Getting kmotion under selinux's control.
by Dan Thurman
I am trying to bring kmotion under control of SELinux,
so how can I do it?
1) I tried context httpd_exec_t and httpd_t, but neither seems to work,
so out of the zillions of options which do I use, as these files are
apache and python programs. (See log below):
semanage fcontext -a -t httpd_t '/www/kmotion/www/vhosts/kmotion'
semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin'
semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin/*'
And these commands seemed to take without any errors reported
but the context of the directory and files remain unchanged:
-rw-r--r--. <me> <me> unconfined_u:object_r:default_t:s0 /www/kmotion/www/vhosts/kmotion
drwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 cgi_bin
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_arch.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_feeds.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_func.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_load.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_logs.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_out.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_ptz.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_settings_rd.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_settings_wr.py
2) For fun, I also tried these steps for the above files:
chcon -t httpd_t cgi_bin
chcon -t httpd_t cgi_bin/*
And I get: "chcon: failed to change context of <...>: Permission denied.",
however, httpd_exec_t seems to take, but does not shut up SELinux AVC denials.
====================================================
The following is what is reported from setroubleshooter tool
====================================================
Summary:
SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files /www/kmotion/www/vhosts/kmotion.
Detailed Description:
SELinux has denied the httpd access to potentially mislabeled files /www/kmotion/www/vhosts/kmotion. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types,
httpd_mediawiki_htaccess_t, calamaris_www_t, udev_tbl_t, user_cron_spool_t,
httpd_cache_t, httpd_tmp_t, httpd_tmpfs_t, iso9660_t, smokeping_var_lib_t,
shell_exec_t, httpd_w3c_validator_htaccess_t, rpm_tmp_t, mysqld_etc_t,
cvs_data_t, var_lib_t, dirsrvadmin_tmp_t, sendmail_exec_t, cobbler_etc_t,
configfile, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, ld_so_cache_t,
httpd_squirrelmail_t, httpd_php_exec_t, httpd_nagios_htaccess_t, logfile,
httpd_mediawiki_tmp_t, samba_var_t, dirsrv_var_log_t, net_conf_t,
user_tmp_t,
public_content_t, anon_inodefs_t, sysctl_kernel_t, httpd_modules_t,
cert_type,
etc_runtime_t, dirsrv_var_run_t, abrt_var_run_t, httpd_var_lib_t,
httpd_var_run_t, httpd_suexec_exec_t, application_exec_type,
httpd_awstats_htaccess_t, httpd_dirsrvadmin_htaccess_t,
httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t,
httpd_user_htaccess_t, dirsrvadmin_config_t, user_home_t,
httpd_squid_htaccess_t, chroot_exec_t, httpd_munin_htaccess_t,
sysctl_crypto_t,
httpd_sys_content_t, mailman_archive_t, public_content_rw_t,
httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, mailman_data_t,
httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, abrt_t, bin_t,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, httpd_t, lib_t, lib_t, httpd_prewikka_htaccess_t,
usr_t,
passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t,
httpd_rotatelogs_exec_t, abrt_helper_exec_t, httpd_smokeping_cgi_htaccess_t,
nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, ping_exec_t,
cluster_conf_t, locale_t, httpd_unconfined_script_exec_t, etc_t, fonts_t,
fonts_cache_t, httpd_exec_t, ld_so_t, httpd_lock_t, proc_t, httpd_log_t,
sysfs_t, dirsrv_config_t, textrel_shlib_t, krb5_keytab_t, ssh_exec_t,
passenger_exec_t, krb5_conf_t, fail2ban_var_lib_t, httpd_config_t,
rpm_script_tmp_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t,
httpd_prewikka_script_exec_t, httpd_munin_ra_content_t,
httpd_munin_rw_content_t, httpd_sys_script_exec_t, httpd_git_script_exec_t,
httpd_cvs_script_exec_t, root_t, user_home_t,
httpd_dirsrvadmin_script_exec_t,
httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t,
httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t,
httpd_cvs_rw_content_t,
httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t,
httpd_sys_ra_content_t, httpd_sys_rw_content_t,
httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_mediawiki_script_exec_t,
httpd_smokeping_cgi_script_exec_t, httpd_git_content_t,
httpd_user_content_t,
httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t,
httpd_squid_ra_content_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_content_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t,
httpd_smokeping_cgi_rw_content_t, httpd_munin_content_t,
httpd_squid_content_t,
httpd_smokeping_cgi_content_t, httpd_awstats_script_exec_t,
httpd_cvs_content_t,
httpd_sys_content_t, httpd_dirsrvadmin_ra_content_t,
httpd_dirsrvadmin_rw_content_t, httpd_munin_script_exec_t,
httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t,
httpd_prewikka_rw_content_t, httpd_user_script_exec_t,
httpd_bugzilla_content_t,
httpd_cobbler_content_t, httpd_mediawiki_content_t, krb5_host_rcache_t,
httpd_apcupsd_cgi_script_exec_t, httpd_nagios_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_squid_script_exec_t,
httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t,
httpd_awstats_ra_content_t, httpd_awstats_rw_content_t,
httpd_bugzilla_script_exec_t, httpd_awstats_content_t,
httpd_user_ra_content_t,
httpd_user_rw_content_t, httpd_nutups_cgi_content_t. Many third party apps
install html files in directories that SELinux policy cannot predict. These
directories have to be labeled with a file context which httpd can access.
Allowing Access:
If you want to change the file context of /www/kmotion/www/vhosts/kmotion so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/www/kmotion/www/vhosts/kmotion'.
where FILE_TYPE is one of the following: httpd_mediawiki_htaccess_t,
calamaris_www_t, udev_tbl_t, user_cron_spool_t, httpd_cache_t, httpd_tmp_t,
httpd_tmpfs_t, iso9660_t, smokeping_var_lib_t, shell_exec_t,
httpd_w3c_validator_htaccess_t, rpm_tmp_t, mysqld_etc_t, cvs_data_t,
var_lib_t,
dirsrvadmin_tmp_t, sendmail_exec_t, cobbler_etc_t, configfile,
httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, ld_so_cache_t,
httpd_squirrelmail_t, httpd_php_exec_t, httpd_nagios_htaccess_t, logfile,
httpd_mediawiki_tmp_t, samba_var_t, dirsrv_var_log_t, net_conf_t,
user_tmp_t,
public_content_t, anon_inodefs_t, sysctl_kernel_t, httpd_modules_t,
cert_type,
etc_runtime_t, dirsrv_var_run_t, abrt_var_run_t, httpd_var_lib_t,
httpd_var_run_t, httpd_suexec_exec_t, application_exec_type,
httpd_awstats_htaccess_t, httpd_dirsrvadmin_htaccess_t,
httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t,
httpd_user_htaccess_t, dirsrvadmin_config_t, user_home_t,
httpd_squid_htaccess_t, chroot_exec_t, httpd_munin_htaccess_t,
sysctl_crypto_t,
httpd_sys_content_t, mailman_archive_t, public_content_rw_t,
httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, mailman_data_t,
httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, abrt_t, bin_t,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, httpd_t, lib_t, lib_t, httpd_prewikka_htaccess_t,
usr_t,
passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t,
httpd_rotatelogs_exec_t, abrt_helper_exec_t, httpd_smokeping_cgi_htaccess_t,
nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, ping_exec_t,
cluster_conf_t, locale_t, httpd_unconfined_script_exec_t, etc_t, fonts_t,
fonts_cache_t, httpd_exec_t, ld_so_t, httpd_lock_t, proc_t, httpd_log_t,
sysfs_t, dirsrv_config_t, textrel_shlib_t, krb5_keytab_t, ssh_exec_t,
passenger_exec_t, krb5_conf_t, fail2ban_var_lib_t, httpd_config_t,
rpm_script_tmp_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t,
httpd_prewikka_script_exec_t, httpd_munin_ra_content_t,
httpd_munin_rw_content_t, httpd_sys_script_exec_t, httpd_git_script_exec_t,
httpd_cvs_script_exec_t, root_t, user_home_t,
httpd_dirsrvadmin_script_exec_t,
httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t,
httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t,
httpd_cvs_rw_content_t,
httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t,
httpd_sys_ra_content_t, httpd_sys_rw_content_t,
httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_mediawiki_script_exec_t,
httpd_smokeping_cgi_script_exec_t, httpd_git_content_t,
httpd_user_content_t,
httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t,
httpd_squid_ra_content_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_content_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t,
httpd_smokeping_cgi_rw_content_t, httpd_munin_content_t,
httpd_squid_content_t,
httpd_smokeping_cgi_content_t, httpd_awstats_script_exec_t,
httpd_cvs_content_t,
httpd_sys_content_t, httpd_dirsrvadmin_ra_content_t,
httpd_dirsrvadmin_rw_content_t, httpd_munin_script_exec_t,
httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t,
httpd_prewikka_rw_content_t, httpd_user_script_exec_t,
httpd_bugzilla_content_t,
httpd_cobbler_content_t, httpd_mediawiki_content_t, krb5_host_rcache_t,
httpd_apcupsd_cgi_script_exec_t, httpd_nagios_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_squid_script_exec_t,
httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t,
httpd_awstats_ra_content_t, httpd_awstats_rw_content_t,
httpd_bugzilla_script_exec_t, httpd_awstats_content_t,
httpd_user_ra_content_t,
httpd_user_rw_content_t, httpd_nutups_cgi_content_t. You can look at the
httpd_selinux man page for additional information.
Additional Information:
Source Context system_u:system_r:httpd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:default_t:s0
Target Objects /www/kmotion/www/vhosts/kmotion [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host <host>.<domain>.com
Source RPM Packages httpd-2.2.17-1.fc13.1
Target RPM Packages
Policy RPM selinux-policy-3.7.19-101.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name httpd_bad_labels
Host Name <host>.<domain>.com
Platform Linux <host>.<domain>.com
2.6.34.9-69.fc13.i686 #1 SMP
Tue May 3 09:20:30 UTC 2011 i686 i686
Alert Count 1
First Seen Thu 23 Jun 2011 03:53:08 AM PDT
Last Seen Thu 23 Jun 2011 03:53:08 AM PDT
Local ID 6611a91e-3b6b-4ed8-9ac1-a6bf0d08f5ca
Line Numbers
Raw Audit Messages
node=<host>.<domain>.com type=AVC msg=audit(1308826388.806:65944): avc: denied { getattr } for pid=28408 comm="httpd" path="/www/kmotion/www/vhosts/kmotion" dev=sda10 ino=5637335 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
node=<host>.<domain>.com type=SYSCALL msg=audit(1308826388.806:65944): arch=40000003 syscall=195 success=yes exit=0 a0=176fa30 a1=bf903050 a2=994ff4 a3=8000 items=0 ppid=28407 pid=28408 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=335 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0-s0:c0.c1023 key=(null)
12 years, 10 months
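The labeling fix for the situation in the post above, as an added example that is not part of the original message. The report already contains the diagnosis: the target type is default_t, the catch-all type a path gets when no file-context rule matches it, so this is a labeling problem rather than a missing allow rule; and the mode is Permissive, so httpd was only logged, not blocked (the SYSCALL record shows success=yes). Three details explain why the attempts in the post did not take: semanage fcontext patterns are anchored regular expressions, not shell globs, so 'cgi_bin/*' matches nothing below cgi_bin; semanage only records a rule, and nothing on disk changes until restorecon is run; and httpd_t is the domain the httpd process runs in, not a file type, which is why chcon refuses to put it on a file while httpd_exec_t (a real file type, but the one for the httpd binary itself) is accepted. The script uses httpd_sys_content_t for the vhost and content files and httpd_sys_script_exec_t for the CGI programs; the split between the two is an assumption drawn from the posted paths.

```shell
#!/bin/sh
# Added example, not code from the original post: relabel the kmotion
# tree so httpd can serve its content and run its CGI programs. The
# split between static content and CGI is an assumption drawn from the
# posted paths; adjust the two paths to the real layout.

# semanage fcontext takes a regular expression, anchored at both ends.
# This is the usual form for "a directory and everything under it".
# A shell-style 'cgi_bin/*' read as a regex matches only 'cgi_bin'
# followed by zero or more slashes, never the files inside it.
fcontext_spec() {
    printf '%s(/.*)?\n' "$1"
}

# Third colon-separated field of a context (user:role:type:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Names from an ls -Z listing whose type is still $1 (default_t when
# not given). Handles the listing format in the post (mode owner group
# context name) and the newer "context name" form by locating the
# field that holds the context.
still_labeled() {
    awk -v want="${1:-default_t}" '{
        for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) {
            split($i, c, ":")
            if (c[3] == want) print $(i + 1)
            break
        }
    }'
}

# The commands that fix the labeling. Content and vhost files get
# httpd_sys_content_t; CGI programs get httpd_sys_script_exec_t so
# httpd runs them in httpd_sys_script_t. The cgi_bin rule is added
# second and is more specific, so it wins over the content rule.
# semanage only records rules; restorecon is what changes the inodes.
label_commands() {
    root=$1
    cgi=$2
    printf "semanage fcontext -a -t httpd_sys_content_t '%s'\n" "$(fcontext_spec "$root")"
    printf "semanage fcontext -a -t httpd_sys_script_exec_t '%s'\n" "$(fcontext_spec "$cgi")"
    printf "restorecon -Rv '%s'\n" "$root"
}

# Constructed from the listing in the post, with one file already fixed
# to show the filter at work.
SAMPLE_LS='-rw-r--r--. me me unconfined_u:object_r:default_t:s0 /www/kmotion/www/vhosts/kmotion
drwxr-xr-x. me me unconfined_u:object_r:default_t:s0 cgi_bin
-rwxr-xr-x. me me unconfined_u:object_r:default_t:s0 xmlHttp_arch.py
-rwxr-xr-x. me me system_u:object_r:httpd_sys_script_exec_t:s0 xmlHttp_out.py'

echo "still default_t:"
printf '%s\n' "$SAMPLE_LS" | still_labeled
label_commands /www/kmotion/www /www/kmotion/www/www/cgi_bin

# KMOTION_APPLY=1 (as root) runs the commands, then compares what the
# rules say (matchpathcon) with what is on disk (ls -Z).
if [ "${KMOTION_APPLY:-0}" = 1 ]; then
    label_commands /www/kmotion/www /www/kmotion/www/www/cgi_bin | sh -e
    matchpathcon /www/kmotion/www/www/cgi_bin/xmlHttp_out.py
    left=$(ls -Z /www/kmotion/www/www/cgi_bin | still_labeled)
    if [ -z "$left" ]; then echo "all relabeled"; else echo "still default_t: $left"; fi
fi
```

Without KMOTION_APPLY the script only prints the commands, so it can be reviewed before anything is changed; httpd_sys_content_t is read-only for httpd, and any directory kmotion must write to (recordings, logs) needs httpd_sys_rw_content_t added as a further rule of the same shape.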
File Labeling
by mantaray_1
Hi all,
I have a directory which is set to label its contents with a particular
label, and I have a file within this directory that is set to receive a
different label. If this file is deleted, and a new file with the same
name is created, the new file receives the label from the parent
directory instead of its correct label. If I relabel the filesystem,
the file gets the correct label, but I would like to have it labeled
correctly when it is created. Is this possible?
Thanks in advance,
Ken.
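What Ken describes is what SELinux calls a named (filename) type transition: a type_transition rule keyed on the creating domain, the parent directory's type and the file's name, so a file gets its own type at creation instead of inheriting the directory's default. This needs a kernel and policy at policy version 25 or later (Linux 2.6.39 and up); on older systems the fallback is restorecond, which watches the paths listed in /etc/selinux/restorecond.conf and relabels files as they appear. The script below is an added example, not from the post, and it builds and loads such a module with the policy devel Makefile (package selinux-policy-devel). The domain, directory type, file type and file name it uses are placeholders, since the post names none.

```shell
#!/bin/sh
# Added example (not from the original post): build and install a policy
# module with a named file transition, so a file created under a
# directory of one type gets a different type from the directory default
# without a relabel. All values passed to filetrans_te are placeholders.

# Emit .te source for the transition. With policy_module() the object
# classes are already required; only the types need a require block.
filetrans_te() {
    mod=$1 domain=$2 dirtype=$3 filetype=$4 fname=$5
    cat <<EOF
policy_module($mod, 1.0)

require {
    type $domain;
    type $dirtype;
    type $filetype;
}

# When $domain creates a file named "$fname" in a directory labeled
# $dirtype, label it $filetype (policy version 25+, Linux 2.6.39+).
type_transition $domain $dirtype:file $filetype "$fname";
EOF
}

# Build mod.te into mod.pp with the devel Makefile and load it.
# Needs selinux-policy-devel and root for semodule.
install_module() {
    mod=$1
    make -f /usr/share/selinux/devel/Makefile "$mod.pp" || return 1
    semodule -i "$mod.pp"
}

# Create the file and check it carries the expected type with no
# restorecon in between; stat %C prints the SELinux context.
verify_transition() {
    path=$1 filetype=$2
    touch "$path"
    [ "$(stat -c %C "$path" | cut -d: -f3)" = "$filetype" ]
}

# Show the generated module source (unconfined_t is the domain root gets
# in the targeted policy; the other names are placeholders).
filetrans_te app_trans unconfined_t httpd_sys_content_t httpd_sys_rw_content_t upload.log

# INSTALL_MODULE=1 (as root) writes, builds, loads and verifies it.
if [ "${INSTALL_MODULE:-0}" = 1 ]; then
    filetrans_te app_trans unconfined_t httpd_sys_content_t httpd_sys_rw_content_t upload.log > app_trans.te
    install_module app_trans
    verify_transition /var/www/html/upload.log httpd_sys_rw_content_t && echo "transition works"
fi
```

The rule only fires for the domain named in it, so a file created by another domain (say, a shell running as sysadm_t) still gets the directory default; one rule per creating domain is needed if several processes create the file.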
Re: [INFO] New benchmark on SELINUX and Fedora 15 from Phoronix
by Daniel J Walsh
On 06/23/2011 08:58 AM, Pádraig Brady wrote:
> On 23/06/11 12:28, Lennart Poettering wrote:
>> On Thu, 23.06.11 12:58, yersinia (yersinia.spiros(a)gmail.com) wrote:
>>
>>> Greetings
>>>
>>> Perhaps it is of interest to this list that Phonorix has produced a new
>>> benchmark about the performance impact of SELinux on
>>> Fedora 15. Look very good
>>> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2.
>>
>> The biggest impact it has on boot time really. Might be worth measuring that.
>
> A work colleague here did that a couple of days ago.
> To boot to a usable desktop with stock F15 with gdm auto login:
>
> with selinux: 43s
> without selinux: 24s
>
> Hardware is pinetrail netbook (1.6GHz Atom N455).
> 2GB RAM and SSD limited by SATA I interface.
>
> cheers,
> Pádraig.
We have found one problem in libselinux that could account for some of
the slowdown, but not much; this increases the speed of matchpathcon.
We have fixed this in F16.
Tests conducted in Rawhide.
systemd reads in policy file and loads it in the kernel.
# du -m /etc/selinux/targeted/policy/policy.26
7 /etc/selinux/targeted/policy/policy.26
The load_policy command on my T61 does pretty much the equivalent.
# time load_policy
real 0m7.483s
user 0m0.000s
sys 0m2.255s
systemd and udev both load the file_context files and create regexs
based on these files. matchpathcon does the equivalent.
time matchpathcon /dev
/dev system_u:object_r:device_t:s0
real 0m0.069s
user 0m0.012s
sys 0m0.021s
Obviously this is a more powerful machine than the Atom, but I would
figure loading of the policy is the culprit.
Running sshd inside mock
by Paul Howarth
As part of the libssh2 test suite, we run sshd inside mock and see that
we can connect to it successfully. This entails manipulation of some
file contexts in the chroot to get sshd running in sshd_t so that it can
correctly assign a login context when connected to. With the latest mock
(1.1.11), I found I needed the following local policy to achieve this:
policy_module(mock_sshd, 1.0)

require {
	type setfiles_t;
	type sshd_t;
	type mock_var_lib_t;
}

# restorecon under mock needs to execute /%{_lib}/libselinux.so.*
# and read temp file for /proc/filesystems in mock selinux plugin
# and write to a mock_var_lib_t /dev/null
allow setfiles_t mock_var_lib_t:file execute;
allow setfiles_t mock_var_lib_t:chr_file write;
mock_read_lib_files(setfiles_t)
userdom_read_user_tmp_files(setfiles_t)

# Need to run sshd under mock
allow sshd_t mock_var_lib_t:file { execute getattr read open ioctl execute_no_trans };
corenet_tcp_bind_generic_port(sshd_t)
hostname_exec(sshd_t)
mock_manage_lib_chr_files(sshd_t)
mock_manage_lib_symlinks(sshd_t)
mock_search_lib(sshd_t)
I guess a bunch of these are rather too permissive to allow generally?
Paul.
SELinux "upgrade" issues
by Mr Dash Four
Yesterday I upgraded my SELinux policy & tools on my FC13 machine to
bring it up to date with what is distributed with FC15, and later on did
a similar upgrade to the kernel as well (.38, the latest released for
FC15), but SELinux is experiencing a few issues with the kernel. Here is
what I've upgraded:
old:
policycoreutils-python-2.0.83-33.8
policycoreutils-2.0.83-33.8
selinux-policy-3.7.19-101
selinux-policy-targeted-3.7.19-101
libsemanage-2.0.45-1
libsemanage-devel-2.0.45-1
libsemanage-static-2.0.45-1
libsemanage-python-2.0.45-1
libselinux-python-2.0.94-2
libselinux-2.0.94-2
libselinux-devel-2.0.94-2
libselinux-utils-2.0.94-2
libsepol-2.0.41-3
libsepol-devel-2.0.41-3
libsepol-static-2.0.41-3
new:
policycoreutils-python-2.0.86-7
policycoreutils-2.0.86-7
policycoreutils-gui-2.0.86-7
policycoreutils-newrole-2.0.86-7
policycoreutils-restorecond-2.0.86-7
selinux-policy-3.9.16-26
selinux-policy-targeted-3.9.16-26
libsemanage-2.0.46-4
libsemanage-devel-2.0.46-4
libsemanage-static-2.0.46-4
libsemanage-python-2.0.46-4
libselinux-python-2.0.99-4
libselinux-2.0.99-4
libselinux-devel-2.0.99-4
libselinux-utils-2.0.99-4
libsepol-2.0.42-2
libsepol-devel-2.0.42-2
libsepol-static-2.0.42-2
Most of the new SELinux policy & tools above have been compiled from
source - successfully - using the source rpm and just running rpmbuild
with no changes to the .spec file. Everything installed OK, though when
I recompiled and upgraded the kernel, it does boot up and works OK,
though I have this in my syslog from SELinux:
kernel: dracut: Loading SELinux policy
kernel: type=1404 audit(1308450301.855:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
kernel: SELinux: Permission audit_access in class file not defined in policy.
kernel: SELinux: Permission audit_access in class dir not defined in policy.
kernel: SELinux: Permission execmod in class dir not defined in policy.
kernel: SELinux: Permission audit_access in class lnk_file not defined in policy.
kernel: SELinux: Permission open in class lnk_file not defined in policy.
kernel: SELinux: Permission execmod in class lnk_file not defined in policy.
kernel: SELinux: Permission audit_access in class chr_file not defined in policy.
kernel: SELinux: Permission audit_access in class blk_file not defined in policy.
kernel: SELinux: Permission execmod in class blk_file not defined in policy.
kernel: SELinux: Permission audit_access in class sock_file not defined in policy.
kernel: SELinux: Permission execmod in class sock_file not defined in policy.
kernel: SELinux: Permission audit_access in class fifo_file not defined in policy.
kernel: SELinux: Permission execmod in class fifo_file not defined in policy.
kernel: SELinux: Permission syslog in class capability2 not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be allowed
kernel: type=1403 audit(1308450302.288:3): policy loaded auid=4294967295 ses=4294967295
What could be the reason for this?
I remember getting similar messages when I attempted to upgrade the
kernel a couple of months ago from .34 to .37 - I had similar "not
defined in policy" messages then from what I remember, though they were
just a couple and certainly not the amount I am getting above. Is there
any way I could rectify this *without* doing a full upgrade to FC15?
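The messages in the post above mean the running kernel knows permissions (audit_access; execmod and open on non-regular files; the syslog capability in capability2) that the loaded policy does not declare, which is what happens when a kernel is newer than the class and permission definitions the policy was built from. The final line shows the policy was built to allow unknown permissions, so they are granted silently; a policy built to deny them would refuse those accesses instead, and the kernel exposes that setting as deny_unknown in selinuxfs. The script below is an added example, not from the post: it collects the undefined class/permission pairs from such log lines, which is the authoritative list of what the policy lacks, and as a coarse sanity check compares the highest policy version the kernel accepts with the version of the policy file on disk. The sample log lines are constructed from the ones in the post; selinuxfs is assumed at /selinux on kernels before 3.0 and /sys/fs/selinux after.

```shell
#!/bin/sh
# Added example (not from the original post): pull the undeclared
# class/permission pairs out of SELinux boot messages and compare the
# policy version the kernel supports with the version of the policy
# file that was loaded. Sample lines are constructed from the post.

# selinuxfs moved from /selinux to /sys/fs/selinux in Linux 3.0.
selinuxfs() {
    if [ -d /sys/fs/selinux ]; then echo /sys/fs/selinux; else echo /selinux; fi
}

# Print "class permission" for each "Permission X in class Y not defined
# in policy" line on stdin, sorted and de-duplicated.
undefined_perms() {
    sed -n 's/.*SELinux: Permission \([^ ]*\) in class \([^ ]*\) not defined in policy.*/\2 \1/p' |
        sort -u
}

# Highest policy version the running kernel accepts.
kernel_policyvers() {
    cat "$(selinuxfs)/policyvers"
}

# Version of the policy file load_policy picks up: the number after
# "policy." in the policy directory of the store named by SELINUXTYPE
# (targeted unless $1 says otherwise).
installed_policyvers() {
    ls "/etc/selinux/${1:-targeted}/policy/" | sed -n 's/^policy\.\([0-9]*\)$/\1/p' | sort -n | tail -1
}

# 0: unknown permissions are allowed (the case in the post); 1: denied.
deny_unknown() {
    cat "$(selinuxfs)/deny_unknown"
}

# Constructed from the syslog excerpt in the post (one line repeated on
# purpose to show the de-duplication).
SAMPLE_LOG='kernel: SELinux: Permission audit_access in class file not defined in policy.
kernel: SELinux: Permission audit_access in class dir not defined in policy.
kernel: SELinux: Permission execmod in class dir not defined in policy.
kernel: SELinux: Permission syslog in class capability2 not defined in policy.
kernel: SELinux: Permission audit_access in class file not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be allowed'

echo "undefined class/permission pairs:"
printf '%s\n' "$SAMPLE_LOG" | undefined_perms

# Live comparison, only where selinuxfs is mounted. Feed dmesg or
# /var/log/messages into undefined_perms for the real list.
if [ -f "$(selinuxfs)/policyvers" ]; then
    echo "kernel supports policy version $(kernel_policyvers)"
    echo "installed policy file version  $(installed_policyvers)"
    echo "deny_unknown = $(deny_unknown)"
fi
```

A policy file older than the kernel's maximum version is not by itself the problem; what matters is whether the policy's class definitions include the permissions the kernel checks, and the log lines are the direct answer to that. Fixing it means loading a policy built against class definitions that include them.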
Confined Users & SELinux Denials
by Michael Milverton
Hi, firstly thanks for all the great work, Fedora 15 is a nice release and
SELinux has come a long way since I first had a look at it. I followed Dan's
instructions on confining users here:
http://danwalsh.livejournal.com/18312.html. Now that I'm a 'guinea pig'
should I report these denials here or somewhere else or nowhere?
The following processes want read access on ld.so.cache:
setfiles, ssh-keygen, consoletype, systemd-tty-ask-password-agent,
avahi-daemon, nm-dhcp-client.action, smbd, ip, ip6tables-multi, nmbd
ld.so.cache is quite the desirable file apparently, so what's up with this?
Thanks
Michael
clamd -selinux Should I allow?
by Frank Murphy
As I have done a touch /.autorelabel;reboot yesterday,
the next suggestion is below.
Is it safe to do it?
clamd\clamav is used to /home,
or do I click "ignore"?
***** Plugin catchall_labels (23.2 confidence) suggests
********************
If you want to allow clamd to have search access on the selinux directory
Then you need to change the label on /selinux
Do
# semanage fcontext -a -t FILE_TYPE '/selinux'
where FILE_TYPE is one of the following: sysctl_crypto_t, samba_var_t,
amavis_var_lib_t, avahi_var_run_t, clamd_var_log_t, setrans_var_run_t,
net_conf_t, clamd_var_lib_t, clamd_var_run_t, sysctl_t, sysctl_kernel_t,
abrt_t, bin_t, nscd_var_run_t, nslcd_var_run_t, clamd_etc_t, lib_t,
mnt_t, sssd_var_lib_t, root_t, tmp_t, usr_t, var_t, device_t, etc_t,
clamd_tmp_t, amavis_spool_t, proc_t, sysfs_t, var_lib_t, exim_spool_t,
textrel_shlib_t, sysctl_t, bin_t, cert_t, clamd_t, tmp_t,
rpm_script_tmp_t, usr_t, var_t, winbind_var_run_t, security_t, device_t,
devpts_t, locale_t, sssd_public_t, etc_t, proc_t, default_t, etc_mail_t,
sosreport_tmp_t, fail2ban_var_lib_t, likewise_var_lib_t, rpm_tmp_t,
var_run_t, krb5_conf_t, httpd_sys_content_t, rpm_log_t, var_log_t,
var_spool_t, var_lib_t, var_run_t, abrt_var_run_t, var_t, var_log_t,
nscd_var_run_t, pcscd_var_run_t, var_t, var_t, cgroup_t, var_run_t,
var_run_t, root_t, sysfs_t, tmpfs_t.
Then execute:
restorecon -v '/selinux'
--
Regards,
Frank Murphy
UTF_8 Encoded
Friend of fedoraproject.org
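The last two posts are both denials that a file-context change cannot fix, which is worth being able to tell apart from the kmotion case earlier in the thread. /selinux is the selinuxfs mount: the kernel labels it security_t through a genfscon rule in the policy, file contexts and restorecon have no say over it, and the 23.2 confidence setroubleshoot attaches to its catchall_labels guess is its way of saying it is guessing. /etc/ld.so.cache is likewise already labeled as policy intends (ld_so_cache_t), so a burst of denials on it from unrelated programs is not a labeling problem either; each record's scontext says which domain the process was in, which is the first thing a report to the policy maintainers needs. One thing to rule out first: semodule -DB disables dontaudit rules and makes many normally silent denials appear, and semodule -B puts them back. The script below is an added example, not from either post: it summarises raw AVC records by source domain, target type, class, command and permission, and says for each whether relabeling applies at all. The three AVC lines are constructed to match what the posts describe.

```shell
#!/bin/sh
# Added example (not from either post): summarise raw AVC records and
# say for each whether a file-context change can fix it at all.
# The three records below are constructed to match the posts above.

# One field of an AVC record, with or without quotes around the value:
# avc_field comm "$line" -> clamd
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Type (third field) of a security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Types the kernel assigns to pseudo-filesystems through genfscon rules.
# Objects there take their label from policy, never from file contexts,
# so semanage fcontext and restorecon cannot change them.
genfs_type() {
    case "$1" in
        security_t|proc_t|sysfs_t|cgroup_t|debugfs_t|devpts_t) return 0 ;;
        *) return 1 ;;
    esac
}

# What kind of fix a target type calls for.
verdict() {
    if [ "$1" = default_t ]; then
        echo "unlabeled path: semanage fcontext + restorecon"
    elif genfs_type "$1"; then
        echo "genfs target: cannot relabel, needs a rule or boolean"
    else
        echo "labeled as policy intends: check booleans, else report it"
    fi
}

# "sdomain ttype tclass comm perms" for one record; perms last because
# a record may deny several at once ({ read write }).
avc_summary_line() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p')
    printf '%s %s %s %s %s\n' \
        "$(ctx_type "$(avc_field scontext "$1")")" \
        "$(ctx_type "$(avc_field tcontext "$1")")" \
        "$(avc_field tclass "$1")" \
        "$(avc_field comm "$1")" \
        "$perms"
}

# Read records on stdin (ausearch -m avc output works), print a summary
# line and a verdict for each denial.
triage() {
    while IFS= read -r line; do
        case "$line" in *avc:*denied*) ;; *) continue ;; esac
        ttype=$(ctx_type "$(avc_field tcontext "$line")")
        echo "$(avc_summary_line "$line")  [$(verdict "$ttype")]"
    done
}

# Constructed records: the clamd search on selinuxfs, one of the
# ld.so.cache reads, and the kmotion getattr from earlier in the thread.
SAMPLE='type=AVC msg=audit(1308700000.001:10): avc:  denied  { search } for  pid=1234 comm="clamd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1308700000.002:11): avc:  denied  { read } for  pid=1235 comm="setfiles" name="ld.so.cache" dev=sda1 ino=2 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file
type=AVC msg=audit(1308700000.003:12): avc:  denied  { getattr } for  pid=1236 comm="httpd" path="/www/site" dev=sda10 ino=3 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

printf '%s\n' "$SAMPLE" | triage
# Live use: ausearch -m avc -ts recent | triage
```

For the third category, getsebool -a | grep <domain> shows the booleans that exist for the domain; if none covers the access, audit2allow -M on the records gives a local module, and the records themselves are what a bug report should carry.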
sandbox cleanup?
by Christoph A.
Hi,
I just noticed that I have over 100 processes running in the
sandbox_web_client_t domain, although I closed all my sandbox windows.
ps auxZ|grep sandbox_web_client_t|grep -c /usr/libexec/gvfsd
52
ps auxZ|grep sandbox_web_client_t|grep -c '/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session'
51
Shouldn't they be killed after I closed all sandbox windows?
Kind regards,
Christoph
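A check that serves both Paul's sshd-under-mock post and Christoph's sandbox question, as an added example that is not from either message: which processes are running in a given SELinux domain, read from ps -eZ output. Paul needs to confirm that the sshd started inside the chroot really landed in sshd_t; Christoph wants the gvfsd and dbus-daemon processes left behind in sandbox_web_client_t found and, if they are indeed orphans, killed. Keying on the type field rather than a substring match, as the grep -c in the post does, avoids catching an unrelated dbus-daemon. The column layout assumed is that of procps ps -eZ (LABEL, PID, TTY, TIME, CMD), and the ps output used for the offline check is constructed; the live path runs ps itself.

```shell
#!/bin/sh
# Added example (not from the posts): list, count and optionally kill the
# processes running in one SELinux domain, from ps -eZ output whose
# columns are LABEL PID TTY TIME CMD (procps). Sample output constructed.

# Print "pid cmd" for every process whose context type equals $1.
# Reads ps -eZ output on stdin, skipping the header line.
procs_in_domain() {
    awk -v want="$1" '
        NR > 1 {
            split($1, ctx, ":")
            if (ctx[3] == want) {
                cmd = $5
                for (i = 6; i <= NF; i++) cmd = cmd " " $i
                print $2, cmd
            }
        }'
}

# Number of processes in the domain (what the grep -c in the post
# counted, but keyed on the type field rather than a substring).
count_in_domain() {
    procs_in_domain "$1" | wc -l | tr -d ' '
}

# Domain of a process by command name, for checks such as "did sshd
# end up in sshd_t?". Prints one type per matching process.
domain_of_comm() {
    awk -v want="$1" 'NR > 1 && $5 == want { split($1, ctx, ":"); print ctx[3] }'
}

# Constructed ps -eZ output: one sshd in sshd_t, two sandbox leftovers,
# and an unconfined dbus-daemon that a name-based kill would also hit.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1841 ?  00:00:00 sshd
unconfined_u:unconfined_r:sandbox_web_client_t:s0:c101,c202 4101 ? 00:00:00 /usr/libexec/gvfsd
unconfined_u:unconfined_r:sandbox_web_client_t:s0:c101,c202 4102 ? 00:00:00 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4200 ? 00:00:00 /bin/dbus-daemon --session'

printf '%s\n' "$SAMPLE_PS" | procs_in_domain sandbox_web_client_t
echo "leftovers: $(printf '%s\n' "$SAMPLE_PS" | count_in_domain sandbox_web_client_t)"
echo "sshd runs as: $(printf '%s\n' "$SAMPLE_PS" | domain_of_comm sshd)"

# Live use: KILL_DOMAIN=sandbox_web_client_t kills everything in that
# domain. Killing by domain leaves the unconfined dbus-daemon alone.
if [ -n "${KILL_DOMAIN:-}" ]; then
    ps -eZ | procs_in_domain "$KILL_DOMAIN" | while read -r pid cmd; do
        echo "killing $pid ($cmd)"
        kill "$pid"
    done
fi
```

For the mock case, `ps -eZ | domain_of_comm sshd` printing sshd_t confirms the file-context changes in the chroot worked; for the sandbox case, a non-zero count from `ps -eZ | count_in_domain sandbox_web_client_t` after the last sandbox window is closed is the leftover Christoph saw.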
mouse pointer stuck in browser sandbox window
by GSO
The executive summary is that I seem to be experiencing browser hacking even
with a completely locked down install (i.e., shouldn't be any malware
involved) and an encrypted VPN - in the first instance the X mouse pointer
was periodically getting stuck in a firefox sandbox (duly described over on
the Fedora Security forum
http://forums.fedoraforum.org/showthread.php?t=263947 - in a nutshell though
the mouse pointer will not cross the window border to the desktop; Alt+Tab
to cycle windows also fails, the only way out is to switch into another
virtual terminal). Firefox also intermittently shows other signs of being
hacked - flash video crashing the player when it was previously working fine
- BBC iPlayer being one such site, the mouse pointer disappearing hovering
over links, etc. For anyone with their Sherlock hats on the details are as
follows:
- I know for sure that I do have a MITM hacker - if I surf without
encrypting the Internet connection very quickly invalid site SSL certificate
errors follow and pages are rewritten. With iVPN (http://ivpn.net) at least
(and probably the other VPNs if their procedures for setting the openvpn
passphrase/cert were as bulletproof as iVPN's) the only problem I have is
with the SELinux sandbox and firefox. Also it is more than a co-incidence
that as I write this email this hack occurs (the mouse is locked into the
sandbox window at this moment), or likewise when I post to the unix.com or
fedora security forums (having worked fine all day otherwise).
- It looks like there possibly is a correlation between entering text into a
textbox and this happening, mostly after I have posted the text to the
Internet, but sometimes as I am typing. The mouse will sometimes and
somewhat less frequently unlock itself from the sandbox (i.e., the pointer
can freely move around the desktop again). (Something also that might be
related and that has just started today, the mouse pointer vanishes when
over a button or link - but not in all sandbox windows, just the odd one.)
- I've done my damnedest to rule out any kind of malware on the install
(ref. link above to the fedora forum post).
- The same problem occurs with metacity and openbox window managers, the
former both as the X wm and sandbox '-W' wm.
- I will at some point do a backup and run the browser out of the sandbox,
I've a feeling that whatever this is allows this hacker into root and to
trash the install.
- I will at some point rule an openvpn bug out by trying a L2TP connection.
- Any malicious code surely has to run through the browser, chromium
unfortunately will not run in a default sandbox so I can't at the moment
compare the security of this browser.
- I'm working on the basis at the moment that local crime -- this is very
much a local crime problem -- can 'see' my browser, but it could equally be
a TEMPEST problem as a browser hack (I will make some checks on the former
sometime, but I can't be absolutely conclusive on this).
Not being a network engineer I can't really go much further than the above -
I have some long dead Netware skills but otherwise was essentially trained
as a programmer.
G.