sandbox cleanup?
by Christoph A.
Hi,
I just noticed that I have over 100 processes running in the
sandbox_web_client_t domain, although I closed all my sandbox windows.
ps auxZ|grep sandbox_web_client_t|grep -c /usr/libexec/gvfsd
52
ps auxZ|grep sandbox_web_client_t|grep -c '/bin/dbus-daemon --fork
--print-pid 5 --print-address 7 --session'
51
Shouldn't they be killed after I closed all sandbox windows?
Kind regards,
Christoph
12 years, 9 months
sandbox: open new firefox tab from outside
by Christoph A.
Hi,
I was using firefox within sandboxes for a while without perm. home
directory.
To store bookmarks, addons and so on, I started to use perm. homedir (-H).
Because firefox does not allow multiple concurrent sessions (lock on
.mozilla) it is not possible to open multiple websites when specifying
the same sandbox homedir, hence I'm looking for a possibility to open
new websites within a running sandbox from outside.
Without sandboxes everyone can open new websites in a running firefox
instance using:
firefox -remote "openurl(http://www.mozilla.org)"
sandbox scenario:
1. step:
start firefox:
sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
2. step:
sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
-remote "openurl(http://www.mozilla.org)"
My current attempts fail because I'm unable to use the '-l' option
(#632377) but would the policy allow the 'firefox -remote' command if
type and security level matches with the already running sandbox?
kind regards,
Christoph
12 years, 11 months
Using dyntransition to reduce privileges for Web application
by Scott Gifford
Hello,
I'm experimenting with SELinux policies again. I've got a test server set
up now, so I have a bit more freedom and flexibility. I have a policy that
is basically working, and wanted to get some feedback on it.
I'm working on designing a security architecture for a Web application we
have under development, and creating an SELinux policy to help implement it.
I would like to prevent any flaws in Apache or the Web application from
leaking access to other HTTP worker processes for current or future
connections, where credentials of other users may be accessible.
The Web server begins in the httpd_t domain, which has somewhat more
privileges than our application needs. For example it has access to the
listening HTTP socket, where it could accept new connections and so access
future connections. I would like to reduce the privileges of the HTTP
worker processes after the connection is accepted but before any user data
has been processed or our application code has been executed.
I have this working with some mod_perl code which hooks into Apache right
after it accepts the connection, and changes its running domain to
httpd_portal_app_t. I did this by allowing a dyntransition from httpd_t to
httpd_portal_app_t, then writing the new context to "/proc/$$/attr/current",
and verified it is working with ps -Z. That domain has a smaller set of
privileges than httpd_t, and is not allowed to do things like accept new
connections, listen on new sockets, read from log files, etc. There is no
rule allowing httpd_portal_app_t to transition back to httpd_t, and after
handling a single connection, the process exits (it is configured with the
Apache option MaxRequestsPerChild 1).
I am still testing and prototyping, but so far this is all working. I have
a few questions, though.
First, I see a lot of warnings in "SELinux by example" and other places on
the Web about how using dyntransition is a bad idea. Is that true in this
case, and if so is there a better way to get a similar degree of isolation
without taking the performance hit that a CGI-based environment would cost?
Second, in RHEL 5, is there a way to constrain my httpd_portal_app_t to have
its permission set bounded by that of httpd_t? That is, so
that httpd_portal_app_t cannot have any privileges that httpd_t does not
have? I see that some versions of SELinux are able to enforce this with the
"typebounds" command, but that doesn't seem to be available in RHEL 5? That
would help me ensure that this domain could only make things more secure,
not less.
Third, since my main goal here is to prevent processes from interacting with
each other inappropriately, I would like to prevent each HTTP worker from
reading any information from "/proc" for other HTTP workers. Currently they
are allowed to do this, because they all run in the same domain. Is there
any way to prevent this?
Finally, if anybody has any thoughts or suggestions from doing similar
applications, your thoughts are appreciated.
Thanks!
-----Scott.
13 years
AVC report from command line
by vishesh kumar
I am new to SELinux. Can anyone guide me on how to view the AVC report from the
command line in Fedora? I am accessing my server through SSH and I
have no graphical interface to work with.
--
http://linuxmantra.com
13 years, 1 month
New file getting different context than what restorecond specifies
by Luis Fernando Muñoz Mejías
Hello, list.
I'm having quite some difficulties in understanding some SELinux
behaviour, and Google is not helping...
On an RHEL6-based system using the targeted policy, when we create our
.k5login files, they get the context of their parent directory, and
*not* the one specified in the policy for .k5login. Calling restorecon
gives them the correct context, but I would expect it to be correct
since the file is created.
The file_contexts file looks like this:
19:/root(/.*)? system_u:object_r:admin_home_t:s0
2353:/root/\.k5login -- system_u:object_r:krb5_home_t:s0
And the behaviour we get is:
************************************************************
# Initial status:
~ # sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted
~ # LANG=C ls -a .k5login
ls: cannot access .k5login: No such file or directory
# Create the file
~ # echo foo@CERN.CH > .k5login
~ # ls -Z .k5login
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 .k5login
# But restorecon gives it the correct context!!
~ # restorecon .k5login
~ # ls -Z .k5login
-rw-r--r--. root root system_u:object_r:krb5_home_t:s0 .k5login
************************************************************
I would expect that newly-created files wouldn't need a restorecon,
unless the policy changed or they were created when SELinux was
disabled. Am I wrong? Or is it a bug in the policy?
Thanks a lot.
PS: I suppose this problem applies to other files, we've been hit with
.k5login first (users couldn't SSH in).
PPS: I'm using: selinux-policy-targeted-3.7.19-54.el6.noarch
--
Luis Fernando Muñoz Mejías
Luis.Fernando.Munoz.Mejias@cern.ch
13 years, 1 month
HOWTO Logging tcp binding on permissive mode
by François Chenais
Hello,
I would like to log process binding on tcp ports > 1023.
"On YYYY/MM/DD hh:mm:ss, which account ran the process X listening on
port aaaa"
Is there any way to do this with SELinux in permissive mode?
- using the system policy?
- creating a new policy ?
- ... ?
Thanks a lot in advance !
François
13 years, 1 month
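Added example (not from the post): the report asked for above can be assembled from the audit log by joining each name_bind AVC record with the SYSCALL record that shares its audit serial, because the uid/auid of the binding process are only in the latter. In permissive mode a bind the policy would refuse is still written as a "denied" AVC; a bind the policy permits is only recorded if an auditallow rule for name_bind on the port type is added. The log lines below are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit records (not from the post): an AVC for a TCP bind on
# port 8080 and the SYSCALL record carrying the same audit serial (...:6), which
# is where the uid/auid of the binding process are recorded.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1295191072.769:6): avc:  denied  { name_bind } for  pid=1847 comm="python" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1295191072.769:6): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7fff0a1c a2=10 a3=0 items=0 ppid=1 pid=1847 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="python" exe="/usr/bin/python" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

# Epoch and serial in "audit(EPOCH.MS:SERIAL)"; present both in audit.log
# ("type=AVC msg=audit(...)") and in kernel-log style lines ("type=1400 audit(...)").
AUDIT_ID_RE = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*)\} for .*?\bpid=(\d+) comm="([^"]*)"')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group every record sharing an audit serial into one event.

    Returns {serial: {"epoch": int, "avc": [...], "fields": {...}}}; key=value
    fields of all records of the event (AVC and SYSCALL) are merged into one dict.
    """
    events = {}
    for line in text.splitlines():
        m = AUDIT_ID_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"epoch": int(m.group(1)), "avc": [], "fields": {}})
        ev["fields"].update((k, v.strip('"')) for k, v in FIELD_RE.findall(line))
        avc = AVC_RE.search(line)
        if avc:
            ev["avc"].append({"result": avc.group(1), "perms": avc.group(2).split(),
                              "pid": int(avc.group(3)), "comm": avc.group(4)})
    return events


def tcp_bind_report(text, min_port=1024):
    """One line per TCP name_bind AVC on a port >= min_port, in the form the post asks for."""
    lines = []
    for serial, ev in sorted(parse_records(text).items(), key=lambda kv: int(kv[0])):
        f = ev["fields"]
        for avc in ev["avc"]:
            if "name_bind" not in avc["perms"] or f.get("tclass") != "tcp_socket":
                continue
            port = int(f.get("src", -1))  # for name_bind, src= carries the port number
            if port < min_port:
                continue
            when = datetime.fromtimestamp(ev["epoch"], tz=timezone.utc).strftime("%Y/%m/%d %H:%M:%S")
            lines.append("On %s UTC, uid=%s (auid=%s) ran %s (pid %d) binding TCP port %d [%s]"
                         % (when, f.get("uid", "?"), f.get("auid", "?"),
                            f.get("exe", avc["comm"]), avc["pid"], port, avc["result"]))
    return lines


if __name__ == "__main__":
    print("\n".join(tcp_bind_report(SAMPLE_AUDIT_LOG)))
```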
Right context for /var/spool/cron/crontabs/root
by Luciano Furtado
Hi group,
Why is the context of the crontab spool directory set to <<none>>
in /etc/selinux/default/contexts/files/file_contexts?
/var/spool/cron/crontabs/.* -- <<none>>
I am getting the following AVC messages:
[ 17.600000] type=1400 audit(1295191072.769:6): avc: denied { read }
for pid=1847 comm="cron" name="root" dev=xvda ino=106585
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=file
[ 17.600000] type=1400 audit(1295191072.769:7): avc: denied {
getattr } for pid=1847 comm="cron" path="/var/spool/cron/crontabs/root"
dev=xvda ino=106585 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=file
Is cron_spool_t the right context for this file?
Best Regards.
Luciano
13 years, 2 months
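The matching that restorecon performs, re-implemented in miniature as an added example (not code from either post above): file_contexts is read only by restorecon, setfiles and matchpathcon, while the kernel labels a newly created file from type_transition rules or, absent one, from its parent directory, which is why the fresh .k5login carries admin_home_t until restorecon runs. The checker reports what restorecon would change for a list of observed labels, honouring the `--` regular-file filter from the .k5login post and the `<<none>>` entry from the crontab spool post, which tells restorecon to leave matching files alone; the sample entries are constructed.

```python
import re
import stat

# The specs quoted in the two posts (grep -n line numbers dropped). The "--"
# column restricts a spec to regular files; "<<none>>" means "do not relabel".
FILE_CONTEXTS = r"""
/root(/.*)?                      system_u:object_r:admin_home_t:s0
/root/\.k5login               -- system_u:object_r:krb5_home_t:s0
/var/spool/cron/crontabs/.*   -- <<none>>
"""

# file_contexts type filters mapped to the st_mode file-type bits they select.
FILE_TYPES = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK, "-c": stat.S_IFCHR,
              "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK, "-p": stat.S_IFIFO}

# Constructed sample of what `ls -Z` / stat report: (path, st_mode, observed context).
SAMPLE_ENTRIES = [
    ("/root/.k5login", 0o100644, "unconfined_u:object_r:admin_home_t:s0"),  # the post's case
    ("/root/.bashrc", 0o100644, "system_u:object_r:admin_home_t:s0"),
    ("/var/spool/cron/crontabs/root", 0o100600, "system_u:object_r:file_t:s0"),
]


def parse_file_contexts(text):
    """Return [(compiled regex, type filter or None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            regex, ctx = parts
            ftype = None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))  # specs match the whole path
    return specs


def expected_context(specs, path, mode):
    """Context of the last matching spec (the one restorecon applies), or None when
    nothing matches or the winning spec is <<none>>."""
    winner = None
    for regex, ftype, ctx in specs:
        if ftype and FILE_TYPES[ftype] != stat.S_IFMT(mode):
            continue  # spec is restricted to another file type
        if regex.match(path):
            winner = ctx
    return None if winner == "<<none>>" else winner


def check_labels(specs, entries):
    """Entries whose type differs from the spec'd one, as (path, observed, expected).
    Like restorecon without -F, only the type component is compared."""
    bad = []
    for path, mode, observed in entries:
        expected = expected_context(specs, path, mode)
        if expected and observed.split(":")[2] != expected.split(":")[2]:
            bad.append((path, observed, expected))
    return bad
```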
Re: mod_passenger and Rails 3 module work
by Erinn Looney-Triggs
Ah, sorry I should have been clearer this is on a RHEL 5 setup, so as
far as I know this all has to be generated by hand, unless it is
possible for me to pull the module from fedora, then of course I would
have to make my ruby and passenger install conform to what is expected.
Yeah I know this is not a policy per se, and this is one of my rubs with
SELinux, it takes a lot of research and understanding to get to the
point of being able to generate policy that anyone can have confidence
in. It was a bit simpler albeit looser with DAC, and sadly we just end
up hoping that someone who knows what they are doing will make a policy
for us, or sit down and study SELinux for a month or two and take a
whack at it ourselves. Any good book recommendations? I have read
through SELinux by Example as that seems to be the most recommended, but
there doesn't seem to be much published in the last 4 years or so.
I don't like what audit2allow has done here, it isn't audit2allow's
fault, it is just a matter of the huge number of requests that passenger
is putting through the system, why for instance does it need access to
syslogd_t, or crond_t, or snmpd_t? Trying to deduce from where these
access calls are coming and if/why they are needed is difficult for me.
Anyway, I am sure Fedora will get there, but this little module may have
to suffice for my needs (back in the olden days) on RHEL 5.
-Erinn
13 years, 2 months
smartd and 3ware
by Ruben Kerkhof
I'm getting some AVCs when smartd starts and tries to read the 3ware
character devices /dev/twa[0-9]
The boolean smartmon_3ware is on.
Running restorecon on the character devices relabels the character
devices to fixed_device_disk_t and everything works fine, but
something is labeling them as device_t at boot.
I've found some closed bugs in bugzilla, but all of them with a fix
for smartmontools. I'm guessing the issue is somewhere else. The
kernel?
Kind regards,
Ruben Kerkhof
13 years, 2 months
mod_passenger and Rails 3 module work
by Erinn Looney-Triggs
This is a lot of groping about in the dark for me with SELinux so please
excuse any completely absurd choices I made :).
I posted before about getting a setup working with mod_passenger, I was
able to work things around such that mod_passenger worked fine with
selinux enabled. I came up with this small policy:
module myruby 1.0;
require {
type httpd_tmp_t;
type lib_t;
type httpd_t;
type tmp_t;
class sock_file { write create unlink getattr setattr };
class capability { fowner fsetid };
class file { read getattr execute_no_trans };
class fifo_file { create unlink getattr setattr };
}
#============= httpd_t ==============
allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
allow httpd_t lib_t:file execute_no_trans;
allow httpd_t self:capability { fowner fsetid };
allow httpd_t tmp_t:file { read getattr };
It worked just fine though I had a bit of a gripe with the execute on
lib_t, this was due to the mod_passenger module being automatically
labelled as lib_t (it was located in /usr/local/ruby/lib, hence the
labelling), but I couldn't really change things as they were in
production. Well now we are going through an upgrade to Rails 3 and it
is not playing nicely with SELinux again, so around we go with
audit2allow, this time I changed the passenger module to be labelled
like all the other apache modules (httpd_modules_t), and there are a few
other executables that Passenger requires, I labelled them as apache
modules as well (for better or worse, I tried httpd_script_t as well
thinking that it would fit better, but I don't know if it makes much
difference). However, after many runs through audit2allow the outcome is
pretty vulgar:
module myruby 1.0;
require {
type unconfined_t;
type semanage_t;
type hplip_t;
type setrans_t;
type mysqld_t;
type syslogd_t;
type getty_t;
type xfs_t;
type initrc_t;
type irqbalance_t;
type httpd_modules_t;
type snmpd_t;
type tmp_t;
type avahi_t;
type rpm_t;
type gpm_t;
type unconfined_execmem_t;
type restorecond_t;
type init_t;
type httpd_tmp_t;
type ntpd_t;
type fsdaemon_t;
type postfix_master_t;
type auditd_t;
type udev_t;
type postfix_qmgr_t;
type audisp_t;
type system_dbusd_t;
type cupsd_t;
type inetd_t;
type portmap_t;
type postfix_pickup_t;
type kernel_t;
type setfiles_t;
type hald_t;
type apmd_t;
type crond_t;
type rpcd_t;
type httpd_t;
class capability { fowner sys_resource fsetid };
class process ptrace;
class dir { getattr search };
class file { read getattr execute_no_trans };
class sock_file { write create unlink getattr setattr };
}
#============= httpd_t ==============
allow httpd_t apmd_t:dir { getattr search };
allow httpd_t apmd_t:file read;
allow httpd_t audisp_t:dir { getattr search };
allow httpd_t audisp_t:file read;
allow httpd_t auditd_t:dir { getattr search };
allow httpd_t auditd_t:file read;
allow httpd_t avahi_t:dir { getattr search };
allow httpd_t avahi_t:file read;
allow httpd_t crond_t:dir { getattr search };
allow httpd_t crond_t:file read;
allow httpd_t cupsd_t:dir { getattr search };
allow httpd_t cupsd_t:file read;
allow httpd_t fsdaemon_t:dir { getattr search };
allow httpd_t fsdaemon_t:file read;
allow httpd_t getty_t:dir { getattr search };
allow httpd_t getty_t:file read;
allow httpd_t gpm_t:dir { getattr search };
allow httpd_t gpm_t:file read;
allow httpd_t hald_t:dir { getattr search };
allow httpd_t hald_t:file read;
allow httpd_t hplip_t:dir { getattr search };
allow httpd_t hplip_t:file read;
allow httpd_t httpd_modules_t:file execute_no_trans;
allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
allow httpd_t inetd_t:dir { getattr search };
allow httpd_t inetd_t:file read;
allow httpd_t init_t:dir { getattr search };
allow httpd_t init_t:file read;
allow httpd_t initrc_t:dir { getattr search };
allow httpd_t initrc_t:file read;
allow httpd_t irqbalance_t:dir { getattr search };
allow httpd_t irqbalance_t:file read;
allow httpd_t kernel_t:dir { getattr search };
allow httpd_t kernel_t:file read;
allow httpd_t mysqld_t:dir { getattr search };
allow httpd_t mysqld_t:file read;
allow httpd_t ntpd_t:dir { getattr search };
allow httpd_t ntpd_t:file read;
allow httpd_t portmap_t:dir { getattr search };
allow httpd_t portmap_t:file read;
allow httpd_t postfix_master_t:dir { getattr search };
allow httpd_t postfix_master_t:file read;
allow httpd_t postfix_pickup_t:dir { getattr search };
allow httpd_t postfix_pickup_t:file read;
allow httpd_t postfix_qmgr_t:dir { getattr search };
allow httpd_t postfix_qmgr_t:file read;
allow httpd_t restorecond_t:dir { getattr search };
allow httpd_t restorecond_t:file read;
allow httpd_t rpcd_t:dir { getattr search };
allow httpd_t rpcd_t:file read;
allow httpd_t rpm_t:dir { getattr search };
allow httpd_t rpm_t:file read;
allow httpd_t self:capability { fowner sys_resource fsetid };
allow httpd_t self:process ptrace;
allow httpd_t semanage_t:dir getattr;
allow httpd_t setfiles_t:dir getattr;
allow httpd_t setrans_t:dir { getattr search };
allow httpd_t setrans_t:file read;
allow httpd_t snmpd_t:dir { getattr search };
allow httpd_t snmpd_t:file read;
allow httpd_t syslogd_t:dir { getattr search };
allow httpd_t syslogd_t:file read;
allow httpd_t system_dbusd_t:dir { getattr search };
allow httpd_t system_dbusd_t:file read;
allow httpd_t tmp_t:file { read getattr };
allow httpd_t udev_t:dir { getattr search };
allow httpd_t udev_t:file read;
allow httpd_t unconfined_execmem_t:dir { getattr search };
allow httpd_t unconfined_execmem_t:file read;
allow httpd_t unconfined_t:dir { getattr search };
allow httpd_t unconfined_t:file read;
allow httpd_t xfs_t:dir { getattr search };
allow httpd_t xfs_t:file read;
This seems like an absurd amount of access to me, it gets things going
but really? Anyone have a bit of experience with mod_passenger and Rails
3, any insight? Now I did go through and manually prune out what I
thought was wrong and came up with this (this was when I was testing the
httpd_sys_script type, just mentally change it to httpd_t):
module myruby 1.0;
require {
type httpd_tmp_t;
type httpd_sys_script_t;
type devpts_t;
type httpd_t;
type tmp_t;
type udev_tbl_t;
class process { ptrace setpgid getsched };
class sock_file { write create unlink getattr setattr };
class capability { kill sys_resource dac_override
dac_read_search chown fsetid setgid setuid fowner };
class chr_file { read write ioctl };
class file { read getattr execute_no_trans };
class fifo_file { create unlink getattr setattr };
class lnk_file read;
class dir search;
class unix_stream_socket connectto;
}
#============= httpd_t ==============
allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
allow httpd_t self:capability { fowner fsetid };
allow httpd_t tmp_t:file { read getattr };
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t devpts_t:chr_file { read write ioctl };
allow httpd_sys_script_t self:capability { kill dac_read_search fsetid
sys_resource setuid setgid fowner chown dac_override };
allow httpd_sys_script_t self:process { getsched setpgid };
allow httpd_sys_script_t udev_tbl_t:lnk_file read;
allow httpd_sys_script_t devpts_t:dir search;
System works, passenger runs etc. but an obscene amount of logs are
being pumped into the audit logs for each of those directory reads etc.
I suppose I could add dontaudit rules (not that I know how). But again
seeking any other insights into this.
Thanks,
-Erinn
13 years, 2 months