nsupdate and netlink_socket AVCs
by Aleksey Nogin
If I attempt to use nsupdate as an ordinary user (which
shouldn't be a problem, should it?), then I see
audit(1079022100.499:0): avc: denied { bind } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.499:0): avc: denied { getattr } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.499:0): avc: denied { write } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.500:0): avc: denied { read } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
Not sure what this is all about.
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
Postfix and SELinux
by Rudi Chiarito
I successfully - or so it seems - convinced a box to work in enforcing
mode, but as of today I still see these error messages whenever postfix
is started:
Mar 29 17:33:35 pizza kernel: audit(1080603215.577:0): avc: denied { write } for pid=5102 exe=/usr/sbin/postalias name=aliases.db dev=sda3 ino=245461 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:postfix_etc_t tclass=file
Mar 29 17:33:36 pizza kernel: audit(1080603216.592:0): avc: denied { search } for pid=5103 exe=/bin/bash dev= ino=1 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:devpts_t tclass=dir
Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied { execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t tclass=file
Does this ring a bell? As far as I can tell, all contexts are properly
set. To play safe, I even removed and reinstalled the postfix RPM. The
system has all the latest Raw Hide packages.
Rudi
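Both the nsupdate post and the Postfix post above quote raw AVC denials of the 2004 kernel format and ask what they mean. The first step in answering is the one audit2allow automated: rejoin the lines the mail client wrapped, pull the permission, source context, target context and object class out of each record, and collapse them into one line per (source type, target type, class). The following is an added example, not code from either poster or from the SELinux tools; the sample log is constructed from the denials quoted in the two posts, and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in the nsupdate and Postfix
# posts, with the line wrapping the mail client introduced left in place so
# the rejoin step has something to do.
SAMPLE_LOG = """\
audit(1079022100.499:0): avc: denied { bind } for pid=18759
exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.499:0): avc: denied { getattr } for pid=18759
exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=netlink_socket
Mar 29 17:33:35 pizza kernel: audit(1080603215.577:0): avc: denied {
write } for pid=5102 exe=/usr/sbin/postalias name=aliases.db dev=sda3
ino=245461 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:postfix_etc_t tclass=file
Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied {
execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396
scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t
tclass=file
"""

# One record: optional syslog prefix, then
# audit(ts:serial): avc: denied { perms } for key=value key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: denied "
    r"\{\s*(?P<perms>[^}]*?)\s*\} for (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def rejoin_wrapped(text):
    """Glue continuation lines (no 'audit(' in them) back onto their record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "audit(" in line or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Return a dict for one denial, or None if the line is not an AVC denial."""
    m = AVC_RE.search(record)
    if not m:
        return None
    return {
        "ts": float(m["ts"]),
        "serial": int(m["serial"]),
        "perms": m["perms"].split(),
        "fields": dict(FIELD_RE.findall(m["fields"])),
    }


def context_type(ctx):
    """user:role:type -> type, the component policy rules are written against."""
    return ctx.split(":")[2]


def summarize(records):
    """Group denials by (source type, target type, class) -> sorted permissions."""
    groups = defaultdict(set)
    for rec in records:
        ev = parse_avc(rec)
        if ev is None:
            continue
        f = ev["fields"]
        key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
        groups[key].update(ev["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def suggest_allow_rules(records):
    """Render each group as an allow rule in the policy syntax of the period,
    which is what audit2allow produced; 'self' when source and target types match."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize(records).items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(perms)} }};")
    return rules


if __name__ == "__main__":
    for rule in suggest_allow_rules(rejoin_wrapped(SAMPLE_LOG)):
        print(rule)
```

The generated rules are a list of what to look into, not something to load as-is: the nsupdate group says user_t needs netlink socket access it does not have, which is a policy question, while postfix_master_t being denied execute on a file named master that carries lib_t reads more like a labelling question, which an allow rule would paper over.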
install of kernel 2.6.4-1.298 does not work
by Richard Hally
When I ran up2date today it appeared to install kernel 2.6.4-1.298.
There were no errors reported. But it did not update grub as usual, it
did not put any files in /boot, and when I do rpm -q kernel it does not
show 2.6.4-1.298 (it shows the other kernels, 253 etc.)
[root@old1 boot]# rpm -q kernel
kernel-2.6.3-2.1.242
kernel-2.6.3-2.1.253
kernel-2.6.3-2.1.246
kernel-2.6.3-2.1.253.2.1
Below are the messages in the up2date log file.
[Tue Mar 30 20:50:28 2004] up2date installing packages:
['GConf2-2.6.0-1', 'GConf2-devel-2.6.0-1', 'Guppi-0.40.3-18',
'Guppi-devel-0.40.3-18', 'ImageMagick-5.5.7.15-1.3',
'ImageMagick-c++-5.5.7.15-1.3', 'ImageMagick-c++-devel-5.5.7.15-1.3',
'ImageMagick-devel-5.5.7.15-1.3', 'ImageMagick-perl-5.5.7.15-1.3',
'Maelstrom-3.0.6-3', 'a2ps-4.13b-37', 'amanda-2.4.4p2-3',
'amanda-client-2.4.4p2-3', 'amanda-devel-2.4.4p2-3',
'amanda-server-2.4.4p2-3', 'anaconda-9.92-0.20040323181753',
'anaconda-runtime-9.92-0.20040323181753', 'apr-0.9.4-11',
'apr-devel-0.9.4-11', 'apr-util-0.9.4-12', 'apr-util-devel-0.9.4-12',
'aumix-2.8-8', 'beecrypt-3.1.0-3', 'beecrypt-devel-3.1.0-3',
'beecrypt-python-3.1.0-3', 'bind-9.2.3-13', 'bind-chroot-9.2.3-13',
'bind-devel-9.2.3-13', 'bind-libs-9.2.3-13', 'bind-utils-9.2.3-13',
'binutils-2.15.90.0.1.1-2', 'busybox-1.00.pre8-2',
'busybox-anaconda-1.00.pre8-2', 'control-center-2.5.4-2',
'dhclient-3.0.1rc12-4', 'dhcp-3.0.1rc12-4', 'dhcp-devel-3.0.1rc12-4',
'esound-0.2.34-1', 'esound-devel-0.2.34-1', 'file-4.07-3',
'freeglut-2.2.0-11', 'freeglut-devel-2.2.0-11',
'gaim-0.75.99-20040328cvs', 'gedit-2.5.92-1', 'gedit-devel-2.5.92-1',
'glibc-2.3.3-20', 'glibc-common-2.3.3-20', 'glibc-devel-2.3.3-20',
'glibc-headers-2.3.3-20', 'glibc-profile-2.3.3-20',
'glibc-utils-2.3.3-20', 'gnome-mime-data-2.4.1-3', 'gnome-vfs2-2.6.0-1',
'gnome-vfs2-devel-2.6.0-1', 'gnome-vfs2-smb-2.6.0-1', 'gok-0.9.10-2',
'gpm-1.20.1-45', 'gpm-devel-1.20.1-45', 'hotplug-2004_03_11-1',
'htdig-3.2.0b5-7', 'htdig-web-3.2.0b5-7', 'httpd-2.0.49-1',
'httpd-devel-2.0.49-1', 'httpd-manual-2.0.49-1', 'hwdata-0.114-1',
'initscripts-7.49-1', 'ipxutils-2.2.4-1', 'kdebase-3.2.1-1.5',
'kdebase-devel-3.2.1-1.5', 'kdegames-3.2.1-2', 'kdegames-devel-3.2.1-2',
'kdenetwork-3.2.1-3', 'kdenetwork-devel-3.2.1-3', 'kdepim-3.2.1-4',
'kdepim-devel-3.2.1-4', 'kernel-2.6.4-1.298', 'kernel-doc-2.6.4-1.298',
'kernel-source-2.6.4-1.298', 'kernel-utils-2.4-9.1.126',
'kinput2-canna-wnn6-v3.1-17', 'less-382-3', 'libbonobo-2.6.0-2',
'libbonobo-devel-2.6.0-2', 'libselinux-1.6-5', 'libselinux-devel-1.6-5',
'libwnck-2.5.90-3', 'libwnck-devel-2.5.90-3', 'libxml2-2.6.8-1',
'libxml2-devel-2.6.8-1', 'libxml2-python-2.6.8-1', 'lm_sensors-2.8.3-5',
'lm_sensors-devel-2.8.3-5', 'man-1.5m2-5', 'mod_ssl-2.0.49-1',
'modutils-2.4.26-14', 'ncpfs-2.2.4-1', 'neon-0.24.4-4',
'neon-devel-0.24.4-4', 'net-snmp-5.1.1-1', 'net-snmp-devel-5.1.1-1',
'net-snmp-perl-5.1.1-1', 'net-snmp-utils-5.1.1-1',
'nptl-devel-2.3.3-20', 'nscd-2.3.3-20', 'nss_ldap-217-1',
'openssl-0.9.7a-35', 'openssl-devel-0.9.7a-35',
'openssl-perl-0.9.7a-35', 'pcre-4.5-2', 'pcre-devel-4.5-2',
'policy-1.9.1-2', 'policy-sources-1.9.1-2', 'policycoreutils-1.9-16',
'qt-3.3.1-0.7', 'qt-MySQL-3.3.1-0.7', 'qt-ODBC-3.3.1-0.7',
'qt-PostgreSQL-3.3.1-0.7', 'qt-designer-3.3.1-0.7',
'qt-devel-3.3.1-0.7', 'rhythmbox-0.7.1-2', 'rp-pppoe-3.5-12',
'rpmdb-fedora-1.91-0.20040330', 'samba-3.0.3-1.pre1',
'samba-client-3.0.3-1.pre1', 'samba-common-3.0.3-1.pre1',
'samba-swat-3.0.3-1.pre1', 'sash-3.7-3', 'setools-1.2.1-3',
'setools-devel-1.2.1-3', 'setools-gui-1.2.1-3',
'shared-mime-info-0.14-1', 'slocate-2.7-8', 'sylpheed-0.9.10-2',
'system-config-bind-2.0.2-4', 'system-config-date-1.7.3-1',
'system-config-display-1.0.12-1', 'system-config-netboot-0.1.3-4',
'system-config-printer-0.6.98-1', 'system-config-printer-gui-0.6.98-1',
'system-config-samba-1.2.9-1', 'system-config-securitylevel-1.3.9-1',
'system-config-securitylevel-tui-1.3.9-1',
'system-config-services-0.8.8-4', 'tetex-2.0.2-13',
'tetex-afm-2.0.2-13', 'tetex-doc-2.0.2-13', 'tetex-dvips-2.0.2-13',
'tetex-fonts-2.0.2-13', 'tetex-latex-2.0.2-13', 'tetex-xdvi-2.0.2-13',
'udev-023-1', 'util-linux-2.12-15', 'vim-X11-6.2.403-1',
'vim-common-6.2.403-1', 'vim-enhanced-6.2.403-1',
'vim-minimal-6.2.403-1', 'vnc-4.0-1.beta4.9',
'vnc-server-4.0-1.beta4.9', 'w3m-0.5-1', 'webalizer-2.01_10-22',
'xinitrc-3.38-1', 'zip-2.3-22']
[Tue Mar 30 22:05:51 2004] up2date Modifying bootloader config to
include the new kernel info
[Tue Mar 30 22:05:51 2004] up2date Adding 2.6.4-1.298 to bootloader config
[Tue Mar 30 22:05:51 2004] up2date Adding 2.6.4-1.298 to bootloader config
[Tue Mar 30 22:05:52 2004] up2date Running lilo with the new configuration
[Tue Mar 30 22:05:53 2004] up2date Modifying bootloader config to
include the new kernel info
[Tue Mar 30 22:05:53 2004] up2date Adding 2.6.4-1.298 to bootloader config
[Tue Mar 30 22:05:53 2004] up2date Running lilo with the new configuration
[root@old1 boot]#
This shows (supposedly) that all those packages were updated. If the
kernel was not installed when the log says it was, how many others were
not really updated?
Another problem is that I use grub! (I have never used lilo on this
box) and it was not updated. The log shows that the kernel install
tried to update lilo.
BTW, I am running in enforcing mode as root (with role sysmgr_r).
Where do I start with the bug reports?
The kernel, 'cause it did not install?
up2date, because it did not report any errors when something was very wrong?
SELinux policy? There are hundreds of avc denied messages...
Please let me know how to proceed with getting my system updated in
enforcing mode, and if there is additional information I can provide. The messages file
is 796261 bytes and I have saved a copy.
thanks,
Richard Hally
Is arbitrary access to rpm_t by sysadm_r a security problem?
by Aleksey Nogin
I would imagine sysadm_r can do a lot anyway, but just in case it is a
problem, here it is:
% id
uid=500(aleksey) gid=500(aleksey) groups=500(aleksey)
context=aleksey:sysadm_r:sysadm_t
% rpm -q rpm --pipe id
uid=500(aleksey) gid=500(aleksey) groups=500(aleksey)
context=aleksey:sysadm_r:rpm_t
Basically, the --pipe option to rpm seems to be giving sysadm_r full
access to sysadm_r:rpm_t.
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
udev and SELinux.
by Aleksey Nogin
I briefly tried installing udev and it seems that it was creating
devices with the default device_t type instead of the one dictated by
SELinux policies. Is this a known issue? Should I file a Bugzilla report?
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
Should Yum and up2date understand SELinux roles
by Tom Mitchell
Should yum check "id" for sysadm_r role?
Since %pre and %post actions are problematic, a partial install could
result that may not be simple to fix.
Here is a yum session that shows the interaction that is prompting my
question. Note the scriptlet error followed by "Transaction(s) Complete".
# yum install xorg-x11-100dpi-fonts
Gathering header information file(s) from server(s)
Server: Fedora Core 1.91 - Development Tree
Finding updated packages
Downloading needed headers
Resolving dependencies
Dependencies resolved
I will do the following:
[install: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386]
Is this ok [y/N]: y
Downloading Packages
Getting xorg-x11-100dpi-fonts-0.0.6.6-0.0.2004_03_11.9.i386.rpm
xorg-x11-100dpi-fonts-0.0 100% |=========================| 4.2 MB 05:26
Running test transaction:
Test transaction complete, Success!
xorg-x11-100dpi-fonts 100 % done 1/1
error: setexeccon(root:staff_r:rpm_script_t) fails from context "root:staff_r:staff_t": Invalid argument
error: %post(xorg-x11-100dpi-fonts-0.0.6.6-0.0.2004_03_11.9) scriptlet failed, exit status 255
Installed: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386
Transaction(s) Complete
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:staff_r:staff_t
# newrole -r sysadm_r
Authenticating root.
Password:
# rpm -e xorg-x11-100dpi-fonts
# yum install xorg-x11-100dpi-fonts
Gathering header information file(s) from server(s)
Server: Fedora Core 1.91 - Development Tree
Finding updated packages
Downloading needed headers
Resolving dependencies
Dependencies resolved
I will do the following:
[install: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386]
Is this ok [y/N]: y
Downloading Packages
Running test transaction:
Test transaction complete, Success!
xorg-x11-100dpi-fonts 100 % done 1/1
Installed: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386
Transaction(s) Complete
--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
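Tom's session shows both the check he is asking yum to do and the symptom it would have caught: in staff_r the %post scriptlet cannot transition to rpm_script_t, it fails with status 255, and "Transaction(s) Complete" is printed anyway. The following is an added example of how a wrapper around yum or rpm could implement that check, not code from Tom, yum or rpm: it reads the role out of `id` output before the transaction and afterwards scans the transaction output for the setexeccon and scriptlet errors that the final "Complete" line hides. The required role sysadm_r and the `newrole -r sysadm_r` advice come from the session above; the sample strings are constructed from it, and the function names are mine.

```python
import re

# Constructed samples, copied from the yum session quoted in the post.
SAMPLE_ID = (
    "uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),"
    "6(disk),10(wheel) context=root:staff_r:staff_t"
)
SAMPLE_YUM_OUTPUT = """\
Running test transaction:
Test transaction complete, Success!
xorg-x11-100dpi-fonts 100 % done 1/1
error: setexeccon(root:staff_r:rpm_script_t) fails from context "root:staff_r:staff_t": Invalid argument
error: %post(xorg-x11-100dpi-fonts-0.0.6.6-0.0.2004_03_11.9) scriptlet failed, exit status 255
Installed: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386
Transaction(s) Complete
"""

# The context= field that id prints on an SELinux system: user:role:type.
ID_CONTEXT_RE = re.compile(
    r"\bcontext=(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+)"
)
# rpm could not switch the scriptlet's execution context.
SETEXECCON_RE = re.compile(
    r'^error: setexeccon\((?P<target>[^)]+)\) fails from context "(?P<source>[^"]+)"'
)
# A %pre/%post/... scriptlet exited non-zero; the package is still recorded as installed.
SCRIPTLET_RE = re.compile(
    r"^error: %(?P<phase>\w+)\((?P<pkg>[^)]+)\) scriptlet failed, exit status (?P<status>\d+)"
)


def parse_id_context(id_output):
    """Return {'user', 'role', 'type'} from id output, or None without SELinux."""
    m = ID_CONTEXT_RE.search(id_output)
    if m is None:
        return None
    return {"user": m["user"], "role": m["role"], "type": m["type"]}


def preflight(id_output, required_role="sysadm_r"):
    """Before the transaction: can scriptlets be expected to run? Returns (ok, message)."""
    ctx = parse_id_context(id_output)
    if ctx is None:
        return False, "no SELinux context in id output"
    if ctx["role"] != required_role:
        return False, (f"running as {ctx['role']}; switch first with: "
                       f"newrole -r {required_role}")
    return True, f"role {required_role} ok"


def failed_transitions(output):
    """(source context, target context) for every setexeccon failure in the output."""
    found = []
    for line in output.splitlines():
        m = SETEXECCON_RE.match(line)
        if m:
            found.append((m["source"], m["target"]))
    return found


def scriptlet_failures(output):
    """One dict per failed scriptlet: which phase, which package, which exit status."""
    found = []
    for line in output.splitlines():
        m = SCRIPTLET_RE.match(line)
        if m:
            found.append({"phase": m["phase"], "package": m["pkg"],
                          "status": int(m["status"])})
    return found


def transaction_ok(output):
    """'Transaction(s) Complete' alone is not success: a failed scriptlet means a partial install."""
    return "Transaction(s) Complete" in output and not scriptlet_failures(output)


if __name__ == "__main__":
    print(preflight(SAMPLE_ID))
    print(failed_transitions(SAMPLE_YUM_OUTPUT))
    print(scriptlet_failures(SAMPLE_YUM_OUTPUT))
    print("transaction ok:", transaction_ok(SAMPLE_YUM_OUTPUT))
```

In a wrapper, `preflight` would be run on the live output of `id` and the transaction refused when it returns False; `transaction_ok` would decide the wrapper's exit status, so that a partial install is reported as a failure instead of being discovered later, as in the session, by running `rpm -e` and trying again.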
selinux and NFS?
by Dave Alden
Hi,
I'm wondering how selinux is going to interact with non-FC2 machines? My
mail server and "home" server are both running RedHat 8.0 for now and this
summer I'm planning on taking them to RHEL 3. My users log in to 3 different
systems (Mac OS X, Solaris and RedHat/Fedora linux) and get the same home
directory. Am I going to have to disable selinux?
...thnx,
...dave
SELinux vs. sudo and usermode
by Matthew Miller
In many ways, the sudo and usermode programs are kludgy attempts to achieve
what SE Linux does for real -- separate out root powers. Certain users can
be delegated to run only certain programs with root privileges.
Sudo also acts as the sysadmin's Swiss army knife. Common practice here is
to have all sysadmins use sudo for _anything_ that needs to be run as root.
This has the advantage of documenting all actions (by agreement, not
enforced, of course), and the convenience of not needing to actually know
the root password.
Likewise, the usermode program allows any user to provide the root password
in order to run the various system-config-* programs. I have a patch (see
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=86188>) which allows
members of a given group ("wheel", typically) to authenticate with their
*own* credentials to gain access to these programs. (Other users are
prompted for the root password.)
There's an obvious security tradeoff, here: instead of needing to know two
passwords, one only needs one's own. On the other hand, it removes the need
to manage root passwords for desktop users or for large numbers of machines,
and is an undeniable convenience.
So, since I'm just diving into SE Linux -- how does this _work_ in the Brave
New World?
Is sudo obsolete? Is my usermode patch now pointless? Can this be
accomplished another way? *Should* it be accomplished at all?
Thanks!
--
Matthew Miller mattdm(a)mattdm.org <http://www.mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
Pb installing Policy
by Nic¤
Hi all,
I'm having trouble installing the policy on my Fedora Core 1. I have
upgraded to the list of packages present on Daniel Walsh's ftp server
(ftp://people.redhat.com/dwalsh/SELinux/) using the selUpgrade script.
When I try to load the policy, here is what I get:
root]# make -C /etc/security/selinux/src/policy relabel
make: Entre dans le répertoire `/etc/security/selinux/src/policy'
/usr/sbin/setfiles file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'`
/usr/sbin/setfiles: read 423 specifications
/usr/sbin/setfiles: invalid context system_u:object_r:default_t on line number 39
/usr/sbin/setfiles: invalid context system_u:object_r:root_t on line number 44
/usr/sbin/setfiles: invalid context system_u:object_r:home_root_t on line number 53
/usr/sbin/setfiles: invalid context system_u:object_r:user_home_dir_t on line number 54
/usr/sbin/setfiles: invalid context system_u:object_r:user_home_t on line number 55
/usr/sbin/setfiles: invalid context system_u:object_r:mnt_t on line number 59
/usr/sbin/setfiles: invalid context system_u:object_r:var_t on line number 64
/usr/sbin/setfiles: invalid context system_u:object_r:catman_t on line number 65
/usr/sbin/setfiles: invalid context system_u:object_r:catman_t on line number 66
/usr/sbin/setfiles: invalid context system_u:object_r:var_yp_t on line number 67
Nico