remote logging and sealert
by Jan-Frode Myklebust
We run a centralized syslog server, and separate all syslogged AVCs
into a separate log file. Is it possible to have setroubleshooter/sealert
use this log file?
-jf
16 years, 9 months
crond wants 'entrypoint' for updpwd_exec_t
by Tom London
Rawhide, targeted/enforcing.
Seeing the below.
Sort of remember something similar (May 30 according to gmail) that
seemed to be resolved by pam:
http://www.redhat.com/archives/fedora-selinux-list/2007-May/msg00095.html
This similar?
tom
type=AVC msg=audit(1185663661.818:55): avc: denied { entrypoint }
for pid=8356 comm="crond" path="/sbin/unix_update" dev=dm-0
ino=11338066 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1185663661.818:55): arch=40000003 syscall=11
success=no exit=-13 a0=2c2918 a1=bffa858c a2=2c4408 a3=400 items=0
ppid=8355 pid=8356 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="crond" exe="/usr/sbin/crond"
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
--
Tom London
16 years, 9 months
Re: Containing vmware player 2.0.0 with SELINUX
by Louis Lam
My mistakes, apologies for the confusion; under part 2, I was trying to do domain_auto_trans instead of domain_entry_file, so...
2. Created a domain transition so that the vmware user programs e.g.
/usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are
labelled system_u:object_r:vmware_exec_t will transit to
system_u:object_r:vmware_t when executed. I put it also in vmware.te:
domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
but on making the vmware.pp module I get this warning and error:
'syntax error' at token '1' on line 81143:
#line 13
allow $1_t vmware_exec_t: file {getattr read execute};
Thanks in advance,
Louis
----- Original Message ----
From: Louis Lam <lshoujun(a)yahoo.com>
To: Daniel J Walsh <dwalsh(a)redhat.com>
Cc: fedora-selinux-list(a)redhat.com
Sent: Friday, July 27, 2007 5:05:05 AM
Subject: Re: Containing vmware player 2.0.0 with SELINUX
Thanks Daniel for the information, hi everyone
I've tried to make the following changes:
1. Defined the vmware_t type in vmware.te:
type vmware_t;
I need to do this since I'm trying to let the vmware user program run under vmware_t domain but this is not defined. In terms of overall code compliance is it correct to define here? or should be at the vmware.if?
2. Created a domain transition so that the vmware user programs e.g. /usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are labelled system_u:object_r:vmware_exec_t will transit to system_u:object_r:vmware_t when executed. I put it also in vmware.te:
domain_entry_file($1_t, vmware_exec_t, $1_vmware_t)
but on making the vmware.pp module I get this warning and error:
'syntax error' at token '1' on line 81143:
#line 13
allow $1_t vmware_exec_t: file entrypoint;
Not very sure what this means and how it should be corrected.
Thanks in advance,
Louis
----- Original Message ----
From: Daniel J Walsh <dwalsh(a)redhat.com>
To: Louis Lam <lshoujun(a)yahoo.com>
Cc: Ken YANG <spng.yang(a)gmail.com>; fedora-selinux-list(a)redhat.com
Sent: Wednesday, July 25, 2007 3:12:56 PM
Subject: Re: Containing vmware player 2.0.0 with SELINUX
Louis Lam wrote:
> Hi All,
>
> Still on the topic of transition between a file vmware_exec_t to vmware_t.
>
> Under the vmware.if file, there is a:
>
> domain_entry_file($1_vmware_t, vmware_exec_t)
> role $3 types $1_vmware_t
>
> Is this a rule that allows files marked with vmware_exec_t to transit
> to vmware_t? What does the $1,$2,$3 represent? Pardon my ignorance on
> this but i see these $1, $2 things appear in a lot of places which
> confuse me. Can anyone point me to a place to learn more about the
> substitutions?
>
This just says that files labeled vmware_exec_t can be used as
entrypoints into the $1_vmware_t, where $1 is a user type. "user",
"staff", "guest", "xguest". The next line specifies which roles can
reach the specified domain. No transition rules have been defined.
> For the transition to take place I'd probably need to add something
> like this:
>
> domain_auto_trans(initrc_t, vmware_exec_t, vmware_t)
>
Yes this allows it to reach this particular domain. But to reach the
user domains defined above.
domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
or
domain_auto_trans(user_t, vmware_exec_t, user_vmware_t)
> That is following the suggestion below by Daniel to make the
> /usr/bin/vmplayer script initrc_exec_t.
>
> But not too sure where to place this statement, in vmware.te?
>
> I tried that but get a compilation error
>
> vmware.te:13:ERROR: 'unknown type vmware_t' at token ';'
>
Yes I was mistaken. That is not the way the policy is written. ( I
guess I should read before I speak.)
If you want to get vmware to transition from unconfined_t you will have
to write the transition rules from unconfined_t to unconfined_vmware_t.
> I thought vmware_t has been defined in vmware.if?
>
> Thanks in Advance,
> Best Regards,
> Louis
>
> ----- Original Message ----
> From: Daniel J Walsh <dwalsh(a)redhat.com>
> To: Louis Lam <lshoujun(a)yahoo.com>
> Cc: Ken YANG <spng.yang(a)gmail.com>; fedora-selinux-list(a)redhat.com
> Sent: Monday, July 16, 2007 1:24:00 PM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Louis Lam wrote:
> > Hi All,
> >
> > I managed to get the vmware host services e.g. vmnet-bridge,
> vmnet-dhcpd etc... to be running in
> > vmware_host_t domain. I did it by modifying the net-services.sh as
> described in an earlier post.
> >
> > Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it
> is similar for vmware ws 6) to
> > run in vmware_t domain. First i tried to chcon /usr/bin/vmplayer to
> > system_u:object_r:vmware_exec_t. But it turns out that
> /usr/bin/vmplayer is a script that would in
> > turn execute /usr/lib/vmware/bin/vmplayer. I have chcon
> /usr/lib/vmware/bin/vmplayer to
> > system_u:object_r:vmware_exec_t but still it runs in unconfined_t
> when i launched it. It seems like
> > the domain transition didn't take place. Please help.
> >
> > 1. What should be the context for the /usr/bin/vmplayer script? Does
> it affect the transition of
> > the actual executable /usr/lib/vmware/bin/vmplayer?
> >
> > 2. For those who could get vmware workstation 6 to run how did you
> get it to run in vmware_t
> > domain?
> >
> >
> There is currently no transition from unconfined_t to vmware_t. So the
> only way to get
> the transition to happen is through the initrc script. You could label
> the vmplayer script
> initrc_exec_t and the transitions should happen properly.
> >
> > Thanks,
> > Louis
> >
> > --- Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> >
> >
> >> Ken YANG wrote:
> >>
> >>> Daniel J Walsh wrote:
> >>>
> >>>
> >>>> Louis Lam wrote:
> >>>>
> >>>>
> >>>>> Hi all,
> >>>>>
> >>>>> At this point i'm still trying to use SELINUX to "contain" vmware
> >>>>> player, making it run in
> >>>>> targeted mode.
> >>>>>
> >>>>> I'm still rather new to this but through the help of Ken, i've been
> >>>>> able to manipulate modules and
> >>>>> get it to "affect" the vmware player but at this point my vmware
> >>>>> player is still "broken".
> >>>>> Would anyone be able to share their configurations (.te,.fc,.if)
> file
> >>>>> if you've managed to get it
> >>>>> to work with vmware player or vmware-workstation 6 ? Currently i'm
> >>>>> working with Fedora 7 but
> >>>>> intend to port it back to RHEL 5.
> >>>>>
> >>>>> I've downloaded the latest reference policy from oss and
> examined the
> >>>>> vmware relevant files. From
> >>>>> examining the vmware.fc and
> >>>>> "/etc/selinux/targeted/modules/active/file_context", seems like the
> >>>>> vmware.fc file could have been written for an older/different
> version
> >>>>> of vmware where the vmnet
> >>>>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer
> >>>>> 2/workstation 6. Which
> >>>>> version was it written for?
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>> There is vmware policy that we are starting to use in Rawhide (fc8)
> >>>>
> >>>>
> >>>>> I went on to modify the vmware.fc file and managed to compile
> and load
> >>>>> the vmware.pp module. But
> >>>>> currently this affected the vmware services at startup, e.g.
> >>>>> vmnet-dhcpd. For vmware, when
> >>>>> something fails to start, it would ask me to run vmware-config.pl
> >>>>> again when i restart it. Doing
> >>>>> this would recreate the /dev/vmnet* files over again but it will not
> >>>>> have the right context,
> >>>>> defaulting to "device_t" instead of "vmware_device_t" that i have
> >>>>> modified. The line in my
> >>>>> vmware.fc looks like this:
> >>>>>
> >>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>>
> >>>>> I was thinking that if the script has created a new /dev/vmnet
> file it
> >>>>> would automatically use the
> >>>>> vmware_device_t context but it didn't. Did i miss out anything?
> >>>>>
> >>>>>
> >>>>>
> >>>> The problem here is the script is running as initrc_t which has
> no rules
> >>>> when creating devices in directories labeled device_t (/dev) So
> it uses
> >>>> the default and labels the devices the same as the
> directory. Usually
> >>>> when we have this situation, we just run restorecon /dev/XYZ
> after the
> >>>> creation,
> >>>> for example
> >>>>
> >>>> mknod /dev/XYZ
> >>>> chmod 666 /dev/XYZ
> >>>> restorecon /dev/XYZ
> >>>>
> >>>>
> >>> as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh
> >>> who create such devices:
> >>>
> >>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2
> >>>
> >>>
> >>> i notice "/dev" is tmpfs:
> >>>
> >>> -(:14:45:$)-> cat /proc/mounts
> >>> rootfs / rootfs rw 0 0
> >>> /dev/root / ext3 rw,data=ordered 0 0
> >>> /dev /dev tmpfs rw 0 0
> >>> ......
> >>>
> >>> i want to add rules in policy:
> >>>
> >>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
> >>>
> >>> additionally i don't know what type of the net-services.sh, now it is:
> >>>
> >>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh
> >>>
> >>>
> >>> is this method appropriate?
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>> What is the two "--" on the line mean? are they significant?
> >>>>>
> >>>>>
> >>>>>
> >>>> The -- indicates that this matches only files.
> >>>>
> >>>> -d directories
> >>>> -s sock_file
> >>>> -l link file
> >>>> -c char_file
> >>>> ...
> >>>>
> >>>> Second character matches the first character of the ls -l line
> >>>>
> >>>> ls -l /dev/ttyS0
> >>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
> >>>>
> >>>> If you have no option specified it would match any file type.
> >>>>
> >>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>
> >>>>
> >>>> Would match only "Regular files" with this labels. So you would be
> >>>> better off with -c (or -b if they are block devices).
> >>>>
> >>>>
> >>>>> Sorry about the long post, any help or advice? Thanks.
> >>>>>
> >>>>> Louis
> >>>>> --
> >>>>> fedora-selinux-list mailing list
> >>>>> fedora-selinux-list(a)redhat.com
> >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >> One approach to this would be to label the /etc/init.d/vmware script
> >> vmware_initrc_exec_t and then setup the proper transitions.
> >>
> >> This is something we are considering for RBAC. For example we want to
> >> allow the webadm_t to be able to only restart/execute the httpd
> >> script. Currently we have to allow him to execute any initrc script,
> >> although we can prevent him from starting other confined domains.
> >> A cleaner solution might be to label the script differently and setup
> >> another domain for the script to transition to.
> >>
> >>
> >
> >
> >
>
>
>
16 years, 9 months
loadkeys.... I see red.... (minor)
by Tom London
Running latest Rawhide, targeted/enforcing.
On boot, I get failure message from rc.sysinit when loading keymap.
System->Administration->Keyboard produces AVCs, so I suspect the
bootup failure is related.
Appears that loadkeys will try to search current working directory for
keymap file if its argument is not an 'absolute path'.
So, s-c-keyboard will try to search /home and /home/<user>. Not sure
which directory loadkeys runs in during rc.sysinit.
I've thought of the following options:
1. Change rc.sysinit to include full path in call to loadkeys. That
will probably turn RED message on boot to GREEN. But, s-c-keyboard
will still produce AVCs. [Seems to 'work', however.]
2. Change loadkeys to only look at /lib/kbd. I'm guessing this is not
likely, nor correct.
3. Allow loadkeys_t to search home_dir_t and home_root_t or DONTAUDIT.
4. Other? Combination?
tom
--
Tom London
16 years, 9 months
insmod_t wants setsched
by Tom London
Get these during boot and shutdown....
type=AVC msg=audit(1185485644.365:96): avc: denied { setsched } for
pid=3339 comm="modprobe"
scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:system_r:kernel_t:s0 tclass=process
type=SYSCALL msg=audit(1185485644.365:96): arch=40000003 syscall=128
success=yes exit=0 a0=b7f18008 a1=1818c a2=9211708 a3=9211708 items=0
ppid=3315 pid=3339 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="modprobe" exe="/sbin/modprobe"
subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=(null)
--
Tom London
16 years, 9 months
Re: Containing vmware player 2.0.0 with SELINUX
by Louis Lam
Thanks Daniel for the information, hi everyone
I've tried to make the following changes:
1. Defined the vmware_t type in vmware.te:
type vmware_t;
I need to do this since I'm trying to let the vmware user program run under vmware_t domain but this is not defined. In terms of overall code compliance is it correct to define here? or should be at the vmware.if?
2. Created a domain transition so that the vmware user programs e.g. /usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are labelled system_u:object_r:vmware_exec_t will transit to system_u:object_r:vmware_t when executed. I put it also in vmware.te:
domain_entry_file($1_t, vmware_exec_t, $1_vmware_t)
but on making the vmware.pp module I get this warning and error:
'syntax error' at token '1' on line 81143:
#line 13
allow $1_t vmware_exec_t: file entrypoint;
Not very sure what this means and how it should be corrected.
Thanks in advance,
Louis
----- Original Message ----
From: Daniel J Walsh <dwalsh(a)redhat.com>
To: Louis Lam <lshoujun(a)yahoo.com>
Cc: Ken YANG <spng.yang(a)gmail.com>; fedora-selinux-list(a)redhat.com
Sent: Wednesday, July 25, 2007 3:12:56 PM
Subject: Re: Containing vmware player 2.0.0 with SELINUX
Louis Lam wrote:
> Hi All,
>
> Still on the topic of transition between a file vmware_exec_t to vmware_t.
>
> Under the vmware.if file, there is a:
>
> domain_entry_file($1_vmware_t, vmware_exec_t)
> role $3 types $1_vmware_t
>
> Is this a rule that allows files marked with vmware_exec_t to transit
> to vmware_t? What does the $1,$2,$3 represent? Pardon my ignorance on
> this but i see these $1, $2 things appear in a lot of places which
> confuse me. Can anyone point me to a place to learn more about the
> substitutions?
>
This just says that files labeled vmware_exec_t can be used as
entrypoints into the $1_vmware_t, where $1 is a user type. "user",
"staff", "guest", "xguest". The next line specifies which roles can
reach the specified domain. No transition rules have been defined.
> For the transition to take place I'd probably need to add something
> like this:
>
> domain_auto_trans(initrc_t, vmware_exec_t, vmware_t)
>
Yes this allows it to reach this particular domain. But to reach the
user domains defined above.
domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
or
domain_auto_trans(user_t, vmware_exec_t, user_vmware_t)
> That is following the suggestion below by Daniel to make the
> /usr/bin/vmplayer script initrc_exec_t.
>
> But not too sure where to place this statement, in vmware.te?
>
> I tried that but get a compilation error
>
> vmware.te:13:ERROR: 'unknown type vmware_t' at token ';'
>
Yes I was mistaken. That is not the way the policy is written. ( I
guess I should read before I speak.)
If you want to get vmware to transition from unconfined_t you will have
to write the transition rules from unconfined_t to unconfined_vmware_t.
> I thought vmware_t has been defined in vmware.if?
>
> Thanks in Advance,
> Best Regards,
> Louis
>
> ----- Original Message ----
> From: Daniel J Walsh <dwalsh(a)redhat.com>
> To: Louis Lam <lshoujun(a)yahoo.com>
> Cc: Ken YANG <spng.yang(a)gmail.com>; fedora-selinux-list(a)redhat.com
> Sent: Monday, July 16, 2007 1:24:00 PM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Louis Lam wrote:
> > Hi All,
> >
> > I managed to get the vmware host services e.g. vmnet-bridge,
> vmnet-dhcpd etc... to be running in
> > vmware_host_t domain. I did it by modifying the net-services.sh as
> described in an earlier post.
> >
> > Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it
> is similar for vmware ws 6) to
> > run in vmware_t domain. First i tried to chcon /usr/bin/vmplayer to
> > system_u:object_r:vmware_exec_t. But it turns out that
> /usr/bin/vmplayer is a script that would in
> > turn execute /usr/lib/vmware/bin/vmplayer. I have chcon
> /usr/lib/vmware/bin/vmplayer to
> > system_u:object_r:vmware_exec_t but still it runs in unconfined_t
> when i launched it. It seems like
> > the domain transition didn't take place. Please help.
> >
> > 1. What should be the context for the /usr/bin/vmplayer script? Does
> it affect the transition of
> > the actual executable /usr/lib/vmware/bin/vmplayer?
> >
> > 2. For those who could get vmware workstation 6 to run how did you
> get it to run in vmware_t
> > domain?
> >
> >
> There is currently no transition from unconfined_t to vmware_t. So the
> only way to get
> the transition to happen is through the initrc script. You could label
> the vmplayer script
> initrc_exec_t and the transitions should happen properly.
> > Thanks,
> > Louis
> >
> > --- Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> >
> >
> >> Ken YANG wrote:
> >>
> >>> Daniel J Walsh wrote:
> >>>
> >>>
> >>>> Louis Lam wrote:
> >>>>
> >>>>
> >>>>> Hi all,
> >>>>>
> >>>>> At this point i'm still trying to use SELINUX to "contain" vmware
> >>>>> player, making it run in
> >>>>> targeted mode.
> >>>>>
> >>>>> I'm still rather new to this but through the help of Ken, i've been
> >>>>> able to manipulate modules and
> >>>>> get it to "affect" the vmware player but at this point my vmware
> >>>>> player is still "broken".
> >>>>> Would anyone be able to share their configurations (.te,.fc,.if)
> file
> >>>>> if you've managed to get it
> >>>>> to work with vmware player or vmware-workstation 6 ? Currently i'm
> >>>>> working with Fedora 7 but
> >>>>> intend to port it back to RHEL 5.
> >>>>>
> >>>>> I've downloaded the latest reference policy from oss and
> examined the
> >>>>> vmware relevant files. From
> >>>>> examining the vmware.fc and
> >>>>> "/etc/selinux/targeted/modules/active/file_context", seems like the
> >>>>> vmware.fc file could have been written for an older/different
> version
> >>>>> of vmware where the vmnet
> >>>>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer
> >>>>> 2/workstation 6. Which
> >>>>> version was it written for?
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>> There is vmware policy that we are starting to use in Rawhide (fc8)
> >>>>
> >>>>
> >>>>> I went on to modify the vmware.fc file and managed to compile
> and load
> >>>>> the vmware.pp module. But
> >>>>> currently this affected the vmware services at startup, e.g.
> >>>>> vmnet-dhcpd. For vmware, when
> >>>>> something fails to start, it would ask me to run vmware-config.pl
> >>>>> again when i restart it. Doing
> >>>>> this would recreate the /dev/vmnet* files over again but it will not
> >>>>> have the right context,
> >>>>> defaulting to "device_t" instead of "vmware_device_t" that i have
> >>>>> modified. The line in my
> >>>>> vmware.fc looks like this:
> >>>>>
> >>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>>
> >>>>> I was thinking that if the script has created a new /dev/vmnet
> file it
> >>>>> would automatically use the
> >>>>> vmware_device_t context but it didn't. Did i miss out anything?
> >>>>>
> >>>>>
> >>>>>
> >>>> The problem here is the script is running as initrc_t which has
> no rules
> >>>> when creating devices in directories labeled device_t (/dev) So
> it uses
> >>>> the default and labels the devices the same as the
> directory. Usually
> >>>> when we have this situation, we just run restorecon /dev/XYZ
> after the
> >>>> creation,
> >>>> for example
> >>>>
> >>>> mknod /dev/XYZ
> >>>> chmod 666 /dev/XYZ
> >>>> restorecon /dev/XYZ
> >>>>
> >>>>
> >>> as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh
> >>> who create such devices:
> >>>
> >>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2
> >>>
> >>>
> >>> i notice "/dev" is tmpfs:
> >>>
> >>> -(:14:45:$)-> cat /proc/mounts
> >>> rootfs / rootfs rw 0 0
> >>> /dev/root / ext3 rw,data=ordered 0 0
> >>> /dev /dev tmpfs rw 0 0
> >>> ......
> >>>
> >>> i want to add rules in policy:
> >>>
> >>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
> >>>
> >>> additionally i don't know what type of the net-services.sh, now it is:
> >>>
> >>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh
> >>>
> >>>
> >>> is this method appropriate?
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>> What is the two "--" on the line mean? are they significant?
> >>>>>
> >>>>>
> >>>>>
> >>>> The -- indicates that this matches only files.
> >>>>
> >>>> -d directories
> >>>> -s sock_file
> >>>> -l link file
> >>>> -c char_file
> >>>> ...
> >>>>
> >>>> Second character matches the first character of the ls -l line
> >>>>
> >>>> ls -l /dev/ttyS0
> >>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
> >>>>
> >>>> If you have no option specified it would match any file type.
> >>>>
> >>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>
> >>>>
> >>>> Would match only "Regular files" with this labels. So you would be
> >>>> better off with -c (or -b if they are block devices).
> >>>>
> >>>>
> >>>>> Sorry about the long post, any help or advice? Thanks.
> >>>>>
> >>>>> Louis
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >> One approach to this would be to label the /etc/init.d/vmware script
> >> vmware_initrc_exec_t and then setup the proper transitions.
> >>
> >> This is something we are considering for RBAC. For example we want to
> >> allow the webadm_t to be able to only restart/execute the httpd
> >> script. Currently we have to allow him to execute any initrc script,
> >> although we can prevent him from starting other confined domains.
> >> A cleaner solution might be to label the script differently and setup
> >> another domain for the script to transition to.
> >>
> >>
> >
> >
> >
>
>
>
16 years, 9 months
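Daniel's point above (domain_entry_file() only grants entrypoint, and $1 is a template parameter that is substituted when the template is instantiated for a user such as "user" or "unconfined", so it cannot be written literally in vmware.te) can be checked mechanically. The following is an added example, not code from anyone in this thread or from the reference policy: a minimal evaluator of the three permissions the kernel requires for a domain transition, run over constructed rule sets that model Louis's entrypoint-only policy, the rules domain_auto_trans() expands to, and the crond entrypoint denial Tom London posted earlier on this page.

```python
"""Minimal evaluator of the rules an SELinux domain transition needs: shows why
domain_entry_file() alone leaves vmplayer in unconfined_t, what domain_auto_trans()
adds, and what the crond entrypoint denial quoted earlier on this page means."""
import re
from collections import defaultdict

ALLOW_RE = re.compile(r"^allow (\S+) (\S+):(\S+) (\{[^}]*\}|\S+);$")
TYPE_TRANSITION_RE = re.compile(r"^type_transition (\S+) (\S+):process (\S+);$")

# Constructed approximation of Louis's situation: vmware.if, once instantiated
# for the unconfined user, yields only domain_entry_file(unconfined_vmware_t,
# vmware_exec_t), and one rule stands in for unconfined_t's right to run anything.
ENTRY_ONLY = """
allow unconfined_vmware_t vmware_exec_t:file entrypoint;
allow unconfined_t vmware_exec_t:file { getattr read execute execute_no_trans };
"""

# The rules domain_auto_trans(unconfined_t, vmware_exec_t, unconfined_vmware_t)
# expands to in 2007-era refpolicy (dontaudit lines omitted); the execute
# permission set is the one visible in the error Louis quotes.
WITH_AUTO_TRANS = ENTRY_ONLY + """
allow unconfined_t vmware_exec_t:file { getattr read execute };
allow unconfined_t unconfined_vmware_t:process transition;
allow unconfined_vmware_t vmware_exec_t:file entrypoint;
type_transition unconfined_t vmware_exec_t:process unconfined_vmware_t;
"""

# Constructed model of Tom London's crond record: a transition is set up but the
# new domain lacks entrypoint on the file, so execve fails (success=no exit=-13).
CROND_LIKE = """
allow crond_t updpwd_exec_t:file { getattr read execute };
allow crond_t system_chkpwd_t:process transition;
type_transition crond_t updpwd_exec_t:process system_chkpwd_t;
"""


class Policy:
    """Just enough of a .te file: allow rules and process type_transitions."""

    def __init__(self, text):
        self.allow = defaultdict(set)  # (source, target, class) -> permissions
        self.trans = {}                # (source, exec type) -> new domain
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if m := ALLOW_RE.match(line):
                src, tgt, cls, perms = m.groups()
                self.allow[(src, tgt, cls)] |= set(perms.strip("{} ").split())
            elif m := TYPE_TRANSITION_RE.match(line):
                src, exec_type, new = m.groups()
                self.trans[(src, exec_type)] = new
            else:
                raise ValueError(f"unsupported statement: {line}")

    def allows(self, src, tgt, cls, perm):
        return perm in self.allow[(src, tgt, cls)]


def exec_result(policy, src, exec_type):
    """Outcome of a process in `src` executing a file labelled `exec_type`:
    ('stays', src, []), ('transition', new_domain, []) or ('denied', domain, missing)."""
    new = policy.trans.get((src, exec_type), src)
    if new == src:
        # No type_transition: the process keeps its domain and needs execute plus
        # execute_no_trans on the file.
        needed = [("execute", (src, exec_type, "file", "execute")),
                  ("execute_no_trans", (src, exec_type, "file", "execute_no_trans"))]
    else:
        # The kernel checks all three before it lets the new domain start.
        needed = [("execute", (src, exec_type, "file", "execute")),
                  ("transition", (src, new, "process", "transition")),
                  ("entrypoint", (new, exec_type, "file", "entrypoint"))]
    missing = [name for name, query in needed if not policy.allows(*query)]
    if missing:
        return ("denied", new, missing)
    return ("stays" if new == src else "transition", new, [])


if __name__ == "__main__":
    cases = [("domain_entry_file only", ENTRY_ONLY, "unconfined_t", "vmware_exec_t"),
             ("with domain_auto_trans", WITH_AUTO_TRANS, "unconfined_t", "vmware_exec_t"),
             ("crond -> system_chkpwd_t", CROND_LIKE, "crond_t", "updpwd_exec_t")]
    for label, text, src, exec_type in cases:
        print(f"{label:26} {exec_result(Policy(text), src, exec_type)}")
```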
NTFS-3G strange AVC Denied.
by piotreek
audit(1185512975.221:4): avc: denied { search } for pid=1361 comm="
mount.ntfs-3g" name="media" dev=sdb1 ino=65409
scontext=system_u:system_r:mount_ntfs_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Jul 27 07:09:46 merkury kernel: audit(1185512975.221:5): avc: denied {
search } for pid=1369 comm="mount.ntfs-3g" name="media" dev=sdb1 ino=65409
scontext=system_u:system_r:mount_ntfs_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Jul 27 07:09:46 merkury kernel: Adding 2192864k swap on /dev/sdb2.
Priority:-1 extents:1 across:2192864k
Hi guys, after updating to ntfs-3g-1.710-1.fc7 I cannot mount my NTFS
partitions and get these AVC denied messages.
Greetings, Peter
16 years, 9 months
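The denials on this page (the crond entrypoint and insmod setsched records in Tom London's posts, and the mount.ntfs-3g search denial above) are what audit2allow turns into allow rules, and Jan-Frode's first post asks about the same records arriving through syslog. The following is an added example, not code from any of the posters or from setroubleshoot: it re-joins records that a mail client wrapped across lines, accepts both the audit.log `type=AVC` form and the `kernel: audit(...)` form a central syslog carries, pairs each AVC with its SYSCALL record by serial, and derives the rule each denial implies. The sample records are constructed from the ones quoted above.

```python
"""Summarise SELinux AVC denials as the allow rules they imply (audit2allow-style),
from raw audit.log records or from kernel messages relayed through syslog."""
import re

# Sample input constructed from the records quoted in these threads, kept in the
# line-wrapped form in which the mail clients delivered them.
SAMPLE = """\
type=AVC msg=audit(1185663661.818:55): avc: denied { entrypoint }
for pid=8356 comm="crond" path="/sbin/unix_update" dev=dm-0
ino=11338066 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1185663661.818:55): arch=40000003 syscall=11
success=no exit=-13 a0=2c2918 a1=bffa858c a2=2c4408 a3=400 items=0
ppid=8355 pid=8356 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="crond" exe="/usr/sbin/crond"
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1185485644.365:96): avc: denied { setsched } for
pid=3339 comm="modprobe"
scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:system_r:kernel_t:s0 tclass=process
type=SYSCALL msg=audit(1185485644.365:96): arch=40000003 syscall=128
success=yes exit=0 a0=b7f18008 a1=1818c a2=9211708 a3=9211708 items=0
ppid=3315 pid=3339 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="modprobe" exe="/sbin/modprobe"
subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=(null)
Jul 27 07:09:46 merkury kernel: audit(1185512975.221:5): avc: denied {
search } for pid=1369 comm="mount.ntfs-3g" name="media" dev=sdb1 ino=65409
scontext=system_u:system_r:mount_ntfs_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Jul 27 07:09:46 merkury kernel: Adding 2192864k swap on /dev/sdb2.
Priority:-1 extents:1 across:2192864k
"""

# A line starts a new record if it is an audit.log record, a syslog line or a bare
# audit(...) record; any other line is a continuation of the previous record.
RECORD_START = re.compile(r"^(?:type=\w+ msg=audit\(|\w{3} +\d+ \d\d:\d\d:\d\d \S+ |audit\()")
AVC_RE = re.compile(r"audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} +for (?P<fields>.*)")
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_records(text):
    """Re-join records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_fields(s):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(s)}

def type_of(context):
    """user:role:type[:range] -> type, e.g. system_u:system_r:insmod_t:s0-s0:c0.c1023 -> insmod_t."""
    return context.split(":")[2]

def analyse(text):
    """One dict per AVC denial, joined to the SYSCALL record with the same serial."""
    syscalls, denials = {}, []
    for rec in split_records(text):
        if m := SYSCALL_RE.search(rec):
            syscalls[m.group("serial")] = parse_fields(m.group("fields"))
            continue
        if not (m := AVC_RE.search(rec)):
            continue  # the swap message and any other non-AVC kernel output
        f = parse_fields(m.group("fields"))
        denials.append({
            "serial": m.group("serial"), "comm": f.get("comm"),
            "source": type_of(f["scontext"]), "target": type_of(f["tcontext"]),
            "tclass": f["tclass"], "perms": sorted(m.group("perms").split()),
            "target_name": f.get("path") or f.get("name"),
        })
    for d in denials:
        # subj/exe come from the SYSCALL record and name the caller at syscall entry
        # (crond_t for serial 55); the AVC scontext is the domain it tried to enter
        # (system_chkpwd_t), since entrypoint is checked for the new domain.
        sc = syscalls.get(d["serial"], {})
        d["exe"] = sc.get("exe")
        d["caller"] = type_of(sc["subj"]) if "subj" in sc else None
        d["syscall_success"] = sc.get("success")  # None for syslog-only records
    return denials

def allow_rule(d):
    """The rule audit2allow would print for this denial."""
    perms = d["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perm_str};"

if __name__ == "__main__":
    for d in analyse(SAMPLE):
        print(f"#{d['serial']} {d['comm']} exe={d['exe']} caller={d['caller']} "
              f"syscall_success={d['syscall_success']} object={d['target_name']}")
        print("   ", allow_rule(d))
```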
Powertop and SE Alert
by Rahul Sundaram
Hi
I get this advice when running powertop
---
Disable the SE-Alert software by removing the 'setroubleshoot-server'
rpm SE-Alert alerts you about SELinux policy violations, but also
has a bug that wakes it up 10 times per second.
---
Is this fixed or do I need to file a bug report?
Rahul
16 years, 9 months
Today's rawhide update
by Steve G
Hi,
FYI, got this updating today:
Cleanup : setools ####################### [14/22]
Cleanup : selinux-policy-targeted ####################### [15/22]
libsemanage.semanage_commit_sandbox: Error while renaming
/etc/selinux/targeted/modules/active to /etc/selinux/targeted/modules/previous.
/usr/sbin/semanage: Could not add SELinux user guest_u
libsemanage.semanage_commit_sandbox: Error while renaming
/etc/selinux/targeted/modules/active to /etc/selinux/targeted/modules/previous.
/usr/sbin/semanage: Could not add SELinux user xguest_u
Cleanup : policycoreutils ####################### [16/22]
-Steve
16 years, 9 months
Re: Containing vmware player 2.0.0 with SELINUX
by Louis Lam
Hi All,
Still on the topic of transition between a file vmware_exec_t to vmware_t.
Under the vmware.if file, there is a:
domain_entry_file($1_vmware_t, vmware_exec_t)
role $3 types $1_vmware_t
Is this a rule that allows files marked with vmware_exec_t to transit to vmware_t? What does the $1,$2,$3 represent? Pardon my ignorance on this but i see these $1, $2 things appear in a lot of places which confuse me. Can anyone point me to a place to learn more about the substitutions?
For the transition to take place I'd probably need to add something like this:
domain_auto_trans(initrc_t, vmware_exec_t, vmware_t)
That is following the suggestion below by Daniel to make the /usr/bin/vmplayer script initrc_exec_t.
But not too sure where to place this statement, in vmware.te?
I tried that but get a compilation error
vmware.te:13:ERROR: 'unknown type vmware_t' at token ';'
I thought vmware_t has been defined in vmware.if?
Thanks in Advance,
Best Regards,
Louis
----- Original Message ----
From: Daniel J Walsh <dwalsh(a)redhat.com>
To: Louis Lam <lshoujun(a)yahoo.com>
Cc: Ken YANG <spng.yang(a)gmail.com>; fedora-selinux-list(a)redhat.com
Sent: Monday, July 16, 2007 1:24:00 PM
Subject: Re: Containing vmware player 2.0.0 with SELINUX
Louis Lam wrote:
> Hi All,
>
> I managed to get the vmware host services e.g. vmnet-bridge, vmnet-dhcpd etc... to be running in
> vmware_host_t domain. I did it by modifying the net-services.sh as described in an earlier post.
>
> Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it is similar for vmware ws 6) to
> run in vmware_t domain. First i tried to chcon /usr/bin/vmplayer to
> system_u:object_r:vmware_exec_t. But it turns out that /usr/bin/vmplayer is a script that would in
> turn execute /usr/lib/vmware/bin/vmplayer. I have chcon /usr/lib/vmware/bin/vmplayer to
> system_u:object_r:vmware_exec_t but still it runs in unconfined_t when i launched it. It seems like
> the domain transition didn't take place. Please help.
>
> 1. What should be the context for the /usr/bin/vmplayer script? Does it affect the transition of
> the actual executable /usr/lib/vmware/bin/vmplayer?
>
> 2. For those who could get vmware workstation 6 to run how did you get it to run in vmware_t
> domain?
>
>
There is currently no transition from unconfined_t to vmware_t. So the
only way to get
the transition to happen is through the initrc script. You could label
the vmplayer script
initrc_exec_t and the transitions should happen properly.
> Thanks,
> Louis
>
> --- Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>
>
>> Ken YANG wrote:
>>
>>> Daniel J Walsh wrote:
>>>
>>>
>>>> Louis Lam wrote:
>>>>
>>>>
>>>>> Hi all,
>>>>>
>>>>> At this point i'm still trying to use SELINUX to "contain" vmware
>>>>> player, making it run in
>>>>> targeted mode.
>>>>>
>>>>> I'm still rather new to this but through the help of Ken, i've been
>>>>> able to manipulate modules and
>>>>> get it to "affect" the vmware player but at this point my vmware
>>>>> player is still "broken".
>>>>> Would anyone be able to share their configurations (.te,.fc,.if) file
>>>>> if you've managed to get it
>>>>> to work with vmware player or vmware-workstation 6 ? Currently i'm
>>>>> working with Fedora 7 but
>>>>> intend to port it back to RHEL 5.
>>>>>
>>>>> I've downloaded the latest reference policy from oss and examined the
>>>>> vmware relevant files. From
>>>>> examining the vmware.fc and
>>>>> "/etc/selinux/targeted/modules/active/file_context", seems like the
>>>>> vmware.fc file could have been written for an older/different version
>>>>> of vmware where the vmnet
>>>>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer
>>>>> 2/workstation 6. Which
>>>>> version was it written for?
>>>>>
>>>>>
>>>>>
>>>>>
>>>> There is vmware policy that we are starting to use in Rawhide (fc8)
>>>>
>>>>
>>>>> I went on to modify the vmware.fc file and managed to compile and load
>>>>> the vmware.pp module. But
>>>>> currently this affected the vmware services at startup, e.g.
>>>>> vmnet-dhcpd. For vmware, when
>>>>> something fails to start, it would ask me to run vmware-config.pl
>>>>> again when i restart it. Doing
>>>>> this would recreate the /dev/vmnet* files over again but it will not
>>>>> have the right context,
>>>>> defaulting to "device_t" instead of "vmware_device_t" that i have
>>>>> modified. The line in my
>>>>> vmware.fc looks like this:
>>>>>
>>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>>
>>>>> I was thinking that if the script has created a new /dev/vmnet file it
>>>>> would automatically use the
>>>>> vmware_device_t context but it didn't. Did i miss out anything?
>>>>>
>>>>>
>>>>>
>>>> The problem here is the script is running as initrc_t which has no rules
>>>> when creating devices in directories labeled device_t (/dev) So it uses
>>>> the default and labels the devices the same as the directory. Usually
>>>> when we have this situation, we just run restorecon /dev/XYZ after the
>>>> creation,
>>>> for example
>>>>
>>>> mknod /dev/XYZ
>>>> chmod 666 /dev/XYZ
>>>> restorecon /dev/XYZ
>>>>
>>>>
>>> as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh
>>> who create such devices:
>>>
>>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2
>>>
>>>
>>> i notice "/dev" is tmpfs:
>>>
>>> -(:14:45:$)-> cat /proc/mounts
>>> rootfs / rootfs rw 0 0
>>> /dev/root / ext3 rw,data=ordered 0 0
>>> /dev /dev tmpfs rw 0 0
>>> ......
>>>
>>> i want to add rules in policy:
>>>
>>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
>>>
>>> additionally i don't know what type of the net-services.sh, now it is:
>>>
>>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh
>>>
>>>
>>> is this method appropriate?
>>>
>>>
>>>
>>>
>>>
>>>
>>>>> What is the two "--" on the line mean? are they significant?
>>>>>
>>>>>
>>>>>
>>>> The -- indicates that this matches only files.
>>>>
>>>> -d directories
>>>> -s sock_file
>>>> -l link file
>>>> -c char_file
>>>> ...
>>>>
>>>> Second character matches the first character of the ls -l line
>>>>
>>>> ls -l /dev/ttyS0
>>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
>>>>
>>>> If you have no option specified it would match any file type.
>>>>
>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>
>>>>
>>>> Would match only "Regular files" with this labels. So you would be
>>>> better off with -c (or -b if they are block devices).
>>>>
>>>>
>>>>> Sorry about the long post, any help or advice? Thanks.
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>> One approach to this would be to label the /etc/init.d/vmware script
>> vmware_initrc_exec_t and then setup the proper transitions.
>>
>> This is something we are considering for RBAC. For example we want to
>> allow the webadm_t to be able to only restart/execute the httpd
>> script. Currently we have to allow him to execute any initrc script,
>> although we can prevent him from starting other confined domains.
>> A cleaner solution might be to label the script differently and setup
>> another domain for the script to transition to.
>>
>>
>
>
>
16 years, 9 months
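Daniel's explanation of the "--" column (quoted above and in the two earlier copies of this thread): the second column of a file_contexts entry limits the match to one file type, keyed to the first character of an `ls -l` line, and an entry with no such column matches any type. The following is an added example, not code from the posters or from libselinux: it parses `.fc` lines, expands `gen_context()` in the simplified way an MCS policy would, and resolves a path plus its `ls -l` type the way restorecon does, the last matching entry winning. The `/dev(/.*)?` line is refpolicy's default for /dev; the vmnet lines are Louis's as posted and then with Daniel's `-c` fix; the `ls -l` lines are constructed.

```python
"""Toy resolver for SELinux file_contexts entries, to show what the optional type
column (--, -c, -d, ...) changes when restorecon relabels a path."""
import re

# file_contexts type column -> first character of an `ls -l` line
TYPE_SPEC = {"--": "-", "-d": "d", "-c": "c", "-b": "b",
             "-s": "s", "-l": "l", "-p": "p"}
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dcbslp])\s+)?(\S+)$")
GEN_CONTEXT = re.compile(r"^gen_context\(([^,]+),(\w+)\)$")

# Constructed .fc fragment. The /dev(/.*)? line is refpolicy's default for /dev;
# the vmnet lines are Louis's as posted (regular files only, because of the --).
LOUIS_FC = """
/dev(/.*)?        gen_context(system_u:object_r:device_t,s0)
/dev/vmnet0  --   gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet1  --   gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet8  --   gen_context(system_u:object_r:vmware_device_t,s0)
"""
# The same entries with Daniel's fix: match character devices only.
FIXED_FC = LOUIS_FC.replace(" -- ", " -c ")


def expand_gen_context(ctx):
    """gen_context(u:r:t,s0) -> u:r:t:s0, the MCS/MLS expansion of the m4 macro
    (simplification: the level is always kept)."""
    m = GEN_CONTEXT.match(ctx)
    return f"{m.group(1)}:{m.group(2)}" if m else ctx


def parse_fc(text):
    """-> [(compiled path regex, ls type char or None for any type, context)]"""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"bad file_contexts line: {line!r}")
        path_re, spec, ctx = m.groups()
        entries.append((re.compile(path_re), TYPE_SPEC[spec] if spec else None,
                        expand_gen_context(ctx)))
    return entries


def ls_type_of(ls_line):
    """'crw-rw---- 1 root uucp 4, 64 ... /dev/ttyS0' -> ('c', '/dev/ttyS0')"""
    parts = ls_line.split()
    return parts[0][0], parts[-1]


def lookup(entries, path, ls_type):
    """Context for `path` whose type is `ls_type`. The path regex must match the
    whole path; the last matching entry wins, as in libselinux."""
    result = None
    for path_re, want_type, ctx in entries:
        if path_re.fullmatch(path) and want_type in (None, ls_type):
            result = ctx
    return result


def relabel(fc_text, ls_line):
    """What restorecon would assign to the object described by one `ls -l` line."""
    ls_type, path = ls_type_of(ls_line)
    return lookup(parse_fc(fc_text), path, ls_type)


if __name__ == "__main__":
    # Constructed ls -l line for the device vmware-config.pl recreates.
    vmnet0 = "crw------- 1 root root 119, 0 Jul 27 10:00 /dev/vmnet0"
    print("Louis's --  :", relabel(LOUIS_FC, vmnet0))  # falls back to device_t
    print("Daniel's -c :", relabel(FIXED_FC, vmnet0))  # vmware_device_t
```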