List of operations
by Göran Uddeborg
Maybe this is a FAQ, but I haven't found it answered in any of the
FAQs I've looked through:
Is there some kind of documentation list over the available classes
and operations (permissions)?
Other concepts, like types and roles are defined in the policy, with
some luck together with a comment. In some cases there are even
manual pages, like httpd_selinux.
But the list of available classes and operations must be defined by
the kernel module if I understand things correctly. I could extract a
list from the flask/access_vectors file. But I would have liked
something with a sentence or so of explanation. Some names may be
self-explanatory, but many are not obvious. I'm imagining some kind
of list like the appendices of the O'Reilly book, but updated for the
current version. Does such a list exist somewhere? Or is it just in
my imagination? :-)
16 years, 11 months
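As an added example, not code from the post or from the SELinux project: a small parser for the layout of flask/access_vectors (`common` blocks, `class` blocks, and `inherits`), which is the list the post considers extracting. The excerpt is constructed and far shorter than the real file.

```python
import re

# Constructed excerpt in the layout of the kernel's flask/access_vectors file
# ("common NAME { perms }" and "class NAME [inherits COMMON] { perms }").
SAMPLE_ACCESS_VECTORS = """
# permissions shared by every file-like class
common file
{
    ioctl
    read
    write
    getattr
    relabelfrom
    relabelto
}
class dir
inherits file
{
    add_name
    remove_name
    search
    mounton
}
class process
{
    fork
    transition
}
"""


def parse_access_vectors(text):
    """Return {class_name: [permission, ...]} with inherited common permissions expanded."""
    commons, classes = {}, {}
    # Strip comments, then tokenize on whitespace so brace placement does not matter.
    tokens = re.sub(r'#.*', '', text).replace('{', ' { ').replace('}', ' } ').split()
    i = 0
    while i < len(tokens):
        kind, name = tokens[i], tokens[i + 1]
        i += 2
        base = []
        if tokens[i:i + 1] == ['inherits']:
            base, i = list(commons[tokens[i + 1]]), i + 2
        perms = []
        if tokens[i:i + 1] == ['{']:
            end = tokens.index('}', i)
            perms, i = tokens[i + 1:end], end + 1
        (commons if kind == 'common' else classes)[name] = base + perms
    return classes
```

The result maps each class to its full permission list, so the `tclass` and permission named in an AVC message can be checked against it.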
Re: Apache/PHP module boot restriction?
by Stephen Smalley
On Wed, 2006-02-22 at 16:41 -0800, Andrew JH Ring wrote:
> I've recently set up a Fedora Core 4 web server running Apache 2.2.0
> with PHP 5.1.2. I've managed to get Apache loading the module, after
> setting libphp5.so to shlib_t, however Apache seems to still be unable
> to access the module during boot. I'm getting a Cannot load libphp5
> cannot restore segment prot after reloc. Is this a known problem, and
> if so, how is it fixed?
cc'd fedora-selinux-list as well above, since you mentioned you were
using FC4.
This usually indicates a text relocation, which is undesirable if it can
be avoided. The stock FC4 php doesn't appear to have any text
relocations in its libphp (readelf -d libphp5.so.1 | grep TEXTREL).
Possibly it has a patch to avoid the problem.
Ideally, it would be best if you could similarly patch or fix the build
for PHP 5.1.2. If you truly need to allow it, then you can label
the .so file with the texrel_shlib_t type (since you are using FC4, I
used the old type name).
Some discussion of the SELinux memory protection tests can be found in:
http://people.redhat.com/drepper/selinux-mem.html
--
Stephen Smalley
National Security Agency
17 years, 3 months
SELinux Module Packaging in FC5
by Paul Howarth
Is there any documentation anywhere on including SELinux Policy Modules
in packages (e.g. for Extras) in FC5? For instance, is there a directory
where modules can be dropped into so that they get picked up
automatically? Where should they live?
Consider an example. I have an LDAP-backed addressbook frontend written
in PHP that runs on apache. So I install the files in /var/www/someplace
in my package and I need to provide an SELinux module that:
* Includes the appropriate file contexts for the application's cache
directory, which needs to be writable by httpd
* Gives httpd permission to contact LDAP servers over the network (i.e.
ports 389 and 636)
Is it possible to turn on the httpd_builtin_scripting boolean from a
module (the app is written in PHP and needs this)? Is it even sensible
to try to do this, or should there just be a README.SELinux telling people they
need to do this themselves?
Should the module be loaded in a %post script?
Some guidelines would no doubt be appreciated by many people.
Paul.
17 years, 3 months
Re: fc5: several troubles at my first attempt
by Ron Yorston
Stephen Smalley wrote:
>On Wed, 2006-03-15 at 19:08 +0200, Maxim Britov wrote:
>> I have installed current fc5 by http about week or two ago. It updated from rawhide.
>> It currently installed on hda2 and it ran from qemu.
>>
>> I see many avc denied messages in dmesg (repeated 210 times with different pids):
>> audit(1142439027.188:2): avc: denied { search } for pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>> hda2 here is /
>
>Hmmm.../var should be labeled with system_u:object_r:var_t, not file_t.
>Need to relabel?
I'm seeing these too. My /var is on a separate partition. Could this be
the cause of the problem?
Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
Mar 31 20:04:18 random kernel: EXT3 FS on hde3, internal journal
Mar 31 20:04:18 random kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Mar 31 20:04:18 random kernel: kjournald starting. Commit interval 5 seconds
Mar 31 20:04:18 random kernel: EXT3 FS on hde8, internal journal
Mar 31 20:04:18 random kernel: EXT3-fs: mounted filesystem with ordered data mode.
Mar 31 20:04:18 random kernel: SELinux: initialized (dev hde8, type ext3), uses xattr
# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/hde3 972564 353452 568912 39% /
/dev/hde8 972532 290180 632152 32% /var
# ls -Zd /var
drwxr-xr-x root root system_u:object_r:var_t /var
# ls -id /var
2 /var
Ron
17 years, 5 months
Empty trash in Gnome
by Dawid Gajownik
Hi!
My friend noticed that with SELinux in enforcing mode ~/.Trash is full
of the files but he cannot remove them -- clicking on trash icon placed
on the desktop shows empty directory.
I reproduced this bug on my machine (FC5,
selinux-policy-targeted-2.2.25-2.fc5, Gnome 2.14) and found this avc
message:
Mar 30 19:19:47 X kernel: audit(1143739187.507:65): avc: denied {
getattr } for pid=1810 comm="hald" name="/" dev=hda6 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Using audit2allow I created kosz.pp module and this resolved the problem
(you need to reboot or restart haldaemon service). Here's the content of
te file:
[root@X ~]# cat kosz.te
module kosz 1.0;
require {
role object_r;
role system_r;
class dir getattr;
type hald_t;
type home_root_t;
};
allow hald_t home_root_t:dir getattr;
[root@X ~]#
Maybe default policy should be fixed?
Thanks,
Dawid
--
^_*
17 years, 6 months
FC5 LDAP issues
by Jason L Tibbitts III
I've noticed that the behavior of my FC5 system differs dramatically
depending on whether nscd is running. User info is stored in LDAP,
and if nscd is running then applications talk to it. But if it's not
running then the applications (or libc, at least) talk to the network
themselves. This gets denied by selinux and things break. Most
notably, the system won't even boot, because dbus just hangs forever
spewing AVC messages to the console.
So I wonder if the intention is to make nscd mandatory, or if failures
due to a lack of nscd are considered problematic. I have nothing
against nscd, but I don't generally turn it on until after the system
boots and has time to pull down configuration information so that
encrypted ldap works. Obviously I'll be reworking my installation
scripts to work around this.
- J<
17 years, 6 months
AVC Decision Tree.
by Daniel J Walsh
http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions#preview
Trying to build an analysis tool to be able to translate avc messages
into possible boolean/file_context solutions.
The idea is that we can look at the AVC messages that are generated and
figure out what the servers were trying to do. Then we can give some
advice to the administrator on the corrective measures. So what we are
looking for are expected code paths where there is a file context or
boolean available.
Additional suggestions are welcome.
Dan
17 years, 6 months
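As an added example, not from the post or the wiki page it links: a parser that pulls the fields out of AVC records like the ones quoted on this page and attaches a first hint in the spirit of the decision tree described above. The three sample lines are the denials quoted elsewhere on this page; the hints are this example's own heuristics, not the wiki's.

```python
import re

# Sample records, taken from the denials quoted in the posts on this page.
SAMPLE_AVCS = [
    'audit(1142439027.188:2): avc: denied { search } for pid=349 comm="pam_console_app" '
    'name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:file_t:s0 tclass=dir',
    'audit(1143570731.388:11): avc: denied { mounton } for pid=1703 comm="mount" name="music0" '
    'dev=md1 ino=131232 scontext=system_u:system_r:mount_t:s0 '
    'tcontext=root:object_r:httpd_sys_content_t:s0 tclass=dir',
    'type=AVC msg=audit(1143571740.714:59): avc: denied { relabelto } for pid=3036 '
    'comm="chcon" name="music0" dev=md1 ino=131232 '
    'scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 '
    'tcontext=system_u:system_r:mount_t:s0 tclass=dir',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
                    r'\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # Split each context into user:role:type; the MLS range (s0-s0:c0.c255) is dropped.
    for ctx in ('scontext', 'tcontext'):
        user, role, typ = rec.get(ctx, '::').split(':')[:3]
        rec[ctx[0] + 'user'], rec[ctx[0] + 'role'], rec[ctx[0] + 'type'] = user, role, typ
    return rec


def suggest(rec):
    """First remediation hint for a denial (heuristics assumed for this example)."""
    if rec['ttype'] == 'file_t':
        return 'target is unlabeled (file_t): the filesystem needs relabeling'
    if rec['trole'] == 'system_r' and rec['tclass'] in ('dir', 'file'):
        return 'target %s has a process role/type; files take object_r and a file type' % rec['tcontext']
    if {'relabelto', 'relabelfrom'} & set(rec['perms']):
        return 'relabel blocked: choose a file type that %s may relabel to' % rec['stype']
    return 'check file contexts and booleans for %s on %s:%s' % (rec['stype'], rec['ttype'], rec['tclass'])


def triage(lines):
    """Parse a batch of log lines and pair each denial with its hint."""
    return [(r['comm'], r['perms'], suggest(r)) for r in map(parse_avc, lines) if r]
```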
SELinux denying chcon -- OUCH!
by Ian Pilcher
A little background -- I have my music collection stored on 5 reiserfs
filesystems, on top of five separate software RAID devices (md4-md8). I
use httpd to make them available on my *home* network (and if the RIAA
has a problem with that they can kiss my lily-white...sorry). I
generally mount them as /var/www/html/music/music{0,1,2,3,4}.
Today I rebooted my system (Fedora Core 5, fully updated) and got some
bizarre warnings about being unable to mount a block device read-only.
Sure enough...
audit(1143570731.388:11): avc: denied { mounton } for pid=1703
comm="mount" name="music0" dev=md1 ino=131232
scontext=system_u:system_r:mount_t:s0
tcontext=root:object_r:httpd_sys_content_t:s0 tclass=dir
Hmm, looks like a special context is now needed for mount points. I can
see why that might be a good idea, so...
chcon system_u:system_r:mount_t /var/www/html/music/*
chcon: failed to change context of /var/www/html/music/music0 to
system_u:system_r:mount_t: Permission denied
type=AVC msg=audit(1143571740.714:59): avc: denied { relabelto } for
pid=3036 comm="chcon" name="music0" dev=md1 ino=131232
scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255
tcontext=system_u:system_r:mount_t:s0 tclass=dir
This is either a learning opportunity for me, or a serious problem. I
can't wait to find out which.
Thanks!
--
========================================================================
Ian Pilcher i.pilcher(a)comcast.net
========================================================================
17 years, 6 months
Targeted strategy guidance needed
by Gary Kopp
Would someone on this list be able to take a moment to give me a sanity
check and tell me if I'm on the right track? I'm configuring a RHEL4 server
to be an Internet-facing web/mail server. It will run httpd, postfix, and
courier-imap. Most application logic (including any requirement for SQL
access) will live on other servers that I'm not concerned about in the
context of SELinux, but this web server will probably have to run one PHP
application (Blog:CMS). I desire this web server to be as secure as
possible.
I have not yet mastered the intricacies of SELinux (but I'm working on
that), and I thought that by using Red Hat's targeted SELinux policy I'd
have a head start. I also thought this would leverage my investment in the
Red Hat Enterprise Linux support contract, being able to turn to Red Hat
support for help. I have since found out that my support agreement (SLA)
does not cover any SELinux issues arising from a modified targeted policy.
And right out of the chute I see that I can't live with the targeted policy
as delivered, and need to tweak it. For example, this server uses syslog-ng,
and the targeted policy is already complaining. Red Hat's SELinux Guide
offers instructions on how to add rules to local.te to get around minor
issues like this, and I'm willing to do that, but then I'll have no support
from Red Hat directly. I also anticipate that my httpd config may require
some policy tweaks (e.g., I'm thinking of putting Apache logs in a
non-standard location).
Next, the delivered targeted policy doesn't constrain postfix (it seems to
reference postfix, but then aliases it to unconfined). Again, the Guide
suggests I could write new policy specifically for something like postfix,
in essence extending the targeted policy. Interestingly, I see that the
gentoo project has a whole bunch of SELinux policies available, including
one for postfix. A side question I have is: does it make sense to adapt/use
the policies available in the gentoo project to extend the targeted policy
for new processes, or is that a bad idea?
I'm assuming that the RHEL targeted policy and the FC policy, the subject of
this mailing list, are one and the same, and therefore I'm not out of line
coming to this list. Am I correct? As a RHEL user rather than a FC user
can I still use this list as a resource?
OK, here's my fundamental question: Given what I'm trying to achieve, is my
proper approach to start tweaking and extending the delivered targeted
policy? Is that commonly done, or should I be looking at some other strategy
to meet my needs?
I'll be grateful for any advice anyone would like to offer. TIA
--Gary Kopp
17 years, 6 months