SELinux and stunnel
by W. Michael Petullo
I am using stunnel to create an encrypted tunnel for SMTP connections to
my ISP. I have configured xinetd to execute stunnel appropriately when a
connection is made to localhost:465. This has stopped working when using
recent strict policies. I now see the following errors in my system logs:
Jul 19 20:42:16 imp kernel: audit(1090287736.954:0): avc: denied { execute } for pid=6363 exe=/usr/sbin/xinetd name=stunnel dev=dm-0 ino=48915 scontext=root:system_r:inetd_t tcontext=system_u:object_r:sbin_t tclass=file
Jul 19 20:42:16 imp kernel: audit(1090287736.954:0): avc: denied { execute_no_trans } for pid=6363 exe=/usr/sbin/xinetd path=/usr/sbin/stunnel dev=dm-0 ino=48915 scontext=root:system_r:inetd_t tcontext=system_u:object_r:sbin_t tclass=file
Jul 19 20:42:16 imp kernel: audit(1090287736.956:0): avc: denied { read } for pid=6363 exe=/usr/sbin/xinetd path=/usr/sbin/stunnel dev=dm-0 ino=48915 scontext=root:system_r:inetd_t tcontext=system_u:object_r:sbin_t tclass=file
Jul 19 20:42:17 imp kernel: audit(1090287737.391:0): avc: denied { getattr } for pid=6363 exe=/usr/sbin/stunnel path=/dev/urandom dev=dm-0 ino=272235 scontext=root:system_r:inetd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 19 20:42:17 imp kernel: audit(1090287737.395:0): avc: denied { read } for pid=6363 exe=/usr/sbin/stunnel name=urandom dev=dm-0 ino=272235 scontext=root:system_r:inetd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 19 20:42:17 imp kernel: audit(1090287737.395:0): avc: denied { ioctl } for pid=6363 exe=/usr/sbin/stunnel path=/dev/urandom dev=dm-0 ino=272235 scontext=root:system_r:inetd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
I am using:
selinux-policy-strict-sources-1.15.5-2
selinux-policy-strict-1.15.5-2
policycoreutils-1.15.1-1
checkpolicy-1.14.1-1
libselinux-devel-1.15.1-1
libselinux-1.15.1-1
Should I put this in bugzilla?
--
Mike
19 years, 10 months
/etc/exports, /usr/sbin/exportfs ...
by Tom London
My log shows the following failure:
Jul 19 18:58:38 fedora kernel: audit(1090288718.937:0): avc: denied { read } for pid=2363 exe=/usr/sbin/exportfs name=exports dev=hda2 ino=4472848 scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:exports_t tclass=file
Jul 19 18:58:38 fedora exportfs[2363]: can't open /etc/exports for reading
Jul 19 18:58:38 fedora exportfs: exportfs: can't open /etc/exports for reading
I'm running strict/enforcing.
tom
19 years, 10 months
SELinux installation!
by Sajed Miremadi
Hi,
I have a little problem with installing SELinux.
I begin by typing "linux selinux" at the boot prompt, and after some steps I
see that SELinux has been activated. But when I choose "custom", I don't know
which package includes "/etc/security/selinux/src" (I mean the "src"
directory), because the "src" directory exists whenever I choose "everything",
and installing in this mode takes a very long time.
thanx,
19 years, 10 months
genhomedircon
by Russell Coker
The attached patch fixes a bug in genhomedircon.
Without this if you create system users with "useradd -r" and give them home
directories in unusual locations (such as /usr/DIR or /var/run/DIR) then a
file_contexts file will be generated that will mess up your system.
This patch makes it check /etc/login.defs for the value of UID_MIN.
Also perhaps we should make STARTING_UID default to 500. 500 is the default
value for this in Fedora.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
19 years, 10 months
Major problems after upgrade from FC1
by A. Gautier
I am about to pull what little is left of my hair out. I decided to
upgrade from FC1 to FC2 by pointing yum to a FC2 repository and upgrading
all packages. This worked for the most part but I am having massive
problems with SELinux. I am not sure that SELinux got set up properly. One
of the biggest problems that I have is that crond now no longer runs. I
have been following the Fedora SELinux FAQ to get up to speed, with lots of
Google searches and watching this list, but I have not been able to solve
my problem. My first problem is that the system crond is not running. My
user crontab is running fine. So, my question is: could someone help me
1.) Make sure my setup is correct.
2.) Get the correct policies setup (I am also having a problem with
postfix, but I think if I get #1 then there is enough info on the web to
solve that problem).
Also, the reason I think there is a configuration problem is that, when
following the FAQ to add a user:
------------------------------
EXCERPT:
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html#id30...
Q: How can I create a new Linux user account with the user's home
directory having the proper context?
A: You can create your new user with the standard useradd command, but
first you must become root with a context of sysadm_r. This context switch
has been incorporated into the su command:
%>su - root
Your default context is root:sysadm_r:sysadm_t.
Do you want to choose a different one? [n] n
%>useradd auser
%>ls -Z /home
drwxr-xr-x auser auser root:object_r:user_home_dir_t
/home/auser
------------------------------
So I thought if I ran ls -Z /home I would get a similar result?
------------------------------
OUTPUT: ls -Z /home
drwxr--r--+ <user> <group> (null) <user>
Also, I get the (null) report on all directories in /root.
------------------------------
OUTPUT: sudo /usr/sbin/sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Policy version: 17
Policy booleans:
user_ping inactive
Process contexts:
Current context: user_u:sysadm_r:sysadm_t
Init context: system_u:system_r:kernel_t
/sbin/mingetty system_u:system_r:kernel_t
/usr/sbin/sshd system_u:system_r:kernel_t
File contexts:
Controlling term: user_u:object_r:devpts_t
-----------------
EXCERPT: /var/log/messages
Jul 12 12:00:00 sun kernel: audit(1089651600.583:0): avc: denied { compute_user } for pid=27396 exe=/usr/sbin/crond scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
Jul 12 12:00:00 sun kernel: audit(1089651600.584:0): avc: denied { compute_av } for pid=27396 exe=/usr/sbin/crond scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
Jul 12 12:00:00 sun kernel: audit(1089651600.586:0): avc: denied { check_context } for pid=27396 exe=/usr/sbin/crond scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
Jul 12 12:00:00 sun kernel: audit(1089651600.586:0): avc: denied { write } for pid=27396 exe=/usr/sbin/crond name=exec dev=proc ino=1795424277 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=file
Jul 12 12:00:00 sun kernel: audit(1089651600.587:0): avc: denied { setexec } for pid=27396 exe=/usr/sbin/crond scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=process
Jul 12 12:00:00 sun kernel: audit(1089651600.587:0): avc: denied { transition } for pid=27396 exe=/usr/sbin/crond path=/bin/bash dev=hda3 ino=3850263 scontext=system_u:system_r:kernel_t tcontext=user_u:sysadm_r:sysadm_t tclass=process
Jul 12 12:00:00 sun kernel: audit(1089651600.590:0): avc: denied { siginh } for pid=27396 exe=/bin/bash scontext=system_u:system_r:kernel_t tcontext=user_u:sysadm_r:sysadm_t tclass=process
Jul 12 12:00:00 sun kernel: audit(1089651600.590:0): avc: denied { rlimitinh } for pid=27396 exe=/bin/bash scontext=system_u:system_r:kernel_t tcontext=user_u:sysadm_r:sysadm_t tclass=process
Jul 12 12:00:00 sun kernel: audit(1089651600.590:0): avc: denied { noatsecure } for pid=27396 exe=/bin/bash scontext=system_u:system_r:kernel_t tcontext=user_u:sysadm_r:sysadm_t tclass=process
Jul 12 12:00:01 sun kernel: audit(1089651601.074:0): avc: denied { execute } for pid=27400 exe=/usr/sbin/crond name=sendmail.postfix dev=hda3 ino=3391852 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sendmail_exec_t tclass=file
Jul 12 12:00:01 sun kernel: audit(1089651601.074:0): avc: denied { execute_no_trans } for pid=27400 exe=/usr/sbin/crond path=/usr/sbin/sendmail.postfix dev=hda3 ino=3391852 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sendmail_exec_t tclass=file
19 years, 10 months
install of kernel-2.6.7-1.492: mkinitrd fails in strict/enforcing .......
by Tom London
'yum update' for the kernel-2.6.7-1.492 doesn't work
(strict/enforcing mode, selinux-policy-strict-1.15.5-2):
kernel 100 % done 18/47
/bin/bash: /root/.bashrc: Permission denied
/lib/modules/2.6.7-1.492 is not a directory.
mkinitrd failed
/
[I checked, and no initrd-2.6.7-1.492.img in /boot]
I found this message in /var/log/messages:
Jul 16 07:52:15 fedora kernel: audit(1089989535.207:0): avc: denied { getattr } for pid=3420 exe=/bin/bash path=/lib/modules/2.6.7-1.492 dev=hda2 ino=3671053 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:modules_object_t tclass=dir
I set 'strict/permissive', did 'rpm -e kernel-2.6.7-1.492'
and did the 'yum update' again and got:
Dependencies resolved
I will do the following:
[install: kernel 2.6.7-1.492.i686]
Is this ok [y/N]: y
Downloading Packages
Running test transaction:
WARNING: Multiple same specifications for /halt.
WARNING: Multiple same specifications for /\.autofsck.
Test transaction complete, Success!
WARNING: Multiple same specifications for /halt.
WARNING: Multiple same specifications for /\.autofsck.
kernel 100 % done 1/1
/
Kernel Updated/Installed, checking for bootloader
Grub found - making this kernel the default
Installed: kernel 2.6.7-1.492.i686
Transaction(s) Complete
Something changed?
tom
19 years, 10 months
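The stunnel, exportfs, crond and mkinitrd posts above all turn on reading AVC denial records and working out which type-enforcement rule they imply. The parser below does that the way audit2allow does: it groups the denied permissions by source type, target type and object class and prints one allow rule per group. It is an added example, not code from any of the posts; the sample records are the stunnel denials re-joined onto single lines, and the rules it prints are what the denials imply, which is the input to deciding whether the policy or the file labelling is wrong.

```python
import re
from collections import defaultdict

# Constructed sample: the six stunnel denials from the post above, each record
# re-joined onto the single line the kernel originally emitted.
SAMPLE_AVC = """\
Jul 19 20:42:16 imp kernel: audit(1090287736.954:0): avc: denied { execute } for pid=6363 exe=/usr/sbin/xinetd name=stunnel dev=dm-0 ino=48915 scontext=root:system_r:inetd_t tcontext=system_u:object_r:sbin_t tclass=file
Jul 19 20:42:16 imp kernel: audit(1090287736.954:0): avc: denied { execute_no_trans } for pid=6363 exe=/usr/sbin/xinetd path=/usr/sbin/stunnel dev=dm-0 ino=48915 scontext=root:system_r:inetd_t tcontext=system_u:object_r:sbin_t tclass=file
Jul 19 20:42:16 imp kernel: audit(1090287736.956:0): avc: denied { read } for pid=6363 exe=/usr/sbin/xinetd path=/usr/sbin/stunnel dev=dm-0 ino=48915 scontext=root:system_r:inetd_t tcontext=system_u:object_r:sbin_t tclass=file
Jul 19 20:42:17 imp kernel: audit(1090287737.391:0): avc: denied { getattr } for pid=6363 exe=/usr/sbin/stunnel path=/dev/urandom dev=dm-0 ino=272235 scontext=root:system_r:inetd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 19 20:42:17 imp kernel: audit(1090287737.395:0): avc: denied { read } for pid=6363 exe=/usr/sbin/stunnel name=urandom dev=dm-0 ino=272235 scontext=root:system_r:inetd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 19 20:42:17 imp kernel: audit(1090287737.395:0): avc: denied { ioctl } for pid=6363 exe=/usr/sbin/stunnel path=/dev/urandom dev=dm-0 ino=272235 scontext=root:system_r:inetd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict with 'perms' plus every key=value field of one denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    return rec

def type_of(context):
    """user:role:type[:range] -> type, the part a TE rule is written against."""
    return context.split(":")[2]

def allow_rules(log_text):
    """Collapse denials into one allow rule per (source type, target type, class),
    in policy.conf syntax, like audit2allow; each rule is then a question
    (is the policy wrong, or the label?) rather than a patch to apply as-is."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            grouped[key].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
```

For the stunnel records this yields two rules, one for inetd_t executing sbin_t files and one for inetd_t reading the urandom device; the first is the hint that /usr/sbin/stunnel is labelled sbin_t rather than a type inetd_t may run.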
selinux-policy-strict-1.15.5-2 breaks mozilla....
by Tom London
selinux-policy-strict-1.15.5-2 mislabels /usr/lib/mozilla-1.7/mozilla-* as
lib_t, instead of as mozilla_exec_t.
mozilla.fc now has:
/usr/lib(64)?/mozilla/mozilla-.* -- system_u:object_r:mozilla_exec_t
but the files are in /usr/lib/mozilla-1.7/
Should the line in mozilla.fc be something like:
/usr/lib(64)?/mozilla(-[0-9].*)?/mozilla-* --
system_u:object_r:mozilla_exec_t
tom
19 years, 10 months
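The question in the post above is which files a file_contexts line actually labels, so the added example below is a minimal matchpathcon: it anchors each regex to the whole path and lets the last matching entry win, as libselinux does. It is not code from the post or from the policy sources; the generic lib_t line and the path /usr/lib/mozilla-1.7/mozilla-bin are assumptions, and the current line, the proposed "mozilla-*" line and a "mozilla-.*" variant are each tried against that path.

```python
import re

# One file_contexts line is "<regex> [<type>] <context>"; <type> is -- for a
# regular file, -d for a directory, and so on; no type means any file type.
SPEC_RE = re.compile(r"^(\S+)\s+(?:(-[-a-z])\s+)?(\S+)$")

def parse_file_contexts(text):
    """Return [(compiled regex, type or None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"bad file_contexts line: {line!r}")
        regex, ftype, ctx = m.groups()
        # libselinux anchors every pattern to the whole path.
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs

def matchpathcon(specs, path, ftype="--"):
    """Last matching entry wins (file_contexts(5)); None if nothing matches."""
    result = None
    for rx, spec_type, ctx in specs:
        if rx.match(path) and spec_type in (None, ftype):
            result = ctx
    return result

# Constructed samples: a generic lib_t rule (assumed, not quoted in the post),
# the mozilla.fc line quoted in the post, and then the proposed line, either
# as written ("mozilla-*") or with "mozilla-.*" so a suffix such as -bin fits.
BASE_FC = """
/usr/lib(64)?/.*                         system_u:object_r:lib_t
/usr/lib(64)?/mozilla/mozilla-.*     --  system_u:object_r:mozilla_exec_t
"""
PROPOSED_FC = BASE_FC + \
    "/usr/lib(64)?/mozilla(-[0-9].*)?/mozilla-*  --  system_u:object_r:mozilla_exec_t\n"
SUFFIX_FC = BASE_FC + \
    "/usr/lib(64)?/mozilla(-[0-9].*)?/mozilla-.* --  system_u:object_r:mozilla_exec_t\n"

def label(fc_text, path, ftype="--"):
    """Context a given file_contexts text assigns to path, or None."""
    return matchpathcon(parse_file_contexts(fc_text), path, ftype)

if __name__ == "__main__":
    binary = "/usr/lib/mozilla-1.7/mozilla-bin"   # assumed path of the browser binary
    for name, fc in (("current", BASE_FC), ("proposed", PROPOSED_FC), ("suffix", SUFFIX_FC)):
        print(f"{name:8} {binary} -> {label(fc, binary)}")
```

Because every pattern is anchored, "mozilla-*" only admits a name that is "mozilla" followed by dashes, so the versioned binary still falls through to the generic lib_t entry until the trailing part is "mozilla-.*".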
Policy Management
by Kirk Vogelsang
I'm contemplating rolling my own policy.conf, using the latest strict
as a base and trimming it down and wondering if others have gone
this route as well.
I'm well aware of the implications in doing this and moving away from
the standard m4-based config. But what seem to be trivial tasks in
modifying the policy file directly appear to become somewhat non-trivial
in trying to make the same modification in the macro files.
For example, I wish to disallow user_r any access to selinux_config_t.
It appears as though access is granted to selinux_config_t via
full_user_role() via base_file_read_access(). full_user_role(user)
adds quite a bit of functionality I want to keep as does
base_file_read_access(user). So I'm not quite sure where to go from
here. Removing this access from the policy.conf directly appears to
be a matter of removing one or two lines.
Maybe I'm going about things incorrectly? Do others write and maintain
their own policies independent of the policy*.rpm's?
Thanx for any insight...
-----
Kirk M. Vogelsang <kvogelsa(a)ccs.neu.edu>
Northeastern University College of Computer Science
19 years, 10 months