How does 'login' change MCS Category Access?
by Josh
Hello,
On page 509 of the RHEL manual, there's a note that states: "MCS category
access is assigned during login."
What is the mechanism that does this?
How can I assign MCS Category Access to an arbitrary Python script that is
run as a certain user from Crontab (without being 'logged in')?
Thanks,
-Josh
15 years, 7 months
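Where the note Josh quotes comes from, and how to get the same effect for a job that never logs in, as an added example that is not part of the thread: at login, pam_selinux builds the session context from the Linux-user to SELinux-user mapping in /etc/selinux/<policy>/seusers (maintained with `semanage login`), and the MLS/MCS range in that entry is where the categories come from. The Python below parses text in that format, derives the range a user is mapped to, builds the `runcon -l` command line that starts a script at that range without an interactive login, and implements the MCS dominance test so you can see which category-labelled files such a process could read. The seusers entries, category numbers and script path are constructed samples; the assumption that a cron job should carry the same range as the user's interactive session (what an SELinux-aware crond does by consulting the same mapping) is mine, not something the thread confirms. `chcat` and `semanage login -r` are the supported ways to change the mapping; this code only reads it.

```python
"""Where MCS categories come from at login, and how to give a cron job the same.

Added example for this thread, not code from the original post: it parses
text in the /etc/selinux/<policy>/seusers format, derives the MLS/MCS range
a Linux user is mapped to (the range pam_selinux puts in the session context
at login) and builds the runcon command line that starts a script at that
range without an interactive login. All sample data below is constructed.
"""
import re

# Constructed sample in seusers format (login:seuser:range); not a real file.
SAMPLE_SEUSERS = """\
# Linux login -> SELinux user mapping (constructed sample)
__default__:user_u:s0
root:root:s0-s0:c0.c1023
josh:staff_u:s0-s0:c5,c8.c10
"""

_CAT = re.compile(r"^c(\d+)(?:\.c(\d+))?$")

def parse_categories(spec):
    """'c5,c8.c10' -> frozenset({5, 8, 9, 10}); '' -> empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = _CAT.match(part)
        if not m:
            raise ValueError("bad category spec: %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if hi < lo:
            raise ValueError("descending category range: %r" % part)
        cats.update(range(lo, hi + 1))
    return frozenset(cats)

def parse_level(level):
    """'s0:c5,c8.c10' -> (0, frozenset({5, 8, 9, 10})); 's0' -> (0, frozenset())."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError("bad sensitivity: %r" % sens)
    return int(sens[1:]), parse_categories(cats)

def dominates(a, b):
    """MLS dominance: a >= b when its sensitivity is not lower and its
    category set is a superset of b's."""
    return a[0] >= b[0] and b[1] <= a[1]

def parse_range(rng):
    """'s0-s0:c0.c1023' -> (low, high); a single level is both low and high."""
    low, _, high = rng.partition("-")
    low_lvl = parse_level(low)
    high_lvl = parse_level(high) if high else low_lvl
    if not dominates(high_lvl, low_lvl):
        raise ValueError("high level must dominate low level: %r" % rng)
    return low_lvl, high_lvl

def format_level(level):
    """Inverse of parse_level; runs of two or more categories become cA.cB."""
    sens, cats = level
    out, run = [], []
    for c in sorted(cats) + [None]:
        if run and (c is None or c != run[-1] + 1):
            out.append("c%d" % run[0] if len(run) == 1 else "c%d.c%d" % (run[0], run[-1]))
            run = []
        if c is not None:
            run.append(c)
    return "s%d" % sens + (":" + ",".join(out) if out else "")

def lookup_seuser(seusers_text, login):
    """(seuser, low, high) for a login, falling back to the __default__ entry."""
    table = {}
    for line in seusers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, seuser, rng = line.split(":", 2)
        table[name] = (seuser, rng)
    seuser, rng = table.get(login, table["__default__"])
    low, high = parse_range(rng)
    return seuser, low, high

def can_read(process_range, file_level):
    """MCS file rule: the process's high level must dominate the file's level."""
    return dominates(process_range[1], file_level)

def runcon_command(seusers_text, login, script):
    """Command line that runs `script` at the login's full seusers range.
    Assumption: the cron job should carry the same range the user's
    interactive session would get."""
    _, low, high = lookup_seuser(seusers_text, login)
    rng = format_level(low) + ("-" + format_level(high) if high != low else "")
    return ["runcon", "-l", rng, "--", "/usr/bin/python", script]

if __name__ == "__main__":
    print(" ".join(runcon_command(SAMPLE_SEUSERS, "josh", "/home/josh/job.py")))
```

The printed line is what would go into the crontab entry; because runcon only narrows or sets the level within what the caller's context allows, the job's own user mapping (and crond's policy) still has to permit that range.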
SElinux beginner
by jihene tanneche
Which is a better distribution to learn SE Linux, Mandriva or Fedora Core?
Are there any problems compiling SELinux on Mandriva?
Thanks in advance
Re: Strict policy on FC6 and F7
by Louis Lam
Hi Dan,
I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm not too sure where to go and how to get the latest policy version. Do I take the latest policy version and remake the source RPM? Or are there pre-packaged RPMs that I can use to upgrade?
You didn't see this problem in RHEL 5? Do I need the local.te module if I use the "stock" RHEL 5? I tried switching to the strict policy in RHEL 5 and cannot log in as root. But I can log in as a normal user. Is it "normal" that this restriction be placed on root? Is the local.te trying to enable root login?
Thanks,
Louis
----- Original Message ----
From: Daniel J Walsh <dwalsh(a)redhat.com>
To: Louis Lam <lshoujun(a)yahoo.com>
Cc: shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp>; Hal <hal_bg(a)yahoo.com>; fedora-selinux-list(a)redhat.com; cpebenito(a)tresys.com
Sent: Friday, August 10, 2007 11:17:42 PM
Subject: Re: Strict policy on FC6 and F7
Louis Lam wrote:
> Hi,
>
> I'm still having problems compiling the local.te module. The problem
> I'm facing seems to be different from Hal's:
>
> --------------------
> local.te:11:ERROR 'permission nlsms_relay is not defined for class
> netlink_audit_socket' at token '
> ;' on line 80809:
> allow local_login_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr
> append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
> #line 11
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/local.mod] Error 1
> ---------------------
>
> My local.te file looks like this:
> -------------
> policy_module(local,1.0)
>
> require {
>
> type local_login_t;
> class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr getopt setopt write nlmsg_relay nlmsg_read create read };
> }
>
>
> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
>
> -------------
>
> Seems like the problem is with logging_set_loginuid macro. I'm not
> sure how to solve this problem though.
>
> BTW here are some details on my environment:
>
> 1. I'm using the stock policy for FC7 2.6.4-8
> 2. I did the compilation while running in targeted mode (will it affect?)
> 3. The macro logging_set_loginuid is defined in the file
> policy-20070501.patch
>
> Here is an extract of how logging_set_loginuid is defined in the patch :
>
> +########################################
> +## <summary>
> +## Set login uid
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_set_loginuid',`
> + gen_require(`
> + attribute can_set_loginuid;
> + attribute can_send_audit_msg;
> + ')
> +
> + typeattribute $1 can_set_loginuid, can_send_audit_msg;
> +
> + allow $1 self:capability audit_control;
> + allow $1 self:netlink_audit_socket { create_socket_perms
> nlmsg_read nlsms_relay };
> +')
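Review bot: the quoted interface carries the typo `nlsms_relay` for `nlmsg_relay` in the netlink_audit_socket rule; that is the permission checkmodule reports as undefined, so any policy build that includes this hunk unchanged fails the same way. The rule should read `{ create_socket_perms nlmsg_read nlmsg_relay }`.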
>
> Hope it helps in solving the problem...
>
> Thanks,
> Louis
I am not seeing this in RHEL5, FC6, F7 or F8. So are you sure you are
using the latest policy?
Re: apache2 failing to start
by Ubaidul Khan
Ken,
Thank you for your response.
>you can first use execstack to check whether your program really need
>executable stack(you must have prelink firstly):
I checked to see if the library requires an executable stack and execstack
returns unknown (? - when it is unknown whether the object requires or
doesn't require an executable stack).
# execstack -q libclntsh.so.10.1
? libclntsh.so.10.1
I don't think it was prelinked since these libraries are distributed by
Oracle as binary files (all I did was download the archive from Oracle's
website and extract it into /opt/oracle/app/instant-client-10.1). Then
I downloaded the php-5.1.6-11 SRPM and linked against the OCI libraries in
the following manner:
configure \
--with-oci8=instantclient,/opt/oracle/app/instant-client-10.1/
>i wonder why is your libraries usr_t, not lib_t, if your libs are lib_t,
>httpd_t can execute those files
I think this happened because I made the directory path
/opt/oracle/app/instant-client-10.1/ as root. This path inherited the
default context. I imagine it would be more sensible to store the libraries
in /usr/lib or /usr/lib64.
I am still puzzled by the executable stack dilemma. I noticed this goes
away when I disable SELinux (setenforce 0).
Look forward to your correspondence.
>From: Ken YANG <spng.yang(a)gmail.com>
>To: Ubaidul Khan <ukhanlists(a)hotmail.com>
>CC: fedora-selinux-list(a)redhat.com
>Subject: Re: apache2 failing to start
>Date: Fri, 03 Aug 2007 13:10:27 +0800
>
>Ubaidul Khan wrote:
> > Hello,
> >
> > We are running RHEL 5 x86_64 and I compiled php from Source RPM, so I
> > could link php with Oracle Instant Client Libraries(oci). OCI is
> > installed under /opt with the following contexts:
> >
> > # ls -lZ
> > drwxr-xr-x root root system_u:object_r:usr_t oracle
> >
> > [root@saleen_webvm1 instant-client-10.1]# pwd
> > /opt/oracle/app/instant-client-10.1
> > [root@saleen_webvm1 instant-client-10.1]# ls -alZ
> > drwxr-xr-x root root system_u:object_r:usr_t .
> > drwxr-xr-x root root system_u:object_r:usr_t ..
> > -rw-r--r-- root root system_u:object_r:usr_t classes12.jar
> > drwxr-xr-x root root system_u:object_r:usr_t docs
> > -rw-r--r-- root root system_u:object_r:usr_t glogin.sql
> > lrwxrwxrwx root root system_u:object_r:usr_t libclntsh.so
> > -rwxr-xr-x root root system_u:object_r:usr_t libclntsh.so.10.1
> > -rwxr-xr-x root root system_u:object_r:usr_t libnnz10.so
> > lrwxrwxrwx root root system_u:object_r:usr_t libocci.so
> > -rwxr-xr-x root root system_u:object_r:usr_t libocci.so.10.1
> > -rwxr-xr-x root root system_u:object_r:usr_t libociei.so
> > -rwxr-xr-x root root system_u:object_r:usr_t libocijdbc10.so
> > -rwxr-xr-x root root system_u:object_r:usr_t libsqlplus.so
> > -rw-r--r-- root root system_u:object_r:usr_t ojdbc14.jar
> > -rw-r--r-- root root system_u:object_r:usr_t README_IC.htm
> > drwxr-xr-x root root system_u:object_r:usr_t sdk
> > -rwxr-xr-x root root system_u:object_r:usr_t sqlplus
> > -rw-r--r-- root root system_u:object_r:usr_t tnsnames.ora
> >
> > When I try to start apache, I get some errors in audit.log and apache
> > fails to start.
> >
> > type=AVC msg=audit(1186086032.546:60): avc: denied { execstack } for
> > pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0
> > tcontext=user_u:system_r:httpd_t:s0 tclass=process
> > type=SYSCALL msg=audit(1186086032.546:60): arch=c000003e syscall=10
> > success=no exit=-13 a0=7fff9c992000 a1=1000 a2=1000007 a3=4 items=0
> > ppid=2851 pid=2852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> > subj=user_u:system_r:httpd_t:s0 key=(null)
> > type=AVC msg=audit(1186088202.755:61): avc: denied { execute } for
> > pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819
> > scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0
> > tclass=file
> > type=SYSCALL msg=audit(1186088202.755:61): arch=c000003e syscall=9
> > success=no exit=-13 a0=0 a1=ec0b08 a2=5 a3=802 items=0 ppid=2880
> > pid=2881 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> > subj=user_u:system_r:httpd_t:s0 key=(null)
> > type=AVC_PATH msg=audit(1186088202.755:61):
> > path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"
> >
> > audit2allow is telling me to add the following rules:
> >
> > # audit2allow < audit.log
> > allow httpd_t self:process execstack;
> > allow httpd_t usr_t:file execute;
> >
> > My question/concerns are the following:
> >
> > 1. What risks do I incur by making the process stack executable?
>
>it will incur a security risk, such as buffer overflow.
>Stack memory is not executable on most OSes these days, and
>will not change.
>
>you can first use execstack to check whether your program
>really needs an executable stack (you must have prelink installed first):
>
>for example:
>
>#execstack -q /usr/lib/vmware/lib/libart_lgpl_2.so.2/libart_lgpl_2.so.2
>X libart_lgpl_2.so.2
>
>and use execstack to remove the p_flags field of PT_GNU_STACK header
>entry, and run program to see whether it really need stack to be
>executable:
>
>execstack -c libart_lgpl_2.so.2
>
>if yes, you can also use a boolean to allow the stack to be executed:
>
>setsebool [-P] allow_execstack 1
>
>this will make all program stacks executable, and there are also:
>
>allow_java_execstack,allow_mplayer_execstack
>
>using these booleans, you will not need to write policy for an executable
>stack.
>
>
> > 2. If I am reading the second rule correctly, its asking to allow
> > httpd_t to execute user_t files?
>
>I wonder why your libraries are usr_t, not lib_t; if your libs are
>lib_t, httpd_t can execute those files
>
> >
> > Thanks for your help
> >
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
>
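The check Ken describes, as an added example written for this page rather than code from the thread or from the prelink package: `execstack -q` only reads the PT_GNU_STACK program header, so the same answer can be taken straight from the ELF headers on a box where prelink is not installed. The Python below reports the same letters as execstack (X, -, ?), clears the PF_X bit the way `execstack -c` does, and builds minimal ELF64 images as constructed test inputs (they are not Oracle's libraries). The `?` Ubaidul got means libclntsh.so.10.1 carries no PT_GNU_STACK header at all; on x86 and x86_64 the dynamic loader then makes the stack executable, which is the mprotect call (syscall 10 on x86_64, a2=0x1000007 = PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) that the first AVC record shows being denied. Adding a missing header is left to execstack or the linker; this code only flips the bit when the header is present.

```python
"""Query and clear the executable-stack flag of an ELF object.

Added example, not code from the thread or from the execstack tool. It reads
the PT_GNU_STACK program header that `execstack -q` reports on and drops
PF_X from it the way `execstack -c` does. The ELF images it builds for
demonstration are constructed minimal files, not real shared libraries.
"""
import struct

PT_GNU_STACK = 0x6474E551   # p_type of the GNU stack-permissions header
PF_X = 0x1                  # executable bit in p_flags

def _layout(data):
    """(endian, e_phoff, e_phentsize, e_phnum, offset of p_flags inside a phdr)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:       # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4       # Elf64_Phdr: p_type, p_flags, p_offset, ...
    elif ei_class == 1:     # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24      # Elf32_Phdr: ..., p_memsz, p_flags, p_align
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    return end, phoff, phentsize, phnum, flags_off

def _gnu_stack_flags_pos(data):
    """(endian, file offset of PT_GNU_STACK's p_flags) or (endian, None)."""
    end, phoff, phentsize, phnum, flags_off = _layout(data)
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            return end, base + flags_off
    return end, None

def query_execstack(data):
    """Same letters as `execstack -q`: X executable, - not, ? no PT_GNU_STACK."""
    end, pos = _gnu_stack_flags_pos(data)
    if pos is None:
        return "?"
    flags, = struct.unpack_from(end + "I", data, pos)
    return "X" if flags & PF_X else "-"

def clear_execstack(data):
    """Copy of the object with PF_X dropped from PT_GNU_STACK (`execstack -c`).
    An object without the header is returned unchanged: on x86 the loader
    treats a missing header as a request for an executable stack, so such
    objects need the header added, not just a bit cleared."""
    end, pos = _gnu_stack_flags_pos(data)
    if pos is None:
        return bytes(data)
    out = bytearray(data)
    flags, = struct.unpack_from(end + "I", out, pos)
    struct.pack_into(end + "I", out, pos, flags & ~PF_X)
    return bytes(out)

def make_elf64(stack_flags=None):
    """Constructed little-endian ELF64 ET_DYN image: header plus, when
    stack_flags is given, a single PT_GNU_STACK program header."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    phdr = b""
    if phnum:
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    for name, img in [("rwx", make_elf64(7)), ("rw", make_elf64(6)), ("none", make_elf64())]:
        print(query_execstack(img), name, "-> after clear:", query_execstack(clear_execstack(img)))
```

To use it on a real file, read the library into `data` and call `query_execstack`; write the result of `clear_execstack` to a copy and test the application against that copy. If it runs, the library never needed the executable stack and neither the allow_execstack boolean nor an `allow httpd_t self:process execstack;` rule is required. The second denial in the thread (execute on usr_t) is a labeling problem rather than a policy gap: `semanage fcontext -a -t lib_t '/opt/oracle/app/instant-client-10.1(/.*)?'` followed by `restorecon -Rv /opt/oracle` gives the files the lib_t type httpd_t may already map.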
Re: SElinux beginner
by jihene tanneche
Thanks Mark, have you ever written any policies and tested them?
----- Original Message ----
From: Mark <elihusmails(a)gmail.com>
To: jihene tanneche <jihene_tanneche(a)yahoo.fr>
Cc: fedora-selinux-list(a)redhat.com
Sent: Monday, 13 August 2007, 14:40:30
Subject: Re: SElinux beginner
I am fairly new to SE Linux as well, and all indications I have received are that Fedora Core is the best distribution to use.
--
..Cheers
Mark
On 8/13/07, jihene tanneche <jihene_tanneche(a)yahoo.fr> wrote:
Which is a better distribution to learn SE Linux, Mandriva or Fedora Core?
Are there any problems compiling SELinux on Mandriva?
Thanks in advance
Freeciv 2.0.8
by Temlakos
Everyone:
Would SELinux interfere with Freeciv?
Freeciv works in single-player mode primarily by starting its own server
process and connecting to it. But when I try to start a Freeciv client,
I get this message:
> Starting server...
> Couldn't connect to the server.
> We probably couldn't start it from here.
> You'll have to start one manually. Sorry....
Then when I /do/ try to start a Freeciv server manually, and load a
game, I can't connect. When I try to use Freeciv's client to "connect to
a network game"--well, I see a few games out on the Internet, but /none/
in my "Local Area Network."
When I run Freeciv on a Windows box--no problem at all.
What might be the issue? Actually, I tried disabling SELinux, and then
running Freeciv right away. No joy. (Whenever I process updates to
selinux-policy and selinux-policy-targeted, I always disable SELinux,
process the update, re-enforce SELinux, and restart the system for
relabeling.)
It's either some obscure element of SELinux, or it's the kernel. I don't
even know how to go about diagnosing it.
I would appreciate any suggestion. I know it's "just a game," but
anything that interferes with a game, might also interfere with a
business or professional application that I might try to develop, that
needs to do something similar.
Temlakos
Re: Strict policy on FC6 and F7
by Louis Lam
Hi,
I'm still having problems compiling the local.te module. The problem I'm facing seems to be different from Hal's:
--------------------
local.te:11:ERROR 'permission nlsms_relay is not defined for class netlink_audit_socket' at token '
;' on line 80809:
allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr write setattr
append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
#line 11
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
---------------------
My local.te file looks like this:
-------------
policy_module(local,1.0)
require {
type local_login_t;
class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr getopt setopt write nlmsg_relay nlmsg_read create read };
}
logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
-------------
Seems like the problem is with logging_set_loginuid macro. I'm not sure how to solve this problem though.
BTW here are some details on my environment:
1. I'm using the stock policy for FC7 2.6.4-8
2. I did the compilation while running in targeted mode (will it affect?)
3. The macro logging_set_loginuid is defined in the file policy-20070501.patch
Here is an extract of how logging_set_loginuid is defined in the patch :
+########################################
+## <summary>
+## Set login uid
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_set_loginuid',`
+ gen_require(`
+ attribute can_set_loginuid;
+ attribute can_send_audit_msg;
+ ')
+
+ typeattribute $1 can_set_loginuid, can_send_audit_msg;
+
+ allow $1 self:capability audit_control;
+ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };
+')
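Review bot: `nlsms_relay` in the netlink_audit_socket rule is a typo for `nlmsg_relay`; netlink_audit_socket has no permission by that name, so checkmodule rejects every module that calls logging_set_loginuid, with exactly the error quoted above. The require block in local.te already spells nlmsg_relay correctly, so the fix belongs in the interface, not in local.te: change the rule to `allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_relay };`.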
Hope it helps in solving the problem...
Thanks,
Louis
----- Original Message ----
From: shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp>
To: Hal <hal_bg(a)yahoo.com>; fedora-selinux-list(a)redhat.com; cpebenito(a)tresys.com
Sent: Wednesday, August 8, 2007 5:55:49 PM
Subject: Re: Strict policy on FC6 and F7
I think F7 strict policy is broken.
Let's wait for a while until SELinux guys fix it.
I decided to play with FC6 this time.
On Wed, 2007-08-08 at 14:43 -0700, Hal wrote:
> Authentication failed again :(
> but meanwhile I have checked Firefox on the strict policy on FC7; it does not work.
>
> --- shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp> wrote:
>
> > 2007-08-08 (æ°´) ã® 13:32 -0700 ã« Hal ã•ã‚“ã¯æ›¸ãã¾ã—ãŸ:
> > > Well
> > > I manged to compile the module, but
> > > it does not work for me.
> > > Compiled,loaded,set enforcing and: "authentication failed" again.
> > >
> > > I do not know if I am stupid, but I can not get a long with this Selinux...
> >
> > >
> > > Does this module work for you guys????
> > >
> > > hal
> > >
> > > --- "Christopher J. PeBenito" <cpebenito(a)tresys.com> wrote:
> > >
> > > > On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
> > > > > I have tried with
> > > > > logging_send_audit_msgs(local_login_t)
> > > > >
> > > > > But still:
> > > > > [root@localhost hal]# make -f /usr/share/selinux/devel/Makefile
> > local.pp
> > > > > Compiling strict local module
> > > > > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> > > > > local.te:9:ERROR 'unknown class capability used in rule' at token ';'
> > on
> > > > line
> > > > > 81105:
> > > > > #line 9
> > > > > allow local_login_t self:capability audit_write;
> > Because we did not write
> >
> > class capability { audit_write };
> >
> > in the require braces.
> >
> > Write it and try again.
> > Did you make it?
> >
> >
> > As a matter of fact, I have another problem with the strict policy.
> > I ended up breaking F7 altogether by eliminating libselinux with --nodeps.
> > Now I'm trying to upgrade FC6 to F7.
> > You can upgrade FC6 to F7, if you are tired of your process on F7.
> > Do not stop trying the strict policy. Never surrender.
> > It's rewarding, and the SELinux guys will guide you to the right place.
> >
> >
> > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > make: *** [tmp/local.mod] Error 1
> > > > >
> > > > > I really have no idea what all this means.
> > > > > There is no "allow" anywhere in local.te, if it is in these macros at the
> > end...
> > > > > Do I need to install the policy source and edit it?
> > > >
> > > > It is in the interface. You need to change this:
> > > >
> > > > > > > module local 1.0;
> > > >
> > > > to this:
> > > >
> > > > policy_module(local,1.0)
> > > >
> > > > It will automatically require all of the kernel object classes.
> > > >
> > > > --
> > > > Chris PeBenito
> > > > Tresys Technology, LLC
> > > > (410) 290-1411 x150
> > > >
> > > >
> > >
> > >
> > >
> > >
> >
> > >
> >
> >
>
>
>
>
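Why the build fails, and a check that would have caught it before checkmodule, as an added example that is not part of the thread and not a Tresys or Fedora tool: every permission named in an allow rule must exist in the class's access vector, and in the quoted interface `nlsms_relay` does not (the permission is `nlmsg_relay`, which Louis's own require block spells correctly). The Python below expands the reference-policy `create_socket_perms` set the way the error message shows and checks each permission against a table of access vectors. The table is a constructed excerpt covering only the two classes used here; to check a whole module, load the class definitions from policy/flask/access_vectors in the policy sources instead. Rules spread over several lines are not handled.

```python
"""Lint the permissions used in .te allow rules against class definitions.

Added example for this thread, not part of any message and not a Tresys or
Fedora tool. It expands the reference-policy permission-set macros and
reports every permission checkmodule would reject as "not defined for
class". ACCESS_VECTORS is a constructed excerpt, not the full flask table.
"""
import re

# Constructed excerpt of policy/flask/access_vectors for the two classes used
# by the logging_set_loginuid interface quoted in the thread.
_SOCKET_COMMON = {
    "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
    "relabelfrom", "relabelto", "append", "bind", "connect", "listen",
    "accept", "getopt", "setopt", "shutdown", "recvfrom", "sendto",
    "recv_msg", "send_msg", "name_bind",
}
ACCESS_VECTORS = {
    "netlink_audit_socket": _SOCKET_COMMON | {
        "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv"},
    "capability": {
        "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
        "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
        "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
        "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
        "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
        "sys_tty_config", "mknod", "lease", "audit_write", "audit_control"},
}

# Permission sets from reference policy's obj_perm_sets.spt (the expansion
# checkmodule printed in the error message is exactly create_socket_perms).
PERM_SETS = {
    "rw_socket_perms": "{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }",
    "create_socket_perms": "{ create rw_socket_perms }",
}

# Body of logging_set_loginuid as quoted in the thread, '+' diff markers
# stripped; line 2 carries the typo checkmodule complains about.
SAMPLE_BODY = """\
allow $1 self:capability audit_control;
allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };
"""

_RULE = re.compile(
    r"^\s*(allow|dontaudit|auditallow)\s+(\S+)\s+(\S+?):(\w+)\s+(.*?)\s*;\s*$")

def expand_perms(text, depth=0):
    """Flatten '{ a { b c } }' and named permission sets into a set of names."""
    if depth > 10:
        raise ValueError("permission-set expansion too deep")
    perms = set()
    for tok in text.replace("{", " ").replace("}", " ").split():
        if tok in PERM_SETS:
            perms |= expand_perms(PERM_SETS[tok], depth + 1)
        else:
            perms.add(tok)
    return perms

def lint(te_source):
    """[(line_no, class, perm)] for each permission unknown to its class;
    perm is None when the class itself is not in ACCESS_VECTORS.
    Only single-line rules are recognised."""
    problems = []
    for n, line in enumerate(te_source.splitlines(), 1):
        m = _RULE.match(line)
        if not m:
            continue
        cls, perm_text = m.group(4), m.group(5)
        known = ACCESS_VECTORS.get(cls)
        if known is None:
            problems.append((n, cls, None))
            continue
        for p in sorted(expand_perms(perm_text)):
            if p not in known:
                problems.append((n, cls, p))
    return problems

if __name__ == "__main__":
    for n, cls, perm in lint(SAMPLE_BODY):
        print("line %d: permission %r is not defined for class %s" % (n, perm, cls))
```

With the interface corrected (or, as a local workaround, the two allow rules written directly into local.te instead of calling the interface), the module builds with the `make -f /usr/share/selinux/devel/Makefile local.pp` command used earlier in the thread and loads with `semodule -i local.pp`.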
Re: beginner to SE Linux policy
by Elihu Smails
Thanks for the help. I just want to become more familiar with SE Linux and
understand the context of the te, fc, if, etc. files and how I can modify
them so that my programs are more secure. There just seems to be a lot of
information that may or may not be related in order to help me. For
instance, there are the seedit tools, SLIDE and Red Hat tools available.
Also, which is a better distribution to learn SE Linux, CentOS or Fedora
Core?
I am an application developer who really just needs to learn how to write
policies for the programs I am developing. Things like policies, domains
and domain transition are important areas I really want to learn.
Thanks for the help.
PS. I ordered SE Linux by Example yesterday!
--
..Cheers
Mark
On 7/28/07, shahbaz khan <shazalive(a)gmail.com> wrote:
>
> Mark
>
> SELinux by Example is the best answer to your stated problem. NSA documents
> will give you a good background because things have been changing a lot. Do not
> miss Tresys' reference policy and policy management server. You can get more
> info about it from Tresys' website. Once you start to get acquainted with
> SELinux this mailing list will be more useful to you. Also join the fedora selinux
> mailing list.
>
> I am not sure which policy analysis tool will be more useful to you. Why
> don't you write a more specific question to this list w.r.t. policy analysis
> tools. You might get good answers from SELinux by Example.
>
> Shaz.
>
>
>
>
> On 7/28/07, Mark <elihusmails(a)gmail.com> wrote:
> >
> > I have seen programs that will help me to edit and analyze SE Linux
> > policies. What I am interested in is a resource that will help me
> > understand what a policy does and how to write them. At least for me,
> > learning at the code level and not using GUI tools helps me to understand
> > things better.
> >
> > So what resources are out there for me to start looking at?
> >
> > Thanks in advance.
> > Mark
> >
>
>
failed to load policy
by Michael Thomas
I've got a policy that I built according to the packaging guidelines[1]
that has been working fine for me for FC6 and F7. But today when I
rebuilt the package and installed on rawhide, semodule fails to load the
module:
# semodule -s targeted -i /usr/share/selinux/targeted/xpilotd.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Has something changed in Rawhide that I need to reflect in the way I
build/load the module, or should I file a bugzilla on this?
--Wart
[1]http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
avc denied for /sbin/rpc.statd
by Pedro Lamarão
I got this today while updating an FC7 system.
avc: denied { search } for comm="rpc.statd" dev=dm-0 egid=0 euid=0
exe="/sbin/rpc.statd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="sbin"
pid=7791 scontext=system_u:system_r:rpcd_t:s0 sgid=0
subj=system_u:system_r:rpcd_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0
avc: denied { search } for comm="rpc.statd" egid=0 euid=0
exe="/sbin/rpc.statd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=7790
scontext=system_u:system_r:rpcd_t:s0 sgid=0
subj=system_u:system_r:rpcd_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:sysctl_fs_t:s0 tty=(none) uid=0
--
Pedro Lamarão
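A triage helper for records like these, and for the httpd denials earlier on this page, added here as example code that is not part of either message and is not audit2allow itself: the kernel's "avc: denied" line and audit.log's `type=AVC msg=audit(...)` line carry the same key=value fields, so one parser serves both, and grouping by (source type, target type, class) yields the allow rules audit2allow would print. Whether to load such a rule is a separate decision; the httpd thread shows one denial that is really a labeling problem and one that an executable-stack check resolves. The sample records are the four from this page, re-joined onto single lines.

```python
"""Group AVC denials and derive the allow rules audit2allow would suggest.

Added example, not part of any message on this page and not audit2allow
itself. One parser handles both the syslog/dmesg form ("avc: denied { ... }
for comm=...") and the audit.log form ("type=AVC msg=audit(...): avc:
denied ..."), since both carry the same key=value fields.
"""
import re
from collections import defaultdict

# The four denials from this page, re-joined onto single lines.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1186086032.546:60): avc: denied { execstack } for pid=2852 '
    'comm="httpd" scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=user_u:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1186088202.755:61): avc: denied { execute } for pid=2881 '
    'comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'avc: denied { search } for comm="rpc.statd" dev=dm-0 egid=0 euid=0 '
    'exe="/sbin/rpc.statd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="sbin" pid=7791 '
    'scontext=system_u:system_r:rpcd_t:s0 sgid=0 subj=system_u:system_r:rpcd_t:s0 '
    'suid=0 tclass=dir tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0',
    'avc: denied { search } for comm="rpc.statd" egid=0 euid=0 exe="/sbin/rpc.statd" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=7790 '
    'scontext=system_u:system_r:rpcd_t:s0 sgid=0 subj=system_u:system_r:rpcd_t:s0 '
    'suid=0 tclass=dir tcontext=system_u:object_r:sysctl_fs_t:s0 tty=(none) uid=0',
]

_AVC = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}\s+for\s+(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Dict with 'perms' (set) plus every key=value field after 'for',
    quotes stripped; None when the line is not a complete AVC denial."""
    m = _AVC.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group(2))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    fields["perms"] = set(m.group(1).split())
    return fields

def type_of(context):
    """Third field of a context is the type: user_u:system_r:httpd_t:s0 -> httpd_t."""
    return context.split(":")[2]

def summarize(lines):
    """{(source type, target type, class): frozenset(perms)} over all denials."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return {k: frozenset(v) for k, v in rules.items()}

def allow_rules(lines):
    """The allow rules audit2allow would print for these denials, sorted."""
    out = []
    for (src, tgt, cls), perms in sorted(summarize(lines).items()):
        target = "self" if src == tgt else tgt
        plist = sorted(perms)
        pstr = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        out.append("allow %s %s:%s %s;" % (src, target, cls, pstr))
    return out

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_RECORDS):
        print(rule)
```

Feed it `ausearch -m avc` or `grep avc /var/log/messages` output one line per record; the name= and path= fields kept in the parsed dict are what tell you whether a denial is a missing rule or, as with the usr_t library above, a file that simply has the wrong label.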