[sandbox] modifying the Xephyr window title (patch)
by Christoph A.
Hi,
If most of your windows are sandboxed applications, your bar looks like:
[Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..]
and it is hard to find a specific application.
example of a current Xephyr title:
Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox
with the modification in the attached patch titles will look like:
/usr/bin/firefox (sandbox_web_t)
and it should be easier to find a specific application.
In addition to the type I would find it handy to also include the
DISPLAY in the title (needed when using xsel for copy'n paste).
The second patch only adds '-nolisten tcp' to Xephyr, but if there are
use cases where one needs Xephyr to open a listener this patch will
break things.
regards,
Christoph A.
btw: secon's manpage doesn't contain the '-l' option.
10 years, 11 months
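As an added illustration (not Christoph's patch, which is not reproduced on this page), the title rewrite he describes applied in Python to the title string quoted above: the SELinux type is pulled out of the context, the command is moved to the front, and the DISPLAY can optionally be appended as he suggests. The `display` parameter and the bracket notation for it are assumptions.

```python
import re
from typing import Optional

# Current Xephyr title format quoted in the post:
#   "Sandbox <context> -- <command>"
# The context in the example is "<type>:<level>" (sandbox_web_t:s0:c112,c991);
# a full "<user>:<role>:<type>:<level>" context is handled as well.
TITLE_RE = re.compile(r"^Sandbox (?P<ctx>\S+) -- (?P<cmd>.+)$")


def context_type(ctx: str) -> str:
    """Return the type component (the one ending in _t) of an SELinux context.
    Splitting on ':' is safe: the MCS categories use ',' and '.', never ':'."""
    for part in ctx.split(":"):
        if part.endswith("_t"):
            return part
    raise ValueError(f"no type component in context {ctx!r}")


def rewrite_title(title: str, display: Optional[str] = None) -> str:
    """Rewrite 'Sandbox <ctx> -- <cmd>' to '<cmd> (<type>)'.

    If display is given (e.g. ':10', hypothetical), it is appended in brackets.
    Titles that are not in the sandbox format are returned unchanged, so the
    function can be applied to every window title without harm."""
    m = TITLE_RE.match(title)
    if not m:
        return title
    new_title = f"{m['cmd']} ({context_type(m['ctx'])})"
    if display:
        new_title += f" [{display}]"
    return new_title
```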
Policy for CouchDB
by Michael Milverton
Hi,
I'm in the process of writing a policy for couchdb (NoSQL database). I'm
using the selinux-polgengui and eclipse slide tools to help. I've hit a
roadblock because it won't start but I'm not getting any more AVCs. I'm
wondering if anybody might be able to offer some clue about getting more
AVCs from it, because if it won't talk to me I can't get much further.
The only entries in audit.log are:
type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1309362790.640:1345): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1309362790.641:1346): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed'
Now, it will start fine (and run) when it is unlabeled (not what I want of
course). Couchdb runs under the username/group couchdb but I haven't added
any transition rules for this yet (any help on this would be appreciated).
FC FILE:
/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/bin/couchjs -- gen_context(system_u:object_r:couchdb_exec_t,s0)
TE FILE:
policy_module(couchdb,1.0.0)
require {
type bin_t;
type fs_t;
type proc_t;
}
type couchdb_t;
domain_type(couchdb_t)
permissive couchdb_t;
# Access to shared libraries
libs_use_ld_so(couchdb_t)
libs_use_shared_libs(couchdb_t)
miscfiles_read_localization(couchdb_t)
dev_read_urand(couchdb_t)
# Type for the daemon
type couchdb_exec_t;
files_type(couchdb_exec_t)
domain_entry_file(couchdb_t, couchdb_exec_t)
init_daemon_domain(couchdb_t, couchdb_exec_t)
# Logging
logging_send_syslog_msg(couchdb_t)
logging_log_file(couchdb_t)
# Temp files
type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)
manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })
#type couchdb_config_t;
files_read_etc_files(couchdb_t)
# /bin/basename and some others
allow couchdb_t bin_t:file { read getattr open execute execute_no_trans };
allow couchdb_t fs_t:filesystem getattr;
allow couchdb_t proc_t:file { read getattr open };
allow couchdb_t self:fifo_file { read write getattr };
# Not sure about this
auth_domtrans_chk_passwd(couchdb_t)
# Not sure about this either.
domain_use_interactive_fds(couchdb_t)
Any clues, tips, advice would be most appreciated
Thanks
11 years, 2 months
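A first check a policy writer wants on records like the ones posted above is to parse them and decode the unquoted hex value in the SERVICE_START line: the audit subsystem hex-encodes string fields that contain spaces or other characters it does not trust, so the `exe=` value is only readable once decoded. The parser below is an added example, not part of the post; the two log lines embedded in it are a constructed copy of records quoted in the message, and the field list in `STRING_FIELDS` is an assumption about which keys carry strings.

```python
import re
from typing import Dict, List

# Constructed copy of two of the records posted above, one record per line
# (the hex exe= value is exactly the one in the SERVICE_START record).
AUDIT_LOG = """\
type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed'
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Keys that carry strings (assumed list); audit emits these as unquoted
# upper-case hex when the value contains spaces or other untrusted characters.
STRING_FIELDS = {"exe", "comm", "acct", "cwd", "path", "proctitle", "name"}


def decode_value(key: str, raw: str) -> str:
    """Strip quotes from quoted values; hex-decode string fields, nothing else
    (numeric fields such as auid=4294967295 must never be hex-decoded)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in STRING_FIELDS and re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit record, including the fields inside msg='...'."""
    head, _, body = line.strip().partition("msg='")
    rec: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(head + " " + body.rstrip("'")):
        rec[key] = decode_value(key, raw)
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def summarize(records: List[Dict[str, str]]) -> Dict[str, object]:
    """What matters when a domain will not start: how many AVC records there
    are, and which records ended in res=failed (with subject and decoded exe)."""
    failed = [(r["type"], r.get("subj", ""), r.get("comm", ""), r.get("exe", ""))
              for r in records if r.get("res") == "failed"]
    return {"avc_count": sum(r["type"] == "AVC" for r in records), "failed": failed}
```

On the posted records the summary reports zero AVC entries and a single failure, init's SERVICE_START for comm="couchdb", whose exe= decodes to "/bin/systemd (deleted)".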
How to get targeted policy source code
by Anh-Duy Vu
Friends,
Please show me how to obtain the policy source of the targeted type for Fedora 15,
similar to what is located at /etc/selinux/repolicy/src in the Reference
Policy provided by NSA.
I downloaded the selinux-policy-3.9,16-39.fc15.src.rpm package and rebuilt it
(rpmbuild --rebuild <package-name>).
The results of these steps are the installation files for the targeted, mls ...
types.
But they do not contain what I want.
--
Best regards,
Anh-Duy Vu
11 years, 7 months
Allowing not sysadm_t access to change root password
by David Cafaro
Hello All,
I've been beating my head into a wall on this issue and was hoping
someone else might have a clue.
I have a new domain, call it "mytool_t", that needs to be able to change
root's password. The problem is I just can't seem to find the right
rules/macros for the job.
The source context will be root:system_r:mytool_t.
It will be running the passwd command and transitioning to
root:system_r:passwd_t. That is, if I can get it past the check that only the
root user is allowed to change root's password. Here's the command line error:
passwd: root:system_r:mytool_t:s0-s0:c0.c1023 is not authorized to
change the password of root.
UID, gid, groups, etc in the DAC side of things are 0.
Permissive mode reports no selinux errors and the password change works
(I'm assuming that passwd is detecting permissive mode).
But enforcing stops it cold.
Here's some example of the relevant policy I've used to try and get this
to work:
# For access to passwd program
type_transition mytool_t passwd_exec_t:process passwd_t;
domain_auto_trans(mytool_t,passwd_exec_t,passwd_t);
usermanage_run_admin_passwd(mytool_t,system_r)
allow mytool_t passwd_exec_t:file { read getattr open execute };
Any help is appreciated.
David
11 years, 7 months
SELinux Bug!!
by Ankur Singh
Hi,
I got a message when I installed CodeWarrior. How can I remove it?
Error Message:
SELinux is preventing /usr/libexec/gdm-session-worker "read write" access on /root.
Detailed Description:
SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:admin_home_t:s0
Target Objects /root [ dir ]
Source gdm-session-wor
Source Path /usr/libexec/gdm-session-worker
Port <Unknown>
Host localhost.localdomain
Source RPM Packages gdm-2.30.2-1.fc13
Target RPM Packages filesystem-2.4.31-1.fc13
Policy RPM selinux-policy-3.7.19-10.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.33.3-85.fc13.i686.PAE #1 SMP Thu May 6 18:27:11 UTC 2010 i686 i686
Alert Count 36
First Seen Mon 03 Oct 2011 11:21:13 AM IST
Last Seen Wed 12 Oct 2011 09:30:55 PM IST
Local ID 2e70d8b3-2ffb-4f41-adce-23c7453c8a5c
Thanks in Advance
Regards
Ankur Singh
Larsen & Toubro Limited
www.larsentoubro.com
11 years, 7 months
New HIPS based on SELinux
by Hramchenko
Hi all.
I have created a new host intrusion prevention system based on SELinux.
It's focused on protecting the user's data.
One of the main goals was to create a lightweight replacement for
setroubleshootd.
I hope my program will be useful for SELinux users.
The project home page:
https://github.com/Hramchenko/userdatadefence/
With respect, Hramchenko Vitaliy.
11 years, 8 months
Relabeling PHP uploads when they are moved into place
by Scott Gifford
PHP uploads files into a temporary directory, where they are given the label
"httpd_tmp_t". When a PHP script processes them, it calls
move_uploaded_file (http://php.net/manual/en/function.move-uploaded-file.php) to
move the newly uploaded file into its final location. This function does
some validity checks, then does a rename(2) from the temporary location to
the location passed to move_uploaded_file.
The problem is that after the rename, the file still retains its original
label, "httpd_tmp_t". That makes it inconsistent with files and directories
which weren't uploaded, and requires some policy gymnastics to take into
account that anything that could have been uploaded might have the
"httpd_tmp_t" type.
I am wondering if there is some good way to automatically relabel this file
when it is renamed?
I would like for the PHP application to work on SELinux and non-SELinux
systems, so I would prefer not to make calls out to SELinux-specific scripts
and programs (like restorecon). What I would really like is some
configuration option that would just relabel files according to their
destination when they are rename(2)'d, but that may be asking too much. :-)
Thanks for any advice,
-----Scott.
11 years, 8 months