Boolean support in latest SELinux policy.
by Daniel J Walsh
There is a new feature in SELinux that allows you to modify a running
policy. Basically you can define booleans in policy that an admin can
then decide to turn on or off. To allow users to ping you can execute
the following command.
> ping 4.2.2.2
ping: icmp open socket: Permission denied
> show_bools
user_ping --> active: 0 pending: 0
As root
# change_bool user_ping 1
> show_bools
user_ping --> active: 1 pending: 1
> ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
64 bytes from 4.2.2.2: icmp_seq=0 ttl=248 time=10.0 ms
64 bytes from 4.2.2.2: icmp_seq=1 ttl=248 time=10.6 ms
To show the available booleans you can use show_bools.
show_bools
user_ping --> active: 0 pending: 0
SELinux and ReiserFS
by nate@mountaintimes.com
I just had the idea to install FC2 Test 2 with the Reiser file system.
Boot off CD, run "linux reiserfs", format, install everything looks good, but on
boot there's nothing but AVC errors about /sbin/init.
I am suspecting that the Reiser FS problems with SELinux aren't fixed, and this
is an impossible combination.
Am I wrong? Is there a way to install FC2 without issues on a Reiser file
system, if not the option to should be removed and some documentation should be
referenced.
Thanks for a great distro guys.
Nate Solberg
Information Systems Admin
High Country Media Group, LLC
Boone, NC
policy rules for use as Xterminal
by Herald van der Breggen
Hello,
I just installed FC2 on my laptop and changed /etc/inittab for use as
Xterminal:
removed the line
#x:5:respawn:/etc/X11/prefdm -nodaemon
added the line
x:5:respawn:/usr/X11R6/bin/X -query 192.168.1.12
The current policy files don't allow init to start X (which is a symlink
to XFree in the same directory).
avc: denied { execute } for pid=3058 exe=/sbin/init name=XFree86
dev=hda5 ino=395703 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:policy_config_t tclass=file
Question one: should the default set of policy rules not allow this?
Question two: what is the best way to allow init to start the X server?
I am new to selinux and have trouble finding my way. I struggled
with the newrules.pl script (which did not seem to be the right way to solve this
problem) and tried rules like
can_exec(init_t, xserver_exec_t);
can_exec(init_t, xserver_log_t);
which are not enough (still: avc: denied { search } for pid=5116
exe=/usr/X11R6/bin/XFree86 name=tmp dev=hda5 ino=273633
scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmp_t
tclass=dir).
Any help is appreciated!
Herald
--
Herald van der Breggen <herald(a)breggen.xs4all.nl>
kernel install and policy
by Gene Czarcinski
I am not sure which bugzilla report this applies to but ...
1. With the latest policy installed (1.10.2-5) and
2. after running setfiles /etc/security/selinux/file... /dev because the
/dev/loop devices have a variety of selinux attributes
3. I was successfully able to install a kernel with enforcing=1
Progress!
Of course I found another bug but ... that is expected.
Gene
List of selinux issues
by Warren Togami
This is my first time running with selinux enforcement enabled and this
system has been apt upgraded from FC2test1 to latest rawhide, so please
forgive me that some of these will be duplicates and others may be
errors. Please let me know which are not duplicates, and if you want me
to bugzilla them.
To be clear, I did the following in order to ensure that my labels are
correct during runtime. I hope this was correct.
setenforce off
fixfiles relabel
setenforce 1
1) Infinite loop of these messages when using "/sbin/ifup eth0" as
non-root user. This is allowed when enforcement is disabled. CTRL-C is
able to stop the looping.
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc: denied
{ setuid } for pid=2463 exe=/bin/bash capability=7
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=capability
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc: denied
{ setuid } for pid=2463 exe=/usr/sbin/usernetctl capability=7
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=capability
2) "su -" from my non-root user caused this error. I was however
allowed to work as root.
Apr 5 21:07:42 ibmlaptop su(pam_unix)[12399]: session opened for user
root by warren(uid=500)
Apr 5 21:07:42 ibmlaptop su[12399]: pam_xauth: error creating temporary
file `/root/.xauthsDAz4e': Permission denied
Apr 5 21:07:42 ibmlaptop kernel: audit(1081235262.772:0): avc: denied
{ write } for pid=12399 exe=/bin/su name=root dev=hda2 ino=1291809
scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t
tclass=dir
3) Then as root, I used "ifup eth0" which succeeded, but with the
following in /var/log/messages.
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied
{ search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
ino=1389922 scontext=root:system_r:dhcpc_t
tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied
{ search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
ino=1389922 scontext=root:system_r:dhcpc_t
tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:45 ibmlaptop dhclient: can't create
/var/lib/dhcp/dhclient-eth0.leases: Permission denied
Apr 5 21:07:46 ibmlaptop dhclient: sit0: unknown hardware address type 776
Apr 5 21:07:48 ibmlaptop dhclient: DHCPDISCOVER on eth0 to
255.255.255.255 port 67 interval 4
Apr 5 21:07:48 ibmlaptop dhclient: DHCPOFFER from 172.31.16.1
Apr 5 21:07:48 ibmlaptop dhclient: DHCPREQUEST on eth0 to
255.255.255.255 port 67
Apr 5 21:07:48 ibmlaptop dhclient: DHCPACK from 172.31.16.1
Apr 5 21:07:48 ibmlaptop dhclient: can't create
/var/lib/dhcp/dhclient-eth0.leases: Permission denied
Apr 5 21:07:48 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal in
356918 seconds.
Apr 5 21:07:48 ibmlaptop kernel: audit(1081235268.039:0): avc: denied
{ search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
ino=1389922 scontext=root:system_r:dhcpc_t
tcontext=system_u:object_r:home_root_t tclass=dir
4) GNOME mixer_applet2 is unable to reach the device. Strangely this
began failing in permissive mode too, but it works when selinux is
totally disabled and not loaded.
Apr 5 21:07:10 ibmlaptop kernel: audit(1081235230.797:0): avc: denied
{ setattr } for pid=2435 exe=/usr/libexec/mixer_applet2
name=registry.xml dev=hda2 ino=1425367 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:var_t tclass=file
5) This is vmware from the VMWare WS 4.5.1 service startup. The issues
are ... complicated, numerous, and scary looking.
Apr 5 21:06:08 ibmlaptop kernel: vmmon: module license 'unspecified'
taints kernel.
Apr 5 21:06:08 ibmlaptop kernel: vmnet: module license 'unspecified'
taints kernel.
Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc: denied
{ search } for pid=1909 exe=/usr/bin/vmnet-netifup name=net dev=
ino=344 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.867:0): avc: denied
{ search } for pid=1910 exe=/usr/bin/vmnet-netifup name=net dev=
ino=344 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.047:0): avc: denied
{ node_bind } for pid=1931 exe=/usr/bin/vmnet-natd
scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:node_inaddr_any_t tclass=rawip_socket
Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.048:0): avc: denied
{ create } for pid=1931 exe=/usr/bin/vmnet-natd name=vmnat.1931
scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:var_run_t
tclass=sock_file
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium DHCP
Server 2.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 1998,
1999 The Internet Software Consortium.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find
this software useful.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit
http://www.isc.org/dhcp-contrib.html
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium DHCP
Server 2.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 1998,
1999 The Internet Software Consortium.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium DHCP
Server 2.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 1998,
1999 The Internet Software Consortium.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.18.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find
this software useful.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address:
173.31.18.254
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit
http://www.isc.org/dhcp-contrib.html
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Recving on
VNet/vmnet1/173.31.18.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:10 ibmlaptop vmnet-dhcpd: Sending on
VNet/vmnet1/173.31.18.0
Apr 5 21:06:11 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.17.0
Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address:
173.31.17.254
Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Recving on
VNet/vmnet8/173.31.17.0
Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Sending on
VNet/vmnet8/173.31.17.0
Apr 5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc: denied
{ create } for pid=2253 exe=/usr/bin/vmware-nmbd
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=udp_socket
Apr 5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc: denied
{ create } for pid=2253 exe=/usr/bin/vmware-nmbd
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=udp_socket
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.460:0): avc: denied
{ read } for pid=2254 exe=/usr/bin/vmware-smbd name=urandom dev=hda2
ino=1270748 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.461:0): avc: denied
{ read } for pid=2254 exe=/usr/bin/vmware-smbd name=shadow dev=hda2
ino=1963867 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:shadow_t tclass=file
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc: denied
{ setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=capability
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc: denied
{ setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=capability
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.805:0): avc: denied
{ setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=capability
Apr 5 21:06:16 ibmlaptop last message repeated 2 times
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc: denied
{ read } for pid=2254 exe=/usr/bin/vmware-smbd name=printcap dev=hda2
ino=1962265 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc: denied
{ create } for pid=2254 exe=/usr/bin/vmware-smbd
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=udp_socket
Apr 5 21:06:17 ibmlaptop kernel: audit(1081235177.041:0): avc: denied
{ sys_resource } for pid=2254 exe=/usr/bin/vmware-smbd capability=24
scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t
tclass=capability
Re: Another dumb question...
by Jonathan Rawle
On Fri, 02 Apr 2004 Stephen Smalley wrote:
>> Everything that I've read says that the 'su' command will change my
>> Linux user ID but not my identity. Here's what I see:
>>
>> # id -Z
>> root:staff_r:staff_t
>> # su fred
>> Your default context is fred:sysadm_r:sysadm_t.
>>
>> Do you want to choose a different one? [n]n
>> $ id -Z
>> fred:sysadm_r:sysadm_t
>>
>> My identity changed from 'root' to 'fred'. Bug? That seems a pretty
>> fundamental flaw considering that every document that I've read uses
>> 'su' to explain the difference between a user ID and an identity.
>>
>> By the way, I see the same result whether I use 'su' or 'su -'. I see
>> the same result (a change in identity) whether I su from root to fred
>> or from fred to root.
>>
>> So which one is right? The documentation or the code?
>
> RedHat chose to integrate security context transitions into su (via
> pam_selinux). The NSA documentation and externally developed
> sourceforge selinux HOWTOs/FAQs were written prior to that change.
Unlike some posters here, I think SELinux is great, and I don't mean this
to be a flame.
But reading the existing documentation, I thought the idea of a SELinux
identity being separate from the Unix user ID was that it couldn't change,
so that it was possible to track people's activity, hold administrators to
account, and to ensure users couldn't obtain escalating privileges.
If RedHat have made the SELinux identity change with su, then it is
identical to the Unix ID. Surely this weakens some of the security
provided by SELinux? Hopefully someone can explain why I'm wrong!
P.S. please can we add this list to Gmane? I read other Fedora lists
there, but I've avoided subscribing to this one as I prefer to use a
newsgroup interface.
Jonathan
/sbin/service and /usr/sbin/run_init
by Gene Czarcinski
The various selinux documentation states that /usr/sbin/run_init should be
used to start the various scripts in /etc/init.d/ to ensure that they have
the correct selinux characteristics.
I notice that service does not use run_init. Is this a problem?
Gene
cups package upgrade
by Warren Togami
Apr 6 13:11:20 ibmlaptop cups: cupsd shutdown succeeded
Apr 6 13:11:20 ibmlaptop kernel: audit(1081293080.182:0): avc: denied
{ read } for pid=15075 exe=/usr/sbin/cupsd path=pipe:[20082] dev=
ino=20082 scontext=root:system_r:cupsd_t tcontext=root:sysadm_r:rpm_t
tclass=fifo_file
Apr 6 13:11:21 ibmlaptop cups: cupsd startup succeeded
During cups package upgrade with enforcement enabled.
Warren
nsupdate and netlink_socket AVCs
by Aleksey Nogin
If I attempt to use nsupdate from under an ordinary user (which
shouldn't be a problem, should it?), then I see
audit(1079022100.499:0): avc: denied { bind } for pid=18759
exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.499:0): avc: denied { getattr } for pid=18759
exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.499:0): avc: denied { write } for pid=18759
exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.500:0): avc: denied { read } for pid=18759
exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=netlink_socket
Not sure what this is all about.
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
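An added triage helper, not code from any of the posts above, for the AVC denial lines that Herald, Warren and Aleksey quote: it re-joins records the mail client wrapped, parses the 2004-era "avc: denied { perms } for key=value ..." format (with or without the syslog and audit() prefix), collapses repeats and renders the allow rule each denial corresponds to. The sample log is constructed in the shape of the dhclient and XFree86 denials above; "self" is used where source and target context coincide, as in the capability denials.

```python
import re
from collections import Counter

# Denial format in these posts: optional syslog/audit prefix, then "avc: denied { perms } for key=value ...".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")  # \S* also accepts the empty "dev=" seen in the vmware lines
START_RE = re.compile(r"^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s|audit\(|avc:)")  # new record

# Constructed sample, shaped like the dhclient and XFree86 denials quoted above.
SAMPLE = """\
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied
{ search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
ino=1389922 scontext=root:system_r:dhcpc_t
tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:48 ibmlaptop kernel: audit(1081235268.039:0): avc: denied { search } for pid=12493
exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:48 ibmlaptop dhclient: can't create /var/lib/dhcp/dhclient-eth0.leases: Permission denied
avc: denied { execute } for pid=3058 exe=/sbin/init name=XFree86 dev=hda5
ino=395703 scontext=system_u:system_r:init_t tcontext=system_u:object_r:policy_config_t tclass=file
"""

def unwrap(text):
    """Re-join log records that a mail client wrapped onto several lines."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if START_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records
def parse_avc(record):
    """Return the fields of one denial as a dict, or None for a non-AVC record."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    fields["perms"] = tuple(sorted(m.group("perms").split()))
    return fields
def suggest_rule(f):
    """Render the allow rule this denial corresponds to (source type, target type or self)."""
    src = f["scontext"].split(":")[2]
    tgt = "self" if f["scontext"] == f["tcontext"] else f["tcontext"].split(":")[2]
    return "allow %s %s:%s { %s };" % (src, tgt, f["tclass"], " ".join(f["perms"]))
def summarize(text):
    """Collapse repeated denials into (rule, count) pairs, most frequent first."""
    counts = Counter()
    for fields in filter(None, map(parse_avc, unwrap(text))):
        counts[suggest_rule(fields)] += 1
    return counts.most_common()
```

A rendered rule is a pointer for investigation rather than something to add as-is: init_t being denied execute on a file labelled policy_config_t, as in Herald's post, suggests a mislabelled file, where relabelling is the fix.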