updated SELinux FAQ
by Karsten Wade
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/
There have been some useful changes:
* Table of contents for questions
* Questions divided by subject
* Content updated
Now is a good time to give me suggestions for the Fedora Core 2 final
release. File a bugzilla report with a new question (and answer, if you
can) -- there is a link in the FAQ in the "Making changes/additions to
the Fedora SELinux FAQ" box.
Use the same link if you find any errors.
Thanks - Karsten
--
Karsten Wade, Tech Writer
this .signature subject to random changes
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
19 years, 10 months
Humpty Dumpty
by Bob Gustafson
I have newly arrived at the dangerous stage of SELinux testing - and have a
few questions.
Some recent history:
Yesterday I downloaded some of the SELinux tool stuff and rebuilt it
from the SRPMS. (This may not have been necessary).
I was able to get the apol application up and running (but I think I
need glasses - font size is a bit small) [- rich, thin, big enough screen]
The application 'seuser' did not seem to be able to find the policy.conf
file. I found the .tcl file and hacked a bit on that, but tcl is not a
native language for me. (Today I found the /usr/share/setools/seuser.conf
file with the missing 'policy' in the policy.conf path)
Also there was something about the file_contexts - it was a file instead
of a directory at one point - so I deleted the file and redid some steps
and found a populated directory afterwards - so I must have done
something (correctly?).
[Sorry about the lack of specifics - I was just playing around - thinking
that I would probably have to do it over again later - once I knew what
I was doing]
------
Then I found an application 'System Settings -> Security Level'. With
this tool, I could turn my firewall on and also turn on something in
SELinux. The SELinux button said 'Active'. I clicked on it and
saw options 'Warn' and 'Disabled'. Then I went back to the Firewall
settings and decided not to do anything there. Clicking the OK button at
the bottom gave me a dialog box - something about 'do you want security to be on'.
Since I thought security was already on, I clicked on yes...
It was soon after that I attempted to 'su' -- and found out that I could
not. This was (fortunately) not a production system. Even though I knew
that Humpty had fallen off the wall, I figured that after a reboot - the
problems would go away.
Not. The reboot only progressed about half way. There were extra
messages on the console screen. (This message repeated 63067847
times...) The messages stopped. I was concerned that the log files had
filled up the remaining 35G of disk space. I hit the power switch.
I mounted the root SCSI disk on another (non SELinux) system and saw the
file:
[root@hoho2 sysconfig]# pwd
/etc/sysconfig
[root@hoho2 sysconfig]# cat system-config-securitylevel
# Configuration file for system-config-securitylevel
--enabled
[root@hoho2 sysconfig]#
I went in with vim and changed the last line to read '--disabled' and
then attempted to reboot the SELinux enabled system.
No go - there was still something set that was preventing me from
booting. I did not even get far enough to try to log on.
-----
Fortunately, I had printed out some of the SELinux documentation
(printed out, not read as yet). I noticed an email message from Hannes
Mayer saying to pass 'selinux=0' to grub at boot time.
This I did, and wonderfully my system booted up. It did not even have
the pesky extra error messages which I had noticed for awhile when
booting my running system - 'avc denied', etc.
Reading a bit more of the email archive this morning, particularly the
helpful message from Tom Mitchell - Mon, 3 May 2004 17:36:30 -0700
I went into grub.conf and added 'enforcing=0 selinux=1' to the kernel
line and then rebooted.
Success - it looks like things are back to the point where I can do more
testing.
My immediate objective is to configure things so that I can turn
enforcing on and successfully boot my system. Maybe this is not yet
possible (not enough file_contexts set?).
A lesser goal would be to dynamically set and (hopefully) unset the
enforcing parameter as mentioned later in Tom Mitchell's timely and very
helpful email message - and then see what problems develop - in a
(hopefully) controlled environment.
Questions:
What versions of what software are currently SELinux enabled? I have rpm
4.3.1 - does that rpm do the right thing as far as installing the extra
file contexts?
What happens if I do an up2date. Will I load in non-SELinux programs which
will undo everything learned up to that point?
[I have FC2(Test3) installed and updated to the point where there are no
more updates available - and this is with a few extra 'source' paths]
How do I determine whether essential programs are still SELinux enabled?
What is rawhide? Is that a collection of setools? (or an ancient Fedora image?)
(I would like to creep up on the concept of SecurityEnabled with lots of
log messages, but not too many.. :-) )
How can I make the file context messages go away -correctly- (i.e., by
setting the file contexts)? Is there a mass process that will tweak all
files?
Fedora Core release 1.92 (FC2 Test 3)
Kernel 2.6.5-1.327custom on an i686
hoho2 login: user1
Password:
Last login: Tue May 4 10:41:38 from TZ
[user1@hoho2 user1]$ su
Password:
audit(1083685732.396:0): avc: denied { transition } for pid=2176 exe=/bin/su path=/bin/bash dev=sda2 ino=2605063 scontext=user_u:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
I can guess that something is objectionable here, but see below when I did
it again
[root@hoho2 user1]# exit
[user1@hoho2 user1]$ date
Tue May 4 10:50:49 CDT 2004
[user1@hoho2 user1]$ su
Password:
[root@hoho2 user1]#
See, here I did another su, but did not get log messages. Why?
..
..
Could someone comment on the 'meaning' of some of these log messages (the
SELinux generated ones - the other lines are left for context)?
[root@hoho2 sysconfig]# date
Tue May 4 10:54:45 CDT 2004
[root@hoho2 sysconfig]# tail /var/log/messages
May 4 10:48:33 hoho2 messagebus: messagebus startup succeeded
May 4 10:48:44 hoho2 login(pam_unix)[2136]: session opened for user user1 by LOGIN(uid=0)
May 4 10:48:44 hoho2 login[2136]: Warning! Could not get current context for /dev/tty1, not relabeling.
May 4 10:48:45 hoho2 -- user1[2136]: LOGIN ON tty1 BY user1
May 4 10:48:52 hoho2 su(pam_unix)[2175]: session opened for user root by user1(uid=500)
May 4 10:48:52 hoho2 su[2175]: Warning! Could not get current context for /dev/tty1, not relabeling.
May 4 10:48:52 hoho2 kernel: audit(1083685732.396:0): avc: denied { transition } for pid=2176 exe=/bin/su path=/bin/bash dev=sda2 ino=2605063 scontext=user_u:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
May 4 10:50:23 hoho2 su(pam_unix)[2175]: session closed for user root
May 4 10:50:55 hoho2 su(pam_unix)[2204]: session opened for user root by user1(uid=500)
May 4 10:50:55 hoho2 su[2204]: Warning! Could not get current context for /dev/tty1, not relabeling.
[root@hoho2 sysconfig]#
Thanks much. SELinux seems as though it might become a usable standard.
The human path/process is important for newbie testers though. Too many
rocks and the extra eyeballs get discouraged.
19 years, 10 months
nVIDIA binary driver audits generated by OpenGL apps
by Andrew Farris
I am working toward getting Enforcing mode to work with the nvidia
binary drivers, and having some difficulties. I see that there is some
policy with this intention, but it is not quite adequate yet, as below.
Some hints on how to proceed, or solutions to this, would be appreciated.
Running enforcing with /dev/nvidia* labeled as xserver_misc_device_t:
Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc: denied { read write } for pid=15200 exe=/usr/X11R6/bin/glxinfo name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc: denied { read write } for pid=15209 exe=/usr/X11R6/bin/glxgears name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
The X server can start up as normal user without any audit of X itself
starting. When X is started in permissive mode only these audits appear,
but glxgears and glxinfo work as expected. These programs, and all my
other OpenGL apps, need access to /dev/nvidiactl.
The error message generated at command prompt in enforcing mode is:
Error: Could not open /dev/nvidiactl because the permissions
are too restrictive. Please see the FREQUENTLY ASKED QUESTIONS
section of /usr/share/doc/NVIDIA_GLX-1.0/README for steps
to correct.
Although the unix perms of the device nodes are all identical as below:
crw-rw-rw- 0 0 system_u:object_r:xserver_misc_device_t /dev/nvidiactl
crw-rw-rw- 1 0 0 195, 255 Apr 17 16:28 /dev/nvidiactl
To relabel the devices I uncommented the definition of
xserver_misc_device_t from ./types/device.te, and added the following
line to ./file_contexts/program/xserver.fc (then make reload, followed
by setfiles on these devices).
/dev/nvidia.* system_u:object_r:xserver_misc_device_t
And I rely on these (there are 4) lines in policy.conf after the make (I
do not understand how these are generated yet).
allow user_xserver_t xserver_misc_device_t:chr_file { ioctl read getattr
lock write append };
When running enforcing with the /dev/nvidia* devices labeled as
dri_device_t (had to try), the same behavior exists, X runs.. but
glxgears/glxinfo (and GL games) cannot access the nvidiactl device.
--
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora(a)andrewfarris.com :: lmorgul on irc.freenode.net
"The only thing necessary for the triumph of evil is for good men
to do nothing." (Edmond Burke)
19 years, 10 months
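As an added example (not code from the thread, from the nvidia driver or from libselinux), here is a small Python model of how setfiles decides which label a path gets from file_contexts entries like the /dev/nvidia.* line Andrew Farris added above. It also answers the question in 'Humpty Dumpty' about what a mass relabel actually does to each file. The file_contexts fragment and the inventory of paths are constructed for illustration; the device_t and dri_device_t entries are assumptions modelled on the types named in this thread, not copied from any policy release.

```python
"""Model of how setfiles/matchpathcon choose a label from file_contexts.

Added example, not code from the thread, the nvidia driver or libselinux.
It implements the documented matching rules: each regex is anchored at both
ends, the optional middle field restricts the file type, and the last
matching entry wins. Sample entries and the path inventory are constructed.
"""
import re
import stat
from typing import Dict, List, NamedTuple, Optional

# Optional file-type qualifier in an entry -> the st_mode type it selects.
TYPE_QUALIFIERS = {
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-c": stat.S_IFCHR, "-b": stat.S_IFBLK,
    "-s": stat.S_IFSOCK, "-l": stat.S_IFLNK, "-p": stat.S_IFIFO,
}


class Spec(NamedTuple):
    regex: re.Pattern
    ftype: Optional[int]   # None: the entry applies to every file type
    context: str           # "<<none>>" tells setfiles to leave the file alone


def parse_file_contexts(text: str) -> List[Spec]:
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, qualifier, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in TYPE_QUALIFIERS:
            pattern, qualifier, context = fields
        else:
            raise ValueError(f"file_contexts line {lineno}: malformed entry {raw!r}")
        ftype = TYPE_QUALIFIERS[qualifier] if qualifier else None
        specs.append(Spec(re.compile(pattern), ftype, context))
    return specs


def lookup(specs: List[Spec], path: str, mode: int) -> Optional[str]:
    """Label for `path` whose lstat() st_mode is `mode`; None if no entry applies."""
    for spec in reversed(specs):                 # last matching entry wins
        if spec.ftype is not None and stat.S_IFMT(mode) != spec.ftype:
            continue
        if spec.regex.fullmatch(path):           # fullmatch == the ^...$ anchoring setfiles adds
            return None if spec.context == "<<none>>" else spec.context
    return None


def label_tree(file_contexts: str, tree: Dict[str, int]) -> Dict[str, Optional[str]]:
    """Label every (path, st_mode) pair in `tree` the way a relabel pass would."""
    specs = parse_file_contexts(file_contexts)
    return {path: lookup(specs, path, mode) for path, mode in tree.items()}


# Constructed fragment: the posted /dev/nvidia.* entry plus a generic /dev entry
# (placed first so that the specific entries override it) and a dri entry.
SAMPLE_FILE_CONTEXTS = """
/dev(/.*)?                   system_u:object_r:device_t
/dev/dri/.*            -c    system_u:object_r:dri_device_t
/dev/nvidia.*                system_u:object_r:xserver_misc_device_t
"""

# Same fragment with the nvidia entry restricted to character devices.
TIGHTENED_FILE_CONTEXTS = """
/dev(/.*)?                   system_u:object_r:device_t
/dev/dri/.*            -c    system_u:object_r:dri_device_t
/dev/nvidia.*          -c    system_u:object_r:xserver_misc_device_t
"""

# Constructed inventory: path -> file type as lstat() would report it.
SAMPLE_TREE = {
    "/dev/nvidiactl": stat.S_IFCHR,
    "/dev/nvidia0": stat.S_IFCHR,
    "/dev/nvidia-stray": stat.S_IFREG,   # hypothetical regular file left in /dev
    "/dev/dri/card0": stat.S_IFCHR,
    "/dev/null": stat.S_IFCHR,
}

if __name__ == "__main__":
    for title, fc in (("as posted", SAMPLE_FILE_CONTEXTS), ("with -c", TIGHTENED_FILE_CONTEXTS)):
        print(f"--- {title}")
        for path, ctx in label_tree(fc, SAMPLE_TREE).items():
            print(f"{path:20} {ctx}")
```

The two fragments differ only in the qualifier on the nvidia entry. As posted, `/dev/nvidia.*` carries no type field, so any name under /dev that starts with nvidia, whatever kind of file it is, becomes xserver_misc_device_t; with `-c` the entry applies only to character devices, which is what the driver's nodes are (the crw listing in the post), and a stray regular file falls back to the generic /dev entry.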
Cron daily denials
by Leonard den Ottolander
Hi,
Recently installed FC2t3 on an old Pentium 166 with a screwy clock
(guess I've got to change the battery), so my daily cron job just ran.
This system hasn't been updated to rawhide yet, but I thought I'd
mention the denied messages for the cron job anyway:
May 6 04:02:08 a3aan kernel: audit(1083808928.538:0): avc: denied { read } for pid=1276 exe=/bin/cat name=access_log dev=hda2 ino=390182 scontext=system_u:system_r:system_crond_t tcontext=root:object_r:httpd_log_t tclass=file
May 6 04:02:13 a3aan kernel: audit(1083808933.148:0): avc: denied { read } for pid=1311 exe=/usr/bin/webalizer name=access_log dev=hda2 ino=390182 scontext=system_u:system_r:system_crond_t tcontext=root:object_r:httpd_log_t tclass=file
May 6 04:02:14 a3aan kernel: audit(1083808934.725:0): avc: denied { read } for pid=1323 exe=/sbin/consoletype path=pipe:[2533] dev= ino=2533 scontext=system_u:system_r:consoletype_t tcontext=system_u:system_r:crond_t tclass=fifo_file
May 6 04:02:14 a3aan kernel: audit(1083808934.725:0): avc: denied { use } for pid=1323 exe=/sbin/consoletype path=/dev/null dev=hda2 ino=66292 scontext=system_u:system_r:consoletype_t tcontext=system_u:system_r:logrotate_t tclass=fd
Apache was started for the first time just 10 minutes ago, maybe that
explains the denials on access_log?
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research
19 years, 10 months
Staff X server should be able to output to staff tty.
by Aleksey Nogin
allow staff_xserver_t staff_devpts_t:chr_file { read write };
audit(1083717236.610:0): avc: denied { read write } for pid=3337 exe=/usr/X11R6/bin/Xorg path=/dev/pts/5 dev= ino=7 scontext=aleksey:staff_r:staff_xserver_t tcontext=aleksey:object_r:staff_devpts_t tclass=chr_file
audit(1083717236.610:0): avc: denied { read write } for pid=3337 exe=/usr/X11R6/bin/Xorg path=/dev/pts/5 dev= ino=7 scontext=aleksey:staff_r:staff_xserver_t tcontext=aleksey:object_r:staff_devpts_t tclass=chr_file
policy-sources-1.11.2-21
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
19 years, 10 months
Setools 1.3.1 released
by Karl MacMillan
Setools version 1.3.1 has been released and is available from the SELinux
SourceForge cvs repository and http://www.tresys.com/selinux/index.html.
This is a minor release that fixes the following bugs:
- Changed default policy location for seuser.
- Fixed object class filtering in transitive information flow.
- Minor bug fix for sepcut and libseuser.
Karl
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134
19 years, 10 months
avc denied messages from setfiles
by Richard Hally
Below are some avc denied messages produced from running "fixfiles
restore" in enforcing mode with updated policy-1.11.2-21.
Richard Hally
May 2 14:38:19 localhost kernel: audit(1083523099.396:0): avc: denied { getattr } for pid=31565 exe=/usr/sbin/setfiles path=/var/named/chroot/var/named/chroot/dev/null dev=hdc3 ino=2453550 scontext=root:sysadm_r:setfiles_t tcontext=system_u:object_r:named_conf_t tclass=chr_file
May 2 14:38:19 localhost kernel: audit(1083523099.397:0): avc: denied { getattr } for pid=31565 exe=/usr/sbin/setfiles path=/var/named/chroot/var/named/chroot/dev/null dev=hdc3 ino=2453550 scontext=root:sysadm_r:setfiles_t tcontext=system_u:object_r:named_conf_t tclass=chr_file
May 2 14:38:19 localhost kernel: audit(1083523099.397:0): avc: denied { getattr } for pid=31565 exe=/usr/sbin/setfiles path=/var/named/chroot/var/named/chroot/dev/random dev=hdc3 ino=2453551 scontext=root:sysadm_r:setfiles_t tcontext=system_u:object_r:named_conf_t tclass=chr_file
May 2 14:38:19 localhost kernel: audit(1083523099.398:0): avc: denied { getattr } for pid=31565 exe=/usr/sbin/setfiles path=/var/named/chroot/var/named/chroot/dev/random dev=hdc3 ino=2453551 scontext=root:sysadm_r:setfiles_t tcontext=system_u:object_r:named_conf_t tclass=chr_file
19 years, 10 months
experimental relaxed policy
by Colin Walters
Hi,
There has been some work done on a "relaxed" policy. The intention of
this policy is to simply protect system daemons, and not user logins.
Right now there is just a policy for apache (which doesn't really work
due to a kernel bug). Everything else runs in an "unconfined_t" domain,
which essentially has every SELinux permission, and thus you are back to
relying on DAC.
But we'll be working on improving this policy. Right now the binary
packages are called policy-relaxed and policy-relaxed-sources. This is
likely to change.
If you want to experiment with this, please see:
http://people.redhat.com/~walters/selinux/
Again, much is likely to change, so you should basically only try this
now if you are willing to help hack on it :)
19 years, 10 months
Policy file for 'aide' and/or 'tripwire'?
by Valdis.Kletnieks@vt.edu
Has anybody already done a policy file for Tripwire or its
open-sourced replacement 'aide'?
Trying to run 'tripwire --check' from a cron job gets this:
Apr 27 04:03:37 orange kernel: audit(1083053017.355:0): avc: denied { write } for pid=14045 exe=/usr/sbin/tripwire name=tripwire dev=dm-5 ino=22529 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:var_t tclass=dir
when trying to open the TEMPDIRECTORY directory:
# ls -ld --context /var/tripwire/
drwx------+ root root system_u:object_r:var_t /var/tripwire/
(The actual database files are here:
# ls --context /var/lib/tripwire
-rw-------+ root root system_u:object_r:var_lib_t orange.cirt.vt.edu.twd
-rw------- root root system_u:object_r:var_lib_t orange.cirt.vt.edu.twd.bak
drwxr-xr-x+ root root system_u:object_r:var_lib_t report
It occurs to me that it would be simple but incorrect to just use setfilecon
to coerce the contexts into something that works, and that a separate
set of tripwire_t and/or aide_t contexts is probably desired. Having no wish
to reinvent the wheel, has anybody done this already?
19 years, 10 months
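For the denials quoted in 'Humpty Dumpty', 'Cron daily denials', 'Staff X server should be able to output to staff tty', 'avc denied messages from setfiles' and this post, here is an added example (not code from the thread or from any SELinux tool, although audit2allow does the same job) that parses the audit(...) avc: denied format and drafts the allow rule each denial implies, the way Aleksey Nogin wrote his staff_xserver_t rule by hand from his log lines. The sample lines are copied from the messages in this thread, re-joined onto single lines, with one ordinary syslog line added; the function names are my own.

```python
"""Summarise 'avc: denied' syslog lines and draft the allow rules they imply.

Added example (a miniature audit2allow), not code from the thread or from any
SELinux tool. It parses the audit(...) avc format quoted in the messages above.
"""
import re
from collections import defaultdict
from typing import Any, Dict, Iterable, List, Optional, Set, Tuple

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # an empty value (dev= for pipes and ptys) is legal

RuleKey = Tuple[str, str, str]          # (source type, target type, object class)


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Fields of one denial as a dict (perms as a set), or None if not an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, Any] = dict(FIELD_RE.findall(m.group("fields")))
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None
    rec["perms"] = set(m.group("perms").split())
    return rec


def context_type(ctx: str) -> str:
    """'user:role:type' -> 'type'."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def draft_rules(lines: Iterable[str]) -> List[str]:
    """One allow rule per (source type, target type, class), permissions merged."""
    wanted: Dict[RuleKey, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        wanted[key] |= rec["perms"]
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(wanted.items())]


def denials_by_exe(lines: Iterable[str]) -> Dict[str, int]:
    """How many denials each executable produced: read this before touching policy."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            counts[rec.get("exe", "?")] += 1
    return dict(counts)


# Denials copied from the messages in this thread, re-joined onto single lines,
# plus one ordinary syslog line to show that non-AVC input is ignored.
SAMPLE_LOG = [
    "May 6 04:02:08 a3aan kernel: audit(1083808928.538:0): avc: denied { read } for pid=1276 exe=/bin/cat name=access_log dev=hda2 ino=390182 scontext=system_u:system_r:system_crond_t tcontext=root:object_r:httpd_log_t tclass=file",
    "May 6 04:02:13 a3aan kernel: audit(1083808933.148:0): avc: denied { read } for pid=1311 exe=/usr/bin/webalizer name=access_log dev=hda2 ino=390182 scontext=system_u:system_r:system_crond_t tcontext=root:object_r:httpd_log_t tclass=file",
    "May 6 04:02:14 a3aan kernel: audit(1083808934.725:0): avc: denied { read } for pid=1323 exe=/sbin/consoletype path=pipe:[2533] dev= ino=2533 scontext=system_u:system_r:consoletype_t tcontext=system_u:system_r:crond_t tclass=fifo_file",
    "audit(1083717236.610:0): avc: denied { read write } for pid=3337 exe=/usr/X11R6/bin/Xorg path=/dev/pts/5 dev= ino=7 scontext=aleksey:staff_r:staff_xserver_t tcontext=aleksey:object_r:staff_devpts_t tclass=chr_file",
    "Apr 27 04:03:37 orange kernel: audit(1083053017.355:0): avc: denied { write } for pid=14045 exe=/usr/sbin/tripwire name=tripwire dev=dm-5 ino=22529 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:var_t tclass=dir",
    "May 6 04:02:08 a3aan messagebus: messagebus startup succeeded",
]

if __name__ == "__main__":
    for exe, n in sorted(denials_by_exe(SAMPLE_LOG).items()):
        print(f"{n:3d}  {exe}")
    print()
    print("\n".join(draft_rules(SAMPLE_LOG)))
```

The drafted rules are a reading aid, not something to load as-is: the cat and webalizer denials collapse into a single `allow system_crond_t httpd_log_t:file { read };`, which makes the real question visible (should a cron job read web logs at all, or should webalizer get its own domain), and the tripwire denial is exactly the case where, as Valdis says, a separate tripwire_t domain is the right answer rather than letting system_crond_t write to var_t directories.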
Core 2 SELinux installation
by Nick
From the message titled 'Fedora Core 2 and SELinux':
> SELinux *will* be included in Fedora Core 2 test 3 and the final
> Fedora Core 2 release. However, SELinux will be disabled by default.
> To install with SELinux support, pass 'selinux' to the installer
> on the command line. (Or, configure it appropriately in kickstart).
Why are we using the command line option to install the SELinux process? I
provided a comps.xml skeleton to the SEL list that I used to add SEL to
Core 1. In the original framework I just added dependencies that were
not on the std Linux install (i.e. sharutils). A follow-through to this
could provide a separate selection within the group for policy tools and
source to allow the installer to put the source in place as well (as
shown in the category section below).
<group>
  <id>selinux</id>
  <uservisible>true</uservisible>
  <default>true</default>
  <name>SELinux Installation</name>
  <description>Install this group of packages to configure the system
  for SELinux installation.</description>
  <grouplist>
  </grouplist>
  <packagelist>
    <packagereq type="mandatory">sharutils</packagereq>
    <packagereq type="mandatory">linuxdoc-tools</packagereq>
    <packagereq type="mandatory">netpbm-progs</packagereq>
    <packagereq type="mandatory">tetex-latex</packagereq>
    <packagereq type="mandatory">autoconf213</packagereq>
    <packagereq type="mandatory">elfutils-devel</packagereq>
    <packagereq type="mandatory">libcroco-devel</packagereq>
  </packagelist>
</group>
<category>
  <name>SELinux</name>
  <subcategories>
    <subcategory>selinux</subcategory>
    <subcategory>policy tools/source</subcategory>
  </subcategories>
</category>
--
Nick Gray
Senior Systems Engineer
Bruzenak Inc.
nagray(a)austin.rr.com
(512) 331-7998
19 years, 10 months