[RFC] change policy loading to initramfs
by Bill Nottingham
We're looking to move to a different init system in Fedora - the
current work is going to be around upstart, most likely. upstart
does not have native code for loading the SELinux policy.
We could modify every possible init to load the policy... but
that would be painful. So we might as well move to having the
policy loaded from the initramfs. The attached patches are the
first quick cut at doing that.
The main patch is for mkinitrd/nash; there's a short patch for the
current init, as it will abort if policy is already loaded. We
can't actually remove the code from init to load the policy, as
there will always be older initramfses.
Comments? Ideas for different ways to do this? It's sort of ugly
with fork and chroot(), but to avoid that we'd have to reimplement
most, if not all, of libselinux's policy loading code directly.
Bill
16 years, 3 months
Nother selinux denial to be dealt with.
by Gene Heskett
Greetings;
Verizon makes life a bitch by violating common carrier rules when they block
port 80 to keep their customers from running a web server. But port 85
appears to be an unassigned port, and I have successfully used it to test when
selinux, privoxy and squid were not running. Now they are, and an attempted
connect to http://gene.homelinux.net:85 now gets a 503 cuz selinux denies it.
As saved from setroubleshooter:
=================
Summary:
SELinux is preventing the privoxy(/usr/sbin/privoxy) (privoxy_t) from connecting to port 85.
Detailed Description:
SELinux has denied the privoxy(/usr/sbin/privoxy) from connecting to a network port 85 which does not have an SELinux type associated with it. If privoxy(/usr/sbin/privoxy) is supposed to be allowed to connect on this port, you can use the semanage command to add this port to a port type that privoxy_t can connect to. semanage port -L will list all port types. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy package. If privoxy(/usr/sbin/privoxy) is not supposed to bind to this port, this could signal a intrusion attempt.
Allowing Access:
If you want to allow privoxy(/usr/sbin/privoxy) to connect to this port semanage port -a -t PORT_TYPE -p PROTOCOL 85 Where PORT_TYPE is a type that privoxy_t can connect.
Additional Information:
Source Context system_u:system_r:privoxy_t:s0
Target Context system_u:object_r:reserved_port_t:s0
Target Objects None [ tcp_socket ]
Source privoxy(/usr/sbin/privoxy)
Port 85
Host coyote.coyote.den
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.0.8-76.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name connect_ports
Host Name coyote.coyote.den
Platform Linux coyote.coyote.den 2.6.24-rc8 #2 SMP Wed Jan 16 22:47:57 EST 2008 i686 athlon
Alert Count 4
First Seen Tue 22 Jan 2008 10:10:07 AM EST
Last Seen Tue 22 Jan 2008 10:11:16 AM EST
Local ID 748d1fcf-28fe-4b1b-87c3-40a0b272393d
Line Numbers
Raw Audit Messages
host=coyote.coyote.den type=AVC msg=audit(1201014676.609:434): avc: denied { name_connect } for pid=14357 comm="privoxy" dest=85 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
host=coyote.coyote.den type=SYSCALL msg=audit(1201014676.609:434): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=b67366e0 a2=b6736798 a3=0 items=0 ppid=1 pid=14357 auid=4294967295 uid=73 gid=73 euid=73 suid=73 fsuid=73 egid=73 sgid=73 fsgid=73 tty=(none) comm="privoxy" exe="/usr/sbin/privoxy" subj=system_u:system_r:privoxy_t:s0 key=(null)
==================
What can I do to allow this? The above isn't precise enough for me to go stumbling around.
2nd, do these mailing lists echo each other? If so, sorry about hitting both.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Real Users hate Real Programmers.
16 years, 3 months
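As an added illustration for the privoxy denial above (this is not code from the post or from any reply): setroubleshoot says port 85 has no port type of its own, which is why the kernel labelled it with the catch-all reserved_port_t. The Python below reads a listing in the column layout that `semanage port -l` prints (SAMPLE_LISTING is a constructed excerpt, not output from a real host), reports which types cover a given port, and composes the semanage command from the thread's "Allowing Access" text. The PORT_TYPE used here, http_port_t, is only an assumed placeholder; the right choice is a type that privoxy_t is actually allowed to name_connect to, which sesearch from setools can confirm against the loaded policy.

```python
"""Find which SELinux port type covers a port and build the semanage fix.

Added example for the privoxy/port 85 thread; not code from the thread.
SAMPLE_LISTING is a constructed excerpt in the column layout of
`semanage port -l`, not output captured from a real host.
"""
import re

SAMPLE_LISTING = """\
SELinux Port Type              Proto    Port Number

ftp_port_t                     tcp      21
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
squid_port_t                   tcp      3128
xserver_port_t                 tcp      6000-6020
"""

# type, protocol, then a comma-separated list of single ports and low-high ranges
LINE_RE = re.compile(r"^(\S+)\s+(tcp|udp)\s+(.+?)\s*$")


def parse_port_listing(text):
    """Return (type, proto, low, high) tuples, one per port or range."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or anything not in the expected shape
        ptype, proto, ports = m.groups()
        for item in ports.split(","):
            item = item.strip()
            if "-" in item:
                low, high = (int(x) for x in item.split("-", 1))
            else:
                low = high = int(item)
            entries.append((ptype, proto, low, high))
    return entries


def port_types_for(entries, port, proto):
    """Every type whose definition covers (port, proto); empty if none does."""
    return sorted({t for t, p, low, high in entries
                   if p == proto and low <= port <= high})


def fallback_port_type(port):
    """Label the kernel uses for a port no definition covers, which is what
    the AVC in the thread shows for port 85: reserved_port_t below 1024 and
    port_t above (targeted policy of that era; later policies split further)."""
    return "reserved_port_t" if port < 1024 else "port_t"


def suggest(entries, port, proto, wanted_type):
    """Compose the semanage command that labels the port as wanted_type.

    wanted_type is the caller's assumption: it must be a type the source
    domain (privoxy_t in the thread) is allowed to name_connect to.
    """
    current = port_types_for(entries, port, proto)
    if wanted_type in current:
        return None  # already labelled that way, nothing to do
    if current:
        # Already owned by another type: -a is refused, so modify it instead.
        return f"semanage port -m -t {wanted_type} -p {proto} {port}"
    return f"semanage port -a -t {wanted_type} -p {proto} {port}"


if __name__ == "__main__":
    entries = parse_port_listing(SAMPLE_LISTING)
    for port in (80, 85, 3128):
        covered = port_types_for(entries, port, "tcp") or [fallback_port_type(port)]
        print(port, covered, suggest(entries, port, "tcp", "http_port_t"))
```

On a real host, feed the output of `semanage port -l` into parse_port_listing instead of the sample. The -a versus -m distinction matters in practice: a port that already belongs to another type (3128 to squid_port_t in the sample) cannot simply be added a second time, and moving it changes what every other domain may do with that port, so check who else relies on the existing label before modifying it.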
SELinux is preventing dbus-daemon(/bin/dbus-daemon) (system_dbusd_t) "read" to <Unknown> (inotifyfs_t).
by Antonio Olivares
Dear all,
as of yesterday's updates, I get a bunch of
dbus-daemon denials, the cpu went to 99-100% during
the update and running top showed dbus-daemon to be up
there causing trouble. When I rebooted the machine,
Selinux caught the act which is summarized below.
Thanks,
Antonio
Summary:
SELinux is preventing dbus-daemon(/bin/dbus-daemon) (system_dbusd_t) "read" to <Unknown> (inotifyfs_t).
Detailed Description:
SELinux denied access requested by dbus-daemon(/bin/dbus-daemon). It is not expected that this access is required by dbus-daemon(/bin/dbus-daemon) and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown> If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:system_dbusd_t
Target Context system_u:object_r:inotifyfs_t
Target Objects None [ dir ]
Source dbus-daemon(/bin/dbus-daemon)
Port <Unknown>
Host localhost
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.2.5-12.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost
Platform Linux localhost 2.6.24-0.155.rc7.git6.fc9 #1 SMP Tue Jan 15 17:52:31 EST 2008 i686 athlon
Alert Count 1026
First Seen Mon 21 Jan 2008 07:18:32 AM CST
Last Seen Mon 21 Jan 2008 07:19:08 AM CST
Local ID 4b1ce20c-c683-40fb-a014-85dbe8d69052
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1200921548.546:1057): avc: denied { read } for pid=1898 comm="dbus-daemon" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
host=localhost type=SYSCALL msg=audit(1200921548.546:1057): arch=40000003 syscall=3 success=no exit=-13 a0=5 a1=bfae1fe0 a2=10 a3=b8608508 items=0 ppid=1 pid=1898 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
16 years, 3 months
wpa_supplicant, NetworkManager_t & inotifyfs_t AVC
by Tom London
Running latest rawhide, targeted/enforcing (selinux-policy-3.2.5-12.fc9).
Notice the following AVC in audit.log
type=AVC msg=audit(1200767626.005:18): avc: denied { read } for pid=2725 comm="wpa_supplicant" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1200767626.005:18): arch=40000003 syscall=11 success=yes exit=0 a0=8619fd8 a1=8619c78 a2=8619008 a3=de799c items=0 ppid=2724 pid=2725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=ANOM_ABEND msg=audit(1200767646.778:19): auid=4294967295 uid=42 gid=42 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 pid=2742 comm="dbus-launch" sig=6
#============= NetworkManager_t ==============
allow NetworkManager_t inotifyfs_t:dir read;
Appears to be generated before gdm login; sort of looks like when
NetworkManager is started by init.
Not exactly sure where to BZ..... wpa_supplicant? NetworkManager? inotify?
tom
--
Tom London
16 years, 3 months
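An added example, not code from any of the posts: the `allow NetworkManager_t inotifyfs_t:dir read;` line in Tom's mail is what audit2allow derives from the AVC record above it, and the same derivation applies to the privoxy and procmail records quoted earlier in the list. The Python below does that derivation by hand for both record layouts that appear in these threads (audit.log lines with quoted values, and setroubleshoot's flattened key=value dump), and adds a coarse triage step: a denial against a generic label such as var_log_t or default_t on a file or dir usually points at a mislabelled object rather than missing policy, and a *_socket denial against a *port_t type is the semanage port case. The sample records are constructed copies of the ones quoted in the threads; the list of "generic" types is an assumption made for the illustration.

```python
"""Turn raw AVC records into audit2allow-style allow rules and triage hints.

Added example, not code from the threads. SAMPLE_AVCS holds constructed
copies of the wpa_supplicant, privoxy and procmail denials quoted above,
in the two layouts seen there: audit.log lines with quoted values and
setroubleshoot's flattened key=value dump.
"""
import re
from collections import defaultdict

SAMPLE_AVCS = [
    'type=AVC msg=audit(1200767626.005:18): avc: denied { read } for '
    'pid=2725 comm="wpa_supplicant" path="inotify" dev=inotifyfs ino=1 '
    'scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir',
    'host=coyote.coyote.den type=AVC msg=audit(1201014676.609:434): avc: '
    'denied { name_connect } for pid=14357 comm="privoxy" dest=85 '
    'scontext=system_u:system_r:privoxy_t:s0 '
    'tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket',
    'avc: denied { append } for comm=procmail dev=dm-0 egid=500 euid=500 '
    'exe=/usr/bin/procmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0 '
    'name=procmail.log pid=10138 scontext=system_u:system_r:procmail_t:s0 '
    'sgid=0 subj=system_u:system_r:procmail_t:s0 suid=500 tclass=file '
    'tcontext=unconfined_u:object_r:var_log_t:s0 tty=(none) uid=500',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed list of target types that usually mean the object is mislabelled
# rather than that the domain legitimately needs new policy.
GENERIC_FILE_TYPES = {"default_t", "file_t", "unlabeled_t", "var_t",
                      "var_log_t", "var_spool_t", "tmp_t"}


def parse_avc(line):
    """Extract permissions, source/target types and class; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {
        "perms": m.group(1).split(),
        "source": fields["scontext"].split(":")[2],  # user:role:TYPE[:range]
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "fields": fields,
    }


def allow_rule(avc):
    """The rule audit2allow would print for this denial."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {perm_str};"


def classify(avc):
    """Coarse triage: which of the remedies discussed in the threads fits."""
    if avc["tclass"].endswith("_socket") and avc["target"].endswith("port_t"):
        return "port"       # semanage port, as setroubleshoot suggested for privoxy
    if avc["tclass"] in ("file", "dir", "lnk_file") and avc["target"] in GENERIC_FILE_TYPES:
        return "labeling"   # check matchpathcon/restorecon before writing policy
    return "policy"         # candidate for a local module built from allow_rule()


def audit2allow_report(lines):
    """Group rules per source domain in audit2allow's output layout."""
    rules = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            rules[avc["source"]].add(allow_rule(avc))
    out = []
    for source in sorted(rules):
        out.append(f"#============= {source} ==============")
        out.extend(sorted(rules[source]))
    return "\n".join(out)


if __name__ == "__main__":
    print(audit2allow_report(SAMPLE_AVCS))
    for line in SAMPLE_AVCS:
        avc = parse_avc(line)
        print(classify(avc), allow_rule(avc))
```

The point of classify is that an allow rule is the right answer only for the "policy" bucket. For the procmail append denial it would grant procmail_t write access to everything labelled var_log_t, when the actual problem is that procmail.log carries a generic label; for the privoxy case, relabelling the port is narrower than allowing name_connect to every reserved port.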
segatex-4.40 released
by Shintaro Fujiwara
Hi, I released segatex-4.40.
segatex is an SELinux tool written with Qt.
It is a GUI program and colorful.
segatex-4.40 can do:
audit2allow
semodule
semanage login, fcontext, and list objects.
Analyze refpolicy (20071214 included).
Edit files related to policies like .te, .fc, .if files.
Thank you.
p.s.
http://sourceforge.net/projects/segatex/
Any comments appreciated to this address.
--
http://intrajp.no-ip.com/ Home Page
16 years, 3 months
procmail revisited, and now squid
by Gene Heskett
Greetings;
The last policy update didn't fix my procmail problems yet, in fact it made
them worse cuz now I'm getting failure messages in its logfile that I wasn't
before.
procmail, setroubleshoot output:
Source Context: system_u:system_r:procmail_t:s0
Target Context: unconfined_u:object_r:var_log_t:s0
Target Objects: None [ file ]
Affected RPM Packages: procmail-3.22-20.fc8 [application]
Policy RPM: selinux-policy-3.0.8-74.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.mislabeled_file
Host Name: coyote.coyote.den
Platform: Linux coyote.coyote.den 2.6.24-rc8 #2 SMP Wed Jan 16 22:47:57 EST
2008 i686 athlon
Alert Count: 3
First Seen: Sat 19 Jan 2008 01:50:20 AM EST
Last Seen: Sat 19 Jan 2008 05:09:16 AM EST
Local ID: 3114f17d-0dc1-4453-ad4c-3b3548003cc4
Line Numbers:
Raw Audit Messages:
avc: denied { append } for comm=procmail dev=dm-0 egid=500 euid=500 exe=/usr/bin/procmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0 name=procmail.log pid=10138 scontext=system_u:system_r:procmail_t:s0 sgid=0 subj=system_u:system_r:procmail_t:s0 suid=500 tclass=file tcontext=unconfined_u:object_r:var_log_t:s0 tty=(none) uid=500
I note that the Last Seen time is before I did an autorelabel this morning.
And now, trying to setup squid, I'm failing that:
Source Context: system_u:system_r:squid_t:s0
Target Context: system_u:object_r:var_spool_t:s0
Target Objects: None [ dir ]
Affected RPM Packages: squid-2.6.STABLE17-1.fc8 [application]
Policy RPM: selinux-policy-3.0.8-74.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.mislabeled_file
Host Name: coyote.coyote.den
Platform: Linux coyote.coyote.den 2.6.24-rc8 #2 SMP Wed Jan 16 22:47:57 EST
2008 i686 athlon
Alert Count: 3
First Seen: Sat 19 Jan 2008 02:29:31 PM EST
Last Seen: Sat 19 Jan 2008 04:43:50 PM EST
Local ID: 1eb62793-1368-45b9-b0c0-c117f10dafd4
Line Numbers:
Raw Audit Messages:
avc: denied { write } for comm=squid dev=dm-0 egid=23 euid=23 exe=/usr/sbin/squid exit=-13 fsgid=23 fsuid=23 gid=23 items=0 name=squid pid=17099 scontext=system_u:system_r:squid_t:s0 sgid=23 subj=system_u:system_r:squid_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:var_spool_t:s0 tty=pts9 uid=23
For squid, I hand made its parent /var/spool/squid dir, and chowned it to
squid:squid but the exact same failure occurs as it is trying to set up its
cache dirs within that dir, so I gave it up. Its logs get a new stanza of
this:
squid: ERROR: No running copy
2008/01/19 14:29:31| Creating Swap Directories
FATAL: Failed to make swap directory /var/spool/squid/00: (13) Permission
denied
Squid Cache (Version 2.6.STABLE17): Terminated abnormally.
CPU Usage: 0.001 seconds = 0.001 user + 0.000 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
for every time I attempt a 'service squid start'
Can we make these work please? setroubleshooter's suggestions about running
restorecon are rather worthless without the rest of the command line as an
example cuz I have NDI what the file should be relabeled as.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
In my experience, if you have to keep the lavatory door shut by extending
your left leg, it's modern architecture.
-- Nancy Banks Smith
16 years, 3 months
2.6.24-rc8-mm1 and SELinux MLS - not playing nice....
by Valdis.Kletnieks@vt.edu
Posting to both lists because I'm not sure who's at fault here....
System is a Dell Latitude D820, x86_64 kernel, userspace is basically
Fedora Rawhide as of earlier today, in particular selinux-policy-mls-3.2.5-12.fc9
Trying to boot a 2.6.24-rc8-mm1 kernel gets me these msgs:
security: 5 users, 8 roles, 2043 types, 102 bools, 16 sens, 1024 cats
security: 67 classes, 164754 rules
security: class peer not defined in policy
security: permission recvfrom in class node not defined in policy
security: permission sendto in class node not defined in policy
security: permission ingress in class netif not defined in policy
security: permission egress in class netif not defined in policy
security: permission forward_in in class packet not found in policy, bad policy
security: the definition of a class is incorrect
2.6.24-rc6-mm1 said this instead:
security: class peer not defined in policy
security: permission recvfrom in class node not defined in policy
security: permission sendto in class node not defined in policy
security: permission ingress in class netif not defined in policy
security: permission egress in class netif not defined in policy
SELinux: policy loaded with handle_unknown=deny
and then proceeded to work OK.
(I suspect this may be the same thing Andrew Morton hit, but I can't be sure).
Anybody got hints on how to move forward? Or is a fixed policy already in the
Rawhide pipe?
16 years, 3 months
Relabeling User home directories
by Tony Molloy
Hi,
First of all this is an SELinux question on a CentOS file server rather than
Fedora, but I don't think that should make any difference. The clients are
Fedora.
For historical reasons we mount our user home directories under /users instead
of /home. During a recent installation of CentOS-5 the user home directories
appear to have been relabeled. Many now seem to have the type default_t
drwx------ 8237 csim root:object_r:default_t x0667617
If I unmount the users directories and mount them under /home, can I use
restorecon -v /home to restore the correct file contexts, as I understand that
SELinux understands /home is for user directories? Also, if I can do that, will
the command understand public_html directories have to be labelled so that
apache can access them?
Thanks
Tony
16 years, 3 months
Re: SELinux is preventing access to files with the label, file_t.
by Daniel J Walsh
Till Maas wrote:
> On Wed January 16 2008, Antonio Olivares wrote:
>
>> I have seen it before. I have not added other
>> disks/drives. I do not know what file_t is?
>
> file_t is the type/context of files that are not really labeled.
>
>> I ask why should I do this:
>>
>> "touch /.autorelabel; reboot"
>> ?
>
> These should apply the correct context on all files, maybe in you case running
> restorecon (man restorecon) is enough, too. This does not require a reboot.
> But I do not know more about this issue.
>
> Regards,
> Till
>
Yes file_t means you have a file with no label on it. If you are adding
a new disk drive with existing files, you can end up with this, or if
you turn on SELinux on a machine that did not have it before, this can
happen. (Although when Fedora boots it is supposed to realize SELinux
is turned on and the machine needs to be labeled.)
touch /.autorelabel; reboot
will relabel the entire machine.
But if you are just adding a new disk you could just execute
restorecon -R -v PATHTOMOUNTPOINT
And that will fix it.
You can also mount the disk using context=system_u:object_r:TYPE_t:s0
and not add labels at all.
16 years, 3 months
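As an added worked example tied to Tony's /users question and to Dan Walsh's restorecon answer (it is not code from either post): restorecon picks a file's label by matching the path against the regular expressions in the file_contexts files under /etc/selinux/<policy>/contexts/files/. Each expression is anchored at both ends, an optional middle column (-d for directories, -- for regular files) restricts a spec to one file type, and when several specs match the last one in the file wins; a context of <<none>> means "leave it alone". The Python below re-implements that lookup. The spec lines are a constructed, abbreviated excerpt in file_contexts syntax (on a real system the per-user home entries are generated into file_contexts.homedirs), and the type names are illustrative of a targeted policy of that era rather than copied from any specific release.

```python
"""Work out which label restorecon would apply to a path from file_contexts.

Added example for the /users vs /home thread and the file_t/restorecon
reply; not code from those posts. SAMPLE_FILE_CONTEXTS is a constructed,
abbreviated excerpt in file_contexts syntax; real files are far longer.
"""
import re

SAMPLE_FILE_CONTEXTS = r"""
# regex                 [type]  context            (constructed sample)
/.*                              system_u:object_r:default_t:s0
/home                 -d         system_u:object_r:home_root_t:s0
/home/[^/]+           -d         system_u:object_r:user_home_dir_t:s0
/home/[^/]+/.+                   system_u:object_r:user_home_t:s0
/home/[^/]+/((www)|(web)|(public_html))(/.+)?   system_u:object_r:httpd_user_content_t:s0
/var/log(/.*)?                   system_u:object_r:var_log_t:s0
/proc/.*                         <<none>>
"""


def parse_file_contexts(text):
    """Return (compiled regex, file-type letter or None, context) per spec line."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, context = parts
            ftype = ftype[1]          # "-d" -> "d", "--" -> "-", "-l" -> "l"
        elif len(parts) == 2:
            regex, context = parts
            ftype = None              # applies to every file type
        else:
            raise ValueError(f"cannot parse spec: {line!r}")
        # libselinux anchors the expression with ^ and $; fullmatch does the same
        specs.append((re.compile(regex), ftype, context))
    return specs


def expected_context(specs, path, ftype="-"):
    """Context the specs assign to path; None when nothing matches or <<none>>."""
    winner = None
    for pattern, spec_type, context in specs:
        if spec_type is not None and spec_type != ftype:
            continue
        if pattern.fullmatch(path):
            winner = context          # keep scanning: the LAST match wins
    if winner in (None, "<<none>>"):
        return None
    return winner


def type_of(context):
    """user:role:TYPE[:range] -> TYPE"""
    return context.split(":")[2]


def needs_relabel(specs, path, ftype, current_context):
    """True if plain restorecon (no -F) would change the file's type."""
    want = expected_context(specs, path, ftype)
    if want is None:
        return False
    return type_of(want) != type_of(current_context)


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for path, ftype in (("/users/csim", "d"), ("/home/csim", "d"),
                        ("/home/csim/public_html/index.html", "-")):
        print(path, "->", expected_context(specs, path, ftype),
              "relabel:", needs_relabel(specs, path, ftype, "root:object_r:default_t:s0"))
```

Run against Tony's listing this reproduces what he saw: /users/csim matches only the catch-all /.* entry, so restorecon on /users would leave default_t in place, while the same directory mounted under /home maps to user_home_dir_t and its public_html subtree to the httpd content type. needs_relabel compares only the type field, which is what restorecon does unless -F is given, so the root: user portion in his ls output would survive a plain restorecon.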
procmail vs amanda selinux hits
by Gene Heskett
Greetings;
At about the time the backup program amanda is due to send me an email, I'm
getting popups from selinux.
Amanda is at times trying to send the user gene an email, some of which I do
get, but:
From setroubleshoot:
SUMMARY
SELinux is preventing /usr/bin/procmail (procmail_t) "search" to (var_log_t).
Detailed Description
SELinux denied access requested by /usr/bin/procmail. It is not expected that
this access is required by /usr/bin/procmail and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for , restorecon -v If this does not
work, there is currently no automatic way to allow this access. Instead, you
can generate a local policy module to allow this access - see FAQ Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report against this package.
=====================================
Note the space before the comma above, is a name missing?
Also I have not done the restorecon -v as I've used the advice from
setroubleshooter to clear a goodly number of squawks.
=====================================
Additional Information
Source Context: system_u:system_r:procmail_t:s0
Target Context: system_u:object_r:var_log_t:s0
Target Objects: None [ dir ]
Affected RPM Packages: procmail-3.22-20.fc8 [application]
Policy RPM: selinux-policy-3.0.8-74.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: coyote.coyote.den
Platform: Linux coyote.coyote.den 2.6.24-rc7 #1 SMP Mon Jan 14 10:00:40 EST
2008 i686 athlon
Alert Count: 26
First Seen: Wed 09 Jan 2008 05:09:14 AM EST
Last Seen: Wed 16 Jan 2008 05:09:15 AM EST
Local ID: bfec6c3c-7d3b-47f7-9174-a2251b12534a
Line Numbers:
Raw Audit Messages:
avc: denied { search } for comm=procmail dev=dm-0 egid=500 euid=500 exe=/usr/bin/procmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0 name=log pid=15219 scontext=system_u:system_r:procmail_t:s0 sgid=0 subj=system_u:system_r:procmail_t:s0 suid=500 tclass=dir tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=500
Comments people?
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
It is better for civilization to be going down the drain than to be
coming up it.
-- Henry Allen
16 years, 3 months