Ruby random UDP port bind in DNS resolver
by Lukas Zapletal
Hello,
in our software (Foreman) we use the DNS resolver provided by the Ruby runtime.
This is some kind of optimized thread-safe resolver which ships with the
Ruby platform.
The problem I am facing is that this implementation randomly binds a UDP
port when a DNS request is sent. Here is the code bit:
https://github.com/ruby/ruby/blob/trunk/lib/resolv.rb#L651-L660
This is there from Ruby 1.8.7 until now (trunk) as far as I can tell.
Since any Ruby application can leverage this API and expect the same
behavior, I'd like to ask whether you have encountered such an error in Fedora and
how you recommend solving it.
Have you experienced this kind of behavior with non-Ruby DNS clients?
Is it safe to allow UDP binds for all unprivileged ports?
How do I do this technically in my policy?
Thanks.
--
Later,
Lukas #lzap Zapletal
9 years, 4 months
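Added example for the post above (not code from the post, from Ruby's resolv.rb or from the Fedora policy): a small Python model of why an explicit random source-port bind trips SELinux only some of the time. The random source port is the standard defence against blind DNS cache poisoning, so the resolver is doing the right thing; the interaction with SELinux comes from the kernel hook, which consults the `udp_socket name_bind` permission only for an explicit non-zero port that lies below 1024 or outside `net.ipv4.ip_local_port_range`. A bind to port 0, where the kernel picks the ephemeral port, is never checked against a port type. resolv.rb draws its port from 1024..65535 as I read the linked source (treat that range as an assumption for your version), so with the default local range a bit over half of its binds reach a port-type check, and a draw that lands on a port with a specific label (rather than `unreserved_port_t`) is denied even if the domain may bind unreserved ports. `name_bind_checked` is my reconstruction of that kernel rule and the 32768..60999 range is an assumed default; the `bind_random_udp_port` helper reproduces the bind-and-retry pattern with a bounded attempt count, since to the process an SELinux denial looks like EACCES.

```python
"""Model of the SELinux name_bind decision for an explicit UDP bind.

Added illustration; not code from resolv.rb or from the Fedora policy.
"""
import errno
import random
import socket
from fractions import Fraction

PROT_SOCK = 1024                      # ports below this are always label-checked
DEFAULT_LOCAL_RANGE = (32768, 60999)  # assumed kernel default for ip_local_port_range
RESOLV_RANGE = (1024, 65535)          # range resolv.rb draws from, as I read the source


def local_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Return (low, high) from the running kernel, falling back to the default."""
    try:
        with open(path) as fh:
            low, high = fh.read().split()
            return int(low), int(high)
    except (OSError, ValueError):
        return DEFAULT_LOCAL_RANGE


def name_bind_checked(port, local_range=DEFAULT_LOCAL_RANGE):
    """True when SELinux consults the port's label (name_bind) for this bind.

    Reconstruction of the kernel rule: port 0 lets the kernel choose and is not
    checked; an explicit port is checked only when it is below max(1024, low)
    or above high of ip_local_port_range.
    """
    if port == 0:
        return False
    low, high = local_range
    return port < max(PROT_SOCK, low) or port > high


def fraction_checked(pick_range=RESOLV_RANGE, local_range=DEFAULT_LOCAL_RANGE):
    """Exact share of uniformly drawn ports in pick_range that get label-checked."""
    lo, hi = pick_range
    checked = sum(1 for p in range(lo, hi + 1) if name_bind_checked(p, local_range))
    return Fraction(checked, hi - lo + 1)


def bind_random_udp_port(host="127.0.0.1", pick_range=RESOLV_RANGE, max_attempts=50):
    """Bind a UDP socket to an explicit random port, like resolv.rb, but with a bound.

    EADDRINUSE means someone holds the port; EACCES/EPERM is what an SELinux
    (or other MAC) denial looks like to the process.  An unbounded retry turns
    each such denial into one AVC record; here the attempts are capped.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for _ in range(max_attempts):
        port = random.randint(*pick_range)
        try:
            sock.bind((host, port))
            return sock, port
        except OSError as exc:
            if exc.errno not in (errno.EADDRINUSE, errno.EACCES, errno.EPERM):
                sock.close()
                raise
    sock.close()
    raise RuntimeError("no bindable port after %d attempts" % max_attempts)


if __name__ == "__main__":
    rng = local_port_range()
    print("ip_local_port_range:", rng)
    print("share of resolv.rb-style binds that are label-checked: %.1f%%"
          % (100 * float(fraction_checked(local_range=rng))))
    sock, port = bind_random_udp_port()
    print("bound to port %d, label-checked: %s" % (port, name_bind_checked(port, rng)))
    sock.close()
```

Run it on the host in question to see how much of the draw range falls under a port-type check there; the denials to expect are then the `name_bind` ones on whatever labelled ports fall in that range, which is what `sesearch -A -s <domain> -c udp_socket -p name_bind` will show the domain is currently allowed.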
What's the best way to resolve these AVCs
by Ed Greshko
This comes about from a thread on the "users" list.
The person on the users list has an external drive, formatted with an ntfs partition. It gets mounted at boot time as there is an fstab entry for it using UUID as the identifier. It is being mounted on /media/PRTZ-src_sync
The person wishes to run an rsync at boot time and is using the rc-local.service to call another script file containing the following.
#!/bin/bash
/usr/bin/rsync -av \
--delete \
--include='*/' \
--include='*.java' \
--include='*.form' \
--exclude='*' \
/home/programmers/java/PROJECTS_development/ \
/media/PRTZ-src_sync
This fails, with no errors. But it generates the following AVC
type=AVC msg=audit(1414746668.306:107): avc: denied { search } for pid=805 comm="rsync" name="programmers" dev="dm-0" ino=786655 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1414746668.306:108): avc: denied { getattr } for pid=807 comm="rsync" path="/media/PRTZ-src_sync" dev="sdb1" ino=1 scontext=system_u:system_r:
The "work around" is either to run in permissive (not ideal) or to call the script from the rc.local script like so...
su -c '/etc/rc.d/syncronize-java_srcs.sh' programmers
What would be the "selinux" fix for this?
Thanks....
--
If you can't laugh at yourself, others will gladly oblige.
9 years, 4 months
Optional policy block on some macros
by Lukas Zapletal
Hello,
I am working on a policy where we want to modularize certain features
(management of DHCP, DNS and TFTP services). Since users can turn these
features on and off, we would like to introduce SELinux booleans to do
the same.
Unfortunately when I try to put some macros in the tunable_policy
blocks, I get errors:
tunable_policy(`foreman_proxy_manage_dhcp', `
dhcpd_admin(foreman_proxy_t, system_r)
netutils_exec_ping(foreman_proxy_t)
netutils_domtrans_ping(foreman_proxy_t)
')
foreman-proxy.te":188:ERROR 'syntax error' at token 'typeattribute' on
line 10649:
typeattribute foreman_proxy_t initrc_transition_domain;
/usr/bin/checkmodule: error(s) encountered while parsing
configuration
It works just fine without the tunable_policy block.
Where's the snag and how can we work around it? Thanks!
--
Later,
Lukas #lzap Zapletal
9 years, 4 months
Diagnostic messages
by Gian Luca Ortelli
Hi,
I recently had to do some selinux tuning to have chrome correctly start on
my fedora 20 box. I googled around and eventually found the correct type to
apply to the chrome executable in order to make it work.
So the problem is solved, but the error messages that I got were much less
informative than I expected. After watching
https://www.youtube.com/watch?v=MxjenQ31b70 on selinux configuration, I was
expecting messages in a format like "selinux is preventing X from access on
directory Y", but instead...
'journal -f' provided nothing useful; 'tail -f /var/log/audit/audit.log'
showed a couple of log lines which actually mentioned chrome, but in too
generic a manner (see below):
--------------------------------------
type=SYSCALL msg=audit(1413532031.170:387): arch=c000003e syscall=56
success=yes exit=2394 a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=2382 pid=2393
auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000
fsgid=1000 tty=(none) ses=1 comm="chrome-sandbox"
exe="/opt/google/chrome/chrome-sandbox"
subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1413532031.170:387):
proctitle=2F6F70742F676F6F676C652F6368726F6D652F6368726F6D652D73616E64626F78002F6F70742F676F6F676C652F6368726F6D652F6368726F6D65002D2D747970653D7A79676F7465
type=ANOM_ABEND msg=audit(1413532031.195:388): auid=1000 uid=1000 gid=1000
ses=1 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
pid=2394 comm="chrome" exe="/opt/google/chrome/chrome" sig=11
--------------------------------------
Before I fixed the problem, launching google-chrome from command line
resulted in an error message about the impossibility of creating
directory .pki/nssdb in my home. No mention of this directory name in the
audit.
And to finish, the SELinux troubleshooting tool didn't show anything at all.
Why don't I see richer diagnostics? Am I missing some configuration?
Kind regards,
Gianluca Ortelli
9 years, 4 months
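Added example serving both the rsync AVC post and the chrome diagnostics post above (not code from either post, nor from audit2allow or sealert): a small Python reader for the audit records quoted in them. For the rsync case it derives the raw `allow` rule that `audit2allow` would print from the AVC, which is the thing to review before deciding between a boolean (`getsebool -a | grep rsync`), a file-label change, or a custom module. For the chrome case it makes the point the audit log itself makes: event 387 is a SYSCALL plus PROCTITLE record with no AVC, and event 388 is an ANOM_ABEND with sig=11, a SIGSEGV crash of chrome running in `chrome_sandbox_t`. Nothing in those lines is an SELinux denial, which is why the troubleshooter had nothing to show; a denial that is hidden by a dontaudit rule can be surfaced with `semodule -DB` (and hidden again with `semodule -B`). The hex `proctitle=` value decodes to the NUL-separated argv of the process, which answers "what was chrome doing". The sample lines are copied from the posts with their wrapped lines joined; the truncated second rsync AVC is left out.

```python
"""Parse the audit records quoted in the two posts above and say what each
event means.  Added example; not code from either post or from audit2allow.
"""
import re
import signal

# Constructed sample: the complete rsync AVC from the first post (the truncated
# second one is left out) and the three chrome records from the second post,
# with their wrapped lines joined back together.
SAMPLE = """\
type=AVC msg=audit(1414746668.306:107): avc: denied { search } for pid=805 comm="rsync" name="programmers" dev="dm-0" ino=786655 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1413532031.170:387): arch=c000003e syscall=56 success=yes exit=2394 a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=2382 pid=2393 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1413532031.170:387): proctitle=2F6F70742F676F6F676C652F6368726F6D652F6368726F6D652D73616E64626F78002F6F70742F676F6F676C652F6368726F6D652F6368726F6D65002D2D747970653D7A79676F7465
type=ANOM_ABEND msg=audit(1413532031.195:388): auid=1000 uid=1000 gid=1000 ses=1 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 pid=2394 comm="chrome" exe="/opt/google/chrome/chrome" sig=11
"""
SAMPLE_LINES = SAMPLE.splitlines()

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type:level -> type."""
    return ctx.split(':')[2]


def parse_record(line):
    """One audit line -> dict with type, serial, fields (plus result/perms for AVC)."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": ts, "serial": int(serial)}
    if rtype == "AVC":
        a = AVC_RE.search(body)
        if a:
            rec["result"], perms, body = a.groups()
            rec["perms"] = set(perms.split())
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return rec


def allow_rule(avc):
    """The raw rule audit2allow would derive from one AVC (review before using)."""
    f = avc["fields"]
    perms = sorted(avc["perms"])
    perm_txt = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (context_type(f["scontext"]),
                                   context_type(f["tcontext"]), f["tclass"], perm_txt)


def decode_proctitle(value):
    """proctitle= is hex when argv held NUL separators; split it back into argv."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:          # plain (quoted) value, quotes already stripped
        return [value]
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0") if arg]


def signal_name(num):
    """Signal number from an ANOM_ABEND record -> name, e.g. 11 -> SIGSEGV."""
    return signal.Signals(num).name


def summarize(text):
    """One line per audit event (records sharing a serial), a defender's reading."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    out = []
    for serial, recs in sorted(events.items()):
        by_type = {r["type"]: r for r in recs}
        if "AVC" in by_type:
            avc = by_type["AVC"]
            f = avc["fields"]
            mode = "enforcing" if f.get("permissive") == "0" else "permissive"
            out.append("%d: %s %s %s on %s by comm=%s (%s); audit2allow would emit: %s"
                       % (serial, context_type(f["scontext"]), avc["result"],
                          " ".join(sorted(avc["perms"])), context_type(f["tcontext"]),
                          f.get("comm"), mode, allow_rule(avc)))
        elif "ANOM_ABEND" in by_type:
            f = by_type["ANOM_ABEND"]["fields"]
            out.append("%d: comm=%s (%s) crashed with %s; no AVC in this event, so no "
                       "denial was audited (a dontaudit rule can still hide one)"
                       % (serial, f["comm"], context_type(f["subj"]),
                          signal_name(int(f["sig"]))))
        else:
            f = by_type.get("SYSCALL", {}).get("fields", {})
            argv = (decode_proctitle(by_type["PROCTITLE"]["fields"]["proctitle"])
                    if "PROCTITLE" in by_type else [])
            out.append("%d: syscall %s by comm=%s argv=%s; no AVC"
                       % (serial, f.get("syscall"), f.get("comm"), argv))
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Feed it `ausearch -m AVC,SYSCALL,PROCTITLE,ANOM_ABEND -ts recent` output (or the raw audit.log) to get the same three-line reading for a live event; records that belong to one event share the serial after the timestamp, which is how the SYSCALL and PROCTITLE lines above are grouped.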
sssd_be port type
by mark
Hi, folks,
CentOS 6.5, /usr/libexec/sssd/sssd_be - wants to connect to network
port. Should that be kerberos_port_t or kerberos_password_port_t?
mark
9 years, 4 months
Re: find invalid fcontext without autorelabeling
by George Karakougioumtzis
It seems that restorecon -Rv / would do the trick, thanks
On 10/24/2014 08:15 PM, Yusuf Hadiwinata wrote:
> Hi
>
> You need to know the right security context and use semanage fcontext -t
> http_sys_content_t '/var/www/myweb' and run restoreconf for example
>
9 years, 4 months
find invalid fcontext without autorelabeling
by George Karakougioumtzis
So I disabled some semodules I did not want, to make SELinux perform
faster, and my logs got filled with invalid context. Is there an easy way
to restorecon without touching an autorelabel file?
Something like
find / -type f -context blahblah
or something else?
Actually I thought that since the context was invalid SELinux would have
simply denied access to the files, but that didn't seem to be the case...
9 years, 4 months
custom logwatch crontab issues
by Dmitry Makovey
Hi,
While playing with logwatch setup I've stepped on a small issue: when I
try to use logwatch to output to file via:
logwatch > /var/lib/logwatch/all_reports.txt
I get a denial whether I tag the above file with var_lib_t or cron_var_lib_t.
I took a look at sesearch:
$ sesearch -A -s logwatch_exec_t
Found 7 semantic av rules:
allow file_type tmp_t : filesystem associate ;
allow file_type noxattrfs : filesystem associate ;
allow file_type fs_t : filesystem associate ;
allow file_type ramfs_t : filesystem associate ;
allow file_type tmpfs_t : filesystem associate ;
allow file_type hugetlbfs_t : filesystem associate ;
allow logwatch_exec_t logwatch_exec_t : filesystem associate ;
Nothing indicates any way of making my setup work other than crafting a
module, is that the answer?
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
Woody Allen
When in trouble when in doubt run in circles scream and shout
http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
9 years, 5 months
SECMARK type containment strategy
by Philip Seeley
Hi all,
We're looking to add additional packet type containment when running MLS
(currently selinux-policy-mls-3.7.19-231.el6_5.3) using SECMARK.
For the standard daemons I've looked to see if there are appropriate types
that we can reuse. For example for SSH there is the ssh_server_packet_t
type, so the following iptables rule would suffice:
iptables -t mangle -A INPUT -p tcp --dport 22 -j SECMARK --selctx
system_u:object_r:ssh_server_packet_t
So I checked what domain types could send and recv this type:
[root@build7 ~]# sesearch -A -t ssh_server_packet_t
Found 7 semantic av rules:
allow vmware_host_t server_packet_type : packet { send recv } ;
allow corenet_unconfined_type packet_type : packet { send recv relabelto
flow_in flow_out forward_in forward_out } ;
allow sshd_t ssh_server_packet_t : packet { send recv } ;
allow iptables_t packet_type : packet relabelto ;
allow kernel_t packet_type : packet send ;
allow squid_t packet_type : packet { send recv } ;
allow git_session_t server_packet_type : packet { send recv } ;
I wasn't expecting the git and squid entries and to a lesser degree the
vmware domain. These seem to stem from the following direct rules:
[root@build7 ~]# sesearch -A -d -t server_packet_type
Found 2 semantic av rules:
allow vmware_host_t server_packet_type : packet { send recv } ;
allow git_session_t server_packet_type : packet { send recv } ;
[root@build7 ~]# sesearch -A -d -t packet_type
Found 4 semantic av rules:
allow corenet_unconfined_type packet_type : packet { send recv relabelto
flow_in flow_out forward_in forward_out } ;
allow iptables_t packet_type : packet relabelto ;
allow kernel_t packet_type : packet send ;
allow squid_t packet_type : packet { send recv } ;
So my 2 questions are:
1) Is the approach of reusing the existing *_server_packet_t types in
SECMARK rules a good one?
2) Are there good reasons for the git and squid entries?
Thanks
Phil
9 years, 5 months
Managing SELinux in the Enterprise
by Douglas Brown
Hi all,
SELinux has some configuration files such as /etc/selinux/config which are easily managed with a tool like puppet. There are also modular policies that can be managed with rpms (via Satellite) and/or puppet (semodule). Finally puppet supports enforcing booleans with 'seboolean'. However, there are a few things missing:
* SELinux user and role mappings
* Port labels (only supported in base policy or changed with semanage like so: semanage port -a -t httpd_port_t -p tcp 6312)
* Custom file labels (i.e. semanage fcontext -a -t httpd_sys_content_t "/data/www(/.*)?")
I know these can be imported and exported with semanage using the -i and -o flags, however it’s slow and doesn't easily facilitate the programmatic query and enforcement of these settings at scale using a tool like puppet. Ideally puppet could manage the .local files in /etc/selinux/targeted/modules/active/, however Red Hat support tells me this won’t work and that semanage is the only supported mechanism. Surely there’s someone in the community who has a non-hackish method of dealing with this?
Is FreeIPA the solution to the user and role mappings? What about the labels?
Thanks,
Doug
9 years, 5 months
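Querying and enforcing port and file labels programmatically, as the post above asks for, is the job a puppet provider would have to do. As an added example (not code from puppet, semanage or the post), here is the core of such a provider in Python: parse the listings that `semanage port -l` and `semanage fcontext -l` print, compare them with a desired state, and emit only the `semanage` commands still needed, so a run against an already-converged host produces nothing. The sample listings are constructed in the column layout I know those commands to print; check them against your version. `semanage ... -lC` lists only local customizations and is the cheaper thing to diff for drift, but deciding between `-a` and `-m` needs the full list, because `-a` on a port the base policy already labels fails as already defined while `-m` records a local override.

```python
"""Converge local SELinux port and file-context customizations to a desired
state, the way a configuration-management provider would: parse what
semanage reports, then emit only the commands still needed.

Added example; not code from puppet, semanage or the post.  The two sample
listings are constructed in the column layout `semanage port -l` and
`semanage fcontext -l` print (assumed to match your version).
"""
import re

# Constructed sample of `semanage port -l` (base policy plus local entries).
SAMPLE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      2222
zabbix_port_t                  tcp      10050-10051
"""

# Constructed sample of `semanage fcontext -l` (local entries shown).
SAMPLE_FCONTEXT_LIST = """\
SELinux fcontext                                   type               Context

/data/www(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0
/srv/git(/.*)?                                     all files          system_u:object_r:git_sys_content_t:s0
/data/www/cache(/.*)?                              all files          <<None>>
"""


def parse_port_list(text):
    """Return {(proto, port): type} for every port and port range listed."""
    labels = {}
    for line in text.splitlines():
        m = re.match(r'^(\S+)\s+(tcp|udp|sctp|dccp)\s+(.+)$', line)
        if not m:
            continue                     # header, blank, or unknown layout
        ptype, proto, ports = m.groups()
        for item in ports.split(','):
            item = item.strip()
            if '-' in item:              # "10050-10051" is an inclusive range
                low, high = (int(x) for x in item.split('-'))
                for port in range(low, high + 1):
                    labels[(proto, port)] = ptype
            else:
                labels[(proto, int(item))] = ptype
    return labels


def parse_fcontext_list(text):
    """Return {regex: type} ('<<none>>' for entries that disable labelling)."""
    rules = {}
    for line in text.splitlines():
        cols = re.split(r'\s{2,}', line.strip())
        if len(cols) != 3 or not cols[0].startswith('/'):
            continue                     # header or blank line
        spec, _ftype, ctx = cols
        rules[spec] = '<<none>>' if ctx.startswith('<<') else ctx.split(':')[2]
    return rules


def converge_ports(current, desired):
    """Commands that make `current` match `desired`, touching nothing else.

    A port unknown to the policy gets -a; one carrying a different type gets -m
    (which also works for ports the base policy defines, where -a would fail as
    already defined); an entry that is already correct yields nothing.
    """
    cmds = []
    for (proto, port), ptype in sorted(desired.items()):
        have = current.get((proto, port))
        if have == ptype:
            continue
        flag = '-a' if have is None else '-m'
        cmds.append('semanage port %s -t %s -p %s %d' % (flag, ptype, proto, port))
    return cmds


def converge_fcontexts(current, desired):
    """Same idea for file-context specs; run restorecon -R on the paths afterwards."""
    cmds = []
    for spec, ftype in sorted(desired.items()):
        have = current.get(spec)
        if have == ftype:
            continue
        flag = '-a' if have is None else '-m'
        cmds.append('semanage fcontext %s -t %s "%s"' % (flag, ftype, spec))
    return cmds


if __name__ == "__main__":
    # Constructed desired state: one port to add, one mislabelled, one already right.
    want_ports = {('tcp', 6312): 'http_port_t',
                  ('tcp', 2222): 'http_port_t',
                  ('tcp', 10050): 'zabbix_port_t'}
    want_fc = {'/data/www(/.*)?': 'httpd_sys_content_t',
               '/data/api(/.*)?': 'httpd_sys_content_t'}
    for cmd in converge_ports(parse_port_list(SAMPLE_PORT_LIST), want_ports):
        print(cmd)
    for cmd in converge_fcontexts(parse_fcontext_list(SAMPLE_FCONTEXT_LIST), want_fc):
        print(cmd)
```

A file-context rule only takes effect on existing files after `restorecon -R` over the matching paths, so a provider should follow a `semanage fcontext` change with that step. Login and user mappings (`semanage login -l`, `semanage user -l`) are tabular in the same way and can be handled with the same parse-compare-emit loop.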