I am trying to allow OpenVPN to use Amazon Simple Notification Service (SNS), so that each time a client connects to the VPN, OpenVPN triggers a bash script that will use Amazon SNS.
Amazon SNS is a Java program launched via bash scripts. It is in aws/SimpleNotificationServiceCli/bin/ for the .sh and /lib for the .jar.
OpenVPN launches a script in /etc/openvpn/client-connect.
OpenVPN runs confined and I don't want to poke a big hole just to run SNS.
So I tried to "confine" SNS and allow the transition from OpenVPN, but it didn't go well (config files below). I wonder if it could be just as good to allow OpenVPN to escape its confinement only to call the relevant SNS script?
From documentation and audit2allow I got to these configuration files.
But it still doesn't authorize the script to run, and now the messages trigger errors in audit2allow:
libsepol.mls_from_string: invalid MLS context
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:proc_t: to sid
libsepol.context_from_record: type op is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:op:s0 to sid
libsepol.context_from_record: type openvpn_ is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:openvpn_:s0 to sid
libsepol.context_from_record: type shell_e is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:shell_e:s0 to sid
$ cat amz_sns.fc
/opt/aws/SimpleNotificationServiceCli.*/bin/.*   --   gen_context(system_u:object_r:amz_sns_exec_t,s0)
/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?     gen_context(system_u:object_r:amz_sns_lib_t,s0)

$ cat amz_sns.te
policy_module( amz_sns, 1.0.0)

require {
    type openvpn_t;
    type openvpn_tmp_t;
    type shell_exec_t;
}

type amz_sns_t;
type amz_sns_exec_t;
type amz_sns_lib_t;

files_type(amz_sns_lib_t);

domain_type(amz_sns_t)
domain_entry_file(amz_sns_t, amz_sns_exec_t)

allow amz_sns_t amz_sns_exec_t:file { read execute entrypoint };
domain_auto_trans( openvpn_t, amz_sns_exec_t, amz_sns_t );

role system_r types amz_sns_t; # ???

# The child process sends a signal to its parent as it dies
allow amz_sns_t openvpn_t:process sigchld;

allow amz_sns_t openvpn_tmp_t:file write; # For /tmp/debug

allow amz_sns_t shell_exec_t:file { read open execute execute_no_trans }; # Bash exec
Bruno
On Fri, 2013-01-11 at 10:50 +0100, Bruno Vernay wrote:
Strange question maybe, but what text editor did you use to create this policy?
It almost seems that your amz_sns.fc messes up the file context specifications (some clients append hidden symbols).
Also make sure you end your fc file with a newline.
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
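Dominick's two suspicions above (hidden characters in amz_sns.fc and a missing final newline) are the kind of thing a small checker catches before the file ever reaches semodule. The following is an added example, not code from the thread or from the SELinux tools: it validates the three-column fc syntax (path regex, optional file-type flag, context), using Python's re as an approximation of the regex dialect libselinux uses; GOOD_FC reproduces the two lines Bruno posted, and the damaged lines in BAD_FC are constructed.

```python
import re

# Constructed inputs. GOOD_FC reproduces the two lines Bruno posted; BAD_FC is
# a deliberately damaged copy: a non-breaking space before gen_context, a CRLF
# line ending, an invalid file-type flag and no final newline.
GOOD_FC = (
    "/opt/aws/SimpleNotificationServiceCli.*/bin/.*\t--\tgen_context(system_u:object_r:amz_sns_exec_t,s0)\n"
    "/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?\tgen_context(system_u:object_r:amz_sns_lib_t,s0)\n"
)
BAD_FC = (
    "/opt/aws/SimpleNotificationServiceCli.*/bin/.* --\u00a0gen_context(system_u:object_r:amz_sns_exec_t,s0)\r\n"
    "/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)? -x gen_context(system_u:object_r:amz_sns_lib_t,s0)"
)

# File-type flags accepted in the optional middle column of an fc line.
FILE_TYPE_FLAGS = {"--", "-d", "-l", "-b", "-c", "-p", "-s"}
GEN_CONTEXT_RE = re.compile(r"^gen_context\(([^,()\s]+)(?:,([^,()\s]+))?(?:,([^,()\s]+))?\)$")
CONTEXT_RE = re.compile(r"^[A-Za-z0-9_.]+:[A-Za-z0-9_.]+:[A-Za-z0-9_.]+$")


def hidden_chars(line):
    """Columns of characters outside printable ASCII (tab is allowed)."""
    return [(i, repr(ch)) for i, ch in enumerate(line)
            if ch != "\t" and not 0x20 <= ord(ch) <= 0x7E]


def check_context(ctx):
    """Messages about the context column: gen_context(...), <<none>> or raw."""
    if ctx == "<<none>>":
        return []
    m = GEN_CONTEXT_RE.match(ctx)
    if m:
        context = m.group(1)
    elif ctx.count(":") >= 2:
        context = ":".join(ctx.split(":")[:3])   # raw user:role:type[:mls]
    else:
        return ["context is neither gen_context(...) nor user:role:type"]
    if not CONTEXT_RE.match(context):
        return ["malformed security context %r" % context]
    type_name = context.split(":")[2]
    if not type_name.endswith("_t"):
        return ["type %r does not follow the _t naming convention" % type_name]
    return []


def check_fc(text):
    """Validate fc file text; returns a list of (lineno, message) findings."""
    findings = []
    if text and not text.endswith("\n"):
        findings.append((None, "file does not end with a newline"))
    # Split on "\n" only, so a stray "\r" shows up as a hidden character.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, shown in hidden_chars(line):
            findings.append((lineno, "non-printable character %s at column %d" % (shown, col + 1)))
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) == 2:
            path_re, flag, ctx = fields[0], None, fields[1]
        elif len(fields) == 3:
            path_re, flag, ctx = fields
        else:
            findings.append((lineno, "expected '<regex> [flag] <context>', got %d fields" % len(fields)))
            continue
        if not path_re.startswith("/"):
            findings.append((lineno, "path regex must be an absolute path"))
        try:
            re.compile(path_re)   # approximation of the libselinux regex dialect
        except re.error as exc:
            findings.append((lineno, "path regex does not compile: %s" % exc))
        if flag is not None and flag not in FILE_TYPE_FLAGS:
            findings.append((lineno, "unknown file-type flag %r" % flag))
        findings.extend((lineno, msg) for msg in check_context(ctx))
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD_FC", GOOD_FC), ("BAD_FC", BAD_FC)):
        print(name, check_fc(text) or "clean")
```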
On Fri, Jan 11, 2013 at 1:29 PM, Dominick Grift dominick.grift@gmail.com wrote:
- I used vi (it is a headless Amazon AMI free tier).
- It ends with a newline.
- I even checked with hexdump for alien characters and it seems clean to me.
On Mon, 2013-01-14 at 11:05 +0100, Bruno Vernay wrote:
Strange. OK, shot in the dark, but you might try cleaning up the TE file a bit:

policy_module(amz_sns, 1.0.0)

gen_require(`
    type openvpn_t;
    type openvpn_tmp_t;
')

type amz_sns_t;
type amz_sns_exec_t;
domain_type(amz_sns_t)
domain_entry_file(amz_sns_t, amz_sns_exec_t)
role system_r types amz_sns_t;

domtrans_pattern(openvpn_t, amz_sns_exec_t, amz_sns_t)

allow amz_sns_t openvpn_tmp_t:file write;

corecmd_exec_shell(amz_sns_t)

Also I am not sure how SELinux deals with the underscore in module and type names (amz_sns).
On Mon, Jan 14, 2013 at 12:42 PM, Dominick Grift dominick.grift@gmail.com wrote:
Sorry for the delay ...
- I renamed "amz_sns" to "amzsns".
- I applied your changes.
- I relaunched to go further each time, until I had no more messages. But it doesn't mean that it is working either.
Now I have no more messages in audit.log (SELinux enabled or not). My script works only when SELinux is disabled.
What could I do now?
/*************************************************************************************/
$ cat amzsns.fc
/opt/aws/SimpleNotificationServiceCli.*/bin/.*   --   gen_context(system_u:object_r:amzsns_exec_t,s0)
/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?     gen_context(system_u:object_r:amzsns_lib_t,s0)

$ cat amzsns.te
policy_module( amzsns, 1.0.0)

require {
    type openvpn_t;
    type openvpn_tmp_t;
    type shell_exec_t;
    type unlabeled_t;
    type etc_t;
    type openvpn_etc_t;
    type openvpn_etc_rw_t;
    type proc_t;
    type usr_t;
    type java_exec_t;
    type tmp_t;
    type locale_t;
    type net_conf_t;
    type proc_net_t;
    type ephemeral_port_t;
    type http_port_t;
    type random_device_t;
    type urandom_device_t;
    type cert_t;
}

type amzsns_t;
type amzsns_exec_t;
type amzsns_lib_t;
domain_type(amzsns_t)
domain_entry_file(amzsns_t, amzsns_exec_t)
role system_r types amzsns_t;

domtrans_pattern(openvpn_t, amzsns_exec_t, amzsns_t)

allow amzsns_t openvpn_tmp_t:file write;

corecmd_exec_shell(amzsns_t)
allow openvpn_t unlabeled_t:file { execute getattr };

allow amzsns_t etc_t:file { read open getattr };
allow amzsns_t openvpn_etc_t:dir { search getattr };
allow amzsns_t proc_t:file { read open getattr };
allow amzsns_t usr_t:lnk_file { read getattr };
allow amzsns_t usr_t:file { getattr read open };

allow amzsns_t amzsns_exec_t:file execute_no_trans;

allow amzsns_t bin_t:file { read open execute getattr execute_no_trans };

allow amzsns_t amzsns_lib_t:dir { read open search getattr };
allow amzsns_t amzsns_lib_t:file { read getattr open };
allow amzsns_t etc_t:lnk_file read;
allow amzsns_t self:fifo_file { read ioctl write getattr };
allow amzsns_t self:process execmem;

allow amzsns_t tmp_t:dir { write add_name create read remove_name };
allow amzsns_t tmp_t:file { create read write open unlink };
allow amzsns_t locale_t:file { read open getattr };
allow amzsns_t locale_t:dir { read open search getattr };
allow amzsns_t openvpn_etc_rw_t:file { read write };

allow amzsns_t net_conf_t:file { read open getattr };
allow amzsns_t proc_net_t:file { read open getattr };
allow amzsns_t self:tcp_socket { create listen getattr connect accept shutdown getopt setopt };
allow amzsns_t self:udp_socket { create connect getattr };
allow amzsns_t self:netlink_route_socket { create bind getattr nlmsg_read };
allow amzsns_t ephemeral_port_t:tcp_socket name_connect;
allow amzsns_t http_port_t:tcp_socket name_connect;

allow amzsns_t random_device_t:chr_file { read getattr open };
allow amzsns_t cert_t:dir search;
allow amzsns_t cert_t:file { getattr read open };

allow amzsns_t urandom_device_t:chr_file { getattr read open };

allow amzsns_t java_exec_t:file { read open execute getattr execute_no_trans };
/*************************************************************************************/
Here are the different steps using audit2allow:

1/
allow openvpn_t unlabeled_t:file { execute getattr };

2/
#============= amzsns_t ==============
allow amzsns_t etc_t:file read;
allow amzsns_t openvpn_etc_t:dir { search getattr };
allow amzsns_t proc_t:file read;
allow amzsns_t usr_t:lnk_file read;

3/
#============= amzsns_t ==============
allow amzsns_t amzsns_exec_t:file execute_no_trans;
allow amzsns_t etc_t:file open;
allow amzsns_t proc_t:file open;

4/
#============= amzsns_t ==============
allow amzsns_t bin_t:file execute;
allow amzsns_t etc_t:file getattr;
allow amzsns_t proc_t:file getattr;

5/
#============= amzsns_t ==============
allow amzsns_t bin_t:file { read open };

6/
#============= amzsns_t ==============
allow amzsns_t amzsns_lib_t:dir read;
allow amzsns_t bin_t:file getattr;
allow amzsns_t etc_t:lnk_file read;
allow amzsns_t self:fifo_file read;

7/
#============= amzsns_t ==============
allow amzsns_t amzsns_lib_t:dir open;
allow amzsns_t bin_t:file execute_no_trans;
allow amzsns_t java_exec_t:file { execute getattr };

8/
#============= amzsns_t ==============
allow amzsns_t amzsns_lib_t:dir search;
allow amzsns_t java_exec_t:file { read open };
allow amzsns_t self:fifo_file ioctl;

9/
#============= amzsns_t ==============
allow amzsns_t amzsns_lib_t:file getattr;
allow amzsns_t java_exec_t:file execute_no_trans;

10/
#============= amzsns_t ==============
allow amzsns_t self:fifo_file { write getattr };
allow amzsns_t self:process execmem;
allow amzsns_t tmp_t:dir write;

11/
#============= amzsns_t ==============
allow amzsns_t amzsns_lib_t:file read;
allow amzsns_t locale_t:file read;
allow amzsns_t openvpn_etc_rw_t:file { read write };
allow amzsns_t tmp_t:dir add_name;
allow amzsns_t usr_t:lnk_file getattr;

12/
#============= amzsns_t ==============
allow amzsns_t amzsns_lib_t:dir getattr;
allow amzsns_t amzsns_lib_t:file open;
allow amzsns_t locale_t:file open;
allow amzsns_t tmp_t:dir create;

13/
#============= amzsns_t ==============
allow amzsns_t locale_t:file getattr;
allow amzsns_t net_conf_t:file read;
allow amzsns_t proc_net_t:file read;
allow amzsns_t random_device_t:chr_file { read getattr };
allow amzsns_t self:tcp_socket create;
allow amzsns_t tmp_t:file create;
allow amzsns_t usr_t:file getattr;

13/
#============= amzsns_t ==============
allow amzsns_t cert_t:dir search;
allow amzsns_t locale_t:dir read;
allow amzsns_t net_conf_t:file open;
allow amzsns_t proc_net_t:file open;
allow amzsns_t random_device_t:chr_file open;
allow amzsns_t self:tcp_socket listen;
allow amzsns_t tmp_t:dir read;
allow amzsns_t tmp_t:file { read write open };
#!!!! This avc can be allowed using the boolean 'global_ssp'
allow amzsns_t urandom_device_t:chr_file getattr;
allow amzsns_t usr_t:file read;

14/
#============= amzsns_t ==============
allow amzsns_t net_conf_t:file getattr;
allow amzsns_t proc_net_t:file getattr;
allow amzsns_t self:netlink_route_socket create;
allow amzsns_t self:udp_socket create;
allow amzsns_t tmp_t:dir remove_name;
#!!!! This avc can be allowed using the boolean 'global_ssp'
allow amzsns_t urandom_device_t:chr_file read;

15/
#============= amzsns_t ==============
allow amzsns_t cert_t:file getattr;
allow amzsns_t locale_t:dir open;
allow amzsns_t self:netlink_route_socket bind;
allow amzsns_t self:tcp_socket getattr;
allow amzsns_t self:udp_socket connect;
allow amzsns_t tmp_t:file unlink;
#!!!! This avc can be allowed using the boolean 'global_ssp'
allow amzsns_t urandom_device_t:chr_file open;
allow amzsns_t usr_t:file open;

16/
#============= amzsns_t ==============
allow amzsns_t locale_t:dir search;
allow amzsns_t self:netlink_route_socket getattr;
allow amzsns_t self:tcp_socket connect;

17/
#============= amzsns_t ==============
allow amzsns_t ephemeral_port_t:tcp_socket name_connect;
allow amzsns_t locale_t:dir getattr;

18/
#============= amzsns_t ==============
allow amzsns_t self:tcp_socket accept;

19/
#============= amzsns_t ==============
allow amzsns_t self:tcp_socket shutdown;

At this point, I have no more messages in audit.log, but the script isn't working either. So I setenforce 0 to continue:

20/
#============= amzsns_t ==============
allow amzsns_t http_port_t:tcp_socket name_connect;
allow amzsns_t self:netlink_route_socket nlmsg_read;
allow amzsns_t self:tcp_socket { getopt setopt };
allow amzsns_t self:udp_socket getattr;
By the way, do I have to uninstall the previous module, or can I just install the new one with "semodule -i amzsns.pp" without issuing a "semodule -r amzsns"? (It takes quite a time.)
Regards,
Bruno
On Thu, 2013-02-07 at 14:55 +0100, Bruno Vernay wrote:
You can use underscores in module names without problems.
You do not have to uninstall the previous module if you use semodule -i.
I encountered issues similar to yours. It is annoying. However, eventually they stop here.
I am not sure about the exact pattern, but:
- if enforcing
- if running semodule -B after installing the module
So try it out.
See if it still spits out those messages if you are enforcing and ran semodule -B.
Regardless, the messages can be ignored because the types do exist: you can verify with seinfo: seinfo -t | grep $TYPE
It's some weird non-fatal bug.
OK, I found "semodule -DB" (http://selinux-mac.blogspot.fr/2009/07/faq-selinux-denies-access-but-avc.htm...). Also thanks for allowing me to skip "semodule -r".
So I can continue ...

21/
#============= amzsns_t ==============
allow amzsns_t self:netlink_route_socket { write read };
allow amzsns_t self:tcp_socket { write read };
allow amzsns_t self:udp_socket { write read };

#============= openvpn_t ==============
allow openvpn_t amzsns_t:process { siginh rlimitinh noatsecure };

And below is my working result. Problem is: what does it do? (I will do some research, but if you have some idea to simplify, or some warning, do not hesitate to comment.)

policy_module( amzsns, 1.0.0)

require {
    type openvpn_t;
    type openvpn_tmp_t;
    type shell_exec_t;
    type unlabeled_t;
    type etc_t;
    type openvpn_etc_t;
    type openvpn_etc_rw_t;
    type proc_t;
    type usr_t;
    type java_exec_t;
    type tmp_t;
    type locale_t;
    type net_conf_t;
    type proc_net_t;
    type ephemeral_port_t;
    type http_port_t;
    type random_device_t;
    type urandom_device_t;
    type cert_t;
}

type amzsns_t;
type amzsns_exec_t;
type amzsns_lib_t;
domain_type(amzsns_t)
domain_entry_file(amzsns_t, amzsns_exec_t)
role system_r types amzsns_t;

domtrans_pattern(openvpn_t, amzsns_exec_t, amzsns_t)

allow openvpn_t unlabeled_t:file { execute getattr }; # Execute unlabeled files ? But why ?
allow openvpn_t amzsns_t:process { siginh rlimitinh noatsecure }; # Necessary for transition

allow amzsns_t openvpn_tmp_t:file write;

corecmd_exec_shell(amzsns_t)

# Read some files:
allow amzsns_t etc_t:file { read open getattr };
allow amzsns_t etc_t:lnk_file read;
allow amzsns_t openvpn_etc_t:dir { search getattr };
allow amzsns_t openvpn_etc_rw_t:file { read write }; # This is openVPN ipp.txt (I will move it)
allow amzsns_t proc_t:file { read open getattr };
allow amzsns_t usr_t:lnk_file { read getattr };
allow amzsns_t usr_t:file { getattr read open };

allow amzsns_t amzsns_exec_t:file execute_no_trans; # ?

allow amzsns_t bin_t:file { read open execute getattr execute_no_trans }; # ???

allow amzsns_t amzsns_lib_t:dir { read open search getattr };
allow amzsns_t amzsns_lib_t:file { read getattr open };

allow amzsns_t self:fifo_file { read ioctl write getattr }; # ??
allow amzsns_t self:process execmem;

# Network access:
allow amzsns_t net_conf_t:file { read open getattr };
allow amzsns_t proc_net_t:file { read open getattr };
allow amzsns_t self:tcp_socket { create listen getattr connect accept shutdown getopt setopt read write };
allow amzsns_t self:udp_socket { create connect getattr read write };
allow amzsns_t self:netlink_route_socket { create bind getattr nlmsg_read read write };
allow amzsns_t ephemeral_port_t:tcp_socket name_connect;
allow amzsns_t http_port_t:tcp_socket name_connect;

allow amzsns_t tmp_t:dir { write add_name create read remove_name };
allow amzsns_t tmp_t:file { create read write open unlink };
allow amzsns_t locale_t:dir { read open search getattr };
allow amzsns_t locale_t:file { getattr read open };
allow amzsns_t cert_t:dir search;
allow amzsns_t cert_t:file { getattr read open };

allow amzsns_t random_device_t:chr_file { getattr read open };
allow amzsns_t urandom_device_t:chr_file { getattr read open };

allow amzsns_t java_exec_t:file { read open execute getattr execute_no_trans }; # ???
On Thu, 2013-02-07 at 16:40 +0100, Bruno Vernay wrote:
Some quick comments in-line
> OK, I found "semodule -DB" (http://selinux-mac.blogspot.fr/2009/07/faq-selinux-denies-access-but-avc.htm...). Also thanks for allowing me to skip "semodule -r".
> So I can continue ...
>
> 21/
> #============= amzsns_t ==============
> allow amzsns_t self:netlink_route_socket { write read };
> allow amzsns_t self:tcp_socket { write read };
> allow amzsns_t self:udp_socket { write read };
>
> #============= openvpn_t ==============
> allow openvpn_t amzsns_t:process { siginh rlimitinh noatsecure };

It's probably inheriting those sockets from openvpn, or else it may signal a leaked file descriptor. You would need to look in the audit.log to see if the SYSCALL succeeds.
If things do not work without the above permissions then I am pretty certain that it's some inheritance from openvpn or some other process.

> And below is my working result. Problem is: what does it do? (I will do some research, but if you have some idea to simplify, or some warning, do not hesitate to comment.)
>
> policy_module( amzsns, 1.0.0)
>
> require {
>     type openvpn_t;
>     type openvpn_tmp_t;
>     type shell_exec_t;
>     type unlabeled_t;
>     type etc_t;
>     type openvpn_etc_t;
>     type openvpn_etc_rw_t;
>     type proc_t;
>     type usr_t;
>     type java_exec_t;
>     type tmp_t;
>     type locale_t;
>     type net_conf_t;
>     type proc_net_t;
>     type ephemeral_port_t;
>     type http_port_t;
>     type random_device_t;
>     type urandom_device_t;
>     type cert_t;
> }
>
> type amzsns_t;
> type amzsns_exec_t;
> type amzsns_lib_t;
> domain_type(amzsns_t)
> domain_entry_file(amzsns_t, amzsns_exec_t)
> role system_r types amzsns_t;
>
> domtrans_pattern(openvpn_t, amzsns_exec_t, amzsns_t)
>
> allow openvpn_t unlabeled_t:file { execute getattr }; # Execute unlabeled files ? But why ?

See the AVC denials for clues. There should be no unlabeled files.

> allow openvpn_t amzsns_t:process { siginh rlimitinh noatsecure }; # Necessary for transition

The above should not be needed and you can/should probably dontaudit that (there are a few cases where it is needed, but not many, so see if you can do without).

> allow amzsns_t openvpn_tmp_t:file write;

Either a leaked file descriptor or inherited. See if the SYSCALL succeeds. If it doesn't, even though you allowed access, then chances are that it's a leaked file descriptor that you can dontaudit instead.

> corecmd_exec_shell(amzsns_t)
>
> # Read some files:
> allow amzsns_t etc_t:file { read open getattr };
> allow amzsns_t etc_t:lnk_file read;
> allow amzsns_t openvpn_etc_t:dir { search getattr };
> allow amzsns_t openvpn_etc_rw_t:file { read write }; # This is openVPN ipp.txt (I will move it)

It's also either a leak or inherited, since amzsns does not actually "open" it.

> allow amzsns_t proc_t:file { read open getattr };
> allow amzsns_t usr_t:lnk_file { read getattr };
> allow amzsns_t usr_t:file { getattr read open };
>
> allow amzsns_t amzsns_exec_t:file execute_no_trans; # ?

I guess it re-executes itself or executes a command that is also labeled amzsns_exec_t.

> allow amzsns_t bin_t:file { read open execute getattr execute_no_trans }; # ???

It's running generic binaries (stuff like ls etc., no problem).

> allow amzsns_t amzsns_lib_t:dir { read open search getattr };
> allow amzsns_t amzsns_lib_t:file { read getattr open };

Not sure what amzsns_lib_t is for content, but it might not be needed to create a private type for this content.

> allow amzsns_t self:fifo_file { read ioctl write getattr }; # ??

Internal communication is often done with fifo files (this is common and no problem).

> allow amzsns_t self:process execmem;

The above sucks, but I guess if you need it, you need it.

> # Network access:
> allow amzsns_t net_conf_t:file { read open getattr };
> allow amzsns_t proc_net_t:file { read open getattr };
> allow amzsns_t self:tcp_socket { create listen getattr connect accept shutdown getopt setopt read write };
> allow amzsns_t self:udp_socket { create connect getattr read write };
> allow amzsns_t self:netlink_route_socket { create bind getattr nlmsg_read read write };
> allow amzsns_t ephemeral_port_t:tcp_socket name_connect;

Should probably figure out which port it is and see if you can give it a label that is more appropriate, because this is kind of coarse.

> allow amzsns_t http_port_t:tcp_socket name_connect;
>
> allow amzsns_t tmp_t:dir { write add_name create read remove_name };
> allow amzsns_t tmp_t:file { create read write open unlink };
> allow amzsns_t locale_t:dir { read open search getattr };
> allow amzsns_t locale_t:file { getattr read open };
> allow amzsns_t cert_t:dir search;
> allow amzsns_t cert_t:file { getattr read open };
>
> allow amzsns_t random_device_t:chr_file { getattr read open };
> allow amzsns_t urandom_device_t:chr_file { getattr read open };
>
> allow amzsns_t java_exec_t:file { read open execute getattr execute_no_trans }; # ???

I guess it executes Java (is this some Java app?). Anyway, no problem.
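Dominick's test above (look in audit.log for whether the SYSCALL record paired with a denial succeeded) decides between a real "allow" and a "dontaudit" for an inherited or leaked descriptor. The script below is an added example, not code from the thread or from any SELinux tool: it pairs AVC and SYSCALL records by audit serial and proposes a rule per denial; the audit records in SAMPLE_AUDIT_LOG are constructed to resemble the amzsns_t denials discussed, and the execve syscall numbers come from the x86_64 and i386 kernel ABIs.

```python
import re
from collections import OrderedDict

# Constructed audit.log excerpt (not from the thread). Serial 4521: a write
# denial on an openvpn_tmp_t file raised while the openvpn_t child execs into
# amzsns_t (the execve itself succeeded, so the fd was simply closed at the
# transition). Serial 4522: a genuine name_connect denial (connect failed,
# EACCES).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1360243110.123:4521): avc:  denied  { write } for  pid=2044 comm="client-connect" path="/tmp/openvpn-debug" dev="xvda1" ino=5150 scontext=system_u:system_r:amzsns_t:s0 tcontext=system_u:object_r:openvpn_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1360243110.123:4521): arch=c000003e syscall=59 success=yes exit=0 a0=7f0 a1=7f1 a2=7f2 a3=0 items=0 ppid=1999 pid=2044 comm="client-connect" exe="/bin/bash" subj=system_u:system_r:amzsns_t:s0 key=(null)
type=AVC msg=audit(1360243115.456:4522): avc:  denied  { name_connect } for  pid=2044 comm="java" dest=80 scontext=system_u:system_r:amzsns_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1360243115.456:4522): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7f3 a2=10 a3=0 items=0 ppid=1999 pid=2044 comm="java" exe="/usr/bin/java" subj=system_u:system_r:amzsns_t:s0 key=(null)
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
AVC_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
SYSCALL_RE = re.compile(r"arch=([0-9a-f]+)\s+syscall=(\d+)\s+success=(yes|no)\s+exit=(-?\d+)")

# execve syscall number per audit "arch" value: x86_64 and i386.
EXECVE_NR = {"c000003e": 59, "40000003": 11}


def type_of(context):
    """user:role:type[:mls] -> type"""
    return context.split(":")[2]


def parse_events(text):
    """Group AVC and SYSCALL records of one audit event by their serial."""
    events = OrderedDict()
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        ev = events.setdefault(serial, {"serial": serial, "avcs": [], "syscall": None})
        if line.startswith("type=AVC"):
            a = AVC_RE.search(line)
            if a:
                ev["avcs"].append({"perms": a.group(1).split(),
                                   "source": type_of(a.group(2)),
                                   "target": type_of(a.group(3)),
                                   "tclass": a.group(4)})
        elif line.startswith("type=SYSCALL"):
            s = SYSCALL_RE.search(line)
            if s:
                ev["syscall"] = {"arch": s.group(1), "nr": int(s.group(2)),
                                 "success": s.group(3) == "yes",
                                 "exit": int(s.group(4))}
    return list(events.values())


def verdict_for(syscall):
    """Apply the SYSCALL-succeeded test to one event's SYSCALL record."""
    if syscall is None:
        return "review", "no SYSCALL record paired with this denial"
    if not syscall["success"]:
        return "allow", "syscall failed (exit=%d): the denial blocked a real operation" % syscall["exit"]
    if EXECVE_NR.get(syscall["arch"]) == syscall["nr"]:
        # SELinux closes descriptors the new domain may not use when it commits
        # the exec; the denial is logged but execve itself succeeds.
        return "dontaudit", "execve succeeded: an inherited fd was closed at the domain transition"
    return "review", "syscall succeeded despite the denial (permissive mode or an inherited fd?)"


def classify_events(text):
    """One proposed TE rule per AVC denial, with the verdict and its reason."""
    results = []
    for ev in parse_events(text):
        verdict, reason = verdict_for(ev["syscall"])
        keyword = {"allow": "allow", "dontaudit": "dontaudit"}.get(verdict, "# review: allow")
        for avc in ev["avcs"]:
            rule = "%s %s %s:%s { %s };" % (keyword, avc["source"], avc["target"],
                                            avc["tclass"], " ".join(avc["perms"]))
            results.append({"serial": ev["serial"], "verdict": verdict,
                            "reason": reason, "rule": rule})
    return results


if __name__ == "__main__":
    for r in classify_events(SAMPLE_AUDIT_LOG):
        print("%d %-9s %s  # %s" % (r["serial"], r["verdict"], r["rule"], r["reason"]))
```

Run it over a real audit.log with "semodule -DB" in effect, since dontaudit rules already in the loaded policy otherwise hide exactly the records this test needs.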