sandbox cleanup?
by Christoph A.
Hi,
I just noticed that I have over 100 processes running in the
sandbox_web_client_t domain, although I closed all my sandbox windows.
ps auxZ|grep sandbox_web_client_t|grep -c /usr/libexec/gvfsd
52
ps auxZ|grep sandbox_web_client_t|grep -c '/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session'
51
Shouldn't they be killed after I closed all sandbox windows?
Kind regards,
Christoph
12 years, 5 months
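The count above is per command name only. Leftover sandbox helpers are easier to reason about when grouped by the MCS level of their label, because `sandbox` assigns each instance its own pair of categories, so the level tells you which sandbox window the processes belonged to. The following is an added example, not part of the original post: two shell functions that read `ps -eZ`-style output (LABEL PID TTY TIME CMD) on stdin and report, for a given domain, the number of processes per level and command, and the matching PIDs. The `SAMPLE_PS` text is constructed to look like such output; the domain name sandbox_web_client_t and the category pairs in it are taken from or modelled on the post.

```shell
#!/bin/bash
# Constructed sample in the shape of `ps -eZ` output (not captured from a real system).
SAMPLE_PS='LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c345 4211 ? 00:00:00 gvfsd
unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c345 4212 ? 00:00:00 dbus-daemon
unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c345 4213 ? 00:00:00 gvfsd
unconfined_u:unconfined_r:sandbox_web_client_t:s0:c77,c98 4301 ? 00:00:00 gvfsd
unconfined_u:unconfined_r:sandbox_web_client_t:s0:c77,c98 4302 ? 00:00:00 dbus-daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1234 pts/0 00:00:00 bash'

# sandbox_leftovers DOMAIN: print "LEVEL COUNT COMM" for every process whose label
# carries DOMAIN as its type, grouped by MCS level (one level per sandbox instance).
sandbox_leftovers() {
  awk -v domain="${1:-sandbox_web_client_t}" '
    NR > 1 && index($1, ":" domain ":") {
      n = split($1, f, ":")
      # f[1]=user f[2]=role f[3]=type; everything after is the level, rejoined on ":"
      level = f[4]
      for (i = 5; i <= n; i++) level = level ":" f[i]
      count[level SUBSEP $NF]++
    }
    END {
      for (k in count) {
        split(k, p, SUBSEP)
        printf "%s %d %s\n", p[1], count[k], p[2]
      }
    }' | LC_ALL=C sort
}

# sandbox_pids DOMAIN: print the PID of every process running in DOMAIN,
# suitable for inspection with `ps` or for `xargs kill` once no sandbox window is open.
sandbox_pids() {
  awk -v domain="${1:-sandbox_web_client_t}" 'NR > 1 && index($1, ":" domain ":") { print $2 }'
}

# Stand-alone run over the constructed sample; on a live system use: ps -eZ | sandbox_leftovers
printf '%s\n' "$SAMPLE_PS" | sandbox_leftovers sandbox_web_client_t
```

On a live system the functions are fed with `ps -eZ | sandbox_leftovers sandbox_web_client_t`; a level that still shows gvfsd and dbus-daemon entries after its window has been closed is the sandbox whose helpers were not cleaned up.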
sandbox: open new firefox tab from outside
by Christoph A.
Hi,
I was using firefox within sandboxes for a while without perm. home
directory.
To store bookmarks, addons and so on, I started to use perm. homedir (-H).
Because firefox does not allow multiple concurrent sessions (lock on
.mozilla) it is not possible to open multiple websites when specifying
the same sandbox homedir, hence I'm looking for a possibility to open
new websites within a running sandbox from outside.
Without sandboxes everyone can open new websites in a running firefox
instance using:
firefox -remote "openurl(http://www.mozilla.org)"
sandbox scenario:
1. step:
start firefox:
sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
2. step:
sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox -remote "openurl(http://www.mozilla.org)"
My current attempts fail because I'm unable to use the '-l' option
(#632377), but would the policy allow the 'firefox -remote' command if
type and security level match those of the already running sandbox?
kind regards,
Christoph
12 years, 7 months
eggdrop policy module
by Luciano Furtado
Hi Group,
Does eggdrop have a SELinux policy module? If so, starting on which Fedora
version?
I am looking to get the sources for it, build / install it on my Debian
installation, which doesn't seem to have a module for it.
Best Regards.
Luciano
12 years, 8 months
[PATCH] serefpolicy: named getattr AVC accessing /dev/random
by Ted Toth
When I was configuring a local dns server I noticed the following AVC:
type=AVC msg=audit(1301591991.675:24730): avc: denied { getattr }
for pid=23587 comm="named" path="/dev/random" dev=dm-0 ino=533878
scontext=system_u:system_r:named_t:s0
tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file
[root@localhost BUILD]# find / -inum 533878
/var/named/chroot/dev/random
I've included a proposed patch below.
Ted
--- serefpolicy-3.9.7/policy/modules/services/bind.fc.orig 2011-03-31
12:54:32.128829155 -0500
+++ serefpolicy-3.9.7/policy/modules/services/bind.fc 2011-03-31
12:58:11.849410409 -0500
@@ -60,4 +60,6 @@
/var/named/chroot/var/named/named\.ca --
gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/dev/random -- gen_context(system_u:object_r:random_device_t:s0)
+/var/named/chroot/dev/zero -- gen_context(system_u:object_r:zero_device_t:s0)
')
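Review bot: both added lines will never match the files they are meant to label, because the `--` specifier restricts a file_contexts entry to regular files, while /dev/random and /dev/zero inside the chroot are character devices (the AVC in the description shows tclass=chr_file for path="/dev/random"); use `-c` instead. The new entries also put a colon between the type and the level, `gen_context(system_u:object_r:random_device_t:s0)`, whereas every other line in this hunk passes the level as a separate argument, as in `gen_context(system_u:object_r:named_log_t,s0)`. Suggested replacement lines: `/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)` and `/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)`. Finally, the description only explains the /dev/random denial; a sentence on why /dev/zero is added alongside it would help.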
12 years, 8 months
sandbox: changed handling of /tmp (2.0.83-33.7.fc13.x86_64)
by Christoph A.
Hi,
This post might be of interest to you if, since today's update in F13,
specific sandboxes are no longer working.
I used to open files from the internet via sandboxes.
For example firefox uses the following bash script to open pdf files:
#!/bin/bash
# Open the file(s) firefox hands us in an X sandbox; "$@" keeps paths with spaces intact
sandbox -X -w 1432x821 evince "$@"
This is originally from Dan's blog:
http://danwalsh.livejournal.com/31247.html?thread=214031
Since today, this no longer works due to changes in the handling of /tmp
(firefox stores the downloaded file in /tmp).
Today the policycoreutils package was updated (2.0.83-33.7.fc13.x86_64).
The changes mention the handling of /tmp:
"fix to sandbox - Fix seunshare to use more secure handling of /tmp -
Rewrite seunshare to make sure /tmp is mounted stickybit owned by root"
https://admin.fedoraproject.org/updates/policycoreutils-2.0.83-33.7.fc13?...
which is probably related to Tavis Ormandy's post on FD
http://seclists.org/fulldisclosure/2011/Feb/585
I worked around the issue and modified the bash script:
#!/bin/bash
# Stage the downloaded file outside /tmp (the sandbox now gets a private /tmp),
# open the copy in the sandbox, then remove only that copy.
stage="$HOME/.tmp"
mkdir -p "$stage"
cp -- "$1" "$stage/"
sandbox -X -w 1432x821 evince "$stage/$(basename -- "$1")"
rm -f -- "$stage/$(basename -- "$1")"
This quick hack works for me, but maybe there is a nicer way ;)
kind regards,
Christoph
12 years, 8 months
i get this on rawhide.
by Dominick Grift
$ sesearch --allow -SC -T | grep unconfined_login
ERROR: policydb version 25 does not match my version range 15-24
ERROR: Unable to open policy /etc/selinux/targeted/policy/policy.25.
ERROR: Success
By the way: it looks like, if I set unconfined_login to off, then
sulogin_t is not allowed to execute shell_exec_t?
12 years, 8 months
3 what looks like bugs in rawhide policy
by Dominick Grift
1. unconfined_login boolean does not work.
2. either userdom_use_user_terminals needs "open" for user_devpts_t or
we have to allow $1_sudo_t open access to user_devpts_t:chr_file.
(allow staff_sudo_t user_devpts_t:chr_file open;)
3. mount needs to mounton var_lock_t directories.
(allow mount_t var_lock_t:dir mounton;)
12 years, 8 months
Restrict httpd network connections to a specific network interface?
by Mark Montague
Fedora 14; httpd is working correctly, but the
httpd_can_network_connect boolean grants more access than I want. I'd
like httpd to be able to open connections on any port, but only via a
specific network interface (lo0) and no others (eth0, etc.), while still
accepting HTTP connections on all interfaces.
I've set up iptables to label all packets in and out of the loopback
interface:
iptables -t mangle -A INPUT -i lo -j SECMARK --selctx system_u:object_r:loopback_packet_t:s0
iptables -t mangle -A OUTPUT -o lo -j SECMARK --selctx system_u:object_r:loopback_packet_t:s0
and have permitted httpd to send and receive these:
allow httpd_t loopback_packet_t:packet { send recv };
allow httpd_sys_script_t loopback_packet_t:packet { send recv };
But the problem is that this does not permit httpd to connect:
type=AVC msg=audit(1299866424.466:17033): avc: denied { name_connect }
for pid=28402 comm="test-script" dest=9000
scontext=unconfined_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
Adding the following TE rule of course permits httpd to connect via any
interface (equivalent to turning on httpd_can_network_connect):
allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
What am I missing? Any suggestions? I've searched the web but haven't
found anything. Thanks in advance for any help.
--
Mark Montague
mark(a)catseye.org
12 years, 8 months
logrotate accessing /root avc messages
by Luciano Furtado
Hey Guys,
Any ideas why logrotate is trying to access /root, as shown by the AVC
message below:
lrfurtado:~# ausearch -ts today
----
time->Thu Mar 24 06:25:45 2011
type=SYSCALL msg=audit(1300947945.464:26): arch=40000003 syscall=5
success=no exit=-13 a0=88404c0 a1=8000 a2=0 a3=8000 items=0 ppid=13192
pid=13193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate"
exe="/usr/sbin/logrotate"
subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300947945.464:26): avc: denied { search } for
pid=13193 comm="logrotate" name="root" dev=xvda ino=401409
scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
Is this the issue described here:
https://bugzilla.redhat.com/show_bug.cgi?id=471463
For now I have added :
allow logrotate_t unconfined_home_dir_t:dir search;
to my local module to shut up the AVC messages. Is there any way to stop
logrotate from generating those AVC messages other than adding the allow
rule above?
Best Regards.
Luciano
12 years, 8 months
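Three posts in this digest (named and /dev/random, httpd and name_connect, logrotate and /root) each contain a raw AVC denial and a hand-written allow rule derived from it. The following is an added example, not part of any of the posts: a shell function that reads AVC lines on stdin and prints the corresponding `allow` (or, with an argument, `dontaudit`) rule, extracting the source and target types from the third field of scontext/tcontext so that MLS ranges such as s0-s0:c0.c1023 are dropped. `SAMPLE_AVCS` holds the three denials from the posts, reflowed onto one line each; the function name avc_to_rule is an assumption of this example.

```shell
#!/bin/bash
# The three AVC denials quoted in the posts above, one per line (reflowed, otherwise verbatim).
SAMPLE_AVCS='type=AVC msg=audit(1301591991.675:24730): avc: denied { getattr } for pid=23587 comm="named" path="/dev/random" dev=dm-0 ino=533878 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file
type=AVC msg=audit(1299866424.466:17033): avc: denied { name_connect } for pid=28402 comm="test-script" dest=9000 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300947945.464:26): avc: denied { search } for pid=13193 comm="logrotate" name="root" dev=xvda ino=401409 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir'

# avc_to_rule [allow|dontaudit]: read AVC lines on stdin and print one TE rule per denial:
#   KIND SRC_TYPE TGT_TYPE:CLASS { PERMS };
# Lines that are not "avc: denied" records, or lack any of the four fields, are skipped.
avc_to_rule() {
  awk -v kind="${1:-allow}" '
    /avc: *denied/ {
      perms = ""; src = ""; tgt = ""; cls = ""
      # permissions are the words between "{" and "}"
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
        else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
        else if (kv[1] == "tclass")   { cls = kv[2] }
      }
      if (src != "" && tgt != "" && cls != "" && perms != "")
        printf "%s %s %s:%s { %s };\n", kind, src, tgt, cls, perms
    }'
}

# Stand-alone run over the sample; on a live system: ausearch -m avc -ts today | avc_to_rule
printf '%s\n' "$SAMPLE_AVCS" | avc_to_rule
```

The output is the same blanket rule the posters wrote by hand, which is where the real decision starts rather than ends: the named denial is a mislabelled /dev/random inside the chroot and is fixed with a file context, not an allow rule, and for a denial that is harmless but noisy, `avc_to_rule dontaudit` produces the rule that silences the message without granting the access.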
Re: nginx policy
by Dominick Grift
On 03/18/2011 11:41 AM, Mossburg wrote:
> On Mon, Mar 14, 2011 at 11:58 AM, Mossburg <mossburg79(a)gmail.com> wrote:
>>>>> On 03/14/2011 10:07 AM, Mossburg wrote:
>>>>>> I'm currently trying to write a policy for the nginx webserver.
>>>>>
>>>>> It is probably better to make this webserver run in the httpd_t domain.
>>>>
>>>> It was my first idea, but I didn't know if it was a good idea to use an
>>>> existing policy, written for a specific process.
>>>>
>>>>> That means that you would have to add file context specifications for
>>>>> some files included with the nginx package:
>>>>>
>>>>> its executable file, configuration file, pid file, log, lib and init
>>>>> script file.
>>>>
>>>> To make it permanent i would have to write a policy only with a .fc file ?
>>>>
>>>>> You did not include your nginx.fc file and so i cannot suggest these
>>>>> changes.
>>>>
>>>> # nginx executable will have:
>>>> # label: system_u:object_r:nginx_exec_t
>>>> # MLS sensitivity: s0
>>>> # MCS categories: <none>
>>>>
>>>> /usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0)
>>>
>>> to test (temporary label)
>>> chcon -t httpd_exec_t /usr/sbin/nginx
>>>
>>> to make it permanent locally
>>> semanage fcontext -a -t httpd_exec_t /usr/sbin/nginx
>>>
>>>> /var/run/nginx.pid gen_context(system_u:object_r:nginx_var_run_t,s0)
>>>
>>> semanage fcontext -a -t httpd_var_run_t /var/run/nginx.pid
>>>
>>>> /var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_var_log_t,s0)
>>>
>>> to test (temporary label)
>>>
>>> chcon -R -t httpd_log_t /var/log/nginx
>>>
>>> to make permanent locally
>>>
>>> semanage fcontext -a -t httpd_log_t "/var/log/nginx(/.*)?"
>>>
>>>> /var/lib/nginx(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)
>>>
>>> chcon -R -t httpd_var_lib_t /var/lib/nginx
>>>
>>> semanage fcontext -a -t httpd_var_lib_t "/var/lib/nginx(/.*)?"
>>>
>>>> /etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
>>>
>>> chcon -R -t httpd_config_t /etc/nginx
>>>
>>> semanage fcontext -a -t httpd_config_t "/etc/nginx(/.*)?"
>>>
>>> use existing apache locations/types:
>>>
>>> default system webroot:
>>>
>>> /var/www
>>>
>>>
>>> you can also just add the above fc specs to a .fc file (you may need to
>>> require the types used in the fc file in your te file)
>>>
>>> Instead i would just use chcon or semanage fcontext plus restorecon.
>>> Once you confirmed that it works, you can suggest your changes upstream
>>> so that Fedora /refpolicy can make the changes to the apache module.
>
>
> Hi Dominick,
>
> What you suggested seems to work. Thanks again for your help.
> How can I suggest these changes upstream?
>
I have submitted a patch upstream here:
http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html
12 years, 8 months