Re: SELinux user domain policy question
by Daniel J Walsh
On 09/14/2010 03:44 PM, Christopher J. PeBenito wrote:
> On 09/14/10 11:53, Daniel J Walsh wrote:
>> On 09/14/2010 05:55 AM, Roberto Sassu wrote:
>>> Thanks for answers. I'm trying to find a set of types executable by
>>> regular users which are managed by few and high privileged domains.
>>> Unfortunately, regarding 'etc_t', there's a non administrative
>>> domain, 'postgresql_t', which is allowed to create it.
>> That seems wrong, I have no idea why postgresql would be able to manage
>> etc files. Chris do you have any idea? (Hopefully this did not come
>> from me.) BTW there is no way for user_t to execute something as
>> postgresql_t
>
> Based on the git log, this line has been around upstream since 2005,
> when the postgresql module was converted over from the old NSA example
> policy. I don't know why it would need that access. My preference is
> to remove it, and if it causes problems, hopefully it can be fixed in
> some other way.
>
Agreed, I am removing it from Fedora now.
SELinux user domain policy question
by Roberto Sassu
Hi all
I'm investigating what types the domain user_t is allowed to execute, in
particular those that don't belong to the exec_type attribute. I need more
details about the attribute 'noxattrfs' and the type 'etc_t', more precisely
in which circumstances they are executed by a regular user.
Thanks in advance for replies.
Roberto Sassu
openvpn and script execution
by Dominick Grift
Is there any chance you can join the #fedora-selinux IRC chat channel on irc.freenode.org?
This communicates a bit easier and faster, which will benefit us if you want to proceed with the openvpn lock-down.
netif labelling
by Mr Dash Four
I am trying to restrict an application I have installed to have access
to a specific network interface only (tun0).
Are all network interfaces labelled 'automatically' by SELinux with
'netif_xx_t' or do I have to label them manually from the policy file?
If I have to do that manually is it done with the network_interface(...)
macro?
Also, if I relabel the interface would I have to amend all other
policies for applications which need access to that interface
(applications which use the 'generic' naming - netif_t) or is this not
necessary?
I've seen there is a macro in corenetwork.if.in called
'corenet_all_recvfrom_labelled' - is that macro allowing me to receive
packets from labelled interface?
Thanks in advance!
sandbox window size
by Christoph A.
Hi,
as far as I have seen and read it is not possible to resize a SELinux
sandbox window.
Is it possible to specify the size of the sandbox at start-time?
Kind regards,
Christoph
audit log not being rotated
by Mike Williams
Hi there. I have three systems running f13 and on one of those systems
audit.log has not been rotated since July 20 when the system was first
brought up with f13.
After some digging I found a reference to a file that can be run as a cron
job to cause the log file to be rotated.
(/usr/share/doc/audit-2.0.4/auditd.cron)
The two systems on which rotating the logs has been working are both in
enforcing mode, the one that has not been rotating the log has enforcing=0
I do not remember doing anything else different as far as selinux goes on
these three boxes. Could not find any reference to audit.log in
/etc/logrotate.conf /etc/logrotate.d/* /etc/cron.daily/* or
/etc/cron.weekly/* on any of the systems.
Any idea why one box out of three would behave differently? It is a
worrisome difference.
Currently running the 2.6.34.6-47.fc13.i686.PAE kernel on the non-rotating
system and one of the two others. But the behavior has not changed from the
initial installation through all of the updates since then. All three
systems have 2.0.4-3.fc13 of audit, audit-libs and audit-libs-python
installed.
BTW - great work on SELinux! It has improved a great deal over the past
five years. The only reason I have one box in permissive mode is because it
is running TWiki and I have not found time to make the changes needed to get
selinux and twiki to play nice together.
Thanks,
Mike
.autorelabel on mounted filesystems
by Dan Thurman
I have several versions of root distro partitions of which I do
mount via fstab, but of course only one / and /boot partition
is to be defined for the version to be booted.
What I would like to know is, if I do an /.autorelabel,
for one boot/root partition, does this mean that every
mounted filesystem that appears in /etc/fstab also gets
relabeled? If so, this is not what I want especially if
other root distro partitions are being mounted for example,
say: /md/{distro1, distro2, ...}
So, how do I get around this? I could comment out
all entries in /etc/fstab except / and /boot (plus the
required entries), touch /.autorelabel, reboot, and once
relabeling is completed, then add back in the commented
out fstab entries, then issue a mount -a. Could I add an option
entry say: NO_RELABEL to certain fstab entries?
Since I was introduced to the /media since F9, I never could
figure out how to add mounted "media" filesystems, which
is why I added them instead to fstab.
How do I solve this issue?
avc { module_request, relabelfrom }: openvpn->tun
by Mr Dash Four
When trying to start openvpn with 'service openvpn start'
(selinux=enforced) I get the following avc (audit.log):
----audit.log---------------
type=AVC msg=audit(1281803077.151:21): avc: denied { module_request }
for pid=1943 comm="openvpn" kmod="char-major-10-200"
scontext=unconfined_u:system_r:openvpn_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1281803077.151:21): arch=40000003 syscall=5
success=no exit=-19 a0=80bf7b8 a1=2 a2=38 a3=96bd804 items=0 ppid=1
pid=1943 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn"
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
-------------------
-----var/log/messages-------
Aug 14 17:24:37 test1 openvpn[1943]: Note: Cannot open TUN/TAP dev
/dev/net/tun: No such device (errno=19)
Aug 14 17:24:37 test1 openvpn[1943]: Note: Attempting fallback to kernel
2.2 TUN/TAP interface
Aug 14 17:24:37 test1 openvpn[1943]: Cannot open TUN/TAP dev /dev/tun0:
No such file or directory (errno=2)
Aug 14 17:24:37 test1 openvpn[1943]: Exiting
-------------------
When I try to execute 'openvpn --mktun --dev tun0 --user nobody --group
nobody' it works OK, but when I try to start openvpn it again fails with
the following avc:
----audit.log---------------
type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom }
for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=tun_socket
type=SYSCALL msg=audit(1281803362.451:23): arch=40000003 syscall=54
success=no exit=-13 a0=5 a1=400454ca a2=bfb4c26c a3=87e4804 items=0
ppid=1 pid=2007 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn"
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
-------------------
-----var/log/messages-------
Aug 14 17:29:22 test1 openvpn[2007]: Note: Cannot ioctl TUNSETIFF tun0:
Permission denied (errno=13)
Aug 14 17:29:22 test1 openvpn[2007]: Note: Attempting fallback to kernel
2.2 TUN/TAP interface
Aug 14 17:29:22 test1 openvpn[2007]: Cannot open TUN/TAP dev /dev/tun0:
No such file or directory (errno=2)
Aug 14 17:29:22 test1 openvpn[2007]: Exiting
-------------------
Any idea what might be the cause of this problem?
openvpn normally tries to open tun0, assign its IP address, net mask and
broadcast address, then reassign the routing on this particular machine
- nothing suspicious really!
wine preloader? being denied by selinux
by Antonio Olivares
Dear selinux experts,
I have a sealert for running a Windows program under wine. There had been no problems on a Fedora 13 x86_64 machine till I installed this program. I have not done anything yet. The program runs, but I am hesitant to do anything; therefore I ask for your guidance as to what I should do.
Here's the alert:
Summary:
SELinux has prevented wine from performing an unsafe memory operation.
Detailed Description:
SELinux denied an operation requested by wine-preloader, a program used to run
Windows applications under Linux. This program is known to use an unsafe
operation on system memory but so are a number of malware/exploit programs which
masquerade as wine. If you were attempting to run a Windows program your only
choices are to allow this operation and reduce your system security against such
malware or to refrain from running Windows applications under Linux. If you were
not attempting to run a Windows application this indicates you are likely being
attacked by some for of malware or program trying to exploit your system for
nefarious purposes. Please refer to
http://wiki.winehq.org/PreloaderPageZeroProblem Which outlines the other
problems wine encounters due to its unsafe use of memory and solutions to those
problems.
Allowing Access:
If you decide to continue to run the program in question you will need to allow
this operation. This can be done on the command line by executing: # setsebool
-P mmap_low_allowed 1
Fix Command:
/usr/sbin/setsebool -P mmap_low_allowed 1
Additional Information:
Source Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Objects None [ memprotect ]
Source wine-preloader
Source Path /usr/bin/wine-preloader
Port <Unknown>
Host n6355-50168
Source RPM Packages wine-core-1.2.0-2.fc13
Target RPM Packages
Policy RPM selinux-policy-3.7.19-47.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name wine
Host Name n6355-50168
Platform Linux n6355-50168 2.6.33.8-149.fc13.x86_64 #1 SMP
Tue Aug 17 22:53:15 UTC 2010 x86_64 x86_64
Alert Count 10
First Seen Fri 27 Aug 2010 11:45:10 AM CDT
Last Seen Wed 01 Sep 2010 09:32:26 AM CDT
Local ID ab7d4dae-5686-4d47-ab3b-4ea134844ade
Line Numbers
Raw Audit Messages
node=n6355-50168 type=AVC msg=audit(1283351546.640:36): avc: denied { mmap_zero } for pid=4115 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
node=n6355-50168 type=SYSCALL msg=audit(1283351546.640:36): arch=40000003 syscall=90 success=no exit=-13 a0=ffe4a850 a1=0 a2=ffe4a850 a3=5a items=0 ppid=4088 pid=4115 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
I run the Windows program correctly and with no problems, just that when I start the program I see the sealert (warning). I don't really want to give this program what it is wanting for me to do, but I also don't want to see the warning every time. How should I approach this matter?
Thanks in Advance,
Antonio
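Added example (not code from any of the posters above): a small Python parser over the raw AVC and SYSCALL records quoted in the openvpn and wine posts, showing how an analyst reduces such denials to the (source type, object class, permission) triples a policy author reasons about, and how the SYSCALL record's exit code maps to the errno the application then logs in /var/log/messages (errno=19 ENODEV for the module_request denial, errno=13 EACCES for relabelfrom and mmap_zero). The sample log below is constructed by joining the page's quoted records back onto single lines, as audit.log writes them; the function and field names are this example's own.

```python
import errno
import re
from collections import defaultdict

# Constructed sample: the records quoted in the openvpn and wine posts, one record per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1281803077.151:21): avc: denied { module_request } for pid=1943 comm="openvpn" kmod="char-major-10-200" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1281803077.151:21): arch=40000003 syscall=5 success=no exit=-19 a0=80bf7b8 a1=2 a2=38 a3=96bd804 items=0 ppid=1 pid=1943 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom } for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tun_socket
type=SYSCALL msg=audit(1281803362.451:23): arch=40000003 syscall=54 success=no exit=-13 a0=5 a1=400454ca a2=bfb4c26c a3=87e4804 items=0 ppid=1 pid=2007 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
node=n6355-50168 type=AVC msg=audit(1283351546.640:36): avc: denied { mmap_zero } for pid=4115 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
node=n6355-50168 type=SYSCALL msg=audit(1283351546.640:36): arch=40000003 syscall=90 success=no exit=-13 a0=ffe4a850 a1=0 a2=ffe4a850 a3=5a items=0 ppid=4088 pid=4115 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
"""

# An optional node= prefix appears when auditd is configured with a node name (as in the wine post).
AVC_RE = re.compile(
    r'^(?:node=\S+\s+)?type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*'
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
SYSCALL_RE = re.compile(
    r'^(?:node=\S+\s+)?type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'pid=1943 comm="openvpn" exit=-19 ...' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def split_context(ctx):
    """Split user:role:type[:mls]; the MLS range itself may contain ':' (s0-s0:c0.c1023)."""
    parts = ctx.split(':', 3)
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'mls': parts[3] if len(parts) > 3 else ''}


def parse_audit_log(text):
    """Return the AVC records as dicts, each joined to the SYSCALL record sharing its serial."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            fields = parse_kv(m.group('rest'))
            avcs.append({
                'serial': int(m.group('serial')),
                'timestamp': float(m.group('ts')),
                'result': m.group('result'),
                'perms': m.group('perms').split(),
                'comm': fields.get('comm'),
                'pid': int(fields['pid']) if 'pid' in fields else None,
                'source': split_context(fields['scontext']),
                'target': split_context(fields['tcontext']),
                'tclass': fields.get('tclass'),
                # Object-specific detail, e.g. the kmod alias the kernel was asked to autoload.
                'extra': {k: v for k, v in fields.items()
                          if k in ('kmod', 'path', 'name', 'dev', 'ino')},
            })
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[int(m.group('serial'))] = parse_kv(m.group('rest'))
    for avc in avcs:
        sc = syscalls.get(avc['serial'])
        if sc and 'exit' in sc:
            code = int(sc['exit'])
            avc['syscall'] = int(sc.get('syscall', -1))
            avc['exe'] = sc.get('exe')
            # A negative exit is -errno; this is the number the application reports as errno=N.
            avc['errno'] = errno.errorcode.get(-code) if code < 0 else None
    return avcs


def summarize(avcs):
    """Count denials per (source type, object class, permission): the granularity at which a
    policy author decides whether a rule is missing or the program is doing something it should not."""
    counts = defaultdict(int)
    for avc in avcs:
        if avc['result'] != 'denied':
            continue
        for perm in avc['perms']:
            counts[(avc['source']['type'], avc['tclass'], perm)] += 1
    return dict(counts)


def describe(avc):
    """One-line analyst summary of a single AVC record."""
    return '{} ({}) {} {} on {} {}{}'.format(
        avc['comm'], avc['source']['type'], avc['result'], ' '.join(avc['perms']),
        avc['tclass'], avc['target']['type'],
        ' -> ' + avc['errno'] if avc.get('errno') else '')


if __name__ == '__main__':
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    for rec in records:
        print(describe(rec))
    for (src, cls, perm), n in sorted(summarize(records).items()):
        print('{:>3}  {} {} {}'.format(n, src, cls, perm))
```

The errno column is what ties the two log sources together: the first openvpn denial is a module_request on the kernel, so open(2) on /dev/net/tun fails with ENODEV ("No such device") exactly as /var/log/messages shows, while the later relabelfrom and mmap_zero denials surface as EACCES ("Permission denied"). Grouping by (source type, class, permission) also makes the target context visible, which is the detail that matters in the relabelfrom case: the tun_socket was created under unconfined_t by the manual --mktun run, and openvpn_t is then asked to relabel it.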