SELinux breaks samba with no AVCs...
by Tom Lisjac
I'm trying to make samba shares available on a new FC4 server I've
just built that's running selinux-policy-targeted-1.27.1-2.1. I
relabelled after the update the other day, ran permissive until
everything worked, added the following to local.te and recompiled the
policy sources:
allow smbd_t home_root_t:dir { getattr search };
allow smbd_t httpd_sys_content_t:dir { getattr read remove_name search write };
allow smbd_t httpd_sys_content_t:file { getattr lock read unlink };
allow smbd_t samba_net_tmp_t:file { getattr read write };
allow smbd_t user_home_dir_t:dir { getattr read };
allow smbd_t user_home_t:dir getattr;
allow smbd_t user_home_t:file getattr;
When I switched to enforcing, I couldn't connect... and there were no
new AVCs. Switching back to permissive worked.
I've never seen this behavior before. In the past when enforcing,
there has always been an AVC to explain a denial of service. This time
there wasn't. Turning off selinux fixes the problem so there must be a
relationship.
Disabling selinux seems to be my only alternative... but I'd rather
not. Any suggestions would be appreciated.
-Tom
17 years, 6 months
AWStats and SELinux Permissions
by Steven Stromer
Ever change a configuration setting, and forget what it originally was?
I need help. If anyone is running AWStats with SELinux on Fedora, can
you let me know the SELinux permissions (ls -Z) on the directory
/etc/awstats, and on the .conf files contained in this directory? In
getting AWStats working I changed these settings from their defaults,
and don't know SELinux well enough yet to know what the default settings
likely were.
Thanks!
Steven Stromer
17 years, 6 months
Yum SELINUX Updates.
by Tomas Larsson
I have seen that there have been several updates of selinux policy.
Do I need to do anything to make it valid, like reboot, relabel or something
similar?
Another "stupid" question: all posts from the list originate from
fedora-selinux-list-bounces(a)redhat.com. I would assume that it means that
the mails are bouncing in my mailbox, but I am not aware that should be the
case, and my ISP is telling me that everything is working OK.
With best regards
Tomas Larsson
Sweden
Verus Amicus Est Tamquam Alter Idem
17 years, 6 months
apache denied access to sendmail
by Amin Astaneh
Hello-
And the plot thickens as well..
Evidently the email denied by SELinux eventually gets out on the network anyway through
sendmail. The denial only defers the mail, so around ten minutes later the mail is sent again,
successfully however, due to sendmail making its own request.
Here are the logs, grepping for the same set of timestamps and mail IDs:
/var/log/messages
Sep 27 12:43:34 apache02 kernel: audit(1127839414.325:10): avc: denied { name_connect } for
pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t
tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
Sep 27 12:43:34 apache02 kernel: audit(1127839414.326:11): avc: denied { name_connect } for
pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t
tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
/var/log/maillog
Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: from=apache, size=505, class=0,
nrcpts=1, msgid=<200509271643.j8RGhYfY003948(a)apache02.qwik.net>, relay=apache@localhost
Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: to=aastaneh(a)cmax2.com, ctladdr=apache
(48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30505, relay=[127.0.0.1] [127.0.0.1],
dsn=4.0.0, stat=Deferred: Permission denied
Sep 27 12:52:04 apache02 sendmail[3953]: j8RGq3n2003953: from=<apache(a)apache02.qwik.net>,
size=702, class=0, nrcpts=1, msgid=<200509271643.j8RGhYfY003948(a)apache02.qwik.net>, proto=ESMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Sep 27 12:52:04 apache02 sm-msp-queue[3952]: j8RGhYfY003948: to=aastaneh(a)cmax2.com,
ctladdr=apache (48/48), delay=00:08:30, xdelay=00:00:01, mailer=relay, pri=120505,
relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j8RGq3n2003953 Message accepted for
delivery)
-Amin Astaneh
17 years, 6 months
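The deferral-then-delivery sequence the post above shows can be reconstructed mechanically from the two logs. This is an added example, not code from the post or from sendmail: it parses the AVC records and the maillog lines quoted above (copied here and re-joined onto single lines, since the archive wrapped them), joins them on the sendmail pid that appears in both, and reports when the queue ID was deferred, when it was finally sent, and by which program. The join is deliberately on pid rather than on time: the audit(...) stamp is a UTC epoch while syslog lines carry local time and no year (the year 2005 is taken from the msgid and is otherwise an assumption).

```python
"""Correlate an SELinux AVC denial with sendmail queue activity."""
import re
from datetime import datetime

# Log lines copied from the post above (archive wrapping removed).
SAMPLE_AUDIT = """\
Sep 27 12:43:34 apache02 kernel: audit(1127839414.325:10): avc: denied { name_connect } for pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
Sep 27 12:43:34 apache02 kernel: audit(1127839414.326:11): avc: denied { name_connect } for pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
"""

SAMPLE_MAILLOG = """\
Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: from=apache, size=505, class=0, nrcpts=1, msgid=<200509271643.j8RGhYfY003948(a)apache02.qwik.net>, relay=apache@localhost
Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: to=aastaneh(a)cmax2.com, ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30505, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Permission denied
Sep 27 12:52:04 apache02 sendmail[3953]: j8RGq3n2003953: from=<apache(a)apache02.qwik.net>, size=702, class=0, nrcpts=1, msgid=<200509271643.j8RGhYfY003948(a)apache02.qwik.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Sep 27 12:52:04 apache02 sm-msp-queue[3952]: j8RGhYfY003948: to=aastaneh(a)cmax2.com, ctladdr=apache (48/48), delay=00:08:30, xdelay=00:00:01, mailer=relay, pri=120505, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j8RGq3n2003953 Message accepted for delivery)
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"')
MAILLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s+'
    r'(?P<qid>\w+):\s+(?P<rest>.*)$')


def parse_avc_denials(text):
    """Return the pid, comm and permissions of every AVC denial in text."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append({'pid': int(m['pid']), 'comm': m['comm'], 'perms': m['perms'].split()})
    return out


def parse_maillog(text, year):
    """Return one record per sendmail queue event; syslog lines have no year."""
    out = []
    for line in text.splitlines():
        m = MAILLOG_RE.match(line)
        if not m:
            continue
        ts = ' '.join(m['ts'].split())  # collapse the double space before 1-digit days
        stat = re.search(r'stat=(\w+)', m['rest'])
        dsn = re.search(r'dsn=([\d.]+)', m['rest'])
        out.append({
            'time': datetime.strptime(f'{year} {ts}', '%Y %b %d %H:%M:%S'),
            'prog': m['prog'], 'pid': int(m['pid']), 'qid': m['qid'],
            'stat': stat.group(1) if stat else None,
            'dsn': dsn.group(1) if dsn else None,
        })
    return out


def correlate(audit_text, maillog_text, year=2005):
    """Map each queue ID submitted by a denied pid to its deferral/delivery."""
    denied_pids = {d['pid'] for d in parse_avc_denials(audit_text)}
    mail = parse_maillog(maillog_text, year)
    # Queue IDs whose submitting process is the one the AVC names.
    qids = sorted({e['qid'] for e in mail if e['pid'] in denied_pids})
    report = {}
    for qid in qids:
        events = [e for e in mail if e['qid'] == qid]
        deferred = next((e for e in events if e['stat'] == 'Deferred'), None)
        sent = next((e for e in events if e['stat'] == 'Sent'), None)
        report[qid] = {
            'deferred_at': deferred['time'] if deferred else None,
            'sent_at': sent['time'] if sent else None,
            'delivered_by': sent['prog'] if sent else None,  # queue runner, not the denied pid
            'delay_seconds': (int((sent['time'] - deferred['time']).total_seconds())
                              if sent and deferred else None),
            'outcome': 'delivered after retry' if sent else ('deferred' if deferred else 'unknown'),
        }
    return report


if __name__ == '__main__':
    for qid, info in correlate(SAMPLE_AUDIT, SAMPLE_MAILLOG).items():
        print(qid, info)
```

On the sample data the report shows queue ID j8RGhYfY003948 deferred by sendmail[3948] (the pid the AVC names) and sent 510 seconds later by sm-msp-queue, matching the delay=00:08:30 sendmail itself logged. That is the point worth checking on any box where an AVC denial is expected to act as a control: a denial against the submitting process says nothing about what the queue runner does on the next pass.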
Re: 2.6.14-rc2-git6 vs FC3
by Stephen Smalley
On Tue, 2005-09-27 at 18:01 +0200, Zoltan Boszormenyi wrote:
> Tony Nelson írta:
> > At 1:08 PM +0200 9/27/05, Zoltan Boszormenyi wrote:
> >
> >>Hi,
> >>
> >>I have an FC3/x86-64 system and I wanted to try
> >>the latest-greatest mainstream test kernel.
> >>The compilation went OK but it didn't boot successfully,
> >>which seems to be an FC3 bug. The last lines on the
> >>console are:
> >>
> >>-------------------------------------------------
> >>Switching to new root
> >>Enforcing mode requested but no policy loaded. Halting now.
> >>Kernel panic - not syncing: Attempted to kill init!
> >>-------------------------------------------------
> >>
> >>At that point, the initrd userspace already started up
> >>and loaded the required modules, e.g. ext3, SATA drivers, etc.
> >>
> >>Is FC3 (or its mkinitrd) that old to be incompatible with
> >>the latest kernel? At this moment I cannot upgrade to FC4
> >>to confirm this.
> >
> >
> > That's SELinux. Note that the name SELinux doesn't appear in SELinux error
> > messages; this may be the Security Mindset at work. The key words in the
> > error message are "enforcing mode" and "policy". Turn off SELinux'
> > enforcing mode. If you run any servers you will want to be behind some
> > other firewall and pay attention to the machine's firewall.
>
> Yes, thank you. I know it's SELinux, I already switched off
> enforcing mode, but I cannot reboot to try it at the moment.
> My machine is the only computer in the house, so I am a bit
> uneasy about switching it off.
>
> BTW, I am running 2.6.13-rc1-mm1 (kernel-2.6.11-1.14_FC3 is installed)
> and setting enforcing mode on boot works with these kernel versions.
/sbin/init tries to load the current policy version (for the binary
policy format, not the package version) supported by the kernel (based
on reading /selinux/policyvers), and then tries the next oldest version
if that doesn't exist. I think the issue here is that the policy
version has changed twice from what shipped in FC3, and /sbin/init
doesn't keep trying older policy versions if the current one and its
predecessor don't exist. The kernel itself will always accept older
binary policy versions, so it would take the policy if /sbin/init loaded
it. Naturally, there could be permission denials due to new permissions
being introduced in the newer kernel that weren't allowed by the older
policy, but you should at least be able to boot the system.
/sbin/init should likely keep trying older versions down to the oldest
supported version in the 2.6 series. It would then ultimately load the
policy that you have in FC3, which would likely work modulo new
permission check denials.
cc'd fedora-selinux-list, as that is the best place to ask questions re
SELinux.
--
Stephen Smalley
National Security Agency
17 years, 6 months
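The loading logic described in the reply above is easy to model and worth seeing in code, because the failure is a policy-selection bug rather than a policy bug. The block below is an added example, not code from /sbin/init or from the thread: it picks a policy.N file the way the reply describes, once with a loader that gives up after the kernel's version and its predecessor, and once with a loader that walks down to the oldest supported version. The version numbers (a kernel reporting 20, a store holding only policy.18, a lower bound of 15) and the directory scan are illustrative assumptions, not values taken from the page.

```python
"""Model of boot-time SELinux binary policy selection."""
from typing import Iterable, List, Optional

# Assumed lower bound for the walk-down; not a value from the page.
OLDEST_SUPPORTED = 15

HALT_MESSAGE = "Enforcing mode requested but no policy loaded. Halting now."


def kernel_policy_version(policyvers_text: str) -> int:
    """Parse the decimal integer read from /selinux/policyvers."""
    return int(policyvers_text.strip())


def scan_store(filenames: Iterable[str]) -> List[int]:
    """Extract versions from names like 'policy.18' in a policy directory."""
    versions = []
    for name in filenames:
        base, _, num = name.rpartition('.')
        if base == 'policy' and num.isdigit():
            versions.append(int(num))
    return sorted(versions)


def select_policy_version(kernel_vers: int,
                          available: Iterable[int],
                          max_tries: Optional[int] = None) -> Optional[int]:
    """Return the policy.N version a loader would pick, or None if it gives up.

    Candidates are walked from kernel_vers downward, never upward: the kernel
    rejects formats newer than the one it reports but accepts any older one.
    max_tries=2 models a loader that tries only the kernel's version and its
    predecessor; max_tries=None walks all the way down to OLDEST_SUPPORTED.
    """
    avail = set(available)
    if max_tries is None:
        lowest = OLDEST_SUPPORTED
    else:
        lowest = max(OLDEST_SUPPORTED, kernel_vers - max_tries + 1)
    for vers in range(kernel_vers, lowest - 1, -1):
        if vers in avail:
            return vers
    return None


def boot_outcome(enforcing_requested: bool, chosen: Optional[int]) -> str:
    """What init does with the selection result (simplified)."""
    if chosen is not None:
        return f"loaded policy.{chosen}"
    if enforcing_requested:
        return HALT_MESSAGE
    return "no policy loaded; init continues without enforcement"


if __name__ == "__main__":
    # Hypothetical FC3 store after a much newer kernel is installed.
    store = scan_store(["policy.18", "policy.18.bak", "README"])
    kernel = kernel_policy_version("20\n")
    print("two-step loader:", boot_outcome(True, select_policy_version(kernel, store, max_tries=2)))
    print("walk-down loader:", boot_outcome(True, select_policy_version(kernel, store)))
```

With the store holding only policy.18 and the kernel reporting 20, the two-step loader tries 20 and 19, finds nothing and halts with exactly the message from the console transcript; the walk-down loader finds 18 and boots, leaving only the denials for permissions the older policy never knew about.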
apache denied access to sendmail
by Amin Astaneh
Hello-
System: Fedora Core 3, current
I am using a trouble ticketing system written in PHP (phpSupport) which uses sendmail by
calling a Perl script provided by the package. Every time phpSupport passes a mail request to
sendmail, this audit appears:
Sep 27 12:43:34 apache02 kernel: audit(1127839414.326:11): avc: denied { name_connect } for
pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t
tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
In /var/log/maillog, sendmail logs this for the email transaction:
Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: from=apache, size=505, class=0,
nrcpts=1, msgid=<200509271643.j8RGhYfY003948(a)apache02.qwik.net>, relay=apache@localhost
Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: to=aastaneh(a)cmax2.com, ctladdr=apache
(48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30505, relay=[127.0.0.1] [127.0.0.1],
dsn=4.0.0, stat=Deferred: Permission denied
I have already submitted a bug report https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168874
and this problem was fixed in FC4... with no real note of fixing it for FC3.
I have already done a touch /.autorelabel and rebooted, but to no avail..
The only fix is to take the results of audit2allow and recompile policy (which worked on my
development box).
I am a little wary of building policy from policy-sources on a production machine in order to
insert dontaudit rules to stop this denial.. is it possible to build policy on a development
server (with the exact architecture) and transplant it into the production machine? If so- what
procedure must I follow?
Are there any other solutions?
Amin Astaneh
17 years, 6 months
Simulating a hacker attack
by pedro esteban
Hi, I'm having problems with the audit of denial messages with the
targeted policy.
I'm using runcon with a shell script to simulate what would happen if a
hacker was successful hacking the web server, so I execute the following
command: runcon -u system_u -r system_r -t httpd_t /bin/bash
I can only get this to work in permissive mode because if I execute it
in enforcing mode I get an error (execvp: Permission denied).
When I execute the command in permissive mode and I'm running in the
new "httpd-shell", I execute 'id -Z' and get this:
"system_u:system_r:httpd_t", so I think I'm running in the correct web
server security context.
The problem is that I don't receive any error message in
/var/log/messages when I try to do not-allowed operations (like
deleting a file under /etc).
(I have enabled all auditing with make enableaudit; make load under policy src)
thanks in advance
17 years, 6 months
Mozilla needs to create lock (link) file
by Tom London
Running strict enforcing, latest rawhide.
Mozilla wants to create a lock/link file:
type=AVC msg=audit(1127586026.834:4165): avc: denied { create } for
pid=3407 comm="firefox-bin" name="lock"
scontext=tbl:staff_r:staff_mozilla_t:s0
tcontext=tbl:object_r:staff_untrusted_content_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1127586026.834:4165): arch=40000003 syscall=83
success=yes exit=0 a0=9d800d0 a1=9d7fd68 a2=8067d00 a3=0 items=2
pid=3407 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 comm="firefox-bin"
exe="/usr/lib/firefox-1.5/firefox-bin"
type=CWD msg=audit(1127586026.834:4165): cwd="/home/tbl"
type=PATH msg=audit(1127586026.834:4165): item=0
name="127.0.0.1:+3407" flags=101
type=PATH msg=audit(1127586026.834:4165): item=1
name="/home/tbl/.mozilla/firefox/yz68q13i.default/lock" flags=10
inode=2786580 dev=03:02 mode=040700 ouid=500 ogid=500 rdev=00:00
allow staff_mozilla_t staff_untrusted_content_t:lnk_file create;
Not sure which macro needs to be fiddled.....
tom
--
Tom London
17 years, 6 months
acpid
by Matthew Saltzman
I have ACPI scripts that are supposed to run when Fn-Fx is pressed (for
various values of x). The scripts run fine when invoked from a shell,
but they fail when invoked by keypress. For example,
/etc/acpi/actions/Fn-F3.sh contains:
#!/bin/sh
if [ -f /var/tmp/acpi-lightoff ]; then
/usr/sbin/radeontool light on
/bin/rm /var/tmp/acpi-lightoff
else
/usr/sbin/radeontool light off
/bin/touch /var/tmp/acpi-lightoff
fi
When invoked by keypress, I get the following audit messages, and no
action is taken (light stays on, no file touched). Should I be doing
something different or is there something in selinux-policy-targeted that
needs to be fixed?
TIA.
type=AVC msg=audit(1126826853.791:2631316): avc: denied { search } for
pid=4112 comm="Fn-F3.sh" name="tmp" dev=dm-0 ino=906756
scontext=root:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
type=SYSCALL msg=audit(1126826853.791:2631316): arch=40000003 syscall=195
success=no exit=-13 a0=88fcda0 a1=bfffb488 a2=960ff4 a3=88fce30 items=1
pid=4112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="Fn-F3.sh" exe="/bin/bash"
type=CWD msg=audit(1126826853.791:2631316): cwd="/"
type=PATH msg=audit(1126826853.791:2631316): item=0
name="/var/tmp/acpi-lightoff" flags=1 inode=906756 dev=fd:00 mode=041777
ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1126826853.800:2631748): avc: denied { read } for
pid=4114 comm="lspci" name="pci.ids" dev=dm-0 ino=809685
scontext=root:system_r:apmd_t tcontext=system_u:object_r:usr_t tclass=file
type=SYSCALL msg=audit(1126826853.800:2631748): arch=40000003 syscall=5
success=no exit=-13 a0=8054e5c a1=0 a2=fbad8001 a3=0 items=1 pid=4114
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="lspci" exe="/sbin/lspci"
type=CWD msg=audit(1126826853.800:2631748): cwd="/"
type=PATH msg=audit(1126826853.800:2631748): item=0
name="/usr/share/hwdata/pci.ids" flags=101 inode=809685 dev=fd:00
mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1126826853.804:2631869): avc: denied { search } for
pid=4115 comm="touch" name="tmp" dev=dm-0 ino=906756
scontext=root:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
type=SYSCALL msg=audit(1126826853.804:2631869): arch=40000003 syscall=5
success=no exit=-13 a0=bfefbf71 a1=8941 a2=1b6 a3=8941 items=1 pid=4115
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="touch" exe="/bin/touch"
type=CWD msg=audit(1126826853.804:2631869): cwd="/"
type=PATH msg=audit(1126826853.804:2631869): item=0
name="/var/tmp/acpi-lightoff" flags=310 inode=906756 dev=fd:00
mode=041777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1126826853.804:2631870): avc: denied { search } for
pid=4115 comm="touch" name="tmp" dev=dm-0 ino=906756
scontext=root:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
type=SYSCALL msg=audit(1126826853.804:2631870): arch=40000003 syscall=30
success=no exit=-13 a0=bfefbf71 a1=0 a2=804f8bc a3=bfefbf71 items=1
pid=4115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="touch" exe="/bin/touch"
type=CWD msg=audit(1126826853.804:2631870): cwd="/"
type=PATH msg=audit(1126826853.804:2631870): item=0
name="/var/tmp/acpi-lightoff" flags=1 inode=906756 dev=fd:00 mode=041777
ouid=0 ogid=0 rdev=00:00
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
17 years, 6 months
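The Mozilla and acpid posts above, like Amin Astaneh's sendmail posts, each end with the same step: turn the AVC records into a candidate rule and then decide whether it belongs in local.te as an allow or a dontaudit. The block below is an added example, not audit2allow itself and not code from any of the posts: it does that mapping by hand so the result can be checked. The sample records are the AVC lines from those three posts, copied here and re-joined onto single lines because the archive wrapped them; the parser keys each rule on the source type, target type and object class it extracts from scontext, tcontext and tclass, and merges permissions per key the way audit2allow does. The "triggered by" annotation is this example's own addition.

```python
"""Turn AVC denial records into allow/dontaudit rules, merged per key."""
import re
from collections import defaultdict

# AVC lines copied from the posts above (archive wrapping removed).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1127586026.834:4165): avc: denied { create } for pid=3407 comm="firefox-bin" name="lock" scontext=tbl:staff_r:staff_mozilla_t:s0 tcontext=tbl:object_r:staff_untrusted_content_t:s0 tclass=lnk_file
type=AVC msg=audit(1126826853.791:2631316): avc: denied { search } for pid=4112 comm="Fn-F3.sh" name="tmp" dev=dm-0 ino=906756 scontext=root:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
type=AVC msg=audit(1126826853.800:2631748): avc: denied { read } for pid=4114 comm="lspci" name="pci.ids" dev=dm-0 ino=809685 scontext=root:system_r:apmd_t tcontext=system_u:object_r:usr_t tclass=file
type=AVC msg=audit(1126826853.804:2631869): avc: denied { search } for pid=4115 comm="touch" name="tmp" dev=dm-0 ino=906756 scontext=root:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
Sep 27 12:43:34 apache02 kernel: audit(1127839414.325:10): avc: denied { name_connect } for pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:range] -> type (the :s0 MLS suffix is ignored)."""
    return ctx.split(':')[2]


def parse_avcs(text):
    """Return one record per AVC denial found anywhere in the text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m['fields'])}
        denials.append({
            'perms': m['perms'].split(),
            'stype': context_type(m['scontext']),
            'ttype': context_type(m['tcontext']),
            'tclass': m['tclass'],
            'comm': fields.get('comm'),
            'pid': int(fields['pid']) if 'pid' in fields else None,
            'name': fields.get('name'),
        })
    return denials


def generate_rules(denials, kind='allow', annotate=False):
    """Merge denials into one rule per (source type, target type, class).

    kind is 'allow' or 'dontaudit'.  annotate=True prefixes each rule with a
    comment naming the programs (comm=) that triggered it, which is what you
    want in front of you when deciding whether the rule belongs in the policy.
    """
    if kind not in ('allow', 'dontaudit'):
        raise ValueError(kind)
    perms = defaultdict(set)
    comms = defaultdict(set)
    for d in denials:
        key = (d['stype'], d['ttype'], d['tclass'])
        perms[key].update(d['perms'])
        if d.get('comm'):
            comms[key].add(d['comm'])
    rules = []
    for key in sorted(perms):
        stype, ttype, tclass = key
        plist = sorted(perms[key])
        ptext = plist[0] if len(plist) == 1 else '{ ' + ' '.join(plist) + ' }'
        if annotate:
            rules.append('# triggered by: ' + ', '.join(sorted(comms[key])))
        rules.append(f'{kind} {stype} {ttype}:{tclass} {ptext};')
    return rules


if __name__ == '__main__':
    found = parse_avcs(SAMPLE_AUDIT)
    print('\n'.join(generate_rules(found, annotate=True)))
    # The sendmail denial as the dontaudit rule Amin Astaneh was considering:
    mail = [d for d in found if d['stype'] == 'system_mail_t']
    print('\n'.join(generate_rules(mail, kind='dontaudit')))
```

Run against the sample records it produces, among others, `allow staff_mozilla_t staff_untrusted_content_t:lnk_file create;`, the same rule Tom London arrived at, and collapses the two apmd_t searches of tmp_t (one from the script, one from touch) into a single `allow apmd_t tmp_t:dir search;`. A dontaudit only silences the record; it does not change the denial, so the sendmail rule in the second form is a choice to stop logging, not a fix for the deferral.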
Problems creating a user
by Armando Aznar
Hello, I want to do various security tests with SELinux.
I have enabled the targeted policy, so all the users run with the user "user_u" (then all the users have all the permissions in SELinux).
How could I create a user who runs with the user "system_u" so this user doesn't have all the permissions?
Thanks in advance
17 years, 6 months