No type=PATH record in FC6 audit?
by Yuichi Nakamura
Hi,
I am playing with FC6-test3.
I installed audit,
and found that type=PATH record does not appear in audit.log,
when access is denied by SELinux.
Will type=PATH record disappear in FC6?
Yuichi Nakamura
SELinux Symposium CFP extended
by Joshua Brindle
We have extended the SELinux Symposium call for papers to Next Monday,
October 16, 2006. At that time all papers must be submitted to be
considered.
Thank you and we look forward to seeing your submissions.
Joshua Brindle
/media/\.hal-.*
by Tom London
Get this after today's policy update:
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same
specifications for /media/\.hal-.*.
--
Tom London
AVCs from today's update...
by Tom London
Running rawhide, targeted/enforcing.
pirut update (selected 'update' from tray icon) of today's packages
produced the following AVCs:
type=AVC msg=audit(1160241847.264:23): avc: denied { use } for
pid=3510 comm="groupadd" name="[12624]" dev=pipefs ino=12624
scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd
type=AVC msg=audit(1160241847.264:23): avc: denied { use } for
pid=3510 comm="groupadd" name="[12624]" dev=pipefs ino=12624
scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd
type=SYSCALL msg=audit(1160241847.264:23): arch=40000003 syscall=11
success=yes exit=0 a0=9b23160 a1=9b22580 a2=9b232c0 a3=9b22f58 items=0
ppid=3509 pid=3510 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="groupadd" exe="/usr/sbin/groupadd"
subj=system_u:system_r:groupadd_t:s0 key=(null)
type=AVC_PATH msg=audit(1160241847.264:23): path="pipe:[12624]"
type=AVC_PATH msg=audit(1160241847.264:23): path="pipe:[12624]"
type=AVC msg=audit(1160241932.886:24): avc: denied { use } for
pid=3563 comm="depmod" name="[12624]" dev=pipefs ino=12624
scontext=system_u:system_r:depmod_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd
type=AVC msg=audit(1160241932.886:24): avc: denied { use } for
pid=3563 comm="depmod" name="[12624]" dev=pipefs ino=12624
scontext=system_u:system_r:depmod_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd
type=SYSCALL msg=audit(1160241932.886:24): arch=40000003 syscall=11
success=yes exit=0 a0=8b94460 a1=8b864d8 a2=8b89d78 a3=8b946c8 items=0
ppid=3550 pid=3563 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="depmod" exe="/sbin/depmod"
subj=system_u:system_r:depmod_t:s0 key=(null)
type=AVC_PATH msg=audit(1160241932.886:24): path="pipe:[12624]"
type=AVC_PATH msg=audit(1160241932.886:24): path="pipe:[12624]"
type=AVC msg=audit(1160241933.218:25): avc: denied { use } for
pid=3564 comm="mkinitrd" name="[12624]" dev=pipefs ino=12624
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd
type=AVC msg=audit(1160241933.218:25): avc: denied { use } for
pid=3564 comm="mkinitrd" name="[12624]" dev=pipefs ino=12624
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd
type=SYSCALL msg=audit(1160241933.218:25): arch=40000003 syscall=11
success=yes exit=0 a0=8b93fb0 a1=8b864d8 a2=8b89d78 a3=8b942f0 items=0
ppid=3550 pid=3564 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="mkinitrd" exe="/bin/bash"
subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160241933.218:25): path="pipe:[12624]"
type=AVC_PATH msg=audit(1160241933.218:25): path="pipe:[12624]"
type=AVC msg=audit(1160241947.891:26): avc: denied { use } for
pid=5039 comm="semodule" name="[12624]" dev=pipefs ino=12624
scontext=system_u:system_r:semanage_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd
type=AVC msg=audit(1160241947.891:26): avc: denied { use } for
pid=5039 comm="semodule" name="[12624]" dev=pipefs ino=12624
scontext=system_u:system_r:semanage_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd
type=SYSCALL msg=audit(1160241947.891:26): arch=40000003 syscall=11
success=yes exit=0 a0=8d527e0 a1=8d54828 a2=8d54768 a3=8d53090 items=0
ppid=5038 pid=5039 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="semodule" exe="/usr/sbin/semodule"
subj=system_u:system_r:semanage_t:s0 key=(null)
type=AVC_PATH msg=audit(1160241947.891:26): path="pipe:[12624]"
type=AVC_PATH msg=audit(1160241947.891:26): path="pipe:[12624]"
type=MAC_POLICY_LOAD msg=audit(1160241953.404:27): policy loaded auid=500
type=SYSCALL msg=audit(1160241953.404:27): arch=40000003 syscall=4
success=yes exit=988177 a0=4 a1=b7ed6000 a2=f1411 a3=bfa84ff8 items=0
ppid=5039 pid=5041 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="load_policy"
exe="/usr/sbin/load_policy" subj=system_u:system_r:load_policy_t:s0
key=(null)
type=AVC msg=audit(1160241954.796:28): avc: denied { write } for
pid=5073 comm="restorecon" name="[12624]" dev=pipefs ino=12624
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1160241954.796:28): avc: denied { write } for
pid=5073 comm="restorecon" name="[12624]" dev=pipefs ino=12624
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160241954.796:28): arch=40000003 syscall=11
success=yes exit=0 a0=8550998 a1=8550c18 a2=8545bd8 a3=85506c0 items=0
ppid=5045 pid=5073 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="restorecon" exe="/sbin/restorecon"
subj=system_u:system_r:restorecon_t:s0 key=(null)
type=AVC_PATH msg=audit(1160241954.796:28): path="pipe:[12624]"
type=AVC_PATH msg=audit(1160241954.796:28): path="pipe:[12624]"
--
Tom London
How do I fix the following denied avc's
by Antonio Olivares
System Fedora Core 6 Test updated as of 10/06/2006
[olivares@localhost ~]$ cat /etc/fedora-release
Fedora Core release 5.92 (FC6 Test3)
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
audit(1160161820.458:4): avc: denied { name_bind } for pid=1994 comm="hpiod" src=2208 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
audit(1160161825.798:5): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1160161825.798:6): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1160161825.798:7): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1160161825.798:8): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1160161825.798:9): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
Thanks,
Antonio
Re: Trouble with module
by Joshua Brindle
On Fri, 2006-10-06 at 21:14 +0200, Pierre JUHEN wrote:
> I cleaned the /etc/selinux/targeted/modules/active/modules directory
>
> Transcript session under root directory
>
> root@pierre ~]# cat /var/log/audit/audit.log | audit2allow -M local
> Generating type enforcment file: local.te
> Compiling policy
> checkmodule -M -m -o local.mod local.te
> semodule_package -o local.pp -m local.mod
>
> ******************** IMPORTANT ***********************
>
> In order to load this newly created policy package into the kernel,
> you are required to execute
>
> semodule -i local.pp
>
>
> [root@pierre ~]# semodule -i local.pp
> semodule: Could not read file 'local.pp':
>
> ls -l local*
> -rw-r--r-- 1 root root 1961 oct 6 21:06 local.mod
> -rw-r--r-- 1 root root 1977 oct 6 21:06 local.pp
> -rw-r--r-- 1 root root 496 oct 6 21:06 local.te
>
> Local.pp is here, but semodule can not read it.
>
>
> What should I try now?
You are probably getting a denial for semanage_t to read user_home_t.
Try copying local.pp to /usr/share/selinux/targeted and then running
semodule -i /usr/share/selinux/targeted/local.pp
Re: Trouble with module
by Pierre JUHEN
No, I didn't skip the middle step.
I have been going around in circles on this problem for days and googled a lot,
but I didn't find a clue.
Why is semodule looking in a nonexistent directory?
I suspect a configuration problem, but where?
> Message du 06/10/06 04:28
> De : "Joshua Brindle" <method(a)gentoo.org>
> A : "Pierre JUHEN" <pierre.juhen(a)wanadoo.fr>
> Copie à : fedora-selinux-list(a)redhat.com
> Objet : Re: Trouble with module
>
> Pierre JUHEN wrote:
> > To correct error messages appearing in the audit.log, I ran the
> > procedure described in the audit2allow manual page.
> >
> > Here is the .te file :
> >
> > module local 1.0;
> >
> > require {
> > class dir search;
> > class fd use;
> > class fifo_file write;
> > class file { read write };
> > class netlink_route_socket create;
> > class unix_stream_socket { read write };
> > type apmd_log_t;
> > type cupsd_config_t;
> > type cupsd_t;
> > type dovecot_auth_t;
> > type dovecot_t;
> > type etc_mail_t;
> > type etc_runtime_t;
> > type hald_t;
> > type home_root_t;
> > type hostname_t;
> > type restorecon_t;
> > type semanage_t;
> > type unconfined_t;
> > type user_home_dir_t;
> > type usr_t;
> > type xdm_t;
> > role system_r;
> > };
> >
> > allow cupsd_config_t apmd_log_t:file { read write };
> > allow cupsd_t apmd_log_t:file { read write };
> > allow dovecot_auth_t self:netlink_route_socket create;
> > allow dovecot_t etc_runtime_t:file read;
> > allow dovecot_t unconfined_t:fifo_file write;
> > allow dovecot_t xdm_t:fd use;
> > allow hald_t home_root_t:dir search;
> > allow hostname_t etc_mail_t:file read;
> > allow hostname_t unconfined_t:fifo_file write;
> > allow hostname_t usr_t:file read;
> > allow hostname_t xdm_t:fd use;
> > allow restorecon_t xdm_t:fd use;
> > allow semanage_t unconfined_t:unix_stream_socket { read write };
> > allow semanage_t user_home_dir_t:dir search;
> >
> > When I try to load the module using "semodule -i local.pp"
> >
> > Iget :
> >
> > libsepol.module_package_read_offsets: wrong magic number for module
> > package: expected 4185718671, got 4185718669
> > libsemanage.semanage_load_module: Error while reading from module
> > file /etc/selinux/targeted/modules/tmp/modules/toto.mod.
> >
> did you build a policy package correctly using the following commands:
>
> checkmodule -M -m local.te -o local.mod
> semodule_package -m local.mod -o local.pp
> semodule -i local.pp
>
>
> it looks like you probably skipped the middle step..
>
>
Trouble with module
by Pierre JUHEN
To correct error messages appearing in the audit.log, I ran the
procedure described in the audit2allow manual page.
Here is the .te file :
# Policy module produced by running audit2allow over audit.log, as described
# earlier in this message; each allow rule below corresponds to one denial.
module local 1.0;
# Classes, types and the role referenced by the rules are declared elsewhere
# (base policy / other modules); this block only imports them.
require {
class dir search;
class fd use;
class fifo_file write;
class file { read write };
class netlink_route_socket create;
class unix_stream_socket { read write };
type apmd_log_t;
type cupsd_config_t;
type cupsd_t;
type dovecot_auth_t;
type dovecot_t;
type etc_mail_t;
type etc_runtime_t;
type hald_t;
type home_root_t;
type hostname_t;
type restorecon_t;
type semanage_t;
type unconfined_t;
type user_home_dir_t;
type usr_t;
type xdm_t;
role system_r;
};
# NOTE(review): audit2allow turns every logged denial into a permanent allow.
# The rules granting `xdm_t:fd use` and `unconfined_t:fifo_file write` look
# like descriptors inherited from the desktop session (compare the pipefs fd
# denials in the "AVCs from today's update" thread on this page) rather than
# accesses the daemons need -- confirm each rule is intended before loading.
allow cupsd_config_t apmd_log_t:file { read write };
allow cupsd_t apmd_log_t:file { read write };
allow dovecot_auth_t self:netlink_route_socket create;
allow dovecot_t etc_runtime_t:file read;
allow dovecot_t unconfined_t:fifo_file write;
allow dovecot_t xdm_t:fd use;
allow hald_t home_root_t:dir search;
allow hostname_t etc_mail_t:file read;
allow hostname_t unconfined_t:fifo_file write;
allow hostname_t usr_t:file read;
allow hostname_t xdm_t:fd use;
allow restorecon_t xdm_t:fd use;
# The semanage_t rules match the "Could not read file 'local.pp'" symptom in
# the follow-up: loading a package from a home directory needs these, and the
# reply suggests copying the .pp under /usr/share/selinux/targeted instead.
allow semanage_t unconfined_t:unix_stream_socket { read write };
allow semanage_t user_home_dir_t:dir search;
When I try to load the module using "semodule -i local.pp"
I get:
libsepol.module_package_read_offsets: wrong magic number for module
package: expected 4185718671, got 4185718669
libsemanage.semanage_load_module: Error while reading from module
file /etc/selinux/targeted/modules/tmp/modules/toto.mod.
"/etc/selinux/targeted/modules/tmp" does not exist.
Module local is in "/etc/selinux/targeted/modules/active/modules".
I run a Fedora Core 5 x86_64, strictly up to date (policy: targeted)
(kernel-2.6.17-1.2187_FC5).
policycoreutils-1.30.10-2.fc5
Thanks for the hints.
Problem with upgrading a file sensitivity level with mls policy
by Suchoski, Andrew
Hello,
I've been trying to get a simple piece of code to work to upgrade a
file's sensitivity level. I wrote a simple policy to have the process
run in a new domain and assigned mlsfileupgrade to the domain. I thought
I did everything needed to make it work but apparently not. The program
does work in permissive mode so this isn't a DAC problem. (The target
file is owned by andy, modebits 644 and the process runs as EUID=andy.)
The kernel is 2.6.17.2178_FC5 and I'm using the
selinux-policy-mls-2.3.7-2.fc5 policy.
Thanks.
Following is the AVC, code, policy, and example output.
------------------------------------------------------------------------------------------------------
type=AVC msg=audit(1160002208.475:477): avc: denied { relabelfrom }
for pid=5282 comm="setfsc1" name="foobar" dev=hda3 ino=817610
scontext=andy_u:user_r:andy_t:s0-s15:c0.c255
tcontext=user_u:object_r:user_t:s0 tclass=file
-----------------------------------------------------------------------------------------------------------------------
#include <stdio.h>
#include <selinux/selinux.h>
#include <selinux/context.h>
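/*
 * Read the label of /app/foobar, replace its MLS range with "s0:c5" and
 * write the label back, printing the context before and after each step.
 *
 * Every libselinux call is checked: a failed getfilecon() or context_new()
 * is fatal (exit status 1) so no later step prints or parses an undefined
 * pointer, while a failed setfilecon() is only reported so the read-back
 * still shows the label the file actually ended up with.  Allocations
 * returned by getfilecon() and context_new() are released before returning.
 * Returns 0 on success.
 */
int main(void)
{
	int retval;
	security_context_t secconstr;   /* original label; owned here, freed with freecon() */
	security_context_t con;         /* label read back after the relabel attempt */
	context_t seconstrct;           /* parsed copy of secconstr, freed with context_free() */
	const char *newlabel;           /* string owned by seconstrct; never freed directly */

	/* Get file context -- bail out before printing an uninitialised pointer */
	retval = getfilecon("/app/foobar", &secconstr);
	if (retval < 0) {
		perror("getfilecon");
		return 1;
	}
	/* Print the context */
	printf("Security context is %s\n", secconstr);

	/* Convert the security_context_t to a context_t */
	seconstrct = context_new(secconstr);
	if (seconstrct == NULL) {
		perror("context_new");
		freecon(secconstr);
		return 1;
	}

	/* Assign new Sensitivity label.  The result is kept in newlabel rather
	 * than overwriting secconstr, so the original buffer can still be freed. */
	retval = context_range_set(seconstrct, "s0:c5");
	if (retval < 0)
		perror("context_range_set");
	newlabel = context_str(seconstrct);
	printf("NEW Security context is %s\n", newlabel);

	/* A denial here surfaces as "Permission denied"; report it but continue
	 * so the read-back below shows whether the label actually changed. */
	retval = setfilecon("/app/foobar", newlabel);
	if (retval < 0)
		perror("setfilecon");

	retval = getfilecon("/app/foobar", &con);
	if (retval < 0) {
		perror("getfilecon");
	} else {
		printf("Read NEW security context %s\n", con);
		freecon(con);
	}

	context_free(seconstrct);
	freecon(secconstr);
	return 0;
}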
-------------------------------------------------------------------------------------------------------------------------
The policy:
# Local policy for the setfsc1 test program: it runs in its own domain
# (andy_t) so the MLS file-upgrade permission is granted to that domain only,
# not to user_t as a whole.
policy_module(localmisc, 0.1.12)
# Types declared elsewhere that the rules below refer to.
require {
type user_t;
type user_tty_device_t;
};
# Domain for the program and the type of its executable.
type andy_t;
type andy_exec_t;
domain_type(andy_t)
# Per the message, this is what assigns mlsfileupgrade to the domain.
# NOTE(review): the AVC quoted above still reports relabelfrom denied for
# andy_t on a user_t file even though the TE rule at the bottom grants it,
# so presumably an MLS constraint, not a missing allow, is what blocks the
# relabel -- confirm before adding further allow rules.
mls_file_upgrade(andy_t)
domain_entry_file(andy_t, andy_exec_t)
domain_use_interactive_fds(andy_t)
allow andy_t user_tty_device_t:chr_file { read write };
# Intended transition: user_t executing andy_exec_t ends up in andy_t
# (the AVC's scontext shows andy_t, so the transition itself happens).
domain_auto_trans(user_t, andy_exec_t, andy_t)
libs_use_ld_so(andy_t)
libs_use_shared_libs(andy_t)
role user_r types andy_t;
# TE side of the relabel; this exactly matches the denied access in the AVC
# (scontext andy_t, tcontext user_t, tclass file, relabelfrom).
allow andy_t user_t: file { read getattr relabelfrom relabelto };
allow andy_t user_t:process sigchld;
---------------------------------------------------------------------------------------------------------------------
Output of the program:
[andy@localhost examples]$ ./setfsc1
Security context is user_u:object_r:user_t:s0
NEW Security context is user_u:object_r:user_t:s0:c5
setfilecon: Permission denied
Read NEW security context user_u:object_r:user_t:s0
[andy@localhost examples]$
----------------------------------------------------------------------------------------------------------------------