The SELinux Documentation Project [Request for topics]
by Joshua Brindle
As we discussed at Linux Plumbers Conference during the 'Making SELinux
Easier to Use' talk, we have some documentation deficiencies in the SELinux
project.
I volunteered to start an SELinux Documentation Project. The primary
purpose of the project would be to get as much documentation as possible
on the selinuxproject.org wiki, organized in a fashion that users can
understand and consume easily.
As I admitted before, we, the developers, are not always the best people
to judge what documentation users need, and therefore I am requesting that
users, hopefully from different backgrounds and environments, tell us
what documentation they feel is lacking, and what questions they've been
asked or have asked themselves and couldn't find documentation for.
I think we need basic documentation that tells about SELinux (both
beginner and advanced), how-tos for specific things (using secmark,
using netlabel, etc.) and a set of short 'recipes' to accomplish simple
tasks.
There are documents all over the place with various information, as well
as blog entries and mailing list archives but the effort here is to
consolidate all those resources onto selinuxproject.org.
I'd also like to see volunteers in the community help out with the
documentation effort; I know quite a few people already write things
like this on blogs, etc., and it would be great to see that information
moved/copied onto selinuxproject.org.
Users:
Please, if you are a user and have run into a lack of documentation,
respond to this thread, or privately if you aren't comfortable talking
on list, so that we can collect what the biggest deficiencies are and get
to writing documentation as soon as possible.
Thanks.
change a user's MCS category
by Tyler Durvik
I have 3 levels set up using MCS under the targeted policy:
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0-s0:c0.c1023 SystemHigh
s0:c0 A
s0:c1 B
s0:c2 C
I have 3 users set up and I want to assign an MCS category to each of
them. So for instance:
bob -> A
joe -> B
sue -> C
How can I do this? I have tried the examples at James Morris's blog:
http://james-morris.livejournal.com/8228.html
I get the following error:
[root@fedora11sel targeted]# chcat -l -- +c0 bob
libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user bob
exceeds allowed range s0 for SELinux user user_u (No such file or
directory).
libsemanage.validate_handler: seuser mapping [bob -> (user_u,
s0-s0:c0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No
such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
Thanks for any help you may have
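The libsemanage error above is a range containment check: the login range requested for bob (s0-s0:c0) must lie inside the range of the SELinux user he maps to (user_u, whose range is just s0), and s0:c0 is not dominated by s0. The following is an added example, not code from the thread, that implements that MLS/MCS dominance check on the range strings quoted in the post (function names are my own):

```python
import re

# Added example (not from the thread): parse MLS/MCS ranges such as
# "s0-s0:c0.c1023" and check that a login's range lies inside its SELinux
# user's range, which is the validation libsemanage applies when the
# chcat command above fails with "exceeds allowed range".

def parse_level(level):
    """'s0:c0.c1023' -> (0, frozenset(0..1023)); 's0' -> (0, frozenset())."""
    m = re.fullmatch(r"s(\d+)(?::(\S+))?", level.strip())
    if not m:
        raise ValueError(f"bad MLS level: {level!r}")
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        if "." in part:  # c0.c1023 is an inclusive run of categories
            lo, hi = (int(p.lstrip("c")) for p in part.split("."))
            cats.update(range(lo, hi + 1))
        else:
            cats.add(int(part.lstrip("c")))
    return int(m.group(1)), frozenset(cats)

def parse_range(rng):
    """'s0-s0:c0' -> (low, high); a bare level is its own low and high."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """Level a dominates b when its sensitivity and category set are >= b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def range_fits(login_range, seuser_range):
    """True when the login range is contained in the SELinux user's range."""
    lo, hi = parse_range(login_range)
    slo, shi = parse_range(seuser_range)
    return dominates(lo, slo) and dominates(shi, hi)

if __name__ == "__main__":
    # bob's requested range s0-s0:c0 against user_u's range s0 (from the post)
    print(range_fits("s0-s0:c0", "s0"))              # False: exactly the error
    print(range_fits("s0-s0:c0", "s0-s0:c0.c1023"))  # True: an seuser spanning c0 admits it
```

The same check explains why a login mapped to an SELinux user whose range covers the category (the second call) is accepted.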
nagios avc
by Vadym Chepkov
Hi,
I think it's a legitimate access call that needs to be allowed:
type=AVC msg=audit(1256842390.777:50774): avc: denied { read } for pid=17310 comm="httpd" name="status.dat" dev=dm-3 ino=182451 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file
Sincerely yours,
Vadym Chepkov
Relabelling issue
by Arthur Dent
Hello all,
I got an avc the other day that made me suspect that I might have
labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel;
reboot"
The avc turned out to be unrelated to this, but I was a little surprised
to see the following errors during the relabelling process:
SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
type=1404 audit(1256456979.782:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
type=1404 audit(1256457362.896:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
Should I be concerned?
Thanks for any suggestions...
Mark
p.s.
Latest yum log entries:
[root@localhost ~]# cat /var/log/yum.log | grep -i selinux
Aug 08 21:05:15 Updated: selinux-policy-3.6.12-69.fc11.noarch
Aug 08 21:08:51 Updated: selinux-policy-targeted-3.6.12-69.fc11.noarch
Aug 12 13:28:30 Updated: selinux-policy-3.6.12-72.fc11.noarch
Aug 12 13:29:05 Updated: selinux-policy-targeted-3.6.12-72.fc11.noarch
Aug 22 10:31:50 Updated: selinux-policy-3.6.12-78.fc11.noarch
Aug 22 10:32:25 Updated: selinux-policy-targeted-3.6.12-78.fc11.noarch
Aug 29 16:17:14 Updated: selinux-policy-3.6.12-80.fc11.noarch
Aug 29 16:17:48 Updated: selinux-policy-targeted-3.6.12-80.fc11.noarch
Sep 07 18:20:34 Updated: selinux-policy-3.6.12-81.fc11.noarch
Sep 07 18:21:09 Updated: selinux-policy-targeted-3.6.12-81.fc11.noarch
Sep 12 09:31:35 Updated: selinux-policy-3.6.12-82.fc11.noarch
Sep 12 09:32:08 Updated: selinux-policy-targeted-3.6.12-82.fc11.noarch
Oct 01 19:43:02 Updated: selinux-policy-3.6.12-83.fc11.noarch
Oct 01 19:43:35 Updated: selinux-policy-targeted-3.6.12-83.fc11.noarch
Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch
Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch
F12 beta, ldap authentication and NFS mounted home
by Tim Fenn
I upgraded a machine from F10 to F12 beta - it's a client machine that
mounts /home over NFS and authenticates over LDAP (however, it's a Mac
server that sets /home as /Volumes/Homes, which I have set up as a
pointer to /home). use_nfs_home_dirs is on and I can log in via SSH or
the console, but the graphical login fails when clicking "log in" with
the following selinux error:
SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access
on Homes.
I've attached the full sealert; am I missing something obvious/simple?
Thanks for any help!
-Tim
--
---------------------------------------------------------
Tim Fenn
fenn(a)stanford.edu
Stanford University, School of Medicine
James H. Clark Center
318 Campus Drive, Room E300
Stanford, CA 94305-5432
Phone: (650) 736-1714
FAX: (650) 736-1961
---------------------------------------------------------
strange avc with racoon under f-11 mls
by Joshua Roys
Hello all,
I am trying to get ipsec/racoon running under f11 mls. However, an
annoying avc is preventing that.
avc: denied { recv } for saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500
netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
On IRC it was mentioned the tcontext=...:s15:... could be an issue...?
Here's a bit of the selinux-policy that I thought should be allowing this:
./policy/modules/system/ipsec.te:
corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_sendrecv_all_if(racoon_t)
corenet_udp_sendrecv_all_if(racoon_t)
corenet_tcp_sendrecv_all_nodes(racoon_t)
corenet_udp_sendrecv_all_nodes(racoon_t)
corenet_tcp_bind_all_nodes(racoon_t)
corenet_udp_bind_all_nodes(racoon_t)
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
./policy/modules/kernel/corenetwork.if.in:
interface(`corenet_all_recvfrom_unlabeled',`
kernel_tcp_recvfrom_unlabeled($1)
kernel_udp_recvfrom_unlabeled($1)
kernel_raw_recvfrom_unlabeled($1)
kernel_recvfrom_unlabeled_peer($1)
# XXX - at some point the outbound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_sendrecv_unlabeled_association($1)
')
./policy/modules/kernel/kernel.if:
interface(`kernel_recvfrom_unlabeled_peer',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:peer recv;
')
I'm not entirely certain if the following ipsec rules were necessary,
but I added them anyway:
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:selinux_input - [0:0]
:selinux_output - [0:0]
:selinux_new_input - [0:0]
:selinux_new_output - [0:0]
-A INPUT -j selinux_input
-A OUTPUT -j selinux_output
-A selinux_input -m state --state NEW -j selinux_new_input
-A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore
-A selinux_output -m state --state NEW -j selinux_new_output
-A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore
-A selinux_new_input -j SECMARK --selctx system_u:object_r:server_packet_t:s0
-A selinux_new_output -j SECMARK --selctx system_u:object_r:client_packet_t:s0
-A selinux_new_input -p udp --dport 500 -j SECMARK --selctx system_u:object_r:isakmp_server_packet_t:s0
-A selinux_new_output -p udp --dport 500 -j SECMARK --selctx system_u:object_r:isakmp_client_packet_t:s0
-A selinux_new_input -j CONNSECMARK --save
-A selinux_new_input -j RETURN
-A selinux_new_output -j CONNSECMARK --save
-A selinux_new_output -j RETURN
COMMIT
Thanks in advance,
Joshua Roys
fixfiles -F option
by Moray Henderson (ICT)
Hello List.
I have an rpm for an selinux policy for a custom CentOS 5.3 distribution. When I install it, I use pre/post install scripts to back up the previous file contexts and run "fixfiles -C ${FILE_CONTEXT}.pre restore" as in the standard selinux-policy-targeted rpm.
On an upgrade, old httpd_sys_content_t files are not being updated to public_content_rw_t because httpd_sys_content_t is in the customizable_types file.
According to the fixfiles man page, -F should "Force reset of context to match file_context for customizable files", but when I added it, it made no difference. I had a look at the fixfiles script, and indeed it looks as if -F doesn't work with -C. Is that correct, or did I miss something?
Is there a recommended way to do that?
Moray.
"To err is human. To purr, feline"
Accounting/auditing reference?
by Marco Shaw
Is there anything online detailing SELinux's accounting and auditing features?
Example:
How/if it does system and process accounting
How/if it does system and process auditing
How/if it exactly logs (through syslogd?)
Thanks,
Marco
Feedback from Linux users about SELinux.
by Matthew Ife
So, I did a brief unscientific survey regarding SELinux with my
colleagues. The idea here is to work out what people see wrong or right
with SELinux and when documentation is done what should our focus or
priorities be in regards to it?
To give you a bit of background, respondents are all above-average
technically experienced Linux users who work for a hosting company
offering, amongst other things, Linux-based solutions of some sort, either
pre-packed or bespoke. All the people I asked have a procedural approach
to security (not the type of thing tagged onto the end of a project line
of thinking) and in general are open to security advice.
Attached is the PDF document with the questions I asked - you'll have to
forgive my decorating abilities!
The questions I asked could be wrong, the people I'm asking might not be
the "average" sample we could do with and admittedly the sample is way
too small.
So firstly on with the questions I asked and why I asked them:
> If you installed Fedora regarding SELinux would you
> a) Disable it on install
> b) permissive on install
> c) enforcing on install.
The point with this question is to really just gauge what these people's
feelings are with it "out of the box". Do they run it or do they not, and
how does that compare with their ideas for the questions I asked below?
> Why would you choose that option?
So the idea behind this question was to find out what they liked or
disliked about selinux which was enough of a motivator for them to turn
it on or turn it off or disable it completely.
> Specifically what is SELinux meant to do?
Really what I wanted to find out here is what the people would consider
SELinux as being able to achieve for them as well as a brief
understanding of how much they know about SELinux.
> Out of five, (five being very sufficient, 0 being completely
> insufficient) where would you put standard UNIX permissions (rwx,
> setuids and acls) for security on a machine? First for desktops second
> for servers.
This question was meant to gauge the person's understanding of DAC and
how they pit against the current major security threats, i.e. "Do you
find DAC is sufficient enough for securing your server?"
From the data this is my analysis, but my opinions are pretty biased as I
already know all these people anyway. I'd love people's feedback.
None of the respondents had any insight into the pros/cons of DAC or
MAC.
All the respondents saw SELinux as a fine grained access control
mechanism.
The more respondents understood about SELinux the more they were likely
to enable it.
Currently servers would benefit from SELinux more than Desktops would.
So from the very limited feedback I've got I would say:
People's understanding of why MAC in some fashion is necessary is limited
or non-existent. There should probably be some good argumentative cases
for why DAC is not able to adequately contain a security breach or
threat and what SELinux MAC is ready to do about it. Perhaps a wiki page
that explains what DAC and MAC are - giving examples, what the current
security trends and threats are against your systems and what both can /
cannot do to mitigate them.
People envision SELinux as an access control system. Documentation on
type enforcement (perhaps with examples analogous to DAC) would be
beneficial.
In addition personally I would say most sysadmins are totally missing
fundamental security understandings (what is a subject, what is an
object, what is DAC what is MAC etc) and this means they are unable to
appreciate what SELinux is trying to accomplish. Also I believe
sysadmins do not consider containment of a security breach and spend
much of their effort attempting to prevent it in the first place.
Well, that's probably more than I can prune on the whole thing I've got.
I might be perhaps looking way too much into the information I have and
would recommend people make up their own minds based off of the
information I supplied.
The goal here is to find out what people's vision of SELinux is (either
right or wrong) and what can be done to help correct it.
Confined User using screen
by Ian Lists
I just started playing around with confining users in rawhide using
selinux-policy-3.6.32-24.fc12.noarch and am having an issue running screen.
When running screen with selinux enforcing I get the following error with no
AVC.
[b1gb0y@imarks-ws ~]$ id -Z
user_u:user_r:user_t:s0
[b1gb0y@imarks-ws ~]$ screen
Cannot make directory '/var/run/screen': File exists
When I run screen with selinux in permissive mode it works as expected and
generates AVCs. I have tried to run audit2allow against the following AVCs, but
the module is not able to load.
234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write
system_u:object_r:screen_var_run_t:s0 denied 26464
235. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir add_name
system_u:object_r:screen_var_run_t:s0 denied 26464
236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create
user_u:object_r:screen_var_run_t:s0 denied 26464
237. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 92 dir setattr
user_u:object_r:screen_var_run_t:s0 denied 26465
238. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir write
user_u:object_r:screen_var_run_t:s0 denied 26467
239. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir add_name
user_u:object_r:screen_var_run_t:s0 denied 26467
240. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 fifo_file create
user_u:object_r:screen_var_run_t:s0 denied 26467
241. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file read
user_u:object_r:screen_var_run_t:s0 denied 26468
242. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file open
user_u:object_r:screen_var_run_t:s0 denied 26468
243. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file write
user_u:object_r:screen_var_run_t:s0 denied 26471
244. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 dir remove_name
user_u:object_r:screen_var_run_t:s0 denied 26478
245. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 fifo_file unlink
user_u:object_r:screen_var_run_t:s0 denied 26478
ausearch --start today -m avc | audit2allow -M screen
[root@imarks-ws ~]# cat screen.te
module screen 1.0;

require {
	type screen_var_run_t;
	type user_t;
	class dir { write remove_name create add_name setattr };
	class fifo_file { read write create unlink open };
}

#============= user_t ==============
allow user_t screen_var_run_t:dir { write remove_name create add_name setattr };
allow user_t screen_var_run_t:fifo_file { read write create unlink open };
semodule -i screen.pp
libsepol.print_missing_requirements: screen's global requirements were not
met: type/attribute screen_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule: Failed!
I know user_u should only be able to write to /tmp and ~/, so this may be a
bad idea altogether..
Any suggestions on getting this to work would be much appreciated.
Thanks,
Ian
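The semodule failure in this post comes from the generated module's require block: audit2allow names every source and target type it saw in the denials, and semodule refuses to link the module if any of them (here screen_var_run_t) is not defined in the loaded policy. The following is an added example, not code from the post or from audit2allow, that reproduces that aggregation on the denial lines quoted above so the types a module will demand can be listed before running semodule; the field layout is my reading of those lines and the function names are my own:

```python
import re
from collections import defaultdict

# Added example (not from the thread): turn the denial listing in the post
# into allow rules the way audit2allow -M does, and list the types its
# require block will demand. Every one of those types must exist in the
# loaded policy, which is what "global requirements were not met:
# type/attribute screen_var_run_t" is reporting.

# Constructed sample: four of the post's lines, re-joined onto one line each.
SAMPLE = """\
234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write system_u:object_r:screen_var_run_t:s0 denied 26464
235. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir add_name system_u:object_r:screen_var_run_t:s0 denied 26464
236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create user_u:object_r:screen_var_run_t:s0 denied 26464
244. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 fifo_file unlink user_u:object_r:screen_var_run_t:s0 denied 26478
"""

# index, date, time, comm, scontext, count, class, permission, tcontext, result, serial
LINE = re.compile(
    r"^\d+\.\s+\S+\s+\S+\s+(?P<comm>\S+)\s+(?P<scon>\S+)\s+\d+\s+"
    r"(?P<tclass>\S+)\s+(?P<perm>\S+)\s+(?P<tcon>\S+)\s+denied\s+\d+$")

def type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]

def aggregate(text):
    """Group denials into {(source type, target type, class): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # skip wrapped fragments and anything that is not a denial
            rules[(type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])].add(m["perm"])
    return dict(rules)

def required_types(rules):
    """Types the generated module's require block will name."""
    return sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})

def render_module(rules, name="screen"):
    """Emit a .te file in the shape audit2allow -M produces."""
    perms_by_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        perms_by_class[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in required_types(rules)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(perms_by_class.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

if __name__ == "__main__":
    print("require:", required_types(aggregate(SAMPLE)))
    print(render_module(aggregate(SAMPLE)))
```

Checking each name from required_types against the running policy (for instance with seinfo -t from setools) before loading the module tells you up front whether semodule will reject it for an undefined type.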