selinux and mcelog
by mark
I'm running CentOS 6.2, all updates. selinux-policy 3.7.19-126.el6_2.6. I
see /usr/share/selinux/devel/include/admin/mcelog.if:
########################################
## <summary>
##	Execute a domain transition to run mcelog.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`mcelog_domtrans',`
	gen_require(`
		type mcelog_t, mcelog_exec_t;
	')

	domtrans_pattern($1, mcelog_exec_t, mcelog_t)
')
Yet, I'm seeing
SELinux is preventing /usr/sbin/mcelog from getattr access on the file
/var/run/mcelog.pid.
Now, from some googling, it *looks* as though this was fixed already. Am I
missing something, or has this bug been reintroduced?
mark
12 years, 2 months
Fedora in the wild! Or, try out this script kiddie shell.
by Robin Lee Powell
I just discovered, because setroubleshootd was taking up all my CPU
time :D, that there's a script kiddie console on my webserver, which
is not only running selinux, but is running it with unconfined
mostly off.
This amuses me. Not least because it turns out I copied it over
from my previous server 0.o, so it's been around for years.
I've eliminated the immediate problem, in the form of:
iptables -I INPUT -s 180.76.6.0/24 -j DROP
iptables -I INPUT -s 180.76.5.0/24 -j DROP
but I invite you all to poke at it:
http://www.lojban.org/story/bok.php
I'm just curious as to whether anyone can get it to do anything
*remotely* bad, given my configuration. I'd rather you didn't ruin
the machine (although I could certainly recover), but other than
that, have at.
-Robin
--
http://singinst.org/ : Our last, best hope for a fantastic future.
.i ko na cpedu lo nu stidi vau loi jbopre .i danfu lu na go'i li'u .e
lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e
lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u
12 years, 2 months
OTish audit.log
by Frank Murphy
Apologies if OT.
Is /var/log/audit/audit.log just going to keep filling up?
Is there a way to empty it every so often
without breaking anything?
Asking as I never see an audit.log.old
similar to other logs.
--
Regards
Frank "Jack of all Fubars"
12 years, 2 months
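An added example, not part of Frank's post and not code from the audit project: auditd rotates its own log according to /etc/audit/auditd.conf and names the rotated copies audit.log.1, audit.log.2 and so on, never audit.log.old, which is why the logrotate-style suffix never shows up next to it. The checker below parses two constructed auditd.conf fragments (one that keeps every byte forever, one that rotates) and reports what will happen when audit.log reaches max_log_file megabytes. The key names are the real auditd.conf keywords; the sample values and the report format are this example's own.

```python
"""Report whether an auditd.conf will rotate /var/log/audit/audit.log.

Added example, not from the thread or from the audit project.  auditd does
its own rotation (no logrotate involved), driven by max_log_file (MB),
num_logs and max_log_file_action, and names rotated files audit.log.1,
audit.log.2, ... up to num_logs - 1.  Both configs below are constructed.
"""

# Constructed: a config that never frees space.  KEEP_LOGS rotates like
# ROTATE but ignores num_logs, so nothing is ever deleted.
WEAK_CONF = """\
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
max_log_file = 5
num_logs = 0
max_log_file_action = KEEP_LOGS
"""

# Constructed: a config that caps the footprint at num_logs files of
# max_log_file MB each (the active log plus num_logs - 1 rotated copies).
GOOD_CONF = """\
log_file = /var/log/audit/audit.log
log_format = RAW
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
"""


def parse_auditd_conf(text):
    """Return {key: value} with keys lower-cased; comments and blanks skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value
    return conf


def rotation_report(text):
    """Summarise what auditd does when audit.log reaches max_log_file MB."""
    conf = parse_auditd_conf(text)
    action = conf.get("max_log_file_action", "").upper()
    num_logs = int(conf.get("num_logs", "0"))
    max_mb = int(conf.get("max_log_file", "0"))
    # Rotation only bounds disk use when the action is ROTATE and there is
    # room for at least one rotated copy besides the active log.
    rotates = action == "ROTATE" and num_logs >= 2
    return {
        "action": action,
        "rotates": rotates,
        # Upper bound on audit.log plus all of its rotated copies.
        "max_total_mb": max_mb * num_logs if rotates else None,
        "rotated_names": [f"audit.log.{i}" for i in range(1, num_logs)]
        if rotates else [],
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(name, rotation_report(conf))
```

With the rotating config, audit.log can never take more than 40 MB including its four rotated copies; with the first one, the only thing that will ever stop growth is a full filesystem, and what auditd does then is governed by the separate disk_full_action keyword. An immediate rotation can be forced on a RHEL/CentOS box with `service auditd rotate`, which sends auditd the same SIGUSR1 it uses internally.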
mcelog
by mark
I've just upgraded one server to CentOS 6.2. I relabelled. In
/var/log/messages, I'm seeing:
SELinux is preventing /usr/sbin/mcelog from getattr access on the file
/var/run/mcelog.pid
Now, from mcelog's project page documentation, I see:
socket-path = /var/run/mcelog-client
Am I misunderstanding something, or is this a policy error?
mark
12 years, 2 months
Re: dracut: ordering of modules
by Daniel J Walsh
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/13/2012 05:29 AM, Harald Hoyer wrote:
> Am 13.02.2012 11:17, schrieb Roberto Sassu:
>> Hi Harald
>>
>> this functionality seems to be broken in dracut due to a change
>> in the SELinux load_policy tool. After enabling the selinux
>> module in dracut, i obtain:
>>
>> [ 3.369059] dracut: Loading SELinux policy
>> [ 3.449850] dracut: /sbin/load_policy: Can't load policy: No such file or directory
>> [ 3.659899] dracut: Switching root
>>
>
> This error can have multiple causes... Dan?
Well likeliest would be selinux-policy package is not installed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk85QaIACgkQrlYvE4MpobMNbwCgi8JG0fmlQsnvo2HNnA+Orxzr
UYcAoKqHj0+Ll8lfbYpvGzANxck4MAwP
=geIr
-----END PGP SIGNATURE-----
12 years, 2 months
RE: cron vs. anacron
by Moray Henderson
> From: Moray Henderson [mailto:Moray.Henderson@ict-software.org]
> Sent: 13 February 2012 13:05
>
> Can someone explain why the logwatch process run by crond transitions
> to unconfined_t, while the same process run by anacron remains in
> logwatch_t:s0-s0:c0.c1023?
Does this answer my own question?
[root@centos services]# ldd /usr/sbin/crond
linux-gate.so.1 => (0x00550000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00671000)
libpam.so.0 => /lib/libpam.so.0 (0x001c8000)
libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x00803000)
libaudit.so.0 => /lib/libaudit.so.0 (0x00a2e000)
libc.so.6 => /lib/libc.so.6 (0x0031c000)
libdl.so.2 => /lib/libdl.so.2 (0x00110000)
libsepol.so.1 => /lib/libsepol.so.1 (0x00bb0000)
/lib/ld-linux.so.2 (0x00eef000)
[root@centos services]# ldd /usr/sbin/anacron
linux-gate.so.1 => (0x005d3000)
libc.so.6 => /lib/libc.so.6 (0x0014d000)
/lib/ld-linux.so.2 (0x00129000)
Am I right that crond can do type transitions because it was written with
libselinux.so in mind, while anacron can't because it wasn't? Although
somehow my ps process did manage to get to logwatch_t.
Am I right that that was a bug? Looks like it's been fixed in CentOS 6.
Unfortunately I'm stuck on 5 for this project. I'll have to come up with a
workaround.
Moray.
"To err is human; to purr, feline."
12 years, 2 months
User role and transitioning
by Konstantin Ryabitsev
Hi, all:
I'm trying to lock down the gitolite user by creating a user role that
would be pretty much "guest_u" plus permission to transition to
gitosis_t.
I've not yet written a user role policy, so I'm not sure where I should
start.
Best,
--
Konstantin Ryabitsev
Systems Administrator
The Linux Foundation
Montréal, Québec
12 years, 2 months
RFE: allow gitolite to send mail
by Konstantin Ryabitsev
Hello:
Looking at the gitolite policy (still called gitosis in refpolicy), it
would appear that it needs mta_send_mail(gitosis_t), otherwise the very
common "mail this to a list" hook doesn't work.
Should I file a bug for this?
Best,
--
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
12 years, 2 months
cron vs. anacron
by Moray Henderson
I'm still investigating a problem I reported to the list a while ago on
CentOS 5.6: certain jobs run through cron work perfectly, but when run
through anacron (for example, cron.daily on a freshly installed system)
generate errors.
Both anacron and crond are running in the same context:
# ps -ZC anacron -C crond
LABEL PID TTY TIME CMD
system_u:system_r:crond_t:SystemLow-SystemHigh 2779 ? 00:00:00 crond
system_u:system_r:crond_t:SystemLow-SystemHigh 2792 ? 00:00:00 anacron
I added a "ps -eZ" command to a logwatch report to test this, and found
something interesting: under anacron, the only process which had its
SELinux context listed was the ps command itself.
Can someone explain why the logwatch process run by crond transitions to
unconfined_t, while the same process run by anacron remains in
logwatch_t:s0-s0:c0.c1023?
Run by cron:
LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:02 init
system_u:system_r:kernel_t 2 ? 00:00:00 migration/0
system_u:system_r:kernel_t 3 ? 00:00:00 ksoftirqd/0
system_u:system_r:kernel_t 4 ? 00:00:00 events/0
system_u:system_r:kernel_t 5 ? 00:00:00 khelper
system_u:system_r:kernel_t 6 ? 00:00:00 kthread
system_u:system_r:kernel_t 9 ? 00:00:00 kblockd/0
...
user_u:system_r:unconfined_t 3559 ? 00:00:00 run-parts
user_u:system_r:unconfined_t 3564 ? 00:00:00 0logwatch
user_u:system_r:unconfined_t 3565 ? 00:00:00 awk
user_u:system_r:unconfined_t 3605 ? 00:00:00 perl
user_u:system_r:sendmail_t 3611 ? 00:00:00 sendmail
user_u:system_r:unconfined_t 3616 ? 00:00:00 sh
user_u:system_r:unconfined_t 3617 ? 00:00:00 ps
Run by anacron:
LABEL PID TTY TIME CMD
- 1 ? 00:00:02 init
- 2 ? 00:00:00 migration/0
- 3 ? 00:00:00 ksoftirqd/0
- 4 ? 00:00:00 events/0
- 5 ? 00:00:00 khelper
- 6 ? 00:00:00 kthread
- 9 ? 00:00:00 kblockd/0
...
- 4069 ? 00:00:00 run-parts
- 4072 ? 00:00:00 0logwatch
- 4073 ? 00:00:00 awk
- 4105 ? 00:00:00 perl
- 4107 ? 00:00:00 sendmail
- 4116 ? 00:00:00 sh
system_u:system_r:logwatch_t:s0-s0:c0.c1023 4117 ? 00:00:00 ps
AVC entries at the time of the anacron jobs are
time->Mon Feb 13 12:27:37 2012
type=SYSCALL msg=audit(1329136057.506:52): arch=40000003 syscall=3
success=yes exit=177 a0=6 a1=2be900 a2=3ff a3=2be8a0 items=0 ppid=4108
pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1329136057.506:52): avc: denied { sys_ptrace } for
pid=4109 comm="ps" capability=19
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=capability
time->Mon Feb 13 12:27:37 2012
type=SYSCALL msg=audit(1329136057.512:53): arch=40000003 syscall=3
success=no exit=-13 a0=6 a1=8d7ee20 a2=fff a3=fff items=0 ppid=4108 pid=4109
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="ps" exe="/bin/ps"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1329136057.512:53): avc: denied { getattr } for
pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=process
time->Mon Feb 13 12:27:37 2012
type=SYSCALL msg=audit(1329136057.524:104): arch=40000003 syscall=3
success=yes exit=168 a0=6 a1=2be900 a2=3ff a3=2be8a0 items=0 ppid=4108
pid=4109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1329136057.524:104): avc: denied { ptrace } for
pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
time->Mon Feb 13 12:27:37 2012
type=SYSCALL msg=audit(1329136057.524:105): arch=40000003 syscall=3
success=no exit=-13 a0=6 a1=8d7ee20 a2=fff a3=fff items=0 ppid=4108 pid=4109
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="ps" exe="/bin/ps"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1329136057.524:105): avc: denied { getattr } for
pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
time->Mon Feb 13 12:27:37 2012
type=SYSCALL msg=audit(1329136057.688:254): arch=40000003 syscall=5
success=no exit=-13 a0=99ead34 a1=18800 a2=8058b0c a3=110 items=0 ppid=4108
pid=4114 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="du" exe="/usr/bin/du"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1329136057.688:254): avc: denied { read } for pid=4114
comm="du" name="pm" dev=dm-0 ino=491689
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hald_log_t:s0 tclass=dir
Moray.
"To err is human; to purr, feline."
12 years, 2 months
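An added example, not from the thread: the AVC records Moray quotes are the raw material for deciding whether each denial needs an allow rule, a dontaudit, or a bug report against the policy. The parser below takes those same five records (re-joined onto one line each, the way ausearch prints them), groups them by source type, target type and object class, and emits the TE rule text each group would need. The split between allow and dontaudit is this example's own heuristic, not audit2allow's behaviour, and neither audit2allow nor any other SELinux tool is invoked.

```python
"""Parse raw SELinux AVC denial records and draft the TE rules they imply.

Added example; not part of the mailing-list thread and not audit2allow.  The
sample records are the denials from the post above, joined onto single lines.
"""
import re
from collections import defaultdict

# Constructed from the wrapped records in the post (one record per line).
SAMPLE_AVC = """\
type=AVC msg=audit(1329136057.506:52): avc: denied { sys_ptrace } for pid=4109 comm="ps" capability=19 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1329136057.512:53): avc: denied { getattr } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=process
type=AVC msg=audit(1329136057.524:104): avc: denied { ptrace } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1329136057.524:105): avc: denied { getattr } for pid=4109 comm="ps" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1329136057.688:254): avc: denied { read } for pid=4114 comm="du" name="pm" dev=dm-0 ino=491689 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_log_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ *(?P<perms>[^}]+?) *\} +for +(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (class, permission) pairs whose grant lets a domain inspect or control
# other domains' processes.  ps emits these whenever it walks /proc from a
# confined domain and carries on fine when refused, so they are the classic
# dontaudit case rather than something to hand a report generator.
SENSITIVE = {("capability", "sys_ptrace"), ("process", "ptrace")}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {"perms": m.group("perms").split(), **fields}
    # A context is user:role:type[:range]; only the type matters for TE rules.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarise(text):
    """Group denials: (source type, target type, class) -> sorted permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def suggest_rules(text):
    """Draft one allow rule per group, with probing permissions split out
    into a dontaudit rule (this example's heuristic, not audit2allow's)."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarise(text).items()):
        target = "self" if src == tgt else tgt
        probing = [p for p in perms if (cls, p) in SENSITIVE]
        ordinary = [p for p in perms if (cls, p) not in SENSITIVE]
        if ordinary:
            rules.append(f"allow {src} {target}:{cls} {{ {' '.join(ordinary)} }};")
        if probing:
            rules.append(f"dontaudit {src} {target}:{cls} {{ {' '.join(probing)} }};")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_AVC):
        print(rule)
```

Read against the post, the output separates the two kinds of noise: the `ps -eZ` added to the report produces ptrace and sys_ptrace denials that no sane policy should turn into allow rules (the blank LABEL column under anacron is simply ps being refused), while the `du` read of a hald_log_t directory is a genuine gap to take to the policy maintainers if logwatch is expected to report on it. Which rules end up in a local module is still a human decision; the script only makes the grouping explicit.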
Re: dracut: ordering of modules
by Roberto Sassu
On 02/13/2012 10:59 AM, Harald Hoyer wrote:
> Am 10.02.2012 16:01, schrieb Mimi Zohar:
>> Hi Harald,
>>
>> Originally, 98integrity/ima-policy-load.sh didn't start executing before
>> 98selinux/selinux-loadpolicy.sh finished, but unfortunately it now does.
>>
>> inst_hook pre-pivot 50 "$moddir/selinux-loadpolicy.sh"
>> inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
>>
>> As the IMA policy could be dependent on LSM runtime info, this is a
>> problem.
>>
>> [ 10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
>> [ 10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
>> [ 10.040729] type=1805 audit(1328865524.387:4): action="dont_measure" fsmagic="0x62656572" res=0
>> [ 10.040792] type=1805 audit(1328865524.387:5): action="dont_appraise" fsmagic="0x62656572" res=0
>> [ 10.040857] type=1805 audit(1328865524.387:6): action="dont_measure" fsmagic="0x64626720" res=0
>> [ 10.040921] type=1805 audit(1328865524.387:7): action="dont_appraise" fsmagic="0x64626720" res=0
>> [ 10.040985] type=1805 audit(1328865524.387:8): action="dont_measure" fsmagic="0x01021994" res=0
>> [ 10.041047] type=1805 audit(1328865524.387:9): action="dont_appraise" fsmagic="0x01021994" res=0
>> [ 10.041113] type=1805 audit(1328865524.387:10): action="dont_measure" fsmagic="0x73636673" res=0
>> [ 10.041177] type=1805 audit(1328865524.387:11): action="dont_appraise" fsmagic="0x73636673" res=0
>> [ 11.898956] SELinux: Completing initialization.
>>
>> I've tried adding a depend for selinux, but it doesn't seem to resolve
>> the problem, nor does delaying 98integrity to later. Any suggestions
>> would be appreciated.
>>
>> thanks,
>>
>> Mimi
>>
>
> In Fedora the selinux dracut module is disabled by default. You have to enable
> it manually.
>
Hi Harald
this functionality seems to be broken in dracut due to a change in the
SELinux load_policy tool.
After enabling the selinux module in dracut, i obtain:
[ 3.369059] dracut: Loading SELinux policy
[ 3.449850] dracut: /sbin/load_policy: Can't load policy: No such file or directory
[ 3.659899] dracut: Switching root
> echo 'add_dracutmodules+=" selinux "'>> /etc/dracut.conf.d/99-my.conf
>
> although, this also should do the thing:
>
> $ git diff modules.d/98integrity/module-setup.sh
> diff --git a/modules.d/98integrity/module-setup.sh
> b/modules.d/98integrity/module-setup.sh
> index 7d5771c..ff1b4aa 100755
> --- a/modules.d/98integrity/module-setup.sh
> +++ b/modules.d/98integrity/module-setup.sh
> @@ -7,7 +7,7 @@ check() {
> }
>
> depends() {
> - echo masterkey securityfs
> + echo masterkey securityfs selinux
> return 0
> }
>
>
>
>
>
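Review bot: adding `selinux` to depends() in 98integrity/module-setup.sh makes every initramfs that includes the integrity module also pull in the selinux dracut module, which the reply above says is disabled by default in Fedora; please confirm that 98selinux's own check() still lets it drop out cleanly when no policy is present, because Roberto's output in this thread shows that enabling the module on such a system yields "/sbin/load_policy: Can't load policy: No such file or directory" rather than a skip. The dependency only guarantees inclusion; the run order still comes from the inst_hook priorities quoted earlier (50 for selinux-loadpolicy.sh, 62 for ima-policy-load.sh), so the commit message should state that the bug was the selinux module being absent, not the hooks being mis-ordered.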
12 years, 2 months