qmail labeling
by Kristen R
I have had some trouble with qmail and SELinux. Following my
installation of qmail and running restorecon on the /var/qmail
directory tree I ran into AVC denial messages upon reboots.
When my server boots the smart daemon is trying to send mail stating
that I have a drive which is failing. (true, it's the one that caused
me to have CentOS 5.2 on a new drive). The smartd error messages follow:
Jul 24 14:31:39 host smartd[2598]: Monitoring 2 ATA and 0 SCSI devices
Jul 24 14:31:39 host smartd[2598]: Device: /dev/hdb, FAILED SMART self-check. BACK UP DATA NOW!
Jul 24 14:31:39 host smartd[2598]: Sending warning via mail to root ...
Jul 24 14:31:39 host smartd[2598]: Warning via mail to root produced unexpected output (32 bytes) to STDOUT/STDERR: qmail-inject: fatal: read error
Jul 24 14:31:39 host smartd[2598]: Warning via mail to root: successful
Jul 24 14:31:39 host smartd[2598]: Device: /dev/hdb, 1522 Currently unreadable (pending) sectors
Jul 24 14:31:39 host smartd[2598]: Sending warning via mail to root ...
Jul 24 14:31:39 host smartd[2598]: Warning via mail to root produced unexpected output (32 bytes) to STDOUT/STDERR: qmail-inject: fatal: read error
Jul 24 14:31:39 host smartd[2598]: Warning via mail to root: successful
Jul 24 14:31:39 host smartd[2606]: smartd has fork()ed into background mode. New PID=2606.
Below is the reason for the fatal read error which is listed above as
being successful, but isn't. (AVC message not specific to the above
smartd error, it's just one of many related to the smartd error)
type=AVC msg=audit(1215375080.575:15): avc: denied { read } for pid=2585 comm="qmail-inject" name="me" dev=dm-4 ino=3170476 scontext=system_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1215375080.575:15): arch=40000003 syscall=5 success=no exit=-13 a0=804e45b a1=800 a2=0 a3=bfe68128 items=0 ppid=2584 pid=2585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qmail-inject" exe="/var/qmail/bin/qmail-inject" subj=system_u:system_r:system_mail_t:s0 key=(null)
The "me" file is in the /var/qmail/control/ directory, a directory
which hasn't any content labeling when I view a recent strict policy
file.
/var/qmail/bin(/.*)? system_u:object_r:bin_t:s0
/var/qmail/supervise(/.*)? system_u:object_r:svc_svc_t:s0
/var/qmail/supervise/.*/run -- system_u:object_r:svc_run_exec_t:s0
/var/qmail/supervise/.*/log/run -- system_u:object_r:svc_run_exec_t:s0
/var/qmail/rc -- system_u:object_r:bin_t:s0
/var/qmail/bin -d system_u:object_r:bin_t:s0
/var/qmail/bin/sendmail -- system_u:object_r:sendmail_exec_t:s0
The problem is when the system boots, the smartd finds my bad drive
and tries to email me about it. No emails arrive, and instead I find
messages in my audit log. I ran audit2why to study this, then
audit2allow to create .te rules. Below are the rules created which I
have implemented.
allow system_mail_t var_t:dir { write remove_name add_name };
allow system_mail_t var_t:fifo_file write;
allow system_mail_t var_t:file { write getattr link read create unlink };
I now received email (2 messages total) from the smartd following a
reboot. The question I have is this. Should I even be making allow
rules at all? Should not the policy file have the right labeling for
a qmail install? And since it appears to me it does not, should I be
making a policy file which I can then use restorecon to adjust my
system labeling with? Or are type enforcement rules truly the way to
go? I must admit I am new to SELinux and its management so this is
all about learning. I am not seeking a 'fix' so much but rather an
understanding leading to a proper fix. I have read that relabeling
has security risk and should be avoided entirely. Perhaps that's
another subject altogether?
Kristen
15 years, 9 months
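The AVC in the post above carries the clue to its own answer: the target context is var_t, the catch-all type that /var contents receive when no file-context entry matches, and the quoted policy indeed has no entry for /var/qmail/control. The following script, an example added to this archive and not code from the list or from any SELinux tool, parses that AVC record and applies the rule of thumb a defender uses before reaching for audit2allow: a denial against a catch-all type (var_t, usr_t, file_t, default_t) is almost always a labeling problem, and the allow rule audit2allow prints for it grants the source domain that access to every file of that type on the system. The type name qmail_etc_t and the path pattern passed to relabel_advice are assumptions about what a qmail policy module would use; the thread does not name them.

```python
"""Triage an AVC denial: labeling problem or genuine policy gap?

Added example for the qmail/smartd thread; not code from the list or from
any SELinux tool. The type qmail_etc_t and the /var/qmail/control pattern
used at the bottom are assumptions, not something the thread states.
"""
import re
from dataclasses import dataclass, field

# Constructed input: the two audit records from the post, re-joined onto one
# line each. The SYSCALL record is there to show non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1215375080.575:15): avc: denied { read } for '
    'pid=2585 comm="qmail-inject" name="me" dev=dm-4 ino=3170476 '
    'scontext=system_u:system_r:system_mail_t:s0 '
    'tcontext=user_u:object_r:var_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1215375080.575:15): arch=40000003 syscall=5 '
    'success=no exit=-13 comm="qmail-inject" exe="/var/qmail/bin/qmail-inject"',
]

# Target types that mean "nothing more specific matched this file". A denial
# against one of these is far more often a mislabel than a missing rule.
GENERIC_TYPES = {"var_t", "usr_t", "file_t", "default_t", "unlabeled_t"}

_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}")
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class Avc:
    perms: list
    fields: dict = field(default_factory=dict)

    @property
    def source_type(self):
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line):
    """Return an Avc for a 'type=AVC ... avc: denied' record, else None."""
    m = _PERMS.search(line)
    if m is None:
        return None
    fields = {}
    for key, raw, quoted in _FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return Avc(m.group(1).split(), fields)


def classify(avc):
    """'relabel' when the target carries a catch-all type, else 'policy'."""
    return "relabel" if avc.target_type in GENERIC_TYPES else "policy"


def audit2allow_style_rule(avc):
    """The rule audit2allow would emit for this record. Shown to make its
    breadth visible: it grants the access to *every* file of the target type."""
    perms = avc.perms
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc.source_type} {avc.target_type}:{avc.fields['tclass']} {perm_str};"


def relabel_advice(avc, path_pattern, desired_type):
    """Commands that fix the label instead of widening policy. Pattern and
    type are supplied by the caller; this only formats them."""
    top = path_pattern.split("(")[0]
    return [
        f"semanage fcontext -a -t {desired_type} '{path_pattern}'",
        f"restorecon -Rv {top}",
        f"# then re-check: ausearch -m AVC -c {avc.fields['comm']}",
    ]


def triage(lines):
    """Run the classifier over raw audit lines; one (comm, type, verdict) per AVC."""
    results = []
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            results.append((avc.fields.get("comm"), avc.target_type, classify(avc)))
    return results


if __name__ == "__main__":
    for comm, ttype, verdict in triage(SAMPLE_AUDIT_LOG):
        print(f"{comm}: target type {ttype} -> {verdict}")
    avc = parse_avc(SAMPLE_AUDIT_LOG[0])
    print("audit2allow would give:", audit2allow_style_rule(avc))
    print("relabel instead:")
    for cmd in relabel_advice(avc, "/var/qmail/control(/.*)?", "qmail_etc_t"):
        print("  ", cmd)
```

Applied to the rules in the post, the same reasoning says that the three `allow system_mail_t var_t:...` lines let any process in system_mail_t create, write and unlink any var_t file or directory, which is a much larger grant than "let qmail-inject read its control files". A file-context entry keeps the grant scoped to the qmail tree and survives a relabel, which is the usual reason to prefer it.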
SELinux from disabled to enforcing - is it possible?
by mike cloaked
Having got one machine running with SELinux enabled very recently I decided to
try to turn SELinux back on for a machine on which I had installed F9 a few
weeks ago and set SELinux to disabled.
That was a definite no-no - it would not boot once I set SELinux back to
enforcing unless I added "selinux=0" to the kernel line for boot.
I resorted to re-installing F9 and it works fine now with SELinux enabled.
However I now wonder if it was in fact possible to go from SELinux disabled
to enforcing or if this is something which is not possible?
If it is impossible then there perhaps ought to be a health warning asking
the user if they really want to switch to disabled - saying that reversing
the change is not going to work.
I thought I would ask here if the process is actually possible?
15 years, 9 months
SELinux concerning /home symlink?
by mike cloaked
I have had a thread running on Fedora list about a specific SELinux issue
I have hit with F9.
The history is that I did a clean install on a machine that was previously
running F8, keeping /opt as an untouched partition and installed F9,
leaving the SELinux enforcing on.
On that /opt partition I keep the user area as /opt/Local/home, and
as previously after the install I do
cd /
mv home home.dist
ln -s /opt/Local/home .
This then previously set my home areas to the way they were -
On the machine in question this worked fine initially until I tried
to ssh in to the machine from another in my local LAN.
I was only able to login but could not change directory to the user home
directory.
There was a sealert message in /var/log/messages which indicated that
I should restorecon -v /opt/* which I did -
The contexts that are relevant were previously as follows:
[mike@lapmike2 mike]$ ls -Zd /opt/Local/home
drwxr-xr-x root root system_u:object_r:file_t:s0 /opt/Local/home
[mike@lapmike2 mike]$ ls -Zd /home
lrwxrwxrwx root root unconfined_u:object_r:root_t:s0 /home -> /opt/Local/home
[mike@lapmike2 mike]$ ls -Zd /home/mike
drwx------ mike mike system_u:object_r:user_home_dir_t:s0 /home/mike
[mike@lapmike2 mike]$ ls -Zd /opt/Local/home/mike
drwx------ mike mike system_u:object_r:user_home_dir_t:s0 /opt/Local/home/mike
[mike@lapmike2 mike]$ ls -Zd /home/mike/.bash_profile
-rw-r--r-- mike mike system_u:object_r:user_home_t:s0 /home/mike/.bash_profile
I noticed that my /opt/Local/home has a type file_t whereas
a posting in fedora list indicated it should be home_root_t
I ran restorecon -v /opt/*
The context for /opt/Local/home then had a type usr_t
So I did
chcon -t home_root_t
At this point I could login to the machine using ssh as user mike.
However I could not use passwordless ssh login even though I did have
the previously working ~/.ssh directory.
The sealert message suggested that the context of the authorized_keys2 file
was wrong and I should run
restorecon -v /opt/Local/home/mike/.ssh/authorized_keys2
After doing this the context seemed the same as before and ssh remains
only with a password for access and no passwordless login was possible.
I found that another user reported a similar issue:
http://www.mjmwired.net/linux/2008/06/16/selinux-preventing-ssh-passwordless-login/
So how do I proceed?
Is the problem caused by the fact that the home area is symlinked from
/home to /opt/Local/home ?
I have seen some suggestion in a blog elsewhere that symlinks are
problematic in SELinux? Maybe I need to create a directory /home
and then bind mount /opt/Local/home onto it?
Any advice would be appreciated as I am very new to SELinux, but would
like to make it work rather than switching it off as I have done up to now.
Thanks
Mike
15 years, 9 months
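The behaviour Mike reports (restorecon turning /opt/Local/home into usr_t, and authorized_keys2 keeping a label that sshd will not accept) follows from how file_contexts matching works: entries are anchored regexes over the path as it really is on disk, a symlink name is never what gets matched, and the most specific matching entry wins. The script below is an added example for this thread, not code from the list or from libselinux; it models that matching on a handful of entries and shows what a path equivalence (the effect of `semanage fcontext -a -e /home /opt/Local/home` on current policycoreutils; whether the F9 tools offered it is not established by the thread) changes. The five entries are the upstream refpolicy defaults for /opt and /home as I know them and are an assumption, the thread does not quote them; the specificity rule is a simplification of the sort libselinux uses, and the `-d`/`--` file-type qualifiers are ignored.

```python
"""Model of file_contexts matching: why restorecon gave /opt/Local/home the
type usr_t, and what a path equivalence would change.

Added example for the /home symlink thread; not code from the list or from
libselinux. FILE_CONTEXTS is an assumed subset of refpolicy; the ranking
rule is a simplification of libselinux's spec ordering.
"""
import re

# Constructed subset of file_contexts as (regex, type). Order is irrelevant
# here; the model ranks matches by specificity.
FILE_CONTEXTS = [
    (r"/opt(/.*)?", "usr_t"),
    (r"/home", "home_root_t"),
    (r"/home/[^/]+", "user_home_dir_t"),
    (r"/home/[^/]+/.+", "user_home_t"),
    (r"/home/[^/]+/\.ssh(/.*)?", "ssh_home_t"),
]

# Path equivalence: paths under the alias are rewritten before matching, so
# the /home entries apply to the real location (assumed effect of
# `semanage fcontext -a -e /home /opt/Local/home`).
HOME_EQUIVALENCE = {"/opt/Local/home": "/home"}

# Literal prefix of a pattern, up to the first regex metacharacter.
_STEM = re.compile(r"[^.*?+()\[\]\\|^$]*")


def _specificity(pattern):
    """Rank: longer literal prefix first, then longer pattern overall."""
    return (len(_STEM.match(pattern).group(0)), len(pattern))


def _substitute(path, subs):
    """Apply the longest matching equivalence prefix, on path components only."""
    for src in sorted(subs, key=len, reverse=True):
        if path == src or path.startswith(src + "/"):
            return subs[src] + path[len(src):]
    return path


def label_for(path, subs=None, contexts=FILE_CONTEXTS):
    """Type the matcher would assign to `path`, or None if nothing matches."""
    if subs:
        path = _substitute(path, subs)
    best = None
    for pattern, ftype in contexts:
        if re.fullmatch(pattern, path):
            rank = _specificity(pattern)
            if best is None or rank > best[0]:
                best = (rank, ftype)
    return None if best is None else best[1]


def explain(path, subs=None):
    return f"{path} -> {label_for(path, subs) or '<<none>>'}"


if __name__ == "__main__":
    for p in ("/opt/Local/home", "/opt/Local/home/mike",
              "/opt/Local/home/mike/.ssh/authorized_keys2",
              "/home/mike/.ssh/authorized_keys2"):
        print("default:   ", explain(p))
        print("with alias:", explain(p, HOME_EQUIVALENCE))
```

Without the equivalence, every real path under /opt matches only the /opt entry, which is exactly the usr_t result the post describes; the /home entries can never apply because the real path does not start with /home. Mike's own alternative, a bind mount of /opt/Local/home onto a real /home directory, reaches the same end by a different route: files are then reached through a path that really begins with /home, so restorecon run on that path uses the /home entries.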
Re: Can't export samba share
by Steve Blackwell
I've been out of town for a few days but there were no new postings
while I was away and I still don't have a solution for this.
Steve Blackwell wrote:
> I have a dual boot F8/XP machine and I want to export, via samba, the
> NTFS partition so that I can use it to back up my wife's Vista
> machine. It seems that selinux is preventing this from happening.
> Here is the summary message from setroubleshoot:
>
> SELinux is preventing the samba daemon from serving r/o local files
> to remote clients.
>
> and the Allowing Access section says:
>
> If you want to export file systems using samba you need to turn on
> the samba_export_all_ro boolean: "setsebool -P
> samba_export_all_ro=1". The following command will allow this
> access:setsebool -P samba_export_all_ro=1
>
> There seems to be 2 problems here; 1) The filesystem that I'm trying
> to export is read-write not read-only and 2) I have already set
> samba_export_all_ro=1. In fact I also set samba_export_all_rw=1 and I
> even set samba_run_unconfined=1 and I still get the same messages.
>
> Here is the filesystem I'm trying to export:
>
> # cat /etc/fstab | grep ntfs
> /dev/sdb1 /mnt/c_drive ntfs-3g rw,defaults,umask=0000 0 0
>
> # ls -lZ /mnt
> drwxrwxrwx root root system_u:object_r:fusefs_t:s0 c_drive
>
> Here is the /etc/samba/smb.conf stanza:
> [Kellie]
> comment = Winblows backup
> path = /mnt/c_drive
> writable = yes
> browseable = yes
> valid users = Kellie
>
> User Kellie can see the Kellie share from her Vista computer but
> whenever she tries to use it, I get an AVC.
>
> # rpm -qa | grep selinux
> libselinux-python-2.0.43-1.fc8
> selinux-policy-devel-3.0.8-109.fc8
> libselinux-devel-2.0.43-1.fc8
> selinux-policy-3.0.8-109.fc8
> libselinux-2.0.43-1.fc8
> selinux-policy-targeted-3.0.8-109.fc8
>
> # uname -sr
> Linux 2.6.25.10-47.fc8
>
> I suppose I could go back to permissive mode but I'd like to get this
> to work.
>
> Any suggestion?
> Thanks,
> Steve
15 years, 9 months
custom policy guidelines
by Michael Thomas
The proposed guidelines on the wiki recommend a %define macro to embed
the build-time selinux-policy version in the resulting -selinux
subpackage Requires:
https://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules#Runt...
This has worked fine for me in F-8 and F-9, but when I try to build the
package (crossfire) in rawhide, mock now gives the error below. Is this
a temporary rawhide problem, or do the guidelines need to be updated?
--Wart
Executing command: ['bash', '--login', '-c', 'rpmbuild -bs --target i386 --nodeps builddir/build/SPECS/crossfire.spec']
/etc/profile: line 38: /bin/hostname: No such file or directory
sed: can't read /usr/share/selinux/devel/policyhelp: No such file or directory
error:
syntax error in expression
error:
/builddir/build/SPECS/crossfire.spec:91: parseExpressionBoolean returns -1
Building target platforms: i386
Building for target i386
Child returncode was: 1
EXCEPTION: Command failed. See logs for output.
15 years, 9 months
Re: Can't export samba share
by Steve Blackwell
---- Murray McAllister <mmcallis(a)redhat.com> wrote:
> Steve Blackwell wrote:
> > I have a dual boot F8/XP machine and I want to export, via samba, the
> > NTFS partition so that I can use it to back up my wife's Vista machine.
> > It seems that selinux is preventing this from happening. Here is the
> > summary message from setroubleshoot:
> >
> > SELinux is preventing the samba daemon from serving r/o local files to
> > remote clients.
...
>
> If you're still having problems,
> <http://danwalsh.livejournal.com/14195.html> on "Confining Samba with
> SELinux" might help.
>
Thanks for the link but I didn't learn anything new from that.
Steve
15 years, 9 months
Can't export samba share
by Steve Blackwell
I have a dual boot F8/XP machine and I want to export, via samba, the
NTFS partition so that I can use it to back up my wife's Vista machine.
It seems that selinux is preventing this from happening. Here is the
summary message from setroubleshoot:
SELinux is preventing the samba daemon from serving r/o local files to
remote clients.
and the Allowing Access section says:
If you want to export file systems using samba you need to turn on the
samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1". The
following command will allow this access:setsebool -P
samba_export_all_ro=1
There seems to be 2 problems here; 1) The filesystem that I'm trying to
export is read-write not read-only and 2) I have already set
samba_export_all_ro=1. In fact I also set samba_export_all_rw=1 and I
even set samba_run_unconfined=1 and I still get the same messages.
Here is the filesystem I'm trying to export:
# cat /etc/fstab | grep ntfs
/dev/sdb1 /mnt/c_drive ntfs-3g rw,defaults,umask=0000 0 0
# ls -lZ /mnt
drwxrwxrwx root root system_u:object_r:fusefs_t:s0 c_drive
Here is the /etc/samba/smb.conf stanza:
[Kellie]
comment = Winblows backup
path = /mnt/c_drive
writable = yes
browseable = yes
valid users = Kellie
User Kellie can see the Kellie share from her Vista computer but
whenever she tries to use it, I get an AVC.
# rpm -qa | grep selinux
libselinux-python-2.0.43-1.fc8
selinux-policy-devel-3.0.8-109.fc8
libselinux-devel-2.0.43-1.fc8
selinux-policy-3.0.8-109.fc8
libselinux-2.0.43-1.fc8
selinux-policy-targeted-3.0.8-109.fc8
# uname -sr
Linux 2.6.25.10-47.fc8
I suppose I could go back to permissive mode but I'd like to get this
to work.
Any suggestion?
Thanks,
Steve
15 years, 9 months
backups and selinux
by Steve Blackwell
Are any of the common linux backup utilities, e.g. Amanda or
Backup-pc, selinux aware? Do they need to be?
In other words, if I back up a file with a particular set of selinux
attributes using one of these utilities, delete the file and then
restore it, will the restored file have the correct attributes?
I read somewhere on the selinux wiki that there was a special backup
utility required but I can't find that page again.
Thanks,
Steve
15 years, 9 months
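An SELinux label is not part of a file's data; it is the security.selinux extended attribute, so a backup keeps it only if the archive format records xattrs. GNU tar does this with --xattrs (tar 1.27 and later; Fedora's tar also has --selinux), storing each one as a pax header named SCHILY.xattr.<name>, a convention that comes from star. A restored file that lost its label gets whatever the creating process and parent directory produce, which is usually not what restorecon would assign. The script below is an added example for this question, not code from the list, Amanda or BackupPC: it builds a small pax archive in memory (constructed data, made-up label) with one labeled and one unlabeled member, then reports which members would come back unlabeled. The same check runs unchanged on an archive produced by GNU tar --xattrs.

```python
"""Does a backup archive carry SELinux labels?

Added example for the 'backups and selinux' question; not code from the list
or from any backup tool. The archive contents and label value are constructed.
"""
import io
import tarfile

# pax header key under which GNU tar (--xattrs) and star record this xattr
SELINUX_XATTR = "SCHILY.xattr.security.selinux"


def build_sample_archive():
    """Constructed pax archive: a.conf carries a label, b.conf does not."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name, label in (("etc/a.conf", "system_u:object_r:etc_t:s0"),
                            ("etc/b.conf", None)):
            data = b"sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            if label is not None:
                info.pax_headers[SELINUX_XATTR] = label
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def labels(archive_bytes):
    """Map member name -> recorded SELinux label (None when absent)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for member in tar:
            out[member.name] = member.pax_headers.get(SELINUX_XATTR)
    return out


def unlabeled_members(archive_bytes):
    """Regular files that would come back without a label on restore."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        return [m.name for m in tar
                if m.isfile() and SELINUX_XATTR not in m.pax_headers]


if __name__ == "__main__":
    archive = build_sample_archive()
    for name, label in labels(archive).items():
        print(f"{name}: {label or '<<no security.selinux xattr>>'}")
    missing = unlabeled_members(archive)
    print("would need restorecon after restore:", missing or "nothing")
```

Run against a real archive, an empty result from unlabeled_members means the labels will be restored along with the data; a non-empty one means the restore has to be followed by restorecon -R on the restored tree, which recomputes labels from file_contexts and is the fallback when the backup tool is not xattr-aware.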
Re: [Fwd: Re: Can't export samba share]
by Steve Blackwell
---- max <maximilianbianco(a)gmail.com> wrote:
> CURSES!! If it weren't for those damn kids I would have gotten away with
> it too...
>
> -------- Original Message --------
> Subject: Re: Can't export samba share
> Date: Mon, 21 Jul 2008 11:38:06 -0400
> From: max <maximilianbianco(a)gmail.com>
> To: Steve Blackwell <zephod(a)cfl.rr.com>
> References: <20080721105041.1fd67e05(a)steve.blackwell>
> <4884AA94.1010409(a)gmail.com>
>
> max wrote:
> > Steve Blackwell wrote:
> >> I have a dual boot F8/XP machine and I want to export, via samba, the
> >> NTFS partition so that I can use it to back up my wife's Vista machine.
> >> It seems that selinux is preventing this from happening. Here is the
> >> summary message from setroubleshoot:
> >>
> >> SELinux is preventing the samba daemon from serving r/o local files to
> >> remote clients.
> >> and the Allowing Access section says:
> >>
> >> If you want to export file systems using samba you need to turn on the
> >> samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1". The
> >> following command will allow this access:setsebool -P
> >> samba_export_all_ro=1
> >>
> >> There seems to be 2 problems here; 1) The filesystem that I'm trying to
> >> export is read-write not read-only and 2) I have already set
> >> samba_export_all_ro=1. In fact I also set samba_export_all_rw=1 and I
> >> even set samba_run_unconfined=1 and I still get the same messages.
> >
> > I would try setting samba_export_all_ro=0, leave samba_export_all_rw=1
> >
> > Those two settings will conflict and denials should always win out over
> > allows.
Tried that. No luck.
> Just to be clear. I am saying where two settings conflict a denial
> should not be surprising, it makes good sense, at least to me.
>
> I am not sure you need samba_run_unconfined here either.
Here is what I have set now:
# getsebool -a | grep samba
samba_domain_controller --> on
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> on
samba_run_unconfined --> off
samba_share_nfs --> off
use_samba_home_dirs --> on
> Check out man ausearch, this can help pull all the AVCs related to this
> together, it has many search options. It is worth reading.
Will do.
Thanks,
Steve
15 years, 9 months
[Fwd: Re: Can't export samba share]
by max
CURSES!! If it weren't for those damn kids I would have gotten away with
it too...
-------- Original Message --------
Subject: Re: Can't export samba share
Date: Mon, 21 Jul 2008 11:38:06 -0400
From: max <maximilianbianco(a)gmail.com>
To: Steve Blackwell <zephod(a)cfl.rr.com>
References: <20080721105041.1fd67e05(a)steve.blackwell>
<4884AA94.1010409(a)gmail.com>
max wrote:
> Steve Blackwell wrote:
>> I have a dual boot F8/XP machine and I want to export, via samba, the
>> NTFS partition so that I can use it to back up my wife's Vista machine.
>> It seems that selinux is preventing this from happening. Here is the
>> summary message from setroubleshoot:
>>
>> SELinux is preventing the samba daemon from serving r/o local files to
>> remote clients.
>> and the Allowing Access section says:
>>
>> If you want to export file systems using samba you need to turn on the
>> samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1". The
>> following command will allow this access:setsebool -P
>> samba_export_all_ro=1
>>
>> There seems to be 2 problems here; 1) The filesystem that I'm trying to
>> export is read-write not read-only and 2) I have already set
>> samba_export_all_ro=1. In fact I also set samba_export_all_rw=1 and I
>> even set samba_run_unconfined=1 and I still get the same messages.
>
> I would try setting samba_export_all_ro=0, leave samba_export_all_rw=1
>
> Those two settings will conflict and denials should always win out over
> allows.
Just to be clear. I am saying where two settings conflict a denial
should not be surprising, it makes good sense, at least to me.
I am not sure you need samba_run_unconfined here either.
Check out man ausearch, this can help pull all the AVCs related to this
together, it has many search options. It is worth reading.
Max
--
Fortune favors the BOLD
15 years, 9 months