setroubleshoot message in Anacron mail to root
by Tom London
Running latest rawhide, targeted/enforcing.
Get this in Anacron email to root:
/etc/cron.daily/logrotate:
error: setroubleshoot:6 unknown option 'endscript' -- ignoring line
Appears this is referring to line 6 of /etc/logrotate.d/setroubleshoot.
tom
--
Tom London
17 years, 9 months
20060723 rawhide: sealert pegs my cpu
by Jay Cliburn
After applying rawhide updates for 20060723, sealert misbehaves.
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2237 jcliburn 25 0 311m 23m 11m R 99.6 2.3 2:32.64 python
1 root 18 0 10284 688 572 S 0.0 0.1 0:00.76 init
2 root RT 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
3 root 34 19 0 0 0 S 0.0 0.0 0:00.00 ksoftirqd/0
jcliburn 2237 1 90 18:32 ? 00:02:52 python /usr/sbin/sealert
[jcliburn@osprey ~]$ rpm -qf /usr/sbin/sealert
setroubleshoot-0.13-1
17 years, 9 months
AVC on restore from hibernation...
by Tom London
Running rawhide, targeted/enforcing.
Following AVC when restoring (I think) from hibernation:
type=AVC msg=audit(1153604898.510:100): avc: denied { execmem } for pid=22517 comm="grub" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process
type=SYSCALL msg=audit(1153604898.510:100): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=403000 a2=7 a3=1022 items=0 ppid=22508 pid=22517 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="grub" exe="/sbin/grub" subj=system_u:system_r:hald_t:s0 key=(null)
tom
--
Tom London
17 years, 9 months
setroubleshoot: syntax error...
by Tom London
Running latest rawhide, targeted/enforcing.
From /var/log/setroubleshoot/setroubleshoot.log (no setroubleshoot package listed in Bugzilla):
2006-07-20 07:16:34,740 [avc.ERROR] Unexpected exception invalid syntax (secure_mode_insmod.py, line 35)
Traceback (most recent call last):
  File "/usr/lib/audit/setroubleshoot_dispatcher", line 96, in ?
    analyze_thread = Analyze()
  File "/usr/lib/audit/setroubleshoot_dispatcher", line 19, in __init__
    self.plugins = LoadPlugins()
  File "/usr/lib/python2.4/site-packages/setroubleshoot/util.py", line 175, in LoadPlugins
    mod = imp.load_module(moduleName, *imp.find_module(pluginName, [plugin_dir]))
  File "/usr/share/setroubleshoot/plugins/secure_mode_insmod.py", line 35
    fix_cmd = 'setsebool -P secure_mode_insmod=0'.
                                                 ^
SyntaxError: invalid syntax
2006-07-20 07:16:34,992 [avc.ERROR] Traceback (most recent call last):
  File "/usr/lib/audit/setroubleshoot_dispatcher", line 96, in ?
    analyze_thread = Analyze()
  File "/usr/lib/audit/setroubleshoot_dispatcher", line 19, in __init__
    self.plugins = LoadPlugins()
  File "/usr/lib/python2.4/site-packages/setroubleshoot/util.py", line 175, in LoadPlugins
    mod = imp.load_module(moduleName, *imp.find_module(pluginName, [plugin_dir]))
  File "/usr/share/setroubleshoot/plugins/secure_mode_insmod.py", line 35
    fix_cmd = 'setsebool -P secure_mode_insmod=0'.
                                                 ^
SyntaxError: invalid syntax
Traceback (most recent call last):
  File "/usr/lib/audit/setroubleshoot_dispatcher", line 96, in ?
    analyze_thread = Analyze()
  File "/usr/lib/audit/setroubleshoot_dispatcher", line 19, in __init__
    self.plugins = LoadPlugins()
  File "/usr/lib/python2.4/site-packages/setroubleshoot/util.py", line 175, in LoadPlugins
    mod = imp.load_module(moduleName, *imp.find_module(pluginName, [plugin_dir]))
  File "/usr/share/setroubleshoot/plugins/secure_mode_insmod.py", line 35
    fix_cmd = 'setsebool -P secure_mode_insmod=0'.
                                                 ^
SyntaxError: invalid syntax
-------
--
Tom London
17 years, 9 months
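The traceback above shows a single plugin file with a stray character taking down the whole dispatcher at start-up, because LoadPlugins imports each plugin directly and the SyntaxError propagates. The following is an added example (not setroubleshoot's own loader) of the defensive pattern a plugin host should use: compile each plugin first, log and skip the ones that fail to parse or raise at import time, and keep loading the rest. The plugin directory, the "example_plugin" module and its placeholder fix command are constructed for the demo; the second plugin source reproduces the trailing '.' defect from the log.

```python
"""Plugin loading that survives a broken plugin (added example, constructed
plugin sources; not setroubleshoot's code)."""
import importlib.util
import logging
import os
import tempfile

log = logging.getLogger("plugin_loader")

# Constructed plugin sources.  The second reproduces the defect in the log:
# a stray '.' after the closing quote of a string literal.
PLUGIN_SOURCES = {
    "example_plugin": (
        "fix_cmd = 'echo example-fix'  # placeholder command, not a real fix\n"
        "def analyze(avc):\n"
        "    return fix_cmd if avc.get('perm') == 'example' else None\n"
    ),
    "secure_mode_insmod": "fix_cmd = 'setsebool -P secure_mode_insmod=0'.\n",
}


def write_plugins(plugin_dir):
    """Write the constructed sources out as <name>.py files."""
    for name, src in PLUGIN_SOURCES.items():
        with open(os.path.join(plugin_dir, name + ".py"), "w") as fh:
            fh.write(src)


def load_plugins(plugin_dir):
    """Return (loaded, failed).

    loaded maps plugin name -> module; failed maps plugin name -> reason.
    Compiling before executing turns a parse error into a per-plugin
    failure instead of an exception that unwinds the whole loader."""
    loaded, failed = {}, {}
    for fname in sorted(os.listdir(plugin_dir)):
        if not fname.endswith(".py"):
            continue
        name, path = fname[:-3], os.path.join(plugin_dir, fname)
        try:
            with open(path) as fh:
                code = compile(fh.read(), path, "exec")
            spec = importlib.util.spec_from_file_location(name, path)
            module = importlib.util.module_from_spec(spec)
            exec(code, module.__dict__)
            loaded[name] = module
        except SyntaxError as exc:
            failed[name] = "%s (%s, line %s)" % (exc.msg, fname, exc.lineno)
            log.error("plugin %s skipped: %s", name, failed[name])
        except Exception as exc:  # NameError, ImportError, ... at import time
            failed[name] = "%s: %s" % (type(exc).__name__, exc)
            log.error("plugin %s skipped: %s", name, failed[name])
    return loaded, failed


def demo():
    """Run the loader over the constructed plugins and return the loaded
    names, the failure map, and the fix the good plugin proposes."""
    with tempfile.TemporaryDirectory() as d:
        write_plugins(d)
        loaded, failed = load_plugins(d)
        fix = loaded["example_plugin"].analyze({"perm": "example"})
    return sorted(loaded), failed, fix


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    names, failures, fix = demo()
    print("loaded:", names)
    print("failed:", failures)
    print("example fix:", fix)
```

The point of the separate compile step is that the error carries the plugin's own file name and line number, which is exactly what the log above needed to say in one line instead of three identical tracebacks.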
/etc/named.rfc1912.zones - etc_t?
by Tom London
Running latest rawhide, targeted/enforcing.
restorecon seems to want to relabel '/etc/named.rfc1912.zones' as etc_t:
restorecon reset /etc/named.rfc1912.zones context system_u:object_r:named_conf_t:s0->system_u:object_r:etc_t:s0
That right?
tom
--
Tom London
17 years, 9 months
writing a firefox policy
by Peter Pun
Hi
I want to write a policy for firefox, as to me, it is almost an
always-on always-running network daemon.
I think there will always be another vulnerability leading to remote
code execution. But how can a policy protect against that?
Using policygentool, I created a policy for firefox-bin. It created a
domain. And I labeled the starter script /usr/bin/firefox as
"initrc_exec_t" . The ".mozilla" dir became the log dir. I also
created a dir labeled "download_t" so I can save files there. I think
I should take away "read" for "user_home_t" too.
So I guess the new domain will prevent transition into bin_t, sbin_t
and others. But I notice the generated te allows exec of all "lib_t"
libraries. That is an awful lot of libraries with lots of functions
and probably a lot of bugs. Should I be worried? If I follow the
doctrine of whitelisting everything and least privilege, I ought to
label and specifically permit only the libraries that are needed,
right? I am starting on identifying and labelling, but I have a
feeling that it will become a maintenance nightmare.
Maybe I don't fully understand "remote code execution". To me, it just
means being able to conjure up a shell and running some hacker magic
to gain root. Maybe the exploit doesn't even require a shell, and can
wiggle its way through the vast lib_t for its own end. :(
Apart from minimal library usage, what other correct behaviours should
I restrict firefox to?
Peter
17 years, 9 months
selinux-policy-strict-2.3.3-3 - definition conflict
by Valdis.Kletnieks@vt.edu
Seen during an update to 2.3.3-3:
/etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /usr/bin/apt-get (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0).
/etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /usr/bin/apt-shell (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0).
Not a biggie to me; I don't have apt-get installed. Probably will matter to
somebody trying to actually use it though. :)
17 years, 9 months
New projects on SELinux open source server
by David Sugar
Tresys is happy to announce that we have moved our SELinux IDE (SLIDE)
and CDS Framework projects to their new home on the Tresys Open Source
website (http://oss.tresys.com).
Information about each of the projects is available from there along
with the ability to anonymously checkout source directly from the
subversion tree.
17 years, 9 months
restorecond
by Paul Howarth
Just came across restorecond and noticed a few things:
policycoreutils doesn't do "chkconfig --add restorecond" in %post, nor
"chkconfig --del restorecond" in %preun (if the package is about to be
deleted). If it did this, restorecond would be enabled by default, which
is probably not what was wanted, but if the initscript were changed to have:
# chkconfig: - 10 90
instead of:
# chkconfig: 2345 10 90
then the service would not be enabled by default and could safely be
"chkconfig --add"-ed. It would then show up properly in the output of
"chkconfig --list".
Is the config file /etc/selinux/restorecond.conf (as per the contents of
the policycoreutils package and the string in the binary of
restorecond), or /etc/selinux/POLICYTYPE/restorconfiles.conf (as per the
manpage)?
Why does the restorecond service sometimes take so long to start up?
Well, it took a minute or so on one machine I have, and started almost
immediately on another, slower machine. I suspect that the answer may be
something to do with the fact that the fast machine has NFS-mounted home
directories and it tried accessing ~/public_html for all of them. Which
resulted in lots of these:
type=AVC msg=audit(1153227661.751:51137): avc: denied { create } for pid=17967 comm="restorecond" scontext=user_u:system_r:restorecond_t:s0 tcontext=user_u:system_r:restorecond_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1153227661.751:51137): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfc93224 a2=d47ff4 a3=999c378 items=0 pid=17967 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="restorecond" exe="/usr/sbin/restorecond"
type=SOCKETCALL msg=audit(1153227661.751:51137): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1153227661.751:51138): avc: denied { create } for pid=17967 comm="restorecond" scontext=user_u:system_r:restorecond_t:s0 tcontext=user_u:system_r:restorecond_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1153227661.751:51138): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfc9336c a2=3bf0a8 a3=999c378 items=0 pid=17967 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="restorecond" exe="/usr/sbin/restorecond"
Removing the home directory references from
/etc/selinux/restorecond.conf certainly made it faster.
Paul.
17 years, 9 months
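Both this post and Tom London's hibernation report above paste raw audit records, and in each case the useful facts are spread over two records that share a serial number: the AVC line carries the source and target contexts, class and permission, while the paired SYSCALL line carries the executable and whether the kernel actually refused the call (success=no, exit=-13) or merely logged it. The following is an added example, not code from either post or from setroubleshoot: a small parser that joins the AVC and SYSCALL records by serial and tallies denials per source type, object class and permission. The sample input is the records from the two posts above, re-joined onto one line each.

```python
"""Join SELinux AVC records with their SYSCALL records and summarise
denials (added example; the input is copied from the posts above)."""
import re
from collections import Counter

SAMPLE_AUDIT = """\
type=AVC msg=audit(1153604898.510:100): avc: denied { execmem } for pid=22517 comm="grub" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process
type=SYSCALL msg=audit(1153604898.510:100): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=403000 a2=7 a3=1022 items=0 ppid=22508 pid=22517 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="grub" exe="/sbin/grub" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1153227661.751:51137): avc: denied { create } for pid=17967 comm="restorecond" scontext=user_u:system_r:restorecond_t:s0 tcontext=user_u:system_r:restorecond_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1153227661.751:51137): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfc93224 a2=d47ff4 a3=999c378 items=0 pid=17967 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="restorecond" exe="/usr/sbin/restorecond"
type=SOCKETCALL msg=audit(1153227661.751:51137): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1153227661.751:51138): avc: denied { create } for pid=17967 comm="restorecond" scontext=user_u:system_r:restorecond_t:s0 tcontext=user_u:system_r:restorecond_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1153227661.751:51138): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfc9336c a2=3bf0a8 a3=999c378 items=0 pid=17967 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="restorecond" exe="/usr/sbin/restorecond"
"""

# Every audit record starts with type=... msg=audit(<epoch>.<ms>:<serial>):
HEAD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# The kernel pads the AVC body with extra spaces; \s+ tolerates either form.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping the quotes audit adds."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def source_type(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_audit(text):
    """Return one dict per AVC record, enriched from the SYSCALL record
    that shares its serial number (when present)."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        head = HEAD_RE.match(line.strip())
        if not head:
            continue
        serial = int(head.group("serial"))
        if head.group("type") == "AVC":
            m = AVC_RE.match(head.group("body"))
            if not m:
                continue
            rec = {"ts": float(head.group("ts")), "serial": serial,
                   "result": m.group("result"), "perms": m.group("perms").split()}
            rec.update(parse_kv(m.group("rest")))
            avcs.append(rec)
        elif head.group("type") == "SYSCALL":
            syscalls[serial] = parse_kv(head.group("body"))
    for rec in avcs:
        sc = syscalls.get(rec["serial"])
        rec["exe"] = sc.get("exe") if sc else None
        rec["syscall"] = sc.get("syscall") if sc else None
        # success=no on the paired SYSCALL means the kernel refused the call
        # (enforcing).  A 'denied' AVC whose syscall still succeeded is the
        # signature of permissive mode: logged, but not blocked.
        rec["enforced"] = (sc.get("success") == "no") if sc else None
    return avcs


def summarize(records):
    """Count denials keyed by (source type, object class, permission)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(source_type(r["scontext"]), r["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for r in recs:
        print("%(serial)s %(comm)s (%(exe)s) denied %(perms)s on %(tclass)s "
              "enforced=%(enforced)s" % r)
    for (src, cls, perm), n in sorted(summarize(recs).items()):
        print("%-14s %-22s %-8s %d" % (src, cls, perm, n))
```

Run over the two posts' records this yields three enforced denials: hald_t execmem on a process (the grub helper run from the hald_t domain) and restorecond_t create on a netlink_route_socket and a tcp_socket, which matches the NFS home-directory explanation offered above, since those are the socket types an NFS lookup would need. The enforced flag is the one to check first when triaging: in permissive mode the same AVC lines appear but the syscall succeeds.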