[sandbox] modifying the Xephyr window title (patch)
by Christoph A.
Hi,
If most of your windows are sandboxed applications, your bar looks like:
[Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..]
and it is hard to find a specific application.
example of a current Xephyr title:
Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox
with the modification in the attached patch titles will look like:
/usr/bin/firefox (sandbox_web_t)
and it should be easier to find a specific application.
In addition to the type I would find it handy to also include the
DISPLAY in the title (needed when using xsel for copy'n paste).
The second patch only adds '-nolisten tcp' to Xephyr, but if there are
use cases where one needs Xephyr to open a listener this patch will
break things.
regards,
Christoph A.
btw: secon's manpage doesn't contain the '-l' option.
11 years, 3 months
Policy for CouchDB
by Michael Milverton
Hi,
I'm in the process of writing a policy for couchdb (nosql database). I'm
using the selinux-polgengui and eclipse slide tools to help. I've hit a road
block because it won't start but I'm not getting any more AVC's. I'm
wondering if anybody might be able to offer some clue about getting more
AVC's from it because if it won't talk to me I can't get much further.
The only entries in audit.log are:
type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1309362790.640:1345): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1309362790.641:1346): user pid=11935 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed'
Now, it will start fine (and run) when it is unlabeled (not what I want of
course). Couchdb runs under the username/group couchdb but I haven't added
any transition rules for this yet (any help on this would be appreciated).
FC FILE:
/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/bin/couchjs -- gen_context(system_u:object_r:couchdb_exec_t,s0)
TE FILE:
policy_module(couchdb,1.0.0)
require {
type bin_t;
type fs_t;
type proc_t;
}
type couchdb_t;
domain_type(couchdb_t)
permissive couchdb_t;
# Access to shared libraries
libs_use_ld_so(couchdb_t)
libs_use_shared_libs(couchdb_t)
miscfiles_read_localization(couchdb_t)
dev_read_urand(couchdb_t)
# Type for the daemon
type couchdb_exec_t;
files_type(couchdb_exec_t)
domain_entry_file(couchdb_t, couchdb_exec_t)
init_daemon_domain(couchdb_t, couchdb_exec_t)
# Logging
logging_send_syslog_msg(couchdb_t)
logging_log_file(couchdb_t)
# Temp files
type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)
manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })
#type couchdb_config_t;
files_read_etc_files(couchdb_t)
# /bin/basename and some others
allow couchdb_t bin_t:file { read getattr open execute execute_no_trans };
allow couchdb_t fs_t:filesystem getattr;
allow couchdb_t proc_t:file { read getattr open };
allow couchdb_t self:fifo_file { read write getattr };
# Not sure about this
auth_domtrans_chk_passwd(couchdb_t)
# Not sure about this either.
domain_use_interactive_fds(couchdb_t)
Any clues, tips, advice would be most appreciated
Thanks
11 years, 6 months
SEL & Spamassassin
by Arthur Dent
Hello All,
I have just upgraded (clean install) from F13 to F15 and installed
spamassassin via yum.
At the same time I also installed the plugins Pyzor, Razor and iXhash.
In Permissive mode something in those triggers a strange AVC:
SELinux is preventing /bin/systemd-tty-ask-password-agent from read access on the fifo_file 136:0.
Here is the detail:
Raw Audit Messages
type=AVC msg=audit(1307797576.537:29628): avc: denied { read } for pid=10471 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=282609 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1307797576.537:29628): avc: denied { open } for pid=10471 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=282609 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1307797576.537:29628): arch=i386 syscall=open success=yes exit=ESRCH a0=8ca9080 a1=88900 a2=0 a3=bf8fba54 items=0 ppid=10470 pid=10471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)
Hash: systemd-tty-ask,systemd_passwd_agent_t,init_var_run_t,fifo_file,read
audit2allow
#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };
audit2allow -R
#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };
The other slightly odd thing is that when I place the system back into
Enforcing mode I get no AVCs, but some of the Spamassassin checks
(Especially iXhash I think) don't seem to be run, but give no errors.
Anyway, the above AVC looked strange and I didn't want to create a local
policy module for it until I had checked with the chaps here...
Thanks in advance for any advice or suggestions...
Mark
12 years
How to extract file context patterns from selinux module
by Karel Srot
Hi,
could you please help me with following problem?
I would like to extract context patterns from a selinux module.
I know there are placed at the end of the module but I don't know (and
didn't find) the module structure. Therefore I don't know how to parse
them (if there are any in the module).
Thank you in advance
Karel Srot
$ tail abrt.pp
var/cache/abrt-di(/.*)? system_u:object_r:abrt_var_cache_t:s0
/var/log/abrt-logger -- system_u:object_r:abrt_var_log_t:s0
/var/run/abrt\.pid -- system_u:object_r:abrt_var_run_t:s0
/var/run/abrtd?\.lock -- system_u:object_r:abrt_var_run_t:s0
/var/run/abrtd?\.socket -s system_u:object_r:abrt_var_run_t:s0
/var/run/abrt(/.*)? system_u:object_r:abrt_var_run_t:s0
...
Karel
--
Karel Srot
QE BaseOS team
http://intranet.corp.redhat.com/ic/intranet/KarelSrot
Email: ksrot(a)redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
12 years, 2 months
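As an added example (not code from the thread), the following Python scans the trailing text of a .pp module for lines in the file_contexts format shown above (`regex [type-flag] context`) and then resolves a path against them the way file_contexts is applied: the regex is anchored at both ends and the last matching specification wins. It assumes the patterns are simple enough to evaluate with Python's `re` module; the sample input is constructed from the `tail abrt.pp` output above.

```python
import re

# Constructed sample: the text tail of a .pp module as shown by `tail abrt.pp`.
# The first line is cut off by tail, so the parser must skip it.
SAMPLE_TAIL = b"""var/cache/abrt-di(/.*)? system_u:object_r:abrt_var_cache_t:s0
/var/log/abrt-logger -- system_u:object_r:abrt_var_log_t:s0
/var/run/abrt\\.pid -- system_u:object_r:abrt_var_run_t:s0
/var/run/abrtd?\\.lock -- system_u:object_r:abrt_var_run_t:s0
/var/run/abrtd?\\.socket -s system_u:object_r:abrt_var_run_t:s0
/var/run/abrt(/.*)? system_u:object_r:abrt_var_run_t:s0
"""

# One file_contexts line: an absolute-path regex, an optional type flag, a context.
FC_LINE = re.compile(
    r"^(?P<path>/\S+)"
    r"(?:\s+(?P<ftype>-[-dcblsp]))?"
    r"\s+(?P<ctx>\S+:object_r:\S+|<<none>>)$"
)
FTYPES = {"--": "file", "-d": "dir", "-c": "chr_file", "-b": "blk_file",
          "-s": "sock_file", "-l": "lnk_file", "-p": "fifo_file"}


def parse_fc_text(data: bytes):
    """Return (path_regex, file_type, context) for each fc line in `data`.
    Binary module sections and truncated lines do not match and are skipped."""
    specs = []
    for raw in data.decode("utf-8", errors="ignore").splitlines():
        m = FC_LINE.match(raw.strip())
        if m:
            specs.append((m["path"], FTYPES.get(m["ftype"], "any"), m["ctx"]))
    return specs


def extract_fc_from_pp(module_path: str):
    """Read a whole .pp file and pull out its file-context lines (assumes the
    fc section is stored as plain text, as the `tail` output above suggests)."""
    with open(module_path, "rb") as fh:
        return parse_fc_text(fh.read())


def match_path(specs, path: str, ftype: str = "file"):
    """Resolve `path` of type `ftype` against the specs: the regex is implicitly
    anchored (fullmatch) and the last matching specification takes precedence."""
    chosen = None
    for pattern, spec_type, ctx in specs:
        if spec_type in ("any", ftype) and re.fullmatch(pattern, path):
            chosen = ctx
    return None if chosen == "<<none>>" else chosen
```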
getsched
by Moray Henderson
What is a "process getsched" operation? (I have a Ruby on Rails app on
CentOS 5.6 that is occasionally throwing up a process getsched denial and I
was wondering if it was important.)
Moray.
"To err is human; to purr, feline."
12 years, 2 months
some questions about apache and tomcat
by Benedict S
Hello, everybody.
There are no packages for mod_jk-ap20 in our Fedora RPM packages. How can I
connect Apache with Tomcat, using http_proxy, ajp_proxy or something
else? Which method is the best way to use it?
When I start tomcat6 with the command "service tomcat6 start" or "run_init
service tomcat6 start", tomcat6 was running under the context
"system_u:system_r:unconfined_java_t" and the web applications can't run
successfully. I found there is no module for tomcat, not even in
refpolicy-2.20101213. Should I write some policy for tomcat6, or is there
something wrong with my method?
Thank you very much.
12 years, 2 months
policycoreutils-2.0.85-30.2 breaks sandbox
by Christoph A.
Hi,
the latest testing update in fc14 breaks sandbox on my machine:
Updated: policycoreutils-2.0.85-30.2.fc14.x86_64
Updated: policycoreutils-python-2.0.85-30.2.fc14.x86_64
Updated: policycoreutils-sandbox-2.0.85-30.2.fc14.x86_64
sandbox -X evince
/usr/sbin/seunshare: invalid option -- 'k'
USAGE: seunshare [ -v ] [ -c ] -C -t tmpdir -h homedir [-Z context] --
executable [args]
yum downgrade policycoreutils
Resolving Dependencies
--> Running transaction check
---> Package policycoreutils.x86_64 0:2.0.85-28.fc14 set to be downgraded
---> Package policycoreutils.x86_64 0:2.0.85-30.2.fc14 set to be erased
--> Finished Dependency Resolution
Error: Package: policycoreutils-python-2.0.85-30.2.fc14.x86_64
(@updates-testing)
Requires: policycoreutils = 2.0.85-30.2.fc14
Removing: policycoreutils-2.0.85-30.2.fc14.x86_64
(@updates-testing)
policycoreutils = 2.0.85-30.2.fc14
Downgraded By: policycoreutils-2.0.85-28.fc14.x86_64 (updates)
policycoreutils = 2.0.85-28.fc14
Available: policycoreutils-2.0.83-28.fc14.x86_64 (fedora)
policycoreutils = 2.0.83-28.fc14
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
12 years, 2 months
problems labeling files
by Michael Atighetchi
Hi,
I'm having issues with getting files labeled correctly.
First some background:
[proxyuser@lime selinux]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted
[proxyuser@lime selinux]$ cat /etc/redhat-release
Fedora release 14 (Laughlin)
Here the problem: I have setup the following file contexts
[proxyuser@lime selinux]$ sudo semanage fcontext -l | grep aps-base
/home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp regular file system_u:object_r:CZtp_exec_t:s0
/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh regular file system_u:object_r:CZwd_exec_t:s0
Relabeling for one of the files succeeds:
sudo restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
[proxyuser@lime selinux]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
-rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
However, relabeling of the other file silently fails:
[proxyuser@lime selinux]$ sudo restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh
[proxyuser@lime selinux]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh
-rwxrwxr-x. proxyuser proxyuser unconfined_u:object_r:user_home_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh
What am I missing?
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet(a)bbn.com
12 years, 2 months
problems confining a process
by Michael Atighetchi
Hi,
I'm trying to create a new policy for a constrained process (started by
an unconstrained user) and am stuck trying to get the process started
in the right context.
Here are the steps I followed:
0. confirm SELinux status
[proxyuser@lime ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted
[proxyuser@lime ~]$ cat /etc/redhat-release
Fedora release 14 (Laughlin)
[proxyuser@lime cz]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0
1. create policy via
sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
Note that CZtp is a shell script which in turn calls the JVM.
[proxyuser@lime cz]$ sudo ./CZtp.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
make: Nothing to be done for `all'.
+ /usr/sbin/semodule -i CZtp.pp
+ /sbin/restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
/sbin/restorecon reset /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp context system_u:system_r:CZtp_exec_t:s0->system_u:object_r:CZtp_exec_t:s0
2. Verify that the CZtp file is labeled properly:
[proxyuser@lime cz]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
-rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
3. start process
[proxyuser@lime cz]$ cd /home/proxyuser/trunk/aps-base/crumple-zone/target/
[proxyuser@lime target]$ ./CZtp
4. Verify process context
[proxyuser@lime ~]$ ps -efZ | grep -v grep | grep CZtp
unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734 0 14:22 pts/0 00:00:00 /bin/sh ./CZtp
Note that the process shows up as unconfined_t, although it was labeled
with CZtp_exec_t.
What am I missing?
4. check process context
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet(a)bbn.com
12 years, 2 months