Re: selinux Digest, Vol 73, Issue 20
by Neeraj Vishwakarma
On 3/22/10, selinux-request(a)lists.fedoraproject.org
<selinux-request(a)lists.fedoraproject.org> wrote:
>
> Today's Topics:
>
> 1. Looking for SELinux advice regarding samba, apache
> (Toby Ovod-Everett)
> 2. Re: Looking for SELinux advice regarding samba, apache
> (Dominick Grift)
> 3. selinux-policy.spec: Buildrequires missing make and gcc.
> (Dominick Grift)
> 4. Re: selinux-policy.spec: Buildrequires missing make and gcc.
> (Chuck Anderson)
> 5. Re: selinux-policy.spec: Buildrequires missing make and gcc.
> (Dominick Grift)
> 6. Re: selinux-policy.spec: Buildrequires missing make and gcc.
> (Jason L Tibbitts III)
> 7. Re: Looking for SELinux advice regarding samba, apache
> (Paul Howarth)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 21 Mar 2010 08:21:02 -0800
> From: Toby Ovod-Everett <toby(a)ovod-everett.org>
> Subject: Looking for SELinux advice regarding samba, apache
> To: selinux(a)lists.fedoraproject.org
> Message-ID: <20100321162102.GA1875(a)vin.ovod-everett.org>
> Content-Type: text/plain; charset=us-ascii
>
> Two issues in this e-mail. The first is a general request for advice on how
> to structure things for a home-grown photo system I developed - I had it
> working, now the SELinux config has some issues, etc. The second is that
> something changed in libselinux or selinux-policy since January 17th and it's
> causing Samba some issues.
>
> So, here's a brief overview of the photo archive system I developed, the
> issues, and how I have them currently resolved.
>
> My server machine runs Fedora 12 with a pretty vanilla configuration and I run
> yum update regularly. I have two partitions - /, which contains the OS
> install, user directories, etc., and /data, which I use for some large data
> sets that I don't want to have to copy when rebuilding the machine during OS
> upgrades. In particular, the major large data set is /data/photos.
>
> There are three major directory trees that impact the photo system:
>
> /data/photos - contains the actual digital images in /data/photos/images and
> the information about them in /data/photos/info. Context from / is:
>
> dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
> drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 data
> drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos
>
> /data/photos needs to be r/w for my user account (which is a member of photos)
> and readable for apache. I generally access /data/photos through Samba from
> my user machine which runs (gasp) Windows 7.
>
>
> /var/www/cgi-bin/photos - contains the Perl scripts that implement the web
> frontend for viewing the photos (loading photos is all done from the Command
> Line). I have httpd_enable_cgi=>on in order to support this. Context is
> unchanged from default configs. Desire r/w access through Samba from my user
> machine for editing the scripts using Notepad++.
>
>
> /var/www/html/thumbnails - contains directories of thumbnails for the photos.
> These are persistently cached in this tree and automatically generated or
> updated as required by the Perl scripts above when required. This data
> doesn't have to persist across rebuilds. There are different subdirectories
> for the different supported thumbnail sizes and each subdir needs to be
> r/w for apache. Context from / is:
> dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
> drwxr-xr-x. root root system_u:object_r:var_t:s0 var
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
> drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 thumbnails
> drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 180x180
>
>
> One of the main issues is that I need Samba to have r/w to a bunch of the
> trees that apache needs access to. Current Samba SELinux config is
> samba_enable_home_dirs=>on, allow_smbd_anon_write=>on,
> samba_export_all_rw=>on. I'd like to be able to pull the latter eventually,
> but then I need to be able to figure out how to give Samba r/w access to the
> cgi-bin directory.
>
>
> Now on to the "what broke" question. Somewhere in the last two months (it's
> been a while since I've added photos), I lost the ability to use Samba to
> access /data/photos. Generally I access it through a symlink in my homedir:
> lrwxrwxrwx. 1 toby toby 12 2008-11-28 15:05 photos -> /data/photos
>
> This has stopped working. Things I tried:
> * Verifying symlinks. I have Mail -> mail in my homedir and that still
> works.
> * Verifying SELinux settings conform to above model.
> * Creating a separate share for /data/photos. This worked.
>
> I obviously have a workaround now, but as a solution it's annoying, because it
> requires me to create separate shares for all of the things I want to access
> from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and
> /var/www/html/public_html/toby) and then map to them all separately on my
> Windows machine on separate drive letters, instead of having a single share
> that accesses everything.
>
> I'm beginning to suspect the problem is Samba, not SELinux, because my
> attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn
> up any events that correlate with attempts to access those directories through
> the symlinks. At this point, I'm beginning to suspect a fix in Samba 3.4.6 or
> 3.4.7 related to the "Samba Remote Directory Traversal" exploit that was
> announced in early February, but I'm hitting my patience limit (my 3 year old
> is ready for breakfast), so I'm going to stop writing and go with my
> workaround for now. But if anyone has advice, please offer!
>
> --Toby Ovod-Everett
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 21 Mar 2010 18:17:51 +0100
> From: Dominick Grift <domg472(a)gmail.com>
> Subject: Re: Looking for SELinux advice regarding samba, apache
> To: selinux(a)lists.fedoraproject.org
> Message-ID: <20100321171750.GA20876(a)localhost.localdomain>
> Content-Type: text/plain; charset="us-ascii"
>
> On Sun, Mar 21, 2010 at 08:21:02AM -0800, Toby Ovod-Everett wrote:
>
> Here are some things to take into consideration:
>
> 1. From the perspective of SELinux we do not have to do anything to give
> users access since in a vanilla Fedora 12 configuration users are unconfined
> (exempted from SELinux).
>
> 2. We can give Samba access to read and write any content by setting boolean
> samba_export_all_rw true.
>
> This means that we only have to take care of http.
>
> Using the samba_export_all_rw boolean is essential I believe to meet your
> exotic requirements.
>
>> There are three major directory trees that impact the photo system:
>>
>> /data/photos - contains the actual digital images in /data/photos/images and
>> the information about them in /data/photos/info. Context from / is:
>>
>> dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 data
>> drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos
>>
>> /data/photos needs to be r/w for my user account (which is a member of photos)
>
> As said above, by default users are unconfined wrt SELinux in a stock Fedora
> 12 config, thus no need to do anything here.
>
>> and readable for apache. I generally access /data/photos through Samba from
>> my user machine which runs (gasp) Windows 7.
>
> You should probably label data and everything below data type
> httpd_sys_content_t. httpd is allowed to read that type.
>
>>
>>
>> /var/www/cgi-bin/photos - contains the Perl scripts that implement the web
>> frontend for viewing the photos (loading photos is all done from the Command
>> Line). I have httpd_enable_cgi=>on in order to support this. Context is
>> unchanged from default configs. Desire r/w access through Samba from my user
>> machine for editing the scripts using Notepad++.
>
> Leave this as is. Apache can run scripts labeled httpd_sys_script_exec_t in
> the httpd_sys_script_t domain. Samba can read and write any content if
> samba_export_all_rw is set.
>
> The use of the samba_export_all_rw boolean is discouraged since obviously
> samba will be able to write almost any file.
> However you do not have much choice unless you modify policy in a major way.
> I would probably use openssh to edit these scripts.
>
>>
>> /var/www/html/thumbnails - contains directories of thumbnails for the photos.
>> These are persistently cached in this tree and automatically generated or
>> updated as required by the Perl scripts above when required. This data
>> doesn't have to persist across rebuilds. There are different subdirectories
>> for the different supported thumbnail sizes and each subdir needs to be
>> r/w for apache. Context from / is:
>> dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:var_t:s0 var
>> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
>> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
>> drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 thumbnails
>> drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 180x180
>
> If your perl webscript needs to create files in existing sub directories in
> thumbnails/, then I would label these sub directories type
> httpd_sys_content_rw_t and set httpd_anon_write to true.
>
> Samba will be able to read and write to these files and types since the
> samba_export_all_rw allows samba to read and write almost any type.
>
>>
>> One of the main issues is that I need Samba to have r/w to a bunch of the
>> trees that apache needs access to. Current Samba SELinux config is
>> samba_enable_home_dirs=>on, allow_smbd_anon_write=>on,
>> samba_export_all_rw=>on. I'd like to be able to pull the latter eventually,
>> but then I need to be able to figure out how to give Samba r/w access to the
>> cgi-bin directory.
>
> If you set samba_export_all_rw to true then you do not need the
> public_content_(rw)_types, since samba will be able to read and write almost
> any file and type. In that case I believe you can set allow_samba_anon_write
> to false.
>
>>
>> Now on to the "what broke" question. Somewhere in the last two months (it's
>> been a while since I've added photos), I lost the ability to use Samba to
>> access /data/photos. Generally I access it through a symlink in my homedir:
>> lrwxrwxrwx. 1 toby toby 12 2008-11-28 15:05 photos -> /data/photos
>>
>> This has stopped working. Things I tried:
>> * Verifying symlinks. I have Mail -> mail in my homedir and that still works.
>> * Verifying SELinux settings conform to above model.
>> * Creating a separate share for /data/photos. This worked.
>
> If this is at all SELinux related (see if it works in permissive mode to
> rule in or rule out SELinux) then it would help if you enclose an AVC denial.
> Some denials are hidden; use semodule -DB to expose hidden denials and
> semodule -B to go back to the original state.
>
>> I obviously have a workaround now, but as a solution it's annoying, because it
>> requires me to create separate shares for all of the things I want to access
>> from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and
>> /var/www/html/public_html/toby) and then map to them all separately on my
>> Windows machine on separate drive letters, instead of having a single share
>> that accesses everything.
>>
>> I'm beginning to suspect the problem is Samba, not SELinux, because my
>> attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn
>> up any events that correlate with attempts to access those directories through
>> the symlinks. At this point, I'm beginning to suspect a fix in Samba 3.4.6 or
>> 3.4.7 related to the "Samba Remote Directory Traversal" exploit that was
>> announced in early February, but I'm hitting my patience limit (my 3 year old
>> is ready for breakfast), so I'm going to stop writing and go with my
>> workaround for now. But if anyone has advice, please offer!
>
> I would probably attempt to implement a solution that does not require
> samba_export_all_rw to be set true since that is very coarse.
>
> However with your requirements this is the only simple way.
>
> I would probably use openssh wherever possible. That may be just enough to
> be able to set samba_export_all_rw to false.
>
> Another solution would be to perform serious surgery to fedora policy. You
> would create special types and a special web app domain and give both apache
> and samba the permissions required.
>
>>
>> --Toby Ovod-Everett
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
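As an added example (it is not part of Dominick's reply or of Toby's setup), here is the relabeling and boolean change Dominick describes, written as a POSIX shell script for the paths Toby gave. The types and booleans are the ones named in the thread; the fcontext regexes, the script name and the APPLY dry-run switch are my own assumptions. The boolean it turns off is allow_smbd_anon_write, the name Toby lists, rather than the allow_samba_anon_write Dominick writes.

```shell
#!/bin/sh
# Added example, not code from the thread. Applies the relabeling and
# booleans Dominick recommends for Toby's layout. Commands are printed;
# they are executed (as root) only when APPLY=1 is set. Assumes Fedora's
# policycoreutils tools: semanage, restorecon, setsebool.

THUMBS='/var/www/html/thumbnails'   # path from Toby's mail

# run: echo the command, execute it only in apply mode
run() {
    printf '%s\n' "$*"
    [ "${APPLY:-0}" = 1 ] && "$@"
    return 0
}

# plan_labels: persistent file-context rules, then relabel the trees.
# /data and everything below it becomes httpd_sys_content_t (httpd may
# read it); each existing thumbnail-size subdirectory becomes
# httpd_sys_content_rw_t (httpd may create files there). The regexes are
# my assumption about the intended scope.
plan_labels() {
    run semanage fcontext -a -t httpd_sys_content_t '/data(/.*)?'
    run semanage fcontext -a -t httpd_sys_content_rw_t "$THUMBS/[^/]+(/.*)?"
    run restorecon -Rv /data "$THUMBS"
}

# plan_booleans: httpd needs httpd_anon_write for the rw type; with
# samba_export_all_rw on, the public_content_rw_t route (allow_smbd_anon_write)
# is no longer needed, as Dominick notes
plan_booleans() {
    run setsebool -P httpd_anon_write on
    run setsebool -P samba_export_all_rw on
    run setsebool -P allow_smbd_anon_write off
}

# Usage:  sh selinux-photos.sh plan          (print only)
#         APPLY=1 sh selinux-photos.sh plan  (execute, as root)
if [ "${1:-}" = plan ]; then
    plan_labels
    plan_booleans
fi
```

Without APPLY=1 the script only prints what it would run, which doubles as a record of the change. Once samba_export_all_rw is on, the public_content_rw_t label on /data and on the 180x180 subdirectory buys Samba nothing, which is why the script replaces it with the httpd types that actually govern what apache may read and write.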
Looking for SELinux advice regarding samba, apache
by Toby Ovod-Everett
Two issues in this e-mail. The first is a general request for advice on how
to structure things for a home-grown photo system I developed - I had it
working, now the SELinux config has some issues, etc. The second is that
something changed in libselinux or selinux-policy since January 17th and it's
causing Samba some issues.
So, here's a brief overview of the photo archive system I developed, the
issues, and how I have them currently resolved.
My server machine runs Fedora 12 with a pretty vanilla configuration and I run
yum update regularly. I have two partitions - /, which contains the OS
install, user directories, etc., and /data, which I use for some large data
sets that I don't want to have to copy when rebuilding the machine during OS
upgrades. In particular, the major large data set is /data/photos.
There are three major directory trees that impact the photo system:
/data/photos - contains the actual digital images in /data/photos/images and
the information about them in /data/photos/info. Context from / is:
dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 data
drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos
/data/photos needs to be r/w for my user account (which is a member of photos)
and readable for apache. I generally access /data/photos through Samba from
my user machine which runs (gasp) Windows 7.
/var/www/cgi-bin/photos - contains the Perl scripts that implement the web
frontend for viewing the photos (loading photos is all done from the Command
Line). I have httpd_enable_cgi=>on in order to support this. Context is
unchanged from default configs. Desire r/w access through Samba from my user
machine for editing the scripts using Notepad++.
/var/www/html/thumbnails - contains directories of thumbnails for the photos.
These are persistently cached in this tree and automatically generated or
updated as required by the Perl scripts above when required. This data
doesn't have to persist across rebuilds. There are different subdirectories
for the different supported thumbnail sizes and each subdir needs to be
r/w for apache. Context from / is:
dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_t:s0 var
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 thumbnails
drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 180x180
One of the main issues is that I need Samba to have r/w to a bunch of the
trees that apache needs access to. Current Samba SELinux config is
samba_enable_home_dirs=>on, allow_smbd_anon_write=>on,
samba_export_all_rw=>on. I'd like to be able to pull the latter eventually,
but then I need to be able to figure out how to give Samba r/w access to the
cgi-bin directory.
Now on to the "what broke" question. Somewhere in the last two months (it's
been a while since I've added photos), I lost the ability to use Samba to
access /data/photos. Generally I access it through a symlink in my homedir:
lrwxrwxrwx. 1 toby toby 12 2008-11-28 15:05 photos -> /data/photos
This has stopped working. Things I tried:
* Verifying symlinks. I have Mail -> mail in my homedir and that still works.
* Verifying SELinux settings conform to above model.
* Creating a separate share for /data/photos. This worked.
I obviously have a workaround now, but as a solution it's annoying, because it
requires me to create separate shares for all of the things I want to access
from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and
/var/www/html/public_html/toby) and then map to them all separately on my
Windows machine on separate drive letters, instead of having a single share
that accesses everything.
I'm beginning to suspect the problem is Samba, not SELinux, because my
attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn
up any events that correlate with attempts to access those directories through
the symlinks. At this point, I'm beginning to suspect a fix in Samba 3.4.6 or
3.4.7 related to the "Samba Remote Directory Traversal" exploit that was
announced in early February, but I'm hitting my patience limit (my 3 year old
is ready for breakfast), so I'm going to stop writing and go with my
workaround for now. But if anyone has advice, please offer!
--Toby Ovod-Everett
selinux-policy.spec: Buildrequires missing make and gcc.
by Dominick Grift
I tried to build an RPM package using Fedora's spec file on a minimal Fedora system and it blew up on cc.
So I looked into the spec file that is supplied by Tresys in refpolicy and found that it has buildrequires for make and gcc.
Fedora's spec does not include those build requires.
Directing SELinux related logs to a dedicated log file
by Anamitra Dutta Majumdar
Hello All,
We are trying to ascertain if there is a way to make changes to the
syslog configuration file and direct all SELinux related messages,
including sealerts, to a separate dedicated log file for SELinux.
Any pointers would be greatly appreciated.
Thanks
Radha & Anamitra
RE: Directing SELinux related logs to a dedicated log file
by Anamitra Dutta Majumdar
Hi Sai,
We know that SELinux messages get logged to /var/log/messages. But what
we want is to configure syslog such that the SELinux messages go to a
dedicated file, e.g. /var/log/selinux.log, instead of getting logged to
/var/log/messages etc. In other words, we want to find out if there is a
well defined syslog facility for the SELinux related messages.
Thanks
Anamitra
________________________________
From: sai ganesh [mailto:ganesai@gmail.com]
Sent: Wednesday, March 17, 2010 5:57 AM
To: Anamitra Dutta Majumdar (anmajumd)
Subject: Re: Directing SElinux related logs to a dedicated log file
On Wed, Mar 17, 2010 at 5:18 AM, Anamitra Dutta Majumdar (anmajumd)
<anmajumd(a)cisco.com> wrote:
Hello All,
We are trying to ascertain if there is a way to make changes to
the syslog configuration file and direct all SELinux related messages,
including sealerts, to a separate dedicated log file for SELinux.
Any pointers would be greatly appreciated.
Check the audit log, which is /var/log/audit/audit.log if auditd is
running; all the logs related to SELinux must be appended there,
otherwise /var/log/messages.
--
s.saiganesh
"<--------May the source be with you, but remember the KISS principle
;-)-------------->. <-Fighting 4 Freedom->"
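As an added example (not from Anamitra's or Sai's messages): SELinux messages carry no syslog facility of their own, so the practical answer to the question above is a content filter. The script below writes such a filter for rsyslog and includes the same test as a shell function so a log sample can be checked before reloading. It assumes rsyslog is the syslog daemon (as on Fedora 12); the file names, the 00- prefix and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. SELinux messages have no syslog
# facility of their own, so this filters on message content: kernel AVC
# denials (they reach syslog only when auditd is not running, or when the
# audispd syslog plugin forwards them) contain "avc: ", and
# setroubleshoot/sealert messages contain "setroubleshoot".
# Assumes rsyslog; the file names are mine.

SELINUX_LOG='/var/log/selinux.log'

# rsyslog_selinux_rule: property-based filters. "& ~" discards the matched
# message after it has been written, so it no longer lands in
# /var/log/messages (rsyslog 7 and later spell this "& stop").
rsyslog_selinux_rule() {
    cat <<EOF
:msg, contains, "avc: "          $SELINUX_LOG
& ~
:msg, contains, "setroubleshoot" $SELINUX_LOG
& ~
EOF
}

# install_rule: write the drop-in. Fedora's rsyslog.conf includes
# /etc/rsyslog.d before its own rules, so the discard takes effect
# before the /var/log/messages rule sees the message.
install_rule() {
    rsyslog_selinux_rule > "${1:-/etc/rsyslog.d/00-selinux.conf}"
}

# is_selinux_msg: the same content test the rule applies, for checking a
# log line by hand (returns 0 when the line would go to $SELINUX_LOG)
is_selinux_msg() {
    printf '%s\n' "$1" | grep -Eq 'avc: |setroubleshoot'
}

# Usage: sh selinux-rsyslog.sh install   (as root, then restart rsyslog)
if [ "${1:-}" = install ]; then
    install_rule
fi
```

Note Sai's point still stands: while auditd is running, the kernel's AVC records go to /var/log/audit/audit.log and never pass through syslog, so this rule then only catches the setroubleshoot summaries unless the audispd syslog plugin is enabled to forward audit events.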
AVCs seen when running spamass-milter as root
by Paul Howarth
I think these are leaked file descriptors from spamass-milter but the
curious thing is, I don't see them when I run the milter in its normal
configuration as a non root user; they only appear when it's run as
root (which I'm only doing to test a patch for a security
vulnerability, and I have to do that in permissive mode too since
SELinux makes the vulnerability very difficult to test ;-) )
type=AVC msg=audit(1268768820.019:35365): avc: denied { read write } for pid=4941 comm="spamc" name="1" dev=devpts ino=4 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1268768820.019:35365): arch=c000003e syscall=59 success=yes exit=0 a0=409fae a1=7f6c98000f70 a2=7fff2c255858 a3=7f6ca0ffa7c0 items=0 ppid=1368 pid=4941 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3170 comm="spamc" exe="/usr/bin/spamc" subj=unconfined_u:system_r:spamc_t:s0 key=(null)
Why would they only appear when the process that calls spamc is running
as root?
Paul.
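An added example that is not part of Paul's message or of the thread: a small POSIX shell/awk summariser for the kind of AVC records Paul posted (and that Dominick asked Toby to enclose). It groups denials by source context, target context, class and permissions, and flags the pattern Paul suspects: a denial whose matching SYSCALL record is execve, meaning the object was an already-open descriptor inherited across exec, i.e. a leaked fd. The sample input reuses Paul's two records and adds two constructed smbd denials; the syscall number 59 = execve is only assumed for x86_64 (arch=c000003e), and the script name is mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarises AVC denials from an
# audit log (e.g. the output of ausearch -m avc) by source/target context,
# class and permissions, and flags denials whose SYSCALL record is execve:
# the signature of a descriptor inherited across exec (a leaked fd).
# syscall=59 means execve only on x86_64 (arch=c000003e).

avc_summary() {
    awk '
    # serial(): the event id after the colon in msg=audit(TIME:SERIAL)
    function serial(line,    s) {
        s = substr(line, index(line, "msg=audit(") + 10)
        s = substr(s, 1, index(s, ")") - 1)
        return substr(s, index(s, ":") + 1)
    }
    /^type=AVC / && / denied / {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # keep only what is inside { }
        sub(/ *[}].*/, "", perms)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "scontext") s = v
            else if (k == "tcontext") t = v
            else if (k == "tclass") c = v
        }
        key = s " -> " t " " c " { " perms " }"
        count[key]++
        keyof[serial($0)] = key
    }
    # an execve SYSCALL record sharing the AVC event id: the denied object
    # was an fd the new image inherited, not something it opened itself
    /^type=SYSCALL / && /arch=c000003e/ && / syscall=59 / {
        execve[serial($0)] = 1
    }
    END {
        for (ser in keyof)
            if (ser in execve) leaked[keyof[ser]] = 1
        for (k in count)
            printf "%d %s%s\n", count[k], k,
                   ((k in leaked) ? " [fd inherited across execve]" : "")
    }' | sort -rn
}

# Sample input: the two records Paul posted, plus two constructed smbd
# denials (event ids 41 and 42) of the kind Toby's symlink problem would
# produce if SELinux were involved. Constructed values, not real logs.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1268768820.019:35365): avc: denied { read write } for pid=4941 comm="spamc" name="1" dev=devpts ino=4 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1268768820.019:35365): arch=c000003e syscall=59 success=yes exit=0 a0=409fae a1=7f6c98000f70 a2=7fff2c255858 a3=7f6ca0ffa7c0 items=0 ppid=1368 pid=4941 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3170 comm="spamc" exe="/usr/bin/spamc" subj=unconfined_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1269000000.100:41): avc: denied { read } for pid=2222 comm="smbd" name="photos" dev=dm-0 ino=12 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1269000000.100:41): arch=c000003e syscall=2 success=no exit=-13 items=0 ppid=2200 pid=2222 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1269000000.200:42): avc: denied { read } for pid=2222 comm="smbd" name="photos" dev=dm-0 ino=12 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
EOF
)

# Usage: ausearch -m avc -ts recent | sh avc-summary.sh
#        sh avc-summary.sh sample        (run over the constructed input)
if [ "${1:-}" = sample ]; then
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
else
    [ -t 0 ] || avc_summary
fi
```

On the sample this prints the smbd denial with a count of 2 and Paul's spamc denial with the execve flag, which matches his reading: spamc did not open the pty itself, it inherited descriptor 1 from the milter running as root. Run after semodule -DB it also surfaces the dontaudit'ed denials Dominick mentions, which are the ones a plain ausearch would not show.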
Need suitable target context for writes by netutils_t source context
by Robert Nichols
Where can netutils_t write? I have ifup_local starting a tcpdump process
that needs to create and write files. Using 'sesearch' I thought I found
that netutils_t would be a suitable target context, but now my supposedly
unconfined root shell cannot manage files there (write/link/chcon/...).
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
Re: location of postfix ssl certificates
by John Griffiths
I use postfix and have for a long time.
I put the certificates in:
/etc/pki/tls/certs and /etc/pki/tls/private .
The standard selinux policy works without modification on Fedora 12.
Regards,
John
location of postfix ssl certificates
by Ruben Kerkhof
Hi all,
I was wondering what would be the best place to store tls certificates
for postfix.
Right now, we store them in /var, which is denied by the policy.
The policy allows postfix files_read_usr_files (for openssl, that's
what the comment above it says) but wouldn't it be better to store
them under /etc/pki?
Maybe there should be a postfix_cert_t or something?
Regards,
Ruben