Re: RHEL 7 consoletype_exec interface issue
by Douglas Brown
Hi,
In RHEL 7 when using the userdom_unpriv_user_template interface to create a new role, it in turn uses the consoletype_exec interface; but when I attempt to insert a policy compiled with this, it says the type consoletype_exec_t doesn’t exist.
N.B. This works on RHEL 6.
Thanks,
Doug
6 years, 6 months
xinetd and su/runuser and dbus
by Troels Arvin
Hello,
Environment:
RHEL 7.2 with all the latest fixes.
The server has the Check_MK agent (check-mk-agent-1.2.6p16-3.el7.x86_64
from EPEL) installed, and the mk_postgres module has been activated by
symlinking /usr/share/check-mk-agent/available-plugins/mk_postgres to
/usr/share/check-mk-agent/plugins/mk_postgres
The agent plugin's code may be viewed here:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob;f=agents/plugins/mk_postgres;h=8333eee316a99e634394aee4f3048b6becc56d69;hb=c33010ba2d24c8b81c4e6221f3cd61bade7e7d9e
PostgreSQL version: rh-postgresql94-postgresql 9.4.6-1.el7.x86_64 (from
RHEL 7's software collections).
Trouble: The Check_MK agent response becomes very slow when the
mk_postgres agent plugin is activated -- to the extent that checks time
out, causing monitoring alerts and missing monitoring data.
Meanwhile, in /var/log/audit/audit.log:
type=USER_AVC msg=audit(1462018794.424:153): pid=704 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.19 spid=925 tpid=2851 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
The AVC denials pop up when the mk_postgres agent plugin performs a "su"
to "postgres". Changing the script to use "runuser" instead of "su" does
not help.
I've found two different ways to fix this; the latter seems best:
1. Stop the dbus.service and dbus.socket services. But this results in a
subsequent flood of messages like:
Apr 29 21:48:12 hostname su: pam_systemd(su-l:session): Failed to connect to system bus: Connection refused
2. Add the following SELinux module:
---------------------------------------
module inetd_dbus 1.0;
require {
type systemd_logind_t;
type inetd_child_t;
class dbus send_msg;
}
#============= systemd_logind_t ==============
allow systemd_logind_t inetd_child_t:dbus send_msg;
---------------------------------------
I wonder if the above SELinux module could become part of the main SELinux policy? If so, should I open a Bugzilla request for xinetd, dbus, or SELinux?
--
Regards,
Troels Arvin
7 years, 4 months
Error from Checkmodule for my policy
by amir sheng
I am writing a policy module on Fedora trying to limit running the who command to a specific user only. checkmodule issues the following error for my script:
Error 'syntax error' at token 'domain_auto_trans' on line 20
But I checked the syntax and there is no typo in it. Here is my whole script. What is the error in it?
module who 1.0;
require {
attribute domain;
attribute file_type;
attribute exec_type;
type sysadm_t;
attribute sysadm_r;
class process transition;
role sysadm_r; }
type who_t;
typeattribute who_t domain;
type who_exec_t;
typeattribute who_exec_t file_type;
typeattribute who_exec_t exec_type;
role sysadm_r types who_t;
domain_auto_trans (sysadm_t, who_exec_t, who_t)
Another problem is that when I transfer this script to CentOS, the checkmodule on CentOS issues other kinds of errors. Why does this happen? Do the kinds of errors differ between Fedora and CentOS?
7 years, 5 months
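Editor's note, not part of the thread: domain_auto_trans() is an m4 macro from the reference policy's support files (policy/support/misc_patterns.spt), not a statement the checkmodule parser knows. The selinux-policy-devel Makefile (make -f /usr/share/selinux/devel/Makefile who.pp) runs m4 over the .te before checkmodule sees it; feeding the file straight to checkmodule -M -m therefore fails at exactly that token. A second problem in the posted require block is "attribute sysadm_r;": sysadm_r is a role, and the "role sysadm_r;" line on the next line is the correct declaration. The Python below is an added example, not code from the post, that prints the same module with the macro replaced by the raw statements it stands for. The expansion is assumed to match the refpolicy definition of domain_auto_trans/domain_trans; the map permission is left optional because only policies built for kernels that define it will accept it in a require block.

```python
# Expansion of refpolicy's domain_auto_trans() into raw TE statements, so the
# module builds with a bare `checkmodule -M -m who.te -o who.mod`.
# Assumption: the statement list matches refpolicy's misc_patterns.spt; the
# `map` file permission is optional because older policies do not define it.


def expand_domain_auto_trans(source, entry, target, with_map=False):
    """Return the raw statements domain_auto_trans(source, entry, target) hides.

    domain_trans(): the source may execute the entrypoint file and transition
    to the target, the target may be entered only via that file and may signal
    its parent; domain_auto_trans() adds the type_transition that makes the
    switch automatic on execve().
    """
    file_perms = ["getattr", "open", "read", "execute"] + (["map"] if with_map else [])
    return [
        f"allow {source} {entry}:file {{ {' '.join(file_perms)} }};",
        f"allow {source} {target}:process transition;",
        f"dontaudit {source} {target}:process {{ noatsecure siginh rlimitinh }};",
        f"allow {target} {source}:process sigchld;",
        f"allow {target} {entry}:file entrypoint;",
        f"type_transition {source} {entry}:process {target};",
    ]


def who_module(with_map=False):
    """The posted 'who' module, with sysadm_r required as a role (not an attribute),
    every class/permission the expanded rules use declared, and the macro expanded."""
    file_perms = "getattr open read execute entrypoint" + (" map" if with_map else "")
    header = f"""module who 1.0;

require {{
\tattribute domain;
\tattribute file_type;
\tattribute exec_type;
\ttype sysadm_t;
\trole sysadm_r;
\tclass file {{ {file_perms} }};
\tclass process {{ transition sigchld noatsecure siginh rlimitinh }};
}}

type who_t;
typeattribute who_t domain;
type who_exec_t;
typeattribute who_exec_t file_type;
typeattribute who_exec_t exec_type;
role sysadm_r types who_t;
"""
    rules = expand_domain_auto_trans("sysadm_t", "who_exec_t", "who_t", with_map)
    return header + "\n".join(rules) + "\n"


if __name__ == "__main__":
    print(who_module())
```

Redirect the output to who.te and build it with checkmodule/semodule_package, or keep the macro and build with the devel Makefile instead; the two routes produce the same rules. Whichever route is used, the binary /usr/bin/who still has to be labelled who_exec_t (a file context entry plus restorecon) before the transition can fire.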
username.pem
by mark
Hi, folks,
Our system gets/creates /var/lib/ssh-x509-auth/<username>.pem, then
deletes it when they log out. selinux (in permissive mode) complains.
First, I changed the context to cert_t, and *now* it complains that
ksh93 wants write, etc. access on the directory. grep ssh-x509-auth
/var/log/audit/audit.log | audit2allow offers me this:
#============= sshd_t ==============
allow sshd_t cert_t:dir write;
allow sshd_t var_lib_t:file { write getattr create open ioctl };
So: first, is this an expected behavior; second, is that the correct
fcontext, and, finally, is it safe for me to create this as a local
policy?
Thanks in advance.
mark
7 years, 5 months
Re: SElinux Query
by Vit Mojzis
Hi,
I understand now.
As I wrote before, macros are basically just a way to specify multiple allow rules at once.
During policy compilation, macros are broken down to those individual allow rules. Therefore binary policy (which is used to make decisions on allowing/denying access) doesn't know about macros (it contains only individual "allow" rules).
Another thing is that you are looking at AVC denials (messages in audit.log) the wrong way. Since SELinux policy rules can only allow access (this is not entirely true, but for simplicity lets assume it is), you can't really violate them. When you tried to access the webpage after relabeling it, SELinux reported that there is no rule allowing such access (not that there is a rule prohibiting it).
In conclusion, SELinux AVC messages will always contain only specific types (never anything to do with macros).
If we look at an actual AVC message
type=AVC msg=audit(1363289005.532:184): avc: denied { read } for pid=29199 comm="Trace"
name="online" dev="sysfs" ino=30 scontext=staff_u:staff_r:googletalk_plugin_t
tcontext=system_u:object_r:sysfs_t tclass=file
There will always be a specific target type of the attempted access.
In this case the target context is
system_u:object_r:sysfs_t
(user:role:type)
And the target type is "sysfs_t" (specified in "base" policy module).
Hope this helps.
Vit Mojzis
SELinux Solutions
Red Hat, Inc.
----- Original Message -----
From: "Naina Emmanuel" <nemmanuel1992(a)gmail.com>
To: "Vit Mojzis" <vmojzis(a)redhat.com>
Sent: Tuesday, April 26, 2016 1:54:17 PM
Subject: Re: SElinux Query
Sir my task is to monitor logs (if violation occurs then I have to track
that violation has been occurred to which te file(module)) For this purpose
I have created violation to get logs, I created apache violation e.g
relabled the files, my web page under /var/www/html from
httpd_sys_content_t to var_t, in apache te httpd_sys_content_t is allowed
to access httpd while var_t under /var/www/html is not allowed so when I
accessed my webpage from browser it created violation and went to
/var/log/audit/audit.log but that was violation of allow rule in te I.e
allow httpd_t httpd_sys_content_t:dir list_dir_perms; NOW I want if some
macro (any macro) gets violated then what kind of logs I ll get...
Q1: How to create macro violation to see its logs in
/var/logs/audit/audit.log
Please provide some example/tutorial in which some macro violation has been
occurred so that I can monitor the logs... Hope sir u got my problem
Thanks
Engr. Naina Emmanuel
On Apr 22, 2016 2:43 PM, "Naina Emmanuel" <nemmanuel1992(a)gmail.com> wrote:
> good afternoon!
> i have a problem dealing with the logs,please tell how can we violate a
> macro/s (used in a module for example apache)
> and how to see their logs...
>
> *Engr. Naina Emmanuel*
> *Linux Essential Certified (LEPDC)*
> *Cisco Certified Network Associate (CCNA)*
>
> *Computer Engineering Department, UET Taxila*
>
> *Information Security, CS Department, CIIT Islamabad*
>
> On Thu, Apr 7, 2016 at 3:19 PM, Naina Emmanuel <nemmanuel1992(a)gmail.com>
> wrote:
>
>> thank you so much, i try this method!
>>
>> thanks once again for your positive response
>>
>> *Engr. Naina Emmanuel*
>> *Linux Essential Certified (LEPDC)*
>> *Cisco Certified Network Associate (CCNA)*
>>
>> *Computer Engineering Department, UET Taxila*
>>
>> *Information Security, CS Department, CIIT Islamabad*
>>
>> On Thu, Apr 7, 2016 at 2:01 AM, Vit Mojzis <vmojzis(a)redhat.com> wrote:
>>
>>> Hi,
>>> depends on the scale.
>>>
>>> If you just need to identify policy module of one specific service, try
>>> searching for the service name in “# semodule -l” output (modules are
>>> usually named after corresponding service).
>>>
>>> If that doesn't help (sometimes 1 module contains policy rules for more
>>> services), I would go with Lukas's suggestion, which was to download
>>> selinux-policy repository from github (
>>> https://github.com/fedora-selinux/selinux-policy) and search for
>>> selinux type of the service you are interested in.
>>>
>>> Let's say you want policy module of bluetooth daemon.
>>> # ps -efZ | grep bluetoothd
>>> system_u:system_r:bluetooth_t:s0 root 764 1 0 09:09 ?
>>> 00:00:00 /usr/libexec/bluetooth/bluetoothd
>>> Bluetoothd process has label of “bluetooth_t”.
>>>
>>> Search for “bluetooth_t” in selinux-policy repository (branch
>>> rawhide-contrib) shows that the type was defined in “bluetooth.te”.
>>> $ grep -R bluetooth_t
>>> bluetooth.te:type bluetooth_t;
>>>
>>> If you want to map all running services to their respective policy
>>> modules, fastest way would be to search for the type of running process in
>>> the file I enclosed to this email (all selinux policy modules in Fedora 23
>>> and types defined in them). Each line contains the following
>>> module_name:domain_types:resource_types
>>> I won't go into details since obtaining of this mapping is not so
>>> straight forward.
>>>
>>> Hope this helps.
>>>
>>> Vit Mojzis
>>> SELinux Solutions
>>> Red Hat, Inc.
>>>
>>> ----- Original Message -----
>>> From: "Lukas Vrabec" <lvrabec(a)redhat.com>
>>> To: selinux(a)lists.fedoraproject.org, "Vit Mojzis" <vmojzis(a)redhat.com>
>>> Sent: Thursday, April 7, 2016 10:20:57 AM
>>> Subject: Re: SElinux Query
>>>
>>> On 04/06/2016 08:04 PM, Naina Emmanuel wrote:
>>> > Thanks for the response...
>>> > Please tell that how can we map the service running to its module?
>>> > My use case is, ps -efZ will tell which services are running(enforced
>>> > modules) how can we map that running service to its module( that is
>>> > applying a policy to that Service?)
>>> >
>>>
>>> Vit Mojzis can help you here.
>>>
>>> > Thansk in advance
>>> >
>>> > Engr. Naina Emmanuel
>>> >
>>> > On Apr 5, 2016 2:51 PM, "Miroslav Grepl" <mgrepl(a)redhat.com
>>> > <mailto:mgrepl@redhat.com>> wrote:
>>> >
>>> > On 04/03/2016 10:20 AM, Naina Emmanuel wrote:
>>> > > Good Afternoon
>>> > > Can u please help me and tell...
>>> > > 1) how we can check, which policy modules are actually enforced?
>>> > means
>>> > > which services are being secured by selinux. because #semodule
>>> -l
>>> > gives
>>> > > loaded modules, but which are being secured how can we check
>>> that???*
>>> > > *
>>> >
>>> > Good point. You can play around
>>> >
>>> > $ seinfo -xadomain
>>> >
>>> > > 2) If i dont understand any macro, from where i can get its
>>> > description
>>> > > or help?*
>>> >
>>> > You are looking for
>>> >
>>> > $ firefox /usr/share/doc/selinux-policy/html/index.html
>>> >
>>> > $ rpm -qf /usr/share/doc/selinux-policy/html/index.html
>>> > selinux-policy-doc-3.13.1-180.fc25.noarch
>>> >
>>> > > thanks in advance
>>> > >
>>> > > Engr. Naina Emmanuel
>>> > > Linux Essential Certified (LEPDC)
>>> > > Cisco Certified Network Associate (CCNA)
>>> > > Computer Engineering Department, UET Taxila
>>> > > Information Security, CS Department, CIIT Islamabad
>>> > >
>>> > >
>>> > > --
>>> > > selinux mailing list
>>> > > selinux(a)lists.fedoraproject.org
>>> > <mailto:selinux@lists.fedoraproject.org>
>>> > >
>>> >
>>> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
>>> > >
>>> >
>>> >
>>> > --
>>> > Miroslav Grepl
>>> > Senior Software Engineer, SELinux Solutions
>>> > Red Hat, Inc.
>>> >
>>> >
>>> >
>>> > --
>>> > selinux mailing list
>>> > selinux(a)lists.fedoraproject.org
>>> >
>>> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
>>> >
>>>
>>>
>>> --
>>> Lukas Vrabec
>>> SELinux Solutions
>>> Red Hat, Inc.
>>>
>>
>>
>
7 years, 5 months
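Added example (the editor's, not code from any of the posts): a cut-down audit2allow that turns the USER_AVC from the xinetd/Check_MK post, the sysfs_t AVC quoted in the reply above, and two constructed sshd_t denials of the kind behind the audit2allow output in the username.pem post into a loadable .te module. It makes the point of the reply concrete: a denial records a source type, a target type, a class and a permission set, and nothing else, so the rule generated from it names exactly those types and never anything resembling an interface or macro. The sample log lines are embedded and marked as copied or constructed; on a real system the input would be the output of ausearch -m avc,user_avc. Such a module is the last resort: before loading one, check whether a boolean or an existing interface already grants the access.

```python
import re
from collections import defaultdict

# Sample denials. The first is the USER_AVC from the xinetd/Check_MK post, the
# second is the AVC quoted in the reply above; the last two are constructed to
# resemble the sshd_t denials that audit2allow summarised in the username.pem post.
SAMPLE_DENIALS = [
    "type=USER_AVC msg=audit(1462018794.424:153): pid=704 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  "
    "{ send_msg } for msgtype=method_return dest=:1.19 spid=925 tpid=2851 "
    "scontext=system_u:system_r:systemd_logind_t:s0 "
    "tcontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tclass=dbus "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
    "type=AVC msg=audit(1363289005.532:184): avc:  denied  { read } for  pid=29199 "
    "comm=\"Trace\" name=\"online\" dev=\"sysfs\" ino=30 "
    "scontext=staff_u:staff_r:googletalk_plugin_t tcontext=system_u:object_r:sysfs_t tclass=file",
    # constructed:
    "type=AVC msg=audit(1460000000.100:200): avc:  denied  { write } for  pid=1234 "
    "comm=\"ksh93\" name=\"ssh-x509-auth\" dev=\"dm-0\" ino=100 "
    "scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 "
    "tclass=dir",
    "type=AVC msg=audit(1460000000.100:201): avc:  denied  { create } for  pid=1234 "
    "comm=\"ksh93\" name=\"bob.pem\" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:cert_t:s0 tclass=file",
]

# AVC and USER_AVC carry the same four fields an allow rule is built from; the
# rest (pid, comm, path, dbus destination) is diagnostic context only.
DENIAL_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def denial_type(context):
    """user:role:type[:range] -> type, the only field a TE rule can refer to."""
    return context.split(":")[2]


def parse_denials(lines):
    """Yield (source_type, target_type, tclass, perms) per AVC/USER_AVC line."""
    for line in lines:
        m = DENIAL_RE.search(line)
        if not m:
            continue
        yield (denial_type(m.group("scontext")), denial_type(m.group("tcontext")),
               m.group("tclass"), frozenset(m.group("perms").split()))


def collect_rules(lines):
    """Merge denials sharing (source, target, class) into one permission set."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(lines):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def render_module(name, rules, version="1.0"):
    """Render a checkmodule-compatible .te. A loadable module only references
    types and classes owned by other modules, so every one it uses must appear
    in the require block or semodule refuses to link it."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    for cls in sorted(classes):
        out.append(f"\tclass {cls} {{ {' '.join(sorted(classes[cls]))} }};")
    out += ["}", ""]
    for src, tgt, cls in sorted(rules):
        perms = sorted(rules[(src, tgt, cls)])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("local_denials", collect_rules(SAMPLE_DENIALS)))
```

Run against the xinetd post's single USER_AVC the output is the inetd_dbus module from that post, line for line apart from the require block layout. The grouping step is also where audit2allow's over-permissiveness comes from: every permission ever denied for a (source, target, class) triple is folded into one rule, so a module generated from a week of logs grants the union of everything that was ever attempted.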
Re: SElinux Query
by Vit Mojzis
Hi,
audit logs can be found in /var/log/audit/audit.log (or /var/log/messages if the audit daemon is not running).
You can access audit messages using "ausearch" tool.
I'm not sure what you mean by violating a macro.
Policy modules define context for files and processes, together with rules specifying allowed access (which process can access what files).
Macros in policy files are just a way to specify multiple "allow" rules at once.
Access that is not explicitly allowed is denied.
To view such denials, run
#ausearch -m avc
For more info about AVC messages, please see
https://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.htm...
In order to violate policy, SELinux would have to be either in permissive mode, or disabled (either is strongly discouraged!).
Hope this helps.
Vit Mojzis
SELinux Solutions
Red Hat, Inc.
----- Original Message -----
From: "Naina Emmanuel" <nemmanuel1992(a)gmail.com>
To: "Vit Mojzis" <vmojzis(a)redhat.com>
Sent: Friday, April 22, 2016 11:43:40 AM
Subject: Re: SElinux Query
good afternoon!
i have a problem dealing with the logs,please tell how can we violate a
macro/s (used in a module for example apache)
and how to see their logs...
i have a task to monitor logs (violations) as MS project, so please help in
this regard
thanks in advance
*Engr. Naina Emmanuel*
*Linux Essential Certified (LEPDC)*
*Cisco Certified Network Associate (CCNA)*
*Computer Engineering Department, UET Taxila*
*Information Security, CS Department, CIIT Islamabad*
7 years, 5 months
A question about unconfined transitions.
by Robin Lee Powell
Does transitioning to unconfined_r/unconfined_t mean "I give up
selinux go away" or does it mean "I'm about to do root-ish things"?
I guess what I'm wondering is, is this:
rlpowell ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
really what's wanted for a system that's trying to use selinux to
the fullest, or is there some other role that more-accurately means
"I'm doing root-ish things now"?
7 years, 5 months
unconfineduser module?
by Robin Lee Powell
So my impression is that the "unconfined" module is the "man, users
do weird stuff" grabbag module, and that it is good and helpful to
run without it because *in theory*, nothing should actually need
the unconfined module to work.
I noticed on my system that there's also an unconfineduser module ,
but that I can't disable it:
# semodule -d unconfineduser
Failed to resolve 'unconfined_u' in selinuxuser statement at line 19116 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
semodule: Failed!
And so I'm vaguely curious as to what that module is for and how it
relates to the unconfined module; "man unconfined_selinux" does not
make it obvious.
7 years, 5 months
Help with custom policy package for CentOS-7 (1511), MariaDB 10.1.13,
NGINX 1.9.14, PHP-FPM and Redis
by Michael Stephenson
Hello,
I am new to selinux and new to this community, and I was wondering if someone could help me review two policies for a new web server I am preparing for release. (Apologies in advance if I am posting this in the wrong location.)
Software list:
CentOS 7.2.1511
MariaDB 10.1.13
NGINX 1.9.14
PHP 5.6
Redis 2.8.19
I have modified the web root and the mysql/mariadb data directory and it seems selinux does not like that at all. Below are some proposed modules from audit2allow. Was wondering if there are any red flags to using them in production. I got a little nervous when I read that "Modules created with audit2allow may allow more access than required. It is recommended that policy created with audit2allow be posted to an SELinux list, such as fedora-selinux-list, for review." https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/...
Any help greatly appreciated.
module phpfpmlocal 1.0;
require {
type redis_port_t;
type httpd_t;
type httpd_sys_content_t;
class tcp_socket name_connect;
class file { write create unlink setattr append };
class dir { write rmdir setattr remove_name create add_name };
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir { write rmdir setattr remove_name create add_name };
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file { write create unlink append setattr };
#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t redis_port_t:tcp_socket name_connect;
module http_t_filerename_local 1.0;
require {
type httpd_t;
type httpd_sys_content_t;
class file rename;
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file rename;
Also, can someone advise if using file_contexts.local is a good or bad practice, and what is the difference between using the .local v. creating a custom policy. Here is what I added to /etc/selinux/targeted/contexts/files/file_contexts.local. I am not sure if it is introducing any new risks by doing so.
/www/mysql(/.*)? system_u:object_r:mysqld_db_t:s0
/www/sites(/.*)? system_u:object_r:httpd_sys_content_t:s0
Thanks in advance,
Michael Stephenson
MS Information Systems, BS Computer Science
7 years, 5 months
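Added example, not code from the post: a small Python triage of the two audit2allow modules above. audit2allow prints "#!!!! This avc can be allowed using the boolean '...'" above a rule when the distribution policy already provides a switch for that access; such rules belong in setsebool -P, not in a custom module that re-grants them unconditionally. Here every rule carries such a hint, so the residual module is empty and no .pp needs to be built at all. The same function emits the semanage fcontext equivalents of the two file_contexts.local lines (semanage records the mapping in the policy store and regenerates file_contexts.local from it, which is the supported route) followed by the restorecon that actually changes the labels on disk. One caveat on httpd_unified, as the editor's observation: it lets httpd_t write to every httpd content type; if only a few directories under /www/sites must be writable, labelling just those httpd_sys_rw_content_t is the narrower fix and leaves the boolean off.

```python
import re

# Constructed input: the two audit2allow modules from the post, concatenated.
AUDIT2ALLOW_OUTPUT = """\
module phpfpmlocal 1.0;

require {
\ttype redis_port_t;
\ttype httpd_t;
\ttype httpd_sys_content_t;
\tclass tcp_socket name_connect;
\tclass file { write create unlink setattr append };
\tclass dir { write rmdir setattr remove_name create add_name };
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir { write rmdir setattr remove_name create add_name };

#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file { write create unlink append setattr };

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t redis_port_t:tcp_socket name_connect;

module http_t_filerename_local 1.0;

require {
\ttype httpd_t;
\ttype httpd_sys_content_t;
\tclass file rename;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file rename;
"""

# The two file_contexts.local lines from the post, as (regex, type) pairs.
FCONTEXTS = [
    ("/www/mysql(/.*)?", "mysqld_db_t"),
    ("/www/sites(/.*)?", "httpd_sys_content_t"),
]

BOOLEAN_HINT_RE = re.compile(r"^#!!!! This avc can be allowed using the boolean '(?P<name>[^']+)'")
ALLOW_RE = re.compile(r"^allow\s+\S+\s+\S+:\S+\s+.+;$")


def triage(text):
    """Split audit2allow output into (booleans to enable, allow rules with no boolean).

    A '#!!!!' hint applies only to the allow rule that follows it; any other
    statement in between (a new module header, a require block) cancels it.
    """
    booleans, residual, pending = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        hint = BOOLEAN_HINT_RE.match(line)
        if hint:
            pending = hint.group("name")
        elif ALLOW_RE.match(line):
            if pending is None:
                residual.append(line)
            elif pending not in booleans:
                booleans.append(pending)
            pending = None
        elif line and not line.startswith("#"):
            pending = None
    return booleans, residual


def fcontext_commands(mappings):
    """semanage equivalents of hand-written file_contexts.local lines, plus the
    restorecon runs without which the new mapping never reaches the filesystem."""
    cmds = [f"semanage fcontext -a -t {t} '{regex}'" for regex, t in mappings]
    cmds += [f"restorecon -Rv {regex.split('(')[0]}" for regex, _ in mappings]
    return cmds


def remediation(text, mappings=()):
    """Commands to run instead of loading the module, and whatever rules remain."""
    booleans, residual = triage(text)
    cmds = [f"setsebool -P {b} on" for b in booleans] + fcontext_commands(mappings)
    return cmds, residual


if __name__ == "__main__":
    cmds, residual = remediation(AUDIT2ALLOW_OUTPUT, FCONTEXTS)
    print("\n".join(cmds))
    print("rules still needing a custom module:", residual or "none")
```

If the residual list is not empty, that is the only part worth packaging as a module, and each remaining rule should first be checked against the policy's interfaces (sepolicy interface -l, or the HTML documentation in selinux-policy-doc) for a narrower, already-reviewed way to grant the same access.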
So many policies. Confused which one to select?
by amir sheng
I installed SELinux on Fedora 23 and the only policy I can see available is in the directory /etc/selinux/targeted/, so I can just load this policy in Apol. By using the Fedora 23 terminal to install policies (i.e., dnf install selinux-policy-*******) there are other different policies to install, whose names are:
(1) "selinux-policy-3.13.1.fc23.noarch"
(2)"selinux-policy-devel-3.13.1-152.fc23.noarch"
(3)"selinux-policy-doc-3.13.1-152.fc23.noarch"
(4)"selinux-policy-minimum-3.13.1-152.fc23.noarch"
(5)"selinux-policy-mls-3.13.1-158.11.fc23.noarch"
(6)"selinux-policy-sandbox-3.13.1-152.fc23.noarch"
(7)" selinux-policy-targeted-3.13.1-158.11.fc23.noarch"
What is the difference between these policies (especially between (1) and (7))? I found out some of them are already installed in my system. Where are the other policies' files that I can load into Apol and analyse? What are the differences?
7 years, 5 months