chcon and semanage
by Rahul Sundaram
Hi,
sealert suggests these changes if I try to run some software in a stock
Fedora 10 box with no updates:
----
/usr/bin/chcon -t textrel_shlib_t '/usr/lib/sse2/libpostproc.so.51.2.0'
/usr/bin/chcon -t textrel_shlib_t '/usr/lib/sse2/libswscale.so.0.6.1'
---
I assume these changes are not going to be persistent. What is the
semanage equivalent and why doesn't sealert suggest that instead?
Rahul
15 years, 4 months
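The persistent counterpart to those chcon lines is a `semanage fcontext` rule followed by `restorecon`; the subtlety is that a file context spec is a regular expression, so the dots in a library name must be escaped or the spec will also match unintended names. The following script is an added example (not part of Rahul's post or of sealert): it turns chcon suggestions of the form shown above into the equivalent `semanage fcontext -a` and `restorecon` commands, and can optionally generalise to a whole directory with the conventional `(/.*)?` suffix. Applying a type to a whole directory is a policy decision the page does not make; it is offered here only as the common pattern.

```python
"""Convert sealert's non-persistent chcon suggestions into semanage fcontext rules."""
import re
import shlex

# sealert output quoted in the post above (constructed list, lines taken from it).
SEALERT_SUGGESTIONS = [
    "/usr/bin/chcon -t textrel_shlib_t '/usr/lib/sse2/libpostproc.so.51.2.0'",
    "/usr/bin/chcon -t textrel_shlib_t '/usr/lib/sse2/libswscale.so.0.6.1'",
]

# Characters that are regex metacharacters inside a file_contexts spec.
# semanage stores the spec as a regular expression, so a literal path must
# have these escaped (an unescaped '.' would also match 'libpostprocXso...').
_SPEC_META = re.compile(r'([.\[\]()*+?{}|^$\\])')


def escape_spec(path: str) -> str:
    """Escape a literal path so it is matched literally as a file context spec."""
    return _SPEC_META.sub(r'\\\1', path)


def parse_chcon(line: str):
    """Return (type, [paths]) from a 'chcon -t TYPE PATH...' line, else None."""
    argv = shlex.split(line)
    if not argv or not argv[0].endswith('chcon'):
        return None
    ftype, paths, i = None, [], 1
    while i < len(argv):
        arg = argv[i]
        if arg == '-t' and i + 1 < len(argv):
            ftype, i = argv[i + 1], i + 2
        elif arg.startswith('--type='):
            ftype, i = arg.split('=', 1)[1], i + 1
        elif arg.startswith('-'):
            i += 1  # other chcon flags (-R, -v, ...) do not affect the rule
        else:
            paths.append(arg)
            i += 1
    if ftype is None or not paths:
        return None
    return ftype, paths


def persistent_rules(chcon_lines, per_directory=False):
    """Emit the semanage/restorecon command pairs that make the labels survive a relabel.

    per_directory=True widens each rule to the file's parent directory using the
    customary '(/.*)?' pattern; duplicates (two files in one directory) are collapsed.
    """
    cmds = []
    for line in chcon_lines:
        parsed = parse_chcon(line)
        if parsed is None:
            continue
        ftype, paths = parsed
        for path in paths:
            if per_directory:
                parent = path.rsplit('/', 1)[0] or '/'
                spec, target, flag = escape_spec(parent) + '(/.*)?', parent, '-Rv'
            else:
                spec, target, flag = escape_spec(path), path, '-v'
            for cmd in (f"semanage fcontext -a -t {ftype} '{spec}'",
                        f"restorecon {flag} '{target}'"):
                if cmd not in cmds:
                    cmds.append(cmd)
    return cmds


if __name__ == '__main__':
    for cmd in persistent_rules(SEALERT_SUGGESTIONS):
        print(cmd)
    print('# per-directory variant:')
    for cmd in persistent_rules(SEALERT_SUGGESTIONS, per_directory=True):
        print(cmd)
```

The script only prints the commands; run them as root once you have confirmed the type is the one you want. `semanage fcontext -l | grep sse2` afterwards shows the stored spec, which is the check that chcon alone never gives you.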
AVC for rpcbind
by Bert Todger
Hello all,
Following a yum update to my two F9 machines I now find that the NFS
services I have enabled to share files between the machines fail. On
closer inspection it seems that rpcbind is now denied on both machines.
I have absolutely no idea what rpcbind does, but I do know putting them
into permissive mode allows rpcbind and then the NFS services start
normally.
What should I do?
Thanks in advance
BT
Summary:
SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t.
Detailed Description:
SELinux denied access requested by rpcbind. It is not expected that this
access is required by rpcbind and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ Or
you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this
package.
Additional Information:
Source Context: unconfined_u:system_r:rpcbind_t:s0
Target Context: unconfined_u:system_r:rpcbind_t:s0
Target Objects: None [ capability ]
Source: rpcbind
Source Path: /sbin/rpcbind
Port: <Unknown>
Host: mydomain.com
Source RPM Packages: rpcbind-0.1.7-1.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-111.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: mydomain.com
Platform: Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct
17 14:52:14 EDT 2008 i686 i686
Alert Count: 1
First Seen: Fri Dec 12 19:51:54 2008
Last Seen: Fri Dec 12 19:51:54 2008
Local ID: 88e9ae88-4654-4ee6-99a1-34a6dafdcff5
Line Numbers:
Raw Audit Messages :
node=mydomain.com type=AVC msg=audit(1229111514.633:6512): avc: denied {
setgid } for pid=20774 comm="rpcbind" capability=6
scontext=unconfined_u:system_r:rpcbind_t:s0
tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability
node=mydomain.com type=SYSCALL msg=audit(1229111514.633:6512):
arch=40000003 syscall=214 success=no exit=-1 a0=20 a1=2db9bc a2=2105b0
a3=bf9daeb0 items=0 ppid=20773 pid=20774 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="rpcbind" exe="/sbin/rpcbind"
subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)
15 years, 4 months
using selinux to allow only certain hosts or networks
by Douglas Sikora
The below rules came from audit2allow,
allow test_t inaddr_any_node_t:tcp_socket node_bind;
allow test_t inaddr_any_node_t:udp_socket node_bind;
Instead of allowing "any_node" I would like to limit this to specific hosts and or networks.
Does anyone know the syntax for this?
Thanks
Doug
15 years, 4 months
I believe that selinux saved me from a certain attack
by Edward Kuns
Almost a week ago, some AVCs brought to my attention by setroubleshoot
made me look into system logs. There were three complaints of:
SELinux is preventing the sh from using potentially mislabeled files
(./x).
Source Context: system_u:system_r:httpd_t:s0
Target Context: system_u:object_r:httpd_tmp_t:s0
Target Objects: ./x [ file ]
First Seen: Fri 05 Dec 2008 04:32:12 AM CST
Last Seen: Fri 05 Dec 2008 04:32:12 AM CST
and twenty complaints of:
SELinux is preventing the http daemon from connecting to the itself or
the relay ports
Source Context: system_u:system_r:httpd_t:s0
Target Context: system_u:object_r:http_cache_port_t:s0
Target Objects: None [ tcp_socket ]
Source: wget
Source Path: /usr/bin/wget
Port: 8080
First Seen: Fri 05 Dec 2008 04:32:09 AM CST
Last Seen: Fri 05 Dec 2008 04:34:34 AM CST
This led me to look in my http access logs, where I found:
74.247.251.227 - - [05/Dec/2008:04:32:11 -0600]
"POST /wordtrans/wordtrans.php HTTP/1.1" 200 1348 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:12 -0600]
"POST /wordtrans/wordtrans.php HTTP/1.1" 200 1338 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:12 -0600]
"POST /wordtrans/wordtrans.php HTTP/1.1" 200 1340 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:08 -0600]
"POST /wordtrans/wordtrans.php HTTP/1.1" 200 1426 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows 98)"
Looking in the http error log, I see prodigious complaints at the same
time, but also for my later wordtrans use (so I had something to compare
against). It looks like wordtrans-web tries to create a .kde directory,
among other things. The only significant difference between the error
logs of my access and the attack is that during the attack I see one
instance of
sh: /var/tmp/x: Permission denied
sh: line 0: exec: /var/tmp/x: cannot execute: Permission denied
among the rest of the errors generated by wordtrans. (I didn't see
a /var/tmp/x, but I didn't look until somewhat later.)
I did my own wordtrans access and there was not just the POST but a
bunch of GETs before that to load the web page. This difference made it
clear that wordtrans was the attack vector so I googled for "http attack
wordtrans" and found that the version of wordtrans I have installed is
successfully attackable:
http://www.juniper.net/security/auto/vulnerabilities/vuln30027.html
If not for selinux, this attack certainly would have been successful and
unnoticed. While selinux stopped this attack, I still did an "rpm -e
wordtrans-web" as it was only installed as a cool toy, not anything I
need.
The full AVCs are listed below, from the attack, in case this is of
interest.
I thought I would share this in case it was useful or interesting.
Thank you for your work on improved security!
Eddie
type=AVC msg=audit(1228473129.823:148293): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473129.823:148293): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473130.824:148294): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473130.824:148294): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473132.155:148295): avc: denied { execute } for
pid=31642 comm="sh" name="x" dev=dm-2 ino=32828
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1228473132.155:148295): arch=40000003 syscall=11
success=no exit=-13 a0=853a2a0 a1=853a280 a2=8538b10 a3=853a280 items=0
ppid=31641 pid=31642 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh"
exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473132.155:148296): avc: denied { execute } for
pid=31642 comm="sh" name="x" dev=dm-2 ino=32828
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1228473132.155:148296): arch=40000003 syscall=33
success=no exit=-13 a0=853a2a0 a1=1 a2=11 a3=853a2a0 items=0 ppid=31641
pid=31642 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473132.155:148297): avc: denied { execute } for
pid=31642 comm="sh" name="x" dev=dm-2 ino=32828
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1228473132.155:148297): arch=40000003 syscall=33
success=no exit=-13 a0=853a2a0 a1=1 a2=11 a3=853a2a0 items=0 ppid=31641
pid=31642 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473132.824:148298): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473132.824:148298): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473135.824:148299): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473135.824:148299): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473139.824:148300): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473139.824:148300): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473144.825:148301): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473144.825:148301): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473150.825:148302): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473150.825:148302): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473157.825:148303): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473157.825:148303): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473165.825:148304): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473165.825:148304): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473174.825:148305): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473174.825:148305): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473184.825:148306): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473184.825:148306): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473194.825:148307): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473194.825:148307): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473204.826:148308): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473204.826:148308): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473214.826:148309): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473214.826:148309): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473221.544:148310): avc: denied { read write }
for pid=31674 comm="mailman" path="socket:[69554624]" dev=sockfs
ino=69554624 scontext=system_u:system_r:mailman_mail_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1228473221.544:148310): arch=40000003 syscall=11
success=yes exit=0 a0=8715e78 a1=8715f48 a2=87154f8 a3=40 items=0
ppid=31673 pid=31674 auid=4294967295 uid=8 gid=12 euid=8 suid=8 fsuid=8
egid=41 sgid=41 fsgid=41 tty=(none) ses=4294967295 comm="mailman"
exe="/usr/lib/mailman/mail/mailman"
subj=system_u:system_r:mailman_mail_t:s0 key=(null)
type=AVC msg=audit(1228473224.826:148311): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473224.826:148311): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473234.826:148312): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473234.826:148312): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473244.826:148313): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473244.826:148313): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473254.826:148314): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473254.826:148314): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473264.826:148315): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473264.826:148315): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473274.826:148316): avc: denied
{ name_connect } for pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473274.826:148316): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
15 years, 4 months
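What Eddie did by hand, reading the raw AVCs and noticing that the web server domain was trying to execute a file in its own temp directory and then to open outbound TCP connections, can be automated. The script below is an added example and not part of the post: it parses raw auditd records, joins each AVC to its SYSCALL line by the audit serial number (so the uid and executable become visible), groups the denials, and applies two severity rules that are my own heuristics derived from the pattern in this post (httpd_t executing httpd_tmp_t files; httpd_t name_connect). The sample records are constructed by re-joining the wrapped lines quoted above.

```python
"""Triage raw SELinux AVC denials: group, correlate with SYSCALL records, flag suspicious patterns."""
import re

# Constructed sample: a few of the records quoted in the post above, re-joined onto
# one line each, exactly as auditd writes them to /var/log/audit/audit.log.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1228473129.823:148293): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1228473129.823:148293): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1228473130.824:148294): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1228473130.824:148294): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1228473132.155:148295): avc: denied { execute } for pid=31642 comm="sh" name="x" dev=dm-2 ino=32828 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1228473132.155:148295): arch=40000003 syscall=11 success=no exit=-13 a0=853a2a0 a1=853a280 a2=8538b10 a3=853a280 items=0 ppid=31641 pid=31642 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1228473221.544:148310): avc: denied { read write } for pid=31674 comm="mailman" path="socket:[69554624]" dev=sockfs ino=69554624 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket',
]

# Record header: type, timestamp and serial; the serial ties AVC and SYSCALL records together.
HDR_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally double-quoted


def parse_record(line):
    """Parse one audit record into a dict, or return None for anything unrecognised."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m.group('type'), 'ts': float(m.group('ts')), 'serial': int(m.group('serial'))}
    body = m.group('body')
    if rec['type'] == 'AVC':
        a = AVC_RE.match(body)
        if not a:
            return None
        rec['perms'] = a.group('perms').split()
        rec.update((k, v.strip('"')) for k, v in KV_RE.findall(a.group('rest')))
        rec['stype'] = rec['scontext'].split(':')[2]  # domain of the subject
        rec['ttype'] = rec['tcontext'].split(':')[2]  # type of the object
    else:
        rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec


def classify(rec):
    """Severity heuristics (assumptions of this example, modelled on the incident above)."""
    if rec['stype'] == 'httpd_t' and 'execute' in rec['perms'] and rec['ttype'] == 'httpd_tmp_t':
        return 'HIGH', 'web server domain executing a file in its own temp dir (dropped payload?)'
    if rec['stype'] == 'httpd_t' and 'name_connect' in rec['perms']:
        return 'HIGH', f"web server domain opening outbound TCP to port {rec.get('dest')} via {rec.get('comm')}"
    return 'INFO', 'denial outside the web server domain; likely a policy gap, review separately'


def triage(lines):
    """Group AVCs by (severity, domain, target type, class, perms, comm) with counts and times."""
    avcs, syscalls = [], {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec['type'] == 'AVC':
            avcs.append(rec)
        elif rec['type'] == 'SYSCALL':
            syscalls[rec['serial']] = rec
    groups = {}
    for rec in avcs:
        sc = syscalls.get(rec['serial'], {})  # matching SYSCALL record, if logged
        sev, why = classify(rec)
        key = (sev, rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']), rec.get('comm'))
        g = groups.setdefault(key, {'count': 0, 'first': rec['ts'], 'last': rec['ts'], 'why': why,
                                    'uid': sc.get('uid'), 'exe': sc.get('exe')})
        g['count'] += 1
        g['first'] = min(g['first'], rec['ts'])
        g['last'] = max(g['last'], rec['ts'])
    return groups


def report(groups):
    """Render the groups as text lines, HIGH first."""
    out = []
    for key in sorted(groups, key=lambda k: (k[0] != 'HIGH', k)):
        g = groups[key]
        sev, stype, ttype, tclass, perms, comm = key
        out.append(f"[{sev}] {stype} -> {ttype}:{tclass} {{ {perms} }} comm={comm} uid={g['uid']} "
                   f"exe={g['exe']} x{g['count']} ({g['first']:.0f}..{g['last']:.0f}): {g['why']}")
    return out


if __name__ == '__main__':
    print('\n'.join(report(triage(SAMPLE_AUDIT))))
```

Feeding `/var/log/audit/audit.log` through `triage` gives the same grouping setroubleshoot shows, but with the SYSCALL fields attached: here uid=48 (the apache user) and exe=/bin/bash on the execute denial is what turns "a denial" into "the web server spawned a shell that tried to run a file in its temp directory", which is the observation that made the original post worth writing.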
Re: iptables denied by selinux
by Tarek W.
iptables isn't low enough in the networking stack to block dhcpd. Only ebtables
can look that low and I don't think it's standard in Fedora.
T
On Thu, Dec 11, 2008 at 1:25 PM, Tarek W. <mailinglists(a)lonecoder.net>wrote:
> iptables isn't low enough in the networking stack to block dhcpd. Only
> ebtables can look that low and I don't think it's standard in Fedora.
>
> T
>
>
> On Thu, Dec 11, 2008 at 1:08 PM, Antonio Olivares <olivares14031(a)yahoo.com
> > wrote:
>
>> --- On Thu, 12/11/08, Paul Howarth <paul(a)city-fan.org> wrote:
>>
>> > From: Paul Howarth <paul(a)city-fan.org>
>> > Subject: Re: iptables denied by selinux
>> > To: olivares14031(a)yahoo.com, "Fedora SELinux support list" <
>> fedora-selinux-list(a)redhat.com>
>> > Date: Thursday, December 11, 2008, 1:38 AM
>> > Antonio Olivares wrote:
>> > > Dear all,
>> > >
>> > > I have still yet to make the dhcpd server work because
>> > of selinux. I have been patient, but I am getting
>> > frustrated :(
>> > >
>> > > [olivares@localhost ~]$ dmesg | grep avc
>> > > type=1400 audit(1228956840.530:4): avc: denied {
>> > write } for pid=1499 comm="ip6tables-resto"
>> > path="/0" dev=devpts ino=2
>> > scontext=system_u:system_r:iptables_t:s0
>> > tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>> > > [olivares@localhost ~]$
>> > >
>> > > I have already run touch /.autorelabel; reboot and all
>> > of the other denials have been cleared but this one. I am
>> > not yet taking selinux off or getting that desperate,
>> > because when I booted in enforcing=0 mode for other
>> > troubles, the dhcpd server still did not work, but the
>> > iptables message was still there :(
>> > >
>> > > Please advise me, I do not want to throw the towel
>> > yet!
>> >
>> > Why do you think the DHCP server problem is SELinux
>> > related? The AVC here appears to be from starting the
>> > ip6tables service, and you say that the DCHP server still
>> > doesn't work in permissive mode...
>> >
>> > What, if any, messages do you see in /var/log/messages from
>> > dhcpd?
>> >
>> > Paul.
>>
>> Well I overlooked the 6 in ip6tables-resto and blamed it on selinux. Mr.
>> Walsh added it to the policy to fix the other selinux error, but the
>> machines on the DHCP server get IPs, DNS and all and cannot surf so I
>> easily blamed it on selinux. Sorry for that. What else could be
>> interfering here?
>>
>> Here's output of tail -f /var/log/messages:
>>
>> Dec 11 07:01:32 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via
>> eth1
>> Dec 11 07:01:33 localhost dhcpd: DHCPOFFER on 192.168.0.2 to
>> 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
>> Dec 11 07:01:33 localhost dhcpd: Wrote 3 leases to leases file.
>> Dec 11 07:01:33 localhost dhcpd: DHCPREQUEST for 192.168.0.2 (192.168.0.1)
>> from 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
>> Dec 11 07:01:33 localhost dhcpd: DHCPACK on 192.168.0.2 to
>> 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
>> Dec 11 07:02:34 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:02:34 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:02:37 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:02:37 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:02:53 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:02:53 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:02:57 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:02:57 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:04:09 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:04:09 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:04:13 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:04:13 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:04:21 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:04:21 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:04:25 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:04:25 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
>>
>> Sorry but I overlooked the 6 in the selinux denied avc. Does it make a
>> difference with the server?
>>
>> Thanks,
>>
>> Antonio
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
15 years, 4 months
RE: using selinux to allow only certain hosts or networks
by Clarkson, Mike R (US SSA)
I've never done it but I think you can accomplish what you want by
setting up netfilter rules using iptables to label the incoming packets
from the specific hosts/networks that you wish to allow. Since ip
addresses can be spoofed, it won't be very secure unless you use ipsec.
Josh Brindle wrote a good article on secure networking with SELinux:
http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/
> -----Original Message-----
> From: fedora-selinux-list-bounces(a)redhat.com
[mailto:fedora-selinux-list-
> bounces(a)redhat.com] On Behalf Of Doug Sikora
> Sent: Tuesday, December 09, 2008 6:16 AM
> To: fedora-selinux-list(a)redhat.com
> Subject: using selinux to allow only certain hosts or networks
>
> The below rules came from audit2allow,
>
> allow test_t inaddr_any_node_t:tcp_socket node_bind;
> allow test_t inaddr_any_node_t:udp_socket node_bind;
>
> Instead of allowing "any_node" I would like to limit this to specific
> hosts and or networks.
>
> Does anyone know the syntax for this?
>
> Thanks
> Doug
15 years, 4 months
new avc's on rawhide
by Antonio Olivares
Dear all,
Selinux is denying some unknown things which I have no idea here:
type=1401 audit(1229001124.306:10): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
type=1401 audit(1229001126.375:11): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
type=1401 audit(1229001143.573:12): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
type=1401 audit(1228999637.368:5): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
type=1401 audit(1228999646.221:6): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
npviewer.bin[9213] general protection ip:1132f8c sp:bf86f140 error:0 in libflashplayer.so[dc7000+951000]
Thanks,
Antonio
15 years, 4 months
iptables denied by selinux
by Antonio Olivares
Dear all,
I have still yet to make the dhcpd server work because of selinux. I have been patient, but I am getting frustrated :(
[olivares@localhost ~]$ dmesg | grep avc
type=1400 audit(1228956840.530:4): avc: denied { write } for pid=1499 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
[olivares@localhost ~]$
I have already run touch /.autorelabel; reboot
and all of the other denials have been cleared but this one. I am not yet taking selinux off or getting that desperate, because when I booted in enforcing=0 mode for other troubles, the dhcpd server still did not work, but the iptables message was still there :(
Please advise me, I do not want to throw the towel yet!
Regards,
Antonio
15 years, 4 months
denied avc's on rawhide
by Antonio Olivares
Dear fellow testers and selinux experts,
After updating to the latest updates, I get several selinux denials, but setroubleshoot does not display them. I get to see them when the system starts and that is it :(
[olivares@localhost ~]$ rpm -qa selinux*
[olivares@localhost ~]$ rpm -qa selinux
[olivares@localhost ~]$ rpm -qa selinux-policy*
selinux-policy-3.6.1-6.fc11.noarch
selinux-policy-targeted-3.6.1-6.fc11.noarch
[olivares@localhost ~]$ dmesg | grep 'avc'
type=1400 audit(1228782900.945:4): avc: denied { sys_tty_config } for pid=709 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
type=1400 audit(1228782901.610:5): avc: denied { sys_tty_config } for pid=716 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
type=1400 audit(1228782924.617:6): avc: denied { sys_tty_config } for pid=1471 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
type=1400 audit(1228782926.009:7): avc: denied { write } for pid=1497 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1228782928.136:8): avc: denied { sys_tty_config } for pid=1672 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
type=1400 audit(1228782964.027:9): avc: denied { sys_tty_config } for pid=1688 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
type=1400 audit(1228782991.682:10): avc: denied { search } for pid=2415 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
type=1400 audit(1228782992.039:11): avc: denied { search } for pid=2445 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
type=1400 audit(1228782993.853:12): avc: denied { search } for pid=2482 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
type=1400 audit(1228782995.570:13): avc: denied { search } for pid=2574 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
type=1400 audit(1228783019.890:14): avc: denied { search } for pid=2845 comm="polkit-read-aut" name="dbus" dev=dm-0 ino=3276848 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
[olivares@localhost ~]$
Regards,
Antonio
15 years, 4 months