Squirrelmail forward plugin
by Nicklas Norling
Hi.
Just noted a user tried to add .forward by using the forwarding module
in squirrelmail.
Jul 20 00:56:52 spock kernel: audit(1121813812.917:1844): avc: denied
{ setgid } for pid=24466 comm="wfwd" capability=6
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
httpd log:
/usr/local/sbin/wfwd: Operation not permitted
[root@spock html]# audit2allow -d -l
allow httpd_sys_script_t self:capability setgid;
The tool used is wfwd.
httpd booleans:
httpd_builtin_scripting active
httpd_can_network_connect active
httpd_disable_trans inactive
httpd_enable_cgi active
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_suexec_disable_trans inactive
httpd_tty_comm inactive
httpd_unified active
I wonder what will happen when a user tries to change the password using
the change password plugin...
/Nicke
18 years, 9 months
strict policy
by Todd Merritt
I'm getting started with selinux on FC 4. I'm using the strict policy,
but I'd like to restrict it further so that users can only execute a
handful of commands. I've tried replacing full_user_role(user_t) with
limited_user_role, but that drew assertion errors when trying to load the
policy, and I tried removing or restricting the can_exec in both full and
limited_user_role macros in macros/user_macros.te, but (at least from
looking at audit2allow) none of this seems to be getting me where I
want to be. What is the best way to remove all access from user_t so
that I can add in the commands I want them to be able to run?
Thanks,
Todd
18 years, 10 months
audit errors on shutdown in FC4
by Claude Jones
First post here (my apology to the moderator - first post actually was from
the wrong email address and is awaiting your approval)
I hope someone knows what the following is about. When I
shutdown or reboot, I'm getting the following messages:
--------------------- Selinux Audit Begin ------------------------
**Unmatched Entries** (Only first 10 out of 24 are printed)
The audit daemon is exiting.
audit: *NO* daemon at audit_pid=1920
audit(1122429286.858:9676498): arch=40000003 syscall=102 success=no exit=-22
a0=b a1=bf9e3470 a2=80510f8 a3=0 items=0 pid=29548 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl"
exe="/sbin/auditctl"
audit(1122429286.858:9676498): saddr=100000000000000000000000
audit(1122429286.858:9676498): nargs=6 a0=3 a1=bf9e55cc a2=10 a3=0
a4=bf9e7768 a5=c
audit(1122429286.959:9676518): SELinux: unrecognized netlink message
type=1009 for sclass=49
audit(1122429286.959:9676518): arch=40000003 syscall=102 success=no exit=-22
a0=b a1=bf9e3450 a2=80510f8 a3=0 items=0 pid=29548 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl"
exe="/sbin/auditctl"
audit(1122429286.959:9676518): saddr=100000000000000000000000
audit(1122429286.959:9676518): nargs=6 a0=3 a1=bf9e55ac a2=10 a3=0
a4=bf9e7748 a5=c
Init complete, auditd 0.9.15 listening for events
This is from my logs, but it looks just like this on my screen as the shutdown
is occurring. I did some research on this and have gained a layman's
understanding of netlink, but I couldn't figure out how to troubleshoot the
problem.
--
Claude Jones
Bluemont, VA, USA
18 years, 10 months
audit errors on FC4 shutdown
by Claude Jones
First post here - hope someone knows what the following is about. When I
shutdown or reboot, I'm getting the following messages:
--------------------- Selinux Audit Begin ------------------------
**Unmatched Entries** (Only first 10 out of 24 are printed)
The audit daemon is exiting.
audit: *NO* daemon at audit_pid=1920
audit(1122429286.858:9676498): arch=40000003 syscall=102 success=no exit=-22
a0=b a1=bf9e3470 a2=80510f8 a3=0 items=0 pid=29548 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl"
exe="/sbin/auditctl"
audit(1122429286.858:9676498): saddr=100000000000000000000000
audit(1122429286.858:9676498): nargs=6 a0=3 a1=bf9e55cc a2=10 a3=0
a4=bf9e7768 a5=c
audit(1122429286.959:9676518): SELinux: unrecognized netlink message
type=1009 for sclass=49
audit(1122429286.959:9676518): arch=40000003 syscall=102 success=no exit=-22
a0=b a1=bf9e3450 a2=80510f8 a3=0 items=0 pid=29548 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl"
exe="/sbin/auditctl"
audit(1122429286.959:9676518): saddr=100000000000000000000000
audit(1122429286.959:9676518): nargs=6 a0=3 a1=bf9e55ac a2=10 a3=0
a4=bf9e7748 a5=c
Init complete, auditd 0.9.15 listening for events
This is from my logs, but it looks just like this on my screen as the shutdown
is occurring. I did some research on this and have gained a layman's
understanding of netlink, but I couldn't figure out how to troubleshoot the
problem.
--
Claude Jones
Bluemont, VA, USA
18 years, 10 months
pam-0.79-9.1 breakage with FC4 strict policy.
by Ted Rule
I have recently updated the pam rpm on my FC4 machine from:
pam-0.79-8
to
pam-0.79-9.1
The machine was originally built as FC3 running SELinux strict/enforcing,
upgraded to FC4, "/.autorelabel"'ed, and thereafter gradually patched up
with FC4 updates using yum. The SELinux policy is using:
selinux-policy-strict-1.23.16-6
The current pam misbehaviour for a variety of authentication sequences
is as follows:
========================================
With SELinux enforcing and pam-0.79-9.1:
"su -" works Ok. ( both su-ing to root and non-root users. )
"sudo" fails every time with:
sudo: pam_authenticate: System error
"/bin/login" fails every time with only these messages in syslog:
Jul 25 08:45:31 topaz login: FAILED LOGIN SESSION FROM (null) FOR ejtr,
System error
Jul 25 08:45:31 topaz kernel: audit(1122277531.083:24): avc: denied
{ lock } for pid=5704 comm="login" name="btmp" dev=hda7 ino=339558
scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:faillog_t tclass=file
"ssh localhost" fails every time with:
Jul 25 08:48:31 topaz sshd[14927]: error: Could not get shadow
information for ejtr
Jul 25 08:48:31 topaz sshd[14927]: Failed password for ejtr from
127.0.0.1 port 50117 ssh2
=========================================
With SELinux permissive and pam-0.79-9.1:
"su -" works Ok. ( both su-ing to root and non-root users. )
"sudo" fails 1st time with:
sudo: pam_authenticate: System error
and then succeeds 2nd time - but still asks for password. On the 3rd
attempt it caches the authentication from the 2nd attempt and works Ok.
"/bin/login" appears to fail twice and then succeed.
Jul 25 08:53:07 topaz login: FAILED LOGIN SESSION FROM (null) FOR ejtr,
System error
Jul 25 08:53:07 topaz kernel: audit(1122277987.276:26): avc: denied
{ lock } for pid=5767 comm="login" name="btmp" dev=hda7 ino=339558
scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:faillog_t tclass=file
Jul 25 08:53:11 topaz login: FAILED LOGIN SESSION FROM (null) FOR ejtr,
System error
Jul 25 08:53:11 topaz kernel: audit(1122277991.339:27): avc: denied
{ lock } for pid=10278 comm="login" name="btmp" dev=hda7 ino=339558
scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:faillog_t tclass=file
Jul 25 08:53:15 topaz login(pam_unix)[10621]: session opened for user
ejtr by (uid=0)
Jul 25 08:53:15 topaz -- ejtr[10621]: LOGIN ON tty2 BY ejtr
Jul 25 08:53:19 topaz login(pam_unix)[10621]: session closed for user
ejtr
Jul 25 08:53:25 topaz login(pam_unix)[11502]: session opened for user
ejtr by (uid=0)
Jul 25 08:53:25 topaz -- ejtr[11502]: LOGIN ON tty2 BY ejtr
Jul 25 08:53:27 topaz login(pam_unix)[11502]: session closed for user
ejtr
"ssh localhost" works 1st time.
===============================================
When I saw the "shadow" error on sshd, I tried adding some "debug" to
SELinux policy to double check that the correct domain was trying to
read shadow_t. That proved to be a red herring, as did tracking the lock
access denial on /var/log/btmp.
I've checked SELinux file_contexts on the pam installed files - seems
Ok. I've tried downgrading pam to 0.79-8 and back to 0.79-9.1 again. The
system consistently works every time with 0.79-8 and misbehaves every
time with 0.79-9.1
Amongst the trail of debugging, I've found a couple of pam errors which
are seemingly unrelated to the overall failure, but probably need
fixing:
This:
allow crond_t self:capability { audit_control } ;
seems to be needed to allow per-user crontab's to audit correctly.
There seems to be some inconsistency in the use and non-use of
pam_loginuid.so and pam_selinux.so in /etc/pam.d/XXXX as between
/etc/pam.d/su
/etc/pam.d/sudo
/etc/pam.d/login
/etc/pam.d/gdm
/etc/pam.d/sshd
I would have thought that most, if not all, of the pam.d configurations
should have pam_loginuid.so and pam_selinux.so references, but I could
so easily be wrong about this.
I also noticed that the FC3 -> FC4 upgrade process failed to
automatically install the "audit" rpm. I manually added it via yum
whilst tracking the pam problem, but the lack of the auditd service also
seems to be a red herring. I currently have it installed but
chkconfig'ed off, mainly so as to ensure all the logs are in one place
for ease of debugging.
I've tried temporarily disabling various clauses in /etc/pam.d/login -
such as pam_console - to try and isolate the issue, but I haven't had
much luck with that either. With "debug" enabled on the pam_stack.so
entry in /etc/pam.d/login, it seems that "system-auth" always returns
SUCCESS, which seems to eliminate most of pam as a source of error.
Can anyone throw any light on the problem or give me some other ideas
for debugging the issue?
Thanks,
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
18 years, 10 months
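Ted's question about which /etc/pam.d services carry pam_loginuid.so and pam_selinux.so, and the auid=4294967295 (unset login uid) visible in Claude's auditctl records further up, both come down to the same check: the session stack of each login entry point (login, sshd, gdm, crond) must run pam_loginuid.so so that the audit subsystem can attribute later events to the user who logged in, and pam_selinux.so so the session gets the right SELinux context. su and sudo are deliberately not entry points: the login uid is meant to survive privilege changes, so they should not reset it. The following is an added example, not code from the original thread or from FC4; the pam.d fragments embedded in it are constructed for illustration, and it does not follow pam_stack.so/include references into system-auth, so a module placed only there would be reported as missing.

```python
import re

# Constructed, illustrative /etc/pam.d fragments (hypothetical; not copied from any release).
SAMPLE_PAMD = {
    "login": """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
session    required     pam_selinux.so open
""",
    "sshd": """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
""",
    "su": """\
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_xauth.so
""",
}

# Services that create a login session and therefore must set the login uid.
ENTRY_POINTS = {"login", "sshd", "gdm", "crond"}
REQUIRED_SESSION_MODULES = ("pam_loginuid.so", "pam_selinux.so")


def parse_pam_service(text):
    """Return (type, control, module, args) tuples; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; pam itself would complain about it
        # A leading '-' on the type means "silently skip if the module is missing".
        mtype, control, module = parts[0].lstrip("-"), parts[1], parts[2]
        entries.append((mtype, control, module, parts[3:]))
    return entries


def session_modules(text):
    """Modules referenced from the session stack of one service file."""
    return [entry[2] for entry in parse_pam_service(text) if entry[0] == "session"]


def audit_pamd(pamd):
    """Map each entry-point service to the required session modules it lacks."""
    findings = {}
    for service, text in pamd.items():
        if service not in ENTRY_POINTS:
            continue  # su/sudo must not touch the login uid
        present = set(session_modules(text))
        missing = [m for m in REQUIRED_SESSION_MODULES if m not in present]
        if missing:
            findings[service] = missing
    return findings


if __name__ == "__main__":
    for service, missing in sorted(audit_pamd(SAMPLE_PAMD).items()):
        print(f"{service}: missing {', '.join(missing)}")
```

On a real host, feed the function a dict built from the files under /etc/pam.d; an entry point reported here will produce audit records with auid=4294967295 for everything the logged-in user does, which is exactly the gap pam_loginuid.so exists to close.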
HOME_DIR in apache.fc
by James Z. Li
Hi all,
I am using targeted policy on FC4. In the apache.fc file, the first line is
HOME_DIR/((www)|(web)|(public_html))(/.+)?    system_u:object_r:httpd_ROLE_content_t
I want to know where "HOME_DIR" is defined? The "apol" tool did not show
the definition of HOME_DIR. Btw, is HOME_DIR related to
attribute user_home_dir_type;
attribute home_dir_type;
type user_home_dir_t;
Thanks,
James
18 years, 10 months
ANN: SELinux Policy Editor 1.0
by Yuichi Nakamura
We are glad to announce that SELinux Policy Editor 1.0 has been released.
In this release,
our policy called "Simplified policy" can be used without GUI.
To try, visit http://seedit.sourceforge.net/ .
Install manual, how to and specification documentations are ready.
SELinux Policy Editor and Simplified policy work on Fedora Core 4 and 3.
Our tool does not affect the existing SELinux; you can go back to the default
SELinux easily. Feel free to try.
If you have a question, suggestion or anything else, email
seedit-admin(a)lists.sourceforge.net.
* About SELinux Policy Editor
SELinux Policy Editor is a tool to edit and view SELinux policy,
originally developed by Hitachi Software, now developed in the
SELinux Policy Editor Project (seedit.sourceforge.net).
The tool is composed of simplified policy and GUI.
Simplified policy hides detail of SELinux configuration,
and GUI makes configuration much easier.
It is not just a GUI tool, the important component is simplified policy.
You can also configure simplified policy without GUI.
Following is example of simplified policy for Apache.
domain httpd_t;
domain_trans initrc_t /usr/sbin/httpd;
allow /var/www r,s;
allownet -tcp -port 80;
As you can see, types are not used; you can use file names and port numbers in the
configuration.
For detail about simplified policy, see
http://seedit.sourceforge.net/doc/simplified_policy_manual.pdf
* TODO
- Review the security of simplified policy
- Extend syntax of simplified policy for detailed configuration
- Auto generation of simplified policy
- Write more policy by simplified policy
- Test on other distributions
---
Yuichi Nakamura
Hitachi Software, The George Washington University
Japan SELinux Users Group(JSELUG)
Japan Open Source Advocacy Organization(JOSAO)
SELinux Policy Editor: http://seedit.sourceforge.net/
18 years, 10 months
users public_html access
by John Griffiths
I cannot get users' public_html content to publish in FC4. I keep getting
"You don't have permission to access /~<user>/ on this server." I can
access the user's public_html when I change SELinux to Permissive.
I searched the archives and did not find anything, and I followed the
direction in section 4 of "Understanding and Customizing the Apache HTTP
SELinux Policy" which was written for FC3.
The httpd booleans are:
httpd_builtin_scripting active
httpd_can_network_connect active
httpd_disable_trans inactive
httpd_enable_cgi active
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_suexec_disable_trans inactive
httpd_tty_comm inactive
httpd_unified active
The security setting on the user's public_html and the files in the
directory is user_u:object_r:httpd_sys_content_t . Obviously the
standard UGW permissions are OK since turning off SELinux allows the
content to be accessed.
What am I missing, or is this a bug?
Thanks,
John Griffiths
18 years, 10 months
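James asks where HOME_DIR in apache.fc is defined, and John sees ~user/public_html labelled httpd_sys_content_t while Apache is still denied. Both come down to how HOME_DIR lines are expanded. HOME_DIR and ROLE are not policy symbols (which is why apol shows no definition); they are placeholders that genhomedircon replaces, when the policy is installed, with each user's actual home directory and the user's role prefix, writing the result to file_contexts.homedirs beside file_contexts. matchpathcon and restorecon then use the last entry whose regex matches the whole path. The example below reproduces that expansion for the apache.fc line quoted above; it is an added illustration, not the genhomedircon script or any FC4 code, and the user list and the HOME_DIR/.+ fallback line are constructed for the example.

```python
import re

# The apache.fc template line quoted in the thread (regex, then context, one line in the file).
APACHE_LINE = ("HOME_DIR/((www)|(web)|(public_html))(/.+)?\t"
               "system_u:object_r:httpd_ROLE_content_t")

# Constructed fallback entry (an assumption for this example, not copied from apache.fc) so that
# the precedence of the more specific public_html entry over a generic home-directory entry is visible.
FALLBACK_LINE = "HOME_DIR/.+\tsystem_u:object_r:user_home_t"

# Order matters: as in the generated file, later entries override earlier ones.
TEMPLATES = [FALLBACK_LINE, APACHE_LINE]

# Constructed sample users: home directory -> role prefix (hypothetical; a real system takes this
# from the passwd database and the users file genhomedircon reads).
SAMPLE_USERS = {
    "/home/jgriffiths": "user",
    "/home/alice": "staff",
}


def expand_template(line, home_dir, role):
    """Substitute HOME_DIR and ROLE in one template line; returns (regex, context)."""
    fields = line.split()
    regex, context = fields[0], fields[-1]  # an optional file-type field may sit in between
    regex = regex.replace("HOME_DIR", re.escape(home_dir))
    context = context.replace("ROLE", role)
    return regex, context


def build_entries(templates, users):
    """Expand every template for every user, preserving template order."""
    return [expand_template(line, home, role)
            for line in templates
            for home, role in users.items()]


def expected_context(path, entries):
    """Context the last fully-matching entry assigns to path, or None if nothing matches."""
    context = None
    for regex, ctx in entries:
        if re.fullmatch(regex, path):
            context = ctx  # keep going: a later match wins
    return context


if __name__ == "__main__":
    entries = build_entries(TEMPLATES, SAMPLE_USERS)
    for regex, ctx in entries:
        print(f"{regex}\t{ctx}")
    for path in ("/home/jgriffiths/public_html/index.html", "/home/alice/www/a/b",
                 "/home/jgriffiths/notes.txt", "/var/www/html/index.html"):
        print(path, "->", expected_context(path, entries))
```

For the quoted template line and the default role prefix "user", a file under ~jgriffiths/public_html expands to httpd_user_content_t. When the label you observe on a user's public_html differs from what the template yields, compare with `matchpathcon /home/<user>/public_html/index.html` and, if they disagree, run `restorecon -Rv /home/<user>/public_html` before reaching for audit2allow.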
Is selinux breaking up syslogd
by Tomas Larsson
As mentioned before, I can't get syslogd to run properly.
It seems that selinux is blocking syslogd.
type=AVC msg=audit(1122120398.858:801833): avc: denied { read } for
pid=4595 comm="syslogd" name="syslog.conf" dev=dm-0 ino=653814
scontext=root:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t
tclass=file
type=SYSCALL msg=audit(1122120398.858:801833): arch=40000003 syscall=5
success=no exit=-13 a0=d448c6 a1=0 a2=1b6 a3=9cd1298 items=1 pid=4595
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="syslogd" exe="/sbin/syslogd"
If I understand this correctly, SELinux is stopping syslogd from reading
syslog.conf.
What do I do to get it to work? There is no reference in the SELinux
man pages to syslogd.
With best regards
Tomas Larsson
Sweden
Verus Amicus Est Tamquam Alter Idem
18 years, 10 months
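Three posts in this batch (the wfwd setgid denial, the login/btmp lock denial and the syslogd/syslog.conf read denial) each quote one AVC record and, in the first case, the allow rule audit2allow derives from it. The derivation is mechanical: take the type field (third colon-separated component) of scontext and tcontext, the object class, and the permissions in braces, collapse identical source/target types to self, and merge permissions for the same (source, target, class) triple. The following is an added example, not audit2allow's own code; the log lines inside it are copied from the three messages above with their line wrapping removed, plus one constructed getattr line for syslogd to show permission merging. The caveat that matters in practice: an allow rule is only the right fix when the label on the target is correct. syslog.conf labelled etc_runtime_t rather than etc_t looks like a labelling problem, for which the remedy is restorecon on the file, not a new rule that widens syslogd_t.

```python
import re
from collections import defaultdict

# Sample records: first three from the messages above (wrapping removed), the fourth constructed.
SAMPLE_LOG = """\
Jul 20 00:56:52 spock kernel: audit(1121813812.917:1844): avc: denied { setgid } for pid=24466 comm="wfwd" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Jul 25 08:45:31 topaz kernel: audit(1122277531.083:24): avc: denied { lock } for pid=5704 comm="login" name="btmp" dev=hda7 ino=339558 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:faillog_t tclass=file
type=AVC msg=audit(1122120398.858:801833): avc: denied { read } for pid=4595 comm="syslogd" name="syslog.conf" dev=dm-0 ino=653814 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=AVC msg=audit(1122120399.100:801834): avc: denied { getattr } for pid=4595 comm="syslogd" name="syslog.conf" dev=dm-0 ino=653814 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Extract permissions, source/target types and class from one AVC denial; None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if any(key not in fields for key in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": fields["scontext"].split(":")[2],  # user:role:type[:mls]
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def allow_rules(log_text):
    """Merge denials into one allow rule per (source type, target type, class), sorted."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        ttype = "self" if d["ttype"] == d["stype"] else d["ttype"]
        merged[(d["stype"], ttype, d["tclass"])].update(d["perms"])
    return [f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
            for (stype, ttype, tclass), perms in sorted(merged.items())]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The first rule it prints is byte-for-byte the `allow httpd_sys_script_t self:capability setgid;` line audit2allow produced in the wfwd post (audit2allow omits the braces around a single permission; this example keeps them). Before loading any of the others, look at the target type: a denial whose target looks mislabelled is a restorecon problem, and a denial for a setgid capability from a CGI domain is something to decide on deliberately rather than to allow because a tool suggested it.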
Java apps can't use network
by Igor Wawrzyniak
Hi,
I tried running some Java apps on Fedora Core 4 with SELinux enabled and they
can't connect to the network. The symptoms are strange (at least for me, I'm new
to SELinux):
1) I use TARGETED policy - I thought it shouldn't restrict applications unless
they were explicitly listed?
2) I tried setting SELINUX to PERMISSIVE - the apps still couldn't use
network.
3) The apps are blocked silently - no info in syslog, regardless of SELINUX
mode.
All non-Java apps can use the network. All non-network related Java functions
seem to work just fine. I tried 2 versions of Sun JRE.
Am I doing something wrong or is it a bug? Can I use my Java software without
totally disabling SELinux?
Regards,
Igor Wawrzyniak
18 years, 10 months