Tayga policy review
by William
Hi,
I'm submitting a package for tayga to fedora. I would like the SELinux
policy attached to this reviewed.
https://bugzilla.redhat.com/show_bug.cgi?id=1028206
Policy attached. It has comments around parts I have queries and
concerns about.
Note that tayga will attempt to call /usr/sbin/ip, which is why the cmd
transitions are in the policy.
--
William Brown <william(a)firstyear.id.au>
10 years
read_dirs_pattern
by William
Hi,
There is an interface for read_files_pattern, manage_files_pattern,
manage_dirs_pattern, but no "read_dirs_pattern". Why not add this to
policy/support/file_patterns.spt such as:
define(`read_dirs_pattern',`
search_dirs_pattern($1, $2, $3)
getattr_dirs_pattern($1, $2, $3)
list_dirs_pattern($1, $2, $3)
')
This would be useful for "consistency" of the interfaces when writing
policy.
Sincerely,
--
William Brown <william(a)firstyear.id.au>
10 years
Yubikey policy for review
by William
Hi,
I have made the changes to the policy as suggested by Miroslav.
The reason I initially made two booleans rather than one is that OTP
doesn't need the permissions granted by CHAP, and vice versa.
--
William Brown <william(a)firstyear.id.au>
10 years
Re: No clue why I'm getting this AVC
by mark
Daniel J Walsh wrote:
> Mark could you send the actual AVC?
>
> On 04/01/2014 02:27 PM, m.roth(a)5-cent.us wrote:
>> CentOS 6.5, current.
>>
>> ll -aZ /.../apps/trac/<proj>/cgi-bin/
>> drwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 .
>> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ..
>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0
>> trac.cgi
>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0
>> trac.fcgi
>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0
>> trac.wsgi
>>
>> httpd_enable_cgi --> on
>>
>>
>> Name : selinux-policy-targeted
>> Version : 3.7.19
>> Release : 231.el6
>>
>> From the sealert:
>> SELinux is preventing /usr/bin/python from ioctl access on the file
>> /public/apps/trac/PLT/cgi-bin/trac.cgi.
>>
>> ***** Plugin restorecon (94.8 confidence) suggests
>> *************************
>>
>> If you want to fix the label.
>> /<...>/apps/trac/<...>/cgi-bin/trac.cgi default label should be
>> httpd_sys_script_exec_t.
>> Then you can run restorecon.
>> Do
>> # /sbin/restorecon -v /public/apps/trac/PLT/cgi-bin/trac.cgi
Ok... took me a bit to figure out which of the current AVCs resulted in
yesterday's. I *think* it's this:
type=AVC msg=audit(1396374681.854:721317): avc: denied { ioctl } for pid=11906 comm="trac.cgi" path="/public/apps/trac/PLT/cgi-bin/trac.cgi" dev=sda3 ino=10272821 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Yes, grep AVC /var/log/audit/audit.log | grep trac.cgi | grep ioc | grep -v unlabel
returns nothing. I *may* be getting closer, because, in the raw AVCs, I
also find:
type=AVC msg=audit(1396374115.280:721170): avc: denied { add_name } for pid=10822 comm="trac.cgi" name="trac.db-journal" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Let me say that the trac project directory has fcontexts of
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ./
drwxr-xr-x. apache root system:object_r:default_t:s0 ../
-rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0 README
-rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0 VERSION
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 attachments/
drwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 cgi-bin/
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 conf/
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 db/
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 htdocs/
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 log/
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 plugins/
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 templates/
I do *not* see a db/trac.db-journal (we're in permissive mode), so I'm
guessing it's a true temporary file - my first thought is to make
transactions atomic, and so roll-backable. There's also no log file -
something I've just taken care of via the apache setup.
However, I'm concerned - I did set all those fcontexts using semanage, not
chcon. *What* is this "unlabelled" in the AVC?
mark
10 years
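The thread above ends with the question of what the "unlabeled_t" in the AVC means: it is the type the kernel reports for an object that carries no SELinux label at all (an inode with no security xattr), which is why sealert's fix is restorecon rather than a policy change, and why the grep pipeline that excludes "unlabel" returns nothing. The following Python script is an added example, not code from the thread or from the selinux-policy project, that parses audit.log AVC records and sorts them into "relabel" (target is unlabeled_t) and "policy" (target has a real type the policy refuses) cases. The first two sample records are the AVCs quoted in the thread, rejoined onto single lines; the third record and the SYSCALL line are constructed for contrast. Function and field names are my own.

```python
"""Parse SELinux AVC denial records and triage them by target label."""
import re
from dataclasses import dataclass

# Records 1 and 2 are the AVCs quoted in the thread (rejoined onto one line
# each); record 3 is a constructed example of an ordinary policy denial, and
# the SYSCALL line is constructed to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1396374681.854:721317): avc: denied { ioctl } for pid=11906 comm="trac.cgi" path="/public/apps/trac/PLT/cgi-bin/trac.cgi" dev=sda3 ino=10272821 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1396374115.280:721170): avc: denied { add_name } for pid=10822 comm="trac.cgi" name="trac.db-journal" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1396374200.000:721200): avc: denied { write } for pid=10830 comm="trac.cgi" path="/public/apps/trac/PLT/db/trac.db" dev=sda3 ino=10272900 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1396374681.854:721317): arch=c000003e syscall=16 success=yes exit=0 comm="trac.cgi"
"""

# Real audit lines often have doubled spaces ("avc:  denied  { ioctl }"),
# so whitespace is matched with \s+ throughout.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted (comm, path, name).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Avc:
    timestamp: float
    serial: int
    result: str
    perms: list
    fields: dict

    def field(self, key, default=None):
        return self.fields.get(key, default)


def parse_avc(line):
    """Return an Avc for a type=AVC record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(float(m.group("ts")), int(m.group("serial")), m.group("result"),
               m.group("perms").split(), fields)


def parse_audit_log(text):
    return [avc for avc in map(parse_avc, text.splitlines()) if avc is not None]


def context_type(context):
    """Return the type component of a user:role:type[:range] context."""
    return context.split(":")[2]


def triage(avc):
    """Classify a denial: 'relabel' when the target has no label at all
    (unlabeled_t), 'policy' when it has a real type that policy refuses."""
    ttype = context_type(avc.field("tcontext"))
    if ttype == "unlabeled_t":
        if avc.field("path"):
            return "relabel", f"restorecon -v {avc.field('path')}"
        # For add_name/remove_name the tcontext is the *directory*; the AVC
        # only carries the new entry's name, and the directory path lives in
        # the PATH record with the same serial, so point there instead of
        # guessing a path.
        return "relabel", (f"directory receiving {avc.field('name')!r} is unlabeled; "
                           f"see PATH record for serial {avc.serial}")
    return "policy", (f"{context_type(avc.field('scontext'))} -> {ttype} "
                      f"{avc.field('tclass')} {{ {' '.join(avc.perms)} }}")


def denials(avcs, comm=None, perm=None, exclude_type=None):
    """Filter denials the way the grep pipeline in the thread does: by comm,
    by requested permission, and optionally excluding one target type."""
    out = []
    for avc in avcs:
        if avc.result != "denied":
            continue
        if comm is not None and avc.field("comm") != comm:
            continue
        if perm is not None and perm not in avc.perms:
            continue
        if exclude_type is not None and context_type(avc.field("tcontext")) == exclude_type:
            continue
        out.append(avc)
    return out


if __name__ == "__main__":
    for avc in parse_audit_log(SAMPLE_AUDIT_LOG):
        kind, advice = triage(avc)
        print(f"{avc.serial} {avc.field('comm')} {kind}: {advice}")
```

Running it on the sample prints a restorecon command for the ioctl denial, a pointer to the PATH record for the add_name denial on the unlabeled directory, and a plain policy summary for the constructed write denial; `denials(avcs, comm="trac.cgi", perm="ioctl", exclude_type="unlabeled_t")` is empty, matching the grep result in the thread. On a real system, feed it `ausearch -m AVC --raw` output or /var/log/audit/audit.log; for the directory case, the path is in the PATH record that `ausearch -a <serial>` prints alongside the AVC.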
No clue why I'm getting this AVC
by mark
CentOS 6.5, current.
ll -aZ /.../apps/trac/<proj>/cgi-bin/
drwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 .
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ..
-rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 trac.cgi
-rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 trac.fcgi
-rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 trac.wsgi
httpd_enable_cgi --> on
Name : selinux-policy-targeted
Version : 3.7.19
Release : 231.el6
From the sealert:
SELinux is preventing /usr/bin/python from ioctl access on the file
/public/apps/trac/PLT/cgi-bin/trac.cgi.
***** Plugin restorecon (94.8 confidence) suggests
*************************
If you want to fix the label.
/<...>/apps/trac/<...>/cgi-bin/trac.cgi default label should be
httpd_sys_script_exec_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /public/apps/trac/PLT/cgi-bin/trac.cgi
mark
10 years