(Apologies in advance for the length of this mail. I am a total noob at SELinux so my vocabulary is probably not correct. Hopefully you will be able to understand from context what I am trying to say.)
I have been setting up x11vnc on some of my machines. It looks like there are a hundred different ways of setting it up but I have chosen to follow the spirit of this entry in the Fedora Forum:
http://forums.fedoraforum.org/showpost.php?p=1448696&postcount=2
This works with SELinux permissive but fails completely when enforcing.
Even when running permissively there are so many SELinux events in the first few seconds that many are dropped as shown here:
Jan 29 03:44:10 ecafe audispd: queue is full - dropping event
After several hours of scouring the system log, running sealert and creating policies, rinsing and repeating I think I have generated the command line that will identify all the events which occur during an x11vnc session:
egrep 'ps|x11vnc|tcpd|mission-control' /var/log/audit/audit.log | audit2allow -M mypol
By repetitively running that line, applying the generated policy then restarting the computer and launching a new vnc session eventually all the events are able to be recorded without filling the queue.
I will put my questions here together where they are easy to find and will post logs and other data below in case anyone wants to look at them...
1) I have copied the mypol.te file below. Could someone tell me if anything in there opens up a huge security risk?
2) Can I copy the mypol.pp file to another computer and apply the policy directly?
3) If yes, can I also copy it to a computer running Fedora 16 or 17?
4) Is there a simple way to convert a .te file to a .pp file?
5) If I put up this information as a How-To on the forum, is there a preferred way of defining the policy? For example:
a) publish this line... egrep 'ps|x11vnc|tcpd|mission-control' /var/log/audit/audit.log | audit2allow -M mypol ... and tell them to work from that
b) Publish the contents of the .te file (assuming there is a neat way to create a .pp file) and say "Trust me"
c) Put the .pp file somewhere accessible from the internet and say "Trust me even more"
d) Something else???
6) I have copied one of the outputs from sealert -l GUID below in case it is useful. I have kept copies of all the others. Please let me know if it would be useful to see them. I can supply them with no problem. There are seventeen different outputs.
7) Is there a simpler way of having x11vnc "running as a service" like Windows?
Thanks to anyone who can respond...
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
mypol.te (For brevity I have removed several lines saying #!!!! This avc is allowed in the current policy )
module mypol9 1.0;
require {
	type modemmanager_t;
	type ksmtuned_t;
	type shell_exec_t;
	type initrc_t;
	type fprintd_t;
	type telepathy_mission_control_exec_t;
	type user_devpts_t;
	type dhcpc_t;
	type cupsd_t;
	type inetd_t;
	type fsdaemon_t;
	type keyboardd_t;
	type udev_t;
	type admin_home_t;
	type xserver_t;
	type audisp_t;
	type policykit_t;
	type dnsmasq_t;
	type tcpd_t;
	type virtd_t;
	type bin_t;
	type rpcd_t;
	type crond_t;
	type apmd_t;
	type rtkit_daemon_t;
	type sysctl_kernel_t;
	type NetworkManager_t;
	type colord_t;
	type unconfined_t;
	type unconfined_dbusd_t;
	type rpcbind_t;
	type init_t;
	type auditd_t;
	type devpts_t;
	type syslogd_t;
	type xserver_port_t;
	type tty_device_t;
	type xdm_var_lib_t;
	type setroubleshootd_t;
	type system_dbusd_t;
	type var_log_t;
	type config_home_t;
	type accountsd_t;
	type passwd_file_t;
	type xdm_dbusd_t;
	type avahi_t;
	type proc_t;
	type bluetooth_t;
	type xdm_var_run_t;
	type xdm_tmp_t;
	type abrt_watch_log_t;
	type mcelog_t;
	type iscsid_t;
	type kernel_t;
	type rpm_t;
	type consolekit_t;
	type firewalld_t;
	type chronyd_t;
	type xdm_t;
	type systemd_logind_t;
	type sendmail_t;
	type sshd_t;
	type devicekit_power_t;
	type devicekit_disk_t;
	type tmpfs_t;
	class process setsched;
	class unix_stream_socket connectto;
	class chr_file getattr;
	class shm { write unix_read unix_write read destroy create };
	class capability { sys_ptrace dac_override };
	class tcp_socket name_connect;
	class file { rename execute read create ioctl execute_no_trans write getattr unlink open };
	class netlink_route_socket { bind create setopt nlmsg_read getattr };
	class lnk_file read;
	class udp_socket { create connect getattr };
	class dir { write getattr read remove_name create search add_name };
}
#============= tcpd_t ==============
allow tcpd_t NetworkManager_t:dir { getattr search };
allow tcpd_t NetworkManager_t:file { read open };
allow tcpd_t abrt_watch_log_t:dir { getattr search };
allow tcpd_t abrt_watch_log_t:file { read open };
allow tcpd_t accountsd_t:dir { getattr search };
allow tcpd_t accountsd_t:file { read open };
allow tcpd_t admin_home_t:dir search;
allow tcpd_t admin_home_t:file { read getattr open };
allow tcpd_t apmd_t:dir { getattr search };
allow tcpd_t apmd_t:file { read open };
allow tcpd_t audisp_t:dir { getattr search };
allow tcpd_t audisp_t:file { read open };
allow tcpd_t auditd_t:dir { getattr search };
allow tcpd_t auditd_t:file { read open };
allow tcpd_t avahi_t:dir { getattr search };
allow tcpd_t avahi_t:file { read open };
allow tcpd_t bin_t:file { ioctl execute read open getattr execute_no_trans };
allow tcpd_t bluetooth_t:dir { getattr search };
allow tcpd_t bluetooth_t:file { read open };
allow tcpd_t chronyd_t:dir { getattr search };
allow tcpd_t chronyd_t:file { read open };
allow tcpd_t colord_t:dir { getattr search };
allow tcpd_t colord_t:file { read open };
allow tcpd_t consolekit_t:dir { getattr search };
allow tcpd_t consolekit_t:file { read open };
allow tcpd_t crond_t:dir { getattr search };
allow tcpd_t crond_t:file { read open };
allow tcpd_t cupsd_t:dir { getattr search };
allow tcpd_t cupsd_t:file { read open };
allow tcpd_t devicekit_disk_t:dir { getattr search };
allow tcpd_t devicekit_disk_t:file { read open };
allow tcpd_t devicekit_power_t:dir { getattr search };
allow tcpd_t devicekit_power_t:file { read open };
allow tcpd_t devpts_t:dir { getattr search };
allow tcpd_t dhcpc_t:dir { getattr search };
allow tcpd_t dhcpc_t:file { read open };
allow tcpd_t dnsmasq_t:dir { getattr search };
allow tcpd_t dnsmasq_t:file { read open };
allow tcpd_t firewalld_t:dir { getattr search };
allow tcpd_t firewalld_t:file { read open };
allow tcpd_t fprintd_t:dir { getattr search };
allow tcpd_t fprintd_t:file { read open };
allow tcpd_t fsdaemon_t:dir { getattr search };
allow tcpd_t fsdaemon_t:file { read open };
allow tcpd_t inetd_t:dir { getattr search };
allow tcpd_t inetd_t:file { read open };
allow tcpd_t init_t:dir { getattr search };
allow tcpd_t init_t:file { read open };
allow tcpd_t initrc_t:dir { getattr search };
allow tcpd_t initrc_t:file { read open };
allow tcpd_t iscsid_t:dir { getattr search };
allow tcpd_t iscsid_t:file { read open };
allow tcpd_t kernel_t:dir { getattr search };
allow tcpd_t kernel_t:file { read open };
allow tcpd_t keyboardd_t:dir { getattr search };
allow tcpd_t keyboardd_t:file { read open };
allow tcpd_t ksmtuned_t:dir { getattr search };
allow tcpd_t ksmtuned_t:file { read open };
allow tcpd_t mcelog_t:dir { getattr search };
allow tcpd_t mcelog_t:file { read open };
allow tcpd_t modemmanager_t:dir { getattr search };
allow tcpd_t modemmanager_t:file { read open };
allow tcpd_t passwd_file_t:file { read getattr open };
allow tcpd_t policykit_t:dir { getattr search };
allow tcpd_t policykit_t:file { read open };
allow tcpd_t proc_t:dir read;
allow tcpd_t proc_t:file { read getattr open };
allow tcpd_t rpcbind_t:dir { getattr search };
allow tcpd_t rpcbind_t:file { read open };
allow tcpd_t rpcd_t:dir { getattr search };
allow tcpd_t rpcd_t:file { read open };
allow tcpd_t rpm_t:dir { getattr search };
allow tcpd_t rpm_t:file { read open };
allow tcpd_t rtkit_daemon_t:dir { getattr search };
allow tcpd_t rtkit_daemon_t:file { read open };
allow tcpd_t self:capability { sys_ptrace dac_override };
allow tcpd_t self:netlink_route_socket { bind create setopt nlmsg_read getattr };
allow tcpd_t self:shm { write unix_read unix_write read destroy create };
allow tcpd_t self:udp_socket { create connect getattr };
allow tcpd_t sendmail_t:dir { getattr search };
allow tcpd_t sendmail_t:file { read open };
allow tcpd_t setroubleshootd_t:dir { getattr search };
allow tcpd_t setroubleshootd_t:file { read open };
allow tcpd_t shell_exec_t:file { read execute open };
allow tcpd_t sshd_t:dir { getattr search };
allow tcpd_t sshd_t:file { read open };
allow tcpd_t sysctl_kernel_t:dir search;
allow tcpd_t sysctl_kernel_t:file { read open };
allow tcpd_t syslogd_t:dir { getattr search };
allow tcpd_t syslogd_t:file { read open };
allow tcpd_t system_dbusd_t:dir { getattr search };
allow tcpd_t system_dbusd_t:file { read open };
allow tcpd_t systemd_logind_t:dir { getattr search };
allow tcpd_t systemd_logind_t:file { read open };
allow tcpd_t tmpfs_t:file { read write };
allow tcpd_t tty_device_t:chr_file getattr;
allow tcpd_t udev_t:dir { getattr search };
allow tcpd_t udev_t:file { read open };
allow tcpd_t unconfined_dbusd_t:dir { getattr search };
allow tcpd_t unconfined_dbusd_t:file { read open };
allow tcpd_t unconfined_t:dir { getattr search };
allow tcpd_t unconfined_t:file { read open };
allow tcpd_t unconfined_t:lnk_file read;
allow tcpd_t user_devpts_t:chr_file getattr;
allow tcpd_t var_log_t:dir { write add_name };
allow tcpd_t var_log_t:file { write create open };
allow tcpd_t virtd_t:dir { getattr search };
allow tcpd_t virtd_t:file { read open };
allow tcpd_t xdm_dbusd_t:dir { getattr search };
allow tcpd_t xdm_dbusd_t:file { read open };
allow tcpd_t xdm_t:dir { getattr search };
allow tcpd_t xdm_t:file { read open };
allow tcpd_t xdm_tmp_t:dir search;
allow tcpd_t xdm_var_run_t:dir search;
allow tcpd_t xdm_var_run_t:file { read getattr open };
allow tcpd_t xserver_port_t:tcp_socket name_connect;
allow tcpd_t xserver_t:dir { getattr search };
allow tcpd_t xserver_t:file { read open };
allow tcpd_t xserver_t:unix_stream_socket connectto;
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t config_home_t:file write;
allow xdm_dbusd_t self:process setsched;
allow xdm_dbusd_t telepathy_mission_control_exec_t:file { read open execute_no_trans };
allow xdm_dbusd_t xdm_var_lib_t:dir { write remove_name create add_name };
allow xdm_dbusd_t xdm_var_lib_t:file { rename write getattr read create unlink open };
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/bash.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that bash should be allowed execute access on the bash file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:shell_exec_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        x11vnc_sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages           bash-4.2.42-1.fc18.i686
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-01-29 04:34:05 CET
Last Seen                     2013-01-29 04:34:05 CET
Local ID                      0215ecf1-f067-4475-a2ff-3810697a0c55

Raw Audit Messages
type=AVC msg=audit(1359430445.962:387): avc: denied { execute } for pid=1740 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1359430445.962:387): arch=i386 syscall=execve success=yes exit=0 a0=bfcc93fc a1=bfccb4b4 a2=bfccb4bc a3=bfcc90c0 items=0 ppid=780 pid=1740 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc_sh,tcpd_t,shell_exec_t,file,execute

audit2allow
#============= tcpd_t ==============
allow tcpd_t shell_exec_t:file execute;

audit2allow -R
#============= tcpd_t ==============
allow tcpd_t shell_exec_t:file execute;
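Question 1 above asks whether anything in the generated module opens up a large risk. What follows is an added example written by the editor; it is not code from the thread, from x11vnc or from Fedora's SELinux tooling. It parses the allow rules of a .te file, flags the grants on a watchlist, and lists the targets a domain only ever reads. The watchlist (which permissions count as broad for a network-facing wrapper domain like tcpd_t) and the read-only heuristic are the editor's assumptions; SAMPLE_TE is an excerpt of the module posted above.

```python
"""Review a generated SELinux .te module for grants worth questioning.

Added example (editor's code, not from the thread or from Fedora's tools).
It parses the `allow` rules that audit2allow -M writes into a .te file and
lists the grants a reviewer would want justified before copying the module
to other machines. The WATCHLIST is an assumption: the editor's own list of
permissions that are broad for a network-facing wrapper domain like tcpd_t.
"""
import re

# (tclass, permission) -> why it deserves a second look (editor's assumption).
WATCHLIST = {
    ("capability", "dac_override"): "bypasses DAC permission checks on every file",
    ("capability", "sys_ptrace"): "may inspect or trace other processes",
    ("file", "execute_no_trans"): "runs the target inside the source domain, no transition",
    ("file", "execute"): "executes the target type from the source domain",
    ("unix_stream_socket", "connectto"): "connects to the target domain's Unix socket",
    ("tcp_socket", "name_connect"): "initiates TCP connections to the target port type",
}
# Write-like permissions on files and directories.
WRITE_PERMS = {"write", "create", "unlink", "rename", "add_name", "remove_name"}
# Read-only permissions; a target that only ever gets these is being looked
# at, not changed.
READ_PERMS = {"getattr", "search", "read", "open", "ioctl", "lock"}

# Matches `allow src tgt:class perm;` and `allow src tgt:class { p1 p2 };`,
# also when a mail client has run two rules together on one line.
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;")


def parse_allow_rules(te_text):
    """Yield (source, target, tclass, frozenset(perms)) for each allow rule."""
    for m in RULE_RE.finditer(te_text):
        src, tgt, tclass, braced, single = m.groups()
        yield src, tgt, tclass, frozenset((braced or single).split())


def review(te_text):
    """Return [(source, target, tclass, perm, reason)] for grants on the
    watchlist or that write to a file/dir type."""
    findings = []
    for src, tgt, tclass, perms in parse_allow_rules(te_text):
        for perm in sorted(perms):
            reason = WATCHLIST.get((tclass, perm))
            if reason is None and tclass in ("file", "dir") and perm in WRITE_PERMS:
                reason = "write access to %s" % tgt
            if reason:
                findings.append((src, tgt, tclass, perm, reason))
    return findings


def read_only_targets(te_text):
    """Per source domain, the targets it only reads. A long list of *_t process
    domains here is the signature of one program walking /proc, not of many
    separate needs, and is better served by one policy interface than by
    dozens of allow rules."""
    by_src = {}
    for src, tgt, _tclass, perms in parse_allow_rules(te_text):
        by_src.setdefault(src, {}).setdefault(tgt, set()).update(perms)
    return {src: sorted(t for t, p in tgts.items() if p <= READ_PERMS)
            for src, tgts in by_src.items()}


# Excerpt of the mypol.te posted above (rules only; the require block is not
# needed for this check).
SAMPLE_TE = """
allow tcpd_t mcelog_t:dir { getattr search };
allow tcpd_t mcelog_t:file { read open }; allow tcpd_t modemmanager_t:dir { getattr search };
allow tcpd_t modemmanager_t:file { read open };
allow tcpd_t self:capability { sys_ptrace dac_override };
allow tcpd_t shell_exec_t:file { read execute open };
allow tcpd_t bin_t:file { ioctl execute read open getattr execute_no_trans };
allow tcpd_t var_log_t:dir { write add_name };
allow tcpd_t var_log_t:file { write create open };
allow tcpd_t xserver_t:unix_stream_socket connectto;
allow tcpd_t xserver_port_t:tcp_socket name_connect;
allow xdm_dbusd_t xdm_var_lib_t:file { rename write getattr read create unlink open };
"""

if __name__ == "__main__":
    for src, tgt, tclass, perm, reason in review(SAMPLE_TE):
        print("%-12s %-16s %-20s %-16s %s" % (src, tgt, tclass, perm, reason))
    for src, targets in read_only_targets(SAMPLE_TE).items():
        print("%s only reads: %s" % (src, ", ".join(targets) or "(nothing)"))
```

Run it against the full mypol.te (review(open("mypol.te").read())). The capability, execute and var_log_t rows are the ones to justify before a .pp built from this module is copied to other machines; the long read-only list for tcpd_t is the /proc walk that the later replies in this thread explain.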
Andrew Jones wrote:
Andrew,
First of all, how did you install x11vnc? Did you use yum, or is this from a tarball? You should ALWAYS prefer yum install, since this will get all dependencies, and install policy as part of the package.
Secondly, you should be looking at what it wants to do. For example, the fact that mcelog is in there worries me, a *lot*, since mcelog records ->hardware errors<-, meaning that you could be having hardware issues.
Third, read the man page for audit2allow. It tells you how to convert from text policy to compiled and install it. It's not complicated.
Fourth, the "dropped" indicates that there are so many errors the queue can't keep up. From an old closed bug, one note for this problem is:
-b 8192 in auditd.conf
priority_boost = 4 in auditd.conf
priority_boost = 8 in audispd.conf
q_depth = 2048 in audispd.conf
mark
On Tue, 2013-01-29 at 10:07 -0500, m.roth@5-cent.us wrote:
Andrew,
First of all, how did you install x11vnc? Did you use yum, or is this from a tarball. You should ALWAYS prefer yum install, since this will get all dependencies, and install policy as part of the package.
Installed from yum. Having read the x11vnc man page I got the impression it's a bit of a swiss army knife and I had *assumed* that as it was so hard to predict how it would be used it would not make sense to enforce any particular policy. Is there a way of extracting and examining the policies in an rpm?
Secondly, you should be looking at what it wants to do. For example, the fact that mcelog is in there worries me, a *lot*, since mcelog records ->hardware errors<-, meaning that you could be having hardware issues.
It is necessary for x11vnc to discover the name of an X11 authorization file and the trick to do so is to do a `ps wwwaux | grep '/X.*-auth'` , followed by a bit more grep and sed trickery to isolate the name of the file that appears on the command line that launched xorg.
The command above has this for output...
root 26003 0.4 1.1 24184 12120 tty9 Ss+ 12:34 2:46 /usr/bin/Xorg :0 -br -verbose -logverbose 7 -auth /var/run/gdm/auth-for-gdm-xpIgEt/database -nolisten tcp
... and the sed and grep trickery isolates the string '/var/run/gdm/auth-for-gdm-xpIgEt/database' which is a required parameter for x11vnc
It did seem that many, many of the AVCs were caused by ps trying to get attributes of or open directories in /proc.
Why have I told you all this?
grep type=AVC audit.log.1 | grep mcelog | grep -v comm="ps" has no output
grep type=AVC audit.log.1 | grep mcelog has 21 lines of output
So all the AVCs which mention mcelog include comm="ps". Here is a typical sequence:
type=AVC msg=audit(1359035800.677:1209): avc: denied { getattr } for pid=2248 comm="ps" path="/proc/539" dev="proc" ino=14875 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
type=AVC msg=audit(1359035800.677:1210): avc: denied { search } for pid=2248 comm="ps" name="539" dev="proc" ino=14875 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
type=AVC msg=audit(1359035800.677:1210): avc: denied { read } for pid=2248 comm="ps" name="stat" dev="proc" ino=14058 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=file
type=AVC msg=audit(1359035800.677:1210): avc: denied { open } for pid=2248 comm="ps" path="/proc/539/stat" dev="proc" ino=14058 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=file
There were just 3 /proc directories that prompted this sequence of AVCs containing mcelog and these were 539 (shown above), 517 and 509, but having rebooted since, I don't now know what processes they correspond to and I suspect many other AVCs may have been omitted due to queue overflow. audit.log currently contains 900 lines of AVCs related to ps accessing the /proc directory.
I tried to replicate the generation of AVCs by running ps from a command prompt but nothing happened. Could ps be running from the wrong context? Can you tell I hadn't a clue what I was talking about when I asked that question??
Third, read the man page for audit2allow. It tells you how to convert from text policy to compiled and install it. It's not complicated.
Thanks for that.
Fourth, the "dropped" indicates that there are so many errors the queue can't keep up. From an old closed bug, one note for this problem is: -b 8192 in auditd.conf priority_boost = 4 in auditd.conf priority_boost = 8 in audispd.conf q_depth = 2048 in audispd.conf
Thanks also for that.
mark
Andy
On Wed, 2013-01-30 at 01:14 +0100, Andrew Jones wrote:
Having checked the timestamps in the system log I see that each set of AVCs occurred just once between re-boots (I rebooted after every launch of vnc / generation of new policies) so they could all be referring to the same process.
I also noted that on my Fedora 18 machines mcelog is running as a daemon:
$ ps -A www | grep mcelog
528 ? Ss 0:00 /usr/sbin/mcelog --ignorenodev --daemon --foreground
mcelog is not running as a daemon on my Fedora 16 machine ... So I could be easily persuaded that the AVCs which mention mcelog refer to the attempts of ps to access the mcelog process.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On 01/30/2013 02:13 AM, Andrew Jones wrote:
Let's try this.
chcon -t xserver_exec_t /usr/bin/x11vnc
And create myvnc.te that looks like the following:
cat myvnc.te
#==========================================================================
policy_module(myvnc, 1.0)

gen_require(`
	type xserver_exec_t, xserver_t;
')

tcpd_wrapped_domain(xserver_t, xserver_exec_t)
#=======================================================================

make -f /usr/share/selinux/devel/Makefile myvnc.pp
semodule -i myvnc.pp
Then try it again.
The reason you are getting all the AVCs about random domains is that x11vnc is doing the equivalent of the ps command: it is walking through /proc and looking at every process. The SELinux interface to handle this would have been:
domain_read_all_domains_state(tcpd_t)
But what we really want is tcpd_t to transition to xserver_t when running x11vnc.
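Andrew's grep pair earlier in the thread (every AVC mentioning mcelog carries comm="ps") and Dan's explanation that x11vnc walks /proc describe the same triage step. The following is an added example written by the editor, not code from the thread, from audit2allow or from setroubleshoot: a parser for the raw type=AVC records quoted in this thread that groups them as audit2allow would and splits off the denials whose target is another process's /proc entry. The discriminator is the target role: /proc/<pid> entries carry the process's own context, so their tcontext role is system_r (or another process role) rather than object_r. The first five sample records are copied from this thread; the SYSCALL line is a trimmed copy of the one quoted above and the final connectto record is constructed.

```python
"""Group raw AVC denials and separate a /proc walk from real needs.

Added example (editor's code, not from the thread). It parses type=AVC
records in the format quoted in this thread, groups them the way audit2allow
does, and sets aside the denials that come from reading other processes'
/proc entries, which is the ps-style walk described above. Everything that
remains is what x11vnc itself needs and must be read rule by rule.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    rec["serial"] = int(m.group("serial"))
    # A context is user:role:type[:range]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["trole"], rec["ttype"] = rec["tcontext"].split(":")[1:3]
    return rec


def is_proc_walk(rec):
    """Entries under /proc/<pid> are labelled with that process's own context,
    so their target role is a process role (system_r, unconfined_r, ...)
    rather than object_r. A dir/file denial against such a target is the
    /proc walk, not a file x11vnc needs."""
    return rec["tclass"] in ("dir", "file", "lnk_file") and rec["trole"] != "object_r"


def group_denials(lines):
    """Return (needed, proc_walk): dicts of (stype, ttype, tclass) -> perms."""
    needed, walk = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        bucket = walk if is_proc_walk(rec) else needed
        bucket[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(needed), dict(walk)


def as_allow_rules(groups):
    """Render a grouped dict as .te allow rules, one per line, sorted."""
    rules = []
    for (src, tgt, tclass), perms in sorted(groups.items()):
        joined = " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (
            src, tgt, tclass, joined if len(perms) == 1 else "{ %s }" % joined))
    return rules


def walked_domains(walk):
    """Per source domain, the process domains it touched only through /proc."""
    seen = defaultdict(set)
    for src, tgt, _tclass in walk:
        seen[src].add(tgt)
    return {src: sorted(tgts) for src, tgts in seen.items()}


# Sample input: the first five records are copied from this thread; the
# SYSCALL line is trimmed from the one quoted above and the last AVC is
# constructed to show a non-/proc denial against a process-labelled socket.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1359035800.677:1209): avc: denied { getattr } for pid=2248 comm="ps" path="/proc/539" dev="proc" ino=14875 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
type=AVC msg=audit(1359035800.677:1210): avc: denied { search } for pid=2248 comm="ps" name="539" dev="proc" ino=14875 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
type=AVC msg=audit(1359035800.677:1210): avc: denied { read } for pid=2248 comm="ps" name="stat" dev="proc" ino=14058 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=file
type=AVC msg=audit(1359035800.677:1210): avc: denied { open } for pid=2248 comm="ps" path="/proc/539/stat" dev="proc" ino=14058 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=file
type=AVC msg=audit(1359430445.962:387): avc: denied { execute } for pid=1740 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1359430445.962:387): arch=i386 syscall=execve success=yes exit=0 comm=x11vnc_sh exe=/usr/bin/bash
type=AVC msg=audit(1359430450.000:400): avc: denied { connectto } for pid=1750 comm="x11vnc" path="/tmp/.X11-unix/X0" scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

if __name__ == "__main__":
    needed, walk = group_denials(SAMPLE_AUDIT.splitlines())
    print("# grants x11vnc itself asked for:")
    for rule in as_allow_rules(needed):
        print(rule)
    for src, domains in walked_domains(walk).items():
        print("# %s read /proc entries of: %s" % (src, ", ".join(domains)))
        print("# one interface covers that: domain_read_all_domains_state(%s)" % src)
```

Feed it the real log (group_denials(open("/var/log/audit/audit.log").read().splitlines())) and read the needed rules one by one, as Mark suggested; for the walk set, the domain_read_all_domains_state() interface Dan names, or the tcpd_wrapped_domain transition to xserver_t, replaces dozens of per-domain rules. That interface is itself broad (it reads the state of every domain), so it tidies the policy rather than shrinking what the process can see; the transition is the tighter fix.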
On Wed, 2013-01-30 at 08:33 -0500, Daniel J Walsh wrote:
Thank you for that - the difference was phenomenal!
At first it didn't seem to do anything because it was a bash script, not x11vnc, that was running ps. However, I read the x11vnc manual again and finally realized how to make it run ps for me.
Once I had made the change the AVCs reduced from several hundred to a large handful.
(Removing your myvnc.pol policy returned it to producing hundreds of AVCs again)
So I ran sealert and audit2allow again and produced two more policies.
Would it be possible to optimize them further knowing what they are trying to do, or at least combine the policy for x11vnc into the existing myvncpol? (I still haven't worked out the syntax of these things so I can't do it myself yet)
The policies created were as follows:
# grep "x11vnc" /var/log/audit/audit.log | audit2allow -M myx11vncpol

Gave:

module myx11vncpol 1.0;

require {
	type tcpd_t;
	type var_log_t;
	type passwd_file_t;
	type shell_exec_t;
	type admin_home_t;
	type tmpfs_t;
	type xserver_exec_t;
	class dir search;
	class shm { write unix_read unix_write read destroy create };
	class file { write getattr read open execute execute_no_trans };
}

#============= tcpd_t ==============
allow tcpd_t admin_home_t:dir search;
allow tcpd_t admin_home_t:file { read getattr open };
allow tcpd_t passwd_file_t:file { read getattr open };
allow tcpd_t self:shm { write unix_read unix_write read destroy create };
allow tcpd_t shell_exec_t:file { execute execute_no_trans };
allow tcpd_t tmpfs_t:file { read write };
#!!!! The source type 'tcpd_t' can write to a 'file' of the following type:
# tcpd_tmp_t

allow tcpd_t var_log_t:file { write open };
#!!!! This avc is allowed in the current policy
allow tcpd_t xserver_exec_t:file execute;
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
(x11vnc_sh is the bash file that calls x11vnc)
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M myx11vnc_shpol

Gave:

module myx11vnc_shpol 1.0;

require {
	type tcpd_t;
	type bin_t;
	type passwd_file_t;
	type proc_t;
	type xdm_var_run_t;
	type xserver_exec_t;
	class dir search;
	class file { execute read open getattr execute_no_trans };
}

#============= tcpd_t ==============
allow tcpd_t bin_t:file { execute execute_no_trans };
allow tcpd_t passwd_file_t:file { read getattr open };
allow tcpd_t proc_t:file { read getattr open };
allow tcpd_t xdm_var_run_t:dir search;
allow tcpd_t xdm_var_run_t:file read;
allow tcpd_t xserver_exec_t:file execute_no_trans;
#!!!! This avc is allowed in the current policy
allow tcpd_t xserver_exec_t:file { read execute open };
In case it helps I will include the sealert messages below. If it doesn't help there is no need to continue reading.
x11vnc

SELinux is preventing /usr/bin/x11vnc from getattr access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that x11vnc should be allowed getattr access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        x11vnc
Source Path                   /usr/bin/x11vnc
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages           setup-2.8.57-1.fc18.noarch
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   9
First Seen                    2013-01-30 18:37:03 CET
Last Seen                     2013-01-31 00:12:40 CET
Local ID                      9b00da1e-2a33-4110-a6da-b4330452daf5

Raw Audit Messages
type=AVC msg=audit(1359587560.172:432): avc: denied { getattr } for pid=2320 comm="x11vnc_sh" path="/etc/passwd" dev="sda5" ino=1314967 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1359587560.172:432): arch=i386 syscall=fstat64 success=yes exit=0 a0=3 a1=bfe91060 a2=42896000 a3=82aa728 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc,tcpd_t,passwd_file_t,file,getattr

audit2allow

#============= tcpd_t ==============
allow tcpd_t passwd_file_t:file getattr;

audit2allow -R

#============= tcpd_t ==============
allow tcpd_t passwd_file_t:file getattr;
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SELinux is preventing /usr/bin/x11vnc from read access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that x11vnc should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        x11vnc
Source Path                   /usr/bin/x11vnc
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages           setup-2.8.57-1.fc18.noarch
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   9
First Seen                    2013-01-30 18:37:03 CET
Last Seen                     2013-01-31 00:12:40 CET
Local ID                      48950c77-d55b-4222-9021-f93116a68a66

Raw Audit Messages
type=AVC msg=audit(1359587560.170:431): avc: denied { read } for pid=2320 comm="x11vnc_sh" name="passwd" dev="sda5" ino=1314967 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=AVC msg=audit(1359587560.170:431): avc: denied { open } for pid=2320 comm="x11vnc_sh" path="/etc/passwd" dev="sda5" ino=1314967 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1359587560.170:431): arch=i386 syscall=open success=yes exit=ESRCH a0=b7554ef5 a1=80000 a2=1b6 a3=82aa728 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc,tcpd_t,passwd_file_t,file,read

audit2allow

#============= tcpd_t ==============
allow tcpd_t passwd_file_t:file { read open };

audit2allow -R

#============= tcpd_t ==============
allow tcpd_t passwd_file_t:file { read open };
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

x11vnc_sh

SELinux is preventing /usr/bin/bash from read access on the file meminfo.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed read access on the meminfo file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:proc_t:s0
Target Objects                meminfo [ file ]
Source                        x11vnc_sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   3
First Seen                    2013-01-30 18:50:12 CET
Last Seen                     2013-01-31 00:12:40 CET
Local ID                      fc347cac-8bf1-47a6-a192-f46949682732

Raw Audit Messages
type=AVC msg=audit(1359587560.136:429): avc: denied { read } for pid=2320 comm="x11vnc_sh" name="meminfo" dev="proc" ino=4026532026 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

type=AVC msg=audit(1359587560.136:429): avc: denied { open } for pid=2320 comm="x11vnc_sh" path="/proc/meminfo" dev="proc" ino=4026532026 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

type=SYSCALL msg=audit(1359587560.136:429): arch=i386 syscall=open success=yes exit=ESRCH a0=4285661e a1=80000 a2=1b6 a3=82a8a68 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc_sh,tcpd_t,proc_t,file,read

audit2allow

#============= tcpd_t ==============
allow tcpd_t proc_t:file { read open };

audit2allow -R

#============= tcpd_t ==============
allow tcpd_t proc_t:file { read open };
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SELinux is preventing /usr/bin/bash from execute access on the file /usr/local/bin/x11vnc_sh.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed execute access on the x11vnc_sh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:bin_t:s0
Target Objects                /usr/local/bin/x11vnc_sh [ file ]
Source                        x11vnc_sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   3
First Seen                    2013-01-30 18:50:12 CET
Last Seen                     2013-01-31 00:12:40 CET
Local ID                      f7cdf02d-2812-43cf-8a63-b3b389fd825a

Raw Audit Messages
type=AVC msg=audit(1359587560.130:428): avc: denied { execute } for pid=2320 comm="tcpd" name="x11vnc_sh" dev="sda5" ino=2110225 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file

type=AVC msg=audit(1359587560.130:428): avc: denied { execute_no_trans } for pid=2320 comm="tcpd" path="/usr/local/bin/x11vnc_sh" dev="sda5" ino=2110225 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file

type=AVC msg=audit(1359587560.130:428): avc: denied { execute } for pid=2320 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1359587560.130:428): arch=i386 syscall=execve success=yes exit=0 a0=bf9783ec a1=bf97a4a4 a2=bf97a4ac a3=bf9780b0 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc_sh,tcpd_t,bin_t,file,execute

audit2allow

#============= tcpd_t ==============
allow tcpd_t bin_t:file { execute execute_no_trans };
allow tcpd_t shell_exec_t:file execute;

audit2allow -R

#============= tcpd_t ==============
allow tcpd_t bin_t:file { execute execute_no_trans };
allow tcpd_t shell_exec_t:file execute;
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SELinux is preventing /usr/bin/bash from getattr access on the file /proc/meminfo.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the meminfo file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:proc_t:s0
Target Objects                /proc/meminfo [ file ]
Source                        x11vnc_sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   3
First Seen                    2013-01-30 18:50:12 CET
Last Seen                     2013-01-31 00:12:40 CET
Local ID                      db259bd3-49de-4e22-837d-efc6a403b604

Raw Audit Messages
type=AVC msg=audit(1359587560.143:430): avc: denied { getattr } for pid=2320 comm="x11vnc_sh" path="/proc/meminfo" dev="proc" ino=4026532026 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

type=SYSCALL msg=audit(1359587560.143:430): arch=i386 syscall=fstat64 success=yes exit=0 a0=3 a1=bfe8f0d0 a2=42896000 a3=82a8a68 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc_sh,tcpd_t,proc_t,file,getattr

audit2allow

#============= tcpd_t ==============
allow tcpd_t proc_t:file getattr;

audit2allow -R

#============= tcpd_t ==============
allow tcpd_t proc_t:file getattr;
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/bash.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed execute access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:shell_exec_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        x11vnc_sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages           bash-4.2.42-1.fc18.i686
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-01-31 00:11:10 CET
Last Seen                     2013-01-31 00:11:10 CET
Local ID                      a1ab3c5f-f530-4432-b696-25745895a33e

Raw Audit Messages
type=AVC msg=audit(1359587470.242:384): avc: denied { execute } for pid=1739 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1359587470.242:384): arch=i386 syscall=execve success=yes exit=0 a0=bf9b3bfc a1=bf9b5cb4 a2=bf9b5cbc a3=bf9b38c0 items=0 ppid=724 pid=1739 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc_sh,tcpd_t,shell_exec_t,file,execute

audit2allow

#============= tcpd_t ==============
allow tcpd_t shell_exec_t:file execute;

audit2allow -R

#============= tcpd_t ==============
allow tcpd_t shell_exec_t:file execute;
On 01/30/2013 08:11 PM, Andrew Jones wrote:
On Wed, 2013-01-30 at 08:33 -0500, Daniel J Walsh wrote:
On 01/30/2013 02:13 AM, Andrew Jones wrote:
On Wed, 2013-01-30 at 01:14 +0100, Andrew Jones wrote:
On Tue, 2013-01-29 at 10:07 -0500, m.roth@5-cent.us wrote:
Andrew Jones wrote:
(Apologies in advance for the length of this mail. I am a total noob at SELinux so my vocabulary is probably not correct. Hopefully you will be able to understand from context what I am trying to say.)
I have been setting up x11vnc on some of my machines. It looks like there are a hundred different ways of setting it up but I have chosen to follow the spirit of this entry in the Fedora Forum:
http://forums.fedoraforum.org/showpost.php?p=1448696&postcount=2
This works with SELinux permissive but fails completely when enforcing.
Even when running permissively there are so many SELinux events in the first few seconds that many are dropped as shown here:
Jan 29 03:44:10 ecafe audispd: queue is full - dropping event
After several hours of scouring the system log, running sealert and creating policies, rinsing and repeating I think I have generated the command line that will identify all the events which occur during an x11vnc session:
egrep ps|x11vnc|tcpd|mission-control /var/log/audit/audit.log | audit2allow -M mypol
By repetitively running that line, applying the generated policy then restarting the computer and launching a new vnc session eventually all the events are able to be recorded without filling the queue.
Andrew,
First of all, how did you install x11vnc? Did you use yum, or is this from a tarball. You should ALWAYS prefer yum install, since this will get all dependencies, and install policy as part of the package.
Installed from yum. Having read the x11vnc man page I got the impression it's a bit of a swiss army knife and I had *assumed* that as it was so hard to predict how it would be used it would not make sense to enforce any particular policy. Is there a way of extracting and examining the policies in an rpm?
Secondly, you should be looking at what it wants to do. For example, the fact that mcelog is in there worries me, a *lot*, since mcelog records ->hardware errors<-, meaning that you could be having hardware issues.
It is necessary for x11vnc to discover the name of an X11 authorization file and the trick to do so is to do a `ps wwwaux | grep '/X.*-auth'` , followed by a bit more grep and sed trickery to isolate the name of the file that appears on the command line that launched xorg.
The command above has this for output... root 26003 0.4 1.1 24184 12120 tty9 Ss+ 12:34 2:46 /usr/bin/Xorg :0 -br -verbose -logverbose 7 -auth /var/run/gdm/auth-for-gdm-xpIgEt/database -nolisten tcp
... and the sed and grep trickery isolates the string '/var/run/gdm/auth-for-gdm-xpIgEt/database' which is a required parameter for x11vnc
It did seem that many, many of the AVCs were caused by ps trying to get attributes of or open directories in /proc.
Why have I told you all this?
grep type=AVC audit.log.1 | grep mcelog | grep -v comm="ps" has no output grep type=AVC audit.log.1 | grep mcelog has 21 lines of output
So all the AVCs which mention mcelog include comm="ps" Here is a typical sequence type=AVC msg=audit(1359035800.677:1209): avc: denied { getattr } for pid=2248 comm="ps" path="/proc/539" dev="proc" ino=14875 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
type=AVC msg=audit(1359035800.677:1210): avc: denied { search } for pid=2248 comm="ps" name="539" dev="proc" ino=14875 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
type=AVC msg=audit(1359035800.677:1210): avc: denied { read } for pid=2248 comm="ps" name="stat" dev="proc" ino=14058 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=file
type=AVC msg=audit(1359035800.677:1210): avc: denied { open } for pid=2248 comm="ps" path="/proc/539/stat" dev="proc" ino=14058 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=file
There were just 3 /proc directories that prompted this sequence of AVCs containing mcelog and these were 539 (shown above), 517 and 509, but having rebooted since I don't now know what processes they correspond to and I suspect many other AVCs may have been omitted due to queue overflow. Audit.log currently contains 900 lines of AVCs related to ps accessing the /proc directory
Having checked the timestamps in the system log I see that each set of AVCs occurred just once between re-boots (I rebooted after every launch of vnc / generation of new policies) so they could all be referring to the same process.
I also noted that on my Fedora 18 machines mcelog is running as a daemon: $ ps -A www | grep mcelog 528 ? Ss 0:00 /usr/sbin/mcelog --ignorenodev --daemon --foreground
mcelog is not running as a daemon on my Fedora 16 machine ... So I could be easily persuaded that the AVCs which mention mcelog refer to the attempts of ps to access the mcelog process.
I tried to replicate the generation of AVCs by running ps from a command prompt but nothing happened. Could ps be running from the wrong context? Can you tell I hadn't a clue what I was talking about when I asked that question??
Third, read the man page for audit2allow. It tells you how to convert from text policy to compiled and install it. It's not complicated.
Thanks for that.
Fourth, the "dropped" indicates that there are so many errors the queue can't keep up. From an old closed bug, one note for this problem is: -b 8192 in auditd.conf priority_boost = 4 in auditd.conf priority_boost = 8 in audispd.conf q_depth = 2048 in audispd.conf
Thanks also for that.
mark
Andy
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Lets try this.
chcon -t xserver_exec_t /usr/bin/x11vnc
And create myvnc.te that looks like the following:
cat myvnc.te #==========================================================================
policy_module(myvnc,1.0)
gen_require(` type xserver_exec_t, xserver_t; ')
tcpd_wrapped_domain(xserver_t, xserver_exec_t) #=======================================================================
make -f /usr/share/selinux/devel/Makefile myvnc.pp semodule -i myvpnc.pp
Then try it again.
The reason you are getting all the AVC's about random domains is the x11vnc is doing the equivalent of the ps command, it it is walking through /proc and looking at every process. The SELinux interface to handle this would have been:
domain_read_all_domains_state(tcpd_t)
But what we really want is tcpd_t to transition to xserver_t when running x11vnc.
Thank you for that - the difference was phenomenal!
At first it didn't seem to do anything because it was a bash script, not x11vnc, that was running ps. However, I read the x11vnc manual again and finally realized how to make it run ps for me.
Once I had made the change the AVCs reduced from several hundred to a large handful.
(Removing your myvnc.pol policy returned it to producing hundreds of AVCs again)
So I ran sealert and audit2allow again and produced two more policies.
Would it be possible to optimize them further knowing what they are trying to do, or at least combine the policy for x11vnc into the existing myvncpol? (I still haven't worked out the syntax of these things so I can't do it myself yet)
The policies created were as follows:
# grep "x11vnc" /var/log/audit/audit.log | audit2allow -M myx11vncpol Gave:
module myx11vncpol 1.0;
require { type tcpd_t; type var_log_t; type passwd_file_t; type shell_exec_t; type admin_home_t; type tmpfs_t; type xserver_exec_t; class dir search; class shm { write unix_read unix_write read destroy create }; class file { write getattr read open execute execute_no_trans }; }
#============= tcpd_t ============== allow tcpd_t admin_home_t:dir search; allow tcpd_t admin_home_t:file { read getattr open }; allow tcpd_t passwd_file_t:file { read getattr open }; allow tcpd_t self:shm { write unix_read unix_write read destroy create }; allow tcpd_t shell_exec_t:file { execute execute_no_trans }; allow tcpd_t tmpfs_t:file { read write }; #!!!! The source type 'tcpd_t' can write to a 'file' of the following type: # tcpd_tmp_t
allow tcpd_t var_log_t:file { write open }; #!!!! This avc is allowed in the current policy
allow tcpd_t xserver_exec_t:file execute;
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
(x11vnc_sh is the bash file that calls x11vnc)
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M myx11vnc_shpol

Gave:

module myx11vnc_shpol 1.0;

require {
        type tcpd_t;
        type bin_t;
        type passwd_file_t;
        type proc_t;
        type xdm_var_run_t;
        type xserver_exec_t;
        class dir search;
        class file { execute read open getattr execute_no_trans };
}

#============= tcpd_t ==============
allow tcpd_t bin_t:file { execute execute_no_trans };
allow tcpd_t passwd_file_t:file { read getattr open };
allow tcpd_t proc_t:file { read getattr open };
allow tcpd_t xdm_var_run_t:dir search;
allow tcpd_t xdm_var_run_t:file read;
allow tcpd_t xserver_exec_t:file execute_no_trans;
#!!!! This avc is allowed in the current policy
allow tcpd_t xserver_exec_t:file { read execute open };
In case it helps I will include the sealert messages below. If it doesn't help there is no need to continue reading.
x11vnc

SELinux is preventing /usr/bin/x11vnc from getattr access on the file /etc/passwd.

***** Plugin catchall (100. confidence) suggests

If you believe that x11vnc should be allowed getattr access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        x11vnc
Source Path                   /usr/bin/x11vnc
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages           setup-2.8.57-1.fc18.noarch
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   9
First Seen                    2013-01-30 18:37:03 CET
Last Seen                     2013-01-31 00:12:40 CET
Local ID                      9b00da1e-2a33-4110-a6da-b4330452daf5

Raw Audit Messages
type=AVC msg=audit(1359587560.172:432): avc: denied { getattr } for pid=2320 comm="x11vnc_sh" path="/etc/passwd" dev="sda5" ino=1314967 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1359587560.172:432): arch=i386 syscall=fstat64 success=yes exit=0 a0=3 a1=bfe91060 a2=42896000 a3=82aa728 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc,tcpd_t,passwd_file_t,file,getattr

audit2allow

#============= tcpd_t ==============
allow tcpd_t passwd_file_t:file getattr;

audit2allow -R

#============= tcpd_t ==============
allow tcpd_t passwd_file_t:file getattr;
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SELinux is preventing /usr/bin/x11vnc from read access on the file /etc/passwd.

***** Plugin catchall (100. confidence) suggests

If you believe that x11vnc should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        x11vnc
Source Path                   /usr/bin/x11vnc
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages           setup-2.8.57-1.fc18.noarch
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   9
First Seen                    2013-01-30 18:37:03 CET
Last Seen                     2013-01-31 00:12:40 CET
Local ID                      48950c77-d55b-4222-9021-f93116a68a66

Raw Audit Messages
type=AVC msg=audit(1359587560.170:431): avc: denied { read } for pid=2320 comm="x11vnc_sh" name="passwd" dev="sda5" ino=1314967 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=AVC msg=audit(1359587560.170:431): avc: denied { open } for pid=2320 comm="x11vnc_sh" path="/etc/passwd" dev="sda5" ino=1314967 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1359587560.170:431): arch=i386 syscall=open success=yes exit=ESRCH a0=b7554ef5 a1=80000 a2=1b6 a3=82aa728 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc,tcpd_t,passwd_file_t,file,read

audit2allow

#============= tcpd_t ==============
allow tcpd_t passwd_file_t:file { read open };

audit2allow -R

#============= tcpd_t ==============
allow tcpd_t passwd_file_t:file { read open };
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

x11vnc_sh

SELinux is preventing /usr/bin/bash from read access on the file meminfo.

***** Plugin catchall (100. confidence) suggests

If you believe that bash should be allowed read access on the meminfo file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:proc_t:s0
Target Objects                meminfo [ file ]
Source                        x11vnc_sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   3
First Seen                    2013-01-30 18:50:12 CET
Last Seen                     2013-01-31 00:12:40 CET
Local ID                      fc347cac-8bf1-47a6-a192-f46949682732

Raw Audit Messages
type=AVC msg=audit(1359587560.136:429): avc: denied { read } for pid=2320 comm="x11vnc_sh" name="meminfo" dev="proc" ino=4026532026 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

type=AVC msg=audit(1359587560.136:429): avc: denied { open } for pid=2320 comm="x11vnc_sh" path="/proc/meminfo" dev="proc" ino=4026532026 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

type=SYSCALL msg=audit(1359587560.136:429): arch=i386 syscall=open success=yes exit=ESRCH a0=4285661e a1=80000 a2=1b6 a3=82a8a68 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc_sh,tcpd_t,proc_t,file,read

audit2allow

#============= tcpd_t ==============
allow tcpd_t proc_t:file { read open };

audit2allow -R

#============= tcpd_t ==============
allow tcpd_t proc_t:file { read open };
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SELinux is preventing /usr/bin/bash from execute access on the file /usr/local/bin/x11vnc_sh.

***** Plugin catchall (100. confidence) suggests

If you believe that bash should be allowed execute access on the x11vnc_sh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:bin_t:s0
Target Objects                /usr/local/bin/x11vnc_sh [ file ]
Source                        x11vnc_sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   3
First Seen                    2013-01-30 18:50:12 CET
Last Seen                     2013-01-31 00:12:40 CET
Local ID                      f7cdf02d-2812-43cf-8a63-b3b389fd825a

Raw Audit Messages
type=AVC msg=audit(1359587560.130:428): avc: denied { execute } for pid=2320 comm="tcpd" name="x11vnc_sh" dev="sda5" ino=2110225 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file

type=AVC msg=audit(1359587560.130:428): avc: denied { execute_no_trans } for pid=2320 comm="tcpd" path="/usr/local/bin/x11vnc_sh" dev="sda5" ino=2110225 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file

type=AVC msg=audit(1359587560.130:428): avc: denied { execute } for pid=2320 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1359587560.130:428): arch=i386 syscall=execve success=yes exit=0 a0=bf9783ec a1=bf97a4a4 a2=bf97a4ac a3=bf9780b0 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc_sh,tcpd_t,bin_t,file,execute

audit2allow

#============= tcpd_t ==============
allow tcpd_t bin_t:file { execute execute_no_trans };
allow tcpd_t shell_exec_t:file execute;

audit2allow -R

#============= tcpd_t ==============
allow tcpd_t bin_t:file { execute execute_no_trans };
allow tcpd_t shell_exec_t:file execute;
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SELinux is preventing /usr/bin/bash from getattr access on the file /proc/meminfo.

***** Plugin catchall (100. confidence) suggests

If you believe that bash should be allowed getattr access on the meminfo file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:proc_t:s0
Target Objects                /proc/meminfo [ file ]
Source                        x11vnc_sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   3
First Seen                    2013-01-30 18:50:12 CET
Last Seen                     2013-01-31 00:12:40 CET
Local ID                      db259bd3-49de-4e22-837d-efc6a403b604

Raw Audit Messages
type=AVC msg=audit(1359587560.143:430): avc: denied { getattr } for pid=2320 comm="x11vnc_sh" path="/proc/meminfo" dev="proc" ino=4026532026 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

type=SYSCALL msg=audit(1359587560.143:430): arch=i386 syscall=fstat64 success=yes exit=0 a0=3 a1=bfe8f0d0 a2=42896000 a3=82a8a68 items=0 ppid=724 pid=2320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc_sh,tcpd_t,proc_t,file,getattr

audit2allow

#============= tcpd_t ==============
allow tcpd_t proc_t:file getattr;

audit2allow -R

#============= tcpd_t ==============
allow tcpd_t proc_t:file getattr;
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/bash.

***** Plugin catchall (100. confidence) suggests

If you believe that bash should be allowed execute access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:shell_exec_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        x11vnc_sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages           bash-4.2.42-1.fc18.i686
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-01-31 00:11:10 CET
Last Seen                     2013-01-31 00:11:10 CET
Local ID                      a1ab3c5f-f530-4432-b696-25745895a33e

Raw Audit Messages
type=AVC msg=audit(1359587470.242:384): avc: denied { execute } for pid=1739 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1359587470.242:384): arch=i386 syscall=execve success=yes exit=0 a0=bf9b3bfc a1=bf9b5cb4 a2=bf9b5cbc a3=bf9b38c0 items=0 ppid=724 pid=1739 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc_sh,tcpd_t,shell_exec_t,file,execute

audit2allow

#============= tcpd_t ==============
allow tcpd_t shell_exec_t:file execute;

audit2allow -R

#============= tcpd_t ==============
allow tcpd_t shell_exec_t:file execute;
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
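The post above asks whether anything in the generated modules opens up a large risk. One way to answer that before running semodule, added here as an example and not code from the thread, from audit2allow or from selinux-policy: reduce the raw type=AVC lines to (source type, target type, target role, class, permission) tuples and flag the ones a reviewer of a tcpd_t policy should stop on. The four sample AVC lines are copied from the sealert output above; the fifth (a var_log_t write, which the generated module does contain as a rule) is constructed, and the reasons in flag_risky are this example's own review rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from audit2allow: review what an
# audit2allow run would grant before building the module.
#   avc_tuples - raw type=AVC lines -> "stype ttype trole tclass perm", one per permission
#   flag_risky - tuples a reviewer of a tcpd_t policy should not wave through
# The reasons in flag_risky are this example's own review rules, not part of
# selinux-policy.

# Constructed sample: four AVC lines copied from the sealert output in the
# thread plus one constructed var_log_t write (the generated module contains
# such a rule; the path is made up).
SAMPLE_AVCS='type=AVC msg=audit(1359587560.130:428): avc: denied { execute_no_trans } for pid=2320 comm="tcpd" path="/usr/local/bin/x11vnc_sh" dev="sda5" ino=2110225 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1359587560.170:431): avc: denied { read } for pid=2320 comm="x11vnc_sh" name="passwd" dev="sda5" ino=1314967 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1359587470.242:384): avc: denied { execute } for pid=1739 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1359035800.677:1210): avc: denied { read } for pid=2248 comm="ps" name="stat" dev="proc" ino=14058 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=file
type=AVC msg=audit(1359587600.000:500): avc: denied { write } for pid=2320 comm="x11vnc" path="/var/log/x11vnc.log" dev="sda5" ino=1 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# stdin: audit.log lines; stdout: one "stype ttype trole tclass perm" per denied
# permission, deduplicated. Only type=AVC records with "denied" are considered.
avc_tuples() {
    awk '
    # n-th colon-separated field of the context following key= (2 = role, 3 = type)
    function ctx_field(line, key, n,    s, f) {
        s = line
        sub(".*" key, "", s)
        sub(/[ \t].*/, "", s)
        split(s, f, ":")
        return f[n]
    }
    /type=AVC/ && /avc: +denied/ {
        perms = $0
        sub(/.*denied [{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        tclass = $0
        sub(/.*tclass=/, "", tclass)
        sub(/[ \t].*/, "", tclass)
        st = ctx_field($0, "scontext=", 3)
        tt = ctx_field($0, "tcontext=", 3)
        tr = ctx_field($0, "tcontext=", 2)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print st, tt, tr, tclass, p[i]
    }' | sort -u
}

# stdin: tuples from avc_tuples; stdout: the ones that should not become plain
# allow rules in tcpd_t, each with the reason. Review rules are this example's.
flag_risky() {
    awk '
    { why = "" }
    $5 == "execute_no_trans"                 { why = "code runs inside tcpd_t with no domain transition" }
    $2 == "shell_exec_t" && $5 ~ /^execute/  { why = "tcpd_t gets a shell" }
    $2 == "var_log_t" && $5 ~ /^(write|append|unlink|rename)$/ { why = "can tamper with logs" }
    $3 == "system_r" && $4 ~ /^(dir|file|lnk_file)$/ { why = "reads another domain via /proc; use a transition or domain_read_all_domains_state(), not per-domain allows" }
    why != "" { print $0 "  # " why }'
}

# With a file argument, triage that audit log; otherwise run on the sample.
if [ $# -gt 0 ]; then
    avc_tuples < "$1" | flag_risky
else
    printf '%s\n' "$SAMPLE_AVCS" | avc_tuples | flag_risky
fi
```

Feed it the same `grep x11vnc /var/log/audit/audit.log` you would give audit2allow; anything it prints should be handled by a label change or a domain transition rather than by an allow rule in tcpd_t, and the tuples it does not print (such as tcpd_t reading passwd_file_t) are the ones worth putting in a local module.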
Well I am happy it is working for you, but we prefer the solution to get tcpd_t to transition to xserver_t, when running x11vnc.
Which hopefully will be showing up in an update release.
On Thu, 2013-01-31 at 10:04 -0500, Daniel J Walsh wrote:
On 01/30/2013 08:11 PM, Andrew Jones wrote:
On Wed, 2013-01-30 at 08:33 -0500, Daniel J Walsh wrote:
On 01/30/2013 02:13 AM, Andrew Jones wrote:
On Wed, 2013-01-30 at 01:14 +0100, Andrew Jones wrote:
On Tue, 2013-01-29 at 10:07 -0500, m.roth@5-cent.us wrote:
Andrew Jones wrote:
> (Apologies in advance for the length of this mail. I am a total
> noob at SELinux so my vocabulary is probably not correct.
> Hopefully you will be able to understand from context what I am
> trying to say.)
>
> I have been setting up x11vnc on some of my machines. It looks
> like there are a hundred different ways of setting it up but I
> have chosen to follow the spirit of this entry in the Fedora
> Forum:
>
> http://forums.fedoraforum.org/showpost.php?p=1448696&postcount=2
>
> This works with SELinux permissive but fails completely when
> enforcing.
>
> Even when running permissively there are so many SELinux events
> in the first few seconds that many are dropped as shown here:
>
> Jan 29 03:44:10 ecafe audispd: queue is full - dropping event
>
> After several hours of scouring the system log, running sealert
> and creating policies, rinsing and repeating I think I have
> generated the command line that will identify all the events
> which occur during an x11vnc session:
>
> egrep ps|x11vnc|tcpd|mission-control /var/log/audit/audit.log
> | audit2allow -M mypol
>
> By repetitively running that line, applying the generated policy
> then restarting the computer and launching a new vnc session
> eventually all the events are able to be recorded without filling
> the queue.
>
Andrew,
First of all, how did you install x11vnc? Did you use yum, or is this from a tarball. You should ALWAYS prefer yum install, since this will get all dependencies, and install policy as part of the package.
Installed from yum. Having read the x11vnc man page I got the impression it's a bit of a swiss army knife and I had *assumed* that as it was so hard to predict how it would be used it would not make sense to enforce any particular policy. Is there a way of extracting and examining the policies in an rpm?
Secondly, you should be looking at what it wants to do. For example, the fact that mcelog is in there worries me, a *lot*, since mcelog records ->hardware errors<-, meaning that you could be having hardware issues.
It is necessary for x11vnc to discover the name of an X11 authorization file and the trick to do so is to do a `ps wwwaux | grep '/X.*-auth'`, followed by a bit more grep and sed trickery to isolate the name of the file that appears on the command line that launched xorg.

The command above has this for output...

root 26003 0.4 1.1 24184 12120 tty9 Ss+ 12:34 2:46 /usr/bin/Xorg :0 -br -verbose -logverbose 7 -auth /var/run/gdm/auth-for-gdm-xpIgEt/database -nolisten tcp
... and the sed and grep trickery isolates the string '/var/run/gdm/auth-for-gdm-xpIgEt/database' which is a required parameter for x11vnc
It did seem that many, many of the AVCs were caused by ps trying to get attributes of or open directories in /proc.
Why have I told you all this?
grep type=AVC audit.log.1 | grep mcelog | grep -v comm="ps"
has no output

grep type=AVC audit.log.1 | grep mcelog
has 21 lines of output

So all the AVCs which mention mcelog include comm="ps". Here is a typical sequence:

type=AVC msg=audit(1359035800.677:1209): avc: denied { getattr } for pid=2248 comm="ps" path="/proc/539" dev="proc" ino=14875 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
type=AVC msg=audit(1359035800.677:1210): avc: denied { search } for pid=2248 comm="ps" name="539" dev="proc" ino=14875 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
type=AVC msg=audit(1359035800.677:1210): avc: denied { read } for pid=2248 comm="ps" name="stat" dev="proc" ino=14058 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=file
type=AVC msg=audit(1359035800.677:1210): avc: denied { open } for pid=2248 comm="ps" path="/proc/539/stat" dev="proc" ino=14058 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mcelog_t:s0 tclass=file
There were just 3 /proc directories that prompted this sequence of AVCs containing mcelog and these were 539 (shown above), 517 and 509, but having rebooted since I don't now know what processes they correspond to and I suspect many other AVCs may have been omitted due to queue overflow. Audit.log currently contains 900 lines of AVCs related to ps accessing the /proc directory
Having checked the timestamps in the system log I see that each set of AVCs occurred just once between re-boots (I rebooted after every launch of vnc / generation of new policies) so they could all be referring to the same process.
I also noted that on my Fedora 18 machines mcelog is running as a daemon:

$ ps -A www | grep mcelog
528 ? Ss 0:00 /usr/sbin/mcelog --ignorenodev --daemon --foreground
mcelog is not running as a daemon on my Fedora 16 machine ... So I could be easily persuaded that the AVCs which mention mcelog refer to the attempts of ps to access the mcelog process.
I tried to replicate the generation of AVCs by running ps from a command prompt but nothing happened. Could ps be running from the wrong context? Can you tell I hadn't a clue what I was talking about when I asked that question??
Third, read the man page for audit2allow. It tells you how to convert from text policy to compiled and install it. It's not complicated.
Thanks for that.
Fourth, the "dropped" indicates that there are so many errors the queue can't keep up. From an old closed bug, one note for this problem is:

-b 8192 in auditd.conf
priority_boost = 4 in auditd.conf
priority_boost = 8 in audispd.conf
q_depth = 2048 in audispd.conf
Thanks also for that.
mark
Andy
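The queue-full problem mark addresses above matters for policy work because a log with holes in it produces an incomplete module. Added here as an example (not code from the thread or from audit): a check that reads `auditctl -s`, reports lost events and the current backlog limit, and raises the kernel backlog. This example's assumptions: the `-b` backlog option is an audit rule, so it goes in /etc/audit/audit.rules where auditctl reads it (the dispatcher's q_depth and priority_boost live in /etc/audisp/audispd.conf, auditd's own priority_boost in /etc/audit/auditd.conf); the sample status line is constructed in the shape the 2.x auditctl prints.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the audit queue is really
# losing events before and after raising the limits, so that a "complete"
# policy is not generated from a log with gaps. Assumptions for this example:
# the kernel backlog (-b) is an audit rule kept in /etc/audit/audit.rules;
# auditd's priority_boost is in /etc/audit/auditd.conf; the dispatcher's
# q_depth and priority_boost are in /etc/audisp/audispd.conf.
set -u

AUDIT_RULES=/etc/audit/audit.rules
WANT_BACKLOG=8192

# Constructed sample of `auditctl -s` output in the old one-line form.
SAMPLE_STATUS='AUDIT_STATUS: enabled=1 flag=1 pid=612 rate_limit=0 backlog_limit=320 lost=412 backlog=0'

# stdin: `auditctl -s` output, either the old "key=value ..." line or the newer
# one "key value" per line; stdout: "lost backlog backlog_limit".
audit_queue_stats() {
    sed 's/^AUDIT_STATUS: *//; s/=/ /g' |
    awk '{ for (i = 1; i < NF; i += 2) v[$i] = $(i + 1) }
         END { print v["lost"] + 0, v["backlog"] + 0, v["backlog_limit"] + 0 }'
}

# stdin: `auditctl -s` output. Succeeds only if nothing has been lost and the
# backlog limit is at least WANT_BACKLOG.
queue_ok() {
    set -- $(audit_queue_stats)
    [ "$1" -eq 0 ] && [ "$3" -ge "$WANT_BACKLOG" ]
}

# Raise the kernel backlog now (auditctl -b) and persistently: replace an
# existing -b line in the rules file or append one. Needs root and auditctl;
# skipped when auditctl is not installed.
raise_backlog() {
    command -v auditctl >/dev/null 2>&1 || { echo "auditctl missing, skipping"; return 0; }
    auditctl -b "$WANT_BACKLOG" || return 1
    if grep -q '^-b ' "$AUDIT_RULES" 2>/dev/null; then
        sed -i "s/^-b .*/-b $WANT_BACKLOG/" "$AUDIT_RULES"
    else
        printf '%s\n' "-b $WANT_BACKLOG" >> "$AUDIT_RULES"
    fi
}

# Report only; call raise_backlog yourself once you have seen the numbers.
if command -v auditctl >/dev/null 2>&1 && status=$(auditctl -s 2>/dev/null); then
    :
else
    status=$SAMPLE_STATUS
fi
if printf '%s\n' "$status" | queue_ok; then
    echo "audit queue healthy: $(printf '%s\n' "$status" | audit_queue_stats)"
else
    echo "events lost or backlog too small (lost backlog limit): $(printf '%s\n' "$status" | audit_queue_stats)"
fi
```

Run it before the first permissive x11vnc session and again after a reboot with the new limits; only when `lost` stays at 0 across a session is the audit.log a complete input for audit2allow.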
Let's try this.
chcon -t xserver_exec_t /usr/bin/x11vnc
And create myvnc.te that looks like the following:
cat myvnc.te
#==========================================================================
policy_module(myvnc,1.0)

gen_require(`
	type xserver_exec_t, xserver_t;
')

tcpd_wrapped_domain(xserver_t, xserver_exec_t)
#=======================================================================

make -f /usr/share/selinux/devel/Makefile myvnc.pp
semodule -i myvnc.pp
Then try it again.
The reason you are getting all the AVCs about random domains is that x11vnc is doing the equivalent of the ps command: it is walking through /proc and looking at every process. The SELinux interface to handle this would have been:
domain_read_all_domains_state(tcpd_t)
But what we really want is tcpd_t to transition to xserver_t when running x11vnc.
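The relabel, .te, build and install steps above as one script, with a check after each, added here as an example and not Dan's code. What it adds beyond the message is this example's own: the label is recorded with semanage fcontext before restorecon applies it, because a bare chcon is undone by the next restorecon or relabel; the .te is sanity-checked before the build; and after installation it verifies the file label (stat -c %C), the loaded tcpd_t to xserver_t transition (sesearch -T) and the domain of a running x11vnc (ps -o label). Steps that need root or a live SELinux host are skipped when the tool is missing.

```shell
#!/bin/sh
# Added example, not code from the message above: the chcon / myvnc.te / make /
# semodule steps as one script with a check after each. Assumes Fedora's
# selinux-policy-devel (/usr/share/selinux/devel/Makefile), policycoreutils
# (semodule, restorecon, semanage) and setools (sesearch). Steps that need root
# or a live SELinux host are skipped when the tool is missing, so writing the
# .te and parsing contexts run anywhere.
set -u

TE_NAME=myvnc
X11VNC=/usr/bin/x11vnc

# Step 1: label x11vnc as an X server entrypoint. The message uses a bare chcon;
# that label is lost on the next restorecon or relabel, so record it with
# semanage first and let restorecon apply it (the persistence is this example's
# addition).
label_x11vnc() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage missing, skipping relabel"; return 0; }
    semanage fcontext -a -t xserver_exec_t "$X11VNC" 2>/dev/null ||
        semanage fcontext -m -t xserver_exec_t "$X11VNC"
    restorecon -v "$X11VNC"
}

# Step 2: the .te from the message, written to DIR/myvnc.te; prints the path.
write_myvnc_te() {
    cat > "$1/$TE_NAME.te" <<'EOF'
policy_module(myvnc, 1.0)

gen_require(`
	type xserver_exec_t, xserver_t;
')

# tcpd_t exec()s x11vnc, now labelled xserver_exec_t, and transitions to
# xserver_t; the denials are then judged against the X server policy instead
# of being allowed one by one in tcpd_t.
tcpd_wrapped_domain(xserver_t, xserver_exec_t)
EOF
    echo "$1/$TE_NAME.te"
}

# Cheap check before spending a build: module header, require block and the
# one interface call must all be present in the file given as $1.
check_te() {
    grep -q '^policy_module(myvnc' "$1" &&
    grep -q 'type xserver_exec_t, xserver_t;' "$1" &&
    grep -q '^tcpd_wrapped_domain(xserver_t, xserver_exec_t)' "$1"
}

# Step 3: build and install with the message's two commands, in directory $1.
build_and_install() {
    { [ -r /usr/share/selinux/devel/Makefile ] && command -v semodule >/dev/null 2>&1; } ||
        { echo "selinux-policy-devel or semodule missing, skipping build"; return 0; }
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile "$TE_NAME.pp" ) &&
    semodule -i "$1/$TE_NAME.pp"
}

# Type field of a security context: system_u:object_r:xserver_exec_t:s0 -> xserver_exec_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Step 4: verify the file label, the loaded transition rule and (once a client
# has connected through tcpd) the domain of the running x11vnc process.
verify() {
    rc=0
    if [ -e "$X11VNC" ] && ctx=$(stat -c %C "$X11VNC" 2>/dev/null); then
        [ "$(ctx_type "$ctx")" = xserver_exec_t ] ||
            { echo "$X11VNC is $ctx, expected xserver_exec_t"; rc=1; }
    fi
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -T -s tcpd_t -t xserver_exec_t -c process 2>/dev/null | grep -q xserver_t ||
            { echo "no tcpd_t -> xserver_t transition in the loaded policy"; rc=1; }
    fi
    ps -eo label,comm 2>/dev/null | awk '$2 == "x11vnc" { print "x11vnc runs as " $1 }'
    return $rc
}

workdir=$(mktemp -d)
te=$(write_myvnc_te "$workdir")
check_te "$te" || { echo "$te is incomplete"; exit 1; }
label_x11vnc
build_and_install "$workdir"
verify
```

If verify reports the transition but a connected x11vnc still shows tcpd_t, the script that tcpd runs is the thing being executed, not x11vnc itself, and the wrapper script is what needs the xserver_exec_t treatment or removing.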
Thank you for that - the difference was phenomenal!
At first it didn't seem to do anything because it was a bash script, not x11vnc, that was running ps. However, I read the x11vnc manual again and finally realized how to make it run ps for me.
Once I had made the change the AVCs reduced from several hundred to a large handful.
(Removing your myvnc.pol policy returned it to producing hundreds of AVCs again)
SNIP
Well I am happy it is working for you, but we prefer the solution to get tcpd_t to transition to xserver_t, when running x11vnc.
Which hopefully will be showing up in an update release.
Sorry I think I did not make myself clear. I removed your policy just to see what a difference it made (HUGE), and then I re-applied it.
The policies I generated afterwards were for the things that weren't already fixed by your policy.