place for Postfix keytab files to make selinux happy
by Stephen Ingram
I'm using Fedora 20 and CentOS 7 and have tried several places to place
keytab files for Postfix. Each time I'm getting a denied message:
type=AVC msg=audit(1419366895.530:491753): avc: denied { search } for
pid=28412 comm="lmtp" name="postfix" dev="xvda1" ino=1223493
scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1419366895.530:491753): arch=c000003e syscall=4
success=no exit=-13 a0=7f347b8377f0 a1=7fffa6f23670 a2=7fffa6f23670
a3=7fffa6f23540 items=0 ppid=28406 pid=28412 auid=4294967295 uid=89 gid=89
euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295
comm="lmtp" exe="/usr/libexec/postfix/lmtp"
subj=system_u:system_r:postfix_smtp_t:s0 key=(null)
I see on the postfix_selinux man page that there is a postfix_keytab_t
type, however, even if I use this, postfix is not able to read the
credential file. Has anyone gotten this to work?
Steve
8 years, 10 months
Looking for a SELinux Demo
by MJang
Hi,
Perhaps my googles are just failing me.
I'm looking for a demo of a security breach when SELinux is disabled --
and how that security breach is stopped when SELinux is enabled.
Alternatively, perhaps my imagination is failing me -- is there some
such demo that I could put together?
Thanks,
Mike
8 years, 11 months
Problem running "selinux sandbox" with java
by Bhuvan Gupta
Hello all,
Greeting and happy new year to all.
I am trying to sandbox a java application using selinux sandbox.
System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle
tar.gz version | cgred and cgconfig are stopped
The cmd (run as root):
sandbox /root/jdk/bin/java -version
The above cmd failed with:
/root/jdk/bin/java: error while loading shared libraries:
libjli.so: cannot open shared object file: No such file or directory
Digging revealed that "libjli.so" is an RPATH shared library, so I thought OK:
since sandbox is copying my bin/java to /tmp/sandbox_random, a
hardcoded path will not be found.
Then I changed the RPATH using the "chrpath" utility and changed it to a
hardcoded value.
But it still showed the same error.
Then I used the -M -i options of sandbox and ran the following command (I
included all the .so files it complained about):
sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i
/root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i
/root/jdk/jre/lib/amd64/server/libjvm.so -i
/root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so
/root/jdk/bin/java -version
That command resulted in this error:
Java HotSpot(TM) 64-Bit Server VM warning: INFO:
os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission
denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to
continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for
committing reserved memory.
# An error report file with more information is saved as:
# /root/hs_err_pid1270.log
Now I used strace to see what happened and strace printed (small
section):
clone(child_stack=0,
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x7fb15b6359d0) = 8268
close(4) = 0
read(3, "", 1048576) = 0
close(3) = 0
wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO:
os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission
denied' (errno=13)
I have enough space for sure.
Can you guys please indicate what might be wrong?
8 years, 11 months
checkpolicy doesn't know interface "gnome_manage_generic_home_content"
by Shintaro Fujiwara
Hi, I'm making a module related to GNOME.
I want to use the interface "gnome_manage_generic_home_content", but
checkpolicy complains that it doesn't know the interface.
gnome.if in the latest refpolicy has "gnome_manage_generic_home_content".
It seems it knows not "gnome_manage_generic_home_content" but
"gnome_manage_generic_home_dirs".
###################################
module local 1.0;

require {
    type mytype_t;
    class lnk_file { getattr read };
    class dir { create open getattr setattr read write link unlink
                rename search add_name remove_name reparent rmdir lock ioctl };
}

gnome_manage_generic_home_content(mytype_t)
#gnome_manage_generic_home_dirs(mytype_t) <- works fine !
####################################
[root@localhost xxx]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:13:ERROR 'syntax error' at token
'gnome_manage_generic_home_content' on line 991:
gnome_manage_generic_home_content(mytype_t)
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/share/selinux/devel/include/Makefile:154: recipe for target
'tmp/local.mod' failed
make: *** [tmp/local.mod] Error 1
####################################
checkpolicy version
[fujiwara@localhost ~]$ rpm -qf /usr/bin/checkmodule
checkpolicy-2.3-4.fc21.x86_64
--
A page for establishing heavy metal and hard rock in Japan
http://heavymetalhardrock.no-ip.info/
Free software that makes the secure OS SELinux easier to use worldwide
http://sourceforge.net/projects/segatex/
CMS (free software using PHP and PostgreSQL)
http://sourceforge.net/projects/webon/
https://github.com/intrajp/irforum_jp
8 years, 11 months
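The checkmodule output in the post above is what an undefined interface looks like: m4 leaves `gnome_manage_generic_home_content(mytype_t)` unexpanded because no installed .if file defines it, and checkmodule then fails with a bare "syntax error" at that token. A quick way to confirm that before building is to grep the installed headers for the interface definition. The following shell script is an added example and not part of the post; the stub gnome.if it writes to a temp dir is constructed so the check can run offline, whereas a real build uses the headers under /usr/share/selinux/devel/include.

```shell
#!/bin/sh
# Added example, not from the post. Checks whether a refpolicy interface is
# defined in the headers a "make -f /usr/share/selinux/devel/Makefile" build
# will use, before checkmodule turns the unexpanded m4 call into a syntax error.

# Prints the .if file(s) defining interface $1 under include dir $2
# (default /usr/share/selinux/devel/include); returns 1 if nothing defines it.
find_interface() {
    iface="$1"
    incdir="${2:-/usr/share/selinux/devel/include}"
    tick="$(printf '\140')"              # a literal backtick (octal 140)
    pat="^interface(${tick}${iface}'"    # refpolicy defines: interface(`name',`
    hits="$(find "$incdir" -name '*.if' -exec grep -l "$pat" {} \; 2>/dev/null)"
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Constructed stub of a gnome.if that only defines the *_home_dirs interface,
# mirroring the header set the post's checkmodule evidently had. Echoes the
# temp dir it created.
make_demo_headers() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/contrib"
    cat > "$dir/contrib/gnome.if" <<'EOF'
## <summary>Constructed stub of a refpolicy gnome.if (not the real file)</summary>
interface(`gnome_manage_generic_home_dirs',`
    gen_require(`
        type gnome_home_t;
    ')
    allow $1 gnome_home_t:dir manage_dir_perms;
')
EOF
    echo "$dir"
}

demo="$(make_demo_headers)"
find_interface gnome_manage_generic_home_dirs "$demo" \
    && echo "gnome_manage_generic_home_dirs: defined"
find_interface gnome_manage_generic_home_content "$demo" \
    || echo "gnome_manage_generic_home_content: not in the installed headers"
rm -rf "$demo"
```

Running `find_interface gnome_manage_generic_home_content` with no second argument performs the same check against the real header directory; an empty result there means the installed selinux-policy-devel headers predate the interface, and the module has to fall back to an interface those headers do define (as the commented-out `gnome_manage_generic_home_dirs` line in the post does) or be built against newer headers.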
SELinux alert in Fedora 21
by Shintaro Fujiwara
Hi, I run SELinux on Fedora 21.
I got this alert.
What's this?
SELinux is preventing /usr/sbin/logrotate from read access on the directory
/var/cache/dnf.
***** Plugin catchall (100. confidence) suggests
**************************
Additional Information:
Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context system_u:object_r:rpm_var_cache_t:s0
Target Objects /var/cache/dnf [ dir ]
Source logrotate
Source Path /usr/sbin/logrotate
Port <Unknown>
Host localhost.localdomain
Source RPM Packages logrotate-3.8.7-4.fc21.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-99.fc21.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
3.17.6-300.fc21.x86_64
#1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64
x86_64
Alert Count 1
First Seen 2014-12-15 07:21:01 JST
Last Seen 2014-12-15 07:21:01 JST
Local ID 4f20b888-a8fd-484b-a665-dcd7b149502d
Raw Audit Messages
type=AVC msg=audit(1418595661.775:465): avc: denied { read } for
pid=6758 comm="logrotate" name="dnf" dev="dm-1" ino=3148310
scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1418595661.775:465): arch=x86_64 syscall=openat
success=no exit=EACCES a0=ffffffffffffff9c a1=7fffc09f1730 a2=90800 a3=0
items=0 ppid=6756 pid=6758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=3 comm=logrotate exe=/usr/sbin/logrotate
subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read
[fujiwara@localhost ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 29
--
A page for establishing heavy metal and hard rock in Japan
http://heavymetalhardrock.no-ip.info/
Free software that makes the secure OS SELinux easier to use worldwide
http://sourceforge.net/projects/segatex/
CMS (free software using PHP and PostgreSQL)
http://sourceforge.net/projects/webon/
https://github.com/intrajp/irforum_jp
8 years, 12 months
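Both the Postfix keytab denial in the first post on this page and the logrotate alert above are raw AVC records paired with a SYSCALL record that shares the same audit serial number; the SYSCALL half carries the exe and uid that the AVC line lacks, and setroubleshoot's "Hash:" line is just the tuple comm, source type, target type, class, permission. The following Python is an added example, not code from either post: it re-joins records that a mail client wrapped, pairs each AVC with its SYSCALL record by serial, and groups denials by that hash key. The first two denials in the sample are the ones quoted in the two posts; the third record (serial 466) is constructed to show grouping.

```python
"""Structure raw SELinux audit records (AVC plus SYSCALL) for triage.

Added example, not code from the mailing-list posts. The first two denials in
SAMPLE_AUDIT are quoted from the Postfix and logrotate posts with their mail
line-wrapping intact; the third (serial 466) is constructed to show grouping.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_AUDIT = """\
type=AVC msg=audit(1419366895.530:491753): avc: denied { search } for
pid=28412 comm="lmtp" name="postfix" dev="xvda1" ino=1223493
scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1419366895.530:491753): arch=c000003e syscall=4
success=no exit=-13 a0=7f347b8377f0 a1=7fffa6f23670 a2=7fffa6f23670
a3=7fffa6f23540 items=0 ppid=28406 pid=28412 auid=4294967295 uid=89 gid=89
euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295
comm="lmtp" exe="/usr/libexec/postfix/lmtp"
subj=system_u:system_r:postfix_smtp_t:s0 key=(null)
type=AVC msg=audit(1418595661.775:465): avc: denied { read } for
pid=6758 comm="logrotate" name="dnf" dev="dm-1" ino=3148310
scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1418595661.775:465): arch=x86_64 syscall=openat
success=no exit=EACCES a0=ffffffffffffff9c a1=7fffc09f1730 a2=90800 a3=0
items=0 ppid=6756 pid=6758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=3 comm=logrotate exe=/usr/sbin/logrotate
subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1418595700.000:466): avc: denied { read } for pid=6801 comm="logrotate" name="dnf" dev="dm-1" ino=3148310 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: "
                    r"denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
SYSCALL_RE = re.compile(r"^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap(text: str) -> List[str]:
    """Re-join records a mail client wrapped: a line not starting with
    'type=' continues the previous record."""
    records: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_kv(text: str) -> Dict[str, str]:
    """Turn 'k=v k2="quoted"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


@dataclass
class Denial:
    serial: int
    perms: tuple
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    exe: str = ""      # the three below come from the matching SYSCALL record
    uid: str = ""
    syscall: str = ""

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    @property
    def hash_key(self) -> str:
        """Same tuple setroubleshoot prints on its 'Hash:' line."""
        return ",".join((self.comm, self.source_type, self.target_type,
                         self.tclass, self.perms[0]))


def parse_audit(text: str) -> List[Denial]:
    """Parse AVC records; attach exe/uid/syscall from the SYSCALL record
    that carries the same audit serial number."""
    denials: List[Denial] = []
    by_serial: Dict[int, Denial] = {}
    for record in unwrap(text):
        avc = AVC_RE.match(record)
        if avc:
            kv = parse_kv(avc.group("rest"))
            d = Denial(int(avc.group("serial")), tuple(avc.group("perms").split()),
                       kv.get("comm", ""), kv["scontext"], kv["tcontext"], kv["tclass"])
            denials.append(d)
            by_serial[d.serial] = d
            continue
        sc = SYSCALL_RE.match(record)
        if sc and int(sc.group("serial")) in by_serial:
            kv = parse_kv(sc.group("rest"))
            d = by_serial[int(sc.group("serial"))]
            d.exe, d.uid, d.syscall = kv.get("exe", ""), kv.get("uid", ""), kv.get("syscall", "")
    return denials


def summarize(denials: List[Denial]) -> Dict[str, int]:
    """Count denials per hash key, the unit setroubleshoot reports on."""
    return dict(Counter(d.hash_key for d in denials))


if __name__ == "__main__":
    for d in parse_audit(SAMPLE_AUDIT):
        print(d.serial, d.hash_key, d.exe or "(no SYSCALL record)", "uid=" + d.uid)
    print(summarize(parse_audit(SAMPLE_AUDIT)))
```

The grouping key is what matters for triage: the postfix_smtp_t denial on postfix_data_t (a search on the directory holding the keytab, by uid 89) and the logrotate_t denial on rpm_var_cache_t are two distinct policy questions, and repeated records with the same key are one event to answer, not many. Feeding the output of `ausearch -m AVC --raw` into `parse_audit` instead of the embedded sample gives the same structure for a live system.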