RE: FC5, Apache, Bugzilla, SELinux issues
by R Edmonds
Indeed I did. Oh well, at least I got 3 posts in before making an ass of
myself.
OK, next hurdle. The step in Paul's instructions:
# ln -s /usr/share/selinux/devel/Makefile .
I don't have a devel directory in that path. Again, some prerequisite
I'm missing? I double checked for typos this time ;)
Bear with me folks!
>
> You typed "sgi" rather than "cgi"?
>
> getsebool -a will display all booleans and their settings.
>
> --
> Stephen Smalley
> National Security Agency
>
>
17 years, 3 months
FC5, Apache, Bugzilla, SELinux issues
by R Edmonds
Greetings out there in Penguin-land!
I'm going through the rather painful process of installing Bugzilla on an
SELinux FC5 box. I'm almost there now, I think, however I'm trying to add a
local policy to SELinux for allowing Apache to execute .cgi scripts, and
have hit a brick wall.
When I try to hit the Bugzilla page from a browser on the network I get
this:
tail -f /var/log/messages output:
kernel: audit(1167911234.610:20): avc: denied { execute_no_trans } for
pid=28833 comm="httpd" name=" index.cgi" dev=dm-0 ino=34931972
scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
So, following the guide in the Fedora docs here
<http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385>, I generated a
local.te using "audit2allow -m local -l -i /var/log/messages > local.te",
compiled it using "checkmodule -M -m -o local.mod local.te", packaged it
using "semodule_package -o local.pp -m local.mod", then attempted to add it
to the current running policy using "semodule -i local.pp". This point is
where I get stuck. I'm seeing this output when I execute the command:
tail -f /var/log/messages output:
Jan 4 11:56:13 svn kernel: security: 3 users, 6 roles, 1481 types, 152
bools, 1 sens, 256 cats
Jan 4 11:56:13 svn kernel: security: 58 classes, 43474 rules
Jan 4 11:56:13 svn dbus: Can't send to audit system: USER_AVC avc:
received policyload notice (seqno=7) : exe="?" (sauid=81, hostname=?,
addr=?, terminal=?)
Jan 4 11:56:13 svn dbus: Can't send to audit system: USER_AVC avc: 0 AV
entries and 0/512 buckets used, longest chain length 0 : exe="?" (sauid=81,
hostname=?, addr=?, terminal=?)
Jan 4 11:56:13 svn kernel: audit( 1167911773.820:21): policy loaded
auid=4294967295
After looking around, I saw on this mailing list that this might be a bug in
SELinux-Policy that was fixed in version 2.3.14-3. Yum doesn't seem to know
about this newer version. Am I barking up the wrong tree?
17 years, 3 months
Problems with sudo on FC6
by Ted Rule
I'm trying to build a new FC6 machine to replace my aging FC4 box.
As with the FC4 box, I'd like to retain SELinux's strict policy in
enforcing mode.
Eventually, I would like to run the machine up to run-level 5 in strict
enforcing as I had done with FC4. For the present, all the testing is in
run-level 3 on the console itself, as GDM login currently fails with
SELinux enforcing and I haven't yet enabled sshd.
The first big hurdle I'm facing is sudo. On my old FC4 machine, I was
able to add a user to /etc/sudoers, enable the "user_canbe_sysadm"
tunable and recompile and reload the policy. Admittedly, I had to tweak
policy to allow sudo's stdout to be pipeable, but asides from that I
mostly had the ability to leave the machine permanently in
strict/enforcing.
The FC6 machine was installed on a fresh disk, whereafter I
reset /etc/sysconfig/selinux SELINUXTYPE=strict, touched /.autorelabel
and rebooted.
I've updated the machine to all the latest FC6-Updates, in particular:
kernel-2.6.18-1.2869.i686.rpm
selinux-policy-strict-2.4.6-13.fc6.noarch.rpm
Having amended /etc/sudoers to grant a "fred" test user sudo permission,
I saw AVCs indicating the inability of sudo to write
into /var/run/sudo, as well as an AVC indicating that sudo wasn't
allowed to execute /bin/cat, i.e.:
type=USER_AUTH msg=audit(1167906300.693:29): user pid=3072 uid=0
auid=500 subj=user_u:user_r:user_sudo_t:s0 msg='PAM: authentication
acct=fred : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2
res=success)'
type=USER_ACCT msg=audit(1167906300.700:30): user pid=3072 uid=0
auid=500 subj=user_u:user_r:user_sudo_t:s0 msg='PAM: accounting
acct=fred : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2
res=success)'
type=AVC msg=audit(1167906300.700:31): avc: denied { write } for
pid=3072 comm="sudo" name="fred" dev=hda7 ino=420634
scontext=user_u:user_r:user_sudo_t:s0
tcontext=user_u:object_r:pam_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1167906300.700:31): arch=40000003 syscall=5
success=no exit=-13 a0=8c1afd0 a1=241 a2=180 a3=8c1afd0 items=0
ppid=3013 pid=3072 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0
sgid=500 fsgid=0 tty=tty2 comm="sudo" exe="/usr/bin/sudo"
subj=user_u:user_r:user_sudo_t:s0 key=(null)
type=CRED_ACQ msg=audit(1167906300.702:32): user pid=3072 uid=0 auid=500
subj=user_u:user_r:user_sudo_t:s0 msg='PAM: setcred acct=root :
exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2 res=success)'
type=AVC msg=audit(1167906300.702:33): avc: denied { search } for
pid=3072 comm="sudo" scontext=user_u:user_r:user_sudo_t:s0
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1167906300.702:33): arch=40000003 syscall=288
success=no exit=-13 a0=0 a1=fffffffd a2=0 a3=0 items=0 ppid=3013
pid=3072 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=tty2 comm="sudo" exe="/usr/bin/sudo"
subj=user_u:user_r:user_sudo_t:s0 key=(null)
type=USER_START msg=audit(1167906300.703:34): user pid=3072 uid=0
auid=500 subj=user_u:user_r:user_sudo_t:s0 msg='PAM: session open
acct=root : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2
res=success)'
type=USER_END msg=audit(1167906300.703:35): user pid=3072 uid=0 auid=500
subj=user_u:user_r:user_sudo_t:s0 msg='PAM: session close acct=root :
exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2 res=success)'
type=AVC msg=audit(1167906300.704:36): avc: denied { execute } for
pid=3072 comm="sudo" name="cat" dev=hda2 ino=323546
scontext=user_u:user_r:user_sudo_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1167906300.704:36): arch=40000003 syscall=11
success=no exit=-13 a0=806e2e0 a1=bfd618e8 a2=8c26500 a3=8c26500 items=0
ppid=3013 pid=3072 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=tty2 comm="sudo" exe="/usr/bin/sudo"
subj=user_u:user_r:user_sudo_t:s0 key=(null)
Somewhat bizarrely, of course, sudo continues to run even if it fails to
write into /var/run/sudo. I guess this is arguably a bug in sudo itself,
albeit relatively harmless.
Setting SELinux to permissive, sudo worked OK.
I also tried changing "fred" from user_u to staff_u, since FC4 defaulted
to only allowing for staff_u to use sudo, as in:
# semanage login -a -s staff_u fred
I then rm -rf'ed /var/run/sudo/*, and restorecon'ed /home/fred to
correct the home directory labelling.
This also failed with SELinux enforcing, and worked in permissive,
giving similar AVCs where previous references to "user_..." appeared
instead as "staff_...".
I had a look at the various booleans available in the policy, and none
seem to be relevant to this problem.
All in all, I can't see an easy way of making sudo work, but the fact
that the user_sudo_t and staff_sudo_t domains exist implies that the
policy contains support for running sudo from either user_r or staff_r.
Can anyone assist me in getting sudo to work on FC6/strict?
Thanks,
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
17 years, 3 months
vmware beta....needs mount/unmount?
by Tom London
Running latest rawhide, targeted/enforcing.
I'm testing the latest vmware beta (6?).
Seems to want to mount on /proc/fs/vmware-block/mountPoint:
none on /proc/fs/vmware-block/mountPoint type vmware-block (rw)
This produces the following AVC during boot:
type=AVC msg=audit(1167500297.368:6): avc: denied { mount } for
pid=2225 comm="mount" name="/" dev=vmware-block ino=1
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1167500297.368:6): arch=40000003 syscall=21
success=yes exit=0 a0=937cdd8 a1=937ce00 a2=937cde8 a3=c0ed0000
items=0 ppid=2212 pid=2225 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount"
subj=system_u:system_r:mount_t:s0 key=(null)
I believe this is the associated AVC from 'unmount' during shutdown:
type=AVC msg=audit(1167502331.621:34): avc: denied { unmount } for
pid=4269 comm="umount" scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1167502331.621:34): arch=40000003 syscall=22
success=yes exit=0 a0=9f20120 a1=bffc51f0 a2=9f20148 a3=9f20121
items=0 ppid=4268 pid=4269 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="umount"
exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)
This appears to be the script from /etc/init.d/vmware:
# Start the file system blocking driver
vmware_start_vmblock() {
    mkdir -p /tmp/VMwareDnD && chmod 777 /tmp/VMwareDnD
    vmware_exec 'Loading module' vmware_load_module $vmblock
    exitcode=`expr $exitcode + $?`
    mount -t vmware-block none /proc/fs/vmware-block/mountPoint
}
# Stop the file system blocking driver
vmware_stop_vmblock() {
    umount /proc/fs/vmware-block/mountPoint
    vmware_unload_module $vmblock
}
Right way to fix?
tom
--
Tom London
17 years, 3 months
How to 'fix' webalizer problem since FC4?
by Stephen John Smoogen
I installed a new system, and saw that I was getting a set of SELinux
messages every time cron runs. It looks like it is this bug:
Bug 169434 Processed: selinux prevents webalizer running from cron
The message from audit2allow is
allow webalizer_t fs_t:filesystem getattr;
audit2why shows:
type=AVC msg=audit(1167649332.157:607): avc: denied { getattr } for
pid=2739 comm="webalizer" name="/" dev=dm-3 ino=2
scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean
settings; check boolean settings.
You can see the necessary allow rules by running
audit2allow with this audit message as input.
type=AVC msg=audit(1167649332.273:608): avc: denied { getattr } for
pid=2737 comm="webalizer" name="/" dev=dm-3 ino=2
scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean
settings; check boolean settings.
You can see the necessary allow rules by running
audit2allow with this audit message as input.
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
17 years, 3 months
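The Bugzilla, sudo, vmware and webalizer posts above all turn on the same step: reading an "avc: denied" record and deciding what rule (or relabel) would clear it. The following is an added example, not code from any of the posters and not the audit2allow tool itself. It parses AVC records in both forms seen in this thread (the dmesg "kernel: audit(...)" form and the auditd "type=AVC msg=audit(...)" form), merges them into allow rules, and renders a .te module laid out like the "audit2allow -m local" output the Bugzilla post describes; on the webalizer denial it reproduces the exact rule that post quotes. The sample log is constructed from the denials quoted in the posts. The GENERIC_TYPES check is this example's own heuristic: a denial whose target is a catch-all type such as usr_t, unlabeled_t or fs_t usually means the object is mislabeled, and an allow rule against such a type grants far more than a relabel would, so those rules are flagged for review before loading.

```python
"""Minimal audit2allow-style AVC digest (added example, not from the posts).

Parses 'avc: denied' records in both the dmesg form
('kernel: audit(...): avc: denied ...') and the auditd form
('type=AVC msg=audit(...): avc: denied ...'), merges them into allow rules
and renders a policy module skeleton laid out like 'audit2allow -m NAME'.
"""
import re
from collections import defaultdict

# Constructed sample input, assembled from the denials quoted in the posts
# (one SYSCALL record included to show that non-AVC lines are skipped).
SAMPLE_LOG = """\
kernel: audit(1167911234.610:20): avc: denied { execute_no_trans } for pid=28833 comm="httpd" name="index.cgi" dev=dm-0 ino=34931972 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1167906300.700:31): avc: denied { write } for pid=3072 comm="sudo" name="fred" dev=hda7 ino=420634 scontext=user_u:user_r:user_sudo_t:s0 tcontext=user_u:object_r:pam_var_run_t:s0 tclass=dir
type=AVC msg=audit(1167906300.704:36): avc: denied { execute } for pid=3072 comm="sudo" name="cat" dev=hda2 ino=323546 scontext=user_u:user_r:user_sudo_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1167649332.157:607): avc: denied { getattr } for pid=2739 comm="webalizer" name="/" dev=dm-3 ino=2 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1167649332.273:608): avc: denied { getattr } for pid=2737 comm="webalizer" name="/" dev=dm-3 ino=2 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1167649332.273:608): arch=40000003 syscall=195 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (this example's own, not audit2allow's): a denial whose target
# carries one of these catch-all types usually means the object is mislabeled,
# and an allow rule against such a type is far broader than a relabel.
GENERIC_TYPES = {"usr_t", "unlabeled_t", "fs_t", "default_t", "file_t"}


def context_type(ctx):
    """'user:role:type[:range]' -> 'type'."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def collect_rules(log_text):
    """Merge denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return dict(rules)


def fmt_perms(perms):
    """One permission bare, several inside braces, as policy syntax requires."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rule(source, target, tclass, perms):
    return f"allow {source} {target}:{tclass} {fmt_perms(perms)};"


def module_te(name, rules):
    """Render a .te file in the shape produced by 'audit2allow -m NAME'."""
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    by_class = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        by_class[tclass].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(by_class.items())]
    lines += ["}", ""]
    lines += [allow_rule(*key, perms) for key, perms in sorted(rules.items())]
    return "\n".join(lines) + "\n"


def labeling_warnings(rules):
    """Rule keys whose target type suggests a labeling fix, not a new rule."""
    return sorted(key for key in rules if key[1] in GENERIC_TYPES)


if __name__ == "__main__":
    found = collect_rules(SAMPLE_LOG)
    print(module_te("local", found))
    for source, target, tclass in labeling_warnings(found):
        print(f"# check labels first: {source} -> {target}:{tclass}")
```

Run as a script it prints the module for the sample log and flags the httpd-on-usr_t and webalizer-on-fs_t rules for a label check before anyone runs checkmodule and semodule on the result. The real audit2allow also reads the full audit record set and understands booleans and dontaudit rules, which this digest does not attempt.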