[Bug 164992] New: Mod_proxy does not work with SElinux default policy
by Joe Orton
I wonder whether this boolean should really just be "on" by default.
----- Forwarded message from bugzilla(a)redhat.com -----
From: bugzilla(a)redhat.com
To: jorton(a)redhat.com
Date: Wed, 3 Aug 2005 08:02:27 -0400
Subject: [Bug 164992] New: Mod_proxy does not work with SElinux default policy
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=164992
Summary: Mod_proxy does not work with SElinux default policy
Product: Fedora Core
Version: fc4
Platform: i386
OS/Version: Linux
Status: NEW
Severity: low
Priority: normal
Component: httpd
AssignedTo: jorton(a)redhat.com
ReportedBy: trash_alias(a)swing.be
Estimated Hours: 0.0
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6
Description of problem:
Bad: mod_proxy fails if SELinux is enabled
[Wed Aug 03 13:52:12 2005] [debug] proxy_http.c(67): proxy: HTTP: canonicalising URL //webmail.XXX.be/exchange/
[Wed Aug 03 13:52:12 2005] [debug] mod_proxy.c(419): Trying to run scheme_handler
[Wed Aug 03 13:52:12 2005] [debug] proxy_http.c(1062): proxy: HTTP: serving URL https://webmail.XXX.be/exchange/
[Wed Aug 03 13:52:12 2005] [debug] proxy_http.c(186): proxy: HTTP connecting https://webmail.XXX.be/exchange/ to webmail.XXX.be:443
[Wed Aug 03 13:52:12 2005] [debug] proxy_util.c(1139): proxy: HTTP: fam 2 socket created to connect to webmail.XXX.be
Bad: [Wed Aug 03 13:52:12 2005] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 123.123.123.123:443 (webmail.XXX.be) failed
Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.3-9 httpd-2.0.54-10.1
How reproducible:
Always
Steps to Reproduce:
1. setenforce 1
2. access your http server configured for reverse proxying
3. fail with message: BAD gateway
4. setenforce 0
5. it works.
Expected Results: I would expect the default policy to allow proxying, and the message is not explicit; I had to search a long time to understand....
Additional info:
----- End forwarded message -----
Questions about /net and /proc
by James Z. Li
Hi all,
I have several root shell scripts which need to create directories
under /net or /proc. They are running well under Fedora Core 2.
After I upgraded to FC4 with the targeted SELinux policy, those
scripts are not running under either enforcing or permissive mode.
The error messages are like "Unable to create directories under /net or /proc".
I used "ls -Z" to check the security contexts for /net and /proc;
they both have empty security labels.
As root (root:system_r:unconfined_t), I cannot manually create
anything under those two directories.
What should I do in order to make /net and /proc writable?
Thanks,
James
Vsftpd in a chrooted environement
by Roger Grosswiler
Hi,
I run vsftpd in a chrooted environment. Since yesterday, again in
targeted mode. Logging in gives a 500 OOPS message.
According to audit.log, the following is missing:
type=AVC msg=audit(1123825815.048:14086489): avc: denied { dac_override } for pid=21576 comm="vsftpd" capability=1 scontext=system_u:system_r:ftpd_t tcontext=system_u:system_r:ftpd_t tclass=capability
I inserted in local.te the following (according to audit2allow):
allow ftpd_t self:capability { dac_override dac_read_search };
...and now it works. Can anybody check this for other security holes? Or
did I just make an error in my config now? Using the ftpd_home...-boolean
did not help, nor did ftpd_disable_trans=1 (which was not my wish).
Thanks for your reply
Roger
update from fc3 -> fc4: cyrus/sasl-errors
by Roger Grosswiler
Hi,
I recently updated from FC3 to FC4. I use this machine as a mailserver
with cyrus. The 1st problem was the database - fixed issue. Now, on
authentication, I get errors, will say, with SELinux enforcing I cannot
authenticate at all.
From the fc-list I got some help, with a few commands, that should help
better understanding. What can I do to have this box with SELinux
enforcing enabled? Ah, yes, in permissive mode it works fine.
Here is a snippet of my logs:
> [root@link ~]# ausearch -i -a 9657218
> ----
> type=PATH msg=audit(07/30/05 16:21:20.281:9657218) : item=0 flags=follow inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
> type=SOCKETCALL msg=audit(07/30/05 16:21:20.281:9657218) : nargs=3 a0=b a1=bfd308fa a2=6e
> type=SOCKADDR msg=audit(07/30/05 16:21:20.281:9657218) : saddr=local /var/run/saslauthd/mux
> type=SYSCALL msg=audit(07/30/05 16:21:20.281:9657218) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root uid=cyrus gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
> type=AVC msg=audit(07/30/05 16:21:20.281:9657218) : avc: denied { search } for pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
> [root@link ~]# ausearch -i -a 9659874
> ----
> type=PATH msg=audit(07/30/05 16:21:24.635:9659874) : item=0 flags=follow inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
> type=SOCKETCALL msg=audit(07/30/05 16:21:24.635:9659874) : nargs=3 a0=b a1=bfd308fa a2=6e
> type=SOCKADDR msg=audit(07/30/05 16:21:24.635:9659874) : saddr=local /var/run/saslauthd/mux
> type=SYSCALL msg=audit(07/30/05 16:21:24.635:9659874) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root uid=cyrus gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
> type=AVC msg=audit(07/30/05 16:21:24.635:9659874) : avc: denied { search } for pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
I hope you can help.
Thanks a lot
Roger
... is not a valid context
by Todd Merritt
I'm having trouble adding a new role to selinux on FC4. I added the
following lines to domains/user.te:
limited_user_role(ua_pw_user)
role_tty_type_change(user, ua_pw_user)
role_tty_type_change(sysadm, ua_pw_user)
and to macros/user_macros.te added
role ua_pw_user_r types $1;
to in_user_role.
and to appconfig/default_type:
ua_pw_user_r:ua_pw_user_t
and to users:
user tmerritt roles { user_r ua_pw_user_r };
Now when I try to switch to that role I get:
[tmerritt@host ~]$ id -Z
tmerritt:user_r:user_t
[tmerritt@host ~]$ newrole -r ua_pw_user_r
Authenticating tmerritt.
Password:
tmerritt:ua_pw_user_r:ua_pw_user_t is not a valid context
Am I missing something obvious?
Thanks,
Todd
vsftpd non-anonymous chrooting
by Ted Rule
Whilst using vsftpd in chroot'ed mode for non-anonymous usage, I've
found that I appear to have to add this to my SELinux strict policy:
allow ftpd_t self:capability { dac_override dac_read_search };
or possibly just this:
allow ftpd_t self:capability { dac_read_search };
Without at least the dac_read_search, an ftp login always seems to fail.
The description of these "dac" permissions on Tresys' site suggests to
me that vsftpd is being too "greedy" in requiring these permissions to
chroot successfully. Since anonymous ftp with SELinux surely works OK
without this capability (or too many other people would have
complained), does this mean that the correct fix for this is a minor
rewrite to vsftpd, rather than a change in SELinux policy?
My current ftpd/SELinux/chroot related configuration:
$ sudo grep ftp /etc/selinux/strict/booleans
ftpd_is_daemon=1
ftp_home_dir=1
$
$ sudo grep chroot /etc/vsftpd/vsftpd.conf | grep -v "^#"
chroot_list_enable=YES
passwd_chroot_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_user_list
userlist_file=/etc/vsftpd/vsftpd.chroot_user_list
$
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
Getting started with Fedora SE Linux
by Craig Burrell
Hello, all.
I have recently installed Fedora Core 3 and begun exploring the SE
Linux security model. I have a number of questions, but perhaps I'll
begin with something simple.
I have been reading Bill McCarty's book on SE Linux (O'Reilly), which
is written for Fedora Core 2. He makes frequent reference to files
(*.fc and *.te files, for instance) in the source directory
(/etc/security/selinux/src/). In my installation, however, I don't
have that directory, nor can I find elsewhere on my system any of the
files to which he refers.
Have I made an error in my installation, or is Fedora Core 3 that
different from Core 2? Where in my installation are the security
policy source files to be kept?
Thanks for your help,
Craig Burrell
cant create dirs from vsftpd
by Peter Magnusson
selinux-policy-targeted-1.25.3-9 in FC4 surely isn't perfect. Can't create
dirs when I log in over ftp:
type=CWD msg=audit(1123375603.524:11258814): cwd="/home/iocc"
type=PATH msg=audit(1123375603.524:11258814): item=0 name="mp3" flags=10 inode=5046274 dev=03:01 mode=040755 ouid=636 ogid=636 rdev=00:00
type=AVC msg=audit(1123375603.539:11258878): avc: denied { getattr } for pid=10556 comm="vsftpd" name="/" dev=0:10 ino=49161 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=SYSCALL msg=audit(1123375603.539:11258878): arch=40000003 syscall=196 success=no exit=-13 a0=9527930 a1=9523328 a2=3a3ff4 a3=797eec items=1 pid=10556 auid=636 uid=636 gid=636 euid=636 suid=636 fsuid=636 egid=636 sgid=636 fsgid=636 comm="vsftpd" exe="/usr/sbin/vsftpd"
Can't find what I should turn off in /etc/selinux/targeted/booleans to make
it work. So I need a little help. Later, I want to upload files in that dir
also.
Also, I'm not so sure that I like that I can't see a lot of dirs when I'm
logged in at the ftp.
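Several threads above (the vsftpd chroot, cyrus/saslauthd and vsftpd-on-NFS posts) paste AVC denials and feed them to audit2allow. The script below is an added example, not code from any poster, audit2allow or the Fedora policy: it extracts source type, target type, object class and permissions from both record layouts seen on this page (raw audit.log and `ausearch -i` interpreted output), folds them into audit2allow-style allow rules, and flags the DAC capability permissions so a rule like the one posted for ftpd_t gets reviewed before it goes into local.te. The sample records are constructed after the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the denials quoted on this page: raw
# audit.log layout (numeric timestamp, quoted comm) and `ausearch -i` layout.
SAMPLE_AUDIT_LINES = """
type=AVC msg=audit(1123825815.048:14086489): avc: denied { dac_override } for pid=21576 comm="vsftpd" capability=1 scontext=system_u:system_r:ftpd_t tcontext=system_u:system_r:ftpd_t tclass=capability
type=AVC msg=audit(07/30/05 16:21:20.281:9657218) : avc: denied { search } for pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
type=AVC msg=audit(1123375603.539:11258878): avc: denied { getattr } for pid=10556 comm="vsftpd" name="/" dev=0:10 ino=49161 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=SYSCALL msg=audit(1123375603.539:11258878): arch=40000003 syscall=196 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Capability permissions worth a second look before a rule goes into local.te.
RISKY_PERMS = {
    "dac_override": "bypasses all DAC read/write/execute checks; try dac_read_search alone first",
    "dac_read_search": "bypasses DAC read and search checks only",
}

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {"perms": set(m.group("perms").split()), **fields}
    # A context is user:role:type[:mls]; the type is what a policy rule names.
    rec["stype"] = fields["scontext"].split(":")[2]
    rec["ttype"] = fields["tcontext"].split(":")[2]
    return rec

def allow_rules(lines):
    """Fold denials into audit2allow-style rules, merging permissions per triple."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            # A domain acting on its own type is written "self", as in the posted rule.
            target = "self" if rec["ttype"] == rec["stype"] else rec["ttype"]
            merged[(rec["stype"], target, rec["tclass"])] |= rec["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in merged.items()]

def review(rules):
    """Attach a note to every rule that grants one of the capabilities above."""
    return [f"{rule}  # {why}" for rule in rules
            for perm, why in RISKY_PERMS.items() if f" {perm} " in rule]
```

Run `review(allow_rules(open("/var/log/audit/audit.log").read().splitlines()))` to see which generated rules carry a note; the unflagged ones still deserve the usual check that the target type is the one you meant.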