Re: First crack at argparse parser for semanage.
by mark
Daniel J Walsh wrote:
> On 04/18/2013 10:31 AM, m.roth(a)5-cent.us wrote:
>> David Quigley wrote:
>>> On 04/18/2013 10:12, m.roth(a)5-cent.us wrote:
>>>> David Quigley wrote:
<snip>
>>>> ? And why doesn't semanage have a way to set -t u?
>>>
>>> I'm not sure I understand your last question. Also I'm trying not to
<snip>
>> And the second note - if there's a syntax for semanage that lets me
>> change user context, I don't see it - the -s doesn't seem to let me do,
>> for example, -s system_u.
>>
> Please explain what you are trying to do? Change a logged in user context?
Nahhh.... I'm working on a new system to replace an older one, and my
manager copied some stuff over. Either on the original system or on the
copy (I don't know why), the base of the directory tree we use for
websites came out as unconfined_u, and I was changing it to system_u. I've
run into that before, though, and want to make a change that will stick,
and result in new files being created with the correct context.
mark
11 years
Syntax Errors on F18 Update
by Garry Williams
I just received these errors during a yum update:
garry@vfr$ sudo dnf update
Setting up Update Process
Resolving Dependencies
...
Updating : selinux-policy-devel-3.11.1-90.fc18.noarch 12/37
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232355 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232356 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232357 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232358 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232359 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232360 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232361 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232362 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232363 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232364 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232373 ' [type=SQUOTE]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232395 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232396 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232397 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232398 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232399 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232400 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232401 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232402 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232403 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232404 : [type=COLON]
/usr/share/selinux/devel/include/services/xserver.if: Syntax error on line 232422 ' [type=SQUOTE]
Updating : selinux-policy-targeted-3.11.1-90.fc18.noarch 13/37
***********************************************
Updating : selinux-policy-doc-3.11.1-90.fc18.noarch 14/37
--
Garry T. Williams
11 years
Re: First crack at argparse parser for semanage.
by mark
David Quigley wrote:
> I posted this yesterday but sent it from the wrong account so it's
> probably in moderation.
>
> Attached is my first crack at the argparse version of semanage. Right
> now it just parses the command line and spits out the dictionary raw.
> Please mess around with the command line and make sure that it behaves
> how you would expect. Some of the names in the dictionary are a bit
> weird and I'm having trouble getting sensible semantics for fcontext -e
> but it should be parsing the command lines properly. Also not all of the
> help text is in place yet. If you want to add some help text either send
> it to me in an email or send me a patch and I'll apply it to my repo. I
> still need to commit the latest changes to my github account but once I
> do you should be able to get the same file from my semanage-argparse
> repo on github. After we're sure that the parsing works as we'd like and
> the help messages are sensible to people I'll work on gluing this
> frontend back onto the seobject class that semanage uses to do the
> actual policy store manipulations. Someone pointed out that I have some
> spelling mistakes in there. I will make sure to address them in the next
> version once I add more help text.
>
Well, if you're screwing with semanage's syntax... can't the bizarre
syntax of wildcards be changed to something *normal*? Y'know, like make
semanage fcontext -a -t httpd_sys_content_t /web\*
?
And why doesn't semanage have a way to set -t u?
mark
11 years
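As an added example of the kind of front end David describes (my own code, not anything from his semanage-argparse repo), here is an argparse model of the fcontext subcommand. The option letters follow the real semanage(8) CLI (-a/-d/-m/-l, -t TYPE, -s SEUSER, -r RANGE, -f FTYPE, -e TARGET); the dictionary keys, the check() helper and the validation rules (identifier shape, the _t/_u suffix checks, compiling the file_spec regex before accepting it) are this example's own assumptions about what a sensible parser should reject before touching the policy store.

```python
"""Added example: an argparse front end for `semanage fcontext`.
Parses only; nothing here reads or writes the policy store."""
import argparse
import re

# File-type letters accepted by `semanage fcontext -f` (as in the man page).
FTYPES = {"a", "f", "d", "c", "b", "s", "l", "p"}

# Policy identifiers (types, SELinux users) are plain C-style names.
IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def build_parser():
    parser = argparse.ArgumentParser(prog="semanage")
    sub = parser.add_subparsers(dest="object", required=True)

    fc = sub.add_parser("fcontext", help="manage file context mappings")
    act = fc.add_mutually_exclusive_group(required=True)
    act.add_argument("-a", "--add", dest="action", action="store_const", const="add")
    act.add_argument("-d", "--delete", dest="action", action="store_const", const="delete")
    act.add_argument("-m", "--modify", dest="action", action="store_const", const="modify")
    act.add_argument("-l", "--list", dest="action", action="store_const", const="list")
    fc.add_argument("-t", "--type", dest="setype", help="SELinux type, e.g. httpd_sys_content_t")
    fc.add_argument("-s", "--seuser", dest="seuser", help="SELinux user, e.g. system_u")
    fc.add_argument("-r", "--range", dest="serange", help="MLS/MCS range")
    fc.add_argument("-f", "--ftype", dest="ftype", default="a", choices=sorted(FTYPES))
    fc.add_argument("-e", "--equal", dest="equal", metavar="TARGET",
                    help="make file_spec an equivalence of TARGET")
    fc.add_argument("-n", "--noheading", action="store_true")
    fc.add_argument("file_spec", nargs="?", help="regular expression matching paths")
    return parser


def parse(argv):
    """Parse argv into a plain dict; raise ValueError for semantic errors
    argparse cannot express on its own."""
    d = vars(build_parser().parse_args(argv))
    if d["object"] != "fcontext":
        return d
    if d["action"] == "list":
        if d["file_spec"] is not None:
            raise ValueError("-l takes no file_spec")
        return d
    if d["file_spec"] is None:
        raise ValueError("file_spec is required")
    if d["equal"] is not None:
        # -e says "label file_spec like TARGET"; a type or user makes no sense here.
        if d["setype"] or d["seuser"]:
            raise ValueError("-e cannot be combined with -t or -s")
        return d
    if d["action"] == "add" and not d["setype"]:
        raise ValueError("-a requires -t TYPE")
    for key in ("setype", "seuser"):
        if d[key] is not None and not IDENT.match(d[key]):
            raise ValueError(f"invalid identifier for {key}: {d[key]!r}")
    if d["setype"] is not None and not d["setype"].endswith("_t"):
        raise ValueError("SELinux types end in _t")
    if d["seuser"] is not None and not d["seuser"].endswith("_u"):
        raise ValueError("SELinux users end in _u")
    # file_spec is a regex (setfiles anchors it); refuse to store one that
    # does not even compile instead of writing a dead entry into the store.
    try:
        re.compile(d["file_spec"])
    except re.error as exc:
        raise ValueError(f"bad file_spec regex: {exc}") from exc
    return d


def check(argv):
    """Return None if argv parses cleanly, otherwise the error message."""
    try:
        parse(argv)
    except ValueError as exc:
        return str(exc)
    except SystemExit:  # argparse already printed its usage error
        return "usage error"
    return None


if __name__ == "__main__":
    import sys
    print(parse(sys.argv[1:]))
```

The `-s` option here is the same option the existing semanage fcontext has for the SELinux user field, so an entry such as `-a -s system_u -t httpd_sys_content_t '/web(/.*)?'` followed by `restorecon -RF /web` resets both the user and the type on the tree. Two caveats for the system_u question earlier in this thread: the user field of a file created later comes from the creating process, not from the parent directory (only the type is inherited or transitioned), and the targeted policy does not consult the user field of a file when deciding access, so the difference is cosmetic there.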
type question - samba script
by mark
Hi. We've got a samba shell script. It was in /etc/samba, and we got a ton
of AVCs (we are in permissive, CentOS 6.4). It just got moved to
/usr/local/sbin, ditto. Currently, it looks like
system_u:object_r:samba_etc_t:s0. What *is* the correct type for it?
mark
11 years
Running hpacucli from snmpd blocked by SELinux
by Michael Ludvig
Hi
I've got a RHEL6 server with targeted SELinux enabled. I'm running a
script /usr/local/sbin/check-hp-smartarray.pl from snmpd. The script
executes and tries to invoke /usr/sbin/hpacucli and that's where the
problems begin.
First of all /usr/sbin/hpacucli runs /opt/compaq/hpacucli/bld/.hpacucli
- that failed because the context of the file was
system_u:object_r:usr_t:s0 - I changed that to bin_t and got a bit
further. Now hpacucli fails because it can't write some temporary files.
Probably because it runs under snmpd_t that isn't allowed to write there.
I don't want to turn off SELinux completely and I don't really agree
with the solutions suggested by audit2allow (essentially it lets snmpd_t
execute everything and write everywhere).
I tried "sudo /usr/sbin/hpacucli" with this sudoers line:
root ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r NOPASSWD: ALL
but when that is run from snmpd it fails with "sudo: unable to open
audit system: Permission denied"
Then I tried "runcon root:system_r:unconfined_t:s0-s0:c0.c1023
/usr/bin/hpacucli" and although it runs fine from the shell, from the snmp
script it fails with:
"runcon: invalid context: root:system_r:unconfined_t:s0-s0:c0.c1023:
Permission denied"
Is there any way to run /usr/sbin/hpacucli as unconfined_t from snmpd or
somehow disable SELinux for just that one program?
Thanks!
Michael
11 years
total newbie audit2allow question
by Richard Greenwood
I have a CGI application named "mapserv" that needs to write to a specific
location: "/rwg/mapserver/tmp". I ran audit2allow which produced the
test.te file below. I ran "semodule -i test.pp" and my CGI application
is now happy, and so you would think that I should be happy also. But I am
confused/concerned because I do not see "mapserv" nor do I see
"/rwg/mapserver/tmp" in the te file. So my uninformed interpretation of the
te file below is that I have just granted all httpd scripts permission to
write to any directory. I did a quick test and this is thankfully *NOT* the
case, but how does selinux know that I am granting only the "mapserv"
application write permissions to only the "/rwg/mapserver/tmp" directory? I
feel like there is a big piece that I am completely missing.
Thanks for your patience with a newbie.
Rich
module test 1.0;
require {
type httpd_sys_content_t;
type httpd_sys_script_t;
class dir add_name;
class file { write create };
}
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
allow httpd_sys_script_t httpd_sys_content_t:file { write create };
--
Richard Greenwood
richard.greenwood(a)gmail.com
www.greenwoodmap.com
11 years
Fwd: How do I make sure I've done this correctly?
by Another Sillyname
Dominick
The denial was in my OP.
Line beginning......
Selinux is preventing.........then through to the line commencing....
restorecon......
Hope that makes it clear.
On 16 April 2013 12:01, Dominick Grift <dominick.grift(a)gmail.com> wrote:
> On Mon, 2013-04-15 at 23:43 +0100, Another Sillyname wrote:
> > I am setting up a new mythweb server on F18x64 and whereas
> > historically I've just put selinux into permissive mode in this
> > instance I want to actually use it as an opportunity to learn more
> > about selinux and correct configuration.
>
> I would start by learning how to understand, analyze and translate the
> SELinux AVC denials.
>
> I noticed that you had not enclosed the AVC denial for this event.
>
> The AVC denial is actually the only line one needs to determine the
> problem and solution.
>
> So first things first: Can you enclose the AVC denial of this event?
> >
> > --
> > selinux mailing list
> > selinux(a)lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
11 years
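An added example that serves both the audit2allow question above (Richard's test.te) and Dominick's point that the AVC record is all one needs. It is my code, not anything posted by Richard, Dominick or the audit2allow authors: it parses AVC denial lines, aggregates them into the allow rules audit2allow would propose, renders them in the test.te layout, and then evaluates those rules against a set of labelled paths to show what the rule actually grants. The four denial lines are constructed for this example (the httpd_sys_script_t and httpd_sys_content_t labels match Richard's module; labelling the recording var_t is an assumption), and SAMPLE_LABELS is an assumed labelling, not taken from a real host.

```python
"""Added example: from AVC denials to audit2allow-style rules, and then to
the real scope of those rules. Log lines and labels below are constructed."""
import re
from collections import defaultdict

SAMPLE_DENIALS = [
    # constructed: a CGI named mapserv creating a file under its tmp directory
    'type=AVC msg=audit(1366114800.101:201): avc:  denied  { add_name } for  pid=2301 '
    'comm="mapserv" name="out.png" scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir',
    'type=AVC msg=audit(1366114800.102:202): avc:  denied  { create } for  pid=2301 '
    'comm="mapserv" name="out.png" scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file',
    'type=AVC msg=audit(1366114800.103:203): avc:  denied  { write } for  pid=2301 '
    'comm="mapserv" path="/rwg/mapserver/tmp/out.png" dev="dm-0" ino=4151 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file',
    # constructed: perl under the web server stat()ing a recording (type assumed var_t)
    'type=AVC msg=audit(1366114800.104:204): avc:  denied  { getattr } for  pid=2400 '
    'comm="perl" path="/srv/mythtv/recordings/1001.mpg" dev="dm-1" ino=77 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file',
]

# path -> (type of the object, object class); an assumed labelling for illustration
SAMPLE_LABELS = {
    "/rwg/mapserver/tmp": ("httpd_sys_content_t", "dir"),
    "/rwg/mapserver/tmp/out.png": ("httpd_sys_content_t", "file"),
    "/var/www/html/index.html": ("httpd_sys_content_t", "file"),
    "/var/www/cgi-bin/mapserv": ("httpd_sys_script_exec_t", "file"),
    "/etc/httpd/conf/httpd.conf": ("httpd_config_t", "file"),
    "/srv/mythtv/recordings/1001.mpg": ("var_t", "file"),
}

_DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not a denial."""
    m = _DENIED.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group(1).split())}
    for key, quoted, bare in _KV.findall(line):
        rec[key] = quoted if quoted else bare
    for ctx in ("scontext", "tcontext"):
        # user:role:type[:level]; only the type takes part in the TE check
        rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def rules_from_denials(lines):
    """Aggregate denials into (source type, target type, class) -> permissions,
    which is exactly the granularity of an allow rule."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def format_te(rules, module="local"):
    """Render the rules as a .te module in the layout audit2allow produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for (s, t, c), p in sorted(rules.items(), key=lambda kv: kv[0]):
        out.append(f"allow {s} {t}:{c} {fmt_perms(p)};")
    return "\n".join(out) + "\n"


def paths_granted(rules, labels, stype, perm):
    """Every labelled path that `stype` could reach with `perm` under the rules.
    Neither comm= nor path= from the denial survives into the rule: the grant
    is keyed purely on (source type, target type, class)."""
    return sorted(p for p, (ttype, cls) in labels.items()
                  if perm in rules.get((stype, ttype, cls), ()))


if __name__ == "__main__":
    rules = rules_from_denials(SAMPLE_DENIALS)
    print(format_te(rules))
    for perm in ("write", "getattr"):
        print(perm, "->", paths_granted(rules, SAMPLE_LABELS, "httpd_sys_script_t", perm))
```

Run against the constructed denials, the file rule comes out as `allow httpd_sys_script_t httpd_sys_content_t:file { create write };`, and paths_granted reports /var/www/html/index.html as writable alongside the tmp file: the module grants every CGI running as httpd_sys_script_t write access to every httpd_sys_content_t file, and the "mapserv" name and the /rwg/mapserver/tmp path played no part in the decision. The narrower fix for a directory a CGI must write is to label that one directory httpd_sys_rw_content_t (with semanage fcontext and restorecon), a type the stock policy already lets httpd_sys_script_t write, instead of loading the module.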
How do I make sure I've done this correctly?
by Another Sillyname
I am setting up a new mythweb server on F18x64 and whereas historically
I've just put selinux into permissive mode in this instance I want to
actually use it as an opportunity to learn more about selinux and correct
configuration.
I've therefore hit a small problem and want to make sure I've understood
correctly before doing this....
mythweb allows recorded programs to be streamed to a remote client via an
asx stream.....
Quite rightly selinux is saying "whoa boy...not on my watch!!" and throwing
a permissions query......
Selinux is preventing /usr/bin/perl from getattr access to the file
/path/to/file/xxxxxxxxxxx.mpg
If you want to allow perl to have getattr access on the xxxxxxxxxx.mpg file
Do
semanage fcontext -a -t FILE_TYPE '/path/to/file/xxxxxxxxxxx.mpg'
where FILE_TYPE is one of the following.....very very very long list of
file types
then execute
restorecon -v '/path/to/file/xxxxxxxx.mpg'
What I ACTUALLY want to do though is set permissions for that whole
directory if the file is an mpg file, so that files created subsequently
also have the correct permissions setup already.
Also I'm not 100% certain which FILE_TYPE is most appropriate, I'm guessing
it's httpd_php_tmp_t but would appreciate any other views.
Thanks in advance.
11 years
list of which daemons are targeted in RHEL 5
by Daniel Neuberger
All,
I'm trying to get some sense of what the targeted policy covers in RHEL 5.5.
The documentation from
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Lin...
says, "The targeted daemons are as follows: dhcpd; httpd; mysqld; named;
nscd; ntpd; portmap; postgres; snmpd; squid; syslogd; and winbind." Is
that accurate and more or less complete?
I had my doubts, so I went on the system to try to get a list, but based
on
http://thread.gmane.org/gmane.linux.redhat.fedora.selinux/11458/focus=11478,
that is a non-trivial task.
I tried using seinfo, but am seeing strange behavior:
[deuberger@saleen ~]$ seinfo -a domain -x
Rule loading disabled
Segmentation fault
[deuberger@saleen ~]$
[deuberger@saleen ~]$ seinfo -adomain -x
Rule loading disabled
ERROR: Provided attribute (domain) is not a valid attribute name.
Questions:
1. Any reason I shouldn't think the segfault is a bug?
2. Since domain is no longer a valid attribute, is there a better way to
query a system to get some sense of what daemons the target policy covers?
Thanks!
- Daniel
11 years
Re: [PATCH 1/2] iptables (userspace): add secmark match
by Mr Dash Four
Pablo Neira Ayuso wrote:
> On Tue, Mar 05, 2013 at 12:48:47PM +0000, Mr Dash Four wrote:
>
>> This patch is part of the userspace changes needed for the "secmark" match
>> in iptables.
>>
>
> SELinux already provides the framework to define your network policy
> based on the secmark. I don't see why we need this in iptables.
>
I am not sure what to make of your response above Pablo. The purpose of
the patch isn't to replace what SELinux already provides, but to make
full use of that security framework. Are you questioning the purpose or
usefulness of the patch in general? Elaborate please.
11 years