The SELinux Documentation Project [Request for topics]
by Joshua Brindle
As we discussed at Linux Plumbers Conference during the "Making SELinux
Easier to Use" talk, we have some document deficiencies in the SELinux
project.
I volunteered to start an SELinux Documentation Project. The primary
purpose of the project would be to get as much documentation as possible
on the selinuxproject.org wiki, organized in a fashion that users can
understand and consume easily.
As I admitted before, we, the developers, are not always the best people
to judge what documentation users need, and therefore I am requesting
that users, hopefully from different backgrounds and environments, tell us
what documentation they feel is lacking, and what questions they've been
asked or have asked themselves and couldn't find documentation for.
I think we need basic documentation that tells about SELinux (both
beginner and advanced), howto's for specific things (using secmark,
using netlabel, etc) and a set of short 'recipes' to accomplish simple
tasks.
There are documents all over the place with various information, as well
as blog entries and mailing list archives but the effort here is to
consolidate all those resources onto selinuxproject.org.
I'd also like to see volunteers in the community to help out with the
documentation effort, I know quite a few people already write things
like this on blogs, etc and it would be great to see that information
moved/copied onto selinuxproject.org.
Users:
Please, if you are a user and have run into a lack of documentation,
respond to this thread, or privately if you aren't comfortable talking
on list, so that we can collect what the biggest deficiencies are and get
to writing documentation as soon as possible.
Thanks.
13 years, 9 months
Samba AVC
by Tony Molloy
Hi,
This is Centos 5.3 fully updated.
I'm getting the following error from setroubleshoot
SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old
(samba_log_t).
when samba tries to rotate the log files.
Running sealert I get the following (edited)
Summary:
SELinux is preventing samba (smbd) "unlink" to ./log.cs244-24.old
(samba_log_t).
Detailed Description:
SELinux denied samba access to ./log.cs244-24.old. If you want to share this
directory with samba it has to have a file context label of samba_share_t. If
^^^^^^^^^^^^^
you did not intend to use ./log.cs244-24.old as a samba repository it could
indicate either a bug or it could signal a intrusion attempt.
Allowing Access:
You can alter the file context by executing chcon -R -t samba_share_t
'./log.cs244-24.old' You must also change the default file context files on
the system in order to preserve them even on a full relabel. "semanage fcontext -a
-t samba_share_t './log.cs244-24.old'"
The following command will allow this access:
chcon -R -t samba_share_t './log.cs244-24.old'
Additional Information:
Source Context root:system_r:smbd_t
Target Context root:object_r:samba_log_t
Target Objects ./log.cs244-24.old [ file ]
Source smbd
Source Path /usr/sbin/smbd
Port <Unknown>
Host janus.x.y.z
Source RPM Packages samba-3.0.33-3.7.el5_3.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name samba_share
Host Name janus.x.y.z
Platform Linux janus.x.y.z 2.6.18-128.7.1.el5 #1 SMP
Mon Aug 24 08:21:56 EDT 2009 x86_64 x86_64
Alert Count 53
First Seen Fri Sep 25 15:54:24 2009
Last Seen Tue Sep 29 15:55:25 2009
Local ID e4426abc-3b0b-4df2-a380-3f0fba344c63
Line Numbers
Raw Audit Messages
host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied {
unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5
ino=164076 scontext=root:system_r:smbd_t:s0
tcontext=root:object_r:samba_log_t:s0 tclass=file
host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641): arch=c000003e
syscall=82 success=no exit=-13 a0=2b1b457b5220 a1=7fffa9a7ba90 a2=1f a3=0
items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=1675 comm="smbd" exe="/usr/sbin/smbd"
subj=root:system_r:smbd_t:s0 key=(null)
log.cs244-24.old is a file, not a directory, and it's located in
the /var/log/samba directory with permissions
system_u:object_r:samba_log_t samba
Any ideas,
Tony
--
Dept. of Comp. Sci.
University of Limerick.
14 years
Clamav/SeLinux, issue with system call recvmsg, and auxiliary data.
by J. David Rye of Roadtech
Hello All
I triggered this issue with clamav/clamav-milter 0.95.2 from rpmforge running on a test box with Centos 5.3
Clamd opens a socket /var/run/clamav/clamd.sock to accept requests to scan things.
ls -Z /var/run/clamav/clamd.sock
srwxrwxrwx clamav clamav root:object_r:clamd_var_run_t /var/run/clamav/clamd.sock
Requests are read using the system call recvmsg; this allows for the passing of auxiliary control data.
Clamav-milter 0.95.2 uses this to pass a handle to the temp file containing the data to be scanned.
With SeLinux set to targeted enforcing, this call reads and returns the normal data fine, but returns with the
flag MSG_CTRUNC set.
According to the man page this
"indicates that some control data were discarded due to lack of space in the buffer for ancillary data."
clamd responded by closing the socket, clamav-milter responded to the closed socket by looping a 100% CPU. :-(
Running the audit log through audit2allow suggests
grep clam /var/log/audit/audit.log | audit2allow -m local > local.te
[root@fallback0 selinux]# cat local.te
module local 1.0;
require {
type initrc_tmp_t;
type proc_t;
type sysctl_kernel_t;
type clamd_t;
class dir search;
class file { read write getattr };
}
#============= clamd_t ==============
allow clamd_t initrc_tmp_t:file { read write getattr };
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
The allow clamd_t proc_t:file { read getattr }; looks to relate to reading /proc/meminfo
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
Look to relate to these log entries
type=AVC msg=audit(1254139856.343:48724): avc: denied { search } for pid=14771 comm="clamd" name="kernel" dev=proc ino=-268435416 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1254139856.343:48724): avc: denied { read } for pid=14771 comm="clamd" name="ngroups_max" dev=proc ino=-268435368 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1254149740.665:48885): avc: denied { search } for pid=1261 comm="clamd" name="kernel" dev=proc ino=-268435416 scontext=root:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
This, if I have figured it out right, relates to something that clamd is calling in turn trying to read /proc/sys/kernel/ngroups_max
So by elimination
allow clamd_t initrc_tmp_t:file { read write getattr };
must relate to the use of auxiliary data with the socket, and the following log entries, but I do not see why.
Can anyone explain?
type=AVC msg=audit(1254150147.188:48924): avc: denied { read write } for pid=1288 comm="clamd" path=2F746D702F636C616D61762D3063666237656532666331656139656636323364373463316236626532623735202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1254150153.681:48925): avc: denied { read write } for pid=1288 comm="clamd" path=2F746D702F636C616D61762D3336316332323033323138613239633865363633633937303962663133363664202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1254150177.903:48926): avc: denied { read write } for pid=1288 comm="clamd" path=2F746D702F636C616D61762D3366636162623138633237636231383466643064656630643838353063363933202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1254150188.366:48927): avc: denied { read write } for pid=1288 comm="clamd" path=2F746D702F636C616D61762D6366393131623632353130333564353832656435396466663136373362626131202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1254150220.428:48928): avc: denied { read write } for pid=1288 comm="clamd" path=2F746D702F636C616D61762D3931633534623761393630653531386630363539653033363537303937323135202864656C6574656429 dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
Yours
J. David Rye
14 years
Logging with bind-chroot
by Paul Howarth
Today's update of bind in F11 suggests adding this line to
/etc/rsyslog.conf to maintain logging with a chroot-ed bind:
$AddUnixListenSocket /var/named/chroot/dev/log
For this to work on F-11, I needed to add the following policy module:
::::::::::::::
mybindchroot.fc
::::::::::::::
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
::::::::::::::
mybindchroot.te
::::::::::::::
policy_module(mybindchroot, 0.0.4)
require {
type syslogd_t;
}
# rsyslog needs to search the bind chroot when creating
# /dev/log in the chroot
bind_search_cache(syslogd_t)
I'd expect the same to apply in other releases too.
Paul.
14 years
have finally succeeded installing rawhide by livecd, got sealert but couldn't load it :(
by Antonio Olivares
[liveuser@localhost ~]$ sealert
Traceback (most recent call last):
File "/usr/bin/sealert", line 37, in <module>
import slip.dbus.service
File "/usr/lib/python2.6/site-packages/slip/dbus/__init__.py", line 1, in <module>
import bus
ImportError: No module named bus
[liveuser@localhost ~]$ dmesg | grep 'avc'
type=1400 audit(1254092543.093:7): avc: denied { read } for pid=844 comm="passwd" path="/dev/console" dev=tmpfs ino=2114 scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=1400 audit(1254092543.094:8): avc: denied { read } for pid=844 comm="passwd" path="/dev/console" dev=tmpfs ino=2114 scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
installed from KDE-x86_64-20090926.19
[liveuser@localhost ~]$ uname -r
2.6.31.1-48.fc12.x86_64
[liveuser@localhost ~]$ cat /etc/fedora-release
Fedora release 11.91 (Rawhide)
Regards,
Antonio
14 years
Dear List members
by tarnait
Hi,
I'm new to SElinux and I'm a bit careful with it, so up till now I want to run it in permissive mode. After reading lots of docs I fixed most of my problems, but there are still some errors in audit.log. Now I would like to ask you to review these errors and give me feedback on whether these rules are safe to add to my policy or not. In summary, is my understanding correct that:
O auditctl, ifconfig, iptables-restor, dmesg and pppd try to write to the console,
O pppd searches something in the root home directory ??!,
O and iptables writes to a socket?
If I added this policy to the module, wouldn't it be too much (e.g. could pppd, for example, access all my files)?
Thanks for the answers,
Kind Regards, Tibor
type=AVC msg=audit(1253870573.883:13): avc: denied { read write } for pid=877 comm="auditctl" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1253870574.190:15): avc: denied { read write } for pid=918 comm="ifconfig" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1253870574.264:16): avc: denied { read write } for pid=921 comm="pppd" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1253870574.325:17): avc: denied { search } for pid=921 comm="pppd" name="root" dev=sda1 ino=12 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1253870574.401:18): avc: denied { read write } for pid=929 comm="iptables-restor" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1253870576.482:19): avc: denied { read write } for pid=1087 comm="dmesg" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1253870578.829:20): avc: denied { read write } for pid=1242 comm="iptables" path="socket:[3131]" dev=sockfs ino=3131 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
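Added example, not from any of the posts above: a small Python parser for the raw type=AVC records quoted in the Samba, clamav and console-denial messages. It groups denials into allow rules the way audit2allow does, decodes the hex-encoded path= field in the clamd records (audit hex-encodes a value that contains a space, here a " (deleted)" suffix), and flags two cases where an allow rule is the wrong answer: a target labelled file_t, meaning the object is unlabeled and should be relabelled, and a descriptor to an already-unlinked file. The sample records are constructed from the posts; the grouping and flagging logic is the example's own, not setroubleshoot's or audit2allow's.

```python
import re
from collections import defaultdict

# Constructed samples, one per record shape seen in the posts: a hex-encoded
# path= (clamd), a quoted name= (smbd), and a target labelled file_t (auditctl).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1254150147.188:48924): avc: denied { read write } for pid=1288 '
    'comm="clamd" path=2F746D702F636C616D61762D3063666237656532666331656139656636323364373463316236626532623735202864656C6574656429 '
    'dev=dm-0 ino=34668546 scontext=root:system_r:clamd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1254236125.438:70641): avc: denied { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" '
    'dev=sda5 ino=164076 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file',
    'type=AVC msg=audit(1253870573.883:13): avc: denied { read write } for pid=877 comm="auditctl" name="console" '
    'dev=sda1 ino=15533 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_field(key, value):
    # audit quotes printable values; path/name/comm/exe with spaces or odd bytes are hex
    if value.startswith('"'):
        return value[1:-1]
    if key in ('path', 'name', 'comm', 'exe') and re.fullmatch(r'(?:[0-9A-F]{2})+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace')
    return value

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: decode_field(k, v) for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'perms': sorted(m.group('perms').split()), 'comm': f.get('comm', '?'),
            'stype': f['scontext'].split(':')[2], 'ttype': f['tcontext'].split(':')[2],
            'tclass': f['tclass'], 'object': f.get('path') or f.get('name', '?')}

def summarize(lines):
    """Group denials into allow rules the way audit2allow does, and flag ones not worth allowing."""
    rules, notes = defaultdict(set), []
    for rec in filter(None, map(parse_avc, lines)):
        rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
        if rec['ttype'] == 'file_t':   # unlabeled object: fix the label (restorecon), not the policy
            notes.append('%s: target is file_t (unlabeled); relabel instead of allowing' % rec['object'])
        if rec['object'].endswith('(deleted)'):   # descriptor to an unlinked file, e.g. passed over a socket
            notes.append('%s: holds a descriptor to unlinked file %s' % (rec['comm'], rec['object']))
    allow = []
    for (s, t, c), perms in sorted(rules.items()):
        p = ' '.join(sorted(perms))
        allow.append('allow %s %s:%s %s;' % (s, t, c, p if len(perms) == 1 else '{ %s }' % p))
    return allow, notes
```

Feed it `grep avc /var/log/audit/audit.log` and compare the allow list with what audit2allow proposes; the notes list is what audit2allow will not tell you.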
14 years
New equivalent to browser_confine_xguest?
by Bruno Wolff III
There used to be a boolean browser_confine_xguest, but there no longer is.
Is there a simple way to not let firefox connect to the network when run
by an xguest user?
14 years
Can I allow console_type_t to access pppd_t?
by chenh
Every time I use an adsl connection, AVC alerts: "SELinux is preventing consoletype (consoletype_t) "read write" pppd_t." I typed "audit2allow -a" and saw:
#============= alsa_t ==============
allow alsa_t file_t:file read;
#============= consoletype_t ==============
allow consoletype_t file_t:file read;
allow consoletype_t pppd_t:packet_socket { read write };
#============= dmesg_t ==============
allow dmesg_t file_t:file read;
#============= hwclock_t ==============
allow hwclock_t file_t:file read;
#============= ifconfig_t ==============
allow ifconfig_t file_t:file read;
#============= mount_t ==============
allow mount_t file_t:file unlink;
#============= setroubleshootd_t ==============
allow setroubleshootd_t locate_var_lib_t:file read;
There are two rules about consoletype above. Is it safe to add them using audit2allow? Thanks!
14 years