SELinux and Shorewall with IPSets
by Mr Dash Four
Problems combining these 2 to run while SELinux is in 'enforced' mode
(policy running is the 'stock' targeted one supplied with FC13). I get 2
audit alerts when Shorewall starts (and fails!) - see logs below. I have an
x86_64 arch machine with FC13 running. Stock Shorewall is installed.
IPSet (xtunnels) is compiled in (though with the 'stock' rpm I am
getting the same errors).
The problem seems to be caused by the Shorewall init script (see further
below). The relevant part of my syslog when SELinux is in enforced mode is:
=========SELinux=Enforcing================================
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling...
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.634:29543):
avc: denied { create } for pid=2577 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.637:29544):
avc: denied { create } for pid=2579 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/zones...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/interfaces...
Jun 26 23:18:38 dev1 shorewall[2456]: Determining Hosts in Zones...
Jun 26 23:18:38 dev1 shorewall[2456]: Preprocessing Action Files...
Jun 26 23:18:38 dev1 shorewall[2456]: Pre-processing
/usr/share/shorewall/action.Drop...
Jun 26 23:18:38 dev1 shorewall[2456]: Pre-processing
/usr/share/shorewall/action.Reject...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/policy...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/blacklist...
Jun 26 23:18:38 dev1 shorewall[2456]: ERROR: ipset names in Shorewall
configuration files require Ipset Match in your kernel and iptables :
/etc/shorewall/blacklist (line 11)
Jun 26 23:18:38 dev1 shorewall[2456]: ERROR: Shorewall start failed
==========================================================
When I switch SELinux to Permissive I get two further errors:
=========SELinux=Permissive===============================
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29551):
avc: denied { create } for pid=3799 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29552):
avc: denied { getopt } for pid=3799 comm="ipset" lport=255
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29553):
avc: denied { setopt } for pid=3799 comm="ipset" lport=255
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/zones...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/interfaces...
Jun 26 23:32:45 dev1 shorewall[3678]: Determining Hosts in Zones...
Jun 26 23:32:45 dev1 shorewall[3678]: Preprocessing Action Files...
Jun 26 23:32:45 dev1 shorewall[3678]: Pre-processing
/usr/share/shorewall/action.Drop...
Jun 26 23:32:45 dev1 shorewall[3678]: Pre-processing
/usr/share/shorewall/action.Reject...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/policy...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/blacklist...
Jun 26 23:32:45 dev1 shorewall[3678]: Adding Anti-smurf Rules
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling TCP Flags filtering...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Kernel Route Filtering...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Martian Logging...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 1...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/rules...
Jun 26 23:32:45 dev1 shorewall[3678]: Generating Transitive Closure of
Used-action List...
Jun 26 23:32:45 dev1 shorewall[3678]: Processing
/usr/share/shorewall/action.Reject for chain Reject...
Jun 26 23:32:45 dev1 shorewall[3678]: Processing
/usr/share/shorewall/action.Drop for chain Drop...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 2...
Jun 26 23:32:45 dev1 shorewall[3678]: Applying Policies...
Jun 26 23:32:45 dev1 shorewall[3678]: Generating Rule Matrix...
Jun 26 23:32:45 dev1 shorewall[3678]: Creating iptables-restore input...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling iptables-restore input
for chains blacklst mangle:...
Jun 26 23:32:45 dev1 shorewall[3678]: Shorewall configuration compiled
to /var/lib/shorewall/.start
Jun 26 23:32:45 dev1 shorewall[3678]: Starting Shorewall....
Jun 26 23:32:45 dev1 shorewall[3678]: Initializing...
Jun 26 23:32:46 dev1 kernel: u32 classifier
Jun 26 23:32:46 dev1 kernel: Performance counters on
Jun 26 23:32:46 dev1 kernel: input device check on
Jun 26 23:32:46 dev1 kernel: Actions configured
Jun 26 23:32:46 dev1 shorewall[3678]: Processing /etc/shorewall/init ...
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-x1.ips
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-x2.ips
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-z1.ips
Jun 26 23:32:47 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-z2.ips
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/tcclear ...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Route Filtering...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Martian Logging...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Proxy ARP...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Traffic Control...
Jun 26 23:32:49 dev1 shorewall[3678]: Preparing iptables-restore input...
Jun 26 23:32:49 dev1 shorewall[3678]: Running /sbin/iptables-restore...
Jun 26 23:32:49 dev1 shorewall[3678]: IPv4 Forwarding Enabled
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/start ...
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/started ...
Jun 26 23:32:49 dev1 shorewall[3678]: Shorewall started
==========================================================
The problem seems to be caused by the shorewall init script, which is:
===========Shorewall init script==========================
# load the IFB device used by Shorewall traffic shaping
modprobe ifb numifbs=1
ip link set dev ifb0 up
# configure the ipsets: flush and destroy whatever sets exist, then restore
# each saved set from /etc/shorewall/ips/*.ips ("ipset -R" reads "ipset -S" output)
sw_ips_mask='/etc/shorewall/ips/*.ips'
ipset_exec='/usr/sbin/ipset'
if [ "$COMMAND" = start ]; then
    "$ipset_exec" -F
    "$ipset_exec" -X
    for c in $sw_ips_mask; do          # unquoted on purpose: glob expansion
        [ -f "$c" ] || continue        # glob did not expand: no .ips files
        echo "loading $c"
        "$ipset_exec" -R < "$c"
    done
fi
==========================================================
The above script executes /usr/sbin/ipset to create my IP Sets needed
for running Shorewall (all IP set commands are contained in those *.ips
files). These IP sets consist mainly of IP subnets which are part of my
blacklists (banned IP subnets), though they also contain some IP Port
sets as well.
Don't know why SELinux denies "create" (and then "getopt" and "setopt")
on a, what seems to be, raw ip socket (IPSet does not use/need one as far
as I know!)? If I remove the IP Set part of the init script above and
rearrange Shorewall to run without IPSets all is well, though its
functionality is VERY limited and barely useful to me!
Two questions to the SELinux gurus on here: 1) Why am I getting these
alerts? and 2) How can I fix the problem so that I could run both
Shorewall and IPSets with SELinux in Enforced mode?
This is important for me as this is a production server and a lot of
stuff runs on it and needs to be available 24/7.
Many thanks in advance!
13 years, 2 months
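An added worked example, not part of the post above and not Shorewall's or ipset's own code. The denials are consistent with how the ipset 4.x userspace used with Shorewall on FC13 talks to the kernel: it drives the ip_set module over a raw IP socket, socket(AF_INET, SOCK_RAW, IPPROTO_RAW) followed by getsockopt/setsockopt with ipset's private SO_IP_SET option, so every ipset run from /etc/shorewall/init needs create, getopt and setopt on a rawip_socket in its own domain (pids 2577 and 2579 are the -F and -X calls, and lport=255 in the AVC is the socket's protocol number, IPPROTO_RAW, not a port). The script is a POSIX sh/awk version of what audit2allow -M does for these records: merge the AVCs into allow rules, wrap them in a loadable module and, on a real host, build and insert it. The three sample records are the ones quoted above joined onto one line each; the module name shorewall_ipset is an assumption; the generator is generic over classes, so it would equally produce capability or udp_socket rules for AVCs like those in the tor thread further down this page.

```sh
#!/bin/sh
# Added example, not Shorewall's or ipset's code: turn the rawip_socket AVCs
# quoted in the post into a local policy module for shorewall_t.  ipset 4.x
# opens socket(AF_INET, SOCK_RAW, IPPROTO_RAW) and talks to the kernel with
# getsockopt/setsockopt(SO_IP_SET), hence create/getopt/setopt on a
# rawip_socket.  Module name "shorewall_ipset" is assumed.

# Constructed sample: the three distinct denials from the post, one per line.
SAMPLE_AVCS='type=1400 audit(1277590718.634:29543): avc: denied { create } for pid=2577 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
type=1400 audit(1277591565.629:29552): avc: denied { getopt } for pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
type=1400 audit(1277591565.629:29553): avc: denied { setopt } for pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket'

# avc_to_allow_rules: AVC records on stdin -> one allow rule per
# (source type, target type, class), permissions merged and de-duplicated.
# The target is written as "self" when source and target types are equal.
avc_to_allow_rules() {
    awk '
    /avc: +denied/ {
        perms = $0                          # text between "{" and "}"
        sub(/^.*denied *[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "scontext=") == 1) src = substr($i, 10)
            if (index($i, "tcontext=") == 1) tgt = substr($i, 10)
            if (index($i, "tclass=") == 1)   cls = substr($i, 8)
        }
        split(src, a, ":"); st = a[3]       # type is the 3rd field of a context
        split(tgt, b, ":"); tt = b[3]
        if (tt == st) tt = "self"
        key = st SUBSEP tt SUBSEP cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; plist[key] = plist[key] " " p[j] }
    }
    END {
        for (k in plist) {
            split(k, f, SUBSEP)
            printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], plist[k]
        }
    }' | sort
}

# make_module NAME: wrap the allow rules on stdin in a loadable module,
# deriving the require block from the types and classes they use.
make_module() {
    rules=$(cat)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$rules" | awk '
    {   # allow <src> <tgt>:<class> { <perms...> };
        types[$2] = 1
        split($3, c, ":"); if (c[1] != "self") types[c[1]] = 1
        for (i = 5; i < NF; i++)
            if (!((c[2], $i) in seen)) { seen[c[2], $i] = 1; cperms[c[2]] = cperms[c[2]] " " $i }
    }
    END {
        for (t in types)  printf "\ttype %s;\n", t
        for (k in cperms) printf "\tclass %s {%s };\n", k, cperms[k]
    }'
    printf '}\n\n%s\n' "$rules"
}

# build_and_load NAME: compile the .te on stdin and insert it (run as root;
# needs checkmodule, semodule_package and semodule from policycoreutils).
build_and_load() {
    cat > "$1.te" &&
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Live use (root), after a permissive-mode start so all three permissions
# have been logged:
#   grep 'comm="ipset"' /var/log/audit/audit.log | avc_to_allow_rules \
#       | make_module shorewall_ipset | build_and_load shorewall_ipset
# Stand-alone demonstration on the constructed sample:
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow_rules | make_module shorewall_ipset
fi
```

Generate the module from a permissive-mode start: in enforcing mode ipset dies at the first denial, so only create is logged (exactly what the enforcing log above shows) and the module would be incomplete. After semodule -i, setenforce 1 and start Shorewall again. Keep the rule as narrow as the generator emits it, self:rawip_socket for shorewall_t only, rather than a broad exception for iptables or the initrc domain.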
sandbox window size
by Christoph A.
Hi,
as far as I have seen and read it is not possible to resize a SELinux
sandbox window.
Is it possible to specify the size of the sandbox at start-time?
kind regards,
Christoph
13 years, 6 months
Selinux + ruby + httpd
by Erinn Looney-Triggs
In trying to develop some SELinux exceptions (via audit2allow) for a
ruby application I came up with the following:
module myruby 1.0;

require {
    type httpd_tmp_t;
    type lib_t;
    type httpd_t;
    type tmp_t;
    class sock_file { write create unlink getattr setattr };
    class capability { fowner fsetid };
    class file { read getattr execute_no_trans };
    class fifo_file { create unlink getattr setattr };
}

#============= httpd_t ==============
allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
# This one is due to mod_passenger being labelled lib_t
allow httpd_t lib_t:file execute_no_trans;
allow httpd_t self:capability { fowner fsetid };
allow httpd_t tmp_t:file { read getattr };
Now the first question I have, is there anything egregiously bad in
there? Aside from the lib_t execute, which is due to the automatic labelling of
mod_passenger as lib_t.
My second question is, I have this policy working on one machine, moved
it to another machine and everything worked, this application was then
deployed on a third machine and I figured, I would just insert the
module again. Well installing the module worked fine but apache is
trying to use a different type on this machine, from audit2allow:
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr;
allow httpd_sys_script_t self:capability { setuid setgid };
Why all of a sudden is this machine using httpd_sys_script_t instead of
httpd_t which my other systems use? All the boxes are RHEL 5.5 x64 fully
patched running selinux-policy-2.4.6-279.el5. Now it is possible that
the myruby.pp module mentioned above is working just fine, but why then
would this one system need these extra privileges? Exact same codebase
for the ruby application across the systems. Any insight would be
appreciated.
Thanks,
-Erinn
13 years, 7 months
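An added example for the second question, not from the post above and not the application's or Passenger's code. httpd_t ends up as httpd_sys_script_t only through a domain transition, which the targeted policy defines for executables labelled httpd_sys_script_exec_t (CGI entrypoints, gated by the httpd_enable_cgi boolean); a file labelled lib_t or bin_t runs inside httpd_t, which is what the execute_no_trans rule in the module grants. A host that suddenly uses httpd_sys_script_t therefore almost always has a Ruby or Passenger executable carrying the script-entrypoint label, or different httpd booleans, rather than a different policy. The sh/awk script compares two context listings and flags entrypoint-labelled files; the two listings, the gem paths in them and the semanage/restorecon commands in the comments are constructed sample data and assumed fixes, not taken from the post.

```sh
#!/bin/sh
# Added example, not the application's or Passenger's code: find why one host
# runs the Ruby app as httpd_sys_script_t.  httpd_t reaches that domain only
# by transition on an executable labelled httpd_sys_script_exec_t (CGI,
# gated by httpd_enable_cgi); lib_t/bin_t executables stay in httpd_t.
# The listings below are constructed sample data with assumed paths.

# Listings in "context path" form, e.g. produced on each host by
#   ls -Z <files> | awk '{ print $(NF-1), $NF }'
# (works with both the RHEL 5 and the newer ls -Z layouts; no spaces in paths)
HOST_A='system_u:object_r:lib_t:s0 /usr/lib/ruby/gems/1.8/gems/passenger/ext/apache2/mod_passenger.so
system_u:object_r:lib_t:s0 /usr/lib/ruby/gems/1.8/gems/passenger/bin/passenger-spawn-server
system_u:object_r:httpd_sys_content_t:s0 /var/www/myapp/config.ru'
HOST_C='system_u:object_r:lib_t:s0 /usr/lib/ruby/gems/1.8/gems/passenger/ext/apache2/mod_passenger.so
system_u:object_r:httpd_sys_script_exec_t:s0 /usr/lib/ruby/gems/1.8/gems/passenger/bin/passenger-spawn-server
system_u:object_r:httpd_sys_content_t:s0 /var/www/myapp/config.ru'

# label_diff LISTING_A LISTING_B: print "path typeA typeB" for every path
# present in both listings whose SELinux type differs.
label_diff() {
    { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } | awk '
        $0 == "---" { second = 1; next }
        { split($1, c, ":"); t = c[3]; path = $2 }   # type is the 3rd context field
        !second { a[path] = t; next }
        (path in a) && a[path] != t { print path, a[path], t }'
}

# script_entrypoints LISTING: paths that make httpd_t transition to
# httpd_sys_script_t when executed.
script_entrypoints() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); if (c[3] == "httpd_sys_script_exec_t") print $2 }'
}

# Live checks on the odd host (assumed paths; adjust to the installed gem):
#   ps -eZ | grep -E 'httpd|ruby'      # which domain each process really runs in
#   getsebool -a | grep '^httpd_'      # diff against a host that behaves
#   sesearch -T -s httpd_t -c process  # the transition rules (setools 3 syntax)
# Assumed fix once a mislabelled helper is found, e.g. give it bin_t:
#   semanage fcontext -a -t bin_t '/usr/lib/ruby/gems/1.8/gems/passenger/bin(/.*)?'
#   restorecon -Rv /usr/lib/ruby/gems/1.8/gems/passenger/bin
if [ "${1:-}" = demo ]; then
    echo "type differences (path typeA typeC):"; label_diff "$HOST_A" "$HOST_C"
    echo "script entrypoints on host C:"; script_entrypoints "$HOST_C"
fi
```

With the sample data the diff points at passenger-spawn-server, which host C labels httpd_sys_script_exec_t; relabelling it (rather than adding devpts_t and setuid/setgid rules to httpd_sys_script_t) is what brings the third box in line with the other two.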
Re: [refpolicy] [PATCH] revise roles/dbadm.te (Re: dbadm.pp is not available in selinux-policy package)
by KaiGai Kohei
(2010/04/14 0:57), Christopher J. PeBenito wrote:
> On Tue, 2010-04-13 at 11:15 -0400, Daniel J Walsh wrote:
>> On 04/13/2010 09:17 AM, Christopher J. PeBenito wrote:
>>> On Tue, 2010-04-13 at 09:28 +0900, KaiGai Kohei wrote:
>>>> (2010/04/12 23:09), Christopher J. PeBenito wrote:
>>>>> On Fri, 2010-04-09 at 14:29 +0900, KaiGai Kohei wrote:
>>>>>> (2010/04/08 21:15), Daniel J Walsh wrote:
>>>>>>> As Dominick stated. I prefer to think in terms of two different roles.
>>>>>>> Login Roles, and Roles to execute in when you have privileges (IE Root).
>>>>>>>
>>>>>>> Login Roles/Types
>>>>>>> staff_t, user_t, unconfined_t, xguest_t, guest_t
>>>>>>>
>>>>>>> Three interfaces can be used to create confined login users.
>>>>>>>
>>>>>>> userdom_restricted_user_template(guest)
>>>>>>> userdom_restricted_xwindows_user_template(xguest)
>>>>>>> userdom_unpriv_user_template(staff)
>>>>>>>
>>>>>>>
>>>>>>> Admin Roles/Types
>>>>>>> logadm_t, webadm_t, secadm_t, auditadm_t
>>>>>>>
>>>>>>> The following interface can be used to create an Admin ROle
>>>>>>> userdom_base_user_template(logadm)
>>>>>>>
>>>>>>>
>>>>>>> sysadm_t is sort of a hybrid, most people use it as an Admin Role.
>>>>>>>
>>>>>>>
>>>>>>> I imagine that you login as a confined user and then use sudo/newrole to
>>>>>>> switch roles to one of the admin roles.
>>>>>>
>>>>>> The attached patch revises roles/dbadm.te (to be applied on the upstream
>>>>>> reference policy). It uses userdom_base_user_template() instead of the
>>>>>> userdom_unpriv_user_template(), and should be launched via sudo/newrole.
>>>>>> In the default, it intends the dbadm_r role to be launched by staff_r role.
>>>>>
>>>>> Why does dbadm need to run setfiles?
>>>>
>>>> The database files (typically, /var/lib/(se)?pgsql/*) have to be labeled
>>>> correctly, so I thought dbadm needs to run setfiles.
>>>> However, as long as they initialize database files using init script,
>>>> initrc_t domain performs this initial labeling, so it might not be necessary.
>>>>
>>>> On the other hand, PostgreSQL support a feature to use multiple disks
>>>> within a single database instance for performance utilization.
>>>> (Called TABLESPACE; I don't know whether MySQL has such a feature.)
>>>>
>>>> http://archives.postgresql.org/pgsql-general/2006-08/msg00142.php
>>>>
>>>> It requires administrators to assign proper security context on the secondary
>>>> directory, or to mount the secondary disk with context='...' option.
>>>>
>>>> Is there any good idea?
>>>>
>>>> Or, it should not be a task for dbadm?
>>>
>>> Ok, the transition for setfiles is fine.
>>>
>>
>> I would be careful with this. Since setfiles can take a parameter of a
>> file context file. I think it would be better to only give
>> relabelfrom/relabelto privs for all labels dbadm_t can manage. Then
>> figure out what access is required to mount.
>
> Good point. We should probably reconsider the setfiles usage from
> webadm too.
The attached patch is a revised one.
- seutil_domtrans_setfiles() was removed
- staff_role_change_to() was removed, and I put dbadm_role_change()
on the staff.te
- Fix an obvious typo.
It is not clear to me whether the idea of allowing relabelfrom/relabelto
for all the files dbadm_t can manage works, because it is eventually necessary
for someone to relabel (or assign initial labels to) files from the unlabeled one
to the managed labels when we mount a new disk.
If so, should it be a task of sysadm_t to mount the new disk and assign
the security context correctly, instead of webadm_t/dbadm_t?
Thanks,
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
13 years, 7 months
sandbox -X doesn't work in F13
by anonymous
Dear Sir or Madam,
when I run sandbox -X (e.g. sandbox -X xterm or sandbox -X -t sandbox_web_t
firefox) nothing happens and I just silently get thrown back to the shell.
Furthermore, I noticed that /usr/share/sandbox/sandboxX.sh when run
individually prints "Hangup". Is this normal? What can I do to make it work?
[I'm on a Lenovo T61 with an up-to-date Fedora 13 KDE version and installed
policycoreutils-sandbox.]
I already tried both forum and IRC, but had no luck in finding an answer, yet.
Thus - and since sandbox -X is imho one of the coolest features of Fedora - I
would really appreciate suggestions to fix it.
Thank you in advance.
Best regards,
Falk
13 years, 7 months
SELINUX in permissive mode *prevents* write access?
by Nelson Strother
Should programs function the same / compute the same results when
running a system with SELinux enabled but in permissive mode as when
running a system with SELinux disabled? I would have thought the only
expected visible difference would be the presence or absence of
warning messages.
I am now running an application which does not yet have a complete
or correct SELinux policy, so I edited /etc/selinux/config to contain:
SELINUX=permissive
saved, rebooted. I was surprised to subsequently see in
/var/log/messages lines such as:
...setroubleshoot: SELinux is preventing /usr/bin/perl "write" access on z.sock.
If SELINUX=disabled is set and saved in /etc/selinux/config, after
reboot no messages about preventing writes appear in /var/log/messages
when running the same daemons and applications.
I have not yet delved into the code enough to confirm or deny
whether these writes were allowed or not (when running in permissive
mode). Does setroubleshoot log the same messages whether they are
errors (enforcing mode, plausible wording as above) or warnings
(permissive mode, better if worded something like:
...setroubleshoot: SELinux warns about (inconsistent with policy) ...
)? If I determine the actions matched the log message, should the
bugzilla be filed against the policy, or setroubleshoot, or some other
component?
Fedora 13
selinux-policy-targeted-3.7.19-33.fc13.noarch
setroubleshoot-2.2.88-1.fc13.x86_64
Cheers,
Nelson
13 years, 7 months
consolekit, udev and noatsecure
by Dominick Grift
I had the issue where, if there are several users logged into the GUI and I log out, sometimes I would get a black screen with a blinking cursor (user switching thing).
I think that this may be because of:
allow consolekit_t udev_t:process noatsecure;
However, I haven't tested it enough to be certain, but ever since I added the rule I haven't been stuck again so far.
13 years, 7 months
gdb and avc
by Genes MailLists
When I debug (local compiled executable) as user with gdb I get this d:
[selinux-policy-3.7.19-39.fc13.noarch]
gene/
------------------------------
Summary:
SELinux is preventing /usr/bin/gdb "write" access on
/usr/share/glib-2.0/gdb.
Detailed Description:
SELinux denied access requested by gdb. It is not expected that this
access is
required by gdb and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
...
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:usr_t:s0
Target Objects /usr/share/glib-2.0/gdb [ dir ]
Source gdb
Source Path /usr/bin/gdb
Port <Unknown>
Host lap1.prv.sapience.com
Source RPM Packages gdb-7.1-23.fc13
Target RPM Packages glib2-devel-2.24.1-1.fc13
Policy RPM selinux-policy-3.7.19-21.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name lap1.prv.sapience.com
Platform Linux lap1.prv.sapience.com
2.6.33.5-112.fc13.x86_64 #1 SMP Thu May 27
02:28:31 UTC 2010 x86_64 x86_64
Alert Count 2
First Seen Mon 31 May 2010 06:39:33 PM EDT
Last Seen Mon 31 May 2010 06:39:33 PM EDT
Local ID 93cf7fa2-26ba-4ce9-8bec-2d73222d4602
Line Numbers
Raw Audit Messages
node=lap1.prv.sapience.com type=AVC msg=audit(1275345573.390:33574):
avc: denied { write } for pid=6060 comm="gdb" name="gdb" dev=sda8
ino=929092 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=dir
node=lap1.prv.sapience.com type=SYSCALL msg=audit(1275345573.390:33574):
arch=c000003e syscall=2 success=no exit=-13 a0=7fffc10c7b30 a1=2c1
a2=81a4 a3=7fcbd6e98ad0 items=0 ppid=6058 pid=6060 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="gdb" exe="/usr/bin/gdb"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
13 years, 7 months
None
by Manisha Ambekar
Ms. Manisha Ambekar
MTech II
IIT, Mumbai
13 years, 7 months
tor: dac_override, dac_read_search, name_bind and net_bind_service
by Mr Dash Four
What is the purpose of dac_override and dac_read_search capabilities?
From what I can gather they allow unrestricted access to the file
system (not sure how secure that would be?).
I am getting 2 avc's when trying to start tor (see logs below). SELinux
is in enforced mode (switched it to permissive in order to get all the
alerts listed below). I looked at the source policy
(policy/modules/services/tor.te) and indeed these 2 capabilities are not
there (only setgid, setuid and sys_tty_config are allowed from what I
can see). How healthy would it be if I add these two capabilities to tor.te?
===========================
type=AVC msg=audit(1278095042.156:12): avc: denied { dac_override }
for pid=1620 comm="tor" capability=1
scontext=unconfined_u:system_r:tor_t:s0
tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1278095042.156:12): avc: denied { dac_read_search }
for pid=1620 comm="tor" capability=2
scontext=unconfined_u:system_r:tor_t:s0
tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
===========================
I am also getting two other avc's when tor is trying to bind to port
udp/53 (dns_port_t) and tcp/53. I need this to use tor as my dns
resolution service on the local machine tor is running. I can probably
prevent the first avc with including "allow tor_t dns_port_t:tcp_socket
name_bind;" in tor.te, but how do I prevent the second one?
===========================
type=AVC msg=audit(1278095145.861:14): avc: denied { dac_override }
for pid=1634 comm="tor" capability=1
scontext=unconfined_u:system_r:tor_t:s0
tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=SYSCALL msg=audit(1278095145.861:14): arch=40000003 syscall=195
success=yes exit=0 a0=9e07088 a1=bfad5390 a2=55bff4 a3=0 items=0
ppid=1633 pid=1634 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=tty1 ses=1 comm="tor" exe="/usr/bin/tor"
subj=unconfined_u:system_r:tor_t:s0 key=(null)
type=AVC msg=audit(1278095145.958:15): avc: denied { name_bind } for
pid=1636 comm="tor" src=53 scontext=unconfined_u:system_r:tor_t:s0
tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1278095145.958:15): avc: denied { net_bind_service
} for pid=1636 comm="tor" capability=10
scontext=unconfined_u:system_r:tor_t:s0
tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=SYSCALL msg=audit(1278095145.958:15): arch=40000003 syscall=102
success=yes exit=0 a0=2 a1=bfad5260 a2=0 a3=9e1cba8 items=0 ppid=1
pid=1636 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=1 comm="tor" exe="/usr/bin/tor"
subj=unconfined_u:system_r:tor_t:s0 key=(null)
===========================
I am getting the above set when I place SELinux in Permissive mode
(setenforce 0). As it is clear from the above, I am NOT getting
dac_read_search when SELinux is in Permissive mode. I am also not
getting name_bind and net_bind_service avc when SELinux is in Enforced
mode as obviously tor does not reach that far and terminates.
Help would be much appreciated!
13 years, 8 months