Question about "class context contains;"
by Maurizio Pagani
Hi everybody,
Does anyone know the "class context"? I did not find anything about it in my
book, SELinux By Example.
Is there some documentation about this class?
Thanks in advance,
Best Regards,
Maurizio Pagani
10 years, 7 months
*Urgent* selinux : could not connect session bus, selinux policy perevents this
by Rahul Khali
Hi,
I am using RHEL 6.0.
As a beginner I picked dummy policies in
linux-2.6.32-71.el6/scripts/selinux/.
This is a monolithic policy.
After setting everything up, I rebooted the machine. It did all the
relabeling.
In permissive mode I looked at the audit logs and found these messages:
type=USER_AVC msg=audit(1360672844.901:8): user pid=1658 uid=81
auid=4294967295 ses=4294967295 subj=admin_u:admin_r:base_t msg='avc:
denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus
member=Hello dest=org.freedesktop.DBus spid=1
scontext=admin_u:admin_r:base_t tcontext=admin_u:admin_r:base_t
tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1360672844.903:9): user pid=1658 uid=81
auid=4294967295 ses=4294967295 subj=admin_u:admin_r:base_t msg='avc:
denied { acquire_svc } for service=com.ubuntu.Upstart spid=1
scontext=admin_u:admin_r:base_t tcontext=admin_u:admin_r:base_t
tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Then I used audit2allow and it suggested:
allow base_t self:dbus acquire_svc
allow base_t self:dbus send_msg
I added these to policy.conf and recreated policy.24 using checkpolicy.
There was no dbus class defined in policy.conf, so I declared it:
class dbus
{
	acquire_svc
	send_msg
}
I rebooted the machine in enforcing mode.
And I could not log in at init 5 (I was able to log in at init 3).
I saw the following message:
"Could not connect to session bus: An SELinux policy prevents this sender
from sending this message to this recipient (rejected message had sender
"(unset)" interface "org.freedesktop.DBus" member "Hello" error
name "(unset)" destination "org.freedesktop.DBus")"
Then I went back into permissive mode, looked at audit.log and found
the above messages again.
Can someone please help with this?
--
------------------
with regards
Rahul Khali
10 years, 7 months
Email notifications of access denials on Fedora 18
by Jamie Nguyen
Hi,
All you had to do on RHEL 6 was "chkconfig messagebus on", but I'm not
sure how to enable setroubleshoot email notifications on Fedora 18.
"systemctl enable messagebus.service" doesn't work. I've found this dbus
service but I'm not sure how to enable it:
/usr/share/dbus-1/system-services/org.fedoraproject.Setroubleshootd.service
Any advice?
Kind regards,
--
Jamie Nguyen
10 years, 7 months
Difference between users getting selinux status info between Fedora 18 and RHEL6
by Dominick Grift
I've recently written a blog post about creating a restricted OpenSSH
login user with raw rules:
https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-wit...
It works really well in Fedora 18. I am able to prevent the user from
getting any information about selinux. For example:
[myrole@virt ~]$ id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
[myrole@virt ~]$ sestatus
SELinux status: disabled
[myrole@virt ~]$ getenforce
Disabled
However, this does not work in RHEL6 like it does in Fedora 18.
In Fedora 18 it's probably blocked by disallowing the user to get
attributes of its own process (?)
However, it seems that in RHEL6 it gets much of this information by
reading the user process state files instead?
Is some difference in behaviour in libselinux or some other SELinux lib
responsible for this?
10 years, 7 months
Preventing getting SELinux status information in RHEL 6.x
by Maurizio Pagani
Good Morning everybody,
This is my first question on this mailing-list.
I'm a beginner and I'm studying how to deploy some policy with SELinux on RHEL
5.x/6.x.
Now, while I'm writing a restricted role, I would like a restricted user to
not be able to get SELinux status information.
For example, now I have this context:
Instead, I want my restricted user (ssh_test) to see, when typing
"sestatus":
Disabled
And when typing "id -Z", it must not get information about its
context.
I know that it is possible on Fedora, so is it possible also in RHEL
5.x/6.x?
Thanks in advance.
###################################
Maurizio Pagani
RedHat Certified Engineer
IBM Certified System Administrator AIX 7
NickName: LordFire (I'm also on #selinux)
How can I prevent restricted users from getting SELinux status information
in RHEL 6?
10 years, 7 months
provide mysql access to guest_u
by Lakshmipathi.G
Hi -
I have a restricted account with guest_u. How do I provide
mysql access to guest_u without breaking other services?
I tried
"setsebool -P allow_user_mysql_connect 1"
It still says:
ERROR 2002 (HY000): Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (13)
Thanks for help.
--
----
Cheers,
Lakshmipathi.G
FOSS Programmer.
www.giis.co.in
10 years, 7 months
Problems creating a directory in /usr
by Clive Hills
I have a user application (the Reality/Pick database from Northgate
Reality) that requires the creation of a user before install.
That user *must* have /usr/realman as their home directory. Prior to F16
I used to do "useradd -r -d /usr/realman -m realman".
On the most recent versions of Fedora this fails with: "useradd: cannot
create directory /usr/realman".
I get an AVC which is:

time->Fri Feb 8 10:30:02 2013
type=SYSCALL msg=audit(1360319402.989:97): arch=c000003e syscall=83
success=no exit=-13 a0=7fff498c2639 a1=0 a2=7f26197f6750
a3=6165726373662f72 items=0 ppid=1855
pid=2277 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
ses=1 tty=pts0 comm="useradd" exe="/usr/sbin/useradd"
subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1360319402.989:97): avc: denied { write } for
pid=2277 comm="useradd" name="usr" dev="sda11" ino=917505
scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=dir

audit2why says:

type=AVC msg=audit(1360319402.989:97): avc: denied { write } for
pid=2277 comm="useradd" name="usr" dev="sda11" ino=917505
scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

and audit2allow says:

#============= useradd_t ==============
#!!!! The source type 'useradd_t' can write to a 'dir' of the following
types:
# selinux_config_t, stapserver_var_lib_t, user_home_dir_t,
default_context_t, httpd_user_content_type, mail_spool_t, etc_t,
semanage_tmp_t, config_home_t, var_t, semanage_store_t,
selinux_login_config_t, httpd_user_script_exec_type, selinux_config_t,
pcscd_var_run_t, tmp_t, user_home_type, semanage_store_t, file_context_t,
home_root_t
allow useradd_t usr_t:dir write;

which I find confusing as it makes no reference to /usr/realman or, for
that matter, the /usr directory.
Please advise what I need to do to have it writeable by this application
(which is closed source, to which I have no access).
Many thanks
Clive
10 years, 7 months
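Both Rahul's dbus thread and Clive's useradd thread above turn on the same step: reading raw audit records and turning them into candidate allow rules, which is what audit2allow does for you. The script below is an added example, not code from either post and not audit2allow itself. It handles the two record shapes that appear on this page: the kernel's flat type=AVC record, and the type=USER_AVC record that a userspace object manager such as dbus-daemon writes with the same fields wrapped in msg='avc: ...'. The sample log is assembled from the records quoted in the two posts. It also lists the classes the rules reference, since in a monolithic policy.conf each one must be declared in the class list and in an access-vector block before checkpolicy will accept the rules, the step Rahul had to add by hand. The usual caveat applies: a generated rule records what was denied, not what should be allowed, so read each one before loading it.

```python
"""Reduce raw audit AVC / USER_AVC records to candidate allow rules.

Added example (not audit2allow, not code from the posts).  The sample log
is assembled from the records quoted in the dbus and useradd threads above.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1360672844.901:8): user pid=1658 uid=81 auid=4294967295 ses=4294967295 subj=admin_u:admin_r:base_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=1 scontext=admin_u:admin_r:base_t tcontext=admin_u:admin_r:base_t tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1360672844.903:9): user pid=1658 uid=81 auid=4294967295 ses=4294967295 subj=admin_u:admin_r:base_t msg='avc: denied { acquire_svc } for service=com.ubuntu.Upstart spid=1 scontext=admin_u:admin_r:base_t tcontext=admin_u:admin_r:base_t tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1360319402.989:97): arch=c000003e syscall=83 success=no exit=-13 a0=7fff498c2639 a1=0 a2=7f26197f6750 a3=6165726373662f72 items=0 ppid=1855 pid=2277 auid=1000 uid=0 gid=0 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1360319402.989:97): avc:  denied  { write } for  pid=2277 comm="useradd" name="usr" dev="sda11" ino=917505 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir
"""

# 'avc: denied { perm perm } for key=value ...' is shared by AVC and USER_AVC
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
# key=value pairs; a value is either "quoted" or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {perms, scontext, tcontext, tclass, ...} for one denial,
    or None for records that are not AVC denials (SYSCALL, PATH, ...)."""
    if "type=AVC " not in line and "type=USER_AVC " not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    # The USER_AVC payload ends in the closing quote of msg='...'; strip it.
    fields = {k: v.strip('"').rstrip("'") for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    fields["perms"] = set(m.group("perms").split())
    return fields


def context_type(ctx):
    """user:role:type[:range] -> type; refuse contexts with no type field."""
    parts = ctx.split(":")
    if len(parts) < 3 or not parts[2]:
        raise ValueError("malformed context: %r" % ctx)
    return parts[2]


def collect_rules(log_text):
    """Group denials by (source type, target type, class) and union the
    permissions, the same collapsing audit2allow performs."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        rules[key] |= d["perms"]
    return dict(rules)


def render_rules(rules):
    """Render allow rules; a target equal to the source is written as self."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        out.append("allow %s %s:%s %s;" % (src, "self" if src == tgt else tgt, cls, perm_txt))
    return out


def classes_used(rules):
    """{class: permissions} referenced by the rules.  In a monolithic
    policy.conf each class must exist in the class list and in an
    access-vector block (class dbus { acquire_svc send_msg }) or checkpolicy
    rejects the allow rules."""
    used = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        used[cls] |= perms
    return dict(used)


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AUDIT_LOG)
    print("\n".join(render_rules(rules)))
    for cls, perms in sorted(classes_used(rules).items()):
        print("class %s { %s }" % (cls, " ".join(sorted(perms))))
```

Run it on a real log with `ausearch -m AVC,USER_AVC -ts recent` piped in place of SAMPLE_AUDIT_LOG; for the sample it yields `allow base_t self:dbus { acquire_svc send_msg };` and `allow useradd_t usr_t:dir write;`. Whether a rule belongs in policy is a separate question from whether it compiles.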
OpenVPN launching scripts
by Bruno Vernay
I am trying to allow OpenVPN to use Amazon Simple Notification Service
(SNS), so that each time a client connects to the VPN, OpenVPN
triggers a bash script that will use Amazon SNS.
Amazon SNS is a Java program launched via bash scripts.
It is in aws/SimpleNotificationServiceCli/bin/ for the .sh and /lib for the .jar.
OpenVPN launches a script in /etc/openvpn/client-connect.
OpenVPN runs confined and I don't want to poke a big hole just to run SNS.
So I tried to "confine" SNS and allow the transition from OpenVPN, but
it didn't go well. (Config files below.)
I wonder if it could be just as good to allow OpenVPN to escape its
confinement only to call the relevant SNS script?
From the documentation and audit2allow I got to these configuration files.
But it still doesn't authorize the script to run, and now the messages
trigger errors in audit2allow:
libsepol.mls_from_string: invalid MLS context
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:proc_t: to sid
libsepol.context_from_record: type op is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:op:s0 to sid
libsepol.context_from_record: type openvpn_ is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:openvpn_:s0 to sid
libsepol.context_from_record: type shell_e is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:shell_e:s0 to sid
$ cat amz_sns.fc
/opt/aws/SimpleNotificationServiceCli.*/bin/.* -- gen_context(system_u:object_r:amz_sns_exec_t,s0)
/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)? gen_context(system_u:object_r:amz_sns_lib_t,s0)
$ cat amz_sns.te
policy_module(amz_sns, 1.0.0)

require {
	type openvpn_t;
	type openvpn_tmp_t;
}

# The SNS helper's domain, its entry point (the .sh under bin/) and the jars under lib/
type amz_sns_t;
type amz_sns_exec_t;
type amz_sns_lib_t;
files_type(amz_sns_lib_t)
domain_type(amz_sns_t)
# Already grants amz_sns_t read/execute/entrypoint on amz_sns_exec_t
domain_entry_file(amz_sns_t, amz_sns_exec_t)

# openvpn_t executing an amz_sns_exec_t file lands in amz_sns_t; the refpolicy
# pattern also covers the child's sigchld to the parent and use of inherited fds
domtrans_pattern(openvpn_t, amz_sns_exec_t, amz_sns_t)
# openvpn_t runs as system_r, so the new domain must be valid for that role
role system_r types amz_sns_t;

allow amz_sns_t openvpn_tmp_t:file write; # For /tmp/debug

# The entry point is a shell script: run the interpreter and read the jars.
# The Java side (executing bin_t, execmem, outbound HTTPS) still needs its own rules.
corecmd_exec_shell(amz_sns_t)
read_files_pattern(amz_sns_t, amz_sns_lib_t, amz_sns_lib_t)
Bruno
10 years, 7 months
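A small pre-build check for a module like the one in the post above, added here as an example; it is not the poster's code and not part of any shipped policy. It catches three things that stop checkmodule or semodule before the first denial is ever seen: a .fc entry whose gen_context() has been wrapped onto its own line (what a .fc looks like after passing through mail), a stray ';' after an interface call in the .te (the m4 expansion of files_type() already ends in ';', so a second one is a syntax error), and a type used in the .fc that the .te neither declares nor requires. The sample .te and .fc texts are constructed from the module quoted in the post.

```python
"""Lint a refpolicy-style SELinux module (.te + .fc) before building it.

Added example; the sample inputs are constructed from the amz_sns module
quoted in the OpenVPN thread above.
"""
import re

# path-regex [file-type-flag] gen_context(user:role:type[,mls])
FC_LINE = re.compile(
    r"^(?P<path>\S+)"
    r"(?:\s+(?P<ftype>--|-d|-l|-s|-p|-c|-b))?"
    r"\s+gen_context\((?P<ctx>[^)]*)\)\s*$")
# 'type foo;' or 'type foo, attr;' at top level or inside require { }
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*[;,]")
# 'interface_name(args);' -- interface calls take no trailing semicolon
INTERFACE_CALL = re.compile(r"^\s*([a-z_]\w*)\s*\(.*\)\s*;\s*$")

WRAPPED_FC = """\
/opt/aws/SimpleNotificationServiceCli.*/bin/.* --
gen_context(system_u:object_r:amz_sns_exec_t,s0)
/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?
gen_context(system_u:object_r:amz_sns_lib_t,s0)
"""
FIXED_FC = """\
/opt/aws/SimpleNotificationServiceCli.*/bin/.* -- gen_context(system_u:object_r:amz_sns_exec_t,s0)
/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)? gen_context(system_u:object_r:amz_sns_lib_t,s0)
"""
SAMPLE_TE = """\
policy_module(amz_sns, 1.0.0)
require {
    type openvpn_t;
    type openvpn_tmp_t;
}
type amz_sns_t;
type amz_sns_exec_t;
type amz_sns_lib_t;
files_type(amz_sns_lib_t);
domain_type(amz_sns_t)
domain_entry_file(amz_sns_t, amz_sns_exec_t)
domtrans_pattern(openvpn_t, amz_sns_exec_t, amz_sns_t)
role system_r types amz_sns_t;
allow amz_sns_t openvpn_tmp_t:file write;
"""


def known_types(te_text):
    """Types the .te declares or requires; both may be used in the .fc."""
    return {m.group(1) for m in map(TYPE_DECL.match, te_text.splitlines()) if m}


def lint_te(te_text):
    """[(line_no, message)] for stray semicolons after interface calls."""
    problems = []
    for n, line in enumerate(te_text.splitlines(), 1):
        m = INTERFACE_CALL.match(line)
        if m:
            problems.append((n, "stray ';' after %s(...)" % m.group(1)))
    return problems


def lint_fc(fc_text, types):
    """[(line_no, message)] for malformed entries or unknown types."""
    problems = []
    for n, line in enumerate(fc_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            if stripped.startswith("gen_context("):
                problems.append((n, "gen_context() on its own line; join it to the path above"))
            else:
                problems.append((n, "unparseable file-context entry"))
            continue
        ctx = m.group("ctx").split(",")[0]  # drop the MLS/MCS part
        parts = ctx.split(":")
        if len(parts) != 3 or not all(parts):
            problems.append((n, "context must be user:role:type"))
        elif parts[2] not in types:
            problems.append((n, "type %s is not declared or required in the .te" % parts[2]))
    return problems


if __name__ == "__main__":
    types = known_types(SAMPLE_TE)
    for label, found in (("te", lint_te(SAMPLE_TE)),
                         ("fc (wrapped)", lint_fc(WRAPPED_FC, types)),
                         ("fc (fixed)", lint_fc(FIXED_FC, types))):
        print(label, found or "ok")
```

On the sample it flags line 9 of the .te (`files_type(amz_sns_lib_t);`) and all four lines of the wrapped .fc, and passes the joined .fc. It is deliberately narrow: it does not replace `checkmodule -M -m`, it only answers faster.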