Policy Review
by David Hampton
Hi all,
I'm trying to (re)learn SELinux, and spent the last day or two writing a
policy for the fwknopd service, starting with a skeleton generated by
selinux-polgengui. I was hoping that someone here could take a look at
it and suggest anywhere I can make improvements to the policy. This is
a learning exercise for me, so any comments are welcome. Thanks.
David
========== fwknopd.fc =========
/etc/fwknop(/.*)? gen_context(system_u:object_r:fwknopd_etc_t,s0)
/usr/lib/systemd/system/fwknopd.service -- gen_context(system_u:object_r:fwknopd_unit_file_t,s0)
/usr/sbin/fwknopd -- gen_context(system_u:object_r:fwknopd_exec_t,s0)
/var/run/fwknop(/.*)? gen_context(system_u:object_r:fwknopd_var_run_t,s0)
========== fwknopd.te =========
policy_module(fwknopd, 1.0.0)
########################################
#
# Declarations
#
type fwknopd_t;
type fwknopd_exec_t;
init_daemon_domain(fwknopd_t, fwknopd_exec_t)
#permissive fwknopd_t;
type fwknopd_etc_t;
files_config_file(fwknopd_etc_t)
type fwknopd_unit_file_t;
systemd_unit_file(fwknopd_unit_file_t)
type fwknopd_var_run_t;
files_pid_file(fwknopd_var_run_t)
type fwknopd_port_t;
corenet_port(fwknopd_port_t)
########################################
#
# fwknopd local policy
#
allow fwknopd_t self:capability { setuid };
allow fwknopd_t self:process { fork signal_perms };
allow fwknopd_t self:fifo_file rw_fifo_file_perms;
allow fwknopd_t self:unix_stream_socket create_stream_socket_perms;
#
# Only need to read config files.
#
read_files_pattern(fwknopd_t, fwknopd_etc_t, fwknopd_etc_t)
#
# Create (/var)/run/fwknop directory, and manage files within that
# directory.
#
files_create_var_run_dirs(fwknopd_t)
files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir)
manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)
#
# All client messages are read via pcap. Server only needs enough
# permission to create a TCP socket and bind to it, but not permission
# to read or write. It doesn't need any UDP permissions at all.
#
kernel_read_network_state(fwknopd_t)
allow fwknopd_t self:capability net_raw;
allow fwknopd_t self:packet_socket create_socket_perms;
allow fwknopd_t self:tcp_socket create_stream_socket_perms;
allow fwknopd_t fwknopd_port_t:tcp_socket name_bind;
#
# Uses system() to exec other programs, mainly xtables-multi and gpg
# family.
#
corecmd_exec_shell(fwknopd_t)
# read /proc/meminfo
# provides access to generic files in /proc
kernel_read_system_state(fwknopd_t)
iptables_domtrans(fwknopd_t)
#
# GPG support
#
optional_policy(`
	gen_require(`
		type gpg_secret_t;
	')

	corecmd_exec_bin(fwknopd_t)
	gpg_domtrans(fwknopd_t)
	# App stats /root/.gnupg before running
	userdom_search_admin_dir(fwknopd_t)
	gpg_list_user_secrets(fwknopd_t)
')
#
# Provided by selinux-polgengui
#
domain_use_interactive_fds(fwknopd_t)
auth_use_nsswitch(fwknopd_t)
logging_send_syslog_msg(fwknopd_t)
miscfiles_read_localization(fwknopd_t)
============== end ============
10 years, 3 months
problem with crypt function
by Doug Poulin
A user found this strange problem. When their password ends in a single
digit, you can use any number instead of that one and still get the same
encrypted result. Also, if you add an extra digit onto the end you get a
similar result. Below is a sample:
Sample test program:
#!/usr/bin/perl
use strict;
use warnings;

my ($passwd, $crypt, $salt, $tcrypt);
my (@saltar, $cnt, $rnd);
my @set = ('a'..'z', 'A'..'Z', '0'..'9');

print "Enter your password to encrypt: ";
$passwd = <STDIN>;
chomp($passwd);
# pick a random two-character salt
for ($cnt = 0; $cnt < 2; $cnt++) {
    $rnd = int(rand(62));
    $saltar[$cnt] = $set[$rnd];
}
$salt = $saltar[0] . $saltar[1];
$crypt = crypt($passwd, $salt);
print "Encrypted string using $salt is $crypt\n";

print "Enter in a test password: ";
$passwd = <STDIN>;
chomp($passwd);
# the salt is stored as the first two characters of the hash
$salt = substr($crypt, 0, 2);
$tcrypt = crypt($passwd, $salt);
print "Result of test encrypt: $tcrypt\n";
Sample output 1:
Enter your password to encrypt: aabbccddee
Encrypted string using j1 is j1E.Uer2plwdM
Enter in a test password: aabbccddee1
Result of test encrypt: j1E.Uer2plwdM
Enter your password to encrypt: aabbccdde1
Encrypted string using 2z is 2zL6VvHA/mBl.
Enter in a test password: aabbccdde2
Result of test encrypt: 2zL6VvHA/mBl.
Doug Poulin
10 years, 3 months
A question of trust
by mark
Here's one for the selinux list: a thread just started on the CentOS list
about whether the encryption tools from upstream were trustworthy, given
the revelations from Snowden in the last six months. That, of course,
leads to the question as to whether selinux, and its base policies, are
trustworthy, given they were written by the NSA....
So, why *should* we trust it?
mark "no, I do not have the time or energy to audit and comprehend the
implications of all of selinux's policies myself"
10 years, 3 months
sound within sandboxed firefox
by fedorauser
Hi,
I'm running my firefox in a SELinux sandbox, but have the following problem:
Sound will always play via the integrated speakers but never on the
"remote" screen (which is attached via HDMI).
This problem only occurs within a sandboxed firefox (but not in
"natively" run firefox).
Can this be fixed via changing certain settings, or is this a bug?
thanks!
10 years, 3 months
SELinux and Nagios
by Vadym Chepkov
Hi,
I observe two related AVCs in Fedora 20 (although, to be fair, Fedora 19 also had this issue):
----
time->Tue Jan 7 02:17:09 2014
type=SYSCALL msg=audit(1389061029.116:92): arch=c000003e syscall=59 success=yes exit=0 a0=2623760 a1=26237c0 a2=261fa10 a3=7fff3197ecb0 items=0 ppid=1580 pid=1581 auid=4294967295 uid=997 gid=996 euid=997 suid=997 fsuid=997 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="check_ping" exe="/usr/lib64/nagios/plugins/check_ping" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)
type=AVC msg=audit(1389061029.116:92): avc: denied { read write } for pid=1581 comm="check_ping" path="/var/spool/nagios/checkresults/checkMLYIdJ" dev="dm-1" ino=643 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
----
time->Tue Jan 7 02:17:09 2014
type=SYSCALL msg=audit(1389061029.132:93): arch=c000003e syscall=59 success=yes exit=0 a0=7f59269e4320 a1=7f59269e4360 a2=7fff689f3020 a3=7f5924a98a10 items=0 ppid=1581 pid=1582 auid=4294967295 uid=997 gid=996 euid=997 suid=997 fsuid=997 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="ping" exe="/usr/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1389061029.132:93): avc: denied { read write } for pid=1582 comm="ping" path="/var/spool/nagios/checkresults/checkMLYIdJ" dev="dm-1" ino=643 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
I assume the first one is a deficiency of the SELinux policy: the plugin check_ping should be able to create work files somewhere.
If /var/spool/nagios is not a proper place, then some other location should be used, but the choice is limited:
# semanage fcontext -l|grep nagios|grep /var
/var/log/nagios(/.*)? all files system_u:object_r:nagios_log_t:s0
/var/log/netsaint(/.*)? all files system_u:object_r:nagios_log_t:s0
/var/run/nagios.* all files system_u:object_r:nagios_var_run_t:s0
/var/spool/nagios(/.*)? all files system_u:object_r:nagios_spool_t:s0
The second one is probably some file descriptor leak, because the ping utility doesn't actually supply output to the temporary file.
Does anybody use nagios in an SELinux environment? check_ping seems like a very basic plugin.
Thanks,
Vadym
10 years, 3 months
SELinux is preventing /usr/bin/dbus-daemon from using the sys_resource capability.
by Shintaro Fujiwara
Hi, I recently updated my box to Fedora 20.
I ran my segatex program and got this error.
[root@localhost ~]# less /var/log/audit/audit.log|grep capability
type=AVC msg=audit(1388174188.785:534): avc: denied { sys_resource } for pid=2819 comm="dbus-daemon" capability=24 scontext=unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023 tclass=capability
//////////////////////////////////////////////////////////////////////
And here's what the SETroubleshoot Details window says.
//////////////////////////////////////////////////////////////////////
Additional Information:
Source Context
unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023
Target Context
unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023
Target Objects [ capability ]
Source dbus-daemon
Source Path /usr/bin/dbus-daemon
Port <Unknown>
Host localhost.localdomain
Source RPM Packages dbus-1.6.12-2.fc19.i686
Target RPM Packages
Policy RPM selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.11.10-301.fc20.i686+PAE #1 SMP Thu Dec 5 14:12:06 UTC 2013 i686 i686
Alert Count 1
First Seen 2013-12-28 04:56:28 JST
Last Seen 2013-12-28 04:56:28 JST
Local ID deb7259c-4795-48a1-a74f-61c331ddd21c
Raw Audit Messages
type=AVC msg=audit(1388174188.785:534): avc: denied { sys_resource } for pid=2819 comm="dbus-daemon" capability=24 scontext=unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1388174188.785:534): arch=i386 syscall=setrlimit success=no exit=EPERM a0=7 a1=bfd61e28 a2=b7594000 a3=b8d8cee0 items=0 ppid=1 pid=2819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=dbus-daemon exe=/usr/bin/dbus-daemon subj=unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023 key=(null)
Hash: dbus-daemon,segatex_t,segatex_t,capability,sys_resource
//////////////////////////////////////////////////////
Is it just complaining about more use of the resource?
10 years, 3 months
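As an added example (not from any of the posts above), a small triage script over the denials quoted in the Nagios and dbus-daemon threads: it re-joins records that were wrapped across lines in the paste, turns each denial into the allow rule audit2allow would print, and flags the shared-inode pattern that Vadym reads as a leaked descriptor. The sample log is constructed from the quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample from the denials quoted in the two threads above; the last record
# is wrapped across lines the way the setroubleshoot paste is.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1389061029.116:92): arch=c000003e syscall=59 success=yes exit=0 comm="check_ping" exe="/usr/lib64/nagios/plugins/check_ping" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)
type=AVC msg=audit(1389061029.116:92): avc: denied { read write } for pid=1581 comm="check_ping" path="/var/spool/nagios/checkresults/checkMLYIdJ" dev="dm-1" ino=643 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
type=AVC msg=audit(1389061029.132:93): avc: denied { read write } for pid=1582 comm="ping" path="/var/spool/nagios/checkresults/checkMLYIdJ" dev="dm-1" ino=643 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
type=AVC msg=audit(1388174188.785:534): avc: denied { sys_resource } for
pid=2819 comm="dbus-daemon" capability=24
scontext=unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023
tclass=capability
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def avc_denials(text):
    """Yield one dict per AVC denial; SYSCALL and other records are skipped. A record
    wrapped across lines is re-joined first: a new record starts only at 'type='."""
    for rec in re.split(r"\n(?=type=)", text):
        m = AVC_RE.search(rec.replace("\n", " "))
        if not m:
            continue
        d = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        d["perms"] = m.group("perms").split()
        d["stype"] = d["scontext"].split(":")[2]  # context is user:role:type[:range]
        d["ttype"] = d["tcontext"].split(":")[2]
        yield d

def denials_to_rules(text):
    """Merge denials into allow rules per (source type, target type, class), audit2allow style."""
    perms = defaultdict(set)
    for d in avc_denials(text):
        perms[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        p = " ".join(sorted(p)) if len(p) == 1 else "{ %s }" % " ".join(sorted(p))
        rules.append(f"allow {s} {'self' if s == t else t}:{c} {p};")  # same-type target -> self
    return rules

def shared_inode_suspects(text):
    """Heuristic for the leaked-descriptor case in the Nagios thread: the same inode denied
    to more than one source type (the parent, then its child after the domain transition)."""
    by_inode = defaultdict(list)
    for d in avc_denials(text):
        if "ino" in d:
            by_inode[(d["dev"], d["ino"])].append(d["stype"])
    return {k: v for k, v in by_inode.items() if len(set(v)) > 1}
```

A rule that comes out of this is a starting point for reading, not for installing: the ping_t entry is exactly the one the thread argues should be fixed by closing the descriptor, not by granting the access.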