[sandbox] modifying the Xephyr window title (patch)
by Christoph A.
Hi,
If most of your windows are sandboxed applications, your bar looks like:
[Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..]
and it is hard to find a specific application.
example of a current Xephyr title:
Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox
with the modification in the attached patch titles will look like:
/usr/bin/firefox (sandbox_web_t)
and it should be easier to find a specific application.
In addition to the type I would find it handy to also include the
DISPLAY in the title (needed when using xsel for copy'n paste).
The second patch only adds '-nolisten tcp' to Xephyr, but if there are
use cases where one needs Xephyr to open a listener this patch will
break things.
regards,
Christoph A.
btw: secon's manpage doesn't contain the '-l' option.
11 years, 3 months
Policy for CouchDB
by Michael Milverton
Hi,
I'm in the process of writing a policy for couchdb (nosql database). I'm
using the selinux-polgengui and eclipse slide tools to help. I've hit a road
block because it won't start but I'm not getting any more AVC's. I'm
wondering if anybody might be able to offer some clue about getting more
AVC's from it because if it won't talk to me I can't get much further.
The only entries in audit.log are:
type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=?
terminal=? res=success'
type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=?
addr=? terminal=? res=success'
type=USER_END msg=audit(1309362790.640:1345): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:session_close acct="couchdb" exe="/sbin/runuser" hostname=?
addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1309362790.641:1346): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=?
terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=':
comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=?
addr=? terminal=? res=failed'
Now, it will start fine (and run) when it is unlabeled (not what I want of
course). Couchdb runs under the username/group couchdb but I haven't added
any transition rules for this yet (any help on this would be appreciated).
FC FILE:
/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/bin/couchjs -- gen_context(system_u:object_r:couchdb_exec_t,s0)
TE FILE:
policy_module(couchdb,1.0.0)
require {
type bin_t;
type fs_t;
type proc_t;
}
type couchdb_t;
domain_type(couchdb_t)
permissive couchdb_t;
# Access to shared libraries
libs_use_ld_so(couchdb_t)
libs_use_shared_libs(couchdb_t)
miscfiles_read_localization(couchdb_t)
dev_read_urand(couchdb_t)
# Type for the daemon
type couchdb_exec_t;
files_type(couchdb_exec_t)
domain_entry_file(couchdb_t, couchdb_exec_t)
init_daemon_domain(couchdb_t, couchdb_exec_t)
# Logging
logging_send_syslog_msg(couchdb_t)
logging_log_file(couchdb_t)
# Temp files
type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)
manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })
#type couchdb_config_t;
files_read_etc_files(couchdb_t)
# /bin/basename and some others
allow couchdb_t bin_t:file { read getattr open execute execute_no_trans };
allow couchdb_t fs_t:filesystem getattr;
allow couchdb_t proc_t:file { read getattr open };
allow couchdb_t self:fifo_file { read write getattr };
# Not sure about this
auth_domtrans_chk_passwd(couchdb_t)
# Not sure about this either.
domain_use_interactive_fds(couchdb_t)
Any clues, tips, advice would be most appreciated
Thanks
11 years, 6 months
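A note on the one record above that actually reports the failure: it is a SERVICE_START record from init_t, i.e. systemd telling the audit log that the unit failed, not an AVC. Its exe= field is hex-encoded because the value contains a space; audit does this for any string field with awkward characters. The following script is an added example (not from the post or from the CouchDB project) that decodes such fields with plain POSIX sh, using the two records quoted above joined onto single lines:

```sh
#!/bin/sh
# Added example: decode hex-encoded field values in Linux audit records.
# The two sample records are the ones from the post, each on one line.

SAMPLE_SERVICE_START="type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm=\"couchdb\" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed'"
SAMPLE_CRED_ACQ="type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct=\"couchdb\" exe=\"/sbin/runuser\" hostname=? addr=? terminal=? res=success'"

# Turn a run of hex byte pairs back into text, two digits at a time, with
# nothing but POSIX printf (no xxd/od dependency).  A newline byte would be
# lost to command substitution, which does not matter for path fields.
audit_hex_decode() {
  hex=$1
  out=""
  while [ -n "$hex" ]; do
    byte=${hex%"${hex#??}"}          # first two hex digits
    hex=${hex#??}                    # the rest
    out="$out$(printf "\\$(printf '%03o' "0x$byte")")"
  done
  printf '%s' "$out"
}

# Raw value of KEY in an audit record; surrounding double quotes removed.
audit_field() {
  printf '%s\n' "$1" | sed -n "s/.*[ ']$2=\([^ ']*\).*/\1/p" | sed 's/^"\(.*\)"$/\1/'
}

# Value of a *string* field (exe=, comm=, proctitle=), hex-decoded when audit
# encoded it, i.e. an unquoted even-length run of hex digits.  Numeric
# fields such as pid= must not be passed through this.
audit_field_decoded() {
  v=$(audit_field "$1" "$2")
  case $v in
    "") return 1 ;;
    *[!0-9A-Fa-f]*) printf '%s' "$v" ;;
    *) if [ $(( ${#v} % 2 )) -eq 0 ]; then audit_hex_decode "$v"; else printf '%s' "$v"; fi ;;
  esac
}

# One line per SERVICE_* record: which unit, which binary reported, result.
report_service_records() {
  printf '%s\n' "$1" | grep '^type=SERVICE_' | while IFS= read -r rec; do
    printf '%s exe=%s res=%s\n' "$(audit_field "$rec" comm)" \
      "$(audit_field_decoded "$rec" exe)" "$(audit_field "$rec" res)"
  done
}

report_service_records "$SAMPLE_SERVICE_START"
```

Decoded, the field reads "/bin/systemd (deleted)": the record is systemd's own report that the couchdb unit did not start, and the real error will be in the unit's output (systemctl status / the journal), not in the AVC log. If the start really is an SELinux problem, the missing AVCs are most likely hidden by dontaudit rules; `semodule -DB` rebuilds the policy with all dontaudit rules disabled so the denials become visible, and `semodule -B` restores them afterwards.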
selinux denial not appearing in logs
by Edward Harvey
How can this happen? It's getting denied, but not appearing in either the
audit log or the messages file. Running Centos 6 fully updated, php
(drupal) inside of httpd tries to send mail via postfix (postdrop).
When I have setenforce 0, the mail goes through. No errors in any logs
(audit.log, error_log, messages)
When I have setenforce 1, the mail gets blocked. I get this message in
httpd error_log:
sendmail: fatal: execvp /usr/sbin/postdrop: Permission
denied
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 1
sendmail: fatal: email(a)example.com(48): unable to execute /usr/sbin/postdrop
-r: Success
I have auditd running. In fact, I regularly use audit2allow to create allow
policies on this machine. So I can confidently say normally my selinux
denials get logged in the audit.log. I am at a loss to think of any reason
this particular failure is not getting logged the same way my other error
messages usually get logged.
I believe I can write a custom allow script by hand, but I believe I
probably shouldn't, or if I try, it will fail for some reason.
Thanks for your help...
11 years, 9 months
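The symptom described above (blocked under enforcing, works under permissive, no AVC anywhere) is the signature of a dontaudit rule: the policy deliberately suppresses the audit record for that denial. `semodule -DB` rebuilds the loaded policy with every dontaudit rule disabled, after which the denial shows up in audit.log like any other and audit2allow can be used on it; `semodule -B` puts the dontaudit rules back. The script below is an added example, not from the post or from any SELinux tool, of the check a practitioner would script first: pair the "execvp ...: Permission denied" lines from an application log with AVC records from audit.log and list the executables for which no AVC exists. Both sample logs are constructed for the example.

```sh
#!/bin/sh
# Added example: find exec refusals that have no matching AVC record.
# Such a gap means either a dontaudit rule masked the denial or the
# refusal was not SELinux at all (DAC mode bits, a noexec mount).

SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1300000000.001:10): avc:  denied  { execute } for  pid=1234 comm="sh" name="other" dev=sda1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=USER_START msg=audit(1300000000.002:11): user pid=1 uid=0 msg='op=PAM:session_open acct="root" exe="/bin/login" res=success'
EOF
)

SAMPLE_ERRLOG=$(cat <<'EOF'
sendmail: fatal: execvp /usr/sbin/postdrop: Permission denied
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 1
sh: fatal: execvp /usr/bin/other: Permission denied
EOF
)

# Paths named in "execvp PATH: Permission denied" messages, one per line.
exec_denied_paths() {
  printf '%s\n' "$1" | sed -n 's/.*execvp \([^:]*\): Permission denied.*/\1/p' | sort -u
}

# True when the audit log holds an AVC denial naming this path, either by
# the name= base name the kernel logs or by a full path= when present.
avc_explains() {
  path=$1 base=${1##*/}
  printf '%s\n' "$2" | grep -Eq "avc: +denied .*(name=\"$base\"|path=\"$path\")"
}

# Executables the kernel refused with no AVC to show for it.
unexplained_exec_denials() {
  exec_denied_paths "$2" | while IFS= read -r path; do
    avc_explains "$path" "$1" || printf '%s\n' "$path"
  done
}

unexplained_exec_denials "$SAMPLE_AUDIT" "$SAMPLE_ERRLOG"   # /usr/sbin/postdrop
```

On a real host the first argument would be the output of `ausearch -m avc -ts recent` and the second the relevant slice of error_log. Anything the script lists is a candidate for the `semodule -DB` round trip; a hand-written allow module for a denial you cannot see is guesswork, which is why the author's instinct not to write one is sound.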
NetworkManager / OpenVPN Certificates
by Jeroen van Meeuwen
Hi there,
I wanted to ask what the proper location is to store client OpenVPN
certificates, if any exists.
With SELinux enforcing the targeted policy, the following occurs on
attempting to connect to a VPN:
type=AVC msg=audit(1324632910.570:383): avc: denied { read } for
pid=4098 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169
scontext=system_u:system_r:openvpn_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1324632910.570:383): arch=c000003e syscall=2
success=no exit=-13 a0=7fff58e16ec9 a1=0 a2=1b6 a3=238 items=0 ppid=4095
pid=4098 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn"
subj=system_u:system_r:openvpn_t:s0 key=(null)
When I setenforce 0, the following happens:
type=MAC_STATUS msg=audit(1324633028.994:384): enforcing=0
old_enforcing=1 auid=1000 ses=2
type=SYSCALL msg=audit(1324633028.994:384): arch=c000003e syscall=1
success=yes exit=1 a0=3 a1=7fffda4ea5f0 a2=1 a3=0 items=0 ppid=4032
pid=4145 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=2 comm="setenforce" exe="/usr/sbin/setenforce"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1324633034.039:385): avc: denied { read } for
pid=4149 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169
scontext=system_u:system_r:openvpn_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1324633034.039:385): avc: denied { open } for
pid=4149 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169
scontext=system_u:system_r:openvpn_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1324633034.039:385): arch=c000003e syscall=2
success=yes exit=5 a0=7fff96303ec9 a1=0 a2=1b6 a3=238 items=0 ppid=4146
pid=4149 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn"
subj=system_u:system_r:openvpn_t:s0 key=(null)
For the vanmeeuwen.crt client certificate, there's also a
vanmeeuwen.key and a ca.crt, BTW, but the latter two never trigger an
audit trail (though have the same selinux context).
I have stored the certificates in a directory tree in ~/.openvpn, with
one directory per VPN connection, BTW, for which I recognize there is no
separate custom context definition in
/etc/selinux/targeted/contexts/files/.
Kind regards,
Jeroen van Meeuwen
--
Senior Engineer, Kolab Systems AG
e: vanmeeuwen at kolabsys.com
t: +44 144 340 9500
m: +44 74 2516 3817
w: http://www.kolabsys.com
pgp: 9342 BF08
11 years, 9 months
Custom SNMP scripts
by Frederick William New
Hi,
Is there a recommended way of setting up custom SNMP (net-snmp) scripts used for monitoring the status of software or hardware RAID, Web site hits, etc.? I created a special directory for them - /usr/local/snmp/bin/, and then let sealert and audit2allow tell me what to do. My snmpScripts.te on a server with software RAID looks like this:
module snmpScripts 1.0;
require {
type snmpd_t;
type proc_mdstat_t;
type usr_t;
class file { ioctl execute read open getattr execute_no_trans };
}
#============= snmpd_t ==============
Is there a better or more secure way of doing this?
Fred New
Systems administrator
Elion Ettevõtted AS
Tallinn, Estonia
11 years, 9 months
procmail prevented from delivering mail
by Lester M Petrie
Hi
When I try to have procmail deliver my email, I get the following avc messages:
type=AVC msg=audit(1323699624.572:2022): avc: denied { write } for pid=18801 comm="procmail" name="local-mail" dev=sdd10 ino=7471567 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1323699624.572:2022): arch=c000003e syscall=2 success=no exit=-13 a0=cba680 a1=441 a2=1b7 a3=1 items=0 ppid=18799 pid=18801 auid=4294967295 uid=14060 gid=100 euid=14060 suid=14060 fsuid=14060 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1323699624.572:2023): avc: denied { write } for pid=18801 comm="procmail" name="inbox" dev=sdd10 ino=12714135 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1323699624.572:2023): arch=c000003e syscall=2 success=no exit=-13 a0=cb7b50 a1=c1 a2=1b7 a3=65642d6e697373 items=0 ppid=18799 pid=18801 auid=4294967295 uid=14060 gid=100 euid=14060 suid=14060 fsuid=14060 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
I am running Fedora 15 with a KDE 4.7.4 desktop, and am using kmail2. When I try to create and install a local
policy to allow this access, a .pp file is created, but installing fails with the following messages.
libsepol.print_missing_requirements: procmail's global requirements were not met: type/attribute procmail_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
The .pp file is
module procmail 1.0;
require {
type data_home_t;
type procmail_t;
class dir write;
class file append;
}
#============= procmail_t ==============
#!!!! The source type 'procmail_t' can write to a 'dir' of the following types:
# user_home_t, var_log_t, procmail_log_t, user_home_dir_t, tmp_t, mail_spool_t, nfs_t
allow procmail_t data_home_t:dir write;
allow procmail_t data_home_t:file append;
I can relabel the mail directory as user_home_t, and procmail works, but I haven't found how to make the
relabel survive a general machine relabel. Any help would be appreciated.
--
Lester M Petrie
865-574-5259
petrielmjr(a)ornl.gov
11 years, 9 months
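The OpenVPN post and the procmail post above are the same problem from two sides: a confined daemon (openvpn_t, procmail_t) is refused access to files carrying a generic home type (user_home_t, data_home_t). The durable fix is not an allow rule but a label the domain is already permitted to reach, which is what the "#!!!! The source type 'procmail_t' can write to a 'dir' of the following types" comment from audit2allow is hinting at, and which sesearch lists in full. The script below is an added example (not from either post) that reduces the two quoted AVC records to source/target/class/perms, prints the sesearch query that enumerates the already-allowed target types, and prints the semanage/restorecon pair that makes a relabel survive a full relabel of the machine. The path passed to relabel_cmds is a placeholder.

```sh
#!/bin/sh
# Added example: from an AVC record to a label-based fix.  The two records
# are the ones quoted in the OpenVPN and procmail posts, joined onto one line.

SAMPLE_OPENVPN_AVC='type=AVC msg=audit(1324632910.570:383): avc: denied { read } for pid=4098 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
SAMPLE_PROCMAIL_AVC='type=AVC msg=audit(1323699624.572:2022): avc: denied { write } for pid=18801 comm="procmail" name="local-mail" dev=sdd10 ino=7471567 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=dir'

# Value of " KEY=" in an AVC record, surrounding double quotes stripped.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | sed 's/^"\(.*\)"$/\1/'
}

# Type component of a user:role:type[:range] security context.
ctx_type() {
  rest=${1#*:}; rest=${rest#*:}    # drop user and role
  printf '%s' "${rest%%:*}"        # keep the type, drop any MLS range
}

# "source_type target_type class perm..." for one AVC record.
avc_summary() {
  perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p')
  printf '%s %s %s %s\n' "$(ctx_type "$(avc_field "$1" scontext)")" \
    "$(ctx_type "$(avc_field "$1" tcontext)")" "$(avc_field "$1" tclass)" "$perms"
}

# Query listing every target type the source domain may already reach with
# these permissions on this class; pick the file label from that list.
avc_sesearch_cmd() {
  set -- $(avc_summary "$1")
  src=$1 cls=$3
  shift 3
  printf 'sesearch -A -s %s -c %s -p %s\n' "$src" "$cls" "$(printf '%s' "$*" | tr ' ' ',')"
}

# Record the chosen type in the local file-context database, then apply it.
# A plain chcon is undone by the next full relabel; this is not.
relabel_cmds() {
  printf "semanage fcontext -a -t %s '%s(/.*)?'\nrestorecon -Rv '%s'\n" "$1" "$2" "$2"
}

avc_summary "$SAMPLE_PROCMAIL_AVC"                # procmail_t data_home_t dir write
avc_sesearch_cmd "$SAMPLE_OPENVPN_AVC"            # sesearch -A -s openvpn_t -c file -p read
relabel_cmds user_home_t /home/USER/local-mail    # placeholder path
```

Two things worth checking with that query on the poster's systems: the targeted policy gives `~/.cert` the type home_cert_t, which openvpn_t is allowed to read, so client certificates kept there need no extra policy; and the procmail module failed to install because it is named `procmail`, the same as the distribution module that defines procmail_t, so loading it replaces that module and the type it requires disappears. A local module needs a distinct name, but for this case the relabel route is the better one anyway.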
Looking for directory paths...
by Arthur Dent
Hello all,
When I get a SEL alert it refers only to the actual directory and not
the full pathname. For example:
SELinux is preventing /usr/sbin/smbd from create access on the directory 05.
The advice for fixing this alert is probably useful but without knowing
the full path is actually completely useless:
If you want to allow smbd to have create access on the 05 directory
Then you need to change the label on '05'
Do
# semanage fcontext -a -t samba_share_t '05'
# restorecon -v '05'
The problem is - I don't know where directory "05" is. It's probably
some temporary cache file or some such and trying to even find its
parent directory with a name like "05" makes using 'locate' or 'find'
really quite hard work.
In this case the alert(s) (there were several - each with a different
numerical directory name) were actually caused when I tried to sync my
iPhone using iTunes installed on a Windows XP virtual machine running
under VirtualBox on this Fedora 16 host, accessing the music library via
a Samba share on a separate partition on the Fedora 16 box.... Yeah... I
know....
But anyway - if I could find the full path of the directory in question
I *might* be able to take a closer look at where the problem lies...
Thanks in advance for any help or suggestions.
Mark
11 years, 9 months
RE: Looking for directory paths...
by Arthur Dent
>> From: Arthur Dent
>> Sent: 11 December 2011 13:49
>>
>> Hello all,
>>
>> When I get a SEL alert it refers only to the actual directory and
>> not the full pathname. For example:
>>
>> SELinux is preventing /usr/sbin/smbd from create access on the
>> directory 05.
>>
>> The advice for fixing this alert is probably useful but without knowing
>> the full path is actually completely useless:
>>
>> If you want to allow smbd to have create access on the 05 directory
>> Then you need to change the label on '05'
>> Do
>> # semanage fcontext -a -t samba_share_t '05'
>> # restorecon -v '05'
>>
>> The problem is - I don't know where directory "05" is. It's probably
>> some temporary cache file or some such and trying to even find its
>> parent directory with a name like "05" makes using 'locate' or 'find'
>> really quite hard work.
>>
>> In this case the alert(s) (there were several - each with a different
>> numerical directory name) were actually caused when I tried to sync my
>> iPhone using iTunes installed on a Windows XP virtual machine running
>> under VirtualBox on this Fedora 16 host, accessing the music library
>> via a Samba share on a separate partition on the Fedora 16 box....
>> Yeah... I know....
>>
>> But anyway - if I could find the full path of the directory in question
>> I *might* be able to take a closer look at where the problem lies...
>>
>> Thanks in advance for any help or suggestions.
>>
>> Mark
>
> If you get the device and inode from the the AVC message you can use
> find's -inum option to look for the inode number on the device's
> filesystem rather than -name.
>
Ha! That looks useful. I can't try it at the moment because, although I
can ssh into that machine from work - I can't reproduce the event from the
command line. I will try as soon as I can...
Thanks again...
Mark
11 years, 9 months
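The dev=/ino= route suggested in the reply works because the kernel logs the base name of the block device and the inode number of the object, and find(1) can search a filesystem by inode with -inum. The setroubleshoot alert text hides those two fields; the raw record comes from `ausearch -m avc -ts recent` or from the alert's full details in sealert. The script below is an added example, not from the thread, that builds the find command from a record and a mount table; the smbd record and the mount table are constructed samples, since the thread quotes only the alert text.

```sh
#!/bin/sh
# Added example: AVC dev=/ino= fields to a find -inum command.

SAMPLE_SMBD_AVC='type=AVC msg=audit(1323600000.000:99): avc: denied { write } for pid=2211 comm="smbd" name="05" dev=sdb5 ino=655401 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# Constructed mount table in /proc/mounts layout: device, mount point, ...
SAMPLE_MOUNTS=$(cat <<'EOF'
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-home /home ext4 rw,relatime 0 0
/dev/sdb5 /srv/music ext4 rw,relatime 0 0
EOF
)

# Value of " KEY=" in an AVC record, surrounding double quotes stripped.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | sed 's/^"\(.*\)"$/\1/'
}

# Mount point of the filesystem whose device base name equals DEV.  For a
# dev=dm-N record, map N to its mapper name first (dmsetup ls prints the
# major:minor pair; ls -l /dev/mapper shows the symlinks) or feed a table
# that already uses /dev/dm-N in the first column.
mountpoint_for_dev() {
  dev=$1
  printf '%s\n' "$2" | while read -r src mnt rest; do
    if [ "${src##*/}" = "$dev" ]; then printf '%s\n' "$mnt"; break; fi
  done
}

# The find invocation for one AVC record: -inum selects by inode number,
# -xdev keeps the search on that filesystem.  Hard links give several
# paths; a temporary object already removed gives none.
avc_find_cmd() {
  dev=$(avc_field "$1" dev) ino=$(avc_field "$1" ino)
  [ -n "$dev" ] && [ -n "$ino" ] || { echo "record carries no dev=/ino= fields" >&2; return 1; }
  mnt=$(mountpoint_for_dev "$dev" "$2")
  [ -n "$mnt" ] || { echo "device $dev not found in mount table" >&2; return 1; }
  printf "find '%s' -xdev -inum %s\n" "$mnt" "$ino"
}

avc_find_cmd "$SAMPLE_SMBD_AVC" "$SAMPLE_MOUNTS"   # find '/srv/music' -xdev -inum 655401
```

On the host itself the second argument is simply `"$(cat /proc/mounts)"`, and the printed command can be run as root. A create denial like the one in the alert names an object that does not exist yet, so its record may lack dev=/ino=; the function refuses those, and the matching write denial on the parent directory is the one to use instead.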
IPTables labeling and user roles
by Konstantin Ryabitsev
Hi, all:
Here's an interesting idea I had. Let's say my users have two ways of
logging in to the systems -- one via a VPN that requires 2-factor
authentication, and another directly via ssh using their public key.
Is there a way to use pam in conjunction with iptables packet labeling
to make sure that if the users logged in via VPN, they get user_u, but
if they went directly, they only get guest_u?
Or, similarly, if a sysadmin logs in via the VPN that required 2-factor
authn, they get sysadm_u, and if directly, then just user_u?
I think that would be kinda neat, but I'm not sure it Works That Way
(TM).
Best regards,
--
Konstantin Ryabitsev
Systems Administrator
Linux Foundation, kernel.org
Montréal, Québec
11 years, 9 months