Apache/PHP mail function SELinux permissions
by Ted Rule
I've had a "problem" recently with SELinux permissions related to PHP's
mail functions. These appear to give rise to two different classes of error,
one for read permissions on the httpd_t domain itself, and one for
read/write permission on a file in the httpd_tmp_t domain.
aureport gives this:
$ sudo aureport -a |grep system_mail |head
6. 25/10/09 13:12:48 sendmail user_u:system_r:system_mail_t:s0 11 file
read user_u:system_r:httpd_t:s0 denied 116101
7. 25/10/09 13:15:57 sendmail user_u:system_r:system_mail_t:s0 11 file
read write user_u:object_r:httpd_tmp_t:s0 denied 116102
17. 25/10/09 13:39:46 sendmail user_u:system_r:system_mail_t:s0 11 file
read write user_u:object_r:httpd_tmp_t:s0 denied 116124
23. 25/10/09 13:43:04 sendmail user_u:system_r:system_mail_t:s0 11 file
read write user_u:object_r:httpd_tmp_t:s0 denied 116136
24. 25/10/09 13:43:04 sendmail user_u:system_r:system_mail_t:s0 11 file
read user_u:system_r:httpd_t:s0 denied 116136
30. 25/10/09 13:52:57 sendmail user_u:system_r:system_mail_t:s0 11 file
read write user_u:object_r:httpd_tmp_t:s0 denied 116148
31. 25/10/09 13:52:57 sendmail user_u:system_r:system_mail_t:s0 11 file
read user_u:system_r:httpd_t:s0 denied 116148
39. 25/10/09 14:01:18 sendmail user_u:system_r:system_mail_t:s0 11 file
read write user_u:object_r:httpd_tmp_t:s0 denied 116168
40. 25/10/09 14:01:18 sendmail user_u:system_r:system_mail_t:s0 11 file
read user_u:system_r:httpd_t:s0 denied 116168
48. 25/10/09 14:11:50 sendmail user_u:system_r:system_mail_t:s0 11 file
read write user_u:object_r:httpd_tmp_t:s0 denied 116181
Policy on the Apache hosts currently uses selinux-policy-2.4.6-203.el5.
Looking in more detail at ausearch we see that the httpd_t related avc
is apparently related to an "eventpoll" file descriptor, whilst the
httpd_tmp_t avc is probably for a file created by php in /tmp.
Looking at the php source code itself, I see that it is simply opening a
temporary file containing the body of the Email and pouring it via a
pipe into an instance of sendmail via popen().
As such, it seems likely that both classes of avc's are simply file
descriptors "leaking" into the popen'ed child process running in the
system_mail_t domain.
Sadly, for other reasons, the Apache hosts are still in permissive, so
it's currently unclear to me whether the PHP mail function would fail
completely if either
of these permissions are denied in enforcing mode, but it makes me
wonder whether there would be any sense in a wider solution to leaky
descriptors which caused popen() itself to close all file descriptors
other than STDIN/STDOUT/STDERR if the popen'ed executable implies a
domain transition. Alternatively, one might envisage a set of selinux
booleans which allowed a more granular control of leaked descriptors
outside of STDIN/STDOUT/STDERR.
The other potential policy improvement would be for system_mail_t to
simply "dontaudit" denials relating to eventpoll class file descriptors
and temporary files in context *_tmp_t.
time->Sun Oct 25 13:12:48 2009
type=SYSCALL msg=audit(1256476368.217:116101): arch=40000003 syscall=11 success=yes exit=0 a0=97e5ff0 a1=97e5798 a2=97e5600 a3=40 items=0 ppid=20809 pid=22040 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256476368.217:116101): avc: denied { read } for pid=22040 comm="sendmail" path="eventpoll:[129640960]" dev=eventpollfs ino=129640960 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
----
time->Sun Oct 25 13:15:57 2009
type=SYSCALL msg=audit(1256476557.234:116102): arch=40000003 syscall=11 success=yes exit=0 a0=9ab7ff0 a1=9ab7798 a2=9ab7600 a3=40 items=0 ppid=21767 pid=22099 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256476557.234:116102): avc: denied { read write } for pid=22099 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
----
time->Sun Oct 25 13:39:46 2009
type=SYSCALL msg=audit(1256477986.012:116124): arch=40000003 syscall=11 success=yes exit=0 a0=97f1ff0 a1=97f1798 a2=97f1600 a3=40 items=0 ppid=23457 pid=23560 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256477986.012:116124): avc: denied { read write } for pid=23560 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
----
time->Sun Oct 25 13:43:04 2009
type=SYSCALL msg=audit(1256478184.954:116136): arch=40000003 syscall=11 success=yes exit=0 a0=8f48ff0 a1=8f48798 a2=8f48600 a3=40 items=0 ppid=23048 pid=23802 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256478184.954:116136): avc: denied { read } for pid=23802 comm="sendmail" path="eventpoll:[129701955]" dev=eventpollfs ino=129701955 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1256478184.954:116136): avc: denied { read write } for pid=23802 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
----
time->Sun Oct 25 13:52:57 2009
type=SYSCALL msg=audit(1256478777.377:116148): arch=40000003 syscall=11 success=yes exit=0 a0=945bff0 a1=945b798 a2=945b600 a3=40 items=0 ppid=24396 pid=24439 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256478777.377:116148): avc: denied { read } for pid=24439 comm="sendmail" path="eventpoll:[129734033]" dev=eventpollfs ino=129734033 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1256478777.377:116148): avc: denied { read write } for pid=24439 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
----
--
Ted Rule
Director, Layer3 Systems Ltd
Layer3 Systems Limited is registered in England. Company no 3130393
W: http://www.layer3.co.uk/
13 years, 4 months
The SELinux Documentation Project [Request for topics]
by Joshua Brindle
As we discussed at Linux Plumbers Conference during the "Making SELinux
Easier to Use" talk, we have some document deficiencies in the SELinux
project.
I volunteered to start an SELinux Documentation Project. The primary
purpose of the project would be to get as much documentation as possible
on the selinuxproject.org wiki, organized in a fashion that users can
understand and consume easily.
As I admitted before, we, the developers, are not always the best people
to judge what documentation users need, and therefore I am requesting
that users, hopefully from different backgrounds and environments, tell us
what documentation they feel is lacking, and what questions they've been
asked or have asked themselves and couldn't find documentation for.
I think we need basic documentation that tells about SELinux (both
beginner and advanced), howto's for specific things (using secmark,
using netlabel, etc) and a set of short 'recipes' to accomplish simple
tasks.
There are documents all over the place with various information, as well
as blog entries and mailing list archives but the effort here is to
consolidate all those resources onto selinuxproject.org.
I'd also like to see volunteers in the community help out with the
documentation effort; I know quite a few people already write things
like this on blogs, etc., and it would be great to see that information
moved/copied onto selinuxproject.org.
Users:
Please, if you are a user and have run into a lack of documentation,
respond to this thread, or privately if you aren't comfortable talking
on list, so that we can collect what the biggest deficiencies are and get
to writing documentation as soon as possible.
Thanks.
13 years, 11 months
SELinux won't let dovecot connect to postgresql
by Roland Roberts
I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
installed. I have a small user database set up for email authentication.
The issue I'm having is that when I am in enforcing mode, dovecot can't
connect to the database. Turning off enforcing mode lets it work. I'm
having trouble diagnosing where the denial is taking place as I don't
see any avc messages in /var/log/messages that relate to dovecot. The
only messages I'm getting are in /var/log/maillog from dovecot like this:
Nov 28 22:23:11 fred dovecot: auth(default): pgsql: Connect failed to
maildb: could not connect to server: Permission denied
Nov 28 22:23:11 fred dovecot: auth(default): #011Is the server running
on host "fred.flinstone.org" and accepting
Nov 28 22:23:11 fred dovecot: auth(default): #011TCP/IP connections on
port 5432?
The answer to the questions is "yes", it is running and accepting
connections. Whether or not enforcing mode is on, when logged in, I can
connect to the database via
$ psql -h fred.flinstone.org maildb
I *think* this is a result of updating on Nov 18. I have not changed
the default selinux mode since the host was set up back in September.
At that point, I set it to enforcing mode after working out a few
issues. On Nov 18, a lot of things were updated, but among them were
Nov 18 10:00:02 Updated: kernel-firmware-2.6.30.9-96.fc11.noarch
Nov 18 10:00:15 Updated: kernel-headers-2.6.30.9-96.fc11.x86_64
Nov 18 10:00:28 Installed: kernel-devel-2.6.30.9-96.fc11.x86_64
Nov 18 10:01:30 Installed: kernel-2.6.30.9-96.fc11.x86_64
Nov 18 10:02:01 Updated: selinux-policy-3.6.12-86.fc11.noarch
Nov 18 10:02:46 Updated: selinux-policy-targeted-3.6.12-86.fc11.noarch
Today, I did another update, hoping it would cure the problem and got
these revisions
Nov 28 10:57:33 Updated: selinux-policy-3.6.12-88.fc11.noarch
Nov 28 10:57:47 Updated: selinux-policy-targeted-3.6.12-88.fc11.noarch
but the behavior is unchanged; I still have to turn off enforcing mode.
Any clues on what I need to do to get this to work? Or where to look
for clues since, as I mentioned, I can't even find log entries that
would clue me in.
roland
--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland(a)rlenter.com 6818 Madeline Court
roland(a)astrofoto.org Brooklyn, NY 11220
13 years, 12 months
libcgroup policy (concept)
by Dominick Grift
Attached policy targets some libcgroup stuff. The policy is largely
untested (I do have it running on a few servers here, but I get some avc
denials that I am not quite sure what to do with).
14 years
3.7.3-1 nsplugin
by Dominick Grift
> type=SYSCALL msg=audit(1259237381.086:26296): arch=c000003e syscall=84 success=yes exit=68719476864 a0=168e400 a1=7fff3a1c4260 a2=ffffffffffffffa8 a3=fffffff4 items=0 ppid=5802 pid=5935 auid=501 uid=501 gid=503 euid=501 suid=501 fsuid=501 egid=503 sgid=503 fsgid=503 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib64/nspluginwrapper/npviewer.bin" subj=staff_u:staff_r:nsplugin_t:s0 key=(null)
> type=AVC msg=audit(1259237381.086:26296): avc: denied { rmdir } for pid=5935 comm="npviewer.bin" name=".pulse" dev=dm-1 ino=909380 scontext=staff_u:staff_r:nsplugin_t:s0 tcontext=staff_u:object_r:gnome_home_t:s0 tclass=dir
> allow nsplugin_t gnome_home_t:dir { search getattr setattr rmdir };
Why is .pulse even gnome_home_t, and why is .pulse-cookie user_home_t?
Looks to me like these locations are owned by pulseaudio, not gnome.
14 years
execstack fun
by Braden McDaniel
I develop software on Fedora. Since upgrading to Fedora 12, I now trip
over this when my program tries to dlopen libjvm.so:
SELinux is preventing /var/user/braden/openvrml-dbg/examples/.libs/lt-sdl-viewer
from making the program stack executable.
Changing the context of the executable each time it's built isn't
especially practical; and disabling this check for everything on the
system isn't especially desirable. Is there a better way to manage
this?
--
Braden McDaniel <braden(a)endoframe.com>
14 years
The story behind by default permissive domains
by Göran Uddeborg
After switching to F12 policy I've started getting SELinux alerts from
setroubleshoot looking like this
Summary:
SELinux is preventing ntop (ntop_t) "create" ntop_t.
Detailed Description:
[ntop has a permissive type (ntop_t). This access was not denied.]
I thought permissive domains were meant as a debugging and development
tool. But I haven't (knowingly) made ntop_t permissive. And the
command suggested in the user guide, semodule -l | grep permissive,
returns nothing.
So it seems ntop_t is permissive by default somehow. Is the reasoning
behind domains that are permissive by default documented somewhere? A
blog I should read or so? Can I find out what other domains are also
permissive?
(I haven't yet upgraded ntop to F12, so this particular AVC might be
because I run an old version. This mail is a question about the
concept of domains that are permissive from the start, not this AVC.)
14 years
Add new ksm domain.
by Dominick Grift
Attached is ksm module. If virtualization is installed then ksm and
ksmtuned services are enabled by default.
Currently they run in initrc_t. It seems the initrc_t domain has
sufficient permissions for ksm tune daemon.
The policy is not thoroughly tested yet, so I left ksmtuned_t permissive.
14 years
F-12 arpwatch AVCs
by Paul Howarth
Just updated my DHCP/arpwatch box to F-12 and needed to add this to
local policy:
kernel_read_network_state(arpwatch_t)
AVCs:
type=AVC msg=audit(1258984783.886:788): avc: denied { read } for pid=4592 comm="arpwatch" name="dev" dev=proc ino=4026531931 scontext=unconfined_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1258984783.886:788): arch=c000003e syscall=2 success=no exit=-13 a0=3e9aa1f9d5 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=4592 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="arpwatch" exe="/usr/sbin/arpwatch" subj=unconfined_u:system_r:arpwatch_t:s0 key=(null)
type=SYSCALL msg=audit(1258984783.894:789): arch=c000003e syscall=54 success=yes exit=0 a0=0 a1=107 a2=1 a3=7fff6c6ebff0 items=0 ppid=1 pid=4592 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="arpwatch" exe="/usr/sbin/arpwatch" subj=unconfined_u:system_r:arpwatch_t:s0 key=(null)
type=AVC msg=audit(1259008591.308:107843): avc: denied { read } for pid=4085 comm="arpwatch" name="dev" dev=proc ino=4026531931 scontext=unconfined_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1259008591.308:107843): avc: denied { open } for pid=4085 comm="arpwatch" name="dev" dev=proc ino=4026531931 scontext=unconfined_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1259008591.308:107843): arch=c000003e syscall=2 success=yes exit=0 a0=3e9aa1f9d5 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=4085 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="arpwatch" exe="/usr/sbin/arpwatch" subj=unconfined_u:system_r:arpwatch_t:s0 key=(null)
type=AVC msg=audit(1259008591.308:107844): avc: denied { getattr } for pid=4085 comm="arpwatch" path="/proc/4085/net/dev" dev=proc ino=4026531931 scontext=unconfined_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1259008591.308:107844): arch=c000003e syscall=5 success=yes exit=0 a0=0 a1=7fff01307210 a2=7fff01307210 a3=7fff01307110 items=0 ppid=1 pid=4085 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="arpwatch" exe="/usr/sbin/arpwatch" subj=unconfined_u:system_r:arpwatch_t:s0 key=(null)
type=SYSCALL msg=audit(1259008591.317:107845): arch=c000003e syscall=54 success=yes exit=0 a0=0 a1=107 a2=1 a3=7fff01307560 items=0 ppid=1 pid=4085 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="arpwatch" exe="/usr/sbin/arpwatch" subj=unconfined_u:system_r:arpwatch_t:s0 key=(null)
Cheers, Paul.
14 years
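Reading raw records by hand is error-prone, and auditd writes a field as hex rather than quoting it when the value contains a space or another character it will not print raw (the `path=2F746D70...` record in the first post on this page is one; `ausearch -i` decodes such fields). The parser below is an added example that serves both the sendmail records in the first post and the arpwatch records in the last; it is not code from either post or from the audit tools. It decodes hex-encoded fields, extracts the AVC fields, and tallies denials by source context, target context, object class and permissions, the grouping one needs before deciding whether a bucket calls for an allow rule, a dontaudit rule, or a relabel. The sample input is constructed by copying records from the two posts and rejoining each onto one line; the function names are this example's own.

```python
import re
from collections import Counter
from typing import Optional

# Constructed input: AVC records copied from the posts above, each rejoined onto
# one line the way auditd wrote them. A SYSCALL record is included to show that
# non-AVC lines are skipped.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1256476368.217:116101): avc: denied { read } for pid=22040 comm="sendmail" path="eventpoll:[129640960]" dev=eventpollfs ino=129640960 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file',
    'type=AVC msg=audit(1256476557.234:116102): avc: denied { read write } for pid=22099 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1256477986.012:116124): avc: denied { read write } for pid=23560 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1258984783.886:788): avc: denied { read } for pid=4592 comm="arpwatch" name="dev" dev=proc ino=4026531931 scontext=unconfined_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=AVC msg=audit(1259008591.308:107843): avc: denied { open } for pid=4085 comm="arpwatch" name="dev" dev=proc ino=4026531931 scontext=unconfined_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1258984783.886:788): arch=c000003e syscall=2 success=no exit=-13 a0=3e9aa1f9d5 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=4592 auid=500 uid=0 gid=0 comm="arpwatch" exe="/usr/sbin/arpwatch" subj=unconfined_u:system_r:arpwatch_t:s0 key=(null)',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'[0-9A-Fa-f]+')
# Fields auditd may hex-encode instead of quoting (names, paths, command lines).
HEX_ENCODED_FIELDS = {"path", "name", "comm", "exe", "proctitle"}


def decode_audit_value(raw: str) -> str:
    """Return the printable value of one audit field.

    auditd quotes a value it can print as-is and hex-encodes one that holds a
    space, quote or non-printable byte; a trailing " (deleted)" on an unlinked
    file is the usual trigger for path=. Anything else is returned unchanged.
    """
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if len(raw) % 2 == 0 and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(line: str) -> Optional[dict]:
    """Parse one raw type=AVC line into a dict; return None for other record types.

    The serial number is kept because it is what ties an AVC record to the
    SYSCALL record auditd emits for the same event (ausearch groups on it)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "serial": int(m.group("serial")),
           "perms": tuple(m.group("perms").split())}
    for key, raw in FIELD_RE.findall(m.group("fields")):
        rec[key] = decode_audit_value(raw) if key in HEX_ENCODED_FIELDS else raw
    return rec


def summarise(lines) -> Counter:
    """Count denials by (scontext, tcontext, tclass, perms). Every record in one
    bucket needs the same policy decision, so the bucket is the unit to triage."""
    tally = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (rec["scontext"], rec["tcontext"], rec["tclass"], " ".join(rec["perms"]))
            tally[key] += 1
    return tally


if __name__ == "__main__":
    for rec in filter(None, map(parse_avc, SAMPLE_RECORDS)):
        print(f'{rec["serial"]}: {rec["scontext"]} -> {rec.get("path", rec.get("name"))}')
    for key, n in summarise(SAMPLE_RECORDS).most_common():
        print(n, *key)
```

Decoding the hex path turns the opaque `path=2F74...` field into a readable name with its " (deleted)" suffix, which is exactly why auditd could not quote it; the per-bucket counts then show at a glance that the httpd_tmp_t denial recurs across events while each eventpoll denial is a separate descriptor.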