iptables denied read to inotifyfs
by Kristen
I am finding after a reboot of my server these AVC denials:
type=AVC msg=audit(1356666298.031:40): avc: denied { read } for
pid=2837 comm="iptables" path="inotify" dev=inotifyfs ino=337
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
Installed is:
selinux-policy-2.4.6-327.el5
on a CentOS 5.5 build with kernel 2.6.18-308.24.1.el5
Should this be allowed?
Kristen
zoneminder & nfs
by mark
Has there been some change in policy? I've got a box that's running fc17,
updated fully, and it's spitting avc's when motion is creating files and
links on an nfs-mounted directory.
Running audit2allow gets me:
#============= zoneminder_t ==============
allow zoneminder_t nfs_t:lnk_file create;
I'd rather not install that if something happened, and a bug crept into
the current policy....
mark
AVC for df from logwatch
by SternData
This has appeared the past two mornings. The initial triggering event
was probably the last kernel update:
Dec 16 08:59:09 Installed: kernel-3.6.10-2.fc17.x86_64
**********************************
SELinux is preventing /usr/bin/df from getattr access on the directory
/sys/kernel/config.
***** Plugin restorecon (99.5 confidence) suggests
*************************
If you want to fix the label.
/sys/kernel/config default label should be sysfs_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /sys/kernel/config
***** Plugin catchall (1.49 confidence) suggests
***************************
If you believe that df should be allowed getattr access on the config
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep df /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context system_u:object_r:configfs_t:s0
Target Objects /sys/kernel/config [ dir ]
Source df
Source Path /usr/bin/df
Port <Unknown>
Host sds-desk-2.sterndata.local
Source RPM Packages coreutils-8.15-9.fc17.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-161.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name sds-desk-2.sterndata.local
Platform Linux sds-desk-2.sterndata.local 3.6.10-2.fc17.x86_64 #1 SMP Tue Dec 11 18:07:34 UTC 2012 x86_64 x86_64
Alert Count 1
First Seen 2012-12-18 03:33:03 CST
Last Seen 2012-12-18 03:33:03 CST
Local ID 9f9df328-2e36-4b38-8e5b-ec1ee816c1e1
Raw Audit Messages
type=AVC msg=audit(1355823183.154:493): avc: denied { getattr } for
pid=31684 comm="df" path="/sys/kernel/config" dev="configfs" ino=9139
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1355823183.154:493): arch=x86_64 syscall=stat
success=yes exit=0 a0=1078340 a1=7ffff0c48b90 a2=7ffff0c48b90
a3=3eb5b2f360 items=0 ppid=31683 pid=31684 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=54 comm=df
exe=/usr/bin/df subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
Hash: df,logwatch_t,configfs_t,dir,getattr
audit2allow
#============= logwatch_t ==============
allow logwatch_t configfs_t:dir getattr;
audit2allow -R
#============= logwatch_t ==============
allow logwatch_t configfs_t:dir getattr;
-- Steve
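The three posts above (iptables on inotifyfs, zoneminder on nfs, df from logwatch on configfs) all end at the same point: an AVC record and the allow rule audit2allow derives from it. The script below is an added example, not code from any of the posts or from the SELinux tools themselves; it re-derives that rule from raw AVC records with plain POSIX sh and awk (so it can be checked without a SELinux host), then wraps the rules in a module source with the gen_require block the devel Makefile needs. The input is the two records posted above plus one record constructed to match the zoneminder/nfs rule mark's audit2allow printed; the module name mypol is the one sealert suggested.

```shell
#!/bin/sh
# Added example (not from the list posts): derive the allow rule audit2allow
# would print from raw AVC records, then wrap the rules in a local policy
# module source. POSIX sh + awk only.

# avc_to_allow: read audit records on stdin (records may be wrapped over
# several lines, as they are when pasted into mail) and print one
#   allow <source type> <target type>:<class> { <perms> };
# line per AVC denial. Non-AVC records (SYSCALL, ...) are skipped.
avc_to_allow() {
    awk '
    function flush(    perms, s, t, c, n, f, i, eq, k, v, sp, tp) {
        if (rec == "") return
        perms = ""; s = ""; t = ""; c = ""
        # "denied { read write }" -> "read write"
        if (match(rec, /denied [{][^}]*[}]/)) {
            perms = substr(rec, RSTART + 8, RLENGTH - 9)
            gsub(/^ +| +$/, "", perms)
        }
        n = split(rec, f, " ")
        for (i = 1; i <= n; i++) {
            eq = index(f[i], "=")
            if (eq == 0) continue
            k = substr(f[i], 1, eq - 1); v = substr(f[i], eq + 1)
            if (k == "scontext") s = v
            else if (k == "tcontext") t = v
            else if (k == "tclass") c = v
        }
        if (s != "" && t != "" && c != "" && perms != "") {
            # user:role:type[:range] -> the type is the third field
            split(s, sp, ":"); split(t, tp, ":")
            printf "allow %s %s:%s { %s };\n", sp[3], tp[3], c, perms
        }
        rec = ""
    }
    /^type=AVC/ { flush(); rec = $0; next }   # start of an AVC record
    /^type=/    { flush(); next }             # some other audit record
    rec != ""   { rec = rec " " $0 }          # continuation of a wrapped AVC
    END         { flush() }'
}

# make_te NAME: wrap allow rules from stdin in a policy module source
# with a gen_require block for every type the rules mention.
make_te() {
    rules=$(cat)
    types=$(printf '%s\n' "$rules" |
        awk '$1 == "allow" { sub(/:.*/, "", $3); print $2; print $3 }' | sort -u)
    printf 'policy_module(%s, 1.0.0)\n\ngen_require(`\n' "$1"
    for t in $types; do printf '\ttype %s;\n' "$t"; done
    printf "')\n\n%s\n" "$rules"
}

# Sample input: the iptables/inotifyfs and df/configfs records posted above
# (with the SYSCALL record that follows the latter), plus one record
# constructed to match the zoneminder/nfs rule mark's audit2allow printed.
SAMPLE_AVC='type=AVC msg=audit(1356666298.031:40): avc: denied { read } for
pid=2837 comm="iptables" path="inotify" dev=inotifyfs ino=337
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=AVC msg=audit(1355000000.000:1): avc: denied { create } for
pid=1234 comm="zoneminder" name="constructed-link"
scontext=system_u:system_r:zoneminder_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file
type=AVC msg=audit(1355823183.154:493): avc: denied { getattr } for
pid=31684 comm="df" path="/sys/kernel/config" dev="configfs" ino=9139
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1355823183.154:493): arch=x86_64 syscall=stat
success=yes exit=0 ppid=31683 pid=31684 auid=0 uid=0 comm=df exe=/usr/bin/df'

rules_from_sample() { printf '%s\n' "$SAMPLE_AVC" | avc_to_allow; }

# Stand-alone usage: print the rules, then the module source. On a host
# with selinux-policy-devel the source would then be built and loaded with
#   make -f /usr/share/selinux/devel/Makefile mypol.pp && semodule -i mypol.pp
rules_from_sample
rules_from_sample | make_te mypol
```

The rule this prints is what audit2allow would load, not a verdict that it should be loaded; that is the question each poster is actually asking. A quick way to tell a label problem from a policy gap is to compare `matchpathcon <path>` with `ls -Zd <path>`: if they disagree, restorecon is the fix. In the df case they cannot be reconciled that way, because /sys/kernel/config is the configfs mount itself, labelled configfs_t by the policy's filesystem rules rather than by a file_contexts entry, so the restorecon plugin's 99.5-confidence suggestion does nothing and the real choice is the catchall plugin's: allow logwatch_t getattr on configfs_t locally, or report the missing rule as a policy bug.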
Re: apcupsd
by Dominick Grift
On Tue, 2012-12-18 at 17:17 +0000, Moray Henderson wrote:
> > -----Original Message-----
> > From: grift [mailto:dominick.grift@gmail.com]
> > Sent: 18 December 2012 17:01
> >
> > On Tue, 2012-12-18 at 17:49 +0100, grift wrote:
> > > On Tue, 2012-12-18 at 16:37 +0000, Moray Henderson wrote:
> > > > Hi SELinux
> >
> > >
> > > mkdir myapcupsd; cd myapcupsd
> > > echo "policy_module(myapcupsd, 1.0.0)
> > > gen_require(\` type apcupsd_t; ')
> > > corenet_udp_bind_generic_node(apcupsd_t)
> > > corenet_udp_bind_snmp_port(apcupsd_t)
> > > allow apcupsd_t self:capability net_bind_service;" > myapcupsd.te
> > >
> > > make -f /usr/share/selinux/devel/Makefile myapcupsd.pp
> > > sudo semodule -i myapcupsd.pp
> > >
> > > consider filing a bugzilla please
> >
> > I am adding this upstream (should eventually trickle down):
> >
> > > From 87e5d6d571cb82c3a96159041962c2a9378bc023 Tue, 18 Dec 2012
> > > 17:59:34 +0100
> > > From: Dominick Grift <dominick.grift(a)gmail.com>
> > > Date: Tue, 18 Dec 2012 17:59:18 +0100
> > > Subject: [PATCH] Changes to the apcupsd policy module
> > >
> > >
> > > Support apcupsd configured for snmp
> > >
> > > Signed-off-by: Dominick Grift <dominick.grift(a)gmail.com> diff --git
> > > a/apcupsd.te b/apcupsd.te index ceb368d..9cd93c5 100644
> > > --- a/apcupsd.te
> > > +++ b/apcupsd.te
> > > @@ -1,4 +1,4 @@
> > > -policy_module(apcupsd, 1.8.3)
> > > +policy_module(apcupsd, 1.8.4)
> > >
> > > ########################################
> > > #
> > > @@ -29,7 +29,7 @@
> > > # Local policy
> > > #
> > >
> > > -allow apcupsd_t self:capability { dac_override setgid sys_tty_config
> > > };
> > > +allow apcupsd_t self:capability { dac_override setgid sys_tty_config
> > > +net_bind_service };
> > > allow apcupsd_t self:process signal;
> > > allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t
> > > self:unix_stream_socket create_stream_socket_perms; @@ -58,13 +58,20
> > > @@
> > > corenet_all_recvfrom_netlabel(apcupsd_t)
> > > corenet_tcp_sendrecv_generic_if(apcupsd_t)
> > > corenet_tcp_sendrecv_generic_node(apcupsd_t)
> > > -corenet_tcp_sendrecv_all_ports(apcupsd_t)
> > > corenet_tcp_bind_generic_node(apcupsd_t)
> > > +corenet_udp_sendrecv_generic_if(apcupsd_t)
> > > +corenet_udp_sendrecv_generic_node(apcupsd_t)
> > > +corenet_udp_bind_generic_node(apcupsd_t)
> > >
> > > corenet_tcp_bind_apcupsd_port(apcupsd_t)
> > > corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
> > > +corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
> > > corenet_tcp_connect_apcupsd_port(apcupsd_t)
> > >
> > > +corenet_udp_bind_snmp_port(apcupsd_t)
> > > +corenet_sendrecv_snmp_server_packets(apcupsd_t)
> > > +corenet_udp_sendrecv_snmp_port(apcupsd_t)
> > > +
> > > dev_rw_generic_usb_dev(apcupsd_t)
> > >
> > > files_read_etc_files(apcupsd_t)
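Review bot: the `+net_bind_service` added to the `allow apcupsd_t self:capability { dac_override setgid sys_tty_config ... }` line in the local-policy hunk is redundant. As pointed out later in this thread, `corenet_udp_bind_snmp_port` already grants the net_bind_service capability, so the explicit addition to the capability set can be dropped; keeping only the interface call leaves the reason for the capability visible in one place.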
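Review bot: the removal of `-corenet_tcp_sendrecv_all_ports(apcupsd_t)` in favour of `+corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)` in the corenet hunk is a tightening that the commit message ("Support apcupsd configured for snmp") does not mention. Call it out in the message, and confirm apcupsd has no other TCP peers before dropping the all-ports rule, since after this change TCP send/receive on any port other than the apcupsd port is no longer allowed by this module. The SNMP additions themselves (`corenet_udp_bind_snmp_port`, `corenet_sendrecv_snmp_server_packets`, `corenet_udp_sendrecv_snmp_port`) are consistent with the generic udp sendrecv/bind lines added above them.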
>
> Excellent - thanks. It looks as if corenet_udp_bind_snmp_port already allows the capability net_bind_service. Do you still want an RHEL 6 bug logged?
nice catch on the net_bind_service :)
Welp, that is up to you. Not sure how soon this fix would end up in el6
though.. but then again, reporting it could not hurt.. or could it?
>
> Moray.
> “To err is human; to purr, feline.”