[ANN] CDS Framework 3.3
by David Sugar
Version 3.3 of the CDS Framework Toolkit from Tresys Technology is now
available for download from the Tresys Open Source website at
http://oss.tresys.com
The CDS Framework Toolkit is an Eclipse plug-in that allows engineers to
leverage the power of SELinux when designing and implementing cross
domain solutions without requiring that they have in depth knowledge of
the complex details of underlying SELinux security policies. In
particular the CDS Framework Toolkit provides the following benefits to
CDS developers on SELinux systems:
* An integrated development environment for creating security policy
* Graphical editing of information flow for developing security policy
* SELinux policy generation
* Integration with SLIDE and Reference Policy (also available on
http://oss.tresys.com)
CDS Framework version 3.3.0 - highlights:
* Adds ability to print the security architecture diagram
* Facilitates interfacing with raw SELinux policy through the addition
of an export option in the graphical interface
* Adds enhancements to the CDS Framework translation dictionary and adds
additional linkage files
* Fixes issues with routing of lines across boundaries and with
attaching control resources in a domain when changing its parent
Dave Sugar
Tresys Technology, LLC
15 years, 1 month
implications of httpd_unified
by Scott Radvan
Hi all,
I have taken ownership of development on the Fedora 11 SELinux
(Managing Confined Services) guide, and am currently trying to build on
the descriptions of the purposes, uses and implications of
enabling/disabling some of the available Booleans.
I am wondering if anybody can expand or has any comments on this
description of the httpd_unified Boolean, as there doesn't seem to be a
great deal out there about it.
"This Boolean is off by default; turning it on will allow all httpd
executables to have full access to all content labeled with a http file
context. Leaving it off makes sure that one httpd service cannot
interfere with another."
Specifically I am interested in what is meant by a service that cannot
"interfere with another" in the case of httpd_unified, but any comments
which may help me refine the description are more than welcome.
Thank you,
--
Scott Radvan, Content Author
Red Hat APAC (Brisbane) http://www.apac.redhat.com
15 years, 1 month
Unable to successfully run some applications in Fedora 9 with MLS enforcing
by Mohammad zoroufi
Dear All,
After successfully switching to MLS enforcing mode in Fedora 9 I have some
trouble running some applications. After executing these applications
they are terminated and no result, not even a log, is generated.
For example, running system-config-selinux terminates the application.
Would you please help me with what I should do in order to overcome this problem?
Similar behavior is experienced when you run any of the following commands:
service --status-all
system-config-users
system-config-display
...
Any comments will be appreciated.
Mohammad
--
View this message in context: http://www.nabble.com/Unable-to-successfully-run-some-applications-in-Fed...
Sent from the Fedora SELinux List mailing list archive at Nabble.com.
15 years, 1 month
how does execstack work?
by Sebastian Pfaff
Hello everyone,
First, I'm relatively new to SELinux, so be patient with me ;). I'm
using Fedora 10. I wrote a small C app:
#include <stdio.h>
/* shellcode calls exit_group(2), see man 2 exit_group */
void func(int a, int b, int c) {
    int *helper = NULL;
    char buf[] = "\x31\xdb\xb3\x02\x31\xc0\xb0\xfc\xcd\x80";
    helper = (int *)(&helper+2);
    *helper=(int)buf;
}
int main(int c, char **v) {
    func(1, 2, 3);
    return 0;
}
The shellcode executes exit_group(2) with argument 2 (like
exit_group(2)). The shellcode works as expected; I tested it on several
systems. The shellcode will run in the stack region of the process.
helper = (int *)(&helper+2); will overwrite the saved instruction
pointer (return address), so the process will continue execution at the
address of local variable buf (which is saved on the stack). The program was
compiled with: gcc -Xlinker -v -Xlinker execstack -o shellcode_str
shellcode_str.c
Here the commands:
[root@SecLab student]# gcc -Xlinker -z -Xlinker execstack
shellcode_str.c -o shellcode_str
[root@SecLab student]# chcon -t vul_exec_t shellcode_str
[root@SecLab student]# ls -Z shellcode_str
-rwxrwxr-x root root unconfined_u:object_r:vul_exec_t:s0 shellcode_str
(I did a chcon -t vul_exec_t shellcode_str, so the executable
shellcode_str is labelled correctly.)
Please note that shellscript will run in domain vul_t.
My te file (vul.te):
## <summary>confines vul</summary>
policy_module(vul,0.0.6)
require { type unconfined_t; }
role unconfined_r types vul_t;
########################################
#
# Declarations
#
type vul_t;
domain_type(vul_t)
# Access to shared libraries
libs_use_ld_so(vul_t)
libs_use_shared_libs(vul_t)
type vul_exec_t;
files_type(vul_exec_t)
domain_entry_file(vul_t, vul_exec_t)
domain_auto_transition_pattern(unconfined_t, vul_exec_t, vul_t);
#auditallow unconfined_t self:process execstack;
#auditallow vul_t self:process execstack;
execstack -q says that the executable has an executable stack:
[root@SecLab student]# execstack -q shellcode_str
X shellcode_str
Executing shellcode_str:
[root@SecLab student]# semodule -R
[root@SecLab student]# ./shellcode_str
[root@SecLab student]# echo $?
2
A return value of 2 indicates that the shellcode on the stack has been
executed successfully.
I expected that SELinux would prevent any execution of code on the
stack, but audit.log shows me nothing like this. Here is the audit.log
since the last reload:
type=MAC_POLICY_LOAD msg=audit(1237306463.553:2886): policy loaded auid=0 ses=133
type=SYSCALL msg=audit(1237306463.553:2886): arch=40000003 syscall=4 success=yes exit=3470910 a0=4 a1=b7bce000 a2=34f63e a3=bf9330f8 items=0 ppid=20508 pid=20509 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=133 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1237306470.434:2887): avc: denied { read write } for pid=20511 comm="shellcode_str" name="0" dev=devpts ino=2 scontext=unconfined_u:unconfined_r:vul_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1237306470.434:2887): avc: denied { read write } for pid=20511 comm="shellcode_str" path="/dev/pts/0" dev=devpts ino=2 scontext=unconfined_u:unconfined_r:vul_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1237306470.434:2887): avc: denied { read write } for pid=20511 comm="shellcode_str" path="/dev/pts/0" dev=devpts ino=2 scontext=unconfined_u:unconfined_r:vul_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1237306470.434:2887): avc: denied { read write } for pid=20511 comm="shellcode_str" path="/dev/pts/0" dev=devpts ino=2 scontext=unconfined_u:unconfined_r:vul_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1237306470.434:2887): arch=40000003 syscall=11 per=400000 success=yes exit=0 a0=811b480 a1=8121ca8 a2=8110bc0 a3=0 items=0 ppid=6574 pid=20511 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=133 comm="shellcode_str" exe="/home/student/shellcode_str" subj=unconfined_u:unconfined_r:vul_t:s0-s0:c0.c1023 key=(null)
Does SELinux prevent execution on the stack? If yes, how can I see
this? It would also be helpful if I had an example which shows me a
denial of execstack (searching the log gave no results here). Or is
something wrong with my example?
I suppose I have a wrong understanding about how SELinux execstack
works. Please help to clarify this.
Hope someone can help. Thanks in advance.
--
Sebastian Pfaff
15 years, 1 month
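The post above relies on `execstack -q` to confirm that the binary carries an executable stack. As an added example (not code from the post or from the execstack tool), the following script reads the ELF program headers directly and reports the same X/-/? classification from the PT_GNU_STACK entry, so a fleet of binaries can be audited for executable stacks without the execstack utility; the `make_elf32` fixture is a constructed minimal i386 image used only to exercise the checker.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header that records the stack permissions
PF_X = 0x1                  # executable bit in p_flags


def stack_flag(data: bytes) -> str:
    """Classify an ELF image like `execstack -q`: 'X' executable stack,
    '-' non-executable stack, '?' no PT_GNU_STACK header present."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"            # little- or big-endian
    if ei_class == 1:                             # ELF32 (the i386 case in the post)
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        fmt, flags_idx = end + "8I", 6            # p_flags is the 7th field of Elf32_Phdr
    elif ei_class == 2:                           # ELF64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        fmt, flags_idx = end + "IIQQQQQQ", 1      # p_flags is the 2nd field of Elf64_Phdr
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        ph = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return "X" if ph[flags_idx] & PF_X else "-"
    return "?"


def make_elf32(p_flags: int) -> bytes:
    """Constructed test fixture (hypothetical, not a runnable binary): a minimal
    i386 ELF32 image whose only program header is PT_GNU_STACK with p_flags."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # 32-bit, LSB, ELF version 1
    # e_type=EXEC, e_machine=386, e_version, e_entry, e_phoff=52, e_shoff, e_flags,
    # e_ehsize=52, e_phentsize=32, e_phnum=1, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, p_flags, 16)
    return ehdr + phdr


def audit_paths(paths):
    """Map each file path to its stack flag."""
    result = {}
    for p in paths:
        with open(p, "rb") as fh:
            result[p] = stack_flag(fh.read())
    return result


if __name__ == "__main__":
    for path, flag in audit_paths(sys.argv[1:]).items():
        print(flag, path)   # same layout as `execstack -q`
```

Run it as `python3 check_stack.py /path/to/binary ...`; an 'X' or '?' result is what to look for when deciding which binaries would need the execstack permission.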
mediawiki AVC
by Vadym Chepkov
Hello,
The mediawiki software has the following script, through which ImageMagick gets invoked:
$ cat /var/www/mediawiki/bin/ulimit4.sh
#!/bin/bash
ulimit -t $1 -v $2 -f $3
eval "$4"
I added
/var/www/mediawiki/bin/.* regular file system_u:object_r:httpd_sys_script_exec_t:s0
into local policy. I receive the following AVC denial:
type=AVC msg=audit(1236789583.906:576443): avc: denied { read } for pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
audit2allow suggests the following:
allow httpd_sys_script_t httpd_t:file read;
but it doesn't seem right to me. I don't want to make it httpd_unconfined_script_exec_t; does anyone have a better suggestion?
Thank you.
Sincerely yours,
Vadym Chepkov
15 years, 1 month
I need a copy of the vsftpd.te configuration files
by Doug Poulin
Can someone please send me a copy of the SELinux domain file(s) to set up vsftpd properly. I'm running Redhat EL4 and they aren't included in the source rpms.
Send it to email dougp(a)medinet.ca
Doug Poulin
Senior Developer
Medinet Health Systems
15 years, 1 month
Several policy questions
by Brian Ginn
I have an application that consists of four different programs that all talk to each other via TCP sockets... Similar to the diagram:
                    +---------+
            +-------| ServerA |------+
            |       +---------+      |
            |            |           |
   +----------------+    |      +---------+
   | UserApp Client |----|------| ServerB |
   +----------------+    |      +---------+
            |            |           |
            |            |           |
            |       +--------+       |
            +-------| Logger |-------+
                    +--------+
The ServerA, ServerB, and Logger all run from xinetd.
The "UserApp Client" is the only program directly executed via the user.
All programs read from a common settings file in /etc.
With Fedora Core 9, I've used the polgengui to create initial policies for the four programs.
Then since they share the settings file, I edited the definitions so that configuration file is not specific to any one of the programs.
They all need to share port information, so I added require { myservera_port_t; myserverb_port_t; mylogger_port_t } statements to each .te file.
That seems to work on FC9, but on RedHat EL 5.2, when attempting to load myservera, it complains:
/usr/sbin/semodule -i myservera.pp
libsepol.print_missing_requirements: myservera's global requirements were not met: type/attribute myserverb_port_t
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
Attempting to load myserverB first ends up with the same complaint about the serverA's port_t being undefined.
I had kept the .te files for the four programs separate... but this message makes me think that maybe I need to combine them. Is that necessary? Or is there a way to pre-define the ports before the "require from somewhere else" statement?
For my four programs, should I have four distinct policy_module statements?
Is it possible to have multiple policy_module statements in the same .te file?
Also, I seem to be having domain transfer problems.
I added this following code to each .te file:
domain_auto_trans(unconfined_t, myapp_exec_t, myapp_t )
allow unconfined_t myapp_t:fd use;
allow myapp_t unconfined_t:fifo_file rw_file_perms;
allow myapp_t unconfined_t:process sigchld;
however, each process still runs as follows:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 32504 pts/4 00:00:00 myapp
unconfined_u:system_r:inetd_child_t:s0-s0:c0.c1023 32508 ? 00:00:00 myserverb
unconfined_u:system_r:inetd_child_t:s0-s0:c0.c1023 32512 ? 00:00:00 mylogger
For the inetd daemons, is this something I should try to fix, or is unconfined_u:system_r:inetd_child_t "secure enough"?
Any suggestions for getting the myapp domain transferred?
Thanks,
Brian
15 years, 1 month
AVCs with spamd (F10)
by Brian Chadwick
Hi,
Fedora 10. A number of AVCs are occurring with my use of spamassassin.
For some reason spamd seems to want to access /home. Is this right?
Raw Audit Messages
node=admin.brianac.com.au type=AVC msg=audit(1236681698.7:20): avc:
denied { read } for pid=3148 comm="spamd" name=".razor" dev=sda3
ino=198361 scontext=system_u:system_r:spamd_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir
node=admin.brianac.com.au type=SYSCALL msg=audit(1236681698.7:20):
arch=40000003 syscall=5 success=yes exit=9 a0=9bb07c4 a1=98800 a2=2
a3=927d0d4 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
key=(null)
Raw Audit Messages
node=admin.brianac.com.au type=AVC msg=audit(1236681698.7:21): avc:
denied { read } for pid=3148 comm="spamd"
name="server.c302.cloudmark.com.conf" dev=sda3 ino=198151
scontext=system_u:system_r:spamd_t:s0
tcontext=system_u:object_r:admin_home_t:s0 tclass=file
node=admin.brianac.com.au type=SYSCALL msg=audit(1236681698.7:21):
arch=40000003 syscall=5 success=yes exit=9 a0=9bba88c a1=8000 a2=0
a3=8000 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
key=(null)
Raw Audit Messages
node=admin.brianac.com.au type=AVC msg=audit(1236681697.863:14): avc:
denied { append } for pid=3148 comm="spamd" name="razor-agent.log"
dev=sda3 ino=199151 scontext=system_u:system_r:spamd_t:s0
tcontext=system_u:object_r:admin_home_t:s0 tclass=file
node=admin.brianac.com.au type=SYSCALL msg=audit(1236681697.863:14):
arch=40000003 syscall=5 success=yes exit=8 a0=9bb0f14 a1=8441 a2=1b6
a3=8441 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
key=(null)
Raw Audit Messages
node=admin.brianac.com.au type=AVC msg=audit(1236681697.879:15): avc:
denied { ioctl } for pid=3148 comm="spamd"
path="/root/.razor/razor-agent.log" dev=sda3 ino=199151
scontext=system_u:system_r:spamd_t:s0
tcontext=system_u:object_r:admin_home_t:s0 tclass=file
node=admin.brianac.com.au type=SYSCALL msg=audit(1236681697.879:15):
arch=40000003 syscall=54 success=no exit=-25 a0=8 a1=5401 a2=bfa0c9d8
a3=bfa0ca18 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
key=(null)
Raw Audit Messages
node=admin.brianac.com.au type=AVC msg=audit(1236681697.985:17): avc:
denied { read } for pid=3148 comm="spamd" name="servers.discovery.lst"
dev=sda3 ino=198364 scontext=system_u:system_r:spamd_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
node=admin.brianac.com.au type=SYSCALL msg=audit(1236681697.985:17):
arch=40000003 syscall=5 success=yes exit=9 a0=9bb6bec a1=8000 a2=0
a3=8000 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
key=(null)
Raw Audit Messages
node=admin.brianac.com.au type=AVC msg=audit(1236681697.879:16): avc:
denied { getattr } for pid=3148 comm="spamd"
path="/root/.razor/razor-agent.log" dev=sda3 ino=199151
scontext=system_u:system_r:spamd_t:s0
tcontext=system_u:object_r:admin_home_t:s0 tclass=file
node=admin.brianac.com.au type=SYSCALL msg=audit(1236681697.879:16):
arch=40000003 syscall=197 success=yes exit=0 a0=8 a1=81d6060 a2=7ccff4
a3=0 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamd"
exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
Raw Audit Messages
node=admin.brianac.com.au type=AVC msg=audit(1236681697.986:18): avc:
denied { ioctl } for pid=3148 comm="spamd"
path="/root/.razor/servers.discovery.lst" dev=sda3 ino=198364
scontext=system_u:system_r:spamd_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
node=admin.brianac.com.au type=SYSCALL msg=audit(1236681697.986:18):
arch=40000003 syscall=54 success=no exit=-25 a0=9 a1=5401 a2=bfa0c9d8
a3=bfa0ca18 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
key=(null)
Raw Audit Messages
node=admin.brianac.com.au type=AVC msg=audit(1236681697.986:19): avc:
denied { getattr } for pid=3148 comm="spamd"
path="/root/.razor/servers.discovery.lst" dev=sda3 ino=198364
scontext=system_u:system_r:spamd_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
node=admin.brianac.com.au type=SYSCALL msg=audit(1236681697.986:19):
arch=40000003 syscall=197 success=yes exit=0 a0=9 a1=81d6060 a2=7ccff4
a3=0 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamd"
exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
15 years, 1 month
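The denials in the post above are easier to reason about once they are grouped by source type, target type and object class, which is what audit2allow merges before proposing a rule. As an added example (not code from the post or from the SELinux tools), the following parser does that grouping over a constructed sample built from the post's own AVC lines; it shows that every denial targets admin_home_t under /root/.razor, so the question to settle first is where razor keeps its files, not which rule to add.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from the post, plus one abbreviated
# non-AVC record to show that it is skipped.
SAMPLE = """\
type=AVC msg=audit(1236681698.7:20): avc: denied { read } for pid=3148 comm="spamd" name=".razor" dev=sda3 ino=198361 scontext=system_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1236681698.7:20): arch=40000003 syscall=5 success=yes exit=9 comm="spamd" exe="/usr/bin/perl"
type=AVC msg=audit(1236681697.863:14): avc: denied { append } for pid=3148 comm="spamd" name="razor-agent.log" dev=sda3 ino=199151 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1236681697.879:15): avc: denied { ioctl } for pid=3148 comm="spamd" path="/root/.razor/razor-agent.log" dev=sda3 ino=199151 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1236681697.985:17): avc: denied { read } for pid=3148 comm="spamd" name="servers.discovery.lst" dev=sda3 ino=198364 scontext=system_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1236681697.986:19): avc: denied { getattr } for pid=3148 comm="spamd" path="/root/.razor/servers.discovery.lst" dev=sda3 ino=198364 scontext=system_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    # the type is the third field of a user:role:type:range security context
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class); merge permissions and objects."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "count": 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["objects"].add(rec.get("path") or rec.get("name", "?"))
        g["count"] += 1
    return dict(groups)


def render(summary):
    """One line per group: count, types, class, merged permissions and the objects hit."""
    return [f"{g['count']}x {s} -> {t}:{c} {{ {' '.join(sorted(g['perms']))} }}"
            f"  objects: {', '.join(sorted(g['objects']))}"
            for (s, t, c), g in sorted(summary.items())]


if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE.splitlines()))))
```

Point it at a real log with `summarize(open('/var/log/audit/audit.log'))`; the objects column is what tells a labeling problem apart from a missing rule.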
fetchmail/procmail denials
by Gene Heskett
Greetings;
It's been several days, but I haven't seen any policy updates yet, and
setroubleshooter is still hacking away at the lower right corner of the
screen.
Call this a ping? :)
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Indifference will certainly be the downfall of mankind, but who cares?
15 years, 1 month