restorecon question
by Vadym Chepkov
Hi,
Could you explain to me, please, the behavior of the restorecon utility.
I added the following in the local.fc file
# phpbb
/var/www/phpbb/cache(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
/var/www/phpbb/files(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
compiled and installed policy, seems to be in place.
# semanage fcontext -l|grep phpbb
/var/www/phpbb/cache(/.*)? all files system_u:object_r:httpd_sys_script_rw_t:s0
/var/www/phpbb/files(/.*)? all files system_u:object_r:httpd_sys_script_rw_t:s0
But when now I run restorecon -vR /var/www/phpbb/
it doesn't do anything. I would expect it to change the context on the two directories and the files in them.
Only if I specify -F (force) does it relabel everything.
I can't quite grasp why sometimes I don't have to supply -F and sometimes I do.
Thank you.
Sincerely yours,
Vadym Chepkov
14 years, 9 months
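The two behaviours the question is about can be modelled without an SELinux box. The script below is an added example, not code from the thread: it reproduces the documented restorecon/setfiles rules that (1) the file-context entry that applies to a path is the last matching regex in the file_contexts table and (2) without -F a file whose current type appears in the policy's customizable_types list is left alone, which -F overrides. The phpbb entries are the ones from the post; the base /var/www entry, the customizable_types set and the current labels are constructed assumptions (the real list is in /etc/selinux/<policy>/contexts/customizable_types).

```python
"""Model of restorecon's relabel decision (added example, not from the thread).

Two documented setfiles/restorecon rules are reproduced:
  1. the entry that applies to a path is the LAST matching regex in the
     file_contexts table, so later (local) entries override earlier ones;
  2. without -F, a file whose CURRENT type is listed in customizable_types
     is skipped; -F forces the relabel.
"""
import re

# Constructed from the `semanage fcontext -l | grep phpbb` output in the post,
# preceded by an assumed base-policy entry for /var/www.
FILE_CONTEXTS = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),                 # assumed base entry
    (r"/var/www/phpbb/cache(/.*)?", "httpd_sys_script_rw_t"),   # from local.fc
    (r"/var/www/phpbb/files(/.*)?", "httpd_sys_script_rw_t"),   # from local.fc
]

# Assumption: a customizable_types list in the style of the RHEL 5 targeted
# policy. On a real system read /etc/selinux/<policy>/contexts/customizable_types.
CUSTOMIZABLE_TYPES = {
    "httpd_sys_content_t",
    "httpd_sys_script_rw_t",
    "public_content_rw_t",
}

# Constructed current labels of a few files under /var/www/phpbb.
SAMPLE_LABELS = {
    "/var/www/phpbb/cache": "httpd_sys_content_t",
    "/var/www/phpbb/cache/sql_abc.php": "httpd_sys_content_t",
    "/var/www/phpbb/index.php": "var_t",
}


def expected_type(path):
    """Type the file_contexts table assigns to path; None if no entry matches."""
    winner = None
    for pattern, ftype in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            winner = ftype          # later entries win, as in setfiles
    return winner


def plan_relabel(current_labels, force=False):
    """Return {path: new_type} for every file restorecon would relabel.

    current_labels maps path -> current type. With force=False a file whose
    current type is customizable is preserved, which is why `restorecon -vR`
    can print nothing while `restorecon -F` relabels everything.
    """
    changes = {}
    for path, current in current_labels.items():
        target = expected_type(path)
        if target is None or target == current:
            continue                # no entry, or already correct
        if not force and current in CUSTOMIZABLE_TYPES:
            continue                # customizable type kept unless -F
        changes[path] = target
    return changes


if __name__ == "__main__":
    print("restorecon -vR :", plan_relabel(SAMPLE_LABELS))
    print("restorecon -F  :", plan_relabel(SAMPLE_LABELS, force=True))
```

Run as is, the first call relabels only index.php (var_t is not customizable), while the forced call also moves the cache directory and its file to httpd_sys_script_rw_t. The same check explains why -F is needed for some trees and not others: it depends on the type the files currently carry, not on the entry you added.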
httpd interface question
by Vadym Chepkov
Hi,
I have a question about httpd interface on RedHat 5.3
selinux-policy-targeted-2.4.6-203.el5
I have httpd_unified --> off
and I defined domain for subversion:
apache_content_template(svn)
I labeled my subversion hooks as httpd_svn_script_exec_t
and I expected it would be able to read files labeled as httpd_svn_content_t, but it is not the case:
type=AVC msg=audit(1247931060.612:40993): avc: denied { read } for pid=21405 comm="svn-mailer" name="svn-mailer.cfg" dev=sda1 ino=773360 scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:httpd_svn_content_t:s0 tclass=file
# sesearch -a -s httpd_svn_script_t -t httpd_svn_content_t
Found 1 av rules:
allow httpd_svn_script_t httpd_svn_content_t : dir { getattr search };
The question is, why only this and nothing else?
Sincerely yours,
Vadym Chepkov
14 years, 9 months
policy database
by Stefano Carucci
Hello all!
I would like to ask you experts some details about how the policy binary is managed by the security server. While looking through the code I noticed that the avtab (in security/selinux/ss/avtab.h/c) stores all the needed information about the rules in a hash table. Then, on the other side, there is a policy database that, as far as I understood, is meant for configuration parameters only. So my question is: what is the link between the policy binary file and the avtab? Are all the rules loaded into the avtab from the binary file? Is there any mechanism for fast policy lookup from the binary file?
Thank you in advance.
Stefano
14 years, 9 months
Trying to cause a denial with rsync and SELinux
by Scott Radvan
Hello all,
I'm having troubles invoking _any_ denial whatsoever for rsync related
tasks, in order for me to demonstrate in my book how to then work
around it.
I've made a custom init script for rsync as there is no existing one in
Fedora 11, so I labeled it initrc_exec_t so that the rsync daemon
transitions to rsync_t:
# ps -eZ | grep rsync
unconfined_u:system_r:rsync_t:s0 326 ? 00:00:00 rsync
According to the information I have, now that it's running as rsync_t,
the following Booleans should have an effect:
allow_rsync_anon_write
No matter the state of this Boolean, I can still write to
public_content_rw_t files, locally or over the LAN.
rsync_client
I have very little information on this Boolean and what it
actually implies, what it requires in terms of labels, etc. but
no matter its state, rsync operates normally as a client
reading and writing to a daemonized process on another machine.
rsync_export_all_ro
Perhaps I'm misinterpreting this one as well, but no matter its
state, I can read _and_ write the test files in the directory
specified by the rsync daemon, locally and over the network.
Really, I'm probably misinterpreting these Booleans and their actual
implications, or doing something completely wrong.
I simply need a way that I can get SELinux to give me a denial related
to rsync (running as a daemon) which I can then document and demonstrate
the work-around for. My problem remains that everything works too _well_
and SELinux doesn't seem to be denying any of the access or transfers
I'm performing, whatever the state of these Booleans, based on my
limited understanding of them.
Does anyone have a better understanding of these particular Booleans,
what they actually imply, what labels the files need in order to be
affected by them, any other condition they require to enforce upon the
system...and mainly how I can intentionally invoke a denial based on
one of them?
Thanks in advance,
--
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane) http://www.apac.redhat.com
14 years, 9 months
Re: spamassassin pre-compiled rules
by Vadym Chepkov
--- On Mon, 7/13/09, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> Vadym, can you create a patch for them to add a restorecon
> after they create the libraries.
You mean to the Fedora package? Sure, I can try, I will cc you on it. It's a perl script so I am not sure how keen the maintainer will be to include a 'system' call in it.
14 years, 9 months
Re: spamassassin pre-compiled rules
by Vadym Chepkov
The sa-compile script puts them there; it runs manually from cron.
The sa-compile call is not part of the standard Fedora package and, as I said earlier, this context already exists in the standard policy; furthermore, Dan, you added it by my request :) But even though it exists, it is being ignored when the library is created. I am not really sure how the sa-compile script does it, but 'restorecon -R' afterward seems like an appropriate workaround.
Sincerely yours,
Vadym Chepkov
--- On Mon, 7/13/09, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> From: Daniel J Walsh <dwalsh(a)redhat.com>
> Subject: Re: spamassassin pre-compiled rules
> To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> Date: Monday, July 13, 2009, 11:06 AM
> On 07/11/2009 08:06 AM, Vadym Chepkov
> wrote:
> > spamassassin rules got updated recently and I got this
> avc
> >
> > type=AVC msg=audit(1247216252.200:31900): avc:
> denied { execute } for pid=24001 comm="spamd"
> path="/var/lib/spamassassin/compiled/5.010/3.002005/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so"
> dev=dm-3 ino=124989 scontext=system_u:system_r:spamd_t:s0
> tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=file
> >
> > audit2allow suggests this
> > #============= spamd_t ==============
> > allow spamd_t spamd_var_lib_t:file execute;
> > seems reasonable, but why is it missing in standard
> policy?
> >
> > Sincerely yours,
> > Vadym Chepkov
> >
> Vadym, What puts the files in this directory? Are
> they all shared libraries?
>
> One solution would be to label this directory
>
> # semanage fcontext -a -t lib_t
> '/var/lib/spamassassin/compiled(/.*)?'
> # restorecon -R -v /var/lib/spamassassin
>
>
>
14 years, 9 months
semodule/dbus
by Vadym Chepkov
Every time I install or update a local selinux module I get a log entry like this.
Jul 11 08:10:36 hut dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=5)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
I wonder what it is about? It doesn't seem to affect anything, but still.
Sincerely yours,
Vadym Chepkov
14 years, 9 months
spamassassin pre-compiled rules
by Vadym Chepkov
spamassassin rules got updated recently and I got this avc
type=AVC msg=audit(1247216252.200:31900): avc: denied { execute } for pid=24001 comm="spamd" path="/var/lib/spamassassin/compiled/5.010/3.002005/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so" dev=dm-3 ino=124989 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=file
audit2allow suggests this
#============= spamd_t ==============
allow spamd_t spamd_var_lib_t:file execute;
seems reasonable, but why is it missing in standard policy?
Sincerely yours,
Vadym Chepkov
14 years, 9 months
selinux denying ifconfig, Fedora 11
by Antonio Olivares
[olivares@ET1161-05 ~]$ dmesg | grep 'avc'
type=1400 audit(1247281500.625:4): avc: denied { read } for pid=871 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
[olivares@ET1161-05 ~]$
[olivares@ET1161-05 ~]$ cat /etc/fedora-release
Fedora release 11 (Leonidas)
[olivares@ET1161-05 ~]$ uname -r
2.6.30.1
smolt profile here, after install, if it is useful:
http://www.smolts.org/client/show/pub_bf6b4475-b2d9-4796-8965-112b094912de
I only called the command to check that I was connected while using dialup
# ifconfig -a
That was it. I saw setroubleshoot pop up but my fonts are very small, so I used the above command to get the avc back.
Regards,
Antonio
14 years, 9 months
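Three of the threads above (the httpd/subversion question, the spamassassin pre-compiled rules thread and this ifconfig report) each start from a single AVC record, and the spamassassin one shows the allow rule audit2allow derived from it. The parser below is an added example, not code from the list or from audit2allow: it handles both the auditd form (`type=AVC msg=audit(...)`) and the dmesg form (`type=1400 audit(...)`) quoted in those posts, extracts the source type, target type, object class and permissions, and prints the single-record allow rule in the form audit2allow uses. The three sample lines are copied from the posts; everything else is constructed. Whether such a rule should be applied is a separate decision, as the spamassassin thread shows: the suggested fix there was to relabel the directory, not to widen spamd_t.

```python
"""Parser for SELinux AVC denial records (added example, not from the list).

Handles the auditd form  'type=AVC msg=audit(T:S): avc: denied { p } for ...'
and the dmesg/printk form 'type=1400 audit(T:S): avc: denied { p } for ...'.
Sample records are the ones quoted in the threads above.
"""
import re
from collections import defaultdict

# The three AVC records quoted in the spamassassin, httpd-interface and
# ifconfig posts (copied from the page, not constructed).
SAMPLE_LINES = [
    'type=AVC msg=audit(1247216252.200:31900): avc: denied { execute } for pid=24001 '
    'comm="spamd" path="/var/lib/spamassassin/compiled/5.010/3.002005/auto/Mail/'
    'SpamAssassin/CompiledRegexps/body_0/body_0.so" dev=dm-3 ino=124989 '
    'scontext=system_u:system_r:spamd_t:s0 '
    'tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1247931060.612:40993): avc: denied { read } for pid=21405 '
    'comm="svn-mailer" name="svn-mailer.cfg" dev=sda1 ino=773360 '
    'scontext=user_u:system_r:httpd_svn_script_t:s0 '
    'tcontext=system_u:object_r:httpd_svn_content_t:s0 tclass=file',
    'type=1400 audit(1247281500.625:4): avc: denied { read } for pid=871 '
    'comm="ifconfig" name="mls" dev=selinuxfs ino=12 '
    'scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:security_t:s0 tclass=file',
]

# "avc: denied { read write } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Third field of user:role:type[:range]; the MLS range may itself contain ':'."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict describing the AVC record in line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return {
            "decision": m.group("decision"),
            "perms": m.group("perms").split(),
            "comm": fields.get("comm"),
            "path": fields.get("path") or fields.get("name"),
            "scontext": fields["scontext"],
            "tcontext": fields["tcontext"],
            "stype": context_type(fields["scontext"]),
            "ttype": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None     # truncated record: missing context or class


def allow_rule(rec):
    """The allow rule audit2allow would print for one record."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {p};"


def summarize(lines):
    """Collapse many records into one rule per (source, target, class) triple,
    merging permissions, the way a batch of denials is normally reviewed."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        plist = sorted(perms)
        p = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {s} {t}:{c} {p};")
    return rules


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_avc(line)
        print(f"{rec['comm']:<10} {rec['path']}")
        print("   ", allow_rule(rec))
```

Feeding it the dmesg line from this post gives `allow ifconfig_t security_t:file read;`, the same shape audit2allow printed for spamd in the earlier thread; summarize() is what you would run over a whole audit.log extract to see which type pairs are involved before deciding whether the answer is a Boolean, a relabel or a local module.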