allow sftp to read httpd_sys_content_t or public_content_t
by George Myer
I have a directory that I need to share via https and sftp. I have tried labeling the directory as httpd_sys_content_t and public_content_t. This allows httpd access to the directory but not sftp via ssh. If I change the label to chroot_user_t then ssh works but httpd can't access the data.
# cat /var/log/secure
Jan 27 13:50:25 www sshd[8872]: fatal: safely_chroot: stat("/data"): Permission denied
# ls -lZ
drwxr-xr-x. root anonymous system_u:object_r:public_content_t:s0 data
# cat /var/log/audit/audit.log
type=AVC msg=audit(1391012447.734:1292): avc: denied { getattr } for pid=7910 comm="sshd" path="/data" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
I have https working as I am currently using public_content_t. I know that public_content_t allows HTTP Server, FTP, rsync, and Samba, but sftp is not listed. So I have 2 questions:
1) How can I allow sftp access to /data?
2) Why isn't sftp allowed to read public_content_t labels?
Thanks,
George
9 years, 8 months
VASD policy
by Vadym Chepkov
Hi,
I noticed just one vasd-related entry has found its way into the SELinux policy:
# grep vasd ./serefpolicy-3.7.19/policy/modules/system/authlogin.fc
/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
vasd is part of Quest Auth Services and I wonder if somebody already has a
policy defined for it or I have to start from scratch. Quest suggested to
disable SELinux, of course.
Thanks,
Vadym
9 years, 8 months
mozilla got rid of xulrunner
by Dominick Grift
Please add:
/usr/lib/firefox/plugin-container regular file system_u:object_r:mozilla_plugin_exec_t:s0
So that:
unconfined_mozilla_plugin_transition --> on
... works again
9 years, 8 months
allow NetworkManager_t initrc_t:process sigkill ??
by Shintaro Fujiwara
Hi, this morning I started up my Fedora and got this.
type=AVC msg=audit(1390251172.954:357): avc: denied { sigkill } for pid=1022 comm="nm-dispatcher.a" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
SETroubleshoot says "report a bug", so I reported it on this list.
Thanks.
9 years, 8 months
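The two denials quoted above (sshd in chroot_user_t stat'ing a public_content_t directory at the top of the page, and NetworkManager_t signalling initrc_t here) have the same shape, and the first thing a practitioner does with them is turn them into the allow rules a local module would need. The following parser is an added example, not code from either post and not audit2allow itself; the two log records are reconstructed on single lines from the posts, and the module name localfix is an assumption.

```python
"""Parse SELinux AVC denial records and emit the allow rules they correspond to.

Added example, not from the mailing-list posts and not the audit2allow tool.
The two records below are the ones quoted in the threads (sshd -> public_content_t,
NetworkManager_t -> initrc_t), joined back onto one line each.
"""
import re
from collections import defaultdict

# Constructed input: the two AVC records quoted in the posts above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1391012447.734:1292): avc:  denied  { getattr } for  pid=7910 comm="sshd" path="/data" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1390251172.954:357): avc:  denied  { sigkill } for  pid=1022 comm="nm-dispatcher.a" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field of a context string user:role:type[:range]."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per denied record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))

def _fmt_perms(perms):
    p = " ".join(sorted(perms))
    return p if len(perms) == 1 else "{ " + p + " }"

def avc_to_rules(text):
    """Aggregate denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        merged[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {_fmt_perms(perms)};"
            for (src, tgt, cls), perms in sorted(merged.items())]

def render_module(name, text):
    """Render loadable-module source (.te): module header, require block, allow rules."""
    types, classes = set(), defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        types.update((src, tgt))
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {cls} {_fmt_perms(perms)};" for cls, perms in sorted(classes.items())]
    lines += ["}", ""] + avc_to_rules(text)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_module("localfix", SAMPLE_AUDIT_LOG))
```

The rendered source is what you would feed to `checkmodule -M -m`, `semodule_package` and `semodule -i`. Read each generated rule before loading it: the sshd rule here grants chroot_user_t the one permission the denial names, and anything further sftp needs on that tree would show up as the next denial rather than being guessed.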
Re: how to transition a daemon to its own domain
by jiun bookworm
Ok,
so my celebration was a little premature; it seems the only reason the
daemon's execution of a cmdline utility in a particular category had
worked when running in the initrc_t domain was because apparently
initrc_t is equivalent to unconfined_t[1], so it offers zero
protection.
Now if anyone out there has any ideas on how to allow an app in its
domain myapp_t (plus full MCS range) to use runcon to run something in
one of those categories (like 'runcon -l cX,cY /path/to/app /path/to/input')
it would be awesome :)
[1] http://mgrepl.fedorapeople.org/Presentations/HowToBeSELinuxAware.pdf
On Tue, Jan 21, 2014 at 6:07 PM, jiun bookworm <thebookworm101(a)gmail.com> wrote:
> Thanks,
> but I tried that after sending the email; I saw it while looking at some
> policies (init.te) in the Fedora SELinux policy source, and it has not worked
> (please see the end of this email for some questions).
>
> here is what the policy looks like currently.
>
>
> policy_module(myapp, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
> require {
> type init_t;
> type initrc_t;
> type systemd_unit_file_t;
> type urandom_device_t;
> type etc_runtime_t;
> type proc_t;
> type bin_t;
> type tmp_t;
> type user_home_dir_t;
> type user_home_t;
> type net_conf_t;
> type ldconfig_exec_t;
> type mongod_port_t;
> type unreserved_port_t;
> type http_cache_port_t;
> type http_port_t;
> type sandbox_file_t;
> type node_t;
> type shell_exec_t;
> type bin_t;
> type default_t;
> type usr_t;
> type root_t;
> type security_t;
> type unlabeled_t;
> type unlabeled_t;
> type milter_port_t;
> }
>
> type myapp_t;
> type myapp_exec_t;
>
> init_daemon_domain(myapp_t,myapp_exec_t);
>
> ifdef(`enable_mcs',`
> init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
> ')
>
> systemd_unit_file(systemd_unit_file_t) ;
>
> ########################################
> allow myapp_t self:fifo_file rw_fifo_file_perms;
> allow myapp_t self:unix_stream_socket create_stream_socket_perms;
> allow myapp_t self:process { signal transition setexec setcurrent dyntransition };
>
> allow myapp_t etc_runtime_t:file { read getattr open ioctl execute };
> allow myapp_t proc_t:file { read open };
> allow myapp_t bin_t:dir { write add_name create };
> allow myapp_t bin_t:file { execute execute_no_trans read open getattr ioctl };
> allow myapp_t proc_t:file getattr;
> allow myapp_t tmp_t:dir { write add_name };
> allow myapp_t tmp_t:file { write open create };
> allow myapp_t ldconfig_exec_t:file { execute read open execute_no_trans };
> allow myapp_t net_conf_t:file { read open getattr ioctl };
> allow myapp_t mongod_port_t:tcp_socket name_connect;
> allow myapp_t unreserved_port_t:tcp_socket { name_bind create setopt connect getattr getopt write read bind append };
> allow myapp_t node_t:tcp_socket { node_bind };
> allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
> allow myapp_t http_port_t:tcp_socket { name_connect };
> allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
> allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
> allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
> allow myapp_t shell_exec_t:file { execute execute_no_trans entrypoint };
>
> allow myapp_t default_t:dir { search read getattr write add_name remove_name };
> allow myapp_t default_t:file { read getattr open execute execute_no_trans ioctl create write rename unlink };
> allow myapp_t default_t:lnk_file { read getattr ioctl open };
>
> allow myapp_t root_t:dir { write search read getattr add_name create relabelfrom };
> allow myapp_t root_t:file { write read getattr create open ioctl relabelfrom };
> allow myapp_t security_t:file write;
> allow myapp_t security_t:security check_context;
> allow myapp_t milter_port_t:tcp_socket name_bind;
>
> mcs_process_set_categories(myapp_t);
>
> allow myapp_t usr_t:file { execute entrypoint read getattr create open ioctl };
> allow unlabeled_t root_t:dir { search read getattr write add_name remove_name };
>
> allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept };
> allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };
>
> allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };
>
> domain_use_interactive_fds(myapp_t)
>
> #files_read_etc_files(myapp_t)
>
> #miscfiles_read_localization(myapp_t)
>
> #!!!! This avc can be allowed using the boolean 'global_ssp'
> allow myapp_t urandom_device_t:chr_file { read open };
>
> ##############################################################
> ##############################################################
>
>
> Do you have any clues on what other obvious places I should look? (I'm
> new to policy writing so I'm inclined to think there is something simple
> I've missed as a beginner.)
> There is nothing in the audit logs about denials. Now, the runcon
> manual states clearly that only carefully chosen contexts are going to
> run; obviously there is something preventing the command from running,
> but runcon does not provoke any AVC denials. Is there a way to figure
> out the specific reason for runcon to fail?
>
>
> thanks
>
>
> On Tue, Jan 21, 2014 at 5:22 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>
>> On 01/21/2014 03:31 AM, jiun bookworm wrote:
>> > I have managed to get the daemon working with the full mcs range, but it
>> > can not run a shell program under a particular category with runcon, what
>> > special privileges are necessary for an app to use runcon?
>> >
>> > this is the error message when the app calls a shell command with runcon
>> >
>> > /bin/runcon: invalid context: system_u:system_r:myapp_t:s0:c370,c606: Permission denied
>> >
>> > after attempting to do this: /bin/runcon -l s0:c370,c606 /path/to/app input
>> >
>> > the daemon itself runs in the following context:
>> >
>> > system_u:system_r:myapp_t:s0-s0:c0.c1023 myapp 7542 0.2 0.0 909660 60 ? Ssl 01:06 0:14
>> >
>> Potentially mcs_process_set_categories(myapp_t)
>>
>>
>> > here is the policy
>> >
>> > policy_module(myapp, 1.0.0)
>> >
>> > ########################################
>> > #
>> > # Declarations
>> > #
>> > require {
>> > type init_t;
>> > type initrc_t;
>> > type systemd_unit_file_t;
>> > type urandom_device_t;
>> > type etc_runtime_t;
>> > type proc_t;
>> > type bin_t;
>> > type tmp_t;
>> > type user_home_dir_t;
>> > type user_home_t;
>> > type net_conf_t;
>> > type ldconfig_exec_t;
>> > type mongod_port_t;
>> > type unreserved_port_t;
>> > type http_cache_port_t;
>> > type http_port_t;
>> > type sandbox_file_t;
>> > type node_t;
>> > type shell_exec_t;
>> > type bin_t;
>> > type default_t;
>> > type usr_t;
>> > type root_t;
>> > type security_t;
>> > type unlabeled_t;
>> > }
>> >
>> > type myapp_t;
>> > type myapp_exec_t;
>> >
>> > init_daemon_domain(myapp_t,myapp_exec_t);
>> >
>> > ifdef(`enable_mcs',`
>> > init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
>> > ')
>> > systemd_unit_file(systemd_unit_file_t) ;
>> >
>> > ########################################
>> > allow myapp_t self:fifo_file rw_fifo_file_perms;
>> > allow myapp_t self:unix_stream_socket create_stream_socket_perms;
>> > allow myapp_t self:process { signal transition setexec };
>> > allow myapp_t etc_runtime_t:file { read getattr open ioctl execute };
>> > allow myapp_t proc_t:file { read open };
>> > allow myapp_t bin_t:dir { write add_name create };
>> > allow myapp_t bin_t:file { execute execute_no_trans read open getattr ioctl };
>> > allow myapp_t proc_t:file getattr;
>> > allow myapp_t tmp_t:dir { write add_name };
>> > allow myapp_t tmp_t:file { write open create };
>> > allow myapp_t ldconfig_exec_t:file { execute read open execute_no_trans };
>> > allow myapp_t net_conf_t:file { read open getattr ioctl };
>> > allow myapp_t mongod_port_t:tcp_socket name_connect;
>> > allow myapp_t unreserved_port_t:tcp_socket { name_bind create setopt connect getattr getopt write read bind append };
>> > allow myapp_t node_t:tcp_socket { node_bind };
>> > allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
>> > allow myapp_t http_port_t:tcp_socket { name_connect };
>> > allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
>> > allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
>> > allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
>> > allow myapp_t shell_exec_t:file { execute execute_no_trans };
>> >
>> > allow myapp_t default_t:dir { search read getattr write };
>> > allow myapp_t default_t:file { read getattr open execute execute_no_trans ioctl };
>> > allow myapp_t default_t:lnk_file read;
>> > allow myapp_t root_t:dir { write search read getattr add_name create relabelfrom };
>> > allow myapp_t root_t:file { write read getattr create open ioctl relabelfrom };
>> > allow myapp_t security_t:file write;
>> > allow myapp_t security_t:security check_context;
>> >
>> > allow myapp_t usr_t:file { execute entrypoint read getattr create open ioctl };
>> >
>> > allow unlabeled_t root_t:dir search;
>> >
>> > allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept };
>> > allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };
>> >
>> > domain_use_interactive_fds(myapp_t)
>> >
>> > #files_read_etc_files(myapp_t)
>> >
>> > #miscfiles_read_localization(myapp_t)
>> >
>> > #!!!! This avc can be allowed using the boolean 'global_ssp'
>> > allow myapp_t urandom_device_t:chr_file { read open };
>> >
>> > On Mon, Jan 20, 2014 at 2:24 PM, jiun bookworm <thebookworm101(a)gmail.com> wrote:
>> >
>> > init_ranged_daemon_domain() was not working for me, I'm sure I have done
>> > something wrong, but I have no idea what or where that is. Right now,
>> > with the policy as it is, it's running in system_u:object_r:unlabeled_t:s0,
>> > meaning I've borked things big time.
>> >
>> > here is the policy:
>> >
>> > policy_module(myapp, 1.0.0)
>> >
>> > ########################################
>> > #
>> > # Declarations
>> > #
>> > require {
>> > # type init_t; type initrc_t;
>> > type systemd_unit_file_t;
>> > type urandom_device_t;
>> > type etc_runtime_t;
>> > type proc_t;
>> > type bin_t;
>> > type tmp_t;
>> > type user_home_dir_t;
>> > type user_home_t;
>> > type net_conf_t;
>> > type ldconfig_exec_t;
>> > type mongod_port_t;
>> > type unreserved_port_t;
>> > type http_cache_port_t;
>> > type http_port_t;
>> > type sandbox_file_t;
>> > type node_t;
>> > type shell_exec_t;
>> > type bin_t;
>> > type security_t;
>> > type setroubleshootd_t;
>> > type unconfined_t;
>> > type default_t;
>> > }
>> >
>> > init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
>> > type myapp_t;
>> > domain_type(myapp_t);
>> > type myapp_exec_t;
>> >
>> > type myapp_unit_file_t;
>> > systemd_unit_file(systemd_unit_file_t)
>> >
>> > mcs_process_set_categories(myapp_t);
>> >
>> > ########################################
>> >
>> > allow myapp_t self:fifo_file rw_fifo_file_perms;
>> > allow myapp_t self:unix_stream_socket create_stream_socket_perms;
>> > allow myapp_t self:process signal;
>> > allow myapp_t etc_runtime_t:file { read getattr open ioctl execute };
>> > allow myapp_t proc_t:file { read open };
>> > allow myapp_t bin_t:dir write;
>> > allow myapp_t bin_t:file { execute execute_no_trans };
>> >
>> > allow myapp_t proc_t:file getattr;
>> > allow myapp_t tmp_t:dir { write add_name };
>> > allow myapp_t tmp_t:file { write open create };
>> > allow myapp_t user_home_dir_t:dir { search getattr read open write add_name };
>> > allow myapp_t user_home_t:file { read open getattr ioctl create };
>> > allow myapp_t user_home_t:dir { read open search getattr };
>> > allow myapp_t ldconfig_exec_t:file { execute read open execute_no_trans };
>> > allow myapp_t net_conf_t:file { read open getattr ioctl };
>> > allow myapp_t mongod_port_t:tcp_socket name_connect;
>> > allow myapp_t unreserved_port_t:tcp_socket { name_bind create setopt connect getattr getopt write read bind append };
>> > allow myapp_t node_t:tcp_socket { node_bind };
>> > allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
>> > allow myapp_t http_port_t:tcp_socket { name_connect };
>> > allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
>> > allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
>> > allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
>> > allow myapp_t shell_exec_t:file { execute execute_no_trans };
>> > allow myapp_t security_t:file write;
>> >
>> > allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept };
>> > allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };
>> >
>> > allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };
>> >
>> > domain_use_interactive_fds(myapp_t)
>> >
>> > allow myapp_t urandom_device_t:chr_file { read open };
>> >
>> > allow myapp_t default_t:file { read getattr execute open execute_no_trans };
>> > allow setroubleshootd_t myapp_exec_t:file getattr;
>> > allow init_t myapp_exec_t:file execute;
>> > allow init_t myapp_exec_t:file { read open execute getattr entrypoint };
>> >
>> > On Mon, Jan 20, 2014 at 12:19 PM, Dominick Grift <dominick.grift(a)gmail.com> wrote:
>> >
>> > On Mon, 2014-01-20 at 05:51 +0300, jiun bookworm wrote:
>> >> Let me try the question again, all init daemons are started with the
>> >> context specified at [jiun@localhost ~]$ cat /etc/selinux/targeted/contexts/initrc_context
>> >> system_u:system_r:initrc_t:s0
>> >>
>> >> is it possible to have my application specifically override this and
>> >> start with the full mcs range? you mentioned that init_t is able to
>> >> do something like this because of some mcs constraints, what constraints
>> >> are these?
>> >>
>> >> I've tried these and they do not work:
>> >>
>> >> init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh)
>> >
>> > In theory the above should work; maybe there's a small error somewhere. You
>> > should probably look more into the source policy for examples.
>> >
>> >> mcs_process_set_categories(myapp_t);
>> >
>> > That's one of the available mcs interfaces. There's more in the policy:
>> >
>> > seinfo -a | grep mcs
>> >
>> >> range_transition initrc_t myapp_exec_t:process s0:c0.c1023;
>> >>
>> > oh right, it should probably be:
>> >
>> > range_transition init_t myapp_exec_t:process s0:c0.c1023;
>> >
>> > So maybe init_ranged_daemon_domain() needed to be updated to reflect
>> > systemd.
>> >
>> > But the idea is that init_ranged_daemon_domain() should work
>> >
>> >>
>> >> On Mon, Jan 20, 2014 at 2:28 AM, Dominick Grift <dominick.grift(a)gmail.com> wrote:
>> >> On Mon, 2014-01-20 at 01:42 +0300, jiun bookworm wrote:
>> >>
>> >>> Dominick, thanks but you may have misunderstood my question, it's not
>> >>> the daemon that is confined to one category, it's the child processes
>> >>> that it spawns; previously when in init_t the app could spawn processes
>> >>> and assign them categories, now it can not, when running under myapp_t.
>> >>> What makes init_t or other types able to support mcs and myapp_t can not?
>> >>
>> >> There are two options:
>> >>
>> >> 1. you run the parent with the full mcs range
>> >> 2. you override mcs constraints for the parent using the applicable mcs type attributes
>> >>
>> >> the latter is why init is allowed to do it but I recommend the former for
>> >> your parent process
>> > -- selinux mailing list selinux(a)lists.fedoraproject.org
>> > https://admin.fedoraproject.org/mailman/listinfo/selinux
9 years, 8 months
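The replies above rest on one rule: a parent may hand a child a level only if the parent's own clearance (the high end of its range, s0-s0:c0.c1023 in the ps output) already holds every category in it, unless its type carries the override that mcs_process_set_categories() grants. The following model is an added example, not code from the thread or from the reference policy; it works on the contexts quoted in the thread, and the exempt-type set is an assumption standing in for the policy attribute, since the script has no loaded policy to consult.

```python
"""Model the MCS constraint behind the runcon failure discussed in this thread.

Added example, not code from the thread or from the SELinux reference policy.
On a process transition the parent's clearance (high end of its range) must
dominate the level the child gets, unless the parent's type has been given
the mcs_process_set_categories() override. Contexts are the ones quoted in
the thread; exempt_types is an assumption standing in for that attribute.
"""
import re

CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")   # a single category (c5) or a range (c0.c1023)

def parse_level(level):
    """'s0:c0.c1023' -> ('s0', {0, ..., 1023}); 's0' -> ('s0', set())."""
    sens, _, cats = level.partition(":")
    result = set()
    for item in filter(None, cats.split(",")):
        m = CAT_RE.match(item)
        if not m:
            raise ValueError(f"bad category spec {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        result.update(range(lo, hi + 1))
    return sens, result

def parse_context(ctx):
    """'user:role:type:low[-high]' -> dict; a missing high end equals the low end."""
    user, role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return {"user": user, "role": role, "type": typ,
            "low": parse_level(low), "high": parse_level(high or low)}

def dominates(a, b):
    """MCS dominance with the single sensitivity the targeted policy uses:
    same sensitivity and every category of b is held by a."""
    return a[0] == b[0] and b[1] <= a[1]

def can_set_child_level(parent_ctx, child_level, exempt_types=frozenset()):
    """May a process in parent_ctx start a child at child_level (as runcon -l does)?"""
    parent = parse_context(parent_ctx)
    if parent["type"] in exempt_types:      # e.g. init_t via mcs_process_set_categories()
        return True
    return dominates(parent["high"], parse_level(child_level))

def explain(parent_ctx, child_level):
    """Name the categories the parent's clearance is missing, if any."""
    missing = parse_level(child_level)[1] - parse_context(parent_ctx)["high"][1]
    if not missing:
        return "allowed"
    return "denied: parent clearance lacks " + ",".join(f"c{c}" for c in sorted(missing))

if __name__ == "__main__":
    for parent in ("system_u:system_r:myapp_t:s0",
                   "system_u:system_r:myapp_t:s0-s0:c0.c1023"):
        print(parent, "->", explain(parent, "s0:c370,c606"))
```

A daemon started at plain s0 holds no categories at all, so every `runcon -l s0:cX,cY` from it fails the dominance check; that is the reason the replies recommend running the parent with the full range rather than granting it the override.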
Converting semanage/restorecon/setsebool commands into a policy.
by William Hargrove
I want to convert the selinux commands that I have created for a custom install of apache into an selinux policy such that it could be applied to multiple machines using puppet.
As a snapshot of the selinux config, I have something like:
semanage fcontext -a -t httpd_exec_t "/opt/custom/apache(/.*)?"
semanage fcontext -a -t httpd_sys_content_t "/var/custom/webcontent(/.*)?"
etc ...
restorecon -R -v /opt/custom/apache
restorecon -R -v /var/custom/webcontent
etc ... (to actually apply it)
# allow apache to initiate connections (proxying/ajp)
setsebool httpd_can_network_connect on
setsebool httpd_can_network_relay on
etc ...
semanage port -a -t http_port_t -p tcp 9xxx-91xx
etc ...
Now I've tried to create a policy for the types above by using chcon to set the type on the various directories and then running audit2allow in the hope that it would produce a policy based on the fcontext settings, but it doesn't seem to produce anything. Also, I assume it will only log when an attempt is made for access that is then denied, rather than give the commands to proactively allow various options, like enabling built-in scripting.
I've not seen a way of handling the booleans so far, and for the port commands I have used: allow httpd_t port_t:tcp_socket name_bind;
So far the apache.te policy file looks like this:
module apache 1.0;
require {
type httpd_t;
type httpd_exec_t;
type httpd_var_run_t;
type port_t;
class lnk_file read;
class dir search;
class tcp_socket;
}
#============= httpd_t ==============
allow httpd_t httpd_exec_t:dir search;
allow httpd_t httpd_var_run_t:lnk_file read;
allow httpd_t port_t:tcp_socket name_bind;
I'd be very grateful for any help on this as I'd really like to be able to tie up all the commands into a policy file which can be applied as part of the apache install process.
Will.
9 years, 8 months
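The commands in the post split into two kinds: file-context rules, which can be carried by a policy module's .fc file, and port and boolean settings, which are customizations of the module store rather than statements in .te/.fc source and are still applied with semanage and setsebool -P. The converter below is an added example, not code from the post or from the policycoreutils tools; it parses only the three command shapes the post uses. The module name customapache and the 9000-9100 port range are constructed stand-ins (the post elides its real range as 9xxx-91xx).

```python
"""Turn captured semanage/setsebool commands into a module .fc, a .te require
block and an idempotent apply script.

Added example, not code from the post or from policycoreutils. Only the
three command shapes used in the post are parsed. The module name and the
port range below are constructed stand-ins.
"""
import re
import shlex

# Constructed input: the commands from the post, with a stand-in port range.
COMMANDS = """\
semanage fcontext -a -t httpd_exec_t "/opt/custom/apache(/.*)?"
semanage fcontext -a -t httpd_sys_content_t "/var/custom/webcontent(/.*)?"
setsebool httpd_can_network_connect on
setsebool httpd_can_network_relay on
semanage port -a -t http_port_t -p tcp 9000-9100
"""

def literal_prefix(regex):
    """Leading part of an fcontext regex with no metacharacters: where restorecon starts."""
    prefix = re.match(r"[^.*?+()\[\]{}|^$\\]*", regex).group(0)
    return prefix.rstrip("/") or "/"

def parse_commands(text):
    """Split captured commands into fcontext, port and boolean settings."""
    fcontexts, ports, booleans = [], [], []
    for raw in text.splitlines():
        argv = shlex.split(raw, comments=True)
        if not argv:
            continue
        if argv[:2] == ["semanage", "fcontext"]:
            fcontexts.append({"type": argv[argv.index("-t") + 1], "regex": argv[-1]})
        elif argv[:2] == ["semanage", "port"]:
            ports.append({"type": argv[argv.index("-t") + 1],
                          "proto": argv[argv.index("-p") + 1], "range": argv[-1]})
        elif argv[0] == "setsebool":
            name, value = [a for a in argv[1:] if not a.startswith("-")][:2]
            booleans.append({"name": name, "value": value})
        else:
            raise ValueError(f"unsupported command: {raw}")
    return fcontexts, ports, booleans

def render_fc(fcontexts):
    """Lines for the module's .fc file: regex, then gen_context with the type."""
    return "".join(f"{f['regex']}\tgen_context(system_u:object_r:{f['type']},s0)\n"
                   for f in fcontexts)

def render_te(module, fcontexts):
    """Minimal .te: the types the .fc refers to must be required by the module.
    The module's own allow rules (the apache.te in the post) are appended to this."""
    types = sorted({f["type"] for f in fcontexts})
    body = [f"module {module} 1.0;", "", "require {"] + [f"\ttype {t};" for t in types] + ["}"]
    return "\n".join(body) + "\n"

def render_apply_script(module, fcontexts, ports, booleans):
    """Shell steps for what a module cannot carry: ports, booleans, relabeling."""
    lines = ["#!/bin/sh", "set -e", f"semodule -i {module}.pp"]
    for p in ports:
        spec = f"-t {p['type']} -p {p['proto']} {p['range']}"
        # 'semanage port -a' fails when the range is already defined, so fall back to -m.
        lines.append(f"semanage port -a {spec} 2>/dev/null || semanage port -m {spec}")
    for b in booleans:
        lines.append(f"setsebool -P {b['name']} {b['value']}")   # -P persists across reboots
    for f in fcontexts:
        lines.append(f"restorecon -R {literal_prefix(f['regex'])}")
    return "\n".join(lines) + "\n"

def convert(module, text):
    fcontexts, ports, booleans = parse_commands(text)
    return {f"{module}.fc": render_fc(fcontexts),
            f"{module}.te": render_te(module, fcontexts),
            "apply.sh": render_apply_script(module, fcontexts, ports, booleans)}

if __name__ == "__main__":
    for name, content in convert("customapache", COMMANDS).items():
        print(f"# ---- {name}\n{content}")
```

Build the module with `checkmodule -M -m -o customapache.mod customapache.te` and `semodule_package -o customapache.pp -m customapache.mod -f customapache.fc`; apply.sh then loads it and applies the store-level settings, and because every step in it is safe to re-run it fits a Puppet exec without an unless guard.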
how to transition a daemon to its own domain
by jiun bookworm
I have been attempting to get my app to transition to a different domain,
unsuccessfully. What is wrong with the following:
###############################TE file #############
########################################
#
# Declarations
#
require {
type initrc_t;
}
type myapp_t;
type myapp_unit_file_t;
init_daemon_domain(myapp_t, myapp_unit_file_t);
allow initrc_t myapp_unit_file_t : file { read getattr execute open } ;
allow initrc_t myapp_unit_file_t : file { ioctl read getattr lock execute entrypoint open } ;
allow initrc_t myapp_t : process { transition siginh } ;
type myapp_exec_t;
files_type(myapp_exec_t);
allow initrc_t myapp_exec_t : file { read getattr execute open } ;
allow initrc_t myapp_exec_t : file { ioctl read getattr lock execute entrypoint open } ;
allow initrc_t myapp_t : process { transition siginh } ;
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(myapp_t)
#files_read_etc_files(myapp_t)
#miscfiles_read_localization(myapp_t)
#####################################################
########################END OF TE
#######################~INTERFACE#######
## <summary>policy for myapp</summary>
########################################
## <summary>
## Execute TEMPLATE in the myapp domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`myapp_domtrans',`
gen_require(`
type myapp_t, myapp_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, myapp_exec_t, myapp_t)
')
##############################################
########################END OF INTERFACE#######################
and the other :
/appcl/myapp/apiservice.py -- gen_context(system_u:object_r:myapp_exec_t,s0)
/usr/lib/systemd/system/myapp.service -- gen_context(system_u:object_r:myapp_unit_file_t,s0)
unfortunately it remains in init_t rather than transitioning to myapp_t,
which is my intention, but I'm wrong somewhere; any help will be
appreciated.
here is some debug info:
# sesearch --allow -t myapp_t | grep transition
allow initrc_t myapp_t : process { transition siginh } ;
allow myapp_domain daemon : process transition ;
and there are no AVC denials in the logs. What do I do to correct it?
----------------another question -------only for the patient---------------
For those who like reading a lot, here is where I'm going with this:
My aim is to have the service interact over the network at a certain
unprivileged port, and I can interact with it over some REST interface,
and it can call some other programs with untrusted data and give back
results.
So far I was able to isolate different processes that are launched by the
app from each other by using MCS and using runcon to set the level;
unfortunately everything is still running as
system_u:system_r:init_t:s0:cX,cY. How can I have the child process run
with lower SELinux privileges? Like maybe
system_u:system_r:sandbox_t:s0:cX,cY,
or another equivalent of sandbox? If I try
system_u:system_r:sandbox_t:s0:cX,cY I get an
invalid context error.
Jiun
9 years, 8 months
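A domain transition on exec keys on the label of the file that init actually executes, so the type passed to init_daemon_domain() as the entrypoint has to be the one the .fc file puts on the daemon's executable, not on its unit file. The check below is an added example, not code from the post or from the reference policy tooling; it reads the .te and .fc lines posted above (reduced to the statements it looks at) and flags exactly that mismatch. The "fixed" variant is constructed by repointing the entrypoint argument at the executable's type.

```python
"""Check that a daemon module's entrypoint wiring matches its file contexts.

Added example, not code from the post. It reads .te and .fc text of the kind
posted above and checks the one thing an exec-time domain transition depends
on: the entrypoint type named in init_daemon_domain() must be the label the
.fc gives the daemon's executable, not its systemd unit file.
"""
import re

# The posted files, reduced to the lines this check looks at.
TE_POSTED = """\
type myapp_t;
type myapp_unit_file_t;
init_daemon_domain(myapp_t, myapp_unit_file_t);
type myapp_exec_t;
files_type(myapp_exec_t);
"""
FC_POSTED = """\
/appcl/myapp/apiservice.py -- gen_context(system_u:object_r:myapp_exec_t,s0)
/usr/lib/systemd/system/myapp.service -- gen_context(system_u:object_r:myapp_unit_file_t,s0)
"""
# Constructed: the same module with the entrypoint pointing at the executable's type.
TE_FIXED = TE_POSTED.replace("init_daemon_domain(myapp_t, myapp_unit_file_t)",
                             "init_daemon_domain(myapp_t, myapp_exec_t)")

DAEMON_RE = re.compile(r"init(?:_ranged)?_daemon_domain\(\s*(\w+)\s*,\s*(\w+)")
# path, optional file-type flag (-- regular file, -d directory, ...), then the type in gen_context()
FC_RE = re.compile(r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-a-z])\s+)?gen_context\(\w+:\w+:(?P<type>\w+)", re.M)

def fc_entries(fc_text):
    """{type: [(path_regex, file-type flag)]} for every .fc line."""
    entries = {}
    for m in FC_RE.finditer(fc_text):
        entries.setdefault(m["type"], []).append((m["path"], m["ftype"] or ""))
    return entries

def check_entrypoint(te_text, fc_text):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    labels = fc_entries(fc_text)
    for domain, entrypoint in DAEMON_RE.findall(te_text):
        paths = labels.get(entrypoint, [])
        if not paths:
            findings.append(f"{domain}: entrypoint type {entrypoint} labels no path in the .fc file")
            continue
        for path, ftype in paths:
            if path.endswith(".service") or "/systemd/system/" in path:
                findings.append(f"{domain}: entrypoint type {entrypoint} labels unit file {path}; "
                                "init execs the daemon binary, not the unit, so no transition happens")
            elif ftype and ftype != "--":
                findings.append(f"{domain}: entrypoint type {entrypoint} labels {path} "
                                f"with file type {ftype!r}, not a regular file")
    return findings

if __name__ == "__main__":
    for label, te in (("posted", TE_POSTED), ("fixed", TE_FIXED)):
        print(label, check_entrypoint(te, FC_POSTED) or ["ok"])
```

Run against the posted files it reports the unit-file entrypoint; with the entrypoint argument changed to myapp_exec_t, which the .fc already puts on /appcl/myapp/apiservice.py, it reports nothing.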
rpm %post script fails returning 127
by Shintaro Fujiwara
Hi, during the process of `rpm -ivh my_program`, I had an error saying as
follows.
In the spec file, I wrote one line which runs a script.
Studying the web, I found some guy had the same kind of trouble, and another guy
saying to update selinux-policy and it will fix the problem.
So, I updated as follows and still I have an error.
Fortunately or not, when I set enforce 0, it works fine (the %post script
works).
But it's embarrassing, my program is for SELinux!
What's going on with rpm? Please fix this.
Thanks for reading.
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
[root@localhost ~]# rpm -ivh --force /home/fujiwara/rpmbuild/RPMS/i686/segatex-7.990-1.i686.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:segatex-7.990-1                  ################################# [100%]
warning: %post(segatex-7.990-1.i686) scriptlet failed, exit status 127
[root@localhost ~]# rpm -qa|grep selinux
selinux-policy-devel-3.12.1-116.fc20.noarch
selinux-policy-3.12.1-117.fc20.noarch
mod_selinux-2.4.4-2.fc20.i686
libselinux-python-2.2.1-6.fc20.i686
libselinux-devel-2.2.1-6.fc20.i686
selinux-policy-mls-3.12.1-116.fc20.noarch
selinux-policy-targeted-3.12.1-116.fc20.noarch
libselinux-2.2.1-6.fc20.i686
selinux-policy-doc-3.12.1-116.fc20.noarch
libselinux-utils-2.2.1-6.fc20.i686
[root@localhost ~]#
9 years, 8 months
Combine *.te contents
by Frank Murphy
Is there a pointer to combining the contents of *.te files?
I have looked at sample.te, but my perception fails a lot these days.
# cat F20mailx01.te
module F20mailx01 1.0;
require {
type admin_home_t;
type logwatch_mail_t;
class dir write;
}
#============= logwatch_mail_t ==============
allow logwatch_mail_t admin_home_t:dir write;
# cat F20mailx04.te
module F20mailx04 1.0;
require {
type logwatch_mail_t;
type mail_home_t;
class file create;
}
#============= logwatch_mail_t ==============
allow logwatch_mail_t mail_home_t:file create;
___
Regards,
Frank
www.frankly3d.com
9 years, 8 months
Download passwd using ftp
by Frederico Madeira
Hi guys,
I'm running CentOS 6.5 with vsftpd (vsftpd-2.2.2-11.el6_4.1.i686).
I've set the boolean to allow users to connect to their home dir:
[root@seg_linux-2 /]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
My problem is that when a user connects to my server, he is able to change
dir to /etc and get the passwd file.
The domain of the passwd file is etc_t and the domain for the vsftpd process is ftpd_t.
Why can users download the passwd file if subject and object belong to
different domains?
[root@seg_linux-2 /]# ls -Z /etc/passwd
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd
[root@seg_linux-2 /]# ps -eZ | grep vsftp
unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 1086 ? 00:00:00 vsftpd
* Frederico Madeira *
fred(a)madeira.eng.br
www.madeira.eng.br
Cisco CCNA, LPIC-1, LPIC-2
Registered GNU/Linux nº 206120
GPG-Key-ID: 1024D/0F0A721D
Key fingerprint = C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
MSN: fttmadeira(a)hotmail.com
GTalk:fmadeira@gmail.com
SKYPE: fred_madeira
9 years, 8 months
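Two of the posts above come down to the same piece of policy mechanics: the "Combine *.te contents" thread wants several audit2allow-style modules folded into one (union the require blocks, merge rules with the same source, target and class), and the vsftpd thread asks why a read is permitted when subject and object types differ, which is answered by looking at the allow rules rather than at the types. The following parser does both and is an added example, not code from either post or from the policy tools. The two module texts are the ones Frank posted; the third input is a constructed rule of the kind the base policy grants ftpd_t for etc_t through files_read_etc_files(), included only to show how a decision is made. It handles the subset audit2allow emits (module header, require block, allow rules), not interfaces, attributes or conditional blocks.

```python
"""Merge audit2allow-style .te files into one module and query the merged rules.

Added example, not code from the posts. Handles only the subset audit2allow
emits: module header, require block, allow rules with one permission or a
{ set }. The two modules are the ones posted in the thread; FTPD_ETC is a
constructed rule of the kind the base policy grants ftpd_t on etc_t.
"""
import re
from collections import defaultdict

F20MAILX01 = """\
module F20mailx01 1.0;
require {
    type admin_home_t;
    type logwatch_mail_t;
    class dir write;
}
allow logwatch_mail_t admin_home_t:dir write;
"""
F20MAILX04 = """\
module F20mailx04 1.0;
require {
    type logwatch_mail_t;
    type mail_home_t;
    class file create;
}
allow logwatch_mail_t mail_home_t:file create;
"""
# Constructed stand-in for what files_read_etc_files(ftpd_t) grants in the base policy.
FTPD_ETC = "allow ftpd_t etc_t:file { read getattr open };\n"

ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;\s*$", re.M)

def split_perms(perm_str):
    return set(perm_str.strip("{} ").split())

def parse_allows(text):
    """Yield (source, target, class, set(perms)) for each allow rule in text."""
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        yield src, tgt, cls, split_perms(perms)

def _fmt(perms):
    p = " ".join(sorted(perms))
    return p if len(perms) == 1 else "{ " + p + " }"

def merge_modules(name, *texts):
    """One module whose require block and rules are the union of the inputs."""
    rules = defaultdict(set)
    for text in texts:
        for src, tgt, cls, perms in parse_allows(text):
            rules[(src, tgt, cls)] |= perms       # same triple from two files -> one rule
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {_fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {_fmt(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

def is_allowed(text, source_type, target_type, cls, perm):
    """Type-enforcement decision over the rules in text: granted only if a rule says so.
    Whether the two types differ plays no part; nearly every allow rule crosses types."""
    return any(src == source_type and tgt == target_type and c == cls and perm in perms
               for src, tgt, c, perms in parse_allows(text))

if __name__ == "__main__":
    print(merge_modules("F20mail", F20MAILX01, F20MAILX04))
    print("ftpd_t read etc_t:file ->", is_allowed(FTPD_ETC, "ftpd_t", "etc_t", "file", "read"))
```

On a live system the same question is put to the loaded policy with `sesearch --allow -s ftpd_t -t etc_t -c file`, and the DAC check (passwd is mode 0644) is applied before SELinux is consulted at all.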