Apache/PHP mail function SELinux permissions
by Ted Rule
I've had a "problem" recently with SELinux permissions related to PHP's
mail functions. These appear to give rise to two different classes of error,
one for read permissions on the httpd_t domain itself, and one for
read/write permission on a file in the httpd_tmp_t domain.
aureport gives this:
$ sudo aureport -a |grep system_mail |head
6. 25/10/09 13:12:48 sendmail user_u:system_r:system_mail_t:s0 11 file read user_u:system_r:httpd_t:s0 denied 116101
7. 25/10/09 13:15:57 sendmail user_u:system_r:system_mail_t:s0 11 file read write user_u:object_r:httpd_tmp_t:s0 denied 116102
17. 25/10/09 13:39:46 sendmail user_u:system_r:system_mail_t:s0 11 file read write user_u:object_r:httpd_tmp_t:s0 denied 116124
23. 25/10/09 13:43:04 sendmail user_u:system_r:system_mail_t:s0 11 file read write user_u:object_r:httpd_tmp_t:s0 denied 116136
24. 25/10/09 13:43:04 sendmail user_u:system_r:system_mail_t:s0 11 file read user_u:system_r:httpd_t:s0 denied 116136
30. 25/10/09 13:52:57 sendmail user_u:system_r:system_mail_t:s0 11 file read write user_u:object_r:httpd_tmp_t:s0 denied 116148
31. 25/10/09 13:52:57 sendmail user_u:system_r:system_mail_t:s0 11 file read user_u:system_r:httpd_t:s0 denied 116148
39. 25/10/09 14:01:18 sendmail user_u:system_r:system_mail_t:s0 11 file read write user_u:object_r:httpd_tmp_t:s0 denied 116168
40. 25/10/09 14:01:18 sendmail user_u:system_r:system_mail_t:s0 11 file read user_u:system_r:httpd_t:s0 denied 116168
48. 25/10/09 14:11:50 sendmail user_u:system_r:system_mail_t:s0 11 file read write user_u:object_r:httpd_tmp_t:s0 denied 116181
Policy on the Apache hosts currently uses selinux-policy-2.4.6-203.el5
Looking in more detail at ausearch we see that the httpd_t related AVC is apparently related to an "eventpoll" file descriptor, whilst the httpd_tmp_t AVC is probably for a file created by PHP in /tmp.
Looking at the PHP source code itself, I see that it is simply opening a temporary file containing the body of the email and pouring it via a pipe into an instance of sendmail via popen().
As such, it seems likely that both classes of AVCs are simply file descriptors "leaking" into the popen'ed child process running in the system_mail_t domain.
Sadly, for other reasons, the Apache hosts are still in permissive, so it's currently unclear to me whether the PHP mail function would fail completely if either of these permissions were denied in enforcing mode, but it makes me wonder whether there would be any sense in a wider solution to leaky descriptors which caused popen() itself to close all file descriptors other than STDIN/STDOUT/STDERR if the popen'ed executable implies a domain transition. Alternatively, one might envisage a set of SELinux booleans which allowed more granular control of leaked descriptors outside of STDIN/STDOUT/STDERR.
The other potential policy improvement would be for system_mail_t to simply "dontaudit" denials relating to eventpoll class file descriptors and temporary files in context *_tmp_t.
time->Sun Oct 25 13:12:48 2009
type=SYSCALL msg=audit(1256476368.217:116101): arch=40000003 syscall=11 success=yes exit=0 a0=97e5ff0 a1=97e5798 a2=97e5600 a3=40 items=0 ppid=20809 pid=22040 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256476368.217:116101): avc: denied { read } for pid=22040 comm="sendmail" path="eventpoll:[129640960]" dev=eventpollfs ino=129640960 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
----
time->Sun Oct 25 13:15:57 2009
type=SYSCALL msg=audit(1256476557.234:116102): arch=40000003 syscall=11 success=yes exit=0 a0=9ab7ff0 a1=9ab7798 a2=9ab7600 a3=40 items=0 ppid=21767 pid=22099 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256476557.234:116102): avc: denied { read write } for pid=22099 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
----
time->Sun Oct 25 13:39:46 2009
type=SYSCALL msg=audit(1256477986.012:116124): arch=40000003 syscall=11 success=yes exit=0 a0=97f1ff0 a1=97f1798 a2=97f1600 a3=40 items=0 ppid=23457 pid=23560 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256477986.012:116124): avc: denied { read write } for pid=23560 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
----
time->Sun Oct 25 13:43:04 2009
type=SYSCALL msg=audit(1256478184.954:116136): arch=40000003 syscall=11 success=yes exit=0 a0=8f48ff0 a1=8f48798 a2=8f48600 a3=40 items=0 ppid=23048 pid=23802 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256478184.954:116136): avc: denied { read } for pid=23802 comm="sendmail" path="eventpoll:[129701955]" dev=eventpollfs ino=129701955 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1256478184.954:116136): avc: denied { read write } for pid=23802 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
----
time->Sun Oct 25 13:52:57 2009
type=SYSCALL msg=audit(1256478777.377:116148): arch=40000003 syscall=11 success=yes exit=0 a0=945bff0 a1=945b798 a2=945b600 a3=40 items=0 ppid=24396 pid=24439 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256478777.377:116148): avc: denied { read } for pid=24439 comm="sendmail" path="eventpoll:[129734033]" dev=eventpollfs ino=129734033 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1256478777.377:116148): avc: denied { read write } for pid=24439 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
----
--
Ted Rule
Director, Layer3 Systems Ltd
Layer3 Systems Limited is registered in England. Company no 3130393
W: http://www.layer3.co.uk/
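The descriptor leak the post attributes to PHP's mail() (a temporary body file handed, together with every other open descriptor, to the popen()ed sendmail) can be reproduced without PHP or sendmail. The following is an added example, not code from the post or from PHP: a second Python interpreter stands in for sendmail, the message body and address are constructed, and the run covers both remedies the post discusses, marking the body descriptor close-on-exec at the opener, and having the spawner close everything above stderr. Python's subprocess already does the latter (close_fds=True) and descriptors Python creates are close-on-exec by default since 3.4, so both are toggled explicitly here to show each outcome.

```python
"""Added example: does the mail-body descriptor leak into the spawned child?

Mirrors the pattern the post describes in PHP's mail(): the parent opens a
temporary file holding the message body and then spawns the mailer. Every
descriptor still inheritable at exec() time shows up in the child, which
under SELinux means in the child's domain (system_mail_t in the post).
The child here is a second Python interpreter standing in for sendmail.
"""
import os
import subprocess
import sys
import tempfile

# Constructed sample body; the address is a placeholder.
BODY = b"To: ops@example.com\nSubject: test\n\nhello\n"


def make_body_fd(body=BODY, inheritable=True):
    """Unlinked temp file holding `body`, rewound to offset 0.

    inheritable=True is the leaky case (no FD_CLOEXEC on the descriptor);
    False is the fix at the opener, which Python applies to descriptors it
    creates by default since 3.4 (PEP 446), so it is set explicitly here."""
    fd, path = tempfile.mkstemp(prefix="mail-body-")
    os.unlink(path)
    os.write(fd, body)
    os.lseek(fd, 0, os.SEEK_SET)
    os.set_inheritable(fd, inheritable)
    return fd


# Stand-in for sendmail: read descriptor {fd} and echo whatever comes back;
# EBADF means the descriptor did not survive exec().
CHILD = (
    "import os, sys\n"
    "try:\n"
    "    sys.stdout.buffer.write(os.read({fd}, 65536))\n"
    "except OSError:\n"
    "    pass\n"
)


def child_read(fd, close_fds=True, pass_fds=()):
    """Spawn the child and return the bytes it could read from `fd`
    (b"" when the descriptor was not inherited)."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD.format(fd=fd)],
        close_fds=close_fds,
        pass_fds=pass_fds,
        stdout=subprocess.PIPE,
        check=True,
    )
    return proc.stdout


def scenarios(body=BODY):
    """Which combinations let the child see the body? Returns {name: bool}."""
    cases = {
        # PHP via popen(): inheritable descriptor, spawner keeps everything open
        "inheritable, close_fds=False": (True, False),
        # fix at the opener: FD_CLOEXEC on the body descriptor
        "cloexec, close_fds=False": (False, False),
        # fix at the spawner: close every fd above stderr, as the post wishes popen() did
        "inheritable, close_fds=True": (True, True),
    }
    results = {}
    for name, (inheritable, close_fds) in cases.items():
        fd = make_body_fd(body, inheritable)
        try:
            results[name] = child_read(fd, close_fds=close_fds) == body
        finally:
            os.close(fd)
    # explicit allow-list: only the one descriptor the child really needs survives
    fd = make_body_fd(body, inheritable=False)
    try:
        results["cloexec, pass_fds"] = child_read(fd, pass_fds=(fd,)) == body
    finally:
        os.close(fd)
    return results


if __name__ == "__main__":
    for name, seen in scenarios().items():
        print(f"{name:30s} child saw body: {seen}")
```

Run directly it prints the four outcomes. The first, an inheritable descriptor plus a spawner that keeps everything open, is the popen() case from the post: the httpd temp file becomes a file object in the system_mail_t child and the AVC follows. The pass_fds case is the explicit allow-list a spawner would use when the child genuinely needs one descriptor, which is the granular control the post asks for, done at the spawner rather than in policy.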
Apparent memory leak in libselinux
by Ed Swierk
When I run the following on a F12 system booted with selinux=0, the
tcmalloc heap checker complains about a leak somewhere in libselinux:
$ HEAPCHECK=normal LD_PRELOAD=/usr/lib64/libtcmalloc.so.0 /usr/bin/python -c 'import _ssl'
Leak check _main_ detected leaks of 120 bytes in 1 objects
The 1 largest leaks:
Leak of 120 bytes in 1 objects allocated from:
@ 0x3bf9866589 _IO_getdelim
@ 0x3bfb40ca53 set_selinuxmnt
@ 0x3bfb414fe6 string_to_security_class
@ 0x3bfb404cdb _init
@ 0x7fff4bdfa8ed 0x00007fff4bdfa8ed
No leak is detected when I run this with selinux enabled. My system
has libselinux-2.0.87-1.fc12 installed.
--Ed
Selinux Troubleshoot Browser at login
by David Highley
Since the most recent update of the selinux policies:
Jan 29 06:05:50 Updated: setroubleshoot-plugins-2.1.37-1.fc12.noarch
Jan 29 06:05:52 Updated: setroubleshoot-server-2.2.60-1.fc12.x86_64
Jan 29 06:05:53 Updated: setroubleshoot-2.2.60-1.fc12.x86_64
The browser pops up on every login indicating that there are two events.
Open the browser and nothing is listed.
Question, as part of the move of the email lists from Red Hat did the
bug reporting also move? My account at bugzilla.redhat.com is now gone.
So where do we now report Fedora bugs?
--
Regards,
David Highley
dbus daemon
by Steve Blackwell
I have been getting a lot of AVCs that are related to dbus. A quick check shows that I have 2 dbus daemons running.
$ ps aux | grep dbus
dbus      1615  0.0  0.1  14160  1880 ?      Ssl  11:53   0:01 dbus-daemon --system
gdm       2385  0.0  0.0   3312   580 ?      S    11:54   0:00 /usr/bin/dbus-launch --exit-with-session
steve     2650  0.0  0.0   3312   576 ?      S    11:58   0:00 dbus-launch --sh-syntax --exit-with-session
steve     2652  0.1  0.1  13528  1484 ?      Ssl  11:58   0:01 /bin/dbus-daemon --fork --print-pid 7 --print-address 9 --session
steve     3154  0.0  0.0   4192   708 pts/0  S+   12:16   0:00 grep dbus
The one that is owned by dbus has a system_u:system_r:system_dbusd_t
context.
The one that is owned by me has a unconfined_u:unconfined_r:unconfined_t
context.
First question: should I really have 2 dbus-daemons?
One AVC says that the dbus daemon owned by dbus can't search
unconfined_t. It was trying to search /proc/2963 which was the
gpk-update-viewer which was running unconfined. (I'm running SELinux in
permissive mode)
$ ps -efZ | grep 2964
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 steve 2963 1 3 12:05 ? 00:00:07 gpk-update-viewer
Second question: does dbus have any reason to look at gpk-update
viewer?
Clearly, it needs to record the fact that the system was updated but
why does it need to check the update viewer for that?
Last question: how do I fix this? I don't have any modified or
additional SELinux policies so I would have thought this would work
"out-of-the-box".
Here is the raw audit message:
node=steve.blackwell type=AVC msg=audit(1264871141.507:132): avc:
denied { search } for pid=1615 comm="dbus-daemon" name="2963" dev=proc
ino=17982 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=dir
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted
$ rpm -qa | grep selinux
libselinux-2.0.80-1.fc11.i586
selinux-policy-targeted-3.6.12-93.fc11.noarch
libselinux-utils-2.0.80-1.fc11.i586
libselinux-devel-2.0.80-1.fc11.i586
libselinux-python-2.0.80-1.fc11.i586
selinux-policy-3.6.12-93.fc11.noarch
Thanks,
Steve
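The AVC records quoted in this thread (Ted Rule's sendmail denials earlier, Steve's dbus-daemon denial here) all have the same shape, and the hex-looking path= in the sendmail records is auditd's encoding for a string containing a space or non-printable byte; it decodes to /tmp/.xcache.0.0.1025202362.lock (deleted), so the httpd_tmp_t file was a lock file rather than the message body. As an added example, not from any post and not the audit2allow tool itself, here is a small parser that decodes such fields and merges denials into audit2allow-style allow rules. The sample records are copied from the posts with line wraps removed.

```python
"""Added example: turn the raw AVC records quoted in this thread into
candidate allow rules, the way audit2allow does, decoding auditd's
hex-encoded path field on the way. Not part of any post on this page.
"""
import re
from collections import defaultdict

# Records copied from the posts above (line wraps removed). The two path
# forms are the interesting part: a quoted string and a bare hex run.
SAMPLE_LOG = """\
type=AVC msg=audit(1256476368.217:116101): avc: denied { read } for pid=22040 comm="sendmail" path="eventpoll:[129640960]" dev=eventpollfs ino=129640960 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1256476557.234:116102): avc: denied { read write } for pid=22099 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
node=steve.blackwell type=AVC msg=audit(1264871141.507:132): avc: denied { search } for pid=1615 comm="dbus-daemon" name="2963" dev=proc ino=17982 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1264871141.507:132): arch=c000003e syscall=59 success=yes exit=0 pid=1615 comm="dbus-daemon"
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_value(raw):
    """auditd quotes plain strings and hex-encodes ones containing whitespace
    or control characters ("untrusted strings"). Return the printable form."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def parse_avc(line):
    """One AVC line -> dict, or None for non-AVC records (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    rec = {
        "perms": frozenset(m.group("perms").split()),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": decode_value(fields.get("comm", '""')),
    }
    for key in ("path", "name"):
        if key in fields:
            rec[key] = decode_value(fields[key])
    return rec


def parse_log(text):
    """All AVC records in a block of audit.log text, in order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def allow_rules(records):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["source"], r["target"], r["tclass"])] |= r["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["comm"], r.get("path") or r.get("name"), sorted(r["perms"]))
    print("\n".join(allow_rules(recs)))
```

A rule produced this way records what was denied, not what should be allowed. For the sendmail records the honest fix is to stop the descriptor leaking from httpd_t, not to grant system_mail_t read on an httpd_t epoll descriptor, and for the dbus record the first question is still the one Steve asks: whether system_dbusd_t has any business searching that /proc entry at all.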
Selinux process transition
by Seramal
Hi there,
I have fedora 11 installed and I'm running a program with root, but need to drop privileges to another user (xguest_u) and change to the proper security context. When I tried to use simple tools like runcon or newrole, I wasn't able to modify the context. I tried:
su -c 'runcon -c -t xguest_t -u xguest_u -r xguest_r -l s0 /usr/bin/id' unpriviledged-user-that-is-xguest_u
I always get permission denied. After checking /var/log/audit and doing an audit2allow it pointed out:
allow unconfined_t xguest_t : process transition.
However, when I load the module, the problem continues... Any easy way to run a program with another UID and another security context from root/unconfined_t/unconfined_r?
thanks!
Fixfiles confused by bad filenames
by Moray Henderson
Fixfiles in selinux-policy-targeted-2.4.6-255.el5_4.3.noarch cannot cope
with a cr/lf sequence occurring in a file name. I'm not sure I can
either, come to that, but one of my users somehow managed to create
himself a file with the MS-DOS line termination sequence embedded in its
name. The directory tree needed a relabel, and fixfiles threw lstat
errors when it hit that file.
The file was called
__history/Ict.Petra.Client.MCommon??.UC_PartnerAddresses.Logic.pas.~1~
(with the double-question mark being the offending characters) and
fixfiles complained
lstat(__history/Ict.Petra.Client.MCommon^M) failed: No such file or
directory
lstat(.UC_PartnerAddresses.Logic.pas.~1~) failed: No such file or
directory
lstat(__history/Ict.Petra.Client.MCommon^M) failed: No such file or
directory
lstat(.UC_PartnerAddresses.Logic.pas.~1~) failed: No such file or
directory
It's probably a bug, but whether it's in fixfiles or in my user is
harder to determine.
Moray.
"To err is human. To purr, feline"
Problem getting newrole working in centos54
by Leif Thuresson
Hi,
I have been experimenting with confined users in centos54 to create my own staff and admin roles.
I have only been meddling with policies for services before, so creating user domains is new territory for me.
For the test I used the userdom_unpriv_user_template() and userdom_admin_user_template() interfaces to create an unprivileged login role and an admin role.
The first test policy module looked like the one below but without the call to the auth_run_chk_passwd() interface.
In permissive mode I could login and verify with id -Z that I had the correct login role and type. I could use newrole to switch to the admin role and again verify that I received the correct role and type. I did not get any AVC denials when doing this.
Now when I switched to enforcing mode I could login to the login role as before, but when I ran newrole to switch to the admin role, newrole said 'incorrect password' and failed, but still no AVC denials.
I traced newrole with strace and I could see that it failed trying to open /etc/shadow.
When comparing the centos54 interface for newrole in selinuxutil.if with the corresponding interface in fedora12 (where I got a similar test working) I saw that the newrole interface in fedora12 called interfaces in authlogin.if, so I added similar calls in my module and then I got it working in enforcing mode too!
Although I think the newrole interface in centos54 is kind of useless when it does not handle the authentication permissions internally :-(
Now before I proceed with this project I would like to clear up my understanding of user domains, so if any of you can answer these questions it would be much appreciated.
The ultimate target environment for my project is a RedHat5 based server farm.
- First of all, is this the right way to do this kind of thing or am I completely on the wrong track? Is the user domain support mature enough in redhat5 to be used in a production environment? If not I guess I have to wait for redhat6.
- Does anyone know how the feature transfer from Fedora to RedHat works? How much of the selinux functionality existing in Fedora12 can we expect to appear in RedHat 6 when it arrives?
- I assume that the reason my first test failed in enforcing mode without any AVC denials was because of some hidden don't audit rules in the interfaces I called. Is there some way to turn off don't audit rules globally to trace these problems? (I tried semodule -DB although it is not listed as a valid option on the centos54 semodule man page, but the only effect it had was that it got setroubleshootd constantly crashing.)
Thanks,
/leif
Policy used in test below:
policy_module(myadm, 1.0.0)
require {
type unconfined_t;
type newrole_t;
type user_home_t;
type devpts_t;
type system_chkpwd_t;
}
# Create mystaff_r and mystaff_t
userdom_unpriv_user_template(mystaff)
allow mystaff_t user_home_t: file read;
allow mystaff_t devpts_t:chr_file { read write ioctl };
# Allow login daemon (sshd) to transition to mystaff_t
allow unconfined_t mystaff_t:process transition;
# Add "mystaff_r:mystaff_t" to /etc/selinux/targeted/contexts/default_type
seutil_run_newrole(mystaff_t, mystaff_r, devpts_t)
# There is a typo in the auth_run_chk_passwd() interface so we can't use it.
# Let's do the work inline instead.
# Implement auth_run_chk_passwd(newrole_t, mystaff_r, devpts_t) inline:
auth_domtrans_chk_passwd(newrole_t)
role mystaff_r types system_chkpwd_t;
allow system_chkpwd_t devpts_t:chr_file rw_file_perms;
auth_run_upd_passwd(newrole_t, mystaff_r, devpts_t)
# Create myadm_r and myadm_t
userdom_admin_user_template(myadm)
# Add "myadm_r:myadm_t" to /etc/selinux/targeted/contexts/default_type
domain_transition_pattern(newrole_t, shell_exec_t, myadm_t)
userdom_role_change_template(mystaff, myadm)
# Create mystaff_u
gen_user(mystaff_u, mystaff, mystaff_r myadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
Bad AVC message reported from kernel.
by Daniel J Walsh
https://bugzilla.redhat.com/show_bug.cgi?id=558499
In Fedora 13, we had a rule that said
dontaudit domain rpm_tmp_t:file { read write };
rpm changed the access on rpm_tmp_t to be { read append };
This caused the following avc.
node=(removed) type=AVC msg=audit(1264430091.330:28): avc: denied { read
append } for pid=2933 comm="rpc.statd" path="/tmp/tmp9IF8MN" dev=dm-0 ino=432
scontext=unconfined_u:system_r:rpcd_t:s0
tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1264430091.330:28): arch=c000003e
syscall=59 success=yes exit=0 a0=28bd8d0 a1=28bdb50 a2=28bc920 a3=7fff07d44c30
items=0 ppid=2932 pid=2933 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=1 comm="rpc.statd" exe="/sbin/rpc.statd"
subj=unconfined_u:system_r:rpcd_t:s0 key=(null)
Indicating that rpcd_t did not have read append access. When it should have only reported append access, since the read access should have been dontaudited.
Need help bypassing spamass-milter audit
by Dan Thurman
I know that F8 is not supported, but I need help in knowing how
to get SELinux to permanently bypass spamass-milter denials.
I just cannot upgrade this F8 machine right now as it is my main email
server.
The following is generated by the command:
# service spamass-milter start:
[OK] is generated, but the errors are shown in /var/log/audit/audit.log:
type=AVC msg=audit(1264646701.440:1750): avc: denied { execute } for
pid=13694 comm="spamass-milter" name="spamc" dev=sda3 ino=4688447
scontext=unconfined_u:system_r:spamd_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1264646701.440:1750): arch=40000003 syscall=11
success=no exit=-13 a0=8058507 a1=968fa20 a2=bf95526c a3=1 items=0
ppid=13056 pid=13694 auid=500 uid=600 gid=600 euid=600 suid=600
fsuid=600 egid=600 sgid=600 fsgid=600 tty=(none) ses=186
comm="spamass-milter" exe="/usr/sbin/spamass-milter"
subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=USER_START msg=audit(1264646735.400:1751): user pid=13765 uid=0
auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0
msg='op=PAM:session_open acct="sa-milt" exe="/sbin/runuser" (hostname=?,
addr=?, terminal=pts/1 res=success)'
type=CRED_ACQ msg=audit(1264646735.400:1752): user pid=13765 uid=0
auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="sa-milt" exe="/sbin/runuser" (hostname=?,
addr=?, terminal=pts/1 res=success)'
type=CRED_DISP msg=audit(1264646738.120:1753): user pid=13765 uid=0
auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="sa-milt" exe="/sbin/runuser" (hostname=?,
addr=?, terminal=pts/1 res=success)'
type=USER_END msg=audit(1264646738.122:1754): user pid=13765 uid=0
auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0
msg='op=PAM:session_close acct="sa-milt" exe="/sbin/runuser"
(hostname=?, addr=?, terminal=pts/1 res=success)'
Of course, shutting down spamass-milter will fail:
# service spamass-milter stop
[FAILED] is generated, because
/var/run/spamass-milter/spamass-milter.sock is not created.
Interestingly, if one issues:
# setenforce 0
# service spamass-milter start
[OK] is generated
# service spamass-milter stop
[OK] is generated
# setenforce 1
And, /var/run/spamass-milter/spamass-milter.sock is created.
However, sendmail with spamass-milter enabled results in permission denied
because security context is enabled.
So, can someone please give me instructions so that I can permanently
bypass spamass-milter audit?
Thanks!
Dan
How to temporarily turn off "don't audit" feature
by Bruno Wolff III
I am trying to get a game working under xguest and some rule is blocking
it from working, but the rule doesn't show up in the audit log. (If I
go to permissive mode after logging in to xguest I can run the game. But
it won't work if I stay in enforcing mode.)
I would like to temporarily have all AVCs show up in the audit file so that I can find the one that is blocking things. I haven't found a way to do this on current versions of Fedora. (There was a recommendation for rhel that doesn't apply to Fedora.)