NSA accreditation
by Christine Ridgeway
Hi:
I was wondering if there are any C&A documents that we could
review in regards to SELinux and Fedora. If so, could you please point
me in the right direction or forward them to me at this address?
Thank you very much in advance!
V/R,
Christine Ridgeway
Maxim Systems, Inc.
Tel: 619-574-2275
Fax: 619-692-3597
VMware + SELinux
by Efthym
Hi all
I've recently installed VMware 4.5.1 on Fedora 2 Test 2 with SELinux in
enforcing mode. The configuration process only works while enforce=0 and
after every reboot I get a message that VMware has not been configured yet
and I have to rerun the configuration and recreate the vmmon and vmnet
modules. During this I get a hell of a lot of avc denied messages.
I'm quite new to SELinux but I'm guessing this is because there is no
default permission for VMware in the policy. Has anyone else tried this,
or could someone perhaps give some help on how to configure VMware to work
alongside SELinux?
VMware-workstation-4.5.1-7568
policy-1.11.2-8
kernel-2.6.5-1.326
Thanx
relabeling needed
by Colin Walters
Hi,
If you are running into AVC denials, remember to try relabeling first.
There have been several renames and new types recently. For example:
New file /root/.default_contexts needs to be labeled default_context_t
/usr/X11R6/bin/XFree86 is now Xorg
/var/spool/at now has type crond_spool_t
And there's more. /home/$USER/.gconf may have a separate type shortly
too.
The other thing is to be sure you're grabbing the latest policy-sources
RPM from rawhide.
Re: .te file in RPMs
by W. Michael Petullo
>> I would like to learn the proper way for a package to install an associated
>> te file, rebuild the SELinux policy and load the new policy. Could someone
>> point me in the proper direction? Is there something better than "make
>> reload" in the post-install script?
> Currently there is no proper method.
>
> Loading the policy in the post-install alone won't do it. Any policy that
> is significant will add new file types, and the package which contains the
> policy (*) will have files that need to be labeled with those types. This
> means that you would have to not only load the policy but label the files
> in the post-install script. This is ugly.
Does this mean that this is not a blocker for Fedora Core 2, as the entry in
the SELinux roadmap at http://fedora.redhat.com/projects/selinux/ seems to
imply ("Fedora Core 2 release may happen after item 9 or 10...")?
--
Mike
mkinitrd problems - 2 slightly different ones...
by Valdis.Kletnieks@vt.edu
Running the fedora-devel code as of 0419.. hitting some issues
with installing a new kernel due to mkinitrd failing.
System has 1 disk, using LVM for the root filesystem - the bigger error seems
to be LVM-specific (looks like bootloader_t needs to be able to do stuff
with lvm_exec_t and lvm_etc_t).
First, a quick example of shooting yourself in the foot:
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
# /sbin/mkinitrd -v /boot/initrd-2.6.5-1.327.img 2.6.5-1.327
Looking for deps of module ide-disk
/sbin/mkinitrd: line 1: /bin/ls: Permission denied
Looking for deps of module ext3 jbd
Looking for deps of module jbd
Looking for deps of module dm-mod
Using modules: ./kernel/fs/jbd/jbd.ko ./kernel/fs/ext3/ext3.ko ./kernel/drivers/md/dm-mod.ko
Using loopback device /dev/loop0
rm: cannot get current directory: Permission denied
/sbin/nash -> /tmp/initrd.Y15570/bin/nash
/sbin/insmod.static -> /tmp/initrd.Y15570/bin/insmod
copy from /lib/modules/2.6.5-1.327/./kernel/fs/jbd/jbd.ko(elf32-i386) to /tmp/initrd.Y15570/lib/jbd.ko(elf32-i386)
copy from /lib/modules/2.6.5-1.327/./kernel/fs/ext3/ext3.ko(elf32-i386) to /tmp/initrd.Y15570/lib/ext3.ko(elf32-i386)
copy from /lib/modules/2.6.5-1.327/./kernel/drivers/md/dm-mod.ko(elf32-i386) to /tmp/initrd.Y15570/lib/dm-mod.ko(elf32-i386)
/sbin/lvm.static -> /tmp/initrd.Y15570/bin/lvm
cp: cannot open `/sbin/lvm.static' for reading: Permission denied
/etc/lvm -> /tmp/initrd.Y15570/etc/lvm
`/etc/lvm/lvm.conf' -> `/tmp/initrd.Y15570/etc/lvm/lvm.conf'
cp: cannot open `/etc/lvm/lvm.conf' for reading: Permission denied
Loading module jbd
Loading module ext3
Loading module dm-mod
rm: cannot get current directory: Permission denied
rm: remove.c:378: AD_pop_and_chdir: Assertion `AD_stack_height (ds)' failed.
/sbin/mkinitrd: line 678: 15649 Aborted rm -rf $MNTIMAGE $MNTPOINT $IMAGE
#
Ouch. Gotta love that final 'rm' error. :)
How did I cause that? I was stupidly still cd'ed into /etc/security/selinux/src/policy at the time. ;)
Got *tons* of these:
Apr 19 22:31:27 orange kernel: audit(1082428287.917:0): avc: denied { search } for pid=15434 exe=/bin/bash name=policy dev=dm-0 ino=85034 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:policy_src_t tclass=dir
and here's the one that killed the rm command, I think:
Apr 19 22:31:28 orange kernel: audit(1082428288.257:0): avc: denied { search } for pid=15649 exe=/bin/rm name=policy dev=dm-0 ino=85034 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:policy_src_t tclass=dir
(total of 88 failed 'search' - odd part is that I did NOT have '.' in my $PATH).
OK, so take 2 - this gets rid of the 88 failed search requests:
# cd /
# /sbin/mkinitrd -v /boot/initrd-2.6.5-1.327.img 2.6.5-1.327
Looking for deps of module ide-disk
/sbin/mkinitrd: line 1: /bin/ls: Permission denied
Looking for deps of module ext3 jbd
Looking for deps of module jbd
Looking for deps of module dm-mod
Using modules: ./kernel/fs/jbd/jbd.ko ./kernel/fs/ext3/ext3.ko ./kernel/drivers/md/dm-mod.ko
Using loopback device /dev/loop0
/sbin/nash -> /tmp/initrd.f15792/bin/nash
/sbin/insmod.static -> /tmp/initrd.f15792/bin/insmod
copy from /lib/modules/2.6.5-1.327/./kernel/fs/jbd/jbd.ko(elf32-i386) to /tmp/initrd.f15792/lib/jbd.ko(elf32-i386)
copy from /lib/modules/2.6.5-1.327/./kernel/fs/ext3/ext3.ko(elf32-i386) to /tmp/initrd.f15792/lib/ext3.ko(elf32-i386)
copy from /lib/modules/2.6.5-1.327/./kernel/drivers/md/dm-mod.ko(elf32-i386) to /tmp/initrd.f15792/lib/dm-mod.ko(elf32-i386)
/sbin/lvm.static -> /tmp/initrd.f15792/bin/lvm
cp: cannot open `/sbin/lvm.static' for reading: Permission denied
/etc/lvm -> /tmp/initrd.f15792/etc/lvm
`/etc/lvm/lvm.conf' -> `/tmp/initrd.f15792/etc/lvm/lvm.conf'
cp: cannot open `/etc/lvm/lvm.conf' for reading: Permission denied
Loading module jbd
Loading module ext3
Loading module dm-mod
A bit better - here's the remaining avc messages:
Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc: denied { execute } for pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc: denied { read } for pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.729:0): avc: denied { execute } for pid=15711 exe=/bin/bash name=ls dev=dm-0 ino=16424 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:ls_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.729:0): avc: denied { read } for pid=15711 exe=/bin/bash name=ls dev=dm-0 ino=16424 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:ls_exec_t tclass=file
Apr 19 22:36:46 orange kernel: SELinux: initialized (dev loop0, type ext2), uses xattr
Apr 19 22:36:47 orange kernel: audit(1082428607.002:0): avc: denied { read } for pid=15834 exe=/bin/cp name=lvm.static dev=dm-0 ino=72206 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:47 orange kernel: audit(1082428607.007:0): avc: denied { read } for pid=15835 exe=/bin/cp name=lvm.conf dev=dm-0 ino=82396 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_etc_t tclass=file
.te file in RPMs
by W. Michael Petullo
The Fedora SELinux roadmap states:
> rpm should handle packages which contain their own .te files
> jbj owns this
> Right now this will mean installing doing a 'make reload' or whatever. dwalsh
> can work with jbj to make that happen inside rpm.
> A big problem is having to use make+m4
I would like to learn the proper way for a package to install an associated
te file, rebuild the SELinux policy and load the new policy. Could someone
point me in the proper direction? Is there something better than "make
reload" in the post-install script?
--
Mike
Re: SELinux issues
by W. Michael Petullo
>> * fam & nautilus are the ones spewing out the most avc messages in
>> dmesg.
> fam is known to be incompatible with SELinux. I'm working on a patch to
> disable it if SELinux is enabled. What nautilus AVC messages are you
> seeing? the /initrd one is a known issue, also on my queue of stuff to
> fix.
Is there a plan to replace fam's functionality? If I do a "touch
/home/mike/foo" and have a nautilus window displaying /home/mike/foo then
this file immediately appears in the nautilus window (without manually
telling nautilus to reload the directory's contents). Will this be
impossible with SELinux running in enforcing mode? Or is there something
coming down the pipe to handle this?
I think fam is required by the nautilus package. Will this requirement be
relaxed?
--
Mike
Locally defined file contexts
by Gene Czarcinski
Before I go and submit an RFE, I thought I would put this message out to see
if what I am asking for is reasonable and/or I am missing something and it is
already available.
I have a need/want to be able to define some file contexts for directories and
possibly separately mounted partitions which will have different attributes
from what is currently defined.
For example, I may want to mount one or more partitions under /home/ or
/usr/local/ or even / which are to be shared read-only to anyone but writable
only by root and one user. An example in my current situation on a FC1 system
is where I have a very large partition for vmware in /home/vmware/ and I want
this r/w by one user running as staff_r or user_r.
As I currently understand things, only the tunable.te and users files are
intended for modification by the user or local installation. The rest of the
files are for policy-sources and will be updated when the package is updated.
I want some place to put rules similar to those in file_contexts or types.fc
which will be used to build the master file_contexts but not be replaced
when policy-sources is updated.
I am hoping that this capability already exists and I just do not understand
that it is there.
Gene
SELinux and gtkam
by W. Michael Petullo
The digital camera application gtkam does not seem to want to play nicely
with SELinux. Gtkam needs to access /proc/bus/usb because it uses libusb.
When I try to run gtkam as a user (user_u:user_r:user_t) I get:
Apr 17 09:57:47 imp kernel: avc: denied { read } for pid=3620 exe=/usr/bin/gtkam dev= ino=724 scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t tclass=dir
Apr 17 09:57:47 imp kernel:
Apr 17 09:57:47 imp kernel: avc: denied { search } for pid=3620 exe=/usr/bin/gtkam dev= ino=1 scontext=user_u:user_r:user_t tcontext=system_u:object_r:sysfs_t tclass=dir
Do we need a new domain like gtkam_t, gphoto_t or libusb_t?
--
Mike
:wq
Failed CD mount as normal user (enforcing), works in permissive
by Andrew Farris
Mounting FC1 cd1 as normal user fails when in enforcing mode, but is
allowed (with audit) when in permissive mode.
Note: I relinked files in a modified way, it is straightforward, but I
apologize if it confuses (/mnt/cdrom1 is not used, but links
to /mnt/cdrw).
/mnt/cdrw: directory
/dev/hdd: block special (22/64)
426829 8 drwxr-xr-x 2 system_u:object_r:mnt_t 0 0 4 Mar 29 17:33 cdrw/
66236 4 brw------- 1 system_u:object_r:fixed_disk_device_t 502 6 22, 64 Feb 23 13:02 hdd
$-> getenforce
enforcing
$-> mount /mnt/cdrw
mount: only root can mount /dev/hdd on /mnt/cdrw
(root runs setenforce 0)
(normal user)
$-> mount /mnt/cdrw
(success mounting)
-- audit generated
Apr 18 18:17:07 CirithUngol kernel: audit(1082326627.383:0): avc: denied { getattr } for pid=20162 exe=/bin/mount path=/dev/hdd dev=hdb8 ino=66236 scontext=user_u:user_r:user_mount_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
/etc/fstab entry:
/dev/hdd /mnt/cdrw iso9660 noauto,owner,ro 0 0
policy version:
policy-1.11.2-9
(a full relabel was not performed since this policy was updated)
--
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora(a)andrewfarris.com :: lmorgul on irc.freenode.net
"The only thing necessary for the triumph of evil is for good men
to do nothing." (Edmond Burke)
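The mkinitrd, gtkam and CD-mount posts above each paste raw AVC denials and then reason by hand about which source type needs which permissions on which target type (bootloader_t on lvm_exec_t and lvm_etc_t, user_t on usbfs_t, user_mount_t on fixed_disk_device_t). The script below is an added example, not code from any of the posters: it parses the kernel log format quoted in those posts (including lines with an empty dev= field and the blank "kernel:" line) and aggregates the denials into candidate allow rules in the policy-sources syntax, the same reduction audit2allow performs. The sample log is constructed from lines quoted on this page; as Colin Walters' post notes, relabel first, since denials against a stale label want a relabel rather than a new rule.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines in the formats quoted on this page (mkinitrd,
# gtkam and the re-joined CD-mount line); the empty "kernel:" line is skipped.
SAMPLE_LOG = """\
Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc: denied { execute } for pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc: denied { read } for pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:47 orange kernel: audit(1082428607.007:0): avc: denied { read } for pid=15835 exe=/bin/cp name=lvm.conf dev=dm-0 ino=82396 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_etc_t tclass=file
Apr 17 09:57:47 imp kernel: avc: denied { read } for pid=3620 exe=/usr/bin/gtkam dev= ino=724 scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t tclass=dir
Apr 17 09:57:47 imp kernel:
Apr 18 18:17:07 CirithUngol kernel: audit(1082326627.383:0): avc: denied { getattr } for pid=20162 exe=/bin/mount path=/dev/hdd dev=hdb8 ino=66236 scontext=user_u:user_r:user_mount_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return (permissions, key=value fields) for one denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # 'dev=' with no value (gtkam post) still yields an entry, with '' as value
    fields = dict(tok.partition("=")[::2] for tok in m.group("fields").split() if "=" in tok)
    return m.group("perms").split(), fields

def summarize(log_text):
    """Aggregate denials into {(source type, target type, class): set(permissions)}."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        # a context is user:role:type; the type (third field) is what a rule names
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        needed[key].update(perms)
    return dict(needed)

def to_allow_rules(needed):
    """Render the summary in the allow-rule syntax used by the policy sources."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(needed.items())]

if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

The generated rules are a starting point for review, not something to paste into policy unread: a denial may indicate the file should carry a different type (as with the renamed types in the relabeling post) rather than that the domain should gain the permission.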