/dev/dri/* and SE Linux
by Russell Coker
In the latest CVS SE Linux policy xserver_macros.te has:
# Create and access /dev/dri devices.
allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
allow $1_xserver_t dri_device_t:chr_file create_file_perms;
[...]
# Do not flood audit logs due to device node creation attempts.
dontaudit $1_xserver_t device_t:chr_file create;
[...]
allow $1_xserver_t device_t:dir { create };
It seems that the first and second sections don't work well together. Since
we changed /dev/dri to have type device_t instead of dri_device_t it seems
that attempts to create /dev/dri/whatever will be permitted on the
device_t:dir access but dontaudit'd on the device_t:chr_file access.
Does it even make sense to allow creating device nodes under /dev/dri now that
we have udev doing so much? Can't udev do this for us?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
SELinux & apache/httpd access to /home/*/www
by Cream
Hello,
My problem is this:
I host some small PHP & MySQL websites for friends and family; they have
their VirtualHost DocumentRoots in "/home/[name]/www" (and this is working
fine with SELinux disabled).
I am running SELinux with SELINUX=enforcing, SELINUXTYPE=targeted.
SELinux seems to be blocking httpd from accessing /home/name/www,
at least when trying to start apache it complains:
Starting httpd: Warning: DocumentRoot [/home/xxxxxx/www] does not exist
Warning: DocumentRoot [/home/yyyyy/www] does not exist
[FAILED]
(The non virtualhost root in /var/www/html works fine, but if moved to
/home/xxxxxx/www it fails)
/etc/selinux/targeted/contexts/files/file_contexts contains:
# apache
/home/[^/]+/((www)|(web)|(public_html))(/.+)?	system_u:object_r:httpd_user_content_t
Which to me would seem to match the /home/[name]/www
(I have tried upgrading to selinux-policy-targeted-1.17.12-1, but it
didn't fix the problem)
(I have the individual logfiles in /home/[name]/log, which probably
presents another problem.)
I don't quite understand the quirks of SELinux, so I'd certainly
appreciate some direction.
Regards
Kris
PS. If what I'm asking is simple, please bear with me; I installed
Fedora Core 3 test1 only 2 days ago, and it's my first experience with
SELinux (I spent most of yesterday googling for answers to my problem
and reading up on SELinux permissions, without learning much.)
PPS. Does anyone have context files for Qmail / QmailAdmin / SQWebmail /
Vpopmail / courier-imap / Qmail-Scanner / SpamAssassin / ClamAV / maildrop
/ daemontools / ucspi-tcp-0.88 (tcpserver) / ezmlm? :) (I wouldn't mind
building them if I could only figure out how.)
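A small matchpathcon-style lookup, added here as an illustration and not part of Kris's post or of the Fedora policy: it loads a constructed file_contexts fragment (the quoted apache entry plus a generic home-directory entry assumed for contrast) and reports which context each path would receive, which shows that /home/[name]/www is covered by the apache entry while /home/[name]/log is not.

```python
import re

# Constructed file_contexts fragment: the second entry is the one quoted in the
# post; the generic home-directory entry before it is assumed here so that the
# ordering rule has something to override.
FILE_CONTEXTS = """
/home/[^/]+(/.+)?                                 system_u:object_r:user_home_t
# apache
/home/[^/]+/((www)|(web)|(public_html))(/.+)?     system_u:object_r:httpd_user_content_t
"""

def load_specs(text):
    """Parse 'regex [filetype] context' lines. setfiles anchors each regex at
    both ends, so a bare '/home/[^/]+' matches the directory, not its contents."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        ftype = parts[1] if len(parts) == 3 else None  # e.g. "--" or "-d"
        specs.append((re.compile("^" + parts[0] + "$"), ftype, parts[-1]))
    return specs

def matchpathcon(specs, path):
    """Return the context the last matching entry assigns (later entries take
    precedence, which is why the specific apache entry follows the generic
    one), or None when no entry covers the path."""
    for regex, _ftype, context in reversed(specs):
        if regex.match(path):
            return context
    return None

def report(specs, paths):
    """Map each path to its context, or to 'unlabelled-by-policy' when none."""
    return {p: matchpathcon(specs, p) or "unlabelled-by-policy" for p in paths}

SAMPLE_PATHS = [
    "/home/kris/www",             # the DocumentRoot from the post
    "/home/kris/www/index.php",   # content beneath it
    "/home/kris/log/access_log",  # the per-site log directory the post mentions
    "/var/www/html",              # not covered by this fragment at all
]
```

Note that the lookup only says what label the policy intends for a path; whether the files on disk actually carry that label is a separate question, answered by ls -Z or by relabelling them.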
cups, /dev/fd
by Tom London
Running strict/enforcing, latest from Dan's tree.
Printing (say, from openoffice) yields:
Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc: denied { read } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t tclass=lnk_file
Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc: denied { read } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t tclass=lnk_file
inode 2794 is /dev/fd.
Make sense to add?
dontaudit cupsd_t device_t:lnk_file { read };
tom
Bug in audit2allow?
by Cream
I think I found a bug in audit2allow when parsing this line:
Sep 15 21:10:45 DONut kernel: audit(1095275445.237:0): avc: denied { write } for pid=3463 exe=/usr/sbin/httpd path=/home/iced/www/thumbs/albums/Iced does Greece/parga2003-1 019.jpg dev=hda2 ino=1459429 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_user_content_t tclass=file
(running in permissive mode)
it turns it into this:
allow httpd_t httpd_user_content_t:dir { add_name create write };
#EXE=/usr/sbin/httpd NAME=albums : write
#EXE=/usr/sbin/httpd NAME=Iced : add_name
#EXE=/usr/sbin/httpd NAME=Iced : create
#EXE=/usr/sbin/httpd NAME=Iced : write
#EXE=/usr/sbin/httpd NAME=parga2003-1 : add_name
as you can see, the spaces in the dir name seem to cause problems.
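An added example, not code from the post or from audit2allow itself: the constructed AVC record below is modelled on the one quoted in the post, and the two parsers show why a plain whitespace split truncates a path that contains spaces, while anchoring on the key= positions keeps the path intact and yields a rule for the file class that the denial actually names.

```python
import re

# Constructed AVC record modelled on the one quoted in the post, rejoined onto
# one line; the denied path contains two spaces.
AVC_LINE = (
    "Sep 15 21:10:45 DONut kernel: audit(1095275445.237:0): avc: denied "
    "{ write } for pid=3463 exe=/usr/sbin/httpd "
    "path=/home/iced/www/thumbs/albums/Iced does Greece/parga2003-1 019.jpg "
    "dev=hda2 ino=1459429 scontext=root:system_r:httpd_t "
    "tcontext=root:object_r:httpd_user_content_t tclass=file"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")  # start of a key=value field

def naive_parse(line):
    """Whitespace split: tokens without '=' are dropped, so a value containing
    spaces is silently cut at its first space (the behaviour reported above)."""
    m = AVC_RE.search(line)
    fields = {}
    for tok in m.group(2).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
    return m.group(1).split(), fields

def parse_avc(line):
    """Anchor on key= positions; each value runs up to the next key, so spaces
    inside a path survive. A value containing ' word=' would still confuse
    this, which is why later kernels hex-encode such untrusted strings."""
    m = AVC_RE.search(line)
    if not m:
        return None
    tail = m.group(2)
    keys = list(KEY_RE.finditer(tail))
    fields = {}
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(tail)
        fields[km.group(1)] = tail[km.end():end].strip()
    return m.group(1).split(), fields

def allow_rule(perms, fields):
    """The allow rule audit2allow would emit for one parsed denial; a starting
    point for policy review, not something to load unexamined."""
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return "allow %s %s:%s { %s };" % (stype, ttype, fields["tclass"],
                                       " ".join(sorted(perms)))
```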
haldaemon, run_init
by Tom London
Running strict/enforcing w/ latest from Dan's tree.
When haldaemon starts:
Sep 16 07:52:29 fedora haldaemon: haldaemon startup succeeded
Sep 16 07:52:30 fedora fstab-sync[3132]: removed all generated mount points
Sep 16 07:52:30 fedora kernel: audit(1095346350.044:0): avc: denied { execute } for pid=3134 exe=/usr/sbin/hald name=bash dev=hda2 ino=229395 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:shell_exec_t tclass=file
Sep 16 07:52:30 fedora mdmonitor: mdadm startup succeeded
Believe the AVC is generated when hald tries to run hal_lpadmin from
/etc/hal/device.d/printer_remove.hal
When I put the system into permissive mode and restart haldaemon, I get
(sorry for running this as root, but run_init seems busted:
Sep 16 11:03:12 fedora kernel: audit(1095357792.163:0): avc: denied { use } for pid=4262 exe=/usr/sbin/run_init path=/dev/pts/2 dev=devpts ino=4 scontext=root:sysadm_r:run_init_t tcontext=user_u:user_r:user_t tclass=fd
Sep 16 11:03:12 fedora last message repeated 2 times
Sep 16 11:03:12 fedora run_init(pam_unix)[4262]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
)
Here are the permissive AVCs:
Sep 16 10:44:43 fedora kernel: audit(1095356683.853:0): avc: denied { relabelfrom } for pid=8333 exe=/usr/sbin/fstab-sync name=fstab dev=hda2 ino=4475247 scontext=root:system_r:updfstab_t tcontext=root:object_r:etc_t tclass=file
Sep 16 10:44:43 fedora kernel: audit(1095356683.854:0): avc: denied { relabelto } for pid=8333 exe=/usr/sbin/fstab-sync name=fstab dev=hda2 ino=4475247 scontext=root:system_r:updfstab_t tcontext=system_u:object_r:etc_t tclass=file
Sep 16 10:44:43 fedora fstab-sync[8333]: removed all generated mount points
Sep 16 10:44:43 fedora kernel: audit(1095356683.893:0): avc: denied { execute } for pid=8335 exe=/usr/sbin/hald name=bash dev=hda2 ino=229395 scontext=root:system_r:hald_t tcontext=system_u:object_r:shell_exec_t tclass=file
Sep 16 10:44:43 fedora kernel: audit(1095356683.894:0): avc: denied { read } for pid=8335 exe=/usr/sbin/hald path=/bin/bash dev=hda2 ino=229395 scontext=root:system_r:hald_t tcontext=system_u:object_r:shell_exec_t tclass=file
Sep 16 10:44:43 fedora kernel: audit(1095356683.899:0): avc: denied { execute } for pid=8336 exe=/bin/bash name=hal_lpadmin dev=hda2 ino=278545 scontext=root:system_r:hald_t tcontext=system_u:object_r:sbin_t tclass=file
Sep 16 10:44:43 fedora kernel: audit(1095356683.900:0): avc: denied { execute_no_trans } for pid=8336 exe=/bin/bash path=/usr/sbin/hal_lpadmin dev=hda2 ino=278545 scontext=root:system_r:hald_t tcontext=system_u:object_r:sbin_t tclass=file
Sep 16 10:44:43 fedora kernel: audit(1095356683.900:0): avc: denied { read } for pid=8336 exe=/bin/bash path=/usr/sbin/hal_lpadmin dev=hda2 ino=278545 scontext=root:system_r:hald_t tcontext=system_u:object_r:sbin_t tclass=file
Sep 16 10:44:44 fedora kernel: audit(1095356684.672:0): avc: denied { search } for pid=8381 exe=/usr/libexec/hal-hotplug-map name=hotplug dev=hda2 ino=4472955 scontext=root:system_r:hald_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Sep 16 10:44:44 fedora kernel: audit(1095356684.674:0): avc: denied { read } for pid=8381 exe=/usr/libexec/hal-hotplug-map name=usb.usermap dev=hda2 ino=4474609 scontext=root:system_r:hald_t tcontext=system_u:object_r:hotplug_etc_t tclass=file
Sep 16 10:44:44 fedora kernel: audit(1095356684.674:0): avc: denied { getattr } for pid=8381 exe=/usr/libexec/hal-hotplug-map path=/etc/hotplug/usb.usermap dev=hda2 ino=4474609 scontext=root:system_r:hald_t tcontext=system_u:object_r:hotplug_etc_t tclass=file
Sep 16 10:44:45 fedora kernel: audit(1095356685.450:0): avc: denied { use } for pid=8430 exe=/bin/mount path=pipe:[13184] dev=pipefs ino=13184 scontext=user_u:user_r:user_mount_t tcontext=system_u:system_r:xdm_t tclass=fd
Sep 16 10:44:45 fedora kernel: audit(1095356685.450:0): avc: denied { write } for pid=8430 exe=/bin/mount path=pipe:[13184] dev=pipefs ino=13184 scontext=user_u:user_r:user_mount_t tcontext=system_u:system_r:xdm_t tclass=fifo_file
Sep 16 10:44:46 fedora kernel: audit(1095356686.042:0): avc: denied { execute } for pid=8330 exe=/usr/sbin/hald name=printer_update.hal dev=hda2 ino=280646 scontext=root:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=file
Sep 16 10:44:46 fedora kernel: audit(1095356686.075:0): avc: denied { read write } for pid=8330 exe=/usr/sbin/hald name=lp0 dev=tmpfs ino=6883 scontext=root:system_r:hald_t tcontext=system_u:object_r:printer_device_t tclass=chr_file
Sep 16 10:44:46 fedora kernel: audit(1095356686.121:0): avc: denied { execute_no_trans } for pid=8479 exe=/usr/sbin/hald path=/etc/hal/capability.d/printer_update.hal dev=hda2 ino=280646 scontext=root:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=file
Sep 16 10:44:46 fedora kernel: audit(1095356686.140:0): avc: denied { ioctl } for pid=8479 exe=/bin/bash path=/etc/hal/capability.d/printer_update.hal dev=hda2 ino=280646 scontext=root:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=file
Problems with NFS
by Christopher R. Swope
Hi all,
I have a little linux box which I pretty much use as a firewall box. I
also use it as a server, because I have too many hard drives.
I just enabled SELinux on it, using the instructions found on the Fedora
page. Most things went fine, but I am having some trouble using files
that I export over NFS.
The directory at issue is a directory that I use for development (for
homework). I have regular executable files (that are compiled from C++
source code), and perl scripts in this directory. I can't run either,
as I get a permission denied error message. I tried to do the
relabeling thing, and also deleting the files and rebuilding them, but
to no avail.
I know nothing about SELinux other than what I read on the Fedora page.
Can someone please tell me how to fix this problem?
Thanks,
Christopher
firefox and /usr/tmp
by Tom London
When firefox starts it seems to access /usr/tmp:
Sep 14 09:35:49 fedora kernel: audit(1095179749.095:0): avc: denied { read } for pid=4728 exe=/usr/lib/firefox-0.9.3/firefox-bin name=tmp dev=hda2 ino=4112460 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:tmp_t tclass=lnk_file
dontaudit, e.g.?
dontaudit $1_mozilla_t tmp_t:lnk_file read;
--
Tom London
dumb question / idea
by josh baverstock
I must first admit that I am new to Linux; I am not qualified to suggest a
feature, so please consider this a question.
IF it's true that when SELinux is fully enabled the restrictions can cause
some problems when programs do things they are supposed to do but normally
don't, THEN I have an idea.
What if an intrusion detection system were to inform the SELinux server that
an intrusion is likely happening, which triggers a change from
non-enforcement mode to enforcement mode?
Would this "raise the shields" method be useful for situations where
enforcement mode just isn't right, or is this more of a fundamental
misunderstanding on my part of how SELinux works...?
I think in the future this NSA project will be an example of the government
receiving a 100-fold return on their investment, even considering that
SELinux isn't likely to be used in classified systems.
SELinux Enabled - Can't mount SMB shares
by Vamsee Krishna Gomatam
Hello,
I've enabled SELinux on my machine running FC2. Everything went well
and I didn't get any "avc: denied" messages after I did a "relabel"
and reboot. But now, I can't mount any SMB shares. I'm able to give
the login and password for mounting and it seems to work. But then, I
can't access those mounted drives. What is going wrong? This is my
first time with SELinux.
regards,
GVK
--
Real programmers don't work 9 to 5. If any real programmers are around
at 9, it's because they were up all night
tmpfs /dev
by Russell Coker
I have got a working system with tmpfs /dev and with udev in the initrd. I
modified /sbin/init to run the following script immediately after loading the
policy:
#!/bin/sh
. /etc/selinux/config
/sbin/setfiles-mine /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts /dev
Naturally we need to change the location of setfiles to /sbin from /usr/sbin
if this is the solution we choose as this script will run before any file
systems are mounted.
Below is the policy I added. I had already changed the type declarations to
use the dev_filesystem attribute for everything that may occur under /dev
(patch sent to the main SE Linux list). I have setfiles being run as
kernel_t because I feel that running setfiles as kernel_t is better than
granting setfiles_t more access than is otherwise required. This means that
I have to grant kernel_t access to relabel the device nodes, no big deal IMHO
as kernel_t generally has ultimate access anyway.
I relabeled /sbin/MAKEDEV as udev_exec_t so that it runs as udev_t when run
from /sbin/start_udev and can do the things that it wants to do. This is a
minor hack. Maybe it would be better to label /sbin/start_udev as
udev_exec_t? That would remove the need to allow initrc_t to create
sym-links under /dev.
avc: denied { getattr } for pid=1641 exe=/sbin/lvm.static path=/sbin/MAKEDEV dev=dm-0 ino=196261 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:udev_exec_t tclass=file
Why does lvm.static want to stat /sbin/MAKEDEV? Seems strange to me.
Below is the policy I wrote to allow tmpfs /dev and udev in initrd. I haven't
split it into all the relevant .te files because it's still an experiment at
this stage. After some discussion I'll produce a release version.
# for tmpfs /dev
allow dev_filesystem tmpfs_t:filesystem associate;
allow kernel_t tmpfs_t:chr_file rw_file_perms;
allow kernel_t tmpfs_t:{ dir file lnk_file chr_file blk_file } { getattr relabelfrom };
allow kernel_t device_t:{ dir lnk_file chr_file blk_file } relabelto;
allow kernel_t device_type:{ chr_file blk_file } relabelto;
allow kernel_t udev_tbl_t:file relabelto;
can_exec(kernel_t, { sbin_t setfiles_exec_t })
# for /dev/pts on tmpfs
allow mount_t tmpfs_t:dir mounton;
# for /sbin/MAKEDEV - why?
allow lvm_t udev_exec_t:file getattr;
# allow /sbin/start_udev to run ln
allow initrc_t device_t:lnk_file create_lnk_perms;