selinux July 2007

selinux@lists.fedoraproject.org

35 participants
45 discussions

remote logging and sealert
by Jan-Frode Myklebust 29 Jul '07

29 Jul '07

We run a centralized syslog server, and separate all syslogged avc into a separate log file. Is it possible to have setroubleshooter/sealert use this log file ? -jf

1 0

crond wants 'entrypoint' for updpwd_exec_t
by Tom London 28 Jul '07

28 Jul '07

Rawhide, targeted/enforcing. Seeing the below. Sort of remember something similar (May 30 according to gmail) that seemed to be resolved by pam: http://www.redhat.com/archives/fedora-selinux-list/2007-May/msg00095.html This similar? tom type=AVC msg=audit(1185663661.818:55): avc: denied { entrypoint } for pid=8356 comm="crond" path="/sbin/unix_update" dev=dm-0 ino=11338066 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file type=SYSCALL msg=audit(1185663661.818:55): arch=40000003 syscall=11 success=no exit=-13 a0=2c2918 a1=bffa858c a2=2c4408 a3=400 items=0 ppid=8355 pid=8356 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) -- Tom London

1 0

Re: Containing vmware player 2.0.0 with SELINUX
by Louis Lam 28 Jul '07

28 Jul '07

My mistakes, apologies for the confusion, under part 2, I was trying to do domain_auto_trans instead of doman_entry_file, so... 2. Created a domain transition so that the vmware user programs e.g. /usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are labelleled system_u:object_r:vmware_exec_t will transit to system_u:object_r:vmware_t when executed. I put it also in vmware.te: domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t) but on making the vmware.pp module I get this warning and error: 'syntax error' at token '1' on line 81143: #line 13 allow $1_t vmware_exec_t: file {getattr read execute}; Thanks in advance, Louis ----- Original Message ---- From: Louis Lam <lshoujun(a)yahoo.com> To: Daniel J Walsh <dwalsh(a)redhat.com> Cc: fedora-selinux-list(a)redhat.com Sent: Friday, July 27, 2007 5:05:05 AM Subject: Re: Containing vmware player 2.0.0 with SELINUX Thanks Daniel for the information, hi everyone I've tried to make the following changes: 1. Defined the vmware_t type in vmware.te: type vmware_t; I need to do this since I'm trying to let the vmware user program run under vmware_t domain but this is not defined. In terms of overall code compliance is it correct to define here? or should be at the vmware.if? 2. Created a domain transition so that the vmware user programs e.g. /usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are labelleled system_u:object_r:vmware_exec_t will transit to system_u:object_r:vmware_t when executed. I put it also in vmware.te: domain_entry_file($1_t, vmware_exec_t, $1_vmware_t) but on making the vmware.pp module I get this warning and error: 'syntax error' at token '1' on line 81143: #line 13 allow $1_t vmware_exec_t: file entrypoint; Not very sure what this means and how it should be corrected. Thanks in advance, Louis ----- Original Message ---- From: Daniel J Walsh <dwalsh(a)redhat.com> To: Louis Lam <lshoujun(a)yahoo.com> Cc: Ken YANG <spng.yang(a)gmail.com>; fedora-selinux-list(a)redhat.com Sent: Wednesday, July 25, 2007 3:12:56 PM Subject: Re: Containing vmware player 2.0.0 with SELINUX Louis Lam wrote: > Hi All, > > Still on the topic of transition between a file vmware_exec_t to vmware_t. > > Under the vmware.if file, there is a: > > domain_entry_file($1_vmware_t, vmware_exec_t) > role $3 types $1_vmware_t > > Is this a rule that allows files marked with vmware_exec_t to transit > to vmware_t? What does the $1,$2,$3 represent? Pardon my ignorance on > this but i see these $1, $2 things appear in a lot of places which > confuse me. Can anyone point me to a place to learn more about the > substitutions? > This just says that files labeled vmware_exec_t can be used as entrypoints into the $1_vmware_t, where $1 is a user type. "user", "staff", "guest", "xguest". The next line specifies which roles can reach the specified domain. No transition rules have been defined. > For the transition to take place I'd probably need to add something > like this: > > domain_auto_trans(initrc_t, vmware_exec_t, vmware_t) > Yes this allows it to reach this particular domain. But to reach the user domains defined above. domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t) or domain_auto_trans(user_t, vmware_exec_t, user_vmware_t) > That is following the suggestion below by Daniel to make the > /usr/bin/vmplayer script initrc_exec_t. > > But not too sure where to place this statement, in vmware.te? > > I tried that but get a compilation error > > vmware.te:13:ERROR: 'unknown type vmware_t' at token ';' > Yes I was mistaken. That is not the way the policy is written. ( I guess I should read before I speak.) If you want to get vmware to transition from unconfined_t you will have to write the transition rules from uncofined_t to unconfined_vmware_t. > I thought vmware_t has been defined in vmware.if? > > Thanks in Advance, > Best Regards, > Louis > > ----- Original Message ---- > From: Daniel J Walsh <dwalsh(a)redhat.com> > To: Louis Lam <lshoujun(a)yahoo.com> > Cc: Ken YANG <spng.yang(a)gmail.com>; fedora-selinux-list(a)redhat.com > Sent: Monday, July 16, 2007 1:24:00 PM > Subject: Re: Containing vmware player 2.0.0 with SELINUX > > Louis Lam wrote: > > Hi All, > > > > I managed to get the vmware host services e.g. vmnet-bridge, > vmnet-dhcpd etc... to be running in > > vmware_host_t domain. I did it by modifying the net-services.sh as > described in an earlier post. > > > > Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it > is similar for vmware ws 6) to > > run in vmware_t domain. First i tried to chcon /usr/bin/vmplayer to > > system_u:object_r:vmware_exec_t. But it turns out that > /usr/bin/vmplayer is a script that would in > > turn execute /usr/lib/vmware/bin/vmplayer. I have chcon > /usr/lib/vmware/bin/vmplayer to > > system_u:object_r:vmware_exec_t but still it runs in unconfined_t > when i launched it. I seems like > > the domain transition didn't take place. Please help. > > > > 1. What should be the context for the /usr/bin/vmplayer script? Does > it affect the transition of > > the actual executable /usr/lib/vmware/bin/vmplayer? > > > > 2. For those who could get vmware workstation 6 to run how did you > get it to run in vmware_t > > domain? > > > > > There is currently no transition from unconfined_t to vmware_t. So the > only way to get > the transition to happen is through the initrc script. You could label > the vmplayer script > initrc_exec_t and the transitions should happen properly. > > THanks, > > Louis > > > > --- Daniel J Walsh <dwalsh(a)redhat.com> wrote: > > > > > >> Ken YANG wrote: > >> > >>> Daniel J Walsh wrote: > >>> > >>> > >>>> Louis Lam wrote: > >>>> > >>>> > >>>>> Hi all, > >>>>> > >>>>> At this point i'm still trying to use SELINUX to "contain" vmware > >>>>> player, making it run in > >>>>> targeted mode. > >>>>> > >>>>> I'm still rather new to this but through the help of Ken, i've been > >>>>> able to manipulate modules and > >>>>> get it to "affect" the vmware player but at this point my vmware > >>>>> player is still "broken". > >>>>> Would anyone be able to share their configurations (.te,.fc,.if) > file > >>>>> if you've managed to get it > >>>>> to work with vmware player or vmware-workstation 6 ? CUrrently i'm > >>>>> working with Fedora 7 but > >>>>> intend to port it back to RHEL 5. > >>>>> > >>>>> I've downloaded the latest reference policy from oss and > examined the > >>>>> vmware relevant files. From > >>>>> examining the vmware.fc and > >>>>> "/etc/selinux/targeted/modules/active/file_context", seems like the > >>>>> vmware.fc file could have been written for an older/different > version > >>>>> of vmware where the vmnet > >>>>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer > >>>>> 2/workstation 6. Which > >>>>> version was it written for? > >>>>> > >>>>> > >>>>> > >>>>> > >>>> There is vmware policy that we are starting to use in Rawhide (fc8) > >>>> > >>>> > >>>>> I went on to modify the vmware.fc file and managed to compile > and load > >>>>> the vmware.pp module. But > >>>>> currently this affected the vmware services at startup, e.g. > >>>>> vmnet-dhcpd. For vmware, when > >>>>> something fails to start, it would ask me to rum vmware-config.pl > >>>>> again when i restart it. Doing > >>>>> this would recreate the /dev/vmnet* files over again but it will not > >>>>> have the right context, > >>>>> defaulting to "device_t" instead of "vmware_device_t" that i have > >>>>> modified. The line in my > >>>>> vmware.fc looks like this: > >>>>> > >>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>>> > >>>>> I was thinking that if the script has created a new /dev/vmnet > file it > >>>>> would automatically use the > >>>>> vmware_device_t context but it didn't. Did i miss out anything? > >>>>> > >>>>> > >>>>> > >>>> The problem here is the script is running as initrc_t which has > no rules > >>>> when creating devices in directories labeled device_t (/dev) So > it uses > >>>> the default and labels the devices the same as the > directory. Usually > >>>> when we have this situation, we just run restorecon /dev/XYZ > after the > >>>> creation, > >>>> for example > >>>> > >>>> mknod /dev/XYZ > >>>> chmod 666 /dev/XYZ > >>>> restorecon /dev/XYZ > >>>> > >>>> > >>> as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh > >>> who create such devices: > >>> > >>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2 > <http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2> > >>> > >>> > >>> i notice "/dev" is tmpfs: > >>> > >>> -(:14:45:$)-> cat /proc/mounts > >>> rootfs / rootfs rw 0 0 > >>> /dev/root / ext3 rw,data=ordered 0 0 > >>> /dev /dev tmpfs rw 0 0 > >>> ...... > >>> > >>> i want to add rules in policy: > >>> > >>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t; > >>> > >>> additionally i don't know what type of the net-services.sh, now it is: > >>> > >>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh > >>> > >>> > >>> is this method appropriate? > >>> > >>> > >>> > >>> > >>> > >>> > >>>>> What is the two "--" on the line mean? are they significant? > >>>>> > >>>>> > >>>>> > >>>> The -- indicates that this matches only files. > >>>> > >>>> -d directories > >>>> -s sock_file > >>>> -l link file > >>>> -c char_file > >>>> ... > >>>> > >>>> Second character matches the first character of the ls -l line > >>>> > >>>> ls -l /dev/ttyS0 > >>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0 > >>>> > >>>> If you have no option specified it would match any file type. > >>>> > >>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>> > >>>> > >>>> Would match only "Regular files" with this labels. So you would be > >>>> better off with -c (or -b if they are block devices). > >>>> > >>>> > >>>>> Sorry about the long post, any help or advice? Thanks. > >>>>> > >>>>> Louis > >>>>> Send instant messages to your online friends > >>>>> http://uk.messenger.yahoo.com > >>>>> -- > >>>>> fedora-selinux-list mailing list > >>>>> fedora-selinux-list(a)redhat.com > >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >>>>> > >>>>> > >>>>> > >>>> -- > >>>> fedora-selinux-list mailing list > >>>> fedora-selinux-list(a)redhat.com > >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >>>> > >>>> > >>>> > >>> > >>> > >> One approach to this would be to label the /etc/init.d/vmware script > >> vmware_initrc_exec_t and then setup the proper transitions. > >> > >> This is something we are considering for RBAC. For example we want to > >> allow the webadm_t to be able to only restart/execute the httpd > >> script. Currently we have to allow him to execute any initrc script, > >> although we can prevent him from starting other confined domains. > >> A cleaner solution might be to label the script differently and setup > >> another domain for the script to transition to. > >> > >> > > > > > > Send instant messages to your online friends > http://uk.messenger.yahoo.com > > > > > > Send instant messages to your online friends > http://uk.messenger.yahoo.com Send instant messages to your online friends http://uk.messenger.yahoo.com Send instant messages to your online friends http://uk.messenger.yahoo.com

2 1

loadkeys.... I see red.... (minor)
by Tom London 27 Jul '07

27 Jul '07

Running latest Rawhide, targeted/enforcing. On boot, I get failure message from rc.sysinit when loading keymap. System->Administration->Keyboard produces AVCs, so I suspect the bootup failure is related. Appears that loadkeys will try to search current working directory for keymap file if its argument is not an 'absolute path'. So, s-c-keyboard will try to search /home and /home/<user>. Not sure which directory loadkeys runs in during rc.sysinit. I've thought of the following options: 1. Change rc.sysinit to include full path in call to loadkeys. That will probably turn RED message on boot to GREEN. But, s-c-keyboard will still produce AVCs. [Seems to 'work', however.] 2. Change loadkeys to only look at /lib/kbd. I'm guessing this is not likely, nor correct. 3. Allow loadkeys_t to search home_dir_t and home_root_t or DONTAUDIT. 4. Other? Combination? tom -- Tom London

3 3

insmod_t wants setsched
by Tom London 27 Jul '07

27 Jul '07

Get these during boot and shutdown.... type=AVC msg=audit(1185485644.365:96): avc: denied { setsched } for pid=3339 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process type=SYSCALL msg=audit(1185485644.365:96): arch=40000003 syscall=128 success=yes exit=0 a0=b7f18008 a1=1818c a2=9211708 a3=9211708 items=0 ppid=3315 pid=3339 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=(null) -- Tom London

2 1

Re: Containing vmware player 2.0.0 with SELINUX
by Louis Lam 27 Jul '07

27 Jul '07

Thanks Daniel for the information, hi everyone I've tried to make the following changes: 1. Defined the vmware_t type in vmware.te: type vmware_t; I need to do this since I'm trying to let the vmware user program run under vmware_t domain but this is not defined. In terms of overall code compliance is it correct to define here? or should be at the vmware.if? 2. Created a domain transition so that the vmware user programs e.g. /usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are labelleled system_u:object_r:vmware_exec_t will transit to system_u:object_r:vmware_t when executed. I put it also in vmware.te: domain_entry_file($1_t, vmware_exec_t, $1_vmware_t) but on making the vmware.pp module I get this warning and error: 'syntax error' at token '1' on line 81143: #line 13 allow $1_t vmware_exec_t: file entrypoint; Not very sure what this means and how it should be corrected. Thanks in advance, Louis ----- Original Message ---- From: Daniel J Walsh <dwalsh(a)redhat.com> To: Louis Lam <lshoujun(a)yahoo.com> Cc: Ken YANG <spng.yang(a)gmail.com>; fedora-selinux-list(a)redhat.com Sent: Wednesday, July 25, 2007 3:12:56 PM Subject: Re: Containing vmware player 2.0.0 with SELINUX Louis Lam wrote: > Hi All, > > Still on the topic of transition between a file vmware_exec_t to vmware_t. > > Under the vmware.if file, there is a: > > domain_entry_file($1_vmware_t, vmware_exec_t) > role $3 types $1_vmware_t > > Is this a rule that allows files marked with vmware_exec_t to transit > to vmware_t? What does the $1,$2,$3 represent? Pardon my ignorance on > this but i see these $1, $2 things appear in a lot of places which > confuse me. Can anyone point me to a place to learn more about the > substitutions? > This just says that files labeled vmware_exec_t can be used as entrypoints into the $1_vmware_t, where $1 is a user type. "user", "staff", "guest", "xguest". The next line specifies which roles can reach the specified domain. No transition rules have been defined. > For the transition to take place I'd probably need to add something > like this: > > domain_auto_trans(initrc_t, vmware_exec_t, vmware_t) > Yes this allows it to reach this particular domain. But to reach the user domains defined above. domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t) or domain_auto_trans(user_t, vmware_exec_t, user_vmware_t) > That is following the suggestion below by Daniel to make the > /usr/bin/vmplayer script initrc_exec_t. > > But not too sure where to place this statement, in vmware.te? > > I tried that but get a compilation error > > vmware.te:13:ERROR: 'unknown type vmware_t' at token ';' > Yes I was mistaken. That is not the way the policy is written. ( I guess I should read before I speak.) If you want to get vmware to transition from unconfined_t you will have to write the transition rules from uncofined_t to unconfined_vmware_t. > I thought vmware_t has been defined in vmware.if? > > Thanks in Advance, > Best Regards, > Louis > > ----- Original Message ---- > From: Daniel J Walsh <dwalsh(a)redhat.com> > To: Louis Lam <lshoujun(a)yahoo.com> > Cc: Ken YANG <spng.yang(a)gmail.com>; fedora-selinux-list(a)redhat.com > Sent: Monday, July 16, 2007 1:24:00 PM > Subject: Re: Containing vmware player 2.0.0 with SELINUX > > Louis Lam wrote: > > Hi All, > > > > I managed to get the vmware host services e.g. vmnet-bridge, > vmnet-dhcpd etc... to be running in > > vmware_host_t domain. I did it by modifying the net-services.sh as > described in an earlier post. > > > > Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it > is similar for vmware ws 6) to > > run in vmware_t domain. First i tried to chcon /usr/bin/vmplayer to > > system_u:object_r:vmware_exec_t. But it turns out that > /usr/bin/vmplayer is a script that would in > > turn execute /usr/lib/vmware/bin/vmplayer. I have chcon > /usr/lib/vmware/bin/vmplayer to > > system_u:object_r:vmware_exec_t but still it runs in unconfined_t > when i launched it. I seems like > > the domain transition didn't take place. Please help. > > > > 1. What should be the context for the /usr/bin/vmplayer script? Does > it affect the transition of > > the actual executable /usr/lib/vmware/bin/vmplayer? > > > > 2. For those who could get vmware workstation 6 to run how did you > get it to run in vmware_t > > domain? > > > > > There is currently no transition from unconfined_t to vmware_t. So the > only way to get > the transition to happen is through the initrc script. You could label > the vmplayer script > initrc_exec_t and the transitions should happen properly. > > THanks, > > Louis > > > > --- Daniel J Walsh <dwalsh(a)redhat.com> wrote: > > > > > >> Ken YANG wrote: > >> > >>> Daniel J Walsh wrote: > >>> > >>> > >>>> Louis Lam wrote: > >>>> > >>>> > >>>>> Hi all, > >>>>> > >>>>> At this point i'm still trying to use SELINUX to "contain" vmware > >>>>> player, making it run in > >>>>> targeted mode. > >>>>> > >>>>> I'm still rather new to this but through the help of Ken, i've been > >>>>> able to manipulate modules and > >>>>> get it to "affect" the vmware player but at this point my vmware > >>>>> player is still "broken". > >>>>> Would anyone be able to share their configurations (.te,.fc,.if) > file > >>>>> if you've managed to get it > >>>>> to work with vmware player or vmware-workstation 6 ? CUrrently i'm > >>>>> working with Fedora 7 but > >>>>> intend to port it back to RHEL 5. > >>>>> > >>>>> I've downloaded the latest reference policy from oss and > examined the > >>>>> vmware relevant files. From > >>>>> examining the vmware.fc and > >>>>> "/etc/selinux/targeted/modules/active/file_context", seems like the > >>>>> vmware.fc file could have been written for an older/different > version > >>>>> of vmware where the vmnet > >>>>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer > >>>>> 2/workstation 6. Which > >>>>> version was it written for? > >>>>> > >>>>> > >>>>> > >>>>> > >>>> There is vmware policy that we are starting to use in Rawhide (fc8) > >>>> > >>>> > >>>>> I went on to modify the vmware.fc file and managed to compile > and load > >>>>> the vmware.pp module. But > >>>>> currently this affected the vmware services at startup, e.g. > >>>>> vmnet-dhcpd. For vmware, when > >>>>> something fails to start, it would ask me to rum vmware-config.pl > >>>>> again when i restart it. Doing > >>>>> this would recreate the /dev/vmnet* files over again but it will not > >>>>> have the right context, > >>>>> defaulting to "device_t" instead of "vmware_device_t" that i have > >>>>> modified. The line in my > >>>>> vmware.fc looks like this: > >>>>> > >>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>>> > >>>>> I was thinking that if the script has created a new /dev/vmnet > file it > >>>>> would automatically use the > >>>>> vmware_device_t context but it didn't. Did i miss out anything? > >>>>> > >>>>> > >>>>> > >>>> The problem here is the script is running as initrc_t which has > no rules > >>>> when creating devices in directories labeled device_t (/dev) So > it uses > >>>> the default and labels the devices the same as the > directory. Usually > >>>> when we have this situation, we just run restorecon /dev/XYZ > after the > >>>> creation, > >>>> for example > >>>> > >>>> mknod /dev/XYZ > >>>> chmod 666 /dev/XYZ > >>>> restorecon /dev/XYZ > >>>> > >>>> > >>> as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh > >>> who create such devices: > >>> > >>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2 > <http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2> > >>> > >>> > >>> i notice "/dev" is tmpfs: > >>> > >>> -(:14:45:$)-> cat /proc/mounts > >>> rootfs / rootfs rw 0 0 > >>> /dev/root / ext3 rw,data=ordered 0 0 > >>> /dev /dev tmpfs rw 0 0 > >>> ...... > >>> > >>> i want to add rules in policy: > >>> > >>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t; > >>> > >>> additionally i don't know what type of the net-services.sh, now it is: > >>> > >>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh > >>> > >>> > >>> is this method appropriate? > >>> > >>> > >>> > >>> > >>> > >>> > >>>>> What is the two "--" on the line mean? are they significant? > >>>>> > >>>>> > >>>>> > >>>> The -- indicates that this matches only files. > >>>> > >>>> -d directories > >>>> -s sock_file > >>>> -l link file > >>>> -c char_file > >>>> ... > >>>> > >>>> Second character matches the first character of the ls -l line > >>>> > >>>> ls -l /dev/ttyS0 > >>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0 > >>>> > >>>> If you have no option specified it would match any file type. > >>>> > >>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>> > >>>> > >>>> Would match only "Regular files" with this labels. So you would be > >>>> better off with -c (or -b if they are block devices). > >>>> > >>>> > >>>>> Sorry about the long post, any help or advice? Thanks. > >>>>> > >>>>> Louis > >>>>> Send instant messages to your online friends > >>>>> http://uk.messenger.yahoo.com > >>>>> -- > >>>>> fedora-selinux-list mailing list > >>>>> fedora-selinux-list(a)redhat.com > >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >>>>> > >>>>> > >>>>> > >>>> -- > >>>> fedora-selinux-list mailing list > >>>> fedora-selinux-list(a)redhat.com > >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >>>> > >>>> > >>>> > >>> > >>> > >> One approach to this would be to label the /etc/init.d/vmware script > >> vmware_initrc_exec_t and then setup the proper transitions. > >> > >> This is something we are considering for RBAC. For example we want to > >> allow the webadm_t to be able to only restart/execute the httpd > >> script. Currently we have to allow him to execute any initrc script, > >> although we can prevent him from starting other confined domains. > >> A cleaner solution might be to label the script differently and setup > >> another domain for the script to transition to. > >> > >> > > > > > > Send instant messages to your online friends > http://uk.messenger.yahoo.com > > > > > > Send instant messages to your online friends > http://uk.messenger.yahoo.com Send instant messages to your online friends http://uk.messenger.yahoo.com

1 0

NTFS-3G strange AVC Denied.
by piotreek 27 Jul '07

27 Jul '07

audit(1185512975.221:4): avc: denied { search } for pid=1361 comm=" mount.ntfs-3g" name="media" dev=sdb1 ino=65409 scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir Jul 27 07:09:46 merkury kernel: audit(1185512975.221:5): avc: denied { search } for pid=1369 comm="mount.ntfs-3g" name="media" dev=sdb1 ino=65409 scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir Jul 27 07:09:46 merkury kernel: Adding 2192864k swap on /dev/sdb2. Priority:-1 extents:1 across:2192864k Hi Guys after update to ntfs-3g-1.710-1.fc7 i cannot mount my NTFS partitions and get this avc denied messages. Greatings Peter

2 1

Powertop and SE Alert
by Rahul Sundaram 26 Jul '07

26 Jul '07

Hi I get this advice when running powertop --- Disable the SE-Alert software by removing the 'setroubleshoot-server' rpm SE-Alert alerts you about SELinux policy violations, but also has a bug that wakes it up 10 times per second. --- Is this fixed or do I need to file a bug report? Rahul

2 1

Today's rawhide update
by Steve G 25 Jul '07

25 Jul '07

Hi, FYI, got this updating today: Cleanup : setools ####################### [14/22] Cleanup : selinux-policy-targeted ####################### [15/22] libsemanage.semanage_commit_sandbox: Error while renaming /etc/selinux/targeted/modules/active to /etc/selinux/targeted/modules/previous. /usr/sbin/semanage: Could not add SELinux user guest_u libsemanage.semanage_commit_sandbox: Error while renaming /etc/selinux/targeted/modules/active to /etc/selinux/targeted/modules/previous. /usr/sbin/semanage: Could not add SELinux user xguest_u Cleanup : policycoreutils ####################### [16/22] -Steve ____________________________________________________________________________________Ready for the edge of your seat? Check out tonight's top picks on Yahoo! TV. http://tv.yahoo.com/

3 4

Re: Containing vmware player 2.0.0 with SELINUX
by Louis Lam 25 Jul '07

25 Jul '07

Hi All, Still on the topic of transition between a file vmware_exec_t to vmware_t. Under the vmware.if file, there is a: domain_entry_file($1_vmware_t, vmware_exec_t) role $3 types $1_vmware_t Is this a rule that allows files marked with vmware_exec_t to transit to vmware_t? What does the $1,$2,$3 represent? Pardon my ignorance on this but i see these $1, $2 things appear in a lot of places which confuse me. Can anyone point me to a place to learn more about the substitutions? For the transition to take place I'd probably need to add something like this: domain_auto_trans(initrc_t, vmware_exec_t, vmware_t) That is following the suggestion below by Daniel to make the /usr/bin/vmplayer script initrc_exec_t. But not too sure where to place this statement, in vmware.te? I tried that but get a compilation error vmware.te:13:ERROR: 'unknown type vmware_t' at token ';' I thought vmware_t has been defined in vmware.if? Thanks in Advance, Best Regards, Louis ----- Original Message ---- From: Daniel J Walsh <dwalsh(a)redhat.com> To: Louis Lam <lshoujun(a)yahoo.com> Cc: Ken YANG <spng.yang(a)gmail.com>; fedora-selinux-list(a)redhat.com Sent: Monday, July 16, 2007 1:24:00 PM Subject: Re: Containing vmware player 2.0.0 with SELINUX Louis Lam wrote: > Hi All, > > I managed to get the vmware host services e.g. vmnet-bridge, vmnet-dhcpd etc... to be running in > vmware_host_t domain. I did it by modifying the net-services.sh as described in an earlier post. > > Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it is similar for vmware ws 6) to > run in vmware_t domain. First i tried to chcon /usr/bin/vmplayer to > system_u:object_r:vmware_exec_t. But it turns out that /usr/bin/vmplayer is a script that would in > turn execute /usr/lib/vmware/bin/vmplayer. I have chcon /usr/lib/vmware/bin/vmplayer to > system_u:object_r:vmware_exec_t but still it runs in unconfined_t when i launched it. I seems like > the domain transition didn't take place. Please help. > > 1. What should be the context for the /usr/bin/vmplayer script? Does it affect the transition of > the actual executable /usr/lib/vmware/bin/vmplayer? > > 2. For those who could get vmware workstation 6 to run how did you get it to run in vmware_t > domain? > > There is currently no transition from unconfined_t to vmware_t. So the only way to get the transition to happen is through the initrc script. You could label the vmplayer script initrc_exec_t and the transitions should happen properly. > THanks, > Louis > > --- Daniel J Walsh <dwalsh(a)redhat.com> wrote: > > >> Ken YANG wrote: >> >>> Daniel J Walsh wrote: >>> >>> >>>> Louis Lam wrote: >>>> >>>> >>>>> Hi all, >>>>> >>>>> At this point i'm still trying to use SELINUX to "contain" vmware >>>>> player, making it run in >>>>> targeted mode. >>>>> >>>>> I'm still rather new to this but through the help of Ken, i've been >>>>> able to manipulate modules and >>>>> get it to "affect" the vmware player but at this point my vmware >>>>> player is still "broken". >>>>> Would anyone be able to share their configurations (.te,.fc,.if) file >>>>> if you've managed to get it >>>>> to work with vmware player or vmware-workstation 6 ? CUrrently i'm >>>>> working with Fedora 7 but >>>>> intend to port it back to RHEL 5. >>>>> >>>>> I've downloaded the latest reference policy from oss and examined the >>>>> vmware relevant files. From >>>>> examining the vmware.fc and >>>>> "/etc/selinux/targeted/modules/active/file_context", seems like the >>>>> vmware.fc file could have been written for an older/different version >>>>> of vmware where the vmnet >>>>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer >>>>> 2/workstation 6. Which >>>>> version was it written for? >>>>> >>>>> >>>>> >>>>> >>>> There is vmware policy that we are starting to use in Rawhide (fc8) >>>> >>>> >>>>> I went on to modify the vmware.fc file and managed to compile and load >>>>> the vmware.pp module. But >>>>> currently this affected the vmware services at startup, e.g. >>>>> vmnet-dhcpd. For vmware, when >>>>> something fails to start, it would ask me to rum vmware-config.pl >>>>> again when i restart it. Doing >>>>> this would recreate the /dev/vmnet* files over again but it will not >>>>> have the right context, >>>>> defaulting to "device_t" instead of "vmware_device_t" that i have >>>>> modified. The line in my >>>>> vmware.fc looks like this: >>>>> >>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0) >>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0) >>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0) >>>>> >>>>> I was thinking that if the script has created a new /dev/vmnet file it >>>>> would automatically use the >>>>> vmware_device_t context but it didn't. Did i miss out anything? >>>>> >>>>> >>>>> >>>> The problem here is the script is running as initrc_t which has no rules >>>> when creating devices in directories labeled device_t (/dev) So it uses >>>> the default and labels the devices the same as the directory. Usually >>>> when we have this situation, we just run restorecon /dev/XYZ after the >>>> creation, >>>> for example >>>> >>>> mknod /dev/XYZ >>>> chmod 666 /dev/XYZ >>>> restorecon /dev/XYZ >>>> >>>> >>> as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh >>> who create such devices: >>> >>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2 >>> >>> >>> i notice "/dev" is tmpfs: >>> >>> -(:14:45:$)-> cat /proc/mounts >>> rootfs / rootfs rw 0 0 >>> /dev/root / ext3 rw,data=ordered 0 0 >>> /dev /dev tmpfs rw 0 0 >>> ...... >>> >>> i want to add rules in policy: >>> >>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t; >>> >>> additionally i don't know what type of the net-services.sh, now it is: >>> >>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh >>> >>> >>> is this method appropriate? >>> >>> >>> >>> >>> >>> >>>>> What is the two "--" on the line mean? are they significant? >>>>> >>>>> >>>>> >>>> The -- indicates that this matches only files. >>>> >>>> -d directories >>>> -s sock_file >>>> -l link file >>>> -c char_file >>>> ... >>>> >>>> Second character matches the first character of the ls -l line >>>> >>>> ls -l /dev/ttyS0 >>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0 >>>> >>>> If you have no option specified it would match any file type. >>>> >>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0) >>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0) >>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0) >>>> >>>> >>>> Would match only "Regular files" with this labels. So you would be >>>> better off with -c (or -b if they are block devices). >>>> >>>> >>>>> Sorry about the long post, any help or advice? Thanks. >>>>> >>>>> Louis >>>>> Send instant messages to your online friends >>>>> http://uk.messenger.yahoo.com >>>>> -- >>>>> fedora-selinux-list mailing list >>>>> fedora-selinux-list(a)redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>>> >>>>> >>>>> >>>> -- >>>> fedora-selinux-list mailing list >>>> fedora-selinux-list(a)redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>> >>>> >>>> >>> >>> >> One approach to this would be to label the /etc/init.d/vmware script >> vmware_initrc_exec_t and then setup the proper transitions. >> >> This is something we are considering for RBAC. For example we want to >> allow the webadm_t to be able to only restart/execute the httpd >> script. Currently we have to allow him to execute any initrc script, >> although we can prevent him from starting other confined domains. >> A cleaner solution might be to label the script differently and setup >> another domain for the script to transition to. >> >> > > > Send instant messages to your online friends http://uk.messenger.yahoo.com > Send instant messages to your online friends http://uk.messenger.yahoo.com

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux July 2007