sandbox -X broken on FC20?
by Robert Horovitz
Hi,
I'm using firefox in a sandbox.
It stopped working today:
sandbox -X -t sandbox_web_t firefox
Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted
My installed versions:
policycoreutils-sandbox-2.2.5-3.fc20.x86_64
selinux-policy-targeted-3.12.1-153.fc20.noarch
libselinux-2.2.1-6.fc20.x86_64
libselinux-python-2.2.1-6.fc20.x86_64
libselinux-utils-2.2.1-6.fc20.x86_64
selinux-policy-3.12.1-153.fc20.noarch
Anyone having the same problem? Or a fix?
thanks!
Robert
8 years, 9 months
SELinux Development yum group proposal
by Lukas Zapletal
Hello,
I think for newcomers it is sometimes difficult to find the packages to
install if they want to use some tools. The relevant packages are AFAIK:
selinux-policy, audit, libselinux-utils, setools, setools-console,
policycoreutils-python, setroubleshoot and maybe few others.
The most confusing, in my humble opinion, is the semanage tool, which is
present in policycoreutils-python. With image deployment, which is
popular in infrastructure clouds, administrators very often need to deal
with minimum OS installs, and some tools are usually missing in
RHEL/Fedora. And they are not finding them.
Thus I propose creating a new yum group, SELinux Development, that would
help install these tools all at once, and then spreading the word.
What do folks think about this?
--
Later,
Lukas "lzap" Zapletal
8 years, 10 months
directory fcontext
by mark
What should be the fcontext for a directory that contains cgi (or, in this
case, ruby gems)?
mark
8 years, 10 months
selinux, httpd, and lighttpd
by Gene Czarcinski
Generally I am a "belt and suspenders" type of guy with respect to
security so for a webserver (apache(httpd), lighttpd, or nginx) I want
to run the server chrooted AS WELL AS have SELinux enforcing in effect.
I have been running SELinux enabled and enforcing from the beginning so
it is not a question of using SELinux.
Well, I am not doing too well and really cannot get things to work.
Without chroot but with SELinux enforcing, I can get lighttpd to serve
static files and CGI-created info (specifically to support git clone and
gitweb). With chroot and SELinux enforcing I can get static files
served but *not* CGI stuff ...
I get lots of "CGI failed: Permission denied cgi-bin/git-http-backend"
A bunch of years ago when I was using the bind package for dns, there
was a change in Fedora/RHEL to de-emphasize use of chroot and instead
depend on SELinux to protect things. This change was not so much
advertised and just done.
I am wondering if something similar has happened for the webserver.
There is some (very limited) doc for apache (httpd) and a lot of rules
in selinux-policy-targeted for "httpd" and these rules seem to apply to
both httpd (apache) and lighttpd. If I am reading the tea leaves
correctly SELinux seems to be providing a lot of protection.
So, do I need chroot??? Is just using SELinux a "good enough"
solution? I am not looking for a perfect solution but one which "good
engineering practice" says should be "good enough." I hope it is but
would sure like some "experts" to agree as well as maybe pointing to
some substantiating documentation.
Side comment: If SELinux is attempting to provide the same
functionality to both httpd and lighttpd, it would be nice if the
documentation at least mentioned lighttpd.
Gene
8 years, 10 months
SELinux blocks apachectl from stopping apache
by Konopka.Andre
Hi list,
I use a self compiled apache-2.2.27 on a CentOS6.5 box
I ran into trouble with the apachectl command.
If I try to stop apache with 'apachectl stop' it complains:
(13)Permission denied: Error retrieving pid file run/httpd.pid
Remove it before continuing if it is corrupted.
Audit logs show the problem:
type=AVC msg=audit(1404897126.819:7069): avc: denied { read } for pid=23031 comm="httpd" name="httpd.pid" dev=dm-0 ino=529958 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1404897126.819:7069): arch=c000003e syscall=2 success=no exit=-13 a0=7ff99e37eff0 a1=80000 a2=1b6 a3=1 items=0 ppid=23029 pid=23031 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
BTW Stopping apache with 'httpd -k stop' works fine.
[root@centos1 conf]# ls -lZ /usr/sbin/apachectl
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /usr/sbin/apachectl
[root@centos1 conf]#
[root@centos1 conf]# ls -lZ /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
[root@centos1 conf]#
[root@centos1 audit]# ps -efZ | grep -i apachectl
unconfined_u:system_r:initrc_t:s0 root 23066 2412 0 11:20 pts/0 00:00:00 /bin/sh /usr/sbin/apachectl
[root@centos1 audit]# ls -lZ httpd.pid
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 httpd.pid
How can I fix it?
8 years, 10 months
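As an added illustration for this thread (not code from the original post, nor from Apache or the SELinux tooling): a small Python parser that takes the two audit records quoted above, joins the AVC and SYSCALL lines on their audit serial, and reports what was denied together with the setools sesearch query that confirms whether the loaded policy has any allow rule for that access. The sample records are constructed copies of the posted lines; the sesearch invocation assumes setools (setools-console) is installed.

```python
"""Decode an AVC/SYSCALL audit pair into the facts needed to act on it
(source type, target type, object class, permission, errno, executable)
and build the sesearch query that checks policy for that access.
Illustration code written for this thread, not part of any tool."""
import errno
import re
from typing import Dict, List, Optional

# Constructed copies of the two audit records quoted in the post above.
SAMPLE_RECORDS: List[str] = [
    'type=AVC msg=audit(1404897126.819:7069): avc: denied { read } for pid=23031 '
    'comm="httpd" name="httpd.pid" dev=dm-0 ino=529958 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1404897126.819:7069): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=7ff99e37eff0 a1=80000 a2=1b6 a3=1 items=0 '
    'ppid=23029 pid=23031 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=pts0 ses=1 comm="httpd" exe="/usr/sbin/httpd" '
    'subj=unconfined_u:system_r:httpd_t:s0 key=(null)',
]

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")  # timestamp:serial
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="v"


def parse_record(line: str) -> Dict[str, object]:
    """Turn one audit line into a dict of its key=value fields plus
    'serial', 'time' and, for AVC lines, 'result' and 'perms'."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: " + line)
    rec: Dict[str, object] = {"time": float(m.group(1)), "serial": int(m.group(2))}
    avc = AVC_RE.search(line)
    if avc:
        rec["result"] = avc.group(1)
        rec["perms"] = avc.group(2).split()
    for key, value in KV_RE.findall(line):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx: str) -> str:
    """user:role:type:level -> type, the part SELinux rules are written against."""
    return ctx.split(":")[2]


def summarize_denials(lines: List[str]) -> List[Dict[str, object]]:
    """Join AVC and SYSCALL records by audit serial and describe each denial."""
    by_serial: Dict[int, Dict[str, Dict[str, object]]] = {}
    for line in lines:
        rec = parse_record(line)
        by_serial.setdefault(int(str(rec["serial"])), {})[str(rec["type"])] = rec
    out: List[Dict[str, object]] = []
    for serial in sorted(by_serial):
        avc = by_serial[serial].get("AVC")
        sc = by_serial[serial].get("SYSCALL")
        if not avc or avc.get("result") != "denied":
            continue
        exit_code: Optional[int] = int(str(sc["exit"])) if sc and "exit" in sc else None
        # The kernel records -errno in 'exit'; -13 is EACCES, the usual SELinux refusal.
        errno_name = errno.errorcode.get(-exit_code) if exit_code is not None and exit_code < 0 else None
        out.append({
            "serial": serial,
            "source_type": context_type(str(avc["scontext"])),
            "target_type": context_type(str(avc["tcontext"])),
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "name": avc.get("name"),
            "exe": sc.get("exe") if sc else None,
            "errno_name": errno_name,
        })
    return out


def sesearch_query(d: Dict[str, object]) -> str:
    """setools sesearch invocation listing allow rules for this access; empty
    output means the loaded policy has no rule, so either the object is
    mislabeled (relabel it) or a local policy module is needed."""
    perms = ",".join(str(p) for p in d["perms"])  # type: ignore[union-attr]
    return "sesearch --allow -s {} -t {} -c {} -p {}".format(
        d["source_type"], d["target_type"], d["tclass"], perms)


if __name__ == "__main__":
    for d in summarize_denials(SAMPLE_RECORDS):
        print("{source_type} denied {perms} on {tclass} {name!r} ({target_type}) "
              "by {exe}: {errno_name}".format(**d))
        print("  check: " + sesearch_query(d))
```

Run against the quoted records it reports httpd_t denied read on file 'httpd.pid' (var_run_t) by /usr/sbin/httpd with EACCES, and prints the sesearch line to run on the box; the same parser works on ausearch -m avc,syscall output because it keys only on the audit serial.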
Weird un-audited denial on tmp_t
by David Cafaro
Sorry, I know this isn't fedora (CentOS 5 actually) but I believe this
may be a more generic situation.
I recently was trying to troubleshoot an issue where a process spawned
off under the dovecot_t process type and needed to create files under /tmp
(tmp_t).
This wasn't obvious as there were no denial messages in audit for
tmp_t. Even using "semodule -DB" didn't show denial messages. All I
knew was the process was trying to read/write files and was getting
access denied. I just didn't know where or why.
Eventually an strace on the process tree showed the access attempt to
/tmp. Since I knew policy would be required to create tmp types I went
ahead and added tmp file transitions and appropriate supporting
permissions around the new dovecot_tmp_t type. This fixed the problem.
What is surprising to me is that there were no denial messages related
to tmp_t or dovecot_t. Nothing, regardless of permissive vs enforcing,
or semodule -DB set.
Any clue as to why this wouldn't trigger a log message?
This is a strict, not targeted policy, yes I know very old school.
Thanks,
David
8 years, 11 months