btrfs SELinux support ??
by Tom London
Sorry if I missed this, but does current rawhide BTRFS support
xattrs/SELinux-labeling/etc.?
Thanks,
tom
--
Tom London
14 years, 6 months
Exception during AVC analysis: global name 'audit_event' is not defined
by lejeczek
dear all regards,
I really don't recall any potential reason or event that could cause
the below, but a while ago I started getting it:
(f10; setroubleshoot-server-2.0.12-3.fc10.noarch)
May 19 10:30:05 whale setroubleshoot: [avc.ERROR] Exception during AVC
analysis: global name 'audit_event' is not defined#012Traceback (most
recent call last):#012 File
"/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 187,
in run#012 self.analyze_avc(avc, report_receiver)#012 File
"/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 171,
in analyze_avc#012 log_stats.info("analyze_avc()
audit_event=%s\nstatistics=%s", audit_event, statistics)#012NameError:
global name 'audit_event' is not defined
cheers
Pawel
14 years, 6 months
network failures maybe SELinux related?
by Brian Ginn
I have a client app run by users, and two server apps run from xinetd.
The client connects to server1
Server1 connects to server2
Server2 connects back to the client app
When not confined by SELinux policy, everything works fine.
I can run several hundred iterations without any failures.
When confined, but run in permissive mode, everything works fine - nothing in audit.log.
When confined and enforced, it works a few times, then the connection from server1 to server2 fails.
Then, after a rest, it works a few times, then the connection from server1 to server2 fails.
There is nothing in audit.log.
Does anyone have suggestions for constraints or dontaudit rules I should look into?
Thanks,
Brian
14 years, 6 months
SELinux default contexts and PAM session?
by Brian Ginn
I have a server app that runs from xinetd.
This server's job is to exec a program.
This app is not yet confined by SELinux policy.
When I use PAM session service, audit.log shows:
type=USER_ROLE_CHANGE msg=audit(1242413723.389:14866): user pid=24149 uid=0 auid=0 subj=system_u:system_r:inetd_t:s0-s0:c0.c1023 msg='pam: default-context=root:system_r:amanda_t:s0-s0:c0.c1023 selected-context=root:system_r:amanda_t:s0-s0:c0.c1023: exe="/usr/sbin/myserverd" (hostname=?, addr=?, terminal=ptmx res=success)'
Somehow, SELinux is deciding that the default context should be ...amanda_t...
How is that decision made?
Can I create a more correct context (that will be recognized as the default context) without confining the server?
Thanks,
Brian
14 years, 6 months
multiple output file context types?
by Brian Ginn
I have an application that has two different types of output files that are normally written to /var/log.
1: diagnostic log - should be readable by "normal" system administrators.
2: security data log - should only be readable by security officers.
Is there a different way to declare two different file context types for output files?
My current attempts do not work:
For the diagnostic log, I have created a log file type myapp_log_t, and created a file context:
/var/log/myapp\.log -- gen_context(system_u:object_r:myapp_log_t,s0)
Using the following policy statements, myapp creates a log file, and SELinux takes care of assigning the file context automatically:
logging_log_file(myapp_log_t)
logging_log_filetrans(myapp_t, myapp_log_t, { file dir } )
manage_dirs_pattern(myapp_t, myapp_log_t, myapp_log_t)
manage_files_pattern(myapp_t, myapp_log_t, myapp_log_t)
I wish to have a different type for the data log, however when I try to use logging_log_filetrans for a second log type, semodule complains:
[root@host1 log]# semodule -i /home/brian/src/myapp/myapp.pp
libsepol.expand_terule_helper: conflicting TE rule for (myapp_t, var_log_t:dir): old was myapp_log_t, new is myappsecurity_log_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root@host1 log]#
Thanks,
Brian
14 years, 6 months
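As an added illustration (not the poster's module, and not a reply from the list), the conflict above comes from declaring two unnamed default transitions for the same (myapp_t, var_log_t:dir) triple; a policy can only carry one. The fragment below keeps the poster's myapp_t / myapp_log_t / myappsecurity_log_t names and shows the two ways around it: a name-based transition (assumes a policy and kernel new enough for filename transitions, which the RHEL 5 box mentioned elsewhere on this page would not have) and a pre-labelled subdirectory, which works on any version because files created in a directory inherit its type when no transition rule applies. The file names myapp-security.log and myapp-security/ are assumptions.

```selinux
# myapp.te (added example, not the original module)
policy_module(myapp, 1.1)

type myapp_t;
type myapp_log_t;
type myappsecurity_log_t;
logging_log_file(myapp_log_t)
logging_log_file(myappsecurity_log_t)

# Diagnostic log: the unnamed transition from the post. Only ONE unnamed
# default may exist per (source, target dir type, object class), which is
# what libsepol.expand_terule_helper was complaining about.
logging_log_filetrans(myapp_t, myapp_log_t, { file dir })
manage_dirs_pattern(myapp_t, myapp_log_t, myapp_log_t)
manage_files_pattern(myapp_t, myapp_log_t, myapp_log_t)

# Option A: name-based transition. The different default type applies only
# when myapp_t creates a file with this exact name directly under /var/log.
# Needs policy version 25+ (kernel 2.6.39+); refpolicy's
# logging_log_filetrans() takes the file name as its optional 4th argument.
logging_log_filetrans(myapp_t, myappsecurity_log_t, file, "myapp-security.log")
manage_files_pattern(myapp_t, myappsecurity_log_t, myappsecurity_log_t)

# Option B: no transition at all. Pre-create /var/log/myapp-security with
# the security type (via the .fc entry below and restorecon); files myapp_t
# creates inside it inherit myappsecurity_log_t because the parent directory
# already carries that type. The manage_*_pattern rules above cover the
# directory and the files within it.
manage_dirs_pattern(myapp_t, myappsecurity_log_t, myappsecurity_log_t)

# myapp.fc
# /var/log/myapp\.log              -- gen_context(system_u:object_r:myapp_log_t,s0)
# /var/log/myapp-security\.log     -- gen_context(system_u:object_r:myappsecurity_log_t,s0)
# /var/log/myapp-security(/.*)?       gen_context(system_u:object_r:myappsecurity_log_t,s0)
```

Restricting the security log to security officers is then a matter of which domains get read access to myappsecurity_log_t; no domain other than myapp_t is granted it here.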
How can I create shadow_t file ?
by Shintaro Fujiwara
Well, I've been writing a policy to add a user from a certain domain.
I wrote a policy including these interfaces,
auth_domtrans_chk_passwd(segatex_t)
auth_manage_shadow(segatex_t)
auth_rw_shadow(segatex_t)
files_manage_etc_files(segatex_t)
and still I can't add a user from that domain, and when I look into the
log, I have two denied messages,
etc_t file create
shadow_t file create
So I wrote exactly the same thing to allow creating these, but still I can't
add nor delete a user.
I feel numb.
--
http://intrajp.no-ip.com/ Home Page
14 years, 6 months
roles in targeted mode
by Brian Ginn
After some time learning SELinux on Fedora 9, I'm on an RHEL 5.3 box in targeted mode.
The policycoreutils rpm doesn't contain the newrole command. Is newrole even needed in targeted mode?
seinfo -r -x
reports 6 roles and 268 total types
It looks like every role is allowed to run every type except for two types:
httpd_squid_script_t and httpd_prewikka_script_t
Thanks,
Brian
14 years, 7 months
What changed that allows xguest to go on AOL?
by adrian golding
I read the article from:
http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux...
and I recently installed setools to (hopefully) understand more about
SELinux.
In the article, it is shown (and I tried) that the xguest_t role cannot
communicate using AOL. The xguest_t can launch pidgin in /usr/bin/ though.
AOL uses the port 5190 and that port has the 'aol_port_t' type.
So I created the new policy rule as per the tutorial and now my xguest_t can
use pidgin and talk on AOL.
If I were to use 'apol' to understand the changes made by the new policy
change, how should I do it?
I tried to do a 'domain transition analysis', starting from the xguest_t
type and then see how many ways xguest_t can transit to the aol_port_t type,
and tried to compare the 'before' and 'after' policy addition. But I could
not tell any difference.
So I guess my question is more of how to use 'apol' to obtain meaningful
information such as this. I cannot help but feel overwhelmed using apol
because there are so many options and so much information coming back at me.
thank you
14 years, 7 months
HowTo create a new domain for a web administration tool
by G. Lohmann
Hi List,
there are a lot of web administration frontends (plesk, confixx,
ispconfig, webmin, ..) out there and nearly all of them start with
disabling SELinux, which I think is a bad idea.
On the other hand it is a bit tricky to get around the various issues. I
already started to read for example the "Fedora Core 5 SELinux FAQ",
which already solved some issues for me but also opened a lot of new
questions.
There are in general two problems:
1. Installing the web frontend in an SELinux enabled environment
Mostly this is done by extracting a tar archive and then calling a
script that starts to copy several files, modify configuration files
of several daemons and restart them.
I already figured out that if I modify the domain of the script, I get
fewer warnings:
/home/downloads # chcon -R -t bin_t install
/home/downloads # php install.php
a.) I am not sure if the domain 'bin_t' is Ok at all
b.) I still get a couple of warnings when the script tries to restart the
daemons, like
type=AVC msg=audit(1241722547.281:24545):
avc: denied { read write } for pid=29460
comm="restorecon" path="socket:[121254]" dev=sockfs ino=121254
scontext=unconfined_u:system_r:setfiles_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0
tclass=unix_stream_socket
type=SYSCALL msg=audit(1241722547.281:24545):
arch=c000003e syscall=59 success=yes exit=0
a0=1d0a630 a1=1d0a6e0 a2=1cd8e70 a3=8 items=0
ppid=29415 pid=29460 auid=500 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2
comm="restorecon" exe="/sbin/setfiles"
subj=unconfined_u:system_r:setfiles_t:s0 key=(null)
type=AVC msg=audit(1241722547.726:24546):
avc: denied { read write } for pid=29463
comm="mysqld_safe" path="socket:[121254]" dev=sockfs ino=121254
scontext=unconfined_u:system_r:mysqld_safe_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0
tclass=unix_stream_socket
type=SYSCALL msg=audit(1241722547.726:24546):
arch=c000003e syscall=59 success=yes exit=0
a0=1d0a630 a1=1d07070 a2=1cd8e70 a3=0 items=0
ppid=29415 pid=29463 auid=500 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2
comm="mysqld_safe" exe="/bin/bash"
subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
c.) I already tried to create a policy via
# audit2allow -m local -l -i /var/log/audit/audit.log > local.te
the resulting file already contains several entries like:
...
#============= ftpd_t ==============
allow ftpd_t unconfined_t:unix_stream_socket { read write };
#============= httpd_t ==============
allow httpd_t initrc_exec_t:dir search;
allow httpd_t unconfined_t:unix_stream_socket { read write };
#============= mysqld_safe_t ==============
allow mysqld_safe_t initrc_exec_t:dir { search getattr };
allow mysqld_safe_t unconfined_t:unix_stream_socket { read write };
...
but the 'unconfined_t' sounds like this rule would now be generated for
ALL and everybody, but I only want to give these rights to the install
script. So I guess I have to create my own domain 'install_t' and then
set the domain of 'install.php' to that domain.
2. Running the web application below the httpd domain
This is the second tricky part. If one gets these tools installed properly,
one gets several warnings about the application accessing several parts
which a common httpd may not be allowed to. Maybe one idea might already
be to have a second apache daemon running for the administration
frontend that runs under a different extended domain than the default
apache ... but already this is not obvious to handle.
What I already was able to barely solve was the following. There is a
custom logging tool inside of the 'httpd.conf' using a perl script and
looking like:
CustomLog "| /usr/sbin/vlogger -s access.log
-t \"%Y%m%d-access.log\" /var/log/webadmin/httpd"
combined_webadmin
This produced in the default setup already several errors, leading to the
log file placed there not being written by apache. A small check with ls
already showed me why:
# ls -alZ /var/log
...
drwx------ root root system_u:object_r:httpd_log_t:s0 httpd
drwxr-xr-x root root unconfined_u:object_r:unconfined_t:s0 webadmin
...
changing the user and the type of that folder already solved the
problem, so that apache now could write there:
# chcon -R -u system_u webadmin
# chcon -R -t httpd_sys_content_rw_t webadmin
# ls -alZ /var/log
...
drwx------ root root system_u:object_r:httpd_log_t:s0 httpd
drwxr-xr-x root root system_u:object_r:httpd_sys_content_rw_t:s0
webadmin
The follow-up problem now is that 'logrotate' throws warnings/errors
that it is unable to rotate the log in that folder. Unfortunately, if I
change 'httpd_sys_content_rw_t' to 'httpd_log_t', apache refuses to write
to that folder, or better said ... apache is calling '/usr/sbin/vlogger'
in the httpd domain, which then is not allowed to write there.
So there are some questions:
a.) how to install those files and folders by the previously mentioned
'install.php' script with the proper rights, and
b.) does the issue with the logger mean that I need to create my own domain,
or can I 'fix' it by just setting a different type on
'/usr/sbin/vlogger'?
thx in advance
Goetz
14 years, 7 months