Re: dracut: ordering of modules
by Roberto Sassu
Hi Mimi
I'm CCing the systemd and Fedora SELinux mailing lists.
Unfortunately, the SELinux policy initialization (at least
in Fedora 16) has been moved to systemd, so, now, loading an
IMA policy cannot be done in the initial ramdisk.
Further, the SELinux policy loading code is not in a unit file
but embedded in the main binary, which means that the new code for
loading IMA policies must be added just after that point.
I already wrote a patch for this. I need some time to test it
and will post in the systemd mailing list at the beginning of
the next week.
Roberto Sassu
On 02/10/2012 04:01 PM, Mimi Zohar wrote:
> Hi Harald,
>
> Originally, 98integrity/ima-policy-load.sh didn't start executing before
> 98selinux/selinux-loadpolicy.sh finished, but unfortunately it now does.
>
> inst_hook pre-pivot 50 "$moddir/selinux-loadpolicy.sh"
> inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
>
> As the IMA policy could be dependent on LSM runtime info, this is a
> problem.
>
> [ 10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
> [ 10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
> [ 10.040729] type=1805 audit(1328865524.387:4): action="dont_measure" fsmagic="0x62656572" res=0
> [ 10.040792] type=1805 audit(1328865524.387:5): action="dont_appraise" fsmagic="0x62656572" res=0
> [ 10.040857] type=1805 audit(1328865524.387:6): action="dont_measure" fsmagic="0x64626720" res=0
> [ 10.040921] type=1805 audit(1328865524.387:7): action="dont_appraise" fsmagic="0x64626720" res=0
> [ 10.040985] type=1805 audit(1328865524.387:8): action="dont_measure" fsmagic="0x01021994" res=0
> [ 10.041047] type=1805 audit(1328865524.387:9): action="dont_appraise" fsmagic="0x01021994" res=0
> [ 10.041113] type=1805 audit(1328865524.387:10): action="dont_measure" fsmagic="0x73636673" res=0
> [ 10.041177] type=1805 audit(1328865524.387:11): action="dont_appraise" fsmagic="0x73636673" res=0
> [ 11.898956] SELinux: Completing initialization.
>
> I've tried adding a depend for selinux, but it doesn't seem to resolve
> the problem, nor does delaying 98integrity to later. Any suggestions
> would be appreciated.
>
> thanks,
>
> Mimi
>
12 years, 2 months
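Mimi's dmesg excerpt above shows the ordering problem by eye: the IMA policy rule records (audit type=1805) are logged before "SELinux: Completing initialization." As an added example (not code from the thread, dracut or systemd), here is a small Python checker that parses dmesg-style lines and reports which IMA rules were loaded before SELinux finished initialising; the sample lines are constructed from the ones quoted in the thread.

```python
import re

# Constructed sample (a few of the dmesg lines quoted in the thread):
# IMA policy rules (audit type=1805) are logged before SELinux finishes.
SAMPLE_LOG = """\
[ 10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
[ 10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
[ 11.898956] SELinux: Completing initialization.
"""

# "[ <seconds since boot>] <message>" as printed by dmesg
LINE_RE = re.compile(r'^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$')
# IMA policy rule records: audit type 1805 with the action and (optional) fsmagic
IMA_RULE_RE = re.compile(
    r'type=1805 audit\([^)]*\):\s+action="(?P<action>[^"]+)"'
    r'(?:\s+fsmagic="(?P<fsmagic>[^"]+)")?')
SELINUX_DONE = "SELinux: Completing initialization."


def parse_dmesg(log):
    """Yield (timestamp, message) for every dmesg-style line in log."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m.group("ts")), m.group("msg")


def early_ima_rules(log):
    """Return (rules, selinux_ts): the IMA rules loaded before SELinux reported
    completion, as (timestamp, action, fsmagic) tuples in log order, plus the
    timestamp of the completion message (None if it never appears). Without a
    completion message no rule can be shown to be early, so rules is []."""
    selinux_ts = None
    rules = []
    for ts, msg in parse_dmesg(log):
        if msg.startswith(SELINUX_DONE):
            selinux_ts = ts
            continue
        m = IMA_RULE_RE.search(msg)
        if m:
            rules.append((ts, m.group("action"), m.group("fsmagic")))
    if selinux_ts is None:
        return [], None
    return [r for r in rules if r[0] < selinux_ts], selinux_ts


if __name__ == "__main__":
    early, done = early_ima_rules(SAMPLE_LOG)
    for ts, action, fsmagic in early:
        print("IMA rule %s fsmagic=%s loaded at %.6f, before SELinux completed at %.6f"
              % (action, fsmagic, ts, done))
```

On a real system the same function can be fed the output of `dmesg` to confirm whether a fix to the hook ordering actually took effect.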
error setting 'httpd_enable-homedirs' boolean in F16
by Tom London
I've convinced a pal at work to enable SELinux on his updated F16 home
'gateway' system.
He reports getting this:
bee(814)[~]# setsebool -P httpd_enable_homedirs true
libsepol.scope_copy_callback: passenger: Duplicate declaration in module: type/attribute passenger_tmp_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
Could not change policy booleans
I didn't see anything like this in BZ.
Ring a bell?
[says the same in enforcing or permissive, and if the syntax is '=1'
instead of 'true'. No messages in /var/log/messages.]
thanks,
tom
--
Tom London
12 years, 2 months
A confined sftp user
by Erinn Looney-Triggs
My company asked me today to set up a user that is allowed only to
upload files via sftp. This got me thinking, an sftp user has shell
access as well, of course, and this can lead to all kinds of interesting
things (the kernel privilege escalation from last week comes to mind).
I figured it might be appropriate to run this user as a confined user;
at a minimum, running the user as user_u would block a lot of
options, or perhaps a different user would (I haven't researched them all yet).
Now the question is, would SELinux be an appropriate place for an sftp_u
user? What I am envisioning is a confined user that allows only the
sftp subsystem to be run and files to be uploaded to the confined user's
homedir. It seems to me that SELinux would be a good fit for this, but I
am merely an amateur here :).
Anyone ever done anything like this? Would this be an easy thing?
There are of course other options, folks have written programs to
confine a user to only uploading via sftp, rssh and others.
-Erinn
12 years, 2 months
selinux equivalent of umask or setuid bit
by Edward Harvey
Just like the people who rsh as root into another system, I understand that
in many situations you wouldn't want something like this, but hypothetically
supposing you did...
If there is a directory in your system, and you want all new files created
in that directory to inherit the context type of the parent folder, is there
a way to do that? Something like the selinux equivalent of the setgid bit?
or...
If you are going to do something a moment from now which will create some
files, and you want them to be created with a specific context type, is
there a way to do that? Something like the selinux equivalent of umask?
The situation is this: I'm supporting a web hosting company who uses
drupal, and they're constantly adding & removing plugins via drush. Since
this is a non-OS-specific application, it doesn't know anything about how it
should set the context on files it creates. Fortunately, (!) my client has
been hacked before, so they're extremely cautious when it comes to ignoring
selinux practices. They are manually changing the context of all these
files, which is tedious. But at least they're doing it.
I'm hoping for a better way, and since my knowledge is pretty much limited
to the light saber book, I don't recall any mention of anything like this.
Thanks for any suggestions...
12 years, 2 months
Tomcat selinux
by Nabeel Moidu
Hi
Is there a tomcat implementation of selinux where the process runs in its
own domain rather than unconfined_java_t ?
Are there any known issues with implementing java servers in a confined
domain ?
If not tomcat, can somebody point me to any other java server
(jetty/websphere etc) with a selinux implementation ?
--
Thanks and Regards,
Nabeel Moidu
Hyderabad, India
12 years, 2 months
making a file context change work for initrc_t and unconfined_t
by Maria Iano
I have a RHEL 6.2 server running LikewiseOpen. It appears to me that I
will take care of a large number of denials if I can change the type
of /var/lib/likewise/.lsassd to be lsassd_var_socket_t.
I added the file context rule with semanage, and used restorecon to
change it to lsassd_var_socket_t as desired. But later I found that
/var/lib/likewise/.lsassd had type var_lib_t again. I assume that is
because the likewise processes run as initrc_t.
I'd like to change the policy and tell it that services running in
either initrc_t or unconfined_t domains should create the file
/var/lib/likewise/.lsassd with type lsassd_var_socket_t. (A command-line
tool, lwsm, for managing the processes runs in unconfined_t, so I'd like
to include that domain to be safe.) How can I go about doing that in
RHEL 6 (or can I)?
Thanks,
Maria
12 years, 2 months
SELinux and RPM packages
by Dmitry Makovey
Hi list,
I know I have asked that question before and the answer was to use
"semanage/setsebool" from %post section.
However here's my dilemma:
say I have packageA and packageB, both running some "semanage/setsebool"
combinations that overlap (most likely case for the setsebool). If I mirror
statements in %post into the %postun whenever I uninstall packageA I will be
wiping settings needed by packageB. How are people dealing with those? It
doesn't look like Fedora/RedHat has a strict policy or guideline on that
(or do they? did I miss it?), so I am interested in how others are coping with
this. Falling back to a manual process? Some extra scripting?
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
Woody Allen
When in trouble when in doubt run in circles scream and shout
http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
12 years, 2 months
SELinux for LXC Container
by Shweta Shinde
Hi everyone,
I am interested in the security aspects of LXC.
How can we use SELinux to secure LXC containers?
Any information will be very helpful.
--
Regards,
Shweta
12 years, 2 months
fixfiles restore
by Frank Murphy
Does "fixfiles restore" check the whole system, or just the dir
it was launched from?
--
Regards,
Frank Murphy, friend of fedoraproject
UTF_8 Encoded
12 years, 2 months