selinux February 2007

selinux@lists.fedoraproject.org

21 participants
23 discussions

Confining TeX
by Jan Kasprzak 09 Oct '07

09 Oct '07

Hello, I am implementing a remote TeX server for our users, and I would like to confine it using SELinux (FC6, targeted policy). I need help or suggestions on possible approaches. What I want to do is the following: - I have a TeX installation in a separate directory - I want local users to be able to run TeX commands without restrictions - I want to have a daemon, running under a separate user, which will handle remote requests for TeX compilation. Under this user/daemon the TeX commands should be confined, so that they can only read TeX data files (the texmf/ tree), execute the TeX sub-commands (i.e. files under <texroot>/bin/ directory) - including the rights to the system libraries, locales, etc. as necessary. And the confined processes should write only to the texmf-var tree (autogenerated bitmap fonts, etc.) and to the temporary directory, reserved for TeX outputs (logs, DVI files, dvips outputs, etc.). My current solution is to create the tex_t domain, and tex_exec_t, tex_data_t, and tex_tmp_t file types, and make the daemon run "runcon -t tex_t -- tex myfile.tex" instead of plain "tex myfile.tex". Maybe there are better approaches than this: - maybe the "runcon" is not necessary, and TeX executables can be made to enter the tex_t domain automatically, when started by the UNIX user under which the daemon runs. - or maybe I should use SELinux users or roles instead of domains (?) - or maybe the daemon should run under its own special domain? The "runcon" approach allows local users to compile also untrusted TeX sources - i.e. they can be able to run TeX either under their own context, or via "runcon" in the confined mode. Any suggestions? -Yenya -- | Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> | | GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E | | http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ | > I will never go to meetings again because I think face to face meetings < > are the biggest waste of time you can ever have. --Linus Torvalds <

2 2

Nagios Web Interface and SELinux
by Ryan Skadberg 12 Sep '07

12 Sep '07

I have been trying to get nagios up and running on 2 different machines. One running FC5 and one running FC6. Nagios itself starts up fine, but the web interface fails miserably. When looking at /var/log/messages, I see things like: Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file I noticed in the selinux-policy-targeted Changelog: * Wed Jul 26 2006 Dan Walsh <dwalsh(a)redhat.com> 2.3.3-13 - Add nagios policy This may have been for the program itself or maybe the web interface, but it sure doesn't seem to be working for me. Both systems are set to: SELINUX=enforcing SELINUXTYPE=targeted SETLOCALDEFS=0 Anyone have any advice on how to fix this? Thanks! Skadz

3 4

selinux-policy-2.5.4
by Steve G 26 Feb '07

26 Feb '07

Hi, I am curious about the testing process for policy releases. Seems like everytime a new upstream policy is pulled in, we suddenly have a bunch of avcs. For the newest policy, 2.5.4, I have all these: allow avahi_t unlabeled_t : packet { recv send }; allow bluetooth_t lib_t : file execute_no_trans; allow mount_t security_t : filesystem getattr; allow postfix_local_t mail_spool_t : file append; allow postfix_local_t unlabeled_t : packet send; allow postfix_master_t security_t : filesystem getattr; allow restorecon_t security_t : filesystem getattr; allow setrans_t security_t : filesystem getattr; allow setroubleshootd_t mail_spool_t : lnk_file read; allow setroubleshootd_t security_t : filesystem getattr; allow vpnc_t security_t : filesystem getattr; allow vpnc_t unlabeled_t : packet { recv send }; These are simply from booting and connecting to the network. I haven't even tried to start X or do any serious work. -Steve ____________________________________________________________________________________ No need to miss a message. Get email on-the-go with Yahoo! Mail for Mobile. Get started. http://mobile.yahoo.com/mail

2 2

SELinux stats
by Casper Gasper 25 Feb '07

25 Feb '07

I'm looking for some figures on the success rate of SELinux, a count of vulnerabilities for RHEL/Fedora which are mitigated with targeted mode. I'm sure people must have done assessments on it efficacy, but so far my googling skills have failed me. thanks, Casper.

1 0

[ANN] SELinux Policy Editor 2.1.0
by Yuichi Nakamura 25 Feb '07

25 Feb '07

Hi, I would like to announce SELinux Policy Editor(SEEdit) 2.1.0 is released. SEEdit is a tool that makes SELinux easy. It supports Fedora Core 6 and Cent OS4. * Changes from 2.0: - Merged to Fedora Extras CVS You can get seedit more easily for Fedora! - Improved rpm package - Thanks to reviewers in Fedora bugzilla - New icons - Improved performance of policy generation tool - Created new button "guess policy" For detail please visit http://seedit.sourceforge.net/ -- Yuichi Nakamura Hitachi Software Engineering Co., Ltd. SELinux Policy Editor: http://seedit.sourceforge.net/

1 0

23 Feb '07

I've been working on a fedora livecd that runs the mls policy. When I login as root via ssh [root@livecd ~]# id -Z root:staff_r:staff_t:SystemLow-SystemHigh but if I login via the console [root@livecd ~]# id -Z system_u:system_r:local_login_t:SystemLow-SystemHigh I'm not transitioning into the correct role/type on a console login. Any pointers on where to look/what I forgot to create would be appreciated. joe ls -Z `tty` crw--w---- root tty system_u:object_r:tty_device_t:SystemLow /dev/tty4 Audit from a login local login: type=USER_AUTH msg=audit(1172236367.222:134): user pid=2395 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='PAM: authentication acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=USER_ACCT msg=audit(1172236367.222:135): user pid=2395 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='PAM: accounting acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=LOGIN msg=audit(1172236367.228:136): login pid=2395 uid=0 old auid=4294967295 new auid=0 type=USER_ROLE_CHANGE msg=audit(1172236367.246:137): user pid=2395 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='pam: default-context=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 selected-context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=USER_START msg=audit(1172236367.246:138): user pid=2395 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='PAM: session open acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=USER_LOGIN msg=audit(1172236367.248:140): user pid=2395 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='uid=0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'type=AVC msg=audit(1172236367.248:141): avc: denied { execute_no_trans } for pid=2401 comm="login" name="bash" dev=dm-0 ino=32771 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=filetype=SYSCALL msg=audit(1172236367.248:141): arch=40000003 syscall=11 success=yes exit=0 a0=91d56d0 a1=bfde41c0 a2=91d7978 a3=804d2e8 items=0 ppid=2395 pid=2401 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="bash" exe="/bin/bash" subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 key=(null) type=AVC_PATH msg=audit(1172236367.248:141): path="/bin/bash" type=AVC msg=audit(1172236367.301:142): avc: denied { execute } for pid=2411 comm="bash" name="hostname" dev=dm-0 ino=32832 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file type=AVC msg=audit(1172236367.301:142): avc: denied { execute_no_trans } for pid=2411 comm="bash" name="hostname" dev=dm-0 ino=32832 scontext=system_u:system_r:local_login_t:s0- s15:c0.c1023 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file sestatus -v SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 21 Policy from config file: mls Process contexts: Current context: system_u:system_r:local_login_t:SystemLow-SystemHigh Init context: system_u:system_r:init_t:SystemLow- SystemHigh /sbin/mingetty system_u:system_r:getty_t:SystemLow- SystemHigh /usr/sbin/sshd system_u:system_r:sshd_t:SystemLow- SystemHigh File contexts: Controlling term: system_u:object_r:tty_device_t:SystemLow /etc/passwd system_u:object_r:etc_t:SystemLow /etc/shadow system_u:object_r:shadow_t:SystemLow /bin/bash system_u:object_r:shell_exec_t:SystemLow /bin/login system_u:object_r:login_exec_t:SystemLow /bin/sh system_u:object_r:bin_t:SystemLow -> system_u:object_r:shell_exec_t:SystemLow /sbin/agetty system_u:object_r:getty_exec_t:SystemLow /sbin/init system_u:object_r:init_exec_t:SystemLow /sbin/mingetty system_u:object_r:getty_exec_t:SystemLow /usr/sbin/sshd system_u:object_r:sshd_exec_t:SystemLow /lib/libc.so.6 system_u:object_r:lib_t:SystemLow -> system_u:object_r:shlib_t:SystemLow /lib/ld-linux.so.2 system_u:object_r:lib_t:SystemLow -> system_u:object_r:ld_so_t:SystemLow

2 2

Re: Posttinstall scriptlets failing ?
by Stephen Smalley 23 Feb '07

23 Feb '07

On Fri, 2007-02-23 at 15:33 +0100, Davide Bolcioni wrote: > On Friday 23 February 2007 13:50:21 you wrote: > > On Thu, 2007-02-22 at 13:56 -0500, Daniel J Walsh wrote: > > > Davide Bolcioni wrote: > > > > Greeetings, > > > > I just tried the following: > > > > > > > > yum install kernel-devel.x86_64 > > > > > > > > and got > > > > > > > > Installing: kernel-devel ######################### > > > > [1/1] error: %post(kernel-devel-2.6.19-1.2911.fc6.x86_64) scriptlet > > > > failed, exit status 255 > > > > > > > > the failure seems to be related to the following in the audit log: > > > > > > > > type=AVC msg=audit(1172166288.763:92): avc: denied { transition } for > > > > pid=7023 comm="yum" name="bash" dev=dm-1 ino=409636 > > > > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > > > > tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process > > > > type=SYSCALL msg=audit(1172166288.763:92): arch=c000003e syscall=59 > > > > success=no exit=-13 a0=3b5afef a1=7fff58604730 a2=4112960 a3=5f74c70 > > > > items=0 ppid=6779 pid=7023 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 > > > > egid=0 sgid=0 fsgid=0 tty=pts0 comm="yum" exe="/usr/bin/python" > > > > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) > > > > type=AVC_PATH msg=audit(1172166288.763:92): path="/bin/bash" > > > > > > > > which I understand being a failure to exec() bash, correct ? > > > > > > > > Apparently, yum is running as system_u:system_r:xdm_t, which I find > > > > somewhat surprising, but still. > > > > > > > > Thank you for your consideration, > > > > Davide Bolcioni > > > > > > There is a problem in the latest version of pam_selinux that is causing > > > this problem. > > > > > > You can either revert to the previous version of pam or wait for the > > > next update. > > > > gdm at least doesn't use pam_selinux AFAICS, so it wouldn't be affected > > by the pam_selinux bug. > > > > If you log out and log back in, is your session still running in xdm_t? > > That is definitely wrong. > > I am using kdm, which definitely includes pam_selinux.so in /etc/pam.d/kdm. > Why doesn't gdm use pam_selinux ? IIRC the point of PAM was to separate > authentication, was it ? gdm has direct selinux support integrated into it. IIRC, we tried using pam_selinux with it but it performs the pam_open_session() from a different process than the one that ultimately exec's the user shell, so it didn't work. pam_selinux isn't authentication; it is setting the security context for the user shell. Whether or not it belongs in pam is open to debate, e.g. setting of the uid for the shell doesn't happen in pam either. -- Stephen Smalley National Security Agency

1 0

SpamAssassin Log explosion issue following update
by Ted Rule 23 Feb '07

23 Feb '07

I recently updated SpamAssassin on my FC6/strict box to spamassassin-3.1.8-2.fc6. FWIW, the selinux-policy is currently on selinux-policy-strict-2.4.6-37.fc6 It seems that the installation may well have partially failed because I ran "yum update spamassassin" whilst still in enforcing mode. I erroneously assumed that spamd continued to run Ok, as I saw no error messages during the "yum update". Sadly, to my horror earlier today, I found that the /var partition was completely full of log messages from SELinux/spamd, viz: ... Feb 22 12:08:25 topaz kernel: audit(1172146105.931:9462050): avc: denied { search } for pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir Feb 22 12:08:25 topaz kernel: audit(1172146105.932:9462051): avc: denied { search } for pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir Feb 22 12:08:25 topaz kernel: audit(1172146105.932:9462052): avc: denied { search } for pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir Feb 22 12:08:25 topaz kernel: audit(1172146105.932:9462053): avc: denied { search } for pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir .... In other words, for some reason the "broken" update left the process running in the unlabeled_t domain, which is a little bizarre. In any event, I then got a continuous stream of these denials in the log which eventually filled the log within a few hours. Note to self: presumably using auditd instead of syslog-ng for storing these messages would have avoided the filesystem overload. Similarly, I have yet to check the manual pages for syslog-ng for a max-logfile-size option which might have avoided the ensuing embarrassment. After clearing out the massive log files to give spamd and syslog-ng room to manoeuvre, I then tried looking for the spamd[10329] in the process list, but found that it was invisible(!), presumably because it was running as unlabeled_t. I then tried temporarily enabling the "allow_ptrace" boolean to see if that helped make the process visible, to no avail. Finally, I was forced to drop into permissive mode to locate the rogue PID running in "unlabeled_t". So then I stopped spamd, went back to enforcing mode, and restarted spamd, which duly ran in its proper spamd_t domain. >From previous experiences I think the strict policy, and perhaps the targeted policy also, is missing several permissions which allow various init scripts to be called from within "yum update". To satisfy my own curiousity, can someone explain how spamd ended up running in unlabeled_t? Is it somehow related to a process continuing to run which has no corresponding executable binary? Following this experience, can I make some suggestions: a. Please test that rpm/yum update runs without error for any RPM update on both a strict/enforcing box and a targeted/enforcing box before the RPM is released to mirrors. b. Don't expect that yum update can be run in enforcing mode, especially on packages associated with running daemons. c. Please can we add a policy permission so that sysadm_t can seek and destroy unlabeled_t processes with extreme prejudice without recourse to permissive mode? Ted # ps axf | grep 103 14549 pts/1 S+ 0:00 \_ grep 103 # setsebool allow_ptrace=1 # getsebool -a| grep ptrace allow_ptrace --> on # ps axf | grep 103 14561 pts/1 S+ 0:00 \_ grep 103 # setenforce 0 # ps axf | grep 103 10329 ? Ss 12:44 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid 10331 ? Z 1:23 \_ [spamd] <defunct> 10332 ? Z 0:06 \_ [spamd] <defunct> 14564 pts/1 S+ 0:00 \_ grep 103 # ps axfZ | grep 103 system_u:object_r:unlabeled_t 10329 ? Ss 12:44 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid system_u:object_r:unlabeled_t 10331 ? Z 1:23 \_ [spamd] <defunct> system_u:object_r:unlabeled_t 10332 ? Z 0:06 \_ [spamd] <defunct> staff_u:sysadm_r:sysadm_t 14566 pts/1 S+ 0:00 \_ grep 103 # setenforce 1 # ps axfZ | grep 103 staff_u:sysadm_r:sysadm_t 14569 pts/1 S+ 0:00 \_ grep 103 # setenforce 0 # run_init service spamassassin stop Authenticating root. Password: Stopping spamd: [ OK ] # ps axf | grep spam 14591 pts/1 S+ 0:00 \_ grep spam # setenforce 1 # run_init service spamassassin start Authenticating root. Password: Starting spamd: [ OK ] # ps axfZ | grep spam staff_u:sysadm_r:sysadm_t 14617 pts/1 S+ 0:00 \_ grep spam system_u:system_r:spamd_t 14612 ? Ss 0:01 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid system_u:system_r:spamd_t 14614 ? S 0:00 \_ spamd child system_u:system_r:spamd_t 14615 ? S 0:00 \_ spamd child # -- Ted Rule Director, Layer3 Systems Ltd W: http://www.layer3.co.uk/

3 4

Posttinstall scriptlets failing ?
by Davide Bolcioni 23 Feb '07

23 Feb '07

Greeetings, I just tried the following: yum install kernel-devel.x86_64 and got Installing: kernel-devel ######################### [1/1] error: %post(kernel-devel-2.6.19-1.2911.fc6.x86_64) scriptlet failed, exit status 255 the failure seems to be related to the following in the audit log: type=AVC msg=audit(1172166288.763:92): avc: denied { transition } for pid=7023 comm="yum" name="bash" dev=dm-1 ino=409636 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process type=SYSCALL msg=audit(1172166288.763:92): arch=c000003e syscall=59 success=no exit=-13 a0=3b5afef a1=7fff58604730 a2=4112960 a3=5f74c70 items=0 ppid=6779 pid=7023 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC_PATH msg=audit(1172166288.763:92): path="/bin/bash" which I understand being a failure to exec() bash, correct ? Apparently, yum is running as system_u:system_r:xdm_t, which I find somewhat surprising, but still. Thank you for your consideration, Davide Bolcioni -- There is no place like /home.

3 2

more prelink AVCs
by Tom London 20 Feb '07

20 Feb '07

Running latest rawhide, targeted/enforcing. Getting AVCs for prelink for sudo_exec_t type=AVC msg=audit(1171985725.828:47): avc: denied { read } for pid=32139 comm="prelink" name="sudoedit" dev=dm-0 ino=5474778 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file type=SYSCALL msg=audit(1171985725.828:47): arch=40000003 syscall=5 success=no exit=-13 a0=a02bcf8 a1=8000 a2=0 a3=0 items=0 ppid=32130 pid=32139 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1171985739.772:48): avc: denied { read } for pid=32139 comm="prelink" name="sudo" dev=dm-0 ino=5474778 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file type=SYSCALL msg=audit(1171985739.772:48): arch=40000003 syscall=5 success=no exit=-13 a0=a02bcf8 a1=8000 a2=0 a3=0 items=0 ppid=32130 pid=32139 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null) tom -- Tom London

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux February 2007