allow execmod and execmem for self debugging process [targeted]
by John Reiser
A self-debugging process wants arbitrary mmap() and mprotect() on itself,
but gets EACCES with "avc: denied { execmod }" when it tries.
What needs to be done to allow this? There are three cases:
a) well-known named filesystem path as most-recent execve()
b) process with "self-debug" as leaf name of most-recent execve()
c) any execve() of a file with some assignable attribute [context]
Using selinux-policy-targeted-1.23.16-6 enforcing under Fedora Core 4
kernel-2.6.11-1.1369_FC4, I see complaints such as
----
type=AVC_PATH msg=audit(1119151560.280:466428): \
path="/path/to/self-debugger/shared-library"
type=SYSCALL msg=audit(1119151560.280:466428): arch=40000003 syscall=125 per=400000 \
success=no exit=-13 a0=3000 a1=1000 a2=5 a3=0 items=0 pid=2701 auid=4294967295 \
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 \
comm="self-debug" exe="/path/to/self-debugger/self-debug"
type=AVC msg=audit(1119151560.280:466428): avc: denied { execmod } for pid=2701 \
comm="self-debug" name=shared-library dev=hda7 ino=4104583 \
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:file_t tclass=file
----
Booting the kernel with "enforcing=0" allows the mprotect() to succeed;
auditd.log still shows similar messages, except with "success=yes exit=0".
I'd like to retain the safeguards of the targeted enforcing policy,
but allow "known cases" the capabilities that they need.
[Yes, this is a technique that malware may try to exploit.
"Bonware" deserves the chance to exploit it, too.]
/etc/selinux/targeted/booleans has
-----
allow_execmod=1
allow_execmem=1
-----
Shouldn't these two values have allowed any mprotect?
The self-debugger wants to re-write PROT_EXEC + MAP_PRIVATE pages
of itself and other files that have been mmap()ed into the same process.
Code in a .a archive library such as http://BitWagon.com/tub/tub.html
gives an application more control over its address space by "hooking"
all mmap(), etc. Complicated watchpoints run thousands of times faster
in contrast to requiring ptrace() by a second process [gdb], etc.
--
17 years, 9 months
Re: not installing SELinux with Fedora
by stewartetcie@canada.com
On 6/9/05, I <stewartetcie(a)canada.com> wrote:
Users of Fedora Core 4 want to know, how do we not,
repeat not, install SELinux?
Steve Grubb <linux_4ever(a)yahoo.com> replied:
>Why would you want to do that? Its better to fix
>problems than avoid them.
>SE Linux has to be installed. libselinux is linked to
>many apps and the KERNEL is compiled with support for
>SE Linux. You can disable it, but you have to install
>it.
Chris Bell <christofer.c.bell(a)gmail.com> replied:
>Since you're already familiar how to disable SELinux,
>the short answer to your question is, "you can't."
Please allow me to reply to these responses.
Steve, take a look at "sHype: Secure Hypervisor
Approach to Trusted Virtualized Systems" an IBM
research report published on February 2, 2005. On page
6, the authors say:
"Mandatory access control has been designed and
implemented for the Linux operating system (cf. SELinux
[1]). However, controlling access of processes to
kernel data structures has led to an extremely complex
security policy. Therefore, SELinux does not enforce
strong isolation properties equivalent to those offered
when running applications on separate hardware
platforms. Operating system security controls such as
those offered by SELinux are more appropriate for
enforcing mandatory access control among a set of
closely cooperating applications, which naturally share
a hardware platform. In a hypervisor system, there are
few resources shared on the virtualization level. This
results in simple security policies when compared to
those for operating system controls."
The point is that SELinux is: (1) so complex as to be
unmanageable; (2) inappropriate for all cases,
virtualization being a case in point. By the way, sHype
is available as a patch for Xen, which is distributed
with Fedora Core 4.
On a more general note Steve, take a look at Ken
Thompson's 1984 ACM Turing Award lecture, "Reflections
on Trusting Trust" wherein the author of the UNIX
operating system illustrates why you shouldn't trust
sneaky folks like him. By extension, I'm a little
suspicious of the NSA's motives in distributing a
system for mandatory access control that is needlessly
complex and, essentially, unmanageable at a time when
snort and tripwire, for example, are widely available
and a stateful firewall is built into the Linux kernel.
Chris and Steve, you're absolutely correct. Fedora is
the only widely used Linux distribution to incorporate
SELinux in such a manner that it cannot be removed. If
it's so important, how come everybody else can get along
without it? Perhaps we might consider an alternative
Fedora Core 4 distro that is free of this one-stop
security panacea?
Yours truly,
STEWART & CIE.
Steve Stewart
17 years, 9 months
Problem building new rpm's for FC4...
by Tom Lisjac
I've been using the checkinstall utility
(http://asic-linux.com.mx/~izto/checkinstall/) to build RPM's from
source packages since RH9. It's been recently fixed to work with a few
changes in FC4... but there is a lingering SELinux issue that I'm
hoping someone here can shed some light on.
After building a few RPM's, I noticed these two lines in the file
lists of the RPM's I generated:
/selinux
/selinux/context
This causes the following error during the RPM install:
root@fc4-builder:~ # rpm -i /usr/src/redhat/RPMS/i386/fwlogwatch-1.0-1.i386.rpm
error: unpacking of archive failed on file /selinux/context;42b5e311:
cpio: open failed - Permission denied
Does anyone know why selinux/context has been inserted into the file list? Is
this a new thing that's been added to rpmbuild in FC4?
Best regards,
-Tom
17 years, 9 months
Re: having trouble getting dhcpd started
by Jon August
Ah ha! So it is SELinux. How do I tell SELinux to let this happen?
(major SELinux newbie)
Thanks!
type=AVC msg=audit(1119209957.460:1957770): avc: denied
{ name_bind } for pid=3636 comm="dhcpd" src=67
scontext=root:system_r:dhcpd_t
tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
type=SYSCALL msg=audit(1119209957.460:1957770): arch=c000003e
syscall=49 success=no exit=-13 a0=6 a1=7ffffff31010 a2=10
a3=7ffffff3102c items=0 pid=3636 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
On Jun 19, 2005, at 3:59 PM, Ivan Gyurdiev wrote:
> On Sun, 2005-06-19 at 15:53 -0400, Jon August wrote:
>
>> Hi there,
>>
>> I just installed FC4 and I'm trying to get DHCP started, so I pulled
>> my dhcpd.conf from the machine we're moving it from, and checked to
>> see if any of the syntax had changed. All looks good, but when I try
>> to start dhcpd I get the following.
>>
>> Is SELinux preventing dhcp from binding to the port? I don't see any
>> audit messages in /var/log/messages.
>>
>
> What about /var/log/audit.log ?
> Is audit running?
>
> You can run SELinux in permissive mode to check.
> (/usr/sbin/setenforce 0;
> /etc/init.d/dhcpd restart;
> /usr/sbin/setenforce 1;)
>
>
>
17 years, 9 months
selinux & external hd permissions.
by Justin Conover
Currently I have a server with a raid 5 for my wife's photography
backups and some other stuff I keep. I want to get an external hd
like a LaCie 500GB firewire/usb for backup of that file system for
extra safety.
Question is, if that server is running SELinux on CentOS 4.0 and I
back stuff up to that external drive, will other boxes be able to read
that external drive? In the chance that hardware fails and I need to
be able to look at that data on another box?
Or, would it just be better to format the external with fat32 or
something my wife can use her box to pull the data off?
17 years, 9 months
httpd fails to start with latest policy
by Bob Kashani
httpd fails to start with the latest FC3 policy.
selinux-policy-targeted-1.17.30-3.9
Here is the AVC message:
Jun 17 10:04:48 sorcerer kernel: audit(1119027888.944:0): avc: denied
{ name_bind } for pid=3265 exe=/usr/sbin/httpd src=2121
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t
tclass=tcp_socket
Jun 17 10:04:48 sorcerer httpd: (13)Permission denied: make_sock: could
not bind to address [::]:2121
Jun 17 10:04:48 sorcerer httpd: no listening sockets available, shutting
down
Jun 17 10:04:48 sorcerer httpd: Unable to open logs
Jun 17 10:04:48 sorcerer httpd: httpd startup failed
I normally use port 80 and 2121. How do I fix this?
Bob
--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
17 years, 9 months
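Three of the posts above (the execmod denial, the dhcpd name_bind denial and the httpd name_bind denial) quote AVC records in two layouts: the auditd `type=AVC msg=audit(...)` form and the older syslog `kernel: audit(...)` form. The following added example, written for this page and not taken from any of the posters, parses both layouts and collapses the denials by source type, target type and object class, which is the same grouping audit2allow performs before it prints allow rules; the sample lines are constructed from the records quoted above, and the rendered rules are a triage summary, not necessarily the right fix (a port label or a boolean may be what is actually needed).

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the denials quoted in the posts above
# (auditd records and a syslog-style kernel record, with line wrapping removed).
SAMPLE_LOG = """\
type=AVC msg=audit(1119151560.280:466428): avc: denied { execmod } for pid=2701 comm="self-debug" name=shared-library dev=hda7 ino=4104583 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:file_t tclass=file
type=AVC msg=audit(1119209957.460:1957770): avc: denied { name_bind } for pid=3636 comm="dhcpd" src=67 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 17 10:04:48 sorcerer kernel: audit(1119027888.944:0): avc: denied { name_bind } for pid=3265 exe=/usr/sbin/httpd src=2121 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Jun 17 10:04:49 sorcerer kernel: audit(1119027889.001:0): avc: denied { name_bind } for pid=3265 exe=/usr/sbin/httpd src=2121 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
"""

# "avc: denied { perm ... } for key=value ..." is common to both record layouts.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one denial line, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))})
    # The type is the third field of a user:role:type context; tolerate a missing context.
    for ctx, key in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = rec.get(ctx, "").split(":")
        rec[key] = parts[2] if len(parts) > 2 else None
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class) and merge their permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["stype"] and rec["ttype"] and rec.get("tclass"):
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

def as_rules(summary):
    """Render the summary in allow-rule form (the shape audit2allow prints) for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in as_rules(summarize(SAMPLE_LOG)):
        print(rule)
```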
Module compilation issues in Fedora Core 3
by Narayan Krishnamurthy
Hi all,
I ran make modules from the Linux--- directory and after some time I got the following error.
drivers/scsi/qla2xxx/qla_os.c: In function `qla2x00_queuecommand':
drivers/scsi/qla2xxx/qla_os.c:315: sorry,
unimplemented: inlining failed in call to 'qla2x00_callback': function not considered for inlining
drivers/scsi/qla2xxx/qla_os.c:269: sorry,
unimplemented: called from here
drivers/scsi/qla2xxx/qla_os.c:315: sorry,
unimplemented: inlining failed in call to 'qla2x00_callback': function not considered for inlining
drivers/scsi/qla2xxx/qla_os.c:269: sorry,
unimplemented: called from here
make[3]: *** [drivers/scsi/qla2xxx/qla_os.o] Error 1
make[2]: *** [drivers/scsi/qla2xxx] Error 2
make[1]: *** [drivers/scsi] Error 2
Anybody know how to handle this error? I am using the native compiler which came with Fedora Core 3 (gcc ver 3.4.2)
Thanks for any help
-Narayan
17 years, 9 months
How to build modules
by Narayan Krishnamurthy
Hi,
I just installed Fedora Core 3 on my desktop which is a Dell Dimension XPS T450.
Pentium III 450 MHz.
How do I build modules? viz. USB modules?
Any detailed assistance would be appreciated
-regards
Narayan
17 years, 9 months
not installing SELinux with Fedora
by stewartetcie@canada.com
Hi folks,
Controlling SELinux, Fedora Core 3 SELinux FAQ at
http://fedora.redhat.com/docs/selinux-faq-fc3/
says:
"Q: How do I install/not install SELinux?"
"A: The installer handles this based on the choice
you make in the Firewall Configuration screen. The
default running policy is the targeted policy, and
it is on by default."
Doesn't this beg the question? In fact, doesn't the
Firewall Configuration screen merely determine whether
SELinux is enabled/disabled?
Users of Fedora Core 4 want to know, how do we not,
repeat not, install SELinux?
Yours truly
STEWART & CIE.
Steve Stewart
17 years, 9 months