ANN: SELinux Policy IDE (SLIDE) version 1.3
by David Sugar
Version 1.3 of the SELinux Policy IDE (SLIDE) from Tresys Technology is
now available for download from the Tresys Open source website at
http://oss.tresys.com.
SLIDE is an Eclipse plug-in that integrates with the SELinux Reference
Policy to provide a development environment for building SELinux policy.
SLIDE Features:
* A graphical user interface for policy development, including policy
syntax highlighting, context suggestions, and integrated compilation.
* Integration with SELinux Reference Policy, including quick lookup and
documentation for interfaces and macros.
* Wizards and easy-to-use templates to automate common tasks, from
creating a new SELinux policy to adding an interface into an existing
module.
* Integrated remote policy installation and audit log monitoring, to
facilitate policy testing.
* Integration with SETools to provide many analysis and auditing
features.
* Seamless integration with the power of standard Eclipse.
Version 1.3 highlights:
* Graphical interface for editing user and rolemap files.
* Modified syntax coloring to include attributes, classes, permissions,
roles, types and users.
* Integration with SETools 3.3 to include some basic analysis features
including TE Rule searching and Domain Transition Analysis.
* Integration with audit2allow to provide a quick and easy way to convert
one or more audit denials into calls to interfaces or allow rules.
* New 'Open Module' dialog to quickly find and open any module based on
name.
* Improved documentation on the open source web site.
* Updates to work with SETools version 3.3.
* Fixed problems with the Console output.
* Bugs fixed with undo/redo when toggling commenting on numerous lines
of policy.
If you would like to contribute, currently the best help would be to
test and provide feedback on the SLIDE plugin and SLIDE Remote.
Dave Sugar
Tresys Technology, LLC
16 years, 4 months
Re: adding only port 1186 to mysqld connect
by Johnny Tan
Eric Paris wrote:
>> 1) Is there a better way to allow mysqld to connect to the
>> cluster nodes besides just allowing mysqld to make any tcp
>> connect?
>
> Maybe. But I don't know. Does name_connect/the socket controls pay
> attention to rules set by SECMARK? If not, I don't know how to make
> this work. Even if it will pay attention to labeling from SECMARK is
> there some sort of iptables matching which would find this?
I glanced over the secmark stuff at:
http://james-morris.livejournal.com/11010.html
Can't say I fully understand it, but right off the bat, I
would say if I'm opening the ephemeral ports for
mysqld_packet_t (is that right?) via iptables, then the main
win for me is that it's not open for all the other ports, in
particular, the privileged ports?
>> 2) If this is changed to the correct behavior in the future,
>> is this something that Red Hat would backport into existing
>> RHELs, like RHEL-5?
>
> Dan might be willing to backport the first port change to RHEL5, I'm
> not sure. I'd suggest opening a BZ against the policy. If SECMARK
> solves your problem (hopefully while I sleep James will answer that
> question) open up a BZ for RHEL5 iptables stating that secmark would
> be a serious win for you (and if you have paid support open it there
> as well) Assuming you do open the secmark BZ please let me know (off
> list if you like) the BZ number. (and most/all of this would only
> possibly be backported to RHEL5, not RHEL4)
We're moving forward with allowing mysqld to make any tcp
connect, just because we have to, for the moment.
But I'm willing to continue working on this (I have a spare
box I can dedicate to testing this), as it's important to
me, and I think it's going to become more common and more
important to others using SELinux with NDB (mysql clustering).
I'll wait for James's reply first before opening BZ, because
it's very possible secmark does what I need.
johnn
16 years, 4 months
Re: adding only port 1186 to mysqld connect
by Johnny Tan
Eric Paris wrote:
> On 12/11/07, Johnny Tan <linuxweb(a)gmail.com> wrote:
>> Stephen Smalley wrote:
>>> On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
>>>> Stephen Smalley wrote:
>>>>>> Then I tried:
>>>>>> semanage port -a -t mysqld_port_t -p tcp 1186
>>>>> What does semanage port -l | grep 1186 show afterward?
>>>> # semanage port -l | grep 1186
>>>> mysqld_port_t tcp 1186, 3306
>>>>
>>>>
>>>>> What do you mean by "didn't work", i.e. same avc message repeated
>>>>> afterward upon subsequent attempts to connect?
>>>> type=AVC msg=audit(1197324654.830:1482): avc: denied {
>>>> name_connect } for pid=20484 comm="mysqld" dest=54859
>>>> scontext=root:system_r:mysqld_t:s0
>>>> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>>>> type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e
>>>> syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10
>>>> a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27
>>>> gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
>>>> tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld"
>>>> subj=root:system_r:mysqld_t:s0 key=(null)
>>> Hmm...that's a bug then - that should work, and seems to work for me on
>>> Fedora 7.
>> I can file a bugzilla. But do you know if these types of
>> changes get backported into RHEL? They're technically not
>> security exploits so I'm guessing "no".
>
> Actually, isn't that AVC saying the port you are connecting to is
> 54859, not 1186?
You're right. I just saw the name_connect and assumed it was
1186 again. It seems it only connects to the cluster
manager on port 1186. Once that's successful (which it now
is with the semanage rule above), it then makes a connection
to every node in the cluster, using ports in the ephemeral
port range.
And it's those extra node connect attempts that are being
denied. There's one denial for every single cluster node. (I
didn't look closely, and thought those were simply multiple
denials for the 1186 connect.)
So, my two follow-up questions are:
1) Is there a better way to allow mysqld to connect to the
cluster nodes besides just allowing mysqld to make any tcp
connect?
2) If this is changed to the correct behavior in the future,
is this something that Red Hat would backport into existing
RHELs, like RHEL-5?
johnn
16 years, 4 months
mounting nfs as httpd_sys_content_t under selinux
by Johnny Tan
I have a NFS mount that I want apache to be able to serve
files from.
According to this doc:
http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/en-US/RHEL510...
I should be able to mount it with a context that will allow
apache to access it.
But when I try the suggested command:
[root@vm-37:~] mount -t nfs -o \
context=system_u:object_r:httpd_sys_content_t \
192.168.1.100:/data/test /mnt/test
It *does* mount, but when I do:
[root@vm-37:~]# ls -lZ /mnt
drwxr-xr-x 65534 65534 system_u:object_r:nfs_t test
It doesn't show the correct context.
(I don't know if it matters that I don't have a user with
UID 65534, only the remote NFS server has that.)
And sure enough, apache still can't serve from it. I see
this in /var/log/messages:
Dec 7 17:30:14 vm-37 kernel: audit(1197066614.787:240):
avc: denied { search } for pid=18066 comm="httpd" name=
"" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Dec 7 17:30:14 vm-37 kernel: audit(1197066614.787:241):
avc: denied { getattr } for pid=18066 comm="httpd" name
="" dev=0:14 ino=4301717509
scontext=root:system_r:httpd_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=dir
When I "setenforce 0", it works. But I want SELinux.
Granted, I could do:
allow httpd_t nfs_t:dir { search getattr };
Well, actually, I haven't tried it but I'm guessing that
that will work. The problem is that I have other nfs
directories that I don't want httpd to access, even
accidentally if we ever point httpd at those directories.
So... any ideas on the nfs mount with the context option?
I'm running CentOS-5.1 with latest updates of everything.
johnn
16 years, 4 months
Re: adding only port 1186 to mysqld connect
by Stephen Smalley
On Tue, 2007-12-11 at 14:57 -0500, Eric Paris wrote:
> On 12/11/07, Johnny Tan <linuxweb(a)gmail.com> wrote:
> > Stephen Smalley wrote:
> > > On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
> > >> Stephen Smalley wrote:
> > >>>> Then I tried:
> > >>>> semanage port -a -t mysqld_port_t -p tcp 1186
> > >>> What does semanage port -l | grep 1186 show afterward?
> > >> # semanage port -l | grep 1186
> > >> mysqld_port_t tcp 1186, 3306
> > >>
> > >>
> > >>> What do you mean by "didn't work", i.e. same avc message repeated
> > >>> afterward upon subsequent attempts to connect?
> > >> type=AVC msg=audit(1197324654.830:1482): avc: denied {
> > >> name_connect } for pid=20484 comm="mysqld" dest=54859
> > >> scontext=root:system_r:mysqld_t:s0
> > >> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> > >> type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e
> > >> syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10
> > >> a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27
> > >> gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
> > >> tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld"
> > >> subj=root:system_r:mysqld_t:s0 key=(null)
> > >
> > > Hmm...that's a bug then - that should work, and seems to work for me on
> > > Fedora 7.
> >
> > I can file a bugzilla. But do you know if these types of
> > changes get backported into RHEL? They're technically not
> > security exploits so I'm guessing "no".
>
> Actually, isn't that AVC saying the port you are connecting to is
> 54859, not 1186?
Ah, good catch, I missed that. In which case semanage and the kernel
are working correctly.
I doubt he wants to map that to mysqld_port_t though - since it comes
from the local port range. So there's a question - should we be mapping
everything in the local port range to a single type for name_connect
checking? name_bind doesn't get checked against that range at all since
the kernel internally allocates from it.
Sounds like a job for secmark to control, but not sure how the port is
originally conveyed to mysqld for use.
--
Stephen Smalley
National Security Agency
16 years, 4 months
adding only port 1186 to mysqld connect
by Johnny Tan
I'm doing mysql clustering (aka NDB). It requires a mysqld
client to connect to the cluster management node on port 1186.
By default, SELinux disallows mysqld from making tcp
connections (except to port 3306, I think?, not sure).
To allow mysqld to connect to the management node, I ran
audit2allow on the denials and got this:
allow mysqld_t port_t:tcp_socket name_connect;
But this rule seems *too* open. Ideally, I'd like it to only
be able to connect on port 1186.
Then I tried:
semanage port -a -t mysqld_port_t -p tcp 1186
But this didn't work either. I think this just allows mysqld
to bind to port 1186. (Or maybe not. Because, even without
this rule, it's still able to bind to 1186 on the management
nodes. So maybe this means something else.)
How would I accomplish adding ONLY port 1186 to what mysqld
can do a tcp connect to?
p.s. Does this patch:
http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg007...
... do what I'm trying to accomplish? I see 1186 is added to
the mysqld network ports.
But either way, since it's a recent commit against Fedora,
I'm guessing it will be some time before it gets into
RHEL-5. Actually, do these types of SELinux targeted-policy
commits even get backported into RHEL? It's not really a
security patch, as such.
johnn
16 years, 4 months
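An added triage helper (not code from any of the posts above) that applies the reasoning of the mysqld thread and the NFS thread to AVC denial lines: a name_connect denial whose dest port sits in the local port range (54859 here) cannot be fixed by one `semanage port` mapping, while denials against nfs_t point at the object's label rather than a port. The sample log is constructed from the quoted denials, and the ephemeral port range is an assumption to confirm on the host.

```python
import re
from collections import Counter

# Constructed sample modelled on the denials quoted in the mysqld and NFS threads above.
SAMPLE_LOG = """\
type=AVC msg=audit(1197324654.830:1482): avc: denied { name_connect } for pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1197324654.900:1483): avc: denied { name_connect } for pid=20484 comm="mysqld" dest=1186 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Dec 7 17:30:14 vm-37 kernel: audit(1197066614.787:240): avc: denied { search } for pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Dec 7 17:30:14 vm-37 kernel: audit(1197066614.787:241): avc: denied { getattr } for pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
"""

# Assumption: the Linux default local (ephemeral) port range of that era; confirm on the
# host with `sysctl net.ipv4.ip_local_port_range` before trusting the classification.
EPHEMERAL_RANGE = (32768, 61000)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one denial in audit.log or syslog form; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "sdomain": fields["scontext"].split(":")[2],  # e.g. mysqld_t, httpd_t
        "ttype": fields["tcontext"].split(":")[2],    # e.g. port_t, nfs_t
        "tclass": fields["tclass"],
        "dest": int(fields["dest"]) if "dest" in fields else None,
    }

def triage(rec):
    """Apply the threads' reasoning: which denials a per-port label can actually fix."""
    if rec["tclass"] == "tcp_socket" and "name_connect" in rec["perms"] and rec["dest"] is not None:
        lo, hi = EPHEMERAL_RANGE
        if lo <= rec["dest"] <= hi:
            return "ephemeral-dest"  # relabelling one port cannot cover a whole range
        return "fixed-port"          # candidate for: semanage port -a -t <type> -p tcp <port>
    return "object-label"            # look at the object's label (ls -Z, mount context=...)

def summarize(log):
    """Count denials by (source domain, target type, class, verdict)."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], triage(rec))] += 1
    return counts
```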
home directory problems with Fedora 8
by Chris Howard
I have previously existing home directories under /u01/home.
I did this because upgrading from FC6 to Fedora 7 caused me trouble
and I want to avoid having to recreate my home directory. So I copied
the whole system into /u01 before doing a fresh Fedora 8 install. I
do not have a separate home-only partition.
SELinux prevents me from making a symbolic link like this:
/home--> /u01/home or like this
/home/chris--> /u01/home/chris.
If I setup a dummy user with home at /home/chris, then
edit /etc/passwd to change the home to /u01/home/chris... that doesn't
work either.
Nor if I create a new user like so:
useradd -d /u01/home/pete pete
Is there something magic about the string '/home' that keeps me from
creating home directories anywhere else?
I'd really love to keep from smashing /home on every OS reload.
For now I have SELinux in Permissive mode so I can at least use the
system.
16 years, 4 months
[Question] How enforcing and permissive differ on start-up
by Shintaro Fujiwara
Hi, I have a question on differences between permissive and enforcing.
I installed courier-imap from source (as always), and configured
courier.te, courier.fc just to apply the installation path to the source installation.
There are two say, daemons, courier_$1_t, i.e. courier_authdaemon_t,
and I had to declare
domain_auto_trans(initrc_t, courier_exec_t, courier_t)
(courier_t was not declared in courier.te, so I did)
as I declared starting script in /etc/rc.d/rc.local.
I set selinux enforcing and found that courier_authdaemon_t started all right,
but courier_t did not.
When I set selinux permissive, it started all right.
How should I fix this problem?
Thanks in advance!
--
Shintaro Fujiwara
segatex project (SELinux policy tool)
http://sourceforge.net/projects/segatex/
Home page
http://intrajp.no-ip.com/
Blog
http://intrajp.no-ip.com/nucleus/
CMS
http://intrajp.no-ip.com/xoops/
Wiki
http://intrajp.no-ip.com/pukiwiki/
16 years, 4 months
Adobe acroread
by John Griffiths
The Adobe acroread rpm from Adobe installs the plugin for
firefox/mozilla, nppdf.so, with a context of system_u:object_r:lib_t.
It will not run with that context because nppdf.so requests text
relocation, so selinux denies firefox loading nppdf.so. nppdf.so needs a
context of system_u:object_r:textrel_shlib_t to run.
Regards,
John Griffiths
16 years, 4 months