selinux September 2015

selinux@lists.fedoraproject.org

21 participants
21 discussions

transition from init_rc
by Tracy Reed 08 Dec '15

08 Dec '15

I think I'm really close to having this policy finished and working, just a couple things to work out... When I exercise my app and then run audit2allow and it says: #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow myapp_t default_t:dir search; allow myapp_t default_t:dir read; allow myapp_t default_t:file execmod; allow myapp_t myapp_bin_t:file write; does it mean only the first line is an constraint violation? Or are all of those constraint violations? How does one typically deal with constraint violations? By attribute above I suppose it means a type attribue but how do I know which one to add? Then I have these: #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow initrc_t default_t:file relabelto; #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow initrc_t myapp_api_t:file relabelto; The init script which starts the service relabels the files when the service starts. I suspect this is a bad idea and I'm not sure why they are doing it. I think they may be applying security categories here. We may have to find a different way to approach that. But how would I allow this if I wanted to? Similarly: #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow setfiles_t default_t:file relabelfrom; #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow setfiles_t myapp_api_t:file relabelfrom; etc... This is all on CentOS 6.5. Thanks! -- Tracy Reed

4 5

Subgit SELinux issue
by Matthew Saltzman 05 Oct '15

05 Oct '15

Subgit (www.subgit.com) is a system for reflecting Subversion repository changes to a Git mirror or vice versa. In the former case, it uses a pre-commit script to spawn a Java daemon that monitors and mirrors the updates. When run in enforcing mode, the daemon fails to start and the commit fails when the spawn attempt times out. No error appears in the audit log. When run in permissive mode, the spawn succeeds d the commit works. The program that is supposed to spawn the daemon has context system_u:object_r:httpd_sys_script_exec_t:s0 The directory where the PID file is supposed to write its lock file is The error reported by Subgit on failure is: Failed to launch background translation process: timeout waiting for pid file '/var/www/svn/FlopC++/subgit/daemon.pid (FlopC++ is the repository name). What policy change do I need to implement to make this work in enforcing mode? Or how can I debug the process and what information should I bring to the list for help? Thanks in advance. -- Matthew Saltzman Clemson University Math Sciences mjs AT clemson DOT edu

4 8

guest_t allowed to enter directories labelled with admin_home_t
by Mario Rosic 30 Sep '15

30 Sep '15

Hello, the guest_t type is allowed to browse directories labelled with admin_home_t but guest_t is not allowed to interact with any non-directory files labelled with admin_home_t. That looks inconsistent to me. Why should guest_t be allowed to enter directories labelled with admin_home_t but not interact with any other files? Is there a reasoning behind that (i.e. am I missing something) or should I file a bug report? In my opinion guest_t shouldn't be able to browse folders labelled with admin_home_t. Regards, Mario PS That is on a RHEL7 machine.

2 1

How to whitelist a user avc?
by Bruno Wolff III 30 Sep '15

30 Sep '15

I have a problem in F23 (that wasn't in F22), where getmail (or its feed into qmail) doesn't work in enforcing mode. I first tried using audit2allow to whitelist all of the avcs. That didn't work. Then I used semodule -DB in case there was a don't audit rule and then used audit2allow again to get the data for a local semodule and it still didn't work. I am seeing a user avc in the logs, that I suspect isn't getting handled by audit2allow, but I am not sure how to say its OK or change things so I don't hit it: type=USER_AVC msg=audit(1443471901.485:584): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' I tried searching for some of the text, but I didn't find any relevant references.

2 2

Re: [NEWBIE, HELP] Help on my first contact with selinux.
by Alec Leamas 29 Sep '15

29 Sep '15

On 21/09/15 19:39, Alec Leamas wrote: > On 21/09/15 18:59, Miroslav Grepl wrote: >> On 09/21/2015 02:13 PM, Daniel J Walsh wrote: >>> Adding Miroslav Grepl, current maintainer of selinux-policy in RHEL, >>> Fedora, Centos. >>> >>> Miroslav I guess it looks like we are not shipping licrd.pp >> >> About what system are we talking? >> >> We definitely ship lircd in Fedora/RHEL. >> >> # semodule -l |grep lircd >> lircd >> >> https://github.com/fedora-selinux/selinux-policy/blob/f23-contrib/lircd.te >> >> >> So if you see some issues and you use Fedora/RHEL, please open a new bug >> or a new pull request against Hm... for the lircd module I think I now understand why it exists. It's defined in for kernel and describes permissions for the /dev/lirc[0-9] devices, defining the type *lirc_device_t*. All this looks fine. However, I think the kernel module name lircd is, well, "not ideal". lircd is a user space daemon which basically isn't related to the kernel devices in any specific way (although it is the primary user of this interface). IMHO, the kernel selinux module should be named lirc, leaving the *lircd* name open for the lircd user space daemon. If it's complicated to change the kernel module name, we need a new name for the lircd user-space daemon selinux module. It should _not_ be the same as the kernel stuff since they are unrelated. Thoughts? Cheers! --alec

2 1

Packaging Icinga 2 requiring SELinux assistance
by Shawn Starr 23 Sep '15

23 Sep '15

Hello SELinux Fedora developers, What is the process for packaging 3rd party SELinux policies? the Icinga developers have been working on this but in Fedora we have a package for each policy type. Is the convention to merge this into the main policy packages? Thanks, Shawn

4 3

Updated Fedora policy github wiki page
by Miroslav Grepl 22 Sep '15

22 Sep '15

Hi folks, We are working on updated wiki for Fedora Policy github repository. It should help you to contribute and work together with us. See https://github.com/fedora-selinux/selinux-policy/wiki/HowToContribute https://github.com/fedora-selinux/selinux-policy/wiki/Packaging This is still in progress and your ideas are really welcomed. Thank you. -- Miroslav Grepl Senior Software Engineer, SELinux Solutions Red Hat, Inc.

1 0

Deep Dive into MLS/MCS
by Yan Naing Myint 20 Sep '15

20 Sep '15

Hello, I'm new to this list. I've been looking for a guide or documentation for MLS/MCS policy implementation with SELinux. I've read all the documentations from CentOS, RedHat, Fedora documentations. But, I'm still not clear enough to use it on the production servers. If it is okay, please kindly advice me to a guide or a documentation or a link or something like that for me to read which would be quite more helpful. Regards, -- Yan Naing Myint

2 1

[NEWBIE, HELP] Help on my first contact with selinux.
by Alec Leamas 19 Sep '15

19 Sep '15

Dear list, I maintain the lirc package. This is basically a daemon handling IR remotes, adding some flexibility and functionality to the kernel. Recently we have moved from a model where the daemon runs as root to running as a regular user. The test environment has been run with selinux disabled, so we missed the selinux denials this created. Now, I need to correct this - but I'm new to selinux and somewhat lost.. Reading the docs I have created a simple-minded patch[1]. Has anyone time to give it a look and provide some feedback, direct or perhaps some better links than I have found [2]? The patch does mute the AVC denials messages, but I guess there are other things to think about (?) Cheers! --alec [1] http://ur1.ca/nt44a [2] https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

2 1

Re: Labelling for RHEL 6 Software Collections
by Douglas Brown 17 Sep '15

17 Sep '15

Hi all, In a effort to transparently support packages installed from RHEL 6’s Software Collections channel, I’ve come up with this: semanage fcontext -a -e / '/opt/rh/([^/]+)/root’ Seems to work well; does anyone have any comments or suggestions about the use of Software Collections and labelling? If this is the right approach, could it be put into the selinux-policy rpm in the future or at least noted here: https://access.redhat.com/documentation/en-US/Red_Hat_Developer_Toolset/1/h… Thanks, Doug

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux September 2015