test
by Jim
Just making sure I'm here, sorry for the inconvenience of having to
read this.
19 years, 8 months
New AVCs from Rawhide...
by Tom London
Running strict/enforcing, and running
Rawhide (selinux-policy-strict-1.15.11-1 and kernel-2.6.7-1.509),
some new AVCs logged. [Sorry if I'm 'amid updates']
tom
First, early in boot sequence:
Aug 5 06:58:02 fedora autofs: automount startup succeeded
Aug 5 06:58:02 fedora kernel: SELinux: initialized (dev rootfs, type
rootfs), uses genfs_contexts
Aug 5 06:58:02 fedora kernel: SELinux: initialized (dev sysfs, type
sysfs), uses genfs_contexts
Aug 5 06:58:02 fedora kernel: audit(1091689038.197:0): avc: denied {
read write } for pid=1 exe=/sbin/init path=/dev/console dev=rootfs
ino=5 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Aug 5 06:58:02 fedora last message repeated 2 times
Aug 5 06:58:02 fedora smartd[2124]: smartd version 5.30 Copyright (C)
2002-4 Bruce Allen
Aug 5 06:58:02 fedora kernel: audit(1091689038.318:0): avc: denied {
read } for pid=1 exe=/sbin/init path=/init dev=rootfs ino=14
scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t
tclass=file
then, many, many like these (approx. 64 of them):
Aug 5 06:58:02 fedora kernel: audit(1091689040.452:0): avc: denied {
dac_read_search } for pid=397 exe=/bin/bash capability=2
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=capability
Aug 5 06:58:02 fedora smartd[2124]: Configuration file /etc/smartd.conf
parsed.
Aug 5 06:58:02 fedora kernel: audit(1091689040.452:0): avc: denied {
dac_read_search } for pid=411 exe=/bin/bash capability=2
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=capability
Aug 5 06:58:02 fedora smartd[2124]: Device: /dev/hda, opened
Aug 5 06:58:02 fedora kernel: audit(1091689040.452:0): avc: denied {
dac_read_search } for pid=399 exe=/bin/bash capability=2
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=capability
Aug 5 06:58:03 fedora smartd[2124]: Device: /dev/hda, found in smartd
database.
Aug 5 06:58:03 fedora kernel: audit(1091689040.452:0): avc: denied {
dac_read_search } for pid=391 exe=/bin/bash capability=2
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=capability
Aug 5 06:58:03 fedora kernel: audit(1091689040.453:0): avc: denied {
dac_read_search } for pid=398 exe=/bin/bash capability=2
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=capability
Aug 5 06:58:03 fedora kernel: audit(1091689040.453:0): avc: denied {
dac_read_search } for pid=413 exe=/bin/bash capability=2
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=capability
.....
Repeat of above while bringing up USB:
Aug 5 06:58:07 fedora kernel: hub 1-0:1.0: 6 ports detected
Aug 5 06:58:07 fedora kernel: audit(1091714243.675:0): avc: denied {
dac_read_search } for pid=775 exe=/bin/bash capability=2
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=capability
Aug 5 06:58:07 fedora kernel: ACPI: PCI interrupt 0000:00:03.0[A] ->
GSI 5 (level, low) -> IRQ 5
Aug 5 06:58:07 fedora kernel: ohci_hcd 0000:00:03.0: OHCI Host Controller
Aug 5 06:58:07 fedora kernel: ohci_hcd 0000:00:03.0: irq 5, pci mem
30848000
Aug 5 06:58:07 fedora kernel: hub 1-0:1.0: over-current change on port 3
Aug 5 06:58:07 fedora kernel: ohci_hcd 0000:00:03.0: new USB bus
registered, assigned bus number 2
Aug 5 06:58:07 fedora kernel: hub 2-0:1.0: USB hub found
Aug 5 06:58:07 fedora kernel: hub 2-0:1.0: 2 ports detected
Aug 5 06:58:07 fedora kernel: audit(1091714244.021:0): avc: denied {
dac_read_search } for pid=809 exe=/bin/bash capability=2
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=capability
Aug 5 06:58:07 fedora kernel: audit(1091714244.036:0): avc: denied {
dac_read_search } for pid=813 exe=/bin/bash capability=2
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=capability
Aug 5 06:58:07 fedora kernel: ACPI: PCI interrupt 0000:00:03.1[B] ->
GSI 11 (level, low) -> IRQ 11
This one also seems new....:
Aug 5 06:58:07 fedora kernel: SELinux: initialized (dev tmpfs, type
tmpfs), uses transition SIDs
Aug 5 06:58:07 fedora kernel: audit(1091714256.876:0): avc: denied {
search } for pid=1476 exe=/sbin/pam_console_apply name=console dev=hda2
ino=4456494 scontext=system_u:system_r:pam_console_t
tcontext=system_u:object_r:xdm_var_run_t tclass=dir
Finally, some like this
Aug 5 06:59:19 fedora udev[3632]: creating device node '/dev/mixer'
Aug 5 06:59:19 fedora kernel: audit(1091714359.597:0): avc: denied {
dac_read_search } for pid=3642 exe=/bin/bash capability=2
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=capability
Aug 5 06:59:19 fedora kernel: audit(1091714359.607:0): avc: denied {
dac_read_search } for pid=3644 exe=/bin/bash capability=2
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=capability
Aug 5 06:59:19 fedora kernel: audit(1091714359.611:0): avc: denied {
read write } for pid=3646 exe=/sbin/restorecon path=socket:[1168]
dev=sockfs ino=1168 scontext=system_u:system_r:restorecon_t
tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket
Aug 5 06:59:19 fedora kernel: audit(1091714359.611:0): avc: denied {
read write } for pid=3646 exe=/sbin/restorecon path=socket:[1225]
dev=sockfs ino=1225 scontext=system_u:system_r:restorecon_t
tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket
Aug 5 06:59:19 fedora kernel: audit(1091714359.614:0): avc: denied {
search } for pid=2754 exe=/usr/bin/dbus-daemon-1 name=console dev=hda2
ino=4456494 scontext=system_u:system_r:dbusd_t
tcontext=system_u:object_r:xdm_var_run_t tclass=dir
19 years, 8 months
about a new policy file in SELinux!
by Sajed Miremadi
Hi,
I have asked this question several times before but haven't got the answer
I really want.
I'll ask it again but more clearly:
Does anybody ever write a new policy file except those which are default in
SELinux (I mean those in /etc/security/selinux/src/policy/domains/program)?
When I say a policy file I mean the files with ".te". For example there
are some for "ping","innd","tcpdump" and ... .
If someone has a .te file with this condition, I would be very glad if
he/she could send me that.
thanx,
Sajed
19 years, 8 months
file access audits (NISPOM Chapter 8)
by david colbert
Hello,
Does anyone out there have policy config files that
bring a Fedora Core 2 system into compliance with
Chapter 8 of Defense Security Service's (DSS) National
Industrial Security Program Operating Manual (NISPOM)?
The gist of my problem is that I need to get more
strict access and auditing of any attempted access to
system files by non-root users. I am trying to get
selinux to log every failed attempt of every non-root
user to r/w/x all system files. I can get it working
by commenting out the following line in
/etc/security/selinux/src/policy/tunable.te:
#define(`read_default_t')
which gives users access to all default files.
The problem is, it disallows access to all users,
including root. This means that once I start
enforcing, I have to reboot into single user mode to
make any system changes as root.
I need something which leaves sysadmin alone and only
sets restrictions and audits on staff and users (or
just users). With the above line still commented out,
I tried inserting the following lines in
/etc/security/selinux/src/policy/domains/admin.te to
open the system files back up to root again:
general_file_read_access(sysadmin_t)
general_file_write_access(sysadmin_t)
general_domain_access(sysadmin_t)
(Found in the "Configuring the SELinux Policy" doc by
Smalley)
However, the read and write access lines generated
syntax errors when I tried to make the new policy.
Anyone know what I am doing wrong? Version mismatch?
Mutually exclusive parameters? Anyone actually know
how to do what I am trying to do?
I am new to selinux, so I am hoping that I am just
missing something obvious.
Also, is there any other documentation besides the
pdf's on the NSA site?
Thanks in Advance,
David Colbert
19 years, 8 months
cups... new avcs?
by Tom London
I noticed what I think are new avcs coming from starting cups:
Aug 1 13:49:59 fedora kernel: audit(1091393399.153:0): avc: denied {
write }
for pid=2117 exe=/usr/bin/python name=util dev=hda2 ino=4309019
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t
tclass=dir
Aug 1 13:49:59 fedora kernel: audit(1091393399.432:0): avc: denied {
write }
for pid=2117 exe=/usr/bin/python name=util dev=hda2 ino=4309019
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t
tclass=dir
ino#4309019 is /usr/share/printconf/util
(not sure why cups wants to write there ....)
tom
19 years, 8 months
gnome settings manager failure.... (X0?)
by Tom London
Running strict/enforcing off of Rawhide, I now get
an error window popping up on graphical login saying
that the Gnome settings manager can't start.
Here is the only avc that looks even close....
Aug 1 13:51:02 fedora kernel: audit(1091393462.647:0): avc:
denied { write } for pid=3366
exe=/usr/X11R6/bin/xscreensaver name=X0 dev=hda2 ino=4657817
scontext=user_u:user_r:user_screensaver_t
tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file
When I try this in permissive mode, I get:
Aug 1 14:28:10 fedora kernel: audit(1091395690.098:0): avc:
denied { search } for pid=4015
exe=/usr/X11R6/bin/xscreensaver name=run dev=hda2 ino=4456484
scontext=user_u:user_r:user_screensaver_t
tcontext=system_u:object_r:var_run_t tclass=dir
Aug 1 14:28:10 fedora kernel: audit(1091395690.114:0): avc:
denied { write } for pid=4015
exe=/usr/X11R6/bin/xscreensaver name=X0 dev=hda2 ino=4657817
scontext=user_u:user_r:user_screensaver_t
tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file
Not sure if this is connected. Is there a known problem,
or should I do the 'enableaudit' thing?
tom
19 years, 8 months
install of dev-3.8.3-1.i386 fails w/ strict/enforcing
by Tom London
Attempting to 'yum update' to dev-3.8.3-1.i386
from dev-3.8.2-1 produces:
dev 100 % done 50/101
error: unpacking of archive failed: cpio: lstat
and the update fails. No avc's in log.
Rerunning 'yum update dev' in permissive mode
succeeds.
Avc's from permissive mode run:
Jul 31 10:56:04 fedora kernel: audit(1091296564.101:0): avc: denied {
getattr } for pid=9419 exe=/usr/bin/python path=/dev/dri dev=hda2
ino=2689470 scontext=root:sysadm_r:rpm_t
tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied {
search } for pid=9421 exe=/usr/sbin/groupadd name=selinux dev=hda2
ino=4509743 scontext=root:sysadm_r:groupadd_t
tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied {
read } for pid=9421 exe=/usr/sbin/groupadd name=config dev=hda2
ino=4509759 scontext=root:sysadm_r:groupadd_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 31 10:56:19 fedora kernel: audit(1091296579.902:0): avc: denied {
getattr } for pid=9421 exe=/usr/sbin/groupadd path=/etc/selinux/config
dev=hda2 ino=4509759 scontext=root:sysadm_r:groupadd_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 31 10:56:20 fedora kernel: audit(1091296580.078:0): avc: denied {
search } for pid=9422 exe=/usr/sbin/useradd name=run dev=hda2
ino=4456484 scontext=root:sysadm_r:useradd_t
tcontext=system_u:object_r:var_run_t tclass=dir
Jul 31 10:56:29 fedora kernel: audit(1091296589.978:0): avc: denied {
relabelfrom } for pid=9419 exe=/usr/bin/python name=dri dev=hda2
ino=2689470 scontext=root:sysadm_r:rpm_t
tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:29 fedora kernel: audit(1091296589.979:0): avc: denied {
relabelto } for pid=9419 exe=/usr/bin/python name=dri dev=hda2
ino=2689470 scontext=root:sysadm_r:rpm_t
tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.011:0): avc: denied {
setattr } for pid=9419 exe=/usr/bin/python name=dri dev=hda2
ino=2689470 scontext=root:sysadm_r:rpm_t
tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.017:0): avc: denied {
search } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470
scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t
tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.083:0): avc: denied {
write } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470
scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t
tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.083:0): avc: denied {
add_name } for pid=9419 exe=/usr/bin/python name=card0;410bdd3f
scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t
tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.136:0): avc: denied {
remove_name } for pid=9419 exe=/usr/bin/python name=card0;410bdd3f
dev=hda2 ino=2689465 scontext=root:sysadm_r:rpm_t
tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:57:49 fedora kernel: audit(1091296669.135:0): avc: denied {
search } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470
scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t
tclass=dir
Jul 31 10:57:49 fedora kernel: audit(1091296669.136:0): avc: denied {
getattr } for pid=9419 exe=/usr/bin/python path=/dev/dri dev=hda2
ino=2689470 scontext=root:sysadm_r:rpm_t
tcontext=system_u:object_r:dri_device_t tclass=dir
Audit2allow on the above produces:
allow groupadd_t selinux_config_t:dir { search };
allow groupadd_t selinux_config_t:file { getattr read };
allow rpm_t dri_device_t:dir { add_name getattr relabelfrom relabelto
remove_name search setattr write };
allow useradd_t var_run_t:dir { search };
Hope this helps,
tom
19 years, 9 months
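The audit2allow output Tom pasted above is just an aggregation of the AVC lines by source type, target type and object class. The following is an added example (not from the list or from audit2allow itself) that does the same grouping over the 2004-era `avc: denied { perms } ... scontext= tcontext= tclass=` format shown in these posts, on constructed sample lines modelled on the 'yum update dev' run; the resulting rules are a review aid for spotting which domain is asking for what, not something to paste into policy unread.

```python
import re
from collections import defaultdict

# Matches the kernel AVC format in the posts above: the permission set in
# braces, then key=value pairs, of which only the two contexts and the
# object class are needed to build an allow rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (perms, source_type, target_type, tclass), or None if no AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type; the type is the last colon-separated field.
    src = m.group("scontext").split(":")[-1]
    tgt = m.group("tcontext").split(":")[-1]
    return set(m.group("perms").split()), src, tgt, m.group("tclass")

def allow_rules(lines):
    """Aggregate denials into audit2allow-style rules, one per (src, tgt, class)."""
    perms_by_key = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            perms, src, tgt, tclass = parsed
            perms_by_key[(src, tgt, tclass)] |= perms
    return [
        "allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(sorted(perms)))
        for (src, tgt, tclass), perms in sorted(perms_by_key.items())
    ]

# Constructed sample, modelled on the entries above but joined onto single
# lines (syslog wraps them at 72 columns); a non-AVC line is mixed in.
SAMPLE_LOG = """\
Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied { search } for pid=9421 exe=/usr/sbin/groupadd name=selinux dev=hda2 ino=4509743 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied { read } for pid=9421 exe=/usr/sbin/groupadd name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 31 10:56:19 fedora kernel: audit(1091296579.902:0): avc: denied { getattr } for pid=9421 exe=/usr/sbin/groupadd path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 31 10:56:29 fedora kernel: audit(1091296589.978:0): avc: denied { relabelfrom } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:29 fedora kernel: audit(1091296589.979:0): avc: denied { relabelto } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora smartd[2124]: Device: /dev/hda, opened
""".splitlines()

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

Wrapped entries from a real syslog need to be joined back onto one line before feeding them in, as the regex expects the whole record on a single line.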
Re: rhgb....still no graphical boot when strict/enforcing
by Tom London
Hey, now we're talking.... A security related performance
speedup! ;)
tom
> From: Stephen Smalley <sds epoch ncsc mil>
>
>On Sat, 2004-07-31 at 16:48, Tom London wrote:
>> I'm still getting only text-based boots when running with strict/enforcing,
>> but graphical boots if I set 'enforcing=0'
>
>That's a feature, not a bug ;)
>
>--
>Stephen Smalley <sds epoch ncsc mil>
>National Security Agency
19 years, 9 months
rhgb....still no graphical boot when strict/enforcing
by Tom London
I'm still getting only text-based boots when running with strict/enforcing,
but graphical boots if I set 'enforcing=0'
Here are entries from the log from a strict/enforcing boot:
Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev sockfs, type
sockfs), uses task SIDs
Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev proc, type
proc), uses
genfs_contexts
Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev bdev, type
bdev), uses
genfs_contexts
Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev rootfs, type
rootfs), uses genfs_contexts
Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev sysfs, type
sysfs), uses genfs_contexts
Jul 31 11:16:23 fedora kernel: audit(1091272545.625:0): avc: denied {
mounton
} for pid=533 exe=/usr/bin/rhgb path=/initrd dev=ram0 ino=2
scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:file_t
tclass=dir
Jul 31 11:16:23 fedora kernel: audit(1091272545.625:0): avc: denied {
sys_admin } for pid=533 exe=/usr/bin/rhgb capability=21
scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
tclass=capability
Here are log entries from an 'enforcing=0' boot:
Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev sockfs, type
sockfs), uses task SIDs
Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev proc, type
proc), uses
genfs_contexts
Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev bdev, type
bdev), uses
genfs_contexts
Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev rootfs, type
rootfs), uses genfs_contexts
Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev sysfs, type
sysfs), uses genfs_contexts
Jul 29 20:40:38 fedora kernel: audit(1091133597.795:0): avc: denied {
mounton
} for pid=533 exe=/usr/bin/rhgb path=/initrd dev=ram0 ino=2
scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:file_t
tclass=dir
Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev ramfs, type
ramfs), uses genfs_contexts
Jul 29 20:40:38 fedora kernel: audit(1091133597.795:0): avc: denied {
mount }
for pid=533 exe=/usr/bin/rhgb name=/ dev=ramfs ino=1291
scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:ramfs_t
tclass=filesystem
Jul 29 20:40:38 fedora kernel: audit(1091133598.713:0): avc: denied {
search } for pid=534 exe=/usr/bin/rhgb name=run dev=hda2 ino=4456484
scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:var_run_t
tclass=dir
tom
19 years, 9 months