[sandbox] modifying the Xephyr window title (patch)
by Christoph A.
Hi,
If most of your windows are sandboxed applications, your bar looks like:
[Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..]
and it is hard to find a specific application.
example of a current Xephyr title:
Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox
with the modification in the attached patch titles will look like:
/usr/bin/firefox (sandbox_web_t)
and it should be easier to find a specific application.
In addition to the type I would find it handy to also include the
DISPLAY in the title (needed when using xsel for copy'n paste).
The second patch only adds '-nolisten tcp' to Xephyr, but if there are
use cases where one needs Xephyr to open a listener this patch will
break things.
regards,
Christoph A.
btw: secon's manpage doesn't contain the '-l' option.
11 years, 3 months
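The title rewrite described above as a small shell function, added here as an example; it is not the attached patch (which the archive does not reproduce) and assumes the old title always has the quoted shape "Sandbox <type>:<level> -- <command>". It also appends the DISPLAY when one is passed, as the post suggests.

```shell
#!/bin/sh
# Added example, not the poster's patch. Rewrites the old sandbox/Xephyr
# window title into the proposed short form and optionally appends the
# DISPLAY the sandbox runs on (handy for xsel-based copy'n paste).
# Assumed input shape: "Sandbox <type>:<mls/mcs level> -- <command>".

# short_title OLD_TITLE [DISPLAY]
#   "Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox"
#   -> "/usr/bin/firefox (sandbox_web_t)"        (no DISPLAY given)
#   -> "/usr/bin/firefox (sandbox_web_t) :3"     (DISPLAY ":3" given)
# Titles that do not match the sandbox shape are printed unchanged and
# the function returns 1 so callers can tell them apart.
short_title() {
    old=$1
    disp=$2
    case $old in
        "Sandbox "*" -- "*) ;;
        *) printf '%s\n' "$old"; return 1 ;;
    esac
    rest=${old#Sandbox }      # "sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox"
    ctx=${rest%% -- *}        # "sandbox_web_t:s0:c112,c991"
    cmd=${rest#* -- }         # "/usr/bin/firefox"
    type=${ctx%%:*}           # keep only the type, drop the MCS categories
    if [ -n "$disp" ]; then
        printf '%s (%s) %s\n' "$cmd" "$type" "$disp"
    else
        printf '%s (%s)\n' "$cmd" "$type"
    fi
}

# Typical use inside a sandbox wrapper script (DISPLAY is the Xephyr display):
#   short_title "Sandbox $(secon -t --self):$(secon -l --self) -- $cmd" "$DISPLAY"
```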
siteminder and selinux
by mark
I'm getting AVCs, and as I've mentioned before, the report from sealert is
*wrong*.
siteminder is running as root:system_r:httpd_sys_script_t
/etc/httpd/conf, and siteminder's configuration file, are both
system_u:object_r:httpd_config_t, and the configuration file is rw by
root, and r by group root.
sealert keeps trying to tell me to set httpd_unified on, which I've had on.
Clues on what I actually have to change to let siteminder not cause
selinux AVCs? (The system is running in permissive mode, and we're on CentOS
5.7, which will get updated to 5.8 when I can....)
mark
11 years, 5 months
setroubleshootd swaps too much
by Gergely Buday
Hi,
today I booted my fedora 15 box and for ten minutes I could not use
it, because setroubleshootd swapped a lot and consumed all the cpu
cycles. How can I prevent this?
- Gergely
11 years, 5 months
weird dyntransition issue
by Mr Dash Four
Since upgrading to the latest openssh (server) - v5.8p2-25 - and using
kernel 3.2 I started getting the following avc when trying to connect
via sftp and attempting to delete/change various files (please note that
sftpd_full_access is on!):
type=AVC msg=audit(1332653118.024:179): avc: denied { dyntransition }
for pid=1989 comm="sshd"
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
type=SYSCALL msg=audit(1332653118.024:179): arch=40000003 syscall=4
success=no exit=-13 a0=3 a1=e11a48 a2=36 a3=e11a48 items=0 ppid=1986
pid=1989 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=3 comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
I did not get the above avc with the previous version of openssh I was
using (v5.6) and I suspect it is something to do with the unprivileged
user transition feature, which has been implemented in this version, but
I can't be 100% sure.
I have tried to counter the above avc by including
"dyntrans_pattern(sshd_t, unconfined_t)", then
"unconfined_domtrans(sshd_t)" and finally a raw "allow sshd_t
unconfined_t:process { dyntransition };" but to no avail - I am still
getting the above avc! What am I doing wrong and is there a way to get
this sorted? Many thanks!
11 years, 6 months
Policy for CouchDB
by Michael Milverton
Hi,
I'm in the process of writing a policy for couchdb (nosql database). I'm
using the selinux-polgengui and eclipse slide tools to help. I've hit a road
block because it won't start but I'm not getting any more AVC's. I'm
wondering if anybody might be able to offer some clue about getting more
AVC's from it because if it won't talk to me I can't get much further.
The only entries in audit.log are:
type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=?
terminal=? res=success'
type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=?
addr=? terminal=? res=success'
type=USER_END msg=audit(1309362790.640:1345): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:session_close acct="couchdb" exe="/sbin/runuser" hostname=?
addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1309362790.641:1346): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=?
terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=':
comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=?
addr=? terminal=? res=failed'
Now, it will start fine (and run) when it is unlabeled (not what I want of
course). Couchdb runs under the username/group couchdb but I haven't added
any transition rules for this yet (any help on this would be appreciated).
FC FILE:
/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/bin/couchjs -- gen_context(system_u:object_r:couchdb_exec_t,s0)
TE FILE:
policy_module(couchdb,1.0.0)
require {
type bin_t;
type fs_t;
type proc_t;
}
type couchdb_t;
domain_type(couchdb_t)
permissive couchdb_t;
# Access to shared libraries
libs_use_ld_so(couchdb_t)
libs_use_shared_libs(couchdb_t)
miscfiles_read_localization(couchdb_t)
dev_read_urand(couchdb_t)
# Type for the daemon
type couchdb_exec_t;
files_type(couchdb_exec_t)
domain_entry_file(couchdb_t, couchdb_exec_t)
init_daemon_domain(couchdb_t, couchdb_exec_t)
# Logging
logging_send_syslog_msg(couchdb_t)
logging_log_file(couchdb_t)
# Temp files
type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)
manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })
#type couchdb_config_t;
files_read_etc_files(couchdb_t)
# /bin/basename and some others
allow couchdb_t bin_t:file { read getattr open execute execute_no_trans };
allow couchdb_t fs_t:filesystem getattr;
allow couchdb_t proc_t:file { read getattr open };
allow couchdb_t self:fifo_file { read write getattr };
# Not sure about this
auth_domtrans_chk_passwd(couchdb_t)
# Not sure about this either.
domain_use_interactive_fds(couchdb_t)
Any clues, tips, advice would be most appreciated
Thanks
11 years, 6 months
/usr/bin/xauth: error in locking authority file
by Bob Benites
I've searched the archives about this particular
problem and not found a reference to it. While
a Google search yields some results, the solutions
provided do not solve my problem.
When we run SELinux in enforcing mode and
attempt to ssh to the host using the -X option
(yes, I've tried the -Y option) a user will see a
pause on the console and messages such as:
benites@host1's password:
Last login: Thu Mar 15 11:17:22 2012 from host0
/usr/bin/xauth: error in locking authority file /home/benites/.Xauthority
[benites@host1 ~]$ xbiff
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:10.0
[benites@host1 ~]$
If we switch the host to permissive mode the X11
forwarding works fine.
What is most peculiar is that there are no messages in
audit log to identify why the forwarding is denied when we
run in enforcing mode.
Some posts I have read suggest it has to do with the file context
on the home directory and/or .Xauthority files:
[benites@host1 ~]$ ls -lZd /home/benites /home/benites/.Xauthority
drwxr-xr-x. benites users system_u:object_r:default_t:s0 /home/benites
-rw-------. benites users unconfined_u:object_r:default_t:s0 /home/benites/.Xauthority
I've tried changing the context on both, but nothing
seems to fix the problem.
Any suggestions?
Thanks!
-- Bob
11 years, 6 months
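Two checks that apply to the situation above, written as an added example (not from the post or its replies): flag home-directory entries still carrying the catch-all default_t type from ls -Z style output, and surface denials that a dontaudit rule may be hiding from audit.log. The sample lines are constructed to mirror the listing quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post. default_t is the type a path
# gets when no fcontext rule matches it; a home directory and .Xauthority
# labelled default_t is a relabelling problem, not a policy bug, and
# "restorecon -Rv /home/<user>" is the first thing to try.

# Read "ls -lZ" style lines on stdin and print the path of every entry
# whose SELinux type (third field of user:role:type:level) is default_t.
find_default_t() {
    awk '{
        split($4, c, ":")
        if (c[3] == "default_t") print $NF
    }'
}

# Constructed sample mirroring the listing in the post (one entry per line).
SAMPLE='drwxr-xr-x. benites users system_u:object_r:default_t:s0 /home/benites
-rw-------. benites users unconfined_u:object_r:default_t:s0 /home/benites/.Xauthority
-rw-r--r--. benites users unconfined_u:object_r:user_home_t:s0 /home/benites/.bashrc'

# Number of mislabelled entries in SAMPLE (2 for the constructed sample).
count_default_t() {
    printf '%s\n' "$SAMPLE" | find_default_t | wc -l | tr -d ' '
}

# Emit one "restorecon -v <path>" line per mislabelled path found on stdin;
# "matchpathcon <path>" shows what the policy expects before relabelling.
suggest_relabel() {
    find_default_t | while read -r p; do
        printf 'restorecon -v %s\n' "$p"
    done
}

# If relabelling does not help and audit.log stays empty in enforcing mode,
# the denial is probably covered by a dontaudit rule. As root:
#   semodule -DB      # rebuild policy with dontaudit rules disabled
#   ...reproduce the ssh -X login, then read /var/log/audit/audit.log...
#   semodule -B       # rebuild with dontaudit rules back in place
```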
Alert from turning off/on wireless
by SternData
On my (very old) laptop, I turned off the wireless (via the hardware
switch) then turned it back on, generating an alert. This action
should be allowed by the default policy. (Fedora 17)
SELinux is preventing NetworkManager from read access on the file
/etc/sysctl.conf.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that NetworkManager should be allowed read access on
the sysctl.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:object_r:system_conf_t:s0
Target Objects /etc/sysctl.conf [ file ]
Source NetworkManager
Source Path NetworkManager
Port <Unknown>
Host sdssony.sterndata.local
Source RPM Packages
Target RPM Packages initscripts-9.35-1.fc17.i686
Policy RPM selinux-policy-3.10.0-95.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name sdssony.sterndata.local
Platform Linux sdssony.sterndata.local
3.3.0-0.rc6.git0.2.fc17.i686.PAE #1 SMP Mon Mar 5
17:02:45 UTC 2012 i686 i686
Alert Count 3
First Seen Sat 10 Mar 2012 05:46:38 PM CST
Last Seen Sun 11 Mar 2012 09:03:09 AM CDT
Local ID dcb10873-6853-4f15-b7ad-98be5dca0afb
Raw Audit Messages
type=AVC msg=audit(1331474589.552:82): avc: denied { read } for
pid=581 comm="NetworkManager" name="sysctl.conf" dev="sda5"
ino=2360124 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:system_conf_t:s0 tclass=file
Hash: NetworkManager,NetworkManager_t,system_conf_t,file,read
audit2allow
unable to open /sys/fs/selinux/policy: Permission denied
audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
11 years, 6 months
Detecting MLS mode
by Moray Henderson
Is there an easy way for a script to detect whether MLS mode is enabled?
On CentOS 5 whether running normally or in Anaconda's rescue mode,
SELINUX=enforcing (or permissive), SELINUXTYPE=targeted, there is no
/etc/selinux/mls directory and cat /selinux/mls prints "1".
However, with CentOS running normally a command to set a context works,
while from rescue mode the same command fails with "cannot setup default
context" unless I add an :s0 MLS piece. That's fine when I'm doing things
manually, but I'd like a script to detect whether it's being run in an
environment that needs the :s0 added. I don't want to just add :s0 all the
time, in case it's already there in the context string I'm trying to set.
Moray.
"To err is human; to purr, feline."
11 years, 6 months
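A script-friendly version of the check asked for above, added here as an example (not from the thread). It reads the kernel's MLS flag from /sys/fs/selinux/mls or /selinux/mls (both print 1 on an MLS-capable policy) and, separately, only appends ":s0" when the context string does not already carry a level, which is the part that prevents double-adding. Whether the flag alone distinguishes rescue mode from a normal boot is an open question in the post; the string check works either way.

```shell
#!/bin/sh
# Added example, not from the original post. Decide whether a context
# string needs an MLS ":s0" suffix before it is handed to chcon/semanage.
# Assumes the MLS flag lives in /sys/fs/selinux/mls (newer kernels) or
# /selinux/mls (CentOS 5); both print 1 when the policy is MLS-capable.

# Print 1 if the running policy reports MLS enabled, 0 otherwise.
selinux_mls_enabled() {
    for f in /sys/fs/selinux/mls /selinux/mls; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo 0
}

# Count colon-separated fields: user:role:type is 3; with an MLS level or
# range (s0, s0:c0.c1023, s0-s0:c0.c1023) it is 4 or more.
ctx_fields() {
    printf '%s\n' "$1" | awk -F: '{ print NF }'
}

# add_mls_level CONTEXT [MLS_FLAG]
# Appends ":s0" only when MLS is on (flag=1) and the context has no level
# yet; the flag defaults to whatever the running kernel reports.
add_mls_level() {
    ctx=$1
    mls=${2:-$(selinux_mls_enabled)}
    if [ "$mls" = "1" ] && [ "$(ctx_fields "$ctx")" -lt 4 ]; then
        printf '%s:s0\n' "$ctx"
    else
        printf '%s\n' "$ctx"
    fi
}

# Usage in a script (the kernel flag is consulted automatically):
#   chcon "$(add_mls_level system_u:object_r:httpd_sys_content_t)" /var/www/html/index.html
```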
Dipping into the policy waters
by Alan Batie
I'm trying a simple "first policy" with Eclipse and SLIDE, and getting
an error I don't understand. I'm hoping someone can point me in the
right direction:
Creating policy.xml
/usr/share/selinux/devel/include/support/segenxml.py: warning: unable to
find XML for interface peak_read_files()
/usr/share/selinux/devel/include/support/segenxml.py: warning: unable to
find XML for interface peak_read_config_files()
/usr/share/selinux/devel/include/support/segenxml.py: warning: orphan
XML comments at bottom of file ./peak_files.te
doc/policy.xml:65535: element module: validity error : Element module
content does not follow the DTD, expecting (summary , desc? , required?
, (interface | template)* , (bool | tunable)*), got (summary param
interface interface )
Document doc/policy.xml does not validate against
/usr/share/selinux/devel/include/support/policy.dtd
make: *** [doc/policy.xml] Error 3
Compiling targeted peak_files module
I'm guessing that means I haven't defined the interfaces somewhere I
ought to, but I have them in the Interfaces (.if) tab:
############################################################
## <summary>
## Access to reading peak files
## </summary>
## <param name="domain">
## <summary>
## Source domain to give access to
## </summary>
## </param>
#
interface(`peak_read_files',`
gen_require(`
type peak_t;
')
allow $1 peak_t:dir list_dir_perms;
read_files_pattern($1,peak_t,peak_t)
')
############################################################
## <summary>
## Access to reading peak config files
## </summary>
## <param name="domain">
## <summary>
## Source domain to give access to
## </summary>
## </param>
#
interface(`peak_read_config_files',`
gen_require(`
type peak_config_t;
')
allow $1 peak_config_t:dir list_dir_perms;
read_files_pattern($1,peak_config_t,peak_config_t)
')
The .te file is simple enough:
policy_module(peak_files,1.0.0)
############################################################
## <summary>
## Peak local configuration files and scripts
## </summary>
# domain for peak files
type peak_t;
# domain for peak configuration files
type peak_config_t;
# domain for peak scripts to run in
type peak_exec_t;
files_type(peak_t)
files_type(peak_config_t)
# peak things can read peak config files
read_files_pattern(peak_t,peak_config_t,peak_config_t)
For completeness, the .fc file:
/peak(/.*)? gen_context(system_u:object_r:peak_t,s0)
11 years, 6 months