SELinux Module Packaging in FC5
by Paul Howarth
Is there any documentation anywhere on including SELinux Policy Modules
in packages (e.g. for Extras) in FC5? For instance, is there a directory
into which modules can be dropped so that they get picked up
automatically? Where should they live?
Consider an example. I have an LDAP-backed addressbook frontend written
in PHP that runs on apache. So I install the files in /var/www/someplace
in my package and I need to provide an SELinux module that:
* Includes the appropriate file contexts for the application's cache
directory, which needs to be writable by httpd
* Gives httpd permission to contact LDAP servers over the network (i.e.
ports 389 and 636)
Is it possible to turn on the httpd_builtin_scripting boolean from a
module (the app is written in PHP and needs this)? Is it even sensible
to try to do this, or should there just be a README.SELinux telling people
they need to do this themselves?
Should the module be loaded in a %post script?
Some guidelines would no doubt be appreciated by many people.
Paul.
17 years, 10 months
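An added example (not part of the post above, and not code from any Fedora package): sources for a small policy module covering the two needs described in the post, with the build step and the commands an RPM %post could run. The module name addrbook, the install path /var/www/addrbook, the interface corenet_tcp_connect_ldap_port and the type httpd_sys_script_rw_t are assumptions about the FC5-era reference policy; check them against /usr/share/selinux/devel/include before shipping.

```shell
#!/bin/sh
# Added example, not from the post: write, build and (from %post) install a
# policy module for a PHP addressbook under /var/www/addrbook.
# Assumed names: module "addrbook", interface corenet_tcp_connect_ldap_port,
# types httpd_sys_content_t / httpd_sys_script_rw_t (FC5-era reference policy).

MODNAME=addrbook            # assumed module name
APPDIR=/var/www/addrbook    # assumed install path (the post says /var/www/someplace)

# Write $MODNAME.te (rules) and $MODNAME.fc (file contexts) into directory $1.
write_sources() {
    dir=$1
    cat > "$dir/$MODNAME.te" <<EOF
policy_module($MODNAME, 1.0.0)

require {
    type httpd_t;
}

# Let Apache (httpd_t) open TCP connections to LDAP (389) and LDAPS (636),
# which the reference policy labels ldap_port_t.
corenet_tcp_connect_ldap_port(httpd_t)
EOF
    cat > "$dir/$MODNAME.fc" <<EOF
# Application files are read-only web content; only the cache is writable by httpd.
$APPDIR(/.*)?          gen_context(system_u:object_r:httpd_sys_content_t,s0)
$APPDIR/cache(/.*)?    gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
EOF
}

# Build $MODNAME.pp from the sources in $1 with the selinux-policy-devel Makefile.
build_module() {
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile "$MODNAME.pp" )
}

# What an RPM %post would do: load the module, relabel the installed tree, and
# turn on the boolean the app needs. A loadable module cannot flip a boolean
# defined by the base policy, so it is set here with setsebool -P (persistent).
install_module() {
    semodule -i "$1/$MODNAME.pp" || return 1
    restorecon -R "$APPDIR"
    setsebool -P httpd_builtin_scripting=1
}

# Number of labelled paths in the generated .fc file, for a sanity check.
count_fc_entries() {
    grep -c 'gen_context(' "$1/$MODNAME.fc"
}

workdir=$(mktemp -d)
write_sources "$workdir"
echo "wrote $workdir/$MODNAME.te and $workdir/$MODNAME.fc"
if command -v checkmodule >/dev/null 2>&1 && [ -f /usr/share/selinux/devel/Makefile ]; then
    build_module "$workdir" && echo "built $workdir/$MODNAME.pp; install with: semodule -i $workdir/$MODNAME.pp"
else
    echo "SELinux build tools not found; sources left in $workdir"
fi
```

Run it on a box with selinux-policy-devel installed to get addrbook.pp; in a package, the .pp would be shipped as a file and install_module's three commands would form the %post. Denials still seen after loading (for example the LDAPS connect, if ldap_port_t does not cover 636 on the system in question) show up as AVC records and tell you which rule is still missing.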
hplip needs /dev/random.... ?
by Tom London
Running latest rawhide, targeted/enforcing.
Noticed the following AVC (when I printed from Firefox to an old HP5MP):
type=AVC msg=audit(1150647750.373:32): avc: denied { read } for
pid=2140 comm="python" name="random" dev=tmpfs ino=5947
scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1150647750.373:32): arch=40000003 syscall=33
success=no exit=-13 a0=42a982b8 a1=4 a2=42aa92c4 a3=2 items=1 pid=2140
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
subj=system_u:system_r:hplip_t:s0
type=CWD msg=audit(1150647750.373:32): cwd="/"
type=PATH msg=audit(1150647750.373:32): item=0 name="/dev/random"
inode=5947 dev=00:10 mode=020666 ouid=0 ogid=0 rdev=01:08
obj=system_u:object_r:random_device_t:s0
Printing seemed to work regardless.
/usr/share/hplip/base/slp.py appears to import random and call
'random.randint()'
tom
--
Tom London
17 years, 10 months
new user domain
by Stefan
Hi,
I'd like to create a user with a type of e.g. backup. So when the
user logs in and types "id -Z",
backup:user_r:backup_t:SystemLow-SystemHigh
should be the right context.
In the past I did this like that:
full_user_role(backup)
allow system_r backup_r
allow sysadm_r backup_r
undefine(`in_user_role')
define(`in_user_role', `
role user_r types $1;
role second_r types $1;
')
But now I'm using FC5 and things have changed. I searched a while and
found the macro "unpriv_user_template". So I created a policy module:
policy_module(backup,1.0.0)
unpriv_user_template(backup)
and tried to compile it. But I get an error message:
Compiling mls backup module
/usr/bin/checkmodule: loading policy configuration from tmp/backup.tmp
backup.te:4:ERROR 'attribute userdomain is not declared' at token ';'
on line 57013:
#line 4
type backup_t, userdomain;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/backup.mod] Error 1
Isn't this the right way? Did I do something wrong? Or how do you create
a new user domain?
Best regards,
Stefan
PS: I'm using FC5 with the latest updates and the mls policy.
17 years, 10 months
suppress success messages from dmesg & co
by Stefan
Hi,
is it possible to suppress success messages like:
audit(1150460352.961:685): user pid=10323 uid=500 auid=500 msg='PAM:
setcred acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0
res=success)'
audit(1150460352.961:686): user pid=10323 uid=500 auid=500 msg='PAM:
session close acct=root : exe="/bin/su" (hostname=?, addr=?,
terminal=pts/0 res=success)'
audit(1150462861.629:687): user pid=10507 uid=0 auid=4294967295
msg='PAM: accounting acct=root : exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
audit(1150462861.629:688): login pid=10507 uid=0 old auid=4294967295
new auid=0
audit(1150462861.629:689): user pid=10507 uid=0 auid=0 msg='PAM:
session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?,
terminal=cron res=success)'
audit(1150465564.666:694): login pid=10695 uid=0 old auid=4294967295
new auid=500
audit(1150465564.666:695): user pid=10695 uid=0 auid=500 msg='PAM:
session open acct=foobar : exe="/usr/sbin/
sshd" (hostname=2001:6f8:1294:1::3, addr=?, terminal=ssh res=success)'
Every time someone uses 'su' or newrole or ... an audit message is
created. This spams my logfiles, so I would like to turn such "success
messages" off. I'm using FC5 with latest updates and selinux-policy-mls.
Best regards,
Stefan
17 years, 10 months
postfix_pipe_t ... execute_no_trans
by QingLong
Hello!
Would you be so kind as to give me a hint why postfix's pipe command
tries to execute a custom script with execute_no_trans? Details follow.
Here we have a combination of Spamassassin and the DrWeb virus scanner.
Due to the lame DrWeb program's stupidity one has to create a shell script
that first passes a mail through spamassassin and then throws it to DrWeb.
I have created a custom selinux module of my own named ql_spamassassin
to (try to) put this combination under selinux control.
So I have defined my own type `ql_spamassassin_client_exec_t' for the script
and ql_spamassassin_client_t domain type. And I have
|
| domain_entry_file(ql_spamassassin_client_t,ql_spamassassin_client_exec_t)
| domain_auto_trans(postfix_pipe_t,ql_spamassassin_client_exec_t,ql_spamassassin_client_t)
|
to allow postfix_pipe_t to execute the script and perform the type transition.
The module has been compiled and loaded into the kernel quite successfully,
but I still get the execution denials:
|
| type=AVC msg=audit(1150125191.592:740): avc: denied { execute_no_trans } for pid=2793 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" dev=md9 ino=56842 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file
| type=SYSCALL msg=audit(1150125191.592:740): arch=40000003 syscall=11 success=no exit=-13 a0=804e410 a1=804e0a8 a2=804e550 a3=3d09 items=1 pid=2793 auid=4294967295 uid=15625 gid=15625 euid=15625 suid=15625 fsuid=15625 egid=15625 sgid=15625 fsgid=15625 comm="pipe" exe="/usr/libexec/postfix/pipe"
| type=AVC_PATH msg=audit(1150125191.592:740): path="/usr/local/sbin/PostFix.mail.SpamAssassin.spamfilter.sh"
| type=CWD msg=audit(1150125191.592:740): cwd="/var/spool/postfix"
| type=PATH msg=audit(1150125191.592:740): item=0 name="/usr/local/sbin/PostFix.mail.SpamAssassin.spamfilter.sh" flags=101 inode=56842 dev=09:09 mode=0100555 ouid=0 ogid=0 rdev=00:00
|
The system is FC5. SELinux related packages:
checkpolicy-1.30.3-1.fc5
libselinux-1.30-1.fc5
libselinux-python-1.30-1.fc5
libsepol-1.12.6-1.fc5
policycoreutils-1.30.10-1.fc5
selinux-policy-2.2.40-1.fc5
selinux-policy-targeted-2.2.40-1.fc5
kernel-smp-2.6.16-1.2133_FC5
Please, give me a hint, what's wrong here. Thank you.
QingLong.
17 years, 10 months
Re: CGI Script permissions
by Jochen Wiedmann
Paul Howarth wrote:
> The simplest fix might be to change the file context of this particular
> CGI script to httpd_unconfined_script_exec_t instead of
> httpd_sys_script_t. That would effectively turn off SELinux protection
> for that particular script.
> The alternative approach of using audit2allow to create a local policy
> to allow these capabilities would turn on these capabilities for *all*
> of your CGI scripts, which IMHO would be worse than turning off
> protection for just that one script (particularly if that script was
> well-audited for security issues).
> Ideally it would be easy to create a subclass of CGI scripts and assign
> special capabilities to those (I have a similar issue with FastCGI
> scripts that need slightly more capabilities than regular CGI scripts),
> but that's beyond me at this moment.
As the script in question can indeed be called well-audited (basically, it
just allows one to trigger a certain action by calling another script with
fixed attributes), I have decided to go with httpd_unconfined_script_exec_t.
That did the trick neatly.
Thanks very much,
Jochen
17 years, 10 months
spamd binding on strange ports
by Paul Howarth
Anyone got any ideas why this is happening and how to fix it (i.e. stop
it happening rather than allow it)?
type=AVC msg=audit(1149425260.649:225271): avc: denied { name_bind }
for pid=968 comm="spamd" src=64006 scontext=user_u:system_r:spamd_t:s0
tcontext=system_u:object_r:traceroute_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1149425260.649:225271): arch=40000003 syscall=102
success=no exit=-13 a0=2 a1=bf8cb460 a2=c095c8 a3=10 items=0 pid=968
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="spamd" exe="/usr/bin/perl"
type=SOCKADDR msg=audit(1149425260.649:225271):
saddr=0200FA06000000000000000000000000
type=SOCKETCALL msg=audit(1149425260.649:225271): nargs=3 a0=b
a1=a3bc740 a2=10
Paul.
17 years, 10 months
Re: AVC's and Xen
by Gawain Lynch
On Tue, 2006-06-13 at 11:51 -0400, James Antill wrote:
> On Tue, 2006-06-13 at 22:24 +1000, Gawain Lynch wrote:
> > audit(1150200957.379:95): avc: denied { use } for pid=4853 comm="xm"
> > name="console" dev=tmpfs ino=838 scontext=system_u:system_r:xm_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=fd
>
> What xm command were you doing for this?
xm list
xm create
xm save
All of these were triggering the avc's
> You can use setbool xm_disable_trans=no, as a temporary workaround.
Is that maybe supposed to be setsebool xm_disable_trans=false
I obviously need to do a *lot* more reading on selinux before going down
this path. :-)
> Until recently combining Xen and SELinux basically didn't work at all,
> so we are improving a lot :).
That is OK, I thought it was up and running and just wanted to report
issues. I'll leave it be for the time being and study up so I can be of
more use in reporting/fixing these things.
Thanks kindly for your help,
Gawain
17 years, 10 months
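The hplip, postfix pipe, spamd and xm threads above each turn on one AVC record. As an added example (not from any of those posts), the script below pulls the source type, target type, object class and permission out of such records and prints the allow rule each one maps to, which is what audit2allow does before a human decides whether allowing is the right answer. The four records are constructed from the threads and joined onto single lines so they parse; on a real box the input would be lines from /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example, not from the posts: turn AVC records into the allow rules
# that would permit them. The sample records are constructed from the hplip,
# postfix pipe, spamd and xm threads (joined onto one line each).

# Print the value of field $1 (e.g. scontext) from AVC record $2.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# Print the permission list inside the braces of "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# The third colon-separated field of a context (user:role:type:level) is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Map one AVC record to the allow rule that would permit exactly that access.
avc_to_rule() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(ctx_type "$(avc_field scontext "$1")")" \
        "$(ctx_type "$(avc_field tcontext "$1")")" \
        "$(avc_field tclass "$1")" \
        "$(avc_perms "$1")"
}

# Records constructed from the threads on this page (pids, names and contexts as posted).
HPLIP_AVC='type=AVC msg=audit(1150647750.373:32): avc: denied { read } for pid=2140 comm="python" name="random" dev=tmpfs ino=5947 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file'
PIPE_AVC='type=AVC msg=audit(1150125191.592:740): avc: denied { execute_no_trans } for pid=2793 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" dev=md9 ino=56842 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file'
SPAMD_AVC='type=AVC msg=audit(1149425260.649:225271): avc: denied { name_bind } for pid=968 comm="spamd" src=64006 scontext=user_u:system_r:spamd_t:s0 tcontext=system_u:object_r:traceroute_port_t:s0 tclass=udp_socket'
XM_AVC='audit(1150200957.379:95): avc: denied { use } for pid=4853 comm="xm" name="console" dev=tmpfs ino=838 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd'

# Print "<comm>: <rule>" for each sample record.
for rec in "$HPLIP_AVC" "$PIPE_AVC" "$SPAMD_AVC" "$XM_AVC"; do
    echo "$(avc_field comm "$rec"): $(avc_to_rule "$rec")"
done
```

Reading the generated rules is the review step the CGI thread's reply is about: the spamd rule would let spamd bind any port labelled traceroute_port_t rather than just the one ephemeral port 64006 it happened to pick, and the postfix rule would let pipe run the spamfilter script inside postfix_pipe_t with no domain transition at all, which is the opposite of what that poster's module was written to achieve. The rule a denial maps to is a starting point for reading the policy, not a patch to apply as-is.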
Problem to get FC4 sepolicy in FC5
by Pranav Vishnoi
In the past I was using FC4 & selinux on it, but switched to FC5. I'm unable to use my old configuration of FC4 in FC5.
Please tell me the proper steps to use FC4 selinux settings in FC5.
********************************************************************
Regards,
Pranav Vishnoi
Network Programs India Ltd.
B-1-C, Sec-10, Noida-201301, India
Ph:-0120-2536622 (O) Ext.:1209,
9899290712 (M)
********************************************************************
17 years, 10 months