[sandbox] modifying the Xephyr window title (patch)
by Christoph A.
Hi,
If most of your windows are sandboxed applications, your bar looks like:
[Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..]
and it is hard to find a specific application.
Example of a current Xephyr title:
Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox
With the modification in the attached patch, titles will look like:
/usr/bin/firefox (sandbox_web_t)
and it should be easier to find a specific application.
In addition to the type I would find it handy to also include the
DISPLAY in the title (needed when using xsel for copy'n paste).
The second patch only adds '-nolisten tcp' to Xephyr, but if there are
use cases where one needs Xephyr to open a listener, this patch will
break things.
regards,
Christoph A.
btw: secon's manpage doesn't contain the '-l' option.
11 years, 8 months
Policy for CouchDB
by Michael Milverton
Hi,
I'm in the process of writing a policy for couchdb (NoSQL database). I'm
using the selinux-polgengui and eclipse slide tools to help. I've hit a
roadblock because it won't start, but I'm not getting any more AVCs. I'm
wondering if anybody might be able to offer some clue about getting more
AVCs from it, because if it won't talk to me I can't get much further.
The only entries in audit.log are:
type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=?
terminal=? res=success'
type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=?
addr=? terminal=? res=success'
type=USER_END msg=audit(1309362790.640:1345): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:session_close acct="couchdb" exe="/sbin/runuser" hostname=?
addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1309362790.641:1346): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=?
terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=':
comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=?
addr=? terminal=? res=failed'
Now, it will start fine (and run) when it is unlabeled (not what I want of
course). Couchdb runs under the username/group couchdb but I haven't added
any transition rules for this yet (any help on this would be appreciated).
FC FILE:
/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/bin/couchjs -- gen_context(system_u:object_r:couchdb_exec_t,s0)
TE FILE:
policy_module(couchdb,1.0.0)
require {
type bin_t;
type fs_t;
type proc_t;
}
type couchdb_t;
domain_type(couchdb_t)
permissive couchdb_t;
# Access to shared libraries
libs_use_ld_so(couchdb_t)
libs_use_shared_libs(couchdb_t)
miscfiles_read_localization(couchdb_t)
dev_read_urand(couchdb_t)
# Type for the daemon
type couchdb_exec_t;
files_type(couchdb_exec_t)
domain_entry_file(couchdb_t, couchdb_exec_t)
init_daemon_domain(couchdb_t, couchdb_exec_t)
# Logging
logging_send_syslog_msg(couchdb_t)
logging_log_file(couchdb_t)
# Temp files
type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)
manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })
#type couchdb_config_t;
files_read_etc_files(couchdb_t)
# /bin/basename and some others
allow couchdb_t bin_t:file { read getattr open execute execute_no_trans };
allow couchdb_t fs_t:filesystem getattr;
allow couchdb_t proc_t:file { read getattr open };
allow couchdb_t self:fifo_file { read write getattr };
# Not sure about this
auth_domtrans_chk_passwd(couchdb_t)
# Not sure about this either.
domain_use_interactive_fds(couchdb_t)
Any clues, tips or advice would be most appreciated.
Thanks
12 years
SEL & Spamassassin
by Arthur Dent
Hello All,
I have just upgraded (clean install) from F13 to F15 and installed
spamassassin via yum.
At the same time I also installed the plugins Pyzor, Razor and iXhash.
In Permissive mode something in those triggers a strange AVC:
SELinux is preventing /bin/systemd-tty-ask-password-agent from read access on the fifo_file 136:0.
Here is the detail:
Raw Audit Messages
type=AVC msg=audit(1307797576.537:29628): avc: denied { read } for pid=10471 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=282609 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1307797576.537:29628): avc: denied { open } for pid=10471 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=282609 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1307797576.537:29628): arch=i386 syscall=open success=yes exit=ESRCH a0=8ca9080 a1=88900 a2=0 a3=bf8fba54 items=0 ppid=10470 pid=10471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)
Hash: systemd-tty-ask,systemd_passwd_agent_t,init_var_run_t,fifo_file,read
audit2allow
#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };
audit2allow -R
#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };
The other slightly odd thing is that when I place the system back into
Enforcing mode I get no AVCs, but some of the Spamassassin checks
(especially iXhash, I think) don't seem to be run, but give no errors.
Anyway, the above AVC looked strange and I didn't want to create a local
policy module for it until I had checked with the chaps here...
Thanks in advance for any advice or suggestions...
Mark
12 years, 6 months
Re: sshd constraint violation issue
by Stephen Smalley
On Mon, 2011-08-29 at 10:36 -0400, Christopher J. PeBenito wrote:
> On 08/29/11 11:10, Miroslav Grepl wrote:
> > On 08/29/2011 12:52 PM, Christopher J. PeBenito wrote:
> >> On 08/29/11 08:33, Stephen Smalley wrote:
> >>> On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
> >>>> Together with Dan Walsh, Jan Chadima we made some changes in the
> >>>> openssh
> >>>> package.
> >>>>
> >>>> But we have the following issue with the following code
> >>>>
> >>>> ...
> >>>>
> >>>> if (internal-sftp)
> >>>> setuid()
> >>>> getexecon(&scon)
> >>>> setcon(scon)
> >>>> freecon(scon)
> >>>>
> >>>> ...
> >>>>
> >>>> We have
> >>>>
> >>>> allow sshd_t unpriv_userdomain:process dyntransition
> >>>>
> >>>> rule but we get a constraint violation with the following AVC msg
> >>>>
> >>>> type=AVC msg=audit(1314348650.561:7910): avc: denied {
> >>>> dyntransition }
> >>>> for
> >>>> pid=555 comm="sshd"
> >>>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
> >>>> tcontext=staff_u:staff_r:staff_t:s0
> >>>>
> >>>> because of
> >>>>
> >>>> constrain process dyntransition
> >>>> (
> >>>> u1 == u2 and r1 == r2
> >>>> )
> >>>>
> >>>> My question is why dyntrans is not allowed to change USER or ROLE.
> >>>>
> >>>>
> >>>> https://bugzilla.redhat.com/show_bug.cgi?id=729648
> >>> I think just because we haven't previously had a system program using
> >>> setcon(3) to switch its user/role.
> >> Also because the theory was that we would be reproducing privilege-bracketed
> >> domains, so you'd be going to a different privilege in e.g. httpd_t ->
> >> httpd_mycgi_t, and that would not require user or role changes.
> >>
> > Ok, I understand. Thanks.
> >
> > Could we add an attribute to break this?
>
> Yes, we could add one. The question is if we want the same attribute as
> the regular transition or a new one. i.e. I'm thinking
>
> constrain process dyntransition
> (
> u1 == u2
> or ( t1 == can_change_process_identity and t2 == process_user_target )
> );
>
> constrain process dyntransition
> (
> r1 == r2
> or ( t1 == can_change_process_identity and t2 == process_user_target )
> );
>
> do we want can_change_process_identity attribute or a new one?
If so, then might as well just coalesce into the existing constraint on
transition permission.
--
Stephen Smalley
National Security Agency
12 years, 6 months
Re: sshd constraint violation issue
by Miroslav Grepl
On 08/29/2011 12:52 PM, Christopher J. PeBenito wrote:
> On 08/29/11 08:33, Stephen Smalley wrote:
>> On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
>>> Together with Dan Walsh, Jan Chadima we made some changes in the openssh
>>> package.
>>>
>>> But we have the following issue with the following code
>>>
>>> ...
>>>
>>> if (internal-sftp)
>>> setuid()
>>> getexecon(&scon)
>>> setcon(scon)
>>> freecon(scon)
>>>
>>> ...
>>>
>>> We have
>>>
>>> allow sshd_t unpriv_userdomain:process dyntransition
>>>
>>> rule but we get a constraint violation with the following AVC msg
>>>
>>> type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition }
>>> for
>>> pid=555 comm="sshd"
>>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>>> tcontext=staff_u:staff_r:staff_t:s0
>>>
>>> because of
>>>
>>> constrain process dyntransition
>>> (
>>> u1 == u2 and r1 == r2
>>> )
>>>
>>> My question is why dyntrans is not allowed to change USER or ROLE.
>>>
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=729648
>> I think just because we haven't previously had a system program using
>> setcon(3) to switch its user/role.
> Also because the theory was that we would be reproducing privilege-bracketed
> domains, so you'd be going to a different privilege in e.g. httpd_t ->
> httpd_mycgi_t, and that would not require user or role changes.
>
Ok, I understand. Thanks.
Could we add an attribute to break this?
12 years, 6 months
sshd constraint violation issue
by Miroslav Grepl
Together with Dan Walsh and Jan Chadima, we made some changes in the openssh
package.
But we have the following issue with the following code:
...
if (internal-sftp)
setuid()
getexecon(&scon)
setcon(scon)
freecon(scon)
...
We have
allow sshd_t unpriv_userdomain:process dyntransition
rule but we get a constraint violation with the following AVC msg
type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition }
for
pid=555 comm="sshd"
scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0
because of
constrain process dyntransition
(
u1 == u2 and r1 == r2
)
My question is why dyntrans is not allowed to change USER or ROLE.
https://bugzilla.redhat.com/show_bug.cgi?id=729648
Regards,
Miroslav
12 years, 6 months
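As an added example (not code from the thread, openssh or the reference policy), a small Python model of the constraint check under discussion: it parses the two contexts from the quoted AVC, applies the `u1 == u2 and r1 == r2` constraint that produced the denial, and then the attribute-based relaxation sketched in the replies. The attribute sets ATTRS are assumed for illustration.

```python
"""Model SELinux process:dyntransition constraints on a context pair.
Added example, not code from the thread; the attribute membership in
ATTRS is constructed for illustration only."""
from typing import NamedTuple


class Context(NamedTuple):
    user: str
    role: str
    type_: str
    mls: str = ""

    @classmethod
    def parse(cls, text: str) -> "Context":
        # user:role:type[:range]; the MLS range may itself contain ':'
        user, role, typ, *rest = text.split(":")
        return cls(user, role, typ, ":".join(rest))


# Constructed stand-in for the policy's attribute sets (not real policy).
ATTRS = {
    "can_change_process_identity": {"sshd_t"},
    "process_user_target": {"staff_t", "user_t"},
}


def current_constraint(src: Context, tgt: Context) -> bool:
    """The rule quoted in the thread: user and role must not change."""
    return src.user == tgt.user and src.role == tgt.role


def proposed_constraint(src: Context, tgt: Context) -> bool:
    """Relaxed form from the replies: identity may change only when the
    source type carries can_change_process_identity and the target type
    carries process_user_target."""
    exempt = (src.type_ in ATTRS["can_change_process_identity"]
              and tgt.type_ in ATTRS["process_user_target"])
    return (src.user == tgt.user or exempt) and (src.role == tgt.role or exempt)


def check_dyntransition(scontext: str, tcontext: str, rule) -> bool:
    """True when the dyntransition scontext -> tcontext satisfies `rule`."""
    return rule(Context.parse(scontext), Context.parse(tcontext))


if __name__ == "__main__":
    s, t = "unconfined_u:system_r:sshd_t:s0-s0:c0.c1023", "staff_u:staff_r:staff_t:s0"
    print("current :", check_dyntransition(s, t, current_constraint))   # False
    print("proposed:", check_dyntransition(s, t, proposed_constraint))  # True
```

The exemption only fires for type pairs that carry both attributes, so a same-user transition such as httpd_t -> httpd_mycgi_t is unaffected either way.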
LMTP, Postfix, Dovecot AVC denial
by Jens Falsmar Oechsler
Hello
Getting the errors below when using Postfix with LMTP delivery to Dovecot on the
same machine. Should Dovecot configure LMTP in another path or context, or how
do I resolve this?
type=AVC msg=audit(1314483455.100:17918): avc: denied { search } for pid=6665 comm="lmtp" name="dovecot" dev=vda1 ino=1051484 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=dir
type=AVC msg=audit(1314483455.100:17918): avc: denied { write } for pid=6665 comm="lmtp" name="lmtp" dev=vda1 ino=1044670 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1314483455.100:17918): avc: denied { connectto } for pid=6665 comm="lmtp" path="/var/run/dovecot/lmtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1314483455.100:17918): arch=c000003e syscall=42 success=yes exit=0 a0=e a1=7fff1e9e21d0 a2=6e a3=7fff1e9e1e70 items=0 ppid=1177 pid=6665 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=system_u:system_r:postfix_smtp_t:s0 key=(null)
Thanks in advance
12 years, 6 months
qmail policy patch
by Adi Fairbank
I had some trouble with the policy for the qmail service, as shipped
with CentOS 6. I assume the policy comes from the Fedora project, so
I'm posting here.
It was preventing qmail-inject / qmail-queue / sendmail from searching
and writing to /var/qmail/queue/, among other issues. I noticed the
problems because crond-generated e-mail was not getting delivered,
with an error message like:
CROND[21591]: (root) MAIL (mailed 1290 bytes of output but got
status 0x006f#012)
AVC errors in audit.log were:
type=AVC msg=audit(1314228902.078:112210): avc: denied { search }
for pid=12894 comm="qmail-queue" name="queue" dev=dm-4 ino=655368
scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314229501.848:112243): avc: denied { search }
for pid=13193 comm="qmail-queue" name="pid" dev=dm-4 ino=655470
scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314239102.056:112926): avc: denied { write }
for pid=946 comm="qmail-queue" name="pid" dev=dm-4 ino=655470
scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1314245701.871:113246): avc: denied { write }
for pid=21283 comm="qmail-queue" name="trigger" dev=dm-4 ino=655365
scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:qmail_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1314246901.535:113302): avc: denied { read }
for pid=21514 comm="qmail-queue" name="owners" dev=dm-4 ino=655362
scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
Attached is a patch to the selinux-policy SRPM (the latest one from
centos6 updates), including spec file diff. Basically, it does the
following:
1. change file context of /var/qmail/owners(/.*)? to qmail_etc_t
2. allow processes of scontext system_mail_t read, write, search
access to files, dirs, and fifos of tcontext qmail_spool_t
Let me know if this policy change poses any security issues or could
be implemented a different way, as I'm rather new to SELinux policy.
I wonder if nobody else is running qmail with selinux in enforcing
mode? Or perhaps they have a different qmail installation than me.
I don't know how the sendmail command could work because qmail-queue
can't access /var/qmail/queue/ which is where qmail stores all its
mail for processing.
Adi
12 years, 6 months
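As an added example (not code from any of the posts, nor from the audit2allow tool itself), a Python script that does for raw `avc: denied` records what audit2allow does for the denials quoted in the Spamassassin, LMTP and qmail posts: parse each record, key it on source type, target type and object class, and merge the permissions into one allow rule per triple. The log excerpt is constructed after the qmail post, with one extra constructed write denial on the spool directory so that permission merging is visible.

```python
"""Merge raw AVC denials into audit2allow-style allow rules (added example,
not code from the list posts; SAMPLE_LOG is constructed after the qmail
post, with one extra write denial on the spool dir added to show merging)."""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"  # one or more permissions
    r".*?scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)"
)

SAMPLE_LOG = """\
type=AVC msg=audit(1314228902.078:112210): avc: denied { search } for pid=12894 comm="qmail-queue" name="queue" dev=dm-4 ino=655368 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314229501.848:112243): avc: denied { search } for pid=13193 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314239102.056:112926): avc: denied { write } for pid=946 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1314245701.871:113246): avc: denied { write } for pid=21283 comm="qmail-queue" name="trigger" dev=dm-4 ino=655365 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1314250000.000:113400): avc: denied { write } for pid=21600 comm="qmail-queue" name="queue" dev=dm-4 ino=655368 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1314245701.871:113246): arch=c000003e syscall=2 success=no exit=-13 comm="qmail-queue"
"""


def type_of(context: str) -> str:
    """user:role:type[:range] -> type (the MLS range may itself contain ':')."""
    return context.split(":")[2]


def collect_denials(log_text: str) -> dict:
    """Map (source type, target type, tclass) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m:  # SYSCALL, PATH etc. records carry no denial and are skipped
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)


def render_rules(rules: dict) -> str:
    """Emit one allow rule per triple, grouped by source type like audit2allow."""
    out, current = [], None
    for (src, tgt, cls), perms in sorted(rules.items()):
        if src != current:
            out.append(f"#============= {src} ==============")
            current = src
        txt = " ".join(sorted(perms))
        txt = txt if len(perms) == 1 else "{ " + txt + " }"
        out.append(f"allow {src} {tgt}:{cls} {txt};")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_rules(collect_denials(SAMPLE_LOG)))
```

The output is a starting point for review, not a policy to ship: as the poster notes, a generated rule such as write access to qmail_spool_t should be checked against what the domain actually needs before it goes into a module.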
Shouldn't restorecond be allowed to relabel anything?
by Göran Uddeborg
When using the Nvidia proprietary drivers, the files /dev/nvidiaN and
/dev/nvidiactl don't get the right context. That has been discussed
here and elsewhere previously. As I've understood it, it has to be
fixed in the proprietary code somewhere.
To work around the problem until there is a proper fix, if ever, I
added
/dev/nvidia0
/dev/nvidiactl
to /etc/selinux/restorecond.conf. But now I get a complaint about
restorecond not being allowed to relabel those files:
type=AVC msg=audit(1312575006.803:33): avc: denied { relabelto } for pid=905 comm="restorecond" name="nvidiactl" dev=devtmpfs ino=18490 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
SEtroubleshoot suggests using audit2allow to make a module to allow
that. I'll do that, so I can work around this problem too.
But I am a bit surprised by the need. Why isn't restorecond
(or more properly, restorecond_t) allowed to relabel everything?
Isn't that what it is all about?
I did a "sesearch --allow --perm=relabelto --source=restorecond_t" and
got a very long list of allow rules. I'm not quite sure how those
look in the source code, if all of them have been individually listed,
or if they use some general attributes. But obviously it's not
completely wildcarded.
Is this a bug or a feature? :-)
12 years, 7 months