Re: RHEL 7 consoletype_exec interface issue
by Douglas Brown
Hi,
In RHEL 7 when using the userdom_unpriv_user_template interface to create a new role, it in turn uses the consoletype_exec interface; but when I attempt to insert a policy compiled with this, it says the type consoletype_exec_t doesn’t exist.
N.B. This works on RHEL 6.
Thanks,
Doug
6 years, 8 months
SELinux and relocatable RPMs
by Marko Rauhamaa
When creating an SELinux policy to go with my package, I write a .fc
file. However, the .fc file format does not seem amenable to relocatable
RPMs.
Is there a recommendation for how to handle the relocation in policies?
I wouldn't like to mandate a dependency on selinux-policy-devel.
Marko
7 years, 11 months
invalid security context, lpr_t
by Dr. Michael J. Chudobiak
Hi,
I've installed the Citrix Receiver rpm
(https://www.citrix.com/downloads/citrix-receiver/linux.html). The
citrix client runs, but doesn't see the local printers. The messages in
the audit log are not of the "normal" type, in my limited experience:
[root@daisy files]# audit2allow -a
libsepol.context_from_record: invalid security context:
"unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 to sid
libsepol.context_from_record: invalid security context:
"unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 to sid
It works fine in permissive mode.
Any pointers on how to fix this?
- Mike
7 years, 11 months
Re: Using interfaces with role statements fails to compile when used inside a tunable_policy block
by Douglas Brown
Hi,
It seems that if an interface has a role statement inside it, that interface can’t be used *inside* a tunable_policy block.
For example, the shutdown_run() interface causes this policy to fail compilation:
policy_module(test, 1.0.0)
require {
type staff_t;
role staff_r;
}
gen_tunable(staff_shutdown, false)
tunable_policy(`staff_shutdown', `
shutdown_run(staff_t,staff_r)
')
This is the error given:
test.te":10:ERROR 'syntax error' at token 'role' on line 3360:
role staff_r types shutdown_t;
#line 10
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/test.mod] Error 1
If I manually put the rules that interface generates into the tunable_policy block but place the role statement outside, it compiles fine. The rpm_run() interface also fails to compile when inside a tunable_policy block (presumably for the same reason).
Thanks,
Doug
7 years, 11 months
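The workaround the post describes, written out as an added example (it is not code from the original message and not refpolicy's own). Conditional blocks in the kernel policy language may only contain TE rules (allow, dontaudit, auditallow, type_transition and friends); a `role ... types ...;` statement is never conditional, which is why checkmodule rejects it inside tunable_policy(). The example assumes that shutdown_run($1, $2) is the refpolicy interface that expands to shutdown_domtrans($1) plus `role $2 types shutdown_t;`, and that the domain it transitions to is named shutdown_t; that type is added to the require block because the module now names it directly.

```selinux
policy_module(test, 1.0.0)

require {
	type staff_t;
	role staff_r;
	# assumption: shutdown_t is the domain shutdown_run() transitions into
	type shutdown_t;
}

gen_tunable(staff_shutdown, false)

# Role authorisation is not a conditional statement, so it is granted
# unconditionally, outside the tunable. On its own it grants nothing:
# without the transition rules below, staff_t has no allow rule or
# type_transition that lets it enter shutdown_t, so the boolean still
# gates the actual access.
role staff_r types shutdown_t;

tunable_policy(`staff_shutdown', `
	# Only the TE half of shutdown_run() goes inside the tunable:
	# the automatic domain transition staff_t -> shutdown_t when the
	# shutdown binary is executed.
	shutdown_domtrans(staff_t)
')
```

The same split applies to rpm_run() and any other *_run() interface that carries a role statement: keep the role line at module scope and put only the domtrans part inside the tunable.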
transition from init_rc
by Tracy Reed
I think I'm really close to having this policy finished and working, just a
couple things to work out...
When I exercise my app and then run audit2allow and it says:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow myapp_t default_t:dir search;
allow myapp_t default_t:dir read;
allow myapp_t default_t:file execmod;
allow myapp_t myapp_bin_t:file write;
does it mean only the first line is a constraint violation? Or are all of
those constraint violations?
How does one typically deal with constraint violations? By attribute above I
suppose it means a type attribute, but how do I know which one to add?
Then I have these:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow initrc_t default_t:file relabelto;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow initrc_t myapp_api_t:file relabelto;
The init script which starts the service relabels the files when the service
starts. I suspect this is a bad idea and I'm not sure why they are doing it. I
think they may be applying security categories here. We may have to find a
different way to approach that.
But how would I allow this if I wanted to?
Similarly:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow setfiles_t default_t:file relabelfrom;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow setfiles_t myapp_api_t:file relabelfrom;
etc...
This is all on CentOS 6.5.
Thanks!
--
Tracy Reed
7 years, 11 months
How to label rootfs at the build time?
by Srinivasa Rao Ragolu
Hi All,
I have ported the SELinux targeted policy (meta-selinux, yocto) to my embedded
platform. But my rootfs only gets labeled after the first boot. If I would
like to apply the policy or label my rootfs, what should I do?
Please suggest a way to enforce the policy and label the rootfs at build
time.
Thanks,
Srinivas.
7 years, 11 months
newly installed packages mislabeled?
by Chris Murphy
I see restorecon always relabels something, e.g. after doing dnf
upgrade I'll run restorecon and something or other is always reset.
I can't tell if this is a problem or not, but it seems to me the
selinux label for a current package should already be correctly set,
rather than depending on restorecon to reset them. Or is there more
than one valid labeling possible?
For example, the kernel packages are always affected. This is what I
got today after installing kernel 4.2.6-301
http://fpaste.org/295221/
I'm guessing it's the kernel package that's setting the kernel to
system_u:object_r:modules_object_t and then restorecon resets it to
system_u:object_r:boot_t:s0. So is this a nitpick difference, or
should I file a bug against the kernel package so it sets things
correctly from the outset? I don't think we should have to do a
restorecon after every dnf upgrade or install to make sure labeling is
correct.
Similarly, I get:
restorecon reset /sys/fs/cgroup context
system_u:object_r:tmpfs_t:s0->system_u:object_r:cgroup_t:s0
restorecon set context /sys/fs/cgroup->system_u:object_r:cgroup_t:s0
failed:'Read-only file system'
So, whatever is responsible for setting selinux labels on /sys/fs (?)
seems to set that incorrectly, and restorecon can't fix it because
it's an ro filesystem. So is that a bug and if so what should it be
filed against?
Thanks,
--
Chris Murphy
7 years, 11 months
Open vSwitch broken in Fedora 23?
by Ian Pilcher
Am I the only person who has found Open vSwitch to be totally broken (in
enforcing mode) on Fedora 23?
https://bugzilla.redhat.com/show_bug.cgi?id=1282638
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
8 years
boolean value had been reset after system-upgrade
by Shintaro Fujiwara
Hi, happy SELinux.
I have an AWS Fedora server with SELinux enabled.
I could system-upgrade from 22 to 23 all right, except one boolean option had
been reset to (off,off).
Why did the boolean value not survive the system-upgrade reboot?
Here's what I did.
------------------------------------------------------------------------------
# dnf update --refresh
# dnf install dnf-plugin-system-upgrade
# dnf system-upgrade download --releasever=23
# dnf system-upgrade reboot
I checked the web page and got:
ERROR: SQLSTATE[08006] [7] could not connect to server: Permission denied
Is the server running on host "localhost" (::1) and accepting TCP/IP
connections on port 5432? could not connect to server: Permission denied Is
the server running on host "localhost" (127.0.0.1) and accepting TCP/IP
connections on port 5432?
I knew I set some boolean --off to --on, so I grepped the boolean list.
# semanage boolean --list | grep httpd
I found this despite my definition.
httpd_can_network_connect_db (off , off) Allow httpd to can network
connect db
So, I set the value again.
# semanage boolean --modify httpd_can_network_connect_db --on
------------------------------------------------------------------------------------
No problem otherwise, thanks.
--
Linux Distribution Project
http://sourceforge.net/projects/pinkrabbitlinux/
A page working to establish heavy metal and hard rock in Japan
http://heavymetalhardrock.no-ip.info/
Free software that makes the secure OS SELinux easier to use worldwide
http://sourceforge.net/projects/segatex/
CMS (free software built with PHP and PostgreSQL)
http://sourceforge.net/projects/webon/
https://github.com/intrajp/irforum_jp
8 years
Semodule libsepol.permission_copy_callback permission not satisfied
by RIJKEN Jeroen
Dear all,
Let me begin by saying the SELinux installation I currently use is non-standard. The platform I work on officially only supports seedit for creating policies, however I simply prefer writing them by hand. Also, I don't have a GUI. I downloaded the RPM selinux-policy and installed it, providing the necessary files in /usr/share/selinux/devel for compiling the policies. The compilation of policies works, installing them with semodule doesn't. The following error is produced:
[CODE]
root@_________:/root/thales_logging> make -f /usr/share/selinux/devel/Makefile thales_logging.pp
Compiling wr-standard thales_logging module
/usr/bin/checkmodule: loading policy configuration from tmp/thales_logging.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/thales_logging.mod
Creating wr-standard thales_logging.pp policy package
rm tmp/thales_logging.mod tmp/thales_logging.mod.fc
root@_________:/root/thales_logging> semodule -i thales_logging.pp
libsepol.permission_copy_callback: Module thales_logging depends on permission audit_access in class dir, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
[/CODE]
What does this error mean?
The system is running Wind River Linux. I have to write the log files to a file under /opt (non-ramdisk), which is labeled with usr_t. The directories inside /opt have the proper labels. Below is the .te file:
[CODE]
policy_module(thales_logging, 0.1)
########################################
#
# Declarations
#
gen_require(`
type usr_t;
type auditctl_t;
type syslogd_t;
type var_log_t;
type audit_log_t;
type syslogd_initrc_exec_t;
')
########################################
#
# thales_logging local policy
#
allow auditctl_t usr_t:dir { getattr ioctl read search };
allow auditctl_t usr_t:lnk_file { getattr ioctl read };
#allow syslogd_t usr_t:dir { getattr ioctl read search };
[/CODE]
The .fc file:
[CODE]
/etc/init.d/syslog-ng -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
/opt/platform_log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/opt/platform_log/audit(/.*)? gen_context(system_u:object_r:audit_log_t,s0)
[/CODE]
No .if is present, the one generated when compiling is empty.
Thanks in advance,
Jeroen
8 years