selinux September 2005

selinux@lists.fedoraproject.org

42 participants
53 discussions

Selinux breaks samba with no AVC's...
by Tom Lisjac 29 Sep '05

29 Sep '05

I'm trying to make samba shares available on a new FC4 server I've just built that's running selinux-policy-targeted-1.27.1-2.1. I relabelled after the update the other day, ran permissive until everything worked, added the following to local.te and recompiled the policy sources: allow smbd_t home_root_t:dir { getattr search }; allow smbd_t httpd_sys_content_t:dir { getattr read remove_name search write }; allow smbd_t httpd_sys_content_t:file { getattr lock read unlink }; allow smbd_t samba_net_tmp_t:file { getattr read write }; allow smbd_t user_home_dir_t:dir { getattr read }; allow smbd_t user_home_t:dir getattr; allow smbd_t user_home_t:file getattr; When I switched to enforcing, I couldn't connect... and there were no new AVC's. Switching back to permissive worked. I've never seen this behavior before. In the past when enforcing, there has always been an AVC to explain a denial of service. This time there wasn't. Turning off selinux fixes the problem so there must be a relationship. Disabling selinux seems to be my only alternative... but I'd rather not. Any suggestions would be appreciated. -Tom

2 4

AWStats and SELinux Permissions
by Steven Stromer 28 Sep '05

28 Sep '05

Ever change a configuration setting, and forget what it originally was? I need help. If anyone is running AWStats with SELinux on Fedora, can you let me know the SELinux permissions (ls -Z) on the directory /etc/awstats, and on the .conf files contained in this directory? In getting AWStats working I changed these settings from their defaults, and don't know SELinux well enough yet to know what the default settings likely were. Thanks! Steven Stromer

2 1

Yum SELINUX Updates.
by Tomas Larsson 28 Sep '05

28 Sep '05

I have seen that there have been several updates of selinux policy. Do I need to do anything to make it valid, like reboot, relabel or something similar. Another "stupid" question, all posts from the list originates from fedora-selinux-list-bounces(a)redhat.com, I would assume that it means that the mails are bouncing in my mailbox, but I am not aware that should be the case, and my isp is telling me that everything is working OK. With best regards Tomas Larsson Sweden Verus Amicus Est Tamquam Alter Idem

4 5

apache denied access to sendmail
by Amin Astaneh 27 Sep '05

27 Sep '05

Hello- And the plot thickens as well.. Evidently the email denied by SELinux eventually gets out on the network anyway through sendmail. The denial only defers the mail, so around ten minutes later the mail is sent again- successfully however, due to sendmail making it's own request. Here are the logs, grepping for the same set of timestamps and mail id's- /var/log/messages Sep 27 12:43:34 apache02 kernel: audit(1127839414.325:10): avc: denied { name_connect } for pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket Sep 27 12:43:34 apache02 kernel: audit(1127839414.326:11): avc: denied { name_connect } for pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket /var/log/maillog Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: from=apache, size=505, class=0, nrcpts=1, msgid=<200509271643.j8RGhYfY003948(a)apache02.qwik.net>, relay=apache@localhost Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: to=aastaneh(a)cmax2.com, ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30505, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Permission denied Sep 27 12:52:04 apache02 sendmail[3953]: j8RGq3n2003953: from=<apache(a)apache02.qwik.net>, size=702, class=0, nrcpts=1, msgid=<200509271643.j8RGhYfY003948(a)apache02.qwik.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1] Sep 27 12:52:04 apache02 sm-msp-queue[3952]: j8RGhYfY003948: to=aastaneh(a)cmax2.com, ctladdr=apache (48/48), delay=00:08:30, xdelay=00:00:01, mailer=relay, pri=120505, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j8RGq3n2003953 Message accepted for delivery) -Amin Astaneh

1 0

Re: 2.6.14-rc2-git6 vs FC3
by Stephen Smalley 27 Sep '05

27 Sep '05

On Tue, 2005-09-27 at 18:01 +0200, Zoltan Boszormenyi wrote: > Tony Nelson írta: > > At 1:08 PM +0200 9/27/05, Zoltan Boszormenyi wrote: > > > >>Hi, > >> > >>I have an FC3/x86-64 system and I wanted to try > >>the latest-greatest mainstream test kernel. > >>The compilation went OK but it didn't boot successfully, > >>which seems to be an FC3 bug. The last lines on the > >>console are: > >> > >>------------------------------------------------- > >>Switching to new root > >>Enforcing mode requested but no policy loaded. Halting now. > >>Kernel panic - not syncing: Attempted to kil init! > >>------------------------------------------------- > >> > >>At that point, the initrd userspace already started up > >>and loaded the required modules, e.g. ext3, SATA drivers, etc. > >> > >>Is FC3 (or its mkinitrd) that old to be incompatible with > >>the latest kernel? At this moment I cannot upgrade to FC4 > >>to confirm this. > > > > > > That's SELinux. Note that the name SELinux doesn't appear in SELinux error > > messages; this may be the Security Mindset at work. The key words in the > > error message are "enforcing mode" and "policy". Turn off SELinux' > > enforcing mode. If you run any servers you will want to be behind some > > other firewall and pay attention to the machine's firewall. > > Yes, thank you. I know it's SELinux, I already switched off > enforcing mode, but I cannot reboot to try it at the moment. > My machine is the only computer in the house, so I am a bit > uneasy about switching it off. > > BTW, I am running 2.6.13-rc1-mm1 (kernel-2.6.11-1.14_FC3 is installed) > and setting enforcing mode on boot works with these kernel versions. /sbin/init tries to load the current policy version (for the binary policy format, not the package version) supported by the kernel (based on reading /selinux/policyvers), and then tries the next oldest version if that doesn't exist. I think the issue here is that the policy version has changed twice from what shipped in FC3, and /sbin/init doesn't keep trying older policy versions if the current one and its predecessor don't exist. The kernel itself will always accept older binary policy versions, so it would take the policy if /sbin/init loaded it. Naturally, there could be permission denials due to new permissions being introduced in the newer kernel that weren't allowed by the older policy, but you should at least be able to boot the system. /sbin/init should likely keep trying older versions down to the oldest supported version in the 2.6 series. It would then ultimately load the policy that you have in FC3, which would likely work modulo new permission check denials. cc'd fedora-selinux-list, as that is the best place to ask questions re SELinux. -- Stephen Smalley National Security Agency

1 0

apache denied access to sendmail
by Amin Astaneh 27 Sep '05

27 Sep '05

Hello- System: Fedora Core 3, current I am using a trouble ticketing system written in PHP (phpSupport) which uses sendmail through calling a perl script provided by the package. Every time phpSupport passes a mail request to sendmail, this audit appears: Sep 27 12:43:34 apache02 kernel: audit(1127839414.326:11): avc: denied { name_connect } for pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket In /var/log/maillog, sendmail logs this for the email transaction: Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: from=apache, size=505, class=0, nrcpts=1, msgid=<200509271643.j8RGhYfY003948(a)apache02.qwik.net>, relay=apache@localhost Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: to=aastaneh(a)cmax2.com, ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30505, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Permission denied I have already submitted a bug report https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168874 and this problem was fixed in FC4... with no real note of fixing it for FC3. I have already did a touch /.autorelabel and rebooted, but to no avail.. The only fix is to take the results of audit2allow and recompile policy (which worked on my development box). I am a little wary of building policy from policy-sources on a production machine in order to insert dontaudit rules to stop this denial.. is it possible to build policy on a development server (with the exact architecture) and transplant it into the production machine? If so- what procedure must I follow? Are there any other solutions? Amin Astaneh

1 0

Simulating a hacker attack
by pedro esteban 27 Sep '05

27 Sep '05

Hi, im having problems with the audit of denail messages with the targeted policy Im using runcon with a shell script to simulate what would happen if a hacker was successfull hacking the web server, so i execute the next command: runcon -u system_u -r system_r -t httpd_t /bin/bash I can only get this to work in permissive mode because if i execute it in enforcing mode i get an error (execvp: Permission denied) When i execute the command in permissive mode and im running in the new "httpd-shell", i execute 'id -Z' and get this: "system_u:system_r:httpd_t", so i think i running in the correct web server security context. The problem is that i dont recieve any error message in the /var/log/messages when i try to do not-alloweds operations (like to delete a file under /etc) (I have enabled all-auditing with make enableaudit;makeload under policy src) thanks in advance

3 3

Mozilla needs to create lock (link) file
by Tom London 26 Sep '05

26 Sep '05

Running strict enforcing, latest rawhide. Mozilla wants to create a lock/link file: type=AVC msg=audit(1127586026.834:4165): avc: denied { create } for pid=3407 comm="firefox-bin" name="lock" scontext=tbl:staff_r:staff_mozilla_t:s0 tcontext=tbl:object_r:staff_untrusted_content_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1127586026.834:4165): arch=40000003 syscall=83 success=yes exit=0 a0=9d800d0 a1=9d7fd68 a2=8067d00 a3=0 items=2 pid=3407 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib/firefox-1.5/firefox-bin" type=CWD msg=audit(1127586026.834:4165): cwd="/home/tbl" type=PATH msg=audit(1127586026.834:4165): item=0 name="127.0.0.1:+3407" flags=101 type=PATH msg=audit(1127586026.834:4165): item=1 name="/home/tbl/.mozilla/firefox/yz68q13i.default/lock" flags=10 inode=2786580 dev=03:02 mode=040700 ouid=500 ogid=500 rdev=00:00 allow staff_mozilla_t staff_untrusted_content_t:lnk_file create; Not sure which macro needs to be fiddled..... tom -- Tom London

5 8

acpid
by Matthew Saltzman 26 Sep '05

26 Sep '05

I have ACPI scripts that are supposed to run when Fn-Fx is pressed (for various values of x). The scripts run fine when invoked from a shell, but they fail when invoked by keypress. For example, /etc/acpi/actions/Fn-F3.sh contains: #!/bin/sh if [ -f /var/tmp/acpi-lightoff ]; then /usr/sbin/radeontool light on /bin/rm /var/tmp/acpi-lightoff else /usr/sbin/radeontool light off /bin/touch /var/tmp/acpi-lightoff fi When invoked by keypress, I get the following audit messages, and no action is taken (light stays on, no file touched). Should I be doing something different or is there something in selinux-policy-targeted that needs to be fixed? TIA. type=AVC msg=audit(1126826853.791:2631316): avc: denied { search } for pid=4112 comm="Fn-F3.sh" name="tmp" dev=dm-0 ino=906756 scontext=root:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir type=SYSCALL msg=audit(1126826853.791:2631316): arch=40000003 syscall=195 success=no exit=-13 a0=88fcda0 a1=bfffb488 a2=960ff4 a3=88fce30 items=1 pid=4112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="Fn-F3.sh" exe="/bin/bash" type=CWD msg=audit(1126826853.791:2631316): cwd="/" type=PATH msg=audit(1126826853.791:2631316): item=0 name="/var/tmp/acpi-lightoff" flags=1 inode=906756 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1126826853.800:2631748): avc: denied { read } for pid=4114 comm="lspci" name="pci.ids" dev=dm-0 ino=809685 scontext=root:system_r:apmd_t tcontext=system_u:object_r:usr_t tclass=file type=SYSCALL msg=audit(1126826853.800:2631748): arch=40000003 syscall=5 success=no exit=-13 a0=8054e5c a1=0 a2=fbad8001 a3=0 items=1 pid=4114 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="lspci" exe="/sbin/lspci" type=CWD msg=audit(1126826853.800:2631748): cwd="/" type=PATH msg=audit(1126826853.800:2631748): item=0 name="/usr/share/hwdata/pci.ids" flags=101 inode=809685 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1126826853.804:2631869): avc: denied { search } for pid=4115 comm="touch" name="tmp" dev=dm-0 ino=906756 scontext=root:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir type=SYSCALL msg=audit(1126826853.804:2631869): arch=40000003 syscall=5 success=no exit=-13 a0=bfefbf71 a1=8941 a2=1b6 a3=8941 items=1 pid=4115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe="/bin/touch" type=CWD msg=audit(1126826853.804:2631869): cwd="/" type=PATH msg=audit(1126826853.804:2631869): item=0 name="/var/tmp/acpi-lightoff" flags=310 inode=906756 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1126826853.804:2631870): avc: denied { search } for pid=4115 comm="touch" name="tmp" dev=dm-0 ino=906756 scontext=root:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir type=SYSCALL msg=audit(1126826853.804:2631870): arch=40000003 syscall=30 success=no exit=-13 a0=bfefbf71 a1=0 a2=804f8bc a3=bfefbf71 items=1 pid=4115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe="/bin/touch" type=CWD msg=audit(1126826853.804:2631870): cwd="/" type=PATH msg=audit(1126826853.804:2631870): item=0 name="/var/tmp/acpi-lightoff" flags=1 inode=906756 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 -- Matthew Saltzman Clemson University Math Sciences mjs AT clemson DOT edu http://www.math.clemson.edu/~mjs

3 6

Problems creating a user
by Armando Aznar 26 Sep '05

26 Sep '05

Hello, i want to do various security tests with selinux. I have enabled the targeted policy, so all the users run with the user "user_u" (then all the users have all the permissions in SELinux). How could i create a user who run with the user "system_u" so this user dont have all the permissions? Thanxx in advance

4 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux September 2005