What to do after building a kernel.
by Justin Conover
After I built a new kernel based off of ck-overloaded, I rebooted and a
ton of SELinux errors/messages kept coming across the screen. What
do I need to do to make a home-grown kernel work with SELinux?
18 years, 9 months
xfs file system w/ selinux?
by Justin Conover
Is there any downside to running xfs with selinux?
I'm just testing (playing) with test2 and I was thinking of using
lvm/xfs/selinux. Choosing xfs because it is a good fs and easier to
grow online than ext3. Plus I'm just testing :)
18 years, 9 months
A few policy changes I had to make
by Rodrigo Damazio
Hello. I started playing with SELinux on FC2, and recently moved
to FC3, and I must say it's much better now, with the targeted policy.
Congrats on this.
I still had to change a few things in my policies, though.
Following is a collection of the avc errors justifying my changes. I'm
not experienced with SELinux yet, so I may be doing something
wrong... please let me know if these changes are correct or not. Also,
the unlink allow for httpd_t is because, for some reason, when I try to
remove a file from within PHP, it uses httpd_t instead of
httpd_sys_script_t. I would also like a rule (which I'm not sure how to
write) to allow PHP programs to execute external programs, since I have
a script which receives an uploaded file, does a lot of processing with
it through external programs, and stores it in the database - when I run
that, it gives me avc execute errors trying to run bash and the other
utilities.
Apache:
Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc: denied
{ connectto } for pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432
scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t
tclass=unix_stream_socket
NTPd:
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc: denied
{ create } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied
{ bind } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied
{ getattr } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.747:0): avc: denied
{ write } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc: denied
{ net_admin } for pid=2293 exe=/usr/sbin/ntpd capability=12
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=capability
Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc: denied
{ nlmsg_read } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.752:0): avc: denied
{ read } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
DHCPd:
Nov 12 23:37:25 fireball kernel: audit(1100309845.314:0): avc: denied
{ create } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.317:0): avc: denied
{ bind } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.320:0): avc: denied
{ getattr } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.323:0): avc: denied
{ write } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.325:0): avc: denied
{ net_admin } for pid=10002 exe=/usr/sbin/dhcpd capability=12
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=capability
Nov 12 23:37:25 fireball kernel: audit(1100309845.326:0): avc: denied
{ nlmsg_read } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.327:0): avc: denied
{ read } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc: denied
{ unlink } for pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~
dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t
tcontext=system_u:object_r:file_t tclass=file
named:
Nov 12 23:41:25 fireball kernel: audit(1100310085.797:0): avc: denied
{ create } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.798:0): avc: denied
{ bind } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.799:0): avc: denied
{ getattr } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.803:0): avc: denied
{ write } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.806:0): avc: denied
{ nlmsg_read } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.809:0): avc: denied
{ read } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Thanks,
Rodrigo
18 years, 9 months
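An audit2allow-style summary of the denials quoted in the post above, as an added example that is not part of Rodrigo's post or of the SELinux tools: it unwraps the avc records exactly as they were pasted, merges the denied permissions per (source type, target type, class) and renders candidate TE allow rules, flagging a target of file_t as a labelling problem (an unlabeled object) rather than a missing rule. The sample input is constructed from two of the records in the post.

```python
import re

# Constructed sample: avc lines copied from the post above, still wrapped the
# way they were pasted; unwrap() joins each record back onto one line.
SAMPLE_AVC = """\
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc: denied
{ create } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc: denied
{ unlink } for pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~
dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t
tcontext=system_u:object_r:file_t tclass=file
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def unwrap(text):
    # A line without "avc:" is the continuation of the previous record.
    records = []
    for line in text.splitlines():
        if "avc:" in line or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_avc(record):
    # Returns (source type, target type, tclass, perms), or None for non-avc lines.
    m = AVC_RE.search(record)
    if not m:
        return None
    f = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    # A context is user:role:type; only the type goes into an allow rule.
    return (f["scontext"].split(":")[2], f["tcontext"].split(":")[2],
            f["tclass"], set(m.group("perms").split()))

def summarise(text):
    # Merge denials into {(source type, target type, class): permission set}.
    rules = {}
    for parsed in filter(None, map(parse_avc, unwrap(text))):
        rules.setdefault(parsed[:3], set()).update(parsed[3])
    return rules

def to_te_rules(rules):
    # Render candidates as TE allow rules ("self" when source and target match).
    # A target of file_t means the object carries no label: relabel, do not allow.
    out = []
    for (s, t, cls), perms in sorted(rules.items()):
        rule = "allow %s %s:%s { %s };" % (s, "self" if s == t else t, cls, " ".join(sorted(perms)))
        out.append(("# relabel instead of allowing: " if t == "file_t" else "") + rule)
    return out
```

The output is a starting point for review, not policy to load as-is: each merged rule should be checked against what the daemon actually needs.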
rpm -V selinux-policy-targeted
by Joe Orton
Should I expect output like this from rpm -V from a fresh install, even
if I haven't touched the policy myself?
[root@blane ~]# rpm -V selinux-policy-targeted
.......TC c /etc/selinux/targeted/contexts/default_contexts
.......TC c /etc/selinux/targeted/contexts/default_type
.......TC c /etc/selinux/targeted/contexts/failsafe_context
..5....TC c /etc/selinux/targeted/contexts/files/file_contexts
.......TC c /etc/selinux/targeted/contexts/files/media
.......TC c /etc/selinux/targeted/contexts/initrc_context
.......TC c /etc/selinux/targeted/contexts/removable_context
.......TC c /etc/selinux/targeted/contexts/userhelper_context
.......TC c /etc/selinux/targeted/contexts/users/root
..5....T. c /etc/selinux/targeted/policy/policy.18
Since policy/policy.18 is marked %config(noreplace), the new policy.18
file is installed as policy.18.rpmnew, and hence it seems manual
intervention is needed to load the new policy; it's not a simple rpm -U
or up2date run away - is this desirable?
joe
18 years, 10 months
Re: httpd avc denied problem
by Arthur Stephens
>> I am new to SELinux and Fedora 3 - setting up a replacement server for
the one that got hacked
>> I transferred our websites over and discovered I had to have them all
under /usr/www/
>>Who or what does tell you this should be this way? /usr/ is the wrong
>>place.
OK, I moved everything under /var/www,
ran fixfiles,
changed everything under httpd.conf to point to /var/www/...
I got the same error messages, just different directories.
Being desperate to get this working, I copied the error_log from a directory
that was working,
ran fixfiles,
and got avc: denied { append }
(13)Permission denied: httpd: could not open error log file
/var/www/spokanewines.com/logs/error_log.
Unable to open logs
[root@webmail ~]# cd /var/www/spokanewines.com/logs/
[root@webmail logs]# ls -alZ
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
I tried to run
system-config-securitylevel
but there are no references to Boolean options for Apache HTTP
just firewall options.
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens(a)ptera.net
509-927-Ptera
----- Original Message -----
From: "Alexander Dalloz" <ad+lists(a)uni-x.org>
To: "For users of Fedora Core releases" <fedora-list(a)redhat.com>
Sent: Monday, November 29, 2004 11:25 AM
Subject: Re: httpd avc denied problem
18 years, 10 months
SELinux/httpd integration
by Joe Orton
I think one thing that would help would be making the sets of example
httpd module configurations self-documenting w.r.t. SELinux for some
of the modules.
So for instance, how do I get Subversion/mod_dav_svn working with an
SELinux-enabled httpd? Can we make it such that an SVN repos is as easy
to set up as:
# cd /src/svn
# svnadmin create mystuff
# vi /etc/httpd/conf.d/subversion.conf
- uncomment the defaults?
even with SELinux enabled? The commented default in subversion.conf
here could be:
<Location /repos>
DAV svn
SVNParentPath /srv/svn
</Location>
A more generic example would be if we provide a /srv/www directory or
something to which the httpd domain is allowed read+write access by
default; somewhere to put the PHP webapps.
Does this make sense?
joe
18 years, 10 months
init labeling question for targeted policy
by Karsten Wade
My question about the targeted policy presumes that init re-execs itself
after loading the policy, whereby it picks up the unconfined_t domain
from the policy, as defined by a rule in
/etc/selinux/targeted/src/policy/domains/unconfined.te.
role system_r types unconfined_t;
What rule tells init to re-exec itself in the targeted policy? Or is
init doing something differently now?
Here is how far I've gotten in figuring this out.
In the strict policy there is an explicit transition rule for init. The
file programs/misc/kernel.te has this rule:
domain_auto_trans(kernel_t, init_exec_t, init_t)
In the targeted policy, kernel.te is in domains/misc/unused, so is not
called into play. Correct? The transition behavior certainly isn't
used, i.e., init transitions to unconfined_t instead of init_t.
Therefore, I'm looking for a default behavior that init falls back on
since it doesn't have specific SELinux coverage.
In macros/global_macros.te the macro domain_auto_trans(init_t,
$1_exec_t, $1_t) is defined. However, I don't find that macro used,
i.e., domain_auto_trans(init_t) or some such. In addition, I'm not even
sure that init would be in the domain init_t to qualify for this macro
since in targeted it's in unconfined_t.
In define(`unconfined_domain', there is this rule:
allow $1 self:process transition;
That says that init is allowed to transition to itself, but it doesn't
tell init to do the transition and seems otherwise unrelated.
Which one of these paths, if any, is leading in the right direction?
thx - Karsten
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
18 years, 10 months
/etc/rc.sysinit: restorecon being run even when selinux disabled
by Robert P. J. Day
This might be irrelevant, but in FC3's /etc/rc.sysinit, right near
the top, there's some shell code that handles SELinux:
=====
# Check SELinux status
selinuxfs=`awk '/ selinuxfs / { print $2 }' /proc/mounts`
SELINUX=
if [ -n "$selinuxfs" ] && [ "`cat /proc/self/attr/current`" != "kernel" ]; then
    if [ -r $selinuxfs/enforce ] ; then
        SELINUX=`cat $selinuxfs/enforce`
    else
        # assume enforcing if you can't read it
        SELINUX=1
    fi
fi
=====
So far, so good. If SELinux is disabled, I'm assuming there won't
be any entry with "selinuxfs" in the output of /proc/mounts. But the
very next check is:
=====
if [ -x /sbin/restorecon ] && LC_ALL=C fgrep -q " /dev " /proc/mounts ; then
    /sbin/restorecon -R /dev 2>/dev/null
fi
=====
which will *apparently* be run regardless of whether or not SELinux is
enabled. If SELinux is disabled, is there any point in even
checking whether or not to run restorecon? (From what I read, the
"restorecon" program is clearly related to SELinux.)
rday
18 years, 10 months
proc_net .... kudzu.te, rpcd.te, mozilla_macros.te
by Tom London
Running strict/enforcing, latest Rawhide.
Looks like some changes to policy
for proc_net_t are causing some denials.
Nov 28 09:06:51 fedora kernel: audit(1101661600.402:0): avc: denied
{ search } for pid=1520 exe=/usr/sbin/kudzu name=net dev=proc
ino=-268435434 scontext=system_u:system_r:kudzu_t
tcontext=system_u:object_r:proc_net_t tclass=dir
Nov 28 10:28:12 fedora kernel: audit(1101666486.919:0): avc: denied
{ search } for pid=1843 exe=/usr/sbin/rpc.idmapd name=net dev=proc
ino=-268435434 scontext=system_u:system_r:rpcd_t
tcontext=system_u:object_r:proc_net_t tclass=dir
Nov 28 10:29:38 fedora kernel: audit(1101666578.571:0): avc: denied
{ read } for pid=3146 exe=/bin/netstat name=net dev=proc
ino=-268435434 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:proc_net_t tclass=dir
Nov 28 10:29:39 fedora kernel: audit(1101666579.074:0): avc: denied
{ search } for pid=3146 exe=/bin/netstat name=net dev=proc
ino=-268435434 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:proc_net_t tclass=dir
Made the following changes to
kudzu.te, rpcd.te and mozilla_macros.te
Please correct as needed....
tom
--- SAVE/kudzu.te 2004-11-28 10:23:18.000000000 -0800
+++ ./kudzu.te 2004-11-28 10:25:43.000000000 -0800
@@ -18,7 +18,8 @@
allow kudzu_t modules_object_t:dir r_dir_perms;
allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
allow kudzu_t mouse_device_t:chr_file { read write };
-allow kudzu_t proc_t:file { getattr read };
+allow kudzu_t proc_net_t:dir r_dir_perms;
+allow kudzu_t { proc_t proc_net_t }:file { getattr read };
allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file
rw_file_perms;
allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
allow kudzu_t { bin_t sbin_t }:dir { getattr search };
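Review bot: the two added lines in kudzu.te grant more than the logged denial justifies: the avc record above shows kudzu_t denied only { search } on proc_net_t:dir, while the hunk grants r_dir_perms on the directory plus { getattr read } on every proc_net_t file. If kudzu only needs to traverse /proc/net to reach one entry, `allow kudzu_t proc_net_t:dir search;` is the minimal rule; keep the wider grant only after a follow-on denial shows kudzu actually reading files there, and say which /proc/net entry it reads in a comment so the width of the rule is explained.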
--- SAVE/rpcd.te 2004-11-28 10:43:20.801436658 -0800
+++ ./rpcd.te 2004-11-28 10:45:04.285886135 -0800
@@ -126,3 +126,4 @@
r_dir_file(rpcd_t, rpc_pipefs_t)
allow rpcd_t rpc_pipefs_t:sock_file { read write };
dontaudit rpcd_t selinux_config_t:dir { search };
+allow rpcd_t proc_net_t:dir search;
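Review bot: `+allow rpcd_t proc_net_t:dir search;` matches the rpc.idmapd denial exactly, which is the right granularity, but it is appended after a dontaudit line with nothing saying why rpcd_t needs /proc/net; add a one-line comment naming rpc.idmapd as the reason so the next reader can tell the rule is intentional. Once search is permitted, expect a separate denial on proc_net_t:file if the daemon goes on to read an entry there; handle that with an equally narrow rule rather than widening this one.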
--- SAVE/mozilla_macros.te 2004-11-28 10:47:54.527909494 -0800
+++ ./mozilla_macros.te 2004-11-28 10:47:57.741626903 -0800
@@ -48,6 +48,7 @@
# for bash
allow $1_mozilla_t device_t:dir r_dir_perms;
allow $1_mozilla_t devpts_t:dir r_dir_perms;
+allow $1_mozilla_t proc_net_t:dir r_dir_perms;
+allow $1_mozilla_t proc_net_t:file r_file_perms;
allow $1_mozilla_t proc_t:file { getattr read };
dontaudit $1_mozilla_t tty_device_t:chr_file getattr;
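Review bot: the underlying problem in the mozilla_macros.te hunk is the denial itself: /bin/netstat is running in user_mozilla_t, i.e. the browser domain executes netstat with no domain transition, and the fix responds by giving every $1_mozilla_t domain r_dir_perms on proc_net_t:dir and r_file_perms on proc_net_t:file, which exposes all of /proc/net (routing and socket tables) to a network-facing client for every user. The neighbouring `allow $1_mozilla_t proc_t:file { getattr read };` uses the narrower { getattr read }; match that form at most, and decide first whether the browser should be running netstat at all before widening the macro. The lines also sit under the `# for bash` comment, which no longer describes them.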
--
Tom London
18 years, 10 months
cups-config-daemon ?
by Tom London
Running strict/enforcing, latest Rawhide.
I think the following is coming from cups-config-daemon.
I'm always a bit suspicious of fd denials....
these are to /dev/null...
Is this an open file leaking across an exec?
Help welcomed.....
tom
Nov 28 10:12:25 fedora cups: cupsd shutdown succeeded
Nov 28 10:12:25 fedora kernel: audit(1101665545.088:0): avc: denied
{ use } for pid=4223 exe=/usr/bin/python path=/dev/null dev=tmpfs
ino=3516 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:system_crond_t tclass=fd
Nov 28 10:12:25 fedora kernel: audit(1101665545.088:0): avc: denied
{ use } for pid=4223 exe=/usr/bin/python path=/dev/null dev=tmpfs
ino=3516 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:logrotate_t tclass=fd
Nov 28 10:12:25 fedora kernel: audit(1101665545.088:0): avc: denied
{ use } for pid=4223 exe=/usr/bin/python path=/dev/null dev=tmpfs
ino=3516 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:logrotate_t tclass=fd
Nov 28 10:12:25 fedora kernel: audit(1101665545.232:0): avc: denied
{ use } for pid=4226 exe=/usr/sbin/cupsd path=/dev/null dev=tmpfs
ino=3516 scontext=system_u:system_r:cupsd_t
tcontext=system_u:system_r:system_crond_t tclass=fd
Nov 28 10:12:25 fedora cups: cupsd startup succeeded
--
Tom London
18 years, 10 months