selinux August 2010

selinux@lists.fedoraproject.org

23 participants
35 discussions

Re: avc { module_request, relabelfrom }: openvpn->tun

by Mr Dash Four

>> That did the trick! >> >> It was good that you've included this as a separate module so that I >> could test it, otherwise I had to patch and recompile the whole >> policy, then rebuild the image in order to test it and see whether >> it works. >> >> I take it to make this a 'permanent' solution I have to patch and >> include 'kernel_request_load_module(openvpn_t)' in openvpn.te >> (forming part of the -44 policy), is that right? >> > > Yes but Fedora should fix this. It is already fixed in f14 (v3.8.8-14). they just need to back port this to f13/f12 > Agreed. I am waiting to see if this patch is going to work in the event of connection reset/time out (in situations when the connection needs to be re-established - with/without closing the tun device and possibly re-establishing the ip address, routing and all other parameters) - in that case the tun kernel module should already be loaded so if anything goes wrong I am expecting 'relablefrom' avc to pop up. If not, then all is well and I am applying this patch permanently.

13 years, 8 months

1
0
0 / 0

Re: avc { module_request, relabelfrom }: openvpn->tun

by Mr Dash Four

> koji.fedoraproject.org/koji but i guess its for f14, so instead: > > >>> kernel_request_load_module(openvpn_t) >>> > create module that allows openvpn_t to request the kernel to load a module: > > mkdir ~/myopenvpn; cd ~/myopenvpn; > echo "policy_module(myopenvpn, 1.0.0)" > myopenvpn.te; > echo "gen_require(\`" >> myopenvpn.te; > echo "type openvpn_t;" >> myopenvpn.te; > echo "')" >> myopenvpn.te; > echo "kernel_request_load_module(openvpn_t)" >> myopenvpn.te; > make -f /usr/share/selinux/devel/Makefile myopenvpn.pp > sudo semodule -i myopenvpn.pp > That did the trick! It was good that you've included this as a separate module so that I could test it, otherwise I had to patch and recompile the whole policy, then rebuild the image in order to test it and see whether it works. I take it to make this a 'permanent' solution I have to patch and include 'kernel_request_load_module(openvpn_t)' in openvpn.te (forming part of the -44 policy), is that right? > You can not define this rule for just a single particular module. > That's a pity, but I could live with that - auditd gives me a detailed info when a module is loaded, so I can trace this anyway, so no big loss. > See if you can reproduce it. unconfined_t (you) transition to the rc > script domain when you run an rc script, the rc script domain in turn > runs the openvpn executables. > > So with that in mind why would openvpn need to relabel unconfined_t > tun_sockets? > I take it this gets called only if loading of the tun/tap module fails. May be in a similar way as to when dac_* gets called - only in case the 'normal' permissions are too restrictive.

13 years, 8 months

1
0
0 / 0

dac_override and dac_read_search ... again!

by Mr Dash Four

Having upgraded selinux-policy(-targeted) from 3.7.19-37 to 3.7.19-39 I started getting heaps of the two avc types from variety of programs/processes. Logs follow below. I have not done anything unusual apart from upgrading and patching 3 policy module files (though I am getting exactly the same avcs if using the pre-built policies packages!). The OS image is built in exactly the same way (with kickstart file and using livecd tools) as it was with the 3.7.19-37 version (and it worked there without any problems). I first though that it might be labelling problem, but as is evident from the file label listings below that appear not to be the case. When I try and boot from that image, the first sign of trouble comes when the auditd service does not start, hence why I do not have audit.log listing to include. The only way I could activate auditd is to force selinux into permissive mode (echo 0 > /selinux/enforce) and then execute "service auditd start". What could be the cause for this? I can't see the file permissions to be too restrictive either (which was the root cause of my previous dac_* problems). Any ideas as to how to solve this sorry mess are welcome! ====================/var/log/messages Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664734.151:4): avc: denied { dac_override } for pid=378 comm="hostname" capability=1 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664734.152:5): avc: denied { dac_read_search } for pid=378 comm="hostname" capability=2 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664738.378:8): avc: denied { dac_override } for pid=386 comm="dmesg" capability=1 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664738.378:9): avc: denied { dac_read_search } for pid=386 comm="dmesg" capability=2 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661191.023:12): avc: denied { dac_override } for pid=689 comm="ip" capability=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661191.027:13): avc: denied { dac_read_search } for pid=689 comm="ip" capability=2 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661193.668:16): avc: denied { dac_override } for pid=714 comm="ifconfig" capability=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661193.671:17): avc: denied { dac_read_search } for pid=714 comm="ifconfig" capability=2 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661197.508:20): avc: denied { dac_override } for pid=729 comm="hostname" capability=1 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661197.510:21): avc: denied { dac_read_search } for pid=729 comm="hostname" capability=2 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661229.399:54): avc: denied { dac_override } for pid=922 comm="arping" capability=1 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:netutils_t:s0 tclass=capability Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661229.399:55): avc: denied { dac_read_search } for pid=922 comm="arping" capability=2 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:netutils_t:s0 tclass=capability Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661235.258:116): avc: denied { dac_override } for pid=973 comm="auditd" capability=1 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661235.260:117): avc: denied { dac_read_search } for pid=973 comm="auditd" capability=2 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability Aug 1 12:14:49 test1 kernel: type=1400 audit(1280661289.020:124): avc: denied { dac_override } for pid=1300 comm="ip" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability Aug 1 12:14:49 test1 kernel: type=1400 audit(1280661289.025:125): avc: denied { dac_read_search } for pid=1300 comm="ip" capability=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability Aug 1 12:15:40 test1 kernel: type=1400 audit(1280661340.105:130): avc: denied { dac_override } for pid=1350 comm="ip" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability Aug 1 12:15:40 test1 kernel: type=1400 audit(1280661340.108:131): avc: denied { dac_read_search } for pid=1350 comm="ip" capability=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability Aug 1 12:15:41 test1 kernel: type=1400 audit(1280661341.058:138): avc: denied { dac_override } for pid=1364 comm="ip" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability Aug 1 12:15:41 test1 kernel: type=1400 audit(1280661341.058:139): avc: denied { dac_read_search } for pid=1364 comm="ip" capability=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability Aug 1 12:15:45 test1 kernel: type=1400 audit(1280661345.145:350): avc: denied { dac_override } for pid=1418 comm="tc" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability Aug 1 12:15:45 test1 kernel: type=1400 audit(1280661345.146:351): avc: denied { dac_read_search } for pid=1418 comm="tc" capability=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability Aug 1 12:16:09 test1 kernel: type=1400 audit(1280661369.758:1176): avc: denied { dac_override } for pid=1615 comm="smartd" capability=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability Aug 1 12:16:09 test1 kernel: type=1400 audit(1280661369.759:1177): avc: denied { dac_read_search } for pid=1615 comm="smartd" capability=2 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability ==================== ====================service start auditd Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.362:1226): avc: denied { dac_override } for pid=1583 comm="auditd" capability=1 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.364:1227): avc: denied { dac_read_search } for pid=1583 comm="auditd" capability=2 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.370:1228): avc: denied { dac_override } for pid=1583 comm="auditd" capability=1 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.371:1229): avc: denied { dac_read_search } for pid=1583 comm="auditd" capability=2 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.436:1230): avc: denied { dac_override } for pid=1583 comm="auditd" capability=1 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.436:1231): avc: denied { dac_read_search } for pid=1583 comm="auditd" capability=2 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.443:1232): avc: denied { dac_override } for pid=1583 comm="auditd" capability=1 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.443:1233): avc: denied { dac_read_search } for pid=1583 comm="auditd" capability=2 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability Aug 1 13:14:05 test1 auditd: Error opening config file (Permission denied) Aug 1 13:14:05 test1 auditd: The audit daemon is exiting. ==================== ====================echo 0 > /selinux/enforce && service auditd start && service smartd start type=AVC msg=audit(1280608935.230:327): avc: denied { dac_override } for pid=1368 comm="smartd" capability=1 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability type=AVC msg=audit(1280608935.230:327): avc: denied { dac_read_search } for pid=1368 comm="smartd" capability=2 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability type=SYSCALL msg=audit(1280608935.230:327): arch=40000003 syscall=33 success=no exit=-13 a0=21a814 a1=4 a2=21ffc4 a3=2208f8 items=0 ppid=1367 pid=1368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null) type=AVC msg=audit(1280608935.245:328): avc: denied { dac_override } for pid=1368 comm="smartd" capability=1 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability type=AVC msg=audit(1280608935.245:328): avc: denied { dac_read_search } for pid=1368 comm="smartd" capability=2 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability type=SYSCALL msg=audit(1280608935.245:328): arch=40000003 syscall=5 success=no exit=-13 a0=21a9fe a1=0 a2=0 a3=220880 items=0 ppid=1367 pid=1368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null) ==================== ====================ls -lasZ /etc | grep audit drwxr-x---. root root system_u:object_r:auditd_etc_t:s0 audit -rw-r-----. root root system_u:object_r:etc_t:s0 libaudit.conf ==================== ====================ls -lasZ /etc/audit drwxr-x---. root root system_u:object_r:auditd_etc_t:s0 . drw-r--r--. root root system_u:object_r:etc_t:s0 .. -rw-r-----. root root system_u:object_r:auditd_etc_t:s0 auditd.conf -rw-r-----. root root system_u:object_r:auditd_etc_t:s0 audit.rules ==================== ====================ls -lasZ /etc/init.d/auditd -rwxr-xr-x. root root system_u:object_r:auditd_initrc_exec_t:s0 /etc/init.d/auditd ==================== ====================ls -lasZ /sbin/auditd -rwxr-x---. root root system_u:object_r:auditd_exec_t:s0 /sbin/auditd ==================== ====================ls -lasZ /var/log | grep audit drwxr-xr-x. root root system_u:object_r:auditd_log_t:s0 audit ==================== ====================ls -lasZ /var/log/audit drwxr-xr-x. root root system_u:object_r:auditd_log_t:s0 . drwxr-xr-x. root root system_u:object_r:var_log_t:s0 .. -rw-------. root root system_u:object_r:auditd_log_t:s0 audit.log ====================

13 years, 8 months

2
6
0 / 0

A sendmail problem

by mark

The last few days - I think there was a policy update to FC13 - I started seeing /etc/cron.daily/0logwatch: > > Can't exec "sendmail": Permission denied at /usr/sbin/logwatch line > 1032, <TESTFILE> line 2. > Can't execute sendmail -t: Permission denied Mentioned this to my manager, and he didn't see anything in messages, but saw this audit message: type=SELINUX_ERR msg=audit(1281423963.394:71003): security_compute_sid: invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process Why would a policy prevent logwatch from using sendmail to forward a log? mark

13 years, 8 months

3
3
0 / 0

SELINUX_ERR about sendmail (postfix version) on F-13

by Laurent Rineau

For a few days (maybe two weeks), my cron deamon keeps sending me error emails, once a day: > /etc/cron.daily/0logwatch: > > Can't exec "/usr/sbin/sendmail": Permission denied at /usr/sbin/logwatch line 1032, <TESTFILE> line 2. > Can't execute /usr/sbin/sendmail -t: Permission denied I have suspected SELinux, but the setroubleshot stuff did not say anything. And I eventually found that: lrineau@matisse ~ $ sudo ausearch -ts yesterday -m SELINUX_ERR ---- time->Tue Aug 3 03:16:04 2010 type=SYSCALL msg=audit(1280798164.966:454): arch=c000003e syscall=59 success=no exit=-13 a0=1dfe430 a1=1dfe3c0 a2=1e01240 a3=8 items=0 ppid=17968 pid=18278 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=31 comm="logwatch" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1280798164.966:454): security_compute_sid: invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process ---- time->Wed Aug 4 03:19:04 2010 type=SYSCALL msg=audit(1280884744.246:135): arch=c000003e syscall=59 success=no exit=-13 a0=187b190 a1=187b120 a2=187ac30 a3=7ffff2dc3ec0 items=0 ppid=14696 pid=15085 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="logwatch" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1280884744.246:135): security_compute_sid: invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process I did not know about SELINUX_ERR before that error. Maybe setroubleshotd should be aware of it, so that one can report bugs about SELINUX_ERR easily with the applet. My configuration is this one: lrineau@matisse ~ $ rpm -qa postfix selinux\* selinux-policy-3.7.19-39.fc13.noarch selinux-policy-targeted-3.7.19-39.fc13.noarch postfix-2.7.0-1.fc13.x86_64 logwatch and postfix are configured with the default configurations, tweak only the simpliest way. -- Laurent Rineau http://fedoraproject.org/wiki/LaurentRineau

13 years, 8 months

4
4
0 / 0

← Newer
1
2
3
4
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux August 2010