Testing SELinux
by John Smith
Hello,
I'm doing some testing of SELinux; so far I have created a domain for a special program. It does work correctly.
I have not given the domain any permissions to access any top level directories or their subdirectories since I am running it in chroot.
The thing is, when it came to testing, I created some bash files and labelled them with exec as the entry to the domain.
But even after changing the default security context for these bash files, when executing them they are still in the unconfined domain instead of entering the new domain for testing.
Can anyone identify where the problem is?
Thanks in advance
14 years, 8 months
SELinux Reset
by Peter Joseph
While experimenting with SELinux, I finally managed to lock myself out of the
system. The only way to get back in was to add "selinux=0" to the end of
the kernel line.
Now, if I run in a permissive mode the following message appears when I try
to log in:
"Could not connect to session bus: An SELinux policy prevents this sender
from sending this message to this recipient (rejected message had sender
"(unset)" interface "org.freedesktop.DBus" member "Hello" error name
"(unset)" destination "org.freedesktop.DBus)."
I am forced to go back to the grub prompt and disable SELinux again, in
order to get in. What is the best way to reset SEL to its original state?
--
View this message in context: http://www.nabble.com/SELinux-Reset-tp24855587p24855587.html
Sent from the Fedora SELinux List mailing list archive at Nabble.com.
14 years, 8 months
F9: sendmail AVC complaint
by Dan Thurman
I got this AVC complaint fairly recently so please
let me know how to fix this one thanks!
File: /var/log/messages
=================================================
setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read" to /var/log/messages (var_log_t). For complete SELinux messages. run sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
$ sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
=================================================
Summary:
SELinux is preventing sendmail (system_mail_t) "read" to /var/log/messages (var_log_t).
Detailed Description:
SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/log/messages,
restorecon -v '/var/log/messages'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context system_u:object_r:var_log_t:s0
Target Objects /var/log/messages [ file ]
Source sendmail
Source Path /usr/sbin/sendmail.sendmail
Port <Unknown>
Host mysystem.mydomain.com
Source RPM Packages sendmail-8.14.2-4.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-135.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name mysystem.mydomain.com
Platform Linux mysystem.mydomain.com 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686
Alert Count 1
First Seen Mon Aug 10 04:47:23 2009
Last Seen Mon Aug 10 04:47:23 2009
Local ID 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
Line Numbers
Raw Audit Messages
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/messages" dev=sda6 ino=86361 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/secure" dev=sda6 ino=86369 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/maillog" dev=sda6 ino=4956165 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=SYSCALL msg=audit(1249904843.352:37350): arch=40000003 syscall=11 success=yes exit=0 a0=8f4e3d0 a1=8f4e458 a2=8f4da48 a3=0 items=0 ppid=16704 pid=16757 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=6305 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
14 years, 8 months
HPLIP and Fedora9
by Arthur Dent
Hello all,
I tried today to install the latest hplip package from
http://hplipopensource.com to use the printer driver for my HP Printer
on my Fedora 9 system (I plan to upgrade to Fedora 11 in the next few
weeks). The install package warns you to turn off selinux so I
setenforce 0. I assumed that I would be able to write a policy before
resuming enforcing mode.
The install went fine with no avcs. I then tried to print a test page
and got 3 avcs (I can post in full if required).
SELinux is preventing hp (hplip_t) "name_bind" howl_port_t.
SELinux is preventing hp (hplip_t) "search" to ./dbus
(system_dbusd_var_run_t).
SELinux is preventing hpcups (cupsd_t) "name_bind" howl_port_t.
From these I tried to create a policy using audit2allow. This is what it
proposed:
##########################################
# cat myhplip.te
policy_module(myhplip, 9.0.1)
require {
type cupsd_t;
type hplip_t;
type system_dbusd_t;
class unix_stream_socket { write connectto search };
}
#============= cupsd_t ==============
corenet_udp_bind_howl_port(cupsd_t)
#============= hplip_t ==============
allow hplip_t system_dbusd_t:unix_stream_socket { write connectto search };
corenet_udp_bind_howl_port(hplip_t)
##########################################
"make -f" worked OK on this, but when I tried semodule -i I got the
following error:
[root@localhost selinux]# semodule -i myhplip.pp
libsepol.permission_copy_callback: Module myhplip depends on permission
search in class unix_stream_socket, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Is there any way I can resolve this?
The only existing bug I can find on hplip is 516078
(https://bugzilla.redhat.com/show_bug.cgi?id=516078) is it related?
Thanks in advance for any help or suggestions...
Mark
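The semodule error above says exactly what is wrong with the generated module: `search` is not a permission of the `unix_stream_socket` class. The one `search` denial in the post was on the `./dbus` directory (`system_dbusd_var_run_t`), so it belongs to the `dir` class. The following added example (not code from the post, from audit2allow, or from the Fedora policy) is a small pre-flight check that parses the `class` declarations and access-vector rules of a `.te` file and reports permissions a class does not define, so the mistake is caught before `semodule -i`. The permission tables are an assumed partial excerpt of the reference policy's access vectors covering only the two classes involved, and `MYHPLIP_FIXED_TE` is an assumed correction, not a module the poster or the list verified.

```python
import re

# Assumed, partial excerpt of the permission sets defined for two object
# classes in the SELinux reference policy's access vectors; only the classes
# needed to check the module from the post are listed.
_SOCKET_COMMON = {
    "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
    "relabelfrom", "relabelto", "append", "bind", "connect", "listen",
    "accept", "getopt", "setopt", "shutdown", "recvfrom", "sendto",
    "recv_msg", "send_msg", "name_bind",
}
_FILE_COMMON = {
    "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
    "relabelfrom", "relabelto", "append", "unlink", "link", "rename",
    "execute", "swapon", "quotaon", "mounton", "open",
}
CLASS_PERMS = {
    "unix_stream_socket": _SOCKET_COMMON | {"connectto", "newconn", "acceptfrom"},
    "dir": _FILE_COMMON | {"add_name", "remove_name", "reparent", "search", "rmdir"},
}

# `class NAME perm;` or `class NAME { perms };` inside a require block
CLASS_DECL_RE = re.compile(r"^\s*class\s+(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)
# `allow SRC TGT:CLASS perm;` or `allow SRC TGT:CLASS { perms };`
AV_RULE_RE = re.compile(
    r"^\s*(?:allow|dontaudit|auditallow)\s+\S+\s+\S+:(\w+)\s+(\{[^}]*\}|\w+)\s*;",
    re.M,
)

# The module exactly as the post shows it (wrapped allow rule joined).
MYHPLIP_TE = """\
policy_module(myhplip, 9.0.1)
require {
    type cupsd_t;
    type hplip_t;
    type system_dbusd_t;
    class unix_stream_socket { write connectto search };
}
#============= cupsd_t ==============
corenet_udp_bind_howl_port(cupsd_t)
#============= hplip_t ==============
allow hplip_t system_dbusd_t:unix_stream_socket { write connectto search };
corenet_udp_bind_howl_port(hplip_t)
"""

# Assumed correction: the "search" denial was on the ./dbus directory
# (system_dbusd_var_run_t), so it is a dir permission; the socket
# permissions stay as audit2allow produced them.
MYHPLIP_FIXED_TE = """\
policy_module(myhplip, 9.0.2)
require {
    type cupsd_t;
    type hplip_t;
    type system_dbusd_t;
    type system_dbusd_var_run_t;
    class unix_stream_socket { write connectto };
    class dir search;
}
corenet_udp_bind_howl_port(cupsd_t)
corenet_udp_bind_howl_port(hplip_t)
allow hplip_t system_dbusd_t:unix_stream_socket { write connectto };
allow hplip_t system_dbusd_var_run_t:dir search;
"""


def _perm_list(spec):
    """Turn `read` or `{ read write }` into a list of permission names."""
    return spec.strip("{} \t\n").split()


def check_te(te_text):
    """Return sorted (class, permission) pairs that the class does not define.

    Classes absent from CLASS_PERMS are skipped rather than guessed at."""
    problems = set()
    for cls, spec in CLASS_DECL_RE.findall(te_text) + AV_RULE_RE.findall(te_text):
        known = CLASS_PERMS.get(cls)
        if known is None:
            continue
        for perm in _perm_list(spec):
            if perm not in known:
                problems.add((cls, perm))
    return sorted(problems)


if __name__ == "__main__":
    for name, text in (("as posted", MYHPLIP_TE), ("corrected", MYHPLIP_FIXED_TE)):
        print(name, "->", check_te(text) or "no unknown permissions")
```

The check only judges classes it has a table for; in a real setup the permission sets would be read from the installed policy (e.g. `seinfo` from setools) rather than hard-coded, and a dbus interface from the policy's `dbus.if` would normally be preferred over raw allow rules for the socket access.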
14 years, 8 months
SELinux and Wine
by Ryan Anthony
Hello,
I use FC11 64 bit and have the default (add/remove software) installation
for both SELinux and Wine. I've been trying to get my Windows programs to
run but see entries in my setroubleshoot log regarding Wine not being
cleared for "allow_execmem" or "mmap_zero." I'm not that experienced with
it, but I gather enabling either of these would be a bad thing from what
I've already seen on google. Is there a way I can get Wine to run without
effectively disabling SELinux?
Regards,
Ryan
14 years, 8 months
Conflicting contexts for httpd and Samba
by Trevor Hemsley
I have a machine where I am trying to turn on selinux in enforcing mode
- currently running in permissive mode while I sort out what's likely to
stop working. On this machine I have both Samba and Apache. The Samba
server has shares on a disk partition that's mounted on /share and I was
getting AVCs for this so I used semanage and restorecon to mark all
directories on there as context samba_share_t. Works great except that
one directory on that share is also used by Apache and then I started
getting AVCs for that dir whenever someone tried to access its content
over http. Having done some reading I then tried to mark that directory
as context public_content_t and that gets rid of the AVCs for http but I
get them back for the Samba server instead :(
The directory in question that resides on the /share partition is used
by the Sophos Anti-Virus Enterprise Console to keep copies of all its
install materials and locally cached copies of all the AV definition
files. We have a Windows XP machine that runs the Enterprise Console and
this updates the AV definitions on the Samba share about every 5 minutes
- so Samba needs to have update access to the directory in question.
For users outside the main office we also make the Sophos AV definitions
available over https so Apache needs to be able to read the same
directory that Samba can write to. Both Samba and Apache processes are
running on the same machine and are accessing /share as a local file
system. I can see booleans that let Apache access Samba shares as
network drives but not as local file systems.
These are the sort of AVCs I am currently getting and I'm now out of
ideas about how to solve this. Does anyone have any suggestions please?
[root@here manifests]# ausearch -i -a 12027
----
type=SYSCALL msg=audit(07/08/09 09:14:50.432:12027) : arch=x86_64 syscall=open success=yes exit=41 a0=7fff3638c690 a1=42 a2=1f4 a3=4a7bf08a items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc: denied { create } for pid=460 comm=smbd name=pws-bcr.ide scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc: denied { add_name } for pid=460 comm=smbd name=pws-bcr.ide scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc: denied { write } for pid=460 comm=smbd name=savxp dev=drbd3 ino=2293891 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
[root@here manifests]# ausearch -i -a 12028
----
type=SYSCALL msg=audit(07/08/09 09:14:50.434:12028) : arch=x86_64 syscall=ftruncate success=yes exit=0 a0=29 a1=0 a2=2ad636132320 a3=1 items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:50.434:12028) : avc: denied { write } for pid=460 comm=smbd name=pws-bcr.ide dev=drbd3 ino=2850949 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
[root@here manifests]# ausearch -i -a 12029
----
type=SYSCALL msg=audit(07/08/09 09:14:50.440:12029) : arch=x86_64 syscall=utimes success=yes exit=0 a0=7fff3638b4d0 a1=7fff3638a9a0 a2=71be1 a3=0 items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:50.440:12029) : avc: denied { setattr } for pid=460 comm=smbd name=pws-bcr.ide dev=drbd3 ino=2850949 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
[root@here manifests]# ausearch -i -a 12030
----
type=SYSCALL msg=audit(07/08/09 09:14:52.556:12030) : arch=x86_64 syscall=unlink success=yes exit=0 a0=2ad63619e430 a1=2ad63619e430 a2=0 a3=2ad623feab20 items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:52.556:12030) : avc: denied { unlink } for pid=460 comm=smbd name=cidsync.upd dev=drbd3 ino=1572898 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(07/08/09 09:14:52.556:12030) : avc: denied { remove_name } for pid=460 comm=smbd name=cidsync.upd dev=drbd3 ino=1572898 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
[root@here manifests]# ausearch -i -a 12031
----
type=SYSCALL msg=audit(07/08/09 09:14:52.559:12031) : arch=x86_64 syscall=stat success=yes exit=0 a0=7fff3638adb8 a1=7fff3638b1a0 a2=7fff3638b1a0 a3=0 items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:52.559:12031) : avc: denied { getattr } for pid=460 comm=smbd path=/codefarm/backups dev=dm-15 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(07/08/09 09:14:52.559:12031) : avc: denied { search } for pid=460 comm=smbd name=codefarm dev=dm-0 ino=819201 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir
[root@here manifests]# ausearch -i -a 12032
----
type=SYSCALL msg=audit(07/08/09 09:14:52.559:12032) : arch=x86_64 syscall=stat success=yes exit=0 a0=2ad636320285 a1=7fff3638ae60 a2=7fff3638ae60 a3=0 items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:52.559:12032) : avc: denied { getattr } for pid=460 comm=smbd path=/proc/sys/fs/binfmt_misc dev=binfmt_misc ino=6477 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir
[root@here manifests]#
--
Trevor Hemsley
Infrastructure Engineer
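Both the sendmail report earlier in this digest and the smbd records above are raw AVC denials, and the first thing a practitioner does with a pile of them is what audit2allow does internally: parse each record, reduce the contexts to their type fields, and group the requested permissions by (source type, target type, class) so the actual access pattern is visible before any policy is written. The following added example (not code from either post, from audit2allow, or from the audit tools) does that grouping over sample lines taken from the two reports on this page, handling both the numeric `audit.log` form and the interpreted `ausearch -i` form; the sample text is constructed from the page's records joined onto one line each.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records from the two reports on this page, one per
# line. The sendmail lines are in raw audit.log form, the smbd lines in the
# interpreted `ausearch -i` form; a SYSCALL record is included to show it is
# ignored.
SAMPLE_AVCS = """\
type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/messages" dev=sda6 ino=86361 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/secure" dev=sda6 ino=86369 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc: denied { create } for pid=460 comm=smbd name=pws-bcr.ide scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc: denied { add_name } for pid=460 comm=smbd name=pws-bcr.ide scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc: denied { write } for pid=460 comm=smbd name=savxp dev=drbd3 ino=2293891 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=SYSCALL msg=audit(07/08/09 09:14:50.432:12027) : arch=x86_64 syscall=open success=yes exit=41 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
"""

# "avc: denied { perms } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values may be double-quoted in raw audit.log output
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # raw records carry path=, interpreted ones often only name=
        "object": fields.get("path") or fields.get("name"),
    }


def context_type(ctx):
    """user:role:type[:range] -> type (the field policy rules are written in)."""
    return ctx.split(":")[2]


def summarize(text):
    """Group denials as audit2allow does: {(src type, tgt type, class): perms}."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
            groups[key] |= rec["perms"]
    return dict(groups)


def allow_rules(groups):
    """Render the grouped denials as the raw allow rules audit2allow would propose.

    This is the starting point for review, not something to load blindly: the
    system_mail_t -> var_log_t read is exactly the kind of access setroubleshoot
    flags as unexpected, and the right fix is often a relabel or a boolean."""
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```

Grouping by type is what makes the Samba/Apache conflict above legible: one target type (`public_content_t`) is collecting `write`, `create`, `add_name` and `unlink` requests from `smbd_t`, which is the signature of a label chosen for a read-only consumer being applied to a directory that another domain writes to.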
14 years, 8 months
Some AVC denials to consider:
by Dominick Grift
dev_rw_generic_files(NetworkManager_t)
allow consoletype_t device_t:file { read getattr ioctl };
xserver_rw_xdm_home_files(staff_dbusd_t)
allow staff_t staff_screen_t:process sigchld;
allow staff_t print_spool_t:dir getattr;
allow staff_t screen_var_run_t:fifo_file read;
dev_rw_dri(staff_t)
allow ifconfig_t device_t:file read;
allow mount_t dgrift_t:unix_stream_socket { read write };
allow nscd_t device_t:file read;
allow ifconfig_t device_t:file read;
allow mount_t dgrift_t:unix_stream_socket { read write };
allow nscd_t device_t:file read;
term_use_console(portreserve_t)
allow readahead_t proc_kcore_t:file getattr;
allow readahead_t self:capability net_admin;
allow rpcbind_t self:udp_socket listen;
allow xdm_dbusd_t xdm_var_lib_t:dir search;
dev_rw_generic_files(auditctl_t)
allow readahead_t self:capability net_admin;
fs_rw_tmpfs_chr_files(readahead_t)
fprintd_dbus_chat(staff_sudo_t)
fprintd_dbus_chat(staff_t)
fprintd_dbus_chat(fprintd_t)
14 years, 8 months
spamassassin transition
by Scott Radvan
Hi,
Working on the Postfix chapter in my SELinux managing confined services
book [0] and am having trouble with Postfix/spamassassin.
I have got email traversing back and forth just fine, but I am trying to
invoke a denial or a problem for which I can document the work-around.
spamassassin_can_network seems to be a good Boolean to explain, show
the denial and then show the work-around for.
This Boolean is off by default, which as far as I can tell would stop
spamassassin from launching as a daemon listening on the machine's
actual IP/interface.
But my problem is that it is launching without a problem and listening
on the machine's interface without error. I am assuming that it is
working fine because the spamassassin processes are only launching as
initrc_t, when it should be transitioning to something else..?
# ps -eZ | grep spamd
unconfined_u:system_r:initrc_t:s0 3085 ? 00:00:01 spamd
unconfined_u:system_r:initrc_t:s0 3087 ? 00:00:00 spamd
unconfined_u:system_r:initrc_t:s0 3088 ? 00:00:00 spamd
# ls -lZ /etc/init.d/spamassassin
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/spamassassin
(I tried labelling this differently to this default setting, to
spamd_initrc_exec_t, but to no avail.)
# getsebool -a | grep spam
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
Basically I need to make sure spamassassin is starting normally so that
the Boolean mentioned will block access. So any help is appreciated,
should spamassassin as a daemon transition to something other than
initrc_t? And how do I get it to do so?
Or am I going down the wrong track to get this Boolean which is off by
default to do something which I can demonstrate and fix?
Thank you,
--
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane) http://www.apac.redhat.com
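The observation driving this post is the right one: a daemon still running as `initrc_t` after its init script has started it has not gone through a domain transition, so the rules and booleans written for its own domain never apply to it. The following added example (not code from the post or from Red Hat) turns that observation into a check over `ps -eZ` output, reporting every process whose type is not the domain its policy expects. The sample output is constructed from the three spamd rows in the post plus two assumed rows, and the expected-domain mapping is an assumption for the example.

```python
import re

# Constructed sample in `ps -eZ` layout: the three spamd rows from the post,
# plus an assumed correctly confined postfix master and a user shell.
PS_EZ_OUTPUT = """\
LABEL                                     PID TTY          TIME CMD
unconfined_u:system_r:initrc_t:s0        3085 ?        00:00:01 spamd
unconfined_u:system_r:initrc_t:s0        3087 ?        00:00:00 spamd
unconfined_u:system_r:initrc_t:s0        3088 ?        00:00:00 spamd
system_u:system_r:postfix_master_t:s0    2980 ?        00:00:00 master
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4101 pts/0 00:00:00 bash
"""

# Domain each daemon should be in once its init script label triggers the
# transition (assumed mapping for this example).
EXPECTED_DOMAIN = {"spamd": "spamd_t", "master": "postfix_master_t"}

# context, pid, tty, time, command
PS_LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S.*)$")


def parse_ps_ez(text):
    """Parse `ps -eZ` rows into dicts; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        m = PS_LINE_RE.match(line)
        if m:
            rows.append({"context": m.group(1), "pid": int(m.group(2)), "cmd": m.group(5).strip()})
    return rows


def domain_type(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def find_untransitioned(text, expected=EXPECTED_DOMAIN):
    """Return (pid, cmd, actual type, expected type) for daemons not in their domain.

    A daemon left in initrc_t (or unconfined_t) was started without a
    transition, typically because the init script or the daemon binary is
    not labelled with the entry type the policy keys the transition on."""
    findings = []
    for row in parse_ps_ez(text):
        want = expected.get(row["cmd"])
        if want is None:
            continue  # not a daemon we have an expectation for
        have = domain_type(row["context"])
        if have != want:
            findings.append((row["pid"], row["cmd"], have, want))
    return findings


if __name__ == "__main__":
    for pid, cmd, have, want in find_untransitioned(PS_EZ_OUTPUT):
        print(f"pid {pid} ({cmd}) runs as {have}, expected {want}")
```

When this reports a daemon in `initrc_t`, the next things to inspect are the label on the daemon binary itself (`ls -Z` on the spamd executable) and the init script, since the transition rule is keyed on the executable's type rather than on the name of the process.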
14 years, 8 months