service not starting via systemd but no AVCs are generated
by Ed Greshko
Hi,
On F19 the service fail2ban won't start via systemd with selinux in enforcing mode.
The error in the message log indicates....
fail2ban-client[2804]: ERROR Directory /var/run/fail2ban exists but not accessible for writing
But, if you execute the command in the service file from the command line....
[root@f18x log]# /usr/bin/fail2ban-client -x start
2013-07-09 18:46:10,558 fail2ban.server : INFO Starting Fail2ban v0.8.10
2013-07-09 18:46:10,559 fail2ban.server : INFO Starting in daemon mode
It starts and you can see the files created in /var/run/fail2ban
[root@f18x fail2ban]# pwd
/var/run/fail2ban
[root@f18x fail2ban]# ls
fail2ban.pid fail2ban.sock
And if you put selinux in permissive mode....
[root@f18x fail2ban]# pwd
/var/run/fail2ban
[root@f18x fail2ban]# ls
[root@f18x fail2ban]# setenforce 0
[root@f18x fail2ban]# systemctl start fail2ban
[root@f18x fail2ban]# ls
fail2ban.pid fail2ban.sock
So it is running with selinux placed in permissive mode.....
But, no AVCs are ever thrown to the audit log.
How do I figure out what the culprit is?
--
The only thing worse than a poorly asked question is a cryptic answer.
10 years, 9 months
Fedora 19 clamd jit in logwatch, uncertain if bug?
by Frank Murphy
Do I need to bz this?
This is all the info I have.
No AVCs re clamd, but logwatch shows the following:
--------------------- Clamav Begin ------------------------
Virus database reloaded 14 time(s) (last time with 3953698 viruses)
**Unmatched Entries**
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory:
Permission denied LibClamAV Warning: Bytecode: disabling JIT because
SELinux is preventing 'execmem' access. Run 'setsebool -P
clamd_use_jit on'.
<snipped/>
That boolean doesn't seem to be in F19
/bin/clamscan -r / --exclude-dir=/proc --exclude-dir=/sys --exclude-dir=/dev --exclude=/home/frank/Viruses --move=/home/frank/Viruses -i --log=/var/log/clamscan.log
The clamscan report itself just shows one error:
----------- SCAN SUMMARY -----------
Known viruses: 3952638
Engine version: 0.97.8
Scanned directories: 23593
Scanned files: 199362
Infected files: 0
Total errors: 1
Data scanned: 20502.27 MB
Data read: 79546.97 MB (ratio 0.26:1)
Time: 7120.754 sec (118 m 40 s)
--
Regards,
Frank "When in doubt PANIC!"
I check for new mail app. 20min
www.frankly3d.com
10 years, 9 months
Apache Shell Attack Domain Transition
by Robert Gabriel
Greetz,
So we asked a question on another list about how to avoid storing credentials to a DB in files for said Apache server.
We then found a great solution in the PHP Cookbook suggesting the use of an "Include" file, readable only by root, containing the credentials; Apache then reads it on start and stores the credentials as variables.
I would like to know if SELinux can block this attack?
For example, an attacker gets a reverse shell as apache:apache user
and they try to connect to DB.
What domain would they be in at time of shell (httpd_t)?
Would the DB be confined to some other domain?
Could they try and connect to the DB after having read the credentials from the unsecured config file?
Is there a domain transition?
Thank you.
10 years, 9 months
Fedora 19 Selinux policy stops nagios
by Vadym Chepkov
Hi,
I just upgraded to Fedora 19 and found out nagios is incompatible with Selinux policy.
One could blame the nagios maintainers for not complying with SELinux, since they use the /var/log/nagios location for work files:
# grep /var/log /etc/nagios/nagios.cfg
log_file=/var/log/nagios/nagios.log
object_cache_file=/var/log/nagios/objects.cache
precached_object_file=/var/log/nagios/objects.precache
status_file=/var/log/nagios/status.dat
temp_file=/var/log/nagios/nagios.tmp
log_archive_path=/var/log/nagios/archives
check_result_path=/var/log/nagios/spool/checkresults
state_retention_file=/var/log/nagios/retention.dat
debug_file=/var/log/nagios/nagios.debug
but it used to work in Fedora 18 and now doesn't work at all.
I tried to relocate some of the files to /var/spool/nagios, but it didn't help; SELinux doesn't allow modifying nagios_spool_t either.
audit2allow suggested to allow nagios_t nagios_spool_t:file { rename write getattr read create unlink open };
Is there some other type I overlooked so I can use it properly?
Thanks,
Vadym
10 years, 9 months
Re: Fedora 19 clamd jit in logwatch, uncertain if bug?
by Frank Murphy
On Sat, 6 Jul 2013 22:24:35 +1000
Douglas Brown <d46.brown(a)student.qut.edu.au> wrote:
> Try this:
>
> First run: semanage dontaudit off
>
> Which will disable any 'dontaudit' rules.
>
> Rerun clam.
>
> Then: grep clam /var/log/audit/audit.log | audit2why
>
> semanage dontaudit on
>
> This *may* give you somewhere to start.
>
> Cheers,
> Doug
>
This came back, will try it:
grep clam /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1373130883.401:2868): avc: denied { execmem }
for pid=1144 comm="clamd" scontext=system_u:system_r:antivirus_t:s0
tcontext=system_u:system_r:antivirus_t:s0 tclass=process
Was caused by:
The boolean antivirus_use_jit was set incorrectly.
Description:
Determine whether can antivirus programs use JIT compiler.
Allow access by executing:
# setsebool -P antivirus_use_jit 1
--
Regards,
Frank "When in doubt PANIC!"
I check for new mail app. 20min
www.frankly3d.com
10 years, 9 months
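The dontaudit procedure in Doug's reply only pays off if you can read what comes out of audit.log afterwards, and the same goes for the fail2ban question earlier on this page. The following is an added example, not code from the list or from any poster: a small Python parser for `type=AVC` audit records that groups denied permissions by source type, target type and object class, which is the shape audit2allow collapses them into. The first sample line is the clamd execmem denial quoted in the reply; the second is a constructed fail2ban-style directory denial (its contexts and inode are made up) added only so the grouping has two entries.

```python
import re
from collections import defaultdict

# Constructed sample audit log. Line 1 is the clamd AVC from the thread;
# line 2 is a non-AVC record (skipped); line 3 is a constructed
# fail2ban-style directory denial, not taken from the list.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1373130883.401:2868): avc:  denied  { execmem } for  pid=1144 comm="clamd" scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:system_r:antivirus_t:s0 tclass=process
type=SYSCALL msg=audit(1373130883.401:2868): arch=c000003e syscall=9 success=no exit=-13 comm="clamd"
type=AVC msg=audit(1373130900.120:2871): avc:  denied  { write add_name } for  pid=2804 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=12345 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}

    def type_of(ctx):  # user:role:type[:range] -> type
        return ctx.split(":")[2] if ctx else None

    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "source_type": type_of(fields.get("scontext")),
        "target_type": type_of(fields.get("tcontext")),
    }


def summarize(log_text):
    """(source type, target type, class) -> sorted denied permissions,
    i.e. the grouping audit2allow would merge into a single allow rule."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc and avc["result"] == "denied":
            grouped[(avc["source_type"], avc["target_type"], avc["tclass"])].update(avc["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}
```

Running `summarize` over the real audit.log after `semanage dontaudit off` shows which domain and class each hidden denial belongs to, so a missing boolean (as with antivirus_use_jit here) or a mislabelled directory can be told apart before anything is changed.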
Recommended types for special keys
by mark
Ok, small problem: where I work is a US federal gov't agency, and we're
required to use data from our PIV cards (the same as US DoD CAC cards). We
store the user's public keys from those cards, so they are, in effect,
their ssh keys for going to other systems. Selinux complains about the
types. The sealert offers, among other obviously inappropriate types,
these: nx_server_home_ssh_t, etc_t, rssh_ro_t, ssh_home_t, cert_type,
home_root_t, sshd_t, selinux_login_config_t, ssh_home_t.
What *would* be an appropriate type?
mark
10 years, 9 months
SELinux MLS
by Robert Gabriel
Greetz,
I'm struggling with this.
I have MLS enabled along with a freshly relabelled, rebooted system.
I have mapped my Linux user to SELinux user staff_u and do a domain transition via sudo.
So, here is the dumb question: how do I start httpd?
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r NOPASSWD: ALL
[root@pluto ~]# id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
[root@pluto ~]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u SystemLow
robert staff_u SystemLow-SystemHigh
root root SystemLow-SystemHigh
system_u system_u SystemLow-SystemHigh
[root@pluto ~]# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range
SELinux Roles
staff_u user SystemLow SystemLow-SystemHigh
auditadm_r staff_r secadm_r sysadm_r system_r
[root@pluto ~]# service httpd start
env: /etc/init.d/httpd: Permission denied
[root@pluto ~]# secon -f /usr/sbin/httpd
user: system_u
role: object_r
type: httpd_exec_t
sensitivity: SystemLow
clearance: SystemLow
mls-range: SystemLow
Do I have to transition to some domain (newrole?) or can I be in a domain (allowed of course) that will execute the process and then do the transition?
Thank you.
10 years, 9 months