x11vnc on Fedora 18

Andrew Jones selinuxlistuser at andyjones.eu
Tue Jan 29 13:47:25 UTC 2013


(Apologies in advance for the length of this mail.  I am a total noob at
SELinux so my vocabulary is probably not correct.  Hopefully you will be
able to understand from context what I am trying to say.)

I have been setting up x11vnc on some of my machines.  It looks like
there are a hundred different ways of setting it up but I have chosen to
follow the spirit of this entry in the Fedora Forum:

http://forums.fedoraforum.org/showpost.php?p=1448696&postcount=2

This works with SELinux permissive but fails completely when enforcing.

Even when running permissively there are so many SELinux events in the
first few seconds that many are dropped as shown here:

Jan 29 03:44:10 ecafe audispd: queue is full - dropping event

After several hours of scouring the system log, running sealert and
creating policies, rinsing and repeating I think I have generated the
command line that will identify all the events which occur during an
x11vnc session:

egrep  ps\|x11vnc\|tcpd\|mission-control /var/log/audit/audit.log |
audit2allow -M mypol

By repetitively running that line, applying the generated policy then
restarting the computer and launching a new vnc session eventually all
the events are able to be recorded without filling the queue.

I will put my questions here together where they are easy to find and
will post logs and other data below in case anyone wants to look at
them...

1)  I have copied the mypol.te file below.  Could someone tell me if
anything in there opens up a huge security risk?
2)  Can I copy the mypol.pp file to another computer and apply the
policy directly?
3) If yes can I also copy it to a computer running Fedora 16 or 17?
4) Is there a simple way to convert a .te file to a .pp file?
5) If I put up this information as a How-To on the forum is there a
preferred way of defining the policy?  For example:
a) publish this line...
egrep  ps\|x11vnc\|tcpd\|mission-control /var/log/audit/audit.log |
audit2allow -M mypol
... and tell them to work from that
b) Publish the contents of the .te file (assuming there is a neat way to
create a .pp file) and say "Trust me"
c) Put the .pp file somewhere accessible from the internet and say
"Trust me even more"
d) Something else???
6) I have copied one of the outputs from sealert -l GUID below in case
it is useful.  I have kept copies of all the others.  Please let me know
if it would be useful to see them.  I can supply them with no problem.
There are seventeen different outputs.
7) Is there a simpler way of having x11vnc "running as a service" like
Windows?

Thanks to anyone who can respond...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

mypol.te (For brevity I have removed
several lines saying #!!!! This avc is allowed in the current policy )

module mypol9 1.0;

require {
 type modemmanager_t;
 type ksmtuned_t;
 type shell_exec_t;
 type initrc_t;
 type fprintd_t;
 type telepathy_mission_control_exec_t;
 type user_devpts_t;
 type dhcpc_t;
 type cupsd_t;
 type inetd_t;
 type fsdaemon_t;
 type keyboardd_t;
 type udev_t;
 type admin_home_t;
 type xserver_t;
 type audisp_t;
 type policykit_t;
 type dnsmasq_t;
 type tcpd_t;
 type virtd_t;
 type bin_t;
 type rpcd_t;
 type crond_t;
 type apmd_t;
 type rtkit_daemon_t;
 type sysctl_kernel_t;
 type NetworkManager_t;
 type colord_t;
 type unconfined_t;
 type unconfined_dbusd_t;
 type rpcbind_t;
 type init_t;
 type auditd_t;
 type devpts_t;
 type syslogd_t;
 type xserver_port_t;
 type tty_device_t;
 type xdm_var_lib_t;
 type setroubleshootd_t;
 type system_dbusd_t;
 type var_log_t;
 type config_home_t;
 type accountsd_t;
 type passwd_file_t;
 type xdm_dbusd_t;
 type avahi_t;
 type proc_t;
 type bluetooth_t;
 type xdm_var_run_t;
 type xdm_tmp_t;
 type abrt_watch_log_t;
 type mcelog_t;
 type iscsid_t;
 type kernel_t;
 type rpm_t;
 type consolekit_t;
 type firewalld_t;
 type chronyd_t;
 type xdm_t;
 type systemd_logind_t;
 type sendmail_t;
 type sshd_t;
 type devicekit_power_t;
 type devicekit_disk_t;
 type tmpfs_t;
 class process setsched;
 class unix_stream_socket connectto;
 class chr_file getattr;
 class shm { write unix_read unix_write read destroy create };
 class capability { sys_ptrace dac_override };
 class tcp_socket name_connect;
 class file { rename execute read create ioctl execute_no_trans write getattr unlink open };
 class netlink_route_socket { bind create setopt nlmsg_read getattr };
 class lnk_file read;
 class udp_socket { create connect getattr };
 class dir { write getattr read remove_name create search add_name };
}

#============= tcpd_t ==============

allow tcpd_t NetworkManager_t:dir { getattr search };

allow tcpd_t NetworkManager_t:file { read open };

allow tcpd_t abrt_watch_log_t:dir { getattr search };

allow tcpd_t abrt_watch_log_t:file { read open };

allow tcpd_t accountsd_t:dir { getattr search };

allow tcpd_t accountsd_t:file { read open };

allow tcpd_t admin_home_t:dir search;

allow tcpd_t admin_home_t:file { read getattr open };

allow tcpd_t apmd_t:dir { getattr search };

allow tcpd_t apmd_t:file { read open };

allow tcpd_t audisp_t:dir { getattr search };

allow tcpd_t audisp_t:file { read open };

allow tcpd_t auditd_t:dir { getattr search };

allow tcpd_t auditd_t:file { read open };

allow tcpd_t avahi_t:dir { getattr search };

allow tcpd_t avahi_t:file { read open };

allow tcpd_t bin_t:file { ioctl execute read open getattr execute_no_trans };

allow tcpd_t bluetooth_t:dir { getattr search };

allow tcpd_t bluetooth_t:file { read open };

allow tcpd_t chronyd_t:dir { getattr search };

allow tcpd_t chronyd_t:file { read open };

allow tcpd_t colord_t:dir { getattr search };

allow tcpd_t colord_t:file { read open };

allow tcpd_t consolekit_t:dir { getattr search };

allow tcpd_t consolekit_t:file { read open };

allow tcpd_t crond_t:dir { getattr search };

allow tcpd_t crond_t:file { read open };

allow tcpd_t cupsd_t:dir { getattr search };

allow tcpd_t cupsd_t:file { read open };

allow tcpd_t devicekit_disk_t:dir { getattr search };

allow tcpd_t devicekit_disk_t:file { read open };

allow tcpd_t devicekit_power_t:dir { getattr search };

allow tcpd_t devicekit_power_t:file { read open };

allow tcpd_t devpts_t:dir { getattr search };

allow tcpd_t dhcpc_t:dir { getattr search };

allow tcpd_t dhcpc_t:file { read open };

allow tcpd_t dnsmasq_t:dir { getattr search };

allow tcpd_t dnsmasq_t:file { read open };

allow tcpd_t firewalld_t:dir { getattr search };

allow tcpd_t firewalld_t:file { read open };

allow tcpd_t fprintd_t:dir { getattr search };

allow tcpd_t fprintd_t:file { read open };

allow tcpd_t fsdaemon_t:dir { getattr search };

allow tcpd_t fsdaemon_t:file { read open };

allow tcpd_t inetd_t:dir { getattr search };

allow tcpd_t inetd_t:file { read open };

allow tcpd_t init_t:dir { getattr search };

allow tcpd_t init_t:file { read open };

allow tcpd_t initrc_t:dir { getattr search };

allow tcpd_t initrc_t:file { read open };

allow tcpd_t iscsid_t:dir { getattr search };

allow tcpd_t iscsid_t:file { read open };

allow tcpd_t kernel_t:dir { getattr search };

allow tcpd_t kernel_t:file { read open };

allow tcpd_t keyboardd_t:dir { getattr search };

allow tcpd_t keyboardd_t:file { read open };

allow tcpd_t ksmtuned_t:dir { getattr search };

allow tcpd_t ksmtuned_t:file { read open };

allow tcpd_t mcelog_t:dir { getattr search };

allow tcpd_t mcelog_t:file { read open };

allow tcpd_t modemmanager_t:dir { getattr search };

allow tcpd_t modemmanager_t:file { read open };

allow tcpd_t passwd_file_t:file { read getattr open };

allow tcpd_t policykit_t:dir { getattr search };

allow tcpd_t policykit_t:file { read open };

allow tcpd_t proc_t:dir read;

allow tcpd_t proc_t:file { read getattr open };

allow tcpd_t rpcbind_t:dir { getattr search };

allow tcpd_t rpcbind_t:file { read open };

allow tcpd_t rpcd_t:dir { getattr search };

allow tcpd_t rpcd_t:file { read open };

allow tcpd_t rpm_t:dir { getattr search };

allow tcpd_t rpm_t:file { read open };

allow tcpd_t rtkit_daemon_t:dir { getattr search };

allow tcpd_t rtkit_daemon_t:file { read open };

allow tcpd_t self:capability { sys_ptrace dac_override };

allow tcpd_t self:netlink_route_socket { bind create setopt nlmsg_read getattr };

allow tcpd_t self:shm { write unix_read unix_write read destroy create };

allow tcpd_t self:udp_socket { create connect getattr };

allow tcpd_t sendmail_t:dir { getattr search };

allow tcpd_t sendmail_t:file { read open };

allow tcpd_t setroubleshootd_t:dir { getattr search };

allow tcpd_t setroubleshootd_t:file { read open };

allow tcpd_t shell_exec_t:file { read execute open };

allow tcpd_t sshd_t:dir { getattr search };

allow tcpd_t sshd_t:file { read open };

allow tcpd_t sysctl_kernel_t:dir search;

allow tcpd_t sysctl_kernel_t:file { read open };

allow tcpd_t syslogd_t:dir { getattr search };

allow tcpd_t syslogd_t:file { read open };

allow tcpd_t system_dbusd_t:dir { getattr search };

allow tcpd_t system_dbusd_t:file { read open };

allow tcpd_t systemd_logind_t:dir { getattr search };

allow tcpd_t systemd_logind_t:file { read open };

allow tcpd_t tmpfs_t:file { read write };

allow tcpd_t tty_device_t:chr_file getattr;

allow tcpd_t udev_t:dir { getattr search };

allow tcpd_t udev_t:file { read open };

allow tcpd_t unconfined_dbusd_t:dir { getattr search };

allow tcpd_t unconfined_dbusd_t:file { read open };

allow tcpd_t unconfined_t:dir { getattr search };

allow tcpd_t unconfined_t:file { read open };

allow tcpd_t unconfined_t:lnk_file read;

allow tcpd_t user_devpts_t:chr_file getattr;

allow tcpd_t var_log_t:dir { write add_name };

allow tcpd_t var_log_t:file { write create open };

allow tcpd_t virtd_t:dir { getattr search };

allow tcpd_t virtd_t:file { read open };

allow tcpd_t xdm_dbusd_t:dir { getattr search };

allow tcpd_t xdm_dbusd_t:file { read open };

allow tcpd_t xdm_t:dir { getattr search };

allow tcpd_t xdm_t:file { read open };

allow tcpd_t xdm_tmp_t:dir search;

allow tcpd_t xdm_var_run_t:dir search;

allow tcpd_t xdm_var_run_t:file { read getattr open };

allow tcpd_t xserver_port_t:tcp_socket name_connect;

allow tcpd_t xserver_t:dir { getattr search };

allow tcpd_t xserver_t:file { read open };

allow tcpd_t xserver_t:unix_stream_socket connectto;

#============= xdm_dbusd_t ==============

allow xdm_dbusd_t config_home_t:file write;

allow xdm_dbusd_t self:process setsched;

allow xdm_dbusd_t telepathy_mission_control_exec_t:file { read open execute_no_trans };

allow xdm_dbusd_t xdm_var_lib_t:dir { write remove_name create add_name };

allow xdm_dbusd_t xdm_var_lib_t:file { rename write getattr read create unlink open };

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SELinux is preventing /usr/bin/bash from execute access on the
file /usr/bin/bash.

*****  Plugin catchall (100. confidence) suggests
***************************

If you believe that bash should be allowed execute access on the bash
file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:shell_exec_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        x11vnc_sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages           bash-4.2.42-1.fc18.i686
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-01-29 04:34:05 CET
Last Seen                     2013-01-29 04:34:05 CET
Local ID                      0215ecf1-f067-4475-a2ff-3810697a0c55

Raw Audit Messages
type=AVC msg=audit(1359430445.962:387): avc:  denied  { execute } for pid=1740 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1359430445.962:387): arch=i386 syscall=execve success=yes exit=0 a0=bfcc93fc a1=bfccb4b4 a2=bfccb4bc a3=bfcc90c0 items=0 ppid=780 pid=1740 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc_sh,tcpd_t,shell_exec_t,file,execute

audit2allow

#============= tcpd_t ==============
allow tcpd_t shell_exec_t:file execute;

audit2allow -R

#============= tcpd_t ==============
allow tcpd_t shell_exec_t:file execute;
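The egrep-then-audit2allow loop described in the message above yields rules but never shows which process produced the flood of events. The following is an added example, not code from the original post or from audit2allow: a small parser for raw AVC records in /var/log/audit/audit.log that applies the same comm-name filter and merges denials the way audit2allow merges them, so the bulk offender (here, ps walking /proc) is visible before any policy is generated. The audit lines are constructed for the example: the first is the bash execve record from the sealert output above, the others are made-up records of ps reading /proc/<pid> entries from tcpd_t and one unrelated denial that the filter drops. Note that the "queue is full - dropping event" message comes from audispd, the dispatcher that feeds plugins such as setroubleshoot after auditd has already written the record to audit.log, so parsing the log directly is generally a more complete view than what sealert got to see.

```python
"""Triage raw AVC records before feeding anything to audit2allow.

Added example: not code from the original post or from audit2allow.
"""
import re
from collections import Counter, defaultdict

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "sdomain": fields["scontext"].split(":")[2],  # user:role:TYPE[:level]
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "name": fields.get("path") or fields.get("name", ""),
    }


def triage(lines, comms):
    """Keep denials from the given comm names and merge them like audit2allow does.

    Returns (by_comm, rules): by_comm counts records per comm (the flood
    source); rules maps (source domain, target type, class) to the merged
    permission set, the record count and the object names seen.
    """
    by_comm = Counter()
    rules = defaultdict(lambda: {"perms": set(), "records": 0, "names": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied" or rec["comm"] not in comms:
            continue
        by_comm[rec["comm"]] += 1
        entry = rules[(rec["sdomain"], rec["ttype"], rec["tclass"])]
        entry["perms"].update(rec["perms"])
        entry["records"] += 1
        entry["names"].add(rec["name"])
    return by_comm, dict(rules)


def render_allow(rules):
    """Format the merged denials as the allow lines audit2allow would emit."""
    out = []
    for (src, tgt, cls), entry in sorted(rules.items()):
        perms = sorted(entry["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out


# Constructed sample log. The first AVC is the bash execve record from the
# sealert output above (rejoined onto one line); the rest are made up to show
# ps walking /proc/<pid> from tcpd_t, plus one unrelated denial.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1359430445.962:387): avc:  denied  { execute } for  pid=1740 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file',
    # the matching SYSCALL record is not an AVC record and is skipped
    'type=SYSCALL msg=audit(1359430445.962:387): arch=i386 syscall=execve success=yes exit=0 pid=1740 comm=x11vnc_sh exe=/usr/bin/bash',
    'type=AVC msg=audit(1359430446.101:388): avc:  denied  { search } for  pid=1745 comm="ps" name="812" dev="proc" ino=9876 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=dir',
    'type=AVC msg=audit(1359430446.101:389): avc:  denied  { read } for  pid=1745 comm="ps" name="stat" dev="proc" ino=9877 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file',
    'type=AVC msg=audit(1359430446.101:390): avc:  denied  { open } for  pid=1745 comm="ps" path="/proc/812/stat" dev="proc" ino=9877 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file',
    'type=AVC msg=audit(1359430446.230:391): avc:  denied  { write } for  pid=901 comm="gnome-shell" name="foo" dev="sda5" ino=55 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
]

if __name__ == "__main__":
    by_comm, rules = triage(SAMPLE_AUDIT, {"x11vnc", "x11vnc_sh", "tcpd", "ps"})
    print("denials per comm:", dict(by_comm))
    for (src, tgt, cls), e in sorted(rules.items()):
        print(f"{e['records']:4d}  {src} -> {tgt}:{cls}  names={sorted(e['names'])}")
    print("\n".join(render_allow(rules)))
```

On a real box, replace SAMPLE_AUDIT with the lines of /var/log/audit/audit.log; the per-comm counter tells you whether it is x11vnc itself or a helper it spawns (here ps, run from the tcpd_t domain) that is generating the bulk of the records, which is also the part of the policy that most deserves to be trimmed rather than allowed.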

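Question 1 above asks whether the posted .te opens a hole. As an added example (not code from the original post or from any SELinux tool), here is a reviewer script that parses the allow rules of an audit2allow-generated .te file and flags the grants worth a second look: capabilities such as sys_ptrace and dac_override, executing bin_t or shell_exec_t inside the daemon's own domain, writes to generic types such as var_log_t, socket connects, and the long run of read-only dir/file grants on other process domains, which is the footprint of ps walking /proc/<pid> (those entries carry the label of the process they belong to, so one ps run from tcpd_t touches every domain on the box). The script needs the set of process-domain types; on a real system take it from seinfo (setools 3 syntax: `seinfo -adomain -x`). The sample domain set and the sample .te (a subset of the rules posted above) are hardcoded here, and the severity labels are this example's own judgement, not anything the policy encodes.

```python
"""Flag over-broad grants in an audit2allow-generated .te module.

Added example: not code from the original post or from any SELinux tool.
Severity labels are this script's own judgement.
"""
import re
import sys
from collections import defaultdict

ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;",
    re.MULTILINE,
)

# Capabilities that let a domain bypass DAC or inspect/trace other processes.
RISKY_CAPS = {"sys_ptrace", "dac_override", "dac_read_search", "sys_admin",
              "setuid", "setgid", "sys_module"}
EXEC_PERMS = {"execute", "execute_no_trans"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "add_name",
               "remove_name", "setattr"}
# Generic types where a write grant reaches far beyond the daemon's own data.
SENSITIVE_WRITE = {"var_log_t": "high", "etc_t": "high", "bin_t": "high",
                   "shell_exec_t": "high", "lib_t": "high", "usr_t": "high",
                   "admin_home_t": "medium", "config_home_t": "medium",
                   "tmpfs_t": "low"}


def parse_allow_rules(te_text):
    """Return (source, target, class, frozenset(perms)) for every allow rule."""
    rules = []
    for m in ALLOW_RE.finditer(te_text):
        perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms)))
    return rules


def review(te_text, domain_types):
    """Return (severity, source_domain, message) findings, highest severity first.

    domain_types: process-domain types of the target system, e.g. from
    `seinfo -adomain -x` (setools 3); assumed to be supplied by the caller.
    """
    findings = []
    state_reads = defaultdict(set)  # source -> other domains whose /proc entries it reads
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        if cls == "capability" and tgt == "self":
            for cap in sorted(perms & RISKY_CAPS):
                findings.append(("high", src,
                                 f"capability {cap}: held by every program {src} runs"))
        if cls == "file" and perms & EXEC_PERMS and (tgt.endswith("_exec_t") or tgt == "bin_t"):
            findings.append(("high", src,
                             f"executes {tgt} inside {src} ({' '.join(sorted(perms & EXEC_PERMS))}): "
                             f"whatever is launched inherits all of {src}'s grants"))
        if cls in ("file", "dir") and perms & WRITE_PERMS and tgt in SENSITIVE_WRITE:
            findings.append((SENSITIVE_WRITE[tgt], src,
                             f"writes {tgt} ({' '.join(sorted(perms & WRITE_PERMS))})"))
        if cls == "unix_stream_socket" and "connectto" in perms:
            findings.append(("medium", src, f"may connect to {tgt} unix sockets"))
        if cls == "tcp_socket" and "name_connect" in perms:
            findings.append(("low", src, f"may open TCP connections to {tgt} ports"))
        if tgt in domain_types and cls in ("dir", "file", "lnk_file") and not perms & WRITE_PERMS:
            state_reads[src].add(tgt)
    for src, targets in state_reads.items():
        shown = ", ".join(sorted(targets)[:3]) + (", ..." if len(targets) > 3 else "")
        findings.append(("medium", src,
                         f"reads /proc/<pid> state of {len(targets)} other domains ({shown}): "
                         f"the footprint of ps walking /proc from {src}"))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1], f[2]))
    return findings


# Constructed sample: a subset of the rules posted above, plus a hand-picked
# domain set (on a real system take the domains from seinfo).
SAMPLE_TE = """\
module mypol9 1.0;

allow tcpd_t NetworkManager_t:dir { getattr search };
allow tcpd_t NetworkManager_t:file { read open };
allow tcpd_t sshd_t:dir { getattr search };
allow tcpd_t sshd_t:file { read open };
allow tcpd_t xserver_t:dir { getattr search };
allow tcpd_t xserver_t:file { read open };
allow tcpd_t bin_t:file { ioctl execute read open getattr
execute_no_trans };
allow tcpd_t shell_exec_t:file { read execute open };
allow tcpd_t self:capability { sys_ptrace dac_override };
allow tcpd_t passwd_file_t:file { read getattr open };
allow tcpd_t var_log_t:dir { write add_name };
allow tcpd_t var_log_t:file { write create open };
allow tcpd_t xserver_t:unix_stream_socket connectto;
allow tcpd_t xserver_port_t:tcp_socket name_connect;
allow xdm_dbusd_t config_home_t:file write;
"""
SAMPLE_DOMAINS = {"tcpd_t", "NetworkManager_t", "sshd_t", "xserver_t", "xdm_dbusd_t"}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TE
    for sev, src, msg in review(text, SAMPLE_DOMAINS):
        print(f"[{sev:6}] {src}: {msg}")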