[clueless-user] Should I ignore or report this avc denial?
by Sergio
Hello.
For quite some time I have this avc denial at boot time:
f17 kernel: [ 24.589672] type=1400 audit(1348484525.104:4): avc: denied { mmap_zero } for pid=449 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
I know it's for vbetool but it comes right after the video driver module is loaded (don't know if it makes sense).
Should I leave it alone? Should I report to selinux-policy-targeted as a bug? Or maybe create some policy to work around that?
Thank you.
Configuring Setroubleshoot
by Arthur Dent
Hello all,
I have just had a weird email indicating that my server is spamming.
This resulted from my attempt to get setroubleshoot to send email
notifications.
I don't really understand how this happened, and I keep looking at the
headers wondering exactly what went on...
This is the message I received:
================================8<=====================================
The original message was received at Sat, 29 Sep 2012 17:18:17 +0100
from localhost [127.0.0.1]
with id q8TGIHxg001451
----- The following addresses had permanent fatal errors -----
<root(a)localhost.localdomain>
(reason: 554 5.7.1 Service unavailable; Client host [82.43.145.228] blocked using ix.dnsbl.manitu.net; Your e...2 13:01:07 +0200. Your admin should visit http://www.dnsbl.manitu.net/lookup.php?value=82.43.145.228)
----- Transcript of session follows -----
... while talking to el-tio.edelhost.de.:
>>> DATA
<<< 554 5.7.1 Service unavailable; Client host [82.43.145.228] blocked using ix.dnsbl.manitu.net; Your e-mail service was detected by el-tio.edelhost.de (NiX Spam) as spamming at Sat, 29 Sep 2012 13:01:07 +0200. Your admin should visit http://www.dnsbl.manitu.net/lookup.php?value=82.43.145.228
554 5.0.0 Service unavailable
<<< 554 5.5.1 Error: no valid recipients
550 5.1.1 <SELinux_Troubleshoot(a)mydomain.org>... User unknown
================================8<=====================================
These are the headers for that email. As far as I can tell the email
never left my server.
================================8<=====================================
Return-path: <MAILER-DAEMON(a)mydomain.org>
X-spam-checker-version: SpamAssassin 3.3.2 (2011-06-06) on mydomain.org
X-spam-level:
X-spam-status: No, score=-0.3 required=5.0 tests=BAYES_00,NO_RELAYS, T_TVD_MIME_NO_HEADERS,URIBL_WS_SURBL autolearn=no version=3.3.2
Received: from localhost (localhost) by mydomain.org (8.14.5/8.14.5) id q8TGIJxg001453; Sat, 29 Sep 2012 17:18:19 +0100
Date: Sat, 29 Sep 2012 17:18:19 +0100
From: Mail Delivery Subsystem <MAILER-DAEMON(a)mydomain.org>
Message-id: <201209291618.q8TGIJxg001453(a)mydomain.org>
To: postmaster(a)mydomain.org
Mime-version: 1.0
Content-type: multipart/report; report-type=delivery-status; boundary="q8TGIJxg001453.1348935499/mydomain.org"
Subject: Postmaster notify: see transcript for details
Auto-submitted: auto-generated (postmaster-notification)
X-evolution-source: 1292576305.15554.21(a)localhost.localdomain
================================8<=====================================
This was attached. I do not understand how this came about:
================================8<=====================================
Reporting-MTA: dns; mydomain.org
Received-From-MTA: DNS; localhost
Arrival-Date: Sat, 29 Sep 2012 17:18:17 +0100
Final-Recipient: RFC822; root(a)localhost.localdomain.org
Action: failed
Status: 5.7.1
Remote-MTA: DNS; el-tio.edelhost.de
Diagnostic-Code: SMTP; 554 5.7.1 Service unavailable; Client host [82.43.145.228] blocked using ix.dnsbl.manitu.net; Your e-mail service was detected by el-tio.edelhost.de (NiX Spam) as spamming at Sat, 29 Sep 2012 13:01:07 +0200. Your admin should visit http://www.dnsbl.manitu.net/lookup.php?value=82.43.145.228
Last-Attempt-Date: Sat, 29 Sep 2012 17:18:19 +0100
================================8<=====================================
And the actual mail was a standard setroubleshoot report detailing an
AVC.
I admit I probably do not have this set up right, but I don't know what
I have done wrong.
In /var/lib/setroubleshoot/email_alert_recipients I have simply:
root(a)localhost.localdomain filter_type=after_first
Note that there is no ".org" after that.
I have not touched /etc/setroubleshoot/setroubleshoot.conf at all.
What do I have to do to fix this?
Thanks...
Mark
cron -> epylog -> links
by Zdenek Pytela
Hello everybody,
every night cron calls epylog and it launches links.
links wants to create a temporary file links.tmp and write to ~/.links
directory and to check bookmarks/history and other files.
As epylog is run as root, admin_home is affected.
If run from a cli, no alert is displayed.
It is (probably) run from publishers.py at line 264:
exitcode = os.system('%s -dump %s > %s 2>/dev/null'
                     % (self.lynx, htmlfile, plainfile))
As a2a recommends, it is easy to make a local policy file.
#============= logwatch_t ==============
#!!!! The source type 'logwatch_t' can write to a 'dir' of the following types:
# logwatch_cache_t, logwatch_tmp_t
allow logwatch_t admin_home_t:dir { write remove_name add_name setattr };
#!!!! The source type 'logwatch_t' can write to a 'file' of the following types:
# logwatch_lock_t, logwatch_var_run_t, logwatch_cache_t, logwatch_tmp_t
allow logwatch_t admin_home_t:file { rename write read create unlink open };
(and similar).
This looks to me like too much unconfining.
I think that relabeling the .elinks directory and its files is a better solution.
Maybe this is a job for a transition, which I am still not familiar with.
But I am also surprised that this happens to nobody else, as most of the
epylog.conf settings are default. All of my hosts have this bug-or-what-it-is.
Thanks in advance,
--
--Zdenek Pytela, <pytela(a)phil.muni.cz>
httpd soap connection over https
by Ahmed Sghaier
Hello,
I have read on this page
<https://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Lin...>
:
Important
Modules created with audit2allow may allow more access than required.
It is recommended that policy created with audit2allow be posted to an
SELinux list, such as fedora-selinux-list, for review. If you believe
there is a bug in policy, create a bug in Red Hat Bugzilla.
So here I post my issue first to make sure audit2allow is giving the
perfect rule to be set and to ask for the best and most secure way to
allow this.
I have been trying to connect to a remote soap over https on port 443
from a simple php script.
But selinux set to enforcing has been blocking the connection.
I have tried the three methods separately and each one of them allowed
the php script to connect correctly to remote soap.
First I need to know which one of the three methods is best (which will
give less privileges?). Does the audit2allow give a rule with "more
access than required"?
Second, I want to ask if there is a way to allow remote soap for only
https://www.domain.com and not any other ip address.
Please find php script, selinux log, audit2why output, audit2allow
output and the three methods I have used to allow connection in postscript.
Thank you very much, I really appreciate your help.
Sincerely yours,
Ahmed Sghaier.
PS :
selinux log :
# grep '1346290066.999:85' /var/log/audit/audit.log
type=AVC msg=audit(1346290066.999:85): avc: denied { name_connect } for pid=2021 comm="httpd" dest=1664 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1346290066.999:85): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7f65a9e33b18 a2=10 a3=40 items=0 ppid=2016 pid=2021 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Method 1 :
# setsebool -P allow_ypbind 1
Method 2 :
# setsebool -P httpd_can_network_connect 1
Method 3 :
# grep '1346290066.999:85' /var/log/audit/audit.log | audit2allow -M soap
# semodule -i soap.pp
audit2allow output :
# grep '1346290066.999:85' /var/log/audit/audit.log | audit2allow
#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# allow_ypbind, httpd_can_network_connect
allow httpd_t port_t:tcp_socket name_connect;
audit2why output :
# grep '1346290066.999:85' /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1346290066.999:85): avc: denied { name_connect } for pid=2021 comm="httpd" dest=1664 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

    Was caused by:
    One of the following booleans was set incorrectly.
    Description:
    Allow system to run with NIS

    Allow access by executing:
    # setsebool -P allow_ypbind 1
    Description:
    Allow HTTPD scripts and modules to connect to the network using TCP.

    Allow access by executing:
    # setsebool -P httpd_can_network_connect 1
php script :
<?php
try {
    $soap = new SoapClient("https://www.domain.com/soap.wsdl");
    echo "SoapLoaded\n";
    // login
    $session = $soap->login("user", "login"...);
    echo "LoginSuccessfull\n";
    // logout
    $soap->logout($session);
    echo "LogoutSuccessfull\n";
} catch(SoapFault $fault) {
    echo $fault;
}
?>
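An added example, not from the post or from the audit2why/audit2allow tools, that joins the AVC and SYSCALL records quoted above by their audit event id, the way audit2why groups them, and pulls out the fields a reviewer checks before choosing between the booleans: the denied permission, source and target types, object class, and the dest= port, which is compared against the port the script is expected to use. It also accepts the kernel-log form (type=1400 audit(...)) from the vbetool post at the top of this page; the sample lines are the ones quoted on the page, embedded as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC and SYSCALL records quoted in this post (they share
# event id 1346290066.999:85) plus the dmesg-style line from the vbetool post above.
SAMPLE_LOG = """\
type=AVC msg=audit(1346290066.999:85): avc: denied { name_connect } for pid=2021 comm="httpd" dest=1664 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1346290066.999:85): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7f65a9e33b18 a2=10 a3=40 items=0 ppid=2016 pid=2021 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
f17 kernel: [ 24.589672] type=1400 audit(1348484525.104:4): avc: denied { mmap_zero } for pid=449 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
"""

# Record header; the kernel-log form "type=1400 audit(...)" has no "msg=" and a syslog prefix.
HEADER_RE = re.compile(r"type=(?P<type>\w+)\s+(?:msg=)?audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)")
# AVC body: "avc: denied { perm ... } for key=value ..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
# key=value tokens; values may be quoted, parenthesised like (none), or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
TYPE_NAMES = {"1400": "AVC", "1300": "SYSCALL"}  # numeric record types used by the kernel log form

def parse_record(line):
    """Return ((timestamp, serial), fields) for one audit line, or None if it is not one."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"type": TYPE_NAMES.get(m.group("type"), m.group("type"))}
    body = m.group("body")
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["verdict"] = a.group("verdict")
        rec["perms"] = a.group("perms").split()
        body = a.group("rest")
    for key, val in KV_RE.findall(body):
        rec[key] = val.strip('"')
    return (m.group("ts"), m.group("serial")), rec

def parse_log(text):
    """Group every record of a log by its audit event id, as audit2why does before explaining it."""
    events = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed:
            events[parsed[0]].append(parsed[1])
    return events

def type_of(context):
    """Type field of a context, e.g. httpd_t from unconfined_u:system_r:httpd_t:s0."""
    return context.split(":")[2]

def summarize(records):
    """Merge one event's AVC and SYSCALL records into the fields a policy reviewer checks."""
    out = {}
    for rec in records:
        if rec["type"] == "AVC":
            out.update(perms=rec["perms"], comm=rec.get("comm"), tclass=rec.get("tclass"),
                       source_type=type_of(rec["scontext"]), target_type=type_of(rec["tcontext"]),
                       dest_port=rec.get("dest"))
        elif rec["type"] == "SYSCALL":
            out.update(exe=rec.get("exe"), success=rec.get("success"), exit_code=rec.get("exit"))
    return out

def dest_matches(summary, expected_port):
    """True if the denied connection went to the port the application is expected to use."""
    return summary.get("dest_port") == str(expected_port)
```

For the event above the summary reports dest_port 1664 with target type port_t, so comparing it against the 443 the script is believed to use is the first thing to settle before loading any rule or boolean.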
PostgreSQL PITR & SELinux
by Dmitry Makovey
Hi everybody,
I have seen this topic pop up on this ML previously but without much traction.
However I'll try it again ;)
I'm building PostgreSQL setup with PGPool-II replication and PITR. After some
tinkering I've arrived at a module with contents:
===pgsql-pitr.te===
module pgsql-pitr 1.7;
require {
type ssh_home_t;
type ssh_port_t;
type ssh_exec_t;
type rsync_exec_t;
type postgresql_t;
class tcp_socket name_connect;
class file { getattr execute read open execute_no_trans };
class dir { search getattr };
}
allow postgresql_t rsync_exec_t:file { read open execute_no_trans getattr execute };
allow postgresql_t ssh_exec_t:file { read open execute execute_no_trans };
allow postgresql_t ssh_home_t:dir { search getattr };
allow postgresql_t ssh_home_t:file { read open getattr };
allow postgresql_t ssh_port_t:tcp_socket name_connect;
===end of pgsql-pitr.te===
All of the above to allow me to launch rsync as an "archive_command" from
postgres and copy WAL files from primary over to secondary, generated from
auditd messages thus very specific. I could probably drop the rsync part and
go with scp alone but that won't change what I'm about to ask.
What I really wonder about is - above I've opened up quite a few things that
are very specific to this mode of operation, however I can't believe I'm in a
situation nobody else has been in before and there are no booleans/tunables for
most of the things outlined above. So is there a way to make the above utilize
existing hooks or is it "as good as it gets"?
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
Woody Allen
When in trouble when in doubt run in circles scream and shout
http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
SELinux Branded USB Thumb Drives
by David Quigley
I've been thinking of putting in a bulk order for either 8GB or 16GB
USB thumb drives with special SELinux branding on them. Who would be
interested in participating in the bulk order? We would have to decide
on a design first and then once that was done and I felt I had enough
people on board I could order about 100 of them (which seems to be the
minimum for some places). Nothing is definite yet as I'm just shopping
around the idea.
fcontext nightmare - Help please?
by Edward Harvey
I'm managing an amazon virtual machine, with 8G / partition, and a larger
secondary storage device attached. I enabled selinux, and I'm trying to
make things work (and keep things secure) while migrating some things such
as the ldap & mysql directories to the second device.
As far as I know, simply extending the / partition isn't an option (not LVM)
... Conceivably I could just make a clone larger machine, but there are a
lot of advantages to having the separate storage device... which can be LVM,
and prevents the / filesystem from getting filled up, and can be
detached/reattached to other machines, etc etc. So I'm trying like heck to
keep the second storage device separate.
Here's the problem:
I mount /data, and now I've got to move & preserve things like the
/var/lib/mysql directory to a subdir of /data, while preserving selinux
types and everything. I started out by simply mimicking the / structure ...
sudo mount /data
sudo mkdir -p /data/var/lib
sudo chown --reference=/ /data
sudo chcon --reference=/ /data
sudo chmod --reference=/ /data
sudo chown --reference=/var /data/var
sudo chcon --reference=/var /data/var
sudo chmod --reference=/var /data/var
sudo chown --reference=/var/lib /data/var/lib
sudo chcon --reference=/var/lib /data/var/lib
sudo chmod --reference=/var/lib /data/var/lib
And finally
cd /var/lib ; sudo tar cpf - --selinux mysql | (cd /data/var/lib ; sudo tar xpf - --selinux) ; cd -
I understand that chcon is not persistent...
And after all the above was done, I meticulously examined all the contexts
of all those directories and confirmed they do match the original...
Unfortunately, as soon as I start mysqld, the context of /data/var/lib/mysql
gets reset. I don't know how or why that is happening, but I presume it's
because I haven't set the fcontext. So ...
I want to write a script that walks through the whole /var/lib/mysql
directory, and creates matching fcontexts for /data/var/lib/mysql. Better
yet ... I would like to create fcontext applied to /data which is a complete
replica of /
Here is where I'm getting stuck. I can do "semanage fcontext -l" and I see
all the information, but it's not in a format that's suitable to modify and
feed back into semanage. I can do "semanage -o -" but it only says
"fcontext -D" which is not helpful.
I can't seem to find any combination of commands that will allow me to get
all the fcontexts of / (or a relatively large subdir of /) and modify them
with the /data prefix to feed back into semanage.
Help please?
Thanks...
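An added example, not the poster's script, of the generator asked for above: it parses `semanage fcontext -l` rows, keeps the rules under one prefix, and emits the `semanage fcontext -a` commands that recreate them under the /data prefix, so the labels are restored by restorecon rather than depending on chcon. The listing rows are constructed, and the single-letter -f values are assumed to be those accepted by newer semanage releases.

```python
import re
import shlex

# Constructed sample of `semanage fcontext -l` output (rows assumed for illustration;
# on a real host the listing comes from running `semanage fcontext -l`).
SAMPLE_LISTING = r"""
SELinux fcontext                                   type               Context
/var/lib/mysql(/.*)?                               all files          system_u:object_r:mysqld_db_t:s0
/var/lib/mysql/mysql\.sock                         socket             system_u:object_r:mysqld_var_run_t:s0
/var/lib/ldap(/.*)?                                all files          system_u:object_r:slapd_db_t:s0
/var/lib/libvirt(/.*)?                             all files          system_u:object_r:virt_var_lib_t:s0
"""

# One listing row: regex spec, file-type column, context. Specs are assumed to contain no spaces.
ROW_RE = re.compile(
    r"^(?P<spec>\S+)\s+"
    r"(?P<ftype>all files|regular file|directory|character device|block device|socket|symbolic link|named pipe)"
    r"\s+(?P<ctx>\S+)$")

# Assumed mapping from the listing's file-type column to the single-letter -f values of
# newer semanage versions (older releases spell them --, -d, -c, -b, -s, -l, -p).
FTYPE_FLAGS = {"all files": "a", "regular file": "f", "directory": "d", "character device": "c",
               "block device": "b", "socket": "s", "symbolic link": "l", "named pipe": "p"}

def parse_listing(text):
    """Return (spec, ftype, context) for each data row of `semanage fcontext -l` output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("spec"), m.group("ftype"), m.group("ctx")))
    return rows

def under_prefix(spec, prefix):
    """True if a regex spec describes paths below prefix ('/' means every spec)."""
    prefix = prefix.rstrip("/")
    return spec == prefix or spec.startswith(prefix + "/") or spec.startswith(prefix + "(")

def rewrite_specs(listing, old_prefix, new_prefix):
    """Return (new_spec, ftype, selinux_type) for every rule under old_prefix, moved to new_prefix."""
    old = old_prefix.rstrip("/")
    new = new_prefix.rstrip("/")
    moved = []
    for spec, ftype, ctx in parse_listing(listing):
        if under_prefix(spec, old):
            moved.append((new + spec[len(old):], ftype, ctx.split(":")[2]))
    return moved

def semanage_commands(listing, old_prefix, new_prefix):
    """Build the `semanage fcontext -a` commands that recreate the rules under the new prefix."""
    cmds = []
    for spec, ftype, setype in rewrite_specs(listing, old_prefix, new_prefix):
        cmds.append("semanage fcontext -a -t %s -f %s %s" % (setype, FTYPE_FLAGS[ftype], shlex.quote(spec)))
    return cmds
```

After the rules are loaded, `restorecon -Rv /data` applies them and they survive a relabel, which chcon alone does not. Newer policycoreutils can express the same intent as one equivalence rule, `semanage fcontext -a -e /var/lib/mysql /data/var/lib/mysql`, which maps the whole subtree without enumerating rows.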
SELinux is preventing /bin/ps from search access...
by mark
CentOS 6.3. *Just* updated, including most current selinux-policy and
selinux-policy-targeted. I'm getting tons of these, as in it's just
spitting them out when I tail -f /var/log/messages:
Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps
from search access on the directory @2. For complete SELinux messages. run
sealert -l d92ec78b-3897-4760-93c5-343a662fec67
Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps
from getattr access on the directory /proc/<pid>. For complete SELinux
messages. run sealert -l a9c9bf7d-d646-4c29-9fe6-ac61b6806f52
Sep 13 15:20:52 <server> setroubleshoot: SELinux is preventing /bin/ps
from search access on the directory 4417. For complete SELinux messages.
run sealert -l b321ab2d-0277-45c9-bc86-545f9ff6ff91
You can see how many of them there are from the timestamps.
Googling, I've seen other folks complain months ago, but no answers.
Anyone have a clue?
If selinux wasn't in permissive mode, something(s) would be dead.
mark
Re: SELinux is preventing /bin/ps from search access...
by mark
Daniel J Walsh wrote:
> On 09/13/2012 04:44 PM, m.roth(a)5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 09/13/2012 03:24 PM, m.roth(a)5-cent.us wrote:
>>>> CentOS 6.3. *Just* updated, including most current selinux-policy and
>>>> selinux-policy-targeted. I'm getting tons of these, as in it's just
>>>> spitting them out when I tail -f /var/log/messages: Sep 13 15:20:51
>>>> <server> setroubleshoot: SELinux is preventing /bin/ps from search
>>>> access on the directory @2. For complete SELinux messages. run sealert
>>>> -l d92ec78b-3897-4760-93c5-343a662fec67
>> <snip>
>>> What are the AVC's you are seeing. What domain is running ps command.
>>
>> I've turned down auditd to *try* to cut down some of the garbage in the
>> logs, but I still see things like: Sep 13 16:04:02 <server> kernel:
>> type=1400 audit(1347566642.053:96703): avc: denied { search } for
>> pid=9835 comm="ps" name="3647" dev=proc ino=20207
>> scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=dir
>>
> You running passenger?
Let me guess: I just googled passenger and selinux, and I see a number of
hits to
grep httpd /var/log/audit/audit.log | audit2allow -M passenger
then
semodule -i passenger.pp
Looking in the .te, there's a *lot* of allows....
mark
F17 yum/rpm not running groupadd in %pre scripts
by Chuck Anderson
Forwarding here since I think this is an SELinux issue w/rpm running
%pre scripts. See the two bugs below.
The "screen" package has this %pre script:
preinstall scriptlet (using /bin/sh):
/usr/sbin/groupadd -g 84 -r -f screen
:
These dontaudit AVCs appear when installing the package via yum and
the group doesn't get created:
# semodule -DB
# yum install screen
...
Running Transaction
Installing : screen-4.1.0-0.9.20120314git3c2946.fc17.x86_64 1/1
warning: group screen does not exist - using root
warning: group screen does not exist - using root
# grep -i avc audit/audit.log
type=AVC msg=audit(1344982418.400:148): avc: denied { read } for pid=5725 comm="groupadd" path="/tmp/tmpdH4tic" dev="dm-5" ino=942811 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1344982418.400:148): avc: denied { read } for pid=5725 comm="groupadd" path="/tmp/tmpdH4tic" dev="dm-5" ino=942811 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1344982418.445:149): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1344982418.445:150): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1344982418.445:151): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
Everything works correctly if I "setenforce 0" first.
Thanks.
----- Forwarded message from Chuck Anderson <cra(a)WPI.EDU> -----
Date: Tue, 14 Aug 2012 15:30:33 -0400
From: Chuck Anderson <cra(a)WPI.EDU>
To: For testing and quality assurance of Fedora releases <test(a)lists.fedoraproject.org>
Subject: F17 yum/rpm not running groupadd in %pre scripts
Precedence: list
Reply-To: For testing and quality assurance of Fedora releases <test(a)lists.fedoraproject.org>
I ran into a comedy of errors today after I did a new F17 installation
yesterday. Here are a couple:
https://bugzilla.redhat.com/show_bug.cgi?id=848148
Error in PREIN scriptlet in rpm package wireshark-1.6.9-1.fc17.x86_64
(and why does yum still let the transaction succeed, creating problems
in the RPMDB, broken dependencies?)
https://bugzilla.redhat.com/show_bug.cgi?id=845671
"Directory '/var/run/screen' must have mode 777." when opening screen
(and why does systemd-tmpfiles completely fail to start when there is
a missing group--it should fail gracefully, allowing the other
tmpfiles stuff to run and the service as a whole to run)
Both of these are traceable to missing entries in /etc/group. In the
former case, there is an explicit "Error in PREIN" script during
installation. In the latter case, there is only a warning and
installation proceeds:
Running Transaction
Installing : screen-4.1.0-0.9.20120314git3c2946.fc17.x86_64 1/1
warning: group screen does not exist - using root
warning: group screen does not exist - using root
So what is going on with %pre not running groupadd properly? Are there
any known issues in this area?
Thanks.
----- End forwarded message -----