Re: Impact?
by mark
> Date: Thu, 22 Apr 2010 22:53:01 +0200
> From: Dominick Grift <domg472(a)gmail.com>
> On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth(a)5-cent.us wrote:
>> I've got the java wants to write, and execmem errors. audit2allow gives
>> me this:
>> allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
>> allow httpd_sys_script_t self:process { execmem getsched };
>> allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
>
> By allowing the second line of policy you allow all generic httpd system
> scripts to execute anonymous memory and you allow them to set schedule
> on its own process.
<snip>
Looking further: that second one, I see, is also being caused by matlab,
which is not an unintelligent package. How serious is it to allow that...
or is there a policy rule that's been tightened recently that used to
allow this?
mark
14 years
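As an added example (not code from this thread or from the audit2allow project), the following script parses `allow` rules in the form audit2allow prints them and flags the permissions and target types a reviewer should question before loading them into a web-facing domain, which is the question the "Impact?" thread asks. The risk table and the list of data-only types are this example's own summaries, not policy documentation, and the sample input is constructed from the three rules quoted above.

```python
"""Triage audit2allow output before loading it.

Added example, not code from this mailing-list thread. It parses `allow`
rules in the form audit2allow prints and flags the permissions and target
types a reviewer should question before granting them to a web-facing
domain. The risk table is this example's own summary, not policy documentation.
"""
import re

# (object class, permission) -> why it deserves review. Own summaries.
RISKY_PERMS = {
    ("process", "execmem"): "execute anonymous/writable memory (defeats W^X; JIT runtimes ask for it)",
    ("process", "execstack"): "make the stack executable",
    ("process", "setsched"): "change its own scheduling",
    ("file", "execute_no_trans"): "run the file in the caller's own domain (no transition to a confined domain)",
    ("file", "execute"): "execute files of the target type",
    ("file", "write"): "write files of the target type",
    ("capability", "sys_admin"): "CAP_SYS_ADMIN, effectively root",
}
# Target types that normally hold data, not executables (own selection).
DATA_TYPES = {"nfs_t", "usr_t", "httpd_sys_content_t", "tmp_t", "var_t"}

RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+?))\s*;")


def parse_rule(line):
    """Parse 'allow src tgt:class { p1 p2 };' or 'allow src tgt:class p;'.
    Returns None for comments (audit2allow prints '#!!!!' notes) and blanks."""
    m = RULE_RE.match(line)
    if not m:
        return None
    src, tgt, cls, perm_set, perm_one = m.groups()
    perms = perm_set.split() if perm_set is not None else [perm_one]
    return {"source": src, "target": tgt, "class": cls, "perms": perms}


def assess(line):
    """Attach findings and a verdict ('ok' or 'review') to one parsed rule."""
    rule = parse_rule(line)
    if rule is None:
        return None
    findings = [f"{rule['class']}:{p} -> {RISKY_PERMS[(rule['class'], p)]}"
                for p in rule["perms"] if (rule["class"], p) in RISKY_PERMS]
    if (rule["class"] == "file" and rule["target"] in DATA_TYPES
            and {"execute", "execute_no_trans"} & set(rule["perms"])):
        findings.append(f"executing content labelled {rule['target']}, a data type")
    rule["findings"] = findings
    rule["verdict"] = "review" if findings else "ok"
    return rule


def triage(text):
    """Assess every rule line in a block of audit2allow output."""
    return [r for r in (assess(line) for line in text.splitlines()) if r]


# Constructed input: the three rules quoted in the "Impact?" post plus one
# harmless rule for contrast.
AUDIT2ALLOW_OUTPUT = """\
allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
allow httpd_sys_script_t self:process { execmem getsched };
allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
allow httpd_sys_script_t httpd_sys_content_t:file read;
"""

if __name__ == "__main__":
    for r in triage(AUDIT2ALLOW_OUTPUT):
        print(f"{r['verdict']:6} {r['source']} {r['target']}:{r['class']} {r['perms']}")
        for f in r["findings"]:
            print("       ", f)
```

Run against the quoted rules, the first three come back as "review" (execute on data types, execute_no_trans, execmem) and only the contrast rule as "ok"; the point is that `audit2allow -M` output is a proposal to be read, not a fix to be loaded.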
Building a modified selinux source rpm
by Alan Rouse
I'm trying to get selinux working in a different linux distribution where
the directory structure differs from the fedora / redhat pattern. I'm
attempting to use the fedora selinux src rpm as a starting point, but of
course lots of files are being labelled incorrectly due to the directory
differences. I can identify the incorrectly labelled files and I know how
to get them labelled correctly. But I need to be able to make a new source
rpm based on the fedora selinux src rpm, including the necessary changes, so
I can distribute and maintain the policy over time.
I can execute "rpmbuild -bp SPECS/selinux-policy.spec" to generate the
fedora patched policy source in the BUILD directory. Then I can make my
changes there. But I need to be able to regenerate the src rpm including
those changes. And I need to be able to maintain this over time as the
reference policy evolves, by dropping in a new reference policy tgz and
regenerating the patch files. Surely there's a better way than "vi
policy-F12.patch"!
I presume there are tools / scripts / instructions to help with this. Can
someone point me in the right direction?
Thanks!
--
My PGP public key:
http://rouses.net/public_key/alan.asc
14 years
Impact?
by mark
I've got the java wants to write, and execmem errors. audit2allow gives me
this:
allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
allow httpd_sys_script_t self:process { execmem getsched };
allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
What would be the impact of implementing this policy on a server visible
to the world? Would it open up some huge, known hole?
mark
14 years
Audit messages being disabled
by Robert Nichols
Any ideas how I can track down what might be blocking the logging of
audit messages to /var/log/audit/audit.log? The last entry there
is at 12:56:16 today, which is just as the system was coming up after
a reboot (matches the timestamps for the never-used LOGIN entries in
/var/run/utmp). I do see these lines in /var/log/messages right
afterward:
Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17143): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove rule" key=(null) list=4 res=0
Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17144): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
Thereafter, there are "dbus: Can't send to audit system" messages.
The auditd service shows as running. If I restart auditd, audit.log
shows "auditd normal halt" and "auditd start" messages, and after that
messages do get logged to audit.log.
I have no clue what might be setting audit_enabled=0 in the kernel,
but that "remove rule" message just before makes me suspicious that
it's SElinux related.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
14 years
setroubleshootd not running
by Robert Nichols
What, in the hopelessly complex chain of process startups, is supposed to start
setroubleshootd? I find it is either not getting started or silently dying on
my Fedora 12 system. I find I've been getting a bunch of AVCs logged, with no
alert of course, and no way to get those AVCs translated with human-readable
timestamps so that I have the slightest chance of correlating those with
anything else going on in the system. ("sealert -a /var/log/audit/audit.log"
just dies with "NameError: global name 'avc' is not defined".)
The manpage for sealert mentions a GUI browser. That must have been in
somebody's wet dream, because there is no such thing. Regardless of how
sealert is started, the GUI menu discussed in the manpage does not exist.
Again, SElinux turns out to be a bigger pain than anything it is supposedly
protecting against.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
14 years
Any log entries from semodule???
by Robert Nichols
Does the loading and removing of modules by semodule get logged
anywhere? Apparently not. That would seem to be pretty important
information.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
14 years
system-config-selinux doesn't show policy modules
by Robert Nichols
In the system-config-selinux utility, when you select "Policy Module"
nothing is displayed. Worthless!
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
14 years
SELinux Apache and Symbolic Links...GGGrrrr
by Another Sillyname
Hi All
OK I've been playing with this for nearly two days now and cannot seem
to get it working at all.
In a nutshell.
Standard Apache Server setup...
in /var/www/html I have a subdirectory called reststop and within that
is a symbolic link to a directory at
/mnt/anotherdrive/newpath/nearlythere/reststop
I have set the permissions chcon -R 775 /var/www/html/reststop
I have set the permissions chcon -R 775
/mnt/anotherdrive/newpath/nearlythere/reststop
I have set the se permissions chcon -R -h -t httpd_sys_content_t
/var/www/html/reststop
I have set the se permissions chcon -R -h -t httpd_sys_content_t
/mnt/anotherdrive/newpath/nearlythere/reststop
I have checked the settings using ls -Z and they are correct
I have set the http.conf to allow followsymlinks
If I set selinux to permissive I DO get an error message:-
------------------------------------------------------------
Summary:
SELinux is preventing access to files with the label, file_t.
Detailed Description:
[SELinux is in permissive mode. This access was not denied.]
SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a disk drive to the system you can
relabel it using the restorecon command. For example if you saved the home
directory from a previous installation that did not use SELinux, 'restorecon -R
-v /home' will fix the labels. Otherwise you should relabel the entire file
system.
Allowing Access:
You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"
Additional Information:
Source Context unconfined_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:file_t:s0
Target Objects reststop [ dir ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host secretsquirrel.com
Source RPM Packages httpd-2.2.14-1.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-108.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name file
Host Name secretsquirrel.com
Platform Linux secretsquirrel.com
2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
UTC 2010 x86_64 x86_64
Alert Count 1
First Seen Mon 19 Apr 2010 03:45:40 PM BST
Last Seen Mon 19 Apr 2010 03:45:40 PM BST
Local ID yadayadayada
Line Numbers
Raw Audit Messages
node=secretsquirrel.com type=AVC msg=audit(1288463622.694:23321): avc: denied { read } for pid=3605 comm="httpd" name="reststop" dev=dm-0 ino=340012822 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
node=secretsquirrel.com type=SYSCALL msg=audit(1288463622.694:23321): arch=c000003e syscall=2 success=yes exit=16 a0=7f2f691d91c0 a1=90800 a2=7f2f691d5198 a3=7f2f691da150 items=0 ppid=3600 pid=3605 auid=500 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
----------------------------------------------------------------
Why is the error message telling me files are labelled file_t when
they are labelled httpd_sys_content_t? To confirm that I ls -RZ | grep
file_t in the two directories I get no files returned.
What am I missing here guys? and before anyone suggests it I don't
just want to turn selinux off, I want to actually protect my system
properly though.
Thanks in advance
14 years
Re: snmp Permission denied on mounted filesystems
by Sandro Janke
On 04/16/2010 01:51 AM, Paul Ward wrote:
> I have run the command as follows but I am still getting the permission issues.
>
> Apr 16 11:48:13 sargas snmpd[23987]: /home/work/exports: Permission denied
>
> # restorecon -v /home/work/exports
> restorecon reset context /home/work/exports:->system_u:object_r:user_home_t
Without the -R switch only the directory itself will be labeled. I'm
pretty sure you want to run restorecon as suggested by dwalsh.
What does 'ausearch -m -ts recent' tell? You can pipe the output to
audit2why or audit2allow like:
ausearch -m avc -ts recent | audit2why
ausearch -m avc -ts recent | audit2allow -M mysnmp
The latter will generate a loadable module. There is some documentation
at [1] about creating and loading your own modules.
[1]
http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/sect-Security-...
> ls -lZd /home/work/exports
>
> drwxrwxr-x oracle dba system_u:object_r:user_home_t
> /home/work/exports
>
> Whats next?
> Do I need to restart something?
>
>
>
>
> On 16 April 2010 11:11, Sandro Janke <gui1ty_fedora(a)penguinpee.nl> wrote:
>> On 04/16/2010 12:33 AM, Paul Ward wrote:
>>>> What does 'rpm -qv selinux-policy-targeted' say?
>>>> What are the settings in /etc/selinux/config?
>>>
>>> My server shows the following selinux packages.
>>>
>>> selinux-policy-targeted-1.17.30-2.152.el4
>>> selinux-policy-targeted-sources-1.17.30-2.152.el4
>>>
>>> I have run:
>>> snmpwalk -v 2c -c public .iso
>>> cd /etc/selinux/targeted/src/policy
>>> audit2allow -d -l -o domains/misc/local.te
>>> make load
>>>
>>> Until no more errors were found, this fixed the original errors from
>>> selinux, but not the permissions.
>>>
>>>> Try running restorecon -R -v /home
>>>
>>> If I run
>>>
>>> restorecon -R -v /home
>>>
>>> Would this affect a running production server or should I do this in
>>> a maintenance window?
>>
>> Well, you can try to run it with the -n switch first to show you what
>> would happen. According to the man page: "It can be run at any time to
>> correct errors..."
>>
>>> On 15 April 2010 19:05, Sandro Janke <gui1ty_fedora(a)penguinpee.nl> wrote:
>>>> On 04/15/2010 06:49 AM, Paul Ward wrote:
>>>>> Hi all,
>>>>>
>>>>> I am sure this comes up a lot but have spent hours trying to find the
>>>>> answers with no success apart from disabling selinux which I don't
>>>>> want to do.
>>>>>
>>>>> Apr 15 16:48:26 sargas snmpd[23987]: /home/appl: Permission denied
>>>>>
>>>>> The following filesystems are mounted with same issue.
>>>>>
>>>>> /dev/sda7 3.9G 427M 3.3G 12% /home/appl
>>>>> /dev/sda6 4.0G 2.7G 1.2G 71% /home/users
>>>>> /dev/sda8 3.9G 2.5G 1.2G 68% /home/work
>>>>>
>>>>> ls -ldZ /home/appl/
>>>>> drwxr-xr-x root root /home/appl/
>>>>
>>>> This shows that the directory has not been labeled, yet.
>>>>
>>>>> /usr/sbin/sestatus
>>>>> SELinux status: enabled
>>>>> SELinuxfs mount: /selinux
>>>>> Current mode: enforcing
>>>>>
>>>>
>>>> Could it be that you don't have any policy package installed?
>>>>
>>>> What does 'rpm -qv selinux-policy-targeted' say?
>>>> What are the settings in /etc/selinux/config?
>>>>
>>>>> What do I need to do to fix this chcon? If so what is the full command
>>>>> / context to enter?
>>>>>
>>>>> Thanks
>>>>> --
>>>>> selinux mailing list
>>>>> selinux(a)lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
14 years
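Three of the threads above come down to reading raw audit records: the sealert output in "SELinux Apache and Symbolic Links" (a denial whose target is `file_t`, which the alert itself says is a labelling problem rather than a missing rule), Sandro Janke's suggestion to pipe `ausearch -m avc -ts recent` into audit2why or audit2allow, and the `type=1305` lines in "Audit messages being disabled" that show `audit_enabled=0`. As an added example serving all three (not code from any post, from audit2allow or from the audit project), the script below flattens such records into key/value fields and sorts each one into a labelling problem, a policy gap with the rule audit2allow would print, or an auditing-disabled event with the subject that caused it. The sample records are constructed, modelled on the formats quoted in those posts; hostnames, inode numbers and the second AVC are invented.

```python
"""Triage raw audit records: labelling problems vs. policy gaps vs. auditing
switched off.

Added example, not code from any post on this page. The sample records are
constructed, modelled on the AVC and type=1305 lines quoted in the threads.
"""
import re

# key=value tokens; values may be quoted ("remove rule"), parenthesised ((null))
# or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*)\}")

# Target types that mean the object never got a label: fix with restorecon,
# never with an allow rule (the sealert text above says the same for file_t).
LABEL_PROBLEM_TYPES = {"file_t", "unlabeled_t"}


def parse_record(line):
    """Flatten one audit record (a syslog prefix is tolerated) into a dict."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = PERMS_RE.search(line)
    if m:
        rec["perms"] = m.group(1).split()
    return rec


def type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def triage(rec):
    """Classify one parsed record and say what to do about it."""
    rtype = rec.get("type")
    if rtype == "AVC":
        stype, ttype = type_of(rec["scontext"]), type_of(rec["tcontext"])
        obj = f"{rec.get('name', '?')} ({rec['tclass']})"
        if ttype in LABEL_PROBLEM_TYPES:
            return {"kind": "labeling", "object": obj,
                    "advice": f"{obj} is {ttype}: relabel (restorecon -Rv), do not add a rule"}
        rule = f"allow {stype} {ttype}:{rec['tclass']} {{ {' '.join(rec['perms'])} }};"
        return {"kind": "policy", "object": obj, "rule": rule,
                "advice": "rule audit2allow would emit; review before loading"}
    if rtype == "1305" and rec.get("audit_enabled") == "0":
        return {"kind": "audit-disabled", "by": rec.get("subj"),
                "advice": f"auditing switched off by {rec.get('subj')}; "
                          "check that domain's startup before trusting later gaps in audit.log"}
    return {"kind": "other"}


def triage_log(lines):
    return [triage(parse_record(line)) for line in lines]


# Constructed sample: an AVC against an unlabelled directory, an ordinary
# AVC, and the two kernel records from the audit-disabled thread.
SAMPLE_LOG = [
    'node=host1.example type=AVC msg=audit(1288463622.694:23321): avc:  denied  { read } for  '
    'pid=3605 comm="httpd" name="reststop" dev=dm-0 ino=340012822 '
    'scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir',
    'type=AVC msg=audit(1288463700.001:23400): avc:  denied  { append } for  '
    'pid=3606 comm="httpd" name="app.log" dev=dm-0 ino=424242 '
    'scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'Apr 21 12:56:26 host1 kernel: type=1305 audit(1271872586.681:17143): auid=4294967295 '
    'ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove rule" key=(null) list=4 res=0',
    'Apr 21 12:56:26 host1 kernel: type=1305 audit(1271872586.681:17144): audit_enabled=0 old=1 '
    'auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1',
]

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r['kind']:15} {r.get('rule') or r.get('advice', '')}")
```

Fed the four constructed records, the `file_t` denial is reported as a relabelling job, the `var_log_t` denial as `allow httpd_t var_log_t:file { append };` awaiting review, the "remove rule" record as uninteresting, and the `audit_enabled=0` record as auditing turned off by the `readahead_t` domain, which is the suspect the "Audit messages being disabled" post names from the same two lines.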