August 2004 - selinux - Fedora Mailing-Lists

by Russell Coker

http://www.coker.com.au/selinux/talks/ibmtu-2004/ I recently gave some lectures and tutorials at the IBM Technical university in Cairns on SE Linux. At the above URL there are lecture and lab notes, the lab exercises could be completed with help from the #fedora-selinux channel. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page

19 years, 8 months

4
5
0 / 0

test

by Jim

Just making sure I'm here , sorry for the inconvenience of having to read this.

19 years, 8 months

1
0
0 / 0

New AVCs from Rawhide...

by Tom London

Running strict/enforcing, and running Rawhide (selinux-policy-strict-1.15.11-1 and kernel-2.6.7-1.509), some new AVCs logged. [Sorry if I'm 'amid updates'] tom First, early in boot sequence: Aug 5 06:58:02 fedora autofs: automount startup succeeded Aug 5 06:58:02 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts Aug 5 06:58:02 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts Aug 5 06:58:02 fedora kernel: audit(1091689038.197:0): avc: denied { read write } for pid=1 exe=/sbin/init path=/dev/console dev=rootfs ino=5 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file Aug 5 06:58:02 fedora last message repeated 2 times Aug 5 06:58:02 fedora smartd[2124]: smartd version 5.30 Copyright (C) 2002-4 Bruce Allen Aug 5 06:58:02 fedora kernel: audit(1091689038.318:0): avc: denied { read } for pid=1 exe=/sbin/init path=/init dev=rootfs ino=14 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=file then, many, many like these (approx. 64 of them): Aug 5 06:58:02 fedora kernel: audit(1091689040.452:0): avc: denied { dac_read_search } for pid=397 exe=/bin/bash capability=2 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability Aug 5 06:58:02 fedora smartd[2124]: Configuration file /etc/smartd.conf parsed. Aug 5 06:58:02 fedora kernel: audit(1091689040.452:0): avc: denied { dac_read_search } for pid=411 exe=/bin/bash capability=2 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability Aug 5 06:58:02 fedora smartd[2124]: Device: /dev/hda, opened Aug 5 06:58:02 fedora kernel: audit(1091689040.452:0): avc: denied { dac_read_search } for pid=399 exe=/bin/bash capability=2 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability Aug 5 06:58:03 fedora smartd[2124]: Device: /dev/hda, found in smartd database. Aug 5 06:58:03 fedora kernel: audit(1091689040.452:0): avc: denied { dac_read_search } for pid=391 exe=/bin/bash capability=2 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability Aug 5 06:58:03 fedora kernel: audit(1091689040.453:0): avc: denied { dac_read_search } for pid=398 exe=/bin/bash capability=2 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability Aug 5 06:58:03 fedora kernel: audit(1091689040.453:0): avc: denied { dac_read_search } for pid=413 exe=/bin/bash capability=2 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability ..... Repeat of above while bringing up USB: Aug 5 06:58:07 fedora kernel: hub 1-0:1.0: 6 ports detected Aug 5 06:58:07 fedora kernel: audit(1091714243.675:0): avc: denied { dac_read_search } for pid=775 exe=/bin/bash capability=2 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability Aug 5 06:58:07 fedora kernel: ACPI: PCI interrupt 0000:00:03.0[A] -> GSI 5 (level, low) -> IRQ 5 Aug 5 06:58:07 fedora kernel: ohci_hcd 0000:00:03.0: OHCI Host Controller Aug 5 06:58:07 fedora kernel: ohci_hcd 0000:00:03.0: irq 5, pci mem 30848000 Aug 5 06:58:07 fedora kernel: hub 1-0:1.0: over-current change on port 3 Aug 5 06:58:07 fedora kernel: ohci_hcd 0000:00:03.0: new USB bus registered, assigned bus number 2 Aug 5 06:58:07 fedora kernel: hub 2-0:1.0: USB hub found Aug 5 06:58:07 fedora kernel: hub 2-0:1.0: 2 ports detected Aug 5 06:58:07 fedora kernel: audit(1091714244.021:0): avc: denied { dac_read_search } for pid=809 exe=/bin/bash capability=2 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability Aug 5 06:58:07 fedora kernel: audit(1091714244.036:0): avc: denied { dac_read_search } for pid=813 exe=/bin/bash capability=2 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability Aug 5 06:58:07 fedora kernel: ACPI: PCI interrupt 0000:00:03.1[B] -> GSI 11 (level, low) -> IRQ 11 This one also seems new....: Aug 5 06:58:07 fedora kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs Aug 5 06:58:07 fedora kernel: audit(1091714256.876:0): avc: denied { search } for pid=1476 exe=/sbin/pam_console_apply name=console dev=hda2 ino=4456494 scontext=system_u:system_r:pam_console_t tcontext=system_u:object_r:xdm_var_run_t tclass=dir Finally, some like this Aug 5 06:59:19 fedora udev[3632]: creating device node '/dev/mixer' Aug 5 06:59:19 fedora kernel: audit(1091714359.597:0): avc: denied { dac_read_search } for pid=3642 exe=/bin/bash capability=2 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability Aug 5 06:59:19 fedora kernel: audit(1091714359.607:0): avc: denied { dac_read_search } for pid=3644 exe=/bin/bash capability=2 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability Aug 5 06:59:19 fedora kernel: audit(1091714359.611:0): avc: denied { read write } for pid=3646 exe=/sbin/restorecon path=socket:[1168] dev=sockfs ino=1168 scontext=system_u:system_r:restorecon_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket Aug 5 06:59:19 fedora kernel: audit(1091714359.611:0): avc: denied { read write } for pid=3646 exe=/sbin/restorecon path=socket:[1225] dev=sockfs ino=1225 scontext=system_u:system_r:restorecon_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket Aug 5 06:59:19 fedora kernel: audit(1091714359.614:0): avc: denied { search } for pid=2754 exe=/usr/bin/dbus-daemon-1 name=console dev=hda2 ino=4456494 scontext=system_u:system_r:dbusd_t tcontext=system_u:object_r:xdm_var_run_t tclass=dir

19 years, 8 months

2
1
0 / 0

about a new policy file in SELinux!

by Sajed Miremadi

Hi, I have asked this question several times before but haven't got the answer I really want. I'll ask it again but more clearly: Does anybody ever write a new policy file except those which is defult in selinux(I mean those in /etc/security/selinux/src/policy/domains/program). When I say a policy file I mean the files with ".te". For example there are some for "ping","innd","tcpdump" and ... . If someone has a .te file with this condition, I would be very glad if he/she could send me that. thanx, Sajed

19 years, 8 months

4
4
0 / 0

file access audits (NISPOM Chapter 8)

by david colbert

Hello, Does anyone out there have policy config files that bring a Fedora Core 2 system into compliance with Chapter 8 of Defense Security Service's (DSS) National Industrial Security Program Operating Manual (NISPOM)? The gist of my problem is that I need to get more strict access and auditing of any attempted access to system files by non-root users. I am trying to get selinux to log every failed attempt of every non-root user to r/w/x all system files. I can get it working by commenting out the following line in /etc/security/selinux/src/policy/tunable.te: #define(`read_default_t') which gives users acess to all default files The problem is, it disallows access to all users, including root. This means that once I start enforcing, I have to reboot into single user mode to make any system changes as root. I need something which leaves sysadmin alone and only sets restrictions and audits on staff and users (or just users). With the above line still commented out, I tried inserting the following lines in /etc/security/selinux/src/policy/domains/admin.te to open the system files bacck up to root again: general_file_read_access(sysadmin_t) general_file_write_access(sysadmin_t) general_domain_access(sysadmin_t) (Found in the "Configuring the SELinux Policy" doc by Smalley) However, the read and write access lines generated syntax errors when I tried to make the new policy. Anyone know what I am doing wrong? Version mismatch? Mutually exclusive parameters? Anyone actually know how to do what I am trying to do? I am new to selinux, so I am hoping that I am just missing something obvious. Also, is there any other documentation besides the pdf's on the NSA site? Thanks in Advance, David Colbert __________________________________ Do you Yahoo!? Yahoo! Mail Address AutoComplete - You start. We finish. http://promotions.yahoo.com/new_mail

19 years, 8 months

3
2
0 / 0

cups... new avcs?

by Tom London

I noticed what I think are new avcs coming from starting cups: Aug 1 13:49:59 fedora kernel: audit(1091393399.153:0): avc: denied { write } for pid=2117 exe=/usr/bin/python name=util dev=hda2 ino=4309019 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=dir Aug 1 13:49:59 fedora kernel: audit(1091393399.432:0): avc: denied { write } for pid=2117 exe=/usr/bin/python name=util dev=hda2 ino=4309019 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=dir ino#4309019 is /usr/share/printconf/util (not sure why cups wants to write there ....) tom

19 years, 8 months

3
4
0 / 0

gnome settings manager failure.... (X0?)

by Tom London

Running strict/enforcing off of Rawhide, I now get a error window popping up on graphical login saying that the Gnome settings manager can't start. Here is the only avc that looks even close.... Aug 1 13:51:02 fedora kernel: audit(1091393462.647:0): avc: denied { write } for pid=3366 exe=/usr/X11R6/bin/xscreensaver name=X0 dev=hda2 ino=4657817 scontext=user_u:user_r:user_screensaver_t tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file When I try this in permissive mode, I get: Aug 1 14:28:10 fedora kernel: audit(1091395690.098:0): avc: denied { search } for pid=4015 exe=/usr/X11R6/bin/xscreensaver name=run dev=hda2 ino=4456484 scontext=user_u:user_r:user_screensaver_t tcontext=system_u:object_r:var_run_t tclass=dir Aug 1 14:28:10 fedora kernel: audit(1091395690.114:0): avc: denied { write } for pid=4015 exe=/usr/X11R6/bin/xscreensaver name=X0 dev=hda2 ino=4657817 scontext=user_u:user_r:user_screensaver_t tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file Not sure if this is connected. Is there a know problem, or should I do the 'enableaudit' thing? tom

19 years, 8 months

1
1
0 / 0

install of dev-3.8.3-1.i386 fails w/ strict/enforcing

by Tom London

Attempting to 'yum update' to dev-3.8.3-1.i386 from dev-3.8.2-1 produces: dev 100 % done 50/101 error: unpacking of archive failed: cpio: lstat and the update fails. No avc's in log. Rerunning 'yum update dev' in permissive mode succeeds. Avc's from permissive mode run: Jul 31 10:56:04 fedora kernel: audit(1091296564.101:0): avc: denied { getattr } for pid=9419 exe=/usr/bin/python path=/dev/dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied { search } for pid=9421 exe=/usr/sbin/groupadd name=selinux dev=hda2 ino=4509743 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=dir Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied { read } for pid=9421 exe=/usr/sbin/groupadd name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file Jul 31 10:56:19 fedora kernel: audit(1091296579.902:0): avc: denied { getattr } for pid=9421 exe=/usr/sbin/groupadd path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file Jul 31 10:56:20 fedora kernel: audit(1091296580.078:0): avc: denied { search } for pid=9422 exe=/usr/sbin/useradd name=run dev=hda2 ino=4456484 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:var_run_t tclass=dir Jul 31 10:56:29 fedora kernel: audit(1091296589.978:0): avc: denied { relabelfrom } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir Jul 31 10:56:29 fedora kernel: audit(1091296589.979:0): avc: denied { relabelto } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir Jul 31 10:56:30 fedora kernel: audit(1091296590.011:0): avc: denied { setattr } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir Jul 31 10:56:30 fedora kernel: audit(1091296590.017:0): avc: denied { search } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir Jul 31 10:56:30 fedora kernel: audit(1091296590.083:0): avc: denied { write } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir Jul 31 10:56:30 fedora kernel: audit(1091296590.083:0): avc: denied { add_name } for pid=9419 exe=/usr/bin/python name=card0;410bdd3f scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir Jul 31 10:56:30 fedora kernel: audit(1091296590.136:0): avc: denied { remove_name } for pid=9419 exe=/usr/bin/python name=card0;410bdd3f dev=hda2 ino=2689465 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir Jul 31 10:57:49 fedora kernel: audit(1091296669.135:0): avc: denied { search } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir Jul 31 10:57:49 fedora kernel: audit(1091296669.136:0): avc: denied { getattr } for pid=9419 exe=/usr/bin/python path=/dev/dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir Audit2allow on the above produces: allow groupadd_t selinux_config_t:dir { search }; allow groupadd_t selinux_config_t:file { getattr read }; allow rpm_t dri_device_t:dir { add_name getattr relabelfrom relabelto remove_name search setattr write }; allow useradd_t var_run_t:dir { search }; Hope this helps, tom

19 years, 9 months

2
1
0 / 0

Re: rhgb....still no graphical boot when strict/enforcing

by Tom London

Hey, now we're talking.... A security related performance speedup! ;) tom > ------------------------------------------------------------------------ > > * /From/: Stephen Smalley <sds epoch ncsc mil> > > ------------------------------------------------------------------------ > >On Sat, 2004-07-31 at 16:48, Tom London wrote: >> I'm still getting only text-based boots when running with strict/enforcing, >> but graphical boots if I set 'enforcing=0' > >That's a feature, not a bug ;) > >-- >Stephen Smalley <sds epoch ncsc mil> >National Security Agency > > >

19 years, 9 months

1
0
0 / 0

rhgb....still no graphical boot when strict/enforcing

by Tom London

I'm still getting only text-based boots when running with strict/enforcing, but graphical boots if I set 'enforcing=0' Here are entries from the log from a strict/enforcing boot: Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev sockfs, type sockfs), uses task SIDs Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev proc, type proc), uses genfs_contexts Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts Jul 31 11:16:23 fedora kernel: audit(1091272545.625:0): avc: denied { mounton } for pid=533 exe=/usr/bin/rhgb path=/initrd dev=ram0 ino=2 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:file_t tclass=dir Jul 31 11:16:23 fedora kernel: audit(1091272545.625:0): avc: denied { sys_admin } for pid=533 exe=/usr/bin/rhgb capability=21 scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t tclass=capability Here are log entries from an 'enforcing=0' boot: Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev sockfs, type sockfs), uses task SIDs Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev proc, type proc), uses genfs_contexts Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts Jul 29 20:40:38 fedora kernel: audit(1091133597.795:0): avc: denied { mounton } for pid=533 exe=/usr/bin/rhgb path=/initrd dev=ram0 ino=2 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:file_t tclass=dir Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts Jul 29 20:40:38 fedora kernel: audit(1091133597.795:0): avc: denied { mount } for pid=533 exe=/usr/bin/rhgb name=/ dev=ramfs ino=1291 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:ramfs_t tclass=filesystem Jul 29 20:40:38 fedora kernel: audit(1091133598.713:0): avc: denied { search } for pid=534 exe=/usr/bin/rhgb name=run dev=hda2 ino=4456484 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:var_run_t tclass=dir tom

19 years, 9 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux August 2004