SSHFS (SELinux) frustrations
by Mr Dash Four
I am trying to implement SSH FS on a shared DMZ box running SELinux (the
latest policy in FC15) and have the layout almost a carbon copy of what
is described in [1]. I have been frustrated by multiple failures, however.
The first thing I did after creating the directories is to set the
SELinux domain on these:
/home/sftp-chroot -d gen_context(system_u:object_r:user_home_dir_t,s0)
/home/sftp-chroot/home(/.*)? gen_context(system_u:object_r:user_home_dir_t,s0)
/home/sftp-chroot/dev -d gen_context(system_u:object_r:device_t,s0)
/home/sftp-chroot/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
I've also altered the rsyslog in the way described in [1] so that a log
socket can be used inside chroot. I also altered the policy to enable
ssh home dirs access - gen_tunable(sftpd_enable_homedirs, true) in
ftp.te. On a side note, is there a way to do that in my policy
(sftpd_enable_homedirs -> on), without either altering ftp.te or using
setsebool? I've also noticed that /usr/libexec/openssh/sftp-server has
"bin_t" type - shouldn't that be "sftpd_t"?
When I try to use SSHFS with a dedicated user account I used to get a lot
of AVCs, but I eventually got them reduced to just 2 - one known (below),
and one unknown:
type=AVC msg=audit(1326034699.037:356): avc: denied { create } for pid=2713 comm="sshd" name="ltm-0.42.0.tar.bz2" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1326034699.037:356): arch=40000003 syscall=5 success=no exit=-13 a0=241388 a1=80c1 a2=81b4 a3=233284 items=0 ppid=2710 pid=2713 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=30 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
This happens when I try to copy a single file (ltm-0.42.0.tar.bz2 in
this case) to the SSHFS partition. So, in effect, even though I can look
at my newly-shared partition I can't do anything with it because of
SELinux. If I go into permissive mode - everything is fine (though I get
a lot of AVCs, but that's to be expected).
The other error I get is when rsyslogd starts (at the very beginning
when the DMZ box starts) - I get "Permission denied" message and
rsyslogd cannot open that socket in /home/sftp-chroot/dev/log for some
reason - don't know why as it appears the context is properly set there!
Any help?
[1] - http://blog.famzah.net/2011/02/03/secure-chroot-remote-file-access-via-sf... (Secure chroot() remote file access via SFTP and SSH)
12 years, 3 months
SELinux newbie help please
by Alain Williams
I am building a new machine and am trying very hard to not do as I have done before
and switch selinux off. I am having problems getting things to work.
I want one user to, on login, run a script setuid root -- it needs to be able to
read all files in one part of the file system to back that part up to an externally
mounted USB drive.
I have a small setuid root program (written in C) that just runs the shell script.
1) Making that setuid program the user's login shell does not work. I could not see
what to do.
So I tried an intermediate step.
2) Giving the user a standard bash login shell, then running the setuid root program
at the command line does not do what I want. I put 'id' at the start of the script
and got:
uid=501(backup) gid=502(backup) groups=502(backup) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
I was expecting to see a 'uid=0'. The script then fails since it cannot do things
that I want it to.
I am running CentOS 6.
I have done a lot of reading, but end up going round in circles and much of what I read
seems to be out of date or refer to commands that I do not have.
I understand that I ought to perhaps produce a specific security profile for the 'backup'
user - but can't see how to start.
Any pointers would be gratefully received.
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>
12 years, 3 months
adding port restrictions to policy generated by sepolgen
by Michael Atighetchi
Hi,
I have a question about how to restrict network access via SELinux. I
generated a policy via sepolgen on Fedora 14, and there are some network
specific rules and macros in it, for example:
corenet_tcp_bind_generic_node(CZtp_t)
corenet_tcp_connect_postgresql_port(CZtp_t)
corenet_tcp_connect_vnc_port(CZtp_t)
corenet_udp_bind_generic_node(CZtp_t)
allow CZtp_t self:tcp_socket { setopt read bind create accept write getattr connect shutdown getopt listen };
allow CZtp_t self:udp_socket { setopt read bind create ioctl write getattr connect getopt };
Here is what I would like to change:
1) Restrict privs so that the process can only bind to a specific custom
port, e.g., 2222 (controlled by my app)
2) Restrict privs so that the only processes on the local machine
allowed to connect to this port are those in the same domain as the process
that created the listening socket (same policy as above)
Is this doable?
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet(a)bbn.com
12 years, 3 months
F17\Rawhide boot avc's
by Frank Murphy
Hi,
Am getting lots of avc's and failed services on Rawhide
as below. Can only boot with enforcing=0 as per:
https://lists.fedoraproject.org/pipermail/devel/2012-January/161127.html
Snip from my logwatch below:
--------------------------------------------------
**Unmatched Entries** (Only first 10 out of 71 are printed)
No rules
AUDIT_STATUS: enabled=1 flag=1 pid=626 rate_limit=0 backlog_limit=320 lost=0 backlog=0
type=1130 audit(1326356505.927:102): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="plymouth-reboot" exe="/bin/systemd" hostname=? addr=? terminal=? res=failed'
type=1130 audit(1326356505.678:94): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="systemd-random-seed-save" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=1131 audit(1326356505.686:95): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="systemd-random-seed-save" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=1131 audit(1326356505.714:96): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="dbus" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=1130 audit(1326356505.764:97): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="alsa-store" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=1131 audit(1326356505.766:98): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="alsa-store" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=1131 audit(1326356505.785:99):Jan 12 08:22:52 test05 kernel: imklog 5.8.6, log source = /proc/kmsg started.
No rules
---------------------------------------------------
How can I help debug this?
selinux-policy-3.10.0-74.fc17
selinux-policy-targeted-3.10.0-74.fc17
32 and 64 bit
--
Regards,
Frank Murphy
UTF_8 Encoded
Friend of fedoraproject.org
12 years, 3 months
circular policy references generated by sepolgen
by Michael Atighetchi
All,
I have a number of custom policies that I developed on a Fedora 14
system by using sepolgen and iterating over the policies up to a point
where they are violation free.
When trying to install those policies on another system, I've run into a
circular dependency issue. No matter what order I call the 6 .sh
scripts created by sepolgen, I always end up with missing required
types, e.g.:
----
[proxyuser@lime selinux]$ sudo ./CZwd.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
make: Nothing to be done for `all'.
+ /usr/sbin/semodule -i CZwd.pp
libsepol.print_missing_requirements: CZwd's global requirements were not met: type/attribute CZfwa_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
/usr/sbin/semodule: Failed!
----
Presumably, one can break these cycles by defining all required types first.
Is there a manual way to do this using the SELinux tools?
Thanks
Michael
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet(a)bbn.com
12 years, 3 months
Proper settings to allow web server to send mail
by SternData
I found this in my maillog:
Jan 10 13:54:02 scarletfire sendmail[9824]: NOQUEUE: SYSERR(apache): can not chdir(/var/spool/clientmqueue/): Permission denied
coming from an AVC:
Jan 10 13:54:02 scarletfire kernel: type=1400 audit(1326225242.351:5): avc: denied { search } for pid=9824 comm="sendmail" name="clientmqueue" dev=dm-0 ino=1312124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
What are the proper settings to allow a web server to do whatever it was
trying to do here... (Or was this something bad that SELinux prevented?)
--
-- Steve
12 years, 3 months
security contexts
by mark
In CentOS 6.2, I'm getting
sshd[6116]: pam_selinux(sshd:session): Security context unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 is not allowed for
and
sshd[6116]: pam_selinux(sshd:session): Unable to get valid context for root
Googling shows me nothing useful - what's causing this? Is it a process or
a file that needs something changed? This is a production and home
directory server, so I can't touch /.autorelabel and reboot, though I can
certainly do whole directory trees.
mark
12 years, 3 months
MySQL's LOAD DATA INFILE statement
by Marcio B. Jr.
Hi,
I'm having some problems with MySQL and SELinux, and I need help.
Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
$ ps -eZ | grep mysqld
system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
My problem is:
it is only possible to use "LOAD DATA INFILE" statement if SELinux is
in its permissive state.
Strangely, the logs below show no AVC denial (all I can tell from them is
that Chinese tried to break in, and the last line probably refers to when I
added the mysql user to some group I created). But the statement won't work in
enforcing state. Nothing gives me any tip concerning the referred
MySQL statement issue.
# cat /var/log/audit/audit.log | grep mysql
type=USER_LOGIN msg=audit(1305401554.802:34): user pid=2229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305401556.759:36): user pid=2229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404558.850:1653): user pid=3709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404560.536:1655): user pid=3709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404563.834:1656): user pid=3711 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404566.207:1658): user pid=3711 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
type=ADD_GROUP msg=audit(1322849937.081:18): user pid=1989 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group acct="mysql" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Firstly, where could that avc denial be in?
And, well, I want to keep SELinux enforcing its policies, except for
what is needed in order to make "LOAD DATA INFILE" work.
So, what would be the proper way to achieve that?
Marcio Barbado, Jr.
12 years, 3 months
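The SSHFS and sendmail posts above each paste one AVC denial, and the MySQL post greps audit.log and finds only USER_LOGIN records. This added example (an editor's addition, not code from any of the posters) parses both record shapes shown on this page, discards records that are not denials, and collapses the rest into the source-type/target-type/class/permission tuples that an audit2allow-style allow rule is built from. The sample lines are constructed from the records quoted above.

```python
import re

# Constructed sample: a raw audit.log AVC record, a kernel-syslog (type=1400)
# AVC record, and a USER_LOGIN record that is not a denial at all.
SAMPLE_LOG = """\
type=AVC msg=audit(1326034699.037:356): avc: denied { create } for pid=2713 comm="sshd" name="ltm-0.42.0.tar.bz2" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Jan 10 13:54:02 scarletfire kernel: type=1400 audit(1326225242.351:5): avc: denied { search } for pid=9824 comm="sendmail" name="clientmqueue" dev=dm-0 ino=1312124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=USER_LOGIN msg=audit(1305401554.802:34): user pid=2229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=? terminal=sshd res=failed'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:range]; the MLS range (s0-s0:c0.c1023)
    # may itself contain colons, so take the type by index, not rsplit.
    return {
        "perms": sorted(m.group("perms").split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize_denials(log_text):
    """Collapse denials into {(src, tgt, class): set(perms)}. Review each
    entry before allowing it: a denial may be SELinux doing its job."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            summary.setdefault(key, set()).update(rec["perms"])
    return summary


def as_allow_rules(summary):
    """Render the summary as policy allow rules, sorted for stable output."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(summary.items())]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

Run against a real /var/log/audit/audit.log the function reports nothing for the MySQL poster's USER_LOGIN records, which is exactly the "no AVC here" result that points at a denial being silenced by a dontaudit rule rather than at a missing allow.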
filesystem relabeling not working for /tmp after enabling SELinux
by Bennett Haselton
Quick version: Anyone know why, if you try to relabel your filesystem
for SELinux, files in /tmp do not get relabeled?
Detailed version:
I have a CentOS 5.7 machine where I am trying to enable SELinux to
improve the machine's security.
I specified "SELINUX=permissive" in /etc/selinux/config and rebooted,
and sestatus reports that it's on:
[root@g6950-21025 tmp]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted
But when I try to relabel the filesystem, files in /tmp do not get
relabeled, although files everywhere except /tmp do get relabeled
properly. I relabeled by doing
# genhomedircon
# touch /.autorelabel
# reboot
in accordance with directions at
http://wiki.centos.org/HowTos/SELinux
and the /.autorelabel was deleted after I rebooted (indicating that it
had been processed), and most files were relabeled correctly:
[root@g6950-21025 tmp]# ls -lZ /var/www/html/robots.txt
-rw-rw-rw- root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
However, the ones in /tmp were not:
[root@g6950-21025 tmp]# ls -lZ /tmp/hostname_SKYSLICE.INFO
-rw-r--r-- apache apache system_u:object_r:file_t /tmp/hostname_SKYSLICE.INFO
(sealert says that any file of type "file_t" means it was not relabeled
properly.) I have a number of CGI scripts that rely on reading and
writing to files in the /tmp directory and SELinux would block most of
them from working because of the labeling problem. (Plus PHP writes to
/tmp so I assume many PHP scripts would have errors as well.)
Any idea why the files in /tmp were not relabeled, and how to fix it?
My only guess is that since I think /tmp is a different partition, maybe
the relabeling relabeled everything on the "/" partition but not on
/tmp? If that's correct, how would I fix it? I tried creating a file
at /tmp/.autorelabel and rebooting, but that didn't work (and the file
did not get deleted, suggesting it wasn't processed at all).
Bennett
12 years, 3 months
CIPSO Labeling of Network Packets to/from KVM Windows Guest OS
by djackso1@rockwellcollins.com
Is there any method by which KVM in conjunction with Netlabel or other
labeling function can be configured such that a statically configured label
is added to all outgoing network traffic generated by a specific Windows
Guest OS instance, and is verified and then removed for all incoming network
traffic delivered to a specific Windows Guest OS instance, in a manner which
is transparent to Windows and Windows applications?
12 years, 3 months