Re: avc: smartcard token login
by Dominick Grift
Signed-off-by: Dominick Grift <domg472(a)gmail.com>
---
:100644 100644 26e9f79... bac72c6... M policy/modules/system/locallogin.te
policy/modules/system/locallogin.te | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 26e9f79..bac72c6 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -188,6 +188,12 @@ optional_policy(`
')
optional_policy(`
+ openct_stream_connect(local_login_t)
+ openct_signull(local_login_t)
+ openct_read_pid_files(local_login_t)
+')
+
+optional_policy(`
unconfined_shell_domtrans(local_login_t)
')
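Review bot: the commit message is empty apart from the subject line and the Signed-off-by, so nothing records why local_login_t now needs openct_stream_connect, openct_signull and openct_read_pid_files; the three interfaces read like a PAM module probing whether the openct daemon is alive (pid file, signull) and then talking to its socket during a smartcard login, and that rationale, plus the AVCs that prompted it, belongs in the message. Before merging, also confirm that openct_signull and openct_read_pid_files are defined in the openct.if of the policy this targets: an optional_policy block only covers the openct module being absent as a whole, and an interface name that m4 cannot expand breaks the build.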
--
1.7.3.2
13 years, 4 months
touch & how labels are created
by Jorge Fábregas
Hi,
I'm trying to figure out how labels are actually created. I know rpm has the
smarts to consult the file_contexts file in order to assign the correct labels,
but I was doing some tests with "touch" and I have some doubts. For example:
cd /etc
rm hosts
touch hosts
ls -lZ /etc/hosts
(it shows etc_t as its type)
If I do a restorecon of the hosts file I'll get the correct net_conf_t for the
file.
Since I don't think "touch" is SELinux aware (because if it was it would have
created the file with the correct label), then who|what created the SELinux
context on the hosts file after using touch? Is it some low level facility
(e.g. a system call) that assigns the label based just on the label of the
parent directory? If it is, why doesn't it also consult the file_contexts file?
Thanks in advance,
Jorge
13 years, 4 months
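The two mechanisms behind the behaviour Jorge describes, modelled as an added example (not part of the thread and not libselinux code): the kernel labels a new inode from the parent directory's type, or from a type_transition rule in the loaded policy, and never reads file_contexts; restorecon, setfiles and rpm resolve the path against file_contexts regexes in userspace and relabel with setxattr. The file_contexts fragment and the type_transition table below are constructed for the example, the matcher's ordering (longest literal prefix wins, later entry breaks ties) is a simplification of libselinux's and not a reimplementation, and filename-based type_transition rules that newer kernels support are not modelled.

```python
# Added example: why "touch /etc/hosts" yields etc_t while restorecon yields net_conf_t.
#   kernel_create_label(): what the kernel does on create(2)/mkdir(2). The new inode
#       takes the parent directory's type unless a type_transition rule applies;
#       file_contexts is never consulted here.
#   matchpathcon(): the userspace lookup (restorecon, setfiles, rpm) that resolves a
#       path against file_contexts regexes.
# file_contexts fragment and type_transition table are constructed for illustration.
import re
from collections import namedtuple

FileContextEntry = namedtuple("FileContextEntry", "regex ftype context")

# Constructed fragment in file_contexts syntax: regex, optional file-type flag, context.
FILE_CONTEXTS = r"""
/etc(/.*)?                    system_u:object_r:etc_t:s0
/etc/hosts.*              --  system_u:object_r:net_conf_t:s0
/etc/resolv\.conf.*       --  system_u:object_r:net_conf_t:s0
/var/log(/.*)?                system_u:object_r:var_log_t:s0
/var/log/httpd(/.*)?          system_u:object_r:httpd_log_t:s0
"""

# file_contexts type flags -> kernel object classes
FTYPE_CLASS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
               "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}
_META = re.compile(r"[.^$?*+|\[\](){}\\]")


def parse_file_contexts(text):
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        regex, context = parts[0], parts[-1]
        ftype = parts[1] if len(parts) == 3 else None
        entries.append(FileContextEntry(re.compile(regex), ftype, context))
    return entries


def literal_prefix_len(pattern):
    """Length of the fixed path prefix before the first regex metacharacter."""
    m = _META.search(pattern)
    return len(pattern) if m is None else m.start()


def matchpathcon(entries, path, cls="file"):
    """Userspace lookup: the matching entry with the longest literal prefix wins;
    among equals the later line wins. Returns None if nothing matches."""
    best = None
    for idx, e in enumerate(entries):
        if e.ftype is not None and FTYPE_CLASS[e.ftype] != cls:
            continue
        if e.regex.fullmatch(path) is None:
            continue
        key = (literal_prefix_len(e.regex.pattern), idx)
        if best is None or key > best[0]:
            best = (key, e.context)
    return None if best is None else best[1]


# Constructed type_transition table: (creating domain, parent dir type, class) -> new type.
TYPE_TRANSITIONS = {
    ("httpd_t", "var_log_t", "file"): "httpd_log_t",
}


def split_ctx(ctx):
    """user, role, type, level; level defaults to s0 when a context omits it."""
    parts = ctx.split(":", 3)
    return parts + ["s0"] * (4 - len(parts))


def kernel_create_label(parent_ctx, subject_ctx, cls="file", transitions=TYPE_TRANSITIONS):
    """Label the kernel assigns to a new object: the creating process's SELinux user,
    object_r, the parent's type (or a type_transition target), the process's low level."""
    suser, _srole, stype, srange = split_ctx(subject_ctx)
    _puser, _prole, ptype, _plevel = split_ctx(parent_ctx)
    new_type = transitions.get((stype, ptype, cls), ptype)
    low_level = srange.split("-")[0]
    return f"{suser}:object_r:{new_type}:{low_level}"


def needs_restorecon(entries, path, parent_ctx, subject_ctx, cls="file"):
    """True when the type the kernel will assign differs from what file_contexts says."""
    created = kernel_create_label(parent_ctx, subject_ctx, cls)
    expected = matchpathcon(entries, path, cls)
    return expected is not None and split_ctx(created)[2] != split_ctx(expected)[2]


ENTRIES = parse_file_contexts(FILE_CONTEXTS)

if __name__ == "__main__":
    shell = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
    print("touch /etc/hosts  ->", kernel_create_label("system_u:object_r:etc_t:s0", shell))
    print("file_contexts says ->", matchpathcon(ENTRIES, "/etc/hosts"))
    print("restorecon needed:", needs_restorecon(ENTRIES, "/etc/hosts", "system_u:object_r:etc_t:s0", shell))
```

The `touch` case lands on etc_t because nothing in the loaded policy transitions unconfined_t creating a file in etc_t, while the httpd_t/var_log_t row shows the other path: a type_transition rule gives the right label at creation time with no relabel pass needed. The file-type flag (`--`) matters too: the same path created as a directory falls back to the `/etc(/.*)?` entry.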
http AVC
by Tony Molloy
Hi,
I'm running http on a fully updated Centos 5 system.
httpd-2.2.3-43.el5.centos.3.x86_64
selinux-policy-2.4.6-279.el5_5.2.noarch
selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
I'm trying to run a cgi script from a user directory.
With SELinux enabled I get the following error.
[Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8] (13)Permission denied: exec of '/usr/sbin/suexec' failed
[Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8] Premature end of script headers: survey.cgi
With SELinux in permissive mode I get the following AVC
Summary:
SELinux prevented httpd executing access to http files.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux prevented httpd executing access to http files. Ordinarily httpd is
allowed full access to all files labeled with http file context. This machine
has a tightened security policy with the httpd_unified turned off; this requires
explicit labeling of all files. If a file is a cgi script it needs to be labeled
with httpd_TYPE_script_exec_t in order to be executed. If it is read-only
content, it needs to be labeled httpd_TYPE_content_t; if it is writable content,
it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can
use the chcon command to change these contexts. Please refer to the man page
"man httpd_selinux" or FAQ (http://fedora.redhat.com/docs/selinux-apache-fc3).
"TYPE" refers to one of "sys", "user" or "staff" or potentially other script
types.
Allowing Access:
Changing the "httpd_unified" boolean to true will allow this access:
"setsebool -P httpd_unified=1"
The following command will allow this access:
setsebool -P httpd_unified=1
Additional Information:
Source Context                system_u:system_r:httpd_t
Target Context                system_u:object_r:httpd_suexec_exec_t
Target Objects                /usr/sbin/suexec [ file ]
Source                        suexec
Source Path                   /usr/sbin/suexec
Port                          <Unknown>
Host                          a.b.c.d
Source RPM Packages           httpd-2.2.3-43.el5.centos.3
Target RPM Packages           httpd-2.2.3-43.el5.centos.
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   httpd_unified
Host Name                     a.b.c.d
Platform                      Linux a.b.c.d 2.6.18-194.17.4.el5 #1 SMP Mon Oct 25 15:50:53 EDT 2010 x86_64
Alert Count                   2
First Seen                    Thu Dec 2 13:09:20 2010
Last Seen                     Thu Dec 2 13:33:32 2010
Local ID                      4a26d013-6f04-4a0f-af21-760368cc9908
Line Numbers
Raw Audit Messages
host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied { execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec" dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90 a2=2abae37684d8 a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="suexec" exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_t:s0 key=(null)
So it suggests "setsebool -P httpd_unified=1" will allow this access.
However getsebool -a | grep http gives
httpd_unified --> on
So it is already on.
Thanks,
Tony
13 years, 4 months
Fwd: Re: http AVC
by Tony Molloy
---------- Forwarded Message ----------
Subject: Re: http AVC
Date: Thursday 02 December 2010, 17:21:25
From: Daniel J Walsh <dwalsh(a)redhat.com>
To: Tony Molloy <tony.molloy(a)ul.ie>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/02/2010 12:15 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 15:04:24 you wrote:
>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>> Hi,
>>>
>>> I'm running http on a fully updated Centos 5 system.
>>>
>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>
>>>
>>> I'm trying to run a cgi script from a user directory.
>>>
>>> With SELinux enabled I get the following error.
>>>
>>> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
>>>
>>> (13)Permission denied: exec of '/usr/sbin/suexec' failed
>>>
>>> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
>>>
>>> Premature end of script headers: survey.cgi
>>>
>>> With SELinux in permissive mode I get the following AVC
>>>
>>> Summary:
>>>
>>> SELinux prevented httpd executing access to http files.
>>>
>>> Detailed Description:
>>>
>>> [SELinux is in permissive mode, the operation would have been denied but
>>> was permitted due to permissive mode.]
>>>
>>> SELinux prevented httpd executing access to http files. Ordinarily httpd
>>> is allowed full access to all files labeled with http file context. This
>>> machine has a tightened security policy with the httpd_unified turned
>>> off, this requires
>>> explicit labeling of all files. If a file is a cgi script it needs to be
>>> labeled
>>> with httpd_TYPE_script_exec_t in order to be executed. If it is read-only
>>> content, it needs to be labeled httpd_TYPE_content_t, it is writable
>>> content. it
>>> needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You
>>> can use the chcon command to change these contexts. Please refer to the
>>> man page "man httpd_selinux" or FAQ
>>> (http://fedora.redhat.com/docs/selinux-apache-fc3) "TYPE" refers to one
>>> of "sys", "user" or "staff" or potentially other script types.
>>>
>>> Allowing Access:
>>>
>>> Changing the "httpd_unified" boolean to true will allow this access:
>>> "setsebool -P httpd_unified=1"
>>>
>>> The following command will allow this access:
>>>
>>> setsebool -P httpd_unified=1
>
>>> Raw Audit Messages
>>>
>>> host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied {
>>> execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec"
>>> dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
>>>
>>> host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e
>>> syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90
>>> a2=2abae37684d8 a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48
>>> gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none)
>>> ses=4294967295 comm="suexec" exe="/usr/sbin/suexec"
>>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>>
>>>
>>> So it suggests "setsebool -P httpd_unified=1" will allow this access.
>>>
>>> However getsebool -a | grep http gives
>>> httpd_unified --> on
>>>
>>> So it is already on.
>>>
>>>
>>> Thanks,
>>>
>>> Tony
>>
>> Do you have httpd_suexec_disable_trans turned on?
>
>
> Yep
>
> getsebool -a | grep http
>
> httpd_suexec_disable_trans --> on
> httpd_enable_cgi --> on
>
>
> Tony
>
>
> >
>Turn the httpd_suexec_disable_trans off
>setsebool -P httpd_suexec_disable_trans 0
>And I bet it will work
OK I'll try that, but I won't be able to test it until tomorrow morning.
I'll let you know what happens.
Thanks,
Tony
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkz31ZUACgkQrlYvE4MpobPhRQCeNTeiAI98Szsc1dVmFpP0SynC
RkMAnRlIiPwYqUYzhdbtGv5Hav8N+Ngk
=x3GH
-----END PGP SIGNATURE-----
-----------------------------------------
13 years, 4 months
proftpd AVC on Rawhide
by Paul Howarth
I've just been trying out proftpd on a Rawhide box with /var/run on
tmpfs, and got this AVC:
time->Wed Dec 1 16:33:16 2010
type=SYSCALL msg=audit(1291221196.017:128): arch=40000003 syscall=5 success=no exit=-13 a0=1c3f6c a1=a0142 a2=180 a3=9665f78 items=0 ppid=1213 pid=1336 auid=500 uid=0 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=8 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1291221196.017:128): avc: denied { search } for pid=1336 comm="proftpd" name="user" dev=tmpfs ino=12173 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
It's trying to look in /var/run/user I think.
I don't know why it was trying to do this (maybe related to
pam_systemd?) but it didn't seem to stop it working.
Paul.
13 years, 4 months
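The two raw denials on this page (the execute_no_trans AVC from the http AVC thread and the search AVC Paul reports for proftpd) as input to an added example that is not part of either post: a small Python parser that joins AVC and SYSCALL records sharing an audit serial, prints the allow rule audit2allow would produce, and adds the triage hints a reviewer would want before pasting that rule into a module, including the one Dan Walsh made in the http thread (execute_no_trans on an *_exec_t target usually means a domain transition was expected but disabled). The sample records are the posted lines re-joined onto one line each; the hint wording is mine, not setroubleshoot's.

```python
# Added example (not from the thread): join audit AVC and SYSCALL records by serial,
# emit an audit2allow-style rule for each denial, and attach triage hints.
# SAMPLE_AUDIT is a copy of the two denials posted on this page, one record per line.
import re
from collections import defaultdict

SAMPLE_AUDIT = r"""
host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied { execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec" dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90 a2=2abae37684d8 a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="suexec" exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SYSCALL msg=audit(1291221196.017:128): arch=40000003 syscall=5 success=no exit=-13 a0=1c3f6c a1=a0142 a2=180 a3=9665f78 items=0 ppid=1213 pid=1336 auid=500 uid=0 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=8 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1291221196.017:128): avc: denied { search } for pid=1336 comm="proftpd" name="user" dev=tmpfs ino=12173 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
"""

# search (not match) so a leading "host=..." prefix, as in the posted lines, is tolerated
REC_RE = re.compile(r"type=(?P<type>\w+)\s+msg=audit\((?P<time>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(s):
    """key=value fields; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(s)}


def parse_audit(text):
    """Group records by audit serial so an AVC and its SYSCALL record travel together."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = REC_RE.search(line)
        if m is None:
            continue
        ev = events[m["serial"]]
        ev["time"] = m["time"]
        if m["type"] == "AVC":
            a = AVC_RE.match(m["body"])
            ev["avc"] = {"verdict": a["verdict"], "perms": a["perms"].split(), **parse_kv(a["rest"])}
        elif m["type"] == "SYSCALL":
            ev["syscall"] = parse_kv(m["body"])
    return dict(events)


def ctx_type(ctx):
    """Type field of a user:role:type[:level] context."""
    return ctx.split(":", 3)[2]


def allow_rule(avc):
    """The rule audit2allow would print for one AVC record."""
    perms = avc["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {ctx_type(avc['scontext'])} {ctx_type(avc['tcontext'])}:{avc['tclass']} {p};"


def triage(ev):
    """Hints a reviewer would want before adding the allow rule to a policy module."""
    avc, sc = ev["avc"], ev.get("syscall", {})
    stype, ttype = ctx_type(avc["scontext"]), ctx_type(avc["tcontext"])
    hints = []
    if "execute_no_trans" in avc["perms"] and ttype.endswith("_exec_t"):
        hints.append(f"{stype} executed {avc.get('path', '?')} without a domain transition; "
                     "look for a disabled transition (e.g. a *_disable_trans boolean) "
                     "before allowing execute_no_trans")
    if sc.get("success") == "yes":
        hints.append("syscall succeeded despite the denial: permissive mode (global or per-domain)")
    elif sc.get("success") == "no":
        hints.append(f"syscall failed with exit={sc['exit']}: enforced denial")
    if avc["tclass"] == "dir" and avc["perms"] == ["search"]:
        hints.append(f"path walk through a {ttype} directory; consider dontaudit if the lookup is incidental")
    return hints


if __name__ == "__main__":
    for serial, ev in parse_audit(SAMPLE_AUDIT).items():
        print(serial, allow_rule(ev["avc"]))
        for h in triage(ev):
            print("   -", h)
```

The SYSCALL record is what distinguishes the two cases: `success=yes` on Tony's serial 97588 is the fingerprint of a permissive-mode report (the denial was logged but the exec went ahead), while `success=no exit=-13` (EACCES) on Paul's serial 128 is a real enforced denial. The rule printed for 97588 is exactly the one not to add: the hint points at the transition instead.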