RE: Is there a SELinux tutorial for ISVs ?
by chanson@TrustedCS.com
>
> This string of messages brings up something I wanted to get a
> conversation going on how to handle non OS Provided policy.
>
> We all know we need a better mechanism for handling "binary"
> policy in
> the future. ( I think the future is now.)
> I see three people providing policy.
>
I agree, as an ISV we need a way to add custom policy to support our
applications. We currently use a processed version of the policy to have
source modules until the binary modules are part of Fedora.
> 1. OS Provider with base policy. (It would also be nice if the base
> policy got broken into several policies and only the policy
> of the running service would be loaded. If we got to this state we
> would need a new mechanism for restoring file context since
> file_context might not meet the currently loaded policy.
>
> 2. Third Party application developers. As the use of targeted policy
> has begun to take off, Third Party ISVs have started to question
> how they can play in this world.
>
Exactly, see statement above.
> I see Tresys Stuff solving the problems of both of the above.
>
> 3 Local User customization and minor policies. Currently we
> have people
Along with local user policy, there needs to be local network policy
customizations as well. This is required from an MLS perspective and I would
think it would be useful for TE network restrictions as well.
19 years
RE: selinux_socket_bind hook
by Steve Brueckner
Stephen Smalley wrote:
> On Thu, 2005-04-28 at 12:32 -0400, Steve Brueckner wrote:
>> In trying to segment networking into two domains I seem to have
>> overlooked that name_bind doesn't get enforced for ports within the
>> machine's local port range (i.e. ports assigned by the kernel). I
>> suppose I could try to hack the LSM selinux_socket_bind hook to
>> enforce name_bind for all ports; would that be possible? I'd rather
>> not, though, since I've never ventured deeper than SELinux policy,
>> and delving into the mechanism scares me. Is it possible to somehow
>> implement a boolean that would toggle whether name_bind was enforced
>> for all ports or just for ports outside the local port range?
>
> That hook is only applied for explicit bind(2) calls by applications.
> auto-binding of unbound sockets by the kernel (e.g. when sending on
> an unbound socket) will never hit that hook at all. You would need
> to modify udp_v4_get_port and tcp_v4_get_port to check permission and
> keep scanning for another available port until one is allowed. Not
> likely to make much headway upstream.
Darn. But thank you for the clarification.
- Steve Brueckner, ATC-NY
selinux_socket_bind hook
by Steve Brueckner
In trying to segment networking into two domains I seem to have overlooked
that name_bind doesn't get enforced for ports within the machine's local
port range (i.e. ports assigned by the kernel). I suppose I could try to
hack the LSM selinux_socket_bind hook to enforce name_bind for all ports;
would that be possible? I'd rather not, though, since I've never ventured
deeper than SELinux policy, and delving into the mechanism scares me. Is it
possible to somehow implement a boolean that would toggle whether name_bind
was enforced for all ports or just for ports outside the local port range?
Thanks,
- Steve Brueckner, ATC-NY
hald_t self:unix_stream_socket connectto?
by Tom London
Running targeted/permissive; today's Rawhide.
I get the following when inserting a USB device:
Apr 28 08:04:02 localhost kernel: usb 3-2: new full speed USB device
using uhci_hcd and address 4
Apr 28 08:04:02 localhost kernel: drivers/usb/class/usblp.c: usblp0:
USB Bidirectional printer dev 4 if 0 alt 1 proto 2 vid 0x03F0 pid
0x1E11
Apr 28 08:04:03 localhost kernel: audit(1114700643.013:0): avc:
denied { connectto } for path=@
/tmp/hald-local/dbus-DX2FiLUq6n scontext=system_u:system_r:hald_t
tcontext=system_u:system_r:hald_t tclass=unix_stream_socket
I get this running either permissive or enforcing.
Is
allow hald_t self:unix_stream_socket connectto;
appropriate?
tom
--
Tom London
Is there a SELinux tutorial for ISVs ?
by Davide Bolcioni
Greetings,
I was looking for directions about how an ISV would roll its own policy for
the packages it ships. A very basic and step-by-step tutorial, for tiny
minds :-)
Thank you for your consideration,
Davide Bolcioni
--
There is no place like /home.
Policy for ntp using nonstandard clock device links
by Eric Paris
Some ntp clocks like the wwvb1 which are configured with a line like
server 127.127.4.1 minpoll 3 maxpoll 4
in ntp.conf will need to talk to a "clock device" at /dev/wwvb1. In
reality the clock is connected to something like /dev/ttyS0 where ntpd
would normally have permissions. But for these types of clocks we have
to create a sym link ln -s /dev/ttyS0 /dev/wwvb1 because ntp recognizes
the clock as being at /dev/wwvb1.
We get denials like
audit(1114388976.276:0): avc: denied { read } for pid=23691
exe=/usr/sbin/ntpd name=wwvb1 dev=tmpfs ino=148116
scontext=root:system_r:ntpd_t tcontext=root:object_r:device_t
tclass=lnk_file
which can be fixed with
allow ntpd_t device_t:lnk_file read;
It might also want write permission, I'm not sure right now. I'm
looking for comments on the right way to fix this. Is adding this or
maybe rw_file_perms the way we really should go about this?
Eric
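The hald_t and ntpd posts above both quote denials in the older audit(ts:serial) AVC format and both end with a hand-written allow rule; as an added example (not code from any post in this thread), the script below parses that format, re-joins lines wrapped by the mail archive, and aggregates the denials into candidate rules of the same shape. The sample input is copied from the two posts; the generated rules are a starting point for review against what the domain should legitimately do, not policy to load as-is.

```python
import re
from collections import defaultdict

# Denials quoted in the hald_t and ntpd posts above, wrapped by the mail archive.
SAMPLE_DENIALS = """\
audit(1114700643.013:0): avc: denied { connectto } for path=@
/tmp/hald-local/dbus-DX2FiLUq6n scontext=system_u:system_r:hald_t
tcontext=system_u:system_r:hald_t tclass=unix_stream_socket
audit(1114388976.276:0): avc: denied { read } for pid=23691
exe=/usr/sbin/ntpd name=wwvb1 dev=tmpfs ino=148116
scontext=root:system_r:ntpd_t tcontext=root:object_r:device_t
tclass=lnk_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def join_wrapped(text):
    """A new record starts only at a line beginning 'audit('."""
    records = []
    for line in text.splitlines():
        if line.startswith("audit(") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_avc(record):
    """Return (perms, fields) for one denial, or None if not an AVC."""
    m = AVC_RE.search(record)
    if not m:
        return None
    return frozenset(m.group(1).split()), dict(FIELD_RE.findall(m.group(2)))

def suggest_rules(text):
    """Aggregate by (source type, target, class) into candidate allow rules."""
    wanted = defaultdict(set)
    for perms, f in filter(None, map(parse_avc, join_wrapped(text))):
        # Contexts are user:role:type[:level]; TE rules name only the type.
        stype, ttype = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
        target = "self" if stype == ttype else ttype  # hald_t -> hald_t above
        wanted[(stype, target, f["tclass"])] |= perms
    rules = []
    for (stype, target, tclass), perms in sorted(wanted.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {stype} {target}:{tclass} {p};")
    return rules
```

Running `suggest_rules(SAMPLE_DENIALS)` yields exactly the two rules proposed in the posts, and several denials for the same source/target/class collapse into one rule with a braced permission set.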
Policy files
by John Dean
I've been reading the FAQ for selinux, and it refers to policy files
under /etc/selinux/policy/scr.
Looking at the policy directory on my system, there is only one file
under there called policy.18.
I'm trying to get the squirrelmail module called change_passwd to work
but not sure how to.
Re: Home Dir labels (manifested as a failed Flash install)
by Ivan Gyurdiev
> -rw-r--r-- smearp smearp user_u:object_r:user_home_t flashplayer.xpt
> -rwxr-xr-x smearp smearp user_u:object_r:texrel_shlib_t
This is correct, but it's not done automatically, because /home is
entirely skipped when changing the contexts after a policy upgrade.
Personally, I think this is a major problem, but Daniel Walsh points out
that (1) automatic restorecon on /home presents a security risk of
mislabeled files ( like gpg keys and such in the wrong place), and (2)
automatic restorecon on /home might take a very long time.
I think if we are to introduce more fine-grained labeling of "$HOME" in
the future (which we should), this problem needs to be solved somehow.
--
Ivan Gyurdiev <ivg2(a)cornell.edu>
Cornell University
Rawhide update gone awry
by Steve Brueckner
I appear to have borked my SELinux installation. I wanted to experiment
with the new name_connect permission, which I read was available with the
latest rawhide kernel and selinux policy. So, in my first-ever attempt to
use rawhide, I enabled my /etc/yum.repos.d/fedora-devel.repo file and then
yum updated to the following:
kernel.i686 2.6.11-1.1267_FC4 installed
selinux-policy-targeted.noarch 1.23.12-4 installed
selinux-policy-targeted-sources.noarch 1.23.12-4 installed
selinux-policy-strict.noarch 1.23.12-4 installed
selinux-policy-strict-sources.noarch 1.23.12-4 installed
libselinux.i386 1.23.7-3 installed
libselinux-devel.i386 1.23.7-3 installed
libselinux-debuginfo.i386 1.23.7-3 installed
libsepol.i386 1.5.5-2 installed
policycoreutils.i386 1.23.6-1 installed
checkpolicy.i386 1.23.1-1 installed
setools.i386 2.1.0-2 installed
selinux-doc.noarch 1.19.5-1 installed
I then did a touch /.autorelabel; reboot, then after rebooting a make
reload. I'm using the targeted policy in permissive mode (things freeze up
when I setenforce 1). Policy version is 19.
I get a lot of avc denied messages on boot; enough to make me think I did
something wrong with my policy update or kernel update. Did I even go about
this the right way? Is there anything obviously wrong with the steps I
took? I'm running FC3, and I wasn't certain about updating to an FC4 kernel
but yum seemed to think it was OK so I went for it. I get the same errors
when I revert to 2.6.11-1.14_FC3.
Thanks for any ideas. My boot log is included below, with anything
non-SELinux related snipped out.
- Steve Brueckner, ATC-NY
$ dmesg
Linux version 2.6.11-1.1267_FC4 (bhcompile(a)porky.build.redhat.com) (gcc
version 4.0.0 20050423 (Red Hat 4.0.0-1)) #1 Mon Apr 25 19:22:44 EDT 2005
...
Security Framework v1.0.0 initialized
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary module capability
Capability LSM initialized as secondary
...
audit: initializing netlink socket (disabled)
audit(1114514592.659:0): initialized
...
SELinux: Registering netfilter hooks
...
security: 3 users, 6 roles, 684 types, 75 bools
security: 55 classes, 126760 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for
labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses
genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
audit(1114514601.951:0): avc: denied { use } for path=/init dev=rootfs
ino=8 scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:kernel_t tclass=fd
...
SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
...
SELinux: initialized (dev hda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 2031608k swap on /dev/VolGroup00/LogVol01. Priority:-1 extents:1
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses
genfs_contexts
...
audit(1114529038.066:0): avc: denied { read } for name=config dev=dm-0
ino=3837327 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1114529038.066:0): avc: denied { getattr } for
path=/etc/selinux/config dev=dm-0 ino=3837327
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1114529038.092:0): avc: denied { execute } for name=restorecon
dev=dm-0 ino=1802308 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:restorecon_exec_t tclass=file
audit(1114529038.092:0): avc: denied { execute_no_trans } for
path=/sbin/restorecon dev=dm-0 ino=1802308
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:restorecon_exec_t tclass=file
audit(1114529038.092:0): avc: denied { read } for path=/sbin/restorecon
dev=dm-0 ino=1802308 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:restorecon_exec_t tclass=file
audit(1114529038.093:0): avc: denied { search } for name=contexts
dev=dm-0 ino=3834258 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:default_context_t tclass=dir
audit(1114529038.093:0): avc: denied { search } for name=files dev=dm-0
ino=3834262 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:file_context_t tclass=dir
audit(1114529038.093:0): avc: denied { read } for name=file_contexts
dev=dm-0 ino=3834260 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:file_context_t tclass=file
audit(1114529038.093:0): avc: denied { getattr } for
path=/etc/selinux/targeted/contexts/files/file_contexts dev=dm-0 ino=3834260
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t
tclass=file
audit(1114529038.096:0): avc: denied { search } for name=/ dev=selinuxfs
ino=232 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:security_t tclass=dir
audit(1114529038.096:0): avc: denied { read write } for name=context
dev=selinuxfs ino=5 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:security_t tclass=file
audit(1114529038.096:0): avc: denied { check_context } for
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t
tclass=security
audit(1114529038.479:0): avc: denied { use } for path=/init dev=rootfs
ino=8 scontext=system_u:system_r:named_t tcontext=system_u:system_r:kernel_t
tclass=fd
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
audit(1114529040.947:0): avc: denied { use } for path=/init dev=rootfs
ino=8 scontext=system_u:system_r:howl_t tcontext=system_u:system_r:kernel_t
tclass=fd
audit(1114529043.069:0): avc: denied { use } for path=/init dev=rootfs
ino=8 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:kernel_t tclass=fd
...
audit(1114529047.672:0): avc: denied { read } for path=/init dev=rootfs
ino=8 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:root_t tclass=file
audit(1114529050.126:0): avc: denied { use } for path=/init dev=rootfs
ino=8 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t
tclass=fd
audit(1114529052.770:0): avc: denied { write } for name=etc
dev=dm-0 ino=3833857 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=dir
audit(1114529052.770:0): avc: denied { add_name } for name=.fstab.hal.S
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t
tclass=dir
audit(1114529052.770:0): avc: denied { create } for name=.fstab.hal.S
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1114529053.042:0): avc: denied { write } for name=media dev=dm-0
ino=8552449 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:mnt_t tclass=dir
audit(1114529053.042:0): avc: denied { remove_name } for name=cdrecorder
dev=dm-0 ino=8552450 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:mnt_t tclass=dir
audit(1114529053.042:0): avc: denied { rmdir } for name=cdrecorder
dev=dm-0 ino=8552450 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:mnt_t tclass=dir
audit(1114529053.157:0): avc: denied { write } for path=/etc/.fstab.hal.S
dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1114529053.157:0): avc: denied { remove_name } for
name=.fstab.hal.S dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=dir
audit(1114529053.157:0): avc: denied { rename } for name=.fstab.hal.S
dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1114529053.157:0): avc: denied { unlink } for name=fstab dev=dm-0
ino=3834553 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1114529053.179:0): avc: denied { write } for name=rhgb-socket
dev=ramfs ino=4929 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:ramfs_t tclass=sock_file
audit(1114529053.179:0): avc: denied { connectto } for
path=/etc/rhgb/temp/rhgb-socket scontext=system_u:system_r:init_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
audit(1114529053.577:0): avc: denied { getattr } for
path=/dev/VolGroup00/LogVol00 dev=tmpfs ino=5807
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:device_t
tclass=lnk_file
audit(1114529053.653:0): avc: denied { add_name } for name=cdrecorder
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t
tclass=dir
audit(1114529053.654:0): avc: denied { create } for name=cdrecorder
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t
tclass=dir
audit(1114529053.674:0): avc: denied { getattr } for
path=/dev/mapper/VolGroup00-LogVol00 dev=tmpfs ino=1128
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:device_t
tclass=blk_file
audit(1114529053.674:0): avc: denied { getattr } for path=/dev/pts
dev=devpts ino=1 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:devpts_t tclass=dir
...
audit(1114529081.451:0): avc: denied { getattr } for path=/dev/pts
dev=devpts ino=1 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:devpts_t tclass=dir
proper samba labeling
by Farkas Levente
hi,
we just upgraded some of our servers to a selinux enabled kernel. but the
data files are on a raid array which we just remounted. this samba server's
files are also on that array and they are not labeled at all. what is
the right labeling for samba shares? I looked through the policy source files
but I can't find any proper type for samba. or is it the right way to not
label samba files at all?
yours.
--
Levente "Si vis pacem para bellum!"