how to change the context of running process
by bigclouds
Hi, all
1. How to change the context of a running process?
2. In my case, libvirtd is initrc_t; how do I find where and which file defines this rule? libvirtd should be virtd_t, I want to correct it.
3. audit2allow outputs a rule, 'allow initrc_t svirt_t:process transition'. Is there a command line tool that can finish this request, without installing a .pp module?
thanks
10 years, 2 months
Looking for the right, but easy way to add SELinux setup into my package/RPM
by Fulko Hew
I made a package a long time ago, and over the years I've been adding
new features, but the correct? support of SELinux has always eluded me.
Occasionally I encounter problems with new versions of Fedora and RHEL.
Recently I was asked to support the installation of my RPM on RHEL 6
systems, and I find that there are new SELinux feature/requirements.
It's probably me, but I haven't found any instructions/how-tos that have
really helped (me) in providing the steps for testing and making a package
SELinux compatible. I have something that works on older releases,
but I've probably done it wrong.
There's lots of documentation about its concepts, but not anything
that has helped me in porting.
Scenario:
Given a working RPM (with SELinux disabled)... what would the process
be (with examples) of turning SELinux on, attempting to install and
run the various applications, viewing security logs, and turning
any errors detected into correct config files/commands that can be
included in a spec-file/package.
Thanks
Fulko
10 years, 2 months
self:key?
by mark
CentOS 6.5. We've got a script running under apache for users to d/l
software. Please don't ask me why it needs sudo....
At any rate, sealert tells me "SELinux is preventing /usr/bin/sudo from
write access on the key .", and when I grep sudo /var/log/audit/audit.log
| audit2allow, it shows that it would allow the script self:key write;
What is self:key, and would this be very bad, or can I get away with it
for this one script?
mark
10 years, 2 months
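Both bigclouds' third question and mark's self:key question come down to how audit2allow turns audit.log AVC records into allow rules. As an added illustration that is not part of either post, here is a small Python parser over constructed sample denials: it merges denials per (source type, target type, class) and writes the target as self when source and target types coincide, which is what a process touching its own kernel keyring (tclass=key, labelled with its creator's context) produces.

```python
import re

# Constructed sample audit.log records (not from the posts), in the format the
# posts grep for: two AVC denials and one unrelated SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1392345678.123:456): avc:  denied  { write } for  pid=1234 comm="sudo" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=key
type=SYSCALL msg=audit(1392345678.123:456): arch=c000003e syscall=250 success=no exit=-13
type=AVC msg=audit(1392345679.001:457): avc:  denied  { transition } for  pid=2001 comm="libvirtd" path="/usr/sbin/libvirtd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:svirt_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Type field of a user:role:type[:mls] security context."""
    return ctx.split(':')[2]


def parse_denials(log_text):
    """Yield (source type, target type, class, permissions) per AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m['scontext']), context_type(m['tcontext']),
                   m['tclass'], set(m['perms'].split()))


def allow_rules(log_text):
    """Merge denials into audit2allow-style allow rules. When source and target
    types are identical the target is written as 'self'; for tclass=key that is
    the process's own keyring, since keys carry the creating process's context."""
    merged = {}
    for stype, ttype, tclass, perms in parse_denials(log_text):
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = 'self' if stype == ttype else ttype
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ %s }' % perm_str
        rules.append('allow %s %s:%s %s;' % (stype, target, tclass, perm_str))
    return rules


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```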
RE: How to properly setup my domains security contexts in the domain.fc file?
by Jayson Hurst
The policy was in play before installing the product; also, why doesn't the pid file get labeled correctly?
From: Daniel J Walsh <dwalsh@redhat.com>
Sent: 2/13/2014 6:58 PM
To: Jayson Hurst <swazup@hotmail.com>; selinux(a)lists.fedoraproject.org
Subject: Re: How to properly setup my domains security contexts in the domain.fc file?
On 02/13/2014 08:30 PM, Jayson Hurst wrote:
> I have a file context installed as follows:
>
> # semanage fcontext -l | grep vasd
> /etc/rc.d/init.d/vasd regular file system_u:object_r:vasd_initrc_exec_t:s0
> /opt/quest/sbin/vasd regular file system_u:object_r:vasd_exec_t:s0
> /var/opt/quest(/.*)? all files system_u:object_r:vasd_var_t:s0
> /var/opt/quest/vas/vasd(/.*)? all files system_u:object_r:vasd_var_auth_t:s0
> /var/opt/quest/vas/vasd/.vasd.pid regular file system_u:object_r:vasd_var_run_t:s0
>
> After a fresh install I see the following:
>
> # ls -laZ /var/opt/quest/vas/vasd/
> drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 .
> drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
> -rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
> -rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
>
> Why are the files being created under /var/opt/quest/vas/vasd not being
> labelled correctly as qasd_var_auth_t as the fcontext states? Is the
> software installer supposed to force a relabel on a post-install?
>
> After a restart of the daemon I do not see the pid file being labelled
> correctly:
>
> # /etc/init.d/vasd restart
> Stopping vasd: vasd does not appear to be running.
> Starting vasd: [ OK ]
>
> # ls -laZ /var/opt/quest/vas/vasd/
> drwxr-xr-x. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .
> drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
> srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19574
> srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19575
> srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19576
> srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd40_ipc_sock
> -rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid
> -rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
> -rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
>
> After forcing a relabel:
>
> # restorecon -F -R /var/opt/quest/vas/vasd/
>
> # ls -laZ /var/opt/quest/vas/vasd/
> drwxr-xr-x. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .
> drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
> srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19574
> srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19575
> srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19576
> srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd40_ipc_sock
> -rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd.pid
> -rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_ident.vdb
> -rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_misc.vdb
>
> I get the files and directory labelled correctly, but not the pid file. I
> can set a pid transition in the policy but then what is the point of
> setting a file context in the <domain>.fc for the pid file if it never
> gets picked up? Apparently I am missing something important here.
>
> Does anyone know a place for good documentation on this subject?
If RPM puts the files on disk and then installs your policy in post install,
it will not fix the labels.
You could create a vasd-selinux.rpm and require this to be installed before
the vasd.rpm is installed. In that case the rpm should do the right thing, at
least on Fedora/RHEL7. Not sure about RHEL6.
Otherwise you can just run restorecon in the post install.
10 years, 2 months
How to properly setup my domains security contexts in the domain.fc file?
by Jayson Hurst
I have a file context installed as follows:
# semanage fcontext -l | grep vasd
/etc/rc.d/init.d/vasd regular file system_u:object_r:vasd_initrc_exec_t:s0
/opt/quest/sbin/vasd regular file system_u:object_r:vasd_exec_t:s0
/var/opt/quest(/.*)? all files system_u:object_r:vasd_var_t:s0
/var/opt/quest/vas/vasd(/.*)? all files system_u:object_r:vasd_var_auth_t:s0
/var/opt/quest/vas/vasd/.vasd.pid regular file system_u:object_r:vasd_var_run_t:s0
After a fresh install I see the following:
# ls -laZ /var/opt/quest/vas/vasd/
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
-rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
Why are the files being created under /var/opt/quest/vas/vasd not being labelled correctly as qasd_var_auth_t as the fcontext states?
Is the software installer supposed to force a relabel on a post-install?
After a restart of the daemon I do not see the pid file being labelled correctly:
# /etc/init.d/vasd restart
Stopping vasd: vasd does not appear to be running.
Starting vasd: [ OK ]
# ls -laZ /var/opt/quest/vas/vasd/
drwxr-xr-x. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19574
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19575
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19576
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd40_ipc_sock
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
After forcing a relabel:
# restorecon -F -R /var/opt/quest/vas/vasd/
# ls -laZ /var/opt/quest/vas/vasd/
drwxr-xr-x. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19574
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19575
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19576
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd40_ipc_sock
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd.pid
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_ident.vdb
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_misc.vdb
I get the files and directory labelled correctly, but not the pid file. I can set a pid transition in the policy but then what is the point of setting a file context in the <domain>.fc for the pid file if it never gets picked up? Apparently I am missing something important here.
Does anyone know a place for good documentation on this subject?
10 years, 2 months
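Daniel's reply and the question above hinge on one mechanism: file_contexts entries are consulted only when something relabels (restorecon, setfiles, or RPM laying files down after the policy is already installed), while a file the daemon creates at runtime takes its type from a type_transition rule or, failing that, from its parent directory. The following Python model is an added illustration, not the thread's code or libselinux: the specs are the ones listed in the thread, the type_transition rule is the hypothetical "pid transition" the poster mentions, and the most-specific-entry-wins ordering is a simplification of libselinux's precedence.

```python
import re

# Constructed from the semanage fcontext -l listing in the thread:
# (regex, file type filter, SELinux type). 'all files' matches every object class.
FCONTEXT_SPECS = [
    (r'/var/opt/quest(/.*)?', 'all files', 'vasd_var_t'),
    (r'/var/opt/quest/vas/vasd(/.*)?', 'all files', 'vasd_var_auth_t'),
    (r'/var/opt/quest/vas/vasd/\.vasd\.pid', 'regular file', 'vasd_var_run_t'),
]

# Hypothetical rule standing in for the "pid transition" the poster could add:
#   type_transition vasd_t vasd_var_auth_t:file vasd_var_run_t;
# keyed by (creating domain, parent directory type, object class).
TYPE_TRANSITIONS = {('vasd_t', 'vasd_var_auth_t', 'file'): 'vasd_var_run_t'}

CLASS_TO_FILE_TYPE = {'file': 'regular file', 'dir': 'directory', 'sock_file': 'socket'}


def label_on_create(creator_domain, parent_type, obj_class, transitions=TYPE_TRANSITIONS):
    """Type a new object receives when a process creates it. The kernel checks
    type_transition rules for (domain, parent type, class); without one the
    object inherits the parent directory's type. file_contexts plays no part."""
    return transitions.get((creator_domain, parent_type, obj_class), parent_type)


def literal_prefix(regex):
    """The spec's stem: everything before its first regex metacharacter."""
    return re.split(r'[.*?+^$|\[\](){}\\]', regex, maxsplit=1)[0]


def label_on_relabel(path, obj_class, specs=FCONTEXT_SPECS):
    """Type restorecon/setfiles assigns from file_contexts: among entries whose
    file type filter admits the object and whose regex matches the whole path,
    the most specific wins (modelled as longest stem, later entry on ties).
    None means no entry in this list matches."""
    best = None
    for index, (regex, file_type, setype) in enumerate(specs):
        if file_type not in ('all files', CLASS_TO_FILE_TYPE[obj_class]):
            continue
        if re.fullmatch(regex, path):
            rank = (len(literal_prefix(regex)), index)
            if best is None or rank > best[0]:
                best = (rank, setype)
    return best[1] if best else None


if __name__ == '__main__':
    # The thread's sequence: the restarted daemon creates .vasd.pid inside a
    # vasd_var_t directory (it inherits vasd_var_t); restorecon -F then applies the specs.
    print(label_on_create('vasd_t', 'vasd_var_t', 'file', transitions={}))
    print(label_on_relabel('/var/opt/quest/vas/vasd/.vasd.pid', 'file'))
```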
File context for /var/opt/quest/vas/vasd(/.*)? is defined in policy, cannot be deleted
by Jayson Hurst
I am trying to create a policy for vasd but I cannot set my own fcontext for /var/opt/quest/vas/vasd(/.*)? because I get the following error:
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/opt/quest/vas/vasd(/.*)? (system_u:object_r:qasd_var_auth_t:s0 and system_u:object_r:var_auth_t:s0)
When I attempt to delete the file context I get:
$ semanage fcontext -d "/var/opt/quest/vas/vasd(/.*)?"
/usr/sbin/semanage: File context for /var/opt/quest/vas/vasd(/.*)? is defined in policy, cannot be deleted
I don't know who or what has already installed this file context, but I am not able to work around it and it is causing problems with my module, which is the true owner of the directory in question.
Is there a way to find out how this file context was created and by what? Also, how do I remove it so I can define the directory's file context correctly?
10 years, 2 months
how to use setroubleshootd
by bigclouds
Hi, all
How to monitor SELinux messages from setroubleshootd?
I want to integrate this function into my program; this function is like the seaudit command line tool, which can monitor SELinux messages in real time.
1. After I run this command, 'nc -U /var/run/setroubleshoot/setroubleshoot_server', setroubleshootd exits immediately.
I want to connect to setroubleshoot_server to receive messages, if I am right?
thanks
10 years, 2 months
semanage.conf.5.gz
by Dominick Grift
Is there any particular reason why this man page is installed with
semanage-devel and not policycoreutils-python?
I think it might make sense to install it with policycoreutils-python
instead. It will make the info that it provides more accessible because
it is pretty unlikely that semanage-devel will be installed on a regular
system.
One ends up with a semanage.conf without a corresponding man page.
10 years, 2 months
Bug ? on "semanage fcontext" when directory name is starting with Upper case
by Shintaro Fujiwara
Hi, I'm playing with my web server and found a strange incident.
I try to enable write to certain directory in /var/www/dir in SELinux way.
I know that fancy way of doing this is to type,
# semanage fcontext -a -t httpd_sys_rw_content_t /var/www/dir
After successfully added rw type to directory, I will type
# restorecon -rv /var/www
It works fine.
But, when I name the very directory "/var/www/Dir" not "/var/www/dir"
first command works fine and I could see by
# semanage fcontext -l |grep "/var/www"
The rw type is set all right.
BUT, when I restorecon the /var/www, nothing happens and with force option,
no use.
Is this a bug in "semanage fcontext" or is my box broken?
My solution now is just name the directory "/var/www/dir" and post this
question.
Thanks.
[root@xxxx]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
[root@xxxx]# rpm -qa|grep selinux
selinux-policy-3.12.1-119.fc20.noarch
libselinux-2.2.1-6.fc20.x86_64
libselinux-utils-2.2.1-6.fc20.x86_64
selinux-policy-targeted-3.12.1-119.fc20.noarch
libselinux-python-2.2.1-6.fc20.x86_64
php-pecl-selinux-0.3.1-12.fc20.x86_64
libselinux-devel-2.2.1-6.fc20.x86_64
--
"segatex" SELinux tool
http://sourceforge.net/projects/segatex/
10 years, 2 months
audit2allow: invalid binary policy
by leo kirotawa
Hi,
I'm having issues when using audit2allow on a Z machine with Fedora 19.
This is the output message it raises:
audit2allow -a
security: ebitmap: map size 1064 does not match my size 64 (high bit was 595)
invalid binary policy
As a solution I thought of recompiling my whole policy and generating a new
/policy/binary, but this time I grabbed an ERROR: (serefpolicy-3.12.1)
/usr/bin/checkmodule base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/kernel/domain.te":256:ERROR 'unknown type tape_device_t used in transition definition' at token ';' on line 22729:
#line 256
type_transition unconfined_domain_type device_t:chr_file tape_device_t "ht00";
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1
Looking in my /dev/ I did not find any 'ht00' device, which makes me suppose
maybe it is the problem. Also, looking in the .te files I saw tape_device_t is
defined in storage.te, and at this point I have no idea what the cause of
this problem is or how to fix it.
Have you ever seen it before?
10 years, 2 months