Selinux policy for beanstalkd
by Ruben Kerkhof
Hi list,
I haven't written an SELinux module before, so to start simple I
created one for beanstalkd, since we use this a lot.
I'm running into one issue though:
beanstalkd has the ability to create binary log files in
/var/lib/beanstalkd/binlog.
This directory doesn't exist by default, but it is created in the init script.
Starting up beanstalkd creates an AVC denial:
type=AVC msg=audit(1263749015.682:199): avc: denied { create } for
pid=2163 comm="mkdir" name="beanstalkd"
scontext=unconfined_u:system_r:initrc_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83
success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770
a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir"
exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?
Here's my policy:
[root@ruben ~]# cat beanstalkd.fc
/usr/bin/beanstalkd -- gen_context(system_u:object_r:beanstalkd_exec_t,s0)
/etc/rc\.d/init\.d/beanstalkd -- gen_context(system_u:object_r:beanstalkd_initrc_exec_t,s0)
/var/lib/beanstalkd(/.*)? gen_context(system_u:object_r:beanstalkd_var_lib_t,s0)
[root@ruben ~]# cat beanstalkd.te
policy_module(beanstalkd,1.0.0)
########################################
#
# Declarations
#
type beanstalkd_t;
type beanstalkd_exec_t;
init_daemon_domain(beanstalkd_t, beanstalkd_exec_t)
type beanstalkd_initrc_exec_t;
init_script_file(beanstalkd_initrc_exec_t)
type beanstalkd_var_lib_t;
files_type(beanstalkd_var_lib_t)
########################################
#
# beanstalkd local policy
#
allow beanstalkd_t self:capability { dac_override setgid setuid };
allow beanstalkd_t self:process { fork setrlimit };
allow beanstalkd_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(beanstalkd_t, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
files_var_lib_filetrans(beanstalkd_t, beanstalkd_var_lib_t, file)
corenet_tcp_sendrecv_generic_if(beanstalkd_t)
corenet_tcp_sendrecv_generic_node(beanstalkd_t)
corenet_tcp_sendrecv_all_ports(beanstalkd_t)
corenet_tcp_bind_generic_node(beanstalkd_t)
# FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)
fs_dontaudit_getattr_all_fs(beanstalkd_t)
domain_use_interactive_fds(beanstalkd_t)
auth_use_nsswitch(beanstalkd_t)
[root@ruben ~]# cat beanstalkd.if
## <summary>policy for beanstalkd</summary>
########################################
## <summary>
## Execute a domain transition to run beanstalkd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`beanstalkd_domtrans',`
	gen_require(`
		type beanstalkd_t, beanstalkd_exec_t;
	')

	domtrans_pattern($1, beanstalkd_exec_t, beanstalkd_t)
')
########################################
## <summary>
## Execute beanstalkd server in the beanstalkd domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`beanstalkd_initrc_domtrans',`
	gen_require(`
		type beanstalkd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, beanstalkd_initrc_exec_t)
')
########################################
## <summary>
## All of the rules required to administrate
## a beanstalkd environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`beanstalkd_admin',`
	gen_require(`
		type beanstalkd_t;
	')

	allow $1 beanstalkd_t:process { ptrace signal_perms getattr };
	read_files_pattern($1, beanstalkd_t, beanstalkd_t)

	gen_require(`
		type beanstalkd_initrc_exec_t;
	')

	beanstalkd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 beanstalkd_initrc_exec_t system_r;
	allow $2 system_r;
')
Kind regards,
Ruben Kerkhof
13 years, 10 months
Selinux policy for git + apache
by Roberto Sassu
Hi all,
I have an issue when configuring apache + git + gitweb on Fedora 12 (with /srv
mounted in another ext4 partition).
I put all my data in /srv/git, including gitweb relevant files.
Then I relabeled the entire filesystem but some warnings appear.
I created a custom selinux module by using audit2allow:
--------------------------------------------------- git.te
policy_module(git,1.0.0)
gitconfig()
---------------------------------------------------
--------------------------------------------------- git.if
interface(`gitconfig',`
	gen_require(`
		type git_data_t;
		type httpd_t;
		type var_t;
	')

	allow httpd_t git_data_t:dir { read search open getattr };
	allow httpd_t git_data_t:file { execute getattr read open ioctl execute_no_trans };
	allow httpd_t var_t:file { read getattr open };
')
---------------------------------------------------
The compile process works fine but when executing semodule -i git.pp, this
error appears:
libsepol.print_missing_requirements: git's global requirements were not met:
type/attribute git_data_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule: Failed!
What's wrong: my module, or is some system component missing?
Thanks for your help.
13 years, 10 months
new denials: shutdown, cupsd and abrt?
by Antonio Olivares
Dear all,
After being unable to update to the latest since the end of December, and now updating successfully, I see the following alerts. I try to submit reports but abrt? is crashing :(
Thanks for any pointers/advice/suggestions in advance,
Regards,
Antonio
Summary:
SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on /etc/abrt.
Detailed Description:
[abrtd has a permissive type (abrt_t). This access was not denied.]
SELinux denied access requested by abrtd. It is not expected that this access is
required by abrtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context system_u:object_r:abrt_etc_t:s0
Target Objects /etc/abrt [ dir ]
Source abrtd
Source Path /usr/sbin/abrtd (deleted)
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages abrt-1.0.2-1.fc13
Policy RPM selinux-policy-3.7.7-2.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name (removed)
Platform Linux (removed) 2.6.32-7.fc13.x86_64 #1 SMP
Wed Dec 9 10:51:00 EST 2009 x86_64 x86_64
Alert Count 3
First Seen Fri 15 Jan 2010 05:16:23 PM CST
Last Seen Fri 15 Jan 2010 05:16:23 PM CST
Local ID 384ec928-68a3-44de-99df-c72f1463e4d6
Line Numbers
Raw Audit Messages
node=(removed) type=AVC msg=audit(1263597383.547:63): avc: denied { write } for pid=1420 comm="abrtd" name="abrt" dev=dm-0 ino=28638 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir
node=(removed) type=AVC msg=audit(1263597383.547:63): avc: denied { add_name } for pid=1420 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir
node=(removed) type=AVC msg=audit(1263597383.547:63): avc: denied { create } for pid=1420 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1263597383.547:63): arch=c000003e syscall=2 success=yes exit=9 a0=7f72659b8625 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=1420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
Summary:
Detailed Description:
[shutdown has a permissive type (xdm_t). This access was not denied.]
SELinux denied access requested by shutdown. It is not expected that this access
is required by shutdown and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:system_r:init_t:s0
Target Objects [ unix_stream_socket ]
Source shutdown
Source Path /sbin/shutdown
Port <Unknown>
Host n6355-ET1161-05
Source RPM Packages upstart-0.6.3-5.fc13
Target RPM Packages filesystem-2.4.31-1.fc13
Policy RPM selinux-policy-3.7.7-2.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name n6355-ET1161-05
Platform Linux n6355-ET1161-05 2.6.32-7.fc13.x86_64 #1 SMP
Wed Dec 9 10:51:00 EST 2009 x86_64 x86_64
Alert Count 1
First Seen Fri 15 Jan 2010 06:18:46 PM CST
Last Seen Fri 15 Jan 2010 06:18:46 PM CST
Local ID 68992789-1746-4d6e-9f9b-fb5113529442
Line Numbers
Raw Audit Messages
node=n6355-ET1161-05 type=AVC msg=audit(1263601126.315:74): avc: denied { connectto } for pid=23588 comm="shutdown" path=002F636F6D2F7562756E74752F75707374617274 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
node=n6355-ET1161-05 type=SYSCALL msg=audit(1263601126.315:74): arch=c000003e syscall=42 success=yes exit=128 a0=3 a1=7fff661de2d0 a2=16 a3=7fff661de050 items=0 ppid=1483 pid=23588 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="shutdown" exe="/sbin/shutdown" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing /usr/bin/python "read" access on /var/run/abrt.pid.
Detailed Description:
SELinux denied access requested by SetroubleshootF. It is not expected that this
access is required by SetroubleshootF and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023
Target Context system_u:object_r:abrt_var_run_t:s0
Target Objects /var/run/abrt.pid [ file ]
Source SetroubleshootF
Source Path /usr/bin/python
Port <Unknown>
Host n6355-ET1161-05
Source RPM Packages python-2.6.4-4.fc13
Target RPM Packages
Policy RPM selinux-policy-3.7.7-2.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name n6355-ET1161-05
Platform Linux n6355-ET1161-05 2.6.32.3-21.fc13.x86_64 #1
SMP Mon Jan 11 16:53:56 UTC 2010 x86_64 x86_64
Alert Count 0
First Seen Fri 15 Jan 2010 12:23:06 PM CST
Last Seen Fri 15 Jan 2010 12:23:06 PM CST
Local ID 5806d5ac-edaf-4975-99eb-28b018e6379f
Line Numbers
Raw Audit Messages
node=n6355-ET1161-05 type=AVC msg=audit(1263579786.790:22): avc: denied { read } for pid=2250 comm="SetroubleshootF" name="abrt.pid" dev=dm-0 ino=131500 scontext=system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_run_t:s0 tclass=file
node=n6355-ET1161-05 type=SYSCALL msg=audit(1263579786.790:22): arch=c000003e syscall=2 success=no exit=-13 a0=d44570 a1=0 a2=1b6 a3=0 items=0 ppid=2249 pid=2250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="SetroubleshootF" exe="/usr/bin/python" subj=system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing /usr/sbin/cupsd "read" access to
/etc/cups/ppd/Cups-PDF.ppd.
Detailed Description:
SELinux denied access requested by cupsd. /etc/cups/ppd/Cups-PDF.ppd may be a
mislabeled. /etc/cups/ppd/Cups-PDF.ppd default SELinux type is cupsd_rw_etc_t,
but its current type is tmp_t. Changing this file back to the default type, may
fix your problem.
File contexts can be assigned to a file in the following ways.
* Files created in a directory receive the file context of the parent
directory by default.
* The SELinux policy might override the default label inherited from the
parent directory by specifying a process running in context A which creates
a file in a directory labeled B will instead create the file with label C.
An example of this would be the dhcp client running with the dhclient_t type
and creating a file in the directory /etc. This file would normally receive
the etc_t type due to parental inheritance but instead the file is labeled
with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or
restorecon.
This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.
However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.
If you believe this is a bug, please file a bug report against this package.
Allowing Access:
You can restore the default system context to this file by executing the
restorecon command. restorecon '/etc/cups/ppd/Cups-PDF.ppd', if this file is a
directory, you can recursively restore using restorecon -R
'/etc/cups/ppd/Cups-PDF.ppd'.
Fix Command:
/sbin/restorecon '/etc/cups/ppd/Cups-PDF.ppd'
Additional Information:
Source Context unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context system_u:object_r:tmp_t:s0
Target Objects /etc/cups/ppd/Cups-PDF.ppd [ file ]
Source cupsd
Source Path /usr/sbin/cupsd
Port <Unknown>
Host n6355-ET1161-05
Source RPM Packages cups-1.4.2-24.fc13
Target RPM Packages
Policy RPM selinux-policy-3.7.7-2.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name restorecon
Host Name n6355-ET1161-05
Platform Linux n6355-ET1161-05 2.6.32-7.fc13.x86_64 #1 SMP
Wed Dec 9 10:51:00 EST 2009 x86_64 x86_64
Alert Count 2
First Seen Mon 14 Dec 2009 09:04:50 AM CST
Last Seen Fri 15 Jan 2010 05:06:08 PM CST
Local ID d2a2744e-27fd-40d6-8f8b-46ef65fd1026
Line Numbers
Raw Audit Messages
node=n6355-ET1161-05 type=AVC msg=audit(1263596768.153:59): avc: denied { read } for pid=21527 comm="cupsd" name="Cups-PDF.ppd" dev=dm-0 ino=221456 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
node=n6355-ET1161-05 type=SYSCALL msg=audit(1263596768.153:59): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcd2267e0 a1=0 a2=0 a3=7fffcd225fc0 items=0 ppid=21526 pid=21527 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd" exe="/usr/sbin/cupsd" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing /usr/sbin/cupsd "read" access to
/etc/cups/ppd/HP-LaserJet-1200.ppd.
Detailed Description:
SELinux denied access requested by cupsd. /etc/cups/ppd/HP-LaserJet-1200.ppd may
be a mislabeled. /etc/cups/ppd/HP-LaserJet-1200.ppd default SELinux type is
cupsd_rw_etc_t, but its current type is tmp_t. Changing this file back to the
default type, may fix your problem.
File contexts can be assigned to a file in the following ways.
* Files created in a directory receive the file context of the parent
directory by default.
* The SELinux policy might override the default label inherited from the
parent directory by specifying a process running in context A which creates
a file in a directory labeled B will instead create the file with label C.
An example of this would be the dhcp client running with the dhclient_t type
and creating a file in the directory /etc. This file would normally receive
the etc_t type due to parental inheritance but instead the file is labeled
with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or
restorecon.
This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.
However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.
If you believe this is a bug, please file a bug report against this package.
Allowing Access:
You can restore the default system context to this file by executing the
restorecon command. restorecon '/etc/cups/ppd/HP-LaserJet-1200.ppd', if this
file is a directory, you can recursively restore using restorecon -R
'/etc/cups/ppd/HP-LaserJet-1200.ppd'.
Fix Command:
/sbin/restorecon '/etc/cups/ppd/HP-LaserJet-1200.ppd'
Additional Information:
Source Context unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context system_u:object_r:tmp_t:s0
Target Objects /etc/cups/ppd/HP-LaserJet-1200.ppd [ file ]
Source cupsd
Source Path /usr/sbin/cupsd
Port <Unknown>
Host n6355-ET1161-05
Source RPM Packages cups-1.4.2-24.fc13
Target RPM Packages
Policy RPM selinux-policy-3.7.7-2.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name restorecon
Host Name n6355-ET1161-05
Platform Linux n6355-ET1161-05 2.6.32-7.fc13.x86_64 #1 SMP
Wed Dec 9 10:51:00 EST 2009 x86_64 x86_64
Alert Count 2
First Seen Mon 14 Dec 2009 09:04:50 AM CST
Last Seen Fri 15 Jan 2010 05:06:08 PM CST
Local ID 38fbab19-5c32-404e-9d68-ca6fded185b0
Line Numbers
Raw Audit Messages
node=n6355-ET1161-05 type=AVC msg=audit(1263596768.222:61): avc: denied { read } for pid=21527 comm="cupsd" name="HP-LaserJet-1200.ppd" dev=dm-0 ino=104601 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
node=n6355-ET1161-05 type=SYSCALL msg=audit(1263596768.222:61): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcd2267e0 a1=0 a2=0 a3=1 items=0 ppid=21526 pid=21527 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd" exe="/usr/sbin/cupsd" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Thanks for helping.
13 years, 10 months
SELinux troubleshooting example
by Richard Bullington-McGuire
I'd like to share a blog article I wrote recently on troubleshooting SELinux
problems. If more people knew how to troubleshoot and remediate permissions
issues when they came up, fewer people would react by disabling SELinux at
the first sign of trouble.
Don't Leave the Barn Door Open: Troubleshooting SELinux Issues
http://www.threepillarsoftware.com/troubleshooting-selinux-issues
Any review comments would be welcome.
I'd also like to thank the SELinux community, including the NSA, Red Hat,
the Fedora project, Tresys, and many others, for coming up with such a solid
system.
--
Richard Bullington-McGuire | Director of Technology | Three Pillar Global
mobile: 571.236.0938 | fax: 703-564-5595 | PGP key ID: 0xDAC3028E
richard.bullington-mcguire(a)threepillarglobal.com | www.threepillarglobal.com
13 years, 10 months
SELinux context file format
by Leif Thuresson
I'm experimenting with creating custom SELinux users with specific
privileges.
I've read Dominick Grift article series about SELinux lockdown which I
found very helpful.
(http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confine...)
What I'm still missing is a detailed description of the SELinux context
files and format.
Although I can guess the use of certain fields, I don't feel comfortable
with just copying a context file for a built-in user without understanding
exactly what I'm doing.
Can someone point me to some documentation of the context file format?
(I'm using Fedora12 for my experiments)
Thanks,
/Leif
13 years, 11 months
Assigning a Type to Network Interfaces
by Jason Shaw
I need help understanding if SELinux supports restricting a confined
application from binding to specific network interfaces. I cannot seem to
make this work under F11 and F12 (using targeted, mls, and reference
policies), or under RHEL 5.3U3 targeted.
Details:
- I have a system with two network interfaces: eth0 and eth1.
- I have an application that must only be allowed to read data from eth0
(raw and tcp).
- I do not need to label packets.
Here's what I have tried
1) In a new policy module, I create new types: myApp_exec_t, myApp_t,
myApp_eth0_t, myApp_eth1_t.
2) I use semanage -fcontext to label my application's executable file as
myApp_exec_t
3) I assign eth0 with a new type: 'semanage interface -a -t myApp_eth0_t
eth0'
4) I assign eth1 with a new type: 'semanage interface -a -t myApp_eth1_t
eth1'
5) In my policy module, I allow the following: "allow myApp_t
self:capability net_raw", and "allow myApp_t self:tcp_socket { accept read
}"
6) I verify that when I execute my application, using ps -efZ it is running
in the myApp_t domain (has transitioned properly from unconfined_t)
The problem is, my app can read raw or tcp data from either eth0 or eth1
even though both interfaces have been assigned different types using
semanage -interface.
Is this because 'allow myApp_t self:capability net_raw' does not distinguish
between network interfaces? Is my understanding of semanage -interface
incorrect - shouldn't labeling the interface result in no ability to use the
interface unless explicitly allowed?
13 years, 11 months
updatedb (locate_t) "read" fusefs_t.
by Arthur Dent
Hello All,
I have a NTFS partition mounted by fstab at boot time on my F11 system.
Recently I have been getting screeds and screeds of AVCs each time
updatedb runs (daily) - See below for an example.
A bit of googling revealed Bug 549602
https://bugzilla.redhat.com/show_bug.cgi?id=549602 which seems similar.
Although fixed, it relates to F12. Unless I have missed something (quite
probable) I can't see a similar fix for F11.
My questions are therefore:
1) Is there a similar fix for F11?
2) Will that solve my problem?
3) If not, what should I do?
I am running:
selinux-policy-targeted-3.6.12-92.fc11.noarch
selinux-policy-3.6.12-92.fc11.noarch
Thanks in advance
Mark
======================8<=================================================
Summary:
SELinux is preventing updatedb (locate_t) "read" fusefs_t.
Detailed Description:
SELinux denied access requested by updatedb. It is not expected that this access
is required by updatedb and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context system_u:object_r:fusefs_t:s0
Target Objects /mnt/ntfs/Users/Mark/Cookies [ lnk_file ]
Source updatedb
Source Path /usr/bin/updatedb
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mlocate-0.22-1
Target RPM Packages
Policy RPM selinux-policy-3.6.12-92.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.30.10-105.fc11.i686.PAE #1 SMP Thu Dec 24
16:41:17 UTC 2009 i686 i686
Alert Count 3
First Seen Mon 11 Jan 2010 09:22:03 GMT
Last Seen Wed 13 Jan 2010 08:27:02 GMT
Local ID f5c7a401-052c-4149-b79c-d5bef7725b9d
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1263371222.110:58): avc: denied { read } for pid=4574 comm="updatedb" name="Cookies" dev=sda3 ino=86736 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=lnk_file
node=localhost.localdomain type=SYSCALL msg=audit(1263371222.110:58): arch=40000003 syscall=12 success=no exit=-13 a0=8e1e6f9 a1=bfcd3510 a2=bfcd36f4 a3=bfcd3510 items=0 ppid=4568 pid=4574 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)
13 years, 11 months
Using audit to log all users commands
by Damian Montaldo
Hi, this is my first message to this list and I hope that this is the
correct place to post it, isn't it? If not, please tell me.
So, thanks in advance.
For auditing purposes, I want to log on a server all the users'
commands and all their arguments [0] using audit (and if someone
has a better idea, I'm all ears!)
I was reading over the internet and Fedora related posts and I found
[1] that the best way to log users' commands is to add a filter for
the execve system call.
I'm trying to add a rule like this in the /etc/audit/audit.rules
(avoiding the root commands and crons etc)
-a always,entry -S execve -F auid>=500
But it doesn't work for me :(
I think that I have two "things" or problems.
First, the ">=" auid filter doesn't work (and sometimes I have the
auid "unset", so anyway it's not working)
I fixed this adding several rules like:
-a always,entry -S execve -F auid=1000
-a always,entry -S execve -F auid=1001
-a always,entry -S execve -F auid=1002
-a always,entry -S execve -F auid=1003
... and so on
And second, I have a lot of additional context information and I don't want it.
If I can have a simple list like: user, command, arguments and (less
important) path, that's great.
I did some research and again I found [2] this paragraph:
type=SYSCALL ...
type=CWD ...
type=PATH...
The above event, a simple less /var/log/audit/audit.log, wrote three
messages to the log. All of them are closely linked together and you
would not be able to make sense of one of them without the others.
The first message reveals the following information:
Confirming that I can't reduce the amount of additional information.
Thanks again and excuse me for my English ;)
Damian.
[0] That's why I can't use sa
[1] For example:
http://osdir.com/ml/linux.redhat.security.audit/2007-04/msg00043.html
[2] It is a complete document about audit made by novell:
www.novell.com/documentation/sled10/pdfdoc/audit_sp1/audit_sp1.pdf
13 years, 11 months
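Several posts in this digest paste raw audit records: the beanstalkd mkdir denial, Antonio's abrtd and upstart AVCs (whose exe= and path= values are hex-encoded), and Damian's wish for a plain "user, command, arguments, path" list out of execve auditing. The following is one added example, written for this page and not code from any poster, that groups records by their event serial, decodes the hex fields, and produces both views. The sample records are constructed; only the abrtd exe= value is copied from the thread.

```python
"""Turn raw Linux audit records into readable AVC-denial and command lines.

Added example for this thread, not code from any poster.  auditd writes one
event as several records (AVC, SYSCALL, CWD, PATH, EXECVE, ...) that share the
msg=audit(<time>:<serial>) key, so records are grouped by that key first.
String fields holding a space, quote or non-printable byte are logged as
unquoted uppercase hex, which is why some exe= and path= values above look odd.
"""
import re
from collections import defaultdict

# Constructed sample log (values made up, shaped like the records in this
# thread): two AVC+SYSCALL pairs and one execve event as written by an
# "-a always,exit -S execve" rule.  Records may carry a node= prefix.
SAMPLE_LOG = """\
type=AVC msg=audit(1263749015.682:199): avc:  denied  { create } for  pid=2163 comm="mkdir" name="beanstalkd" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83 success=no exit=-13 ppid=2156 pid=2163 auid=500 uid=0 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
node=box1 type=AVC msg=audit(1263597383.547:63): avc:  denied  { write } for  pid=1420 comm="abrtd" name="abrt" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir
node=box1 type=SYSCALL msg=audit(1263597383.547:63): arch=c000003e syscall=2 success=yes exit=9 ppid=1 pid=1420 auid=4294967295 uid=0 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1263400000.100:900): arch=c000003e syscall=59 success=yes exit=0 ppid=3000 pid=3001 auid=1001 uid=1001 comm="grep" exe="/bin/grep" key=(null)
type=EXECVE msg=audit(1263400000.100:900): argc=3 a0="grep" a1="-r" a2=7061737320776F7264
type=CWD msg=audit(1263400000.100:900):  cwd="/home/alice"
"""

HEADER = re.compile(r"^(?:node=\S+\s+)?type=(\w+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{\s*([^}]*)\}")
HEX_FIELDS = {"name", "comm", "exe", "path", "cwd", "proctitle"}  # hex-encoded when unclean
AUID_UNSET = 4294967295  # (uid_t)-1: login uid never set (daemons, cron jobs)


def decode_value(key, raw, rtype):
    """Strip quotes, or hex-decode string fields (EXECVE a0..aN included)."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    stringy = key in HEX_FIELDS or (rtype == "EXECVE" and re.fullmatch(r"a\d+", key))
    if stringy and re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        text = bytes.fromhex(raw).decode("utf-8", "replace")
        return text.replace("\x00", "@")  # leading NUL = abstract unix socket name
    return raw


def parse_records(text):
    """Group records by (timestamp, serial); each record becomes a dict."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record (wrapped or foreign line)
        rtype, ts, serial, body = m.groups()
        rec = {"type": rtype}
        for key, raw in FIELD.findall(body):
            rec[key] = decode_value(key, raw, rtype)
        if rtype == "AVC":
            a = AVC_RE.search(body)
            if a:
                rec["result"], rec["perms"] = a.group(1), a.group(2).split()
        events[(float(ts), int(serial))].append(rec)
    return events


def _login_uid(syscall_rec):
    """Login uid as int, or None when unset; standard rules exclude the unset
    value explicitly with -F auid!=4294967295 rather than relying on >= alone."""
    auid = syscall_rec.get("auid")
    return None if auid is None or int(auid) == AUID_UNSET else int(auid)


def denials(events):
    """One row per denied AVC, joined with the SYSCALL record of its event."""
    rows = []
    for (_, serial), recs in sorted(events.items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), {})
        for r in recs:
            if r["type"] != "AVC" or r.get("result") != "denied":
                continue
            rows.append({
                "serial": serial, "comm": r.get("comm"), "perms": r["perms"],
                "tclass": r.get("tclass"), "object": r.get("path") or r.get("name"),
                "scontext": r.get("scontext"), "tcontext": r.get("tcontext"),
                "exe": sc.get("exe"), "auid": _login_uid(sc),
                # denied + success=yes means a permissive domain or permissive
                # mode: the access was logged but actually went through.
                "enforced": sc.get("success") != "yes",
            })
    return rows


def commands(events):
    """One row per execve: login uid, cwd and the full argv."""
    rows = []
    for (_, serial), recs in sorted(events.items()):
        ex = next((r for r in recs if r["type"] == "EXECVE"), None)
        if ex is None:
            continue
        sc = next((r for r in recs if r["type"] == "SYSCALL"), {})
        cwd = next((r.get("cwd") for r in recs if r["type"] == "CWD"), None)
        argv = [ex.get("a%d" % i) for i in range(int(ex.get("argc", 0)))]
        rows.append({"serial": serial, "auid": _login_uid(sc), "uid": sc.get("uid"),
                     "exe": sc.get("exe"), "cwd": cwd, "argv": argv})
    return rows
```

Feeding it the real file instead of SAMPLE_LOG gives the compact list Damian asked for, and the "enforced" flag separates the permissive-domain denials setroubleshoot reports for abrt_t and xdm_t above from ones that actually blocked an access.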
Re: Using audit to log all users commands
by mark
> On Mon, Jan 11, 2010 at 12:50 PM, <m.roth(a)5-cent.us> wrote:
>>> Hi, this is my first message to this list and I hope that this is the
>>> correct place to post it, don't? If is not, please tell me.
>>> So, thanks in advantage.
>>>
>>> For auditing purposes, I want to log in a server all the users
>>> commands and all their arguments [0] using audit (and if is someone
>>> have a better idea, I'm all ears!)
>>> I was reading over the internet and Fedora related posts and I found
>>> [1] that the better way to log users commands, is to add a filter for
>>> the execve system call.
>> <snip>
>> You want to log all users' commands, all the time?
> Yes.
>
>> What's the point?
> It's a production server with users running commands and I need the
> command history of everyone, for example if something goes wrong
> (besides the auditing part that I need).
>
>> If you have more than a few users, there is no way you'll ever be able to
>> find anything, since you'll be buried under dozens of commands per user
>> per hour.
>> And your filesystems with the logfiles will fill up really fast, since
>> you want to log the full commands (with pathnames in them), but also the
>> audit messages.
>
> Right now, with 30~40 users, I have more or less 50~60 MB per day.
> Anyway, you can rotate the log file and it has a big compression ratio.
That's not the point - you'll get logfiles that are many megs large, every
day. How do you think you'll find what you don't like?
>
>> Unless you don't trust any of your users, this is a pointless exercise
>> in pretend security.
>
> No, I can't trust all the users, I need some extra security.
Do these users have root logins? Or do they only have sudo? If the latter,
that's already being logged in /var/log/secure. If the former, and they're
not trained admins, this is the first thing you need to change, long
before you worry about logging. NO ORDINARY USERS should *ever* have root
login.
>
> Ps: you reply only to me.
>
ARGH! I HATE MAILING LISTS THAT ARE CONFIGURED SO THAT <REPLY> DOES
*N*O*T* GO TO THE MAILING LIST.
mark
13 years, 11 months
Constraints on netif and nodes no longer working after upgrading policy compiler
by mantaray_1
Hello,
I have been using the same policy, which I have customized, for a few
years now. When I upgrade my OS (I believe I originally developed the
policy on Fedora 6) I use the same policy and compile it with the new
compiler. The message from checkpolicy when I started using this policy
was that the binary representation was version 6. I upgraded to version
7 and version 8 without any difficulties. I have recently upgraded to a
version of the compiler that outputs version 10. With this version all
constraints on both netif and node have no effect on my policy. I have
done some troubleshooting by simplifying the personalized policy to the
point that now I am only looking at the following constraint:
constrain netif { dccp_recv dccp_send egress ingress rawip_recv rawip_send tcp_send tcp_recv udp_send udp_recv }
(
	t1 == can_access_internet and r1 == standard_r
);
I had previously been able to successfully constrain Eth0, as well as
several nodes I had defined. One of these constraints was for an rdc
connection to a company server (used on a "work" user account), which
was restricted to one ip address; and another was for my young son, to
keep him limited to his "pbs kids" site. This is the primary reason I
have used SELinux, although I am sure the other protections have been
helpful as well.
I have already upgraded the policy to the most recent reference policy
in an effort to resolve the issue. The only result was additional
difficulties which were the result of labeling changes in the policy.
After resolving those difficulties, I am back to my original problem.
I am wondering what changes have been made in the policy compiler that
could cause this change in behavior, and how I need to modify my policy
in order to get the node and netif based constraints working again. If
anyone has any ideas that would help me to resolve the problem, I would
appreciate it.
-Ken-
13 years, 11 months