sandbox cleanup?
by Christoph A.
Hi,
I just noticed that I have over 100 processes running in the
sandbox_web_client_t domain, although I closed all my sandbox windows.
ps auxZ|grep sandbox_web_client_t|grep -c /usr/libexec/gvfsd
52
ps auxZ|grep sandbox_web_client_t|grep -c '/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session'
51
Shouldn't they be killed after I closed all sandbox windows?
Kind regards,
Christoph
12 years, 9 months
sandbox: open new firefox tab from outside
by Christoph A.
Hi,
I was using firefox within sandboxes for a while without perm. home
directory.
To store bookmarks, addons and so on, I started to use perm. homedir (-H).
Because firefox does not allow multiple concurrent sessions (lock on
.mozilla) it is not possible to open multiple websites when specifying
the same sandbox homedir, hence I'm looking for a possibility to open
new websites within a running sandbox from outside.
Without sandboxes everyone can open new websites in a running firefox
instance using:
firefox -remote "openurl(http://www.mozilla.org)"
sandbox scenario:
1. step:
start firefox:
sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
2. step:
sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox -remote "openurl(http://www.mozilla.org)"
My current attempts fail because I'm unable to use the '-l' option
(#632377), but would the policy allow the 'firefox -remote' command if the
type and security level match those of the already running sandbox?
kind regards,
Christoph
12 years, 11 months
SELinux and Shorewall with IPSets
by Mr Dash Four
Problems combining these 2 to run while SELinux is in 'enforced' mode
(policy running is the 'stock' targeted one supplied with FC13). I get 2
audit alerts when Shorewall starts (and fails!) - see logs below. I have
x86_64 arch machine with FC13 running. Stock Shorewall is installed.
IPSet (xtunnels) is compiled in (though with the 'stock' rpm I am
getting the same errors).
The problem seems to be caused by the Shorewall init script (see further
below). The relevant part of my syslog when SELinux is in enforced mode is:
=========SELinux=Enforcing================================
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling...
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.634:29543): avc: denied { create } for pid=2577 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.637:29544): avc: denied { create } for pid=2579 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/zones...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/interfaces...
Jun 26 23:18:38 dev1 shorewall[2456]: Determining Hosts in Zones...
Jun 26 23:18:38 dev1 shorewall[2456]: Preprocessing Action Files...
Jun 26 23:18:38 dev1 shorewall[2456]: Pre-processing
/usr/share/shorewall/action.Drop...
Jun 26 23:18:38 dev1 shorewall[2456]: Pre-processing
/usr/share/shorewall/action.Reject...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/policy...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/blacklist...
Jun 26 23:18:38 dev1 shorewall[2456]: ERROR: ipset names in Shorewall
configuration files require Ipset Match in your kernel and iptables :
/etc/shorewall/blacklist (line 11)
Jun 26 23:18:38 dev1 shorewall[2456]: ERROR: Shorewall start failed
==========================================================
When I switch SELinux to Permissive I get two further errors:
=========SELinux=Permissive===============================
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29551): avc: denied { create } for pid=3799 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29552): avc: denied { getopt } for pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29553): avc: denied { setopt } for pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/zones...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/interfaces...
Jun 26 23:32:45 dev1 shorewall[3678]: Determining Hosts in Zones...
Jun 26 23:32:45 dev1 shorewall[3678]: Preprocessing Action Files...
Jun 26 23:32:45 dev1 shorewall[3678]: Pre-processing
/usr/share/shorewall/action.Drop...
Jun 26 23:32:45 dev1 shorewall[3678]: Pre-processing
/usr/share/shorewall/action.Reject...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/policy...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/blacklist...
Jun 26 23:32:45 dev1 shorewall[3678]: Adding Anti-smurf Rules
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling TCP Flags filtering...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Kernel Route Filtering...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Martian Logging...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 1...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/rules...
Jun 26 23:32:45 dev1 shorewall[3678]: Generating Transitive Closure of
Used-action List...
Jun 26 23:32:45 dev1 shorewall[3678]: Processing
/usr/share/shorewall/action.Reject for chain Reject...
Jun 26 23:32:45 dev1 shorewall[3678]: Processing
/usr/share/shorewall/action.Drop for chain Drop...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 2...
Jun 26 23:32:45 dev1 shorewall[3678]: Applying Policies...
Jun 26 23:32:45 dev1 shorewall[3678]: Generating Rule Matrix...
Jun 26 23:32:45 dev1 shorewall[3678]: Creating iptables-restore input...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling iptables-restore input
for chains blacklst mangle:...
Jun 26 23:32:45 dev1 shorewall[3678]: Shorewall configuration compiled
to /var/lib/shorewall/.start
Jun 26 23:32:45 dev1 shorewall[3678]: Starting Shorewall....
Jun 26 23:32:45 dev1 shorewall[3678]: Initializing...
Jun 26 23:32:46 dev1 kernel: u32 classifier
Jun 26 23:32:46 dev1 kernel: Performance counters on
Jun 26 23:32:46 dev1 kernel: input device check on
Jun 26 23:32:46 dev1 kernel: Actions configured
Jun 26 23:32:46 dev1 shorewall[3678]: Processing /etc/shorewall/init ...
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-x1.ips
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-x2.ips
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-z1.ips
Jun 26 23:32:47 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-z2.ips
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/tcclear ...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Route Filtering...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Martian Logging...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Proxy ARP...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Traffic Control...
Jun 26 23:32:49 dev1 shorewall[3678]: Preparing iptables-restore input...
Jun 26 23:32:49 dev1 shorewall[3678]: Running /sbin/iptables-restore...
Jun 26 23:32:49 dev1 shorewall[3678]: IPv4 Forwarding Enabled
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/start ...
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/started ...
Jun 26 23:32:49 dev1 shorewall[3678]: Shorewall started
==========================================================
The problem seems to be caused by the shorewall init script, which is:
===========Shorewall init script==========================
modprobe ifb numifbs=1
ip link set dev ifb0 up
# configure the ipsets
sw_ips_mask='/etc/shorewall/ips/*.ips'
ipset_exec='/usr/sbin/ipset'
if [ "$COMMAND" = start ]; then
$ipset_exec -F
$ipset_exec -X
for c in `/bin/ls $sw_ips_mask 2>/dev/null`; do
echo loading $c
$ipset_exec -R < $c
done
fi
==========================================================
The above script executes /usr/sbin/ipset to create my IP Sets needed
for running Shorewall (all IP set commands are contained in those *.ips
files). These IP sets consist mainly of IP subnets which are part of my
blacklists (banned IP subnets), though they also contain some IP Port
sets as well.
Don't know why SELinux denies "create" (and then "getopt" and "setopt")
on, what seems to be, a raw IP socket (IPSet does not use/need one as far
as I know!)? If I remove the IP Set part of the init script above and
rearrange Shorewall to run without IPSets all is well, though its
functionality is VERY limited and barely useful to me!
Two questions to the SELinux gurus on here: 1) Why am I getting these
alerts? and 2) How can I fix the problem so that I could run both
Shorewall and IPSets with SELinux in Enforced mode?
This is important for me as this is a production server and a lot of
stuff runs on it and needs to be available 24/7.
Many thanks in advance!
13 years, 2 months
AVC bluetoothd
by Genes MailLists
Anyone see this? (f13 fully updated) - when this happens I cannot
connect my BT mouse - I need to resync the mouse and it works till the mouse
idles and then it stops again.
PS - I am (and have been for a week or so) running Kyle's kernel with
the tty sched changes (v2 or something) but this problem arose today.
Summary:
SELinux is preventing /usr/sbin/bluetoothd "getopt" access .
Detailed Description:
SELinux denied access requested by bluetoothd. It is not expected that this
access is required by bluetoothd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Additional Information:
Source Context system_u:system_r:bluetooth_t:s0-s0:c0.c1023
Target Context system_u:object_r:unlabeled_t:s0
Target Objects None [ socket ]
Source bluetoothd
Source Path /usr/sbin/bluetoothd
Port <Unknown>
Source RPM Packages bluez-4.64-1.fc13
Target RPM Packages
Policy RPM selinux-policy-3.7.19-73.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Platform Linux hx.sapience.com 2.6.36.1-10.fc15.x86_64 #1 SMP Mon Nov 29 14:41:22 UTC 2010 x86_64 x86_64
Alert Count 12
First Seen Mon Nov 29 19:50:26 2010
Last Seen Mon Nov 29 21:19:22 2010
Local ID 31836b48-2806-449c-a54f-220757a9497e
Line Numbers
node=hx.prv.sapience.com type=AVC msg=audit(1291083562.766:32696): avc: denied { getopt } for pid=1687 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket
node=hx.prv.sapience.com type=SYSCALL msg=audit(1291083562.766:32696): arch=c000003e syscall=55 success=no exit=-13 a0=1a a1=6 a2=1 a3=7ffff4cc07d0 items=0 ppid=1 pid=1687 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bluetoothd" exe="/usr/sbin/bluetoothd" subj=system_u:system_r:bluetooth_t:s0-s0:c0.c1023 key=(null)
13 years, 3 months
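The Shorewall post and the bluetoothd post above both ask what to make of a handful of AVC denials. The following is an added example, not code from either poster, from Shorewall or from the SELinux reference policy: a small Python equivalent of what `audit2allow -M` does, which parses raw AVC lines, merges the permissions per (source type, target type, class), and emits a loadable `.te` module. The sample lines are constructed copies of the denials quoted in those two posts, re-joined onto single lines as the kernel writes them. The one defender's twist is that any rule whose target is `unlabeled_t` is marked with a REVIEW comment rather than emitted silently: that object received no label at all, so the bluetoothd case (a 2.6.36 fc15 kernel running under the fc13 policy, per the alert itself) is more likely a labelling or kernel/policy mismatch than a missing allow rule, and simply allowing access to `unlabeled_t` would paper over it. The module name and the build steps (`checkmodule -M -m`, `semodule_package`, `semodule -i`) are the standard tools, but the file name used in the usage note is an assumption.

```python
import re
from collections import OrderedDict

# Constructed sample: the wrapped audit lines quoted in the Shorewall and
# bluetoothd posts, joined back onto single lines. One non-AVC line is
# included to show that unrelated syslog lines are ignored.
SAMPLE_AVC = [
    'Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.634:29543): avc: denied { create } for pid=2577 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket',
    'Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29552): avc: denied { getopt } for pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket',
    'Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29553): avc: denied { setopt } for pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket',
    'node=hx.prv.sapience.com type=AVC msg=audit(1291083562.766:32696): avc: denied { getopt } for pid=1687 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket',
    'Jun 26 23:18:38 dev1 shorewall[2456]: Compiling...',
]

# Matches the fields an allow rule needs: permissions, both contexts, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Third field of user:role:type[:level] is the SELinux type."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the rule-relevant parts of one AVC line, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": type_of(m.group("scon")),
        "ttype": type_of(m.group("tcon")),
        "tclass": m.group("tclass"),
    }


def collect_rules(lines):
    """Merge denials into {(source_type, target_type, class): [perm, ...]}.

    A target equal to the source is written as 'self', as policy does.
    Permissions keep first-seen order so the output is stable.
    """
    rules = OrderedDict()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        perms = rules.setdefault((d["stype"], target, d["tclass"]), [])
        for p in d["perms"]:
            if p not in perms:
                perms.append(p)
    return rules


def to_te(modname, lines):
    """Render a policy module source in the layout audit2allow -M produces."""
    rules = collect_rules(lines)
    types, classes = OrderedDict(), OrderedDict()
    for (stype, ttype, tclass), perms in rules.items():
        types[stype] = None
        if ttype != "self":
            types[ttype] = None
        cls = classes.setdefault(tclass, [])
        for p in perms:
            if p not in cls:
                cls.append(p)
    out = ["module %s 1.0;" % modname, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(p)) for c, p in classes.items()]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in rules.items():
        if ttype == "unlabeled_t":
            # Defender's check: an unlabeled target means the object has no
            # label; fix labelling or the kernel/policy mismatch before allowing.
            out.append("# REVIEW: target is unlabeled_t; relabel or fix the "
                       "policy/kernel mismatch instead of allowing this")
        out.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(perms)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    src = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_AVC
    print(to_te("local_avc", src), end="")
```

Feeding the Shorewall lines alone yields `allow shorewall_t self:rawip_socket { create getopt setopt };`, which is exactly the access the three denials describe (ipset opening a raw IP socket and using get/setsockopt on it). Saved as, say, `local_avc.te` (assumed name), the module is built and loaded with `checkmodule -M -m -o local_avc.mod local_avc.te && semodule_package -o local_avc.pp -m local_avc.mod && semodule -i local_avc.pp`. The bluetoothd rule comes out with the REVIEW comment attached, which is the cue not to load it as-is.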
Fedora 14 AVCs
by Vadym Chepkov
Hi,
I just upgraded to Fedora 14 and got a significant amount of all sort of denials.
I thought maybe some relabeling went wrong - so I did it manually, just in case, didn't help much, still lots of issues.
I tried to post the raw audit log, but got bounced from the mailing list with "message too big".
Anyway, here is what audit2allow -R suggests
#============= chkpwd_t ==============
allow chkpwd_t self:capability sys_nice;
allow chkpwd_t self:process setsched;
files_list_tmp(chkpwd_t)
files_read_usr_symlinks(chkpwd_t)
#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability sys_nice;
allow dovecot_auth_t self:process setsched;
#============= dovecot_t ==============
allow dovecot_t self:capability sys_nice;
files_read_usr_symlinks(dovecot_t)
#============= nscd_t ==============
files_list_tmp(nscd_t)
files_read_usr_symlinks(nscd_t)
#============= saslauthd_t ==============
allow saslauthd_t self:capability sys_nice;
allow saslauthd_t self:process setsched;
files_read_usr_symlinks(saslauthd_t)
#============= spamd_t ==============
allow spamd_t admin_home_t:file { read ioctl open getattr append }; # spammers send e-mails to root@ , spamd needs to create working files in /root/
allow spamd_t self:capability sys_nice;
kernel_list_unlabeled(spamd_t) # razor and pyzor contexts gone
kernel_read_unlabeled_state(spamd_t) # same
userdom_read_user_home_content_files(spamd_t) # changed boolean spamd_enable_home_dirs
Thanks,
Vadym
13 years, 3 months
system shuts down during file system relabel
by Mark juszczec
Hello all
I upgraded my system (Toshiba Satellite P205D-S7802) to Fedora Core 14 over
the weekend.
Yesterday, the automatic software upgrade indicated there was an SELinux
patch to install. I installed it and then enjoyed (*sarcasm*) the following
bizarre behavior:
1. My wireless card shut off.
2. On reboot, SELinux's file system relabel never completed. Each time I
rebooted it would get partway through the file system relabel and then shut off
the system.
I was able to boot into Windows with no problem.
Not knowing what else to do, I gave up and went to bed.
This morning, I started the system up and the file system relabel completed
on its first attempt.
I did a hardware diagnostic scan with Windows and no problems were
indicated.
Has anyone else had similar behavior during a file system relabel? Any idea
what happened?
Mark
13 years, 4 months
socket files and ruby/passenger
by mark
I'm not sure where to start on this one.... I've got a user running ruby,
and a gem called passenger. It creates a socket file in a configured
directory (now /var/tmp/passenger/<blah>/backend/). SELinux is complaining
(it's permissive) that it's a potentially mislabelled file. From the
sealert o/p:
<...>
Source Context root:system_r:httpd_t
Target Context root:object_r:httpd_tmp_t
<...>
The directory context is:
d-ws-wx-wx root root root:object_r:httpd_tmp_t ./
d-ws--x--x root root root:object_r:httpd_tmp_t ../
srw------- root root root:object_r:httpd_tmp_t
backend.ib4gxn1IpkOSkiCP0TviW6AoGO2CXhq0W9SzzVsUVMC0U2Yc9zOvVDr=
So, what should it be, to make the AVC go away, and how would I know what
it should be?
mark
13 years, 4 months
building go compiler
by Patrick Bakker
Hi,
I'm trying to build the Go compiler and the build script all.bash
brings up the following when executed:
****************************************
WARNING: the default SELinux policy on, at least, Fedora 12 breaks
Go. You can enable the features that Go needs via the following
command (as root):
# setsebool -P allow_execstack 1
Note that this affects your system globally!
The build will continue in five seconds in case we misdiagnosed the issue...
****************************************
Is there any other recommended way of working around this problem or
should I simply perform this change if I want to build Go?
13 years, 4 months
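The `allow_execstack` boolean in the post above is a system-wide switch: it grants every confined domain the `execstack` permission, which the kernel asks for when a process maps its stack executable. What triggers that request is the `PT_GNU_STACK` program header of an executable or shared object carrying the PF_X flag (or the header being absent, which older x86 kernels treat as executable stack). The `execstack -q` tool from the prelink package reports the same bit. Below is an added example, not from the Go project, the page or any poster, that reads the flag straight out of the ELF program headers so that one can see which binaries a build actually produces with an executable stack before deciding on a global boolean. `build_elf` is a constructed test fixture that assembles a minimal, non-runnable ELF image; `scan_file` is the part meant for real files.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # p_type of the stack-permissions program header
PF_X = 0x1                  # executable bit in p_flags


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the ELF has none.

    Handles ELF32 and ELF64 in either byte order by reading the header
    offsets directly (e_phoff / e_phentsize / e_phnum).
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:                      # ELF64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_off = 4                      # Elf64_Phdr: p_flags follows p_type
    elif ei_class == 1:                    # ELF32
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_off = 24                     # Elf32_Phdr: p_flags is the 7th word
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, off + flags_off)
            return p_flags
    return None


def needs_execstack(data):
    """True if loading this ELF would need an executable stack."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def scan_file(path):
    """Report (path, needs_execstack) for a real file on disk."""
    with open(path, "rb") as f:
        return path, needs_execstack(f.read())


def build_elf(bits, stack_flags):
    """Constructed fixture: a little-endian ELF header plus at most one
    PT_GNU_STACK program header. Not a loadable binary; only for testing."""
    if bits == 64:
        phdr = b"" if stack_flags is None else struct.pack(
            "<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
        n = 0 if stack_flags is None else 1
        hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
        hdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, n, 64, 0, 0)
    else:
        phdr = b"" if stack_flags is None else struct.pack(
            "<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
        n = 0 if stack_flags is None else 1
        hdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
        hdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, n, 40, 0, 0)
    return hdr + phdr


if __name__ == "__main__":
    # Usage: python3 this.py /path/to/binary ... ; prints one line per file.
    for p in sys.argv[1:]:
        path, exec_stack = scan_file(p)
        print("%s: %s" % (path, "EXECSTACK" if exec_stack else "ok"))
```

Running the script over the toolchain output (the `6g`/`6l`-built binaries and the `.so` files the build installs) narrows the question from "flip `allow_execstack` for the whole machine" to "which specific objects carry PF_X, and is it the linker marking that should be fixed instead". The ELF32 path is included because the same check applies to the 32-bit targets the Go build of that era also produced.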
[PATCH] Fix typo in interface name
by Ruben Kerkhof
From 1ddd316c8b339d918871170d7c0a3eb2fd588ada Mon Sep 17 00:00:00 2001
From: Ruben Kerkhof <ruben(a)rubenkerkhof.com>
Date: Mon, 15 Nov 2010 15:08:46 +0100
Subject: [PATCH] Fix typo in interface name
Signed-off-by: Ruben Kerkhof <ruben(a)rubenkerkhof.com>
---
policy/modules/services/nagios.te | 2 +-
policy/modules/services/postfix.if | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/nagios.te
b/policy/modules/services/nagios.te
index b9ab551..5416fde 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -299,7 +299,7 @@ optional_policy(`
optional_policy(`
postfix_stream_connect_master(nagios_mail_plugin_t)
- posftix_exec_postqueue(nagios_mail_plugin_t)
+ postfix_exec_postqueue(nagios_mail_plugin_t)
')
######################################
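Review bot: the call-site rename is consistent with the interface rename in postfix.if further down in this same patch, so nagios.te will compile against the corrected name; since the misspelt `posftix_exec_postqueue` existed in a published interface file, please also grep the rest of policy/modules for any other caller of the old name, as any module still using it will fail to build once postfix.if stops defining it.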
diff --git a/policy/modules/services/postfix.if
b/policy/modules/services/postfix.if
index 9c13189..b87375e 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -484,7 +484,7 @@ interface(`postfix_domtrans_postqueue',`
## </summary>
## </param>
#
-interface(`posftix_exec_postqueue',`
+interface(`postfix_exec_postqueue',`
gen_require(`
type postfix_postqueue_exec_t;
')
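Review bot: renaming the interface from `posftix_exec_postqueue` to `postfix_exec_postqueue` is an API change for any out-of-tree module that referenced the misspelt name, so a note in the changelog (or a short-lived deprecated alias for the old name) would make the transition safer; the hunk only shows the closing `## </summary>` and `## </param>` tags of the doc block above, so please confirm the summary text itself does not still carry the typo.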
--
1.7.3.2
13 years, 4 months