I'm using Firefox in a sandbox.
It doesn't work anymore since today:
sandbox -X -t sandbox_web_t firefox
Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not
My installed versions:
Anyone having the same problem? Or a fix?

I think for newcomers it is sometimes difficult to find the packages to
install if they want to use some tools. The relevant packages are AFAIK:
selinux-policy, audit, libselinux-utils, setools, setools-console,
policycoreutils-python, setroubleshoot and maybe a few others.
The most confusing is, in my humble opinion, the semanage tool, which is
present in policycoreutils-python. With image deployment which is
popular in infrastructure clouds, administrators need to deal with
minimum OS installs very often and some tools are usually missing in
RHEL/Fedora. And they are not finding them.
Thus I propose to create new yum group SELinux Development that would
help installing these tools all at once. And then spreading the word.
What do folks think about this?
Lukas "lzap" Zapletal

Generally I am a "belt and suspenders" type of guy with respect to
security so for a webserver (apache(httpd), lighttpd, or nginx) I want
to run the server chrooted AS WELL AS have SELinux enforcing in effect.
I have been running SELinux enabled and enforcing from the beginning so
it is not a question of using SELinux.
Well, I am not doing too well and really cannot get things to work.
Without chroot but with SELinux enforcing, I can get lighttpd to serve
static files and CGI created info (specifically to support git clone and
gitweb). With chroot and SELinux enforcing I can get static files
served but *not* CGI stuff ...
I get lots of "CGI failed: Permission denied cgi-bin/git-http-backend"
A bunch of years ago when I was using the bind package for dns, there
was a change in Fedora/RHEL to de-emphasize use of chroot and instead
depend on SELinux to protect things. This change was not so much
advertised and just done.
I am wondering if something similar has happened for the webserver.
There is some (very limited) doc for apache (httpd) and a lot of rules
in selinux-policy-targeted for "httpd" and these rules seem to apply to
both httpd (apache) and lighttpd. If I am reading the tea leaves
correctly SELinux seems to be providing a lot of protection.
So, do I need chroot??? Is just using SELinux a "good enough"
solution? I am not looking for a perfect solution but one which "good
engineering practice" says should be "good enough." I hope it is but
would sure like some "experts" to agree as well as maybe pointing to
some substantiating documentation.
Side comment: If SELinux is attempting to provide the same
functionality to both httpd and lighttpd, it would be nice if the
documentation at least mentioned lighttpd.

Sorry, I know this isn't Fedora (CentOS 5 actually) but I believe this
may be a more generic situation.
I recently was trying to troubleshoot an issue where a process spawned
off under the dovecot_t process type and needed to create files under /tmp.
This wasn't obvious as there were no denial messages in audit for
tmp_t. Even using "semodule -DB" didn't show denial messages. All I
knew was the process was trying to read/write files and was getting
access denied. I just didn't know where or why.
Eventually an strace on the process tree showed the access attempt to
/tmp. Since I knew policy would be required to create tmp types I went
ahead and added tmp file transitions and appropriate supporting
permissions around the new dovecot_tmp_t type. This fixed the problem.
What is surprising to me is that there were no denial messages related
to tmp_t or dovecot_t. Nothing, regardless of permissive vs enforcing,
or semodule -DB set.
Any clue as to why this wouldn't trigger a log message?
This is a strict, not targeted, policy; yes, I know, very old school.
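
A minimal reference-policy module of the kind the post above describes: a private dovecot_tmp_t type plus a file transition for objects dovecot_t creates in /tmp. This is an added example, not the poster's module; the module name is hypothetical, and the interfaces used (files_tmp_file, files_tmp_filetrans, manage_dirs_pattern, manage_files_pattern) assume the reference policy development headers are installed and may differ on a policy as old as the one in the post.

```te
# Added example; the module name "dovecot_tmp_example" is hypothetical.
policy_module(dovecot_tmp_example, 1.0.0)

# dovecot_t is defined by the base/dovecot policy, so it is required here
# rather than declared.
gen_require(`
	type dovecot_t;
')

# Private type for dovecot's temporary files, registered as a tmp file type
# so generic tmp-handling rules (e.g. cleanup by tmpwatch-style domains)
# apply to it.
type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)

# dovecot_t may create, read, write and delete its own temporary
# directories and files, and nothing else labelled tmp_t.
manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)

# Type transition: files and directories that dovecot_t creates inside a
# tmp_t directory (such as /tmp) are labelled dovecot_tmp_t instead of
# inheriting tmp_t. The interface also grants the directory permissions on
# tmp_t needed to add and remove those entries.
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
```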