sandbox cleanup?
by Christoph A.
Hi,
I just noticed that I have over 100 processes running in the
sandbox_web_client_t domain, although I closed all my sandbox windows.
ps auxZ|grep sandbox_web_client_t|grep -c /usr/libexec/gvfsd
52
ps auxZ|grep sandbox_web_client_t|grep -c '/bin/dbus-daemon --fork
--print-pid 5 --print-address 7 --session'
51
Shouldn't they be killed after I closed all sandbox windows?
Kind regards,
Christoph
12 years, 9 months
sandbox: open new firefox tab from outside
by Christoph A.
Hi,
I was using firefox within sandboxes for a while without perm. home
directory.
To store bookmarks, addons and so on, I started to use perm. homedir (-H).
Because firefox does not allow multiple concurrent sessions (lock on
.mozilla) it is not possible to open multiple websites when specifying
the same sandbox homedir, hence I'm looking for a possibility to open
new websites within a running sandbox from outside.
Without sandboxes everyone can open new websites in a running firefox
instance using:
firefox -remote "openurl(http://www.mozilla.org)"
sandbox scenario:
1. step:
start firefox:
sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
2. step:
sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
-remote "openurl(http://www.mozilla.org)"
My current attempts fail because I'm unable to use the '-l' option
(#632377), but would the policy allow the 'firefox -remote' command if
the type and security level match those of the already running sandbox?
kind regards,
Christoph
12 years, 11 months
SELinux and Shorewall with IPSets
by Mr Dash Four
Problems combining these 2 to run while SELinux is in 'enforced' mode
(policy running is the 'stock' targeted one supplied with FC13). I get 2
audit alerts when Shorewall starts (and fails!) - see logs below. I have an
x86_64 arch machine with FC13 running. Stock Shorewall is installed.
IPSet (xtunnels) is compiled in (though with the 'stock' rpm I am
getting the same errors).
The problem seems to be caused by the Shorewall init script (see further
below). The relevant part of my syslog when SELinux is in enforced mode is:
=========SELinux=Enforcing================================
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling...
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.634:29543):
avc: denied { create } for pid=2577 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.637:29544):
avc: denied { create } for pid=2579 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/zones...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/interfaces...
Jun 26 23:18:38 dev1 shorewall[2456]: Determining Hosts in Zones...
Jun 26 23:18:38 dev1 shorewall[2456]: Preprocessing Action Files...
Jun 26 23:18:38 dev1 shorewall[2456]: Pre-processing
/usr/share/shorewall/action.Drop...
Jun 26 23:18:38 dev1 shorewall[2456]: Pre-processing
/usr/share/shorewall/action.Reject...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/policy...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/blacklist...
Jun 26 23:18:38 dev1 shorewall[2456]: ERROR: ipset names in Shorewall
configuration files require Ipset Match in your kernel and iptables :
/etc/shorewall/blacklist (line 11)
Jun 26 23:18:38 dev1 shorewall[2456]: ERROR: Shorewall start failed
==========================================================
When I switch SELinux to Permissive I get two further errors:
=========SELinux=Permissive===============================
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29551):
avc: denied { create } for pid=3799 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29552):
avc: denied { getopt } for pid=3799 comm="ipset" lport=255
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29553):
avc: denied { setopt } for pid=3799 comm="ipset" lport=255
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/zones...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/interfaces...
Jun 26 23:32:45 dev1 shorewall[3678]: Determining Hosts in Zones...
Jun 26 23:32:45 dev1 shorewall[3678]: Preprocessing Action Files...
Jun 26 23:32:45 dev1 shorewall[3678]: Pre-processing
/usr/share/shorewall/action.Drop...
Jun 26 23:32:45 dev1 shorewall[3678]: Pre-processing
/usr/share/shorewall/action.Reject...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/policy...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/blacklist...
Jun 26 23:32:45 dev1 shorewall[3678]: Adding Anti-smurf Rules
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling TCP Flags filtering...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Kernel Route Filtering...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Martian Logging...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 1...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/rules...
Jun 26 23:32:45 dev1 shorewall[3678]: Generating Transitive Closure of
Used-action List...
Jun 26 23:32:45 dev1 shorewall[3678]: Processing
/usr/share/shorewall/action.Reject for chain Reject...
Jun 26 23:32:45 dev1 shorewall[3678]: Processing
/usr/share/shorewall/action.Drop for chain Drop...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 2...
Jun 26 23:32:45 dev1 shorewall[3678]: Applying Policies...
Jun 26 23:32:45 dev1 shorewall[3678]: Generating Rule Matrix...
Jun 26 23:32:45 dev1 shorewall[3678]: Creating iptables-restore input...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling iptables-restore input
for chains blacklst mangle:...
Jun 26 23:32:45 dev1 shorewall[3678]: Shorewall configuration compiled
to /var/lib/shorewall/.start
Jun 26 23:32:45 dev1 shorewall[3678]: Starting Shorewall....
Jun 26 23:32:45 dev1 shorewall[3678]: Initializing...
Jun 26 23:32:46 dev1 kernel: u32 classifier
Jun 26 23:32:46 dev1 kernel: Performance counters on
Jun 26 23:32:46 dev1 kernel: input device check on
Jun 26 23:32:46 dev1 kernel: Actions configured
Jun 26 23:32:46 dev1 shorewall[3678]: Processing /etc/shorewall/init ...
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-x1.ips
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-x2.ips
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-z1.ips
Jun 26 23:32:47 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-z2.ips
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/tcclear ...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Route Filtering...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Martian Logging...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Proxy ARP...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Traffic Control...
Jun 26 23:32:49 dev1 shorewall[3678]: Preparing iptables-restore input...
Jun 26 23:32:49 dev1 shorewall[3678]: Running /sbin/iptables-restore...
Jun 26 23:32:49 dev1 shorewall[3678]: IPv4 Forwarding Enabled
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/start ...
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/started ...
Jun 26 23:32:49 dev1 shorewall[3678]: Shorewall started
==========================================================
The problem seems to be caused by the shorewall init script, which is:
===========Shorewall init script==========================
modprobe ifb numifbs=1
ip link set dev ifb0 up
# configure the ipsets: every *.ips file holds ipset commands that are
# replayed with "ipset -R" (restore)
sw_ips_mask='/etc/shorewall/ips/*.ips'
ipset_exec='/usr/sbin/ipset'
if [ "$COMMAND" = start ]; then
    "$ipset_exec" -F                 # flush every set
    "$ipset_exec" -X                 # then destroy them
    for c in $sw_ips_mask; do        # unquoted on purpose: the glob expands here
        [ -e "$c" ] || continue      # no *.ips files: the glob stays literal, skip it
        echo "loading $c"
        "$ipset_exec" -R < "$c"
    done
fi
==========================================================
The above script executes /usr/sbin/ipset to create my IP Sets needed
for running Shorewall (all IP set commands are contained in those *.ips
files). These IP sets consist mainly of IP subnets which are part of my
blacklists (banned IP subnets), though they also contain some IP Port
sets as well.
I don't know why SELinux denies "create" (and then "getopt" and "setopt")
on what seems to be a raw IP socket (IPSet does not use/need one as far
as I know!). If I remove the IP Set part of the init script above and
rearrange Shorewall to run without IPSets all is well, though its
functionality is VERY limited and barely useful to me!
Two questions to the SELinux gurus on here: 1) Why am I getting these
alerts? and 2) How can I fix the problem so that I could run both
Shorewall and IPSets with SELinux in Enforced mode?
This is important for me as this is a production server and a lot of
stuff runs on it and needs to be available 24/7.
Many thanks in advance!
13 years, 2 months
Trouble sending mail from PHP scripts
by Scott Gifford
Hello,
I'm having some trouble with an SELinux policy to allow sending mail from a
PHP script run from our Web server with a local installation of qmail on a
CentOS 5 system. We send mail using php's mail() function, which calls
/usr/bin/sendmail, which in turn calls /var/qmail/bin/qmail-inject, then
/var/qmail/bin/qmail-queue, which actually puts the message in the queue.
SELinux comes with some default qmail policies, but out-of-the-box we had
AVC denials when qmail-queue would try to write the message into the queue,
since the Web script context was not permitted to do this.
I decided to take this opportunity to learn about writing SELinux policies.
I know qmail very well, so thought I would write a policy for qmail. The
policy would transition to a new type mail_qmail_queue_t when qmail-queue
was run, and then allow this type to write into the queue.
I think I have the basics working, but I'm running into some snags, and I
don't have enough experience to know what sorts of solutions are likely to
work out.
First, I am seeing some denials that seem to be related to file descriptors
passed by Apache to qmail-queue. When qmail-queue is run, stderr is
connected to the Web server log, and stdout is connected to the HTTP socket.
This is a pretty normal setup, which will cause any output to show up in
the user's browser and errors to show up in the Web server log. However I
get these AVC denials:
- Thu Dec 30 01:27:47 2010 type=AVC msg=audit(1293690467.534:90936): avc:
denied { read } for pid=9643 comm="qmail-queue" path="pipe:[4937510]"
dev=pipefs ino=4937510 scontext=system_u:system_r:mail_qmail_queue_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file
- Thu Dec 30 01:27:47 2010 type=AVC msg=audit(1293690467.534:90936): avc:
denied { append } for pid=9643 comm="qmail-queue"
path="/var/log/httpd/error_log" dev=md2 ino=24183170
scontext=system_u:system_r:mail_qmail_queue_t:s0
tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
- Thu Dec 30 01:27:47 2010 type=AVC msg=audit(1293690467.534:90936): avc:
denied { read write } for pid=9643 comm="qmail-queue"
path="socket:[13964]" dev=sockfs ino=13964
scontext=system_u:system_r:mail_qmail_queue_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=tcp_socket
I could write policy to allow mail_qmail_queue access to these httpd_t
resources, but in general it should not have that access; only when it is
run from Apache. I could create a special type for "qmail-queue run from
Apache", but that quickly gets out-of-hand if I create custom policies for
each program that sends mail. What is the normal way to deal with these
sorts of situations?
Second, I am having some trouble getting file contexts set up. I have
several qmail installations with different policies, so I wrote a rule in my
fc file like this:
/var/qmail(-.*)?/bin/qmail-queue --
gen_context(system_u:object_r:mail_qmail_queue_exec_t,s0)
When I use that rule, qmail-queue gets labeled bin_t, I think because of
another rule saying anything in a directory named "bin" is "bin_t". How can
I tell it my rule is more specific or higher priority than the default rule?
For that matter, how can I figure out what rule is overriding mine?
Third, is there a useful guide for troubleshooting SELinux policy execution?
When things don't work as I expect them to, it's hard to find the reason if
it's not obvious from the audit.log.
Finally, can anybody recommend a good book or other resource for learning
SELinux? I have *SELinux by Example*, but it seems that conventions for
policy files have changed a great deal since it was written.
Thanks!
-----Scott.
13 years, 2 months
Issues logging into more than one system
by David Highley
Keep getting AVCs when I log into multiple Fedora 14 systems with
automounted home directories. Labels keep getting mucked up after
logging into a client NFS host.
NFS directory server has files located in /export/home/<user>. Have done
semanage fcontext -a -e /home /export/home. They automount to
/home/<user>.
time->Sat Dec 4 15:36:14 2010
type=SYSCALL msg=audit(1291505774.397:17149): arch=c000003e syscall=21
success=no exit=-13 a0=2320f80 a1=6 a2=20 a3=0 items=0 ppid=23814
pid=23980 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000
egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2462
comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1291505774.397:17149): avc: denied { write } for
pid=23980 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2
ino=392531 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_home_t:s0 tclass=file
----
time->Sat Dec 4 15:36:14 2010
type=SYSCALL msg=audit(1291505774.397:17150): arch=c000003e syscall=77
success=no exit=-13 a0=c a1=0 a2=7fff53028020 a3=0 items=0 ppid=23814
pid=23980 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000
egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2462
comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1291505774.397:17150): avc: denied { write } for
pid=23980 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2
ino=392531 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_home_t:s0 tclass=file
13 years, 2 months
razor policy
by Vadym Chepkov
Hi,
It seems for some reason the selinux-targeted policy on Fedora doesn't install the razor policy and, furthermore, removes it if the razor module was installed.
I guess it is done for simplicity, to have just one "spam" domain. But, somehow the proper labeling was forgotten:
selinux-policy-targeted-3.9.7-18.fc14.noarch
# ls -Z /usr/bin/razor-*
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-admin
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-check
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-client
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-report
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-revoke
# ls -dZ /home/vchepkov/.razor
drwxr-xr-x. vchepkov users unconfined_u:object_r:user_home_t:s0 /home/vchepkov/.razor
# ls -dZ /root/.razor
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 /root/.razor
Vadym
P.S. On a related note, how do $HOME files get their labeling?
# semanage fcontext -l|grep pyzor
has a reference only to
/root/\.pyzor(/.*)? all files system_u:object_r:pyzor_home_t:s0
but the directory gets proper labeling:
# ls -dZ /home/vchepkov/.pyzor
drwx------. vchepkov users unconfined_u:object_r:spamc_home_t:s0 /home/vchepkov/.pyzor
13 years, 2 months
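Added example, not from any of the posts in this digest: a small Python model of how file_contexts entries are ordered and matched, written to reproduce two things raised above: Scott Gifford's qmail-queue rule losing to a bin_t entry, and the P.S. just above about where /home/<user>/.pyzor gets spamc_home_t from although `semanage fcontext -l` only lists the /root entry. The ordering rule is a simplified assumption modelled on fc_sort (entries without regex metacharacters sort last, then longer literal stem, then longer regex, then entries carrying a file-type flag; entries are searched from the most specific end, so the last match wins; file_contexts.local is consulted first), the HOME_DIR expansion is a model of what genhomedircon does, and the sample entries are constructed rather than copied from any real policy.

```python
"""Simplified model of libselinux file_contexts ordering and matching (added
example). Assumptions: fc_sort-style ordering (no-metacharacter entries last,
then longer stem, then longer regex, then entries with a file-type flag), the
last matching entry wins, file_contexts.local is consulted before everything
else, and HOME_DIR templates expand once per home root as genhomedircon does."""
import re
from dataclasses import dataclass
from typing import Optional

_META = re.compile(r"[.^$?*+|\[\](){}\\]")  # regex metacharacters, as fc_sort treats them


@dataclass
class FcEntry:
    regex: str
    ftype: Optional[str]  # "--" regular file, "-d" directory, ... or None for any type
    context: str
    source: str = "base"  # "base", "homedirs" or "local"

    @property
    def stem(self):
        """Leading path components up to the first one containing a metacharacter."""
        keep = []
        for part in self.regex.split("/"):
            if _META.search(part):
                break
            keep.append(part)
        return "/".join(keep)

    def sort_key(self):
        # Larger key = more specific = sorted later = beats earlier matches.
        return (0 if _META.search(self.regex) else 1, len(self.stem), len(self.regex), self.ftype is not None)

    def matches(self, path, ftype):
        return (self.ftype is None or self.ftype == ftype) and re.fullmatch(self.regex, path) is not None


def parse_fc(text, source="base"):
    """Parse file_contexts lines; gen_context(ctx,level) is flattened to ctx:level."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        regex, ftype, ctx = fields if len(fields) == 3 else (fields[0], None, fields[1])
        m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", ctx)
        entries.append(FcEntry(regex, ftype, f"{m.group(1)}:{m.group(2)}" if m else ctx, source))
    return entries


def expand_homedirs(template, home_roots=("/home",)):
    """Model genhomedircon: HOME_DIR -> <root>/[^/]+ and HOME_ROOT -> <root>, once per root."""
    return "\n".join(line.replace("HOME_DIR", root + "/[^/]+").replace("HOME_ROOT", root)
                     for line in template.splitlines() if "HOME_" in line for root in home_roots)


def lookup(entries, path, ftype="--"):
    """Winning entry for path: last-added local customisation first, else the most specific base match."""
    local = [e for e in entries if e.source == "local" and e.matches(path, ftype)]
    if local:
        return local[-1]
    hits = [e for e in sorted(entries, key=FcEntry.sort_key)
            if e.source != "local" and e.matches(path, ftype)]
    return hits[-1] if hits else None


# Constructed sample entries, loosely modelled on refpolicy; not a dump of any real policy.
BASE_FC = r"""
/.*                                gen_context(system_u:object_r:default_t,s0)
/usr/(.*/)?bin(/.*)?               gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)?               gen_context(system_u:object_r:bin_t,s0)
/var/qmail(-.*)?/bin/qmail-queue   --   gen_context(system_u:object_r:mail_qmail_queue_exec_t,s0)
/root/\.pyzor(/.*)?                gen_context(system_u:object_r:pyzor_home_t,s0)
"""
HOMEDIR_TEMPLATE = r"""
HOME_DIR/.*                        gen_context(system_u:object_r:user_home_t,s0)
HOME_DIR/\.pyzor(/.*)?             gen_context(system_u:object_r:spamc_home_t,s0)
"""


def demo():
    base = parse_fc(BASE_FC) + parse_fc(expand_homedirs(HOMEDIR_TEMPLATE), "homedirs")
    queue = "/var/qmail/bin/qmail-queue"
    # "(-.*)?" right after /var/qmail cuts the stem down to "/var", so the plain
    # /var/qmail/bin(/.*)? entry (stem "/var/qmail") sorts later and wins.
    results = {"base": lookup(base, queue).context}
    # The same regex added with semanage fcontext -a lands in file_contexts.local and wins outright.
    local = parse_fc("/var/qmail(-.*)?/bin/qmail-queue -- system_u:object_r:mail_qmail_queue_exec_t:s0", "local")
    results["local"] = lookup(base + local, queue).context
    # A literal path has no metacharacters and a long stem, so it sorts last among base entries.
    literal = parse_fc("/var/qmail/bin/qmail-queue -- system_u:object_r:mail_qmail_queue_exec_t:s0")
    results["literal"] = lookup(base + literal, queue).context
    # Per-user entries come from the HOME_DIR template, not from an explicit /home/... line.
    results["user_pyzor"] = lookup(base, "/home/vchepkov/.pyzor", "-d").context
    results["root_pyzor"] = lookup(base, "/root/.pyzor", "-d").context
    return results
```

The point to take away: `/var/qmail(-.*)?/bin/qmail-queue` has the literal stem `/var` only, because its first metacharacter comes right after `/var/qmail`, so any catch-all with a longer stem (such as `/var/qmail/bin(/.*)?`) sorts after it and wins. Adding the rule with `semanage fcontext -a` puts it in file_contexts.local, which is consulted before the base entries; spelling the path out literally in the .fc file also works. On a real system `matchpathcon <path>` prints the context that wins, which is the quickest way to see which rule is overriding yours.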
Denied for comm='ps' name='stat' {open} {read} {search}
by Frank Licea
I'm on a fresh install of Fedora 14 and using Phusion Passenger. I currently
have SELinux in permissive mode.
When I checked my /var/log/audit/audit.log file I noticed three denial
messages and I can't figure out why they are there. Has anyone encountered
anything similar before?
==========================
type=AVC msg=audit(1293393237.358:102): avc: denied { search } for
pid=3451 comm="ps" name="3279" dev=proc ino=9320
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
type=AVC msg=audit(1293393237.358:102): avc: denied { read } for pid=3451
comm="ps" name="stat" dev=proc ino=9816
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
type=AVC msg=audit(1293393237.358:102): avc: denied { open } for pid=3451
comm="ps" name="stat" dev=proc ino=9816
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
==========================
13 years, 2 months
Using audit2why with tail?
by Frank Licea
I'd like to scroll the output messages located in /var/log/audit/audit.log.
I know I can do that with tail -f /var/log/audit/audit.log.
Is there a way to somehow pipe that through audit2why and tail -f to clean
up the messages as they happen?
13 years, 2 months
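Added example, not part of any post in this digest: a Python stand-in for the audit2allow/audit2why step that several threads above end up at (the Shorewall/ipset rawip_socket denials, the qmail-queue descriptor denials, the ps-in-httpd_t denials, and the tail -f question just above). It re-joins audit records that were wrapped across mail lines, merges denials per (source type, target type, object class) and prints the rule audit2allow would propose; because it handles one line at a time it can sit behind `tail -f /var/log/audit/audit.log`, which is the incremental use asked about. The sample input is quoted from denials posted in this digest, the script name avc_rules.py is assumed, and the parser is a deliberately small model of the audit record format, not the real audit2allow.

```python
"""Minimal audit2allow stand-in (added example): parse AVC denials, merge them
per (source type, target type, class) and render candidate rules, line by line
so a live tail -f can be piped in. Assumption: audit records may arrive wrapped
across several lines, as mail clients wrap them."""
import re
import sys
from collections import defaultdict

AVC_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')         # key=value or key="quoted value"
PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]+)\}")   # the { read write } permission set

# Sample input quoted from the denials posted in this digest; the mail wrapping
# is kept on purpose so the record re-assembly below gets exercised.
SAMPLE = """\
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.634:29543):
avc: denied { create } for pid=2577 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/zones...
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29552):
avc: denied { getopt } for pid=3799 comm="ipset" lport=255
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29553):
avc: denied { setopt } for pid=3799 comm="ipset" lport=255
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
- Thu Dec 30 01:27:47 2010 type=AVC msg=audit(1293690467.534:90936): avc:
denied { read write } for pid=9643 comm="qmail-queue"
path="socket:[13964]" dev=sockfs ino=13964
scontext=system_u:system_r:mail_qmail_queue_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=tcp_socket
"""


def iter_records(lines):
    """Re-join wrapped lines into audit records. A record starts at a line carrying
    type=... (or time->/----) and is complete once tclass= has been seen, the last
    field of an AVC record, so a live stream emits each denial without waiting."""
    buf = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if re.search(r"\btype=\w+", line) or line.startswith(("time->", "----")):
            if buf:
                yield " ".join(buf)
            buf = [line]
        else:
            buf.append(line)
        if buf and "tclass=" in buf[-1]:
            yield " ".join(buf)
            buf = []
    if buf:
        yield " ".join(buf)


def parse_avc(record):
    """Return the parts of an AVC denial we care about, or None for any other record."""
    m = PERMS.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in AVC_FIELD.findall(record)}
    try:
        return {"perms": set(m.group(1).split()),
                "source": fields["scontext"].split(":")[2],  # type part of user:role:type:level
                "target": fields["tcontext"].split(":")[2],
                "tclass": fields["tclass"]}
    except (KeyError, IndexError):
        return None


def summarize(lines):
    """Merge every denial for the same (source, target, class) into one permission set."""
    rules = defaultdict(set)
    for record in iter_records(lines):
        avc = parse_avc(record)
        if avc:
            rules[(avc["source"], avc["target"], avc["tclass"])] |= avc["perms"]
    return {key: sorted(perms) for key, perms in rules.items()}


def as_te_rules(summary, verb="allow"):
    """Render rules the way audit2allow prints them, with 'self' when source and target
    types coincide. verb="dontaudit" is the common choice for descriptors a caller
    leaked to a child (the httpd_t socket above) that the child does not need."""
    out = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        tgt = "self" if tgt == src else tgt
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"{verb} {src} {tgt}:{cls} {perm};")
    return out


def follow(lines, verb="allow"):
    """Incremental form for `tail -f audit.log | python3 avc_rules.py -`: yields the
    updated rule whenever a denial adds a permission not seen before for its key."""
    seen = defaultdict(set)
    for record in iter_records(lines):
        avc = parse_avc(record)
        if not avc:
            continue
        key = (avc["source"], avc["target"], avc["tclass"])
        if avc["perms"] - seen[key]:
            seen[key] |= avc["perms"]
            yield as_te_rules({key: sorted(seen[key])}, verb)[0]


if __name__ == "__main__":
    source = sys.stdin if "-" in sys.argv[1:] else SAMPLE.splitlines()
    for rule in follow(source):
        print(rule, flush=True)
```

Run it as `tail -f /var/log/audit/audit.log | python3 avc_rules.py -` to watch the rules grow as denials arrive, or without arguments to process the embedded sample. Treat the output as a starting point for reading, not as a module to load unchanged: the shorewall_t line is exactly what audit2allow would say for the ipset case, whereas for the httpd_t pipe and socket inherited by qmail-queue the rendered `allow` is the wrong shape, and `as_te_rules(summary, verb="dontaudit")` gives the form that silences the noise without granting the access.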
sshd_t & guest_t - Boolean suggestion
by Jorge Fábregas
Hello again,
If all my SSH users are "guest_u" users (guest_t domain) and there won't be
any admin connecting to the machine...wouldn't it be great to remove the
capability sshd_t has in transitioning into unconfined_t? ...by means of a
boolean?
Thanks,
Jorge
13 years, 2 months
Type aliases & sesearch
by Jorge Fábregas
Hi,
I was using sesearch to verify the allow rule for sshd and how it transitions
to unconfined_t:
# sesearch --allow -s sshd_t -c process -p transition
Found 12 semantic av rules:
allow sshd_t oddjob_mkhomedir_t : process transition ;
allow domain abrt_helper_t : process transition ;
allow sshd_t chkpwd_t : process transition ;
allow sshd_t passwd_t : process transition ;
allow sshd_t updpwd_t : process transition ;
allow sshd_t mount_t : process transition ;
allow sshd_t rssh_t : process transition ;
allow sshd_t xauth_t : process transition ;
allow sshd_t nx_server_t : process transition ;
allow sshd_t unpriv_userdomain : process { transition signal } ;
allow polydomain setfiles_t : process transition ;
allow unconfined_login_domain unconfined_t : process transition ;
I see it transitions to unconfined_t by means of "unconfined_login_domain", which
I guess is a type alias. How can I list all types that have
"unconfined_login_domain" as an alias? Is there a way to do this with
sesearch or without having the policy source installed?
Thanks,
Jorge
13 years, 2 months