Bootup error with SELinux + F15
by magina antimage
Hi,
I have tried disabling SELinux, because I didn't have the selinux module
enabled in my kernel.
I have tried changing /etc/selinux/config
from SELINUX=permissive to SELINUX=disabled,
but I still get the error
"Failed to load SELinux policy." during bootup.
I have referred to "https://bugzilla.redhat.com/show_bug.cgi?id=692573"
and tried to solve this problem, but with no positive results.
Also, sometimes I get I/O errors on my hard disk (during boot) after
one or two boots.
I am not sure whether it's because of SELinux or not, but while
searching for this I/O error I came across a few cases where these I/O
errors were because of SELinux policies.
Other details:
arch: x86
selinux version: libselinux-2.0.99-4.fc15.i686
iptables denied read to inotifyfs
by Kristen
I am finding after a reboot of my server these AVC denials:
type=AVC msg=audit(1356666298.031:40): avc: denied { read } for
pid=2837 comm="iptables" path="inotify" dev=inotifyfs ino=337
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
Installed is:
selinux-policy-2.4.6-327.el5
on a CentOS 5.5 build with kernel 2.6.18-308.24.1.el5
Should this be allowed?
Kristen
AVC for df from logwatch
by SternData
This has appeared the past two mornings. The initial triggering event
was probably the last kernel update:
Dec 16 08:59:09 Installed: kernel-3.6.10-2.fc17.x86_64
**********************************
SELinux is preventing /usr/bin/df from getattr access on the directory
/sys/kernel/config.
***** Plugin restorecon (99.5 confidence) suggests
*************************
If you want to fix the label.
/sys/kernel/config default label should be sysfs_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /sys/kernel/config
***** Plugin catchall (1.49 confidence) suggests
***************************
If you believe that df should be allowed getattr access on the config
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep df /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context system_u:object_r:configfs_t:s0
Target Objects /sys/kernel/config [ dir ]
Source df
Source Path /usr/bin/df
Port <Unknown>
Host sds-desk-2.sterndata.local
Source RPM Packages coreutils-8.15-9.fc17.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-161.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name sds-desk-2.sterndata.local
Platform Linux sds-desk-2.sterndata.local 3.6.10-2.fc17.x86_64 #1 SMP Tue Dec 11 18:07:34 UTC 2012 x86_64 x86_64
Alert Count 1
First Seen 2012-12-18 03:33:03 CST
Last Seen 2012-12-18 03:33:03 CST
Local ID 9f9df328-2e36-4b38-8e5b-ec1ee816c1e1
Raw Audit Messages
type=AVC msg=audit(1355823183.154:493): avc: denied { getattr } for
pid=31684 comm="df" path="/sys/kernel/config" dev="configfs" ino=9139
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1355823183.154:493): arch=x86_64 syscall=stat
success=yes exit=0 a0=1078340 a1=7ffff0c48b90 a2=7ffff0c48b90
a3=3eb5b2f360 items=0 ppid=31683 pid=31684 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=54 comm=df
exe=/usr/bin/df subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
Hash: df,logwatch_t,configfs_t,dir,getattr
audit2allow
#============= logwatch_t ==============
allow logwatch_t configfs_t:dir getattr;
audit2allow -R
#============= logwatch_t ==============
allow logwatch_t configfs_t:dir getattr;
--
-- Steve
Re: apcupsd
by Dominick Grift
On Tue, 2012-12-18 at 17:17 +0000, Moray Henderson wrote:
> > -----Original Message-----
> > From: grift [mailto:dominick.grift@gmail.com]
> > Sent: 18 December 2012 17:01
> >
> > On Tue, 2012-12-18 at 17:49 +0100, grift wrote:
> > > On Tue, 2012-12-18 at 16:37 +0000, Moray Henderson wrote:
> > > > Hi SELinux
> >
> > >
> > > mkdir myapcupsd; cd myapcupsd
> > > echo "policy_module(myapcupsd, 1.0.0)
> > > gen_require(\` type apcupsd_t; ')
> > > corenet_udp_bind_generic_node(apcupsd_t)
> > > corenet_udp_bind_snmp_port(apcupsd_t)
> > > allow apcupsd_t self:capability net_bind_service;" > myapcupsd.te
> > >
> > > make -f /usr/share/selinux/devel/Makefile myapcupsd.pp
> > > sudo semodule -i myapcupsd.pp
> > >
> > > consider filing a bugzilla please
> >
> > I am adding this upstream (should eventually trickle down):
> >
> > > From 87e5d6d571cb82c3a96159041962c2a9378bc023 Tue, 18 Dec 2012
> > > 17:59:34 +0100
> > > From: Dominick Grift <dominick.grift(a)gmail.com>
> > > Date: Tue, 18 Dec 2012 17:59:18 +0100
> > > Subject: [PATCH] Changes to the apcupsd policy module
> > >
> > >
> > > Support apcupsd configured for snmp
> > >
> > > Signed-off-by: Dominick Grift <dominick.grift(a)gmail.com> diff --git
> > > a/apcupsd.te b/apcupsd.te index ceb368d..9cd93c5 100644
> > > --- a/apcupsd.te
> > > +++ b/apcupsd.te
> > > @@ -1,4 +1,4 @@
> > > -policy_module(apcupsd, 1.8.3)
> > > +policy_module(apcupsd, 1.8.4)
> > >
> > > ########################################
> > > #
> > > @@ -29,7 +29,7 @@
> > > # Local policy
> > > #
> > >
> > > -allow apcupsd_t self:capability { dac_override setgid sys_tty_config
> > > };
> > > +allow apcupsd_t self:capability { dac_override setgid sys_tty_config
> > > +net_bind_service };
> > > allow apcupsd_t self:process signal;
> > > allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t
> > > self:unix_stream_socket create_stream_socket_perms; @@ -58,13 +58,20
> > > @@
> > > corenet_all_recvfrom_netlabel(apcupsd_t)
> > > corenet_tcp_sendrecv_generic_if(apcupsd_t)
> > > corenet_tcp_sendrecv_generic_node(apcupsd_t)
> > > -corenet_tcp_sendrecv_all_ports(apcupsd_t)
> > > corenet_tcp_bind_generic_node(apcupsd_t)
> > > +corenet_udp_sendrecv_generic_if(apcupsd_t)
> > > +corenet_udp_sendrecv_generic_node(apcupsd_t)
> > > +corenet_udp_bind_generic_node(apcupsd_t)
> > >
> > > corenet_tcp_bind_apcupsd_port(apcupsd_t)
> > > corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
> > > +corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
> > > corenet_tcp_connect_apcupsd_port(apcupsd_t)
> > >
> > > +corenet_udp_bind_snmp_port(apcupsd_t)
> > > +corenet_sendrecv_snmp_server_packets(apcupsd_t)
> > > +corenet_udp_sendrecv_snmp_port(apcupsd_t)
> > > +
> > > dev_rw_generic_usb_dev(apcupsd_t)
> > >
> > > files_read_etc_files(apcupsd_t)
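Review bot: in the capability hunk, the `+net_bind_service };` added to `allow apcupsd_t self:capability { dac_override setgid sys_tty_config` is redundant: as Moray notes further down in this thread and the author confirms, corenet_udp_bind_snmp_port() already grants net_bind_service for binding the reserved port, so the explicit rule only widens the domain's standalone capability set. Suggest dropping it and leaving the capability grant to the port interface.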
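Review bot: the commit message ("Support apcupsd configured for snmp") does not cover the `-corenet_tcp_sendrecv_all_ports(apcupsd_t)` removal in the last hunk, which is replaced by the single `+corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)`. That is a tightening unrelated to SNMP and could break deployments that relied on apcupsd reaching other TCP ports; either split it into its own commit or state it in the message so downstream (el6) maintainers see the behaviour change. The UDP additions themselves line up with the three denials reported (node_bind on node_t, name_bind on snmp_port_t, net_bind_service).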
>
> Excellent - thanks. It looks as if corenet_udp_bind_snmp_port already allows the capability net_bind_service. Do you still want an RHEL 6 bug logged?
Nice catch on the net_bind_service :)
Welp, that is up to you. Not sure how soon this fix would end up in el6
though.. but then again, reporting it could not hurt.. or could it?
>
> Moray.
> “To err is human; to purr, feline.”
audit2allow analysis
by Ramkumar Raghavan
Hi,
I am a newbie to selinux. I have enabled selinux in enforcing mode.
Based on the audit logs, I have run the audit2allow tool to generate the
custom policy modules.
Here is the content of the "te" file. Please let me know if there are any
security issues in the module below.
========================================================================
cat Custom_stage_watch.te
module Custom_stage_watch 1.0;
require {
type httpd_tmp_t;
type user_tmp_t;
type sshd_t;
type usr_t;
type user_home_dir_t;
type sendmail_t;
type httpd_t;
type certwatch_t;
type initrc_tmp_t;
type local_login_t;
type fixed_disk_device_t;
type logrotate_t;
type memory_device_t;
type var_t;
type nfs_t;
class blk_file read;
class dir { search read create write getattr rmdir remove_name open add_name };
class file { rename execute setattr read create execute_no_trans write getattr unlink open append };
class chr_file { read write };
}
#============= certwatch_t ==============
allow certwatch_t var_t:file { read getattr open };
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_tmp_exec'
allow httpd_t httpd_tmp_t:file execute;
#!!!! This avc can be allowed using one of the these booleans:
# httpd_use_nfs, httpd_enable_homedirs
allow httpd_t nfs_t:dir { search read create write getattr rmdir remove_name open add_name };
#!!!! This avc can be allowed using one of the these booleans:
# httpd_use_nfs, httpd_enable_homedirs
allow httpd_t nfs_t:file { rename create unlink open setattr };
#!!!! This avc can be allowed using one of the these booleans:
# httpd_read_user_content, httpd_enable_homedirs
allow httpd_t user_home_dir_t:dir getattr;
allow httpd_t user_tmp_t:dir read;
allow httpd_t usr_t:file { write execute create append execute_no_trans };
allow httpd_t var_t:file { read getattr open };
#============= local_login_t ==============
allow local_login_t initrc_tmp_t:file { read open };
#============= logrotate_t ==============
#!!!! The source type 'logrotate_t' can write to a 'dir' of the following types:
# varnishlog_log_t, var_lock_t, tmp_t, logrotate_var_lib_t, logrotate_tmp_t, logfile, named_cache_t, acct_data_t, var_spool_t, var_lib_t, abrt_var_cache_t, var_log_t, mailman_log_t
allow logrotate_t usr_t:dir { write remove_name add_name };
allow logrotate_t usr_t:file { write rename create unlink setattr };
#============= sendmail_t ==============
allow sendmail_t fixed_disk_device_t:blk_file read;
allow sendmail_t memory_device_t:chr_file { read write };
#============= sshd_t ==============
allow sshd_t initrc_tmp_t:file { read getattr open };
===============================================================================================
Regards
Ramkumar Raghavan
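As an added example (not code from any of these posts), the script below does the review Ramkumar asks for mechanically: it parses raw AVC lines like the ones quoted in this thread, groups them into allow rules the way audit2allow does, and flags the rules that widen the policy instead of fixing a label (for instance the httpd_t write-plus-execute access to usr_t above). The sample lines and the risk heuristics are constructed for this example.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXEC = {"execute", "execute_no_trans"}
WRITE = {"write", "create", "append"}

def parse_avc(line):
    """Return (source type, target type, class, perms); the type is field 3 of user:role:type[:range]."""
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL records and other non-AVC lines are ignored
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    src, tgt = f["scontext"].split(":")[2], f["tcontext"].split(":")[2]
    return src, tgt, f["tclass"], set(m.group("perms").split())

def assess(cls, perms):
    """Heuristic reason why allowing this rule would weaken the policy, or None."""
    if cls == "blk_file":
        return "raw block device access bypasses file labels"
    if cls == "chr_file" and "write" in perms:
        return "writing a character device (e.g. memory_device_t) is unconfined"
    if perms & EXEC and perms & WRITE:
        return "type becomes both writable and executable by the domain"
    if perms & EXEC:
        return "grants code execution on a new type; prefer relabelling"
    return None

def draft_rules(lines):
    """Group denials per (source, target, class) like audit2allow; return (rule, warning) pairs."""
    grouped = defaultdict(set)
    for line in lines:
        if rec := parse_avc(line):
            src, tgt, cls, perms = rec
            grouped[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        body = " ".join(sorted(perms))
        perm_str = body if len(perms) == 1 else "{ %s }" % body
        target = "self" if src == tgt else tgt  # audit2allow writes self:capability
        rules.append((f"allow {src} {target}:{cls} {perm_str};", assess(cls, perms)))
    return rules

# Constructed sample: the df/logwatch denial from this thread, plus a line modelled on Custom_stage_watch.te
SAMPLE = [
    'type=AVC msg=audit(1355823183.154:493): avc: denied { getattr } for pid=31684 comm="df" path="/sys/kernel/config" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1355000000.000:1): avc: denied { write execute } for pid=100 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
]
```

Running `draft_rules(SAMPLE)` yields the logwatch getattr rule unflagged and the httpd_t/usr_t rule flagged, which is the kind of distinction a reviewer should make before `semodule -i`.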
BackupPC
by Gabriele Pohl
Hi all,
I reinstalled BackupPC (BackupPC-3.2.1-7.fc17.i686)
on my Fedora 17 machine.
(The reason is that I have a new backup disk,
which is mounted in /var/lib/BackupPC, and
I wanted the installation to create the directories
there and set the appropriate SELinux privileges.)
httpd runs under user backuppc on this host.
The backuppc service is started.
When I call the CGI interface I see the
following message on screen:
-------------- snip --------------
Error: Unable to connect to BackupPC server
This CGI script (/backuppc) is unable to connect to the BackupPC server
on localhost port -1.
The error was: unix connect: Permission denied.
Perhaps the BackupPC server is not running or there is a configuration
error. Please report this to your Sys Admin.
-------------- snip --------------
At the same time the following AVC denial is written:
type=AVC msg=audit(1355679394.218:18): avc: denied { write } for
pid=9409 comm="BackupPC_Admin." name="BackupPC.sock" dev="tmpfs"
ino=3636017 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1355679394.218:18): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfca7e90 a2=b771bff4 a3=8de4008 items=0
ppid=9337 pid=9409 auid=4294967295 uid=483 gid=488 euid=483 suid=483
fsuid=483 egid=488 sgid=488 fsgid=488 tty=(none) ses=4294967295
comm="BackupPC_Admin." exe="/usr/bin/perl"
subj=system_u:system_r:httpd_t:s0 key=(null)
I tried to add an appropriate rule following the
instructions from sealert:
# grep BackupPC_Admin. /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
libsepol.scope_copy_callback: entropyd: Duplicate declaration in module:
type/attribute entropyd_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule: Failed!
Can you help / explain the issue?
Thanks in advance and kind regards
Gabriele
ssh on SELinux with permissive mode
by sruthi mohan
Hi,
Currently in my system SELinux is in permissive mode.
I am unable to connect remotely through ssh.
I have done semodule -DB; I did not find any ssh related messages in
audit.log.
Request some help in resolving this issue.
Thanks and Regards
Re: apcupsd
by Dominick Grift
On Tue, 2012-12-18 at 17:36 +0000, Moray Henderson wrote:
> > From: grift [mailto:dominick.grift@gmail.com]
> > Sent: 18 December 2012 17:18
> >
> > Welp, that is up to you. Not sure how soon this fix would end up in el6
> > though.. but then again, reporting it could not hurt.. or could it?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=888440
>
> ;-)
Thanks again for reminding me about the redundant net_bind_service, I
just did a pretty big cleanup removing all the redundant entries!
>
> Moray.
> “To err is human; to purr, feline.”
Re: apcupsd
by Dominick Grift
On Tue, 2012-12-18 at 16:37 +0000, Moray Henderson wrote:
> Hi SELinux
>
>
> Trying to start apcupsd (version 3.14.10) configured for snmp on CentOS 6.3
> (targeted policy 3.7.19) results in
>
> ----
> time->Tue Dec 18 16:07:47 2012
> type=SYSCALL msg=audit(1355846867.862:18629): arch=c000003e syscall=49
> success=yes exit=0 a0=4 a1=7fffabaa61f0 a2=10 a3=7fffabaa5f30 items=0 ppid=1
> pid=2162 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=2 comm="apcupsd" exe="/sbin/apcupsd"
> subj=unconfined_u:system_r:apcupsd_t:s0 key=(null)
> type=AVC msg=audit(1355846867.862:18629): avc: denied { node_bind } for
> pid=2162 comm="apcupsd" scontext=unconfined_u:system_r:apcupsd_t:s0
> tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
> sls.test.office:~# ausearch -a 18629 -a 18630
> ----
> time->Tue Dec 18 16:07:47 2012
> type=SYSCALL msg=audit(1355846867.864:18630): arch=c000003e syscall=49
> success=yes exit=0 a0=5 a1=7fffabaa61f0 a2=10 a3=7fffabaa5f30 items=0 ppid=1
> pid=2162 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=2 comm="apcupsd" exe="/sbin/apcupsd"
> subj=unconfined_u:system_r:apcupsd_t:s0 key=(null)
> type=AVC msg=audit(1355846867.864:18630): avc: denied { net_bind_service }
> for pid=2162 comm="apcupsd" capability=10
> scontext=unconfined_u:system_r:apcupsd_t:s0
> tcontext=unconfined_u:system_r:apcupsd_t:s0 tclass=capability
> type=AVC msg=audit(1355846867.864:18630): avc: denied { name_bind } for
> pid=2162 comm="apcupsd" src=162 scontext=unconfined_u:system_r:apcupsd_t:s0
> tcontext=system_u:object_r:snmp_port_t:s0 tclass=udp_socket
>
> If SELinux is enforcing, apcupsd crashes. If SELinux is permissive, it
> works.
>
> apcupsd.conf contains
>
> UPSCABLE ether
> UPSTYPE snmp
> DEVICE 192.168.1.1:161:APC:private
>
> Is there a configuration, Boolean or a policy-writing macro to fix this
> easily?
>
>
mkdir myapcupsd; cd myapcupsd
echo "policy_module(myapcupsd, 1.0.0)
gen_require(\` type apcupsd_t; ')
corenet_udp_bind_generic_node(apcupsd_t)
corenet_udp_bind_snmp_port(apcupsd_t)
allow apcupsd_t self:capability net_bind_service;" > myapcupsd.te

make -f /usr/share/selinux/devel/Makefile myapcupsd.pp
sudo semodule -i myapcupsd.pp
consider filing a bugzilla please
>
> Moray.
> "To err is human; to purr, feline."
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
apcupsd
by Moray Henderson
Hi SELinux
Trying to start apcupsd (version 3.14.10) configured for snmp on CentOS 6.3
(targeted policy 3.7.19) results in
----
time->Tue Dec 18 16:07:47 2012
type=SYSCALL msg=audit(1355846867.862:18629): arch=c000003e syscall=49
success=yes exit=0 a0=4 a1=7fffabaa61f0 a2=10 a3=7fffabaa5f30 items=0 ppid=1
pid=2162 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=2 comm="apcupsd" exe="/sbin/apcupsd"
subj=unconfined_u:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1355846867.862:18629): avc: denied { node_bind } for
pid=2162 comm="apcupsd" scontext=unconfined_u:system_r:apcupsd_t:s0
tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
sls.test.office:~# ausearch -a 18629 -a 18630
----
time->Tue Dec 18 16:07:47 2012
type=SYSCALL msg=audit(1355846867.864:18630): arch=c000003e syscall=49
success=yes exit=0 a0=5 a1=7fffabaa61f0 a2=10 a3=7fffabaa5f30 items=0 ppid=1
pid=2162 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=2 comm="apcupsd" exe="/sbin/apcupsd"
subj=unconfined_u:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1355846867.864:18630): avc: denied { net_bind_service }
for pid=2162 comm="apcupsd" capability=10
scontext=unconfined_u:system_r:apcupsd_t:s0
tcontext=unconfined_u:system_r:apcupsd_t:s0 tclass=capability
type=AVC msg=audit(1355846867.864:18630): avc: denied { name_bind } for
pid=2162 comm="apcupsd" src=162 scontext=unconfined_u:system_r:apcupsd_t:s0
tcontext=system_u:object_r:snmp_port_t:s0 tclass=udp_socket
If SELinux is enforcing, apcupsd crashes. If SELinux is permissive, it
works.
apcupsd.conf contains
UPSCABLE ether
UPSTYPE snmp
DEVICE 192.168.1.1:161:APC:private
Is there a configuration, Boolean or a policy-writing macro to fix this
easily?
Moray.
"To err is human; to purr, feline."