Re: avc { module_request, relabelfrom }: openvpn->tun
by Mr Dash Four
>> That did the trick!
>>
>> It was good that you've included this as a separate module so that I
>> could test it, otherwise I had to patch and recompile the whole
>> policy, then rebuild the image in order to test it and see whether
>> it works.
>>
>> I take it to make this a 'permanent' solution I have to patch and
>> include 'kernel_request_load_module(openvpn_t)' in openvpn.te
>> (forming part of the -44 policy), is that right?
>>
>
> Yes, but Fedora should fix this. It is already fixed in f14 (v3.8.8-14). They just need to backport this to f13/f12.
>
Agreed. I am waiting to see if this patch is going to work in the event
of a connection reset/timeout (in situations when the connection needs to
be re-established - with/without closing the tun device and possibly
re-establishing the IP address, routing and all other parameters) - in
that case the tun kernel module should already be loaded, so if anything
goes wrong I am expecting a 'relabelfrom' avc to pop up. If not, then all
is well and I am applying this patch permanently.
Re: avc { module_request, relabelfrom }: openvpn->tun
by Mr Dash Four
> koji.fedoraproject.org/koji but I guess it's for f14, so instead:
>
>
>>> kernel_request_load_module(openvpn_t)
>>>
> create module that allows openvpn_t to request the kernel to load a module:
>
> mkdir ~/myopenvpn; cd ~/myopenvpn;
> echo "policy_module(myopenvpn, 1.0.0)" > myopenvpn.te;
> echo "gen_require(\`" >> myopenvpn.te;
> echo "type openvpn_t;" >> myopenvpn.te;
> echo "')" >> myopenvpn.te;
> echo "kernel_request_load_module(openvpn_t)" >> myopenvpn.te;
> make -f /usr/share/selinux/devel/Makefile myopenvpn.pp
> sudo semodule -i myopenvpn.pp
>
That did the trick!
It was good that you included this as a separate module so that I
could test it; otherwise I would have had to patch and recompile the whole policy,
then rebuild the image in order to test it and see whether it works.
I take it that to make this a 'permanent' solution I have to patch and
include 'kernel_request_load_module(openvpn_t)' in openvpn.te (forming
part of the -44 policy), is that right?
> You cannot define this rule for just a single particular module.
>
That's a pity, but I could live with that - auditd gives me detailed
info when a module is loaded, so I can trace this anyway; no big loss.
> See if you can reproduce it. unconfined_t (you) transition to the rc
> script domain when you run an rc script, the rc script domain in turn
> runs the openvpn executables.
>
> So with that in mind why would openvpn need to relabel unconfined_t
> tun_sockets?
>
I take it this gets called only if loading of the tun/tap module fails.
Maybe in a similar way to when dac_* gets called - only in case the
'normal' permissions are too restrictive.
dac_override and dac_read_search ... again!
by Mr Dash Four
Having upgraded selinux-policy(-targeted) from 3.7.19-37 to 3.7.19-39 I
started getting heaps of the two avc types from a variety of
programs/processes. Logs follow below.
I have not done anything unusual apart from upgrading and patching 3
policy module files (though I am getting exactly the same avcs if using
the pre-built policy packages!).
The OS image is built in exactly the same way (with a kickstart file and
using livecd tools) as it was with the 3.7.19-37 version (and it worked
there without any problems). I first thought that it might be a labelling
problem, but as is evident from the file label listings below, that
appears not to be the case.
When I try to boot from that image, the first sign of trouble comes
when the auditd service does not start, hence why I do not have an
audit.log listing to include. The only way I could activate auditd was to
force selinux into permissive mode (echo 0 > /selinux/enforce) and then
execute "service auditd start".
What could be the cause of this? I can't see the file permissions being
too restrictive either (which was the root cause of my previous dac_*
problems). Any ideas as to how to solve this sorry mess are welcome!
====================/var/log/messages
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664734.151:4): avc:
denied { dac_override } for pid=378 comm="hostname" capability=1
scontext=system_u:system_r:hostname_t:s0
tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664734.152:5): avc:
denied { dac_read_search } for pid=378 comm="hostname" capability=2
scontext=system_u:system_r:hostname_t:s0
tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664738.378:8): avc:
denied { dac_override } for pid=386 comm="dmesg" capability=1
scontext=system_u:system_r:dmesg_t:s0
tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664738.378:9): avc:
denied { dac_read_search } for pid=386 comm="dmesg" capability=2
scontext=system_u:system_r:dmesg_t:s0
tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661191.023:12): avc:
denied { dac_override } for pid=689 comm="ip" capability=1
scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661191.027:13): avc:
denied { dac_read_search } for pid=689 comm="ip" capability=2
scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661193.668:16): avc:
denied { dac_override } for pid=714 comm="ifconfig" capability=1
scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661193.671:17): avc:
denied { dac_read_search } for pid=714 comm="ifconfig" capability=2
scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661197.508:20): avc:
denied { dac_override } for pid=729 comm="hostname" capability=1
scontext=system_u:system_r:hostname_t:s0
tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661197.510:21): avc:
denied { dac_read_search } for pid=729 comm="hostname" capability=2
scontext=system_u:system_r:hostname_t:s0
tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661229.399:54): avc:
denied { dac_override } for pid=922 comm="arping" capability=1
scontext=system_u:system_r:netutils_t:s0
tcontext=system_u:system_r:netutils_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661229.399:55): avc:
denied { dac_read_search } for pid=922 comm="arping" capability=2
scontext=system_u:system_r:netutils_t:s0
tcontext=system_u:system_r:netutils_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661235.258:116): avc:
denied { dac_override } for pid=973 comm="auditd" capability=1
scontext=system_u:system_r:auditd_t:s0
tcontext=system_u:system_r:auditd_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280661235.260:117): avc:
denied { dac_read_search } for pid=973 comm="auditd" capability=2
scontext=system_u:system_r:auditd_t:s0
tcontext=system_u:system_r:auditd_t:s0 tclass=capability
Aug 1 12:14:49 test1 kernel: type=1400 audit(1280661289.020:124): avc:
denied { dac_override } for pid=1300 comm="ip" capability=1
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:14:49 test1 kernel: type=1400 audit(1280661289.025:125): avc:
denied { dac_read_search } for pid=1300 comm="ip" capability=2
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:40 test1 kernel: type=1400 audit(1280661340.105:130): avc:
denied { dac_override } for pid=1350 comm="ip" capability=1
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:40 test1 kernel: type=1400 audit(1280661340.108:131): avc:
denied { dac_read_search } for pid=1350 comm="ip" capability=2
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:41 test1 kernel: type=1400 audit(1280661341.058:138): avc:
denied { dac_override } for pid=1364 comm="ip" capability=1
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:41 test1 kernel: type=1400 audit(1280661341.058:139): avc:
denied { dac_read_search } for pid=1364 comm="ip" capability=2
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:45 test1 kernel: type=1400 audit(1280661345.145:350): avc:
denied { dac_override } for pid=1418 comm="tc" capability=1
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:15:45 test1 kernel: type=1400 audit(1280661345.146:351): avc:
denied { dac_read_search } for pid=1418 comm="tc" capability=2
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Aug 1 12:16:09 test1 kernel: type=1400 audit(1280661369.758:1176):
avc: denied { dac_override } for pid=1615 comm="smartd" capability=1
scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
Aug 1 12:16:09 test1 kernel: type=1400 audit(1280661369.759:1177):
avc: denied { dac_read_search } for pid=1615 comm="smartd"
capability=2 scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability
====================
====================service start auditd
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.362:1226):
avc: denied { dac_override } for pid=1583 comm="auditd" capability=1
scontext=unconfined_u:system_r:auditd_t:s0
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.364:1227):
avc: denied { dac_read_search } for pid=1583 comm="auditd"
capability=2 scontext=unconfined_u:system_r:auditd_t:s0
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.370:1228):
avc: denied { dac_override } for pid=1583 comm="auditd" capability=1
scontext=unconfined_u:system_r:auditd_t:s0
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.371:1229):
avc: denied { dac_read_search } for pid=1583 comm="auditd"
capability=2 scontext=unconfined_u:system_r:auditd_t:s0
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.436:1230):
avc: denied { dac_override } for pid=1583 comm="auditd" capability=1
scontext=unconfined_u:system_r:auditd_t:s0
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.436:1231):
avc: denied { dac_read_search } for pid=1583 comm="auditd"
capability=2 scontext=unconfined_u:system_r:auditd_t:s0
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.443:1232):
avc: denied { dac_override } for pid=1583 comm="auditd" capability=1
scontext=unconfined_u:system_r:auditd_t:s0
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 kernel: type=1400 audit(1280664845.443:1233):
avc: denied { dac_read_search } for pid=1583 comm="auditd"
capability=2 scontext=unconfined_u:system_r:auditd_t:s0
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
Aug 1 13:14:05 test1 auditd: Error opening config file (Permission denied)
Aug 1 13:14:05 test1 auditd: The audit daemon is exiting.
====================
====================echo 0 > /selinux/enforce && service auditd start &&
service smartd start
type=AVC msg=audit(1280608935.230:327): avc: denied { dac_override }
for pid=1368 comm="smartd" capability=1
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=AVC msg=audit(1280608935.230:327): avc: denied { dac_read_search
} for pid=1368 comm="smartd" capability=2
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1280608935.230:327): arch=40000003 syscall=33
success=no exit=-13 a0=21a814 a1=4 a2=21ffc4 a3=2208f8 items=0 ppid=1367
pid=1368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=1 comm="smartd" exe="/usr/sbin/smartd"
subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
type=AVC msg=audit(1280608935.245:328): avc: denied { dac_override }
for pid=1368 comm="smartd" capability=1
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=AVC msg=audit(1280608935.245:328): avc: denied { dac_read_search
} for pid=1368 comm="smartd" capability=2
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=SYSCALL msg=audit(1280608935.245:328): arch=40000003 syscall=5
success=no exit=-13 a0=21a9fe a1=0 a2=0 a3=220880 items=0 ppid=1367
pid=1368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=1 comm="smartd" exe="/usr/sbin/smartd"
subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null)
====================
====================ls -lasZ /etc | grep audit
drwxr-x---. root root system_u:object_r:auditd_etc_t:s0 audit
-rw-r-----. root root system_u:object_r:etc_t:s0 libaudit.conf
====================
====================ls -lasZ /etc/audit
drwxr-x---. root root system_u:object_r:auditd_etc_t:s0 .
drw-r--r--. root root system_u:object_r:etc_t:s0 ..
-rw-r-----. root root system_u:object_r:auditd_etc_t:s0 auditd.conf
-rw-r-----. root root system_u:object_r:auditd_etc_t:s0 audit.rules
====================
====================ls -lasZ /etc/init.d/auditd
-rwxr-xr-x. root root system_u:object_r:auditd_initrc_exec_t:s0
/etc/init.d/auditd
====================
====================ls -lasZ /sbin/auditd
-rwxr-x---. root root system_u:object_r:auditd_exec_t:s0 /sbin/auditd
====================
====================ls -lasZ /var/log | grep audit
drwxr-xr-x. root root system_u:object_r:auditd_log_t:s0 audit
====================
====================ls -lasZ /var/log/audit
drwxr-xr-x. root root system_u:object_r:auditd_log_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 ..
-rw-------. root root system_u:object_r:auditd_log_t:s0 audit.log
====================
A sendmail problem
by mark
The last few days - I think there was a policy update to FC13 - I started
seeing
/etc/cron.daily/0logwatch:
>
> Can't exec "sendmail": Permission denied at /usr/sbin/logwatch line
> 1032, <TESTFILE> line 2.
> Can't execute sendmail -t: Permission denied
Mentioned this to my manager, and he didn't see anything in messages, but
saw this audit message:
type=SELINUX_ERR msg=audit(1281423963.394:71003):
security_compute_sid: invalid context
system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
Why would a policy prevent logwatch from using sendmail to forward a log?
mark
SELINUX_ERR about sendmail (postfix version) on F-13
by Laurent Rineau
For a few days (maybe two weeks), my cron daemon keeps sending me error emails, once a day:
> /etc/cron.daily/0logwatch:
>
> Can't exec "/usr/sbin/sendmail": Permission denied at /usr/sbin/logwatch line 1032, <TESTFILE> line 2.
> Can't execute /usr/sbin/sendmail -t: Permission denied
I suspected SELinux, but the setroubleshoot stuff did not say anything. And I eventually found this:
lrineau@matisse ~ $ sudo ausearch -ts yesterday -m SELINUX_ERR
----
time->Tue Aug 3 03:16:04 2010
type=SYSCALL msg=audit(1280798164.966:454): arch=c000003e syscall=59 success=no exit=-13 a0=1dfe430 a1=1dfe3c0 a2=1e01240 a3=8 items=0 ppid=17968 pid=18278 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=31 comm="logwatch" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1280798164.966:454): security_compute_sid: invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
----
time->Wed Aug 4 03:19:04 2010
type=SYSCALL msg=audit(1280884744.246:135): arch=c000003e syscall=59 success=no exit=-13 a0=187b190 a1=187b120 a2=187ac30 a3=7ffff2dc3ec0 items=0 ppid=14696 pid=15085 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="logwatch" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1280884744.246:135): security_compute_sid: invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
I did not know about SELINUX_ERR before that error. Maybe setroubleshootd should be aware of it, so that one can report bugs about SELINUX_ERR easily with the applet.
My configuration is this one:
lrineau@matisse ~ $ rpm -qa postfix selinux\*
selinux-policy-3.7.19-39.fc13.noarch
selinux-policy-targeted-3.7.19-39.fc13.noarch
postfix-2.7.0-1.fc13.x86_64
logwatch and postfix are configured with the default configurations, tweaked only in the simplest way.
--
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
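The dac_override/dac_read_search post and the two logwatch/sendmail posts above quote three line shapes that are easy to confuse: a kernel-logged AVC in /var/log/messages, an audit.log AVC, and a SELINUX_ERR from security_compute_sid, which is not an AVC at all and only turns up via ausearch -m SELINUX_ERR. Here is an added example (not code from any poster in these threads) that parses all three, tallies denials per source domain, and singles out domains whose only denials are the dac_* capabilities, the case where a root process was refused by file owner/mode rather than by policy. It assumes Python 3; the sample lines are constructed from the ones quoted above.

```python
import re
from collections import Counter
# Constructed sample lines modelled on the ones quoted in the thread: a kernel-logged
# AVC from /var/log/messages, an audit.log AVC and the SELINUX_ERR from logwatch.
SAMPLE_LOG = """\
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664734.151:4): avc: denied { dac_override } for pid=378 comm="hostname" capability=1 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability
Aug 1 12:13:57 test1 kernel: type=1400 audit(1280664734.152:5): avc: denied { dac_read_search } for pid=378 comm="hostname" capability=2 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=capability
type=AVC msg=audit(1280608935.230:327): avc: denied { dac_override } for pid=1368 comm="smartd" capability=1 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=unconfined_u:system_r:fsdaemon_t:s0 tclass=capability
type=SELINUX_ERR msg=audit(1280798164.966:454): security_compute_sid: invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
"""
# Both AVC formats end in "avc: denied { perms } ... scontext= tcontext= tclass=".
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
# security_compute_sid errors are not AVC denials; ausearch -m SELINUX_ERR finds them.
ERR_RE = re.compile(
    r'security_compute_sid:\s+invalid context\s+(?P<newctx>\S+)\s+for\s+'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def domain(ctx):
    return ctx.split(':')[2]  # type field of user:role:type[:range]

def parse_line(line):
    """Return a dict for one AVC denial or SELINUX_ERR line, None for anything else."""
    m = AVC_RE.search(line)
    if m:
        return {'kind': 'avc', 'perms': m['perms'].split(), 'comm': m['comm'],
                'source': domain(m['scontext']), 'target': domain(m['tcontext']),
                'tclass': m['tclass']}
    m = ERR_RE.search(line)
    if m:
        return {'kind': 'selinux_err', 'source': domain(m['scontext']),
                'target': domain(m['tcontext']), 'tclass': m['tclass'],
                'invalid': domain(m['newctx'])}
    return None

def summarize(text):
    """Count (source domain, tclass, permission or error) triples across a log."""
    counts = Counter()
    for ev in filter(None, map(parse_line, text.splitlines())):
        if ev['kind'] == 'avc':
            for perm in ev['perms']:
                counts[(ev['source'], ev['tclass'], perm)] += 1
        else:
            counts[(ev['source'], ev['tclass'], 'invalid_context:' + ev['invalid'])] += 1
    return counts

def dac_only_domains(counts):
    """Domains whose only denials are capability dac_override/dac_read_search (a root
    process refused by file owner/mode): check those files before writing policy."""
    by_dom = {}
    for dom, tclass, perm in counts:
        by_dom.setdefault(dom, set()).add((tclass, perm))
    dac = {('capability', 'dac_override'), ('capability', 'dac_read_search')}
    return sorted(d for d, s in by_dom.items() if s <= dac)
```

Run summarize() over a whole /var/log/messages or audit.log to get the per-domain picture; the logwatch_t entry shows up as an invalid-context transition to logwatch_mail_t rather than as a missing allow rule, which is why audit2allow has nothing to suggest for it.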