transition from init_rc
by Tracy Reed
I think I'm really close to having this policy finished and working, just a
couple things to work out...
When I exercise my app and then run audit2allow, it says:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow myapp_t default_t:dir search;
allow myapp_t default_t:dir read;
allow myapp_t default_t:file execmod;
allow myapp_t myapp_bin_t:file write;
does it mean only the first line is a constraint violation? Or are all of
those constraint violations?
How does one typically deal with constraint violations? By attribute above I
suppose it means a type attribute but how do I know which one to add?
Then I have these:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow initrc_t default_t:file relabelto;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow initrc_t myapp_api_t:file relabelto;
The init script which starts the service relabels the files when the service
starts. I suspect this is a bad idea and I'm not sure why they are doing it. I
think they may be applying security categories here. We may have to find a
different way to approach that.
But how would I allow this if I wanted to?
Similarly:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow setfiles_t default_t:file relabelfrom;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow setfiles_t myapp_api_t:file relabelfrom;
etc...
This is all on CentOS 6.5.
Thanks!
--
Tracy Reed
7 years, 9 months
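The grouping question in the post above comes down to how audit2allow lays out its explanations: each "#!!!! ..." comment (and the "#Constraint rule:" text, when it prints one) is written immediately above the single rule it refers to, so a constraint-violation comment marks only the allow line that follows it, not the rest of the block. Which attribute to add comes from the constraint itself: the `t1 == attribute` / `t2 == attribute` terms in the violated `constrain`/`mlsconstrain` rule list the attributes that exempt a source or target type, and the setools `seinfo --constrain` output shows the loaded policy's constraints when audit2allow leaves that line empty. The parser below, an added example that is not code from the post nor from audit2allow/sepolgen, models that layout and reports which rules are flagged; the sample input is constructed from the output quoted in the post.

```python
"""Attach audit2allow's explanatory comments to the rules they annotate.

Added example; this is not code from the original post nor from
audit2allow/sepolgen. audit2allow writes each "#!!!! ..." comment (and the
"#Constraint rule:" text, when it prints one) immediately above the single
rule it refers to, so a constraint-violation comment marks only the rule
that follows it, not the rest of the block.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Only allow/dontaudit/auditallow rules are matched; everything else in an
# audit2allow dump (module/require lines, blank lines) is skipped.
RULE_RE = re.compile(
    r"^(?P<kind>allow|dontaudit|auditallow)\s+"
    r"(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+?);\s*$"
)
CONSTRAINT_MARK = "constraint violation"


@dataclass
class Rule:
    kind: str
    source: str
    target: str
    tclass: str
    perms: List[str]
    comments: List[str] = field(default_factory=list)

    @property
    def constraint_violation(self) -> bool:
        """True when audit2allow flagged this rule (not its neighbours)."""
        return any(CONSTRAINT_MARK in c for c in self.comments)

    def __str__(self) -> str:
        perms = self.perms[0] if len(self.perms) == 1 else "{ %s }" % " ".join(self.perms)
        return f"{self.kind} {self.source} {self.target}:{self.tclass} {perms};"


def parse_audit2allow(text: str) -> List[Rule]:
    """Turn audit2allow output into Rule objects, each with its own comments."""
    rules: List[Rule] = []
    pending: List[str] = []          # comment lines waiting for their rule
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            pending.append(line.lstrip("#").strip())
            continue
        m = RULE_RE.match(line)
        if m is None:
            pending = []             # comments never span a non-rule line
            continue
        perms = m.group("perms").strip("{} ").split()
        rules.append(Rule(m.group("kind"), m.group("src"), m.group("tgt"),
                          m.group("cls"), perms, pending))
        pending = []
    return rules


def constraint_violations(text: str) -> List[str]:
    """Rules that need an attribute change rather than a plain allow."""
    return [str(r) for r in parse_audit2allow(text) if r.constraint_violation]


# Constructed from the output quoted in the post (the constraint text after
# "#Contraint rule:" is empty there as well).
SAMPLE = """\
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow myapp_t default_t:dir search;
allow myapp_t default_t:dir read;
allow myapp_t default_t:file execmod;
allow myapp_t myapp_bin_t:file write;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow initrc_t default_t:file relabelto;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow initrc_t myapp_api_t:file relabelto;
"""

if __name__ == "__main__":
    for rule in parse_audit2allow(SAMPLE):
        flag = "CONSTRAINT" if rule.constraint_violation else "plain avc"
        print(f"{flag:10}  {rule}")
```

On the post's output this marks the `dir search` rule and the two `relabelto` rules only; the `dir read`, `execmod` and `file write` lines carry no comment of their own and are ordinary AVC denials that an allow rule satisfies.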
Subgit SELinux issue
by Matthew Saltzman
Subgit (www.subgit.com) is a system for reflecting Subversion
repository changes to a Git mirror or vice versa. In the former case,
it uses a pre-commit script to spawn a Java daemon that monitors and
mirrors the updates.
When run in enforcing mode, the daemon fails to start and the commit
fails when the spawn attempt times out. No error appears in the audit
log.
When run in permissive mode, the spawn succeeds and the commit works. The
program that is supposed to spawn the daemon has context
system_u:object_r:httpd_sys_script_exec_t:s0
The directory where the PID file is supposed to write its lock file is
The error reported by Subgit on failure is:
Failed to launch background translation process: timeout waiting
for pid file '/var/www/svn/FlopC++/subgit/daemon.pid
(FlopC++ is the repository name).
What policy change do I need to implement to make this work in
enforcing mode? Or how can I debug the process and what information
should I bring to the list for help?
Thanks in advance.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
7 years, 11 months
guest_t allowed to enter directories labelled with admin_home_t
by Mario Rosic
Hello,
The guest_t type is allowed to browse directories labelled with
admin_home_t but guest_t is not allowed to interact with any
non-directory files labelled with admin_home_t.
That looks inconsistent to me. Why should guest_t be allowed to enter
directories labelled with admin_home_t but not interact with any other
files? Is there a reasoning behind that (i.e. am I missing something) or
should I file a bug report?
In my opinion guest_t shouldn't be able to browse folders labelled with
admin_home_t.
Regards,
Mario
PS
That is on a RHEL7 machine.
7 years, 12 months
How to whitelist a user avc?
by Bruno Wolff III
I have a problem in F23 (that wasn't in F22), where getmail (or its feed
into qmail) doesn't work in enforcing mode. I first tried using audit2allow
to whitelist all of the avcs. That didn't work. Then I used semodule -DB
in case there was a don't audit rule and then used audit2allow again to
get the data for a local semodule and it still didn't work. I am seeing
a user avc in the logs, that I suspect isn't getting handled by
audit2allow, but I am not sure how to say it's OK or change things so I
don't hit it:
type=USER_AVC msg=audit(1443471901.485:584): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
I tried searching for some of the text, but I didn't find any relevant
references.
7 years, 12 months
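Both the Subgit post (what to bring to the list when enforcing mode fails silently) and the getmail post above turn on reading raw audit records. A kernel `type=AVC` record carries `denied { perms }` plus `scontext`/`tcontext`/`tclass` and, on newer kernels, `permissive=`; a `type=USER_AVC` record comes from a userspace object manager (pid=1 systemd in the getmail post) and wraps its payload in `msg='...'`. An "Unknown permission X for class Y" payload is libselinux reporting that the loaded policy does not define that permission at all, so there is no denial for audit2allow to turn into an allow rule; whether the access still succeeds depends on the policy's unknown-permission handling, which `sestatus` reports as "Policy deny_unknown status". The parser below is an added example, not code from either post, libselinux or the audit package; the AVC sample line is constructed in the shape of the Subgit case (the real label of the pid-file directory is not given in that post), and the USER_AVC line is the one quoted in the getmail post.

```python
"""Parse kernel AVC and userspace USER_AVC audit records into fields.

Added example; not code from the original posts, libselinux or audit.
A kernel AVC record carries denied={ perms } plus scontext/tcontext/tclass.
A USER_AVC record comes from a userspace object manager and wraps its payload
in msg='...'. An "Unknown permission X for class Y" payload means the loaded
policy does not define that permission, so there is no denial for
audit2allow to turn into an allow rule.
"""
import re
from typing import Dict, List

HEAD_RE = re.compile(r"^type=(\w+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value tokens; values may be "double-quoted", 'single-quoted' or bare.
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
DENIED_RE = re.compile(r"\b(denied|granted)\s*\{\s*([^}]*)\}")
UNKNOWN_PERM_RE = re.compile(r"Unknown permission (\S+) for class (\S+)")


def _kv(text: str) -> Dict[str, str]:
    return {k: v.strip("\"'") for k, v in KV_RE.findall(text)}


def parse_record(line: str) -> Dict[str, object]:
    """Return the security-relevant fields of one AVC or USER_AVC record."""
    head = HEAD_RE.match(line.strip())
    if head is None:
        raise ValueError("not an audit record: " + line)
    rtype, ts, serial, body = head.groups()
    rec: Dict[str, object] = {"type": rtype, "time": float(ts),
                              "serial": int(serial), "kind": "other", "perms": []}
    outer = _kv(body)
    if rtype == "AVC":
        payload, fields = body, outer
    elif rtype == "USER_AVC":
        # The object manager's message sits inside msg='...'; parse it again.
        payload = outer.get("msg", "")
        fields = _kv(payload)
        rec["subj"] = outer.get("subj")
    else:
        return rec
    unknown = UNKNOWN_PERM_RE.search(payload)
    if unknown:
        rec["kind"] = "unknown_permission"
        rec["perms"] = [unknown.group(1)]
        rec["tclass"] = unknown.group(2)
    else:
        m = DENIED_RE.search(payload)
        if m:
            rec["kind"] = m.group(1)          # "denied" or "granted"
            rec["perms"] = m.group(2).split()
    for key in ("scontext", "tcontext", "tclass", "comm", "exe", "permissive"):
        rec.setdefault(key, fields.get(key))
    return rec


def needs_policy_rule(rec: Dict[str, object]) -> bool:
    """True for denials audit2allow can act on; an unknown-permission record
    needs a policy that defines the permission, not an allow rule."""
    return rec["kind"] == "denied"


def report(lines: List[str]) -> List[str]:
    """One summary line per record, the shape of what to paste into a report."""
    out = []
    for line in lines:
        r = parse_record(line)
        if r["kind"] == "denied":
            out.append(f"{r['serial']}: denied {r['perms']} {r['scontext']} -> "
                       f"{r['tcontext']} class {r['tclass']} (permissive={r['permissive']})")
        elif r["kind"] == "unknown_permission":
            out.append(f"{r['serial']}: policy lacks permission {r['perms'][0]} on class "
                       f"{r['tclass']} (asked by {r['exe']})")
        else:
            out.append(f"{r['serial']}: {r['type']} record, nothing to allow")
    return out


SAMPLE_LOG = [
    # Constructed AVC denial in the shape of the Subgit case; the real target
    # label of the pid-file directory is not given in that post.
    'type=AVC msg=audit(1443400000.100:301): avc:  denied  { write } for  pid=2345 '
    'comm="java" name="subgit" dev="dm-0" ino=98765 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0',
    # Verbatim from the getmail post.
    "type=USER_AVC msg=audit(1443471901.485:584): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop "
    "for class system exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? "
    "terminal=?'",
]

if __name__ == "__main__":
    for summary in report(SAMPLE_LOG):
        print(summary)
```

If an enforcing-mode failure leaves nothing in the audit log at all, the usual next step is the one the getmail post already took: `semodule -DB` rebuilds the policy with dontaudit rules disabled, so suppressed denials become visible, and `semodule -B` restores them afterwards. The `permissive=` value in the AVC record tells you whether the denial was actually enforced.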
Re: [NEWBIE, HELP] Help on my first contact with selinux.
by Alec Leamas
On 21/09/15 19:39, Alec Leamas wrote:
> On 21/09/15 18:59, Miroslav Grepl wrote:
>> On 09/21/2015 02:13 PM, Daniel J Walsh wrote:
>>> Adding Miroslav Grepl, current maintainer of selinux-policy in RHEL,
>>> Fedora, Centos.
>>>
>>> Miroslav I guess it looks like we are not shipping lircd.pp
>>
>> About what system are we talking?
>>
>> We definitely ship lircd in Fedora/RHEL.
>>
>> # semodule -l |grep lircd
>> lircd
>>
>> https://github.com/fedora-selinux/selinux-policy/blob/f23-contrib/lircd.te
>>
>>
>> So if you see some issues and you use Fedora/RHEL, please open a new bug
>> or a new pull request against
Hm... for the lircd module I think I now understand why it exists. It's
defined for the kernel and describes permissions for the /dev/lirc[0-9]
devices, defining the type *lirc_device_t*. All this looks fine.
However, I think the kernel module name lircd is, well, "not ideal".
lircd is a user space daemon which basically isn't related to the
kernel devices in any specific way (although it is the primary user of
this interface). IMHO, the kernel selinux module should be named lirc,
leaving the *lircd* name open for the lircd user space daemon.
If it's complicated to change the kernel module name, we need a new name
for the lircd user-space daemon selinux module. It should _not_ be the
same as the kernel stuff since they are unrelated.
Thoughts?
Cheers!
--alec
7 years, 12 months
Packaging Icinga 2 requiring SELinux assistance
by Shawn Starr
Hello SELinux Fedora developers,
What is the process for packaging 3rd party SELinux
policies? The Icinga developers have been working on
this but in Fedora we have a package for each policy
type. Is the convention to merge this into the main
policy packages?
Thanks,
Shawn
8 years
Deep Dive into MLS/MCS
by Yan Naing Myint
Hello,
I'm new to this list.
I've been looking for a guide or documentation for MLS/MCS policy
implementation with SELinux. I've read all the documentations from CentOS,
RedHat, Fedora documentations. But, I'm still not clear enough to use it on
the production servers.
If it is okay, please kindly advise me of a guide or a documentation or a
link or something like that for me to read which would be more
helpful.
Regards,
--
Yan Naing Myint
8 years
[NEWBIE, HELP] Help on my first contact with selinux.
by Alec Leamas
Dear list,
I maintain the lirc package. This is basically a daemon handling IR
remotes, adding some flexibility and functionality to the kernel.
Recently we have moved from a model where the daemon runs as root to
running as a regular user. The test environment has been run with
selinux disabled, so we missed the selinux denials this created. Now, I
need to correct this - but I'm new to selinux and somewhat lost..
Reading the docs I have created a simple-minded patch[1]. Has anyone
time to give it a look and provide some feedback, direct or perhaps some
better links than I have found [2]? The patch does mute the AVC denials
messages, but I guess there are other things to think about (?)
Cheers!
--alec
[1] http://ur1.ca/nt44a
[2] https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
8 years