selinux April 2016

selinux@lists.fedoraproject.org

13 participants
13 discussions

Re: RHEL 7 consoletype_exec interface issue
by Douglas Brown 27 Mar '17

27 Mar '17

Hi, In RHEL 7 when using the userdom_unpriv_user_template interface to create a new role, it in turn uses the consoletype_exec interface; but when I attempt to insert a policy compiled with this, it says the type consoletype_exec_t doesn’t exist. N.B. This works on RHEL 6. Thanks, Doug

3 2

xinetd and su/runuser and dbus
by Troels Arvin 08 May '16

08 May '16

Hello, Environment: RHEL 7.2 with all the latest fixes. The server has the Check_MK agent (check-mk-agent-1.2.6p16-3.el7.x86_64 from EPEL) installed, and the mk_postgres module has been activated by symlinking /usr/share/check-mk-agent/available-plugins/mk_postgres to /usr/share/check-mk-agent/plugins/mk_postgres The agent plugin's code may be viewed here: http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob;f=agents/plugins/ mk_postgres;h=8333eee316a99e634394aee4f3048b6becc56d69;hb=c33010ba2d24c8b81c4e6221f3cd61bade7e7d9e PostgreSQL version: rh-postgresql94-postgresql 9.4.6-1.el7.x86_64 (from RHEL 7's software collections). Trouble: The Check_MK agent reponse becomes very slow when the mk_postgres agent plugin is activated -- to the extend that checks time out, causing monitoring alerts and missing monitoring data. Meanwhile, in /var/log/audit/audit.log: type=USER_AVC msg=audit(1462018794.424:153): pid=704 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0- s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.19 spid=925 tpid=2851 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' The AVC denials pop up when the mk_postgres agent plugin performs a "su" to "postgres". Changing the script to use "runuser" instead of "su" does not help. I've found two different ways to fix this; the latter seems best: 1. Stop the dbus.service and dbus.socket services. But this results in a subsequent flood of messages like: Apr 29 21:48:12 hostname su: pam_systemd(su-l:session): Failed to connect to system bus: Connection refused 2. Add the following SELinux module: --------------------------------------- module inetd_dbus 1.0; require { type systemd_logind_t; type inetd_child_t; class dbus send_msg; } #============= systemd_logind_t ============== allow systemd_logind_t inetd_child_t:dbus send_msg; --------------------------------------- I wonder if the above SELinux module could become part of the main SELinux policy? If so, should I open a Bugzilla request for xinetd, dbus, or SELinux? -- Regards, Troels Arvin

2 2

Error from Checkmodule for my policy
by amir sheng 27 Apr '16

27 Apr '16

I am writing a policy module on Fedora trying to limit running the who command only to specific user. Checkmodule issues following error for my script : Error 'syntax error' at token 'domain_auto_trans' on line 20 But I checked the syntax and there is no typo in it. Here is my whole script. What is the error in it? module who 1.0; require { attribute domain; attribute file_type; attribute exec_type; type sysadm_t; attribute sysadm_r; class process transition; role sysadm_r; } type who_t; typeattribute who_t domain; type who_exec_t; typeattribute who_exec_t file_type; typeattribute who_exec_t exec_type; role sysadm_r types who_t; domain_auto_trans (sysadm_t, who_exec_t, who_t) Another problem is that when I transfer this script to Centos, checkmodule of centos issues other kind of errors. Why this happens? Kinds of errors differ by fedora or centos?

3 8

username.pem
by mark 27 Apr '16

27 Apr '16

Hi, folks, Our system gets/creates /var/lib/ssh-x509-auth/<username>,pem, then deletes it when the log out. selinux (in permissive mode) complains. First, I changed the context to cert_t, and *now* it complains that ksh93 wants write, etc access on the directory. grep ssh-x509-auth /var/log/audit/audit.log | audit2allow offers me this: #============= sshd_t ============== allow sshd_t cert_t:dir write; allow sshd_t var_lib_t:file { write getattr create open ioctl }; So: first, is this an expected behavior; second, is that the correct fcontext, and, finally, is it safe for me to create this as a local policy? Thanks in advance. mark

2 3

Re: SElinux Query
by Vit Mojzis 26 Apr '16

26 Apr '16

Hi, I understand now. As I wrote before, macros are basically just a way to specify multiple allow rules at once. During policy compilation, macros are broken down to those individual allow rules. Therefore binary policy (which is used to make decisions on allowing/denying access) doesn't know about macros (it contains only individual "allow" rules). Another thing is that you are looking at AVC denials (messages in audit.log) the wrong way. Since SELinux policy rules can only allow access (this is not entirely true, but for simplicity lets assume it is), you can't really violate them. When you tried to access the webpage after relabeling it, SELinux reported that there is no rule allowing such access (not that there is a rule prohibiting it). In conclusion, SELinux AVC messages will always contain only specific types (never anything to do with macros). If we look at an actual AVC message type=AVC msg=audit(1363289005.532:184): avc: denied { read } for pid=29199 comm="Trace" name="online" dev="sysfs" ino=30 scontext=staff_u:staff_r:googletalk_plugin_t tcontext=system_u:object_r:sysfs_t tclass=file There will always be a specific target type of the attempted access. In this case the target context is system_u:object_r:sysfs_t (user:role:type) And the target type is "sysfs_t" (specified in "base" policy module). Hope this helps. Vit Mojzis SELinux Solutions Red Hat, Inc. ----- Original Message ----- From: "Naina Emmanuel" <nemmanuel1992(a)gmail.com> To: "Vit Mojzis" <vmojzis(a)redhat.com> Sent: Tuesday, April 26, 2016 1:54:17 PM Subject: Re: SElinux Query Sir my task is to monitor logs (if violation occurs then I have to track that violation has been occurred to which te file(module)) For this purpose I have created violation to get logs, I created apache violation e.g relabled the files, my web page under /var/www/html from httpd_sys_content_t to var_t, in apache te httpd_sys_content_t is allowed to access httpd while var_t under /var/www/html is not allowed so when I accessed my webpage from browser it created violation and went to /var/log/audit/audit.log but that was violation of allow rule in te I.e allow httpd_t httpd_sys_content_t:dir list_dir_perms; NOW I want if some macro (any macro) gets violated then what kind of logs I ll get... Q1: How to create macro violation to see its logs in /var/logs/audit/audit.log Please provide some example/tutorial in which some macro violation has been occurred so that I can monitor the logs... Hope sir u got my problem Thanks Engr. Naina Emmanuel On Apr 22, 2016 2:43 PM, "Naina Emmanuel" <nemmanuel1992(a)gmail.com> wrote: > good afternoon! > i have a problem dealing with the logs,please tell how can we violate a > macro/s (used in a module for example apache) > and how to see their logs... > > i have a task to monitor logs (violations) as MS project, so please help > in this regard > > thanks in advance > > > > > > > > > > *Engr. Naina Emmanuel* > *Linux Essential Certified (LEPDC)* > *Cisco Certified Network Associate (CCNA)* > > *Computer Engineering Department, UET Taxila* > > *Information Security, CS Department, CIIT Islamabad* > > On Thu, Apr 7, 2016 at 3:19 PM, Naina Emmanuel <nemmanuel1992(a)gmail.com> > wrote: > >> thank you so much, i try this method! >> >> thanks once again for your positive response >> >> >> >> >> >> >> >> >> >> *Engr. Naina Emmanuel* >> *Linux Essential Certified (LEPDC)* >> *Cisco Certified Network Associate (CCNA)* >> >> *Computer Engineering Department, UET Taxila* >> >> *Information Security, CS Department, CIIT Islamabad* >> >> On Thu, Apr 7, 2016 at 2:01 AM, Vit Mojzis <vmojzis(a)redhat.com> wrote: >> >>> Hi, >>> depends on the scale. >>> >>> If you just need to identify policy module of one specific service, try >>> searching for the service name in “# semodule -l” output (modules are >>> usually named after corresponding service). >>> >>> If that doesn't help (sometimes 1 module contains policy rules for more >>> services), I would go with Lukas's suggestion, which was to download >>> selinux-policy repository from github ( >>> https://github.com/fedora-selinux/selinux-policy) and search for >>> selinux type of the service you are interested in. >>> >>> Let's say you want policy module of bluetooth daemon. >>> # ps -efZ | grep bluetoothd >>> system_u:system_r:bluetooth_t:s0 root 764 1 0 09:09 ? >>> 00:00:00 /usr/libexec/bluetooth/bluetoothd >>> Bluetoothd process has label of “bluetooth_t”. >>> >>> Search for “bluetooth_t” in selinux-policy repository (branch >>> rawhide-contrib) shows that the type was defined in “bluetooth.te”. >>> $ grep -R bluetooth_t >>> bluetooth.te:type bluetooth_t; >>> >>> If you want to map all running services to their respective policy >>> modules, fastest way would be to search for the type of running process in >>> the file I enclosed to this email (all selinux policy modules in Fedora 23 >>> and types defined in them). Each line contains the following >>> module_nameomain_types:resource_types >>> I won't go into details since obtaining of this mapping is not so >>> straight forward. >>> >>> Hope this helps. >>> >>> Vit Mojzis >>> SELinux Solutions >>> Red Hat, Inc. >>> >>> ----- Original Message ----- >>> From: "Lukas Vrabec" <lvrabec(a)redhat.com> >>> To: selinux(a)lists.fedoraproject.org, "Vit Mojzis" <vmojzis(a)redhat.com> >>> Sent: Thursday, April 7, 2016 10:20:57 AM >>> Subject: Re: SElinux Query >>> >>> On 04/06/2016 08:04 PM, Naina Emmanuel wrote: >>> > Thanks for the response... >>> > Please tell that how can we map the service running to its module? >>> > My use case is, ps -efZ will tell which services are running(enforced >>> > modules) how can we map that running service to its module( that is >>> > applying a policy to that Service?) >>> > >>> >>> Vit Mojzis can help you here. >>> >>> > Thansk in advance >>> > >>> > Engr. Naina Emmanuel >>> > >>> > On Apr 5, 2016 2:51 PM, "Miroslav Grepl" <mgrepl(a)redhat.com >>> > <mailto:mgrepl@redhat.com>> wrote: >>> > >>> > On 04/03/2016 10:20 AM, Naina Emmanuel wrote: >>> > > Good Afternoon >>> > > Can u please help me and tell... >>> > > 1) how we can check, which policy modules are actually enforced? >>> > means >>> > > which services are being secured by selinux. because #semodule >>> -l >>> > gives >>> > > loaded modules, but which are being secured how can we check >>> that???* >>> > > * >>> > >>> > Good point. You can play around >>> > >>> > $ seinfo -xadomain >>> > >>> > > 2) If i dont understand any macro, from where i can get its >>> > description >>> > > or help?* >>> > >>> > You are looking for >>> > >>> > $ firefox /usr/share/doc/selinux-policy/html/index.html >>> > >>> > $ rpm -qf /usr/share/doc/selinux-policy/html/index.html >>> > selinux-policy-doc-3.13.1-180.fc25.noarch >>> > >>> > > * >>> > > * >>> > > * >>> > > * >>> > > *thanks in advance >>> > > * >>> > > * >>> > > * >>> > > * >>> > > * >>> > > /Engr. Naina Emmanuel/* >>> > > *Linux Essential Certified (LEPDC)** >>> > > * >>> > > *Cisco Certified Network Associate (CCNA)* >>> > > *Computer Engineering Department, UET Taxila >>> > > * >>> > > *Information Security, CS Department, CIIT Islamabad >>> > > * >>> > > >>> > > >>> > > -- >>> > > selinux mailing list >>> > > selinux(a)lists.fedoraproject.org >>> > <mailto:selinux@lists.fedoraproject.org> >>> > > >>> > >>> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org >>> > > >>> > >>> > >>> > -- >>> > Miroslav Grepl >>> > Senior Software Engineer, SELinux Solutions >>> > Red Hat, Inc. >>> > >>> > >>> > >>> > -- >>> > selinux mailing list >>> > selinux(a)lists.fedoraproject.org >>> > >>> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org >>> > >>> >>> >>> -- >>> Lukas Vrabec >>> SELinux Solutions >>> Red Hat, Inc. >>> >> >> >

1 0

Re: SElinux Query
by Vit Mojzis 26 Apr '16

26 Apr '16

Hi, audit logs can be found in /var/log/audit/audit.log (or /var/log/messages if the audit daemon is not running). You can access audit messages using "ausearch" tool. I'm not sure what you mean by violating a macro. Policy modules define context for files and processes, together with rules specifying allowed access (which process can access what files). Macros in policy files are just a way to specify multiple "allow" rules at once. Access that is not explicitly allowed is denied. To view such denials, run #ausearch -m avc For more info about AVC messages, please see https://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#… In order to violate policy, SELinux would have to be either in permissive mode, or disabled (either is strongly discouraged!). Hope this helps. Vit Mojzis SELinux Solutions Red Hat, Inc. ----- Original Message ----- From: "Naina Emmanuel" <nemmanuel1992(a)gmail.com> To: "Vit Mojzis" <vmojzis(a)redhat.com> Sent: Friday, April 22, 2016 11:43:40 AM Subject: Re: SElinux Query good afternoon! i have a problem dealing with the logs,please tell how can we violate a macro/s (used in a module for example apache) and how to see their logs... i have a task to monitor logs (violations) as MS project, so please help in this regard thanks in advance *Engr. Naina Emmanuel* *Linux Essential Certified (LEPDC)* *Cisco Certified Network Associate (CCNA)* *Computer Engineering Department, UET Taxila* *Information Security, CS Department, CIIT Islamabad* On Thu, Apr 7, 2016 at 3:19 PM, Naina Emmanuel <nemmanuel1992(a)gmail.com> wrote: > thank you so much, i try this method! > > thanks once again for your positive response > > > > > > > > > > *Engr. Naina Emmanuel* > *Linux Essential Certified (LEPDC)* > *Cisco Certified Network Associate (CCNA)* > > *Computer Engineering Department, UET Taxila* > > *Information Security, CS Department, CIIT Islamabad* > > On Thu, Apr 7, 2016 at 2:01 AM, Vit Mojzis <vmojzis(a)redhat.com> wrote: > >> Hi, >> depends on the scale. >> >> If you just need to identify policy module of one specific service, try >> searching for the service name in “# semodule -l” output (modules are >> usually named after corresponding service). >> >> If that doesn't help (sometimes 1 module contains policy rules for more >> services), I would go with Lukas's suggestion, which was to download >> selinux-policy repository from github ( >> https://github.com/fedora-selinux/selinux-policy) and search for selinux >> type of the service you are interested in. >> >> Let's say you want policy module of bluetooth daemon. >> # ps -efZ | grep bluetoothd >> system_u:system_r:bluetooth_t:s0 root 764 1 0 09:09 ? >> 00:00:00 /usr/libexec/bluetooth/bluetoothd >> Bluetoothd process has label of “bluetooth_t”. >> >> Search for “bluetooth_t” in selinux-policy repository (branch >> rawhide-contrib) shows that the type was defined in “bluetooth.te”. >> $ grep -R bluetooth_t >> bluetooth.te:type bluetooth_t; >> >> If you want to map all running services to their respective policy >> modules, fastest way would be to search for the type of running process in >> the file I enclosed to this email (all selinux policy modules in Fedora 23 >> and types defined in them). Each line contains the following >> module_nameomain_types:resource_types >> I won't go into details since obtaining of this mapping is not so >> straight forward. >> >> Hope this helps. >> >> Vit Mojzis >> SELinux Solutions >> Red Hat, Inc. >> >> ----- Original Message ----- >> From: "Lukas Vrabec" <lvrabec(a)redhat.com> >> To: selinux(a)lists.fedoraproject.org, "Vit Mojzis" <vmojzis(a)redhat.com> >> Sent: Thursday, April 7, 2016 10:20:57 AM >> Subject: Re: SElinux Query >> >> On 04/06/2016 08:04 PM, Naina Emmanuel wrote: >> > Thanks for the response... >> > Please tell that how can we map the service running to its module? >> > My use case is, ps -efZ will tell which services are running(enforced >> > modules) how can we map that running service to its module( that is >> > applying a policy to that Service?) >> > >> >> Vit Mojzis can help you here. >> >> > Thansk in advance >> > >> > Engr. Naina Emmanuel >> > >> > On Apr 5, 2016 2:51 PM, "Miroslav Grepl" <mgrepl(a)redhat.com >> > <mailto:mgrepl@redhat.com>> wrote: >> > >> > On 04/03/2016 10:20 AM, Naina Emmanuel wrote: >> > > Good Afternoon >> > > Can u please help me and tell... >> > > 1) how we can check, which policy modules are actually enforced? >> > means >> > > which services are being secured by selinux. because #semodule -l >> > gives >> > > loaded modules, but which are being secured how can we check >> that???* >> > > * >> > >> > Good point. You can play around >> > >> > $ seinfo -xadomain >> > >> > > 2) If i dont understand any macro, from where i can get its >> > description >> > > or help?* >> > >> > You are looking for >> > >> > $ firefox /usr/share/doc/selinux-policy/html/index.html >> > >> > $ rpm -qf /usr/share/doc/selinux-policy/html/index.html >> > selinux-policy-doc-3.13.1-180.fc25.noarch >> > >> > > * >> > > * >> > > * >> > > * >> > > *thanks in advance >> > > * >> > > * >> > > * >> > > * >> > > * >> > > /Engr. Naina Emmanuel/* >> > > *Linux Essential Certified (LEPDC)** >> > > * >> > > *Cisco Certified Network Associate (CCNA)* >> > > *Computer Engineering Department, UET Taxila >> > > * >> > > *Information Security, CS Department, CIIT Islamabad >> > > * >> > > >> > > >> > > -- >> > > selinux mailing list >> > > selinux(a)lists.fedoraproject.org >> > <mailto:selinux@lists.fedoraproject.org> >> > > >> > >> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org >> > > >> > >> > >> > -- >> > Miroslav Grepl >> > Senior Software Engineer, SELinux Solutions >> > Red Hat, Inc. >> > >> > >> > >> > -- >> > selinux mailing list >> > selinux(a)lists.fedoraproject.org >> > >> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org >> > >> >> >> -- >> Lukas Vrabec >> SELinux Solutions >> Red Hat, Inc. >> > >

1 0

A question about unconfined transitions.
by Robin Lee Powell 25 Apr '16

25 Apr '16

Does tranisitioning to unconfined_r/unconfined_t mean "I give up selinux go away" or does it mean "I'm about to do root-ish things"? I guess what I'm wondering is, is this: rlpowell ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL really what's wanted for a system that's trying to use selinux to the fullest, or is there some other role that more-accurately means "I'm doing root-ish things now"?

3 2

unconfineduser module?
by Robin Lee Powell 22 Apr '16

22 Apr '16

So my impression is that the "unconfined" module is the "man, users do weird stuff" grabbag module, and that it is good and helpful to run without it because *in theory*, nothing should actually need the unconfined module to work. I noticed on my system that there's also an unconfineduser module , but that I can't disable it: # semodule -d unconfineduser Failed to resolve 'unconfined_u' in selinuxuser statement at line 19116 of /var/lib/selinux/targeted/tmp/modules/100/base/cil semodule: Failed! And so I'm vaguely curious as to what that module is for and how it relates to the unconfined module; "man unconfined_selinux" does not make it obvious.

2 2

Help with custom policy package for CentOS-7 (1511), MariaDB 10.1.13, NGINX 1.9.14, PHP-FPM and Redis
by Michael Stephenson 21 Apr '16

21 Apr '16

Hello, I am new to selinux and new to this community, and I was wondering if someone could help me review two policies for a new web server I am preparing for release. (Apologize in advance if I am posting this in the wrong location). Software list: CentOS 7.2.1511 MariaDB 10.1.13 NGINX 1.9.14 PHP 5.6 Redis 2.8.19 I have modified the web root and the mysql/mariadb data directory and it seems selinux does not like that at all. Below are some proposed modules from audit2allow. Was wondering if there are any red flags to using them in production. I got a little nervous when I read that "Modules created with audit2allow may allow more access than required. It is recommended that policy created with audit2allow be posted to an SELinux list, such as fedora-selinux-list, for review." https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/ht… Any help greatly appreciated. module phpfpmlocal 1.0; require { type redis_port_t; type httpd_t; type httpd_sys_content_t; class tcp_socket name_connect; class file { write create unlink setattr append }; class dir { write rmdir setattr remove_name create add_name }; } #============= httpd_t ============== #!!!! This avc can be allowed using the boolean 'httpd_unified' allow httpd_t httpd_sys_content_t:dir { write rmdir setattr remove_name create add_name }; #!!!! This avc can be allowed using the boolean 'httpd_unified' allow httpd_t httpd_sys_content_t:file { write create unlink append setattr }; #!!!! This avc can be allowed using the boolean 'httpd_can_network_connect' allow httpd_t redis_port_t:tcp_socket name_connect; module http_t_filerename_local 1.0; require { type httpd_t; type httpd_sys_content_t; class file rename; } #============= httpd_t ============== #!!!! This avc can be allowed using the boolean 'httpd_unified' allow httpd_t httpd_sys_content_t:file rename; Also, can someone advise if using file_contexts.local is a good or bad practice, and what is the difference between using the .local v. creating a custom policy. Here is what I added to /etc/selinux/targeted/contexts/files/file_contexts.local. I am not sure if it is introducing any new risks by doing so. /www/mysql(/.*)? system_u:object_r:mysqld_db_t:s0 /www/sites(/.*)? system_u:object_r:httpd_sys_content_t:s0 Thanks in advance, Michael Stephenson MS Information Systems, BS Computer Science

2 4

So many policie. Confused to select which on?
by amir sheng 20 Apr '16

20 Apr '16

I installed SElinux on Fedora 23 and the only policy that I can see is available is in directory /etc/selinux/targeted/ so I can just load this policy in Apol. By using Fedora 23 Terminal to install policies (i.e, dnf install selinux-policy-*******) there are other different policies to install whose names are: (1) "selinux-policy-3.13.1.fc23.noarch" (2)"selinux-policy-devel-3.13.1-152.fc23.noarch" (3)"selinux-policy-doc-3.13.1-152.fc23.noarch" (4)"selinux-policy-minimum-3.13.1-152.fc23.noarch" (5)"selinux-policy-mls-3.13.1-158.11.fc23.noarch" (6)"selinux--policy-sandbox-3.13.1-152.fc23.noarch" (7)" selinux-policy-targeted-3.13.1-158.11.fc23.noarch" What is the difference between this policies(specially between(1) and (7))? I found out some of them are already installed in my system. Where are the other policy's file that I can load to Apol and analyse them.? What are the differences?

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux April 2016