List of operations
by Göran Uddeborg
Maybe this is a FAQ, but I haven't found it answered in any of the
FAQs I've looked through:
Is there some kind of documentation list over the available classes
and operations (permissions)?
Other concepts, like types and roles are defined in the policy, with
some luck together with a comment. In some cases there are even
manual pages, like httpd_selinux.
But the list of available classes and operations must be defined by
the kernel module if I understand things correctly. I could extract a
list from the flask/access_vectors file. But I would have liked
something with a sentence or so of explanation. Some names may be
self-explanatory, but many are not obvious. I'm imagining some kind
of list like the appendices of the O'Reilly book, but updated for the
current version. Does such a list exist somewhere? Or is it just in
my imagination? :-)
16 years, 7 months
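Added example, not part of the original post: the classes and permissions the poster is asking about are declared in the kernel's flask/access_vectors file, whose syntax is simple enough to parse directly. The Python below reads that syntax (comments, "common" permission sets, classes that "inherits" a common set, classes with or without their own brace block) and expands each class to its full permission list in declaration order. That order matters: the kernel assigns each permission of a class one bit of a 32-bit access vector, common permissions first, which is what an AVC's raw av field encodes. The input is a constructed excerpt in that syntax, not the real file, and the function names are this example's own.

```python
"""Parse SELinux flask/access_vectors syntax into {class: [permissions]}."""
import re
from typing import Dict, List

# Constructed excerpt in the access_vectors syntax (abridged; not the real file).
SAMPLE_ACCESS_VECTORS = """
# Define common prefixes for access vectors
common file
{
    ioctl read write create getattr setattr lock relabelfrom relabelto
    append unlink link rename execute swapon quotaon mounton
}

common socket
{
    ioctl read write bind connect listen accept
}

class file
inherits file
{
    execute_no_trans entrypoint execmod
}

class dir
inherits file
{
    add_name remove_name reparent search rmdir
}

class key_socket
inherits socket

class process
{
    fork transition sigchld execmem execstack
}
"""

MAX_PERMS_PER_CLASS = 32  # an access vector is a u32 bitmask


def tokenize(text: str) -> List[str]:
    """Drop '#' comments, then split into words and brace tokens."""
    no_comments = re.sub(r"#.*", "", text)
    return re.findall(r"[{}]|[^\s{}]+", no_comments)


def parse_access_vectors(text: str) -> Dict[str, List[str]]:
    """Return every class with its inherited common perms followed by its own."""
    tokens = tokenize(text)
    commons: Dict[str, List[str]] = {}
    classes: Dict[str, List[str]] = {}

    def read_block(pos: int):
        # tokens[pos] must be '{'; collect names up to the matching '}'.
        if tokens[pos] != "{":
            raise ValueError(f"expected '{{' at token {pos}, got {tokens[pos]!r}")
        perms: List[str] = []
        pos += 1
        while tokens[pos] != "}":
            perms.append(tokens[pos])
            pos += 1
        return perms, pos + 1

    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "common":
            name = tokens[i + 1]
            perms, i = read_block(i + 2)
            commons[name] = perms
        elif tok == "class":
            name = tokens[i + 1]
            i += 2
            inherited: List[str] = []
            if i < len(tokens) and tokens[i] == "inherits":
                inherited = list(commons[tokens[i + 1]])  # KeyError if undeclared
                i += 2
            own: List[str] = []
            if i < len(tokens) and tokens[i] == "{":
                own, i = read_block(i)
            full = inherited + own
            if len(full) > MAX_PERMS_PER_CLASS:
                raise ValueError(f"class {name} declares {len(full)} perms (> 32)")
            classes[name] = full
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return classes


def perm_bit(classes: Dict[str, List[str]], tclass: str, perm: str) -> int:
    """Access-vector bit for perm in tclass: bit n for the n-th declared permission."""
    return 1 << classes[tclass].index(perm)


def format_report(classes: Dict[str, List[str]]) -> str:
    """One line per class: name, count, and the ordered permission list."""
    return "\n".join(f"{c} ({len(p)}): {' '.join(p)}" for c, p in classes.items())


if __name__ == "__main__":
    print(format_report(parse_access_vectors(SAMPLE_ACCESS_VECTORS)))
```

Run it against the real security/selinux/flask/access_vectors of the kernel in use to get the current class list; the one-sentence explanations the poster wants still have to come from the policy sources or the kernel hooks, since the file carries names only.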
Curious Behavior doing routine redirection of ping output to file...
by selinux.funchords@spameater.org
I'm not exactly a "newbie," but I'm diving a lot deeper than
I ever have. This one has me a little wrapped around the axle, and
if someone could help clear the fog, I'd appreciate it.
The short version:
I'm trying to redirect the output of ping to a file. I get a 0
byte file as a result.
Where I am now:
When selinux is permissive, it works as I expect it to.
When this started, I had no idea that selinux was running or even what
it was, exactly (I've been running this system for about two weeks).
I've learned a lot since then. But I haven't figured out how to do
anything other than flip bits on existing boolean rules and change
the sestatus mode. For example, how do I fix the above problem?
Current version: 2.6.14-1.1653_FC4 with selinux in targeted/enforced.
When this began, I posted a message to www.fedoraforum.org
( http://www.fedoraforum.org/forum/showthread.php?t=88238 )
with the title, "BASH: How to redirect ping output to file?"
Later, I found this in /var/log/audit/audit.log ...
type=AVC msg=audit(1134599953.748:32): avc: denied { write } for
pid=5503 comm="ping" name="pingoutput2" dev=dm-0 ino=916895
scontext=root:system_r:ping_t tcontext=root:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1134599953.748:32): arch=40000003 syscall=11
success=yes exit=0 a0=8d64360 a1=8d56400 a2=8d51520 a3=1 items=2
pid=5503 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="ping" exe="/bin/ping"
type=AVC_PATH msg=audit(1134599953.748:32): path="/root/pingoutput2"
type=CWD msg=audit(1134599953.748:32): cwd="/root"
type=PATH msg=audit(1134599953.748:32): item=0 name="/bin/ping"
flags=101 inode=5499653 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1134599953.748:32): item=1 flags=101 inode=5892482
dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
... and I discovered the commands audit2why and audit2allow; the
audit2allow man page has this example ...
$ cd /etc/selinux/$(SELINUXTYPE)/src/policy
$ /usr/bin/audit2allow -i < /var/log/audit/audit.log >>
domains/misc/local.te <review domains/misc/local.te and customize as
desired>
$ make load
... and that's where my zero-byte stack blows.
I have no src directory under /etc/selinux/targeted, nor do I have
anything at all on my system named domains. Still, I tried to follow
the advice by mkdir'ing the necessary directories and creating a
local.te file with the recommended "allow ping_t user_home_t:file write;"
line in it.
Then I typed 'make load' and I really think I actually heard something
laugh at me.
This is the way I learn best, and this isn't anything more than a
curiosity to me. But from what I've told you so far, can you point
me into the right direction?
I did search the archive for this list, as well as the FC3 (which
also seemed to point to these directories that I don't have).
Thanks!
Robb Topolski
robb(at)funchords(dot)com
http://www.funchords.com
17 years, 3 months
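Added example, not from the original post or from the audit2allow tool itself: the step the poster is stuck on is the one audit2allow automates, turning the AVC record above into an allow rule. The Python below does that in miniature. It extracts the source type, target type, class and permissions from AVC records, merges repeated denials of the same (source, target, class) triple, and emits one allow rule each, ignoring "granted" records. The regex accepts the raw audit.log form shown above, the interpreted form that ausearch -i prints, and the kernel-syslog form; the sample input is constructed from records in that style (the ping denial is the one in the post, rejoined onto a single line).

```python
"""Minimal audit2allow: AVC denial records -> SELinux allow rules."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: one raw audit.log record, one ausearch -i style record,
# one kernel-syslog "granted" record, and one non-AVC line that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1134599953.748:32): arch=40000003 syscall=11 success=yes exit=0 comm="ping" exe="/bin/ping"
type=AVC msg=audit(1134599953.748:32): avc: denied { write } for pid=5503 comm="ping" name="pingoutput2" dev=dm-0 ino=916895 scontext=root:system_r:ping_t tcontext=root:object_r:user_home_t tclass=file
type=AVC msg=audit(12/29/2005 08:26:52.659:120) : avc: denied { read } for pid=2472 comm=load_policy name=mtab dev=hda7 ino=11403372 scontext=root:system_r:load_policy_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Dec 23 15:24:19 workstation kernel: audit(1135351459.515:529): avc: granted { create } for pid=6022 comm="firefox-bin" name="jpsock.150_06.6022" scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<rest>.*?)scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="?([^"\s]+)"?')  # comm="ping" or comm=ping


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type (the third field; MLS range may follow)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(lines: Iterable[str]) -> List[dict]:
    """Return one dict per AVC record; lines without an AVC body are skipped."""
    records = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = COMM_RE.search(m.group("rest"))
        records.append({
            "verdict": m.group("verdict"),
            "perms": m.group("perms").split(),
            "comm": comm.group(1) if comm else None,
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return records


def generate_allow_rules(records: Iterable[dict]) -> List[str]:
    """Merge denials per (source, target, class) and render allow rules."""
    merged: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue  # "granted" records are auditallow noise, not missing rules
        merged[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        ordered = sorted(perms)
        body = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    for rule in generate_allow_rules(parse_avc(SAMPLE_AUDIT_LOG.splitlines())):
        print(rule)
```

Treat the output as a starting point, exactly as the man page's "review and customize as desired" says: a generated rule grants the source domain that access to every object of the target type, so check whether the real fix is a narrower rule, a boolean, or a different label on the file. On a modular-policy system the rules go into a .te file with a module declaration and are built with checkmodule -M -m, packaged with semodule_package, and loaded with semodule -i; the make load step from the man page belongs to the older policy-sources layout.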
reiser4 +selinux
by Justin Conover
Does anyone know if reiser4 has the XATTRs added to handle selinux now?
17 years, 5 months
Selinux warning?
by Tom Diehl
Hi all,
I have an EL4 box that every time I do su - vmail I get the following warnings
in the log:
Dec 31 12:25:22 roger su(pam_unix)[2055]: session opened for user vmail by root(uid=0)
Dec 31 12:25:22 roger su[2055]: Warning! Could not relabel /dev/pts/3 with user_u:object_r:initrc_devpts_t, not relabeling.Operation not permitted
This started after I changed the UID in /etc/passwd and the gid in /etc/group.
(roger pts4) # ll -Z /dev/pts/3
crw------- root tty root:object_r:initrc_devpts_t /dev/pts/3
(roger pts4) #
Is there something that needs to be done for selinux when I change a u/gid??
Regards,
Tom Diehl tdiehl(a)rogueind.com Spamtrap address mtd123(a)rogueind.com
17 years, 5 months
selinux kills SM
by Nicolas Mailhot
Hi,
I don't really have the time to do a proper bug report, but today's
selinux update in rawhide killed squirrelmail+dovecot.
Regards,
--
Nicolas Mailhot
17 years, 5 months
selinux policy upgrade avcs
by Steve G
Hi,
When yum updates my rawhide policy, I get these avcs:
type=PATH msg=audit(12/29/2005 08:26:52.659:120) : item=0 name=/etc/mtab
inode=11403372 dev=03:07 mode=file,644 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:etc_runtime_t:s0
type=CWD msg=audit(12/29/2005 08:26:52.659:120) : cwd=/
type=SYSCALL msg=audit(12/29/2005 08:26:52.659:120) : arch=x86_64 syscall=open
success=no exit=-13(Permission denied) a0=3446313756 a1=0 a2=1b6 a3=0 items=1
pid=2472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=tty1 comm=load_policy exe=/usr/sbin/load_policy
subj=root:system_r:load_policy_t:s0-s0:c0.c255
type=AVC msg=audit(12/29/2005 08:26:52.659:120) : avc: denied { read } for
pid=2472 comm=load_policy name=mtab dev=hda7 ino=11403372
scontext=root:system_r:load_policy_t:s0-s0:c0.c255
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
-Steve
17 years, 5 months
logwatch/pidof avcs
by Steve G
Hi,
I'm using today's rawhide and see these scroll occasionally:
type=PATH msg=audit(12/28/2005 09:47:17.210:107) : item=0 name=/proc/2675/stat
inode=175308814 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00
obj=system_u:system_r:local_login_t:s0-s0:c0.c255
type=CWD msg=audit(12/28/2005 09:47:17.210:107) : cwd=/
type=SYSCALL msg=audit(12/28/2005 09:47:17.210:107) : arch=x86_64 syscall=open
success=no exit=-13(Permission denied) a0=7fffffbaa110 a1=0 a2=1b6 a3=0 items=1
pid=3204 auid=unknown(4294967295) uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root comm=pidof exe=/sbin/killall5
subj=system_u:system_r:crond_t:s0
type=AVC msg=audit(12/28/2005 09:47:17.210:107) : avc: denied { read } for
pid=3204 comm=pidof name=stat dev=proc ino=175308814
scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c255 tclass=file
This occurs for a number of /proc/pid/stat entries. It appears to be coming from
logwatch.
-Steve
17 years, 5 months
logwatch 7 breakage
by Ted Rule
Version 7 of logwatch includes a major restructure of its directory
layout compared to version 6.
For SELinux enforcing machines, there are 2 problems; scripts have moved
from /etc/log.d/scripts to /usr/share/logwatch/scripts, and temporary
file creation has moved to /var/cache/logwatch.
It seems that version 6 worked by dint of Cron already having sufficient
SELinux permissions to /etc and /tmp; logwatch has no domain of its own.
I've added a couple of tweaks to my local strict policy as shown below,
which seem to cover off its requirements for both Cron'ed and Manual
invocations.
TE ....
# Allow Cron and Sudo invocations of logwatch to create temporary files
type logwatch_tmp_t, file_type, sysadmfile, tmpfile;
allow system_crond_t logwatch_tmp_t:file create_file_perms;
allow system_crond_t logwatch_tmp_t:dir create_dir_perms;
allow sysadm_t logwatch_tmp_t:file create_file_perms;
allow sysadm_t logwatch_tmp_t:dir create_dir_perms;
FC ....
# Executable scripts belonging to the logwatch package outside of /usr/sbin
/usr/share/logwatch/scripts/logwatch.pl -- system_u:object_r:sbin_t
# Logwatch version 7 temporary spool area
/var/cache/logwatch(/.*)? system_u:object_r:logwatch_tmp_t
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
17 years, 5 months
Sun Java browser plugin fixup
by Ted Rule
SELinux strict policy:
selinux-policy-strict-sources-1.27.1-2.16
has a problem with the Sun Java Plugin to Firefox in this RPM:
jre-1.5.0_06-fcs.i586.rpm
I'm reasonably sure that the SELinux policy used to work with the Sun
Java 1.4.2 plugin. As best I can judge, an earlier SELinux policy
upgrade broke the functionality; the issue only came to light when I
upgraded and tested the later Java 1.5 RPM on my workstation. FWIW, Java
1.4.2 also breaks without the fixup.
As best I can judge, no extra tweaks of boolean settings - with the
possible exception of disable_mozilla_trans itself - provide an
alternative fixup.
My current boolean settings which appear to be Browser/Java relevant:
[root@workstation policy]# getsebool -a | egrep 'content|mozilla|java|exec' | grep -v httpd
allow_execmem --> active
allow_execmod --> active
allow_execstack --> inactive
allow_java_execstack --> inactive
allow_mplayer_execstack --> inactive
cdrecord_read_content --> active
disable_mozilla_trans --> inactive
mail_read_content --> active
mozilla_read_content --> inactive
read_untrusted_content --> active
write_untrusted_content --> active
[root@workstation policy]#
Using the test page at "http://javatester.org", I've tweaked my SELinux
policy to stop Firefox crashing when SELinux is enforcing.
The fixup below allows the Firefox process itself to create this socket:
/tmp/jpsock.150_06.<pidno>
and then let the Java VM process talk to it:
[root@workstation misc]# tail -20 localpolicy.te
...
# Java Socket problem fixup
type_transition user_mozilla_t tmp_t:sock_file user_untrusted_content_tmp_t;
allow user_mozilla_t { user_untrusted_content_tmp_t }:sock_file { read setattr getattr write unlink create };
auditallow user_mozilla_t { user_untrusted_content_tmp_t }:sock_file { read setattr getattr write unlink create };
allow user_mozilla_javaplugin_t { user_untrusted_content_tmp_t }:sock_file { read getattr write };
auditallow user_mozilla_javaplugin_t { user_untrusted_content_tmp_t }:sock_file { read getattr write };
....
Presumably a more complete macro fix would change either mozilla_domain
itself:
define(`mozilla_domain',
...
######### Java plugin
ifdef(`java.te', `
type_transition $1_mozilla_t tmp_t:sock_file $1_untrusted_content_tmp_t;
allow $1_mozilla_t { $1_untrusted_content_tmp_t }:sock_file
{ create getattr setattr read write unlink };
allow $1_mozilla_javaplugin_t { $1_untrusted_content_tmp_t }:sock_file
{ getattr read write };
javaplugin_domain($1_mozilla, $1)
') dnl java.te
...
or the javaplugin_domain macro itself with:
define(`javaplugin_domain',`
...
type_transition $1_t tmp_t:sock_file $2_untrusted_content_tmp_t;
allow $1_t { $2_untrusted_content_tmp_t }:sock_file
{ create getattr setattr read write unlink };
allow $1_javaplugin_t { $2_untrusted_content_tmp_t }:sock_file
{ getattr read write };
...
Ted
Firefox startup and Java related messages:
Dec 23 15:24:19 workstation kernel: audit(1135351459.515:529): avc:
granted { create } for pid=6022 comm="firefox-bin"
name="jpsock.150_06.6022" scontext=user_u:user_r:user_mozilla_t
tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
Dec 23 15:24:19 workstation kernel: audit(1135351459.515:530): avc:
granted { setattr } for pid=6022 comm="firefox-bin"
name="jpsock.150_06.6022" dev=hda10 ino=33
scontext=user_u:user_r:user_mozilla_t
tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
Dec 23 15:24:19 workstation kernel: audit(1135351459.551:531): avc:
denied { execute } for pid=6042 comm="java_vm" name="classes.jsa"
dev=hda6 ino=652990 scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=root:object_r:lib_t tclass=file
Dec 23 15:24:20 workstation kernel: audit(1135351460.007:532): avc:
denied { search } for pid=6042 comm="java_vm" name=".icons" dev=hda8
ino=323381 scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=user_u:object_r:user_home_t tclass=dir
Dec 23 15:24:20 workstation kernel: audit(1135351460.007:533): avc:
denied { search } for pid=6042 comm="java_vm" name=".icons" dev=hda8
ino=323381 scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=user_u:object_r:user_home_t tclass=dir
Dec 23 15:24:20 workstation kernel: audit(1135351460.483:534): avc:
granted { execmem } for pid=6022 comm="firefox-bin"
scontext=user_u:user_r:user_mozilla_t
tcontext=user_u:user_r:user_mozilla_t tclass=process
Dec 23 15:24:20 workstation kernel: audit(1135351460.487:535): avc:
granted { write } for pid=6042 comm="java_vm"
name="jpsock.150_06.6022" dev=hda10 ino=33
scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=user_u:object_r:user_untrusted_content_tmp_t tclass=sock_file
Dec 23 15:24:20 workstation kernel: audit(1135351460.655:536): avc:
denied { search } for pid=6042 comm="java_vm" name=".icons" dev=hda8
ino=323381 scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=user_u:object_r:user_home_t tclass=dir
Dec 23 15:24:20 workstation kernel: audit(1135351460.655:537): avc:
denied { search } for pid=6042 comm="java_vm" name=".icons" dev=hda8
ino=323381 scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=user_u:object_r:user_home_t tclass=dir
Dec 23 15:24:23 workstation kernel: audit(1135351463.767:538): avc:
denied { listen } for pid=6064 comm="java_vm"
scontext=user_u:user_r:user_mozilla_javaplugin_t
tcontext=user_u:user_r:user_mozilla_javaplugin_t tclass=tcp_socket
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
17 years, 5 months