selinux July 2011

selinux@lists.fedoraproject.org

15 participants
20 discussions

[sandbox] modifying the Xephyr window title (patch)
by Christoph A. 25 Jun '12

25 Jun '12

Hi, If most of your windows are sandboxed applications, your bar looks like: [Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..] and it is hard to find a specific application. example of a current Xephyr title: Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox with the modification in the attached patch titles will look like: /usr/bin/firefox (sandbox_web_t) and it should be easier to find a specific application. In addition to the type I would find it handy to also include the DISPLAY in the title (needed when using xsel for copy'n paste). The second patch only adds '-nolisten tcp' to Xephyr, but if there are use cases where one needs Xephyr to open a listener this patch will break thinks. regards, Christoph A. btw: secon's manpage doesn't contain the '-l' option.

2 10

Policy for CouchDB
by Michael Milverton 17 Mar '12

17 Mar '12

Hi, I'm in the process of writing a policy for couchdb (nosql database). I'm using the selinux-polgengui and eclipse slide tools to help. I've hit a road block because it won't start but I'm not getting any more AVC's. I'm wondering if anybody might be able to offer some clue about getting more AVC's from it because if it won't talk to me I can't get much further. The only entries in audit.log are: type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success' type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success' type=USER_END msg=audit(1309362790.640:1345): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success' type=CRED_DISP msg=audit(1309362790.641:1346): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success' type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed' Now, it will start fine (and run) when it is unlabeled (not what I want of course). Couchdb runs under the username/group couchdb but I haven't added any transition rules for this yet (any help on this would be appreciated). FC FILE: /usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0) /usr/bin/couchjs -- gen_context(system_u:object_r:couchdb_exec_t,s0) TE FILE: policy_module(couchdb,1.0.0) require { type bin_t; type fs_t; type proc_t; } type couchdb_t; domain_type(couchdb_t) permissive couchdb_t; # Access to shared libraries libs_use_ld_so(couchdb_t) libs_use_shared_libs(couchdb_t) miscfiles_read_localization(couchdb_t) dev_read_urand(couchdb_t) # Type for the daemon type couchdb_exec_t; files_type(couchdb_exec_t) domain_entry_file(couchdb_t, couchdb_exec_t) init_daemon_domain(couchdb_t, couchdb_exec_t) # Logging logging_send_syslog_msg(couchdb_t) logging_log_file(couchdb_t) # Temp files type couchdb_tmp_t; files_tmp_file(couchdb_tmp_t) manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t) manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t) files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file }) #type couchdb_config_t; files_read_etc_files(couchdb_t) # /bin/basename and some others allow couchdb_t bin_t:file { read getattr open execute execute_no_trans }; allow couchdb_t fs_t:filesystem getattr; allow couchdb_t proc_t:file { read getattr open }; allow couchdb_t self:fifo_file { read write getattr }; # Not sure about this auth_domtrans_chk_passwd(couchdb_t) # Not sure about this either. domain_use_interactive_fds(couchdb_t) Any clues, tips, advice would be most appreciated Thanks

5 20

SEL & Spamassassin
by Arthur Dent 22 Sep '11

22 Sep '11

Hello All, I have just upgraded (clean install) from F13 to F15 and installed spamassassin via yum. At the same time I also installed the plugins Pyzor, Razor and iXhash. In Permissive mode something in those triggers a strange AVC: SELinux is preventing /bin/systemd-tty-ask-password-agent from read access on the fifo_file 136:0. Here is the detail: Raw Audit Messages type=AVC msg=audit(1307797576.537:29628): avc: denied { read } for pid=10471 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=282609 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file type=AVC msg=audit(1307797576.537:29628): avc: denied { open } for pid=10471 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=282609 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file type=SYSCALL msg=audit(1307797576.537:29628): arch=i386 syscall=open success=yes exit=ESRCH a0=8ca9080 a1=88900 a2=0 a3=bf8fba54 items=0 ppid=10470 pid=10471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null) Hash: systemd-tty-ask,systemd_passwd_agent_t,init_var_run_t,fifo_file,read audit2allow #============= systemd_passwd_agent_t ============== allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open }; audit2allow -R #============= systemd_passwd_agent_t ============== allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open }; The other slightly odd thing is that when I place the system back into Enforcing mode I get no AVCs, but some of the Spamassassin checks (Especially iXhash I think) don't seem to be run, but give no errors. Anyway, the above AVC looked strange and I didn't want to create a local policy module for it until I had checked with the chaps here... Thanks in advance for any advice or suggestions... Mark

4 5

How to extract file context patterns from selinux module
by Karel Srot 29 Jul '11

29 Jul '11

Hi, could you please help me with following problem? I would like to extract context patterns from a selinux module. I know there are placed at the end of the module but I don't know (and didn't find) the module structure. Therefore I don't know how to parse them (if there are any in the module). Thank you in advance Karel Srot $ tail abrt.pp var/cache/abrt-di(/.*)? system_u:object_r:abrt_var_cache_t:s0 /var/log/abrt-logger -- system_u:object_r:abrt_var_log_t:s0 /var/run/abrt\.pid -- system_u:object_r:abrt_var_run_t:s0 /var/run/abrtd?\.lock -- system_u:object_r:abrt_var_run_t:s0 /var/run/abrtd?\.socket -s system_u:object_r:abrt_var_run_t:s0 /var/run/abrt(/.*)? system_u:object_r:abrt_var_run_t:s0 ... Karel -- Karel Srot QE BaseOS team http://intranet.corp.redhat.com/ic/intranet/KarelSrot Email: ksrot(a)redhat.com Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

2 1

getsched
by Moray Henderson 28 Jul '11

28 Jul '11

What is a "process getsched" operation? (I have a Ruby on Rails app on CentOS 5.6 that is occasionally throwing up a process getsched denial and I was wondering if it was important.) Moray. "To err is human; to purr, feline."

2 1

Re: getsched
by Dominick Grift 28 Jul '11

28 Jul '11

On Thu, 2011-07-28 at 16:38 +0100, Moray Henderson wrote: > What is a "process getsched" operation? (I have a Ruby on Rails app on > CentOS 5.6 that is occasionally throwing up a process getsched denial and I > was wondering if it was important.) "getsched Get priority of a process." (source: http://www.selinuxproject.org/page/ObjectClassesPerms) Not sure but suspect these are related: http://linux.die.net/man/2/getpriority http://linux.die.net/man/2/setpriority

1 0

some questions about apache and tomcat
by Benedict S 27 Jul '11

27 Jul '11

Hello,everybody. There is no packages about mod_jk-ap20 in our fedora rpm packages.How can I connect apache with tomcat,using http_proxy ,ajp_proxy or something else?Which method is the best way to use it? When i start tomcat6 with command "service tomcat6 start " or "run_init service tomcat6 start" ,the tomcat6 was running under the context of "system_u:system_r:unconfined_java_t" and the web's applications can't run successfully. I found there is no module about tomcat and neither in refpolicy-2.20101213.Should I write some policy for tomcat6 or there is something wrong with my method. Thank you very much.

2 1

policycoreutils-2.0.85-30.2 breaks sandbox
by Christoph A. 26 Jul '11

26 Jul '11

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, the latest testing update in fc14 breaks sandbox on my machine: Updated: policycoreutils-2.0.85-30.2.fc14.x86_64 Updated: policycoreutils-python-2.0.85-30.2.fc14.x86_64 Updated: policycoreutils-sandbox-2.0.85-30.2.fc14.x86_64 sandbox -X evince /usr/sbin/seunshare: invalid option -- 'k' USAGE: seunshare [ -v ] [ -c ] -C -t tmpdir -h homedir [-Z context] -- executable [args] yum downgrade policycoreutils Resolving Dependencies - --> Running transaction check - ---> Package policycoreutils.x86_64 0:2.0.85-28.fc14 set to be downgraded - ---> Package policycoreutils.x86_64 0:2.0.85-30.2.fc14 set to be erased - --> Finished Dependency Resolution Error: Package: policycoreutils-python-2.0.85-30.2.fc14.x86_64 (@updates-testing) Requires: policycoreutils = 2.0.85-30.2.fc14 Removing: policycoreutils-2.0.85-30.2.fc14.x86_64 (@updates-testing) policycoreutils = 2.0.85-30.2.fc14 Downgraded By: policycoreutils-2.0.85-28.fc14.x86_64 (updates) policycoreutils = 2.0.85-28.fc14 Available: policycoreutils-2.0.83-28.fc14.x86_64 (fedora) policycoreutils = 2.0.83-28.fc14 You could try using --skip-broken to work around the problem You could try running: rpm -Va --nofiles --nodigest -----BEGIN PGP SIGNATURE----- iEYEAREKAAYFAk4r86MACgkQrq+riTAIEg0DIwCg57Sz17JxUEmd7vrdyd6DcnIy g+UAniy8NoYaEKZOEqsoa05TXVlwQ1H4 =z4D8 -----END PGP SIGNATURE-----

2 3

problems labeling files
by Michael Atighetchi 26 Jul '11

26 Jul '11

Hi, I'm having issues with getting files labeled correctly. First some background: [proxyuser@lime selinux]$ sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 24 Policy from config file: targeted [proxyuser@lime selinux]$ cat /etc/redhat-release Fedora release 14 (Laughlin) Here the problem: I have setup the following file contexts [proxyuser@lime selinux]$ sudo semanage fcontext -l | grep aps-base /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp regular file system_u:object_r:CZtp_exec_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh regular file system_u:object_r:CZwd_exec_t:s0 Relabeling for one of the files succeeds: sudo restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp [proxyuser@lime selinux]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp -rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp However, relabeling of the other file silently fails: [proxyuser@lime selinux]$ sudo restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh [proxyuser@lime selinux]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh -rwxrwxr-x. proxyuser proxyuser unconfined_u:object_r:user_home_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh What am I missing? -- Michael Atighetchi Senior Scientist Raytheon BBN Technologies 617-873-1679 matighet(a)bbn.com

3 10

problems confining a process
by Michael Atighetchi 23 Jul '11

23 Jul '11

Hi, I'm trying to create a new policy for a constrained process (started by an unconstrainted user) and am stuck trying to get the process started in the right context. Here are the steps I followed: 0. confirm SELinux status [proxyuser@lime ~]$ sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 24 Policy from config file: targeted [proxyuser@lime ~]$ cat /etc/redhat-release Fedora release 14 (Laughlin) [proxyuser@lime cz]$ id -Z unconfined_u:unconfined_r:unconfined_t:s0 1. create policy via sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp Note that CZtp is a shell script which in turn calls the JVM. [proxyuser@lime cz]$ sudo ./CZtp.sh Building and Loading Policy + make -f /usr/share/selinux/devel/Makefile make: Nothing to be done for `all'. + /usr/sbin/semodule -i CZtp.pp + /sbin/restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp /sbin/restorecon reset /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp context system_u:system_r:CZtp_exec_t:s0->system_u:object_r:CZtp_exec_t:s0 2. Verify that the the CZtp file is labeled properly: [proxyuser@lime cz]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp -rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp 3. start process [proxyuser@lime cz]$ cd /home/proxyuser/trunk/aps-base/crumple-zone/target/ [proxyuser@lime target]$ ./CZtp 4. Verify process context [proxyuser@lime ~]$ ps -efZ | grep -v grep | grep CZtp unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734 0 14:22 pts/0 00:00:00 /bin/sh ./CZtp Note that the process shows up as unconfined_t, although it was labeled with CZtp_exec_t. What am I missing? 4. check process context -- Michael Atighetchi Senior Scientist Raytheon BBN Technologies 617-873-1679 matighet(a)bbn.com

2 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux July 2011