audit and /etc/profile.d in Fedora 11
by Vadym Chepkov
Hi,
I am not really sure it is SELinux related, but for the lack of a better audience I thought I would share my observation of a newly installed Fedora 11. During system startup some audit related process is trying to execute all scripts in /etc/profile.d/ and since I always have a separate /usr file system it fails miserably trying to do so, since /usr is not mounted yet. I am pretty sure it doesn't affect functionality and can be ignored in my case, but still, I would expect only a login shell to execute those scripts.
It happens right after 'audit policy loaded' line and before 'Welcome to Fedora'.
Sincerely yours,
Vadym Chepkov
Policy for zoneminder
by Jason L Tibbitts III
Zoneminder (http://www.zoneminder.com) is a really nice web-based
surveillance application that's been packaged for Fedora. It runs as
a combination of daemons (written in perl) and a php-based web
interface and it should come as no surprise that it has issues with
selinux.
The zoneminder documentation includes some information on policy at
http://www.zoneminder.com/wiki/index.php/Main_Documentation#Configuring_S...,
including a policy module which I'll include at the end of this
message. I haven't tested it yet; I'm currently more concerned about
whether there's any path to getting some kind of reasonable support
for zoneminder into the base policy. I don't really know enough to
say what form that it should take; if the suggested policy module is
really sufficient, a simple boolean that allows httpd to access a few
extra things might be good. However, the daemons which currently seem
to run as initrc_t also need to be confined, then things rapidly
become complex beyond my limited understanding of selinux.
Here's the suggested policy:
module local_zoneminder 1.0;

require {
	type httpd_t;
	type initrc_var_run_t;
	type initrc_t;
	type v4l_device_t;
	type file_t;
	class unix_stream_socket { read connectto };
	class file { read lock };
	class shm { unix_read unix_write associate read write getattr };
	class chr_file getattr;
}

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
allow httpd_t initrc_var_run_t:file { read lock };
allow httpd_t v4l_device_t:chr_file getattr;
- J<
Re: Fedora11 and Setroubleshoot-server
by Vadym Chepkov
But as I already explained setroubleshoot-server package was intended for the server environment - no GUI, no stars, no clicking .... I understand I have to run messagebus service now, which wasn't needed before in server environment. Thank you.
Vadym
Re: Fedora11 and Setroubleshoot-server
by Vadym Chepkov
I would be glad to know what it is that I am supposed to start "faster" now. Is Fedora becoming strictly a desktop solution and I need to start looking for something else for a server? I am just curious.
Sincerely yours,
Vadym Chepkov
--- On Tue, 6/9/09, David P. Quigley <dpquigl(a)tycho.nsa.gov> wrote:
> From: David P. Quigley <dpquigl(a)tycho.nsa.gov>
> Subject: Re: Fedora11 and Setroubleshoot-server
> To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> Date: Tuesday, June 9, 2009, 2:42 PM
> I could be wrong so don't hold me to
> this but I remember hearing that
> they moved this service into being started as needed by
> another
> component. I believe this was done to help with boot times.
> If I
> remember correctly setroubleshoot should start up when it
> receives the
> first AVC denial.
SELinux Instructions
by Peter Joseph
For the past several weeks I have been trying to learn SELinux, and as so
many before me, I find it extremely frustrating, ready to give up. Can
someone tell me where to start? It looks to me that all of the stuff
written about SELinux was written by Microsoft people in order to keep
people from using Linux. Take for example the 'cat' command relating to
/etc/pam.d/gdm - what in the world am I to get from this:
#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth
Where can I find information explaining the above? Is there a place where
one could find some sort of a basic template file? A file showing the
minimum initial settings that could be built upon?
It seems to me that inclusion of SELinux in Fedora is counterproductive.
Instead of providing users with a firewall they could manage after
negotiating a reasonable learning curve, the users are presented with this
monstrous security system understood only by full-blown programmers. Is
there a way of learning SELinux without the computer science degree
prerequisite?
--
View this message in context: http://www.nabble.com/SELinux-Instructions-tp23904686p23904686.html
Sent from the Fedora SELinux List mailing list archive at Nabble.com.
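An added example, not from the post above or from any Fedora documentation: a small parser that takes a /etc/pam.d/<service> file apart into its four columns (module type, control, module, arguments) and states what each control field does, including the bracketed `[value=action ...]` form on the pam_selinux_permit.so line. The PAM_GDM text is the /etc/pam.d/gdm listing from the post, embedded so the script runs offline; the control descriptions follow pam.conf(5).

```python
"""Parse a /etc/pam.d/<service> file into structured stack entries.

Added example; the PAM_GDM sample below is the /etc/pam.d/gdm listing from
the post, embedded here so the script runs offline.
"""
import re
from dataclasses import dataclass, field

PAM_GDM = """\
#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth
"""

# Meaning of the simple control keywords (pam.conf(5)).
CONTROL_KEYWORDS = {
    "required": "must succeed; on failure the stack continues but the final result is failure",
    "requisite": "must succeed; on failure the stack stops immediately with failure",
    "sufficient": "success ends the stack with success unless an earlier required module failed",
    "optional": "result ignored unless it is the only module in the stack",
    "include": "splice in the named file's lines for this module type",
    "substack": "run the named file as a sub-stack; done/die actions end only the sub-stack",
}


@dataclass
class PamEntry:
    type: str                      # auth, account, password, session
    control: str                   # keyword, or the bracketed value=action list
    module: str                    # pam_foo.so, or a file name for include/substack
    args: list[str] = field(default_factory=list)
    actions: dict[str, str] = field(default_factory=dict)  # parsed from the [...] form


LINE_RE = re.compile(
    r"^\s*(?P<type>-?\w+)\s+"           # leading '-' silences missing-module logging
    r"(?P<control>\[[^\]]*\]|\S+)\s+"   # bracketed control may contain spaces
    r"(?P<module>\S+)"
    r"(?:\s+(?P<args>.*))?$"
)


def parse_pam(text):
    """Return a list of PamEntry objects, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pam line: {raw!r}")
        control = m.group("control")
        actions = {}
        if control.startswith("["):
            # e.g. [success=done ignore=ignore default=bad] -> {"success": "done", ...}
            for pair in control[1:-1].split():
                value, action = pair.split("=", 1)
                actions[value] = action
        entries.append(PamEntry(
            type=m.group("type").lstrip("-"),
            control=control,
            module=m.group("module"),
            args=(m.group("args") or "").split(),
            actions=actions,
        ))
    return entries


def explain(entry):
    """One human-readable line per stack entry."""
    if entry.actions:
        rules = ", ".join(f"{v} -> {a}" for v, a in entry.actions.items())
        how = f"bracketed control: {rules}"
    else:
        how = CONTROL_KEYWORDS.get(entry.control, "unknown control")
    head = f"{entry.type}: {entry.module} {' '.join(entry.args)}".rstrip()
    return f"{head} [{how}]"


def selinux_lines(entries):
    """Only the entries that involve the SELinux PAM modules."""
    return [e for e in entries if e.module.startswith("pam_selinux")]


if __name__ == "__main__":
    for e in parse_pam(PAM_GDM):
        print(explain(e))
```

Run it and the gdm file reads as a list of sixteen entries; the three pam_selinux lines are the ones that decide whether a login is permitted under the current policy (pam_selinux_permit.so) and set up the security context of the session (pam_selinux.so close/open).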
Fedora11 and Setroubleshoot-server
by Vadym Chepkov
It seems /etc/rc.d/init.d/setroubleshoot was removed in setroubleshoot-server in Fedora 11. What was the rationale behind it? Is there another tool to monitor SELinux events on servers without console now? Thanks.
Sincerely yours,
Vadym Chepkov
Re: firefox on rawhide and selinux
by Antonio Olivares
--- On Mon, 6/8/09, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> From: Daniel J Walsh <dwalsh(a)redhat.com>
> Subject: Re: firefox on rawhide and selinux
> To: "Antonio Olivares" <olivares14031(a)yahoo.com>
> Cc: fedora-selinux-list(a)redhat.com
> Date: Monday, June 8, 2009, 2:17 PM
> On 06/08/2009 04:21 PM, Antonio Olivares wrote:
> >
> > Summary:
> >
> > SELinux is preventing firefox from changing a writable memory segment
> > executable.
> >
> > Detailed Description:
> >
> > The firefox application attempted to change the access protection of memory
> > (e.g., allocated using malloc). This is a potential security problem.
> > Applications should not be doing this. Applications are sometimes coded
> > incorrectly and request this permission. The SELinux Memory Protection Tests
> > (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
> > remove this requirement. If firefox does not work and you need it to work, you
> > can configure SELinux temporarily to allow this access until the application is
> > fixed. Please file a bug report
> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> >
> > Allowing Access:
> >
> > If you trust firefox to run correctly, you can change the context of the
> > executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> > '/usr/lib/firefox-3.5b4/firefox'". You must also change the default file context
> > files on the system in order to preserve them even on a full relabel. "semanage
> > fcontext -a -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'"
> >
> > Fix Command:
> >
> > chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'
> >
> > Additional Information:
> >
> > Source Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> > Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> > Target Objects None [ process ]
> > Source firefox
> > Source Path /usr/lib/firefox-3.5b4/firefox
> > Port <Unknown>
> > Host localhost.localdomain
> > Source RPM Packages firefox-3.5-0.21.beta4.fc12
> > Target RPM Packages
> > Policy RPM selinux-policy-3.6.13-2.fc12
> > Selinux Enabled True
> > Policy Type targeted
> > MLS Enabled True
> > Enforcing Mode Enforcing
> > Plugin Name allow_execmem
> > Host Name localhost.localdomain
> > Platform Linux localhost.localdomain 2.6.30-0.97.rc8.fc12.i586 #1 SMP Wed Jun 3 09:55:34 EDT 2009 i686 i686
> > Alert Count 8
> > First Seen Mon 08 Jun 2009 12:27:54 PM CDT
> > Last Seen Mon 08 Jun 2009 12:28:08 PM CDT
> > Local ID 0e0d62f4-09db-4ddf-987c-8210c45b9e70
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > node=localhost.localdomain type=AVC msg=audit(1244482088.874:27316): avc: denied { execmem } for pid=2566 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> >
> > node=localhost.localdomain type=SYSCALL msg=audit(1244482088.874:27316): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=2554 pid=2566 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5b4/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> >
> > Thanks,
> >
> > Antonio
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Are you using flashplugin? Not sure which app is causing the execmem.
> Do you have nspluginwrapper installed?
>
both flashplugin and nspluginwrapper are installed :(
Updated rawhide as of yesterday's 20080607 report; I can't get today's updates, will apply them tomorrow when more mirrors are updated.
Thanks,
Antonio
firefox on rawhide and selinux
by Antonio Olivares
Summary:
SELinux is preventing firefox from changing a writable memory segment
executable.
Detailed Description:
The firefox application attempted to change the access protection of memory
(e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If firefox does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
If you trust firefox to run correctly, you can change the context of the
executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/lib/firefox-3.5b4/firefox'". You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'"
Fix Command:
chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects None [ process ]
Source firefox
Source Path /usr/lib/firefox-3.5b4/firefox
Port <Unknown>
Host localhost.localdomain
Source RPM Packages firefox-3.5-0.21.beta4.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.13-2.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execmem
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.30-0.97.rc8.fc12.i586 #1 SMP Wed Jun 3 09:55:34 EDT 2009 i686 i686
Alert Count 8
First Seen Mon 08 Jun 2009 12:27:54 PM CDT
Last Seen Mon 08 Jun 2009 12:28:08 PM CDT
Local ID 0e0d62f4-09db-4ddf-987c-8210c45b9e70
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1244482088.874:27316): avc: denied { execmem } for pid=2566 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=localhost.localdomain type=SYSCALL msg=audit(1244482088.874:27316): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=2554 pid=2566 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5b4/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Thanks,
Antonio
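An added example, not part of this thread and not audit2allow or any Fedora tool: it parses raw AVC and SYSCALL audit records like the two above, groups the denied permissions by (source type, target type, class), and renders a draft policy module in the same shape as the zoneminder module posted earlier in this digest. The first two AUDIT_LINES are the raw messages from the firefox report; the third AVC line is constructed (using the httpd_t and initrc_var_run_t types from the zoneminder module) to show several permissions being merged into one rule. Rules that would grant the memory-protection permissions the report's Drepper link discusses (execmem, execstack, execheap, execmod) are written out commented, since the right fix for that class of denial is usually a relabel of the offending binary or a bug report, as the report itself says, not an allow rule in the domain.

```python
"""Turn raw SELinux AVC denials into a draft policy module, audit2allow-style.

Added example, not a tool from the list or from Fedora. The first two
AUDIT_LINES are the raw audit messages from the firefox report; the third
AVC line is constructed to show aggregation of several permissions.
"""
import re
from collections import defaultdict

AUDIT_LINES = [
    'node=localhost.localdomain type=AVC msg=audit(1244482088.874:27316): avc: denied { execmem } for pid=2566 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
    'node=localhost.localdomain type=SYSCALL msg=audit(1244482088.874:27316): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=2554 pid=2566 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5b4/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
    # constructed: a second denial with two permissions on a file-class object
    'type=AVC msg=audit(1244482100.000:27320): avc: denied { read lock } for pid=2600 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file',
]

# Memory-protection permissions a draft policy should never grant blindly:
# each one weakens the W^X guarantee for the whole domain.
MEMORY_PERMS = {"execmem", "execstack", "execheap", "execmod"}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<serial>[\d.]+:\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<serial>[\d.]+:\d+)\):.*? exe="(?P<exe>[^"]*)"'
)


def ctx_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avcs(lines):
    """Return ({(stype, ttype, tclass): {perms}}, {serial: exe}).

    The SYSCALL record shares the audit serial with its AVC record, so the
    exe path can be matched back to the denial by that serial."""
    denials = defaultdict(set)
    exes = {}
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            key = (ctx_type(m["scontext"]), ctx_type(m["tcontext"]), m["tclass"])
            denials[key].update(m["perms"].split())
            continue
        m = SYSCALL_RE.search(line)
        if m:
            exes[m["serial"]] = m["exe"]
    return dict(denials), exes


def flagged_perms(denials):
    """The denials whose permissions fall in MEMORY_PERMS: review, do not just allow."""
    return {k: v & MEMORY_PERMS for k, v in denials.items() if v & MEMORY_PERMS}


def to_module(denials, name="local_draft", version="1.0"):
    """Render a .te module: a require block listing every type and class used,
    then one allow rule per (source, target, class). Rules that would grant
    MEMORY_PERMS are emitted commented out so they cannot be loaded unread."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in denials.items():
        types.update({stype, ttype})
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if perms & MEMORY_PERMS:
            rule = "# REVIEW (memory protection): " + rule
        out.append(rule)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denials, exes = parse_avcs(AUDIT_LINES)
    print(to_module(denials))
    print("flagged:", flagged_perms(denials))
    print("binaries from SYSCALL records:", exes)
```

On the firefox record this yields one commented rule for `unconfined_t unconfined_t:process { execmem }` and the exe path `/usr/lib/firefox-3.5b4/firefox` recovered from the SYSCALL line, which is the piece of information needed to decide between the relabel the report suggests and a bug report against the package; the constructed httpd_t denial comes out as an ordinary `allow httpd_t initrc_var_run_t:file { lock read };`, the same rule the zoneminder module carries.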
Re: semodule
by Vadym Chepkov
I compared /etc/pam.d/sshd of the affected and working system, they are identical. But, I found these entries in /var/log/secure of the system in trouble:
error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
I bet it's a smoking gun, I just have no idea what to do about it.
Sincerely yours,
Vadym Chepkov
allow_execstack
by "Stanisław T. Findeisen"
Look what I've found regarding stack execution:
=======================================================================
execstack :: As the name suggests, this error is raised if a program
tries to make its stack (or parts thereof) executable with an mprotect
call. This should never, ever be necessary. Stack memory is not
executable on most OSes these days and this won't change. Executable
stack memory is one of the biggest security problems. An execstack error
might in fact be most likely raised by malicious code.
http://people.redhat.com/drepper/selinux-mem.html
=======================================================================
$ cat /selinux/booleans/allow_execstack
1 1
$ cat /etc/redhat-release
Fedora release 10 (Cambridge)
I haven't changed this setting manually since system install so I guess
this is a bug in the Fedora policy?
BTW what does the 1st "1", and what does the 2nd "1" in
/selinux/booleans/allow_execstack stand for?
Thanks!
STF
=======================================================================
http://eisenbits.homelinux.net/~stf/
OpenPGP: DFD9 0146 3794 9CF6 17EA D63F DBF5 8AA8 3B31 FE8A
=======================================================================