[sandbox] modifying the Xephyr window title (patch)
by Christoph A.
Hi,
If most of your windows are sandboxed applications, your bar looks like:
[Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..]
and it is hard to find a specific application.
Example of a current Xephyr title:
Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox
With the modification in the attached patch, titles will look like:
/usr/bin/firefox (sandbox_web_t)
and it should be easier to find a specific application.
In addition to the type I would find it handy to also include the
DISPLAY in the title (needed when using xsel for copy'n paste).
The second patch only adds '-nolisten tcp' to Xephyr, but if there are
use cases where one needs Xephyr to open a listener, this patch will
break things.
regards,
Christoph A.
btw: secon's manpage doesn't contain the '-l' option.
11 years, 10 months
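Added example, not from the post or the sandbox tool itself: a parser for the current title format quoted above and a builder for the proposed one. The DISPLAY placement (appended as " [:N]") is an assumption; the post only asks for it to be included. The example also offers to keep the MCS categories, because two sandboxes of the same type differ only in their categories, so a title with just the type and command cannot tell them apart.

```python
import re

# Old title format from the post above:
#   Sandbox <type>:<level>[:<categories>] -- <command>
# e.g. "Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox"
_TITLE_RE = re.compile(r"^Sandbox\s+(?P<type>[^:\s]+):(?P<level>\S+)\s+--\s+(?P<cmd>.+)$")


def parse_title(title):
    """Return (type, level, command) from an old-style sandbox Xephyr title."""
    m = _TITLE_RE.match(title)
    if not m:
        raise ValueError("not a sandbox Xephyr title: %r" % title)
    return m.group("type"), m.group("level"), m.group("cmd")


def categories(level):
    """MCS category part of a level such as 's0:c112,c991' ('' when absent)."""
    _sensitivity, _, cats = level.partition(":")
    return cats


def new_title(title, display=None, keep_categories=False):
    """Build the proposed '<command> (<type>)' title.

    display         -- DISPLAY used inside the sandbox, appended as ' [:N]'
                       (placement is an assumption of this example)
    keep_categories -- also append the MCS categories; sandboxes of the same
                       type are told apart only by them
    """
    t, level, cmd = parse_title(title)
    out = "%s (%s)" % (cmd, t)
    if keep_categories and categories(level):
        out += " %s" % categories(level)
    if display is not None:
        out += " [%s]" % display
    return out


if __name__ == "__main__":
    old = "Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox"
    print(new_title(old))
    print(new_title(old, display=":2", keep_categories=True))
```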
Policy for CouchDB
by Michael Milverton
Hi,
I'm in the process of writing a policy for couchdb (nosql database). I'm
using the selinux-polgengui and eclipse slide tools to help. I've hit a
roadblock because it won't start but I'm not getting any more AVCs. I'm
wondering if anybody might be able to offer some clue about getting more
AVCs from it because if it won't talk to me I can't get much further.
The only entries in audit.log are:
type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=?
terminal=? res=success'
type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=?
addr=? terminal=? res=success'
type=USER_END msg=audit(1309362790.640:1345): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:session_close acct="couchdb" exe="/sbin/runuser" hostname=?
addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1309362790.641:1346): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=?
terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=':
comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=?
addr=? terminal=? res=failed'
Now, it will start fine (and run) when it is unlabeled (not what I want of
course). Couchdb runs under the username/group couchdb but I haven't added
any transition rules for this yet (any help on this would be appreciated).
FC FILE:
/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/bin/couchjs -- gen_context(system_u:object_r:couchdb_exec_t,s0)
TE FILE:
policy_module(couchdb,1.0.0)

require {
	type bin_t;
	type fs_t;
	type proc_t;
}

# Domain for the daemon
type couchdb_t;
domain_type(couchdb_t)
permissive couchdb_t;

# Access to shared libraries
libs_use_ld_so(couchdb_t)
libs_use_shared_libs(couchdb_t)
miscfiles_read_localization(couchdb_t)
dev_read_urand(couchdb_t)

# Entry point type for the daemon
type couchdb_exec_t;
files_type(couchdb_exec_t)
domain_entry_file(couchdb_t, couchdb_exec_t)
init_daemon_domain(couchdb_t, couchdb_exec_t)

# Logging
logging_send_syslog_msg(couchdb_t)
# logging_log_file() marks a file type as a log type; calling it on the
# domain itself was a mistake, so the daemon gets its own log file type.
type couchdb_log_t;
logging_log_file(couchdb_log_t)
manage_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
logging_log_filetrans(couchdb_t, couchdb_log_t, file)

# Temp files
type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)
manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })

# Configuration (no dedicated type yet)
#type couchdb_config_t;
files_read_etc_files(couchdb_t)

# /bin/basename and some others
allow couchdb_t bin_t:file { read getattr open execute execute_no_trans };
allow couchdb_t fs_t:filesystem getattr;
allow couchdb_t proc_t:file { read getattr open };
allow couchdb_t self:fifo_file { read write getattr };

# Not sure about this
auth_domtrans_chk_passwd(couchdb_t)

# Not sure about this either.
domain_use_interactive_fds(couchdb_t)
Any clues, tips, advice would be most appreciated
Thanks
12 years, 1 month
Dipping into the policy waters
by Alan Batie
I'm trying a simple "first policy" with Eclipse and SLIDE, and getting
an error I don't understand. I'm hoping someone can point me in the
right direction:
Creating policy.xml
/usr/share/selinux/devel/include/support/segenxml.py: warning: unable to
find XML for interface peak_read_files()
/usr/share/selinux/devel/include/support/segenxml.py: warning: unable to
find XML for interface peak_read_config_files()
/usr/share/selinux/devel/include/support/segenxml.py: warning: orphan
XML comments at bottom of file ./peak_files.te
doc/policy.xml:65535: element module: validity error : Element module
content does not follow the DTD, expecting (summary , desc? , required?
, (interface | template)* , (bool | tunable)*), got (summary param
interface interface )
Document doc/policy.xml does not validate against
/usr/share/selinux/devel/include/support/policy.dtd
make: *** [doc/policy.xml] Error 3
Compiling targeted peak_files module
I'm guessing that means I haven't defined the interfaces somewhere I
ought to, but I have them in the Interfaces (.if) tab:
############################################################
## <summary>
##	Access to reading peak files
## </summary>
## <param name="domain">
##	<summary>
##	Source domain to give access to
##	</summary>
## </param>
#
interface(`peak_read_files',`
	gen_require(`
		type peak_t;
	')

	allow $1 peak_t:dir list_dir_perms;
	read_files_pattern($1, peak_t, peak_t)
')

############################################################
## <summary>
##	Access to reading peak config files
## </summary>
## <param name="domain">
##	<summary>
##	Source domain to give access to
##	</summary>
## </param>
#
interface(`peak_read_config_files',`
	gen_require(`
		type peak_config_t;
	')

	allow $1 peak_config_t:dir list_dir_perms;
	read_files_pattern($1, peak_config_t, peak_config_t)
')
The .te file is simple enough:
policy_module(peak_files,1.0.0)

############################################################
## <summary>
##	Peak local configuration files and scripts
## </summary>

# file type for peak files
type peak_t;
files_type(peak_t)

# file type for peak configuration files
type peak_config_t;
files_type(peak_config_t)

# file type for peak scripts (a domain for them to run in would need its
# own type declared with domain_type() and an entry point rule)
type peak_exec_t;
files_type(peak_exec_t)

# peak things can read peak config files
read_files_pattern(peak_t, peak_config_t, peak_config_t)
For completeness, the .fc file:
/peak(/.*)?	gen_context(system_u:object_r:peak_t,s0)
12 years, 2 months
SELinux hooks
by Mr Dash Four
To cut a long story short - I need to find out what part of the source
code in a given application/process triggers the need for a particular
SELinux permission - process:setsched, capability:setpcap or
capability:net_admin for example.
I am guessing this is all done via the appropriate SELinux hooks, but I need
to find a way to trace that back (stack trace?) to the originating
code/process which triggers this. Is there a way I could do that?
12 years, 2 months
semanage is prevented from writing to user_tmp_t file
by Jeroen van Meeuwen
Hello,
I have an Enterprise Linux 6 machine, managed by Puppet, enforcing the
targeted policy, for which Puppet manages a bunch of contexts and
policies, but the following message occurs when it attempts to do so:
type=AVC msg=audit(1330511088.080:1757): avc: denied { write } for
pid=9222 comm="semanage" path="/tmp/puppet20120229-8297-bjmcbp-0"
dev=dm-0 ino=1572875
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
The following is a reference to what Puppet is trying to do:
http://git.puppetmanaged.org/?p=mail;a=blob;f=manifests/init.pp;h=2b25c58...
In short, I'm installing custom built mailman packages so that I can
have devel@project1 alongside devel@project2 mailing lists by installing
dedicated mailman instances for project1 and project2. The Puppet module
I'm referring to attempts to apply the necessary SELinux contexts to the
files deployed with each RPM package.
I'm wondering what is causing the denial (or, why semanage needs
something in /tmp/ with the name of puppet in it) as well as what to do
about it - it doesn't seem to be blocking Puppet from achieving the goal
of adding new file_contexts for these custom packages.
Kind regards,
Jeroen van Meeuwen
--
Systems Architect, Kolab Systems AG
e: vanmeeuwen at kolabsys.com
m: +44 74 2516 3817
w: http://www.kolabsys.com
pgp: 9342 BF08
12 years, 2 months
load_policy failure in RHEL 6.2
by Joe Nall
I'm experiencing a number of load_policy errors on a RHEL 6.2 policy development box when using semodule -i
load_policy: page allocation failure. order:4, mode:0xd0
Pid: 4054, comm: load_policy Not tainted 2.6.32-220.4.2.el6.x86_64 #1
Call Trace:
[<ffffffff81123daf>] ? __alloc_pages_nodemask+0x77f/0x940
[<ffffffff8115dc62>] ? kmem_getpages+0x62/0x170
[<ffffffff8115e87a>] ? fallback_alloc+0x1ba/0x270
[<ffffffff8115e2cf>] ? cache_grow+0x2cf/0x320
[<ffffffff8115e5f9>] ? ____cache_alloc_node+0x99/0x160
[<ffffffff8122813e>] ? policydb_read+0x91e/0xef0
[<ffffffff8115f229>] ? __kmalloc+0x189/0x220
[<ffffffff8122813e>] ? policydb_read+0x91e/0xef0
[<ffffffff8122a601>] ? security_load_policy+0x141/0x410
[<ffffffff8113c354>] ? handle_mm_fault+0x1e4/0x2b0
[<ffffffff8100bc0e>] ? apic_timer_interrupt+0xe/0x20
[<ffffffff81042c24>] ? __do_page_fault+0x1e4/0x480
[<ffffffff81137440>] ? __pte_alloc_kernel+0x80/0xc0
[<ffffffff81147e69>] ? vmap_page_range_noflush+0x279/0x370
[<ffffffff814f23fe>] ? do_page_fault+0x3e/0xa0
[<ffffffff814ef7b5>] ? page_fault+0x25/0x30
[<ffffffff8121e64b>] ? sel_write_load+0xdb/0x710
[<ffffffff81218d2b>] ? selinux_file_permission+0xfb/0x150
[<ffffffff8120c0d6>] ? security_file_permission+0x16/0x20
[<ffffffff81176478>] ? vfs_write+0xb8/0x1a0
[<ffffffff810d4582>] ? audit_syscall_entry+0x272/0x2a0
[<ffffffff81176e81>] ? sys_write+0x51/0x90
[<ffffffff8100b0f2>] ? system_call_fastpath+0x16/0x1b
mls policy, vmware vm with 2.5GB ram, totally up to date RHEL 6.2
A couple of bugs look similar:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=590363
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=602504
Any ideas?
joe
12 years, 2 months
Blocking change to permissive
by Bruno Wolff III
I remember that once upon a time there was a boolean (or at least a setting
in system-config-selinux) that would block root from using setenforce to
change from enforcing to permissive mode.
I can't seem to find it now on F17. I haven't figured out the correct
combo to find this via google.
I tested the secure_mode boolean, but that didn't appear to work.
Nothing else in the list looked like it would block changing to
permissive mode.
Is this setting gone now? If not can someone point me to what it is or
documentation about it?
Thanks.
12 years, 2 months
Re: selinux and mcelog
by mark
I wrote:
> I'm running CentOS 6.2, all updates. selinux-policy 3.7.19-126.el6_2.6. I
> see /usr/share/selinux/devel/include/admin/mcelog.if:
> ########################################
> ## <summary>
> ## Execute a domain transition to run mcelog.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed to transition.
> ## </summary>
> ## </param>
> #
> interface(`mcelog_domtrans',`
> gen_require(`
> type mcelog_t, mcelog_exec_t;
> ')
>
> domtrans_pattern($1, mcelog_exec_t, mcelog_t)
> ')
>
> Yet, I'm seeing
> SELinux is preventing /usr/sbin/mcelog from getattr access on the file
> /var/run/mcelog.pid.
> Now, from some googling, it *looks* as though this was fixed already.
> Am I missing something, or has this bug been reintroduced?
From: Miroslav Grepl <mgrepl(a)redhat.com>
> On 02/17/2012 09:19 PM, Daniel J Walsh wrote:
>> Well i am not sure if it is was fixed in 6.2 policy or 6.3. I provide
>> the current selinux policy prerelease in
>> people.redhat.com/dwalsh/SELinux/RHEL6
> Please, could you use the latest selinux-policy packages from
> people.redhat.com/dwalsh/SELinux/RHEL6
> as Dan wrote.
Are you asking me to test this policy update? I can do it on this one
machine... but it will be overwritten with the next update, and under no
circumstances will I roll it out to all our servers. We don't normally
even use CPAN - *everything's* from the repositories.
mark
12 years, 2 months
f16 x86_64 :: kwin - execmem
by Adrian Sevcenco
Hi! I have this situation in which kwin (which is strange, as the command
reported is firefox) tries to map a memory region as executable and
writable. The advice is to report to bugzilla ..
Before doing this, has someone else encountered this?
Thanks,
Adrian
SELinux is preventing /usr/bin/kwin from execmem access on the None .

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that kwin should be allowed execmem access on the <Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep kwin /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                [ None ]
Source                        kwin
Source Path                   /usr/bin/kwin
Port                          <Unknown>
Host                          adrian.home
Source RPM Packages           firefox-10.0.1-1.fc16.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     adrian.home
Platform                      Linux adrian.home 3.2.6-3.fc16.x86_64 #1 SMP Mon Feb 13 20:35:42 UTC 2012 x86_64 x86_64
Alert Count                   13
First Seen                    Sat 18 Feb 2012 02:55:59 PM EET
Last Seen                     Sun 19 Feb 2012 09:53:32 AM EET
Local ID                      5f799950-b58d-4cda-af92-f71bb4d4652c

Raw Audit Messages
type=AVC msg=audit(1329638012.530:69): avc: denied { execmem } for pid=2360 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=adrian.home type=SYSCALL msg=audit(1329638012.530:69): arch=c000003e syscall=9 success=yes exit=140493093380096 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=1634 pid=2360 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="firefox" exe="/usr/lib64/firefox/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
12 years, 2 months
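Added example, written for this page and not taken from any of the posts, setroubleshoot or the audit tools: a small Python parser for audit records like the ones quoted in the CouchDB, "SELinux hooks", semanage and kwin threads above. It splits key=value fields, decodes the hex-encoded values the kernel emits when a field contains spaces or quotes (the exe= field in the CouchDB SERVICE_START record decodes to "/bin/systemd (deleted)"), pairs each AVC with the SYSCALL record carrying the same serial, and on x86_64 names the syscall that triggered the check, decoding mmap's prot and flags arguments. That pairing is the first step toward the "which code triggered this permission" question: a2=7 on the kwin denial is PROT_READ|PROT_WRITE|PROT_EXEC on a private anonymous mapping, which is exactly what execmem guards, and success=yes beside a denial is the signature of permissive mode. The set of fields treated as hex-encodable strings and the x86_64-only syscall table are assumptions of this example; the sample records are the page's own, re-joined onto one line each.

```python
import re

# Audit records quoted in the posts above, each re-joined onto one line.
RECORDS = [
    'type=AVC msg=audit(1329638012.530:69): avc: denied { execmem } for pid=2360 comm="firefox" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
    'type=SYSCALL msg=audit(1329638012.530:69): arch=c000003e syscall=9 success=yes '
    'exit=140493093380096 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=1634 pid=2360 auid=1000 '
    'uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 '
    'tty=(none) ses=1 comm="firefox" exe="/usr/lib64/firefox/firefox" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
    'type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 '
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm=\"couchdb\" "
    "exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed'",
    'type=AVC msg=audit(1330511088.080:1757): avc: denied { write } for pid=9222 '
    'comm="semanage" path="/tmp/puppet20120229-8297-bjmcbp-0" dev=dm-0 ino=1572875 '
    'scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file',
]

_MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
_HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
# Fields the kernel hex-encodes when the value holds spaces, quotes or control
# characters (assumed list). Numeric fields such as a0..a3 are never decoded.
_STRING_FIELDS = {"exe", "comm", "path", "name", "cwd", "acct", "proctitle"}


def parse_record(line):
    """One audit line -> dict. Nested msg='k=v ...' payloads are flattened in."""
    rec = {}
    for key, raw in _FIELD_RE.findall(line):
        if raw[0] in "\"'" and raw[-1] == raw[0] and len(raw) >= 2:
            val = raw[1:-1]
            if raw[0] == "'" and "=" in val:      # msg='op=PAM:... res=success'
                rec.update(parse_record(val))
                continue
        elif key in _STRING_FIELDS and _HEX_RE.match(raw):
            val = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            val = raw
        rec[key] = val
    m = _MSG_RE.search(line)
    if m:
        rec["_ts"], rec["_serial"] = m.group("ts"), int(m.group("serial"))
    m = _AVC_RE.search(line)
    if m:
        rec["_perms"] = m.group(2).split()
    return rec


_PROT = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC")]
_MAP = [(0x01, "MAP_SHARED"), (0x02, "MAP_PRIVATE"), (0x20, "MAP_ANONYMOUS")]  # x86_64


def _bits(value, table):
    names = [name for bit, name in table if value & bit]
    return "|".join(names) if names else "0"


def describe_syscall(rec):
    """Name the syscall behind a check; decode mmap/mprotect args (x86_64 only)."""
    if rec.get("arch") != "c000003e":         # AUDIT_ARCH_X86_64; other arches not handled
        return None
    nr = int(rec["syscall"])
    if nr == 9:                                # mmap
        return "mmap(len=0x%x, prot=%s, flags=%s)" % (
            int(rec["a1"], 16), _bits(int(rec["a2"], 16), _PROT), _bits(int(rec["a3"], 16), _MAP))
    if nr == 10:                               # mprotect
        return "mprotect(prot=%s)" % _bits(int(rec["a2"], 16), _PROT)
    return "syscall %d" % nr


def summarize(lines):
    """Group records by (timestamp, serial) and report one summary per event."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault((rec.get("_ts"), rec.get("_serial")), []).append(rec)
    out = []
    for (ts, serial), recs in events.items():
        ev = {"ts": ts, "serial": serial, "denied": [], "syscall": None, "success": None}
        for r in recs:
            if r.get("type") == "AVC":
                ev["denied"].append({"perms": r.get("_perms", []), "scontext": r.get("scontext"),
                                     "tcontext": r.get("tcontext"), "tclass": r.get("tclass")})
            elif r.get("type") == "SYSCALL":
                ev["syscall"], ev["success"] = describe_syscall(r), r.get("success")
            for k in ("exe", "comm", "path", "res"):
                if k in r:
                    ev[k] = r[k]
        out.append(ev)
    return out


if __name__ == "__main__":
    for ev in summarize(RECORDS):
        print(ev)
```

A denial whose paired SYSCALL record says success=yes was not enforced; that is what permissive mode (or a permissive domain) looks like in the log, and it is why the kwin alert above shows a working firefox despite the execmem denial.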
Allow PHP to list other users' processes
by Ole Jon Bjørkum
Hi!
I have a problem with SELinux not allowing PHP to list other users' processes with the "ps" command. If I disable SELinux with "setenforce 0" it works immediately.
Is it possible to allow PHP to do this without disabling SELinux completely?
Thanks!
Ole Jon
12 years, 2 months