selinux context disappear after nfs mount
by Fabrizio Buratta
Hi everybody.
I'm trying to mount an NFS server (a RAID5 NAS) on my CentOS 4.
Afterward I want a script inside the Apache cgi-bin directory to be able
to do any file and directory operations.
Let's say I want a context capable of Apache r/w operations on my
mount dir; then I execute:
mount -t nfs -o context=system_u:object_r:httpd_sys_script_rw_t mynas:/external_dir /mnt/my_mount_dir
It does mount my external dir, but if I execute ls -Z I see:
drwxrwxrwx 254 254 storage
Where's my context? Obviously my script is not able to write to this
directory, and SELinux complains:
type=AVC msg=audit(1223458283.439:3794033): avc: denied { getattr }
for pid=21669 comm="python" name="var" dev=dm-0 ino=261121
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_t tclass=dir
type=SYSCALL msg=audit(1223458283.439:3794033): arch=40000003
syscall=196 success=no exit=-13 a0=bfed2bd0 a1=bfed1f0c a2=3bfff4
a3=bfed2bd0 items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1223458283.439:3794033): path="/var"
type=CWD msg=audit(1223458283.439:3794033): cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458283.439:3794033): name="/var" flags=0
inode=261121 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1223458286.050:3794034): avc: denied { search }
for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:mnt_t tclass=dir
type=SYSCALL msg=audit(1223458286.050:3794034): arch=40000003
syscall=195 success=no exit=-13 a0=9294de8 a1=bfed2610 a2=3bfff4
a3=b7e5014c items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=CWD msg=audit(1223458286.050:3794034): cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458286.050:3794034):
name="/mnt/storage/nightly/testfile" flags=1 inode=718081 dev=fd:00
mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1223458286.051:3794035): avc: denied { search }
for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:mnt_t tclass=dir
type=SYSCALL msg=audit(1223458286.051:3794035): arch=40000003
syscall=5 success=no exit=-13 a0=9294de8 a1=8241 a2=1b6 a3=8241
items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=CWD msg=audit(1223458286.051:3794035): cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458286.051:3794035):
name="/mnt/storage/nightly/testfile" flags=310 inode=718081 dev=fd:00
mode=040755 ouid=0 ogid=0 rdev=00:00
Of course I'm using a Python script.
Until now I have not tried to compile a local SELinux policy in order
to allow that kind of operation (I would avoid it if possible).
Any suggestion?
Thanks,
Fab.
14 years, 5 months
Why is rolemap m4 expanded
by Joe Nall
/usr/share/selinux/devel/include/rolemap looks like this for a default
selinux-policy-3.5.10 install (minus the comments):
user_r user user_t
staff_r staff staff_t
sysadm_r sysadm sysadm_t
The rolemap in the source rpm looks like:
user_r user user_t
staff_r staff staff_t
sysadm_r sysadm sysadm_t
ifdef(`enable_mls',`
secadm_r secadm secadm_t
auditadm_r auditadm auditadm_t
')
The enable_mls clause is lost in the installation m4 expansion. Why is
this file m4 processed on installation?
joe
14 years, 5 months
new postfix will not run.
by John Griffiths
SELinux is preventing the updated postfix from running.
The yum update of postfix includes a directory /var/lib/postfix, but
postfix is prevented from using the directory by SELinux. I think the
policy needs to be updated.
Summary:
SELinux is preventing master (postfix_master_t) "write" to ./postfix (var_lib_t).
Detailed Description:
SELinux is preventing master (postfix_master_t) "write" to ./postfix
(var_lib_t). The SELinux type var_lib_t is a generic type for all files in
the directory and very few processes (SELinux Domains) are allowed to write
to this SELinux type. This type of denial usually indicates a mislabeled
file. By default a file created in a directory gets the context of the
parent directory, but SELinux policy has rules about the creation of
directories that say if a process running in one SELinux Domain (D1)
creates a file in a directory with a particular SELinux File Context (F1)
the file gets a different File Context (F2). The policy usually allows the
SELinux Domain (D1) the ability to write, unlink, and append on (F2). But
if for some reason a file (./postfix) was created with the wrong context,
this domain will be denied. The usual solution to this problem is to reset
the file context on the target file, restorecon -v './postfix'. If the
file context does not change from var_lib_t, then this is probably a bug in
policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
selinux-policy package. If it does change, you can try your application
again to see if it works. The file context could have been mislabeled by
editing the file or moving the file from a different directory; if the
file keeps getting mislabeled, check the init scripts to see if they are
doing something to mislabel the file.
Allowing Access:
You can attempt to fix file context by executing restorecon -v './postfix'
The following command will allow this access:
restorecon './postfix'
Additional Information:
Source Context unconfined_u:system_r:postfix_master_t
Target Context system_u:object_r:var_lib_t
Target Objects ./postfix [ dir ]
Source master
Source Path /usr/libexec/postfix/master
Port <Unknown>
Host elijah.suretrak21.net
Source RPM Packages postfix-2.5.5-1.fc8
Target RPM Packages
Policy RPM selinux-policy-3.0.8-117.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name mislabeled_file
Host Name elijah.suretrak21.net
Platform Linux elijah.suretrak21.net 2.6.26.5-28.fc8 #1 SMP Sat Sep 20 09:32:58 EDT 2008 i686 i686
Alert Count 3
First Seen Thu 09 Oct 2008 09:40:21 AM EDT
Last Seen Fri 10 Oct 2008 02:39:57 PM EDT
Local ID b11cda56-461f-44af-8fd8-3866e11f4833
Line Numbers
Raw Audit Messages
host=elijah.suretrak21.net type=AVC msg=audit(1223663997.824:9826):
avc: denied { write } for pid=1805 comm="master" name="postfix"
dev=dm-0 ino=784360 scontext=unconfined_u:system_r:postfix_master_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
host=elijah.suretrak21.net type=SYSCALL msg=audit(1223663997.824:9826):
arch=40000003 syscall=5 success=no exit=-13 a0=b9d8a560 a1=c2 a2=1a4
a3=0 items=0 ppid=1758 pid=1805 auid=500 uid=0 gid=0 euid=89 suid=0
fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=1415 comm="master"
exe="/usr/libexec/postfix/master"
subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)
Rather than write a policy change
#============= postfix_master_t ==============
allow postfix_master_t var_lib_t:dir write;
as a workaround I changed the context of /var/lib/postfix to
postfix_etc_t, which allows postfix to run.
Regards,
John Griffiths
14 years, 5 months
nm-system-settings cannot read /var/lib/PolicyKit
by Ian Pilcher
selinux-policy-targeted-3.0.8-117.fc8
host=home.icp.selfip.net type=AVC msg=audit(1223356599.632:80): avc:
denied { read } for pid=3515 comm="nm-system-setti" name="PolicyKit"
dev=dm-1 ino=360485
scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
host=home.icp.selfip.net type=SYSCALL msg=audit(1223356599.632:80):
arch=c000003e syscall=254 success=no exit=-13 a0=6 a1=3d75e0914e a2=306
a3=38cb7529f0 items=0 ppid=3514 pid=3515 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="nm-system-setti" exe="/usr/sbin/nm-system-settings"
subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)
Anyone know what is running nm-system-settings? (NetworkManager is
turned off.)
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
========================================================================
14 years, 5 months
SUID question
by Richard Troy
Hello All,
As it's my first post here, I want to say I'm glad this list exists, as I'm
pretty sure there are folks who can point me in the right directions, as
needed...
I've been using Unix since the 1970s, so I'm pretty familiar with it, and
I've been using Linux - and Red Hat / Fedora since their early days, too -
so in general terms, I'm no novice. However, I've been ignoring SELinux.
When I first tried it, it was a huge disaster and I haven't given it
another look, but the time has finally come, primarily because I simply
_must_ resolve a problem I strongly suspect is caused by SELinux, and
secondarily because I've got a system that runs on just about everything
_but_ SELinux and provides compute server (think "grid computing") and
sophisticated archival services, and it's to the point where it's time
that it work on SELinux systems, too.
So, the more immediate problem: on a Fedora host, a "C" based program that
launches all the server functionality (including archiving) has its suid
bit set (and gid, too) so it runs as the server installation's owner. It's
actually pretty smart, validating that its environment hasn't been hacked,
etc., and then getting to business. This code has somehow broken during a
couple of upgrades of Fedora - I didn't notice it at first because, as the
developer, I always run it as the development installation's owner, and as
a fluke apparently others haven't experienced this problem or haven't
reported it. Recently, however, someone else went to play with it and it
refused. Some simple checks indicated that the SUID bit wasn't being
honored. The system has SELinux installed but disabled - the kernel is
2.6.21-1.3194.fc7. It's trivially easy to prove the suid bit is ignored,
but _why?_
...There's no known (to me!) reason this should fail! Any pointers GREATLY
appreciated.
The less immediate issue is really a quest for pointers to the most
appropriate source packages so I can see how other programs solve similar
SELinux-related issues. Ideally, this code can both archive and restore
any file on the system. In addition, it currently - ignoring SELinux for a
moment - tracks all meta-data changes - ownership and permissions, the
various dates associated with a file, etc. - in addition to file data, so it
has the handy trait of both providing an audit trail and an ability to
restore data or meta-data as needed. As such it needs to be able to
discover what the security context details are so it can record them, in
addition to the obvious need to update SELinux security details on a per
file basis.... I don't even know how to do that from the command line,
much less write a program to do it! ...However, I'm sure somewhere these
things have already been addressed, such as with tar, etc.
Please point me to what you think are appropriate models / code that can
be examined, etc. And, if there's a well written tutorial intended for
people who are already "up to speed" on everything but SELinux, it would
be greatly appreciated.
Thank you,
Richard
--
Richard Troy, Chief Scientist
Science Tools Corporation
510-717-6942
rtroy(a)ScienceTools.com, http://ScienceTools.com/
14 years, 5 months
rsync as backup for laptop to desktop external HD
by mike cloaked
I have for many years run backups from laptops on the local LAN to an external
USB drive attached to the main desktop machine using rsync -aH.
The main desktop is running F8 with SELinux disabled.
In recent months I upgraded the laptop to F9 with SELinux enabled.
I have just realised that the method I use gives files on the backup drive
that have no selinux contexts... so in the event of having to rebuild a laptop
and pulling files off the backup drive the selinux contexts would have to be
recreated.
I am fairly new to SELinux but I presume that merely adding -X to the rsync
command would still not produce any contexts on the files that are generated
on the backup drive since the machine that is processing the rsync at the
receive end has SELinux disabled.
At some point the desktop will be upgraded to F9 (and later F10) with SELinux
enabled - and I am now not sure if attaching the original external USB drive
unchanged would then still result in files without any security contexts on
the external drive?
If this is the case would I need to label the filesystem on the external drive?
What is the best route to getting this backup system working to preserve
security contexts for all files (including system areas such as /var, /etc)?
Thanks
14 years, 5 months
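Both the SUID post (an archiver that must record and later re-apply each file's security context) and the rsync post (a backup whose receiver cannot store contexts) come down to the same need. The following is an added example, my own code rather than either poster's or any project's: it reads and restores the label through the security.selinux extended attribute, the attribute the kernel keeps a file's context in, keeps the labels in a manifest that travels with the data, and also checks whether a path's filesystem is mounted nosuid, an assumed candidate cause of an ignored suid bit that the SUID post does not itself mention.

```python
import errno
import os
import tempfile
SELINUX_XATTR = "security.selinux"          # where the kernel keeps a file's label
NO_LABEL = {errno.ENODATA, errno.ENOTSUP}   # no label stored / fs cannot hold one

def read_label(path):
    """Return the context of path (e.g. 'system_u:object_r:var_t:s0'), or None
    when none is stored: SELinux disabled, unlabelled filesystem, or no xattrs."""
    if not hasattr(os, "getxattr"):         # os.getxattr exists only on Linux
        return None
    try:
        return os.getxattr(path, SELINUX_XATTR, follow_symlinks=False).decode()
    except OSError as e:
        if e.errno in NO_LABEL:
            return None
        raise

def record_labels(root):
    """Map each path under root (relative) to its label, so the labels travel
    with the data even to a receiver that cannot store them (SELinux disabled)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = read_label(full)
    return manifest

def restore_labels(root, manifest):
    """Write recorded labels back; returns how many were applied. Needs a kernel
    with SELinux enabled and relabel privilege, otherwise setxattr raises OSError."""
    applied = 0
    for rel, label in manifest.items():
        if label is not None:
            os.setxattr(os.path.join(root, rel), SELINUX_XATTR, label.encode(), follow_symlinks=False)
            applied += 1
    return applied

def mounted_nosuid(path):
    """True if the filesystem holding path is mounted nosuid, which makes the kernel
    ignore suid/sgid bits (assumption: a cause to rule out, not what the post reports)."""
    return bool(os.statvfs(path).f_flag & os.ST_NOSUID)

def demo():
    # Constructed tree; on a box without SELinux every label comes back as None.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        return record_labels(root), mounted_nosuid(root)
```

The manifest is what keeps the labels beside the data when the receiving side cannot store them; restore_labels only succeeds on an SELinux-enabled host.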
rsync can't write to /var/run/rsyncd.lock
by Ian Pilcher
selinux-policy-targeted-3.0.8-117.fc8
host=home.icp.selfip.net type=AVC msg=audit(1223194499.218:1065): avc:
denied { read write } for pid=9837 comm="rsync" name="rsyncd.lock"
dev=dm-1 ino=337788 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=file
host=home.icp.selfip.net type=SYSCALL msg=audit(1223194499.218:1065):
arch=c000003e syscall=2 success=no exit=-13 a0=adfc60 a1=42 a2=180 a3=8
items=0 ppid=9836 pid=9837 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync"
exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0-s0:c0.c1023
key=(null)
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
========================================================================
14 years, 5 months
correct procedure for updating SELinux packages
by Murray McAllister
Hi,
To update SELinux packages, should you always use "yum update" and
update all packages?
Do problems occur if you only upgrade the SELinux packages, and no other
packages?
Thanks.
14 years, 5 months
/var/spool mount denied
by QingLong
Hi, All!
I've come across a problem with mount on Fedora 9
--- various filesystems are mounted read-only, others fail to mount at all
due to AVC denials during system startup, e.g.:
|
| type=1400 audit(1222921979.843:4): avc: denied { mounton } for pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
| type=1400 audit(1222921979.843:5): avc: denied { mounton } for pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
[...]
| type=1400 audit(1222921980.322:8): avc: denied { mounton } for pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
| type=1400 audit(1222921980.322:9): avc: denied { mounton } for pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
[...]
| type=1400 audit(1222921980.331:10): avc: denied { mounton } for pid=1887 comm="mount" path="/var/run" dev=md13 ino=136145 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
| type=1400 audit(1222921980.331:11): avc: denied { mounton } for pid=1887 comm="mount" path="/var/run" dev=md13 ino=136145 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
|
But after system startup finishes (many subsystems fail to put locks, etc.),
a manual `mount -a' does magically fix the situation and those filesystems
are remounted read-write.
I guess the bug was introduced in the Fedora 9 release and is still there.
It looks like boot-time SELinux policies aren't generated according to fstab,
thus handling mount point directories and mounted filesystems incorrectly.
Maybe I am mistaken, and the problem is caused by some more obscure reasons.
Of course, there are chances I am just not aware of some SELinux feature
or some boolean that should be enabled to get such cases handled right.
If so, please correct me and let me know how I should configure SELinux
to get rid of the problem. Thank you.
This behaviour was displayed by a freshly installed Fedora 9,
and after `yum update' it continues to malfunction.
My regards.
QingLong
14 years, 5 months
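The NFS, postfix, nm-system-settings, rsync and mount posts all quote AVC denials in one of two shapes (audit.log `type=AVC msg=audit(...)` and kernel log `type=1400 audit(...)`). The following added example, my own code and not from any poster or tool, parses both shapes into structured records and groups them audit2allow-style, adding the triage hint the setroubleshoot text in the postfix post gives: a denial against a generic default type usually means a mislabelled object, so restorecon comes before any new allow rule. The SAMPLE list is constructed from records quoted on this page.

```python
import re
from collections import defaultdict

# Matches both record shapes on this page (audit.log type=AVC and kernel log type=1400).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic default labels from the denials above; per the postfix post's setroubleshoot text, a hit usually means mislabelling.
GENERIC_TYPES = {"var_t", "mnt_t", "var_lib_t", "var_run_t", "var_lock_t", "var_spool_t"}

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None                      # not an AVC record (SYSCALL, PATH, ...)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": m.group("perms").split(),
        "tclass": fields.get("tclass", "?"),
        # a context is user:role:type[:range]; the type is the third field
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "object": fields.get("path") or fields.get("name") or "?",
    }

def summarize(lines):
    """One audit2allow-style line per (source type, target type, class), with a hint."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["objects"].add(rec["object"])
    out = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        hint = ("generic type: check labels with matchpathcon/restorecon first"
                if ttype in GENERIC_TYPES else "specific type: possible policy gap")
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(g['perms']))} }};"
                   f"  # {','.join(sorted(g['objects']))} -> {hint}")
    return out

# Constructed sample: one AVC record from each denial quoted in the posts above.
SAMPLE = [
    'type=AVC msg=audit(1223458283.439:3794033): avc: denied { getattr } for pid=21669 comm="python" name="var" dev=dm-0 ino=261121 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir',
    'type=AVC msg=audit(1223458286.050:3794034): avc: denied { search } for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir',
    'host=elijah.suretrak21.net type=AVC msg=audit(1223663997.824:9826): avc: denied { write } for pid=1805 comm="master" name="postfix" dev=dm-0 ino=784360 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir',
    'host=home.icp.selfip.net type=AVC msg=audit(1223194499.218:1065): avc: denied { read write } for pid=9837 comm="rsync" name="rsyncd.lock" dev=dm-1 ino=337788 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=1400 audit(1222921980.322:8): avc: denied { mounton } for pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir',
]
```

For the first post the grouped output shows the denied targets are var_t and mnt_t, the labels of /var and /mnt themselves, so the CGI script is stopped at the parent directories before it ever reaches the context= mount.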