Hello world and first question concerning Munin
by Gabriele Pohl
Hi all,
My name is Gabriele Pohl. I live in Bonn, Germany,
and have used Fedora for a few years (starting with
Core 4 and upgraded to 9 some months ago).
I use Munin (http://munin.projects.linpro.no/)
to monitor my computers' hardware and services.
After upgrading to Fedora 9 I decided to use SELinux
in *enforce* mode and ran into lots of problems
concerning SELinux and Munin plugins that need
high system privileges to access block devices and so on.
I would like to solve these issues in a good
manner and therefore subscribed to this list
to ask the experts how to do it.
Now my first question:
Plugin smart_ is written in Python.
It calls "smartctl" from the smartmontools package
(http://smartmontools.sourceforge.net/) to read the
values of the SMART attributes from the hard disks.
To activate the plugin, one has to create a link
within the service directory.
Actually the link looks like this:
lrwxrwxrwx root root unconfined_u:object_r:munin_etc_t:s0 smart_sda
-> /usr/share/munin/plugins/smart_
The plugins file looks like this:
-rwxr-xr-x root root
system_u:object_r:munin_exec_t:s0 /usr/share/munin/plugins/smart_
Executable smartctl looks like this:
-rwxr-xr-x root root
system_u:object_r:fsadm_exec_t:s0 /usr/sbin/smartctl
It needs access to the disks block device /dev/sda
that looks like this:
brw-rw---- root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda
I have policy type targeted active and
policy module munin 1.4.0 installed.
I get the following raw audit messages, when
calling smart_sda:
host=calex.dipohl.com type=AVC msg=audit(1221221404.542:709): avc:
denied { getattr } for pid=18327 comm="python" path="/dev/sda" dev=tmpfs
ino=298 scontext=unconfined_u:system_r:munin_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
host=calex.dipohl.com type=SYSCALL msg=audit(1221221404.542:709):
arch=40000003 syscall=195 success=no exit=-13 a0=8fbe278 a1=bfcdf038
a2=3e8ff4 a3=8f481b8 items=0 ppid=18220 pid=18327 auid=500 uid=0 gid=491
euid=0 suid=0 fsuid=0 egid=491 sgid=491 fsgid=491 tty=(none) ses=1
comm="python" exe="/usr/bin/python"
subj=unconfined_u:system_r:munin_t:s0 key=(null)
As the FAQ said, I fed these messages into audit2allow:
audit2allow -M mine < avcs
and get the following mine.te:
-------------------------------
module mine 1.0;
require {
type munin_t;
type fixed_disk_device_t;
class blk_file getattr;
}
require {
type munin_t;
type fixed_disk_device_t;
class blk_file getattr;
}
#============= munin_t ==============
allow munin_t fixed_disk_device_t:blk_file getattr;
-------------------------------
and a mine.pp
Will it be ok to load that into the kernel using
semodule -i mine.pp ?
And why are there two identical *require* structs?
Can / Should I delete one of them?
What should I do with the message of type "SYSCALL",
if it was wrong to put it into the avcs file?
Should I make adjustments to the files above
(service link, plugin file)?
Anything else that you can advise?
So far for now & cheers,
Gabriele
14 years, 5 months
Re[2+]: /var/spool mount denied
by QingLong
>
> Fix for now: reboot so that all "problem" filesystems are left
> unmounted (or manually unmount all of them), then change the context
> type of the mountpoint directories to mnt_t:
>
> # chcon -t mnt_t /var/run /var/spool /var/lock
>
Just for curiosity I had changed the context of /var/spool and /var/lock
but not that of /var/run. Guess what? On the next reboot ALL of those three
have been mounted successfully and there have been no complaints or denials
on /var/run mounting. The problem appears to be not so simple.
QingLong.
Re: npviewer on rawhide: denied avcs
by Antonio Olivares
--- On Thu, 10/2/08, Antonio Olivares <olivares14031(a)yahoo.com> wrote:
> From: Antonio Olivares <olivares14031(a)yahoo.com>
> Subject: npviewer on rawhide: denied avcs
> To: fedora-selinux-list(a)redhat.com
> Cc: fedora-test-list(a)redhat.com
> Date: Thursday, October 2, 2008, 5:21 PM
> Dear all,
>
> Doing a dmesg I see some denied avcs for npviewer
>
> I will attach the file, I have not seen setroubleshoot
> kick in to warn me about these avcs. Has anyone else seen
> these?
>
> Thanks,
>
> Antonio
>
>
> --
> fedora-test-list mailing list
> fedora-test-list(a)redhat.com
> To unsubscribe:
> https://www.redhat.com/mailman/listinfo/fedora-test-list
Messages were not attached, file too big :(
Here's preview :)
type=1400 audit(1222991578.902:1308): avc: denied { search } for pid=17937 comm="npviewer.bin" name="dbus" dev=dm-0 ino=3276847 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir
type=1400 audit(1222991578.902:1309): avc: denied { create } for pid=17937 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=1400 audit(1222991578.903:1310): avc: denied { create } for pid=17937 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=1400 audit(1222991578.922:1311): avc: denied { search } for pid=17937 comm="npviewer.bin" name="dbus" dev=dm-0 ino=3276847 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir
Thanks,
Antonio
Need Info adding/editing to a personal module?
by Frank Murphy
Examples only:
If exim gave an avc denial.
1: Create policy.
audit2allow -M myexim < /var/log/audit/audit.log
then enable it.
semodule -i myexim.pp
2: If then in a couple of days exim generates another avc denial,
different from the first, how does one edit/use audit2allow to include
the new avc?
Have looked at "man audit2allow" and can't seem to grasp an edit from
the options.
Frank
--
gpg id EB547226 Revoked Forgot Password :(
aMSN: Frankly3D
http://www.frankly3d.com
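Gabriele's two identical require blocks and Frank's question about folding a later denial into an existing module both come down to how AVC records are turned into allow rules. The script below is an added example written for this digest; it is not audit2allow and not Munin's or exim's code. The module name "mine", the version numbers, and the joined sample records (assembled from the AVC lines quoted in the posts above) are constructed. It parses both record formats seen in this digest (type=AVC from ausearch and type=1400 from dmesg), skips SYSCALL records, collapses repeated records into one require block and one rule each, and rebuilds an existing .te with new denials and a bumped version.

```python
"""Turn raw AVC records into a minimal SELinux policy module (.te).

Added example for this thread; it is not audit2allow and not Munin's code.
Module name "mine", the version numbers and the joined sample records below
(assembled from the AVC lines quoted in this digest) are constructed.
"""
import re
from collections import defaultdict

# Matches both "type=AVC msg=audit(...)" (ausearch) and "type=1400 audit(...)"
# (dmesg) records; anything without "avc: denied" (e.g. type=SYSCALL) is skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# allow <src> <tgt>:<class> <perm>;  or  allow <src> <tgt>:<class> { p1 p2 };
ALLOW_RE = re.compile(
    r'^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]+?)\s*\}|(\S+));', re.M)


def _type_of(context):
    """user:role:type[:level] -> type (the MLS level may itself contain ':')."""
    return context.split(':')[2]


def parse_avcs(lines):
    """{(source_type, target_type, tclass): {perms}} for every denial in lines.
    Repeated records collapse into one entry, so one require block and one
    allow rule come out per distinct denial."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission info
        src, tgt = _type_of(m.group('scontext')), _type_of(m.group('tcontext'))
        if src == tgt:
            tgt = 'self'  # policy-language spelling for "same type as the source"
        rules[(src, tgt, m.group('tclass'))].update(m.group('perms').split())
    return rules


def _permset(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def render_te(name, version, rules):
    """Render a .te with exactly one require block (audit2allow -M emitted one
    per record it processed above; the duplicates are harmless but redundant)."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update([src] if tgt == 'self' else [src, tgt])
        classes[cls].update(perms)
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {_permset(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {_permset(p)};' for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'


def parse_te_rules(te_text):
    """Read the allow rules back out of an existing .te source."""
    rules = defaultdict(set)
    for src, tgt, cls, multi, single in ALLOW_RE.findall(te_text):
        rules[(src, tgt, cls)].update((multi or single).split())
    return rules


def merge_module(old_te, new_avc_lines):
    """Existing module source + later denials -> new source with the minor
    version bumped; semodule -i on the rebuilt .pp replaces the loaded copy."""
    m = re.search(r'^module\s+(\S+)\s+(\d+)\.(\d+);', old_te, re.M)
    name, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
    rules = parse_te_rules(old_te)
    for key, perms in parse_avcs(new_avc_lines).items():
        rules[key].update(perms)
    return render_te(name, f'{major}.{minor + 1}', rules)


# Constructed sample: Gabriele's AVC and SYSCALL records joined onto single lines
# (as ausearch prints them), with the AVC repeated as it would be if the file
# fed to audit2allow contained it twice.
MUNIN_AUDIT = """\
host=calex.dipohl.com type=AVC msg=audit(1221221404.542:709): avc: denied { getattr } for pid=18327 comm="python" path="/dev/sda" dev=tmpfs ino=298 scontext=unconfined_u:system_r:munin_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
host=calex.dipohl.com type=SYSCALL msg=audit(1221221404.542:709): arch=40000003 syscall=195 success=no exit=-13 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:munin_t:s0 key=(null)
host=calex.dipohl.com type=AVC msg=audit(1221221404.542:709): avc: denied { getattr } for pid=18327 comm="python" path="/dev/sda" dev=tmpfs ino=298 scontext=unconfined_u:system_r:munin_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
"""
# Constructed sample of "later" denials, taken from Antonio's dmesg preview.
LATER_AUDIT = """\
type=1400 audit(1222991578.902:1308): avc: denied { search } for pid=17937 comm="npviewer.bin" name="dbus" dev=dm-0 ino=3276847 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir
type=1400 audit(1222991578.902:1309): avc: denied { create } for pid=17937 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
"""

if __name__ == '__main__':
    first = render_te('mine', '1.0', parse_avcs(MUNIN_AUDIT.splitlines()))
    print(first)
    print(merge_module(first, LATER_AUDIT.splitlines()))
```

Keeping the rendered .te is what makes Frank's second denial easy to add: rebuild with checkmodule -M -m -o mine.mod mine.te and semodule_package -o mine.pp -m mine.mod, then install the new package with semodule -i mine.pp. The SYSCALL record contributes nothing to the rule set, so feeding it in is harmless, and reviewing the single allow rule before loading it is the step that matters: it grants munin_t only getattr on fixed disk block devices, nothing more.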
Alternate OpenSSH ports
by Arthur Pemberton
I'm getting a denial when I attempt to use port 23 as an additional
port for sshd. That makes sense. What's the best way to define
alternate SSHd ports?
--
Fedora 9 : sulphur is good for the skin
( www.pembo13.com )
Re: Alternate OpenSSH ports
by Daniel J Walsh
Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On Tue, 2008-09-30 at 08:41 -0400, Daniel J Walsh wrote:
>>> Arthur Pemberton wrote:
>>>> On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
>>>>> On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
>>>>>> I'm getting a denial when I attempt to use port 23 as an additional
>>>>>> port for sshd. That makes sense. What's the best way to define
>>>>>> alternate SSHd ports?
>>>>> semanage port -m -t ssh_port_t -p tcp 23
>>>>
>>>> When trying this, I get:
>>>> sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
>>>>
>>>> Even after doing that, I get this on `service sshd restart`:
>>>> sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
>>>>
>>>>
>>> Please send the output from that command, that number is only local to
>>> your machine.
>> Wondering if libsemanage does the right thing when the port already
>> exists in the base policy, as in this case. It should override the base
>> policy definition with the local one, but I'm not 100% sure it does.
>>
>
> There does appear to be a bug, after running:
> semanage port -m -t ssh_port_t -p tcp 8021
>
> I get:
>
> [root@misterfreeze ~]# seinfo --portcon=8021
> portcon tcp 8021 system_u:object_r:ssh_port_t:s0
> portcon tcp 8021 system_u:object_r:zope_port_t:s0
>
>
> I'm not sure when I'll be able to get to this, can you take a look first Dan?
Well, do you think this is a bug in semanage or sepol? I thought you used
to get a denial when you tried to do this saying you could not modify a
named port.
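Arthur's question (how to label an extra sshd port) and Joshua's seinfo output (a port carrying two types after semanage port -m) are both things a practitioner checks by reading the policy's portcon entries. The script below is an added example for this thread; it is not semanage, seinfo or libsemanage code. It parses seinfo --portcon style lines (the sample text is constructed after the lines Joshua quoted; the 22, 23 and 1024-65535 entries and the low-high range form are assumptions), lists every type covering a port, flags ports with more than one exact mapping, and decides whether a given port needs semanage port -a (no definition yet) or -m (already defined in policy, as 23 and 8021 are here).

```python
"""Check which SELinux port types cover a port, and whether to use
semanage port -a or -m for it.

Added example for this thread; not semanage, seinfo or libsemanage code.
The sample listing is constructed: 8021/ssh_port_t and 8021/zope_port_t
follow Joshua's seinfo output, the other lines and the low-high range
form are assumptions.
"""
import re
from collections import defaultdict

# portcon <proto> <port>[-<port>] <user>:<role>:<type>:<level>
PORTCON_RE = re.compile(r'^portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+(\S+)$')


def parse_portcons(text):
    """[(proto, low, high, port_type)] for every portcon line in text."""
    records = []
    for line in text.splitlines():
        m = PORTCON_RE.match(line.strip())
        if m:
            proto, low, high, ctx = m.groups()
            records.append((proto, int(low), int(high or low), ctx.split(':')[2]))
    return records


def types_for(records, proto, port):
    """Every port type whose portcon covers (proto, port), range entries
    included. A healthy policy gives at most one exact-port type."""
    return sorted({t for p, lo, hi, t in records if p == proto and lo <= port <= hi})


def conflicts(records):
    """{(proto, port): [types]} for ports with more than one exact (non-range)
    mapping; this is the double entry the thread saw for 8021."""
    exact = defaultdict(set)
    for p, lo, hi, t in records:
        if lo == hi:
            exact[(p, lo)].add(t)
    return {k: sorted(v) for k, v in exact.items() if len(v) > 1}


def plan_semanage(records, proto, port, wanted_type):
    """Command that labels a port: -a when nothing defines it yet, -m when the
    policy already has an exact definition for it (port 23 / 8021 here).
    Returns None when the port already carries the wanted type."""
    existing = [t for p, lo, hi, t in records if p == proto and lo == hi == port]
    if wanted_type in existing:
        return None
    op = '-m' if existing else '-a'
    return f'semanage port {op} -t {wanted_type} -p {proto} {port}'


# Constructed sample listing in seinfo --portcon format.
SAMPLE_SEINFO = """\
portcon tcp 22 system_u:object_r:ssh_port_t:s0
portcon tcp 23 system_u:object_r:telnetd_port_t:s0
portcon tcp 8021 system_u:object_r:ssh_port_t:s0
portcon tcp 8021 system_u:object_r:zope_port_t:s0
portcon tcp 1024-65535 system_u:object_r:unreserved_port_t:s0
"""

if __name__ == '__main__':
    recs = parse_portcons(SAMPLE_SEINFO)
    print('tcp/8021 covered by:', types_for(recs, 'tcp', 8021))
    print('double mappings:', conflicts(recs))
    for port in (22, 23, 2222):
        print(port, '->', plan_semanage(recs, 'tcp', port, 'ssh_port_t'))
```

Run the checks against the real listing with seinfo --portcon=PORT (or semanage port -l) before and after the semanage call: if conflicts() still reports two exact types for the port, the override did not take, which is the condition Joshua's output shows and Stephen suspected libsemanage of.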