selinux July 2010

selinux@lists.fedoraproject.org

24 participants
26 discussions

SELinux, Samba, & Winbind
by Kloc, Alisha 23 Jul '10

23 Jul '10

Hello list, I am trying to set up basic Samba/Winbind on a RHEL5.2 server. But every time I try to do anything - join a domain, run a test join, change configuration settings, basically anything that calls any object related to Samba or Winbind - SELinux blocks it. Disabling protection for the winbind daemon in the boolean settings changes SELinux to blocking /var/run/winbindd/pipe instead. I've run restorecon where possible, and done a full relabel of the whole system, multiple times. Nothing changes. I haven't moved any system files and I'm following the official Samba setup documentation. I'm utterly at a loss. Something must be broken because I can't imagine a default SELinux policy that blocks all Samba/Winbind activity would have made it past RHEL5's quality control. But I can't figure out what it is. Please help! Thanks in advance, -Alisha _____________________________________ [root@myhost ~]# net ads testjoin [2010/07/21 18:28:39.357159, 0] libads/kerberos.c:915(create_local_private_krb5_conf_for_domain) create_local_private_krb5_conf_for_domain: failed to create directory /var/lib/samba/smb_krb5. Error was Permission denied [2010/07/21 18:28:39.359054, 0] libads/kerberos.c:915(create_local_private_krb5_conf_for_domain) create_local_private_krb5_conf_for_domain: failed to create directory /var/lib/samba/smb_krb5. Error was Permission denied Join is OK _____________________________________ Summary: SELinux is preventing the net from using potentially mislabeled files (/tmp/.winbindd). Detailed Description SELinux has denied net access to potentially mislabeled file(s) (/tmp/.winbindd). This means that SELinux will not allow net to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access If you want net to access this files, you need to relabel them using restorecon -v '/tmp/.winbindd'. You might want to relabel the entire directory using restorecon -R -v '/tmp/.winbindd'. Additional Information Source Context: root:system_r:samba_net_t:SystemLow-SystemHighTarget Context: system_u:object_r:winbind_tmp_t Target Objects: /tmp/.winbindd [ dir ] Source: net Source Path: /usr/bin/net Port: <Unknown> Host: <my-hostname> Source RPM Packages: samba3-client-3.5.4-43.el5 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-137.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin Name: home_tmp_bad_labels Host Name: <my-hostname> Platform: Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686 Alert Count: 24 First Seen: Wed 21 Jul 2010 05:56:30 PM GMT Last Seen: Wed 21 Jul 2010 06:08:40 PM GMT Local ID: 0c95a6b7-9a92-4950-bb1d-9b74686685ea Line Numbers: Raw Audit Messages : host=<my-hostname> type=AVC msg=audit(1279735720.83:120): avc: denied { getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3 ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir host=<my-hostname> type=SYSCALL msg=audit(1279735720.83:120): arch=40000003 syscall=196 success=no exit=-13 a0=2ae6b6 a1=bfa92f0c a2=cabff4 a3=2ae6b6 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null) ______________________________________ Summary: SELinux is preventing net (samba_net_t) "read" to ./filesystems (proc_t). Detailed Description: SELinux denied access requested by net. It is not expected that this access is required by net and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./filesystems, restorecon -v './filesystems' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context root:system_r:samba_net_t:SystemLow-SystemHigh Target Context system_u:object_r:proc_t Target Objects ./filesystems [ file ] Source net Source Path /usr/bin/net Port <Unknown> Host <my-hostname> Source RPM Packages samba3-client-3.5.4-43.el5 Target RPM Packages Policy RPM selinux-policy-2.4.6-137.el5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name <my-hostname> Platform Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686 Alert Count 12 First Seen Wed 21 Jul 2010 05:56:30 PM GMT Last Seen Wed 21 Jul 2010 06:08:39 PM GMT Local ID 1f71cc35-0ccc-4104-8c99-5158849a8cb1 Line Numbers Raw Audit Messages host=<my-hostname> type=AVC msg=audit(1279735719.957:114): avc: denied { read } for pid=7064 comm="net" name="filesystems" dev=proc ino=-268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file host=<my-hostname> type=SYSCALL msg=audit(1279735719.957:114): arch=40000003 syscall=5 success=no exit=-13 a0=ab1390 a1=8000 a2=0 a3=8000 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null) _____________________________________

4 5

xguest for CentOS?
by mark 22 Jul '10

22 Jul '10

Does anyone know of an xguest package for CentOS? For that matter, I gather Dan, here, created it - what's in it, beyond an selinux policy, and maybe a login/logout script? Thanks in advance. mark

2 1

system user home
by Vadym Chepkov 20 Jul '10

20 Jul '10

Hi, Whenever I try to modify a policy I get a warning like this: /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin. And this is true, I did create a system account with home in /var/lib/application But, I need this account to have a real shell. How can I make SELinux happy? Thank you, Vadym Chepkov

2 6

Questions on creating policy
by David Highley 19 Jul '10

19 Jul '10

"dhighley wrote:" >From dhighley Mon Jul 19 08:00:52 2010 Subject: Questions on creating policy To: selinux(a)lists.fedoraproject.org Date: Mon, 19 Jul 2010 08:00:52 -0700 (PDT) X-Mailer: ELM [version 2.5 PL8] Content-Length: 2001 Where do I find the information about how to translate from something like this: module rsyslod 1.0; require { type syslogd_t; type var_run_t; class fifo_file { read write }; } #============= syslogd_t ============== allow syslogd_t var_run_t:fifo_file { read write }; and module sshdfilter 1.0; require { type syslogd_t; type var_run_t; class fifo_file { read write }; } #============= syslogd_t ============== allow syslogd_t var_run_t:fifo_file { read write }; Translation should be something like: [root@redwood sshdfilter]# cat sshdfilter.fc /etc/rc\.d/init\.d/sshdfilter -- gen_context(system_u:object_r:sshdfilter_initrc_exec_t, s0) /etc/sshdfilterrc.* -- gen_context(system_u:object_r:sshdfilter_etc_t, s0) /usr/sbin/sshdfilter -- gen_context(system_u:object_r:sshdfilter_exec_t, s0) [root@redwood sshdfilter]# cat sshdfilter.te policy_module(sshdfilter, 1.0.0) type sshdfilter_t; type sshdfilter_exec_t; init_daemon_domain(sshdfilter_t, sshdfilter_exec_t) type sshdfilter_initrc_exec_t; init_script_file(sshdfilter_initrc_exec_t) type sshdfilter_etc_t; files_config_file(sshdfilter_etc_t) dev_read_urand(sshdfilter_t) corecmd_search_bin(sshdfilter_t) miscfiles_read_localization(sshdfilter_t) optional_policy(` iptables_domtrans(sshdfilter_t) ') Dominick Grift helped with the above translations, but I would like to know how to make the transformations. In addition to the above question I would like to know if there is an existing label type that I should use on a named pipe that would not require policy modifications to be made to rsyslog. I'm working in the context of getting the sshdfilter application packaged into a Fedora RPM and using method of creating a named pipe for rsyslogd to write information to that the sshdfilter can read. The location for the named pipe may even be wrong when selinux labeling is considered, /var/run/sshdfilter.fifo, but that seems to be where I see other named pipes created.

1 0

Questions on creating policy
by David Highley 19 Jul '10

19 Jul '10

Where do I find the information about how to translate from something like this: module rsyslod 1.0; require { type syslogd_t; type var_run_t; class fifo_file { read write }; } #============= syslogd_t ============== allow syslogd_t var_run_t:fifo_file { read write }; and module sshdfilter 1.0; require { type syslogd_t; type var_run_t; class fifo_file { read write }; } #============= syslogd_t ============== allow syslogd_t var_run_t:fifo_file { read write }; Translation should be something like: [root@redwood sshdfilter]# cat sshdfilter.fc /etc/rc\.d/init\.d/sshdfilter -- gen_context(system_u:object_r:sshdfilter_initrc_exec_t, s0) /etc/sshdfilterrc.* -- gen_context(system_u:object_r:sshdfilter_etc_t, s0) /usr/sbin/sshdfilter -- gen_context(system_u:object_r:sshdfilter_exec_t, s0) [root@redwood sshdfilter]# cat sshdfilter.te policy_module(sshdfilter, 1.0.0) type sshdfilter_t; type sshdfilter_exec_t; init_daemon_domain(sshdfilter_t, sshdfilter_exec_t) type sshdfilter_initrc_exec_t; init_script_file(sshdfilter_initrc_exec_t) type sshdfilter_etc_t; files_config_file(sshdfilter_etc_t) dev_read_urand(sshdfilter_t) corecmd_search_bin(sshdfilter_t) miscfiles_read_localization(sshdfilter_t) optional_policy(` iptables_domtrans(sshdfilter_t) ') Dominick Grift helped with the above translations, but I would like to know how to make the transformations. In addition to the above question I would like to know if there is an existing label type that I should use on a named pipe that would not require policy modifications to be made to rsyslog. I'm working in the context of getting the sshdfilter application packaged into a Fedora RPM and using method of creating a named pipe for rsyslogd to write information to that the sshdfilter can read. The location for the named pipe may even be wrong when selinux labeling is considered, /var/run/sshdfilter.fifo, but that seems to be where I see other named pipes created.

1 0

[RFC PATCH] add constraint functionality to mcstrans
by Ted Toth 15 Jul '10

15 Jul '10

Implementation of constraints. Constraints allow for the specification of restrictions on sensitivity and category combinations. Two constraint operations are supported. The '!' operator (ex. s0!c1) accept a sensitivity level or one or more categories on the lhs and one or more categories in the rhs. The '!' constraint fails if the bit defined in the rhs and lhs occur in a label. The '>' operator accepts only categories and it fails if the categories specified on the rhs do not occur in a label which has the categories specified on the lhs. Allow for comments at the end of lines. Adds performance timing debug output when built with -DDEBUG. --- mcstrans.c | 318 +++++++++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 289 insertions(+), 29 deletions(-) --- mcstrans-0.3.1/src/mcstrans.c 2010-07-13 17:56:49.908942263 -0500 +++ mcstrans-0.3.1/src/mcstrans.c.constraints 2010-07-13 19:44:34.348523418 -0500 @@ -35,7 +35,7 @@ #include "mls_level.h" #include "mcstrans.h" -#define N_BUCKETS 101 +#define N_BUCKETS 1453 #define OVECCOUNT (512*3) #define max(a,b) ((a) >= (b) ? (a) : (b)) @@ -105,10 +105,10 @@ return 0; } -int +unsigned int ebitmap_cardinality(ebitmap_t *e1) { unsigned int i, count = 0; - for (i=0; i <= ebitmap_length(e1); i++) + for (i=ebitmap_startbit(e1); i < ebitmap_length(e1); i++) if (ebitmap_get_bit(e1, i)) count++; return count; @@ -238,6 +238,27 @@ static domain_t *domains; +typedef struct sens_constraint { + char op; + char *text; + unsigned int sens; + ebitmap_t cat; + struct sens_constraint *next; +} sens_constraint_t; + +static sens_constraint_t *sens_constraints; + +typedef struct cat_constraint { + char op; + char *text; + int nbits; + ebitmap_t mask; + ebitmap_t cat; + struct cat_constraint *next; +} cat_constraint_t; + +static cat_constraint_t *cat_constraints; + unsigned int hash(const char *str) { unsigned int hash = 5381; @@ -399,12 +420,14 @@ void destroy_domain(domain_t *domain) { int i; + unsigned int rt = 0, tr = 0; for (i=0; i < N_BUCKETS; i++) { context_map_node_t *ptr; for (ptr = domain->trans_to_raw[i]; ptr;) { context_map_node_t *t = ptr->next; free(ptr); ptr = t; + tr++; } domain->trans_to_raw[i] = NULL; } @@ -417,6 +440,7 @@ free(ptr->map); free(ptr); ptr = t; + rt++; } domain->raw_to_trans[i] = NULL; } @@ -433,6 +457,8 @@ destroy_group(&domain->groups, domain->groups); free(domain->name); free(domain); + + syslog(LOG_INFO, "cache sizes: tr = %u, rt = %u", tr, rt); } int @@ -458,6 +484,138 @@ return 0; } +int +add_constraint(char op, char *raw, char *tok) { + log_debug("%s\n", "add_constraint"); + ebitmap_t empty; + ebitmap_init(&empty); + if (!raw || !*raw) { + syslog(LOG_ERR, "unable to parse line"); + return -1; + } + if (*raw == 's') { + sens_constraint_t *constraint = calloc(1, sizeof(sens_constraint_t)); + if (sscanf(raw,"s%u", &constraint->sens) != 1) { + syslog(LOG_ERR, "unable to parse level"); + free(constraint); + return -1; + } + if (parse_ebitmap(&constraint->cat, &empty, tok) < 0) { + syslog(LOG_ERR, "unable to parse cat"); + free(constraint); + return -1; + } + if (asprintf(&constraint->text, "%s%c%s", raw, op, tok) < 0) { + log_error("asprintf failed %s", strerror(errno)); + exit(1); + } + constraint->op = op; + sens_constraint_t **p; + for (p= &sens_constraints; *p; p = &(*p)->next) + ; + *p = constraint; + return 0; + } else if (*raw == 'c' ) { + cat_constraint_t *constraint = calloc(1, sizeof(cat_constraint_t)); + if (parse_ebitmap(&constraint->mask, &empty, raw) < 0) { + syslog(LOG_ERR, "unable to parse mask"); + free(constraint); + return -1; + } + if (parse_ebitmap(&constraint->cat, &empty, tok) < 0) { + syslog(LOG_ERR, "unable to parse cat"); + ebitmap_destroy(&constraint->mask); + free(constraint); + return -1; + } + if (asprintf(&constraint->text, "%s%c%s", raw, op, tok) < 0) { + log_error("asprintf failed %s", strerror(errno)); + exit(1); + } + constraint->nbits = ebitmap_cardinality(&constraint->cat); + constraint->op = op; + cat_constraint_t **p; + for (p= &cat_constraints; *p; p = &(*p)->next) + ; + *p = constraint; + return 0; + } else { + return -1; + } + + return 0; +} + +int +violates_constraints(mls_level_t *l) { + int nbits; + sens_constraint_t *s; + for (s=sens_constraints; s; s=s->next) { + if (s->sens == l->sens) { + ebitmap_t common; + ebitmap_and(&common, &s->cat, &l->cat); + nbits = ebitmap_cardinality(&common); + ebitmap_destroy(&common); + if (nbits) { + char *text = mls_level_to_string(l); + syslog(LOG_WARNING, "%s violates %s", text, s->text); + free(text); + return 1; + } + } + } + cat_constraint_t *c; + for (c=cat_constraints; c; c=c->next) { + ebitmap_t common; + ebitmap_and(&common, &c->mask, &l->cat); + nbits = ebitmap_cardinality(&common); + ebitmap_destroy(&common); + if (nbits > 0) { + ebitmap_t common; + ebitmap_and(&common, &c->cat, &l->cat); + nbits = ebitmap_cardinality(&common); + ebitmap_destroy(&common); + if ((c->op == '!' && nbits) || + (c->op == '>' && nbits != c->nbits)) { + char *text = mls_level_to_string(l); + syslog(LOG_WARNING, "%s violates %s (%d,%d)", text, c->text, nbits, c->nbits); + free(text); + return 1; + } + } + } + return 0; +} + +void +destroy_sens_constraint(sens_constraint_t **list, sens_constraint_t *constraint) { + for (; list && *list; list = &(*list)->next) { + if (*list == constraint) { + *list = constraint->next; + break; + } + } + ebitmap_destroy(&constraint->cat); + free(constraint->text); + memset(constraint, 0, sizeof(sens_constraint_t)); + free(constraint); +} + +void +destroy_cat_constraint(cat_constraint_t **list, cat_constraint_t *constraint) { + for (; list && *list; list = &(*list)->next) { + if (*list == constraint) { + *list = constraint->next; + break; + } + } + ebitmap_destroy(&constraint->mask); + ebitmap_destroy(&constraint->cat); + free(constraint->text); + memset(constraint, 0, sizeof(cat_constraint_t)); + free(constraint); +} + mls_level_t * parse_raw (const char *raw) { unsigned low, high; @@ -591,28 +749,52 @@ static word_group_t *group; static int base_classification; static int lineno = 0; - char *raw; - char *ptr, *tok; + char op='\0'; lineno++; - trim(buffer, "\r\n"); /* zap trailing CR, LF */ - buffer = triml(buffer, "\t "); /* zap leading whitespace */ - log_debug("%d: %s\n", lineno, buffer); - if(*buffer == '#') return 0; - if(*buffer == 0) return 0; + log_debug("%d: %s", lineno, buffer); - raw = strtok_r(buffer, "=", &ptr); - if (!raw || !*raw) { + /* zap leading whitespace */ + buffer = triml(buffer, "\t "); + + /* Ignore comments */ + if (*buffer == '#') return 0; + char *comment = strpbrk (buffer, "#"); + if (comment) { + *comment = '\0'; + } + + /* zap trailing whitespace */ + buffer = trim(buffer, "\t \r\n"); + + if (*buffer == 0) return 0; + + char *delim = strpbrk (buffer, "=!>"); + if (! delim) { + syslog(LOG_ERR, "invalid line (no !, = or >) %d", lineno); + return -1; + } + + op = *delim; + *delim = '\0'; + char *raw = buffer; + char *tok = delim+1; + + if (! *raw) { syslog(LOG_ERR, "invalid line %d", lineno); return -1; } - tok = strtok_r(NULL, "\0", &ptr); - if (!tok) { + if (! *tok) { syslog(LOG_ERR, "invalid line %d", lineno); return -1; } + /* constraints have different syntax */ + if (op == '!' || op == '>') { + return add_constraint(op, raw, tok); + } + if (!strcmp(raw, "Domain") || !strcmp(raw, "Table")) { tok = triml(tok, "\t "); trim(tok, "\t "); @@ -776,7 +958,12 @@ } static int -size_alpha(const void *p1, const void *p2) { +string_size(const void *p1, const void *p2) { + return strlen(*(char **)p2) - strlen(*(char **)p1); +} + +static int +word_size(const void *p1, const void *p2) { word_t *w1 = *(word_t **)p1; word_t *w2 = *(word_t **)p2; int w1_len=strlen(w1->text); @@ -803,16 +990,32 @@ build_regexps(domain_t *domain) { char buffer[1024 * 128]; buffer[0] = '\0'; - base_classification_t *i; + base_classification_t *bc; word_group_t *g; affix_t *a; word_t *w; + size_t n_el, i; /* whitespace collapse ??? XXX */ - for (i = domain->base_classifications; i; i = i->next) { - strcat(buffer, i->trans); - if (i->next) strcat(buffer,"|"); + for (n_el = 0, bc = domain->base_classifications; bc; bc = bc->next) { + n_el++; + } + + char **sortable = calloc(n_el, sizeof(char *)); + + for (i=0, bc = domain->base_classifications; bc; bc = bc->next) { + sortable[i++] = bc->trans; + } + + qsort(sortable, n_el, sizeof(char *), string_size); + + for (i = 0; i < n_el; i++) { + strcat(buffer, sortable[i]); + if (i < n_el) strcat(buffer,"|"); } + + free(sortable); + log_debug(">>> %s classification regexp=%s\n", domain->name, buffer); build_regexp(&domain->base_classification_regexp, buffer); @@ -832,19 +1035,25 @@ if (g->prefixes) strcat(buffer, "^"); strcat(buffer, "(?:"); + g->sword_len=0; - for (w = g->words; w; w = w->next) { - strcat(buffer,"\\b"); - strcat(buffer, w->text); - strcat(buffer,"\\b"); - if (w->next) strcat(buffer,"|"); + for (w = g->words; w; w = w->next) g->sword_len++; - } + g->sword = calloc(g->sword_len, sizeof(word_t *)); + int i=0; for (w = g->words; w; w = w->next) g->sword[i++]=w; - qsort(g->sword, g->sword_len, sizeof(word_t *), size_alpha); + + qsort(g->sword, g->sword_len, sizeof(word_t *), word_size); + + for (i=0; i < g->sword_len; i++) { + if (i) strcat(buffer,"|"); + strcat(buffer,"\\b"); + strcat(buffer, g->sword[i]->text); + strcat(buffer,"\\b"); + } strcat(buffer,"|"); emit_whitespace(buffer, g->whitespace); @@ -874,8 +1083,11 @@ /* TODO - if bit is set & cleared in one pass - error */ char * compute_raw_from_trans(const char *level, domain_t *domain) { + +#ifdef DEBUG struct timeval startTime; gettimeofday(&startTime, 0); +#endif int ovector[OVECCOUNT]; word_group_t *g; @@ -888,13 +1100,16 @@ build_regexps(domain); if (!domain->base_classification_regexp) return NULL; + log_debug(" compute_raw_from_trans work = %s\n", work); int rc = pcre_exec(domain->base_classification_regexp, 0, work, strlen (work), 0, PCRE_ANCHORED, ovector, OVECCOUNT); if (rc > 0) { const char *match = NULL; pcre_get_substring(work, ovector, rc, 0, &match); + log_debug(" compute_raw_from_trans match = %s len = %ld\n", match, strlen(match)); base_classification_t *bc; for (bc = domain->base_classifications; bc; bc = bc->next) { if (!strcmp(bc->trans, match)) { + log_debug(" compute_raw_from_trans base classification %s matched %s\n", level, bc->trans); mraw = malloc(sizeof(mls_level_t)); mls_level_cpy(mraw, bc->level); break; @@ -906,6 +1121,8 @@ while (*p && (strchr(" ", *p) != NULL)) *p++ = '#'; pcre_free((char *)match); + } else { + log_debug(" compute_raw_from_trans no base classification matched %s\n", level); } if (mraw == NULL) { @@ -945,8 +1162,7 @@ g->word_regexp) { char *s = work + prefix_offset + prefix_len; int l = (suffix_len ? suffix_offset : work_len) - prefix_len - prefix_offset; - int rc = pcre_exec(g->word_regexp, 0, s, l, 0, - 0, ovector, OVECCOUNT); + int rc = pcre_exec(g->word_regexp, 0, s, l, 0, 0, ovector, OVECCOUNT); if (rc > 0) { const char *match; pcre_get_substring(s, ovector, rc, 0, &match); @@ -994,6 +1210,7 @@ pcre_free((void *)match); } } +/* YYY */ complete=1; char *p = work; while(*p) { @@ -1005,10 +1222,15 @@ } } free(work); + if (violates_constraints(mraw)) { + complete = 0; + } if (complete) r = mls_level_to_string(mraw); mls_level_destroy(mraw); free(mraw); + +#ifdef DEBUG struct timeval stopTime; gettimeofday(&stopTime, 0); long int ms; @@ -1016,6 +1238,8 @@ ms = (stopTime.tv_sec - startTime.tv_sec - 1) * 1000 + (stopTime.tv_usec/1000 + 1000 - startTime.tv_usec/1000); else ms = (stopTime.tv_sec - startTime.tv_sec ) * 1000 + (stopTime.tv_usec/1000 - startTime.tv_usec/1000); + log_debug(" compute_raw_from_trans in %ld ms'\n", ms); +#endif return r; } @@ -1023,8 +1247,11 @@ /* XXX SLOW */ char * compute_trans_from_raw(const char *level, domain_t *domain) { + +#ifdef DEBUG struct timeval startTime; gettimeofday(&startTime, 0); +#endif char *rval = NULL; if (!level) @@ -1034,6 +1261,15 @@ return NULL; log_debug(" compute_trans_from_raw raw = %s\n", level); +/* YYY */ + /* check constraints */ + if (violates_constraints(l)) { + syslog(LOG_ERR, "%s violates constraints", level); + mls_level_destroy(l); + free(l); + return NULL; + } + /* HACK XXX - should be function, should derive from config*/ int doInverse = l->sens > 0; @@ -1180,6 +1416,7 @@ free(l); } +#ifdef DEBUG struct timeval stopTime; gettimeofday(&stopTime, 0); long int ms; @@ -1188,6 +1425,9 @@ else ms = (stopTime.tv_sec - startTime.tv_sec ) * 1000 + (stopTime.tv_usec/1000 - startTime.tv_usec/1000); + log_debug(" compute_trans_from_raw in %ld ms'\n", ms); +#endif + return rval; } @@ -1196,8 +1436,10 @@ char *trans = NULL; *rcon = NULL; +#ifdef DEBUG struct timeval startTime; gettimeofday(&startTime, 0); +#endif log_debug(" trans_context input = %s\n", incon); char *range = extract_range(incon); @@ -1279,6 +1521,7 @@ } free(range); +#ifdef DEBUG struct timeval stopTime; gettimeofday(&stopTime, 0); long int ms; @@ -1288,6 +1531,7 @@ ms = (stopTime.tv_sec - startTime.tv_sec ) * 1000 + (stopTime.tv_usec/1000 - startTime.tv_usec/1000); log_debug(" trans_context input='%s' output='%s in %ld ms'\n", incon, *rcon, ms); +#endif return 0; } @@ -1296,8 +1540,10 @@ char *raw = NULL; *rcon = NULL; +#ifdef DEBUG struct timeval startTime; gettimeofday(&startTime, 0); +#endif log_debug(" untrans_context incon = %s\n", incon); char *range = extract_range(incon); @@ -1323,12 +1569,14 @@ char *canonical = find_in_hashtable(raw, domain, domain->raw_to_trans); if (!canonical) { canonical = compute_trans_from_raw(raw, domain); - if (canonical) + if (canonical && strcmp(canonical, range)) add_cache(domain, raw, canonical); } if (canonical) free(canonical); add_cache(domain, raw, range); + } else { + log_debug("untrans_context unable to compute raw context %s\n", range); } } @@ -1406,6 +1654,7 @@ } free(range); +#ifdef DEBUG struct timeval stopTime; gettimeofday(&stopTime, 0); long int ms; @@ -1415,6 +1664,7 @@ ms = (stopTime.tv_sec - startTime.tv_sec ) * 1000 + (stopTime.tv_usec/1000 - startTime.tv_usec/1000); log_debug(" untrans_context input='%s' output='%s' n %ld ms\n", incon, *rcon, ms); +#endif return 0; } @@ -1425,5 +1675,15 @@ destroy_domain(domains); domains = next; } + while(sens_constraints) { + sens_constraint_t *next = sens_constraints->next; + destroy_sens_constraint(&sens_constraints, sens_constraints); + sens_constraints = next; + } + while(cat_constraints) { + cat_constraint_t *next = cat_constraints->next; + destroy_cat_constraint(&cat_constraints, cat_constraints); + cat_constraints = next; + } }

1 0

Re: Selinux and tomcat
by Harley Race 15 Jul '10

15 Jul '10

Never mind. I figured out what the problem was. After I noticed that httpd was also suffering from the same problem (it would start and run under root as opposed to system_u), I figured it was not my startup script for tomcat. After some investigation, I discovered that the rpm packages acl and attr were not installed with the minimal install from anaconda (I did a minimal install on both Fedora and CentOS). I had performed a minimal install by unchecking all packages (yes even the base one) at the package install screen during OS installation. Supposedly the install performed by anaconda is exactly like the net install image. Unfortunately, when you do the minimal install, it does not install the rpms acl and attr. Once I installed both of these rpm packages and rebooted, everything went back to normal. Thanks for those of you that responded to my cry for help.

1 0

Two diferent Java programs on same machine
by giovanni testing 15 Jul '10

15 Jul '10

Hi everyone, I have to run two differents Java programs, with different permissions (they access to different files and listen to different ports). There is some way to specify different rules even they share the same executable (Java)? I'm thinking of one possibility, but I think that is not possible: -If you come from unconfined_t and run MyPolice_exec_t (java), the transition goes to MyPoliceA_t -If you come from user_t and run MyPolic_exec_t(java), the transition goes to MyPoliceB_t Thank you in advance. Best regards.

3 9

Selinux and tomcat
by Harley Race 14 Jul '10

14 Jul '10

Ladies and Gentlemen, I am contacting this list because I have questions about how selinux has been implemented in Fedora/RHEL/CentOS. I am trying to write a startup script for Tomcat 5.5. I created a tomcat user and group. Made sure that file permissions were set correctly. Tomcat will start, but when you do a ps -efZ instead of tomcat running in system_u, it is running in root. If I check pid and lock file, though permissions are set correctly, a "ls -laZ" reveals that tomcat writes the pid and lock files with root user context instead of system_u. Same thing with log files, they are written with root:object_r:var_log_t instead of system_u:object_r:var_log_t. Any ideas in what could be going wrong? Selinux is running with targeted policy. I tried using both runuser and daemon(), with still the same results. Startup script is attached.

2 1

[PATCH] mcstrans: bug fix for mixed raw and translated level
by Ted Toth 14 Jul '10

14 Jul '10

Fix for bug reported to selinux list ( http://www.nsa.gov/research/selinux/list-archive/1001/31388.shtml) Fixes the handling of cases where the sensitivity level of the context contains a mix of raw and translated levels (ex. s0-SystemHigh or SystemLow-s15:c0.c1023). --- mcstrans.c | 87 +++++++++++++++++++++++++++++++++++++------------------------ 1 file changed, 54 insertions(+), 33 deletions(-) --- mcstrans-0.3.1/src/mcstrans.c 2009-02-16 13:01:15.000000000 -0600 +++ mcstrans-0.3.1/src/mcstrans.c.mixed-range 2010-07-12 16:54:08.921270080 -0500 @@ -1228,6 +1228,13 @@ trans_context(const security_context_t i ltrans = compute_trans_from_raw(lrange, domain); if (ltrans) add_cache(domain, lrange, ltrans); + else { + ltrans = strdup(lrange); + if (! ltrans) { + log_error("strdup failed %s", strerror(errno)); + exit(1); + } + } } utrans = find_in_hashtable(urange, domain, domain->raw_to_trans); @@ -1235,24 +1242,30 @@ trans_context(const security_context_t i utrans = compute_trans_from_raw(urange, domain); if (utrans) add_cache(domain, urange, utrans); + else { + utrans = strdup(urange); + if (! utrans) { + log_error("strdup failed %s", strerror(errno)); + exit(1); + } + } } - if (ltrans && utrans) { - if (strcmp(ltrans, utrans) == 0) { - if (asprintf(&trans, "%s", ltrans) < 0) { - log_error("asprintf failed %s", strerror(errno)); - exit(1); - } - } else { - if (asprintf(&trans, "%s-%s", ltrans, utrans) < 0) { - log_error("asprintf failed %s", strerror(errno)); - exit(1); - } + if (strcmp(ltrans, utrans) == 0) { + if (asprintf(&trans, "%s", ltrans) < 0) { + log_error("asprintf failed %s", strerror(errno)); + exit(1); + } + } else { + if (asprintf(&trans, "%s-%s", ltrans, utrans) < 0) { + log_error("asprintf failed %s", strerror(errno)); + exit(1); } - free(ltrans); - free(utrans); - break; } + free(ltrans); + free(utrans); + *dashp = '-'; + break; } if (dashp) *dashp = '-'; @@ -1333,6 +1346,12 @@ untrans_context(const security_context_t if (canonical) free(canonical); add_cache(domain, lraw, lrange); + } else { + lraw = strdup(lrange); + if (! lraw) { + log_error("strdup failed %s", strerror(errno)); + exit(1); + } } } @@ -1349,32 +1368,34 @@ untrans_context(const security_context_t if (canonical) free(canonical); add_cache(domain, uraw, urange); + } else { + uraw = strdup(urange); + if (! uraw) { + log_error("strdup failed %s", strerror(errno)); + exit(1); + } } } - if (lraw && uraw) { - if (strcmp(lraw, uraw) == 0) { - if (asprintf(&raw, "%s", lraw) < 0) { - log_error("asprintf failed %s", strerror(errno)); - exit(1); - } - } else { - if (asprintf(&raw, "%s-%s", lraw, uraw) < 0) { - log_error("asprintf failed %s", strerror(errno)); - exit(1); - } + if (strcmp(lraw, uraw) == 0) { + if (asprintf(&raw, "%s", lraw) < 0) { + log_error("asprintf failed %s", strerror(errno)); + exit(1); + } + } else { + if (asprintf(&raw, "%s-%s", lraw, uraw) < 0) { + log_error("asprintf failed %s", strerror(errno)); + exit(1); } - free(lraw); - free(uraw); - break; - } - if (lraw) - free(lraw); - if (uraw) - free(uraw); + } + free(lraw); + free(uraw); *dashp = '-'; + break; } + if (dashp) + *dashp = '-'; } if (raw) {

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux July 2010