mailq.postfix.gz.1 incorrectly labeled in FC6T1
by Jay Cliburn
After installing postfix under FC6T1, I kept getting this avc:
audit(1152836951.218:8): avc: denied { getattr } for pid=3130
comm="sh" name="mailq.postfix.1.gz" dev=dm-0 ino=1084752
scontext=user_u:system_r:postfix_master_t:s0
tcontext=system_u:object_r:man_t:s0 tclass=file
It's a manpage and it looks to me like it came from the factory labeled
incorrectly. A chcon to system_u:object_r:man_t seems to have fixed it.
17 years, 9 months
Re: mailq.postfix.gz.1 incorrectly labeled in FC6T1
by Paul Howarth
James Antill wrote:
> On Fri, 2006-07-14 at 07:59 +0100, Paul Howarth wrote:
>> On Thu, 2006-07-13 at 19:44 -0500, Jay Cliburn wrote:
>>> After installing postfix under FC6T1, I kept getting this avc:
>>>
>>> audit(1152836951.218:8): avc: denied { getattr } for pid=3130
>>> comm="sh" name="mailq.postfix.1.gz" dev=dm-0 ino=1084752
>>> scontext=user_u:system_r:postfix_master_t:s0
>>> tcontext=system_u:object_r:man_t:s0 tclass=file
>>>
>>> It's a manpage and it looks to me like it came from the factory labeled
>>> incorrectly. A chcon to system_u:object_r:man_t seems to have fixed it.
>> This has been seen before on FC5:
>>
>> http://www.redhat.com/archives/fedora-selinux-list/2006-June/msg00021.html
>>
>> It appears to happen when postfix is started. The AVC suggests that the
>> manpage already has the correct context, and the strange thing is that
>> the postfix master program is trying to access it (why should that be?).
>
> AIUI postfix looks for where the documentation is for error messages to
> the user (Ie. look at the documentation at X to help solve problem Y).
Excellent! A sane explanation :-)
I suggest adding the following to the postfix policy:
# Postfix master process looking for its man pages so that it can refer
# to them in error messages
# (e.g. look at the documentation at X to help solve problem Y)
miscfiles_read_man_pages(postfix_master_t)
Paul.
gdm-binary AVCs in current rawhide
by Jay Cliburn
[jcliburn@osprey ~]$ uname -rm
2.6.17-1.2391.fc6 x86_64
The following avcs appear in an updated FC6T1 system.
Jul 14 06:54:35 osprey kernel: audit(1152878073.967:5): avc: denied
{ write } for pid=2234 comm="gdm-binary"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c255
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=key
Jul 14 06:54:35 osprey kernel: audit(1152878073.967:6): avc: denied
{ link } for pid=2234 comm="gdm-binary"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c255
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=key
Re: error
by Joshua Brindle
netpython wrote:
> Sorry to bother you with my n00b questions.
>
> I used lsof to get a better understanding of what files
> are opened. The te files are now: run-mozilla.te and firefox-bin.te
> However the checkpolicy tool complains about an error in
> the policy made by the policygentool.
>
Keep questions on list for the benefit of others.
The immediate error is that you can't have a '-' in a module name. Just
out of curiosity, why aren't you just using the mozilla/firefox policies
in refpolicy? You should be able to build the module (make mozilla.pp)
and then insert it with semodule -i mozilla.pp
> run-mozilla.te:
> -------------------
> policy_module(run-mozilla,1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> type run-mozilla_t;
> type run-mozilla_exec_t;
> domain_type(run-mozilla_t)
> init_daemon_domain(run-mozilla_t, run-mozilla_exec_t)
>
> ########################################
> #
> # run-mozilla local policy
> #
> # Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
>
> # Some common macros (you might be able to remove some)
> files_read_etc_files(run-mozilla_t)
> libs_use_ld_so(run-mozilla_t)
> libs_use_shared_libs(run-mozilla_t)
> miscfiles_read_localization(run-mozilla_t)
> ## internal communication is often done using fifo and unix sockets.
> allow run-mozilla_t self:fifo_file { read write };
> allow run-mozilla_t self:unix_stream_socket create_stream_socket_perms;
>
> # Init script handling
> init_use_fds(run-mozilla_t)
> init_use_script_ptys(run-mozilla_t)
> domain_use_interactive_fds(run-mozilla_t)
> ------------------------------------------------------
>
> firefox-bin.te:
>
> policy_module(firefox-bin,1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> type firefox-bin_t;
> type firefox-bin_exec_t;
> domain_type(firefox-bin_t)
> init_daemon_domain(firefox-bin_t, firefox-bin_exec_t)
>
> ########################################
> #
> # firefox-bin local policy
> #
> # Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
>
> # Some common macros (you might be able to remove some)
> files_read_etc_files(firefox-bin_t)
> libs_use_ld_so(firefox-bin_t)
> libs_use_shared_libs(firefox-bin_t)
> miscfiles_read_localization(firefox-bin_t)
> ## internal communication is often done using fifo and unix sockets.
> allow firefox-bin_t self:fifo_file { read write };
> allow firefox-bin_t self:unix_stream_socket create_stream_socket_perms;
>
> # Init script handling
> init_use_fds(firefox-bin_t)
> init_use_script_ptys(firefox-bin_t)
> domain_use_interactive_fds(firefox-bin_t)
> ------------------------------------------------------
>
> Errors I get:
>
> Compiling targeted firefox-bin module
> /usr/bin/checkmodule: loading policy configuration from
> tmp/firefox-bin.tmp
> firefox-bin.te:1:ERROR 'syntax error' at token 'firefox-bin' on line 57284:
> module firefox-bin 1.0.0;
> #line 1
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/firefox-bin.mod] Error 1
>
>
> In /usr/share/selinux/devel/include/apps there's a mozilla.if file.
> What could I do with it? I searched in the docs and now know it's
> an interface file, but other than that...
>
> kind regards,
>
> Peter
RHEL5 Security Documentation Scope Statement
by David O'Brien
I've prepared the following Scope Statement to help those involved in the
project to update the RHEL5 Security Documentation. Please feel free to offer
any suggestions, ask questions or get clarification. As we move forward there
may be minor changes, but this should be pretty close.
Apologies for the cross-post and to those who receive multiple copies. Please
forward this to interested parties who may not be on any of these lists.
----
The RHEL5 Security Guide integrates two previously separate guides: The Red
Hat Enterprise Linux 4 Security Guide and the Red Hat Enterprise Linux 4
SELinux Guide. These guides are being integrated and updated to provide a
single source of information for all security-related topics for Red Hat
Enterprise Linux.
The RHEL5 Security Guide provides a general introduction to security, and from
the perspective of Red Hat Linux in particular. It provides conceptual
information in the areas of security assessment, common exploits, and
intrusion and incident response. It also provides conceptual and specific
configuration information for hardening Workstation, Server, VPN, firewall
and other implementations using SELinux. A Troubleshooting section provides
information on common problems and how to resolve them.
The RHEL5 Security Guide assumes a basic knowledge of IT security, and
consequently provides only minimal coverage of common security practices such
as controlling physical access, sound account-keeping policies and
procedures, auditing, etc. Neither does it cover the intricacies of SELinux
in detail, such as writing policies for certain 3rd party applications. Where
appropriate, reference is made to external resources for this and related
information.
----
regards,
David O'Brien
Red Hat Asia Pacific Pty Ltd
Tel: +61-7-3514-8189
Fax: +61-7-3514-8199
email: daobrien(a)redhat.com
web: http://apac.redhat.com/
SELinux opensource server online
by Joshua Brindle
During the SELinux Symposium developer summit we discussed moving
Tresys' SELinux related projects to a new server with anonymous
subversion access. The server is now up and the reference policy pages
and subversion repository have been moved. The server's address is
http://oss.tresys.com. Instructions for checking out reference policy
subversion tree are on the reference policy page. Additionally, our
other projects will be moving to the server soon.
The press release is available at http://www.tresys.com/news/press32
Running two named processes in selinux
by Faisal Ali
Hi,
Is it possible to run two named processes in selinux, each having different
file permissions? Instead of using DNS Views I am thinking about running two
named processes, one for external and one for internal. Of course the external
named process will have access to a different set of files than the internal
named process.
Can this be done?
It's a security-of-Xen-VM-isolation vs SELinux-isolation comparison.
Should I run two Xen VMs, one for external DNS and the other for internal DNS,
or run two named processes each isolated and jailed by SELinux?
Faisal Ali
pam_console_t wants access to device_t:chr_file ?
by Tom London
Running targeted/enforcing, latest Rawhide.
Noticed this in /var/log/messages, before auditd is started I guess:
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:102): avc:
denied { getattr } for pid=1526 comm="pam_console_app"
name="usbdev5.5_ep02" dev=tmpfs ino=5143
scontext=system_u:system_r:pam_console_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:103): avc:
denied { getattr } for pid=1526 comm="pam_console_app"
name="usbdev5.5_ep81" dev=tmpfs ino=5120
scontext=system_u:system_r:pam_console_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:104): avc:
denied { getattr } for pid=1526 comm="pam_console_app"
name="usbdev5.5_ep00" dev=tmpfs ino=5068
scontext=system_u:system_r:pam_console_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
<< actually many, many copies of these....>>
tom
--
Tom London
dovecot 1.0.rc1
by Paul Howarth
New in rc1 is a directory /var/lib/dovecot where the SSL parameters
files are generated before they are copied to the login directory.
The following additions to policy support this:
::::::::::::::
dovecot.fc
::::::::::::::
/var/lib/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_var_lib_t,s0)
::::::::::::::
dovecot.te
::::::::::::::
policy_module(dovecot, 0.1.4)
########################################
#
# Declarations
#
require {
type dovecot_t;
};
# /var/lib/dovecot holds SSL parameters file
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
########################################
#
# Local policy
#
# Allow dovecot to read the routing table (in selinux-policy 2.2.43-4.fc5)
#allow dovecot_t self:netlink_route_socket { r_netlink_socket_perms };
# Allow dovecot to create and read SSL parameters file
files_search_var_lib(dovecot_t)
allow dovecot_t dovecot_var_lib_t:dir { rw_dir_perms };
allow dovecot_t dovecot_var_lib_t:file { manage_file_perms };
Paul.
AVCs when printing from firefox...
by Tom London
Running targeted/enforcing, latest rawhide.
Trying to print from firefox, I get:
type=AVC msg=audit(1151341517.216:697): avc: denied { recv } for
pid=2965 comm="firefox-bin" saddr=127.0.0.1 src=50209 daddr=127.0.0.1
dest=631 netif=lo scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1151341520.217:698): avc: denied { recv } for
saddr=127.0.0.1 src=50209 daddr=127.0.0.1 dest=631 netif=lo
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1151341526.217:699): avc: denied { recv } for
saddr=127.0.0.1 src=50209 daddr=127.0.0.1 dest=631 netif=lo
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1151341538.217:700): avc: denied { recv } for
saddr=127.0.0.1 src=50209 daddr=127.0.0.1 dest=631 netif=lo
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1151341562.219:701): avc: denied { recv } for
saddr=127.0.0.1 src=50209 daddr=127.0.0.1 dest=631 netif=lo
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Doing a 'setenforce 0' and retrying yields:
type=AVC msg=audit(1151342357.528:780): avc: denied { recv } for
pid=3943 comm="firefox-bin" saddr=127.0.0.1 src=47782 daddr=127.0.0.1
dest=631 netif=lo scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1151342357.528:780): avc: denied { send } for
pid=3943 comm="firefox-bin" saddr=127.0.0.1 src=631 daddr=127.0.0.1
dest=47782 netif=lo scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=SYSCALL msg=audit(1151342357.528:780): arch=40000003 syscall=102
success=yes exit=0 a0=3 a1=bfbf8db0 a2=4703c3f4 a3=0 items=0 ppid=3938
pid=3943 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 tty=(none) comm="firefox-bin"
exe="/usr/lib/firefox-1.5.0.4/firefox-bin"
subj=user_u:system_r:unconfined_t:s0
type=SOCKADDR msg=audit(1151342357.528:780):
saddr=020002777F0000010000000000000000
type=SOCKETCALL msg=audit(1151342357.528:780): nargs=3 a0=27 a1=b6d875c a2=10
type=AVC msg=audit(1151342370.197:781): avc: denied { send } for
pid=4108 comm="hp" saddr=127.0.0.1 src=43162 daddr=127.0.0.1
dest=50000 netif=lo scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1151342370.197:781): avc: denied { recv } for
pid=4108 comm="hp" saddr=127.0.0.1 src=43162 daddr=127.0.0.1
dest=50000 netif=lo scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1151342370.197:781): avc: denied { send } for
pid=4108 comm="hp" saddr=127.0.0.1 src=50000 daddr=127.0.0.1
dest=43162 netif=lo scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1151342370.197:781): avc: denied { recv } for
pid=4108 comm="hp" saddr=127.0.0.1 src=50000 daddr=127.0.0.1
dest=43162 netif=lo scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=SYSCALL msg=audit(1151342370.197:781): arch=40000003 syscall=102
success=yes exit=0 a0=3 a1=bf86ac50 a2=804d110 a3=804d1a4 items=0
ppid=2246 pid=4108 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4
egid=7 sgid=7 fsgid=7 tty=(none) comm="hp"
exe="/usr/lib/cups/backend/hp"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c255
type=SOCKADDR msg=audit(1151342370.197:781):
saddr=0200C3507F0000010000000000000000
type=SOCKETCALL msg=audit(1151342370.197:781): nargs=3 a0=4 a1=bf86ac78 a2=10
tom
--
Tom London
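The SYSCALL and SOCKADDR records in Tom's permissive-mode capture say more than the AVC lines alone: the saddr= blob is the raw struct sockaddr passed to the syscall, and with arch=40000003 (AUDIT_ARCH_I386) and syscall=102 (socketcall) the a0 value of the SYSCALL record is the socketcall subcall. The script below is an added example, not code from the post or from the audit tools, that joins the wrapped records, pairs each SYSCALL with the SOCKADDR sharing its serial number, and decodes the address. Run on the two serials copied from the post it reports that firefox-bin connect()ed to 127.0.0.1:631 (the IPP port cupsd listens on) and that the hp backend connect()ed to 127.0.0.1:50000, matching the dest= values in the AVC lines. The little-endian sa_family assumption follows from the i386 arch value; the subcall name table covers only the first five socketcall numbers.

```python
import re
import socket
import struct

SOCKETCALL_I386 = 102
SOCKETCALL_NAMES = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept"}

REC_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the SYSCALL and SOCKADDR records for serials 780 and 781
# copied from the post above, including the mail client's line wrapping.
SAMPLE = """\
type=SYSCALL msg=audit(1151342357.528:780): arch=40000003 syscall=102
success=yes exit=0 a0=3 a1=bfbf8db0 a2=4703c3f4 a3=0 items=0 ppid=3938
pid=3943 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 tty=(none) comm="firefox-bin"
exe="/usr/lib/firefox-1.5.0.4/firefox-bin"
subj=user_u:system_r:unconfined_t:s0
type=SOCKADDR msg=audit(1151342357.528:780):
saddr=020002777F0000010000000000000000
type=SYSCALL msg=audit(1151342370.197:781): arch=40000003 syscall=102
success=yes exit=0 a0=3 a1=bf86ac50 a2=804d110 a3=804d1a4 items=0
ppid=2246 pid=4108 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4
egid=7 sgid=7 fsgid=7 tty=(none) comm="hp"
exe="/usr/lib/cups/backend/hp"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c255
type=SOCKADDR msg=audit(1151342370.197:781):
saddr=0200C3507F0000010000000000000000
"""


def decode_sockaddr(hexstr):
    """Decode the saddr= hex blob of a SOCKADDR record. sa_family is in host
    byte order (assumed little-endian, as on the i386 box in the post); port
    and address fields are in network byte order."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]
    if family == socket.AF_INET:                      # struct sockaddr_in
        port, addr = struct.unpack("!H4s", raw[2:8])
        return {"family": "AF_INET", "port": port, "addr": socket.inet_ntoa(addr)}
    if family == socket.AF_INET6:                     # struct sockaddr_in6
        port, _flowinfo, addr = struct.unpack("!HI16s", raw[2:24])
        return {"family": "AF_INET6", "port": port,
                "addr": socket.inet_ntop(socket.AF_INET6, addr)}
    if family == socket.AF_UNIX:                      # struct sockaddr_un
        path = raw[2:].split(b"\0", 1)[0].decode(errors="replace")
        return {"family": "AF_UNIX", "path": path}
    return {"family": family}


def parse_records(text):
    """Join wrapped lines and index the parsed records by serial and type."""
    lines = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type="):
            lines.append(line)
        elif lines:
            lines[-1] += " " + line
    by_serial = {}
    for rec in lines:
        m = REC_RE.match(rec)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        by_serial.setdefault(serial, {})[rtype] = fields
    return by_serial


def correlate(text):
    """For every serial with both a SYSCALL and a SOCKADDR record, report who
    called what against which peer address."""
    out = {}
    for serial, recs in parse_records(text).items():
        sc, sa = recs.get("SYSCALL"), recs.get("SOCKADDR")
        if not (sc and sa):
            continue
        call = "syscall %s" % sc["syscall"]
        if sc["arch"] == "40000003" and int(sc["syscall"]) == SOCKETCALL_I386:
            # On i386, a0 of socketcall (logged in hex) selects the subcall.
            call = SOCKETCALL_NAMES.get(int(sc["a0"], 16), "socketcall")
        out[serial] = {"comm": sc["comm"], "uid": sc["uid"], "subj": sc["subj"],
                       "call": call, "peer": decode_sockaddr(sa["saddr"])}
    return out


if __name__ == "__main__":
    for serial, info in sorted(correlate(SAMPLE).items()):
        print(serial, info["comm"], info["subj"], info["call"], info["peer"])
```

Pairing records by serial is the same trick ausearch uses for its -i output; doing it by hand is useful here because the packet-class AVCs name only cupsd_t and hplip_t, while the SYSCALL records show that the local end of the 631 connection was an unconfined firefox-bin and the 50000 connection came from the hp backend running as cupsd_t.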