Setting-up Fedora-20 SELinux with Linode
by Lakshmipathi.G
For the past 10-12 hours, I've been trying to get SELinux working on a Linode Fedora-20 machine.
I downloaded a new kernel and configured it like below.
linux-3.16.2]$ cat .config | grep SELINUX
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
#CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19   # commented this line out and tried again
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY="selinux"
--
pv-grub menu.lst
$ cat /boot/grub/menu.lst
timeout 1
title Fedora 20, kernel 3.15.10-201.fc20.x86_64
root (hd0)
kernel /boot/vmlinuz root=/dev/xvda rootfstype=ext4 ro quiet selinux=1
---
Now during boot I get this message and it hangs there:
libsepol.policydb_write: Warning! policy version 19 cannot support
permissive types, but some were defined
===
Any thoughts on how to resolve this issue, before I give up?
----
Cheers,
Lakshmipathi.G
FOSS Programmer.
www.giis.co.in/readme.html
9 years, 7 months
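The boot warning comes from libsepol writing the installed policy out at version 19, the cap that CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX puts on the kernel, while permissive types only exist from policy version 23. The helper below is added here (it is not from the post) and reads the cap out of a .config and the policy version out of the installed policy's file name to say whether the two fit; the sample .config, the policy.29 path, and the assumption that a missing _VALUE line falls back to the Kconfig default of 19 are mine.

```python
import re
# POLICYDB_VERSION_PERMISSIVE from the kernel's security/selinux/ss/policydb.h:
# permissive types, the feature the boot warning names, need policy version 23.
POLICYDB_VERSION_PERMISSIVE = 23
# Kconfig default for SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE, used whenever
# the _MAX=y switch is set but the _VALUE line has been removed.
KCONFIG_DEFAULT_MAX_VALUE = 19
# Constructed sample of the relevant .config lines, mirroring the first attempt
# quoted in the post above (cap enabled and left at its default of 19).
SAMPLE_CONFIG = """\
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19
CONFIG_DEFAULT_SECURITY="selinux"
"""

def kernel_max_policy_version(config_text):
    """Policy version this kernel config is capped at, or None when uncapped."""
    opts = dict(re.findall(r'^(CONFIG_\w+)=(.*)$', config_text, re.M))
    if opts.get('CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX') != 'y':
        return None
    value = opts.get('CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE')
    # Commenting out only the _VALUE line does not lift the cap: Kconfig falls
    # back to 19. The cap goes away only when _MAX itself is not set.
    return int(value) if value else KCONFIG_DEFAULT_MAX_VALUE

def policy_file_version(path):
    """Version of an installed binary policy, taken from its file name
    (/etc/selinux/<store>/policy/policy.<N>)."""
    m = re.search(r'policy\.(\d+)$', path)
    return int(m.group(1)) if m else None

def check_compat(config_text, policy_path):
    """(ok, reason) for loading policy_path on a kernel built from config_text."""
    cap = kernel_max_policy_version(config_text)
    ver = policy_file_version(policy_path)
    if ver is None:
        return False, 'cannot read a policy version from %s' % policy_path
    if cap is None or cap >= ver:
        return True, 'policy.%d loads as built (kernel cap: %s)' % (ver, cap)
    if cap < POLICYDB_VERSION_PERMISSIVE:
        return False, ('kernel cap %d predates permissive types (version %d): '
                       'libsepol rewrites policy.%d down to version %d and warns'
                       % (cap, POLICYDB_VERSION_PERMISSIVE, ver, cap))
    return False, 'policy.%d would be downgraded to version %d at load' % (ver, cap)

if __name__ == '__main__':
    # policy.29 is a constructed path; use the real name under /etc/selinux/<store>/policy/.
    for cfg in (SAMPLE_CONFIG, 'CONFIG_SECURITY_SELINUX=y\n'):
        print(check_compat(cfg, '/etc/selinux/targeted/policy/policy.29'))
```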
Allowed rule is denied.
by dE
Hi.
I'm running CentOS 6. I have httpd running which accesses a file, but it
results in access denied with the following --
type=AVC msg=audit(1410680693.979:40): avc: denied { read } for pid=987 comm="httpd" name="README.txt" dev=dm-0 ino=12573 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
However,
sesearch -A | grep 'allow httpd_t' | grep ': file' | grep user_home_t
allow httpd_t user_home_t : file { ioctl read getattr lock open } ;
allow httpd_t user_home_t : file { ioctl read getattr lock open } ;
9 years, 7 months
Selinux denial on clamd
by Watts M.R.
I'm currently trying to integrate Squid, c-icap and clamd together to get A/V scanning of objects through squid on a CentOS 6.5 server.
I have things working but every time I try and download the eicar.com test virus, I see the following in the logs:
type=AVC msg=audit(1410534437.751:227204): avc: denied { write } for pid=22480 comm="clamd" path="/var/tmp/CI_TMP_DaewkQ" dev=dm-1 ino=182 scontext=unconfined_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
For the record, this server has been hardened according to the CIS CentOS 6.5 benchmark document.
/tmp and /var/tmp are mounted like so, if this matters:
/dev/mapper/VolGroup00-tmp on /tmp type ext4 (rw,noexec,nosuid,nodev)
/tmp on /var/tmp type none (rw,noexec,nosuid,nodev,bind)
If I set "semanage permissive -a clamd_t" then everything works.
Audit2allow suggests I need the following, but I'm not really understanding why:
allow antivirus_t initrc_tmp_t:file write;
Any guidance?
Mark.
--
Mark Watts
Infrastructure Engineer, iSolutions
University of Southampton
Tel: (02380) 595788 Int: 25788
9 years, 7 months
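Both of the preceding posts (the httpd denial against user_home_t and the clamd denial against initrc_tmp_t) come down to the same triage step: pull the source type, target type, class and permission out of the AVC and ask the policy which rules could grant them. The helper below is added here and is not from either post; it parses the two AVC lines quoted above (copied verbatim as sample input) and builds the matching sesearch call, using -C so that conditional rules are printed together with the boolean they depend on, which a plain `sesearch -A | grep` does not show.

```python
import re
# Sample input: the two AVC records quoted in the posts above (dE's httpd
# denial and Mark Watts' clamd denial), copied here verbatim.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1410680693.979:40): avc: denied { read } for pid=987 '
    'comm="httpd" name="README.txt" dev=dm-0 ino=12573 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1410534437.751:227204): avc: denied { write } for '
    'pid=22480 comm="clamd" path="/var/tmp/CI_TMP_DaewkQ" dev=dm-1 ino=182 '
    'scontext=unconfined_u:system_r:antivirus_t:s0 '
    'tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file',
]
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into its fields; returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, val in KV_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    # user:role:type[:level]; the type is what allow rules are written against.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def sesearch_query(rec):
    """The sesearch call that lists every allow rule able to grant this access.
    -C annotates conditional rules with their boolean, which a plain
    `sesearch -A | grep` does not show, so an identical-looking rule printed
    twice may be the two branches of a boolean rather than a plain allow."""
    return 'sesearch -A -C -s %s -t %s -c %s -p %s' % (
        rec['stype'], rec['ttype'], rec['tclass'], ','.join(rec['perms']))

def triage(lines):
    """Group denials by (source type, target type, class) and merge permissions."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            key = (rec['stype'], rec['ttype'], rec['tclass'])
            groups.setdefault(key, set()).update(rec['perms'])
    return groups

if __name__ == '__main__':
    for rec in map(parse_avc, SAMPLE_AVCS):
        print(rec['comm'], '->', sesearch_query(rec))
```

Feed it `ausearch -m avc --raw` output line by line and triage() collapses repeated denials into one query per (source, target, class) triple.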
Re: High weirdness and questionable utility of restorecond
by Jonathan Abbey
On Fri, 05 Sep 2014 14:05:57 -0500, Jonathan Abbey wrote:
|
| Given that this is happening with max_watches set far too low to
| handle recursive directory watches under /home, I'm going to assume
| that the restorecond code at selinuxproject actually does closely
| reflect what RHEL 6 is shipping, and recursion just isn't supported
| with restorecond.
And after re-reading the comment on restored.conf at
http://selinuxproject.org/page/GlobalConfigurationFiles
I see that I misinterpreted the meaning of "~/*". It says that it
"expands to listen for all files created for all logged-in users
within their home directories". I took that to be recursively within
their home directories, but apparently not.
Jon
--
-------------------------------------------------------------------------------
Jonathan Abbey jonabbey(a)arlut.utexas.edu
Applied Research Laboratories The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg
9 years, 7 months
Activate a SELinux Module at Initial Install
by Dustin C. Hatch
Hello,
I have a SELinux module that I've packaged following the SELinux Policy
Modules Packaging Draft[1] on the Fedora wiki. This module is fairly
simple and just adjusts the contexts of some files. The package works
well, and automatically activates the module and fixes file labels when
it is installed on the running machine using Yum. Unfortunately, it does
not work as smoothly if it is installed during initial setup by
Anaconda. In this case, the module is available but not activated
automatically; I have to manually run `semodule -i …` and `restorecon`
on the first boot.
Is there a recommended way to automatically activate a module that was
installed from an additional package by Anaconda?
Any ideas or pointers would be greatly appreciated.
[1] http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
Regards,
--
Dustin C. Hatch
9 years, 7 months
High weirdness and questionable utility of restorecond
by Jonathan Abbey
Hi, SELinux folk.
I've got a couple of RHEL 6 systems that have a whole lot of files on
them that I am trying to keep well labeled by using restorecond.
I have the following in my /etc/selinux/restored.conf file:
/etc/services
/etc/resolv.conf
/etc/samba/secrets.tdb
/etc/mtab
/var/run/utmp
/var/log/wtmp
/root/*
/root/.ssh/*
~/*
The last line there is the problem. I want to have restorecond
monitor everything created under any directory recursively anywhere
under /home on my systems, but this is not happening.
To figure out why, I'm going to be referencing the code for
restorecond located online at
http://userspace.selinuxproject.org/trac/browser/policycoreutils/restorec...
The description of the restored.conf file at
http://selinuxproject.org/page/GlobalConfigurationFiles makes it seem
that the "~/*" line should be recursive, but I only see a simple
glob() at watch_list_add() when the first watches are added, and no
logic to add new watches for newly created subdirectories.
I'm assuming that I'm just missing it, more on this below.
When I start restorecond on our first RHEL6 box, I see the following
error:
restorecond: Unable to watch (/home/falazar/*) No such file or directory
Now, this is true, as far as it goes, because falazar is a user
account in our NIS that doesn't have a directory on this server. He
has logged into the server in the past, though, so utmpwatcher.c is
finding his entry under /var/run/utmp. It's not an error I care
about, but okay.
However, while I was investigating, I came across the inotify watch
limits set under /proc/sys/fs/inotify, and started looking into that.
Still thinking that restorecond should actually work recursively, I
took a look at how many directories are actually under /home on the
two RHEL6 boxes at issue.
Here's what I came up with by running
find /home -type d -ls | wc | egrep -o '^\s+([0-9]+)'
system1: 15640
system2: 1018055
And the default for /proc/sys/fs/inotify/max_user_watches is only
8192, okay.
I set max_user_watches to 2097152 so that inotify will allow up to two
million watches.
I then restart restorecond, and
** I no longer see the error about the missing user home directory. **
This is weird. It seems to mean that the error message about the "No
such file or directory" disappears when max_user_watches is set
adequately high, which seems pretty absurd. Looking at the version of
watch.c in
http://userspace.selinuxproject.org/trac/browser/policycoreutils/restorec...
it appears that the code which would be distinguishing the two cases
would have to be in inotify_add_watch() itself, and that it is giving
a "no such file or directory" errno when it should be setting ENOSPC.
Given that this seems unlikely, and given that the code at
http://userspace.selinuxproject.org/trac/browser/policycoreutils/restorec...
seems to make no provision at all for recursive inotify watches that
would implicate the default max_user_watches limit at all, I have to
think that RHEL6 is shipping something substantially different from
what's upstream at userspace.selinuxproject.org.
True?
Assuming RHEL6 has some distinctly different code in its current
policycoreutils package... is '~/*' genuinely supported as recursive?
Is restorecond truly giving the "no such file or directory" error only
when max_watches is set too low?
Do I need to just plan on giving up on the restorecond hammer, and am I
doomed to debug and fix the SELinux policy problems on these systems
that are causing files to be mislabeled in the first place?
Jon
--
-------------------------------------------------------------------------------
Jonathan Abbey jonabbey(a)arlut.utexas.edu
Applied Research Laboratories The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg
9 years, 7 months
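The two restorecond threads above turn on two numbers: what a single glob() of `~/*` actually covers, and how many inotify watches a genuinely recursive watch of /home would need against fs.inotify.max_user_watches (8192 by default on the boxes described). The script below is an added illustration, not code from the posts or from restorecond; it builds a small throwaway home tree (constructed, three users) and contrasts the top-level glob with a recursive directory count, then checks the two counts reported in the post against the default limit.

```python
import glob
import os
import tempfile

DEFAULT_MAX_USER_WATCHES = 8192  # the default the post measured on RHEL 6

def glob_targets(home):
    """What a '~/*' line covers for one user: the single glob() done in
    watch_list_add(), i.e. the top level of the home directory only."""
    return sorted(glob.glob(os.path.join(home, '*')))

def recursive_dirs(root):
    """Every directory under root: one inotify watch each would be needed to
    notice files created anywhere in the tree, which '~/*' does not do."""
    return sorted(d for d, _, _ in os.walk(root))

def max_user_watches():
    """Current fs.inotify.max_user_watches, or the default when unreadable."""
    try:
        with open('/proc/sys/fs/inotify/max_user_watches') as f:
            return int(f.read())
    except (OSError, ValueError):
        return DEFAULT_MAX_USER_WATCHES

def watch_budget(needed, limit):
    """Would a recursive watch set of `needed` directories fit under `limit`?"""
    return {'needed': needed, 'limit': limit, 'fits': needed <= limit}

def build_demo_home():
    """Construct a throwaway /home-like tree: three users, nested project dirs."""
    root = tempfile.mkdtemp(prefix='demo_home_')
    for user in ('alice', 'bob', 'carol'):
        for sub in ('', 'proj', 'proj/src', 'proj/src/deep'):
            os.makedirs(os.path.join(root, user, sub), exist_ok=True)
        open(os.path.join(root, user, 'notes.txt'), 'w').close()
    return root

if __name__ == '__main__':
    home = build_demo_home()
    alice = os.path.join(home, 'alice')
    print('~/* covers:', len(glob_targets(alice)), 'entries;',
          'recursive needs:', len(recursive_dirs(alice)), 'watches')
    # The two directory counts reported in the post, against the default limit.
    for count in (15640, 1018055):
        print(count, watch_budget(count, DEFAULT_MAX_USER_WATCHES))
    print('this host allows', max_user_watches(), 'watches per user')
```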
Why does my confined application fail to start?
by Göran Uddeborg
I'm trying to create a module for the Net ID electronic identification
system used in Sweden. With the standard policy, this does not work
with SELinux enabled, but works fine in permissive mode.
Net ID works as a plugin to Firefox. The plugin starts a separate
program "iid". This program needs access to some files in the user's
home directory, and also to open a graphical window for reading a
passphrase and the like.
My idea was to create a specific domain for this program, and try to
allow this domain as little as necessary. I'm working with this in
permissive mode, trying to check what it tries to do, and trying to find
the correct M4 macros to enable it.
One thing confuses me. If I try to run the same thing in enforcing
mode, the application doesn't come up at all. That's not surprising,
the new policy isn't finished yet.
But what IS surprising is I don't get any AVC telling me why. Even if
I rebuild with "semodule -DB" I only get a couple of comments about the
plugin-container not being allowed to read/write a unix_stream_socket
with the type xdm_t. As I understand it, that is unrelated and
normally dontaudited.
But then, why don't I get any AVCs? What is blocking without
telling?
For reference, I attach the policy as far as I've come. But note that
it is not under development. (But comments on mistakes I've made and
other suggestions are welcome in any case! :-)
# Module to make the NetID program run in its own domain, and be allowed to
# create the necessary files in the home directory.
module netid 1.10;
require {
    type mozilla_plugin_t;
    type tmpfs_t;
    all_kernel_class_perms
}
# Create a domain for NetID
type netid_t;
type netid_exec_t;
application_domain(netid_t, netid_exec_t)
domtrans_pattern(mozilla_plugin_t, netid_exec_t, netid_t)
# NetID files in the home directory
type netid_home_t;
userdom_user_home_content(netid_home_t)
rw_files_pattern(netid_t, netid_home_t, netid_home_t)
# NetID communicates with pcscd
pcscd_stream_connect(netid_t)
# Things needed to create the GUI
type netid_tmpfs_t;
userdom_user_tmpfs_file(netid_tmpfs_t)
manage_dirs_pattern(netid_t, netid_tmpfs_t, netid_tmpfs_t)
manage_files_pattern(netid_t, netid_tmpfs_t, netid_tmpfs_t)
fs_tmpfs_filetrans(netid_t, netid_tmpfs_t, { dir file })
xserver_user_x_domain_template(netid, netid_t, netid_tmpfs_t)
userdom_home_reader(netid_t) # Is this really necessary?
# NetID logs to a file in /tmp
userdom_manage_tmp_files(netid_t)
# File contexts (netid.fc)
HOME_DIR/\.iid(/.*)? gen_context(system_u:object_r:netid_home_t,s0)
/usr/bin/iid[.0-9]* -- gen_context(system_u:object_r:netid_exec_t,s0)
9 years, 7 months
Setting httpd fcontexts on apache files which are subsequently reverted.
by William Hargrove
I'm stuck with an selinux problem and I hope someone can point me in the right direction.
I have apache installed into some custom directories, and am adding fcontext entries to the file_context.local using the commands shown below. These commands are being executed via a puppet manifest, using execs, e.g.
exec{'fix_projects_apache_context':
  command   => "/usr/sbin/semanage fcontext -a -t httpd_exec_t '/opt/projects/apache(/.*)?' ; /sbin/restorecon -R -v /opt/projects/apache",
  user      => 'root',
  unless    => "/bin/grep '/opt/projects/apache(/.*)?' /etc/selinux/targeted/contexts/files/file_contexts.local",
  logoutput => 'true',
}
1. Executables in /opt/projects/apache/{bin,sbin,ssl}
/usr/sbin/semanage fcontext -a -t httpd_exec_t '/opt/projects/apache(/.*)?'; /sbin/restorecon -R -v /opt/projects/apache
2. Site configs in /etc/httpd-site1/{conf,conf.d} and /etc/httpd-site2/{conf,conf.d}
/usr/sbin/semanage fcontext -a -t httpd_config_t '/etc/httpd(.*)?/conf(.d)?(/.*)?' ; /sbin/restorecon -R -v /etc/httpd*/conf*
3. Logs in /var/mylogs/webserver
/usr/sbin/semanage fcontext -a -t httpd_log_t '/var/mylogs/webServer(/.*)?' ; /sbin/restorecon -R -v /var/mylogs/webServer
4. Webcontent in /mycontent/webcontent
/usr/sbin/semanage fcontext -a -t httpd_sys_content_t '/mycontent/webcontent(/.*)?' ; /sbin/restorecon -R -v /mycontent/webcontent
The issue I have is that these entries are initially set correctly, yet their contexts seem to be reverted on subsequent puppet runs and I cannot understand why. E.g. if I do:
ls -Z
-rw-r--r-- webservd webservd system_u:object_r:etc_t httpd.conf
which is incorrect, as matchpathcon reports the correct context:
matchpathcon /etc/httpd-site1/conf/httpd.conf
/etc/httpd-site1/conf/httpd.conf system_u:object_r:httpd_config_t
If I run restorecon, the correct contexts are applied, but after a period of time, the config will revert to that shown.
I have a local policy file which is loaded during the regular puppet runs, but my understanding is that this shouldn't affect the file labelling. It is as if a re-label occurs which ignores the settings in my file_context.local override.
Puppet doesn't seem to provide a very good way of managing fcontext settings on selinux files, at least for situations like mine with multiple files that are deployed from a config management system.
I'm happy to provide further information. System details are selinux-policy-2.4.6-338.el5, RHEL 5.9 (and seen on RHEL 6.4)
Many thanks, Will.
9 years, 7 months
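When matchpathcon agrees with the local spec but the file on disk keeps coming back as etc_t, the useful first step is a repeatable drift check: resolve each file against the file_contexts rules the same way matchpathcon does and diff that against `ls -Z`. The script below is an added example, not the poster's code or Puppet's; it embeds a constructed file_contexts excerpt (two generic distribution rules plus the four regexes from the post, with a local entry winning because the last matching spec is used) and the `ls -Z` line quoted above. Note that the regexes are case-sensitive, so `/var/mylogs/webServer` and `/var/mylogs/webserver` are different paths to the policy.

```python
import re
# Constructed excerpt: two generic rules from the distribution's file_contexts
# followed by the poster's file_contexts.local entries. libselinux reads
# file_contexts first, then file_contexts.local, and the last match wins.
FILE_CONTEXTS = """\
/.*                              system_u:object_r:default_t:s0
/etc/.*                          system_u:object_r:etc_t:s0
/opt/projects/apache(/.*)?       system_u:object_r:httpd_exec_t:s0
/etc/httpd(.*)?/conf(.d)?(/.*)?  system_u:object_r:httpd_config_t:s0
/var/mylogs/webServer(/.*)?      system_u:object_r:httpd_log_t:s0
/mycontent/webcontent(/.*)?      system_u:object_r:httpd_sys_content_t:s0
"""
# The `ls -Z` line quoted in the post (RHEL 5 format, no MLS level).
SAMPLE_LS_Z = "-rw-r--r-- webservd webservd system_u:object_r:etc_t httpd.conf\n"
SPEC_RE = re.compile(r'^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)$')

def load_specs(text):
    """Parse file_contexts lines into (compiled regex, file type, context)."""
    specs = []
    for line in text.splitlines():
        m = SPEC_RE.match(line.strip())
        if m and not line.lstrip().startswith('#'):
            specs.append((re.compile(m.group(1)), m.group(2), m.group(3)))
    return specs

def expected_type(specs, path):
    """Mini matchpathcon: regexes are anchored to the whole path, last match wins."""
    ctx = None
    for regex, _ftype, spec_ctx in specs:
        if regex.fullmatch(path):
            ctx = spec_ctx
    return ctx.split(':')[2] if ctx else None

def find_drift(specs, directory, ls_z_output):
    """Files whose on-disk type differs from the specs: [(path, actual, expected)].
    Run after each puppet run, this pins down which files were relabelled and to
    what before chasing which step did it."""
    drift = []
    for line in ls_z_output.splitlines():
        fields = line.split()          # mode owner group context name
        if len(fields) < 5:
            continue
        actual = fields[3].split(':')[2]
        path = directory.rstrip('/') + '/' + fields[4]
        want = expected_type(specs, path)
        if want and want != actual:
            drift.append((path, actual, want))
    return drift
SPECS = load_specs(FILE_CONTEXTS)
```

On a real box, replace FILE_CONTEXTS with the contents of /etc/selinux/targeted/contexts/files/file_contexts followed by file_contexts.local, and SAMPLE_LS_Z with `ls -Z` of the directory in question.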