sVirt
by Gene Czarcinski
I am having some problems with the design/implementation of sVirt for Fedora-
virtualization on Fedora 11.
1. I am a longtime user of Fedora since FC1 and, prior to that, I used Red Hat
Linux.
2. I am a big fan of SELinux and have been using it since FC3 and always run
in enforcing mode. I get upset/angry when someone suggests disabling SELinux
to "fix" my problems. If there is a "bug", report it and get it fixed ... do
not ignore it.
3. I have also been a longtime user of VMware. However, with Fedora-
virtualization on Fedora 11, I decided to "change my problem set" and give
Fedora-virtualization a try ... especially since I now have an AMD Phenom II
940 which supports hardware virtualization.
I have researched and found a number of documents which provide some of the
goals, etc. for sVirt. However, I have hit some undesirable characteristics
and bad side effects in dealing with ISO images.
First of all, sVirt changes/sets the file context for any virtual disk, ISO
image, or device (e.g., /dev/sr0) ... I am not sure what happens with LVM
logical volumes because I have not tried them yet.
I understand that, with mandatory access control, a process should be denied
access to all resources except those which have been explicitly permitted. I
assume this is the reason for setting/changing the file context. For ISO
images, this is BAD!
I have an apache (httpd) server running which has access to my repository of
ISO images. After I create a virtual guest and point to an ISO image in the
repository, the apache server can no longer see that ISO image! Bad, BAD!
Yes, I know restorecon will fix things up but this should not happen in the
first place.
Another (related) problem is that I cannot use an ISO image file on a read-only
mounted file system. Why? Just what is being protected here?
As currently implemented, there is no protection between guests with respect
to their individual virtual disk files. This really does need doing and it
will be interesting to see how it will be done by SELinux (assuming that
protection by the Fedora-virtualization application software is not good enough).
Some suggestions:
1. I am not sure what should be done with real devices such as /dev/sr0.
2. For files on read-only file systems, don't do anything ... they are protected
about as much as they can be.
3. For files in /var/lib/libvirt/images, set the file context as is now done.
This is also true if I locate my read/write virtual disk (file) elsewhere.
4. For ISO files, maybe there should be a new/special file context which allows
sharing between processes ... it would be explicit but it would allow sharing
... maybe something like "public_content_t".
5. Maybe implement a switch which disables SELinux enforcing (and does not
change the file context of ISO files) for Fedora-virtualization.
6. Maybe the switch should be by guest.
- - - - -
OK, I can see where locking down Fedora-virtualization with mandatory access
control would be very interesting to some organizations such as NSA but that
this would be used in a very rigidly controlled and limited system. But, this
stuff has to be usable in other environments too.
- - - - - -
Finally ... IMHO, the design/implementation of SELinux for Fedora-
virtualization was a bit of a quick-and-dirty approach ... do what we know
how to do. I suggest that maybe some SELinux folks and some key Fedora-
virtualization (especially libvirt) folks should take a week off (or maybe just
a weekend), go off somewhere where you will not be bothered, and then figure out
what should be done ... not "how" ... just the "should" at first. Then, after
some time has passed so that folks have had time to think about it, have
another "session" where the "how" is considered and a roadmap is created.
Just some food for thought.
Gene
14 years, 9 months
Confining stunnel started from init script
by Allen Kistler
Since F7, I've started stunnel as a daemon from an init script. In F11,
I'm confining it using SELinux, instead of just letting it run as
initrc_t. However, I've got two questions.
First:
I think at some point, it might be worth submitting what I've done as an
enhancement, minor though it may be, to stunnel. In my case, I use
stunnel to establish an SSL tunnel to my ISP's smtps port from sendmail.
Since I bind stunnel locally to tcp/465, I can't define stunnel_port_t
(the pre-existing label for whatever port the end user chooses to use)
as tcp/465 because tcp/465 is already labeled as smtp_port_t. What I've
done is:
bool stunnel_can_sendmail false;

# When the boolean is on, let stunnel bind to the port already labelled smtp_port_t
if (stunnel_can_sendmail) {
    allow stunnel_t smtp_port_t : tcp_socket name_bind;
}
Does this seem the most reasonable way to do things with ports already
labeled? For a more general policy, that would mean a Boolean for every
port label. Hmm....
Second:
What's the syntax in the TE file to get descriptive text attached to a
Boolean declaration? Right now I get:
# semanage boolean -l | grep stunnel_can_sendmail
stunnel_can_sendmail -> on stunnel_can_sendmail
But I'd prefer something more informative and cosmetically pleasing like:
# semanage boolean -l | grep xen_use_nfs
xen_use_nfs -> off Allow xen to manage nfs files
Thanks for any info and assistance.
14 years, 9 months
Re: Domain transition missing
by Vadym Chepkov
I've really gotten used to running my scripts unconfined; how can I accomplish that in this scenario?
Sincerely yours,
Vadym Chepkov
--- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
> From: Dominick Grift <domg472(a)gmail.com>
> Subject: Re: Domain transition missing
> To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> Date: Saturday, July 4, 2009, 8:41 AM
> On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
> > On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> > > Hi,
> > >
> > > Last night I got a nasty surprise from selinux. I am using winbind for
> > > external authentication and since it has a history of failures I have a
> > > simple watchdog implemented to check the status and restart it if
> > > necessary. That is what happened last night and as a law abiding
> > > selinux citizen I used 'service winbind restart', but it seems the
> > > proper domain transition is missing and winbind was started in the
> > > system_cronjob_t domain instead of winbind_t and none of the other
> > > domains could connect to it.
> > >
> > > I think jobs running from cron should be granted the same transition
> > > rules as from unconfined_t.
> > >
> > > I will file a bugzilla report about it, but could somebody help me with
> > > modifying my local policy until/if it gets implemented, please? Thank you.
> > >
> > > Sincerely yours,
> > > Vadym Chepkov
> >
> > A domain transition would be:
> >
> > policy_module(mywinbind, 0.0.1)
> >
> > require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> > domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
> >
> > Can you show us the full raw avc denial?
>
> But personally I would deal with this in a different way. I would write
> policy for the script that restarts winbind and then I would create a
> domain transition from the domain in which the script runs to winbind_t.
>
> Mainly because I wouldn't want to extend/modify system_cronjob_t.
>
> So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
>
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list(a)redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
14 years, 9 months
Re: Strange denials
by Vadym Chepkov
I barely redirect output of a cron job to /dev/null :(
Is there a way to run cron unconfined? I don't see any boolean anymore.
Sincerely yours,
Vadym Chepkov
--- On Sat, 7/4/09, Kévin GUERIN <leguerinos(a)gmail.com> wrote:
> From: Kévin GUERIN <leguerinos(a)gmail.com>
> Subject: Re: Strange denials
> To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> Date: Saturday, July 4, 2009, 10:55 AM
> winbindd is running with no MCS categories and tries to access a file
> with c0.c1023.
>
> Access will be granted only if winbindd runs with all the categories
> that the file it wants to interact with has.
>
> Kévin
>
>
> 2009/7/4 Vadym Chepkov <chepkov(a)yahoo.com>
>
> Ok, I am lost
>
> I clearly allowed this.
>
> allow winbind_t crond_t:fifo_file write;
>
> I can see it in the policy:
>
> sesearch --all --source winbind_t --target crond_t
> Found 3 semantic av rules:
> allow winbind_t crond_t : process sigchld ;
> allow winbind_t crond_t : fd use ;
> allow winbind_t crond_t : fifo_file { ioctl read write getattr lock append open } ;
>
> Why do I get denial anyway?
>
> time->Sat Jul 4 10:28:01 2009
> type=SYSCALL msg=audit(1246717681.676:10436): arch=40000003 syscall=11 success=yes exit=0 a0=9073c10 a1=9073358 a2=90732a8 a3=9073358 items=0 ppid=20323 pid=20324 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=777 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
> type=AVC msg=audit(1246717681.676:10436): avc: denied { write } for pid=20324 comm="winbindd" path="pipe:[611496]" dev=pipefs ino=611496 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
>
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
14 years, 9 months
Strange denials
by Vadym Chepkov
Ok, I am lost
I clearly allowed this.
allow winbind_t crond_t:fifo_file write;
I can see it in the policy:
sesearch --all --source winbind_t --target crond_t
Found 3 semantic av rules:
allow winbind_t crond_t : process sigchld ;
allow winbind_t crond_t : fd use ;
allow winbind_t crond_t : fifo_file { ioctl read write getattr lock append open } ;
Why do I get denial anyway?
time->Sat Jul 4 10:28:01 2009
type=SYSCALL msg=audit(1246717681.676:10436): arch=40000003 syscall=11 success=yes exit=0 a0=9073c10 a1=9073358 a2=90732a8 a3=9073358 items=0 ppid=20323 pid=20324 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=777 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1246717681.676:10436): avc: denied { write } for pid=20324 comm="winbindd" path="pipe:[611496]" dev=pipefs ino=611496 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Sincerely yours,
Vadym Chepkov
14 years, 9 months
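The denial in the "Strange denials" thread is explained in the reply above: the type-enforcement rule is present, but winbindd runs at s0 with no MCS categories while the pipe is labelled s0-s0:c0.c1023. The following Python script is an added example and not code from the thread. It parses AVC records like the ones quoted on this page and reports which of the kernel's two checks fails: type enforcement (is there an allow rule?) and then MCS dominance (does the subject's clearance dominate the object's level?). The allow-rule table is constructed from the sesearch output in the thread, and the MCS rule applied, that the subject's high level must dominate the target's high level, is a simplification of the write constraints in Fedora's mcs policy file.

```python
"""Explain an SELinux AVC denial that survives a matching allow rule.

Added example: separates the type-enforcement check from the MCS dominance
check so a denial can be attributed to the right one. The MCS rule here is
a simplification (subject high level must dominate target high level); the
authoritative constraints are in the distribution's mcs policy file.
"""
import re
from dataclasses import dataclass

# Constructed from the sesearch output quoted in the thread.
ALLOW_RULES = {
    ("winbind_t", "crond_t", "process"): {"sigchld"},
    ("winbind_t", "crond_t", "fd"): {"use"},
    ("winbind_t", "crond_t", "fifo_file"): {
        "ioctl", "read", "write", "getattr", "lock", "append", "open",
    },
}

# Constructed sample records: the winbindd denial from the thread and the
# sysstat denial posted on the same archive page.
WINBIND_AVC = (
    'type=AVC msg=audit(1246717681.676:10436): avc: denied { write } for '
    'pid=20324 comm="winbindd" path="pipe:[611496]" dev=pipefs ino=611496 '
    'scontext=system_u:system_r:winbind_t:s0 '
    'tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file'
)
SYSSTAT_AVC = (
    'type=AVC msg=audit(1246506781.781:1687): avc: denied { read } for '
    'pid=16924 comm="find" name="mls" dev=selinuxfs ino=12 '
    'scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:security_t:s0 tclass=file'
)


@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: a sensitivity number and a set of category numbers."""
    sensitivity: int
    categories: frozenset

    def dominates(self, other):
        # "dom": sensitivity at least as high and a superset of the categories.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text):
    """'s0:c0.c1023,c2000' -> Level(0, {0..1023, 2000}); 's0' -> no categories."""
    sens_part, _, cat_part = text.partition(":")
    categories = set()
    for piece in (cat_part.split(",") if cat_part else []):
        if "." in piece:  # cN.cM is an inclusive range of categories
            lo, hi = piece.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(piece[1:]))
    return Level(int(sens_part[1:]), frozenset(categories))


def parse_context(ctx):
    """'user:role:type:low[-high]' -> (type, low Level, high Level)."""
    _user, _role, type_, mls_range = ctx.split(":", 3)
    low_text, _, high_text = mls_range.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if high_text else low
    return type_, low, high


def format_level(level):
    cats = sorted(level.categories)
    if not cats:
        return f"s{level.sensitivity} (no categories)"
    return f"s{level.sensitivity}:c{cats[0]}..c{cats[-1]} ({len(cats)} categories)"


AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def explain_denial(avc_line, allow_rules=ALLOW_RULES):
    """Return {'failed': 'te' | 'mcs' | None, 'detail': str} for one AVC record."""
    match = AVC_RE.search(avc_line)
    if match is None:
        raise ValueError("not an AVC denial record")
    perms = match.group("perms").split()
    stype, _slow, shigh = parse_context(match.group("scontext"))
    ttype, _tlow, thigh = parse_context(match.group("tcontext"))
    tclass = match.group("tclass")

    # Step 1: type enforcement. Every requested permission needs an allow rule.
    granted = allow_rules.get((stype, ttype, tclass), set())
    missing = sorted(p for p in perms if p not in granted)
    if missing:
        return {"failed": "te",
                "detail": f"no allow rule for {stype} {ttype}:{tclass} {missing}"}
    # Step 2: MCS. A matching allow rule is not enough; dominance is checked too.
    if not shigh.dominates(thigh):
        return {"failed": "mcs",
                "detail": (f"subject {format_level(shigh)} does not dominate "
                           f"target {format_level(thigh)}")}
    return {"failed": None, "detail": "both checks pass; look elsewhere (e.g. constraints)"}


if __name__ == "__main__":
    for line in (WINBIND_AVC, SYSSTAT_AVC):
        print(explain_denial(line))
```

Running it prints an "mcs" verdict for the winbindd record (the allow rule exists, but s0 does not dominate s0:c0.c1023) and a "te" verdict for the sysstat record, which has a full category range but no allow rule at all; the fix for each is different, which is exactly what the thread's confusion turned on.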
QEMU in Fedora 10
by John Smith
Hello,
I'm working on QEMU right now on Fedora 10. Interestingly, QEMU runs in qemu_unconfined_t. As I have not changed any of the labelling of my qemu files (chroot directory, qemu filesystem image), I find it working with them with no denial messages. I have checked the policy for qemu on the Tresys refpolicy trunk, which somehow makes QEMU unconfined. Is this true?
14 years, 9 months
sysstat policy
by Vadym Chepkov
It seems the sysstat policy in Fedora 11 needs adjustment; this didn't happen before:
type=AVC msg=audit(1246506781.781:1687): avc: denied { read } for pid=16924 comm="find" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
Sincerely yours,
Vadym Chepkov
14 years, 9 months
kismet - DBUS AVCs
by Christoph A.
Hi,
I'm running fedora 11.
rpm -qa selinux*
selinux-policy-3.6.12-53.fc11.noarch
selinux-policy-targeted-3.6.12-53.fc11.noarch
When I try to start kismet it fails with this error:
WARNING: Failed to connect to DBUS system, will not be able to control
networkmanager: Failed to connect to socket
/var/run/dbus/system_bus_socket: Permission denied
WARNING: Failed to send 'sleep' command to networkmanager via DBUS, NM
may try to take control of the interfaces still.FATAL: Dump file error:
Unable to open dump file /home/kismet/dump/Jul-05-2009-14-26-09.dump (No
such file or directory)
Sending termination request to channel control child 10743...
WARNING: Error disabling monitor mode: mode set ioctl failed 16:Device
or resource busy
WARNING: WIFI5100AGN (wlan0) left in an unknown state. You may need to
manually
restart or reconfigure it for normal operation.
WARNING: Sometimes cards don't always come out of monitor mode
cleanly. If your card is not fully working, you may need to
restart or reconfigure it for normal operation.
Waiting for channel control child 10743 to exit...
Trying to wake networkmanager back up...
WARNING: Failed to connect to DBUS system, will not be able to control
networkmanager: Failed to connect to socket
/var/run/dbus/system_bus_socket: Permission denied
WARNING: Failed to send 'wake' command to networkmanager via DBUS, NM
may still be inactive.Kismet exiting.
log:
node=localhost.localdomain type=AVC msg=audit(1246795836.328:420): avc:
denied { search } for pid=10334 comm="kismet_server" name="dbus"
dev=dm-1 ino=2000053
scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1246795836.328:420):
arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe50b20 a2=bbeff4
a3=bfe50ccc items=0 ppid=10333 pid=10334 auid=500 uid=492 gid=496
euid=492 suid=492 fsuid=492 egid=496 sgid=496 fsgid=496 tty=pts0 ses=1
comm="kismet_server" exe="/usr/bin/kismet_server"
subj=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 key=(null)
While searching the web I found an old but similar issue:
http://www.linux-archive.org/fedora-selinux-support/195736-further-selinu...
What should I do to successfully start kismet (without disabling SELinux)?
thanks
Christoph
(kismet.conf attached)
14 years, 9 months
Re: Domain transition missing
by Vadym Chepkov
This worked well too, thank you
system_u:system_r:winbind_t:SystemLow root 11926 1 0 09:57 ? 00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11928 11926 0 09:57 ? 00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11954 11926 0 09:57 ? 00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11956 11926 0 09:57 ? 00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11957 11926 0 09:57 ? 00:00:00 winbindd
Sincerely yours,
Vadym Chepkov
--- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
> From: Dominick Grift <domg472(a)gmail.com>
> Subject: Re: Domain transition missing
> To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> Date: Saturday, July 4, 2009, 9:28 AM
> On Sat, 2009-07-04 at 06:18 -0700, Vadym Chepkov wrote:
> > That would be unfortunate. My approach is not uncommon. If you look
> > closely you will see the same technique in wast scripts. spamassassin
> > restarts itself when it updates anti-spam rules, clamav does that
> > (antivirus) and on and on. I use Fedora 11, by the way.
> >
> > For now, instead of creating a new policy I just added
> > 'runcon -t unconfined_t ' in the cron, and it seemed to do the trick.
> >
> > Sincerely yours,
> > Vadym Chepkov
> >
>
> Looking here:
> http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/ser...
> line 235 to line 269.
>
> That seems like an interface one might use in your situation:
>
> cron_system_entry(winbind_t, winbind_exec_t)
>
> I admit that using cron with SELinux is not very easy currently.
>
> > --- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
> >
> > > From: Dominick Grift <domg472(a)gmail.com>
> > > Subject: Re: Domain transition missing
> > > To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> > > Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> > > Date: Saturday, July 4, 2009, 8:57 AM
> > > On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
> > > > I've really gotten used to running my scripts unconfined; how can I
> > > > accomplish that in this scenario?
> > > >
> > > > Sincerely yours,
> > > > Vadym Chepkov
> > > >
> > >
> > > If you want the system to run jobs you will need to write some policy
> > > or extend the system_cronjob_t domain, I think.
> > >
> > > Were those the only avc denials you got? I would expect more denials.
> > >
> > > > --- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
> > > >
> > > > > From: Dominick Grift <domg472(a)gmail.com>
> > > > > Subject: Re: Domain transition missing
> > > > > To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> > > > > Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> > > > > Date: Saturday, July 4, 2009, 8:41 AM
> > > > > On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
> > > > > > On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > Last night I got a nasty surprise from selinux. I am using
> > > > > > > winbind for external authentication and since it has a history
> > > > > > > of failures I have a simple watchdog implemented to check the
> > > > > > > status and restart it if necessary. That is what happened last
> > > > > > > night and as a law abiding selinux citizen I used 'service
> > > > > > > winbind restart', but it seems the proper domain transition is
> > > > > > > missing and winbind was started in the system_cronjob_t domain
> > > > > > > instead of winbind_t and none of the other domains could
> > > > > > > connect to it.
> > > > > > >
> > > > > > > I think jobs running from cron should be granted the same
> > > > > > > transition rules as from unconfined_t.
> > > > > > >
> > > > > > > I will file a bugzilla report about it, but could somebody
> > > > > > > help me with modifying my local policy until/if it gets
> > > > > > > implemented, please? Thank you.
> > > > > > >
> > > > > > > Sincerely yours,
> > > > > > > Vadym Chepkov
> > > > > >
> > > > > > A domain transition would be:
> > > > > >
> > > > > > policy_module(mywinbind, 0.0.1)
> > > > > >
> > > > > > require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> > > > > > domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
> > > > > >
> > > > > > Can you show us the full raw avc denial?
> > > > >
> > > > > But personally I would deal with this in a different way. I would
> > > > > write policy for the script that restarts winbind and then I would
> > > > > create a domain transition from the domain in which the script runs
> > > > > to winbind_t.
> > > > >
> > > > > Mainly because I wouldn't want to extend/modify system_cronjob_t.
> > > > >
> > > > > So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
> > > > >
> > > > > > > --
> > > > > > > fedora-selinux-list mailing list
> > > > > > > fedora-selinux-list(a)redhat.com
> > > > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
14 years, 10 months
14 years, 10 months