SELinux, Samba, & Winbind
by Kloc, Alisha
Hello list,
I am trying to set up basic Samba/Winbind on a RHEL5.2 server. But every time I try to do anything - join a domain, run a test join, change configuration settings, basically anything that calls any object related to Samba or Winbind - SELinux blocks it.
Disabling protection for the winbind daemon in the boolean settings changes SELinux to blocking /var/run/winbindd/pipe instead. I've run restorecon where possible, and done a full relabel of the whole system, multiple times. Nothing changes. I haven't moved any system files and I'm following the official Samba setup documentation.
I'm utterly at a loss. Something must be broken because I can't imagine a default SELinux policy that blocks all Samba/Winbind activity would have made it past RHEL5's quality control. But I can't figure out what it is.
Please help!
Thanks in advance,
-Alisha
_____________________________________
[root@myhost ~]# net ads testjoin
[2010/07/21 18:28:39.357159, 0] libads/kerberos.c:915(create_local_private_krb5_conf_for_domain)
create_local_private_krb5_conf_for_domain: failed to create directory /var/lib/samba/smb_krb5. Error was Permission denied
[2010/07/21 18:28:39.359054, 0] libads/kerberos.c:915(create_local_private_krb5_conf_for_domain)
create_local_private_krb5_conf_for_domain: failed to create directory /var/lib/samba/smb_krb5. Error was Permission denied
Join is OK
_____________________________________
Summary:
SELinux is preventing the net from using potentially mislabeled files (/tmp/.winbindd).
Detailed Description
SELinux has denied net access to potentially mislabeled file(s) (/tmp/.winbindd). This means that SELinux will not allow net to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.
Allowing Access
If you want net to access this files, you need to relabel them using restorecon -v '/tmp/.winbindd'. You might want to relabel the entire directory using restorecon -R -v '/tmp/.winbindd'.
Additional Information
Source Context: root:system_r:samba_net_t:SystemLow-SystemHigh
Target Context: system_u:object_r:winbind_tmp_t
Target Objects: /tmp/.winbindd [ dir ]
Source: net
Source Path: /usr/bin/net
Port: <Unknown>
Host: <my-hostname>
Source RPM Packages: samba3-client-3.5.4-43.el5
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-137.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: home_tmp_bad_labels
Host Name: <my-hostname>
Platform: Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686
Alert Count: 24
First Seen: Wed 21 Jul 2010 05:56:30 PM GMT
Last Seen: Wed 21 Jul 2010 06:08:40 PM GMT
Local ID: 0c95a6b7-9a92-4950-bb1d-9b74686685ea
Line Numbers:
Raw Audit Messages :
host=<my-hostname> type=AVC msg=audit(1279735720.83:120): avc: denied { getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3 ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir
host=<my-hostname> type=SYSCALL msg=audit(1279735720.83:120): arch=40000003 syscall=196 success=no exit=-13 a0=2ae6b6 a1=bfa92f0c a2=cabff4 a3=2ae6b6 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
______________________________________
Summary:
SELinux is preventing net (samba_net_t) "read" to ./filesystems (proc_t).
Detailed Description:
SELinux denied access requested by net. It is not expected that this access is required by net and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./filesystems,
restorecon -v './filesystems'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context root:system_r:samba_net_t:SystemLow-SystemHigh
Target Context system_u:object_r:proc_t
Target Objects ./filesystems [ file ]
Source net
Source Path /usr/bin/net
Port <Unknown>
Host <my-hostname>
Source RPM Packages samba3-client-3.5.4-43.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name <my-hostname>
Platform Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686
Alert Count 12
First Seen Wed 21 Jul 2010 05:56:30 PM GMT
Last Seen Wed 21 Jul 2010 06:08:39 PM GMT
Local ID 1f71cc35-0ccc-4104-8c99-5158849a8cb1
Line Numbers
Raw Audit Messages
host=<my-hostname> type=AVC msg=audit(1279735719.957:114): avc: denied { read } for pid=7064 comm="net" name="filesystems" dev=proc ino=-268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
host=<my-hostname> type=SYSCALL msg=audit(1279735719.957:114): arch=40000003 syscall=5 success=no exit=-13 a0=ab1390 a1=8000 a2=0 a3=8000 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
_____________________________________
12 years, 8 months
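An added example, not part of Alisha's post or of the setroubleshoot output above: the two raw AVC records she pasted, fed through a small audit2allow-style aggregator that turns denials into candidate allow rules. The only input is those two records (plus one SYSCALL record, also from her output, to show that non-AVC lines are skipped); nothing else is assumed. Whether to load the resulting rules is a separate decision. setroubleshoot's advice to run restorecon only helps when the target's current label differs from the one the policy expects, and winbind_tmp_t is the type winbindd's own /tmp files get, so in this case the denial is a gap between samba_net_t and winbind_tmp_t in that policy version rather than a mislabeled file.

```python
"""Aggregate SELinux AVC denials into candidate allow rules (audit2allow-style)."""
import re
from collections import defaultdict
from typing import Any, Dict, List, Optional, Set, Tuple

# Sample input: the two AVC records and one SYSCALL record copied from the post
# above (the host name was already elided there).
AVC_LINES = [
    'host=<my-hostname> type=AVC msg=audit(1279735720.83:120): avc: denied { getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3 ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir',
    'host=<my-hostname> type=AVC msg=audit(1279735719.957:114): avc: denied { read } for pid=7064 comm="net" name="filesystems" dev=proc ino=-268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file',
    # SYSCALL records carry no scontext/tcontext and must be skipped
    'host=<my-hostname> type=SYSCALL msg=audit(1279735720.83:120): arch=40000003 syscall=196 success=no exit=-13 comm="net" exe="/usr/bin/net"',
]

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Parse one AVC record into its parts; returns None for non-AVC audit lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "stype": context_type(kv["scontext"]),
        "ttype": context_type(kv["tcontext"]),
        "tclass": kv["tclass"],
        "comm": kv.get("comm", ""),
        # path= is present for file objects, name= for the last path component only
        "object": kv.get("path") or kv.get("name", ""),
    }


def denials_to_rules(lines: List[str]) -> List[str]:
    """Collapse denials into one allow rule per (source type, target type, class)."""
    wanted: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc and avc["verdict"] == "denied":
            wanted[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    for avc in filter(None, map(parse_avc, AVC_LINES)):
        print(f'{avc["comm"]} ({avc["stype"]}) -> {avc["object"]} '
              f'({avc["ttype"]}:{avc["tclass"]}) {sorted(avc["perms"])}')
    print("\n".join(denials_to_rules(AVC_LINES)))
```

Run as a script it prints one line per denial followed by the two rules, which is what audit2allow would put into a local module for these records. Before building such a module, check the target's expected label with matchpathcon; if it already matches, restorecon is pointless and the choice is between a local policy module and a bug report against selinux-policy.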
xguest for CentOS?
by mark
Does anyone know of an xguest package for CentOS?
For that matter, I gather Dan, here, created it - what's in it, beyond an
selinux policy, and maybe a login/logout script?
Thanks in advance.
mark
12 years, 8 months
system user home
by Vadym Chepkov
Hi,
Whenever I try to modify a policy I get a warning like this:
/usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin.
And this is true, I did create a system account with home in /var/lib/application
But, I need this account to have a real shell. How can I make SELinux happy?
Thank you,
Vadym Chepkov
12 years, 8 months
Questions on creating policy
by David Highley
"dhighley wrote:"
>From dhighley Mon Jul 19 08:00:52 2010
Subject: Questions on creating policy
To: selinux(a)lists.fedoraproject.org
Date: Mon, 19 Jul 2010 08:00:52 -0700 (PDT)
Where do I find the information about how to translate from something
like this:
module rsyslod 1.0;
require {
type syslogd_t;
type var_run_t;
class fifo_file { read write };
}
#============= syslogd_t ==============
allow syslogd_t var_run_t:fifo_file { read write };
and
module sshdfilter 1.0;
require {
type syslogd_t;
type var_run_t;
class fifo_file { read write };
}
#============= syslogd_t ==============
allow syslogd_t var_run_t:fifo_file { read write };
Translation should be something like:
[root@redwood sshdfilter]# cat sshdfilter.fc
/etc/rc\.d/init\.d/sshdfilter -- gen_context(system_u:object_r:sshdfilter_initrc_exec_t, s0)
/etc/sshdfilterrc.* -- gen_context(system_u:object_r:sshdfilter_etc_t, s0)
/usr/sbin/sshdfilter -- gen_context(system_u:object_r:sshdfilter_exec_t, s0)
[root@redwood sshdfilter]# cat sshdfilter.te
policy_module(sshdfilter, 1.0.0)
type sshdfilter_t;
type sshdfilter_exec_t;
init_daemon_domain(sshdfilter_t, sshdfilter_exec_t)
type sshdfilter_initrc_exec_t;
init_script_file(sshdfilter_initrc_exec_t)
type sshdfilter_etc_t;
files_config_file(sshdfilter_etc_t)
dev_read_urand(sshdfilter_t)
corecmd_search_bin(sshdfilter_t)
miscfiles_read_localization(sshdfilter_t)
optional_policy(`
iptables_domtrans(sshdfilter_t)
')
Dominick Grift helped with the above translations, but I would like to
know how to make the transformations.
In addition to the above question I would like to know if there is an
existing label type that I should use on a named pipe that would not
require policy modifications to be made to rsyslog. I'm working in the
context of getting the sshdfilter application packaged into a Fedora RPM
and using method of creating a named pipe for rsyslogd to write
information to that the sshdfilter can read. The location for the named
pipe may even be wrong when selinux labeling is considered,
/var/run/sshdfilter.fifo, but that seems to be where I see other named
pipes created.
12 years, 8 months
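An added example, not part of David's post and not a tool from the refpolicy or sshdfilter projects: the transformation he asks about (raw audit2allow rules to reference-policy interface calls) is what audit2allow -R does with the real .if files under /usr/share/selinux/devel/include, and Dominick's sefindif does the lookup half by hand. The script below reimplements that lookup over an embedded, constructed sample of interface text so that it runs offline. dev_read_urand in the sample is modelled on the real refpolicy interface; example_rw_pid_fifos is hypothetical and exists only so the fifo rule from the post has something to match. The PATTERNS table is a hand-written subset of what the refpolicy support macros expand to.

```python
"""Map raw audit2allow rules onto refpolicy interface calls (a tiny sefindif)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of refpolicy-style interface text. dev_read_urand is modelled
# on the real interface in devices.if; example_rw_pid_fifos is hypothetical.
SAMPLE_IF = r"""
interface(`dev_read_urand',`
    gen_require(`
        type device_t, urandom_device_t;
    ')

    read_chr_files_pattern($1, device_t, urandom_device_t)
')

interface(`example_rw_pid_fifos',`
    gen_require(`
        type var_run_t;
    ')

    rw_fifo_files_pattern($1, var_run_t, var_run_t)
')
"""

# What the refpolicy support macros expand to: (object class, permissions granted).
# Hand-written subset; the real definitions live in support/obj_perm_sets.spt.
PATTERNS = {
    "read_chr_files_pattern": ("chr_file", {"getattr", "open", "read", "ioctl", "lock"}),
    "rw_fifo_files_pattern": ("fifo_file", {"getattr", "open", "read", "write", "append", "ioctl", "lock"}),
}

RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{\s*([\w\s]+?)\s*\}|(\w+))\s*;")
CALL_RE = re.compile(r"(\w+_pattern)\s*\(\s*([^)]*)\)")


def parse_allow(rule: str) -> Tuple[str, str, str, Set[str]]:
    """Split 'allow src tgt:cls { p1 p2 };' into (src, tgt, cls, perms)."""
    m = RULE_RE.search(rule)
    if not m:
        raise ValueError(f"not an allow rule: {rule!r}")
    src, tgt, cls, braced, single = m.groups()
    return src, tgt, cls, set(braced.split()) if braced else {single}


def parse_interfaces(text: str) -> Dict[str, str]:
    """Return {name: body} for each interface(`name',` body ') in m4-quoted .if text."""
    found: Dict[str, str] = {}
    pos = 0
    while (start := text.find("interface(`", pos)) >= 0:
        name_start = start + len("interface(`")
        name_end = text.index("'", name_start)
        body_start = text.index(",`", name_end) + 2
        depth, i = 1, body_start  # m4 quotes nest: ` opens, ' closes
        while depth:
            depth += {"`": 1, "'": -1}.get(text[i], 0)
            i += 1
        found[text[name_start:name_end]] = text[body_start:i - 1]
        pos = i
    return found


def suggest_interfaces(rule: str, if_text: str) -> List[str]:
    """Interfaces whose pattern macro grants the rule's class/perms on its target to $1."""
    src, tgt, cls, perms = parse_allow(rule)
    hits = []
    for name, body in parse_interfaces(if_text).items():
        for macro, argtext in CALL_RE.findall(body):
            if macro not in PATTERNS:
                continue
            args = [a.strip() for a in argtext.split(",")]
            mcls, mperms = PATTERNS[macro]
            if args[0] == "$1" and tgt in args[1:] and mcls == cls and perms <= mperms:
                hits.append(f"{name}({src})")
    return hits


def to_refpolicy(module: str, rules: List[str], if_text: str) -> str:
    """Emit a .te fragment in the style of audit2allow -R: an interface call where one
    matches, the raw rule otherwise, with a require block for every type mentioned."""
    types = sorted({t for r in rules for t in parse_allow(r)[:2]})
    out = [f"policy_module({module}, 1.0.0)", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out.append("}")
    for rule in rules:
        out += suggest_interfaces(rule, if_text) or [rule]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_refpolicy("sshdfilter", [
        "allow syslogd_t var_run_t:fifo_file { read write };",
        "allow sshdfilter_t urandom_device_t:chr_file read;",
        "allow sshdfilter_t var_run_t:dir search;",  # nothing in SAMPLE_IF grants this
    ], SAMPLE_IF))
```

The require block lists every type the raw rules mention, as audit2allow -R does; when turning the output into a real module you drop the types the module itself declares (sshdfilter_t here) and keep only the foreign ones. A rule with no matching interface is the signal that either a more specific interface exists under a different macro than the ones in PATTERNS, or that the access really is new and needs its own interface in the .if file.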
[RFC PATCH] add constraint functionality to mcstrans
by Ted Toth
Implementation of constraints. Constraints allow for the specification of restrictions on sensitivity and category combinations. Two constraint operations are supported. The '!' operator (ex. s0!c1) accepts a sensitivity level or one or more categories on the lhs and one or more categories on the rhs. The '!' constraint fails if the bits defined in the rhs and lhs occur in a label. The '>' operator accepts only categories and it fails if the categories specified on the rhs do not occur in a label which has the categories specified on the lhs.
Allow for comments at the end of lines.
Adds performance timing debug output when built with -DDEBUG.
---
mcstrans.c | 318 +++++++++++++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 289 insertions(+), 29 deletions(-)
--- mcstrans-0.3.1/src/mcstrans.c 2010-07-13 17:56:49.908942263 -0500
+++ mcstrans-0.3.1/src/mcstrans.c.constraints 2010-07-13 19:44:34.348523418 -0500
@@ -35,7 +35,7 @@
#include "mls_level.h"
#include "mcstrans.h"
-#define N_BUCKETS 101
+#define N_BUCKETS 1453
#define OVECCOUNT (512*3)
#define max(a,b) ((a) >= (b) ? (a) : (b))
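Review bot: the N_BUCKETS change from 101 to 1453 is unrelated to constraints and is not mentioned in the description; either split it into its own patch with a rationale (both values are prime, so only the table size changes) or say here why the larger table is needed.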
@@ -105,10 +105,10 @@
return 0;
}
-int
+unsigned int
ebitmap_cardinality(ebitmap_t *e1) {
unsigned int i, count = 0;
- for (i=0; i <= ebitmap_length(e1); i++)
+ for (i=ebitmap_startbit(e1); i < ebitmap_length(e1); i++)
if (ebitmap_get_bit(e1, i))
count++;
return count;
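Review bot: the loop fix is a real off-by-one (the old `i <= ebitmap_length(e1)` read one bit past the end), but it is unrelated to constraints and silently changes the return type to unsigned int; if ebitmap_cardinality is declared in a header or used elsewhere, update that declaration too, and note that violates_constraints below stores the result in a signed `int nbits`.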
@@ -238,6 +238,27 @@
static domain_t *domains;
+typedef struct sens_constraint {
+ char op;
+ char *text;
+ unsigned int sens;
+ ebitmap_t cat;
+ struct sens_constraint *next;
+} sens_constraint_t;
+
+static sens_constraint_t *sens_constraints;
+
+typedef struct cat_constraint {
+ char op;
+ char *text;
+ int nbits;
+ ebitmap_t mask;
+ ebitmap_t cat;
+ struct cat_constraint *next;
+} cat_constraint_t;
+
+static cat_constraint_t *cat_constraints;
+
unsigned int
hash(const char *str) {
unsigned int hash = 5381;
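Review bot: the two structs need a comment spelling out their fields, in particular that cat_constraint.mask is the left-hand category set that triggers the check and cat_constraint.cat is the right-hand set the '!' and '>' operators test against; that is not obvious from the names, and nbits duplicates ebitmap_cardinality(&cat), so say it is a cache.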
@@ -399,12 +420,14 @@
void
destroy_domain(domain_t *domain) {
int i;
+ unsigned int rt = 0, tr = 0;
for (i=0; i < N_BUCKETS; i++) {
context_map_node_t *ptr;
for (ptr = domain->trans_to_raw[i]; ptr;) {
context_map_node_t *t = ptr->next;
free(ptr);
ptr = t;
+ tr++;
}
domain->trans_to_raw[i] = NULL;
}
@@ -417,6 +440,7 @@
free(ptr->map);
free(ptr);
ptr = t;
+ rt++;
}
domain->raw_to_trans[i] = NULL;
}
@@ -433,6 +457,8 @@
destroy_group(&domain->groups, domain->groups);
free(domain->name);
free(domain);
+
+ syslog(LOG_INFO, "cache sizes: tr = %u, rt = %u", tr, rt);
}
int
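Review bot: `syslog(LOG_INFO, "cache sizes: ...")` in destroy_domain fires on every teardown at LOG_INFO, which is noise in production logs; use log_debug like the rest of the timing output, and consider leaving the tr/rt counters out of a constraints patch altogether.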
@@ -458,6 +484,138 @@
return 0;
}
+int
+add_constraint(char op, char *raw, char *tok) {
+ log_debug("%s\n", "add_constraint");
+ ebitmap_t empty;
+ ebitmap_init(&empty);
+ if (!raw || !*raw) {
+ syslog(LOG_ERR, "unable to parse line");
+ return -1;
+ }
+ if (*raw == 's') {
+ sens_constraint_t *constraint = calloc(1,
sizeof(sens_constraint_t));
+ if (sscanf(raw,"s%u", &constraint->sens) != 1) {
+ syslog(LOG_ERR, "unable to parse level");
+ free(constraint);
+ return -1;
+ }
+ if (parse_ebitmap(&constraint->cat, &empty, tok) < 0) {
+ syslog(LOG_ERR, "unable to parse cat");
+ free(constraint);
+ return -1;
+ }
+ if (asprintf(&constraint->text, "%s%c%s", raw, op, tok) < 0) {
+ log_error("asprintf failed %s", strerror(errno));
+ exit(1);
+ }
+ constraint->op = op;
+ sens_constraint_t **p;
+ for (p= &sens_constraints; *p; p = &(*p)->next)
+ ;
+ *p = constraint;
+ return 0;
+ } else if (*raw == 'c' ) {
+ cat_constraint_t *constraint = calloc(1, sizeof(cat_constraint_t));
+ if (parse_ebitmap(&constraint->mask, &empty, raw) < 0) {
+ syslog(LOG_ERR, "unable to parse mask");
+ free(constraint);
+ return -1;
+ }
+ if (parse_ebitmap(&constraint->cat, &empty, tok) < 0) {
+ syslog(LOG_ERR, "unable to parse cat");
+ ebitmap_destroy(&constraint->mask);
+ free(constraint);
+ return -1;
+ }
+ if (asprintf(&constraint->text, "%s%c%s", raw, op, tok) < 0) {
+ log_error("asprintf failed %s", strerror(errno));
+ exit(1);
+ }
+ constraint->nbits = ebitmap_cardinality(&constraint->cat);
+ constraint->op = op;
+ cat_constraint_t **p;
+ for (p= &cat_constraints; *p; p = &(*p)->next)
+ ;
+ *p = constraint;
+ return 0;
+ } else {
+ return -1;
+ }
+
+ return 0;
+}
+
+int
+violates_constraints(mls_level_t *l) {
+ int nbits;
+ sens_constraint_t *s;
+ for (s=sens_constraints; s; s=s->next) {
+ if (s->sens == l->sens) {
+ ebitmap_t common;
+ ebitmap_and(&common, &s->cat, &l->cat);
+ nbits = ebitmap_cardinality(&common);
+ ebitmap_destroy(&common);
+ if (nbits) {
+ char *text = mls_level_to_string(l);
+ syslog(LOG_WARNING, "%s violates %s", text, s->text);
+ free(text);
+ return 1;
+ }
+ }
+ }
+ cat_constraint_t *c;
+ for (c=cat_constraints; c; c=c->next) {
+ ebitmap_t common;
+ ebitmap_and(&common, &c->mask, &l->cat);
+ nbits = ebitmap_cardinality(&common);
+ ebitmap_destroy(&common);
+ if (nbits > 0) {
+ ebitmap_t common;
+ ebitmap_and(&common, &c->cat, &l->cat);
+ nbits = ebitmap_cardinality(&common);
+ ebitmap_destroy(&common);
+ if ((c->op == '!' && nbits) ||
+ (c->op == '>' && nbits != c->nbits)) {
+ char *text = mls_level_to_string(l);
+ syslog(LOG_WARNING, "%s violates %s (%d,%d)", text,
c->text, nbits, c->nbits);
+ free(text);
+ return 1;
+ }
+ }
+ }
+ return 0;
+}
+
+void
+destroy_sens_constraint(sens_constraint_t **list, sens_constraint_t
*constraint) {
+ for (; list && *list; list = &(*list)->next) {
+ if (*list == constraint) {
+ *list = constraint->next;
+ break;
+ }
+ }
+ ebitmap_destroy(&constraint->cat);
+ free(constraint->text);
+ memset(constraint, 0, sizeof(sens_constraint_t));
+ free(constraint);
+}
+
+void
+destroy_cat_constraint(cat_constraint_t **list, cat_constraint_t
*constraint) {
+ for (; list && *list; list = &(*list)->next) {
+ if (*list == constraint) {
+ *list = constraint->next;
+ break;
+ }
+ }
+ ebitmap_destroy(&constraint->mask);
+ ebitmap_destroy(&constraint->cat);
+ free(constraint->text);
+ memset(constraint, 0, sizeof(cat_constraint_t));
+ free(constraint);
+}
+
mls_level_t *
parse_raw (const char *raw) {
unsigned low, high;
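Review bot: both calloc() calls in add_constraint are unchecked, so an allocation failure dereferences NULL at `constraint->sens` / `constraint->mask`; check the result and return -1 with a syslog like the parse failures do. Also the sensitivity branch accepts op '>' (a line such as `s0>c1`) and stores it, but violates_constraints never looks at s->op and applies '!' semantics to every sens_constraint, contradicting the description that '>' accepts only categories; reject op != '!' there. Minor: the `return 0;` after the else is unreachable.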
@@ -591,28 +749,52 @@
static word_group_t *group;
static int base_classification;
static int lineno = 0;
- char *raw;
- char *ptr, *tok;
+ char op='\0';
lineno++;
- trim(buffer, "\r\n"); /* zap trailing CR, LF */
- buffer = triml(buffer, "\t "); /* zap leading whitespace */
- log_debug("%d: %s\n", lineno, buffer);
- if(*buffer == '#') return 0;
- if(*buffer == 0) return 0;
+ log_debug("%d: %s", lineno, buffer);
- raw = strtok_r(buffer, "=", &ptr);
- if (!raw || !*raw) {
+ /* zap leading whitespace */
+ buffer = triml(buffer, "\t ");
+
+ /* Ignore comments */
+ if (*buffer == '#') return 0;
+ char *comment = strpbrk (buffer, "#");
+ if (comment) {
+ *comment = '\0';
+ }
+
+ /* zap trailing whitespace */
+ buffer = trim(buffer, "\t \r\n");
+
+ if (*buffer == 0) return 0;
+
+ char *delim = strpbrk (buffer, "=!>");
+ if (! delim) {
+ syslog(LOG_ERR, "invalid line (no !, = or >) %d", lineno);
+ return -1;
+ }
+
+ op = *delim;
+ *delim = '\0';
+ char *raw = buffer;
+ char *tok = delim+1;
+
+ if (! *raw) {
syslog(LOG_ERR, "invalid line %d", lineno);
return -1;
}
- tok = strtok_r(NULL, "\0", &ptr);
- if (!tok) {
+ if (! *tok) {
syslog(LOG_ERR, "invalid line %d", lineno);
return -1;
}
+ /* constraints have different syntax */
+ if (op == '!' || op == '>') {
+ return add_constraint(op, raw, tok);
+ }
+
if (!strcmp(raw, "Domain") || !strcmp(raw, "Table")) {
tok = triml(tok, "\t ");
trim(tok, "\t ");
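Review bot: `strpbrk(buffer, "#")` now truncates at the first '#' anywhere on the line, so any existing setrans.conf whose translated text contains a '#' changes meaning without warning; require the '#' to be preceded by whitespace (or the start of line) to get end-of-line comments without that regression, and say so in the description. Also confirm trim() returns the buffer pointer: the old `trim(buffer, "\r\n");` and the `trim(tok, "\t ");` just below discard its return value, while the new `buffer = trim(buffer, "\t \r\n");` relies on it.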
@@ -776,7 +958,12 @@
}
static int
-size_alpha(const void *p1, const void *p2) {
+string_size(const void *p1, const void *p2) {
+ return strlen(*(char **)p2) - strlen(*(char **)p1);
+}
+
+static int
+word_size(const void *p1, const void *p2) {
word_t *w1 = *(word_t **)p1;
word_t *w2 = *(word_t **)p2;
int w1_len=strlen(w1->text);
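Review bot: string_size computes `strlen(*(char **)p2) - strlen(*(char **)p1)` in size_t and converts the result to int, relying on implementation-defined wraparound for the negative case; compare the two lengths explicitly and return -1/0/1, and add a one-line comment that the sort is longest-first so pcre's leftmost alternative cannot pick a prefix such as "Top" over "Top Secret".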
@@ -803,16 +990,32 @@
build_regexps(domain_t *domain) {
char buffer[1024 * 128];
buffer[0] = '\0';
- base_classification_t *i;
+ base_classification_t *bc;
word_group_t *g;
affix_t *a;
word_t *w;
+ size_t n_el, i;
/* whitespace collapse ??? XXX */
- for (i = domain->base_classifications; i; i = i->next) {
- strcat(buffer, i->trans);
- if (i->next) strcat(buffer,"|");
+ for (n_el = 0, bc = domain->base_classifications; bc; bc = bc->next) {
+ n_el++;
+ }
+
+ char **sortable = calloc(n_el, sizeof(char *));
+
+ for (i=0, bc = domain->base_classifications; bc; bc = bc->next) {
+ sortable[i++] = bc->trans;
+ }
+
+ qsort(sortable, n_el, sizeof(char *), string_size);
+
+ for (i = 0; i < n_el; i++) {
+ strcat(buffer, sortable[i]);
+ if (i < n_el) strcat(buffer,"|");
}
+
+ free(sortable);
+
log_debug(">>> %s classification regexp=%s\n", domain->name, buffer);
build_regexp(&domain->base_classification_regexp, buffer);
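Review bot: `if (i < n_el) strcat(buffer,"|");` is always true inside `for (i = 0; i < n_el; i++)`, so the base classification regexp now ends in a trailing '|', an empty alternative that matches anything at the anchor; the old code used `if (i->next)`, the new code needs `if (i + 1 < n_el)`. The calloc for sortable is also unchecked.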
@@ -832,19 +1035,25 @@
if (g->prefixes)
strcat(buffer, "^");
strcat(buffer, "(?:");
+
g->sword_len=0;
- for (w = g->words; w; w = w->next) {
- strcat(buffer,"\\b");
- strcat(buffer, w->text);
- strcat(buffer,"\\b");
- if (w->next) strcat(buffer,"|");
+ for (w = g->words; w; w = w->next)
g->sword_len++;
- }
+
g->sword = calloc(g->sword_len, sizeof(word_t *));
+
int i=0;
for (w = g->words; w; w = w->next)
g->sword[i++]=w;
- qsort(g->sword, g->sword_len, sizeof(word_t *), size_alpha);
+
+ qsort(g->sword, g->sword_len, sizeof(word_t *), word_size);
+
+ for (i=0; i < g->sword_len; i++) {
+ if (i) strcat(buffer,"|");
+ strcat(buffer,"\\b");
+ strcat(buffer, g->sword[i]->text);
+ strcat(buffer,"\\b");
+ }
strcat(buffer,"|");
emit_whitespace(buffer, g->whitespace);
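Review bot: `int i=0;` here shadows the `size_t i` now declared at function scope in build_regexps, which compilers warn about and which makes the two loops easy to confuse; reuse the outer index or rename this one. A short comment that the words are sorted longest-first for the same leftmost-alternative reason as the base classifications would help the next reader.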
@@ -874,8 +1083,11 @@
/* TODO - if bit is set & cleared in one pass - error */
char *
compute_raw_from_trans(const char *level, domain_t *domain) {
+
+#ifdef DEBUG
struct timeval startTime;
gettimeofday(&startTime, 0);
+#endif
int ovector[OVECCOUNT];
word_group_t *g;
@@ -888,13 +1100,16 @@
build_regexps(domain);
if (!domain->base_classification_regexp)
return NULL;
+ log_debug(" compute_raw_from_trans work = %s\n", work);
int rc = pcre_exec(domain->base_classification_regexp, 0, work, strlen
(work), 0, PCRE_ANCHORED, ovector, OVECCOUNT);
if (rc > 0) {
const char *match = NULL;
pcre_get_substring(work, ovector, rc, 0, &match);
+ log_debug(" compute_raw_from_trans match = %s len = %ld\n", match,
strlen(match));
base_classification_t *bc;
for (bc = domain->base_classifications; bc; bc = bc->next) {
if (!strcmp(bc->trans, match)) {
+ log_debug(" compute_raw_from_trans base classification %s
matched %s\n", level, bc->trans);
mraw = malloc(sizeof(mls_level_t));
mls_level_cpy(mraw, bc->level);
break;
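Review bot: the new log_debug prints strlen(match) with %ld; strlen returns size_t, so use %zu to avoid a format warning on 32-bit builds.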
@@ -906,6 +1121,8 @@
while (*p && (strchr(" ", *p) != NULL))
*p++ = '#';
pcre_free((char *)match);
+ } else {
+ log_debug(" compute_raw_from_trans no base classification matched
%s\n", level);
}
if (mraw == NULL) {
@@ -945,8 +1162,7 @@
g->word_regexp) {
char *s = work + prefix_offset + prefix_len;
int l = (suffix_len ? suffix_offset : work_len) -
prefix_len - prefix_offset;
- int rc = pcre_exec(g->word_regexp, 0, s, l, 0,
- 0, ovector, OVECCOUNT);
+ int rc = pcre_exec(g->word_regexp, 0, s, l, 0, 0, ovector,
OVECCOUNT);
if (rc > 0) {
const char *match;
pcre_get_substring(s, ovector, rc, 0, &match);
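Review bot: this hunk only re-wraps the pcre_exec call; drop it to keep the patch reviewable.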
@@ -994,6 +1210,7 @@
pcre_free((void *)match);
}
}
+/* YYY */
complete=1;
char *p = work;
while(*p) {
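Review bot: `/* YYY */` looks like a leftover development marker (there is a second one in compute_trans_from_raw); remove both.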
@@ -1005,10 +1222,15 @@
}
}
free(work);
+ if (violates_constraints(mraw)) {
+ complete = 0;
+ }
if (complete)
r = mls_level_to_string(mraw);
mls_level_destroy(mraw);
free(mraw);
+
+#ifdef DEBUG
struct timeval stopTime;
gettimeofday(&stopTime, 0);
long int ms;
@@ -1016,6 +1238,8 @@
ms = (stopTime.tv_sec - startTime.tv_sec - 1) * 1000 +
(stopTime.tv_usec/1000 + 1000 - startTime.tv_usec/1000);
else
ms = (stopTime.tv_sec - startTime.tv_sec ) * 1000 +
(stopTime.tv_usec/1000 - startTime.tv_usec/1000);
+ log_debug(" compute_raw_from_trans in %ld ms'\n", ms);
+#endif
return r;
}
@@ -1023,8 +1247,11 @@
/* XXX SLOW */
char *
compute_trans_from_raw(const char *level, domain_t *domain) {
+
+#ifdef DEBUG
struct timeval startTime;
gettimeofday(&startTime, 0);
+#endif
char *rval = NULL;
if (!level)
@@ -1034,6 +1261,15 @@
return NULL;
log_debug(" compute_trans_from_raw raw = %s\n", level);
+/* YYY */
+ /* check constraints */
+ if (violates_constraints(l)) {
+ syslog(LOG_ERR, "%s violates constraints", level);
+ mls_level_destroy(l);
+ free(l);
+ return NULL;
+ }
+
/* HACK XXX - should be function, should derive from config*/
int doInverse = l->sens > 0;
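Review bot: a violation here is logged twice, once at LOG_WARNING inside violates_constraints ("%s violates %s") and again at LOG_ERR in this hunk; keep one, and pick the level deliberately since a constraint failure on the raw side means a label the policy allowed cannot be displayed. The `/* YYY */` marker should go as well.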
@@ -1180,6 +1416,7 @@
free(l);
}
+#ifdef DEBUG
struct timeval stopTime;
gettimeofday(&stopTime, 0);
long int ms;
@@ -1188,6 +1425,9 @@
else
ms = (stopTime.tv_sec - startTime.tv_sec ) * 1000 +
(stopTime.tv_usec/1000 - startTime.tv_usec/1000);
+ log_debug(" compute_trans_from_raw in %ld ms'\n", ms);
+#endif
+
return rval;
}
@@ -1196,8 +1436,10 @@
char *trans = NULL;
*rcon = NULL;
+#ifdef DEBUG
struct timeval startTime;
gettimeofday(&startTime, 0);
+#endif
log_debug(" trans_context input = %s\n", incon);
char *range = extract_range(incon);
@@ -1279,6 +1521,7 @@
}
free(range);
+#ifdef DEBUG
struct timeval stopTime;
gettimeofday(&stopTime, 0);
long int ms;
@@ -1288,6 +1531,7 @@
ms = (stopTime.tv_sec - startTime.tv_sec ) * 1000 +
(stopTime.tv_usec/1000 - startTime.tv_usec/1000);
log_debug(" trans_context input='%s' output='%s in %ld ms'\n", incon,
*rcon, ms);
+#endif
return 0;
}
@@ -1296,8 +1540,10 @@
char *raw = NULL;
*rcon = NULL;
+#ifdef DEBUG
struct timeval startTime;
gettimeofday(&startTime, 0);
+#endif
log_debug(" untrans_context incon = %s\n", incon);
char *range = extract_range(incon);
@@ -1323,12 +1569,14 @@
char *canonical = find_in_hashtable(raw, domain,
domain->raw_to_trans);
if (!canonical) {
canonical = compute_trans_from_raw(raw, domain);
- if (canonical)
+ if (canonical && strcmp(canonical, range))
add_cache(domain, raw, canonical);
}
if (canonical)
free(canonical);
add_cache(domain, raw, range);
+ } else {
+ log_debug("untrans_context unable to compute raw context
%s\n", range);
}
}
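Review bot: the new `canonical && strcmp(canonical, range)` condition is a behaviour change not mentioned in the description (the canonical translation is no longer cached when it equals the input, since the `add_cache(domain, raw, range)` below covers that case); say so in the description, and note that the added else branch logs only at debug level, so an untranslatable context stays silent in production.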
@@ -1406,6 +1654,7 @@
}
free(range);
+#ifdef DEBUG
struct timeval stopTime;
gettimeofday(&stopTime, 0);
long int ms;
@@ -1415,6 +1664,7 @@
ms = (stopTime.tv_sec - startTime.tv_sec ) * 1000 +
(stopTime.tv_usec/1000 - startTime.tv_usec/1000);
log_debug(" untrans_context input='%s' output='%s' n %ld ms\n", incon,
*rcon, ms);
+#endif
return 0;
}
@@ -1425,5 +1675,15 @@
destroy_domain(domains);
domains = next;
}
+ while(sens_constraints) {
+ sens_constraint_t *next = sens_constraints->next;
+ destroy_sens_constraint(&sens_constraints, sens_constraints);
+ sens_constraints = next;
+ }
+ while(cat_constraints) {
+ cat_constraint_t *next = cat_constraints->next;
+ destroy_cat_constraint(&cat_constraints, cat_constraints);
+ cat_constraints = next;
+ }
}
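Review bot: destroy_sens_constraint already unlinks the head (`*list = constraint->next;`), so the `sens_constraints = next;` that follows it is redundant, and the same holds for cat_constraints; either drop the list walk from the destroy functions (they are only ever called on the head) or drop the reassignment.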
12 years, 8 months
Re: Selinux and tomcat
by Harley Race
Never mind. I figured out what the problem was. After I noticed that httpd was also suffering from the same problem (it would start and run under root as opposed to system_u), I figured it was not my startup script for tomcat. After some investigation, I discovered that the rpm packages acl and attr were not installed with the minimal install from anaconda (I did a minimal install on both Fedora and CentOS). I had performed a minimal install by unchecking all packages (yes even the base one) at the package install screen during OS installation. Supposedly the install performed by anaconda is exactly like the net install image. Unfortunately, when you do the minimal install, it does not install the rpms acl and attr. Once I installed both of these rpm packages and rebooted, everything went back to normal. Thanks for those of you that responded to my cry for help.
12 years, 8 months
Two diferent Java programs on same machine
by giovanni testing
Hi everyone,
I have to run two different Java programs with different permissions (they access different files and listen on different ports).
Is there some way to specify different rules even though they share the same executable (Java)?
I'm thinking of one possibility, but I think that it is not possible:
-If you come from unconfined_t and run MyPolice_exec_t (java), the transition goes to MyPoliceA_t
-If you come from user_t and run MyPolice_exec_t (java), the transition goes to MyPoliceB_t
Thank you in advance.
Best regards.
12 years, 8 months
Selinux and tomcat
by Harley Race
Ladies and Gentlemen,
I am contacting this list because I have questions about how selinux has been implemented in Fedora/RHEL/CentOS. I am trying to write a startup script for Tomcat 5.5. I created a tomcat user and group. Made sure that file permissions were set correctly. Tomcat will start, but when you do a
ps -efZ
instead of tomcat running in system_u, it is running in root. If I check pid and lock file, though permissions are set correctly, a "ls -laZ" reveals that tomcat writes the pid and lock files with root user context instead of system_u. Same thing with log files, they are written with root:object_r:var_log_t instead of system_u:object_r:var_log_t. Any ideas in what could be going wrong? Selinux is running with targeted policy.
I tried using both runuser and daemon(), with still the same results.
Startup script is attached.
12 years, 8 months
[PATCH] mcstrans: bug fix for mixed raw and translated level
by Ted Toth
Fix for bug reported to selinux list (http://www.nsa.gov/research/selinux/list-archive/1001/31388.shtml).
Fixes the handling of cases where the sensitivity level of the context contains a mix of raw and translated levels (ex. s0-SystemHigh or SystemLow-s15:c0.c1023).
---
mcstrans.c | 87 +++++++++++++++++++++++++++++++++++++++++++------------------
1 file changed, 54 insertions(+), 33 deletions(-)
--- mcstrans-0.3.1/src/mcstrans.c 2009-02-16 13:01:15.000000000 -0600
+++ mcstrans-0.3.1/src/mcstrans.c.mixed-range 2010-07-12 16:54:08.921270080 -0500
@@ -1228,6 +1228,13 @@ trans_context(const security_context_t i
ltrans = compute_trans_from_raw(lrange, domain);
if (ltrans)
add_cache(domain, lrange, ltrans);
+ else {
+ ltrans = strdup(lrange);
+ if (! ltrans) {
+ log_error("strdup failed %s", strerror(errno));
+ exit(1);
+ }
+ }
}
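Review bot: with the strdup(lrange) fallback ltrans is never NULL, so the `break` a few lines further down now always leaves the enclosing loop after the first domain that is tried; if this sits inside the per-domain loop, a domain that cannot translate a half no longer lets a later Domain block be consulted. Worth confirming against a multi-domain setrans.conf, and the description should state that an untranslatable half is now passed through unchanged instead of failing the whole translation.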
utrans = find_in_hashtable(urange, domain,
domain->raw_to_trans);
@@ -1235,24 +1242,30 @@ trans_context(const security_context_t i
utrans = compute_trans_from_raw(urange, domain);
if (utrans)
add_cache(domain, urange, utrans);
+ else {
+ utrans = strdup(urange);
+ if (! utrans) {
+ log_error("strdup failed %s", strerror(errno));
+ exit(1);
+ }
+ }
}
- if (ltrans && utrans) {
- if (strcmp(ltrans, utrans) == 0) {
- if (asprintf(&trans, "%s", ltrans) < 0) {
- log_error("asprintf failed %s", strerror(errno));
- exit(1);
- }
- } else {
- if (asprintf(&trans, "%s-%s", ltrans, utrans) < 0) {
- log_error("asprintf failed %s", strerror(errno));
- exit(1);
- }
+ if (strcmp(ltrans, utrans) == 0) {
+ if (asprintf(&trans, "%s", ltrans) < 0) {
+ log_error("asprintf failed %s", strerror(errno));
+ exit(1);
+ }
+ } else {
+ if (asprintf(&trans, "%s-%s", ltrans, utrans) < 0) {
+ log_error("asprintf failed %s", strerror(errno));
+ exit(1);
}
- free(ltrans);
- free(utrans);
- break;
}
+ free(ltrans);
+ free(utrans);
+ *dashp = '-';
+ break;
}
if (dashp)
*dashp = '-';
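Review bot: the `*dashp = '-';` added before `break` and the existing `if (dashp) *dashp = '-';` after the block restore the same byte; one of them suffices, and the unconditional one is only safe if this block really is guarded by a dashp check, which the hunk context does not show.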
@@ -1333,6 +1346,12 @@ untrans_context(const security_context_t
if (canonical)
free(canonical);
add_cache(domain, lraw, lrange);
+ } else {
+ lraw = strdup(lrange);
+ if (! lraw) {
+ log_error("strdup failed %s", strerror(errno));
+ exit(1);
+ }
}
}
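Review bot: on the untrans side the fallback passes user-supplied text through as the raw level whenever it is neither cached nor translatable; that is acceptable only because the kernel validates the MLS range on use, so log at LOG_WARNING rather than staying silent when it happens, and add the two mixed cases from the description (s0-SystemHigh and SystemLow-s15:c0.c1023) to whatever test input exercises untrans_context.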
@@ -1349,32 +1368,34 @@ untrans_context(const security_context_t
if (canonical)
free(canonical);
add_cache(domain, uraw, urange);
+ } else {
+ uraw = strdup(urange);
+ if (! uraw) {
+ log_error("strdup failed %s", strerror(errno));
+ exit(1);
+ }
}
}
- if (lraw && uraw) {
- if (strcmp(lraw, uraw) == 0) {
- if (asprintf(&raw, "%s", lraw) < 0) {
- log_error("asprintf failed %s", strerror(errno));
- exit(1);
- }
- } else {
- if (asprintf(&raw, "%s-%s", lraw, uraw) < 0) {
- log_error("asprintf failed %s", strerror(errno));
- exit(1);
- }
+ if (strcmp(lraw, uraw) == 0) {
+ if (asprintf(&raw, "%s", lraw) < 0) {
+ log_error("asprintf failed %s", strerror(errno));
+ exit(1);
+ }
+ } else {
+ if (asprintf(&raw, "%s-%s", lraw, uraw) < 0) {
+ log_error("asprintf failed %s", strerror(errno));
+ exit(1);
}
- free(lraw);
- free(uraw);
- break;
- }
- if (lraw)
- free(lraw);
- if (uraw)
- free(uraw);
+ }
+ free(lraw);
+ free(uraw);
*dashp = '-';
+ break;
}
+ if (dashp)
+ *dashp = '-';
}
if (raw) {
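Review bot: the `if (dashp) *dashp = '-';` added after the block restores the dash on the path that previously left `range` mutated, which is correct; the existing unconditional `*dashp = '-';` three lines above it now does the same job, so keep one. Same as on the trans side, the `break` now always fires after the first domain once both halves have a value.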
12 years, 8 months