SELinux is preventing pidof (hotplug_t) "ptrace" to <Unknown> (hotplug_t)
by Dan Thurman
The most recent yum update changed something, and I have no clue what this is. Obtained from the system logs. I get:
sealert -l 3f210834-3d3f-4247-a909-cd1219519138
==========================================
Summary:
SELinux is preventing pidof (hotplug_t) "ptrace" to <Unknown> (hotplug_t).
Detailed Description:
SELinux denied access requested by pidof. It is not expected that this access is required by pidof and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:hotplug_t:s0
Target Context system_u:system_r:hotplug_t:s0
Target Objects None [ process ]
Source pidof
Source Path /sbin/killall5
Port <Unknown>
Host bronze.cdkkt.com
Source RPM Packages sysvinit-tools-2.86-24
Target RPM Packages
Policy RPM selinux-policy-3.3.1-74.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name bronze.cdkkt.com
Platform Linux bronze.cdkkt.com 2.6.25.9-76.fc9.i686 #1 SMP Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count 4
First Seen Mon Jul 14 08:07:44 2008
Last Seen Mon Jul 14 16:45:58 2008
Local ID 3f210834-3d3f-4247-a909-cd1219519138
Line Numbers
Raw Audit Messages
host=bronze.cdkkt.com type=AVC msg=audit(1216079158.438:534): avc: denied { ptrace } for pid=12710 comm="pidof" scontext=system_u:system_r:hotplug_t:s0 tcontext=system_u:system_r:hotplug_t:s0 tclass=process
host=bronze.cdkkt.com type=SYSCALL msg=audit(1216079158.438:534): arch=40000003 syscall=85 success=no exit=-13 a0=bfe68728 a1=a022ba8 a2=1000 a3=bfe6862f items=0 ppid=12675 pid=12710 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pidof" exe="/sbin/killall5" subj=system_u:system_r:hotplug_t:s0 key=(null)
kerberos server + enforcing mode?
by Robert Story
Hi,
I'm trying to set up a kerberos KDC on a clean up-to-date F9 box in enforcing mode. I'm following an online tutorial, and I get to the point where I'm trying to set the default policy, and the command fails with "modify_principal: Insufficient access to lock database". Some googling turned up 2 suggestions: switching to permissive mode, or stopping kadmin and restarting it manually instead of using the service command. Both of those solutions worked. Is there some policy piece missing?
Also, I get an error when starting krb5kdc:
Starting Kerberos 5 KDC: Couldn't open log file /var/log/krb5kdc.log: Permission denied
The accompanying avc is:
Jul 1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc: denied { create } for pid=1839 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
kadmind starts fine, and kadmind.log is created without a problem...
--
Robert Story
SPARTA
Can an ISO be specified allow mount "setsebool -P allow_mount_iso=1" instead of "setsebool -P allow_mount_anyfile=1" SE context samba share
by Frank Murphy
Summary:
SELinux prevented mount from mounting on the file or directory "./Fedora-9-Everything-i386-DVD1.iso" (type "samba_share_t").
Detailed Description:
SELinux prevented mount from mounting a filesystem on the file or directory "./Fedora-9-Everything-i386-DVD1.iso" of type "samba_share_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "samba_share_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory.
Allowing Access:
Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1."
The following command will allow this access:
setsebool -P allow_mount_anyfile=1
Additional Information:
Source Context system_u:system_r:mount_t
Target Context user_u:object_r:samba_share_t
Target Objects ./Fedora-9-Everything-i386-DVD1.iso [ file ]
Source mount
Source Path /bin/mount
Port <Unknown>
Host server-01
Source RPM Packages util-linux-2.13-0.47.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_mount_anyfile
Host Name server-01
Platform Linux server-01 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 athlon
Alert Count 3
First Seen Sun 13 Jul 2008 10:26:26 IST
Last Seen Sun 13 Jul 2008 11:07:49 IST
Local ID 268bdb54-5d8d-4c81-b7ba-0392b5cea34e
Line Numbers
Raw Audit Messages
host=server-01 type=AVC msg=audit(1215943669.186:14): avc: denied { write } for pid=2898 comm="mount" name="Fedora-9-Everything-i386-DVD1.iso" dev=md2 ino=8585227 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:samba_share_t:s0 tclass=file
host=server-01 type=SYSCALL msg=audit(1215943669.186:14): arch=40000003 syscall=5 success=no exit=-13 a0=9fd5450 a1=8002 a2=0 a3=8002 items=0 ppid=2877 pid=2898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
./xauth?
by Dan Thurman
I am not sure what this is, and /.xauth does not exist, but here is the log:
================================
Summary:
SELinux is preventing su (initrc_su_t) "execute" to ./xauth (xauth_exec_t).
Detailed Description:
SELinux denied access requested by su. It is not expected that this access is required by su and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./xauth,
restorecon -v './xauth'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:initrc_su_t:s0
Target Context system_u:object_r:xauth_exec_t:s0
Target Objects ./xauth [ file ]
Source su
Source Path /bin/su
Port <Unknown>
Host bronze.cdkkt.com
Source RPM Packages coreutils-6.10-25.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-74.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name bronze.cdkkt.com
Platform Linux bronze.cdkkt.com 2.6.25.9-76.fc9.i686 #1 SMP Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count 4
First Seen Thu 10 Jul 2008 10:55:02 AM PDT
Last Seen Fri 11 Jul 2008 07:37:29 AM PDT
Local ID bb7e73a6-b94e-4bf3-9ada-46a9ff2ad486
Line Numbers
Raw Audit Messages
host=bronze.cdkkt.com type=AVC msg=audit(1215787049.815:33): avc: denied { execute } for pid=8831 comm="su" name="xauth" dev=sda6 ino=3121978 scontext=system_u:system_r:initrc_su_t:s0 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
host=bronze.cdkkt.com type=SYSCALL msg=audit(1215787049.815:33): arch=40000003 syscall=33 success=no exit=-13 a0=160642 a1=1 a2=161b80 a3=160642 items=0 ppid=8823 pid=8831 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="su" exe="/bin/su" subj=system_u:system_r:initrc_su_t:s0 key=(null)
awstats
by Dan Thurman
Not sure what to do with this one... a fix please?
======================================
Summary:
SELinux is preventing sh (awstats_t) "getattr" to / (fs_t).
Detailed Description:
SELinux denied access requested by sh. It is not expected that this access is required by sh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:awstats_t:s0-s0:c0.c1023
Target Context system_u:object_r:fs_t:s0
Target Objects / [ filesystem ]
Source awstats.pl
Source Path <Unknown>
Port <Unknown>
Host bronze.cdkkt.com
Source RPM Packages
Target RPM Packages filesystem-2.4.13-1.fc9
Policy RPM selinux-policy-3.3.1-74.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name bronze.cdkkt.com
Platform Linux bronze.cdkkt.com 2.6.25.9-76.fc9.i686 #1 SMP Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count 4
First Seen Fri 11 Jul 2008 08:01:08 AM PDT
Last Seen Fri 11 Jul 2008 08:01:09 AM PDT
Local ID b2a086fa-2d4d-4819-a560-b8f0049272c6
Line Numbers
Raw Audit Messages
host=bronze.cdkkt.com type=AVC msg=audit(1215788469.468:354): avc: denied { getattr } for pid=14761 comm="sh" name="/" dev=sda6 ino=2 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Local modifications best practices?
by Jan Kasprzak
Hello,
are there any best practices for storing local modifications to the security policy? Where to put local *.fc and *.te files, and how to create and install the binary modules from them?
For example - on my router I keep the state data (arpwatch, dhcpd.leases, etc.) on a shared DRBD volume, so I need to add a local *.fc file for this volume so that arpwatch and dhcpd can access it.
So far I have put the local *.te and *.fc files into /root/selinux, created /root/selinux/Makefile, and I use "make" for compiling the modules and "make install" for installing them. Is there any canonical way of doing this on Fedora?
Thanks,
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<
Problems with mod_mono on httpd
by Dan Thurman
The issue relates to using the mod_mono module (I think):
Jul 9 17:28:31 bronze kernel: mono[8896]: segfault at 0 ip 08069d02 sp bf8a6540 error 6 in mono[8047000+1f4000]
Jul 9 17:28:32 bronze setroubleshoot: SELinux is preventing mono (httpd_t) "execmem" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l 2cb69eb1-baf7-4631-936c-9f6c80436e2e
Jul 9 17:28:32 bronze setroubleshoot: SELinux is preventing mono (httpd_t) "execmem" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l 2cb69eb1-baf7-4631-936c-9f6c80436e2e
# sealert -l 2cb69eb1-baf7-4631-936c-9f6c80436e2e
==========================================
Summary:
SELinux is preventing mono (httpd_t) "execmem" to <Unknown> (httpd_t).
Detailed Description:
SELinux denied access requested by mono. It is not expected that this access is required by mono and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects None [ process ]
Source mono
Source Path /usr/bin/mono
Port <Unknown>
Host bronze.cdkkt.com
Source RPM Packages mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-74.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name bronze.cdkkt.com
Platform Linux bronze.cdkkt.com 2.6.25.9-76.fc9.i686 #1 SMP Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count 26
First Seen Tue Jul 8 16:54:41 2008
Last Seen Wed Jul 9 17:28:31 2008
Local ID 2cb69eb1-baf7-4631-936c-9f6c80436e2e
Line Numbers
Raw Audit Messages
host=bronze.cdkkt.com type=AVC msg=audit(1215649711.436:45): avc: denied { execmem } for pid=8896 comm="mono" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
host=bronze.cdkkt.com type=SYSCALL msg=audit(1215649711.436:45): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=1 pid=8896 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono" subj=system_u:system_r:httpd_t:s0 key=(null)
How can I fix this please?
Dan
F9: Problems with named logging files
by Dan Thurman
I have not been able to solve this issue but was able to 'get around' it via F8. Below is the named.conf, just for the logging group:
=========================================
logging {
    channel my_syslog { file "/var/log/named/named.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
    };
    channel my_lame { file "/var/log/named/lame.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    channel my_xfer { file "/var/log/named/xfer.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    channel my_update { file "/var/log/named/named.update" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    channel my_db { file "/var/log/named/db.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    channel my_query { file "/var/log/named/query.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    channel my_security { file "/var/log/named/security.log" versions 99;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    channel my_debug { file "/var/log/named/named.debug" versions 20;
        severity dynamic;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    category security { my_security; };
    category default { my_syslog; };
    category queries { my_query; };
    category lame-servers { my_lame; };
    category update { my_update; };
    // category db { my_db; };
    category xfer-in { my_xfer; };
    category xfer-out { my_xfer; };
    // category packet { null; };
    // category eventlib { my_syslog; };
};
=========================================
Please note that the pathname is chrooted and is actually found in /var/named/chroot/var/log/named; the files are initially created there with the proper context of named_log_t, and the directory permissions are set for user named, with access and context set accordingly.
Below is the selinux complaint:
=========================================
From: /var/log/messages:
-------------------------------
Jul 9 18:43:27 bronze named[10903]: unable to rename log file '/var/log/named/named.log' to '/var/log/named/named.log.0': permission denied
Jul 9 18:43:27 bronze setroubleshoot: SELinux is preventing named (named_t) "write" to ./named (named_conf_t). For complete SELinux messages. run sealert -l ebd583dd-e96e-49ad-b6ce-72eda7273b09
# sealert -l ebd583dd-e96e-49ad-b6ce-72eda7273b09
=========================================
Summary:
SELinux is preventing named (named_t) "write" to ./named (named_conf_t).
Detailed Description:
SELinux denied access requested by named. It is not expected that this access is required by named and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./named,
restorecon -v './named'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:named_t:s0
Target Context system_u:object_r:named_conf_t:s0
Target Objects ./named [ dir ]
Source named
Source Path /usr/sbin/named
Port <Unknown>
Host bronze.cdkkt.com
Source RPM Packages bind-9.5.0-32.rc1.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-74.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name bronze.cdkkt.com
Platform Linux bronze.cdkkt.com 2.6.25.9-76.fc9.i686 #1 SMP Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count 1
First Seen Wed Jul 9 18:43:27 2008
Last Seen Wed Jul 9 18:43:27 2008
Local ID ebd583dd-e96e-49ad-b6ce-72eda7273b09
Line Numbers
Raw Audit Messages
host=bronze.cdkkt.com type=AVC msg=audit(1215654207.611:139): avc: denied { write } for pid=10904 comm="named" name="named" dev=sda6 ino=2023442 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
host=bronze.cdkkt.com type=SYSCALL msg=audit(1215654207.611:139): arch=40000003 syscall=38 success=no exit=-13 a0=b547a4e8 a1=b7ee488a a2=4932fc a3=b7ee488a items=0 ppid=10902 pid=10904 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=2 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
=========================================
I have tried changing the context, permissions, restorecon and nothing seemed to help.
Advice please?
Thanks!
Dan
SELinux DoS?
by David
Hey Guys!
Some colleagues and I tested the behavior of SELinux for a project at the university. So we wrote a little test program and the necessary policies.
Overall it works fine, but we built a bug into our test program which allows exploitation through a stack-based buffer overflow.
When we tried to get a root shell based on this bug (the demo tool has the suid bit set), SELinux prevented the execution of the shell, but the demo program did not quit.
It hangs at the point of trying to open the shell and SELinux writes endless log entries to /var/log/audit/audit.log.
We assumed that this behavior occurs due to the following actions:
- the demo tool tries to open a shell via shellcode, caused by a buffer overflow.
- SELinux prevents this execution.
- the function call in the demo tool tries to jump back to the return address,
- but the address is overwritten by the buffer overflow.
- so it jumps to the buffer and tries to open a shell again.
All together an endless loop.
This behavior seems to be alright from a technical aspect, but should this be the behavior of SELinux? Or is there an option which instructs SELinux to kill processes which try to pass over their contexts too often?
For instance, this could easily be used for DoS attacks. Our tests show that executing many instances of the demo program makes the system unusable.
Any ideas about this behavior, or any solution?
David
(Tested on FC9.)
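Added example, not part of any post on this page and not setroubleshoot's or audit2allow's code: a small parser over the raw audit records quoted in the threads above. It serves both the denial threads (the pidof/hotplug_t, mono/httpd_t, awstats and krb5kdc records are copied verbatim into PAGE_SAMPLE) and David's looping-denial report, by pairing each AVC with its SYSCALL record, printing the allow rule audit2allow would emit, and flagging one pid hammering the same denial. The "demo" storm records, the demo_t domain, the pid 4242 and the window/threshold values are constructed for illustration; the syscall table covers only the i386 numbers present on this page.

```python
"""Parse raw SELinux AVC/SYSCALL audit records into the denied (domain, type,
class, permission) tuple, the allow rule audit2allow would emit for it, the
syscall behind it, and flag a process looping on one denial (added example)."""
import errno
import re
from collections import defaultdict

HDR_RE = re.compile(r"type=(?P<type>\w+)\s+(?:msg=)?audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)")
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# i386 (arch=40000003) syscall numbers that appear in the records on this page.
I386_SYSCALLS = {5: "open", 33: "access", 38: "rename", 85: "readlink", 192: "mmap2"}

# Copied from the posts on this page (pidof/hotplug_t, mono/httpd_t, awstats, krb5kdc).
PAGE_SAMPLE = [
    'host=bronze.cdkkt.com type=AVC msg=audit(1216079158.438:534): avc: denied { ptrace } for pid=12710 comm="pidof" scontext=system_u:system_r:hotplug_t:s0 tcontext=system_u:system_r:hotplug_t:s0 tclass=process',
    'host=bronze.cdkkt.com type=SYSCALL msg=audit(1216079158.438:534): arch=40000003 syscall=85 success=no exit=-13 a0=bfe68728 a1=a022ba8 a2=1000 a3=bfe6862f items=0 ppid=12675 pid=12710 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pidof" exe="/sbin/killall5" subj=system_u:system_r:hotplug_t:s0 key=(null)',
    'host=bronze.cdkkt.com type=AVC msg=audit(1215649711.436:45): avc: denied { execmem } for pid=8896 comm="mono" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process',
    'host=bronze.cdkkt.com type=SYSCALL msg=audit(1215649711.436:45): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=1 pid=8896 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono" subj=system_u:system_r:httpd_t:s0 key=(null)',
    'host=bronze.cdkkt.com type=AVC msg=audit(1215788469.468:354): avc: denied { getattr } for pid=14761 comm="sh" name="/" dev=sda6 ino=2 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'Jul 1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc: denied { create } for pid=1839 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file',
]
# Constructed: a hypothetical program (comm "demo", domain demo_t, pid 4242) hitting
# the same denial 80 times in under a second, the looping behaviour described above.
STORM_SAMPLE = [
    f'type=AVC msg=audit({1215700000 + i * 0.01:.3f}:{9000 + i}): avc: denied '
    '{ execute_no_trans } for pid=4242 comm="demo" name="sh" dev=sda6 ino=1234 '
    'scontext=unconfined_u:unconfined_r:demo_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file'
    for i in range(80)
]

def parse_fields(text):
    """key=value pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def context_type(ctx):
    """user:role:type[:level] -> type; an MLS level such as s0-s0:c0.c1023 also contains ':'."""
    return ctx.split(":")[2]

def parse_audit(lines):
    """Group AVC and SYSCALL records that share one audit (timestamp, serial) id."""
    events = defaultdict(dict)
    for line in lines:
        h = HDR_RE.search(line)
        if not h:
            continue  # syslog noise, sealert headers, etc.
        ev = events[(float(h["ts"]), int(h["serial"]))]
        if h["type"] in ("AVC", "1400"):
            d = DENIED_RE.match(h["rest"])
            if d:
                ev["perms"] = d["perms"].split()
                ev.update(parse_fields(d["fields"]))
        elif h["type"] in ("SYSCALL", "1300"):
            f = parse_fields(h["rest"])
            ev["syscall"] = I386_SYSCALLS.get(int(f["syscall"]), "syscall_" + f["syscall"])
            ev["errno"] = errno.errorcode.get(-int(f["exit"]))  # exit=-13 -> EACCES
    return events

def allow_rule(ev):
    """The rule audit2allow would emit for this AVC: review it, never load it blindly."""
    src, tgt = context_type(ev["scontext"]), context_type(ev["tcontext"])
    perms = ev["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {'self' if src == tgt else tgt}:{ev['tclass']} {perm_str};"

def summarize(lines):
    """One row per denial, in time order; SYSCALL records without an AVC are dropped."""
    return [{"comm": ev.get("comm"), "rule": allow_rule(ev),
             "syscall": ev.get("syscall"), "errno": ev.get("errno")}
            for _, ev in sorted(parse_audit(lines).items()) if "perms" in ev]

def denial_storms(lines, window=1.0, threshold=50):
    """(pid, comm, rule) keys denied more than `threshold` times inside any `window`
    seconds. Both values are arbitrary starting points, not tuned defaults."""
    by_key = defaultdict(list)
    for (ts, _), ev in parse_audit(lines).items():
        if "perms" in ev:
            by_key[(ev.get("pid"), ev.get("comm"), allow_rule(ev))].append(ts)
    storms = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 > threshold:
                storms.append(key)
                break
    return storms

if __name__ == "__main__":
    for r in summarize(PAGE_SAMPLE):
        print(f"{r['comm'] or '-':<8} {r['syscall'] or '-':<9} {r['errno'] or '-':<7} {r['rule']}")
    for pid, comm, rule in denial_storms(PAGE_SAMPLE + STORM_SAMPLE):
        print(f"denial storm: pid={pid} comm={comm} ({rule})")
```

Pairing the AVC with its SYSCALL record explains some of the puzzling denials above: pidof's ptrace denial comes from a readlink on /proc/<pid>/exe, which the kernel checks as a ptrace-style access, and mono's execmem comes from an mmap2 with a2=7 (PROT_READ|PROT_WRITE|PROT_EXEC), the writable-and-executable mapping a JIT asks for. The generated line is what audit2allow -M would put in a local .te; whether to load it with semodule, relabel instead, or flip a documented boolean is the judgement the summary informs but does not make. The storm check is the defender's view of David's symptom: many identical denials from one pid in a short window are a process stuck retrying a denied operation, worth killing and investigating rather than allowing.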
Enabling SELinux on a custom kernel
by Jan Kasprzak
Hello,
how do I enable SELinux on a custom kernel? I have looked into
the system initrd, and it seems the policy is loaded by the "loadpolicy"
command in nash. Is it possible to use SELinux with Fedora without
having to use initrd?
Thanks,
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<