another AVC....
by Tom London
running rawhide, targeted/enforcing.
Get this one after the last mcstransd AVC:
type=AVC msg=audit(1158434197.103:120): avc: denied { search } for
pid=2617 comm="killall" name="2251" dev=proc ino=147521538
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=dir
type=SYSCALL msg=audit(1158434197.103:120): arch=40000003 syscall=5
success=no exit=-13 a0=87540b0 a1=8000 a2=1b6 a3=87540c8 items=0
ppid=2477 pid=2617 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="killall" exe="/usr/bin/killall"
subj=system_u:system_r:NetworkManager_t:s0 key=(null)
tom
--
Tom London
17 years, 7 months
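An added example, not from Tom's post: a small parser for exactly this kind of two-record denial. It pairs each AVC with its SYSCALL record by audit serial, pulls the type field out of the source and target contexts (dropping the MLS/MCS range that follows cupsd_t here), and prints the raw rule audit2allow would suggest. The log text is constructed from the records on this page, re-joined onto one line per record as they appear in /var/log/audit/audit.log.

```python
import re
from collections import defaultdict

# Constructed input: the killall AVC/SYSCALL pair from the post above and the
# execmod denial from the ATI driver thread further down this page.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1158434197.103:120): avc: denied { search } for pid=2617 comm="killall" name="2251" dev=proc ino=147521538 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=dir
type=SYSCALL msg=audit(1158434197.103:120): arch=40000003 syscall=5 success=no exit=-13 a0=87540b0 a1=8000 a2=1b6 a3=87540c8 items=0 ppid=2477 pid=2617 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="killall" exe="/usr/bin/killall" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1158255182.936:396): avc: denied { execmod } for pid=7074 comm="X" name="fglrx_drv.so" dev=dm-0 ino=2328943 scontext=user_u:system_r:xdm_xserver_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """key=value pairs, with quotes stripped from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_audit_log(text):
    """Group records by audit serial so each AVC sits next to its SYSCALL record."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        ev = events[int(m.group("serial"))]
        ev["timestamp"] = float(m.group("ts"))
        if m.group("type") == "AVC":
            a = AVC_RE.match(m.group("body"))
            if a:
                rec = parse_fields(a.group("fields"))
                rec["result"] = a.group("result")
                rec["perms"] = a.group("perms").split()
                ev["avc"].append(rec)
        elif m.group("type") == "SYSCALL":
            ev["syscall"] = parse_fields(m.group("body"))
    return dict(events)


def context_type(ctx):
    """user:role:type[:level] -> type; the range after the type is ignored."""
    return ctx.split(":")[2]


def suggest_allow(avc):
    """The raw rule audit2allow would print for one denial."""
    return "allow %s %s:%s { %s };" % (
        context_type(avc["scontext"]), context_type(avc["tcontext"]),
        avc["tclass"], " ".join(avc["perms"]))


def summarize(text):
    """(serial, exe or comm, suggested rule) for each denial in the log."""
    out = []
    for serial, ev in sorted(parse_audit_log(text).items()):
        exe = ev["syscall"]["exe"] if ev["syscall"] else None
        for avc in ev["avc"]:
            out.append((serial, exe or avc.get("comm"), suggest_allow(avc)))
    return out


if __name__ == "__main__":
    for serial, who, rule in summarize(SAMPLE_AUDIT_LOG):
        print("%d %s: %s" % (serial, who, rule))
```

The suggested rule is a starting point for reading the denial, not a fix: for a denial like this one the right answer is usually a refpolicy interface, or a change to what the caller does (here, killall walking every /proc/PID directory from NetworkManager_t), rather than a raw allow.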
FC5 - changing security context to sockets
by Sandra Rueda
Hello,
I am currently working with SELinux on FC5 and I want an application to be
able to switch security context. The application uses sockets, so they
inherit the security context from the application.
To allow the application to switch security context (domain) I will add a
transition rule in the list of selinux policies.
However, I also want the application to be able to relabel the socket with
the new security context. So far I have not found a direct way to do it so
I am planning to modify the sys_setsockopt function in the socket file and
other functions related to that one. I was wondering if there is a direct
way to do it, instead of having to modify the kernel.
Thanks,
Sandra
latest vixie-cron update
by Stefan
Hi,
since the last vixie-cron update the following errors appear in /var/log/cron:
Sep 18 16:01:01 troll crond[12489]: (*system*) NULL security context for user, but SELinux in permissive mode, continuing ()
Sep 18 16:01:01 troll crond[12492]: (root) CMD (run-parts /etc/cron.hourly)
Any ideas?
Best regards,
Stefan
restorecon seg fault on 'no such file'
by Tom London
Running latest rawhide, targeted/enforcing.
There is an entry in /etc/rc.sysinit that segfaults on my system (line 678):
# Clean up SELinux labels
if [ -n "$SELINUX_STATE" ]; then
    restorecon /etc/mtab /etc/ld.so.cache /etc/blkid.tab /etc/resolv.conf >/dev/null 2>&1
fi
[root@localhost rc.d]# restorecon /etc/mtab /etc/ld.so.cache /etc/blkid.tab /etc/resolv.conf
Segmentation fault
[root@localhost rc.d]#
The problem is that there is no /etc/blkid.tab. This seems to confuse
restorecon (tail of strace):
munmap(0xb7f38000, 4096) = 0
lstat64("/etc/blkid.tab", 0xbff4c02c) = -1 ENOENT (No such file or directory)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Process 4031 detached
tom
--
Tom London
Typo in /usr/lib/python2.4/site-packages/setroubleshoot/Plugin.py
by Tom London
Today's rawhide:
2006-09-15 12:58:00,126 [plugin.ERROR] failed to load use_nfs_home_dirs plugin
Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/setroubleshoot/util.py", line 312, in load_plugins
mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir]))
File "/usr/share/setroubleshoot/plugins/use_nfs_home_dirs.py", line 22, in ?
from setroubleshoot.Plugin import Plugin
File "/usr/lib/python2.4/site-packages/setroubleshoot/Plugin.py", line 123
rpm = get_rpm_nvr_by_file_path(self.path.strip('"')))
^
SyntaxError: invalid syntax
Extra ')' at end of line 123.
tom
--
Tom London
please review my firefox policy?
by Peter Pun
Hi Everyone,
I created this firefox policy; it is probably allowing too many unnecessary
things. If anyone could comment on it, I'd appreciate it.
The matter is, someone was able to break out to unconfined and disable a 000
ACL on /bin/su. This is a surf machine, with no listening daemons, postfix
is blocked by firewall and unconfigured, not even cups is running. So I
think the hole must be through firefox.
------------------------------------------------------------
policy_module(foxpol,1.0.5)
########################################
#
# Declarations
#
require {
type fonts_t;
type inotifyfs_t;
type proc_net_t;
type proc_t;
type urandom_device_t;
type user_home_dir_t;
type user_home_t;
type xdm_t;
type sysctl_kernel_t;
type sysctl_net_t;
type sysctl_t;
type home_root_t;
type fs_t;
type autofs_t;
type unconfined_execmem_t;
# used in the rules below but missing from the posted require block
type unconfined_t;
type tmp_t;
type tmpfs_t;
type usr_t;
};
type foxpol_t;
type foxpol_exec_t;
domain_type(foxpol_t)
init_daemon_domain(foxpol_t, foxpol_exec_t)
# log files
type foxpol_var_log_t;
logging_log_file(foxpol_var_log_t)
# download dir, which firefox has write access to
type foxpol_down_t;
# private_t dir - a labeled dir which fox cannot read, made because
# - fox has read access to home dir
type private_t;
########################################
#
# foxpol local policy
#
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
# Some common macros (you might be able to remove some)
files_read_etc_files(foxpol_t)
libs_use_ld_so(foxpol_t)
libs_use_shared_libs(foxpol_t)
miscfiles_read_localization(foxpol_t)
## internal communication is often done using fifo and unix sockets.
allow foxpol_t self:fifo_file { read write };
allow foxpol_t self:unix_stream_socket create_stream_socket_perms;
# log files
allow foxpol_t foxpol_var_log_t:file create_file_perms;
allow foxpol_t foxpol_var_log_t:sock_file create_file_perms;
allow foxpol_t foxpol_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(foxpol_t,foxpol_var_log_t,{ sock_file file dir })
## Networking basics (adjust to your needs!)
sysnet_dns_name_resolve(foxpol_t)
corenet_tcp_sendrecv_all_if(foxpol_t)
corenet_tcp_sendrecv_all_nodes(foxpol_t)
corenet_tcp_sendrecv_all_ports(foxpol_t)
corenet_non_ipsec_sendrecv(foxpol_t)
corenet_tcp_connect_http_port(foxpol_t)
#corenet_tcp_connect_all_ports(foxpol_t)
## if it is a network daemon, consider these:
#corenet_tcp_bind_all_ports(foxpol_t)
#corenet_tcp_bind_all_nodes(foxpol_t)
allow foxpol_t self:tcp_socket { listen accept };
# Init script handling
init_use_fds(foxpol_t)
init_use_script_ptys(foxpol_t)
domain_use_interactive_fds(foxpol_t)
# ok copy files to download dir
allow unconfined_t foxpol_down_t:dir { add_name getattr setattr read
relabelto remove_name search write rmdir };
allow unconfined_t foxpol_down_t:file { execute create getattr setattr read
write append rename link unlink ioctl lock };
# ok unconfined processes to open files in download dir
allow unconfined_execmem_t foxpol_down_t:dir { create getattr setattr read
write link unlink rename search add_name remove_name reparent rmdir lock
ioctl } ;
allow unconfined_execmem_t foxpol_down_t:file { create getattr setattr read
write append rename link unlink ioctl lock };
# ok fox to write to download dir
allow foxpol_t foxpol_down_t:dir { add_name create getattr read search write
remove_name };
allow foxpol_t foxpol_down_t:file { create setattr getattr read write rename
unlink append };
# ok unconfined process to open files in private dir
allow unconfined_execmem_t private_t:dir { create getattr setattr read write
link unlink rename search add_name remove_name reparent rmdir lock ioctl };
allow unconfined_execmem_t private_t:file { create getattr setattr read
write append rename link unlink ioctl lock };
allow unconfined_t private_t:dir { create getattr setattr read write link
unlink rename search add_name remove_name reparent relabelfrom relabelto
rmdir lock ioctl };
allow unconfined_t private_t:file { relabelto create getattr setattr read
write append rename link unlink ioctl lock };
allow private_t fs_t:filesystem associate;
# ok fox to create new stuff in .mozilla
allow foxpol_t foxpol_var_log_t:dir create;
#
# audit2allow says it wants all the stuff below; it also wanted exec rights
# to bin_t which I removed
#
allow foxpol_down_t fs_t:filesystem associate;
allow foxpol_t autofs_t:dir getattr;
allow foxpol_t fonts_t:dir { getattr read search };
allow foxpol_t fonts_t:file { getattr read };
allow foxpol_t foxpol_down_t:dir { add_name create getattr read search write
};
allow foxpol_t foxpol_down_t:file { create getattr write };
allow foxpol_t self:fifo_file getattr;
allow foxpol_t self:netlink_route_socket { bind create getattr nlmsg_read
read write };
allow foxpol_t self:process { getsched setsched signal };
allow foxpol_t self:shm { create destroy read unix_read unix_write write };
allow foxpol_t self:unix_dgram_socket create;
allow foxpol_t foxpol_var_log_t:lnk_file { create unlink };
allow foxpol_t home_root_t:dir { getattr read search };
allow foxpol_t inotifyfs_t:dir { getattr read };
allow foxpol_t proc_net_t:dir { read search };
allow foxpol_t proc_net_t:file { getattr read };
allow foxpol_t proc_t:file { getattr read };
allow foxpol_t sysctl_kernel_t:dir search;
allow foxpol_t sysctl_kernel_t:file read;
allow foxpol_t sysctl_net_t:dir search;
allow foxpol_t sysctl_t:dir search;
allow foxpol_t tmp_t:dir { add_name getattr read remove_name search setattr
write };
allow foxpol_t tmp_t:file { create getattr lock read unlink write };
allow foxpol_t tmp_t:sock_file { create unlink write };
allow foxpol_t tmpfs_t:file { read write };
# allow foxpol_t unconfined_t:unix_stream_socket connectto;
allow foxpol_t urandom_device_t:chr_file { getattr ioctl read };
allow foxpol_t user_home_dir_t:dir { getattr read search };
allow foxpol_t user_home_t:dir { getattr read search };
allow foxpol_t user_home_t:file { getattr read };
allow foxpol_t usr_t:file { getattr read };
allow foxpol_t usr_t:lnk_file read;
allow foxpol_t xdm_t:unix_stream_socket connectto;
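An added example (mine, not the poster's and not a refpolicy tool) of the review a reader would do on a module like this before answering. It parses the allow rules, including brace sets that wrap across lines as they do in the post, and reports two things: types that one domain may write as files while a different domain may execute them, and a watch-list of permissions (execute, listen, relabel, ptrace and friends) held by a named domain. The excerpt it runs on is the download-directory rules copied from the module above plus the tcp_socket rule; on that input it reports that foxpol_t writes files into foxpol_down_t which unconfined_t may execute, and that foxpol_t may listen on TCP sockets, on a machine described as having no listening daemons.

```python
import re

# Constructed input: rules copied from the foxpol module above, wrapped
# exactly as posted so the parser has to cope with multi-line brace sets.
POLICY_EXCERPT = """
# ok copy files to download dir
allow unconfined_t foxpol_down_t:dir { add_name getattr setattr read
relabelto remove_name search write rmdir };
allow unconfined_t foxpol_down_t:file { execute create getattr setattr read
write append rename link unlink ioctl lock };
# ok unconfined processes to open files in download dir
allow unconfined_execmem_t foxpol_down_t:file { create getattr setattr read
write append rename link unlink ioctl lock };
# ok fox to write to download dir
allow foxpol_t foxpol_down_t:file { create setattr getattr read write rename
unlink append };
allow foxpol_t self:tcp_socket { listen accept };
allow foxpol_t self:fifo_file { read write };
allow foxpol_t user_home_t:file { getattr read };
allow foxpol_t autofs_t:dir getattr;
"""

ALLOW_RE = re.compile(r"\ballow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;")

WRITE_PERMS = {"write", "append", "create", "rename", "link"}
EXEC_PERMS = {"execute", "execute_no_trans", "execmod"}
WATCH_PERMS = {"execute", "execute_no_trans", "execmod", "execmem", "execstack",
               "listen", "relabelto", "relabelfrom", "transition", "ptrace",
               "setexec", "setfscreate"}


def strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_allow_rules(text):
    """[(source, target, class, {perms})] for every allow rule in the text."""
    flat = " ".join(strip_comments(text).split())   # one line, single spaces
    return [(src, tgt, cls, set(perms.strip("{} ").split()))
            for src, tgt, cls, perms in ALLOW_RE.findall(flat)]


def write_exec_splits(rules):
    """(writer, type, executor): files one domain can write, another can execute."""
    writers, executors = {}, {}
    for src, tgt, cls, perms in rules:
        if cls != "file" or tgt == "self":
            continue
        if perms & WRITE_PERMS:
            writers.setdefault(tgt, set()).add(src)
        if perms & EXEC_PERMS:
            executors.setdefault(tgt, set()).add(src)
    return sorted((w, t, x)
                  for t in writers.keys() & executors.keys()
                  for w in writers[t] for x in executors[t] if w != x)


def watched_perms(rules, domain):
    """Permissions from WATCH_PERMS that `domain` holds, as (target, class, perm)."""
    return sorted((tgt, cls, p) for src, tgt, cls, perms in rules
                  if src == domain for p in perms & WATCH_PERMS)


if __name__ == "__main__":
    rules = parse_allow_rules(POLICY_EXCERPT)
    for w, t, x in write_exec_splits(rules):
        print("write/execute split on %s: written by %s, executable by %s" % (t, w, x))
    for tgt, cls, p in watched_perms(rules, "foxpol_t"):
        print("foxpol_t holds %s on %s:%s" % (p, tgt, cls))
```

Two caveats when reading the output. The check does not show how the break-out in the post happened; it only lists the paths worth closing first. And in targeted policy unconfined_t is already allowed most things, so the explicit unconfined_t rules in the module mostly document intent; the write/execute check earns its keep between two confined domains.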
Preventing homedir relabel of Oracle XE files
by Andrew Kroeger
Greetings:
I just updated to the latest FC5 policy (2.3.7-2), and saw all of the
files in my Oracle XE installation get relabeled to
user_u:object_r:user_home_t. I was able to get Oracle XE installed and
running with SELinux enabled (details available at
http://forums.oracle.com/forums/message.jspa?messageID=1344572 --
registration required), and that got hosed by the relabel.
I initially thought something Oracle-specific had been added to the new
policy and caused the relabel. After some searching, I discovered
entries in /etc/selinux/targeted/contexts/files/file_contexts.homedirs
(which is generated by genhomedircon) that had caused the relabel.
Further investigation showed that genhomedircon ignores "system" users
(UID < 500), but the Oracle RPM creates the "oracle" user as a
non-system user during the install.
Is there any way to provide an exception to the "oracle" user for future
policy updates? I was able to get things working again by re-labeling
the affected files, but I would like to avoid that step for each policy
update that comes out. Also, if specific policies are created for
Oracle XE in the future, would those override the homedir policies for
the non-system "oracle" user, or would there be potential conflicts that
would need to be resolved in that case?
I appreciate any assistance that can be provided in this matter.
Thanks,
Andrew Kroeger
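An added example, not from Andrew's post or from genhomedircon itself: a simplified model of the behaviour he describes, so you can see before a policy update which paths the generated home-directory entries will claim. It reads a passwd file, keeps users above the UID cut-off the post gives (UID < 500 is treated as "system"), builds a home-dir pattern of the shape the file_contexts.homedirs entries use (the home directory and everything under it; the exact generated regex is an assumption here), and reports which user's entry would match a given path and which candidates have a home outside /home. The passwd text and the Oracle path are constructed for the example.

```python
import re

# Constructed /etc/passwd excerpt. The "oracle" line models what the post
# describes: a login-range UID created by the Oracle RPM, home outside /home.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
andrew:x:500:500:Andrew Kroeger:/home/andrew:/bin/bash
oracle:x:501:501:Oracle XE:/usr/lib/oracle/xe:/bin/bash
"""

SYSTEM_UID_MAX = 499   # the cut-off the post gives: genhomedircon ignores UID < 500


def parse_passwd(text):
    """[(name, uid, home)] from passwd(5) text; malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        users.append((parts[0], int(parts[2]), parts[5]))
    return users


def homedir_candidates(users, system_uid_max=SYSTEM_UID_MAX):
    """Users a genhomedircon-style generator would emit home-directory entries for."""
    return [(n, u, h) for n, u, h in users
            if u > system_uid_max and h.rstrip("/") not in ("", "/")]


def homedir_patterns(users, system_uid_max=SYSTEM_UID_MAX):
    """Assumed shape of a generated entry: the home dir and everything below it."""
    return {n: re.compile("^" + re.escape(h.rstrip("/")) + "(/.*)?$")
            for n, _u, h in homedir_candidates(users, system_uid_max)}


def relabel_owner(path, patterns):
    """Name of the user whose generated entry would claim `path`, or None."""
    for name, rx in patterns.items():
        if rx.match(path):
            return name
    return None


def outside_home_root(users, roots=("/home",), system_uid_max=SYSTEM_UID_MAX):
    """Candidates whose home is not under a normal home root: the oracle case."""
    return [(n, h) for n, _u, h in homedir_candidates(users, system_uid_max)
            if not any(h.startswith(r.rstrip("/") + "/") for r in roots)]


if __name__ == "__main__":
    users = parse_passwd(PASSWD_SAMPLE)
    for name, home in outside_home_root(users):
        print("%s: home %s would be labelled as a user home directory" % (name, home))
```

The system_uid_max argument is there so you can see what changes if an account falls below the cut-off: with the same passwd text and a higher threshold the oracle entry disappears from the candidates. Relabel is triggered by the generated patterns, so this is the check to run right after a policy update lands and before restorecon does.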
MCS printing
by Matt Anderson
I've been working on adding SELinux labeling support to the CUPS service
with the goal of meeting all the requirements of an LSPP evaluation.
Even though my goal is a system running the MLS policy I realize that
many users will be using targeted policy and could be interested in
these features.
Specifically one addition is forced page labels. On an MLS system it's
common to see SystemLow-SystemHigh added to the top and bottom of each
printed page, corresponding to the user's level when they sent the job.
For a targeted system there is no level, so "(null)" was being added.
If the system was configured for compartments however that would be
printed, "Reception" or "Lab" could be applied to each page. This is a
configurable option, and not enabled by default, but it seems like it
could be useful for some MCS users. My main question is in the case of
no compartments would you want a marker saying that there wasn't a
compartment, or should the label be left off? Are there any MCS-specific
things I should be aware of that I might otherwise overlook coming at
this from an MLS direction?
thanks
-matt
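An added example, not Matt's code and not part of CUPS: the label-selection logic the question is about, written so the "no compartment" case is an explicit decision rather than whatever str() of a null happens to produce. It splits the job's context, takes the low end of a range as the process's effective level, expands category ranges like c0.c255, and maps categories to names. The category names are an assumed stand-in for the site's MCS translation configuration; the contexts in the test are constructed from the ones quoted on this page.

```python
# Assumed category-to-name mapping for an MCS site. On a real system this
# comes from the MCS translation configuration, not from a dict in the filter.
CATEGORY_NAMES = {0: "Reception", 1: "Lab"}


def parse_level(level):
    """'s0:c0.c255' -> ('s0', {0, ..., 255}); 's0' -> ('s0', set())."""
    sens, _, cats = level.partition(":")
    categories = set()
    if cats:
        for part in cats.split(","):
            lo, _, hi = part.partition(".")   # "c0.c255" is a range, "c1" a single category
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if hi else lo_n
            categories.update(range(lo_n, hi_n + 1))
    return sens, categories


def context_level(ctx):
    """The level field of user:role:type[:level], or None on a context without one."""
    parts = ctx.split(":", 3)
    return parts[3] if len(parts) == 4 else None


def page_label(ctx, names=CATEGORY_NAMES, empty_marker="(no compartment)"):
    """Text to print on each page for a job submitted from context `ctx`.

    Returns None when nothing should be printed: the context has no level at
    all, or it has no categories and empty_marker is None (label left off).
    """
    level = context_level(ctx)
    if level is None:
        return None                       # plain targeted context: never print "(null)"
    current = level.split("-", 1)[0]      # low end of a range is the process's effective level
    _sens, cats = parse_level(current)
    if not cats:
        return empty_marker
    if all(c in names for c in cats):
        return ",".join(names[c] for c in sorted(cats))
    return current.partition(":")[2]      # unnamed categories: print them raw, do not guess


if __name__ == "__main__":
    for ctx in ("user_u:user_r:user_t:s0:c1", "system_u:system_r:NetworkManager_t:s0"):
        print(ctx, "->", page_label(ctx))
```

The marker-or-nothing choice is the empty_marker argument, so the same filter serves both answers to the question in the post; what it never does is print a placeholder that came from a missing field.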
Re: ati driver and selinux
by redhatdude@bellsouth.net
On Sep 14, 2006, at 4:14 PM, Stephen Smalley wrote:
> On Thu, 2006-09-14 at 16:03 -0400, redhatdude(a)bellsouth.net wrote:
>> These are the errors I got
>>
>> type=AVC msg=audit(1158255182.936:396): avc: denied { execmod }
>> for pid=7074 comm="X" name="fglrx_drv.so" dev=dm-0 ino=2328943
>> scontext=user_u:system_r:xdm_xserver_t:s0
>> tcontext=user_u:object_r:lib_t:s0 tclass=file
>> type=SYSCALL msg=audit(1158255182.936:396): arch=40000003 syscall=125
>> success=no exit=-13 a0=f64000 a1=661000 a2=5 a3=bfeb46d0
>> items=0 pid=7074 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
>> subj=user_u:system_r:xdm_xserver_t:s0
>> type=AVC_PATH msg=audit(1158255182.936:396): path="/usr/lib/xorg/modules/drivers/fglrx_drv.so"
>
> Ok, looks like this one has already been added to upstream policy.
> You should be able to do the following:
>
> # /usr/sbin/semanage fcontext -a -t textrel_shlib_t /usr/lib/xorg/modules/drivers/fglrx_drv.so
> # /sbin/restorecon -v /usr/lib/xorg/modules/drivers/fglrx_drv.so
>
> This marks the DSO as requiring text relocations.
>
> --
> Stephen Smalley
> National Security Agency
>
Hi Stephen,
Thanks for helping.
Well. I ran those commands in the terminal and the avc errors are
gone from the audit.log. However, I lost the display. KDM starts but
all I get is a blank screen with or without selinux.
EJ.
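Before labelling a library textrel_shlib_t it is worth confirming that it really carries text relocations; on the command line `readelf -d fglrx_drv.so | grep TEXTREL` does that. As an added example (not from this thread), the same check done by hand: read the ELF header, find the PT_DYNAMIC segment and look for a DT_TEXTREL entry or the DF_TEXTREL bit in DT_FLAGS, which is what the execmod denial above is about. The ELF image used for testing is constructed in build_fake_elf64 and is not the driver; the constants are the standard ones from the ELF specification.

```python
import struct
import sys

# ELF constants used below (from the ELF specification / <elf.h>).
PT_DYNAMIC = 2
DT_NULL, DT_NEEDED, DT_TEXTREL, DT_FLAGS = 0, 1, 16, 30
DF_TEXTREL = 0x4


def dynamic_entries(data):
    """Yield (d_tag, d_val) from the PT_DYNAMIC segment of an ELF32/ELF64 image.

    Stops at DT_NULL; yields nothing for a static binary (no PT_DYNAMIC).
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                        # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        hdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"
    else:
        hdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    dyn_size = struct.calcsize(dyn_fmt)
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        # Field order differs: Elf64_Phdr has p_flags second, Elf32_Phdr has it seventh.
        p_type, p_offset, p_filesz = (ph[0], ph[2], ph[5]) if is64 else (ph[0], ph[1], ph[4])
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, dyn_size):
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            if tag == DT_NULL:
                return
            yield tag, val


def needs_textrel(data):
    """True if the dynamic section declares text relocations (DT_TEXTREL or DF_TEXTREL)."""
    return any(tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL)
               for tag, val in dynamic_entries(data))


def build_fake_elf64(dyn_tags):
    """Constructed test input: a minimal little-endian ELF64 ET_DYN image whose
    only program header is PT_DYNAMIC. Not loadable; it only exercises the parser."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phoff, phentsize = 64, 56
    dyn_off = phoff + phentsize
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, phoff, 0, 0,
                       64, phentsize, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "TEXTREL" if needs_textrel(f.read()) else "no TEXTREL")
```

If the check says no TEXTREL, an execmod denial points at something other than text relocations in that file (the denial is for a mapping being made writable then executable), and relabelling it textrel_shlib_t would hide the symptom rather than explain it.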
ati driver and selinux
by redhatdude@bellsouth.net
Hi,
I installed the ati driver and now selinux doesn't let me start kdm.
I ran audit2allow on the avc errors and this is what I got:
allow xdm_xserver_t lib_t:file execmod;
So, what am I supposed to do with this now?
Please advise.
Thanks,
EJ