List of operations
by Göran Uddeborg
Maybe this is a FAQ, but I haven't found it answered in any of the
FAQs I've looked through:
Is there some kind of documentation list over the available classes
and operations (permissions)?
Other concepts, like types and roles are defined in the policy, with
some luck together with a comment. In some cases there are even
manual pages, like httpd_selinux.
But the list of available classes and operations must be defined by
the kernel module if I understand things correctly. I could extract a
list from the flask/access_vectors file. But I would have liked
something with a sentence or so of explanation. Some names may be
self-explanatory, but many are not obvious. I'm imagining some kind
of list like the appendices of the O'Reilly book, but updated for the
current version. Does such a list exist somewhere? Or is it just in
my imagination? :-)
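Göran mentions extracting the list from flask/access_vectors. As an added example (not code from the post), here is a small parser for that file's syntax (`common` blocks, `class` blocks, and `inherits`), so the classes and their full permission sets can be listed in one go; `parse_access_vectors` is a name chosen here and `SAMPLE` is a constructed, abbreviated excerpt in that syntax, not the real file.

```python
"""Extract object classes and their permissions from text in the
flask/access_vectors syntax: `common NAME { perms }`, `class NAME [inherits
COMMON] [{ perms }]`, with `#` comments. Added example, not from the thread;
SAMPLE is a constructed, abbreviated excerpt, not the real file."""
import re

SAMPLE = """
# constructed, abbreviated excerpt in access_vectors syntax
common file { ioctl read write getattr setattr }
common socket { create bind connect }
class file inherits file { execute_no_trans entrypoint }
class lnk_file inherits file
class netlink_route_socket inherits socket { nlmsg_read nlmsg_write }
"""


def parse_access_vectors(text):
    """Return {class_name: [permissions]}, inherited common perms first."""
    tokens = re.sub(r"#.*", "", text).split()  # strip comments, split on whitespace
    commons, classes = {}, {}
    i = 0

    def read_body():
        """Consume an optional `{ perm ... }` block at the cursor."""
        nonlocal i
        perms = []
        if i < len(tokens) and tokens[i] == "{":
            i += 1
            while tokens[i] != "}":
                perms.append(tokens[i])
                i += 1
            i += 1  # skip the closing brace
        return perms

    while i < len(tokens):
        kw, name = tokens[i], tokens[i + 1]
        i += 2
        if kw == "common":
            commons[name] = read_body()
        elif kw == "class":
            perms = []
            if i < len(tokens) and tokens[i] == "inherits":
                perms += commons[tokens[i + 1]]  # copy the common block's perms
                i += 2
            classes[name] = perms + read_body()
        else:
            raise ValueError("unexpected token %r" % kw)
    return classes


if __name__ == "__main__":
    for cls, perms in sorted(parse_access_vectors(SAMPLE).items()):
        print("%s: %s" % (cls, " ".join(perms)))
```

Run it against the real flask/access_vectors file by reading that file into `parse_access_vectors` instead of `SAMPLE`; the output is the class/permission list without explanations, which is what the post says is missing.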
Re: Apache/PHP module boot restriction?
by Stephen Smalley
On Wed, 2006-02-22 at 16:41 -0800, Andrew JH Ring wrote:
> I've recently set up a Fedora Core 4 web server running Apache 2.2.0
> with PHP 5.1.2. I've managed to get Apache loading the module, after
> setting libphp5.so to shlib_t, however Apache seems to still be unable
> to access the module during boot. I'm getting a Cannot load libphp5
> cannot restore segment prot after reloc. Is this a known problem, and
> if so, how is it fixed?
cc'd fedora-selinux-list as well above, since you mentioned you were
using FC4.
This usually indicates a text relocation, which is undesirable if it can
be avoided. The stock FC4 php doesn't appear to have any text
relocations in its libphp (readelf -d libphp5.so.1 | grep TEXTREL).
Possibly it has a patch to avoid the problem.
Ideally, it would be best if you could similarly patch or fix the build
for PHP 5.1.2. If you truly need to allow it, then you can label
the .so file with the texrel_shlib_t type (since you are using FC4, I
used the old type name).
Some discussion of the SELinux memory protection tests can be found in:
http://people.redhat.com/drepper/selinux-mem.html
--
Stephen Smalley
National Security Agency
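Stephen's `readelf -d ... | grep TEXTREL` check, written as a standalone checker so the decision to relabel as texrel_shlib_t can be made from the object itself: added example, not code from the thread. `has_textrel` reads DT_TEXTREL / DT_FLAGS+DF_TEXTREL from the PT_DYNAMIC segment of a little-endian ELF32 or ELF64 file; `make_test_elf` builds a constructed ELF64 image purely so the check can be exercised offline.

```python
"""Check a shared object for text relocations, the condition behind
"cannot restore segment prot after reloc", by reading DT_TEXTREL / DF_TEXTREL
from its PT_DYNAMIC segment (what `readelf -d libphp5.so | grep TEXTREL` shows).
Added example, not from the thread; the ELF image built by make_test_elf()
is constructed here so the check can be exercised offline."""
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4

def has_textrel(data: bytes) -> bool:
    """True if a little-endian ELF32/ELF64 image declares text relocations."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF image")
    if data[4] == 2:  # ELFCLASS64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        phoff, = struct.unpack_from("<Q", data, 0x20)
        phentsize, phnum = struct.unpack_from("<HH", data, 0x36)
        phdr_fmt, (i_type, i_off, i_sz), dyn_fmt = "<IIQQQQ", (0, 2, 5), "<qQ"
    else:  # ELFCLASS32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        phoff, = struct.unpack_from("<I", data, 0x1C)
        phentsize, phnum = struct.unpack_from("<HH", data, 0x2A)
        phdr_fmt, (i_type, i_off, i_sz), dyn_fmt = "<IIIII", (0, 1, 4), "<iI"
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        if ph[i_type] != PT_DYNAMIC:
            continue
        step = struct.calcsize(dyn_fmt)  # 16 bytes per Elf64_Dyn, 8 per Elf32_Dyn
        for pos in range(ph[i_off], ph[i_off] + ph[i_sz], step):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

def make_test_elf(textrel: bool) -> bytes:
    """Constructed minimal ELF64: header, one PT_DYNAMIC phdr, dynamic entries."""
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_TEXTREL if textrel else 0, DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LE, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH",
                              3, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)
    return hdr + phdr + dyn  # dynamic entries start at offset 64 + 56 = 120

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print("TEXTREL" if has_textrel(f.read()) else "no text relocations")
```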
SELinux Module Packaging in FC5
by Paul Howarth
Is there any documentation anywhere on including SELinux Policy Modules
in packages (e.g. for Extras) in FC5? For instance, is there a directory
where modules can be dropped into so that they get picked up
automatically? Where should they live?
Consider an example. I have an LDAP-backed addressbook frontend written
in PHP that runs on apache. So I install the files in /var/www/someplace
in my package and I need to provide an SELinux module that:
* Includes the appropriate file contexts for the application's cache
directory, which needs to be writable by httpd
* Gives httpd permission to contact LDAP servers over the network (i.e.
ports 389 and 636)
Is it possible to turn on the httpd_builtin_scripting boolean from a
module (the app is written in PHP and needs this)? Is it even sensible
to try to do this, or should there just be a README.SELinux telling people they
need to do this themselves?
Should the module be loaded in a %post script?
Some guidelines would no doubt be appreciated by many people.
Paul.
Re: CGI Script permissions
by Jochen Wiedmann
Paul Howarth wrote:
> The simplest fix might be to change the file context of this particular
> CGI script to httpd_unconfined_script_exec_t instead of
> httpd_sys_script_t. That would effectively turn off SELinux protection
> for that particular script.
> The alternative approach of using audit2allow to create a local policy
> to allow these capabilities would turn on these capabilities for *all*
> of your CGI scripts, which IMHO would be worse than turning off
> protection for just that one script (particularly if that script was
> well-audited for security issues).
> Ideally it would be easy to create a subclass of CGI scripts and assign
> special capabilities to those (I have a similar issue with FastCGI
> scripts that need slightly more capabilities than regular CGI scripts),
> but that's beyond me at this moment.
As the script in question can indeed be called well-audited (basically, it
just allows triggering a certain action by calling another script with
fixed attributes), I have decided to go with httpd_unconfined_script_exec_t.
That did the trick neatly.
Thanks very much,
Jochen
setsebool generates error message....
by Tom London
Running today's rawhide, targeted/enforcing:
[root@localhost files]# setsebool allow_execmem=1
libsemanage.semanage_install_active: setfiles returned error code 1.
libsemanage.semanage_install_active: setfiles returned error code 1.
Could not change policy booleans
[root@localhost files]#
Appears that boolean has changed:
[root@localhost files]# getsebool -a | grep exec
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> on
allow_java_execstack --> on
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
[root@localhost files]#
tom
--
Tom London
FC5/SELinux: Possibility to enforce a "second set of eyes" method for admins?
by Michael Decker
Hi!
I wonder if I can set up this kind of scenario:
An admin has to change e.g. some SELinux policies. But if an admin can
change all SELinux policies, he could change his own or others in a way,
so he can do anything. So a second admin/user has to allow that action.
Is there a way to setup that?
Thanks...
--
Michael Decker Michael.Decker(a)tesis.de
TESIS SYSware GmbH http://www.tesis.de
Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0
postgresql AVC errors
by Ben
I get this a LOT on my fedora postgres server:
kernel: audit(1148742297.318:91630): avc: denied { create } for
pid=29176 comm="postmaster"
scontext=system_u:system_r:postgresql_t:s0
tcontext=system_u:system_r:postgresql_t:s0 tclass=netlink_route_socket
It doesn't seem to harm anything, but it hardly seems like it
should be there, either. Ideas?
Another mount issue
by Paul Howarth
On my file/web/samba/nfs server I have a software archive, which I serve
out using both samba and httpd. So the whole thing is labelled
public_content_rw_t, and the appropriate boolean set so that samba can
write to it.
On the software archive I have DVD ISO images of FC4 and FC5. I have
fstab entries for these to loopback mount them as follows:
/srv/softlib/fedora/stentz/FC4-i386-DVD.iso /srv/softlib/fedora/stentz/dvd iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0
/srv/softlib/fedora/bordeaux/FC-5-i386-DVD.iso /srv/softlib/fedora/bordeaux/dvd iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0
Unfortunately the mount won't work at boot time because mount is
confined to the mount_t domain, which can't read public_content_rw_t:
Apr 21 08:40:21 badby kernel: audit(1145605218.512:331): avc: denied
{ read } for pid=1469 comm="mount" name="FC4-i386-DVD.iso" dev=dm-5
ino=1032205 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
Apr 21 08:40:21 badby kernel: audit(1145605218.564:332): avc: denied
{ read } for pid=1469 comm="mount" name="FC-5-i386-DVD.iso" dev=dm-5
ino=606259 scontext=system_u:system_r:mount_t:s0
tcontext=root:object_r:public_content_rw_t:s0 tclass=file
A "mount -a" after booting works fine as it then runs unconfined.
Is this something that should be generally allowed or should I just
write local policy to fix this?
Paul.
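For both Ben's postgresql denial and Paul's mount denials above, an added example (not code from either post) that parses the quoted AVC lines and groups them into the `allow source target:class { perms };` form audit2allow would derive, so the exact rule a local policy would add can be reviewed first; `parse_avc`, `summarise` and `as_allow_rules` are names chosen here, and `SAMPLE_LOG` holds the thread's own denial lines re-joined onto single lines.

```python
"""Summarise AVC denials into the 'allow' rules audit2allow would derive from
them, so a local policy can be reviewed before it is loaded. Added example,
not code from the thread; SAMPLE_LOG is the denials quoted in this thread,
re-joined onto single lines."""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

SAMPLE_LOG = [
    'Apr 21 08:40:21 badby kernel: audit(1145605218.512:331): avc: denied { read } '
    'for pid=1469 comm="mount" name="FC4-i386-DVD.iso" dev=dm-5 ino=1032205 '
    'scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file',
    'Apr 21 08:40:21 badby kernel: audit(1145605218.564:332): avc: denied { read } '
    'for pid=1469 comm="mount" name="FC-5-i386-DVD.iso" dev=dm-5 ino=606259 '
    'scontext=system_u:system_r:mount_t:s0 tcontext=root:object_r:public_content_rw_t:s0 tclass=file',
    'kernel: audit(1148742297.318:91630): avc: denied { create } for pid=29176 comm="postmaster" '
    'scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=netlink_route_socket',
]

def parse_avc(line):
    """Return the denial's permission list and key=value fields, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(ctx):
    """user:role:type:level -> type, the part policy rules are written against."""
    return ctx.split(":")[2]

def summarise(lines):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d and all(k in d for k in ("scontext", "tcontext", "tclass")):
            key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
            rules[key].update(d["perms"])
    return {k: sorted(v) for k, v in rules.items()}

def as_allow_rules(rules):
    """Render the grouped denials as one policy 'allow' rule per key."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    for rule in as_allow_rules(summarise(SAMPLE_LOG)):
        print(rule)
```

The two mount denials differ only in the file name and the user field of the target context, so they collapse into a single `allow mount_t public_content_rw_t:file { read };` rule; that is the whole scope of the local policy Paul is asking about.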
noexec mount-option with selinux?
by Marten Lehmann
Hello,
I would like to mount the /tmp directory with the noexec option, so that no
files can be executed directly from /tmp. But the problem is that I don't
have a separate partition for /tmp. It would be useless to create one, because
the users on this system have strict quota limits, which wouldn't apply on a
separate /tmp partition.
Lots of example policies only show ways to restrict certain applications. But
is there a way to restrict access to the /tmp directory in general, too?
Regards
Marten
postfix, procmail and SELinux - No Go
by Marc Schwartz
Hi all,
I took advantage of the long weekend here in the States to finally
update to FC5. All went well in general, however it has become apparent
that procmail is problematic with SELinux enabled.
fetchmail and postfix work fine in terms of getting my e-mail from
multiple POP3 accounts. However local (~/.procmailrc) procmail filtering
does not.
My FC4 configuration files, with a few edits to reflect some path
changes for postfix, now work fine with SELinux disabled. I was not
running SELinux on FC4 and all worked fine there.
I found other FC5/SELinux posts where others have had similar problems
and disabling SELinux solved them.
This is on a fully updated FC5 system as of the writing of this post.
Is there a policy update pending to resolve this issue or some temporary
steps that can be used in the interim, short of disabling SELinux entirely?
Thanks,
Marc Schwartz