List of operations
by Göran Uddeborg
Maybe this is a FAQ, but I haven't found it answered in any of the
FAQs I've looked through:
Is there some kind of documentation list over the available classes
and operations (permissions)?
Other concepts, like types and roles are defined in the policy, with
some luck together with a comment. In some cases there are even
manual pages, like httpd_selinux.
But the list of available classes and operations must be defined by
the kernel module if I understand things correctly. I could extract a
list from the flask/access_vectors file. But I would have liked
something with a sentence or so of explanation. Some names may be
self-explanatory, but many are not obvious. I'm imagining some kind
of list like the appendices of the O'Reilly book, but updated for the
current version. Does such a list exist somewhere? Or is it just in
my imagination? :-)
17 years, 5 months
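The flask/access_vectors file mentioned above has a small, regular grammar (common blocks, class blocks, and classes that inherit a common), so a class-to-permissions list can be generated from it; what the file does not carry is any explanation per permission, which is what the question is really after. This is an added example, not code from the post or from the policy sources; the excerpt it parses is constructed in that format:

```python
import re

# Constructed excerpt in the flask/access_vectors format, not the real file.
ACCESS_VECTORS = """
# commons are permission sets shared by several classes
common file
{
    ioctl
    read
    write
    getattr
}

class file inherits file { execute_no_trans entrypoint }
class dir inherits file { add_name remove_name search }
class fd { use }
"""

def parse_access_vectors(text):
    """Return {class_name: [permissions]} with inherited common perms expanded."""
    stripped = re.sub(r"#.*", "", text)                # drop comments
    tokens = re.findall(r"\{|\}|[^\s{}]+", stripped)  # braces become their own tokens
    commons, classes = {}, {}
    i = 0
    while i < len(tokens):
        kw = tokens[i]
        if kw not in ("common", "class"):
            raise ValueError(f"unexpected token {kw!r}")
        name = tokens[i + 1]
        i += 2
        perms = []
        if kw == "class" and i < len(tokens) and tokens[i] == "inherits":
            perms.extend(commons[tokens[i + 1]])  # KeyError if the common is undefined
            i += 2
        if i < len(tokens) and tokens[i] == "{":  # the brace block is optional for classes
            close = tokens.index("}", i)
            perms.extend(tokens[i + 1:close])
            i = close + 1
        (commons if kw == "common" else classes)[name] = perms
    return classes

if __name__ == "__main__":
    for cls, perms in parse_access_vectors(ACCESS_VECTORS).items():
        print(f"{cls}: {' '.join(perms)}")
```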
1105 fails to boot....
by Tom London
Running strict/enforcing, latest rawhide:
After installing latest packages, relabeling /etc, /bin, /lib, ....
and rebooting, the system produces lots of udev type errors
(cannot remove /dev/.udev_tdb/classSTUFF) and hangs
on 'adding hardware'
Boots (with messages) in permissive mode.
Here are the 'early' AVCs:
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied { read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292233.809:0): avc: denied { read } for pid=576 exe=/sbin/restorecon path=/init dev=rootfs ino=17 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied { read } for pid=576 exe=/sbin/restorecon name=customizable_types dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:default_context_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied { read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292239.427:0): avc: denied { use } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292239.428:0): avc: denied { read } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora ptal-mlcd: SYSLOG at ExMgr.cpp:652, dev=<mlc:usb:PSC_900_Series>, pid=2629, e=2, t=1106321070 ptal-mlcd successfully initialized.
Jan 21 07:24:30 fedora ptal-printd: ptal-printd(mlc:usb:PSC_900_Series) successfully initialized using /var/run/ptal-printd/mlc_usb_PSC_900_Series*.
Jan 21 07:24:30 fedora kernel: Floppy drive(s): fd0 is 1.44M
I'll probe a bit, but any help is welcome!
tom
--
Tom London
18 years, 4 months
AWStats
by Mickey Hill
Hi all,
I have installed awstats (an httpd log file analyzer) from Extras and am
having some SELinux issues. I've gotten the same results on FC4 and
Rawhide, using current packages and unchanged config files. Below are
the steps I went through to get it working. Could someone more
knowledgeable provide some feedback on this, or point me in the right
direction? Is there a better or more correct way to do this? Is this
something that could or should be added to the policy?
/usr/share/awstats/wwwroot/cgi-bin/awstats.pl is run as a CGI script by
httpd, but is denied.
# ls -Z /usr/share/awstats/wwwroot/cgi-bin/
-rwxr-xr-x root root system_u:object_r:usr_t awredir.pl
-rwxr-xr-x root root system_u:object_r:usr_t awstats.pl
Changing the type gets the script running:
# chcon -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin/*
# ls -Z /usr/share/awstats/wwwroot/cgi-bin/
-rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t awredir.pl
-rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t awstats.pl
However, the script reports an error.
Error: AWStats database directory defined in config file by 'DirData'
parameter (/var/lib/awstats) does not exist or is not writable.
# ls -Z /var/lib
...
drwxr-xr-x root root system_u:object_r:var_lib_t awstats
...
Changing the type allows the script to run:
# chcon -t httpd_sys_script_rw_t /var/lib/awstats
# ls -Z /var/lib
...
drwxr-xr-x root root system_u:object_r:httpd_sys_script_rw_t awstats
...
Any thoughts?
Thanks,
--
Mickey Hill <mickey(a)mickeyhill.com>
18 years, 4 months
can't create dirs from vsftpd
by Peter Magnusson
selinux-policy-targeted-1.25.3-9 in FC4 surely isn't perfect. Can't create
dirs when I log in over ftp:
type=CWD msg=audit(1123375603.524:11258814): cwd="/home/iocc"
type=PATH msg=audit(1123375603.524:11258814): item=0 name="mp3" flags=10 inode=5046274 dev=03:01 mode=040755 ouid=636 ogid=636 rdev=00:00
type=AVC msg=audit(1123375603.539:11258878): avc: denied { getattr } for pid=10556 comm="vsftpd" name="/" dev=0:10 ino=49161 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=SYSCALL msg=audit(1123375603.539:11258878): arch=40000003 syscall=196 success=no exit=-13 a0=9527930 a1=9523328 a2=3a3ff4 a3=797eec items=1 pid=10556 auid=636 uid=636 gid=636 euid=636 suid=636 fsuid=636 egid=636 sgid=636 fsgid=636 comm="vsftpd" exe="/usr/sbin/vsftpd"
Can't find what I should turn off in /etc/selinux/targeted/booleans to make
it work. So I need a little help. Later, I want to upload files in that dir
also.
Also, I'm not so sure that I like that I can't see a lot of dirs when I'm
logged in at the ftp.
18 years, 5 months
FC4 last updates kill postfix+postgrey
by Andy Green
Hi Folks -
Using FC4 postfix with 'postgrey', a greylisting service that
communicates via a unix socket:
# ll -Z /var/spool/postfix/postgrey/socket
srw-rw-rw- postgrey nobody root:object_r:postfix_spool_t /var/spool/postfix/postgrey/socket
After recent updates:
Sep 27 09:25:17 Updated: audit-libs.i386 1.0.4-1.fc4
Sep 27 09:25:31 Updated: audit.x86_64 1.0.4-1.fc4
Sep 27 09:25:34 Updated: selinux-policy-targeted.noarch 1.27.1-2.2
Sep 27 09:25:35 Updated: audit-libs.x86_64 1.0.4-1.fc4
and a reboot, the socket is not available for postfix to open:
Sep 27 14:08:56 siamese postfix/smtpd[13486]: warning: connect to /var/spool/postfix/postgrey/socket: Permission denied
Sep 27 14:08:56 siamese postfix/smtpd[13486]: warning: problem talking to server /var/spool/postfix/postgrey/socket: Permission denied
Mail is then getting kicked because of this with, eg:
Sep 27 14:08:57 siamese postfix/smtpd[13486]: NOQUEUE: reject: RCPT from hormel.redhat.com[209.132.177.30]: 450 Server configuration problem; from=<fedora-list-bounces(a)redhat.com> to=<andy(a)warmcat.com> proto=ESMTP helo=<hormel.redhat.com>
However there are no avc complaints in /var/log/messages. Turning off
enforcing (of the targeted mode this is) in system-config-securitylevel
enables mail to work, therefore I deduce it is to do with selinux
despite the lack of complaints.
The socket is live alright as it appears (twice?) on:
# lsof -n | grep postgrey\/socket
postgrey 12989 postgrey 5u unix 0xffff81007995d800 77801 /var/spool/postfix/postgrey/socket
postgrey 12989 postgrey 9u unix 0xffff810005ed3800 92050 /var/spool/postfix/postgrey/socket
Any advice?
-Andy
18 years, 5 months
Selinux in FC4 is blocking SCTP
by Gregory Maxwell
type=AVC msg=audit(1128050967.120:12221195): avc: denied { name_bind } for pid=10749 comm="sctp_test" src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=socket
type=SYSCALL msg=audit(1128050967.120:12221195): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc003f0 a2=2 a3=1 items=0 pid=10749 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sctp_test" exe="/usr/bin/sctp_test"
type=AVC msg=audit(1128050975.796:12243576): avc: denied { name_bind } for pid=10752 comm="sctp_test" src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=socket
type=AVC msg=audit(1128050975.796:12243576): avc: denied { 0x400000 } for pid=10752 comm="sctp_test" saddr=192.168.16.64 src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:node_t tclass=socket
type=SYSCALL msg=audit(1128050975.796:12243576): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfd283d0 a2=2 a3=1 items=0 pid=10752 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sctp_test" exe="/usr/bin/sctp_test"
18 years, 5 months
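The AVC records in the udev, vsftpd and SCTP posts above come in two shapes (the kernel printk form and auditd's type=AVC form), and the usual first step in reading them is to group the denied permissions by source type, target type and class the way audit2allow does. A hex permission such as { 0x400000 } means the loaded policy defines no name for that bit on that class, so it points at a policy/kernel mismatch rather than at a missing allow rule. This is an added example, not code from any of the posts; it runs over denials copied from those posts, rejoined onto one line each, and the rules it prints are candidates for review, not something to load as-is:

```python
import re
from collections import defaultdict

# Denials copied from the posts above, rejoined onto one line each; the first two are
# the kernel printk form, the rest auditd's type=AVC form. The last line is not a denial.
SAMPLE_LOG = """\
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t tclass=file
type=AVC msg=audit(1123375603.539:11258878): avc: denied { getattr } for pid=10556 comm="vsftpd" name="/" dev=0:10 ino=49161 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=AVC msg=audit(1128050967.120:12221195): avc: denied { name_bind } for pid=10749 comm="sctp_test" src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=socket
type=AVC msg=audit(1128050975.796:12243576): avc: denied { 0x400000 } for pid=10752 comm="sctp_test" saddr=192.168.16.64 src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:node_t tclass=socket
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """user:role:type[:mls range] -> type"""
    return context.split(":")[2]

def parse_denials(log):
    """Yield (source type, target type, class, permission) per denied permission."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial, e.g. the "SELinux: initialized" lines
        for perm in m["perms"].split():
            yield type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"], perm

def summarize(log):
    """Group denials into {(stype, ttype, tclass): sorted perms}, as audit2allow does."""
    groups = defaultdict(set)
    for stype, ttype, tclass, perm in parse_denials(log):
        groups[(stype, ttype, tclass)].add(perm)
    return {key: sorted(perms) for key, perms in groups.items()}

def candidate_rules(log):
    """Render each group as an allow rule for review. A hex perm means the loaded
    policy has no name for that bit on that class, so it cannot be written into a rule as-is."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(log).items()):
        note = "  # unnamed permission bit: policy/kernel mismatch" if any(p.startswith("0x") for p in perms) else ""
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};{note}")
    return rules
```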
Re: Simulating a hacker attack
by pedro esteban
> >>Ok here is how I have simulated what you are trying to do.
> >>
> >>cp /bin/sh /var/www/httpdsh
> >>chcon -t httpd_exec_t /var/www/httpdsh
> >>
> >>Add the following lines to
> >>/etc/selinux/targeted/src/policy/domains/misc/local.te
> >>
> >>
> >>domain_auto_trans(unconfined_t,httpd_exec_t, httpd_t)
> >>allow httpd_t devpts_t:chr_file rw_file_perms;
> >>
> >>cd /etc/selinux/targeted/src/policy/
> >>make load
> >>setsebool httpd_tty_comm=1
> >>
> >>Then run
> >>/var/www/httpdsh
> >>as root.
> >>
> >> /var/www/httpdsh
> >>httpdsh: /root/.bashrc: Permission denied
> >># id
> >>uid=0(root) gid=0(root)
> >>groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> >>context=root:system_r:httpd_t:s0-s0:c0.c127
> >># cat /etc/shadow
> >>cat: /etc/shadow: Permission denied
> >># cat /var/log/messages
> >>cat: /var/log/messages: Permission denied
> >>
> >>
> >>
> >
> >Ok, thx for the lines. It works fine when I'm in Xmode (xterm), but
> >when I change to console mode (tty1) if I execute /var/www/httpdsh it
> >does not work. It's like if I don't execute the program. I don't get to
> >the httpd bash. I don't receive any message in the console. I don't
> >receive any message in /var/log/message. I don't receive any message in
> >/var/log/audit/audit.log. It's like if it had not done anything
> >
> >What happens?
> >
> >
> You need to add getattr and ioctl to your tty. I am adding it to Policy.
>
> You could add
>
> allow httpd_t tty_device_t:chr_file { getattr ioctl };
>
> to local.te
Ok, I have solved the problem.
I did not receive messages because I have dontaudit rules in
policy.conf. I solved this problem compiling with "make enableaudit".
(I thought that I had done it before, sorry)
Then I added these lines to the policy and now I can't execute in console.
allow httpd_t tty_device_t:chr_file { getattr ioctl }; #As Daniel J Walsh said
allow httpd_t tty_device_t:chr_file { read write };
18 years, 5 months
Re: Simulating a hacker attack
by pedro esteban
>Ok here is how I have simulated what you are trying to do.
>
> cp /bin/sh /var/www/httpdsh
> chcon -t httpd_exec_t /var/www/httpdsh
>
> Add the following lines to
> /etc/selinux/targeted/src/policy/domains/misc/local.te
>
>
> domain_auto_trans(unconfined_t,httpd_exec_t, httpd_t)
> allow httpd_t devpts_t:chr_file rw_file_perms;
>
> cd /etc/selinux/targeted/src/policy/
> make load
> setsebool httpd_tty_comm=1
>
> Then run
> /var/www/httpdsh
> as root.
>
> /var/www/httpdsh
> httpdsh: /root/.bashrc: Permission denied
> # id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=root:system_r:httpd_t:s0-s0:c0.c127
> # cat /etc/shadow
> cat: /etc/shadow: Permission denied
> # cat /var/log/messages
> cat: /var/log/messages: Permission denied
>
Ok, thx for the lines. It works fine when I'm in Xmode (xterm), but
when I change to console mode (tty1) if I execute /var/www/httpdsh it
does not work. It's like if I don't execute the program. I don't get to
the httpd bash. I don't receive any message in the console. I don't
receive any message in /var/log/message. I don't receive any message in
/var/log/audit/audit.log. It's like if it had not done anything
What happens?
18 years, 5 months
Re: Simulating a hacker attack
by pedro esteban
>Ok, thx for the lines. It works fine when I'm in Xmode (xterm), but
> >when I change to console mode (tty1) if I execute /var/www/httpdsh it
> >does not work. It's like if I don't execute the program. I don't get to
> >the httpd bash. I don't receive any message in the console. I don't
> >receive any message in /var/log/message. I don't receive any message in
> >/var/log/audit/audit.log. It's like if it had not done anything
> >
> >What happens?
> >
> >
> You need to add getattr and ioctl to your tty. I am adding it to Policy.
>
> You could add
>
> allow httpd_t tty_device_t:chr_file { getattr ioctl };
>
> to local.te
>
>
Thx again for your answer :), but it doesn't work.
I think something is broken because, like I said in my previous
message, I don't receive any message from the system.
When I execute /var/www/httpdsh in Xmode (for example xterm) it
works fine, but if I execute it in console mode (for example tty1) it's
like if I don't execute absolutely NOTHING. Nothing in console,
nothing in /var/log/messages, nothing in /var/log/audit/audit.log,
nothing in /var/log/* and after the execute I'm not in the new shell.
It's very strange.
18 years, 5 months