selinux January 2014

selinux@lists.fedoraproject.org

19 participants
16 discussions

Policy Review
by David Hampton 10 Jan '14

10 Jan '14

Hi all, I'm trying to (re)learn SELinux, and spent the last day or two writing a policy for the fwknopd service, starting with a skeleton generated by selinux-polgengui. I was hoping that someone here could take a look at it and suggest anywhere I can make improvements to the policy. This is a learning exercise for me, so any comments are welcome. Thanks. David ========== fwknopd.fc ========= etc/fwknop(/.*)? gen_context(system_u:object_r:fwknopd_etc_t,s0) /usr/lib/systemd/system/fwknopd.service -- gen_context(system_u:object_r:fwknopd_unit_file_t,s0) /usr/sbin/fwknopd -- gen_context(system_u:object_r:fwknopd_exec_t,s0) /var/run/fwknop(/.*)? -- gen_context(system_u:object_r:fwknopd_var_run_t,s0) ========== fwknopd.te ========= policy_module(fwknopd, 1.0.0) ######################################## # # Declarations # type fwknopd_t; type fwknopd_exec_t; init_daemon_domain(fwknopd_t, fwknopd_exec_t) #permissive fwknopd_t; type fwknopd_etc_t; files_config_file(fwknopd_etc_t) type fwknopd_unit_file_t; systemd_unit_file(fwknopd_unit_file_t) type fwknopd_var_run_t; files_pid_file(fwknopd_var_run_t) type fwknopd_port_t; corenet_port(fwknopd_port_t) ######################################## # # fwknopd local policy # allow fwknopd_t self:capability { setuid }; allow fwknopd_t self:process { fork signal_perms }; allow fwknopd_t self:fifo_file rw_fifo_file_perms; allow fwknopd_t self:unix_stream_socket create_stream_socket_perms; # # Only need to read config files. # read_files_pattern(fwknopd_t, fwknopd_etc_t, fwknopd_etc_t) # # Create (/var)/run/fwknop directory, and manage files within that # directory. # files_create_var_run_dirs(fwknopd_t) files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir) manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t) # # All client messages are read via pcap. Server only needs enough # permission to create a TCP socket and bind to it, but not permission # to read or write. It doesn't need any UDP permissions at all. # kernel_read_network_state(fwknopd_t) allow fwknopd_t self:capability net_raw; allow fwknopd_t self:packet_socket create_socket_perms; allow fwknopd_t self:tcp_socket create_stream_socket_perms; allow fwknopd_t fwknopd_port_t:tcp_socket name_bind; # # Uses system() to exec other programs, mainly xiptables-multi and gpg # family. # corecmd_exec_shell(fwknopd_t) # read /proc/meminfo # provides access to generic files in /proc kernel_read_system_state(fwknopd_t) iptables_domtrans(fwknopd_t) # # GPG support # optional_policy(` gen_require(` type gpg_secret_t; ') corecmd_exec_bin(fwknopd_t) gpg_domtrans(fwknopd_t) # App stats /root/.gnupg before running userdom_search_admin_dir(fwknopd_t) gpg_list_user_secrets(fwknopd_t) ') # # Provided by selinux-polgengui # domain_use_interactive_fds(fwknopd_t) auth_use_nsswitch(fwknopd_t) logging_send_syslog_msg(fwknopd_t) miscfiles_read_localization(fwknopd_t) ============== end ============

3 2

problem with crypt function
by Doug Poulin 10 Jan '14

10 Jan '14

A user found this strange problem. When their password ends in a single digit, you can use any number instead of that one and still get the same encrypted result. Also if you add an extra digit onto the end you get a similar result Below is a sample: Sample test program: #!/usr/bin/perl my($passwd,$crypt,$salt,$tcrypt); my(@saltar,$cnt,$rnd); print "Enter your password to encrypt: "; $passwd = (<STDIN>); chop($passwd); @set = (a..z,A..Z,0..9); for ($cnt=0; $cnt<2; $cnt++) { $rnd = int(rand(62)); $saltar[$cnt]=$set[$rnd]; } $salt = $saltar[0] . $saltar[1]; $crypt = crypt($passwd,$salt); print "Encrypted string using $salt is $crypt\n"; print "Enter in a test password: "; $passwd = (<STDIN>); chop $passwd; $salt = substr($crypt,0,2); $tcrypt = crypt($passwd,$salt); print "Result of test encrypt: $tcrypt\n"; Sample output 1: Enter your password to encrypt: aabbccddee Encrypted string using j1 is j1E.Uer2plwdM Enter in a test password: aabbccddee1 Result of test encrypt: j1E.Uer2plwdM Enter your password to encrypt: aabbccdde1 Encrypted string using 2z is 2zL6VvHA/mBl. Enter in a test password: aabbccdde2 Result of test encrypt: 2zL6VvHA/mBl. Doug Poulin

3 2

A question of trust
by mark 07 Jan '14

07 Jan '14

Here's one for the selinux list: a thread just started on the CentOS list, about whether the encryption tools from upstream were trustworthy, given the revelations from Snowdon in the last six months. That, of course, leads to the question as to whether selinux, and its base policies, are trustworthy, given they were written by the NSA.... So, why *should* we trust it? mark "no, I do not have the time or energy to audit and comprehend the implications of all of selinux's policies myself"

4 4

sound within sandboxed firefox
by fedorauser 07 Jan '14

07 Jan '14

Hi, I'm running my firefox in a SELinux sandbox, but have the following problem: Sound will always play via the integrated speakers but never on the "remote" screen (which is attached via HDMI). This problem only occurs within a sandboxed firefox (but not in "natively" run firefox). Can this be fixed via a changing certain settings or is this a bug? thanks! ------------------------------------------------- VFEmail.net - http://www.vfemail.net ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands! $24.95 ONETIME Lifetime accounts with Privacy Features! 15GB disk! No bandwidth quotas! Commercial and Bulk Mail Options!

5 16

SELinux and Nagios
by Vadym Chepkov 07 Jan '14

07 Jan '14

Hi, I observe two related AVC in Fedora 20 (although to be fair, Fedora 19 also had this issue): ---- time->Tue Jan 7 02:17:09 2014 type=SYSCALL msg=audit(1389061029.116:92): arch=c000003e syscall=59 success=yes exit=0 a0=2623760 a1=26237c0 a2=261fa10 a3=7fff3197ecb0 items=0 ppid=1580 pid=1581 auid=4294967295 uid=997 gid=996 euid=997 suid=997 fsuid=997 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="check_ping" exe="/usr/lib64/nagios/plugins/check_ping" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null) type=AVC msg=audit(1389061029.116:92): avc: denied { read write } for pid=1581 comm="check_ping" path="/var/spool/nagios/checkresults/checkMLYIdJ" dev="dm-1" ino=643 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file ---- time->Tue Jan 7 02:17:09 2014 type=SYSCALL msg=audit(1389061029.132:93): arch=c000003e syscall=59 success=yes exit=0 a0=7f59269e4320 a1=7f59269e4360 a2=7fff689f3020 a3=7f5924a98a10 items=0 ppid=1581 pid=1582 auid=4294967295 uid=997 gid=996 euid=997 suid=997 fsuid=997 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="ping" exe="/usr/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null) type=AVC msg=audit(1389061029.132:93): avc: denied { read write } for pid=1582 comm="ping" path="/var/spool/nagios/checkresults/checkMLYIdJ" dev="dm-1" ino=643 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file I assume first one is deficiency of the selinux policy - plugin check_ping should be able to create work files somewhere. If /var/spool/nagios is not a proper place, then some other location should be used, but the choice is limited: # semanage fcontext -l|grep nagios|grep /var /var/log/nagios(/.*)? all files system_u:object_r:nagios_log_t:s0 /var/log/netsaint(/.*)? all files system_u:object_r:nagios_log_t:s0 /var/run/nagios.* all files system_u:object_r:nagios_var_run_t:s0 /var/spool/nagios(/.*)? all files system_u:object_r:nagios_spool_t:s0 The send one is probably some file decriptor leak, because ping utility doesn’t actually supply output to the temporary file. Does anybody use nagios in SELinux environment? check_ping seems like a very basic plugin. Thanks, Vadym

3 2

SELinux is preventing /usr/bin/dbus-daemon from using the sys_resource capability.
by Shintaro Fujiwara 02 Jan '14

02 Jan '14

Hi, I recently updated my box to Fedora20. I run my segatex program and got this error. [root@localhost ~]# less /var/log/audit/audit.log|grep capability type=AVC msg=audit(1388174188.785:534): avc: denied { sys_resource } for pid=2819 comm="dbus-daemon" capability=24 scontext=unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023 tclass=capability ////////////////////////////////////////////////////////////////////// And, here's SETtroubleshoot Details window says. ////////////////////////////////////////////////////////////////////// Additional Information: Source Context unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023 Target Objects [ capability ] Source dbus-daemon Source Path /usr/bin/dbus-daemon Port <Unknown> Host localhost.localdomain Source RPM Packages dbus-1.6.12-2.fc19.i686 Target RPM Packages Policy RPM selinux-policy-3.12.1-106.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 3.11.10-301.fc20.i686+PAE #1 SMP Thu Dec 5 14:12:06 UTC 2013 i686 i686 Alert Count 1 First Seen 2013-12-28 04:56:28 JST Last Seen 2013-12-28 04:56:28 JST Local ID deb7259c-4795-48a1-a74f-61c331ddd21c Raw Audit Messages type=AVC msg=audit(1388174188.785:534): avc: denied { sys_resource } for pid=2819 comm="dbus-daemon" capability=24 scontext=unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023 tclass=capability type=SYSCALL msg=audit(1388174188.785:534): arch=i386 syscall=setrlimit success=no exit=EPERM a0=7 a1=bfd61e28 a2=b7594000 a3=b8d8cee0 items=0 ppid=1 pid=2819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=dbus-daemon exe=/usr/bin/dbus-daemon subj=unconfined_u:unconfined_r:segatex_t:s0-s0:c0.c1023 key=(null) Hash: dbus-daemon,segatex_t,segatex_t,capability,sys_resource ////////////////////////////////////////////////////// Is it just complaining for the more use for the resource?

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux January 2014