Confining TeX
by Jan Kasprzak
Hello,
I am implementing a remote TeX server for our users,
and I would like to confine it using SELinux (FC6, targeted policy).
I need help or suggestions on possible approaches. What I want to do
is the following:
- I have a TeX installation in a separate directory
- I want local users to be able to run TeX commands without restrictions
- I want to have a daemon, running under a separate user, which will handle
remote requests for TeX compilation. Under this user/daemon
the TeX commands should be confined, so that they can only
read TeX data files (the texmf/ tree), execute the TeX sub-commands
(i.e. files under <texroot>/bin/ directory) - including the rights
to the system libraries, locales, etc. as necessary. And the confined
processes should write only to the texmf-var tree (autogenerated
bitmap fonts, etc.) and to the temporary directory, reserved for
TeX outputs (logs, DVI files, dvips outputs, etc.).
My current solution is to create the tex_t domain,
and tex_exec_t, tex_data_t, and tex_tmp_t file types, and make the
daemon run "runcon -t tex_t -- tex myfile.tex" instead of plain
"tex myfile.tex".
Maybe there are better approaches than this:
- maybe the "runcon" is not necessary, and TeX executables can be made to
enter the tex_t domain automatically, when started by the UNIX user
under which the daemon runs.
- or maybe I should use SELinux users or roles instead of domains (?)
- or maybe the daemon should run under its own special domain?
The "runcon" approach also allows local users to compile untrusted
TeX sources, i.e. they can run TeX either under their own context,
or via "runcon" in the confined mode.
Any suggestions?
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
> I will never go to meetings again because I think face to face meetings <
> are the biggest waste of time you can ever have. --Linus Torvalds <
15 years, 7 months
Nagios Web Interface and SELinux
by Ryan Skadberg
I have been trying to get nagios up and running on 2 different
machines. One running FC5 and one running FC6. Nagios itself starts
up fine, but the web interface fails miserably.
When looking at /var/log/messages, I see things like:
Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
I noticed in the selinux-policy-targeted Changelog:
* Wed Jul 26 2006 Dan Walsh <dwalsh(a)redhat.com> 2.3.3-13
- Add nagios policy
This may have been for the program itself or maybe the web interface,
but it sure doesn't seem to be working for me.
Both systems are set to:
SELINUX=enforcing
SELINUXTYPE=targeted
SETLOCALDEFS=0
Anyone have any advice on how to fix this?
Thanks!
Skadz
15 years, 8 months
selinux-policy-2.5.4
by Steve G
Hi,
I am curious about the testing process for policy releases. It seems like every time
a new upstream policy is pulled in, we suddenly have a bunch of avcs. For the
newest policy, 2.5.4, I have all these:
allow avahi_t unlabeled_t : packet { recv send };
allow bluetooth_t lib_t : file execute_no_trans;
allow mount_t security_t : filesystem getattr;
allow postfix_local_t mail_spool_t : file append;
allow postfix_local_t unlabeled_t : packet send;
allow postfix_master_t security_t : filesystem getattr;
allow restorecon_t security_t : filesystem getattr;
allow setrans_t security_t : filesystem getattr;
allow setroubleshootd_t mail_spool_t : lnk_file read;
allow setroubleshootd_t security_t : filesystem getattr;
allow vpnc_t security_t : filesystem getattr;
allow vpnc_t unlabeled_t : packet { recv send };
These are simply from booting and connecting to the network. I haven't even tried
to start X or do any serious work.
-Steve
16 years, 3 months
SELinux stats
by Casper Gasper
I'm looking for some figures on the success rate of SELinux, a count
of vulnerabilities for RHEL/Fedora which are mitigated with targeted
mode.
I'm sure people must have done assessments on it efficacy, but so
far my googling skills have failed me.
thanks,
Casper.
16 years, 3 months
[ANN] SELinux Policy Editor 2.1.0
by Yuichi Nakamura
Hi,
I would like to announce that SELinux Policy Editor (SEEdit) 2.1.0 is released.
SEEdit is a tool that makes SELinux easy.
It supports Fedora Core 6 and CentOS 4.
* Changes from 2.0:
- Merged to Fedora Extras CVS
You can get seedit more easily for Fedora!
- Improved rpm package
- Thanks to reviewers in Fedora bugzilla
- New icons
- Improved performance of policy generation tool
- Created new button "guess policy"
For detail please visit http://seedit.sourceforge.net/
--
Yuichi Nakamura
Hitachi Software Engineering Co., Ltd.
SELinux Policy Editor: http://seedit.sourceforge.net/
16 years, 3 months
login role transition failing on mls livecd
by Joe Nall
I've been working on a fedora livecd that runs the mls policy. When I
login as root via ssh
[root@livecd ~]# id -Z
root:staff_r:staff_t:SystemLow-SystemHigh
but if I login via the console
[root@livecd ~]# id -Z
system_u:system_r:local_login_t:SystemLow-SystemHigh
I'm not transitioning into the correct role/type on a console login.
Any pointers on where to look/what I forgot to create would be
appreciated.
joe
ls -Z `tty`
crw--w---- root tty system_u:object_r:tty_device_t:SystemLow /dev/tty4
Audit from a local login:
type=USER_AUTH msg=audit(1172236367.222:134): user pid=2395 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='PAM: authentication acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_ACCT msg=audit(1172236367.222:135): user pid=2395 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='PAM: accounting acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=LOGIN msg=audit(1172236367.228:136): login pid=2395 uid=0 old auid=4294967295 new auid=0
type=USER_ROLE_CHANGE msg=audit(1172236367.246:137): user pid=2395 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='pam: default-context=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 selected-context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_START msg=audit(1172236367.246:138): user pid=2395 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='PAM: session open acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_LOGIN msg=audit(1172236367.248:140): user pid=2395 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='uid=0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=AVC msg=audit(1172236367.248:141): avc: denied { execute_no_trans } for pid=2401 comm="login" name="bash" dev=dm-0 ino=32771 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1172236367.248:141): arch=40000003 syscall=11 success=yes exit=0 a0=91d56d0 a1=bfde41c0 a2=91d7978 a3=804d2e8 items=0 ppid=2395 pid=2401 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="bash" exe="/bin/bash" subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1172236367.248:141): path="/bin/bash"
type=AVC msg=audit(1172236367.301:142): avc: denied { execute } for pid=2411 comm="bash" name="hostname" dev=dm-0 ino=32832 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1172236367.301:142): avc: denied { execute_no_trans } for pid=2411 comm="bash" name="hostname" dev=dm-0 ino=32832 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: mls
Process contexts:
Current context: system_u:system_r:local_login_t:SystemLow-SystemHigh
Init context: system_u:system_r:init_t:SystemLow-SystemHigh
/sbin/mingetty system_u:system_r:getty_t:SystemLow-SystemHigh
/usr/sbin/sshd system_u:system_r:sshd_t:SystemLow-SystemHigh
File contexts:
Controlling term: system_u:object_r:tty_device_t:SystemLow
/etc/passwd system_u:object_r:etc_t:SystemLow
/etc/shadow system_u:object_r:shadow_t:SystemLow
/bin/bash system_u:object_r:shell_exec_t:SystemLow
/bin/login system_u:object_r:login_exec_t:SystemLow
/bin/sh system_u:object_r:bin_t:SystemLow -> system_u:object_r:shell_exec_t:SystemLow
/sbin/agetty system_u:object_r:getty_exec_t:SystemLow
/sbin/init system_u:object_r:init_exec_t:SystemLow
/sbin/mingetty system_u:object_r:getty_exec_t:SystemLow
/usr/sbin/sshd system_u:object_r:sshd_exec_t:SystemLow
/lib/libc.so.6 system_u:object_r:lib_t:SystemLow -> system_u:object_r:shlib_t:SystemLow
/lib/ld-linux.so.2 system_u:object_r:lib_t:SystemLow -> system_u:object_r:ld_so_t:SystemLow
16 years, 3 months
Re: Postinstall scriptlets failing?
by Stephen Smalley
On Fri, 2007-02-23 at 15:33 +0100, Davide Bolcioni wrote:
> On Friday 23 February 2007 13:50:21 you wrote:
> > On Thu, 2007-02-22 at 13:56 -0500, Daniel J Walsh wrote:
> > > Davide Bolcioni wrote:
> > > > Greetings,
> > > > I just tried the following:
> > > >
> > > > yum install kernel-devel.x86_64
> > > >
> > > > and got
> > > >
> > > > Installing: kernel-devel ######################### [1/1]
> > > > error: %post(kernel-devel-2.6.19-1.2911.fc6.x86_64) scriptlet failed, exit status 255
> > > >
> > > > the failure seems to be related to the following in the audit log:
> > > >
> > > > type=AVC msg=audit(1172166288.763:92): avc: denied { transition } for pid=7023 comm="yum" name="bash" dev=dm-1 ino=409636 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
> > > > type=SYSCALL msg=audit(1172166288.763:92): arch=c000003e syscall=59 success=no exit=-13 a0=3b5afef a1=7fff58604730 a2=4112960 a3=5f74c70 items=0 ppid=6779 pid=7023 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> > > > type=AVC_PATH msg=audit(1172166288.763:92): path="/bin/bash"
> > > >
> > > > which I understand to be a failure to exec() bash, correct?
> > > >
> > > > Apparently, yum is running as system_u:system_r:xdm_t, which I find
> > > > somewhat surprising, but still.
> > > >
> > > > Thank you for your consideration,
> > > > Davide Bolcioni
> > >
> > > There is a problem in the latest version of pam_selinux that is causing
> > > this problem.
> > >
> > > You can either revert to the previous version of pam or wait for the
> > > next update.
> >
> > gdm at least doesn't use pam_selinux AFAICS, so it wouldn't be affected
> > by the pam_selinux bug.
> >
> > If you log out and log back in, is your session still running in xdm_t?
> > That is definitely wrong.
>
> I am using kdm, which definitely includes pam_selinux.so in /etc/pam.d/kdm.
> Why doesn't gdm use pam_selinux ? IIRC the point of PAM was to separate
> authentication, was it ?
gdm has direct selinux support integrated into it. IIRC, we tried using
pam_selinux with it but it performs the pam_open_session() from a
different process than the one that ultimately exec's the user shell, so
it didn't work. pam_selinux isn't authentication; it is setting the
security context for the user shell. Whether or not it belongs in pam
is open to debate, e.g. setting of the uid for the shell doesn't happen
in pam either.
--
Stephen Smalley
National Security Agency
16 years, 3 months
SpamAssassin Log explosion issue following update
by Ted Rule
I recently updated SpamAssassin on my FC6/strict box to
spamassassin-3.1.8-2.fc6.
FWIW, the selinux-policy is currently on
selinux-policy-strict-2.4.6-37.fc6
It seems that the installation may well have partially failed because
I ran "yum update spamassassin" whilst still in enforcing mode.
I erroneously assumed that spamd continued to run OK, as I saw no error
messages during the "yum update".
Sadly, to my horror earlier today, I found that the /var partition was
completely full of log messages from SELinux/spamd, viz:
...
Feb 22 12:08:25 topaz kernel: audit(1172146105.931:9462050): avc: denied { search } for pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
Feb 22 12:08:25 topaz kernel: audit(1172146105.932:9462051): avc: denied { search } for pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
Feb 22 12:08:25 topaz kernel: audit(1172146105.932:9462052): avc: denied { search } for pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
Feb 22 12:08:25 topaz kernel: audit(1172146105.932:9462053): avc: denied { search } for pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
....
In other words, for some reason the "broken" update left the process
running in the unlabeled_t domain, which is a little bizarre.
In any event, I then got a continuous stream of these denials in the log
which eventually filled the log within a few hours.
Note to self: presumably using auditd instead of syslog-ng for storing
these messages would have avoided the filesystem overload. Similarly, I
have yet to check the manual pages for syslog-ng for a max-logfile-size
option which might have avoided the ensuing embarrassment.
After clearing out the massive log files to give spamd and syslog-ng
room to manoeuvre, I then tried looking for the spamd[10329] in the
process list, but found that it was invisible(!), presumably because it
was running as unlabeled_t.
I then tried temporarily enabling the "allow_ptrace" boolean to see if
that helped make the process visible, to no avail.
Finally, I was forced to drop into permissive mode to locate the rogue
PID running in "unlabeled_t".
So then I stopped spamd, went back to enforcing mode, and restarted
spamd, which duly ran in its proper spamd_t domain.
From previous experience I think the strict policy, and perhaps the
targeted policy also, is missing several permissions which allow various
init scripts to be called from within "yum update".
To satisfy my own curiosity, can someone explain how spamd ended up
running in unlabeled_t? Is it somehow related to a process continuing to
run which has no corresponding executable binary?
Following this experience, can I make some suggestions:
a. Please test that rpm/yum update runs without error for any RPM update
on both a strict/enforcing box and a targeted/enforcing box before the
RPM is released to mirrors.
b. Don't expect that yum update can be run in enforcing mode, especially
on packages associated with running daemons.
c. Please can we add a policy permission so that sysadm_t can seek and
destroy unlabeled_t processes with extreme prejudice without recourse to
permissive mode?
Ted
# ps axf | grep 103
14549 pts/1 S+ 0:00 \_ grep 103
# setsebool allow_ptrace=1
# getsebool -a| grep ptrace
allow_ptrace --> on
# ps axf | grep 103
14561 pts/1 S+ 0:00 \_ grep 103
# setenforce 0
# ps axf | grep 103
10329 ? Ss 12:44 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
10331 ? Z 1:23 \_ [spamd] <defunct>
10332 ? Z 0:06 \_ [spamd] <defunct>
14564 pts/1 S+ 0:00 \_ grep 103
# ps axfZ | grep 103
system_u:object_r:unlabeled_t 10329 ? Ss 12:44 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
system_u:object_r:unlabeled_t 10331 ? Z 1:23 \_ [spamd] <defunct>
system_u:object_r:unlabeled_t 10332 ? Z 0:06 \_ [spamd] <defunct>
staff_u:sysadm_r:sysadm_t 14566 pts/1 S+ 0:00 \_ grep 103
# setenforce 1
# ps axfZ | grep 103
staff_u:sysadm_r:sysadm_t 14569 pts/1 S+ 0:00 \_ grep 103
# setenforce 0
# run_init service spamassassin stop
Authenticating root.
Password:
Stopping spamd: [ OK ]
# ps axf | grep spam
14591 pts/1 S+ 0:00 \_ grep spam
# setenforce 1
# run_init service spamassassin start
Authenticating root.
Password:
Starting spamd: [ OK ]
# ps axfZ | grep spam
staff_u:sysadm_r:sysadm_t 14617 pts/1 S+ 0:00 \_ grep spam
system_u:system_r:spamd_t 14612 ? Ss 0:01 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
system_u:system_r:spamd_t 14614 ? S 0:00 \_ spamd child
system_u:system_r:spamd_t 14615 ? S 0:00 \_ spamd child
#
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
16 years, 3 months
Postinstall scriptlets failing?
by Davide Bolcioni
Greetings,
I just tried the following:
yum install kernel-devel.x86_64
and got
Installing: kernel-devel ######################### [1/1]
error: %post(kernel-devel-2.6.19-1.2911.fc6.x86_64) scriptlet failed, exit status 255
the failure seems to be related to the following in the audit log:
type=AVC msg=audit(1172166288.763:92): avc: denied { transition } for pid=7023 comm="yum" name="bash" dev=dm-1 ino=409636 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1172166288.763:92): arch=c000003e syscall=59 success=no exit=-13 a0=3b5afef a1=7fff58604730 a2=4112960 a3=5f74c70 items=0 ppid=6779 pid=7023 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1172166288.763:92): path="/bin/bash"
which I understand to be a failure to exec() bash, correct?
Apparently, yum is running as system_u:system_r:xdm_t, which I find somewhat
surprising, but still.
Thank you for your consideration,
Davide Bolcioni
--
There is no place like /home.
16 years, 3 months
more prelink AVCs
by Tom London
Running latest rawhide, targeted/enforcing.
Getting AVCs for prelink for sudo_exec_t
type=AVC msg=audit(1171985725.828:47): avc: denied { read } for pid=32139 comm="prelink" name="sudoedit" dev=dm-0 ino=5474778 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1171985725.828:47): arch=40000003 syscall=5 success=no exit=-13 a0=a02bcf8 a1=8000 a2=0 a3=0 items=0 ppid=32130 pid=32139 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1171985739.772:48): avc: denied { read } for pid=32139 comm="prelink" name="sudo" dev=dm-0 ino=5474778 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1171985739.772:48): arch=40000003 syscall=5 success=no exit=-13 a0=a02bcf8 a1=8000 a2=0 a3=0 items=0 ppid=32130 pid=32139 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)
tom
--
Tom London
16 years, 3 months
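Several posts above (Nagios, the login role problem, the spamd log explosion, the kernel-devel %post failure, prelink) quote AVC denials in two record styles, and the selinux-policy-2.5.4 post shows the allow-rule form people reduce them to. The script below is an added example, not code from the list or from any project: it parses both record styles as they appear in archived mail (line-wrapped, sometimes run together), folds the denials into allow rules with counts, and flags the spamd case, where the source context carries object_r/unlabeled_t, as a labeling problem that no allow rule would fix. The sample records are quoted from the posts above; the classification heuristic only catches that crude case, not a process merely running in the wrong domain such as yum in xdm_t.

```python
"""AVC denials -> allow rules, plus a labeling-problem check. Added example, not code
from the list; it parses the syslog ("kernel: audit(...): avc:") and auditd ("type=AVC")
record forms quoted in the posts above."""
import re
from collections import defaultdict

# Archive copies are line-wrapped and sometimes run together ("...)'type=AVC"), so
# whitespace is collapsed first and tclass is cut off at a following "type=".
AVC_RE = re.compile(
    r"avc:\s*denied\s*\{\s*(?P<perms>[^}]+?)\s*\}\s*for\s+(?P<fields>.*?)"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>[a-z_]+?)(?=\s|type=|$)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avcs(text):
    """One dict per denial: perms (set), scontext, tcontext, tclass, fields (pid, comm...)."""
    denials = []
    for m in AVC_RE.finditer(re.sub(r"\s+", " ", text)):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append({"perms": set(m.group("perms").split()), "fields": fields,
                        "scontext": m.group("scontext"), "tcontext": m.group("tcontext"),
                        "tclass": m.group("tclass")})
    return denials

def ctx_parts(ctx):
    """user, role, type of a context; the MLS range (if any) is ignored."""
    return ctx.split(":")[:3]

def classify(d):
    """'labeling' when the source is not a domain at all (role object_r or type
    unlabeled_t), as with the spamd left running across the broken update above:
    no allow rule fixes that, the process has to be restarted in its own domain."""
    _, role, typ = ctx_parts(d["scontext"])
    return "labeling" if typ == "unlabeled_t" or role == "object_r" else "policy"

def allow_rules(denials):
    """Merge policy denials per (source, target, class) into the 'allow ...;' lines
    of the selinux-policy-2.5.4 post, each with its occurrence count."""
    perms, counts = defaultdict(set), defaultdict(int)
    for d in denials:
        if classify(d) == "policy":
            key = (ctx_parts(d["scontext"])[2], ctx_parts(d["tcontext"])[2], d["tclass"])
            perms[key] |= d["perms"]
            counts[key] += 1
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        body = " ".join(sorted(p)) if len(p) == 1 else "{ %s }" % " ".join(sorted(p))
        rules.append(("allow %s %s : %s %s;" % (s, t, c, body), counts[(s, t, c)]))
    return rules

# Constructed sample: records quoted from the posts above, one wrapped across lines
# and one run together with the SYSCALL record that followed it.
SAMPLE_LOG = """\
Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi"
dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Feb 22 12:08:25 topaz kernel: audit(1172146105.931:9462050): avc: denied { search } for pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=AVC msg=audit(1172166288.763:92): avc: denied { transition } for pid=7023 comm="yum" name="bash" dev=dm-1 ino=409636 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
res=success)'type=AVC msg=audit(1172236367.248:141): avc: denied { execute_no_trans } for pid=2401 comm="login" name="bash" dev=dm-0 ino=32771 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=filetype=SYSCALL msg=audit(1172236367.248:141): arch=40000003
type=AVC msg=audit(1172236367.301:142): avc: denied { execute } for pid=2411 comm="bash" name="hostname" dev=dm-0 ino=32832 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1172236367.301:142): avc: denied { execute_no_trans } for pid=2411 comm="bash" name="hostname" dev=dm-0 ino=32832 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
"""
```

Running `allow_rules(parse_avcs(SAMPLE_LOG))` yields four rules (httpd_t/lib_t, the two local_login_t rules with the hostname permissions merged into `{ execute execute_no_trans }`, and xdm_t/rpm_script_t) while the spamd denial is reported by `classify` as a labeling problem rather than turned into a rule.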