Bootup error with Selinux +F15
by magina antimage
Hi,
I have tried disabling SELinux, because I didn't have the SELinux module
enabled in my kernel.
I have tried changing /etc/selinux/config
from SELINUX=permissive to SELINUX=disabled,
but I still get the error
"Failed to load SELinux policy." during bootup.
I have referred to "https://bugzilla.redhat.com/show_bug.cgi?id=692573"
and tried to solve this problem, but with no positive results.
Also, sometimes I get I/O errors on my hard disk (during boot) after
one or two boots.
I am not sure whether it's because of SELinux or not, but while
searching for this I/O error I came across a few cases where these I/O
errors were because of SELinux policies.
Other details:
arch: x86
selinux version: libselinux-2.0.99-4.fc15.i686
9 years, 10 months
OpenVPN launching scripts
by Bruno Vernay
I am trying to allow OpenVPN to use Amazon Simple Notification Service
(SNS), so that each time a client connects to the VPN, OpenVPN
triggers a bash script that will use Amazon SNS.
Amazon SNS is a Java program launched via bash scripts.
It is in aws/SimpleNotificationServiceCli/bin/ for the .sh and /lib for the .jar
OpenVPN launches a script in /etc/openvpn/client-connect.
OpenVPN runs confined and I don't want to poke a big hole just to run SNS.
So I tried to "confine" SNS and allow the transition from OpenVPN, but
it didn't go well (config files below).
I wonder if it could be just as good to allow OpenVPN to escape its
confinement only to call the relevant SNS script?
From documentation and audit2allow I got to these configuration files.
But it still doesn't authorize the script to run, and now the messages
trigger errors in audit2allow:
libsepol.mls_from_string: invalid MLS context
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:proc_t: to sid
libsepol.context_from_record: type op is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:op:s0 to sid
libsepol.context_from_record: type openvpn_ is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:openvpn_:s0 to sid
libsepol.context_from_record: type shell_e is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:shell_e:s0 to sid
$ cat amz_sns.fc
/opt/aws/SimpleNotificationServiceCli.*/bin/.*    --    gen_context(system_u:object_r:amz_sns_exec_t,s0)
/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?       gen_context(system_u:object_r:amz_sns_lib_t,s0)
$ cat amz_sns.te
policy_module(amz_sns, 1.0.0)

require {
    type openvpn_t;
    type openvpn_tmp_t;
    type shell_exec_t;
}

type amz_sns_t;
type amz_sns_exec_t;
type amz_sns_lib_t;
# Interface calls are m4 macros: no trailing ';' (it leaves a stray ';' after expansion)
files_type(amz_sns_lib_t)
domain_type(amz_sns_t)
domain_entry_file(amz_sns_t, amz_sns_exec_t)
allow amz_sns_t amz_sns_exec_t:file { read execute entrypoint }; # already granted by domain_entry_file
# openvpn_t executing an amz_sns_exec_t file transitions into amz_sns_t
domain_auto_trans(openvpn_t, amz_sns_exec_t, amz_sns_t)
role system_r types amz_sns_t; # the new domain must be valid for the role openvpn_t runs in
# The child process sends a signal to its parent as it dies
allow amz_sns_t openvpn_t:process sigchld;
allow amz_sns_t openvpn_tmp_t:file write; # For /tmp/debug
# The wrapper is a shell script, so bash runs inside amz_sns_t
allow amz_sns_t shell_exec_t:file { read open execute execute_no_trans }; # Bash exec
Bruno
10 years, 3 months
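The libsepol errors in the post above ("type openvpn_ is not defined", "could not convert system_u:object_r:proc_t: to sid") are what audit2allow reports when the contexts in its input are truncated or line-wrapped. The parser below is added here as an example (it is not code from the post, nor from the audit2allow or libsepol projects): it does the first step audit2allow performs, reading raw AVC records, grouping the denied permissions by source type, target type and object class, and printing allow rules, but it validates every security context first, so a damaged record is reported instead of becoming an undefined type in the module. The audit lines are constructed for the example; the check that a type name ends in "_t" is a reference-policy naming convention used as a heuristic, not a lookup against the loaded policy.

```python
import re
from collections import defaultdict

# Constructed audit records (not from the original post). The third one carries
# a truncated target context, "openvpn_" instead of "openvpn_tmp_t", of the kind
# that makes libsepol complain "type openvpn_ is not defined".
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1359430445.962:387): avc:  denied  { execute } for  pid=1740 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1359430446.001:388): avc:  denied  { read open } for  pid=1740 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1359430447.120:389): avc:  denied  { write } for  pid=1801 comm="sns.sh" name="debug" dev="sda5" ino=91 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_:s0 tclass=file
type=SYSCALL msg=audit(1359430445.962:387): arch=i386 syscall=execve success=yes exit=0 comm="x11vnc_sh" exe="/usr/bin/bash"
"""

AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# user:role:type[:mls].  Types end in "_t" by convention in the reference policy,
# so a truncated name such as "openvpn_" or a trailing ":" fails this check.
CONTEXT_RE = re.compile(
    r"^[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:(?P<type>[A-Za-z0-9_]+_t)(?::\S+)?$"
)


def context_type(context):
    """Return the type field of a security context, or None if it is malformed."""
    m = CONTEXT_RE.match(context)
    return m.group("type") if m else None


def parse_avc_records(audit_text):
    """Parse type=AVC lines; return (records, problems)."""
    records, problems = [], []
    for lineno, line in enumerate(audit_text.splitlines(), 1):
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PATH, USER_AVC and friends are not handled here
        m = AVC_RE.search(line)
        if not m:
            problems.append(f"line {lineno}: AVC record not understood")
            continue
        stype = context_type(m.group("scontext"))
        ttype = context_type(m.group("tcontext"))
        if stype is None or ttype is None:
            problems.append(
                f"line {lineno}: malformed context "
                f"scontext={m.group('scontext')} tcontext={m.group('tcontext')}"
            )
            continue
        records.append({
            "verdict": m.group("verdict"),
            "perms": set(m.group("perms").split()),
            "stype": stype,
            "ttype": ttype,
            "tclass": m.group("tclass"),
        })
    return records, problems


def rules_from_records(records):
    """Merge denials into one allow rule per (source type, target type, class)."""
    grouped = defaultdict(set)
    for rec in records:
        if rec["verdict"] == "denied":
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def audit2rules(audit_text):
    """Rules for every well-formed denial, plus a list of records that were skipped."""
    records, problems = parse_avc_records(audit_text)
    return rules_from_records(records), problems


if __name__ == "__main__":
    rules, problems = audit2rules(SAMPLE_AUDIT_LOG)
    print("\n".join(rules))
    for problem in problems:
        print("skipped:", problem)
```

Running the script prints one merged rule for tcpd_t and one "skipped" line for the truncated record; in a real investigation that skipped line is the cue to go back to the audit log (or to the terminal paste) and recover the unwrapped record rather than to fix the module by hand.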
x11vnc on Fedora 18
by Andrew Jones
(Apologies in advance for the length of this mail. I am a total noob at
SELinux so my vocabulary is probably not correct. Hopefully you will be
able to understand from context what I am trying to say.)
I have been setting up x11vnc on some of my machines. It looks like
there are a hundred different ways of setting it up but I have chosen to
follow the spirit of this entry in the Fedora Forum:
http://forums.fedoraforum.org/showpost.php?p=1448696&postcount=2
This works with SELinux permissive but fails completely when enforcing.
Even when running permissively there are so many SELinux events in the
first few seconds that many are dropped as shown here:
Jan 29 03:44:10 ecafe audispd: queue is full - dropping event
After several hours of scouring the system log, running sealert and
creating policies, rinsing and repeating I think I have generated the
command line that will identify all the events which occur during an
x11vnc session:
egrep ps\|x11vnc\|tcpd\|mission-control /var/log/audit/audit.log | audit2allow -M mypol
By repeatedly running that line, applying the generated policy, then
restarting the computer and launching a new VNC session, eventually all
the events can be recorded without filling the queue.
I will put my questions here together where they are easy to find and
will post logs and other data below in case anyone wants to look at
them...
1) I have copied the mypol.te file below. Could someone tell me if
anything in there opens up a huge security risk?
2) Can I copy the mypol.pp file to another computer and apply the
policy directly?
3) If yes can I also copy it to a computer running Fedora 16 or 17?
4) Is there a simple way to convert a .te file to a .pp file?
5) If I put up this information as a How-To on the forum, is there a
preferred way of defining the policy? For example:
a) publish this line...
egrep ps\|x11vnc\|tcpd\|mission-control /var/log/audit/audit.log | audit2allow -M mypol
... and tell them to work from that
b) Publish the contents of the .te file (assuming there is a neat way to
create a .pp file) and say "Trust me"
c) Put the .pp file somewhere accessible from the internet and say
"Trust me even more"
d) Something else???
6) I have copied one of the outputs from sealert -l GUID below in case
it is useful. I have kept copies of all the others. Please let me know
if it would be useful to see them. I can supply them with no problem.
There are seventeen different outputs.
7) Is there a simpler way of having x11vnc "running as a service" like
Windows?
Thanks to anyone who can respond...
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
mypol.te (For brevity I have removed
several lines saying #!!!! This avc is allowed in the current policy )
module mypol9 1.0;
require {
type modemmanager_t;
type ksmtuned_t;
type shell_exec_t;
type initrc_t;
type fprintd_t;
type telepathy_mission_control_exec_t;
type user_devpts_t;
type dhcpc_t;
type cupsd_t;
type inetd_t;
type fsdaemon_t;
type keyboardd_t;
type udev_t;
type admin_home_t;
type xserver_t;
type audisp_t;
type policykit_t;
type dnsmasq_t;
type tcpd_t;
type virtd_t;
type bin_t;
type rpcd_t;
type crond_t;
type apmd_t;
type rtkit_daemon_t;
type sysctl_kernel_t;
type NetworkManager_t;
type colord_t;
type unconfined_t;
type unconfined_dbusd_t;
type rpcbind_t;
type init_t;
type auditd_t;
type devpts_t;
type syslogd_t;
type xserver_port_t;
type tty_device_t;
type xdm_var_lib_t;
type setroubleshootd_t;
type system_dbusd_t;
type var_log_t;
type config_home_t;
type accountsd_t;
type passwd_file_t;
type xdm_dbusd_t;
type avahi_t;
type proc_t;
type bluetooth_t;
type xdm_var_run_t;
type xdm_tmp_t;
type abrt_watch_log_t;
type mcelog_t;
type iscsid_t;
type kernel_t;
type rpm_t;
type consolekit_t;
type firewalld_t;
type chronyd_t;
type xdm_t;
type systemd_logind_t;
type sendmail_t;
type sshd_t;
type devicekit_power_t;
type devicekit_disk_t;
type tmpfs_t;
class process setsched;
class unix_stream_socket connectto;
class chr_file getattr;
class shm { write unix_read unix_write read destroy create };
class capability { sys_ptrace dac_override };
class tcp_socket name_connect;
class file { rename execute read create ioctl execute_no_trans write getattr unlink open };
class netlink_route_socket { bind create setopt nlmsg_read getattr };
class lnk_file read;
class udp_socket { create connect getattr };
class dir { write getattr read remove_name create search add_name };
}
#============= tcpd_t ==============
allow tcpd_t NetworkManager_t:dir { getattr search };
allow tcpd_t NetworkManager_t:file { read open };
allow tcpd_t abrt_watch_log_t:dir { getattr search };
allow tcpd_t abrt_watch_log_t:file { read open };
allow tcpd_t accountsd_t:dir { getattr search };
allow tcpd_t accountsd_t:file { read open };
allow tcpd_t admin_home_t:dir search;
allow tcpd_t admin_home_t:file { read getattr open };
allow tcpd_t apmd_t:dir { getattr search };
allow tcpd_t apmd_t:file { read open };
allow tcpd_t audisp_t:dir { getattr search };
allow tcpd_t audisp_t:file { read open };
allow tcpd_t auditd_t:dir { getattr search };
allow tcpd_t auditd_t:file { read open };
allow tcpd_t avahi_t:dir { getattr search };
allow tcpd_t avahi_t:file { read open };
allow tcpd_t bin_t:file { ioctl execute read open getattr execute_no_trans };
allow tcpd_t bluetooth_t:dir { getattr search };
allow tcpd_t bluetooth_t:file { read open };
allow tcpd_t chronyd_t:dir { getattr search };
allow tcpd_t chronyd_t:file { read open };
allow tcpd_t colord_t:dir { getattr search };
allow tcpd_t colord_t:file { read open };
allow tcpd_t consolekit_t:dir { getattr search };
allow tcpd_t consolekit_t:file { read open };
allow tcpd_t crond_t:dir { getattr search };
allow tcpd_t crond_t:file { read open };
allow tcpd_t cupsd_t:dir { getattr search };
allow tcpd_t cupsd_t:file { read open };
allow tcpd_t devicekit_disk_t:dir { getattr search };
allow tcpd_t devicekit_disk_t:file { read open };
allow tcpd_t devicekit_power_t:dir { getattr search };
allow tcpd_t devicekit_power_t:file { read open };
allow tcpd_t devpts_t:dir { getattr search };
allow tcpd_t dhcpc_t:dir { getattr search };
allow tcpd_t dhcpc_t:file { read open };
allow tcpd_t dnsmasq_t:dir { getattr search };
allow tcpd_t dnsmasq_t:file { read open };
allow tcpd_t firewalld_t:dir { getattr search };
allow tcpd_t firewalld_t:file { read open };
allow tcpd_t fprintd_t:dir { getattr search };
allow tcpd_t fprintd_t:file { read open };
allow tcpd_t fsdaemon_t:dir { getattr search };
allow tcpd_t fsdaemon_t:file { read open };
allow tcpd_t inetd_t:dir { getattr search };
allow tcpd_t inetd_t:file { read open };
allow tcpd_t init_t:dir { getattr search };
allow tcpd_t init_t:file { read open };
allow tcpd_t initrc_t:dir { getattr search };
allow tcpd_t initrc_t:file { read open };
allow tcpd_t iscsid_t:dir { getattr search };
allow tcpd_t iscsid_t:file { read open };
allow tcpd_t kernel_t:dir { getattr search };
allow tcpd_t kernel_t:file { read open };
allow tcpd_t keyboardd_t:dir { getattr search };
allow tcpd_t keyboardd_t:file { read open };
allow tcpd_t ksmtuned_t:dir { getattr search };
allow tcpd_t ksmtuned_t:file { read open };
allow tcpd_t mcelog_t:dir { getattr search };
allow tcpd_t mcelog_t:file { read open };
allow tcpd_t modemmanager_t:dir { getattr search };
allow tcpd_t modemmanager_t:file { read open };
allow tcpd_t passwd_file_t:file { read getattr open };
allow tcpd_t policykit_t:dir { getattr search };
allow tcpd_t policykit_t:file { read open };
allow tcpd_t proc_t:dir read;
allow tcpd_t proc_t:file { read getattr open };
allow tcpd_t rpcbind_t:dir { getattr search };
allow tcpd_t rpcbind_t:file { read open };
allow tcpd_t rpcd_t:dir { getattr search };
allow tcpd_t rpcd_t:file { read open };
allow tcpd_t rpm_t:dir { getattr search };
allow tcpd_t rpm_t:file { read open };
allow tcpd_t rtkit_daemon_t:dir { getattr search };
allow tcpd_t rtkit_daemon_t:file { read open };
allow tcpd_t self:capability { sys_ptrace dac_override };
allow tcpd_t self:netlink_route_socket { bind create setopt nlmsg_read getattr };
allow tcpd_t self:shm { write unix_read unix_write read destroy create };
allow tcpd_t self:udp_socket { create connect getattr };
allow tcpd_t sendmail_t:dir { getattr search };
allow tcpd_t sendmail_t:file { read open };
allow tcpd_t setroubleshootd_t:dir { getattr search };
allow tcpd_t setroubleshootd_t:file { read open };
allow tcpd_t shell_exec_t:file { read execute open };
allow tcpd_t sshd_t:dir { getattr search };
allow tcpd_t sshd_t:file { read open };
allow tcpd_t sysctl_kernel_t:dir search;
allow tcpd_t sysctl_kernel_t:file { read open };
allow tcpd_t syslogd_t:dir { getattr search };
allow tcpd_t syslogd_t:file { read open };
allow tcpd_t system_dbusd_t:dir { getattr search };
allow tcpd_t system_dbusd_t:file { read open };
allow tcpd_t systemd_logind_t:dir { getattr search };
allow tcpd_t systemd_logind_t:file { read open };
allow tcpd_t tmpfs_t:file { read write };
allow tcpd_t tty_device_t:chr_file getattr;
allow tcpd_t udev_t:dir { getattr search };
allow tcpd_t udev_t:file { read open };
allow tcpd_t unconfined_dbusd_t:dir { getattr search };
allow tcpd_t unconfined_dbusd_t:file { read open };
allow tcpd_t unconfined_t:dir { getattr search };
allow tcpd_t unconfined_t:file { read open };
allow tcpd_t unconfined_t:lnk_file read;
allow tcpd_t user_devpts_t:chr_file getattr;
allow tcpd_t var_log_t:dir { write add_name };
allow tcpd_t var_log_t:file { write create open };
allow tcpd_t virtd_t:dir { getattr search };
allow tcpd_t virtd_t:file { read open };
allow tcpd_t xdm_dbusd_t:dir { getattr search };
allow tcpd_t xdm_dbusd_t:file { read open };
allow tcpd_t xdm_t:dir { getattr search };
allow tcpd_t xdm_t:file { read open };
allow tcpd_t xdm_tmp_t:dir search;
allow tcpd_t xdm_var_run_t:dir search;
allow tcpd_t xdm_var_run_t:file { read getattr open };
allow tcpd_t xserver_port_t:tcp_socket name_connect;
allow tcpd_t xserver_t:dir { getattr search };
allow tcpd_t xserver_t:file { read open };
allow tcpd_t xserver_t:unix_stream_socket connectto;
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t config_home_t:file write;
allow xdm_dbusd_t self:process setsched;
allow xdm_dbusd_t telepathy_mission_control_exec_t:file { read open execute_no_trans };
allow xdm_dbusd_t xdm_var_lib_t:dir { write remove_name create add_name };
allow xdm_dbusd_t xdm_var_lib_t:file { rename write getattr read create unlink open };
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SELinux is preventing /usr/bin/bash from execute access on the
file /usr/bin/bash.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that bash should be allowed execute access on the bash
file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context system_u:object_r:shell_exec_t:s0
Target Objects /usr/bin/bash [ file ]
Source x11vnc_sh
Source Path /usr/bin/bash
Port <Unknown>
Host ecafe.hogwarts.local
Source RPM Packages bash-4.2.42-1.fc18.i686
Target RPM Packages bash-4.2.42-1.fc18.i686
Policy RPM selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name ecafe.hogwarts.local
Platform Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count 1
First Seen 2013-01-29 04:34:05 CET
Last Seen 2013-01-29 04:34:05 CET
Local ID 0215ecf1-f067-4475-a2ff-3810697a0c55
Raw Audit Messages
type=AVC msg=audit(1359430445.962:387): avc: denied { execute } for pid=1740 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1359430445.962:387): arch=i386 syscall=execve success=yes exit=0 a0=bfcc93fc a1=bfccb4b4 a2=bfccb4bc a3=bfcc90c0 items=0 ppid=780 pid=1740 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)
Hash: x11vnc_sh,tcpd_t,shell_exec_t,file,execute
audit2allow
#============= tcpd_t ==============
allow tcpd_t shell_exec_t:file execute;
audit2allow -R
#============= tcpd_t ==============
allow tcpd_t shell_exec_t:file execute;
10 years, 4 months
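Question 1 in the post above asks whether anything in the generated mypol.te opens up a large hole. The reviewer below is added here as an example (it is not code from the post, nor from any Fedora or SELinux project): it parses the allow rules of a module, including rules whose brace sets were wrapped over several lines, and flags the patterns a policy reviewer checks first: dangerous capabilities on self, executing shells or generic binaries inside the daemon's own domain rather than through a domain transition, writes to generic shared types, and one source domain touching a very large number of target types (the signature of audit2allow having swallowed a `ps` listing of every domain's /proc entries). The excerpt is constructed from a few of the post's tcpd_t rules; the type and permission lists are the reviewer's own heuristics, not lookups against the loaded policy.

```python
import re
from collections import defaultdict

# Constructed excerpt of an audit2allow-generated module, modelled on a handful
# of the tcpd_t rules in the post above (not the whole file).
SAMPLE_TE = """\
module mypol9 1.0;

require {
    type tcpd_t; type shell_exec_t; type bin_t; type var_log_t;
    type tmpfs_t; type passwd_file_t; type xserver_t;
    class capability { sys_ptrace dac_override };
    class file { read write create open getattr ioctl execute execute_no_trans };
    class dir { write add_name };
    class unix_stream_socket connectto;
}

#============= tcpd_t ==============
allow tcpd_t self:capability { sys_ptrace dac_override };
allow tcpd_t bin_t:file { ioctl execute read open getattr
    execute_no_trans };
allow tcpd_t shell_exec_t:file { read execute open };
allow tcpd_t var_log_t:dir { write add_name };
allow tcpd_t var_log_t:file { write create open };
allow tcpd_t tmpfs_t:file { read write };
allow tcpd_t passwd_file_t:file { read getattr open };
allow tcpd_t xserver_t:unix_stream_socket connectto;
"""

# allow <src> <tgt>:<class> <perm>;  or  allow <src> <tgt>:<class> { perms };
ALLOW_RE = re.compile(
    r"\ballow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<one>[^\s;]+))\s*;"
)

# Reviewer heuristics (constructed lists, not derived from the policy itself).
RISKY_CAPS = {"dac_override", "dac_read_search", "sys_ptrace", "sys_admin",
              "sys_module", "sys_rawio", "setuid", "setgid", "net_admin"}
EXEC_PERMS = {"execute", "execute_no_trans"}
GENERIC_EXEC_TYPES = {"bin_t", "shell_exec_t"}
GENERIC_TYPES = {"var_log_t", "var_t", "var_lib_t", "var_run_t", "etc_t",
                 "tmp_t", "tmpfs_t", "usr_t", "default_t", "file_t"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename",
               "add_name", "remove_name", "setattr"}
MANY_TARGETS = 15


def parse_allow_rules(te_text):
    """Return allow rules as dicts; '#' comments are dropped, braces may span lines."""
    text = re.sub(r"#.*", "", te_text)
    rules = []
    for m in ALLOW_RE.finditer(text):
        perms = m.group("set").split() if m.group("set") is not None else [m.group("one")]
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"),
                      "cls": m.group("cls"), "perms": set(perms)})
    return rules


def review_rules(rules):
    """Return (severity, message) findings, highest severity first."""
    findings = []
    targets = defaultdict(set)
    for r in rules:
        src, tgt, cls, perms = r["src"], r["tgt"], r["cls"], r["perms"]
        targets[src].add(tgt)
        if cls == "capability" and tgt == "self" and perms & RISKY_CAPS:
            findings.append(("high", f"{src} gains capability {sorted(perms & RISKY_CAPS)}: "
                             "these bypass DAC checks or expose other processes"))
        if cls == "file" and tgt in GENERIC_EXEC_TYPES and perms & EXEC_PERMS:
            findings.append(("high", f"{src} executes {tgt} in its own domain: any shell or "
                             "system binary then runs with the daemon's permissions; "
                             "prefer a helper domain reached by a domain transition"))
        if tgt in GENERIC_TYPES and perms & WRITE_PERMS:
            findings.append(("medium", f"{src} writes to generic type {tgt}: declare a "
                             "private type so the daemon cannot touch other services' files"))
    for src, tgts in targets.items():
        if len(tgts) >= MANY_TARGETS:
            findings.append(("medium", f"{src} touches {len(tgts)} target types: usually a "
                             "ps-style read of every domain's /proc entries; check whether "
                             "the command needs that at all"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


def review_module(te_text):
    return review_rules(parse_allow_rules(te_text))


if __name__ == "__main__":
    for severity, message in review_module(SAMPLE_TE):
        print(f"[{severity}] {message}")
```

On the excerpt the reviewer reports three high findings (the capability rule and the two execute rules) and three medium ones (the var_log_t and tmpfs_t writes); on the full module from the post, the breadth check would fire as well, since tcpd_t reaches some fifty target types.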
Re: Backups with rsync totally broken in Fedora 18
by David Highley
"Daniel J Walsh wrote:"
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/22/2013 03:36 PM, David Highley wrote:
> > "Daniel J Walsh wrote:"
> >>
> > On 01/22/2013 12:32 PM, David Highley wrote:
> >>>> "Daniel J Walsh wrote:"
> >>>>>
> >>>> On 01/22/2013 09:39 AM, David Highley wrote:
> >>>>>>> "Daniel J Walsh wrote:"
> >>>>>>>>
> >>>>>>> On 01/21/2013 06:13 PM, David Highley wrote:
> >>>>>>>>>> "Daniel J Walsh wrote:"
> >>>>>>>>>>>
> >>>>>>>>>> On 01/21/2013 12:49 PM, David Highley wrote:
> >>>>>>>>>>>>> "Daniel J Walsh wrote:"
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>> On 01/18/2013 09:29 PM, David Highley wrote:
> >>>>>>>>>>>>>>>> "David Highley wrote:"
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> "Daniel J Walsh wrote:"
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> On 01/18/2013 09:20 AM, David Highley wrote:
> >>>>>>>>>>>>>>>>>>>> Upgraded a test box to Fedora 18 and
> >>>>>>>>>>>>>>>>>>>> have tried to get rsync backups to it
> >>>>>>>>>>>>>>>>>>>> working. Looked at many discussions
> >>>>>>>>>>>>>>>>>>>> about backing up in a selinux
> >>>>>>>>>>>>>>>>>>>> environment and all discussions
> >>>>>>>>>>>>>>>>>>>> seemed to be incomplete.
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> Most indicate you should not keep
> >>>>>>>>>>>>>>>>>>>> selinux labels, but none of those
> >>>>>>>>>>>>>>>>>>>> discussion indicate what options to
> >>>>>>>>>>>>>>>>>>>> change. After working on a thousand
> >>>>>>>>>>>>>>>>>>>> line policy file I'm beginning to
> >>>>>>>>>>>>>>>>>>>> think you just want to completely
> >>>>>>>>>>>>>>>>>>>> turn off any audit of the rsync
> >>>>>>>>>>>>>>>>>>>> domain.
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> Is this how we should approach
> >>>>>>>>>>>>>>>>>>>> backups? If you do not preserve
> >>>>>>>>>>>>>>>>>>>> selinux labels what should the backup
> >>>>>>>>>>>>>>>>>>>> location get labeled to?
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> I'm surprised as long as selinux has
> >>>>>>>>>>>>>>>>>>>> been in use that a template with
> >>>>>>>>>>>>>>>>>>>> details has not been defined for
> >>>>>>>>>>>>>>>>>>>> this. By the way I had just submitted
> >>>>>>>>>>>>>>>>>>>> an enhancement bug report for rsync
> >>>>>>>>>>>>>>>>>>>> with examples of getting it to
> >>>>>>>>>>>>>>>>>>>> function with systemd control. --
> >>>>>>>>>>>>>>>>>>>> selinux mailing list
> >>>>>>>>>>>>>>>>>>>> selinux(a)lists.fedoraproject.org
> >>>>>>>>>>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>
> >>>>>>>>>>>>>>>>>>>>
> >>>>
> >>>>>>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>>>>>
> Does this help?
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> http://danwalsh.livejournal.com/61646.html
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> I had found and read this information,
> >>>>>>>>>>>>>>>>>> but was not sure from it and the other
> >>>>>>>>>>>>>>>>>> discussions that it was the right
> >>>>>>>>>>>>>>>>>> direction and if the right direction that
> >>>>>>>>>>>>>>>>>> it had complete information for doing the
> >>>>>>>>>>>>>>>>>> implementation.
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> Has anyone tried this and has it worked
> >>>>>>>>>>>>>>>>>> out? Do you define the backup area as
> >>>>>>>>>>>>>>>>>> unconfined_u and relabel everything to
> >>>>>>>>>>>>>>>>>> that?
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> OK, making rsync_t and unconfined domain
> >>>>>>>>>>>>>>>>> gets rid of the AVCs. I still have concerns
> >>>>>>>>>>>>>>>>> that it is just opening up a bad hole in
> >>>>>>>>>>>>>>>>> the system. Is there a way of scoping it to
> >>>>>>>>>>>>>>>>> only the back up area and or maybe forcing
> >>>>>>>>>>>>>>>>> what ever is copied to a benign state by
> >>>>>>>>>>>>>>>>> labeling it to something safe?
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> -- selinux mailing list
> >>>>>>>>>>>>>>>>> selinux(a)lists.fedoraproject.org
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>
> >>>>
> >>>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>>
> - -- selinux mailing list selinux(a)lists.fedoraproject.org
> >>>>>>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>
> Well rsync_t policy is for running rsync as a daemon not as a
> >>>>>>>>>>>>> client.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> /usr/lib/systemd/system/rsyncd.service
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I just checked a fix into the policy so that only
> >>>>>>>>>>>>> rsyncd when run as a service will transition to
> >>>>>>>>>>>>> rsync_t. But if you run it from a script or an
> >>>>>>>>>>>>> application running as initrc_t, it will stay as
> >>>>>>>>>>>>> the current domain.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Thanks, will check again when it is available. We
> >>>>>>>>>>>>>> are using rsync as daemon spawned by systemd.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> If you are only running rsync as a client, adding
> >>>>>>>>>>>>> unconfined_domain(rsync_t) will not give it more
> >>>>>>>>>>>>> privs than initrc_t already has.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Ok then that is different, what is broken for you?
> >>>>>>>>>> Without the unconfined_domain(rsync_t)?
> >>>>>>>>>>
> >>>>>>>>>> Sorry for the confusion.
> >>>>>>>>>>
> >>>>>>>>>>> OK, maybe the issue of confusion is what is the client
> >>>>>>>>>>> and what is the server in the process. We have systems
> >>>>>>>>>>> that we back up to, servers. They run rsyncd via
> >>>>>>>>>>> systemd port activation requests. We have clients that
> >>>>>>>>>>> run cron jobs to push back ups to one or more backup
> >>>>>>>>>>> systems.
> >>>>>>>>>>
> >>>>>>>>>>> What we see with Fedora 18 selinux on the backup
> >>>>>>>>>>> servers block everything. When I mean everything it
> >>>>>>>>>>> seems to block almost all operations from getattr to
> >>>>>>>>>>> relabel to unlink, name it, it is blocked.
> >>>>>>>>>>
> >>>>>>>>>>> This pretty much just worked for Fedora 16 and 17.
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>> -- selinux mailing list selinux(a)lists.fedoraproject.org
> >>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>>>>
> >>>>>>> Could you send me a compressed audit.log?
> >>>>>>>
> >>>>>>>> Attached bzip2 file.
> >>>>>>>
> >>>>>>>>
> >>>>
> >>>> This looks like you are having your rsync server accepts files from
> >>>> a remote machine and then writing them to anywhere on the local
> >>>> machine. Meaning you really need to have rules like:
> >>>>
> >>>>> Not really, the rsync configuration file defines where the back ups
> >>>>> go by system all under one directory. So one of my previous
> >>>>> questions was can we identify that area to selinux? Should we
> >>>>> relabel the back up area? If we define it some how then we assume a
> >>>>> complete relabel of the storage would do the right thing.
> >>>>
> >>>>
> >>>>
> >>>> allow rsync_t file_type:file create_file_perms;
> >>>>
> >>>> Or a boolean like ftp_full_access
> >>>>
> >>>> tunable_policy(`ftpd_full_access',` allow ftpd_t self:capability {
> >>>> dac_override dac_read_search };
> >>>> files_manage_non_security_files(ftpd_t) ')
> >>>>
> >>>> For rsync.
> >>>>>
> >
> > I thought the way you were supposed to use rsync was to pick a subdir
> > where rsync would write its data to, and then label this rsync_data_t. But
> > in your case it looks like the rsync server is trying to maintain the
> > labels that it gets from the remote end? If it is not actually trying to
> > overwrite local labels.
> >
> >> Ah, the answer I have been trying to get to. The policies expect the back
> >> up area to be labeled rsync_data_t. So the fix is not to preserve labels
> >> and to define to selinux the back up area by labeling it to rsync_data_t.
> >> That should do it. In all the researching I never found or remember
> >> seeing that the back up area should be labeled rsync_data_t. Thanks
> >
> >>
>
> man rsync_selinux
> ...
> rsync_data_t
>
> - Set files with the rsync_data_t type, if you want to treat the files
> as rsync content.
Egg on face, somehow missed that information. Now if there were a
better/faster way of relabeling the back up area. Still experimenting
with rsync options as the man pages give no direct reference to selinux
and the internet information indicates removing the -X option but were
not sure that is enough. Thanks Dan for the help and support.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlD++NUACgkQrlYvE4MpobMOYQCg5+fbjD1VU8GfIPh3rBHcf1RS
> gJ0AoKeT/BPPIiMwt8B2xv43+B91wg/K
> =xu4O
> -----END PGP SIGNATURE-----
>
10 years, 4 months
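The thread above ends with two practical points: label the backup area rsync_data_t, and stop preserving the source hosts' labels (rsync -X carries the security.selinux xattr, and so the label, along with the other extended attributes). The simulation below is added here as an example (it is not code from the thread, nor from libselinux or policycoreutils) to show what that means on disk. It evaluates file_contexts-style specs against a constructed inventory of files that still wear their source labels, and lists what `restorecon -nv` would report after `semanage fcontext -a -t rsync_data_t "/srv/backup(/.*)?"`. Paths, labels and specs are constructed; the matching uses the last-matching-entry rule of libselinux's file backend but leaves out the stem sorting and the separate file_contexts.local handling of the real tools.

```python
import re

# Constructed file_contexts-style specs: "regex  [file type]  context".  Source
# policy writes the context with gen_context(); here it is already expanded.
# The last line is what `semanage fcontext -a -t rsync_data_t "/srv/backup(/.*)?"`
# adds (to file_contexts.local on a real system).
FCONTEXT_SPECS = """\
/.*                     system_u:object_r:default_t:s0
/etc(/.*)?              system_u:object_r:etc_t:s0
/home(/.*)?             system_u:object_r:user_home_t:s0
/var/log(/.*)?          system_u:object_r:var_log_t:s0
/srv(/.*)?              system_u:object_r:var_t:s0
/srv/backup(/.*)?       system_u:object_r:rsync_data_t:s0
"""

# Constructed inventory of the backup server after an `rsync -X` run: the copied
# files still carry the labels they had on the source host.
CURRENT_LABELS = {
    "/srv/backup": "system_u:object_r:var_t:s0",
    "/srv/backup/host1/etc/shadow": "system_u:object_r:shadow_t:s0",
    "/srv/backup/host1/home/alice/notes.txt": "unconfined_u:object_r:user_home_t:s0",
    "/srv/backup/host1/var/log/messages": "system_u:object_r:var_log_t:s0",
    "/srv/other/README": "system_u:object_r:var_t:s0",
}


def parse_specs(text):
    """Compile specs; libselinux anchors each regex to the whole path."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, _ftype, context = parts  # the file-type field (--, -d, ...) is ignored here
        elif len(parts) == 2:
            regex, context = parts
        else:
            raise ValueError(f"bad spec line: {line!r}")
        specs.append((re.compile("^" + regex + "$"), context))
    return specs


def match_context(specs, path):
    """Default context for path: the last matching spec wins, as in libselinux."""
    for regex, context in reversed(specs):
        if regex.match(path):
            return context
    return None


def type_of(context):
    return context.split(":")[2]


def restorecon_plan(specs, labels):
    """What `restorecon -nv` would print: (path, current type, expected type).

    Like restorecon without -F, only the type field is compared; the SELinux
    user of a copied file (unconfined_u above) would be left in place.
    """
    plan = []
    for path in sorted(labels):
        expected = match_context(specs, path)
        if expected is not None and type_of(expected) != type_of(labels[path]):
            plan.append((path, type_of(labels[path]), type_of(expected)))
    return plan


if __name__ == "__main__":
    specs = parse_specs(FCONTEXT_SPECS)
    for path, old, new in restorecon_plan(specs, CURRENT_LABELS):
        print(f"relabel {path} {old} -> {new}")
```

The copied /etc/shadow is the case worth noticing: with labels preserved it sits on the backup server as shadow_t, which the rsync daemon's policy has no business managing; once the area is labelled rsync_data_t everything under it gets one type that the rsync_t domain is allowed to create, read and unlink, and nothing outside it does.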
Allowing CUPS to use http ports 80 and 443
by Steve Wilson
I'm migrating a CUPS print server from Ubuntu to RHEL6. Previously I
had CUPS configured to listen on port 80, 443 and 631. Now SELinux is
preventing CUPS from binding to ports 80 and 443. What would be the
recommended way to permit this in SELinux?
Thanks!
Steve
10 years, 4 months
Bug, or already fixed?
by mark
Trying to setsebool -P use_nfs_home_dirs 1
FC 17
3.6.11-5.fc17.x86_64
selinux-policy-3.10.0-166.fc17.noarch
selinux-policy-targeted-3.10.0-166.fc17.noarch
selinux-policy-devel-3.10.0-166.fc17.noarch
selinux-policy-doc-3.10.0-166.fc17.noarch
and my results are:
$ setsebool -P use_nfs_home_dirs 1
libsepol.scope_copy_callback: entropyd: Duplicate declaration in module:
type/attribute entropyd_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
Could not change policy booleans
mark
10 years, 4 months
segatex-7.850 released!
by Shintaro Fujiwara
segatex-7.850 released!
Fixed Refpolicy Analyzer.
It's fun to break down .te or .if files just by pushing a button and to see
the .te_raw or .if_raw files in a file manager.
Have fun with segatex.
You will find the SELinux world productive and rewarding.
http://sourceforge.net/projects/segatex/?source=navbar
I have fixed the refpolicy analyzer, but it's not complete yet, so I will
fix it in the near future.
///////////////////////////////////////////////////////////////////////////////////////
segatex is a SELinux third-party GUI tool.
See the Tresys page here.
http://userspace.selinuxproject.org/trac/wiki/SelinuxTools
///////////////////////////////////////////////////////////////////////////////////////
segatex means
se --- SELinux
gate --- let's open the gate to
x --- with GUI
Let's open the gate to SELinux with GUI
10 years, 4 months
semanage inconsistency
by Dominick Grift
I was able to remove a user mapping while there was a login mapping to
that user.
That caused issues because I later was not able to remove the login
mapping, because the seuser did not exist.
I eventually had to manually edit the various seuser files
in /etc/selinux && semodule -B to undo the mess.
Also on a somewhat unrelated note:
if you add a user with useradd -Z and then later delete the user then
the mapping is still left behind without any warnings
10 years, 4 months
Creating new roles
by richard -rw- weinberger
Hi!
What is the preferred way to create new roles?
I'd like to create a role like sysadm_r but with less rights.
Do I have to patch the selinux-policy rpm?
Is it defined somewhere (in written text) what exactly the current roles
are allowed to do?
E.g. user_u seems unable to see system processes. Where can I read
more about such limitations?
--
Thanks,
//richard
10 years, 4 months
Re: Backups with rsync totally broken in Fedora 18
by David Highley
"Daniel J Walsh wrote:"
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/22/2013 03:36 PM, David Highley wrote:
> > "Daniel J Walsh wrote:"
> >>
> > On 01/22/2013 12:32 PM, David Highley wrote:
> >>>> "Daniel J Walsh wrote:"
> >>>>>
> >>>> On 01/22/2013 09:39 AM, David Highley wrote:
> >>>>>>> "Daniel J Walsh wrote:"
> >>>>>>>>
> >>>>>>> On 01/21/2013 06:13 PM, David Highley wrote:
> >>>>>>>>>> "Daniel J Walsh wrote:"
> >>>>>>>>>>>
> >>>>>>>>>> On 01/21/2013 12:49 PM, David Highley wrote:
> >>>>>>>>>>>>> "Daniel J Walsh wrote:"
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>> On 01/18/2013 09:29 PM, David Highley wrote:
> >>>>>>>>>>>>>>>> "David Highley wrote:"
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> "Daniel J Walsh wrote:"
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> On 01/18/2013 09:20 AM, David Highley wrote:
> >>>>>>>>>>>>>>>>>>>> Upgraded a test box to Fedora 18 and
> >>>>>>>>>>>>>>>>>>>> have tried to get rsync backups to it
> >>>>>>>>>>>>>>>>>>>> working. Looked at many discussions
> >>>>>>>>>>>>>>>>>>>> about backing up in a selinux
> >>>>>>>>>>>>>>>>>>>> environment and all discussions
> >>>>>>>>>>>>>>>>>>>> seemed to be incomplete.
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> Most indicate you should not keep
> >>>>>>>>>>>>>>>>>>>> selinux labels, but none of those
> >>>>>>>>>>>>>>>>>>>> discussion indicate what options to
> >>>>>>>>>>>>>>>>>>>> change. After working on a thousand
> >>>>>>>>>>>>>>>>>>>> line policy file I'm beginning to
> >>>>>>>>>>>>>>>>>>>> think you just want to completely
> >>>>>>>>>>>>>>>>>>>> turn off any audit of the rsync
> >>>>>>>>>>>>>>>>>>>> domain.
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> Is this how we should approach
> >>>>>>>>>>>>>>>>>>>> backups? If you do not preserve
> >>>>>>>>>>>>>>>>>>>> selinux labels what should the backup
> >>>>>>>>>>>>>>>>>>>> location get labeled to?
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> I'm surprised as long as selinux has
> >>>>>>>>>>>>>>>>>>>> been in use that a template with
> >>>>>>>>>>>>>>>>>>>> details has not been defined for
> >>>>>>>>>>>>>>>>>>>> this. By the way I had just submitted
> >>>>>>>>>>>>>>>>>>>> an enhancement bug report for rsync
> >>>>>>>>>>>>>>>>>>>> with examples of getting it to
> >>>>>>>>>>>>>>>>>>>> function with systemd control. --
> >>>>>>>>>>>>>>>>>>>> selinux mailing list
> >>>>>>>>>>>>>>>>>>>> selinux(a)lists.fedoraproject.org
> >>>>>>>>>>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>
> >>>>>>>>>>>>>>>>>>>>
> >>>>
> >>>>>>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>>>>>
> Does this help?
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> http://danwalsh.livejournal.com/61646.html
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> I had found and read this information,
> >>>>>>>>>>>>>>>>>> but was not sure from it and the other
> >>>>>>>>>>>>>>>>>> discussions that it was the right
> >>>>>>>>>>>>>>>>>> direction and if the right direction that
> >>>>>>>>>>>>>>>>>> it had complete information for doing the
> >>>>>>>>>>>>>>>>>> implementation.
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> Has anyone tried this and has it worked
> >>>>>>>>>>>>>>>>>> out? Do you define the backup area as
> >>>>>>>>>>>>>>>>>> unconfined_u and relabel everything to
> >>>>>>>>>>>>>>>>>> that?
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> OK, making rsync_t and unconfined domain
> >>>>>>>>>>>>>>>>> gets rid of the AVCs. I still have concerns
> >>>>>>>>>>>>>>>>> that it is just opening up a bad whole in
> >>>>>>>>>>>>>>>>> the system. Is there a way of scoping it to
> >>>>>>>>>>>>>>>>> only the back up area and or maybe forcing
> >>>>>>>>>>>>>>>>> what ever is copied to a benign state by
> >>>>>>>>>>>>>>>>> labeling it to something safe?
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>> Well, rsync_t policy is for running rsync as a daemon, not as a
> >>>>>>>>>>>>> client.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> /usr/lib/systemd/system/rsyncd.service
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I just checked a fix into the policy so that only
> >>>>>>>>>>>>> rsyncd when run as a service will transition to
> >>>>>>>>>>>>> rsync_t. But if you run it from a script or an
> >>>>>>>>>>>>> application running as initrc_t, it will stay in
> >>>>>>>>>>>>> the current domain.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Thanks, will check again when it is available. We
> >>>>>>>>>>>>>> are using rsync as a daemon spawned by systemd.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> If you are only running rsync as a client, adding
> >>>>>>>>>>>>> unconfined_domain(rsync_t) will not give it more
> >>>>>>>>>>>>> privs than initrc_t already has.
> >>>>>>>>>>
> >>>>>>>>>> Ok then that is different, what is broken for you?
> >>>>>>>>>> Without the unconfined_domain(rsync_t)?
> >>>>>>>>>>
> >>>>>>>>>> Sorry for the confusion.
> >>>>>>>>>>
> >>>>>>>>>>> OK, maybe the issue of confusion is what is the client
> >>>>>>>>>>> and what is the server in the process. We have systems
> >>>>>>>>>>> that we back up to, servers. They run rsyncd via
> >>>>>>>>>>> systemd port activation requests. We have clients that
> >>>>>>>>>>> run cron jobs to push back ups to one or more backup
> >>>>>>>>>>> systems.
> >>>>>>>>>>
> >>>>>>>>>>> What we see with Fedora 18 SELinux on the backup
> >>>>>>>>>>> servers is that it blocks everything. When I say everything, it
> >>>>>>>>>>> seems to block almost all operations, from getattr to
> >>>>>>>>>>> relabel to unlink; name it, it is blocked.
> >>>>>>>>>>
> >>>>>>>>>>> This pretty much just worked for Fedora 16 and 17.
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>> Could you send me a compresses audit.log?
> >>>>>>>
> >>>>>>>> Attached bzip2 file.
> >>>>>>>
> >>>>>>>>
> >>>>
> >>>> This looks like you are having your rsync server accept files from
> >>>> a remote machine and then write them to anywhere on the local
> >>>> machine. Meaning you really need to have rules like:
> >>>>
> >>>>> Not really, the rsync configuration file defines where the backups
> >>>>> go by system, all under one directory. So one of my previous
> >>>>> questions was: can we identify that area to SELinux? Should we
> >>>>> relabel the backup area? If we define it somehow then we assume a
> >>>>> complete relabel of the storage would do the right thing.
> >>>>
> >>>> allow rsync_t file_type:file create_file_perms;
> >>>>
> >>>> Or a boolean like ftp_full_access
> >>>>
> >>>> tunable_policy(`ftpd_full_access',`
> >>>>     allow ftpd_t self:capability { dac_override dac_read_search };
> >>>>     files_manage_non_security_files(ftpd_t)
> >>>> ')
> >>>>
> >>>> For rsync.
> >>>>>
> >
> > I thought the way you were supposed to use rsync was to pick a subdir
> > where rsync would write its data to, and then label this rsync_data_t. But
> > in your case it looks like the rsync server is trying to maintain the
> > labels that it gets from the remote end? If it is not actually trying to
> > overwrite local labels.
> >
> >> Ah, the answer I have been trying to get to. The policies expect the backup
> >> area to be labeled rsync_data_t. So the fix is not to preserve labels
> >> and to define the backup area to SELinux by labeling it rsync_data_t.
> >> That should do it. In all the researching I never found or remember
> >> seeing that the backup area should be labeled rsync_data_t. Thanks
> >
> >>
>
> man rsync_selinux
> ...
> rsync_data_t
>
> - Set files with the rsync_data_t type, if you want to treat the files
> as rsync content.
Egg on face, missed that information somehow. Thanks Dan. Now if there
were just a better/faster way to change the labels to rsync_data_t.
Still experimenting on rsync options to not preserve labels. There seems
to be no direct documentation on this. Many references on the internet
indicate to remove the -X option, but that does not so far seem to be
the complete answer.
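The labeling step the thread converges on, as an added example that is not code from the thread or from the rsync policy: it records a persistent file-context rule for the backup root, relabels the tree, and audits an `ls -Z` listing for entries that still carry some other type. The backup root /srv/backup, the module name `backups` and the host directory names are hypothetical; the `ls -Z` line format ("context name") is the GNU coreutils one. `semanage fcontext` writes the rule to file_contexts.local, so a later full relabel keeps it, which a bare `chcon` would not survive. The client-side push deliberately omits `-X`: with `-X` rsync tries to replay the sender's security.selinux xattr on the server, while without it newly created files take the type of their parent directory by default, i.e. rsync_data_t once the tree is labeled.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the backup area is
# /srv/backup (hypothetical path), semanage/restorecon come from
# policycoreutils, and `ls -Z` prints "context name", one entry per line.

BACKUP_ROOT="${BACKUP_ROOT:-/srv/backup}"

# Print the persistent file-context rule for a backup root. The "(/.*)?"
# suffix matches the directory itself and everything below it; semanage
# records it in file_contexts.local so a full relabel keeps it (a chcon
# alone would be undone by the next restorecon).
fcontext_rule() {
    printf 'semanage fcontext -a -t rsync_data_t "%s(/.*)?"\n' "$1"
}

# Apply the rule and relabel the tree. Needs root on an SELinux-enabled host.
label_backup_area() {
    semanage fcontext -a -t rsync_data_t "$1(/.*)?" && restorecon -Rv "$1"
}

# Audit helper: read `ls -Z`-style lines ("context name") on stdin and print
# the names whose type component is not rsync_data_t. Pure shell, so it can
# be run offline against a saved listing (names containing spaces are kept
# whole because `read` assigns the remainder of the line to $name).
mislabeled_paths() {
    while read -r ctx name; do
        case "$ctx" in
            *:rsync_data_t:*|*:rsync_data_t) ;;   # correctly labeled
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Client-side push (e.g. from a cron job) without -X, so the sender's
# security.selinux xattr is not replayed on the server and new files pick up
# rsync_data_t from their parent directory by default:
#   rsync -aH --delete /data/ backup-server::backups/host1/

# Stand-alone run: show the rule, then audit a constructed listing
# (sample lines made up for this example).
fcontext_rule "$BACKUP_ROOT"
printf '%s\n' \
    'system_u:object_r:rsync_data_t:s0 host1' \
    'unconfined_u:object_r:user_home_t:s0 stray.tar' \
    | mislabeled_paths
```

Run the audit against the real tree with `ls -Z "$BACKUP_ROOT" | mislabeled_paths` after `restorecon`; anything it prints is either a file created before the rule existed or one written with its label preserved, and `restorecon -Rv` on that path fixes both.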