Re: Domain transition missing
by Vadym Chepkov
That would be unfortunate. My approach is not uncommon. If you look closely you will see the same technique in vast scripts: spamassassin restarts itself when it updates anti-spam rules, clamav does that (antivirus), and on and on. I use Fedora 11, by the way.
For now, instead of creating a new policy I just added 'runcon -t unconfined_t' in the cron, and it seemed to do the trick.
Sincerely yours,
Vadym Chepkov
--- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
> From: Dominick Grift <domg472(a)gmail.com>
> Subject: Re: Domain transition missing
> To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> Date: Saturday, July 4, 2009, 8:57 AM
> On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
> > I've really gotten used to running my scripts unconfined; how can I accomplish it in this scenario?
> >
> > Sincerely yours,
> > Vadym Chepkov
> >
>
> if you want the system to run jobs you will need to write some policy or
> extend the system_cronjob_t domain I think
>
> Were those the only avc denials you got? I would expect more denials.
>
> > --- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
> >
> > > From: Dominick Grift <domg472(a)gmail.com>
> > > Subject: Re: Domain transition missing
> > > To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> > > Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> > > Date: Saturday, July 4, 2009, 8:41 AM
> > > On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
> > > > On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> > > > > Hi,
> > > > >
> > > > > Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night and as a law-abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in the system_cronjob_t domain instead of winbind_t and none of the other domains could connect to it.
> > > > >
> > > > > I think jobs running from cron should be granted the same transition rules as from unconfined_t.
> > > > >
> > > > > I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
> > > > >
> > > > > Sincerely yours,
> > > > > Vadym Chepkov
> > > >
> > > > A domain transition would be:
> > > >
> > > > policy_module(mywinbind, 0.0.1)
> > > >
> > > > require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> > > > domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
> > > >
> > > > Can you show us the full raw avc denial?
> > >
> > >
> > > But personally I would deal with this in a different way. I would write
> > > policy for the script that restarts winbind and then I would create a
> > > domain transition for the domain in which the script runs to winbind_t.
> > >
> > > Mainly because I wouldn't want to extend/modify system_cronjob_t
> > >
> > > So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
> > >
> > > > > --
> > > > > fedora-selinux-list mailing list
> > > > > fedora-selinux-list(a)redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > > >
> > >
> > >
>
>
>
>
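The chain Dominick sketches in the quoted reply (system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t), worked out as a loadable module. This is an added example, not code from the thread or from the Fedora policy; it assumes a watchdog script at /usr/local/sbin/winbind-watchdog, the module and domain name winbind_watchdog, and that the reference-policy interfaces named in the .te (cron_system_entry, samba_stream_connect_winbind, samba_domtrans_winbind, init_domtrans_script and the corecmd/files/miscfiles/logging helpers) exist under /usr/share/selinux/devel/include on the Fedora 11 host; check each before building. The 'runcon -t unconfined_t' workaround in the message above runs the whole cron job, and everything it starts, without confinement; a dedicated domain keeps the job confined while still letting winbindd land in winbind_t.

```shell
#!/bin/sh
# winbind_watchdog_policy.sh (assumed name): build and load a local SELinux
# module that gives the cron-run winbind watchdog its own domain:
#   system_cronjob_t -> winbind_watchdog_exec_t -> winbind_watchdog_t
#                    -> winbind_exec_t (or the init script) -> winbind_t
# Module name, domain names and script path are assumptions, not from the thread.
set -eu

MODULE=winbind_watchdog
SCRIPT=/usr/local/sbin/winbind-watchdog

# Type-enforcement source. Interface names follow the reference policy shipped
# with Fedora 11; confirm each one exists before building, e.g.
#   grep -l cron_system_entry /usr/share/selinux/devel/include/*/*.if
write_te() {
    cat <<'EOF'
policy_module(winbind_watchdog, 0.0.1)

########################################
#
# Declarations
#

type winbind_watchdog_t;
type winbind_watchdog_exec_t;
domain_type(winbind_watchdog_t)
domain_entry_file(winbind_watchdog_t, winbind_watchdog_exec_t)

# While iterating, make only this domain permissive so its denials are logged
# but not enforced; remove once the rules below are complete.
# permissive winbind_watchdog_t;

########################################
#
# Local policy
#

# system_cronjob_t executing winbind_watchdog_exec_t lands in
# winbind_watchdog_t instead of running the script as system_cronjob_t.
cron_system_entry(winbind_watchdog_t, winbind_watchdog_exec_t)

# A shell script needs a shell, /bin and /usr/bin, /etc, locale data, syslog.
corecmd_exec_shell(winbind_watchdog_t)
corecmd_exec_bin(winbind_watchdog_t)
files_read_etc_files(winbind_watchdog_t)
miscfiles_read_localization(winbind_watchdog_t)
logging_send_syslog_msg(winbind_watchdog_t)

# Health check: connect to winbindd over its unix socket.
samba_stream_connect_winbind(winbind_watchdog_t)

# Restart: whichever way the script starts winbindd, it must transition out
# of this domain, otherwise winbindd would again run in the calling domain.
# Through the init script ("service winbind restart"):
init_domtrans_script(winbind_watchdog_t)
# By executing winbindd directly:
samba_domtrans_winbind(winbind_watchdog_t)
EOF
}

# File context: label the watchdog script as the entry point of the new domain.
write_fc() {
    printf '%s\t--\tgen_context(system_u:object_r:winbind_watchdog_exec_t,s0)\n' "$SCRIPT"
}

# Build, load and relabel, then check that the transition rule is in the
# loaded policy and that the script carries the entrypoint type.
build_install() {
    dir=$1
    write_te > "$dir/$MODULE.te"
    write_fc > "$dir/$MODULE.fc"
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp")
    semodule -i "$dir/$MODULE.pp"
    restorecon -v "$SCRIPT"
    sesearch -T -s system_cronjob_t -t winbind_watchdog_exec_t -c process
    ls -Z "$SCRIPT"
}

# "sh winbind_watchdog_policy.sh install" builds and loads on the host;
# with no argument the script only defines the functions above.
if [ "${1:-}" = "install" ]; then
    build_install "$(mktemp -d)"
fi
```

After the next cron run, ps -eZ | grep winbindd should show winbindd in winbind_t, and the clients that were refused above connect again. If the watchdog script does more than the rules cover, leave the permissive line in while collecting denials with ausearch -m avc -ts recent | audit2allow -R, fold the suggested interface calls into the .te, then drop the permissive statement.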
Re: Domain transition missing
by Vadym Chepkov
Thank you
Every single daemon out there was choking, just a few:
type=AVC msg=audit(1246707387.606:8922): avc: denied { connectto } for pid=1313 comm="dovecot-auth" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707463.608:8931): avc: denied { connectto } for pid=6828 comm="sendmail" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707468.105:8932): avc: denied { connectto } for pid=6841 comm="procmail" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:procmail_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707508.622:8935): avc: denied { connectto } for pid=6847 comm="sendmail" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707508.629:8936): avc: denied { connectto } for pid=6851 comm="dbus-daemon-lau" path="/var/run/winbindd/pipe" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707632.720:8963): avc: denied { connectto } for pid=7855 comm="pop3" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707632.732:8964): avc: denied { connectto } for pid=7857 comm="dbus-daemon-lau" path="/var/run/winbindd/pipe" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
Sincerely yours,
Vadym Chepkov
--- On Sat, 7/4/09, Dominick Grift <domg472(a)gmail.com> wrote:
> From: Dominick Grift <domg472(a)gmail.com>
> Subject: Re: Domain transition missing
> To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> Date: Saturday, July 4, 2009, 8:38 AM
> On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> > Hi,
> >
> > Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night and as a law-abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in the system_cronjob_t domain instead of winbind_t and none of the other domains could connect to it.
> >
> > I think jobs running from cron should be granted the same transition rules as from unconfined_t.
> >
> > I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
> >
> > Sincerely yours,
> > Vadym Chepkov
>
> A domain transition would be:
>
> policy_module(mywinbind, 0.0.1)
>
> require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
>
> Can you show us the full raw avc denial?
>
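A small check, added here rather than taken from the thread, that turns denials like the ones above into a one-line diagnosis: it parses the raw AVC records, looks the target object's path up in a constructed table of service sockets and the domain expected to own them, and reports any object labelled with a different domain together with every source domain that was refused. The table entry for /var/run/winbindd/ and the file name are assumptions; the embedded sample input is the set of denials from the message above.

```shell
#!/bin/sh
# avc_wrong_domain.sh (assumed name): report service objects whose SELinux type
# is not the domain expected to own them, from raw audit.log AVC records.
set -eu

# Parse each "avc: denied" record, look the target path up in a table of
# well-known service sockets, and collect every source type that was refused
# when the object carries an unexpected domain type.
avc_wrong_domain() {
    awk '
    # value of " name=..." on the current record, surrounding quotes stripped
    function val(name,    m) {
        if (match($0, " " name "=\"?[^\" ]+")) {
            m = substr($0, RSTART, RLENGTH)
            sub("^[^=]*=\"?", "", m)
            return m
        }
        return ""
    }
    # the third field of an SELinux context is the type
    function ctx_type(ctx,    a) { split(ctx, a, ":"); return a[3] }
    BEGIN {
        # expected owning domain per path prefix (constructed table; extend as needed)
        expect["/var/run/winbindd/"] = "winbind_t"
    }
    /avc: +denied/ {
        i = index($0, "{"); j = index($0, "}")
        if (i == 0 || j <= i) next
        perm = substr($0, i + 2, j - i - 3)      # text between "{ " and " }"
        src = ctx_type(val("scontext")); tgt = ctx_type(val("tcontext"))
        cls = val("tclass"); path = val("path")
        if (path == "") next
        for (pre in expect) {
            if (index(path, pre) != 1 || expect[pre] == tgt) continue
            key = path SUBSEP tgt SUBSEP expect[pre]
            if (index(" " srcs[key] " ", " " src " ") == 0)
                srcs[key] = (srcs[key] == "" ? src : srcs[key] " " src)
            denied[key] = cls ":" perm
        }
    }
    END {
        for (key in srcs) {
            split(key, k, SUBSEP)
            printf "%s is %s, expected %s; %s denied for: %s\n", k[1], k[2], k[3], denied[key], srcs[key]
        }
    }'
}

# Sample input: the denials posted in the message above.
SAMPLE_AVC=$(cat <<'EOF'
type=AVC msg=audit(1246707387.606:8922): avc: denied { connectto } for pid=1313 comm="dovecot-auth" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707463.608:8931): avc: denied { connectto } for pid=6828 comm="sendmail" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707468.105:8932): avc: denied { connectto } for pid=6841 comm="procmail" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:procmail_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707508.622:8935): avc: denied { connectto } for pid=6847 comm="sendmail" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707508.629:8936): avc: denied { connectto } for pid=6851 comm="dbus-daemon-lau" path="/var/run/winbindd/pipe" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707632.720:8963): avc: denied { connectto } for pid=7855 comm="pop3" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707632.732:8964): avc: denied { connectto } for pid=7857 comm="dbus-daemon-lau" path="/var/run/winbindd/pipe" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
EOF
)

# Run the check over the sample; returns the diagnosis line(s).
diagnose_sample() {
    printf '%s\n' "$SAMPLE_AVC" | avc_wrong_domain
}

# Usage: sh avc_wrong_domain.sh /var/log/audit/audit.log
if [ $# -gt 0 ]; then
    avc_wrong_domain < "$1"
else
    diagnose_sample
fi
```

Feeding the same records to audit2allow would propose allow dovecot_auth_t system_cronjob_t:unix_stream_socket connectto; and one such rule per client, which only cements the mislabel. The line this check prints points at the real fault, a winbindd that was never transitioned (ps -eZ | grep winbindd shows it in system_cronjob_t), so the fix belongs in the transition rules for whatever starts winbindd, not in the clients.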
Domain transition missing
by Vadym Chepkov
Hi,
Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night and as a law-abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in the system_cronjob_t domain instead of winbind_t and none of the other domains could connect to it.
I think jobs running from cron should be granted the same transition rules as from unconfined_t.
I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
Sincerely yours,
Vadym Chepkov
proftpd and mod_ban
by Paul Howarth
proftpd's mod_ban uses shared memory, so I needed to add this policy
locally on F-11:
# Proftpd needs shared memory for mod_ban
allow ftpd_t self:shm create_shm_perms;
Paul.
Supporting multiple OS releases
by Rob Crittenden
In the freeIPA project we have our own SELinux policy. We support RHEL 5
up through Fedora Rawhide. With Fedora 11 we saw some problems compiling
our SELinux module, which Dan Walsh provided a patch for. I haven't tried
this on older releases yet but I'm guessing it won't work as expected
(some policies seem to have been renamed, such as
corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()).
My question is, how can we handle this in our source tree? Are we going
to need to maintain per-release policies or does SELinux support some
sort of versioning conditionals?
thanks
rob