Domains, interpreted languages, and Cron scripts
by Bill McCarty
Hi all,
I've run into an architectural headache that someone else must already have
visited, and perhaps solved. But, I find no mention of the problem in list
archives or elsewhere.
I have several Python scripts that run under Cron. Some of these scripts
access or modify sensitive data, and so I'd like to define one or more
domains by means of which to limit their privileges. However, the exe name
associated with such scripts is /usr/bin/python2.3, rather than the name of
the script. Consistent with the principle of least privilege, I'd prefer to
define distinct domains for each script, rather than an overly broad
python_t domain, for instance.
Has anyone else been here already? What techniques are useful for
constraining the privileges given to scripts?
One idea: Would it be a good thing to modify Run-parts to transition to a
domain named for the Cron script it launches? Doing so would seem to solve
my problem, but it might create others <g>.
Thanks,
--
Bill McCarty, Ph.D.
Professor of Information Technology
Azusa Pacific University
19 years
[idea] udev + selinux
by Nigel Kukard
Just an idea, but why not have udev set the context on its root path?
I have a simplistic patch for this if it's a good idea.
Regards
Nigel Kukard
19 years, 2 months
Progress! .532 boots! -- but dbus/hotplug/udev problems remain?
by Tom London
Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1,
kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2)
now boots in strict/enforcing.
Many AVCs, and there is a problem
with runlevel 5 (graphical login, etc.) preventing
login, (but text login works).
Here are the first, early AVCs: (I'll dig for more later.)
Aug 28 10:23:40 fedora kernel: usbcore: registered new driver usblp
Aug 28 10:23:40 fedora kernel: drivers/usb/class/usblp.c: v0.13: USB
Printer Device Class driver
Aug 28 10:23:40 fedora acpid: acpid startup succeeded
Aug 28 10:23:40 fedora kernel: ACPI: Power Button (FF) [PWRF]
Aug 28 10:23:40 fedora kernel: ACPI: Sleep Button (CM) [FUTS]
Aug 28 10:23:40 fedora kernel: EXT3 FS on hda2, internal journal
Aug 28 10:23:41 fedora kernel: audit(1093713783.757:0): avc: denied {
search } for pid=1264 exe=/sbin/udev name=contexts dev=hda2 ino=4509745
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc: denied {
execute_no_trans } for pid=1271 exe=/sbin/udev
path=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t
tclass=file
Aug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc: denied {
write }
for pid=1264 exe=/sbin/udev name=fscreate dev=proc ino=82837526
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=file
These repeat many times. When run in permissive mode, this sequence
becomes:
Aug 28 10:32:25 fedora kernel: EXT3 FS on hda2, internal journal
Aug 28 10:32:25 fedora kernel: audit(1093714297.852:0): avc: denied {
search } for pid=1283 exe=/sbin/udev name=contexts dev=hda2 ino=4509745
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714297.859:0): avc: denied {
search } for pid=1283 exe=/sbin/udev name=files dev=hda2 ino=4509746
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:file_context_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc: denied {
read } for pid=1283 exe=/sbin/udev name=file_contexts dev=hda2
ino=4505700 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:file_context_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc: denied {
getattr
} for pid=1283 exe=/sbin/udev
path=/etc/selinux/strict/contexts/files/file_contexts dev=hda2
ino=4505700 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:file_context_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.077:0): avc: denied {
execute_no_trans } for pid=1285 exe=/sbin/udev
path=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t
tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.109:0): avc: denied {
search } for pid=1285 exe=/bin/bash name=console dev=hda2 ino=4456494
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:pam_var_console_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714298.113:0): avc: denied {
write }
for pid=1283 exe=/sbin/udev name=fscreate dev=proc ino=84082710
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.113:0): avc: denied {
setfscreate } for pid=1283 exe=/sbin/udev
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=process
Aug 28 10:32:25 fedora kernel: audit(1093714317.126:0): avc: denied {
search } for pid=1671 exe=/sbin/udev name=files dev=hda2 ino=4509746
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:file_context_t tclass=dir
Audit2allow on this says:
allow : { write };
allow udev_t default_context_t:dir { search };
allow udev_t etc_t:file { execute_no_trans };
allow udev_t file_context_t:dir { search };
allow udev_t file_context_t:file { read };
allow udev_t pam_var_console_t:dir { search };
allow udev_t udev_t:process { setfscreate };
The funny 'allow : { write };' is for the write of 'fscreate' in /proc.
After obtaining the graphical login screen, here is the offending AVC:
Aug 28 10:24:42 fedora gdm(pam_unix)[3888]: session opened for user tbl
by (uid=0)
Aug 28 10:24:43 fedora kernel: audit(1093713883.626:0): avc: denied {
create } for pid=4042 exe=/usr/bin/dbus-daemon-1
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=netlink_selinux_socket
An error window pops up reporting an SELinux/AVC type failure. It then
returns to the login screen.
Just prior to that, there are many 'denied's from udev and hald. Here
are a few:
Aug 28 10:24:21 fedora dbus: avc: denied { send_msg } for
scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t
tclass=dbus
Aug 28 10:24:21 fedora kernel: audit(1093713853.755:0): avc: denied {
execute
} for pid=3466 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2
ino=606213 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 28 10:24:21 fedora udev[3953]: creating device node '/dev/vcs7'
Aug 28 10:24:22 fedora dbus: avc: denied { send_msg } for
scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t
tclass=dbus
Aug 28 10:24:22 fedora kernel: audit(1093713853.817:0): avc: denied {
search } for pid=3798 exe=/sbin/udev name=contexts dev=hda2 ino=4509745
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:24:22 fedora dbus: avc: denied { send_msg } for
scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t
tclass=dbus
Aug 28 10:24:22 fedora kernel: audit(1093713853.819:0): avc: denied {
execute_no_trans } for pid=3846 exe=/sbin/udev
path=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t
tclass=file
Aug 28 10:24:22 fedora dbus: avc: denied { send_msg } for
scontext=system_u:system_r:updfstab_t tcontext=system_u:system_r:hald_t
tclass=dbus
Aug 28 10:24:22 fedora kernel: audit(1093713853.820:0): avc: denied {
write }
for pid=3798 exe=/sbin/udev name=fscreate dev=proc ino=248905750
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=file
[BTW: When I reboot, /etc/fstab has been relabeled to type tmp_t.
Is the above causing this?]
I rebooted strict/permissive, and things appear OK, including loading
of sound modules.
However, as noted above, something is relabeling /etc/fstab to tmp_t:
Aug 28 10:33:21 fedora gdm(pam_unix)[3786]: session opened for user tbl
by (uid=0)
Aug 28 10:33:21 fedora kernel: audit(1093714401.349:0): avc: denied {
read } for pid=3786 exe=/usr/bin/gdm-binary name=fstab dev=hda2
ino=4654141 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:tmp_t tclass=file
Aug 28 10:33:21 fedora kernel: audit(1093714401.350:0): avc: denied {
getattr
} for pid=3786 exe=/usr/bin/gdm-binary path=/etc/fstab dev=hda2
ino=4654141 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:tmp_t tclass=file
I believe I'm running a 'stock' Rawhide system.
tom
19 years, 3 months
hald/hal-hotplug-map
by Tom London
hald seems to need to execute /usr/libexec/hal-hotplug-map:
Aug 29 12:45:46 fedora kernel: audit(1093808744.270:0): avc: denied {
execute
} for pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2
ino=4123436 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 29 12:45:46 fedora kernel: audit(1093808744.284:0): avc: denied {
execute
} for pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2
ino=4123436 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:bin_t tclass=file
Does it make sense to label /usr/libexec/hal* as hald_exec_t and add
'canexec(hald_t, hald_exec_t)' to hald.te ?
Also, seems that hald and updfstab need to do their dbus thing,
and hald wants to access printer_device_t.
Suggested patches to hald.te and hald.fc
--- hald.te 2004-08-27 14:37:17.000000000 -0700
+++ /etc/selinux/strict/src.old/policy/domains/program/hald.te
2004-08-28 13:40:57.000000000 -0700
@@ -37,7 +37,12 @@
ifdef(`udev.te', `
domain_auto_trans(hald_t, udev_exec_t, udev_t)
allow udev_t hald_t:unix_dgram_socket sendto;
+allow hald_t updfstab_t:dbus { send_msg };
+allow updfstab_t hald_t:dbus { send_msg };
')
allow hald_t usbdevfs_t:dir search;
allow hald_t usbdevfs_t:file { getattr read };
+
+allow hald_t printer_device_t:chr_file { read write };
+can_exec(hald_t, hald_exec_t)
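Review bot: the two new dbus rules (`+allow hald_t updfstab_t:dbus { send_msg };` and its reverse) are placed inside the existing ifdef(`udev.te', ...) block, but they reference updfstab_t, which has nothing to do with udev.te; guard them with ifdef(`updfstab.te', ...) instead, since checkpolicy rejects a rule naming an undeclared type on a build that has udev.te but no updfstab.te, and on a build with updfstab.te but no udev.te the rules are silently dropped. `+can_exec(hald_t, hald_exec_t)` grants execute without transition on hald_t's own entry-point type, which is harmless for hald itself but is what makes the relabeled helpers run as hald_t, so a comment stating that intent belongs next to it. Also note the file headers run the opposite way from the hald.fc hunk below: here `---` is hald.te dated 08-27 and `+++` is the src.old copy dated 08-28, so confirm which direction `patch` should apply before merging.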
---
/etc/selinux/strict/src.old/policy/domains/program/../../file_contexts/program/hald.fc
2004-08-27 14:37:17.000000000 -0700
+++ hald.fc 2004-08-29 13:36:44.147534409 -0700
@@ -1,2 +1,3 @@
# hald - hardware informationd daemon
/usr/sbin/hald -- system_u:object_r:hald_exec_t
+/usr/libexec/hal-.* -- system_u:object_r:hald_exec_t
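Review bot: `+/usr/libexec/hal-.* -- system_u:object_r:hald_exec_t` reuses hald_t's entry-point type for the helpers, which answers the question in the post but has a side effect: whichever domains already transition into hald_t through hald_exec_t (at minimum the one that starts the daemon) will now also transition when they run any of these helpers, so a helper invoked outside hald lands in hald_t. If the helpers are only ever run by hald, a separate type (say hald_helper_exec_t, a name this note assumes) with `can_exec(hald_t, hald_helper_exec_t)` keeps the entry point unique. The pattern also covers every file under /usr/libexec beginning with `hal-`; if only hal-hotplug-map is needed, list it explicitly.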
Please correct/improve,
tom
19 years, 3 months
SELinux stops new X11?
by Richard Hally
The new xorg-X11(6.7.99.902-1) will not start with the current strict
SELinux policy(1.15.16-1) in enforcing mode. (xorg-x11-*6.7.0-7.2 works
just fine). I have not tried permissive mode.
It looks like something has changed in X11 that has to do with the
fonts and the SE policy has not been updated to handle it but that is
just speculation.
from my Xorg.0.log:
<snip>
(II) Mouse0: ps2EnableDataReporting: succeeded
Could not init font path element unix/:7100, removing from list!
Fatal server error:
could not open default font 'fixed'
Please consult the The X.Org Foundation support
at http://wiki.X.Org
for help.
Please also check the log file at "/var/log/Xorg.0.log" for additional
information.
*** If unresolved symbols were reported above, they might not
*** be the reason for the server aborting.
FatalError re-entered, aborting
Caught signal 11. Server aborting
---------------------------------------- end of xorg log ----------------------------------------
From /var/log/messages:
Aug 19 17:34:53 new2 kernel: audit(1092951293.022:0): avc: denied {
getattr }
for pid=2578 exe=/usr/X11R6/bin/xfs path=/tmp/.font-unix dev=hda2
ino=1840549 scontext=system_u:system_r:xfs_t
tcontext=system_u:object_r:initrc_tmp_t tclass=dir
Aug 19 17:34:53 new2 xfs[2578]: cannot establish any listening sockets
Aug 19 17:34:53 new2 xfs: xfs startup succeeded
Aug 19 17:34:53 new2 xfs[2578]: ignoring font path element
/usr/X11R6/lib/X11/fonts/Speedo (unreadable)
Aug 19 17:35:13 new2 kernel: audit(1092951313.544:0): avc: denied {
read } for pid=2995 exe=/usr/X11R6/bin/Xorg name=fb dev=hda2
ino=1061221 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:device_t tclass=lnk_file
Aug 19 17:35:13 new2 last message repeated 2 times
Aug 19 17:35:13 new2 kernel: audit(1092951313.545:0): avc: denied {
read } for pid=2995 exe=/usr/X11R6/bin/Xorg name=fb dev=hda2
ino=1061221 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:device_t tclass=lnk_file
Aug 19 17:35:13 new2 last message repeated 4 times
Aug 19 17:35:15 new2 kernel: audit(1092951315.876:0): avc: denied {
search } for pid=2995 exe=/usr/X11R6/bin/Xorg name=.font-unix dev=hda2
ino=1840549 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:initrc_tmp_t tclass=dir
Aug 19 17:35:19 new2 kernel: audit(1092951319.457:0): avc: denied {
read } for pid=3329 exe=/usr/X11R6/bin/Xorg name=fb dev=hda2
ino=1061221 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:device_t tclass=lnk_file
Aug 19 17:35:19 new2 last message repeated 3 times
Aug 19 17:35:19 new2 kernel: audit(1092951319.458:0): avc: denied {
read } for pid=3329 exe=/usr/X11R6/bin/Xorg name=fb dev=hda2
ino=1061221 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:device_t tclass=lnk_file
Aug 19 17:35:19 new2 last message repeated 3 times
Aug 19 17:35:21 new2 kernel: audit(1092951321.333:0): avc: denied {
search } for pid=3329 exe=/usr/X11R6/bin/Xorg name=.font-unix dev=hda2
ino=1840549 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:initrc_tmp_t tclass=dir
Aug 19 17:35:21 new2 gdm[3304]: gdm_slave_xioerror_handler: Fatal X
error - Restarting :0
Aug 19 17:35:24 new2 kernel: audit(1092951324.885:0): avc: denied {
read } for pid=3494 exe=/usr/X11R6/bin/Xorg name=fb dev=hda2
ino=1061221 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:device_t tclass=lnk_file
Aug 19 17:35:24 new2 kernel: audit(1092951324.886:0): avc: denied {
read } for pid=3494 exe=/usr/X11R6/bin/Xorg name=fb dev=hda2
ino=1061221 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:device_t tclass=lnk_file
Aug 19 17:35:24 new2 last message repeated 6 times
FWIW
Richard Hally
19 years, 3 months
ssh.te - more needed?
by t l
After augmenting ssh.te with
can_exec(sshd_t, sshd_exec_t)
as suggested by Stephen S., inbound
ssh to strict/enforcing system still fails.
Here are avc's (running permissive):
Aug 30 09:49:44 fedora kernel: audit(1093884584.213:0): avc: denied { ioctl } for pid=4998 exe=/bin/su path=/dev/pts/4 dev=devpts ino=6 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:sshd_devpts_t tclass=chr_file
Aug 30 09:49:46 fedora kernel: audit(1093884586.516:0): avc: denied { getattr } for pid=4998 exe=/bin/su name=4 dev=devpts ino=6 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:sshd_devpts_t tclass=chr_file
Aug 30 09:49:46 fedora kernel: audit(1093884586.542:0): avc: denied { read write } for pid=5013 exe=/bin/hostname name=4 dev=devpts ino=6 scontext=root:sysadm_r:hostname_t tcontext=root:object_r:sshd_devpts_t tclass=chr_file
audit2allow says:
allow hostname_t sshd_devpts_t:chr_file { read write };
allow user_su_t sshd_devpts_t:chr_file { getattr ioctl };
tom
19 years, 3 months
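Both Tom's posts above end with "audit2allow says:" followed by a handful of allow rules. The aggregation that tool performs is small enough to show in full, so here is an added example (mine, not code from either post and not audit2allow's own source) that turns the AVC messages quoted on this page into allow rules: it extracts the permission set and the scontext/tcontext/tclass fields from each kernel or dbus "avc: denied" line, keeps only the type component of each context, and merges permissions per (source type, target type, class). The sample log is constructed from the AVC lines in the posts, re-wrapped onto one line each; the "acpid startup succeeded" line is there to show that non-AVC lines are skipped. For the udev write to /proc's fscreate file, this parser prints `allow udev_t udev_t:file { write };` where the post shows `allow : { write };`; the helper at the end flags such self-targeting rules, because a domain appearing as its own target with tclass=file means a /proc/self attribute (labeled with the process's own context), not a filesystem object, and that is worth a second look before pasting the rule into a .te file.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines from the posts above, each re-joined onto a single line,
# plus one non-AVC line that the parser must ignore.
SAMPLE_LOG = """\
Aug 28 10:23:41 fedora kernel: audit(1093713783.757:0): avc: denied { search } for pid=1264 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc: denied { execute_no_trans } for pid=1271 exe=/sbin/udev path=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t tclass=file
Aug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc: denied { write } for pid=1264 exe=/sbin/udev name=fscreate dev=proc ino=82837526 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.113:0): avc: denied { setfscreate } for pid=1283 exe=/sbin/udev scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=process
Aug 28 10:24:21 fedora dbus: avc: denied { send_msg } for scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t tclass=dbus
Aug 30 09:49:44 fedora kernel: audit(1093884584.213:0): avc: denied { ioctl } for pid=4998 exe=/bin/su path=/dev/pts/4 dev=devpts ino=6 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:sshd_devpts_t tclass=chr_file
Aug 30 09:49:46 fedora kernel: audit(1093884586.516:0): avc: denied { getattr } for pid=4998 exe=/bin/su name=4 dev=devpts ino=6 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:sshd_devpts_t tclass=chr_file
Aug 30 09:49:46 fedora kernel: audit(1093884586.542:0): avc: denied { read write } for pid=5013 exe=/bin/hostname name=4 dev=devpts ino=6 scontext=root:sysadm_r:hostname_t tcontext=root:object_r:sshd_devpts_t tclass=chr_file
Aug 28 10:23:40 fedora acpid: acpid startup succeeded
"""

# Matches both kernel ("audit(...): avc: denied { perms } for ...") and
# dbus userspace ("dbus: avc: denied { send_msg } for ...") denials.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return (perms, fields) for a denial line, or None if it is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    # Without all three of these there is no rule to derive.
    if any(k not in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return perms, fields


def type_of(context):
    """Extract the type from user:role:type (object contexts use role object_r)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def aggregate(log_text):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        rules[(type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])].update(perms)
    return rules


def render(rules):
    """Emit one sorted allow rule per (source, target, class) in .te syntax."""
    out = []
    for stype, ttype, tclass in sorted(rules):
        perms = " ".join(sorted(rules[(stype, ttype, tclass)]))
        out.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return out


def self_directed(rules):
    """Keys where a domain is its own target: /proc/self attributes or
    process-class permissions, which deserve review before being allowed."""
    return sorted(k for k in rules if k[0] == k[1])


if __name__ == "__main__":
    rules = aggregate(SAMPLE_LOG)
    for rule in render(rules):
        print(rule)
    print("self-directed:", self_directed(rules))
```

Feed it /var/log/messages from a permissive boot and diff the output against what audit2allow prints; the two rules for sshd_devpts_t come out identical to the ones quoted in the ssh.te post.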
Re: Cleaned up udev-selinux patch
by Daniel J Walsh
Greg KH wrote:
>On Thu, Aug 26, 2004 at 11:15:07AM -0400, Daniel J Walsh wrote:
>
>
>>This will create the security contexts on the fly.
>>
>>Please comment on what would be needed to get this acceptable?
>>
>>
>
>Same things I said on the mailing list:
> - fix coding style
> - no ifdefs in .c files
> - make the selinux stuff all be in its own file
> - make the build flag look like the other build flags
> - not make the makefile changes have silly line continuations
> when not needed :)
> - post the patch on the mailing list (linux-hotplug-devel) for
> others to comment on after fixing the above.
>
>thanks,
>
>greg k-h
>
>
Another pass at a cleaned up patch. This time attempting to follow Greg's
guidelines.
Dan
19 years, 3 months
bug in presently-developed selinux patch to udev: no acknowledgement received
by Luke Kenneth Casson Leighton
i noticed a bug in the last udev-selinux patch that went past
[these?] lists last week.
i sent a request for acknowledgement, and unfortunately i am very
sorry to say that i have not received an acknowledgement, and
so unfortunately i will continue to request an acknowledgement
from the people doing the redhat-based development until i
receive one.
if it wasn't important - namely that the bug in the patch will result
in incorrect policy file development for udev.te - i wouldn't bother.
the bug is that the patch merged three near-identical sections of
code that use matchpathcon(..., mode) into a function,
where mode was S_IFDIR, S_IFLNK and S_IFsomething ...
... and the person who reworked the patch forgot to pass the mode
argument down to matchpathcon.
result: on all three instances of calling matchpathcon, the
file_contexts for DIRECTORIES will be looked up.
it was either dan or colin, and i can't remember who.
anyone who is doing udev selinux development who is NOT using
my original patch, non-optimised as it is, please be advised.
l.
--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
lkcl(a)lkcl.net
19 years, 3 months
xdm.te - patch to allow 'graphical shutdown/reboot'
by Tom London
Clicking on 'shutdown' on the login screen doesn't 'work'.
/sbin/shutdown (running in xdm_t) wants to execute init (init_exec_t).
Here's a patch that fixes....
Not sure about the 'allow xdm_t devpts_t:dir { search };'. dontaudit?
Please correct/improve/...
tom
--- /root/src.package/policy/domains/program/xdm.te 2004-08-29
11:38:27.000000000 -0700
+++ ./xdm.te 2004-08-30 07:13:32.000000000 -0700
@@ -331,3 +331,7 @@
allow xdm_t crack_db_t:file r_file_perms;
')
r_dir_file(xdm_t, selinux_config_t)
+
+# let xdm do shutdown
+allow xdm_t devpts_t:dir { search };
+can_exec(xdm_t, init_exec_t)
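Review bot: `+can_exec(xdm_t, init_exec_t)` lets the shutdown started from the login screen exec /sbin/init while remaining in xdm_t, so everything init then needs at shutdown time must also be allowed to xdm_t directly; expect further denials beyond the two addressed here and collect them in permissive mode before settling on this rule. On the `+allow xdm_t devpts_t:dir { search };` question raised in the post: if shutdown merely probes /dev/pts (e.g. while looking for terminals to notify) and completes without it, dontaudit is the right choice; if it actually needs to open the ptys it will need more than search, so the decision should follow that test rather than precede it. The comment `# let xdm do shutdown` should also say why devpts is involved at all.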
19 years, 3 months