Hi,
I just noticed that I have over 100 processes running in the
sandbox_web_client_t domain, although I closed all my sandbox windows.
ps auxZ|grep sandbox_web_client_t|grep -c /usr/libexec/gvfsd
52
ps auxZ|grep sandbox_web_client_t|grep -c '/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session'
51
Shouldn't they be killed after I closed all sandbox windows?
Kind regards,
Christoph
Hi,
I was using firefox within sandboxes for a while without perm. home
directory.
To store bookmarks, addons and so on, I started to use perm. homedir (-H).
Because firefox does not allow multiple concurrent sessions (lock on
.mozilla) it is not possible to open multiple websites when specifying
the same sandbox homedir, hence I'm looking for a possibility to open
new websites within a running sandbox from outside.
Without sandboxes everyone can open new websites in a running firefox
instance using:
firefox -remote "openurl(http://www.mozilla.org)"
sandbox scenario:
1. step:
start firefox:
sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
2. step:
sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox -remote "openurl(http://www.mozilla.org)"
My current attempts fail because I'm unable to use the '-l' option
(#632377), but would the policy allow the 'firefox -remote' command if
the type and security level match those of the already running sandbox?
kind regards,
Christoph
Problems combining these 2 to run while SELinux is in 'enforced' mode
(the policy running is the 'stock' targeted one supplied with FC13). I get 2
audit alerts when Shorewall starts (and fails!) - see logs below. I have
an x86_64 machine running FC13. Stock Shorewall is installed.
IPSet (xtunnels) is compiled in (though with the 'stock' rpm I am
getting the same errors).
The problem seems to be caused by the Shorewall init script (see further
below). The relevant part of my syslog when SELinux is in enforced mode is:
=========SELinux=Enforcing================================
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling...
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.634:29543):
avc: denied { create } for pid=2577 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.637:29544):
avc: denied { create } for pid=2579 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/zones...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/interfaces...
Jun 26 23:18:38 dev1 shorewall[2456]: Determining Hosts in Zones...
Jun 26 23:18:38 dev1 shorewall[2456]: Preprocessing Action Files...
Jun 26 23:18:38 dev1 shorewall[2456]: Pre-processing
/usr/share/shorewall/action.Drop...
Jun 26 23:18:38 dev1 shorewall[2456]: Pre-processing
/usr/share/shorewall/action.Reject...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/policy...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/blacklist...
Jun 26 23:18:38 dev1 shorewall[2456]: ERROR: ipset names in Shorewall
configuration files require Ipset Match in your kernel and iptables :
/etc/shorewall/blacklist (line 11)
Jun 26 23:18:38 dev1 shorewall[2456]: ERROR: Shorewall start failed
==========================================================
When I switch SELinux to Permissive I get two further errors:
=========SELinux=Permissive===============================
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29551):
avc: denied { create } for pid=3799 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29552):
avc: denied { getopt } for pid=3799 comm="ipset" lport=255
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29553):
avc: denied { setopt } for pid=3799 comm="ipset" lport=255
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/zones...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/interfaces...
Jun 26 23:32:45 dev1 shorewall[3678]: Determining Hosts in Zones...
Jun 26 23:32:45 dev1 shorewall[3678]: Preprocessing Action Files...
Jun 26 23:32:45 dev1 shorewall[3678]: Pre-processing
/usr/share/shorewall/action.Drop...
Jun 26 23:32:45 dev1 shorewall[3678]: Pre-processing
/usr/share/shorewall/action.Reject...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/policy...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/blacklist...
Jun 26 23:32:45 dev1 shorewall[3678]: Adding Anti-smurf Rules
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling TCP Flags filtering...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Kernel Route Filtering...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Martian Logging...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 1...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/rules...
Jun 26 23:32:45 dev1 shorewall[3678]: Generating Transitive Closure of
Used-action List...
Jun 26 23:32:45 dev1 shorewall[3678]: Processing
/usr/share/shorewall/action.Reject for chain Reject...
Jun 26 23:32:45 dev1 shorewall[3678]: Processing
/usr/share/shorewall/action.Drop for chain Drop...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 2...
Jun 26 23:32:45 dev1 shorewall[3678]: Applying Policies...
Jun 26 23:32:45 dev1 shorewall[3678]: Generating Rule Matrix...
Jun 26 23:32:45 dev1 shorewall[3678]: Creating iptables-restore input...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling iptables-restore input
for chains blacklst mangle:...
Jun 26 23:32:45 dev1 shorewall[3678]: Shorewall configuration compiled
to /var/lib/shorewall/.start
Jun 26 23:32:45 dev1 shorewall[3678]: Starting Shorewall....
Jun 26 23:32:45 dev1 shorewall[3678]: Initializing...
Jun 26 23:32:46 dev1 kernel: u32 classifier
Jun 26 23:32:46 dev1 kernel: Performance counters on
Jun 26 23:32:46 dev1 kernel: input device check on
Jun 26 23:32:46 dev1 kernel: Actions configured
Jun 26 23:32:46 dev1 shorewall[3678]: Processing /etc/shorewall/init ...
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-x1.ips
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-x2.ips
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-z1.ips
Jun 26 23:32:47 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-z2.ips
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/tcclear ...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Route Filtering...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Martian Logging...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Proxy ARP...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Traffic Control...
Jun 26 23:32:49 dev1 shorewall[3678]: Preparing iptables-restore input...
Jun 26 23:32:49 dev1 shorewall[3678]: Running /sbin/iptables-restore...
Jun 26 23:32:49 dev1 shorewall[3678]: IPv4 Forwarding Enabled
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/start ...
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/started ...
Jun 26 23:32:49 dev1 shorewall[3678]: Shorewall started
==========================================================
The problem seems to be caused by the shorewall init script, which is:
===========Shorewall init script==========================
modprobe ifb numifbs=1
ip link set dev ifb0 up
# configure the ipsets: each /etc/shorewall/ips/*.ips file holds the ipset
# commands that rebuild one set, restored with "ipset -R" before the rules
# that reference the sets are loaded
sw_ips_mask='/etc/shorewall/ips/*.ips'
ipset_exec='/usr/sbin/ipset'
# $COMMAND is set by Shorewall before it sources this file
if [ "$COMMAND" = start ]; then
    "$ipset_exec" -F                 # flush every set
    "$ipset_exec" -X                 # destroy every set
    for c in $sw_ips_mask; do        # unquoted so the shell expands the glob
        [ -f "$c" ] || continue      # glob matched nothing
        echo "loading $c"
        "$ipset_exec" -R < "$c"
    done
fi
==========================================================
The above script executes /usr/sbin/ipset to create my IP Sets needed
for running Shorewall (all IP set commands are contained in those *.ips
files). These IP sets consist mainly of IP subnets which are part of my
blacklists (banned IP subnets), though they also contain some IP/port
sets as well.
I don't know why SELinux denies "create" (and then "getopt" and "setopt")
on what seems to be a raw IP socket (IPSet does not use/need one as far
as I know!). If I remove the IP Set part of the init script above and
rearrange Shorewall to run without IPSets all is well, though its
functionality is VERY limited and barely useful to me!
Two questions to the SELinux gurus on here: 1) Why am I getting these
alerts? and 2) How can I fix the problem so that I could run both
Shorewall and IPSets with SELinux in Enforced mode?
This is important for me as this is a production server and a lot of
stuff runs on it and needs to be available 24/7.
Many thanks in advance!
Hello
I get the following error when I try to log in through ssh (even if
selinux is in permissive mode!!!):
Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted
keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2
Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400
audit(1285657292.298:286): avc: denied { audit_control } for pid=12614
comm="sshd" capability=30 scontext=system_u:system_r:sysadm_t
tcontext=system_u:system_r:sysadm_t tclass=capability
Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error:
ssh_selinux_getctxbyname: Failed to get default SELinux security context
for mat
Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
ssh_selinux_getctxbyname: Failed to get default SELinux security context
for mat
Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: ssh_selinux_setup_pty:
security_compute_relabel: Invalid argument
I already went through this post:
http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml but I
can't figure out the exact problem.
Here is what I've done so far:
- Downloaded the latest reference policy from tresys:
http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
- Compiled and installed it on my SLES 11.1
- set selinux into permissive mode: (so far so good.. :))
sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: refpolicy
- Add selinux user "mat_u": semanage user -R "staff_r system_r" -P user -a
mat_u
- Add linux user " mat": useradd mat
- Set password for "mat": passwd mat
- User mapping: semanage login -s mat_u -a mat
- add security context for "mat_u" by copying staff_u's context (don't
know if that's needed??!): cp /etc/selinux/refpolicy/contexts/user/staff_u
/etc/selinux/refpolicy/contexts/user/mat_u
- set boolean for sysadm ssh login to true (don't know if that's needed?!):
setsebool ssh_sysadm_login on
In other posts I've read something about sepermit.conf and namespace.conf
but these files don't exist on my system. What about these files? Do I
need them?
What's wrong on my system?
Why is it not possible to log in even if selinux is in permissive mode?
Any suggestions?
thanks in advance
Matthias
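Both of the last two posts paste raw AVC records and ask what they mean. The script below is an added example, not part of either post and not the audit2allow tool itself: it folds denial records into one candidate allow rule per (source type, target type, object class), which is the first thing to look at before deciding whether a rule, a relabel, or a different way of starting the program is the right fix. It works on syslog "kernel:" lines and on `ausearch -m avc` / audit.log records alike, since both carry the same `avc: denied { perms } ... scontext= tcontext= tclass=` fields. The sample input is constructed from the records quoted in the two posts; the function name is this example's.

```shell
#!/bin/sh
# Added example (not from the thread, not audit2allow): summarise SELinux AVC
# denials as candidate allow rules, one per (source type, target type, class),
# deduplicating permissions, so the grant being asked for can be reviewed.

# Constructed sample, assembled from the records quoted in the two posts.
SAMPLE_AVC='Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.634:29543): avc: denied { create } for pid=2577 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29551): avc: denied { create } for pid=3799 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29552): avc: denied { getopt } for pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29553): avc: denied { setopt } for pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Sep 28 09:01:32 stvlx05.test.ch kernel: [60557.252750] type=1400 audit(1285657292.298:286): avc: denied { audit_control } for pid=12614 comm="sshd" capability=30 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability
Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for mat'

# avc_to_rules: read log lines on stdin, print "allow <src> <tgt>:<class> <perms>;"
# lines sorted. A target equal to the source is written as "self", as policy does.
avc_to_rules() {
    awk '
    /avc: +denied/ {
        if (!match($0, /[{][^}]*[}]/)) next       # permission list lives in braces
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        stype = ttype = tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, c, ":"); stype = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype == "" || ttype == "" || tclass == "") next
        key = stype "," ttype "," tclass
        n = split(perms, p, /[ \t]+/)
        for (j = 1; j <= n; j++) {
            if (p[j] == "") continue
            # keep first-seen order, drop duplicate permissions
            if (index(" " plist[key] " ", " " p[j] " ") == 0)
                plist[key] = (plist[key] == "") ? p[j] : plist[key] " " p[j]
        }
    }
    END {
        for (key in plist) {
            split(key, k, ",")
            target = (k[1] == k[2]) ? "self" : k[2]
            perms = plist[key]
            if (index(perms, " ") > 0) perms = "{ " perms " }"
            printf "allow %s %s:%s %s;\n", k[1], target, k[3], perms
        }
    }' | sort
}

# Demo on the constructed sample; on a real system:
#   avc_to_rules < /var/log/audit/audit.log      or      ausearch -m avc | avc_to_rules
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
```

The two rules the sample yields read very differently, which is the point of looking before loading anything. The ipset records collapse to `allow shorewall_t self:rawip_socket { create getopt setopt };`: the firewall's own domain asking for a raw-socket control channel, a small grant confined to that domain. The sshd record collapses to `allow sysadm_t self:capability audit_control;`: the source type shows sshd running in sysadm_t rather than in a dedicated daemon domain, so the grant would widen an administrative role, and the thing to examine is how sshd was started and labelled, not the missing permission. The real tool chain for the first case is `ausearch -m avc -ts recent | audit2allow -m local`, which emits a loadable module with the same rule.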
I was trying to test the early version of thunderbird 3.3 and got the
following:
-------------------
SELinux is preventing
/opt/Local/vers/mozilla/released/thunderbird-3.3a1pre-100930/thunderbird-bin
"execmod" access to
/opt/Local/vers/mozilla/released/thunderbird-3.3a1pre-100930/libxul.so.
-------------------
SELinux denied access requested by
/opt/Local/vers/mozilla/released/thunderbird-3.3a1pre-100930/thunderbird-bin.
/opt/Local/vers/mozilla/released/thunderbird-3.3a1pre-100930/thunderbird-bin
is mislabeled.
/opt/Local/vers/mozilla/released/thunderbird-3.3a1pre-100930/thunderbird-bin
default SELinux type is usr_t, but its current type is usr_t. Changing
this file back to the default type, may fix your problem. If you believe
this is a bug, please file a bug report against this package.
Allowing Access
You can restore the default system context to this file by
executing the restorecon command. resto
-----------------------------------
(1) Note the message: "default SELinux type is usr_t, but its current
type is usr_t."
confuses me ... ?
setsebool -P execmod 1
allowed it to run - but that seems like way overkill.
(2) What is the 'right' way to allow
/opt/Local/vers/mozilla/released/thunderbird-3.3a1pre-100930/libxul.so
to be execmod'ed (or whatever it's called)?
Thanks
gene/
In the standard policy most of the kernel/service modules allow access
to unlabelled traffic, interfaces and nodes.
I have a simple question regarding this: if I were to write an
additional module and include a neverallow statement to deny previously
granted access to such resources, would this be enough (my understanding
of neverallow is that it just checks whether previous 'allow' statements
were issued and if so, generates a warning and stops)?
If neverallow is not the way to go, what could I do, short of altering
every single policy file and removing the appropriate allow statements, to
disable such access to the above resources?
Getting the following through logwatch:
--------------------- Selinux Audit Begin ------------------------
**Unmatched Entries**
auditd (1319): /proc/1319/oom_adj is deprecated, please use
/proc/1319/oom_score_adj instead.
auditd (1323): /proc/1323/oom_adj is deprecated, please use
/proc/1323/oom_score_adj instead.
---------------------- Selinux Audit End -------------------------
--
Regards,
Frank Murphy
UTF_8 Encoded
Friend of Fedora
I am trying to get Rsyslog queues working on RHEL 5.5. Queues, sort of
as the name implies, will queue messages, in my case they will queue
messages if the central log server goes down (if you want the details
take a look here:
http://www.rsyslog.com/doc/rsyslog_reliable_forwarding.html). Now for
the most part this queue remains in memory, but it can be written to
disk. That of course is the rub with SELinux, it will deny access to
arbitrary locations that I want to put files into. I don't really want
to use a custom policy as that just creates overhead, so I searched for
allow rules for syslogd_t and came up with the following options that
looked promising:
allow syslogd_t syslogd_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow syslogd_t syslogd_var_lib_t : dir { ioctl read write getattr lock add_name remove_name search };
allow syslogd_t syslogd_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow syslogd_t syslogd_var_run_t : dir { ioctl read write getattr lock add_name remove_name search };
Excellent, so if I have a location labelled with either of those types I
ought to be good (well I think so, I am kind of new to this). But again
in the interest of not maintaining local changes across many systems I
wanted the file labels to come from the default contexts, so after a
little digging through /etc/selinux/targeted/contexts/files:
/var/lib/syslog-ng(/.*)? system_u:object_r:syslogd_var_lib_t:s0
Bingo, sort of. What is a syslog-ng setup doing in a distribution that
doesn't even ship with syslog-ng? Is this for third party installs of
syslog-ng? I guess it doesn't really matter. Here are the questions
after that long winded introduction: Is this the right way to go about
setting this up? If we can have a syslog-ng specific file context is
there any reason we can't have a rsyslog specific one given that rsyslog
is actually shipping with RHEL? I know it is just names but it bothers
my OCD ;).
Thanks for the help,
-Erinn
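A way to check, before touching anything, what label a candidate queue directory gets from the default file contexts and whether the allow rules quoted above cover it, as an added example that is not part of the post and not libselinux code: the function below emulates matchpathcon on a file_contexts table using the rule libselinux applies, namely that the last matching entry wins (refpolicy's fc_sort pre-orders the file so that more specific entries come later, and entries added with semanage fcontext land in file_contexts.local, which is loaded after it). The table is constructed: the syslog-ng line is the one quoted above, the other entries are typical distribution entries added for the demonstration. The file-type field (`--`, `-d`) is ignored here, which the real matcher does not do; the function names are this example's.

```shell
#!/bin/sh
# Added example (not from the post, not libselinux code): emulate matchpathcon
# on a file_contexts table and check whether the resulting type is one that
# the quoted syslogd_t allow rules let the daemon write into.

# Constructed file_contexts sample. Only the syslog-ng entry is the one quoted
# in the post; the rest are typical entries added for this demonstration.
# Format: <regex> [<file type>] <context>
FILE_CONTEXTS='
/.*                          system_u:object_r:default_t:s0
/var/lib(/.*)?               system_u:object_r:var_lib_t:s0
/var/log(/.*)?               system_u:object_r:var_log_t:s0
/var/run(/.*)?               system_u:object_r:var_run_t:s0
/var/run/syslogd\.pid    --  system_u:object_r:syslogd_var_run_t:s0
/var/lib/syslog-ng(/.*)?     system_u:object_r:syslogd_var_lib_t:s0
'

# Types that syslogd_t may write files and directories into, taken from the
# allow rules quoted in the post.
SYSLOGD_WRITABLE_TYPES='syslogd_var_lib_t syslogd_var_run_t'

# label_for PATH: print the SELinux type the table assigns to PATH.
# Every entry whose anchored regex matches the whole path is a candidate and
# the last one wins (libselinux scans the specs from the end and stops at the
# first match). Exit status 1 if nothing matches.
label_for() {
    printf '%s\n' "$FILE_CONTEXTS" | awk -v path="$1" '
    /^[[:space:]]*(#|$)/ { next }              # comments and blank lines
    {
        regex = $1                               # first field: ERE, anchored by us
        ctx = $NF                                # last field: security context
        if (path ~ ("^" regex "$")) winner = ctx # a later match replaces an earlier one
    }
    END {
        if (winner == "") exit 1
        split(winner, c, ":"); print c[3]        # type is the third field
    }'
}

# check_queue_dir PATH: report whether syslogd_t could write a disk queue there
# under default labeling. Exit status 0 = yes, 1 = no.
check_queue_dir() {
    t=$(label_for "$1") || { echo "no file_contexts entry matches $1"; return 1; }
    case " $SYSLOGD_WRITABLE_TYPES " in
        *" $t "*) echo "OK: $1 labels as $t, writable by syslogd_t"; return 0 ;;
        *)        echo "DENIED: $1 labels as $t, no syslogd_t write rule"; return 1 ;;
    esac
}

# Demo on the constructed table; on a real system compare with
#   matchpathcon /var/lib/rsyslog/queue
#   sesearch --allow -s syslogd_t -c dir -p write
check_queue_dir /var/lib/syslog-ng/queue || true
check_queue_dir /var/lib/rsyslog/queue || true
```

On the sample table a queue under /var/lib/syslog-ng inherits syslogd_var_lib_t and passes, while /var/lib/rsyslog/queue falls through to the generic var_lib_t entry and would be denied, which is exactly what the post observed. The supported way to give rsyslog its own directory without editing the shipped policy is a local file-context entry, `semanage fcontext -a -t syslogd_var_lib_t '/var/lib/rsyslog(/.*)?'` followed by `restorecon -Rv /var/lib/rsyslog`, and pointing rsyslog's `$WorkDirectory` at that path; rerunning `label_for` against a table with that entry appended shows why it takes effect: it is the later match.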