RE: Fedora 12 and unconfined_u sshdfilter
by Moray Henderson (ICT)
James Carter wrote:
>Dan's example used Refpolicy interfaces. Interfaces are very useful and
>provide a better layer of abstraction, but they are just m4 macros,
>which have always been used in SELinux policy.
>
>Interfaces should be used as much as possible, but it is not true that
>you can't mix the old and new ways.
Mixing the plain rules and the m4 macros didn't work when I tried it - but perhaps I just wasn’t writing it right. Is there a Refpolicy tutorial anywhere?
Moray.
"To err is human. To purr, feline"
14 years, 4 months
The SELinux Documentation Project [Request for topics]
by Joshua Brindle
As we discussed at Linux Plumbers Conference during the "Making SELinux
Easier to Use" talk, we have some document deficiencies in the SELinux
project.
I volunteered to start an SELinux Documentation Project. The primary
purpose of the project would be to get as much documentation as possible
on the selinuxproject.org wiki, organized in a fashion that users can
understand and consume easily.
As I admitted before, we, the developers, are not always the best people
to judge what documentation users need, and therefore I am requesting
users, hopefully from different backgrounds and environments, tell us
what documentation they feel is lacking, what questions they've been
asked or have asked themselves and couldn't find documentation for.
I think we need basic documentation that tells about SELinux (both
beginner and advanced), howto's for specific things (using secmark,
using netlabel, etc) and a set of short 'recipes' to accomplish simple
tasks.
There are documents all over the place with various information, as well
as blog entries and mailing list archives but the effort here is to
consolidate all those resources onto selinuxproject.org.
I'd also like to see volunteers in the community to help out with the
documentation effort, I know quite a few people already write things
like this on blogs, etc and it would be great to see that information
moved/copied onto selinuxproject.org.
Users:
Please, if you are a user and have run into a lack of documentation,
respond to this thread, or privately if you aren't comfortable talking
on list so that we can collect what the biggest deficiencies are and get
to writing documentation as soon as possible.
Thanks.
14 years, 4 months
ecryptfs selinux labeling on Fedora 12
by Roberto Sassu
Hi all
I'm using Fedora 12 and I have configured an ecryptfs filesystem.
I see that the default behaviour for this filesystem is to use a unique
mount-wide context (ecryptfs_t) to label each file.
Is there a way to override this behaviour (for example by inserting a mount
parameter) in order to use the extended attributes on the lower filesystem, or
is patching the distributed selinux policy the only option possible?
Thanks in advance for replies.
14 years, 4 months
Logrotate frustration
by Arthur Dent
Hello all,
It seems that almost every week logrotate is throwing up a new AVC. I
have an almost vanilla F11 install with most packages installed via yum
and yet I keep getting these. Each time I audit2allow and build a new
policy. My "mylogr.te" is now at version 7. Am I missing a bool or is
there something else I'm lacking?
Here is the latest version of my policy:
===============8<==================================================
module mylogr 11.1.7;
require {
	type mail_spool_t;
	type logrotate_t;
	type fail2ban_var_run_t;
	type initrc_t;
	type squid_log_t;
	class dir { read open write remove_name };
	class file { getattr read write open };
	class file setattr;
	class sock_file write;
	class unix_stream_socket connectto;
	class lnk_file rename;
}
#============= logrotate_t ==============
allow logrotate_t mail_spool_t:file { getattr read write open };
allow logrotate_t mail_spool_t:dir { read open write remove_name};
allow logrotate_t mail_spool_t:file setattr;
allow logrotate_t fail2ban_var_run_t:sock_file write;
allow logrotate_t initrc_t:unix_stream_socket connectto;
allow logrotate_t squid_log_t:lnk_file rename;
===============8<==================================================
This was today's AVC that necessitated the inclusion of the squid stuff:
===============8<==================================================
Raw Audit Messages :
node=mydomain.org.uk type=AVC msg=audit(1260069452.494:45041): avc: denied { rename } for pid=12302 comm="logrotate" name="squidGuard.log" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
node=mydomain.org.uk type=SYSCALL msg=audit(1260069452.494:45041): arch=40000003 syscall=38 success=no exit=-13 a0=890b130 a1=8908760 a2=890b060 a3=0 items=0 ppid=12300 pid=12302 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2275 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
===============8<==================================================
14 years, 4 months
sebools are getting reset on reboot
by David Highley
Is this a bug? The two sebools, httpd_unified and
httpd_can_network_connect, are getting changed on policy updates and/or
reboots.
14 years, 4 months
Targeted Daemons/Apps- Fedora 12
by Jorge Fábregas
Hello everyone,
Where can I find a list of all the targeted daemons/apps that are protected by
the current policy on Fedora 12?
Thanks,
Jorge
14 years, 4 months
Combining modules?
by John Oliver
I don't know if there's a better way to do this, but I'm trying to get
nagios working with selinux (CentOS 5.4 Final). I try to run it, get an
error, create a policy module, install it, and return to step one. It's
getting pretty ridiculous:
[joliver@mda-services4 ~]$ sudo /usr/sbin/semodule -l | grep nagios
nagios 1.1.0
nagios10 1.0
nagios2 1.0
nagios3 1.0
nagios4 1.0
nagios5 1.0
nagios6 1.0
nagios7 1.0
nagios8 1.0
nagios9 1.0
When I finally discover all of the problems... is there a way to dump
all of those modules into one? Both for my sanity, and so that I can
maybe submit that module to CentOS so the next poor SOB who tries to do
this doesn't have to reinvent the wheel?
Or is there another, better, way to find all of the various rules that
are needed in one fell swoop?
--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************
14 years, 4 months
cp -Z in Fedora 12
by Michael Madore
Hi,
I have been reading through the Fedora 12 selinux documentation:
http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/
In section 5.10.1 (Copying Files and Directories), the following
example is used to demonstrate changing the context of a file when
copying:
$ touch file1
$ cp -Z system_u:object_r:samba_share_t:s0 file1 file2
$ ls -Z file1 file2
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r-- user1 group1 system_u:object_r:samba_share_t:s0 file2
However, when I try this on my Fedora 12 system I get the following:
ls -Z file1 file2
-rw-rw-r--. mmadore mmadore unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r--. mmadore mmadore unconfined_u:object_r:user_home_t:s0 file2
On CentOS 5.4 and Fedora 11, I see the documented behaviour. Is this
a bug, or am I doing something wrong?
Thanks
Mike Madore
14 years, 4 months
Sample logs of alert types
by Zaina AFOULKI
Hello,
We are trying to develop a graphical interface for SELinux alerts...
We noticed that each log for a specific alert is different from the one of
other types. For example:
type=AVC msg=audit(12/03/2007 12:44:48.301:140) : avc: denied { getattr
} for pid=2816 comm=vi path=/root/xorg.conf.new dev=sda1 ino=131104
scontext=staff_u:staff_r:staff_sudo_t:s0
tcontext=root:object_r:sysadm_home_t:s0 tclass=file
type=SYSCALL msg=audit(12/03/2007 12:44:48.325:141) : arch=i386
syscall=access success=yes exit=0 a0=88caaa8 a1=2 a2=1a4 a3=1 items=0
ppid=2784 pid=2816 auid=gmarzot uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=vi exe=/bin/vi
subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
Currently we know what the log looks like for the following types:
DAEMON_START ANOM_ABEND AVC CONFIG_CHANGE CRED_ACQ CRED_DISP DAEMON_END
LOGIN MAC_STATUS SELINUX_ERR SYSCALL SYSTEM_RUNLEVEL SYSTEM_SHUTDOWN
USER_ACCT USER_AUTH USER_AVC USER_CHAUTHTOK USER_CMD USER_END USER_ERR
USER_LOGIN USER_ROLE_CHANGE USER_START
We really need to know the look of each alert in the log file.
Is there a way we can get a sample of each log type?
Your help will be greatly appreciated.
Thanks in advance,
--
Zaina AFOULKI
Student at the École Nationale Supérieure d'Ingénieurs de Bourges.
First year, Security and Computer Technologies
14 years, 4 months
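The audit record layout quoted in the logrotate post and in the post above, as an added example that is not part of either original message: Python that parses both the raw and the interpreted `msg=audit(...)` forms, groups records by event serial so an AVC stays linked to its SYSCALL record, and renders each denial as the candidate `allow` rule it corresponds to. All function names are assumptions made for illustration; the SYSCALL sample line is shortened from the one on the page.

```python
import re
from collections import defaultdict

# Sample input: AVC lines as quoted on the page (the second one unwrapped),
# plus a shortened copy of the SYSCALL record from the logrotate post.
SAMPLE = '''\
node=mydomain.org.uk type=AVC msg=audit(1260069452.494:45041): avc: denied { rename } for pid=12302 comm="logrotate" name="squidGuard.log" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
node=mydomain.org.uk type=SYSCALL msg=audit(1260069452.494:45041): arch=40000003 syscall=38 success=no exit=-13 pid=12302 comm="logrotate" exe="/usr/sbin/logrotate" key=(null)
type=AVC msg=audit(12/03/2007 12:44:48.301:140) : avc: denied { getattr } for pid=2816 comm=vi path=/root/xorg.conf.new dev=sda1 ino=131104 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
'''

# The timestamp may be epoch seconds (raw) or a date with colons (interpreted).
HEADER = re.compile(r'type=(\w+) msg=audit\((.+?):(\d+)\)\s*:\s*(.*)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return one audit record as a dict, or None if the line is not one."""
    m = HEADER.search(line)
    if not m:
        return None
    rtype, stamp, serial, body = m.groups()
    rec = {"type": rtype, "time": stamp, "serial": int(serial),
           "fields": {k: v.strip('"') for k, v in FIELD.findall(body)}}
    p = PERMS.search(body)
    if p:  # only AVC-style records carry a permission set
        rec["result"], rec["perms"] = p.group(1), p.group(2).split()
    return rec

def group_events(text):
    """Records sharing (timestamp, serial) describe the same kernel event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[(rec["time"], rec["serial"])].append(rec)
    return dict(events)

def context_type(ctx):
    # user:role:type[:mls-range]; the range may itself contain colons
    return ctx.split(":")[2]

def allow_rule(rec):
    f = rec["fields"]
    return "allow %s %s:%s { %s };" % (context_type(f["scontext"]),
        context_type(f["tcontext"]), f["tclass"], " ".join(rec["perms"]))

def denials(text):
    return [allow_rule(r) for recs in group_events(text).values()
            for r in recs if r["type"] == "AVC" and r.get("result") == "denied"]
```
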
Obtaining MLS policy package for RHEL5?
by Dyson, Mark L (IS)
Hello,
For a test machine I was provided a SunFire X2200 (AMD processors) with
RHEL5 pre-installed. I wasn't provided the install media. It currently
only has the targeted policy package installed. Is there a source from
which I can download and install the multi-level security package(s)?
I had been pointed to some "LSPP" information based on an earlier
question but, aside from my system type not being represented, from
appearances those packages were intended for a fresh install based on a
strictly limited hardware/software architecture. I'm not sure how I
would be able to use them in my case.
Thanks in advance!
Mark
14 years, 4 months