Obtaining Source for Fedora SELinux policies
by Antony Vennard
Hi All,
This may seem like an obvious question but I'm yet to understand how I
do it. How do I obtain the sources for the Fedora SELinux policy
(targeted) used on my system and how do I grab the sources for the
MLS policy should I want to look at that?
I imagine this won't be too difficult to answer, I just can't seem to
find the sources.
Thanks,
Antony
14 years, 4 months
General interface question
by Moray Henderson
How do you find out what module interfaces are available for you to use
in your own policies?
Moray.
"To err is human. To purr, feline"
14 years, 4 months
DenyHosts policy
by Dominick Grift
Attached are the DenyHosts modules, based on the Fedora 12 DenyHosts package.
Maintained here: git clone git://82.197.205.60/selinux-modules.git
14 years, 4 months
Re: Logrotate frustration
by Arthur Dent
On Tue, 2009-12-15 at 09:39 -0500, Daniel J Walsh wrote:
> On 12/14/2009 05:01 AM, Arthur Dent wrote:
> > On Mon, 2009-12-07 at 22:30 +0000, Arthur Dent wrote:
> >> On Mon, 2009-12-07 at 16:24 -0500, Daniel J Walsh wrote:
> >>> On 12/06/2009 04:38 AM, Arthur Dent wrote:
[Snip]
> >>> I can allow logrotate to manage log lnk_files, and allow it to write to the fail2ban socket.
> >>>
> >>> Are you using a custom logrotate to rotate mail_spool?
[Snip]
> >
> > OK - Following another arm of this thread I have (last week) done a
> > complete relabel and removed my existing fail2ban and logrotate local
> > policies.
> >
> > As a result of yesterday's weekly log rotate squid threw up another
> > couple of AVCs related to log_lnk (see below).
> >
> > I have created another local policy but, do I understand you correctly
> > Daniel that you may include log_lnk in a future targeted policy?
> >
> > Here is my new logrotate policy:
> >
> > ===============8<==================================================
> >
> > module mylogr 11.2.2;
> >
> > require {
> > type mail_spool_t;
> > type logrotate_t;
> > type squid_log_t;
> > class file getattr;
> > class lnk_file { rename unlink };
> > }
> >
> > #============= logrotate_t ==============
> > allow logrotate_t mail_spool_t:file getattr;
> > allow logrotate_t squid_log_t:lnk_file { rename unlink };
> >
> > ===============8<==================================================
> >
> > Is this OK?
[Snip]
>
> Yes the squid access will not be needed.
>
> Fixed in selinux-policy-3.6.32-59.fc12.noarch
>
> logrotate looking at /mnt/backup/mail/rawmail
> Looks like a local customization.
Thanks Daniel,
OK - I am running F11:
# rpm -qa | grep -i selinux-policy
selinux-policy-targeted-3.6.12-91.fc11.noarch
selinux-policy-3.6.12-91.fc11.noarch
Will there be a F11 version? (If so what version will it be in?)
In the meantime I should keep using my local policy I guess?...
Thanks again
Mark
14 years, 4 months
SELinux is preventing zenity...
by Steve Blackwell
I have a UPS that sends an SNMP trap when the main power goes out.
I wrote my snmptrapd.conf file to execute a script when the trap is
received. The script simply calls zenity to pop up a message.
Here's my problem. If I start snmptrapd from the command line
everything works beautifully but if I have the system start it at boot
time or via System->Administration->Services, the trap gets logged
in /var/log/messages but the zenity window doesn't get displayed and I
get these SELinux messages in /var/log/messages.
SELinux is preventing the zenity from using potentially mislabeled
files (XO)...
SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown>
<xserver_port_t>...
I've looked at the output of
# ps -ef | grep snmptrapd
and it is identical in both cases so I don't understand why one works
and the other doesn't. I tried
# cat /var/log/messages | audit2allow -m local
but that just produced a file that said:
module local 1.0;
and nothing else.
I'm running RHEL5.4 with SELinux in enforcing mode.
Any help would be appreciated.
Thanks,
Steve
14 years, 4 months
libcg policy
by Dominick Grift
The policy below works for me. But there are variables; for example,
I chose to mount the cgroup fs in /mnt/, some mount it to /dev, others to /proc.
Also, interface naming could be better. And unfortunately a lot is done in
init scripts.
/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgrulesengd_initrc_exec_t, s0)
/sbin/cgrulesengd -- gen_context(system_u:object_r:cgrulesengd_exec_t, s0)
/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0)
policy_module(libcgroup, 1.0.0)
########################################
#
# cgrulesengd personal declarations.
#
type cgrulesengd_t;
type cgrulesengd_exec_t;
init_daemon_domain(cgrulesengd_t, cgrulesengd_exec_t)
type cgrulesengd_initrc_exec_t;
init_script_file(cgrulesengd_initrc_exec_t)
type cgrulesengd_var_run_t;
files_pid_file(cgrulesengd_var_run_t)
permissive cgrulesengd_t;
########################################
#
# cgconfig personal declarations.
#
type cgconfigparser_t;
type cgconfigparser_exec_t;
init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)
type cgconfig_initrc_exec_t;
init_script_file(cgconfig_initrc_exec_t)
permissive cgconfigparser_t;
########################################
#
# cgrulesengd personal policy.
#
allow cgrulesengd_t self:capability { net_admin sys_ptrace dac_override };
allow cgrulesengd_t self:netlink_socket { write bind create read };
allow cgrulesengd_t self:unix_dgram_socket { write create connect };
manage_sock_files_pattern(cgrulesengd_t, cgrulesengd_var_run_t, cgrulesengd_var_run_t)
files_pid_filetrans(cgrulesengd_t, cgrulesengd_var_run_t, sock_file)
domain_read_all_domains_state(cgrulesengd_t)
files_read_etc_files(cgrulesengd_t)
files_search_all(cgrulesengd_t)
files_getattr_all_files(cgrulesengd_t)
files_getattr_all_dirs(cgrulesengd_t)
files_getattr_all_sockets(cgrulesengd_t)
files_getattr_all_pipes(cgrulesengd_t)
files_getattr_all_symlinks(cgrulesengd_t)
# read all link files.
kernel_read_system_state(cgrulesengd_t)
logging_send_syslog_msg(cgrulesengd_t)
miscfiles_read_localization(cgrulesengd_t)
optional_policy(`
fs_write_cgroup_files(cgrulesengd_t)
')
########################################
#
# cgconfig personal policy.
#
optional_policy(`
fs_manage_cgroup_dirs(cgconfigparser_t)
fs_rw_cgroup_files(cgconfigparser_t)
fs_setattr_cgroup_files(cgconfigparser_t)
fs_mount_cgroup_fs(cgconfigparser_t)
')
files_mounton_mnt(cgconfigparser_t)
files_manage_mnt_dirs(cgconfigparser_t)
files_read_etc_files(cgconfigparser_t)
## <summary>Control group rules engine daemon.</summary>
## <desc>
## <p>
## cgrulesengd is a daemon, which distributes processes
## to control groups. When any process changes its
## effective UID or GID, cgrulesengd inspects list of
## rules loaded from cgrules.conf file and moves the
## process to the appropriate control group.
## </p>
## <p>
## The list of rules is read during the daemon startup and
## are cached in daemon’s memory. The daemon reloads the
## list of rules when it receives SIGUSR2 signal.
## </p>
## </desc>
########################################
## <summary>
## Read and write cgrulesengd sock file in /var/run.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`libcgroup_cgrulesengd_rw_pid_sock_file', `
gen_require(`
type cgrulesengd_var_run_t;
')
rw_sock_files_pattern($1, cgrulesengd_var_run_t, cgrulesengd_var_run_t)
files_search_pids($1)
')
########################################
## <summary>
## Unix stream socket connect to cgrulesengd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`libcgroup_cgrulesengd_stream_connect', `
gen_require(`
type cgrulesengd_t;
')
allow $1 cgrulesengd_t:unix_stream_socket connectto;
')
# /mnt/cgroups/cpu
kernel_list_unlabeled(cgconfigparser_t)
kernel_read_system_state(cgconfigparser_t)
-------------------------------------------
-------------------------------------------
patch to filesystem
-------------------------------------------
## <summary>Patch to facilitate interfaces to interact with cgroup fs.</summary>
## <desc>
## <p>
## Add interfaces to allow for interaction with cgroupfs
## for initrc (cgconfig) and for cgrulesengd.
## </p>
## </desc>
########################################
## <summary>
## Mount a cgroup filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_mount_cgroup_fs', `
gen_require(`
type cgroup_t;
')
allow $1 cgroup_t:filesystem mount;
')
########################################
## <summary>
## Remount a cgroup filesystem. This allows
## some mount options to be changed.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_remount_cgroup_fs', `
gen_require(`
type cgroup_t;
')
allow $1 cgroup_t:filesystem remount;
')
########################################
## <summary>
## Unmount a cgroup file system.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_unmount_cgroup_fs', `
gen_require(`
type cgroup_t;
')
allow $1 cgroup_t:filesystem unmount;
')
########################################
## <summary>
## Read and write files on cgroup
## file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_rw_cgroup_files',`
gen_require(`
type cgroup_t;
')
rw_files_pattern($1, cgroup_t, cgroup_t)
fs_search_cgroup_dirs($1)
')
########################################
## <summary>
## Set attributes of files on cgroup
## file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_setattr_cgroup_files',`
gen_require(`
type cgroup_t;
')
setattr_files_pattern($1, cgroup_t, cgroup_t)
fs_search_cgroup_dirs($1)
')
########################################
## <summary>
## Manage dirs on cgroup
## file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_manage_cgroup_dirs',`
gen_require(`
type cgroup_t;
')
manage_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
## Search dirs on cgroup
## file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_search_cgroup_dirs', `
gen_require(`
type cgroup_t;
')
allow $1 cgroup_t:dir search;
')
########################################
## <summary>
## Write files on cgroup
## file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_write_cgroup_files', `
gen_require(`
type cgroup_t;
')
write_files_pattern($1, cgroup_t, cgroup_t)
fs_search_cgroup_dirs($1)
')
########################################
## <summary>
## list dirs on cgroup
## file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_list_cgroup_dirs', `
gen_require(`
type cgroup_t;
')
list_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
## create dirs on cgroup
## file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_create_cgroup_dirs', `
gen_require(`
type cgroup_t;
')
create_dirs_pattern($1, cgroup_t, cgroup_t)
')
----------------------------------------------
patch to init
---------------------------------------------
policy_module(patch_initrc_to_allow_cgconf_cgrulesengd_manage_files_on_cgroup_fs, 1.0.0)
########################################
#
# Declarations
#
optional_policy(`
gen_require(`
type initrc_t;
')
fs_manage_cgroup_dirs(initrc_t)
fs_rw_cgroup_files(initrc_t)
fs_setattr_cgroup_files(initrc_t)
libcgroup_cgrulesengd_rw_pid_sock_file(initrc_t)
libcgroup_cgrulesengd_stream_connect(initrc_t)
')
14 years, 4 months
labeling traffic over lo
by Joshua Roys
Hello,
I am trying to have some applications communicate over loopback under a
f12 mls policy using some sort of labeled networking, the reason being
that otherwise I hit a selinux avc about an unlabeled_t ingress:
avc: denied { ingress } for saddr=127.0.0.1 daddr=127.0.0.1 netif=lo
scontext=system_u:object_r:unlabeled_t:s15:c0.c1023
tcontext=...:lo_netif_t:s0-s15:c0.c1023 tclass=netif
Thus far I have tried secmark, but there appear to be issues. I have
incoming and outgoing labeled ipsec from this box working, until I add a
secmark rule like:
iptables -t mangle -A INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 -i lo --dport $secondary_app_port -j SECMARK --selctx system_u:system_r:httpd_t:s0-s1:c0,c3
And then labeled ipsec falls over and I get avcs similar to:
avc: denied { recv } for saddr=$remote daddr=$local netif=eth0
scontext=...:application_t tcontext=...:unlabeled_t tclass=packet
It seems as if having any secmark labels causes selinux to "forget"
about the labels retrieved from labeled ipsec? When I delete the
secmark rule, I return to getting ingress avcs...
Any ideas?
Thanks,
Josh
14 years, 4 months
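The raw "avc: denied" records quoted in Josh's post above, and the logrotate denials that Arthur collapsed into allow rules earlier in this digest, share one record format. The parser below is an added example (not code from either poster or from audit2allow): it extracts source type, target type, class and permissions, groups them into allow rules the way audit2allow does, and flags denials whose source is unlabeled_t on a network class as a labelling problem rather than a missing rule. The sample records and the full contexts in them are constructed for this example; the original posts abbreviated their contexts with "...".

```python
import re
from collections import defaultdict

# Constructed sample records, modelled on the AVC lines quoted in the thread.
SAMPLE_AVCS = [
    'avc: denied { ingress } for saddr=127.0.0.1 daddr=127.0.0.1 netif=lo '
    'scontext=system_u:object_r:unlabeled_t:s15:c0.c1023 '
    'tcontext=system_u:object_r:lo_netif_t:s0-s15:c0.c1023 tclass=netif',
    'avc: denied { recv } for saddr=10.0.0.2 daddr=10.0.0.1 netif=eth0 '
    'scontext=system_u:system_r:application_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet',
    'avc: denied { rename unlink } for pid=1234 comm="logrotate" '
    'scontext=system_u:system_r:logrotate_t:s0 '
    'tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
TYPE_FIELD = 2  # position of the type in a user:role:type[:range] context

def parse_avc(line):
    """Return the permissions, key=value fields and source/target types of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split('=', 1) for kv in m.group('fields').split() if '=' in kv)
    return {
        'perms': m.group('perms').split(),
        'fields': fields,
        'stype': fields['scontext'].split(':')[TYPE_FIELD],
        'ttype': fields['tcontext'].split(':')[TYPE_FIELD],
        'tclass': fields['tclass'],
    }

def is_labeling_problem(rec):
    """Heuristic: an unlabeled_t peer on a network class means the traffic carried no
    label (no labeled IPsec / SECMARK / netlabel), so an allow rule is the wrong fix."""
    return rec['tclass'] in ('netif', 'node', 'packet', 'peer') and \
        'unlabeled_t' in (rec['stype'], rec['ttype'])

def allow_rules(lines):
    """Collapse denials into allow rules keyed on (source, target, class), as audit2allow does."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and not is_labeling_problem(rec):
            perms[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        joined = ' '.join(sorted(p))
        rules.append('allow %s %s:%s %s;' % (s, t, c, joined if len(p) == 1 else '{ %s }' % joined))
    return rules
```

Running allow_rules(SAMPLE_AVCS) yields only the logrotate rule; both network denials are skipped because their unlabeled_t side points at missing labels rather than a missing permission.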
Tutorial on setting up SELinux / X Server
by Tyler Durvik
Greetings,
I am looking for a tutorial, or instructions, on how to set up an X
Server to work with SELinux. I have fedora 12 installed and ready to
go. Does anyone have links/pages to where I may find this
information?
Thanks
14 years, 4 months
FC12: 'sandbox -X' AVC's
by Christoph A.
Hi,
after watching Dan's presentation (LPC) about sandbox
in Fedora 12 I wanted to try it out, but I was not successful.
I tried 'sandbox -X xterm'
and 'sandbox -X firefox' but both crashed immediately, and I got AVC's.
package versions:
selinux-policy-targeted-3.6.32-56.fc12.noarch
policycoreutils-2.0.74-17.fc12.i686
policycoreutils-sandbox-2.0.74-17.fc12.i686
selinux-policy-3.6.32-56.fc12.noarch
policycoreutils-python-2.0.74-17.fc12.i686
avc's for 'sandbox -X firefox' attached.
Is this a known issue or should this work?
thanks!
Christoph
14 years, 4 months
how to restrict a SOCK_RAW by interface
by Cernak, James E (IS)
Hello,
I am trying to restrict an application to using only some interfaces on the system. I have defined a new type and assigned the interface on my RHEL5.4-x64 system to the new type with semanage. The system indicates that the interface is now configured.
# semanage interface -l
SELinux Interface Context
eth1 system_u:object_r:iface_test_t:s0
This does restrict applications like tcpdump or wireshark from listing the interface that was configured.
# tcpdump -D
1.peth0
2.virbr0
3.vif0.0
4.eth0
5.xenbr0
6.eth2
7.eth3
8.any (Pseudo-device that captures on all interfaces)
9.lo
My problem comes that my application can still open eth1 and read and write packets to this interface.
The application is opening a socket as SOCK_RAW then binding with a struct sockaddr_ll that has the sll_ifindex field configured with the index of eth1.
How do I write an SELinux policy to restrict this application from using some interfaces?
Thanks
James Cernak
<James.Cernak`at`ngc.com>
14 years, 4 months