Gnome Boxes
by David Highley
Attempted an install of Fedora 20 Beta using Gnome Boxes. Install
appeared to work but the image would not boot. We see the following avc
logged:
time->Wed Nov 13 18:42:44 2013
type=SYSCALL msg=audit(1384396964.830:7237): arch=c000003e syscall=101
success=no exit=-13 a0=10 a1=2873 a2=0 a3=0 items=0 ppid=11756 pid=11762
auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000
sgid=1000 fsgid=1000 ses=887 tty=(none) comm="gdb" exe="/usr/bin/gdb"
subj=unconfined_u:system_r:svirt_t:s0:c320,c528 key=(null)
type=AVC msg=audit(1384396964.830:7237): avc: denied { ptrace } for
pid=11762 comm="gdb" scontext=unconfined_u:system_r:svirt_t:s0:c320,c528
tcontext=unconfined_u:system_r:svirt_t:s0:c320,c528 tclass=process
10 years, 6 months
subversion configuration files
by mark
Running on CentOS 6.4, we've got one website fronting a subversion repo.
There's a directory that contains configuration files - access files, etc.
I've tried httpd_config_t, and selinux doesn't like apache trying to get
there.
What is the correct fcontext that will make apache and selinux both happy?
All I can find googling are the contexts for the executables and the
repos.
mark
10 years, 6 months
[PATCH 1/5] adding seadmin support
by Leonidas Da Silva Barbosa
Signed-off-by: Leonidas Da Silva Barbosa <leosilva(a)linux.vnet.ibm.com>
---
policycoreutils/sepolicy/sepolicy/seadmin.py | 83 ++++++++++++++++++++++++++++
1 file changed, 83 insertions(+)
create mode 100644 policycoreutils/sepolicy/sepolicy/seadmin.py
diff --git a/policycoreutils/sepolicy/sepolicy/seadmin.py b/policycoreutils/sepolicy/sepolicy/seadmin.py
new file mode 100644
index 0000000..96cab8a
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy/seadmin.py
@@ -0,0 +1,83 @@
+#! /usr/bin/python -Es
+
+import os
+import sys
+import selinux
+import seobject
+import sepolicy
+
+from shutil import copy2
+from os import chmod as set_permissions
+from selinux import selinux_user_contexts_path, selinux_policy_root
+
+# PATH to staff_u that will be base to new users created.
+STAFF_U = "staff_u"
+COMMON_PATH = selinux_user_contexts_path()
+
+# These are constants used to create SEADM user to an Isolate Admin environment.
+SELEVEL = "s0"
+PREFIX = "user"
+SERANGE = "s0-s0:c0.c1023"
+
+SUDOERS_PATH = "/etc/sudoers.d/"
+SUDOERS_ENTRY = "\n%s ALL=(ALL) ROLE=%s TYPE=%s %s"
+
+# Initialize adm roles list.
+ADM_ROLES = [adm_r for adm_r in sepolicy.get_all_roles() if (adm_r[:-2]).
+ endswith('adm')]
+# Initialize a dictionary of se_adm_users with adm_role as key.
+ADM_USERS = {key: 'se_'+key[:-2]+'_u' for key in ADM_ROLES}
+
+__user = seobject.seluserRecords()
+__link = seobject.loginRecords()
+
+
+def create_user(adm_role, login, user=None):
+ import pwd
+ try:
+ pwd.getpwnam(login)
+ except KeyError:
+ print("User/Login %s doesn't exist" % login)
+ sys.exit(1)
+
+ if adm_role in ADM_ROLES:
+ seadm_user = ADM_USERS[adm_role] if not user else user
+ roles = "staff_r {role1} {role2}".format(role1=adm_role,
+ role2="system_r" if adm_role == "sysadm_r" else "")
+
+ if not seadm_user in sepolicy.get_all_users():
+ __user.add(seadm_user, roles.split(), SELEVEL,
+ SERANGE, PREFIX)
+ copy2(COMMON_PATH+STAFF_U, COMMON_PATH+seadm_user)
+ else:
+ print("%s is not an ADM_ROLE" % adm_role)
+ sys.exit(1)
+
+
+def modify_user(seadm_user, roles):
+ if seadm_user in sepolicy.get_all_users():
+ __user.modify(seadm_user, roles.split(), SELEVEL,
+ SERANGE, PREFIX)
+ else:
+ print("SELinux user not found")
+ sys.exit(1)
+
+# sepolicy admin -d -user se_auditadm_u -login leosilva
+def delete_user(seadm_user, login):
+ if seadm_user in sepolicy.get_all_users():
+ __link.delete(login)
+ __user.delete(seadm_user)
+
+ else:
+ print("SELinux user not found")
+
+
+def create_link(adm_role, login, commands, user=None):
+ seadm_user = ADM_USERS[adm_role] if not user else user
+ adm_domain = adm_role.replace("_r", "_t")
+
+ __link.add(login, seadm_user, SERANGE)
+ with open(SUDOERS_PATH+login, 'a') as f:
+ f.write(SUDOERS_ENTRY % (login, adm_role, adm_domain, commands))
+
+ set_permissions(SUDOERS_PATH+login, 0440)
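Review bot: `create_link` writes `login`, `adm_role` and `commands` into `/etc/sudoers.d/<login>` without the `adm_role in ADM_ROLES` check that `create_user` performs, so an unknown role dies with a `KeyError` at `ADM_USERS[adm_role]`, and a `commands` string containing a newline, a comma or `#` becomes an additional sudoers rule or comment. Suggest reusing the `ADM_ROLES` check, accepting only absolute command paths, and running `visudo -c -f` on the new file before the link counts as created; `open(..., 'a')` also means a second add for the same login duplicates the rule, and `set_permissions(..., 0440)` runs only after the content has been written, so create the file with a restrictive mode up front. Smaller points in the same hunk: `delete_user` prints "SELinux user not found" but, unlike the other functions, does not `sys.exit(1)`, and it leaves the sudoers file that `create_link` created in place; `adm_role.replace("_r", "_t")` rewrites every `_r` in the name, whereas `adm_role[:-2] + "_t"` touches only the suffix; and `0440` is a Python 2 only literal (`0o440` is accepted by 2.6+ and 3).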
--
1.8.3.1
10 years, 6 months
Re: one-script policy
by mark
Sorry for breaking threading, but this is personal/professional email...
and I POP-3 d/l it at home.
Anyway, following Dominick's instructions, I tried
cat > myapp.te <<EOF
policy_module(myapp, 1.0.0)
apache_content_template(myapp)
EOF
make -f /usr/share/selinux/devel/Makefile myapp.pp
and that didn't work:
m4:<myapp>.te:2: ERROR: end of file in argument list
make: *** [tmp/<myapp>.mod] Error 1
My google-foo isn't doing well. What did I do wrong? CentOS 6.4, and
libselinux-devel-2.0.94-5.3.el6_4.1.x86_64 is installed.
mark
10 years, 6 months
[PATCH 0/5] sepolicy admin feature
by Leonidas Da Silva Barbosa
These patches provide support for a new tool in sepolicy (admin).
The goal here is to give a user the ability to create new SELinux users,
named here as admin users, using admin roles, e.g. secadm_r, logadm_r,
dbadm_r, etc.
Since sepolicy is also intended to be used to create admin roles, I believe
the admin tool can be used to complement the creation of those roles.
sepolicy admin works by creating admin users and linking a SELinux admin user
to a UNIX LOGIN that can transition from staff_r to 'adm_r' through sudo.
----
Leonidas Da Silva Barbosa (5):
adding seadmin support
adding changes to sepolicy argparse, seadmin option
Adding seadmin manpage
Adding seadmin manpage info into sepolicy.8
adding completion to seadmin feature
policycoreutils/sepolicy/sepolicy-admin.8 | 40 +++++++++++
.../sepolicy/sepolicy-bash-completion.sh | 18 ++++-
policycoreutils/sepolicy/sepolicy.8 | 5 ++
policycoreutils/sepolicy/sepolicy.py | 52 ++++++++++++++
policycoreutils/sepolicy/sepolicy/seadmin.py | 83 ++++++++++++++++++++++
5 files changed, 197 insertions(+), 1 deletion(-)
create mode 100644 policycoreutils/sepolicy/sepolicy-admin.8
create mode 100644 policycoreutils/sepolicy/sepolicy/seadmin.py
--
1.8.3.1
10 years, 6 months
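The two pieces the cover letter describes, picking the admin roles and giving a UNIX login a sudo rule that switches it into the matching role and type, can be checked without a policy installed. The following is an added example, not code from this series or from sepolicy: it reimplements the admin-role filter and se_<role>_u naming from patch 1/5 in plain Python, and builds the `ROLE=`/`TYPE=` sudoers line with the input checks a file under /etc/sudoers.d needs. `SAMPLE_ROLES` is a constructed role list (a real one comes from `sepolicy.get_all_roles()`), and `derive_admin_users`, `sudoers_entry` and `LOGIN_RE` are names chosen here.

```python
import re

# Constructed sample of role names; a real list comes from sepolicy.get_all_roles().
SAMPLE_ROLES = ["object_r", "staff_r", "user_r", "sysadm_r", "secadm_r",
                "auditadm_r", "logadm_r", "dbadm_r", "unconfined_r"]

LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # conservative POSIX login name


def derive_admin_users(roles):
    """Patch 1/5's rule: a role is an admin role when its name without the
    trailing '_r' ends in 'adm'; each maps to the SELinux user 'se_<name>_u'
    (auditadm_r -> se_auditadm_u). Non-admin roles are dropped."""
    return {r: "se_" + r[:-2] + "_u"
            for r in roles if r.endswith("_r") and r[:-2].endswith("adm")}


def sudoers_entry(login, adm_role, commands, adm_roles):
    """Build the one-line rule 'LOGIN ALL=(ALL) ROLE=... TYPE=... cmd, cmd'
    that lets LOGIN run the listed commands as root in the admin role/type.
    Everything interpolated into the rule is checked first, because sudoers
    has no quoting: a newline starts a new rule, ',' a new command, '#' a
    comment, and sudoers requires fully qualified command paths."""
    if not LOGIN_RE.match(login):
        raise ValueError("invalid login name: %r" % login)
    if adm_role not in adm_roles:
        raise ValueError("%r is not an admin role" % adm_role)
    if not commands:
        raise ValueError("at least one command is required")
    for cmd in commands:
        if not cmd.startswith("/") or re.search(r"[\r\n,#\\]", cmd):
            raise ValueError("unsafe command for sudoers: %r" % cmd)
    adm_type = adm_role[:-2] + "_t"      # suffix only, not every '_r' in the name
    return "%s ALL=(ALL) ROLE=%s TYPE=%s %s" % (
        login, adm_role, adm_type, ", ".join(commands))


if __name__ == "__main__":
    admins = derive_admin_users(SAMPLE_ROLES)
    for role, user in sorted(admins.items()):
        print("%-12s -> %s" % (role, user))
    print(sudoers_entry("leosilva", "auditadm_r",
                        ["/usr/sbin/ausearch", "/usr/sbin/aureport"], admins))
```

The returned line is what would go into the per-login file; validating it with `visudo -c -f` before use is still worthwhile, since the checks above cover the fields this tool interpolates, not every sudoers rule.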
[PATCH 3/5] Adding seadmin manpage
by Leonidas Da Silva Barbosa
This manpage gives information on the new seadmin feature.
Signed-off-by: Leonidas Da Silva Barbosa <leosilva(a)linux.vnet.ibm.com>
---
policycoreutils/sepolicy/sepolicy-admin.8 | 40 +++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 policycoreutils/sepolicy/sepolicy-admin.8
diff --git a/policycoreutils/sepolicy/sepolicy-admin.8 b/policycoreutils/sepolicy/sepolicy-admin.8
new file mode 100644
index 0000000..26301c5
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy-admin.8
@@ -0,0 +1,40 @@
+.TH "sepolicy-admin" "8" "20131028" "" ""
+.SH "NAME"
+sepolicy-admim \- Give support to create admin users
+
+.SH "SYNOPSIS"
+
+.br
+.B sepolicy admin [\-h] [\-a] [\-u USER] [\-l LOGIN] [\-r ADMIN_ROLE] [\-m] [\-d] [\-e COMMANDS]
+
+.SH "DESCRIPTION"
+Use sepolicy admin to create and link SELinux admin user to UNIX LOGIN.
+
+.SH "OPTIONS"
+.TP
+.I \-a, \-\-add
+Add a new SELinux admin user to local settings.
+.TP
+.I \-d, \-\-delete
+Delete a given SELinux admin user.
+.TP
+.I \-e, \-\-extend
+Receives commands to be runned as root.
+.TP
+.I \-h, \-\-help
+Display help message.
+.TP
+.I \-l, \-\-login
+Receives a LOGIN to link SELinux admin user.
+.TP
+.I \-m, \-\-modify
+Modify a given SELinux user admin.
+.TP
+.I \-r, \-\-role
+Receives a role admin.
+
+.SH "AUTHOR"
+This man page was written by Leonidas .S Barbosa <leosilva(a)linux.vnet.ibm.com>
+
+.SH "SEE ALSO"
+sepolicy(8), selinux(8)
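Review bot: the NAME line says `sepolicy-admim` while `.TH` and the SYNOPSIS say `sepolicy-admin`; `whatis`/`apropos` index the NAME line, so the typo hides the page. The SYNOPSIS lists `[\-u USER]` but OPTIONS has no `\-u, \-\-user` entry, and the `\-r`, `\-l` and `\-e` entries omit the argument names (`ADMIN_ROLE`, `LOGIN`, `COMMANDS`) that the SYNOPSIS uses. Wording: "Receives commands to be runned as root" should read "Commands the linked login may run as root through sudo", "Receives a role admin" should read "Admin role (e.g. secadm_r) to assign", and "SELinux user admin" should be "SELinux admin user"; an EXAMPLES section with one add and one delete invocation would also help.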
--
1.8.3.1
10 years, 6 months
Re: unable to access a mounted partition as guest
by Lakshmipathi.G
Setting the appropriate context on /common_pool resolved my problem :). Thanks
a lot Mark!
On 8 November 2013 21:59, <m.roth(a)5-cent.us> wrote:
> Lakshmipathi.G wrote:
> >>
> >> ls -laZ /common_pool?
> >>
> >> Thanks for the reply. It shows this :
> >
> > $ls -ldaZ /common_pool/
> > drwxrwsrwx+ root betausers system_u:object_r:default_t:s0 /common_pool/
> >
> > Is that the problem?
>
> I suspect that selinux in enforcing mode doesn't like just anyone getting
> into default_t. You should
> semanage fcontext -a -t <an appropriate context type> "/common_pool(/.*)?"
> restorecon -Rv /common_pool
>
> mark
>
>
--
----
Cheers,
Lakshmipathi.G
FOSS Programmer.
www.giis.co.in
10 years, 6 months
one-script policy?
by mark
We've got a server that, among other web things, is serving SVN. For one
function, we have a CGI script that uses sudo - my manager tells me it was
the simplest way of dealing with certain complexities.
Is there a way to create a local policy that would apply to that script
*only*, not to everything apache's serving?
CentOS 6.4
mark
10 years, 6 months
unable to access a mounted partition as guest
by Lakshmipathi.G
Hi -
We have an ext4 partition (/common_pool) which was accessed by guest_u. Last
week, while changing from "Enforcing->Permissive->disabled" to Enforcing
again, some auto-relabeling happened during reboot.
After that, guest_u can't access /common_pool. I'm not quite sure what
changed in between. If I disable selinux (setenforce 0), ls /common_pool
works properly from guest_u.
'ls' works in other places like /home/<user> or /tmp, /usr, /etc but not on
the mounted directory /common_pool
$mount
/dev/sda2 on /common_pool type ext4
(rw,noexec,nosuid,nodev,usrjquota=aquota.user,jqfmt=vfsv0,usrjquota=aquota.user,jqfmt=vfsv0)
Here's the log message which appears while running 'ls' command:
type=SYSCALL msg=audit(1383674901.945:516253): arch=40000003 syscall=5
success=no exit=-13 a0=b77c9a18 a1=98800 a2=8063f78 a3=0 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 gid=13578 euid=13578 suid=13578 fsuid=13578
egid=13578 sgid=13578 fsgid=13578 tty=pts0 ses=55568 comm="ls"
exe="/bin/ls" subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=CWD msg=audit(1383674901.945:516253): cwd="/common_pool"
type=PATH msg=audit(1383674901.945:516253): item=0 name="." inode=2
dev=08:02 mode=042777 ouid=0 ogid=507 rdev=00:00
obj=system_u:object_r:default_t:s0
type=SYSCALL msg=audit(1383674901.945:516254): arch=40000003 syscall=5
success=no exit=-2 a0=b77c9ab0 a1=0 a2=46e3a0 a3=b77c9af0 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 gid=13578 euid=13578 suid=13578 fsuid=13578
egid=13578 sgid=13578 fsgid=13578 tty=pts0 ses=55568 comm="ls"
exe="/bin/ls" subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=CWD msg=audit(1383674901.945:516254): cwd="/common_pool"
type=PATH msg=audit(1383674901.945:516254): item=0
name="/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo"
type=SYSCALL msg=audit(1383674901.946:516255): arch=40000003 syscall=5
success=no exit=-2 a0=b77ca790 a1=0 a2=46e3a0 a3=b77ca7d0 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 gid=13578 euid=13578 suid=13578 fsuid=13578
egid=13578 sgid=13578 fsgid=13578 tty=pts0 ses=55568 comm="ls"
exe="/bin/ls" subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=CWD msg=audit(1383674901.946:516255): cwd="/common_pool"
type=PATH msg=audit(1383674901.946:516255): item=0
name="/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo"
type=SYSCALL msg=audit(1383674901.946:516256): arch=40000003 syscall=5
success=no exit=-2 a0=b77c9b18 a1=0 a2=46e3a0 a3=b77c9b50 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 gid=13578 euid=13578 suid=13578 fsuid=13578
egid=13578 sgid=13578 fsgid=13578 tty=pts0 ses=55568 comm="ls"
exe="/bin/ls" subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=CWD msg=audit(1383674901.946:516256): cwd="/common_pool"
type=PATH msg=audit(1383674901.946:516256): item=0
name="/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo"
type=SYSCALL msg=audit(1383674901.946:516257): arch=40000003 syscall=5
success=no exit=-2 a0=b77ca700 a1=0 a2=46e3a0 a3=b77ca738 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 gid=13578 euid=13578 suid=13578 fsuid=13578
egid=13578 sgid=13578 fsgid=13578 tty=pts0 ses=55568 comm="ls"
exe="/bin/ls" subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=CWD msg=audit(1383674901.946:516257): cwd="/common_pool"
type=PATH msg=audit(1383674901.946:516257): item=0
name="/usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo"
type=SYSCALL msg=audit(1383674901.946:516258): arch=40000003 syscall=5
success=no exit=-2 a0=b77ca758 a1=0 a2=46e3a0 a3=b77ca7f8 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 gid=13578 euid=13578 suid=13578 fsuid=13578
egid=13578 sgid=13578 fsgid=13578 tty=pts0 ses=55568 comm="ls"
exe="/bin/ls" subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=CWD msg=audit(1383674901.946:516258): cwd="/common_pool"
type=PATH msg=audit(1383674901.946:516258): item=0
name="/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo"
type=SYSCALL msg=audit(1383674901.947:516259): arch=40000003 syscall=5
success=no exit=-2 a0=b77ca968 a1=0 a2=46e3a0 a3=b77ca9a0 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 gid=13578 euid=13578 suid=13578 fsuid=13578
egid=13578 sgid=13578 fsgid=13578 tty=pts0 ses=55568 comm="ls"
exe="/bin/ls" subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=CWD msg=audit(1383674901.947:516259): cwd="/common_pool"
type=PATH msg=audit(1383674901.947:516259): item=0
name="/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo"
type=SYSCALL msg=audit(1383674901.947:516260): arch=40000003 syscall=5
success=no exit=-2 a0=b77caaf0 a1=0 a2=46e3a0 a3=b77cab28 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 gid=13578 euid=13578 suid=13578 fsuid=13578
egid=13578 sgid=13578 fsgid=13578 tty=pts0 ses=55568 comm="ls"
exe="/bin/ls" subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=CWD msg=audit(1383674901.947:516260): cwd="/common_pool"
type=PATH msg=audit(1383674901.947:516260): item=0
name="/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo"
type=SYSCALL msg=audit(1383674901.947:516261): arch=40000003 syscall=5
success=no exit=-2 a0=b77ca9c8 a1=0 a2=46e3a0 a3=b77ca9f8 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 gid=13578 euid=13578 suid=13578 fsuid=13578
egid=13578 sgid=13578 fsgid=13578 tty=pts0 ses=55568 comm="ls"
exe="/bin/ls" subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=CWD msg=audit(1383674901.947:516261): cwd="/common_pool"
type=PATH msg=audit(1383674901.947:516261): item=0
name="/usr/share/locale/en_US/LC_MESSAGES/libc.mo"
type=SYSCALL msg=audit(1383674901.947:516262): arch=40000003 syscall=5
success=no exit=-2 a0=b77caa68 a1=0 a2=46e3a0 a3=b77caaa0 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 gid=13578 euid=13578 suid=13578 fsuid=13578
egid=13578 sgid=13578 fsgid=13578 tty=pts0 ses=55568 comm="ls"
exe="/bin/ls" subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=CWD msg=audit(1383674901.947:516262): cwd="/common_pool"
type=PATH msg=audit(1383674901.947:516262): item=0
name="/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo"
type=SYSCALL msg=audit(1383674901.947:516263): arch=40000003 syscall=5
success=no exit=-2 a0=b77cab50 a1=0 a2=46e3a0 a3=b77cab88 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 gid=13578 euid=13578 suid=13578 fsuid=13578
egid=13578 sgid=13578 fsgid=13578 tty=pts0 ses=55568 comm="ls"
exe="/bin/ls" subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=CWD msg=audit(1383674901.947:516263): cwd="/common_pool"
type=PATH msg=audit(1383674901.947:516263): item=0
name="/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo"
type=SYSCALL msg=audit(1383674901.947:516264): arch=40000003 syscall=5
success=no exit=-2 a0=b77caa18 a1=0 a2=46e3a0 a3=b77caa48 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 gid=13578 euid=13578 suid=13578 fsuid=13578
egid=13578 sgid=13578 fsgid=13578 tty=pts0 ses=55568 comm="ls"
exe="/bin/ls" subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=CWD msg=audit(1383674901.947:516264): cwd="/common_pool"
type=PATH msg=audit(1383674901.947:516264): item=0
name="/usr/share/locale/en/LC_MESSAGES/libc.mo"
We are still using very very old and outdated fedora-14. But I guess this
problem is not related to using an old version as it was working a few days
back. Thanks for any help.
--
----
Cheers,
Lakshmipathi.G
FOSS Programmer.
www.giis.co.in
10 years, 6 months
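The audit extracts on this page show the two shapes a triage script has to handle: the gdb `ptrace` denial in the Gnome Boxes post comes with an AVC record naming scontext, tcontext and tclass, while the `ls` failure above has a SYSCALL with exit=-13 (EACCES) and a PATH record labelled default_t but no AVC at all, so the subject and object labels have to be joined by audit serial. The parser below is an added example, not code from either post or from the audit or SELinux projects; `SAMPLE_AUDIT` is a constructed, shortened copy of those records in the wrapped form the mails show, and all function names are chosen here.

```python
import re
from collections import defaultdict

# Constructed sample in the wrapped form the posts show: the gdb ptrace AVC from
# the Gnome Boxes report, ls in /common_pool getting EACCES while the directory
# is labelled default_t, and one harmless ENOENT (exit=-2). Fields are shortened.
SAMPLE_AUDIT = """\
time->Wed Nov 13 18:42:44 2013
type=SYSCALL msg=audit(1384396964.830:7237): arch=c000003e syscall=101
success=no exit=-13 a0=10 a1=2873 a2=0 a3=0 items=0 ppid=11756 pid=11762
auid=1000 uid=1000 comm="gdb" exe="/usr/bin/gdb"
subj=unconfined_u:system_r:svirt_t:s0:c320,c528 key=(null)
type=AVC msg=audit(1384396964.830:7237): avc: denied { ptrace } for
pid=11762 comm="gdb" scontext=unconfined_u:system_r:svirt_t:s0:c320,c528
tcontext=unconfined_u:system_r:svirt_t:s0:c320,c528 tclass=process
type=SYSCALL msg=audit(1383674901.945:516253): arch=40000003 syscall=5
success=no exit=-13 a0=b77c9a18 a1=98800 a2=8063f78 a3=0 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 comm="ls" exe="/bin/ls"
subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=CWD msg=audit(1383674901.945:516253): cwd="/common_pool"
type=PATH msg=audit(1383674901.945:516253): item=0 name="." inode=2
dev=08:02 mode=042777 ouid=0 ogid=507 rdev=00:00
obj=system_u:object_r:default_t:s0
type=SYSCALL msg=audit(1383674901.945:516254): arch=40000003 syscall=5
success=no exit=-2 a0=b77c9ab0 a1=0 a2=46e3a0 a3=b77c9af0 items=1 ppid=2963
pid=3562 auid=13578 uid=13578 comm="ls" exe="/bin/ls"
subj=guest_u:guest_r:guest_t:s0 key="open2-acl"
type=PATH msg=audit(1383674901.945:516254): item=0
name="/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo"
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value, quoted or bare

def unwrap(text):
    """Re-join wrapped records: an entry starts at 'type=' or an ausearch
    'time->' banner; any other non-empty line continues the previous entry."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(("type=", "time->")) or not out:
            out.append(s)
        elif s:
            out[-1] += " " + s
    return out

def parse_fields(text):
    """'a=1 b="x y" c=(null)' -> {'a': '1', 'b': 'x y', 'c': '(null)'}"""
    return {m.group(1): m.group(3) if m.group(2) is None else m.group(2)
            for m in KV_RE.finditer(text)}

def parse_audit(text):
    """Group records by serial (the :NNN in msg=audit(...)); every record of one
    syscall shares it, so SYSCALL subj= can be joined with PATH obj=."""
    events = defaultdict(list)
    for entry in unwrap(text):
        m = HEADER_RE.match(entry)
        if not m:
            continue  # banner or non-audit text
        rtype, ts, serial, rest = m.groups()
        rec = {"type": rtype, "ts": float(ts)}
        a = AVC_RE.search(rest) if rtype == "AVC" else None
        if a:
            rec["result"], rec["perms"], rest = a.group(1), a.group(2).split(), a.group(3)
        rec.update(parse_fields(rest))
        events[int(serial)].append(rec)
    return dict(events)

def type_of(context):
    """'system_u:object_r:default_t:s0' -> 'default_t'"""
    parts = (context or "").split(":")
    return parts[2] if len(parts) > 2 else None

def find_denials(text):
    """One finding per failed access: an AVC record, or a SYSCALL with exit=-13
    (EACCES) and no AVC in the same event. The second shape means the denial was
    not audited (a dontaudit rule, or plain DAC), so the labels are taken from
    the SYSCALL subj= and PATH obj= fields instead."""
    findings = []
    for serial, recs in sorted(parse_audit(text).items()):
        by = defaultdict(list)
        for r in recs:
            by[r["type"]].append(r)
        sc = by["SYSCALL"][0] if by["SYSCALL"] else {}
        base = {"serial": serial, "comm": sc.get("comm"), "exe": sc.get("exe"),
                "cwd": by["CWD"][0].get("cwd") if by["CWD"] else None}
        for avc in by["AVC"]:
            findings.append(dict(base, kind="avc", perms=avc.get("perms", []),
                                 tclass=avc.get("tclass"), scontext=avc.get("scontext"),
                                 tcontext=avc.get("tcontext")))
        if not by["AVC"] and sc.get("success") == "no" and sc.get("exit") == "-13":
            findings.append(dict(base, kind="eacces-no-avc", scontext=sc.get("subj"),
                                 objects=[(p.get("name"), p.get("obj")) for p in by["PATH"]]))
    return findings

if __name__ == "__main__":
    for f in find_denials(SAMPLE_AUDIT):
        print("%-14s #%d %s as %s" % (f["kind"], f["serial"], f["comm"], type_of(f["scontext"])))
```

On the sample this reports the gdb event as an AVC (`ptrace` on `process`, svirt_t to svirt_t) and the ls event as EACCES with no AVC, guest_t on a `.` labelled default_t; the ENOENT lookup of the locale file is dropped. When the second shape comes with a label mismatch like that, the missing AVC is usually a dontaudit rule: `semodule -DB` rebuilds the policy with dontaudit rules disabled so the AVC is logged, and `semodule -B` restores them afterwards.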
[PATCH 5/5] adding completion to seadmin feature
by Leonidas Da Silva Barbosa
Signed-off-by: Leonidas Da Silva Barbosa <leosilva(a)linux.vnet.ibm.com>
---
policycoreutils/sepolicy/sepolicy-bash-completion.sh | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
index 779fd75..2b85ad9 100644
--- a/policycoreutils/sepolicy/sepolicy-bash-completion.sh
+++ b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
@@ -60,6 +60,9 @@ __get_all_domain_types () {
__get_all_domains () {
seinfo -adomain -x 2>/dev/null | sed 's/_t$//g'
}
+__get_all_roles () {
+ seinfo -r 2>/dev/null | tail -n +3
+}
_sepolicy () {
local command=${COMP_WORDS[1]}
local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]}
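Review bot: `__get_all_roles` offers every role that `seinfo -r` prints, but `create_user` in patch 1/5 accepts only roles whose name minus `_r` ends in `adm`, so `-r` will complete values the tool then rejects; filtering the pipeline with `grep 'adm_r$'` applies the tool's own rule. `tail -n +3` also hard-codes the two header lines of one setools version's `seinfo -r` output, whereas `__get_all_domains` just above filters by pattern with `sed`; a pattern-based filter survives a format change better than a fixed line count.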
@@ -74,6 +77,7 @@ _sepolicy () {
[MANPAGE]='manpage'
[NETWORK]='network'
[TRANSITION]='transition'
+ [ADMIN]='admin'
)
COMMONOPTS='-P --policy -h --help'
@@ -86,6 +90,7 @@ _sepolicy () {
[manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web -r --root'
[network]='-h --help -d --domain -l --list -p --port -t --type '
[transition]='-h --help -s --source -t --target'
+ [admin]='-h --help -a --add -u --user -r --role -l --login -m --modify -d --delete -e --extend'
)
for ((i=0; $i <= $COMP_CWORD; i++)); do
@@ -189,7 +194,18 @@ _sepolicy () {
fi
COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
return 0
- fi
+ elif [ "$verb" = "admin" ]; then
+ if [ "$prev" = "-u" -o "$prev" = "--user" ]; then
+ COMPREPLY=( $(compgen -W "$( __get_all_users ) " -- "$cur") )
+ return 0
+ fi
+ if [ "$prev" = "-r" -o "$prev" = "--role" ]; then
+ COMPREPLY=( $(compgen -W "$( __get_all_roles ) " -- "$cur") )
+ return 0
+ fi
+ COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
+ return 0
+ fi
COMPREPLY=( $(compgen -W "$comps" -- "$cur") )
return 0
}
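Review bot: `__get_all_users` is called for `-u`/`--user` but is not defined in this patch and does not appear in the visible context (only `__get_all_domain_types`, `__get_all_domains` and the new `__get_all_roles` are), so if it does not already exist in the file, `compgen -W` receives an empty list and the option silently completes nothing. `-l`/`--login` gets no completion at all; `compgen -u` would offer local login names, matching the `pwd.getpwnam` check in seadmin.py.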
--
1.8.3.1
10 years, 6 months