Hi,
here is a sample policy for Tomcat5. Could we integrate this (or a reviewed and much better version) into fedora?
regards
christoph
I'm very excited to learn more about SELinux as I jump into configuring this amazing tool, so I hope you folks don't mind a beginner question or two. Right now I'm attempting to better understand AVC logs. I've got Samba set up to do standard file sharing on CentOS 5.1. The default targeted policy is set in enforcing mode. When set to permissive, no problem. However, enforcing gives me the error below. I've already set the following booleans to 1, which has not helped:
samba_enable_home_dirs on
use_samba_home_dirs on
Could a kind soul share with me what the log below is telling me?
Thanks!
lance
PS: Is there any way to configure SELinux/auditd to use regular dates, as syslogd does?
type=AVC msg=audit(1199209100.230:984): avc: denied { read } for pid=26929 comm="smbd" name="home" dev=sdb1 ino=92504065 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1199209100.230:984): arch=40000003 syscall=5 success=no exit=-13 a0=93f9288 a1=18800 a2=bf85dccc a3=93f9268 items=0 ppid=22310 pid=26929 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=user_u:system_r:smbd_t:s0 key=(null)
Thanks for the tremendous feedback so far, I appreciate it! I hope this is not bad form, but I would like to answer my own question, and then I have more questions. The error below shows that the Samba SMB service could not access 'home', which turns out to be /home.
System# ls -ldZ /home
drwxr-xr-x  root root system_u:object_r:home_root_t /home
For some reason smbd_t cannot access home_root_t. So I did a chcon on /home, which fixed the problem. My question is: by fixing the error, have I made Samba more insecure? Was this a bug? Is there something I could do instead?
chcon system_u:object_r:user_home_dir_t /home
Thanks!
lance
type=AVC msg=audit(1199209100.230:984): avc: denied { read } for pid=26929 comm="smbd" name="home" dev=sdb1 ino=92504065 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1199209100.230:984): arch=40000003 syscall=5 success=no exit=-13 a0=93f9288 a1=18800 a2=bf85dccc a3=93f9268 items=0 ppid=22310 pid=26929 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=user_u:system_r:smbd_t:s0 key=(null)
On Tue, 2008-01-01 at 11:47 -0600, Lance Spitzner wrote:
> PS: Is there any way to configure SELinux/auditd to use regular dates, as syslogd does?
Stop looking at audit logs directly. (I'll leave the policy questions to the policy people, sorry)
ausearch -m AVC -i
-Eric
> > PS: Is there any way to configure SELinux/auditd to use regular dates, as syslogd does?
> Stop looking at audit logs directly. (I'll leave the policy questions to the policy people, sorry)
> ausearch -m AVC -i
Very cool, thanks! One other outstanding suggestion I received was the RPM package 'setroubleshoot'. It does a mind-blowing, amazing job of taking AVC error messages and explaining to you exactly what they mean, with suggested actions. Not only does it help troubleshooting, but it helps to better understand SELinux in general. Now if only there were such a utility for the rest of Linux logging (dmesg anyone? :).
Thanks!
lance
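As an added example (not code from the thread, from ausearch or from setroubleshoot), here is a small Python parser that does for the two records posted above what `ausearch -i` and setroubleshoot do: it joins the AVC and SYSCALL lines by their audit serial, turns the audit(epoch:serial) stamp into a wall-clock date, decodes the negative exit code into its errno text, and emits the allow rule that a local module generated with audit2allow would carry for that denial. The sample records are embedded inline (copied from Lance's post); the summary wording imitates setroubleshoot's but is this example's own.

```python
import os
import re
from datetime import datetime, timezone

# Sample input (copied from the post above): one audit event, serial 984,
# emitted as an AVC record plus its SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1199209100.230:984): avc: denied { read } for pid=26929 comm="smbd" name="home" dev=sdb1 ino=92504065 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1199209100.230:984): arch=40000003 syscall=5 success=no exit=-13 a0=93f9288 a1=18800 a2=bf85dccc a3=93f9268 items=0 ppid=22310 pid=26929 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=user_u:system_r:smbd_t:s0 key=(null)
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(text):
    """Turn 'k=v k="quoted v" ...' into a dict; quoted values lose their quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(text)}


def parse_record(line):
    """Parse one audit record; returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    # audit(secs.ms:serial): build the time from the integer parts so the
    # milliseconds survive exactly instead of going through a float.
    when = datetime.fromtimestamp(int(m["secs"]), tz=timezone.utc).replace(
        microsecond=int(m["ms"]) * 1000)
    rec = {"type": m["type"], "serial": int(m["serial"]), "time": when}
    if rec["type"] == "AVC":
        a = AVC_RE.match(m["body"])
        if a is None:
            return None
        rec["result"] = a["result"]
        rec["perms"] = a["perms"].split()
        rec.update(parse_fields(a["rest"]))
    else:
        rec.update(parse_fields(m["body"]))
    return rec


def parse_log(text):
    """Group records that share a serial into one event (what ausearch shows together)."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"serial": rec["serial"], "time": rec["time"],
                                                "avcs": [], "syscall": None})
        if rec["type"] == "AVC":
            ev["avcs"].append(rec)
        elif rec["type"] == "SYSCALL":
            ev["syscall"] = rec
    return [events[k] for k in sorted(events)]


def context_type(ctx):
    """user:role:type[:range] -> type, the part a policy rule names."""
    return ctx.split(":")[2]


def allow_rule(avc):
    """The allow rule audit2allow would generate for this single denial."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (context_type(avc["scontext"]),
                                    context_type(avc["tcontext"]), avc["tclass"], perm_str)


def describe(event):
    """One readable line per denial, with a wall-clock date instead of an epoch."""
    sc = event["syscall"] or {}
    exe = sc.get("exe") or (event["avcs"][0].get("comm") if event["avcs"] else "?")
    lines = []
    for avc in event["avcs"]:
        target = avc.get("path") or avc.get("name") or "?"
        line = "%s: SELinux is preventing %s (%s) %s access to %s (%s)" % (
            event["time"].strftime("%Y-%m-%d %H:%M:%S %Z"), exe, context_type(avc["scontext"]),
            ",".join(avc["perms"]), target, context_type(avc["tcontext"]))
        if sc.get("exit", "").startswith("-"):      # exit=-13 is -EACCES
            line += " [%s]" % os.strerror(-int(sc["exit"]))
        lines.append(line)
    return lines


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_AUDIT_LOG):
        for line in describe(ev):
            print(line)
        for avc in ev["avcs"]:
            print("  rule a local module would carry:", allow_rule(avc))
```

For the posted event this prints a 2008-01-01 17:38:20 UTC stamp for audit(1199209100.230:984) and the rule `allow smbd_t home_root_t:dir read;`. Emitting the rule is the easy part; loading it widens what every smbd_t process may read, policy-wide, so whether a module, a boolean or a relabel is the right fix is still the question the thread is asking.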
Summary: SELinux is preventing /usr/sbin/named (named_t) "getattr" access to /dev/random (tmpfs_t).
Detailed Description: SELinux denied access requested by /usr/sbin/named. It is not expected that this access is required by /usr/sbin/named, and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a bug at http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/random: restorecon -v /dev/random. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access (see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385), or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a bug at http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "named_disable_trans" boolean to true will disable SELinux protection for this application: "setsebool -P named_disable_trans=1".
The following command will allow this access: setsebool -P named_disable_trans=1
Additional Information
Source Context: user_u:system_r:named_t
Target Context: system_u:object_r:tmpfs_t
Target Objects: /dev/random [ chr_file ]
Affected RPM Packages:
Policy RPM:
Selinux Enabled:
Policy Type:
MLS Enabled:
Enforcing Mode:
Plugin Name: plugins.disable_trans
Host Name:
Platform:
Alert Count: 1
Line Numbers: 1689,1690
Raw Audit Messages
avc: denied { getattr } for comm="named" dev=sdb1 egid=25 euid=25 exe="/usr/sbin/named" exit=-13 fsgid=25 fsuid=25 gid=25 items=0 path="/dev/random" pid=10791 scontext=user_u:system_r:named_t:s0 sgid=25 subj=user_u:system_r:named_t:s0 suid=25 tclass=chr_file tcontext=system_u:object_r:tmpfs_t:s0 tty=(none) uid=25
On Tue, 2008-01-01 at 20:59 -0600, Lance Spitzner wrote:
> Summary: SELinux is preventing /usr/sbin/named (named_t) "getattr" access to /dev/random (tmpfs_t).
Ummm, how did it get mislabeled? Hmmm, anyway, if you followed the restorecon suggestion I assume it started working....
-Eric
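The two problems in this thread end in opposite fixes: Lance relabeled /home with chcon to get smbd working, while setroubleshoot (and Eric) point at restorecon for a /dev/random that carries tmpfs_t. The check that separates the two cases is whether the object's current label matches what the policy's file_contexts say it should be (what `matchpathcon` or `restorecon -n -v` report). As an added example, not from the thread and not libselinux's code, here is a minimal emulation of that check over a constructed, abridged set of file_contexts entries. The entries are assumed to follow the default targeted policy's conventions for these paths (the real file is far larger), and the matcher keeps only the core rule, "last matching spec wins, honouring the optional file-type column", skipping the stem indexing and extra spec syntax libselinux has. It classifies a denial as a labeling problem (fix with restorecon) or as a policy gap (fix with a boolean or a local module), and it also shows that the chcon'd /home would itself be flagged, which is the caveat with chcon: the next restorecon or full relabel reverts it.

```python
import re

# Constructed, abridged file_contexts entries in the refpolicy format
# "<path regex> [<file type>] <context>". Assumption: these follow the default
# targeted policy's conventions for these paths; the real file is far larger.
FILE_CONTEXTS = """\
/.*                      system_u:object_r:default_t:s0
/dev(/.*)?               system_u:object_r:device_t:s0
/dev/random          -c  system_u:object_r:random_device_t:s0
/dev/urandom         -c  system_u:object_r:urandom_device_t:s0
/home                -d  system_u:object_r:home_root_t:s0
/home/[^/]+          -d  system_u:object_r:user_home_dir_t:s0
/home/[^/]+/.+           system_u:object_r:user_home_t:s0
"""

# AVC tclass -> the file-type column used in file_contexts.
TCLASS_TO_FTYPE = {"file": "--", "dir": "-d", "chr_file": "-c", "blk_file": "-b",
                   "lnk_file": "-l", "sock_file": "-s", "fifo_file": "-p"}


def load_specs(text):
    """Compile 'regex [ftype] context' lines; the file-type column is optional."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 2:
            regex, ftype, ctx = parts[0], None, parts[1]
        else:
            regex, ftype, ctx = parts
        specs.append((re.compile(regex), ftype, ctx))
    return specs


def expected_context(path, tclass, specs):
    """Emulate matchpathcon: the last spec whose regex matches the whole path,
    and whose file type (if given) matches the object class, wins."""
    ftype = TCLASS_TO_FTYPE.get(tclass)
    for regex, spec_ftype, ctx in reversed(specs):
        if regex.fullmatch(path) and (spec_ftype is None or spec_ftype == ftype):
            return ctx
    return None


def triage(path, tclass, tcontext, specs):
    """Compare the label in an AVC's tcontext with the policy's expected label."""
    expected = expected_context(path, tclass, specs)
    actual_type = tcontext.split(":")[2]
    if expected is None:
        verdict = "unknown"   # no spec: cannot tell a mislabel from a policy gap
        fix = "check the full file_contexts: matchpathcon %s" % path
    elif expected.split(":")[2] != actual_type:
        verdict = "relabel"
        fix = "restorecon -v %s   # resets %s back to %s" % (
            path, actual_type, expected.split(":")[2])
    else:
        verdict = "policy"
        fix = ("label already matches policy; the fix is a boolean or a local "
               "module (ausearch -m AVC | audit2allow -M local), not chcon")
    return {"path": path, "actual": actual_type, "expected": expected,
            "verdict": verdict, "fix": fix}


if __name__ == "__main__":
    specs = load_specs(FILE_CONTEXTS)
    cases = [
        # named's denial from the setroubleshoot report: /dev/random carrying tmpfs_t
        ("/dev/random", "chr_file", "system_u:object_r:tmpfs_t:s0"),
        # smbd's denial: /home carrying its correct label, home_root_t
        ("/home", "dir", "system_u:object_r:home_root_t:s0"),
        # /home after the chcon to user_home_dir_t
        ("/home", "dir", "system_u:object_r:user_home_dir_t:s0"),
    ]
    for path, tclass, tcontext in cases:
        r = triage(path, tclass, tcontext, specs)
        print("%-12s %-14s -> %-8s %s" % (r["path"], r["actual"], r["verdict"], r["fix"]))
```

Read against the thread: /dev/random labeled tmpfs_t is a relabel case, so restorecon is the right answer and named_disable_trans is the wrong one; /home labeled home_root_t is a policy case, so the denial is a question for the policy (a boolean or a local module), and the chcon that worked around it is exactly what the next restorecon will undo.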
Has no one a comment?
I'd never have thought that Tomcat was _that_ secure.
On Monday, 31.12.2007, 16:44 +0100, Christoph Höger wrote:
> Hi,
> here is a sample policy for Tomcat5. Could we integrate this (or a reviewed and much better version) into fedora?
> regards
> christoph
fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list