Bootup error with Selinux +F15
by magina antimage
Hi,
I have tried disabling SELinux, because I didn't have the SELinux module
enabled in my kernel.
I have tried changing /etc/selinux/config
from SELINUX=permissive to SELINUX=disabled,
but I still get the error
"Failed to load SELinux policy." during bootup.
I have referred to "https://bugzilla.redhat.com/show_bug.cgi?id=692573"
and tried to solve this problem, but with no positive results.
Also, sometimes I get I/O errors on my hard disk (during boot) after
one or two boots.
I am not sure whether it's because of SELinux or not, but while
searching for this I/O error I came across a few cases where these I/O
errors were because of SELinux policies.
Other details:
arch: x86
selinux version: libselinux-2.0.99-4.fc15.i686
10 years, 2 months
Re: Not sure who else to send this to...
by Dominick Grift
On Fri, 2012-11-30 at 11:27 -0800, Robin Lee Powell wrote:
> On Fri, Nov 30, 2012 at 11:32:19AM -0500, Daniel J Walsh wrote:
> > >> If you are looking to become a packager from dropbox in fedora,
> > >> I can put you in contact with people who can help you out.
> > >
> > > *Definitely* not that. I'm happy to do much of the back-end
> > > work, but I do *not* want the responsibility of actually
> > > maintaining any packages; my life is full to bursting as it is.
> > > Making all these AVC bug reports is about as much as I can
> > > handle.
> > >
> > > Anyways, Dominick said in IRC that he wanted to see it and the
> > > raw AVCs, so here it is, and Dan you can probably ignore it. It
> > > is *not* polished, but I think it's a decent starting point.
> > >
> > Great, I would love to get this stuff into Fedora, and any help
> > you can give is appreciated.
>
> Well, the "fun" thing about dropbox is that you need to run one
> daemon per each user, and each user has to interact with their
> personal daemon to set up synch and so on. As such, I don't know
> what a decent packaging of it would act like, even in theory. For
> my own part, I've created a puppet definition that takes a user name
> and installs a systemd definition for each dropbox user; once the
> user does the manual synch steps, the daemon can take over and just
> works.
>
> Y'all are welcome to the puppet definition and the systemd template
> if you think it'll help :), but honestly I think the best way to
> handle it at the system packaging level is to just say "Here's the
> daemon, here's some selinux policy, here's a man page that shows you
> how to run the thing yourself".
>
> -Robin
This is what I have so far. It seems to be a solid base at first sight:
> policy_module(mydropbox, 1.0.0)
>
> attribute dropbox_domain;
>
> type dropbox_exec_t;
>
> type dropbox_home_t;
> userdom_user_home_content(dropbox_home_t)
>
> type dropbox_tmp_t;
> userdom_user_tmp_content(dropbox_tmp_t)
>
> type dropbox_tmpfs_t;
> userdom_user_tmpfs_content(dropbox_tmpfs_t)
>
> type dropbox_port_t;
> corenet_port(dropbox_port_t)
>
> allow dropbox_domain self:capability dac_override; # mount
> allow dropbox_domain self:netlink_route_socket r_netlink_socket_perms;
> allow dropbox_domain self:process { execmem signal };
> allow dropbox_domain self:shm create_shm_perms;
> allow dropbox_domain self:tcp_socket create_stream_socket_perms;
> allow dropbox_domain self:udp_socket create_socket_perms;
>
> allow dropbox_domain dropbox_home_t:dir manage_dir_perms;
> allow dropbox_domain dropbox_home_t:file manage_file_perms;
> allow dropbox_domain dropbox_home_t:sock_file manage_sock_file_perms;
> userdom_user_home_dir_filetrans(dropbox_domain, dropbox_home_t, dir, ".dropbox")
>
> allow dropbox_domain dropbox_tmp_t:file { manage_file_perms mmap_file_perms };
> files_tmp_filetrans(dropbox_domain, dropbox_tmp_t, file)
>
> can_exec(dropbox_domain, dropbox_exec_t)
>
> kernel_getattr_core_if(dropbox_domain)
>
> corecmd_exec_shell(dropbox_domain)
>
> corenet_tcp_bind_generic_node(dropbox_domain)
> corenet_tcp_sendrecv_generic_if(dropbox_domain)
> corenet_tcp_sendrecv_generic_node(dropbox_domain)
> corenet_udp_bind_generic_node(dropbox_domain)
> corenet_udp_sendrecv_generic_if(dropbox_domain)
> corenet_udp_sendrecv_generic_node(dropbox_domain)
>
> corenet_sendrecv_http_client_packets(dropbox_domain)
> corenet_tcp_connect_http_port(dropbox_domain)
> corenet_tcp_sendrecv_http_port(dropbox_domain)
>
> allow dropbox_domain dropbox_port_t:{ tcp_socket udp_socket } name_bind; # temporary workaround: 17500
>
> dev_list_sysfs(dropbox_domain)
> dev_read_sysfs(dropbox_domain)
> dev_read_urand(dropbox_domain)
>
> dev_dontaudit_getattr_all_blk_files(dropbox_domain) # panic
> dev_dontaudit_getattr_all_chr_files(dropbox_domain) # panic
>
> fs_getattr_tmpfs(dropbox_domain)
> fs_getattr_xattr_fs(dropbox_domain)
> fs_rw_inherited_tmpfs_files(dropbox_domain) # this is that xserver shm thing
>
> auth_read_passwd(dropbox_domain)
>
> init_getattr_initctl(dropbox_domain)
>
> libs_exec_ldconfig(dropbox_domain)
>
> mount_exec(dropbox_domain)
> mount_manage_pid_files(dropbox_domain) # mount: read/write /run/mount/utab
>
> sysnet_exec_ifconfig(dropbox_domain)
> sysnet_read_config(dropbox_domain)
>
> userdom_manage_user_home_content_dirs(dropbox_domain)
> userdom_manage_user_home_content_files(dropbox_domain)
> userdom_mmap_user_home_content_files(dropbox_domain) # libraries in ~/.dropbox-dist
> userdom_user_home_dir_filetrans_user_home_content(dropbox_domain, dir) # cannot use named file transition due to random names
> userdom_use_inherited_user_terminals(dropbox_domain)
>
> optional_policy(`
> dbus_session_bus_client(dropbox_domain) # probably not actually optional
> dbus_connect_session_bus(dropbox_domain) # probably not actually optional
> ')
>
> optional_policy(`
> gnome_read_home_config(dropbox_domain) # ibus, might not be optional
>
> # hack
> gen_require(`
> type config_home_t;
> ')
>
> allow dropbox_domain config_home_t:dir setattr_dir_perms;
> ')
> policy_module(myuserdomain, 1.0.0)
>
> gen_require(`
> type unconfined_t;
> role unconfined_r;
> ')
>
> dropbox_role_template(unconfined, unconfined_r, unconfined_t)
> ## <summary>Dropbox is a free service that lets you bring all your photos, docs, and videos anywhere.</summary>
>
> #######################################
> ## <summary>
> ## The role template for the dropbox module.
> ## </summary>
> ## <desc>
> ## <p>
> ## This template creates a derived domains which are used
> ## for window manager applications.
> ## </p>
> ## </desc>
> ## <param name="role_prefix">
> ## <summary>
> ## The prefix of the user domain (e.g., user
> ## is the prefix for user_t).
> ## </summary>
> ## </param>
> ## <param name="user_role">
> ## <summary>
> ## The role associated with the user domain.
> ## </summary>
> ## </param>
> ## <param name="user_domain">
> ## <summary>
> ## The type of the user domain.
> ## </summary>
> ## </param>
> #
> template(`dropbox_role_template',`
> gen_require(`
> attribute dropbox_domain;
> type dropbox_exec_t, dropbox_home_t, dropbox_tmpfs_t;
> ')
>
> ########################################
> #
> # Declarations
> #
>
> type $1_dropbox_t, dropbox_domain;
> userdom_user_application_domain($1_dropbox_t, dropbox_exec_t)
> role $2 types $1_dropbox_t;
>
> ########################################
> #
> # Policy
> #
>
> domtrans_pattern($3, dropbox_exec_t, $1_dropbox_t)
>
> ps_process_pattern($3, $1_dropbox_t)
> allow $3 $1_dropbox_t:process { ptrace signal_perms };
>
> allow $1_dropbox_t $3:process signull;
> allow $1_dropbox_t $3:unix_stream_socket connectto;
>
> allow $3 dropbox_exec_t:file { manage_file_perms relabel_file_perms };
> userdom_user_home_content_filetrans($3, dropbox_exec_t, file, "dropbox")
> userdom_user_home_content_filetrans($3, dropbox_exec_t, file, "dropboxd")
> userdom_user_home_content_filetrans($3, dropbox_exec_t, file, "library.zip")
>
> allow $3 dropbox_home_t:dir { manage_dir_perms relabel_dir_perms };
> allow $3 dropbox_home_t:file { manage_file_perms relabel_file_perms };
> allow $3 dropbox_home_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
> userdom_user_home_dir_filetrans($3, dropbox_home_t, dir, ".dropbox")
>
> kernel_read_system_state($1_dropbox_t)
>
> corecmd_bin_domtrans($1_dropbox_t, $3)
>
> corenet_all_recvfrom_unlabeled($1_dropbox_t)
> corenet_all_recvfrom_netlabel($1_dropbox_t)
>
> logging_send_syslog_msg($1_dropbox_t) # might want to make this conditional if possible
>
> optional_policy(`
> dropbox_dbus_chat($1, $3) # probably not actually optional
> ')
>
> optional_policy(`
> xserver_user_x_domain_template($1_dropbox, $1_dropbox_t, dropbox_tmpfs_t) # might not be optional
> ')
> ')
>
> ########################################
> ## <summary>
> ## Send and receive messages from
> ## dropbox over dbus.
> ## </summary>
> ## <param name="role_prefix">
> ## <summary>
> ## The prefix of the user domain (e.g., user
> ## is the prefix for user_t).
> ## </summary>
> ## </param>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`dropbox_dbus_chat',`
> gen_require(`
> type $1_dropbox_t;
> class dbus send_msg;
> ')
>
> allow $2 $1_dropbox_t:dbus send_msg;
> allow $1_dropbox_t $2:dbus send_msg;
> ')
> ## <summary></summary>
> HOME_DIR/\.dropbox(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0)
> HOME_DIR/\.dropbox-dist/dropbox(d)? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
> HOME_DIR/\.dropbox-dist/library.zip -- gen_context(system_u:object_r:dropbox_exec_t,s0)
The above are two policy modules: mydropbox and myuserdomain.
The myuserdomain module extends the unconfined_t domain to run dropbox in the dropbox domain.
I haven't tested/supported the nautilus plugin.
You need to label the dropbox port manually after you have installed the above modules:
# semanage port -l | grep dropbox
dropbox_port_t tcp 17500
dropbox_port_t udp 17500
The way this works is:
In a clean home directory (no ~/Dropbox, ~/.dropbox, ~/.dropbox-dist) do:
cd ~ && wget -O - "https://www.dropbox.com/download?plat=lnx.x86_64" | tar xzf -
cd ~/.dropbox-dist
./dropboxd
Then just follow the steps in the wizard.
I only tested it with an existing account.
I only tested it with an express setup (no customised locations).
Try it out and please give feedback so that we can improve it.
10 years, 10 months
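The build, install and manual port-labeling steps from the post above, collected into one script. This is an added example, not Dominick's code. It assumes the three attachments were saved as mydropbox.te, mydropbox.if and mydropbox.fc, and the second module as myuserdomain.te, in the current directory (the post does not name the files; this is the layout the selinux-policy-devel Makefile expects). The port number and type are the ones the post shows.

```shell
#!/bin/sh
# Added example (not from the post): install the mydropbox/myuserdomain
# modules, label 17500/tcp+udp as dropbox_port_t, relabel the home tree.
# Assumption: mydropbox.te/.if/.fc and myuserdomain.te are in $PWD.
set -eu

PORT=17500
PORT_TYPE=dropbox_port_t

# port_is_labeled PROTO  -- reads a `semanage port -l` listing on stdin and
# succeeds when PORT_TYPE covers PORT for PROTO. Handles comma lists
# ("80, 443, 8080") and ranges ("32768-61000"). No side effects, no root.
port_is_labeled() {
    awk -v t="$PORT_TYPE" -v p="$1" -v want="$PORT" '
        BEGIN { want += 0; found = 0 }
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                n = split(v, r, "-")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (want >= lo && want <= hi) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }'
}

build_and_install() {
    make -f /usr/share/selinux/devel/Makefile   # builds every *.te in $PWD
    semodule -i mydropbox.pp                    # declares dropbox_port_t and
    semodule -i myuserdomain.pp                 # the template this one needs
}

# The module cannot declare the port itself (network_port() lives in
# corenetwork.te), hence the manual step the post describes.
label_port() {
    for proto in tcp udp; do
        if semanage port -l | port_is_labeled "$proto"; then
            echo "$PORT/$proto already $PORT_TYPE"
        else
            semanage port -a -t "$PORT_TYPE" -p "$proto" "$PORT"
        fi
    done
}

# Apply the HOME_DIR/\.dropbox(-dist)? contexts to an unpacked tree.
relabel_home() {
    for d in "$HOME/.dropbox" "$HOME/.dropbox-dist"; do
        if [ -d "$d" ]; then restorecon -R -v "$d"; fi
    done
}

case "${1:-}" in
    install) build_and_install; label_port; relabel_home ;;
    check)
        for proto in tcp udp; do
            semanage port -l | port_is_labeled "$proto" \
                || { echo "$PORT/$proto is not $PORT_TYPE" >&2; exit 1; }
        done
        # the role template derives <prefix>_dropbox_t; for myuserdomain
        # that is unconfined_dropbox_t
        ps -eZ | grep -E '[a-z_]+_dropbox_t' \
            || echo "no process running in a dropbox domain" >&2
        ;;
    "") ;;   # no subcommand: only define the functions (usable when sourced)
    *) echo "usage: $0 {install|check}" >&2; exit 2 ;;
esac
```

Run it as `sh dropbox-selinux.sh install` once as root, then start `./dropboxd` as the user and use `check` to confirm both the port label and that the daemon ended up in a `*_dropbox_t` domain rather than staying unconfined. `port_is_labeled` is kept free of side effects so the parsing can be exercised against a saved listing.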
list changes made to policy from default
by Erik Boyer
Hello!
Is there any way to list changes or additions to the policy from the default?
I have a server that I plan on migrating and I don't have all of the changes I made to SELinux's policy documented. It would be nice if there was a tool that would list what options have changed since the default and their current values.
Thanks in advance!
Thank you,
Erik Boyer
Production / IT System Support
KUKA Toledo Production Operations, LLC
Tel. +1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350
erik.boyer(a)ktpo.com
www.ktpo.com
10 years, 10 months
Problem creating user in loadable module
by Andy Ruch
Hello,
I'm trying to write a module for my custom service that will execute as a separate user. However, I'm having problems creating an SELinux user in the module. When I call make, I get a syntax error. Below is a simple module that reproduces the problem.
Everything compiles when I comment out the 'allow' line. I can install the module and see my user in semanage. Everything also compiles when I comment out the 'gen_user' line. It only fails when there is something after the 'gen_user'.
Can someone tell me the proper syntax for creating a user in a module?
******** BEGIN MODULE ********
module mytest 1.0;
require {
sensitivity s0;
class file { read };
}
type mytest_t;
role mytest_r types { mytest_t };
gen_user( mytest_u, user, mytest_r, s0, s0 )
allow mytest_t self:file read;
******** END MODULE ********
Thanks,
Andrew Ruch
10 years, 10 months
node contexts
by Andy Ruch
Hello,
I'm setting up a system where the nodes need to have different types. Currently, I'm getting an AVC denial for a node but I don't know which node.
My questions:
1) Is it possible to know which node an AVC message is referencing?
2) Is there a way to see all the node contexts? I know "semanage node -l" will show my local nodecon modifications but how do I list all the nodes?
3) I tried to add a "nodecon" statement to the corenetwork.te file but the policy won't compile. How can I label a node from the policy? Here is what I tried:
type my_lo_node_t;
corenet_node( my_lo_node_t )
nodecon 127.0.0.1 255.255.255.255 gen_context(system_u:object_r:my_lo_node_t, s0)
Thanks,
Andy Ruch
10 years, 10 months
Denials not reported in enforcing mode
by Ian Pilcher
I just finished debugging an issue with kdump startup. (systemd was
unable to load the kdump kernel, even though using the kdumpctl command
from a shell worked just fine.) These symptoms immediately made me
think that the problem might be SELinux-related, and my /boot directory
was indeed not labeled correctly.
It took me quite a bit longer than it should have to figure out what was
going on, however, because no denials were reported -- either in the
audit log or by ausearch. It was only when I put SELinux in permissive
mode "just to doublecheck" that anything was reported:
time->Sun Nov 18 22:42:13 2012
type=SYSCALL msg=audit(1353300133.076:93): arch=c000003e syscall=5
success=yes exit=0 a0=3 a1=7fff0a12e0e0 a2=7fff0a12e0e0 a3=7fff0a12de70
items=0 ppid=3402 pid=3422 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec"
exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1353300133.076:93): avc: denied { getattr } for
pid=3422 comm="kexec"
path="/boot/initramfs-3.6.6-1.fc17.x86_64kdump.img" dev="md0" ino=19
scontext=system_u:system_r:kdump_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
----
time->Sun Nov 18 22:42:13 2012
type=SYSCALL msg=audit(1353300133.076:92): arch=c000003e syscall=2
success=yes exit=3 a0=7fff0a12fee4 a1=0 a2=a a3=7fff0a12de70 items=0
ppid=3402 pid=3422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec"
exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1353300133.076:92): avc: denied { open } for
pid=3422 comm="kexec"
path="/boot/initramfs-3.6.6-1.fc17.x86_64kdump.img" dev="md0" ino=19
scontext=system_u:system_r:kdump_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1353300133.076:92): avc: denied { read } for
pid=3422 comm="kexec" name="initramfs-3.6.6-1.fc17.x86_64kdump.img"
dev="md0" ino=19 scontext=system_u:system_r:kdump_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
Is this expected behavior for some reason? Anyone ever seen anything
like this?
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================
10 years, 10 months
Why am I a guest on Fedora 18?
by Erinn Looney-Triggs
Been trying to figure this one out for a bit.
erinn@thin-mint ~ $ id -Z
guest_u:guest_r:oddjob_mkhomedir_t:s0
Fine, well not fine, but given that the homedir was created by oddjob
since this is an IPA client, it makes sense.
However:
erinn@thin-mint ~ $ sudo semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
erinn unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
Ok so I should be an unconfined_u according to this mapping, right?
Is this perhaps SSSD interfering? This F18 client is running against a
RHEL 6.3 IPA server, fully updated. I tried to work with the SELinux
mappings in IPA, however, I was informed that as of 6.3 they are almost
totally broken and to wait for the next release.
Anyway, any ideas?
-Erinn
10 years, 10 months
avc while running appliance-creator
by Matthew Miller
I have been running this with SELinux disabled, but I'm trying to be A
Better Person by running in enforcing mode all the time. I got the following
alert while running appliance-creator. What the heck is "run lnk_file"?
----
SELinux is preventing /usr/sbin/useradd from read access on the lnk_file
run.
***** Plugin catchall_labels (83.8 confidence) suggests
***** ********************
If you want to allow useradd to have read access on the run lnk_file
Then you need to change the label on run
Do
# semanage fcontext -a -t FILE_TYPE 'run'
where FILE_TYPE is one of the following: cert_t, selinux_config_t,
# user_home_dir_t, device_t, device_t, devlog_t, locale_t,
# httpd_user_content_type, security_t, etc_t, ld_so_t, proc_t, mail_spool_t,
# device_t, abrt_t, bin_t, etc_t, base_ro_file_type, lib_t, man_t,
# etc_runtime_t, root_t, tmp_t, bin_t, cert_t, var_run_t, tmp_t, tmp_t,
# selinux_login_config_t, httpd_user_script_exec_type, textrel_shlib_t,
# etc_runtime_t, var_run_t, selinux_config_t, rpm_script_tmp_t, security_t,
# proc_t, net_conf_t, security_t, etc_t, etc_runtime_t, var_run_t, bin_t,
# var_run_t, var_run_t, useradd_t, usr_t, user_home_type, domain,
# home_root_t, etc_t, var_run_t, var_run_t.
Then execute:
restorecon -v 'run'
***** Plugin catchall (17.1 confidence) suggests
***** ***************************
If you believe that useradd should be allowed read access on the run
lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep useradd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context
unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:var_t:s0
Target Objects run [ lnk_file ]
Source useradd
Source Path /usr/sbin/useradd
Port <Unknown>
Host ubik.home.mkmiller.org
Source RPM Packages shadow-utils-4.1.5.1-1.fc18.x86_64
Target RPM Packages filesystem-3.1-2.fc18.x86_64
Policy RPM selinux-policy-3.11.1-50.fc18.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ubik.home.mkmiller.org
Platform Linux ubik.home.mkmiller.org
3.6.5-2.fc18.x86_64
#1 SMP Thu Nov 1 00:39:17 UTC 2012 x86_64
# x86_64
Alert Count 7
First Seen 2012-11-08 15:53:06 EST
Last Seen 2012-11-08 15:53:10 EST
Local ID e1402ea5-4bcb-45fa-b220-95fe0c0dc868
Raw Audit Messages
type=AVC msg=audit(1352407990.104:1493): avc: denied { read } for
pid=19226 comm="useradd" name="run" dev="dm-1" ino=130358
scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1352407990.104:1493): arch=x86_64 syscall=connect
success=no exit=EACCES a0=5 a1=7ffffac812e0 a2=6e a3=ffffffffffffffff
items=0 ppid=19218 pid=19226 auid=18281 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm=useradd exe=/usr/sbin/useradd
subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
Hash: useradd,useradd_t,var_t,lnk_file,read
audit2allow
#============= useradd_t ==============
allow useradd_t var_t:lnk_file read;
audit2allow -R
#============= useradd_t ==============
allow useradd_t var_t:lnk_file read;
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>
10 years, 11 months
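The two posts above ("Denials not reported in enforcing mode" and "avc while running appliance-creator") show the same shape of problem from two angles: kdump_t denied on a file_t (unlabeled) initramfs that only surfaces in permissive mode, and useradd_t denied on a var_t symlink in enforcing mode. The script below is an added example, not code from either post: it parses raw AVC and SYSCALL records, re-joins the lines the mail wrapped, pairs each AVC with its SYSCALL by audit serial, and flags denials whose target type is generic, which usually points at a labeling problem rather than a missing allow rule. The set of "generic" types is this example's own heuristic, and the SYSCALL lines in the embedded samples are abridged copies of the posted ones.

```python
"""Added example, not code from either post: parse the raw AVC/SYSCALL
records quoted above, re-join wrapped lines, pair each AVC with its
SYSCALL by audit serial, and flag denials against a generic target type."""
import re

# Assumption of this example: these target types mean the object never got
# a real label (file_t = unlabeled, default_t = file_contexts catch-all,
# var_t = generic /var). A denial against them is usually a labeling bug.
GENERIC_TARGET_TYPES = {"file_t", "unlabeled_t", "default_t", "var_t"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def join_records(text):
    """'type=' opens a record, 'time->'/'----' are ausearch separators,
    anything else is a continuation of the previous (wrapped) record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("time->", "----")):
            continue
        if line.startswith("type="):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records

def fields(rest):
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}

def analyze(text):
    """One dict per AVC. Mode is inferred from the paired SYSCALL: a denial
    whose syscall still reports success=yes was logged permissively."""
    syscalls, avcs = {}, []
    for rec in join_records(text):
        m = SYSCALL_RE.match(rec)
        if m:
            syscalls[int(m.group("serial"))] = fields(m.group("rest"))
            continue
        m = AVC_RE.match(rec)
        if m:
            avcs.append((int(m.group("serial")), m.group("perms").split(),
                         fields(m.group("rest"))))
    out = []
    for serial, perms, f in avcs:
        ttype = f["tcontext"].split(":")[2]
        success = syscalls.get(serial, {}).get("success")
        out.append({
            "serial": serial, "comm": f.get("comm"), "perms": perms,
            "stype": f["scontext"].split(":")[2], "ttype": ttype,
            "tclass": f["tclass"], "target": f.get("path") or f.get("name"),
            "mode": {"yes": "permissive", "no": "enforcing"}.get(success, "unknown"),
            "likely_mislabel": ttype in GENERIC_TARGET_TYPES,
        })
    return out

def advice(d):
    """Next step for one analyzed denial."""
    what = "%s %s %s %s (%s, %s)" % (d["stype"], " ".join(d["perms"]),
                                     d["tclass"], d["target"], d["ttype"], d["mode"])
    if d["likely_mislabel"]:
        return what + " -> check the label: matchpathcon / restorecon -nv on the target"
    return what + " -> genuine policy gap: audit2allow, or report it"

# Records copied from the two posts above (SYSCALL lines abridged), kept
# wrapped the way the mail shows them.
IAN_SAMPLE = """\
time->Sun Nov 18 22:42:13 2012
type=SYSCALL msg=audit(1353300133.076:93): arch=c000003e syscall=5 success=yes exit=0 comm="kexec" subj=system_u:system_r:kdump_t:s0
type=AVC msg=audit(1353300133.076:93): avc: denied { getattr } for
pid=3422 comm="kexec"
path="/boot/initramfs-3.6.6-1.fc17.x86_64kdump.img" dev="md0" ino=19
scontext=system_u:system_r:kdump_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
----
type=SYSCALL msg=audit(1353300133.076:92): arch=c000003e syscall=2 success=yes exit=3 comm="kexec" subj=system_u:system_r:kdump_t:s0
type=AVC msg=audit(1353300133.076:92): avc: denied { open } for
pid=3422 comm="kexec"
path="/boot/initramfs-3.6.6-1.fc17.x86_64kdump.img" dev="md0" ino=19
scontext=system_u:system_r:kdump_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1353300133.076:92): avc: denied { read } for
pid=3422 comm="kexec" name="initramfs-3.6.6-1.fc17.x86_64kdump.img"
dev="md0" ino=19 scontext=system_u:system_r:kdump_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
"""
MATTHEW_SAMPLE = """\
type=AVC msg=audit(1352407990.104:1493): avc: denied { read } for
pid=19226 comm="useradd" name="run" dev="dm-1" ino=130358
scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1352407990.104:1493): arch=x86_64 syscall=connect success=no exit=EACCES comm=useradd exe=/usr/sbin/useradd
"""

if __name__ == "__main__":
    for sample in (IAN_SAMPLE, MATTHEW_SAMPLE):
        for d in analyze(sample):
            print(advice(d))
```

Two caveats when reading the "mode" column: `success=yes` on a denied AVC means either the whole system was permissive or just that source domain was (`semanage permissive -l` lists per-domain exceptions), and an operation that fails in enforcing mode with no AVC at all may be covered by a dontaudit rule; `semodule -DB` rebuilds the policy without dontaudit rules so those denials appear, and `semodule -B` puts them back.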
Off-topic: rounds
by Moray Henderson
Sorry for the off-topic question: this is the only security-type list I'm a
member of. Please point me to a better place to ask if there is one. I've
just been looking at the 'rounds' options for sha512 password hashing.
According to the man pages, you can set rounds options in: 1)
/etc/libuser.conf 2) pam_unix 3) /etc/login.defs. Now I'm confused: is
this really 3 different places to set the same thing? Do they all need to
be set? Which is used under what circumstances? What happens if they are
set differently?
Moray.
"To err is human; to purr, feline."
10 years, 11 months
block find / perl / curl to user ?
by bob lapointe
Hello,
I want to restrict a user; I would like to forbid the use of system commands such as
"find, perl".
In all the documentation I've found it is always about allowing commands, never about
prohibiting a user from doing something.
Can it be done with SELinux? Or do I have to "play" with the permissions of the
commands?
Thanks
Jérémy P
10 years, 11 months