default deny for unconfined_t using targeted?
by Steve Brueckner
Can anyone tell me if there is a way to use SELinux under the targeted
policy to enforce a default deny rule that prevents all processes from
accessing the network? That is to say, all types including unconfined_t may
not access eth0, with just a few excepted types that are allowed to network?
I'm trying to lock down a system from the inside without having to deal with
the strict policy.
Thanks,
Stephen Brueckner, ATC-NY
18 years
SELinux and Big Brother
by Stephen Walton
I just got Big Brother working on Fedora Core 4 with SELinux enabled.
The key steps:
1. With SELinux turned on, apache adamantly refuses to follow symbolic
links, even if FollowSymLinks is set in httpd.conf. (Is this a bug?) The
only workaround I've been able to find is a bind mount:
# mkdir /var/www/html/bb
# mount -o bind /home/bb/bb/www /var/www/html/bb
2. Change the context:
# chcon -R -h -t httpd_user_content_t /home/bb/bb/www
3. Change the two 'mv' commands in bb-display.sh to 'cp' commands so
that the contexts get preserved when the page is regenerated.
Of course in the above I'm assuming DocumentRoot in apache is set to
/var/www/html and that your Big Brother server files are in
/home/bb/bb. Change as appropriate for your setup.
18 years
selinux-policy-targeted-2.0.0-1 is very raw
by Nicolas Mailhot
Hi,
Is selinux-policy-targeted-2.0.0-1 really ready for use? Basic stuff
like udev access to /dev/.udevdb and su seems to be blocked.
Regards,
--
Nicolas Mailhot
18 years
Is this a place for stupid user questions?
by Craig White
If not, please ignore this question.
If so...
CentOS 4.2 (recently updated from CentOS 4.1)
I am getting tons of these messages since I updated to 4.2
Nov 12 12:21:39 srv1 dbus: Can't send to audit system: USER_AVC pid=2839
uid=81 loginuid=-1 message=avc: denied { send_msg } for
scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:initrc_t
tclass=dbus
Now I can see this process...
# ps aux|grep 2839
dbus 2839 0.0 0.3 16168 1888 ? Ssl Nov11 0:13 dbus-daemon-1 --system
root 17173 0.0 0.1 3748 668 pts/2 S+ 12:22 0:00 grep 2839
but I'm wondering how do I fix selinux so that it doesn't 'deny' this?
I have 'relabeled' the system during a reboot but nothing changed.
I haven't done that much to the system except that I have compiled and
installed my own appletalk and megaraid kernel modules and perhaps they
are the cause.
I have read through the SELinux documentation in both the RHEL & Fedora
SELinux guides and am apparently lacking the smarts to get it.
Thanks
Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
18 years
Seaudit in fedora Core 4
by Ma. Alejandra Castillo
I am using the seaudit tool in Fedora Core 4, but the host and
executable fields always appear empty, which is very strange. I am
loading /var/log/audit.log; any suggestion so that these fields
appear?
Regards
--
Ma. Alejandra Castillo M.
18 years
Auditing file access
by Eric Howard
Following up on some instructions I found in the list archives (posted by Stephen Smalley), I set up the following policy (local.te) for a stock RHEL AS 4 build (using the targeted policy source)
# Allow all user domains to create and modify these files.
allow userdomain audited_file_t:dir create_dir_perms;
allow userdomain audited_file_t:{ file lnk_file } create_file_perms;
# Audit all accesses by user domains to these files.
auditallow userdomain audited_file_t:{ dir file lnk_file } *
I also set my grub.conf to set audit=1 and also set 'auditctl -e 1'
I created a directory off of root called /testdir and assigned it the following context: user_u:object_r:audited_file_t
I was hoping that all file activity in this directory would be logged but this does not seem to be happening. Is there something I am missing?
Thanks!
Eric Howard
18 years
No more selinux-policy-targeted?
by Tom London
Noticed in today's rawhide updates that selinux-policy-targeted is to
be deleted, apparently replaced by selinux-policy.
Besides punning the package name, any changes to be aware of?
thanks,
tom
--
Tom London
18 years
SELinux silently disabled on boot under 2.6.14/2.6.14.2 on FC3 system ?
by rhp
12-nov-05
Hello:
I have a FC3 box which requires compiling the kernel from source to accommodate
acpi & ec.c related hardware quirks (it's a generic laptop).
When compiling & installing the latest kernels, I have discovered an apparent
problem with both the 2.6.14 & 2.6.14.2 kernels and SELinux.
After compiling these kernels, SELinux is silently disabled on boot;
e.g.:
sestatus shows SELinux as disabled regardless of /etc/selinux/config
being set for 'Permissive-targeted'.
ps -Z & ls -Z show no xattributes but return these values/messages:
torus:~/selinux/kernel-tests> ps -Z
LABEL PID TTY TIME CMD
kernel 3979 pts/6 00:00:00 tcsh
kernel 4005 pts/6 00:00:00 ps
torus:~/selinux/kernel-tests> ls -Z
Sorry, this option can only be used on a SELinux kernel.
dmesg does not have any further SELinux entries after these four:
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary module capability
SELinux: Registering netfilter hooks
nor are there any error messages in /var/log/messages.
Kernels built from the 2.6.13.4 & 2.6.12-1.1381_FC3, source trees both work
normally with regard to SELinux.
After a comparison of the '.config' files from the related builds,
I've noticed that the 2.6.14 and 2.6.14.2 kernels no longer support
extended attributes for the pseudo filesystems, while the 2.6.13.4 and
2.6.12-1.1381_FC3 kernels do support the extended attributes, this is
the only significant difference I could find between these kernels'
'.config' files.
i.e. Referring to 'make xconfig': in linux-2.6.14/linux-2.6.14.2 these
two filesystems no longer exist:
'Pseudo Filesystems -> /dev/pts Extended Attributes -> /dev/pts Security Labels'
'Pseudo Filesystems -> Virtual memory file system support -> tmpfs Extended Attributes -> tmpfs Security Labels'.
Note these error messages were returned when using the '.config' from 2.6.13.4
as a starting point for the '.config' in the 2.6.14/2.6.14.2 trees:
/boot/config-2.6.13.4:2649: trying to assign nonexistent symbol DEVPTS_FS_XATTR
/boot/config-2.6.13.4:2650: trying to assign nonexistent symbol
DEVPTS_FS_SECURITY
The Help sections for these options from the 2.6.13.4 kernel indicate these are
used by SELinux:
Help for /dev/pts Security Labels (DEVPTS_FS_SECURITY)
"Security labels support alternative access control models
implemented by security modules like SELinux. This option
enables an extended attribute handler for file security
label in the /dev/pts filesystem.
If you are not using a security module that requires using
extended attributes for file security labels, say N."
Help for tmpfs Security Labels (TMPFS_SECURITY)
"Security labels support alternative access control models
implemented by security modules like SELinux. This option
enables an extended attribute handler for file security
labels in the tmpfs filesystem.
If you are not using a security module that requires using
extended attributes for file security labels, say N."
I would like to stress that _All_ previous 2.6 kernels that I have
tried prior to 2.6.14 work as expected with regard to SELinux.
Has there been a change to SELinux in the FC4 tree but not in the FC3
tree which anticipated this disappearance of the extended attributes
in the 2.6.14 kernel's pseudo filesystems - or am I on the wrong track?
Here is my current selinux configuration:
selinux-doc-1.14.1-1
selinux-policy-targeted-sources-1.17.30-3.16
libselinux-1.23.10-2
libselinux-devel-1.23.10-2
selinux-policy-targeted-1.17.30-3.16
setools-gui-2.1.1-2
setools-2.1.1-2
checkpolicy-1.23.1-1
I intend to upgrade to FC4/FC5 when I can get the disks, and wonder if
the problem could be due to subtle conflicts in the above configuration
rather than the disappearance of the extended attributes in the pseudo
filesystems in the 2.6.14 kernel series.
Thank you,
Brgds
Bob
--
rhp.lpt(a)gmail.com
18 years
simplified question
by Craig White
I have selinux-targeted-policy-sources installed.
I am trying to make entries that fix these two errors
in /etc/selinux/targeted/src/policy/domains/local.te
#1
Nov 14 10:43:14 srv1 dbus: Can't send to audit system: USER_AVC pid=3024
uid=81 loginuid=-1 message=avc: denied { send_msg } for
scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:initrc_t
tclass=dbus
#2
Nov 14 10:43:14 srv1 kernel: audit(1131990194.347:11): avc: denied
{ connectto } for pid=2941 comm="httpd" name="mysql.sock"
scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:initrc_t
tclass=unix_stream_socket
Can anyone tell me what might work here? This doesn't work...
# cat /etc/selinux/targeted/src/policy/domains/local.te
## http to mysql
allow httpd_t var_t:sock_file write;
allow httpd_t unconfined_t:unix_stream_socket connectto;
I need selinux for dummies - any thoughts where I can find such info if
not here?
Thanks
Craig
18 years
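Added example (not code from any post on this page): a small Python parser for AVC records like the two quoted in the post above. It derives the allow rule from the record's own scontext/tcontext types, the way audit2allow does, which is what shows the target for the httpd denial is initrc_t rather than unconfined_t; it also picks out the "granted" records that an auditallow rule such as the one in Eric Howard's post writes to the log. The sample log is constructed from the lines above plus one made-up granted record; the field names and helper functions are this example's own.

```python
import re

# Constructed sample log: lines 1-2 are the denials quoted in the post above (re-joined
# onto single lines); line 3 is a made-up "granted" record of the kind auditallow emits.
SAMPLE_LOG = """\
Nov 14 10:43:14 srv1 dbus: Can't send to audit system: USER_AVC pid=3024 uid=81 loginuid=-1 message=avc: denied { send_msg } for scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus
Nov 14 10:43:14 srv1 kernel: audit(1131990194.347:11): avc: denied { connectto } for pid=2941 comm="httpd" name="mysql.sock" scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:initrc_t tclass=unix_stream_socket
Nov 14 10:50:02 srv1 kernel: audit(1131990602.118:12): avc: granted { read write } for pid=3102 comm="vi" name="notes.txt" scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:audited_file_t tclass=file
"""

# Matches both the kernel form ("audit(...): avc: ...") and the dbus USER_AVC form ("message=avc: ...").
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one kernel or USER_AVC syslog line into a dict; None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type[:level]; a TE rule only needs the type field.
    return {"verdict": m.group("verdict"), "perms": tuple(m.group("perms").split()),
            "stype": kv["scontext"].split(":")[2], "ttype": kv["tcontext"].split(":")[2],
            "tclass": kv["tclass"], "comm": kv.get("comm", "")}

def te_rule(stype, ttype, tclass, perms):
    """Render an allow rule in audit2allow style (braces only for several permissions)."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"

def needed_rules(log):
    """One allow rule per (source type, target type, class) covering every denial in the log.
    The target type is read from tcontext, so a hand-written rule against the wrong type cannot slip in."""
    merged = {}
    for line in log.splitlines():
        avc = parse_avc(line)
        if avc and avc["verdict"] == "denied":
            merged.setdefault((avc["stype"], avc["ttype"], avc["tclass"]), set()).update(avc["perms"])
    return [te_rule(s, t, c, p) for (s, t, c), p in sorted(merged.items())]

def audited_accesses(log):
    """Accesses recorded because an auditallow rule matched: (comm, target type, perms)."""
    return [(a["comm"], a["ttype"], a["perms"]) for a in map(parse_avc, log.splitlines())
            if a and a["verdict"] == "granted"]
```

Each generated rule still needs a policy review before it goes into local.te; the script only shows which types and classes the denial actually names.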
Apache, Virtual Servers and SELinux
by Michael Shaw
Hi all,
I installed Apache on an FC4 machine, and I was trying to get Virtual
servers working. To do so, I had the following name based virtual
servers. I placed the following directives (among others) in my
httpd.conf file:
~~~~~~~~~~~~
# Virtual host default
<VirtualHost 192.168.1.25>
ServerName default
DocumentRoot "/var/www/html"
DirectoryIndex index.php index.html index.htm index.shtml
LogLevel debug
HostNameLookups off
</VirtualHost>
# Virtual host michael
<VirtualHost 192.168.1.25>
ServerAdmin mshaw(a)dowco.com
DocumentRoot /home/michael/public_html/www
ServerName michael
DirectoryIndex index.html index.php
</VirtualHost>
<Directory "/var/www/html">
Options Indexes Includes FollowSymLinks
AllowOverride None
Allow from all
Order allow,deny
</Directory>
<Directory "/home/*/public_html/www">
Options Indexes Includes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
~~~~~~~~~~~~
I was very frustrated that the virtual server michael kept giving me
access denied errors. I disabled SELinux and everything worked. So I
tried fiddling away with all the HTTPD settings but couldn't get it to
work with SELinux on, including "Allow HTTPD to read home directories".
I have seen references to this on the Internet but not a cure. Which
check box am I missing?
18 years