Has the boot param syntax/semantics changed?
by Bob Gustafson
I have been using 'selinux=1 enforcing=0' with the thought that my system
will work, but if things are not right, an avc message will appear in my
log files.
The /etc/selinux/config file had the contents
[root@hoho2 user1]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcinfg - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
#SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=strict
POLICYTYPE=strict
[root@hoho2 user1]#
I was dutifully going to 'init 1' and doing 'fixfiles relabel' after every
update of policy or selinux related software - and then rebooting.
[I still got lots of avc messages]
Then I changed the /etc/selinux/config to the version shown below and rebooted.
I got far fewer messages, and I was even able to go to root when clicking on
gnome applications that required higher priority (with above config
contents, whatever I typed was not enough, gnome kept coming back for more)
[root@hoho2 user1]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcinfg - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
#SELINUX=disabled
SELINUX=enforcing
#SELINUXTYPE=strict
SELINUXTYPE=permissive
POLICYTYPE=strict
[root@hoho2 user1]#
My assumption has been that the boot parameters override the contents of
the /etc/selinux/config file, and that the boot param 'enforcing=0' will
make the selinux a permissive one.
Have these assumptions changed?
19 years, 10 months
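An added example, not part of the post above: a small checker for /etc/selinux/config that parses the two configs quoted in the post (reproduced here as constructed strings) and a kernel command line. It flags the mistake in the second config, where a mode name ("permissive") was put into SELINUXTYPE=, which names a policy directory rather than a mode. The effective_mode() rule (selinux=0 disables, enforcing=0/1 selects permissive/enforcing) is the documented meaning of those kernel parameters; treating a config mode of "disabled" as final is an assumption noted in the code.

```python
# Added example, not from the list post: sanity-check /etc/selinux/config text
# and work out the mode the kernel command line leaves the system in.
VALID_MODES = ("enforcing", "permissive", "disabled")

# Constructed inputs modelled on the two configs quoted in the post.
CONFIG_FIRST = """\
# This file controls the state of SELinux on the system.
#SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=strict
POLICYTYPE=strict
"""

CONFIG_SECOND = """\
#SELINUX=disabled
SELINUX=enforcing
#SELINUXTYPE=strict
SELINUXTYPE=permissive
POLICYTYPE=strict
"""


def parse_selinux_config(text):
    """Return KEY -> value for uncommented KEY=value lines; later lines win."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.split("#", 1)[0].strip()
    return cfg


def check_selinux_config(text):
    """Return a list of problems; an empty list means the file is self-consistent."""
    cfg = parse_selinux_config(text)
    problems = []
    mode = cfg.get("SELINUX")
    if mode is None:
        problems.append("SELINUX= is not set")
    elif mode not in VALID_MODES:
        problems.append(f"SELINUX={mode} is not one of {'/'.join(VALID_MODES)}")
    ptype = cfg.get("SELINUXTYPE")
    if ptype is None:
        problems.append("SELINUXTYPE= is not set")
    elif ptype in VALID_MODES:
        problems.append(
            f"SELINUXTYPE={ptype} is a mode, not a policy name; "
            "the mode belongs in SELINUX="
        )
    return problems


def effective_mode(config_mode, cmdline):
    """Mode after the kernel parameters are applied.

    selinux=0 disables SELinux outright; enforcing=0 / enforcing=1 select
    permissive / enforcing unless SELinux is disabled. A config mode of
    'disabled' is left alone (assumption: no policy gets loaded then).
    """
    mode = config_mode
    for arg in cmdline.split():
        if arg == "selinux=0":
            mode = "disabled"
        elif arg == "enforcing=0" and mode != "disabled":
            mode = "permissive"
        elif arg == "enforcing=1" and mode != "disabled":
            mode = "enforcing"
    return mode


if __name__ == "__main__":
    for name, text in (("first", CONFIG_FIRST), ("second", CONFIG_SECOND)):
        print(name, check_selinux_config(text) or "ok")
    print(effective_mode("enforcing", "ro root=/dev/hda2 selinux=1 enforcing=0"))
```

Run against the second config the checker reports the SELINUXTYPE=permissive line; with the first config it reports nothing, and "selinux=1 enforcing=0" on the command line yields permissive mode whatever SELINUX= says.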
How to properly upgrade policy
by Ivan Gyurdiev
What's the proper way to upgrade the selinux policy?
yum and rpm leave me with .rpmnew files every single time.
I assume I'm supposed to manually overwrite the old ones. Is that so?
warning: /etc/selinux/strict/contexts/files/file_contexts created as /etc/selinux/strict/contexts/files/file_contexts.rpmnew
selinux-policy-strict 39 % done warning: /etc/selinux/strict/policy/policy.17 created as /etc/selinux/strict/policy/policy.17.rpmnew
selinux-policy-strict 100 % done 30/144
warning: /etc/selinux/targeted/contexts/files/file_contexts created as /etc/selinux/targeted/contexts/files/file_contexts.rpmnew
selinux-policy-targeted 100 % done 31/144
Do I need to run make relabel?
19 years, 10 months
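An added example, not part of the post: a script that finds the .rpmnew files rpm leaves behind under a policy tree, pairs each with the file it shadows, and reports whether the pair is byte-identical (the .rpmnew can simply be removed), differs (a manual merge is needed), or has no original beside it. The directory layout it builds is constructed for the demo and only mirrors the paths in the rpm warnings above; on a real host the root would be /etc/selinux.

```python
import filecmp
import os
import tempfile

# Added example, not from the list post: triage *.rpmnew files under a root.


def find_rpmnew(root):
    """Return sorted (rpmnew_path, original_path, status) triples.

    status is 'identical', 'differs', or 'orphan' (no original beside it).
    """
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".rpmnew"):
                continue
            new = os.path.join(dirpath, name)
            orig = new[: -len(".rpmnew")]
            if not os.path.exists(orig):
                status = "orphan"
            elif filecmp.cmp(new, orig, shallow=False):
                status = "identical"
            else:
                status = "differs"
            results.append((new, orig, status))
    return sorted(results)


def build_sample_tree():
    """Create a constructed layout mirroring the rpm warnings in the post."""
    root = tempfile.mkdtemp(prefix="selinux-demo-")
    layout = {
        # upgraded file_contexts gained an entry: needs a merge
        "strict/contexts/files/file_contexts":
            "/etc(/.*)?  system_u:object_r:etc_t\n",
        "strict/contexts/files/file_contexts.rpmnew":
            "/etc(/.*)?  system_u:object_r:etc_t\n"
            "/var/lib(64)?/nfs/rpc_pipefs(/*)?  <<none>>\n",
        # binary policy unchanged: the .rpmnew is redundant
        "strict/policy/policy.17": "placeholder-binary-policy",
        "strict/policy/policy.17.rpmnew": "placeholder-binary-policy",
        # .rpmnew without an installed counterpart
        "targeted/contexts/files/file_contexts.rpmnew":
            "/.*  system_u:object_r:default_t\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for new, orig, status in find_rpmnew(build_sample_tree()):
        print(f"{status:9s} {new}")
```

Whatever the outcome of the merge, the file_contexts change is the one that matters for the relabel question: once the installed file_contexts differs from the one the last relabel used, the files it newly covers will carry stale labels until setfiles or restorecon is run again.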
VMWare config issue (Newbie)
by Earl
All,
I'm just learning so forgive the trivial nature of the
question:
FC2, Installed VMWare workstation 4.5x, unable to run
configuration script, just "yum-ed" so I'm up to date,
relabeled, rebooted, still cannot run configuration
script...
[root@host root]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=root:sysadm_r:sysadm_t
[root@host root]# /usr/bin/vmware-config.pl
Can't open perl script "/usr/bin/vmware-config.pl":
Permission denied
[root@host root]# ls -Z /usr/bin/vmware-config.pl
-r-xr-xr-x+ root root
system_u:object_r:vmware_exec_t
/usr/bin/vmware-config.pl
Looks like a context problem to me but I am unsure
what to change... my context, that of the script
itself or modify context files and relabel?
I have the docs, have been reading, but I have not
been able to understand some of the general concepts.
Any advice will be appreciated.
Earl
19 years, 10 months
Policy for webalizer
by Yuichi Nakamura
Hi.
I found that webalizer does not work from cron on FedoraCore2.
It seems that there is no policy for webalizer.
I wrote policy for webalizer.
I tested it from command line and cron.
Please use.
(1) copy webalizer policies to policy source dir.
#cp webalizer.te /etc/security/selinux/src/policy/domains/program
#cp webalizer.fc /etc/security/selinux/src/policy/file_contexts/program
(2) append the following to /etc/security/selinux/src/policy/domains/program/apache.te .
r_dir_file(httpd_t,webalizer_usage_t)
(3) reload and relabel
#cd /etc/security/selinux/src/policy/
#make reload
#setfiles file_contexts/file_contexts /usr/bin /var /etc
Thank you.
---
Yuichi Nakamura
Japan SELinux Users Group(JPSEG)
http://www.selinux.gr.jp/
19 years, 10 months
typo in src/policy/file_contexts/types.fc ???
by Tom London
I'm not certain about this, but types.fc has an entry:
/var/lib(64)?/nfs/rpc_pipes(/*)? <<none>>
I don't have such a file/directory, but I do have one
called /var/lib/nfs/rpc_pipefs. Should that entry be:
/var/lib(64)?/nfs/rpc_pipefs(/*)? <<none>>
tom
19 years, 10 months
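An added example, not from the post: a small matcher for file_contexts entries that applies the rules setfiles uses (the regex must match the whole path, the last matching entry wins, and <<none>> means the path is left alone), so the effect of the rpc_pipes/rpc_pipefs spelling can be checked without relabelling anything. Both tables below are constructed; only the rpc_pipes entry and the proposed rpc_pipefs entry come from the post, and the last-match-wins lookup is the classic setfiles behaviour rather than anything the post states.

```python
import re

# Added example, not from the list post: evaluate file_contexts entries.

# Constructed tables; the rpc_pipes / rpc_pipefs lines are the ones quoted
# and proposed in the post, the other two entries are made up for context.
AS_SHIPPED = """\
/.*                                   system_u:object_r:default_t
/var/lib(/.*)?                        system_u:object_r:var_lib_t
/var/lib(64)?/nfs/rpc_pipes(/*)?      <<none>>
"""

PROPOSED = """\
/.*                                   system_u:object_r:default_t
/var/lib(/.*)?                        system_u:object_r:var_lib_t
/var/lib(64)?/nfs/rpc_pipefs(/*)?     <<none>>
"""


def parse_file_contexts(text):
    """Return a list of (compiled_regex, type_spec_or_None, context_or_None)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:            # regex  -type  context
            regex, ftype, ctx = parts
        elif len(parts) == 2:          # regex  context
            regex, ctx = parts
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts entry: {line!r}")
        # setfiles anchors every regex, so the entire path has to match.
        specs.append((re.compile("^" + regex + "$"), ftype,
                      None if ctx == "<<none>>" else ctx))
    return specs


def label_for(text, path):
    """Return (matching_regex, context) with last-match-wins.

    A context of None means setfiles would skip the path (<<none>>);
    (None, None) means no entry matched at all.
    """
    for compiled, _ftype, ctx in reversed(parse_file_contexts(text)):
        if compiled.match(path):
            return compiled.pattern, ctx
    return None, None


if __name__ == "__main__":
    for table_name, table in (("as shipped", AS_SHIPPED), ("proposed", PROPOSED)):
        print(table_name, label_for(table, "/var/lib/nfs/rpc_pipefs"))
```

With the table as shipped, /var/lib/nfs/rpc_pipefs falls through to the generic /var/lib entry and would be relabelled var_lib_t; with the proposed spelling it hits the <<none>> entry and is left untouched, which is what a <<none>> entry for a pseudo-filesystem mount point is there to do.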
avc denied message from booting
by Richard Hally
Below is part of the syslog messages from booting in enforcing mode with
the latest policy. Perhaps it will be useful.
Richard Hally
Jun 26 04:39:43 new2 rc: Starting readahead: succeeded
Jun 26 04:39:44 new2 messagebus: messagebus startup succeeded
Jun 26 04:39:45 new2 kernel: audit(1088239185.333:0): avc: denied { read write } for pid=2385 exe=/bin/umount path=/dev/ptmx dev=hda2 ino=1064807 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
Jun 26 04:39:45 new2 udev[2511]: creating device node '/dev/vcs3'
19 years, 10 months
Strict policy test, 1.13.7-1, denies: lvm.static, klogd, udev, httpd, xfs, xorg, dmesg
by Ivan Gyurdiev
Hi, these are the results of running strict policy selinux.
Kernel: 2.6.7-1.448
Selinux-strict: 1.13.7-1
Filesystems: / is xfs, /tmp is tmpfs (is that a problem? xattrs?),
/boot is ext3
I relabeled prior to running this test.
I know there's a new version released today and I'll try that soon.
I'm sorry if any of these are duplicates or have been fixed.
==================================================================
audit2allow:
allow dmesg_t staff_home_t:file { write };
allow dmesg_t user_home_t:file { write };
allow httpd_t bin_t:dir { getattr };
allow httpd_t httpd_log_t:file { write };
allow httpd_t sbin_t:dir { getattr };
allow httpd_t snmpd_var_lib_t:file { getattr write };
allow klogd_t boot_t:lnk_file { read };
allow lvm_t device_t:file { getattr };
allow lvm_t selinux_config_t:dir { search };
allow udev_t var_lock_t:dir { search };
allow xdm_xserver_t xdm_tmpfs_t:dir { getattr };
allow xfs_t tmpfs_t:dir { search };
====================================================================
Denies summary - all of those occur during normal startup,
and the dmesg ones are me trying to pipe dmesg to a log file in my home
folder as root.
LVM.STATIC
1)
name = selinux
tclass = dir
denied { search } exe=lvm.static
scontext = system_u:system_r:lvm_t
tcontext = system_u:object_r:selinux_config_t
2)
path = /dev/vcsa01 or /dev/vcsa05
tclass = file
denied { getattr } exe=lvm.static
scontext = system_u:system_r:lvm_t
tcontext = system_u:object_r:device_t
KLOGD
3)
name = System.map
tclass = lnk_file
denied { read } exe=/sbin/klogd
scontext = system_u:system_r:klog_t
tcontext = system_u:object_r:boot_t
UDEV
4)
name = lock
tclass = dir
denied { search } exe=/bin/bash
scontext = system_u:system_r:udev_t
tcontext = system_u:object_r:var_lock_t
HTTPD
5)
name = /sbin or /usr/sbin
tclass = dir
denied { getattr } exe = /usr/sbin/httpd
scontext = system_u:system_r:httpd_t
tcontext = system_u:object_r:sbin_t
6)
name = /bin or /usr/bin or /usr/X11R6/bin
tclass = dir
denied { getattr } exe = /usr/sbin/httpd
scontext = system_u:system_r:httpd_t
tcontext = system_u:object_r:bin_t
7)
name = jk2.shm
tclass = file
denied { write } exe = /usr/sbin/httpd
scontext = system_u:system_r:httpd_t
tcontext = system_u:object_r:httpd_log_t
8)
path = /usr/share/snmp/mibs/.index
tclass = file
denied { getattr } exe = /usr/sbin/httpd
scontext = system_u:system_r:httpd_t
tcontext = system_u:object_r:snmpd_var_lib_t
name = .index
tclass = file
denied { write } exe = /usr/sbin/httpd
scontext = system_u:system_r:httpd_t
tcontext = system_u:object_r:snmpd_var_lib_t
XFS
9)
dev = tmpfs
tclass = dir
denied { search } exe = /usr/X11R6/bin/xfs
scontext = system_u:system_r:xfs_t
tcontext = system_u:object_r:tmpfs_t
Xorg
10)
dev = tmpfs
path = /tmp/.X11-unix
tclass = dir
denied { getattr } exe = /usr/X11R6/bin/Xorg
scontext = system_u:system_r:xdm_xserver_t
tcontext = system_u:object_r:xdm_tmpfs_t
Dmesg
11)
path = /home/-username-/log
tclass = file
denied { write } exe = /bin/dmesg
scontext = root:system_r:dmesg_t
tcontext = root:object_r:user_home_t
19 years, 10 months
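An added example serving the two reports above (the syslog excerpt in "avc denied message from booting" and the audit2allow listing in the strict policy test); it is not code from either post. It parses the FC2-era syslog form of avc denials, groups them by source type, target type and object class the way audit2allow does, and emits one allow rule per group with the permissions merged. The first sample line is the umount/ptmx denial quoted above, re-joined onto one line; the other three lines are constructed to mirror the dmesg and httpd/snmp entries in the strict policy report (pids, inodes and timestamps are made up). The grouping is a review aid: a rule such as mount_t writing to ptmx_t still deserves a look at why the access happens before anyone adds it to policy.

```python
import re
from collections import defaultdict

# Added example, not from either list post: turn avc denial lines into
# audit2allow-style rules. Assumes each audit message is on one line.

# Constructed sample: line 2 is quoted from the post, lines 3-5 are made up
# to mirror entries from the strict policy report.
SAMPLE_SYSLOG = """\
Jun 26 04:39:44 new2 messagebus: messagebus startup succeeded
Jun 26 04:39:45 new2 kernel: audit(1088239185.333:0): avc: denied { read write } for pid=2385 exe=/bin/umount path=/dev/ptmx dev=hda2 ino=1064807 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
Jun 26 04:40:01 new2 kernel: audit(1088239201.100:0): avc: denied { write } for pid=2601 exe=/bin/dmesg path=/home/user1/log dev=hda2 ino=2000 scontext=root:system_r:dmesg_t tcontext=root:object_r:user_home_t tclass=file
Jun 26 04:40:02 new2 kernel: audit(1088239202.200:0): avc: denied { getattr } for pid=2650 exe=/usr/sbin/httpd path=/usr/share/snmp/mibs/.index dev=hda2 ino=3000 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:snmpd_var_lib_t tclass=file
Jun 26 04:40:02 new2 kernel: audit(1088239202.300:0): avc: denied { write } for pid=2650 exe=/usr/sbin/httpd name=.index dev=hda2 ino=3000 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:snmpd_var_lib_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for an avc denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    try:
        src_type = fields["scontext"].split(":")[2]   # user:role:type
        tgt_type = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "src": src_type,
        "tgt": tgt_type,
        "tclass": tclass,
        "exe": fields.get("exe"),
        "path": fields.get("path") or fields.get("name"),
    }


def to_allow_rules(text):
    """Merge denials by (source, target, class) and render allow rules."""
    merged = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d["src"], d["tgt"], d["tclass"])] |= d["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    for rule in to_allow_rules(SAMPLE_SYSLOG):
        print(rule)
```

The httpd pair shows why merging matters: the getattr and write denials on the same .index file arrive as two separate messages but collapse into the single `allow httpd_t snmpd_var_lib_t:file { getattr write };` line the report lists.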
Re: How to properly upgrade policy
by Tom London
These are VERY nice changes, automating what I've been doing manually.
An observation: the package 'install' process has gotten much better with file contexts.
Any thoughts on automating the assignment of file contexts to the
files created by package scripts (e.g., /boot/grub/grub.conf, depmod files,
/etc/selinux/config, ...)? Would be nice to have a 'SELinux package
description' that describes the package's desired/default contexts. That
would allow inspection prior to install, tools to check consistency with
installed file_contexts, etc. 'rpm -q --filecontext' is almost
it. Any way to add the other stuff to it, or something like it?
tom
[Sorry if this is old hat....]
Dan Walsh wrote:
> Setfiles and restorecon have a new qualifier (-o filename) which will
> record the file paths of any files that the tools find with the
> incorrect security context. So if you run setfiles -n -v -o
> /tmp/badfilecontexts, you would have a report and a file with all the
> paths of files with bad file contexts. If everything looks ok, you
> could run restorecon -f /tmp/badfilecontexts and clean them up quickly.
19 years, 10 months