selinux February 2014

selinux@lists.fedoraproject.org

15 participants
22 discussions

how to change the context of running process
by bigclouds 21 Feb '14

21 Feb '14

hi,all 1. how to change the context of running process. 2. in my case, libvirtd is initrc_t, how to find where and which file defines this rule? libvirtd should be virtd_t, i want to correct it. 3.audot2allow outputs a rule ,'allow initrc_t svirt_t:process transition' is there a comamnd line tool can finish this request? not to install .pp module? thanks

2 1

Looking for the right, but easy way to add SELinux setup into my package/RPM
by Fulko Hew 18 Feb '14

18 Feb '14

I made a package a long time ago, and over the years I've been adding new features, but the correct? support of SELinux has always eluded me. Occasionally I encounter problems with new versions of Fedora and RHEL. Recently I was asked to support the installation of my RPM on RHEL 6 systems, and I find that there are new SELinux feature/requirements. Its probably me, but I haven't found any instructions/how-tos that have really helped (me) in providing the steps for testing and making a package SELinux compatible. I have something that works on older releases, but I've probably done it wrong. There's lots of documentation about its concepts, but not anything that has helped me in porting. Scenario: Given a working RPM (with SELinux disabled)... what would the process be (with examples) of turning SELinux on, attempting to install and run the various applications, viewing security logs, and turning any errors detected into correct config files/commands that can be included in a spec-file/package. Thanks Fulko

2 5

self:key?
by mark 17 Feb '14

17 Feb '14

CentOS 6.5. We've got a script running under apache for users to d/l software. Please don't ask my why it needs sudo.... At any rate, sealert tells me "SELinux is preventing /usr/bin/sudo from write access on the key .", and when I grep sudo /var/log/audit/audit.log | audit2allow, it shows that it would allow the script self:key write; What is self:key, and would this be very bad, or can I get away with it for this one script? mark

2 1

RE: How to properly setup my domains security contexts in the domain.fc file?
by Jayson Hurst 14 Feb '14

14 Feb '14

The policy was in play before installing the product, also why doesn't the pid file get labeled correctly? Sent from my Windows Phone ________________________________ From: Daniel J Walsh<mailto:dwalsh@redhat.com> Sent: ‎2/‎13/‎2014 6:58 PM To: Jayson Hurst<mailto:swazup@hotmail.com>; selinux(a)lists.fedoraproject.org<mailto:selinux@lists.fedoraproject.org> Subject: Re: How to properly setup my domains security contexts in the domain.fc file? On 02/13/2014 08:30 PM, Jayson Hurst wrote: > I have a file context installed as follows: > > # semanage fcontext -l | grep vasd > > /etc/rc.d/init.d/vasd regular file > system_u:object_r:vasd_initrc_exec_t:s0 /opt/quest/sbin/vasd regular file > system_u:object_r:vasd_exec_t:s0 /var/opt/quest(/.*)? all files > system_u:object_r:vasd_var_t:s0 /var/opt/quest/vas/vasd(/.*)? all files > system_u:object_r:vasd_var_auth_t:s0 /var/opt/quest/vas/vasd/.vasd.pid > regular file system_u:object_r:vasd_var_run_t:s0 > > After a fresh install I see the following: > > # ls -laZ /var/opt/quest/vas/vasd/ drwxr-xr-x. root root > unconfined_u:object_r:vasd_var_t:s0 . drwxr-xr-x. root root > unconfined_u:object_r:vasd_var_t:s0 .. -rw-r--r--. root root > unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb -rw-r--r--. root root > unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb > > > Why are the files being created under /var/opt/quest/vas/vasd not being > labelled correctly as qasd_var_auth_t as the fcontext states? Is the > software installer supposed to force a relabel on a post-install? > > After a restart of the daemon I do not see the pid file being labelled > correctly: > > # /etc/init.d/vasd restart Stopping vasd: vasd does not appear to be > running. Starting vasd: [ OK > ] > > # ls -laZ /var/opt/quest/vas/vasd/ drwxr-xr-x. daemon daemon > unconfined_u:object_r:vasd_var_t:s0 . drwxr-xr-x. root root > unconfined_u:object_r:vasd_var_t:s0 .. srwxrwxrwx. daemon daemon > unconfined_u:object_r:vasd_var_t:s0 .vasd_19574 srwxrwxrwx. daemon daemon > unconfined_u:object_r:vasd_var_t:s0 .vasd_19575 srwxrwxrwx. daemon daemon > unconfined_u:object_r:vasd_var_t:s0 .vasd_19576 srwxrwxrwx. daemon daemon > unconfined_u:object_r:vasd_var_t:s0 .vasd40_ipc_sock -rw-r--r--. daemon > daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid -rw-r--r--. daemon > daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb -rw-r--r--. > daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb > > After forcing a relabel: > > # restorecon -F -R /var/opt/quest/vas/vasd/ > > # ls -laZ /var/opt/quest/vas/vasd/ drwxr-xr-x. daemon daemon > system_u:object_r:vasd_var_auth_t:s0 . drwxr-xr-x. root root > unconfined_u:object_r:vasd_var_t:s0 .. srwxrwxrwx. daemon daemon > system_u:object_r:vasd_var_auth_t:s0 .vasd_19574 srwxrwxrwx. daemon daemon > system_u:object_r:vasd_var_auth_t:s0 .vasd_19575 srwxrwxrwx. daemon daemon > system_u:object_r:vasd_var_auth_t:s0 .vasd_19576 srwxrwxrwx. daemon daemon > system_u:object_r:vasd_var_auth_t:s0 .vasd40_ipc_sock -rw-r--r--. daemon > daemon system_u:object_r:vasd_var_auth_t:s0 .vasd.pid -rw-r--r--. daemon > daemon system_u:object_r:vasd_var_auth_t:s0 vas_ident.vdb -rw-r--r--. > daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_misc.vdb > > I get the files and directory labelled correctly, but not the pid file. I > can set a pid transition in the policy but then what is the point of > setting a file context in the <domain>.fc for the pid file if it never > gets picked up? Apparently I am missing something important here. > > Does anyone know a place for good documentation on this subject? > > > > > > > > -- selinux mailing list selinux(a)lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux > If RPM puts the files on disk and then installs your policy in post install, it will not fix the labels. You could create an vasd-selinux.rpm and require this to be installed before the vasd.rpm is installed. In that case the rpm should do the right thing, at least on Fedora/RHEL7. Not sure about RHEL6. Otherwise you can just run restorecon in the post install.

2 1

How to properly setup my domains security contexts in the domain.fc file?
by Jayson Hurst 13 Feb '14

13 Feb '14

I have a file context installed as follows: # semanage fcontext -l | grep vasd /etc/rc.d/init.d/vasd regular file system_u:object_r:vasd_initrc_exec_t:s0 /opt/quest/sbin/vasd regular file system_u:object_r:vasd_exec_t:s0 /var/opt/quest(/.*)? all files system_u:object_r:vasd_var_t:s0 /var/opt/quest/vas/vasd(/.*)? all files system_u:object_r:vasd_var_auth_t:s0 /var/opt/quest/vas/vasd/.vasd.pid regular file system_u:object_r:vasd_var_run_t:s0 After a fresh install I see the following: # ls -laZ /var/opt/quest/vas/vasd/ drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 . drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 .. -rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb -rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb Why are the files being created under /var/opt/quest/vas/vasd not being labelled correctly as qasd_var_auth_t as the fcontext states? Is the software installer supposed to force a relabel on a post-install? After a restart of the daemon I do not see the pid file being labelled correctly: # /etc/init.d/vasd restart Stopping vasd: vasd does not appear to be running. Starting vasd: [ OK ] # ls -laZ /var/opt/quest/vas/vasd/ drwxr-xr-x. daemon daemon unconfined_u:object_r:vasd_var_t:s0 . drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 .. srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19574 srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19575 srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19576 srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd40_ipc_sock -rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid -rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb -rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb After forcing a relabel: # restorecon -F -R /var/opt/quest/vas/vasd/ # ls -laZ /var/opt/quest/vas/vasd/ drwxr-xr-x. daemon daemon system_u:object_r:vasd_var_auth_t:s0 . drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 .. srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19574 srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19575 srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19576 srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd40_ipc_sock -rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd.pid -rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_ident.vdb -rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_misc.vdb I get the files and directory labelled correctly, but not the pid file. I can set a pid transition in the policy but then what is the point of setting a file context in the <domain>.fc for the pid file if it never gets picked up? Apparently I am missing something important here. Does anyone know a place for good documentation on this subject?

2 1

File context for /var/opt/quest/vas/vasd(/.*)? is defined in policy, cannot be deleted
by Jayson Hurst 13 Feb '14

13 Feb '14

I am trying to create a policy for vasd but I cannot set my own fcontext for /var/opt/quest/vas/vasd(/.*)? because I get the following error: /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/opt/quest/vas/vasd(/.*)? (system_u:object_r:qasd_var_auth_t:s0 and system_u:object_r:var_auth_t:s0) When I attempt to delete the file context I get: $ semanage fcontext -d "/var/opt/quest/vas/vasd(/.*)?" /usr/sbin/semanage: File context for /var/opt/quest/vas/vasd(/.*)? is defined in policy, cannot be deleted I don't know who or what has already installed this file context, but I am not able to work around it and it is causing problems with my module who is the true owner of the file directory in question. Is there was way to find out how this file context was created and by what? Also how do I remove it so I can define the directories file context correctly?

2 17

how to use setroubleshootd
by bigclouds 11 Feb '14

11 Feb '14

hi,all how to monitor selinux message from setroubleshootd? i want to integrate this function into my program, this function is like seaudit command line tool which can monitor selinux message in real time. 1. after i run this command, 'nc -U /var/run/setroubleshoot/setroubleshoot_server ', setroubleshootd exit immidiately. i want to connect to setroubleshoot_server to receive message , if am i right? thanks

2 1

semanage.conf.5.gz
by Dominick Grift 11 Feb '14

11 Feb '14

Is there any particular reason why this man page is installed with semanage-devel and not policycoreutils-python? I think it might make sense to install it with policycoreutils-python instead. It will make the info that it provides more accessible because it is pretty unlikely that semanage-devel will be installed on a regular system. One ends up with a semanage.conf without a corresponding man page

2 1

Bug ? on "semanage fcontext" when directory name is starting with Upper case
by Shintaro Fujiwara 10 Feb '14

10 Feb '14

Hi, I'm playing with my web server and found a strange incident. I try to enable write to certain directory in /var/www/dir in SELinux way. I know that fancy way of doing this is to type, # semanage fcontext -a -t httpd_sys_rw_content_t /var/www/dir After successfully added rw type to directory, I will type # restorecon -rv /var/www It works fine. But, when I name the very directory "/var/www/Dir" not "/var/www/dir" first command works fine and I could see by # semanage fcontext -l |grep "/var/www" The rw type is set allright. BUT, when I restorecon the /var/www, nothing happens and with force option, no use. Is this a bug on "semanage fcontext" or my box is broken? My solution now is just name the directory "/var/www/dir" and post this question. Thanks. [root@xxxx]# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 [root@xxxx]# rpm -qa|grep selinux selinux-policy-3.12.1-119.fc20.noarch libselinux-2.2.1-6.fc20.x86_64 libselinux-utils-2.2.1-6.fc20.x86_64 selinux-policy-targeted-3.12.1-119.fc20.noarch libselinux-python-2.2.1-6.fc20.x86_64 php-pecl-selinux-0.3.1-12.fc20.x86_64 libselinux-devel-2.2.1-6.fc20.x86_64 -- "segatex" SELinux tool http://sourceforge.net/projects/segatex/

2 4

audit2allow: invalid binary policy
by leo kirotawa 06 Feb '14

06 Feb '14

Hi, I'm having issues when use audit2allow in a Z machine with Fedora 19. This is the output message it raises: audit2allow -a security: ebitmap: map size 1064 does not match my size 64 (high bit was 595) invalid binary policy As a solution I thought in recompile my whole policy and generate a new /policy/binary, but this time I grabbed a ERROR: (serefpolicy-3.12.1) /usr/bin/checkmodule base.conf -o tmp/base.mod /usr/bin/checkmodule: loading policy configuration from base.conf policy/modules/kernel/domain.te":256:ERROR 'unknown type tape_device_t used in transition definition' at token ';' on line 22729: #line 256 type_transition unconfined_domain_type device_t:chr_file tape_device_t "ht00"; /usr/bin/checkmodule: error(s) encountered while parsing configuration make: *** [tmp/base.mod] Error 1 Looking in my /dev/ I did not find any 'ht00' device, what makes me suppose maybe it is the problem. Also looking in .te files I saw tape_device_t is defined into storage.te, and in this point I have no idea what is cause of this problem or how to fix it. Have you ever seen it before?

3 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux February 2014