxr-xr-x. root root system_u:object_r:httpd_git_script_exec_t:s0 gitweb.cgi -rw-r--r--. root root system_u:object_r:httpd_git_content_t:s0 gitweb_config.perl -rw-r--r--. root root system_u:object_r:httpd_git_content_t:s0 gitweb.css Any ideas to allow access? Thanks, Michael

3 12

SELinux best practices
by Leif Thuresson 05 Feb '10

05 Feb '10

Is there a "recommended" way to setup access for privileged admin tasks with sudo? In Dominick Grift's blog article http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-seven-su-newr… the user assigned the webadm_r role gets a sudo access with match "ALL" so in this example you trust SELinux solely to protect the system from unauthorized access. Is this way you would normally do it on a production machine? If you make the sudoers rules more specific for the actual commands the admin user need to run you will gain some initial lock-down from sudo, but at the expense of the sudoers file requiring significantly more maintenance. Administrators generally like scripting to automate task, but by allowing a sub-admin to run a shell with uid=0 we are again left with only SELinux to prevent unauthorized access. Is the general feeling that SELinux in say fedora12 is mature enough so that we can trust that it will protect the system from unauthorized access if we allow sub-administrators to run scripts as uid=0 ? I see that support for capabilities on files has finally found its way into fedora12. It that something that is being used to achieve some sort of middle ground between the two alternatives I listed above? /Leif

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux February 2010