transition from init_rc
by Tracy Reed
I think I'm really close to having this policy finished and working, just a
couple things to work out...
When I exercise my app and then run audit2allow and it says:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow myapp_t default_t:dir search;
allow myapp_t default_t:dir read;
allow myapp_t default_t:file execmod;
allow myapp_t myapp_bin_t:file write;
does it mean only the first line is a constraint violation? Or are all of
those constraint violations?
How does one typically deal with constraint violations? By attribute above I
suppose it means a type attribute, but how do I know which one to add?
Then I have these:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow initrc_t default_t:file relabelto;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow initrc_t myapp_api_t:file relabelto;
The init script which starts the service relabels the files when the service
starts. I suspect this is a bad idea and I'm not sure why they are doing it. I
think they may be applying security categories here. We may have to find a
different way to approach that.
But how would I allow this if I wanted to?
Similarly:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow setfiles_t default_t:file relabelfrom;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow setfiles_t myapp_api_t:file relabelfrom;
etc...
This is all on CentOS 6.5.
Thanks!
--
Tracy Reed
8 years, 3 months
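Some background on that audit2allow comment, plus an added triage script that is not part of the original post: audit2allow prints the "constraint violation" line for an AVC whenever the loaded policy already contains an allow rule for that source, target, class and permission, so the denial cannot have come from a missing allow rule. In the CentOS 6 targeted (MCS) policy the constraints on file write/relabel permissions compare the MCS levels of the two contexts, so the first thing to check is whether the source's high level dominates the target's level (same or higher sensitivity, category set a superset). The script below parses AVC records and reports that comparison; the AVC lines are constructed samples, and the verdict is only a hint about where to look (the exact constraint text must be read from the policy). When the levels differ, the defensible fix is usually to correct how the files get their categories rather than to exempt the domain with an attribute.

```python
import re

# Constructed sample AVC records (not from the original post). The first has a
# target carrying categories the source lacks; the second has matching levels;
# the third has a source range whose high level covers the target's categories.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1433000000.101:201): avc:  denied  { relabelto } for  pid=2201 comm="chcon" name="api.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:myapp_api_t:s0:c10,c20 tclass=file
type=AVC msg=audit(1433000000.102:202): avc:  denied  { search } for  pid=2202 comm="myapp" name="data" dev="dm-0" ino=1235 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1433000000.103:203): avc:  denied  { relabelfrom } for  pid=2203 comm="setfiles" name="api.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:myapp_api_t:s0:c10,c20 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def parse_level(level):
    """'s0', 's0:c10,c20' or 's0:c0.c1023' -> (sensitivity number, frozenset of category numbers)."""
    sens, _, cats = level.partition(":")
    catset = set()
    if cats:
        for part in cats.split(","):
            if "." in part:                      # range such as c0.c1023
                lo, hi = part.split(".")
                catset.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                catset.add(int(part[1:]))
    return int(sens[1:]), frozenset(catset)


def split_context(ctx):
    """user:role:type:low[-high] -> (type, low level, high level)."""
    _user, _role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return typ, parse_level(low), parse_level(high or low)


def dominates(a, b):
    """MLS/MCS dominance: sensitivity not lower and category set a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def classify(line):
    """Return a triage record for one AVC line, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    styp, _slow, shigh = split_context(m["scontext"])
    ttyp, _tlow, thigh = split_context(m["tcontext"])
    verdict = "levels-compatible" if dominates(shigh, thigh) else "level-mismatch"
    return {"source": styp, "target": ttyp, "class": m["tclass"],
            "perms": m["perms"].split(), "verdict": verdict}


def triage(audit_text):
    """Triage every AVC record in a block of audit.log text."""
    return [r for r in (classify(l) for l in audit_text.splitlines()) if r]


if __name__ == "__main__":
    for rec in triage(SAMPLE_AUDIT):
        print("{source} -> {target}:{class} {perms}: {verdict}".format(**rec))
```

A record reported as level-mismatch points at the MCS constraint: the file carries categories the process does not have, which is exactly what happens when an init script or a tool assigns categories at start-up. A record reported as levels-compatible means the constraint being hit is something other than a plain level comparison, and the policy's constraint rules for that class and permission need to be read directly.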
Conflict between local module and local fcontext
by Robin Lee Powell
So I have a custom module that includes:
type lojban_logger_t;
type lojban_logger_exec_t;
application_domain( lojban_logger_t, lojban_logger_exec_t)
init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
(not sure if those are redundant?) and:
/srv/lojban/irclogs(/.*)? system_u:object_r:lojban_logger_t:s0
I've made a variety of changes with "semodule fcontext", including:
/srv/lojban system_u:object_r:httpd_user_content_t:s0
/srv/lojban(/.*)? system_u:object_r:httpd_user_content_t:s0
As a result, the changes in my module are ignored, and the files
end up with httpd_user_content_t
So I tried:
$ sudo semanage fcontext -a -t lojban_logger_t '/srv/lojban/irclogs(/.*)?'
ValueError: Type lojban_logger_t is invalid, must be a file or device type
Uhh.
I guess this means that the custom module's types can't be seen by
semanage?
So, what's the correct solution here?
--
http://intelligence.org/ : Our last, best hope for a fantastic future.
.i ko na cpedu lo nu stidi vau loi jbopre .i dafsku lu na go'i li'u .e
lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e
lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u
8 years, 7 months
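Two things explain what is observed above; the script that follows is an added illustration, not code from the original post. First, semanage rejects lojban_logger_t because it is a process domain (declared through application_domain/init_daemon_domain), while a file context entry needs a type that carries the file-type attribute; the log directory wants its own file type, for example one declared in the module with refpolicy's logging_log_file() interface (the name lojban_logger_log_t below is an assumption). Second, entries added with semanage fcontext go into file_contexts.local, which libselinux loads after the module-supplied file_contexts, and lookup returns the last matching entry regardless of how specific the regex is, so a local /srv/lojban(/.*)? entry shadows the module's /srv/lojban/irclogs(/.*)? entry. The emulation below reproduces that precedence on constructed spec lists so the shadowing can be seen before running restorecon.

```python
import re

# Constructed spec lists in file_contexts format: path regex, then context.
# The module file is what a policy module's .fc would install; the local file
# holds what `semanage fcontext -a` writes into file_contexts.local.
MODULE_SPECS = """\
# assumption: lojban_logger_log_t is a file type declared in the module
/srv/lojban/irclogs(/.*)?    system_u:object_r:lojban_logger_log_t:s0
"""

LOCAL_SPECS = """\
/srv/lojban                  system_u:object_r:httpd_user_content_t:s0
/srv/lojban(/.*)?            system_u:object_r:httpd_user_content_t:s0
"""


def parse_specs(text):
    """Parse spec lines into (compiled regex, optional file-type filter, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        ftype = fields[1] if len(fields) == 3 else None   # e.g. "--" or "-d" column
        specs.append((re.compile("^" + fields[0] + "$"), ftype, fields[-1]))
    return specs


def lookup(specs, path):
    """Return the context of the last matching spec, as libselinux does."""
    for regex, _ftype, ctx in reversed(specs):
        if regex.match(path):
            return ctx
    return None


def shadowing_entry(module_text, local_text, path):
    """Return the local regex that overrides the module's match for path, or None."""
    module_specs = parse_specs(module_text)
    local_specs = parse_specs(local_text)
    module_ctx = lookup(module_specs, path)
    combined_ctx = lookup(module_specs + local_specs, path)   # local loaded after module
    if module_ctx is None or combined_ctx == module_ctx:
        return None
    for regex, _ftype, ctx in reversed(local_specs):
        if regex.match(path):
            return regex.pattern[1:-1]
    return None


if __name__ == "__main__":
    p = "/srv/lojban/irclogs/2015-06.log"
    print("module alone :", lookup(parse_specs(MODULE_SPECS), p))
    print("with local   :", lookup(parse_specs(MODULE_SPECS) + parse_specs(LOCAL_SPECS), p))
    print("shadowed by  :", shadowing_entry(MODULE_SPECS, LOCAL_SPECS, p))
```

Once the shadowing entry is identified, the two ways out follow from the same precedence rule: remove the broader local entry with semanage fcontext -d, or add the irclogs rule locally as well (it is appended after the broader one, so it wins), using a file type rather than the process domain.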
man pages are in -devel package
by Ian Pilcher
Can someone please look at/fix this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=815137
This is a longstanding annoyance, and it should be a straightforward
packaging fix. If there's a reason that isn't the case, please note it
in the bug.
Thanks!
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
8 years, 8 months
fedora 22
by mark
Hi, folks,
My manager just updated his fedora box from 20 to 22, and it appears as
though selinux, in permissive mode, is logging *EVERY* command run by
the system as root to syslog, even though the auditd's running. I am
talking successes, not failures.
I've been googling, but haven't yet found how to change that so that
it's more normal, with only avc's showing in syslog.
Just looked, and see that setroubleshootd is installed, but not how to
tell systemd (which should die) to start it (if that's my answer).
mark
8 years, 8 months
[HEADS UP] SELinux policy store migration in Rawhide
by Petr Lautrbach
Hi everybody,
we will do an update of SELinux userspace tools
to 2015-02-02 release and selinux-policy packages as it was proposed in
"SELinux policy store migration" Fedora system wide change [1].
What does it mean for you:
1. You use only Fedora default SELinux policy.
You shouldn't notice any change but some performance improvements during
regular policy updates.
2. You have local changes in policy like changed booleans, adjusted SELinux
users, added or changed port or file context definitions made via the
"semanage" command.
You shouldn't notice any change. All local modifications should be handled
by migration process during packages update.
You can back up your settings using the command below before the update
happens.
# semanage export -f semanage.mods
3. You have your local SELinux policy modules
You shouldn't notice any change again. All modules should be migrated
during selinux-policy update.
Some modules could be incompatible with the new policy, so they'll
need to be migrated manually. If they are part of any Fedora package,
we will help with the migration. Just file a bug against the component and
add us to the CC field.
We are ready to help with other modules or issues with migration on
selinux(a)lists.fedoraproject.org mailing list.
[1] https://fedoraproject.org/wiki/Changes/SELinuxPolicyStoreMigration
Petr
--
Petr Lautrbach
8 years, 8 months
How to (or should I?) change unconfined_u to system_u for a file
by Jeff Boyce
Greetings -
I essentially have two questions here. First, I have a file that
needs the context changed and I don't have a clear understanding of the
proper syntax that should be used. Second, after doing some additional
reading through the SELinux manual and some Google searching, I realized
that I may be taking the wrong approach with this file. Then I ran
across Dan Walsh's blog dated April 23, 2013 (Subject: What is the
differences between user_home_dir_t and user_home_t) and realize that I
am likely not doing something the appropriate way. So I am looking for
someone to educate me on my error, the risks involved, and the proper
approach I should be using.
The issue: I have two shell files run by cron that rsync our file
server directories to two backup servers, one on-site (Bison) and one
off-site. The on-site cron has worked fine for years. I just set up the
off-site cron and it is blocked by SELinux. Looking at the context of
the files, the one that works is listed as system_u, while the one that
fails is listed as unconfined_u. So my first question is, what is the
proper syntax for changing the context of the second file so that it
matches the first one.
[root@sequoia home]# pwd
/home
[root@sequoia home]# ls -lZ | grep RsyncS
-rwxr--r--. root root system_u:object_r:home_root_t:s0 RsyncSequoiaToBison.sh
-rwxr--r--. root root unconfined_u:object_r:home_root_t:s0 RsyncSequoiaToOffsite.sh
Looking from a wider perspective, I have these shell files located in
/home. I am speculating now that for my objective, this might not be
the appropriate location for them, and is probably why SELinux is
blocking the new one I created for the off-site backup. So my second
question is more philosophical regarding what should be the location for
a shell file that is used by cron to rsync our files to a backup server.
Thanks, and please cc me directly as I only receive the daily
digest from the mailing list.
Jeff
--
Jeff Boyce
Meridian Environmental
www.meridianenv.com
8 years, 8 months
Sandbox Firefox
by Robert Gabriel
Hi,
I'm on Fedora 22 and trying:
sandbox -X -H home_sandbox -T tmp_sandbox -t sandbox_web_t firefox danwalsh.livejournal.com
which results in "Unable to connect" in the opened browser window.
First I had to:
grep Xephyr /var/log/audit/audit.log | audit2allow -M mypol
to get that working so far.
I thought "sandbox_web_t" allowed access to HTTP ports?
Trying "sandbox_net_t" yields no joy and only a "setenforce 0" allows
connections.
Any help appreciated.
Thank you.
8 years, 8 months