selinux April 2010

selinux@lists.fedoraproject.org

31 participants
39 discussions

Re: Impact?
by mark 23 Apr '10

23 Apr '10

> Date: Thu, 22 Apr 2010 22:53:01 +0200 > From: Dominick Grift <domg472(a)gmail.com> > On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth(a)5-cent.us wrote: >> I've got the java wants to write, and execmem errors. audit2allow gives >> me >> this: >> allow httpd_sys_script_t nfs_t:file { execute execute_no_trans }; >> allow httpd_sys_script_t self:process { execmem getsched }; >> allow httpd_sys_script_t usr_t:file { execute execute_no_trans }; > > By allowing the second line of policy you allow all generic httpd system > scripts to execute anonymous memory and you allow then to set schedule > on its own process. <snip> Looking futher: that second one, I see, is also being caused by matlab, which is not an unintelligent package. How serious is it to allow that... or is there a policy rule that's been tightened recently that used to allow this? mark

2 3

Building a modified selinux source rpm
by Alan Rouse 23 Apr '10

23 Apr '10

I'm trying to get selinux working in a different linux distribution where the directory structure differs from the fedora / redhat pattern. I'm attempting to use the fedora selinux src rpm as a starting point, but of course lots of files are being labelled incorrectly due to the directory differences. I can identify the incorrectly labelled files and I know how to get them labelled correctly. But I need to be able to make a new source rpm based on the fedora selinux src rpm, including the necessary changes, so I can distribute and maintain the policy over time. I can execute "rpmbuild -bp SPECS/selinux-policy.spec" to generate the fedora patched policy source in the BUILD directory. Then I can make my changes there. But I need to be able to regenerate the src rpm including those changes. And I need to be able to maintain this over time as the reference policy evolves, by dropping in a new reference policy tgz and regenerating the patch files. Surely there's a better way than "vi policy-F12.patch"! I presume there are tools / scripts / instructions to help with this. Can someone point me in the right direction? Thanks! -- My PGP public key: http://rouses.net/public_key/alan.asc

4 3

Impact?
by mark 23 Apr '10

23 Apr '10

I've got the java wants to write, and execmem errors. audit2allow gives me this: allow httpd_sys_script_t nfs_t:file { execute execute_no_trans }; allow httpd_sys_script_t self:process { execmem getsched }; allow httpd_sys_script_t usr_t:file { execute execute_no_trans }; What would be the impact of implementing this policy on a server visible to the world? Would it open up some huge, known hole? mark

2 5

Audit messages being disabled
by Robert Nichols 22 Apr '10

22 Apr '10

Any ideas how I can track down what might be blocking the logging of audit messages to /var/log/audit/audit.log? The last entry there is at 12:56:16 today, which is just as the system was coming up after a reboot (matches the timestamps for the never-used LOGIN entries in /var/run/utmp). I do see these lines in /var/log/messages right afterward: Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17143): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove rule" key=(null) list=4 res=0 Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17144): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1 Thereafter, there are "dbus: Can't send to audit system" messages. The auditd service shows as running. If I restart auditd, audit.log shows "auditd normal halt" and "auditd start" messages, and after that messages do get logged to audit.log. I have no clue what might be setting audit_enabled=0 in the kernel, but that "remove rule" message just before makes me suspicious that it's SElinux related. -- Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it.

2 2

setroubleshootd not running
by Robert Nichols 21 Apr '10

21 Apr '10

What, in the hopelessly complex chain of process startups, is supposed to start setroubleshootd? I find it is either not getting started or silently dieing on my Fedora 12 system. I find I've been getting a bunch of AVCs logged, with no alert of course, and no way to get those AVCs translated with human-readable timestamps so that I have the slightest chance of correlating those with anything else going on in the system. ("sealert -a /var/log/audit/audit.log" just dies with "NameError: global name 'avc' is not defined".) The manpage for sealert mentions a GUI browser. That must have been in somebody's wet dream, because there is no such thing. Regardless of how sealert is started, the GUI menu discussed in the manpage does not exist. Again, SElinux turns out to be a bigger pain than anything it is supposedly protecting against. -- Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it.

3 6

Any log entries from semodule???
by Robert Nichols 21 Apr '10

21 Apr '10

Does the loading and removing of modules by semodule get logged anywhere? Apparently not. That would seem to be pretty important information. -- Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it.

3 4

system-config-selinux doesn't show policy modules
by Robert Nichols 21 Apr '10

21 Apr '10

In the system-config-selinux utility, when you select "Policy Module" nothing is displayed. Worthless! -- Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it.

2 1

SELinux Apache and Symbolic Links...GGGrrrr
by Another Sillyname 20 Apr '10

20 Apr '10

Hi All OK I've been playing with this for nearly two days now and cannot seem to get it working at all. In a nutshell. Standard Apache Server setup... in /var/www/html I have a subdirectory called reststop and within that is a symbolic link to a directory at /mnt/anotherdrive/newpath/nearlythere/reststop I have set the permissions chcon -R 775 /var/www/html/reststop I have set the permissions chcon -R 775 /mnt/anotherdrive/newpath/nearlythere/reststop I have set the se permissions chcon -R -h -t httpd_sys_content_t /var/www/html/reststop I have set the se permissions chcon -R -h -t httpd_sys_content_t /mnt/anotherdrive/newpath/nearlythere/reststop I have checked the settings using ls -Z and they are correct I have set the http.conf to allow followsymlinks If I set selinux to permissive I DO get an error message:- ------------------------------------------------------------ Summary: SELinux is preventing access to files with the label, file_t. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux permission checks on files labeled file_t are being denied. file_t is the context the SELinux kernel gives to files that do not have a label. This indicates a serious labeling problem. No files on an SELinux box should ever be labeled file_t. If you have just added a disk drive to the system you can relabel it using the restorecon command. For example if you saved the home directory from a previous installation that did not use SELinux, 'restorecon -R -v /home' will fix the labels. Otherwise you should relabel the entire file system. Allowing Access: You can execute the following command as root to relabel your computer system: "touch /.autorelabel; reboot" Additional Information: Source Context unconfined_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:file_t:s0 Target Objects reststop [ dir ] Source httpd Source Path /usr/sbin/httpd Port <Unknown> Host secretsquirrel.com Source RPM Packages httpd-2.2.14-1.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-108.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name file Host Name secretsquirrel.com Platform Linux secretsquirrel.com 2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Mon 19 Apr 2010 03:45:40 PM BST Last Seen Mon 19 Apr 2010 03:45:40 PM BST Local ID yadayadayada Line Numbers Raw Audit Messages node=secretsquirrel.com type=AVC msg=audit(1288463622.694:23321): avc: denied { read } for pid=3605 comm="httpd" name="reststop" dev=dm-0 ino=340012822 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir node=secretsquirrel.com type=SYSCALL msg=audit(1288463622.694:23321): arch=c000003e syscall=2 success=yes exit=16 a0=7f2f691d91c0 a1=90800 a2=7f2f691d5198 a3=7f2f691da150 items=0 ppid=3600 pid=3605 auid=500 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) ---------------------------------------------------------------- Why is the error message telling me files are labelled file_t when they are labelled httpd_sys_content_t? To confirm that I ls -RZ | grep file_t in the two directories I get no files returned. What am I missing here guys? and before anyone suggests it I don't just want to turn selinux off, I want to actually protect my system properly though. Thanks in advance

3 2

Re: snmp Permission denied on mounted filesystems
by Sandro Janke 19 Apr '10

19 Apr '10

On 04/16/2010 01:51 AM, Paul Ward wrote: > I have run the command as follows but I am still getting the permission issues. > > Apr 16 11:48:13 sargas snmpd[23987]: /home/work/exports: Permission denied > > # restorecon -v /home/work/exports > restorecon reset context /home/work/exports:->system_u:object_r:user_home_t Without the -R switch only the directory itself will be labeled. I'm pretty sure you want to run restorecon as suggested by dwalsh. What does 'ausearch -m -ts recent' tell? You can pipe the output to audit2why or audit2allow like: ausearch -m avc -ts recent | audit2why ausearch -m avc -ts recent | audit2allow -M mysnmp The latter will generate a loadable module. There is some documentation at [1] about creating and loading your own modules. [1] http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/sect-Security-En… > ls -lZd /home/work/exports > > drwxrwxr-x oracle dba system_u:object_r:user_home_t > /home/work/exports > > Whats next? > Do I need to restart something? > > > > > On 16 April 2010 11:11, Sandro Janke <gui1ty_fedora(a)penguinpee.nl> wrote: >> On 04/16/2010 12:33 AM, Paul Ward wrote: >>>> What does 'rpm -qv selinux-policy-targeted' say? >>>> What are the settings in /etc/selinux/config? >>> >>> My server shows the following selinux packages. >>> >>> selinux-policy-targeted-1.17.30-2.152.el4 >>> selinux-policy-targeted-sources-1.17.30-2.152.el4 >>> >>> I have run: >>> snmpwalk -v 2c -c public .iso >>> cd /etc/selinux/targeted/src/policy >>> audit2allow -d -l -o domains/misc/local.te >>> make load >>> >>> Until no more errors were found, this fixed theoriginal errors from >>> selinux, but not the permissions. >>> >>>> Try running restorecon -R -v /home >>> >>> If I run >>> >>> restorecon -R -v /home >>> >>> Would this affect a production servers running or should I do this in >>> a mainaintance window? >> >> Well, you can try to run it with the -n switch first to show you what >> would happen. According to the man page: "It can be run at any time to >> correct errors..." >> >>> On 15 April 2010 19:05, Sandro Janke <gui1ty_fedora(a)penguinpee.nl> wrote: >>>> On 04/15/2010 06:49 AM, Paul Ward wrote: >>>>> Hi all, >>>>> >>>>> I am sure this comes up a lot but have spent hours trying to find th >>>>> eanswers with no success apart from disabling selinux which I don't >>>>> want to do. >>>>> >>>>> Apr 15 16:48:26 sargas snmpd[23987]: /home/appl: Permission denied >>>>> >>>>> The following filesystems are mounted with same issue. >>>>> >>>>> /dev/sda7 3.9G 427M 3.3G 12% /home/appl >>>>> /dev/sda6 4.0G 2.7G 1.2G 71% /home/users >>>>> /dev/sda8 3.9G 2.5G 1.2G 68% /home/work >>>>> >>>>> ls -ldZ /home/appl/ >>>>> drwxr-xr-x root root /home/appl/ >>>> >>>> This shows that the directory has not been labeled, yet. >>>> >>>>> /usr/sbin/sestatus >>>>> SELinux status: enabled >>>>> SELinuxfs mount: /selinux >>>>> Current mode: enforcing >>>>> >>>> >>>> Could it be that you don't have any policy package installed? >>>> >>>> What does 'rpm -qv selinux-policy-targeted' say? >>>> What are the settings in /etc/selinux/config? >>>> >>>>> What do I need to do to fix this chcon? If so what is the full comman >>>>> / context to enter? >>>>> >>>>> Thanks >>>>> -- >>>>> selinux mailing list >>>>> selinux(a)lists.fedoraproject.org >>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux >>>> >>>> >>> -- >>> selinux mailing list >>> selinux(a)lists.fedoraproject.org >>> https://admin.fedoraproject.org/mailman/listinfo/selinux >> >>

3 5

postfix + dovecot, could these use fuse_t - designer/developer question
by lejeczek 18 Apr '10

18 Apr '10

maybe with a help of a boolean/s? cheers

2 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux April 2010