selinux July 2009

selinux@lists.fedoraproject.org

36 participants
45 discussions

restorecon question
by Vadym Chepkov 24 Jul '09

24 Jul '09

Hi, Could you explain me, please, the behavior of the restorecon utility. I added the following in the local.fc file # phpbb /var/www/phpbb/cache(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) /var/www/phpbb/files(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) compiled and installed policy, seems to be in place. # semanage fcontext -l|grep phpbb /var/www/phpbb/cache(/.*)? all files system_u:object_r:httpd_sys_script_rw_t:s0 /var/www/phpbb/files(/.*)? all files system_u:object_r:httpd_sys_script_rw_t:s0 But when now I run restorecon -vR /var/www/phpbb/ it doesn't do anything. I would expect it to changed context on two directories and files in them. Only if I specify -F (force) I relabel everything. I can't quite grasp why sometimes I don't have to supply -F and sometimes I do. Thank you. Sincerely yours, Vadym Chepkov

5 9

httpd interface question
by Vadym Chepkov 22 Jul '09

22 Jul '09

Hi, I have a question about httpd interface on RedHat 5.3 selinux-policy-targeted-2.4.6-203.el5 I have httpd_unified --> off and I defined domain for subversion: apache_content_template(svn) I labeled my subversion hooks as httpd_svn_script_exec_t and I expected it will be able to read files labeled as httpd_svn_content_t, but it is not the case: type=AVC msg=audit(1247931060.612:40993): avc: denied { read } for pid=21405 comm="svn-mailer" name="svn-mailer.cfg" dev=sda1 ino=773360 scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:httpd_svn_content_t:s0 tclass=file # sesearch -a -s httpd_svn_script_t -t httpd_svn_content_t Found 1 av rules: allow httpd_svn_script_t httpd_svn_content_t : dir { getattr search }; The question is, why only this and nothing else? Sincerely yours, Vadym Chepkov

2 2

policy database
by Stefano Carucci 21 Jul '09

21 Jul '09

Hello all! I would like to ask you experts some details about how the policy binary is managed by the security server. While looking through the code I noticed that the avtab (in security/selinux/ss/avtab.h/c) stores all the needed information about the rules in a hash-table. Then, on the other side there is a policy database, that, as far as I understood is meant for configuration parameters only. So my question is: what is the link betweem the policy binary file and the avtab? Are all the rules loaded into the avtab from the binary file? Is there any mechanism to fast policy lookup from the binary file? Thank you in advance. Stefano _________________________________________________________________ 25 GB di spazio sempre con te. Accedi a SkyDrive! http://www.windowslive.it/skyDrive.aspx

1 0

Trying to cause a denial with rsync and SELinux
by Scott Radvan 20 Jul '09

20 Jul '09

Hello all, I'm having troubles invoking _any_ denial whatsoever for rsync related tasks, in order for me to demonstrate in my book how to then work around it. I've made a custom init script for rsync as there is no existing one in Fedora 11, so I labeled it initrc_exec_t so that the rsync daemon transitions to rsync_t: # ps -eZ | grep rsync unconfined_u:system_r:rsync_t:s0 326 ? 00:00:00 rsync According to the information I have, now that it's running as rsync_t, the following Booleans should have an effect: allow_rsync_anon_write No mattter the state of this Boolean, I can still write to public_content_rw_t files, locally or over the LAN. rsync_client I have very little information on this Boolean and what it actually implies, what it requires in terms of labels, etc. but no matter its state, rsync operates normally as a client reading and writing to a daemonized process on another machine. rsync_export_all_ro Perhaps I'm misinterpreting this one as well, but no matter its state, I can read _and_ write the test files in the directory specified by the rsync daemon, locally and over the network. Really, I'm probably misinterpreting these Booleans and their actual implications, or doing something completely wrong. I simply need a way that I can get SELinux to give me a denial related to rsync (running as a daemon) which I can then document and demonstrate the work-around for. My problem remains that everything works too _well_ and SELinux doesn't seem to be denying any of the access or transfers I'm performing, whatever the state of these Booleans, based on my limited understanding of them. Does anyone have a better understanding of these particular Booleans, what they actually imply, what labels the files need in order to be affected by them, any other condition they require to enforce upon the system...and mainly how I can intentionally invoke a denial based on one of them? Thanks in advance, -- Scott Radvan Content Author, Platform (Installation and Deployment) Red Hat Asia Pacific (Brisbane) http://www.apac.redhat.com

1 0

Would SELinux prevent that with the current policy?
by Christoph Höger 20 Jul '09

20 Jul '09

Hi, after looking at: http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html I wondered if SELinux would not be the right answer to those re-exec exploits. I guess that pulseaudio should run as something like pulseaudio_t which has all caps it needs. Re-exec should not change that as pulseaudio does not need any transformation of context. So short question: Does it work that way?

4 5

Re: spamassassin pre-compiled rules
by Vadym Chepkov 14 Jul '09

14 Jul '09

--- On Mon, 7/13/09, Daniel J Walsh <dwalsh(a)redhat.com> wrote: > Vadym, can you create a patch for them to add a restorecon > after they create the libraries. You mean to the Fedora package? Sure, I can try, I will cc you on it. It's a perl script so I am not sure how keen maintainer will be to include it 'system' call.

1 0

Re: spamassassin pre-compiled rules
by Vadym Chepkov 13 Jul '09

13 Jul '09

sa-compile scripts puts them there, it runs manually from the cron. sa-compile call is not part of the standard Fedora package and as I said earlier, this context already exists in the standard policy, furthermore, Dan, you added it the by my request :) But even though it exists, it is being ignored when the library is created, I am not really sure how sa-compile script does it, but 'restorecon -R' afterward seems like an appropriate workaround. Sincerely yours, Vadym Chepkov --- On Mon, 7/13/09, Daniel J Walsh <dwalsh(a)redhat.com> wrote: > From: Daniel J Walsh <dwalsh(a)redhat.com> > Subject: Re: spamassassin pre-compiled rules > To: "Vadym Chepkov" <chepkov(a)yahoo.com> > Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com> > Date: Monday, July 13, 2009, 11:06 AM > On 07/11/2009 08:06 AM, Vadym Chepkov > wrote: > > spamassassin rules got updated recently and I got this > avc > > > > type=AVC msg=audit(1247216252.200:31900): avc: > denied { execute } for pid=24001 comm="spamd" > path="/var/lib/spamassassin/compiled/5.010/3.002005/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so" > dev=dm-3 ino=124989 scontext=system_u:system_r:spamd_t:s0 > tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=file > > > > audit2allow suggests this > > #============= spamd_t ============== > > allow spamd_t spamd_var_lib_t:file execute; > > seems reasonable, but why is it missing in standard > policy? > > > > Sincerely yours, > > Vadym Chepkov > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list(a)redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > Vadym, What puts the files in this directory? Are > they all shared libraries? > > One solution would be to label this directory > > # semanage fcontext -a -t lib_t > '/var/lib/spamassassin/compiled(/.*)?' > # restorecon -R -v /var/lib/spamassassin > > >

2 1

semodule/dbus
by Vadym Chepkov 13 Jul '09

13 Jul '09

Everytime I install or update a local selinux module I get a log entry, like this. Jul 11 08:10:36 hut dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=5)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?) I wonder what is it about? It doesn't seem to affect anything, but still. Sincerely yours, Vadym Chepkov

3 2

spamassassin pre-compiled rules
by Vadym Chepkov 13 Jul '09

13 Jul '09

spamassassin rules got updated recently and I got this avc type=AVC msg=audit(1247216252.200:31900): avc: denied { execute } for pid=24001 comm="spamd" path="/var/lib/spamassassin/compiled/5.010/3.002005/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so" dev=dm-3 ino=124989 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=file audit2allow suggests this #============= spamd_t ============== allow spamd_t spamd_var_lib_t:file execute; seems reasonable, but why is it missing in standard policy? Sincerely yours, Vadym Chepkov

3 3

selinux denying ifconfig, Fedora 11
by Antonio Olivares 13 Jul '09

13 Jul '09

[olivares@ET1161-05 ~]$ dmesg | grep 'avc' type=1400 audit(1247281500.625:4): avc: denied { read } for pid=871 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file [olivares@ET1161-05 ~]$ [olivares@ET1161-05 ~]$ cat /etc/fedora-release Fedora release 11 (Leonidas) [olivares@ET1161-05 ~]$ uname -r 2.6.30.1 smoltProfile here after install if it is useful? http://www.smolts.org/client/show/pub_bf6b4475-b2d9-4796-8965-112b094912de I only called command to check that I was connected while using dialup # ifconfig -a That was it, I saw setroubleshoot pop up but my fonts are very small, and I used above command to give me back avc. Regards, Antonio

3 2

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux July 2009