December 2008 - selinux - Fedora Mailing-Lists

by Rahul Sundaram

Hi, sealert suggests these changes if I try to run some software in a stock Fedora 10 box with no updates: ---- /usr/bin/chcon -t textrel_shlib_t '/usr/lib/sse2/libpostproc.so.51.2.0' /usr/bin/chcon -t textrel_shlib_t '/usr/lib/sse2/libswscale.so.0.6.1' --- I assume these changes are not going to be persistent. What is the semanage equivalent and why doesn't sealert suggest that instead? Rahul

15 years, 4 months

2
1
0 / 0

What is the proper way to use an alternate public_html path?

by Arthur Pemberton

i would like to use ~/Public insted of ~/public_html. What is the proper way to do this such that restorecon respects the change? -- Fedora 9 : sulphur is good for the skin ( www.pembo13.com )

15 years, 4 months

3
4
0 / 0

AVC for rpcbind

by Bert Todger

Hello all, Following a yum update to my two F9 machines I now find that the NFS services I have enabled to share files between the machines fails. On closer inspection it seems that rpcbind is now denied on both machines. I have absolutely no idea what rpcbind does, but I do know putting them into permissive mode allows rpcbind and then the NFS services start normally. What should I do? Thanks in advance BT Summary: SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t. Detailed Description: SELinux denied access requested by rpcbind. It is not expected that this access is required by rpcbind and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. Additional Information: Source Context: unconfined_u:system_r:rpcbind_t:s0 Target Context: unconfined_u:system_r:rpcbind_t:s0 Target Objects: None [ capability ] Source: rpcbind Source Path: /sbin/rpcbind Port: <Unknown> Host: mydomain.com Source RPM Packages: rpcbind-0.1.7-1.fc9 Target RPM Packages: Policy RPM: selinux-policy-3.3.1-111.fc9 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin Name: catchall Host Name: mydomain.com Platform: Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686 Alert Count: 1 First Seen: Fri Dec 12 19:51:54 2008 Last Seen: Fri Dec 12 19:51:54 2008 Local ID: 88e9ae88-4654-4ee6-99a1-34a6dafdcff5 Line Numbers: Raw Audit Messages : node=mydomain.com type=AVC msg=audit(1229111514.633:6512): avc: denied { setgid } for pid=20774 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability node=mydomain.com type=SYSCALL msg=audit(1229111514.633:6512): arch=40000003 syscall=214 success=no exit=-1 a0=20 a1=2db9bc a2=2105b0 a3=bf9daeb0 items=0 ppid=20773 pid=20774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)

15 years, 4 months

2
2
0 / 0

using selinux to allow only certain hosts or networks

by Douglas Sikora

The below rules came from audit2allow, allow test_t inaddr_any_node_t:tcp_socket node_bind; allow test_t inaddr_any_node_t:udp_socket node_bind; Instead of allowing "any_node" I would like to limit this to specific hosts and or networks. Does anyone know the syntax for this? Thanks Doug

15 years, 4 months

2
3
0 / 0

I believe that selinux saved me from a certain attack

by Edward Kuns

Almost a week ago, some AVCs brought to my attention by setroubleshoot made me look into system logs. There were three complaints of: SELinux is preventing the sh from using potentially mislabeled files (./x). Source Context: system_u:system_r:httpd_t:s0 Target Context: system_u:object_r:httpd_tmp_t:s0 Target Objects: ./x [ file ] First Seen: Fri 05 Dec 2008 04:32:12 AM CST Last Seen: Fri 05 Dec 2008 04:32:12 AM CST and twenty complaints of: SELinux is preventing the http daemon from connecting to the itself or the relay ports Source Context: system_u:system_r:httpd_t:s0 Target Context: system_u:object_r:http_cache_port_t:s0 Target Objects: None [ tcp_socket ] Source: wget Source Path: /usr/bin/wget Port: 8080 First Seen: Fri 05 Dec 2008 04:32:09 AM CST Last Seen: Fri 05 Dec 2008 04:34:34 AM CST This lead me to look in my http access logs, where I found: 74.247.251.227 - - [05/Dec/2008:04:32:11 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1348 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 74.247.251.227 - - [05/Dec/2008:04:32:12 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 74.247.251.227 - - [05/Dec/2008:04:32:12 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 74.247.251.227 - - [05/Dec/2008:04:32:08 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1426 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" Looking in the http error log, I see prodigious complaints at the same time, but also for my later wordtrans use (so I had something to compare against). It looks like wordtrans-web tries to create a .kde directory, among other things. The only significant difference between the error logs of my access and the attack is that during the attack I see one instance of sh: /var/tmp/x: Permission denied sh: line 0: exec: /var/tmp/x: cannot execute: Permission denied among the rest of the errors generated by wordtrans. (I didn't see a /var/tmp/x, but I didn't look until somewhat later.) I did my own wordtrans access and there was not just the POST but a bunch of GETs before that to load the web page. This difference made it clear that wordtrans was the attack vector so I googled for "http attack wordtrans" and found that the version of wordtrans I have installed is successfully attackable: http://www.juniper.net/security/auto/vulnerabilities/vuln30027.html If not for selinux, this attack certainly would have been successful and unnoticed. While selinux stopped this attack, I still did an "rpm -e wordtrans-web" as it was only installed as a cool toy, not anything I need. The full AVCs are listed below, from the attack, in case this is of interest. I thought I would share this in case it was useful or interesting. Thank you for your work on improved security! Eddie type=AVC msg=audit(1228473129.823:148293): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473129.823:148293): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473130.824:148294): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473130.824:148294): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473132.155:148295): avc: denied { execute } for pid=31642 comm="sh" name="x" dev=dm-2 ino=32828 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1228473132.155:148295): arch=40000003 syscall=11 success=no exit=-13 a0=853a2a0 a1=853a280 a2=8538b10 a3=853a280 items=0 ppid=31641 pid=31642 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473132.155:148296): avc: denied { execute } for pid=31642 comm="sh" name="x" dev=dm-2 ino=32828 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1228473132.155:148296): arch=40000003 syscall=33 success=no exit=-13 a0=853a2a0 a1=1 a2=11 a3=853a2a0 items=0 ppid=31641 pid=31642 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473132.155:148297): avc: denied { execute } for pid=31642 comm="sh" name="x" dev=dm-2 ino=32828 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1228473132.155:148297): arch=40000003 syscall=33 success=no exit=-13 a0=853a2a0 a1=1 a2=11 a3=853a2a0 items=0 ppid=31641 pid=31642 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473132.824:148298): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473132.824:148298): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473135.824:148299): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473135.824:148299): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473139.824:148300): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473139.824:148300): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473144.825:148301): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473144.825:148301): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473150.825:148302): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473150.825:148302): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473157.825:148303): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473157.825:148303): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473165.825:148304): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473165.825:148304): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473174.825:148305): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473174.825:148305): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473184.825:148306): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473184.825:148306): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473194.825:148307): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473194.825:148307): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473204.826:148308): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473204.826:148308): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473214.826:148309): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473214.826:148309): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473221.544:148310): avc: denied { read write } for pid=31674 comm="mailman" path="socket:[69554624]" dev=sockfs ino=69554624 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1228473221.544:148310): arch=40000003 syscall=11 success=yes exit=0 a0=8715e78 a1=8715f48 a2=87154f8 a3=40 items=0 ppid=31673 pid=31674 auid=4294967295 uid=8 gid=12 euid=8 suid=8 fsuid=8 egid=41 sgid=41 fsgid=41 tty=(none) ses=4294967295 comm="mailman" exe="/usr/lib/mailman/mail/mailman" subj=system_u:system_r:mailman_mail_t:s0 key=(null) type=AVC msg=audit(1228473224.826:148311): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473224.826:148311): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473234.826:148312): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473234.826:148312): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473244.826:148313): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473244.826:148313): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473254.826:148314): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473254.826:148314): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473264.826:148315): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473264.826:148315): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473274.826:148316): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473274.826:148316): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

15 years, 4 months

2
1
0 / 0

Re: iptables denied by selinux

by Tarek W.

iptables isn't low enough the networking stack to block dhcpd. Only ebtables can look that low and I don't think it's standard in Fedora. T On Thu, Dec 11, 2008 at 1:25 PM, Tarek W. <mailinglists(a)lonecoder.net>wrote: > iptables isn't low enough the networking stack to block dhcpd. Only > ebtables can look that low and I don't think it's standard in Fedora. > > T > > > On Thu, Dec 11, 2008 at 1:08 PM, Antonio Olivares <olivares14031(a)yahoo.com > > wrote: > >> --- On Thu, 12/11/08, Paul Howarth <paul(a)city-fan.org> wrote: >> >> > From: Paul Howarth <paul(a)city-fan.org> >> > Subject: Re: iptables denied by selinux >> > To: olivares14031(a)yahoo.com, "Fedora SELinux support list" < >> fedora-selinux-list(a)redhat.com> >> > Date: Thursday, December 11, 2008, 1:38 AM >> > Antonio Olivares wrote: >> > > Dear all, >> > > >> > > I have still yet to make the dhcpd server work because >> > of selinux. I have been patient, but I am getting >> > frustrated :( >> > > >> > > [olivares@localhost ~]$ dmesg | grep avc >> > > type=1400 audit(1228956840.530:4): avc: denied { >> > write } for pid=1499 comm="ip6tables-resto" >> > path="/0" dev=devpts ino=2 >> > scontext=system_u:system_r:iptables_t:s0 >> > tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file >> > > [olivares@localhost ~]$ >> > > >> > > I have already ran touch /.autorelabel; reboot and all >> > of the other denials have been cleared but this one. I am >> > not yet taking selinux off or getting that desparate, >> > because when I booted in enforcing=0 mode for other >> > troubles, the dhcpd server still did not work, but the >> > iptables message was still there :( >> > > >> > > Please advice me, I do not want to throw the towel >> > yet! >> > >> > Why do you think the DHCP server problem is SELinux >> > related? The AVC here appears to be from starting the >> > ip6tables service, and you say that the DCHP server still >> > doesn't work in permissive mode... >> > >> > What, if any, messages do you see in /var/log/messages from >> > dhcpd? >> > >> > Paul. >> >> Well I overlooked the 6 in ip6tables-resto and blamed it on selinux. Mr. >> Walsh added it to the policy to fix the other selinux error, but the >> machines on the DHCP server get ip's, dns and all and cannot surf so I >> easily blamed it on selinux. Sorry for that. What else could be >> interfering here? >> >> Here's output of tail -f /var/log/messages: >> >> Dec 11 07:01:32 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via >> eth1 >> Dec 11 07:01:33 localhost dhcpd: DHCPOFFER on 192.168.0.2 to >> 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1 >> Dec 11 07:01:33 localhost dhcpd: Wrote 3 leases to leases file. >> Dec 11 07:01:33 localhost dhcpd: DHCPREQUEST for 192.168.0.2 (192.168.0.1) >> from 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1 >> Dec 11 07:01:33 localhost dhcpd: DHCPACK on 192.168.0.2 to >> 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1 >> Dec 11 07:02:34 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1 >> Dec 11 07:02:34 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1 >> Dec 11 07:02:37 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1 >> Dec 11 07:02:37 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1 >> Dec 11 07:02:53 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1 >> Dec 11 07:02:53 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1 >> Dec 11 07:02:57 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1 >> Dec 11 07:02:57 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1 >> Dec 11 07:04:09 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1 >> Dec 11 07:04:09 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1 >> Dec 11 07:04:13 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1 >> Dec 11 07:04:13 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1 >> Dec 11 07:04:21 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1 >> Dec 11 07:04:21 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1 >> Dec 11 07:04:25 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1 >> Dec 11 07:04:25 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1 >> >> Sorry but I overlooked the 6 in the selinux denied avc. Does it make a >> difference with the server? >> >> Thanks, >> >> Antonio >> >> >> >> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list(a)redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >> > >

15 years, 4 months

2
4
0 / 0

RE: using selinux to allow only certain hosts or networks

by Clarkson, Mike R (US SSA)

I've never done it but I think you can accomplish what you want by setting up netfilter rules using iptables to label the incoming packets from the specific hosts/networks that you wish to allow. Since ip addresses can be spoofed, it won't be very secure unless you use ipsec. Josh Brindle wrote a good article on secure networking with SELinux: http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinu x/ > -----Original Message----- > From: fedora-selinux-list-bounces(a)redhat.com [mailto:fedora-selinux-list- > bounces(a)redhat.com] On Behalf Of Doug Sikora > Sent: Tuesday, December 09, 2008 6:16 AM > To: fedora-selinux-list(a)redhat.com > Subject: using selinux to allow only certain hosts or networks > > The below rules came from audit2allow, > > allow test_t inaddr_any_node_t:tcp_socket node_bind; > allow test_t inaddr_any_node_t:udp_socket node_bind; > > Instead of allowing "any_node" I would like to limit this to specific > hosts and or networks. > > Does anyone know the syntax for this? > > Thanks > Doug > > -- > fedora-selinux-list mailing list > fedora-selinux-list(a)redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list

15 years, 4 months

1
0
0 / 0

new avc's on rawhide

by Antonio Olivares

Dear all, Selinux is denying some unknown things which I have no idea here: type=1401 audit(1229001124.306:10): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process type=1401 audit(1229001126.375:11): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process type=1401 audit(1229001143.573:12): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process type=1401 audit(1228999637.368:5): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process type=1401 audit(1228999646.221:6): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process npviewer.bin[9213] general protection ip:1132f8c sp:bf86f140 error:0 in libflashplayer.so[dc7000+951000] Thanks, Antonio

15 years, 4 months

2
1
0 / 0

iptables denied by selinux

by Antonio Olivares

Dear all, I have still yet to make the dhcpd server work because of selinux. I have been patient, but I am getting frustrated :( [olivares@localhost ~]$ dmesg | grep avc type=1400 audit(1228956840.530:4): avc: denied { write } for pid=1499 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file [olivares@localhost ~]$ I have already ran touch /.autorelabel; reboot and all of the other denials have been cleared but this one. I am not yet taking selinux off or getting that desparate, because when I booted in enforcing=0 mode for other troubles, the dhcpd server still did not work, but the iptables message was still there :( Please advice me, I do not want to throw the towel yet! Regards, Antonio

15 years, 4 months

2
2
0 / 0

denied avc's on rawhide

by Antonio Olivares

Dear fellow testers and selinux experts, After updating to latest updates, I get several selinux denials, but setroubleshoot does not display, them. I get to see them when the system starts and that is it :( [olivares@localhost ~]$ rpm -qa selinux* [olivares@localhost ~]$ rpm -qa selinux [olivares@localhost ~]$ rpm -qa selinux-policy* selinux-policy-3.6.1-6.fc11.noarch selinux-policy-targeted-3.6.1-6.fc11.noarch [olivares@localhost ~]$ dmesg | grep 'avc' type=1400 audit(1228782900.945:4): avc: denied { sys_tty_config } for pid=709 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability type=1400 audit(1228782901.610:5): avc: denied { sys_tty_config } for pid=716 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability type=1400 audit(1228782924.617:6): avc: denied { sys_tty_config } for pid=1471 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability type=1400 audit(1228782926.009:7): avc: denied { write } for pid=1497 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file type=1400 audit(1228782928.136:8): avc: denied { sys_tty_config } for pid=1672 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability type=1400 audit(1228782964.027:9): avc: denied { sys_tty_config } for pid=1688 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability type=1400 audit(1228782991.682:10): avc: denied { search } for pid=2415 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir type=1400 audit(1228782992.039:11): avc: denied { search } for pid=2445 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir type=1400 audit(1228782993.853:12): avc: denied { search } for pid=2482 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir type=1400 audit(1228782995.570:13): avc: denied { search } for pid=2574 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir type=1400 audit(1228783019.890:14): avc: denied { search } for pid=2845 comm="polkit-read-aut" name="dbus" dev=dm-0 ino=3276848 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir [olivares@localhost ~]$ Regards, Antonio

15 years, 4 months

2
4
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux December 2008