February 2012 - selinux - Fedora Mailing-Lists

by mark

I'm running CentOS 6.2, all updates. selinux-policy 3.7.19-126.el6_2.6. I see /usr/share/selinux/devel/include/admin/mcelog.if: ######################################## ## <summary> ## Execute a domain transition to run mcelog. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed to transition. ## </summary> ## </param> # interface(`mcelog_domtrans',` gen_require(` type mcelog_t, mcelog_exec_t; ') domtrans_pattern($1, mcelog_exec_t, mcelog_t) ') Yet, I'm seeing SELinux is preventing /usr/sbin/mcelog from getattr access on the file /var/run/mcelog.pid. Now, from some googling, it *looks* as though this was fixed already. Am I missing something, or has this bug been reintroduced? mark

12 years, 2 months

3
2
0 / 0

Fedora in the wild! Or, try out this script kiddie shell.

by Robin Lee Powell

I just discovered, because setroubleshootd was taking up all my CPU time :D, that there's a script kiddie console on my webserver, which is not only running selinux, but is running it with unconfined mostly off. This amuses me. Not least because it turns out I copied it over from my previous server 0.o, so it's been around for years. I've eliminated the immediate problem, in the form of: iptables -I INPUT -s 180.76.6.0/24 -j DROP iptables -I INPUT -s 180.76.5.0/24 -j DROP but I invite you all to poke at it: http://www.lojban.org/story/bok.php I'm just curious as to whether anyone can get it to do anything *remotely* bad, given my configuration. I'd rather you didn't ruin the machine (although I could certainly recover), but other than that, have at. -Robin -- http://singinst.org/ : Our last, best hope for a fantastic future. .i ko na cpedu lo nu stidi vau loi jbopre .i danfu lu na go'i li'u .e lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u

12 years, 2 months

2
4
0 / 0

OTish audit.log

by Frank Murphy

Apologies if OT. Is /var/log/audit/audit.log just to keep filling up. Is there a way to empty ie every so often. Without breaking anything. Asking as I never see an audil.log.old similar to other logs. -- Regards Frank "Jack of all Fubars"

12 years, 2 months

4
4
0 / 0

mcelog

by mark

I've just upgraded one server to CentOS 6.2. I relabelled. In /var/log/messages, I'm seeing: SELinux is preventing /usr/sbin/mcelog from getattr access on the file /var/run/mcelog.pid Now, from mcelog's project page documentation, I see: socket-path = /var/run/mcelog-client Am I misunderstanding something, or is this a policy error? mark

12 years, 2 months

3
2
0 / 0

Re: dracut: ordering of modules

by Daniel J Walsh

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/13/2012 05:29 AM, Harald Hoyer wrote: > Am 13.02.2012 11:17, schrieb Roberto Sassu: >> Hi Harald >> >> this functionality seems to be broken in dracut due to a change >> in the SELinux load_policy tool. After enabling the selinux >> module in dracut, i obtain: >> >> [ 3.369059] dracut: Loading SELinux policy [ 3.449850] >> dracut: /sbin/load_policy: Can't load policy: No such file or >> directory [ 3.659899] dracut: Switching root >> > > This error can have multiple causes... Dan? Well likeliest would be selinux-policy package is not installed. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk85QaIACgkQrlYvE4MpobMNbwCgi8JG0fmlQsnvo2HNnA+Orxzr UYcAoKqHj0+Ll8lfbYpvGzANxck4MAwP =geIr -----END PGP SIGNATURE-----

12 years, 2 months

2
2
0 / 0

RE: cron vs. anacron

by Moray Henderson

> From: Moray Henderson [mailto:Moray.Henderson@ict-software.org] > Sent: 13 February 2012 13:05 > > Can someone explain why the logwatch process run by crond transitions > to unconfined_t, while the same process run by anacron remains in > logwatch_t:s0-s0:c0.c1023? Does this answer my own question? [root@centos services]# ldd /usr/sbin/crond linux-gate.so.1 => (0x00550000) libselinux.so.1 => /lib/libselinux.so.1 (0x00671000) libpam.so.0 => /lib/libpam.so.0 (0x001c8000) libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x00803000) libaudit.so.0 => /lib/libaudit.so.0 (0x00a2e000) libc.so.6 => /lib/libc.so.6 (0x0031c000) libdl.so.2 => /lib/libdl.so.2 (0x00110000) libsepol.so.1 => /lib/libsepol.so.1 (0x00bb0000) /lib/ld-linux.so.2 (0x00eef000) [root@centos services]# ldd /usr/sbin/anacron linux-gate.so.1 => (0x005d3000) libc.so.6 => /lib/libc.so.6 (0x0014d000) /lib/ld-linux.so.2 (0x00129000) Am I right that crond can do type transitions because it was written with libselinux.so in mind, while anacron can't because it wasn't? Although somehow my ps process did manage to get to logwatch_t. Am I right that that was a bug? Looks like it's been fixed in CentOS 6. Unfortunately I'm stuck on 5 for this project. I'll have to come up with a workaround. Moray. "To err is human; to purr, feline."

12 years, 2 months

2
2
0 / 0

User role and transitioning

by Konstantin Ryabitsev

Hi, all: I'm trying to lock down the gitolite user by creating a user role that would be pretty much "guest_u" plus pemission to transition to gitosis_t. I've not yet written a user role policy, so I'm not sure where I should start. Best, -- Konstantin Ryabitsev Systems Administrator The Linux Foundation Montréal, Québec

12 years, 2 months

3
5
0 / 0

RFE: allow gitolite to send mail

by Konstantin Ryabitsev

Hello: Looking at the gitolite policy (still called gitosis in refpolicy), it would appear that it needs mta_send_mail(gitosis_t), otherwise the very common "mail this to a list" hook doesn't work. Should I file a bug for this? Best, -- Konstantin Ryabitsev Systems Administrator, Kernel.org Montréal, Québec

12 years, 2 months

1
0
0 / 0

cron vs. anacron

by Moray Henderson

I'm still investigating a problem I reported to the list a while ago on CentOS 5.6: certain jobs run through cron work perfectly, but when run through anacron (for example, cron.daily on a freshly installed system) generate errors. Both anacron and crond are running in the same context: # ps -ZC anacron -C crond LABEL PID TTY TIME CMD system_u:system_r:crond_t:SystemLow-SystemHigh 2779 ? 00:00:00 crond system_u:system_r:crond_t:SystemLow-SystemHigh 2792 ? 00:00:00 anacron I added a "ps -eZ" command to a logwatch report to test this, and found something interesting: under anacron, the only process which had its SELinux context listed was the ps command itself. Can someone explain why the logwatch process run by crond transitions to unconfined_t, while the same process run by anacron remains in logwatch_t:s0-s0:c0.c1023? Run by cron: LABEL PID TTY TIME CMD system_u:system_r:init_t 1 ? 00:00:02 init system_u:system_r:kernel_t 2 ? 00:00:00 migration/0 system_u:system_r:kernel_t 3 ? 00:00:00 ksoftirqd/0 system_u:system_r:kernel_t 4 ? 00:00:00 events/0 system_u:system_r:kernel_t 5 ? 00:00:00 khelper system_u:system_r:kernel_t 6 ? 00:00:00 kthread system_u:system_r:kernel_t 9 ? 00:00:00 kblockd/0 ... user_u:system_r:unconfined_t 3559 ? 00:00:00 run-parts user_u:system_r:unconfined_t 3564 ? 00:00:00 0logwatch user_u:system_r:unconfined_t 3565 ? 00:00:00 awk user_u:system_r:unconfined_t 3605 ? 00:00:00 perl user_u:system_r:sendmail_t 3611 ? 00:00:00 sendmail user_u:system_r:unconfined_t 3616 ? 00:00:00 sh user_u:system_r:unconfined_t 3617 ? 00:00:00 ps Run by anacron: LABEL PID TTY TIME CMD - 1 ? 00:00:02 init - 2 ? 00:00:00 migration/0 - 3 ? 00:00:00 ksoftirqd/0 - 4 ? 00:00:00 events/0 - 5 ? 00:00:00 khelper - 6 ? 00:00:00 kthread - 9 ? 00:00:00 kblockd/0 ... - 4069 ? 00:00:00 run-parts - 4072 ? 00:00:00 0logwatch - 4073 ? 00:00:00 awk - 4105 ? 00:00:00 perl - 4107 ? 00:00:00 sendmail - 4116 ? 00:00:00 sh system_u:system_r:logwatch_t:s0-s0:c0.c1023 4117 ? 00:00:00 ps AVC entries at the time of the anacron jobs are time->Mon Feb 13 12:27:37 2012 type=SYSCALL msg=audit(1329136057.506:52): arch=40000003 syscall=3 success=yes exit=177 a0=6 a1=2be900 a2=3ff a3=2be8a0 items=0 ppid=4108 pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1329136057.506:52): avc: denied { sys_ptrace } for pid=4109 comm="ps" capability=19 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=capability time->Mon Feb 13 12:27:37 2012 type=SYSCALL msg=audit(1329136057.512:53): arch=40000003 syscall=3 success=no exit=-13 a0=6 a1=8d7ee20 a2=fff a3=fff items=0 ppid=4108 pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1329136057.512:53): avc: denied { getattr } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=process time->Mon Feb 13 12:27:37 2012 type=SYSCALL msg=audit(1329136057.524:104): arch=40000003 syscall=3 success=yes exit=168 a0=6 a1=2be900 a2=3ff a3=2be8a0 items=0 ppid=4108 pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1329136057.524:104): avc: denied { ptrace } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process time->Mon Feb 13 12:27:37 2012 type=SYSCALL msg=audit(1329136057.524:105): arch=40000003 syscall=3 success=no exit=-13 a0=6 a1=8d7ee20 a2=fff a3=fff items=0 ppid=4108 pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1329136057.524:105): avc: denied { getattr } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process time->Mon Feb 13 12:27:37 2012 type=SYSCALL msg=audit(1329136057.688:254): arch=40000003 syscall=5 success=no exit=-13 a0=99ead34 a1=18800 a2=8058b0c a3=110 items=0 ppid=4108 pid=4114 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="du" exe="/usr/bin/du" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1329136057.688:254): avc: denied { read } for pid=4114 comm="du" name="pm" dev=dm-0 ino=491689 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_log_t:s0 tclass=dir Moray. "To err is human; to purr, feline."

12 years, 2 months

1
0
0 / 0

Re: dracut: ordering of modules

by Roberto Sassu

On 02/13/2012 10:59 AM, Harald Hoyer wrote: > Am 10.02.2012 16:01, schrieb Mimi Zohar: >> Hi Harald, >> >> Originally, 98integrity/ima-policy-load.sh didn't start executing before >> 98selinux/selinux-loadpolicy.sh finished, but unfortunately it now does. >> >> inst_hook pre-pivot 50 "$moddir/selinux-loadpolicy.sh" >> inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh" >> >> As the IMA policy could be dependent on LSM runtime info, this is a >> problem. >> >> [ 10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0 >> [ 10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0 >> [ 10.040729] type=1805 audit(1328865524.387:4): action="dont_measure" fsmagic="0x62656572" res=0 >> [ 10.040792] type=1805 audit(1328865524.387:5): action="dont_appraise" fsmagic="0x62656572" res=0 >> [ 10.040857] type=1805 audit(1328865524.387:6): action="dont_measure" fsmagic="0x64626720" res=0 >> [ 10.040921] type=1805 audit(1328865524.387:7): action="dont_appraise" fsmagic="0x64626720" res=0 >> [ 10.040985] type=1805 audit(1328865524.387:8): action="dont_measure" fsmagic="0x01021994" res=0 >> [ 10.041047] type=1805 audit(1328865524.387:9): action="dont_appraise" fsmagic="0x01021994" res=0 >> [ 10.041113] type=1805 audit(1328865524.387:10): action="dont_measure" fsmagic="0x73636673" res=0 >> [ 10.041177] type=1805 audit(1328865524.387:11): action="dont_appraise" fsmagic="0x73636673" res=0 >> [ 11.898956] SELinux: Completing initialization. >> >> I've tried adding a depend for selinux, but it doesn't seem to resolve >> the problem, nor does delaying 98integrity to later. Any suggestions >> would be appreciated. >> >> thanks, >> >> Mimi >> > > In Fedora the selinux dracut module is disabled by default. You have to enable > it manually. > Hi Harald this functionality seems to be broken in dracut due to a change in the SELinux load_policy tool. After enabling the selinux module in dracut, i obtain: [ 3.369059] dracut: Loading SELinux policy [ 3.449850] dracut: /sbin/load_policy: Can't load policy: No such file or directory [ 3.659899] dracut: Switching root > echo 'add_dracutmodules+=" selinux "'>> /etc/dracut.conf.d/99-my.conf > > although, this also should do the thing: > > $ git diff modules.d/98integrity/module-setup.sh > diff --git a/modules.d/98integrity/module-setup.sh > b/modules.d/98integrity/module-setup.sh > index 7d5771c..ff1b4aa 100755 > --- a/modules.d/98integrity/module-setup.sh > +++ b/modules.d/98integrity/module-setup.sh > @@ -7,7 +7,7 @@ check() { > } > > depends() { > - echo masterkey securityfs > + echo masterkey securityfs selinux > return 0 > } > > > > >

12 years, 2 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux February 2012