Re: RHEL 7 consoletype_exec interface issue
by Douglas Brown
Hi,
In RHEL 7 when using the userdom_unpriv_user_template interface to create a new role, it in turn uses the consoletype_exec interface; but when I attempt to insert a policy compiled with this, it says the type consoletype_exec_t doesn’t exist.
N.B. This works on RHEL 6.
Thanks,
Doug
6 years, 8 months
Fwd: AVC denials for custom service after upgrading to F24
by Juan Orti Alcaine
2016-06-19 17:15 GMT+02:00 Jeremy Young <jrm16020(a)gmail.com>:
> The problem is that's your script is being executed with under the init_t
> type. You should be able to update your unit file to specify an appropriate
> SELinux context for your script.
>
> http://man7.org/linux/man-pages/man5/systemd.exec.5.html
>
> Under [Service], add something like this:
>
> SELinuxContext=system_u:system_r::s0-c0.c1023
>
> You may also be able to label your script httpd_exec_t and have it
> transition to the Apache domain so that it doesn't run as init_t when your
> system starts.
>
I'm trying to transition to the httpd_t domain, but after labeling the
script as httpd_exec_t, I get this AVC.
What does execute_no_trans mean?
Thank you.
SELinux is preventing (mon2.php) from execute_no_trans access on the
file /var/www/ttrss.miceliux.com/update_daemon2.php.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that (mon2.php) should be allowed execute_no_trans
access on the update_daemon2.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(mon2.php)' --raw | audit2allow -M my-mon2php
# semodule -X 300 -i my-mon2php.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:httpd_exec_t:s0
Target Objects /var/www/ttrss.miceliux.com/update_daemon2.php [ file ]
Source (mon2.php)
Source Path (mon2.php)
Port <Unknown>
Host argon
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-190.fc24.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name argon
Platform Linux argon 4.5.5-300.fc24.x86_64 #1 SMP Thu May 19 13:05:32 UTC 2016 x86_64 x86_64
Alert Count 30
First Seen 2016-06-20 10:06:58 CEST
Last Seen 2016-06-20 10:37:19 CEST
Local ID 93118537-004d-40f1-9603-bf0cded5dd34
Raw Audit Messages
type=AVC msg=audit(1466411839.205:13159): avc: denied {
execute_no_trans } for pid=16149 comm="(mon2.php)"
path="/var/www/ttrss.miceliux.com/update_daemon2.php" dev="dm-0"
ino=25403430 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=0
Hash: (mon2.php),init_t,httpd_exec_t,file,execute_no_trans
--
Juan Orti
https://apuntesderootblog.wordpress.com/
7 years, 5 months
RHEL 7 shutdown_run interface
by Douglas Brown
Hi all,
In the process of porting policies from RHEL 6 to 7, I’m having an issue with the shutdown_run interface.
The trivial te file below compiles and loads fine on RHEL 6.7:
policy_module(test, 0.1)
require {
role staff_r;
type staff_t;
}
shutdown_run(staff_t, staff_r)
However, there appears to be a bug in RHEL 7.2, because loading with semodule gives the error: "libsepol.print_missing_requirements: test's global requirements were not met: role shutdown_roles (No such file or directory)"
After looking into this, curiously the interface has moved from /usr/share/selinux/devel/include/admin/shutdown.if (selinux-policy rpm in RHEL 6) to /usr/share/selinux/devel/include/contrib/shutdown.if (selinux-policy-devel rpm in RHEL 7). Should it be in contrib?
There’s also another issue in that shutdown_exec_t is used in the RHEL 7 interface but it no longer exists because the shutdown binary has been replaced with a symlink to systemctl.
Thanks,
Doug
7 years, 5 months
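Added example, not part of Doug's post: a pre-check that parses the `require { }` / `gen_require(` blocks of a module (here the trivial .te quoted above) and reports identifiers absent from a policy inventory, also flagging an identifier that exists but under a different kind. The inventory `POLICY_IDS` is a constructed stand-in for what `seinfo` would list on the target host.

```python
import re

# The trivial .te module quoted in the post.
TEST_TE = """policy_module(test, 0.1)
require {
    role staff_r;
    type staff_t;
}
shutdown_run(staff_t, staff_r)
"""

# Constructed inventory standing in for the loaded policy; on a real host
# fill it from `seinfo -t`, `seinfo -r` and `seinfo --attribute_role`.
POLICY_IDS = {
    'type': {'staff_t', 'systemd_exec_t'},
    'role': {'staff_r', 'system_r'},
    'attribute_role': {'shutdown_roles'},
}

# A block ends at a closing brace on its own line (require {}) or at ')
# (gen_require), so `class file { read };` inside it does not cut it short.
REQ_BLOCK_RE = re.compile(r"(?:require\s*\{|gen_require\(\s*`)(.*?)(?:\n\s*\}|'\))", re.S)
DECL_RE = re.compile(r'\b(attribute_role|type|role|attribute|class|bool)\s+([^;]+);')

def parse_requirements(policy_text):
    """Collect kind -> set(names) from every require{}/gen_require(`...') block."""
    reqs = {}
    for block in REQ_BLOCK_RE.findall(policy_text):
        for kind, names in DECL_RE.findall(block):
            names = names.split('{')[0]          # drop a class's permission set
            for name in names.replace(',', ' ').split():
                reqs.setdefault(kind, set()).add(name)
    return reqs

def missing_requirements(reqs, policy=POLICY_IDS):
    """Return one 'kind name: reason' line per requirement the policy cannot satisfy.
    An identifier present under another kind (e.g. a role attribute required as a
    plain role) is reported as such, since semodule rejects it just the same."""
    problems = []
    for kind, names in reqs.items():
        for name in sorted(names):
            if name in policy.get(kind, set()):
                continue
            other = [k for k, v in policy.items() if name in v]
            reason = f"exists but as {other[0]}" if other else "not in policy"
            problems.append(f"{kind} {name}: {reason}")
    return problems
```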
AVC denials for custom service after upgrading to F24
by Juan Orti Alcaine
Hi,
After upgrading to F24, my custom service ttrss-update.service doesn't
start anymore. I think it was launched before as unconfined_t, but now
I get this AVC. Should I open a bug?
SELinux is preventing php from read access on the file
/var/www/ttrss.miceliux.com/update_daemon2.php.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that php should be allowed read access on the
update_daemon2.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php' --raw | audit2allow -M my-php
# semodule -X 300 -i my-php.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:httpd_sys_content_t:s0
Target Objects /var/www/ttrss.miceliux.com/update_daemon2.php [ file ]
Source php
Source Path php
Port <Unknown>
Host argon
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-190.fc24.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name argon
Platform Linux argon 4.5.5-300.fc24.x86_64 #1 SMP Thu May 19 13:05:32 UTC 2016 x86_64 x86_64
Alert Count 35
First Seen 2016-06-16 10:26:22 CEST
Last Seen 2016-06-19 13:42:58 CEST
Local ID 853772a0-7b0e-4f8d-a700-0e829fc401c6
Raw Audit Messages
type=AVC msg=audit(1466336578.797:5880): avc: denied { read } for
pid=7743 comm="php" name="update_daemon2.php" dev="dm-0" ino=25403430
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
Hash: php,init_t,httpd_sys_content_t,file,read
This is the service unit:
# systemctl cat ttrss-update.service
# /etc/systemd/system/ttrss-update.service
[Unit]
Description=Tiny Tiny RSS Update daemon
After=network-online.target
After=mariadb.service
Wants=mariadb.service
Requires=network-online.target
[Service]
Type=simple
User=apache
Group=apache
WorkingDirectory=/var/www/ttrss.miceliux.com
ExecStart=/usr/bin/php /var/www/ttrss.miceliux.com/update_daemon2.php
ProtectSystem=full
ProtectHome=true
Nice=19
StandardOutput=null
StandardError=journal
PrivateTmp=true
PrivateDevices=true
NoNewPrivileges=true
Restart=always
[Install]
WantedBy=multi-user.target
--
Juan Orti
https://apuntesderootblog.wordpress.com/
7 years, 5 months
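Added example, not code from Juan's posts: a small parser for the two raw AVC records quoted in this thread (the `read` denial above and the `execute_no_trans` denial in the follow-up), with a `triage` function that states what each denial means for the service. The sample lines are the page's own records re-joined onto one line each, as they appear in audit.log.

```python
import re

# Constructed sample: the two AVC records from this thread, one per line.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1466336578.797:5880): avc:  denied  { read } for '
    'pid=7743 comm="php" name="update_daemon2.php" dev="dm-0" ino=25403430 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1466411839.205:13159): avc:  denied  { execute_no_trans } for '
    'pid=16149 comm="(mon2.php)" path="/var/www/ttrss.miceliux.com/update_daemon2.php" '
    'dev="dm-0" ino=25403430 scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into its key=value fields plus source/target types."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: " + line)
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # a context is user:role:type[:range]; the type is the third field
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def triage(rec):
    """One-line diagnosis for the denial patterns seen in this thread."""
    if rec['result'] != 'denied':
        return 'granted'
    perms = ', '.join(sorted(rec['perms']))
    if 'execute_no_trans' in rec['perms'] and rec['ttype'].endswith('_exec_t'):
        # execute_no_trans = the file was executed while staying in the caller's
        # domain. A transition rule is missing, or it is blocked: SELinux refuses
        # domain transitions for a process under no_new_privs, which the unit's
        # NoNewPrivileges=true sets, so that is the first thing to check.
        return (f"{rec['stype']} executed {rec['ttype']} without a domain "
                f"transition (missing or blocked, e.g. by NoNewPrivileges)")
    if rec['stype'] == 'init_t':
        return f"service runs in init_t (no transition at start); needs {perms} on {rec['ttype']}"
    return f"{rec['stype']} denied {perms} on {rec['ttype']} ({rec['tclass']})"

def triage_log(lines):
    return [(parse_avc(l)['comm'], triage(parse_avc(l))) for l in lines]
```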
New procmail avc
by David Highley
Should we file a report on the issue below?
time->Mon Jun 13 08:50:37 2016
type=AVC msg=audit(1465833037.215:3116): avc: denied { create } for
pid=5356 comm="procmail" name="_sTB.NZtXXB.douglas"
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Mon Jun 13 08:50:37 2016
type=AVC msg=audit(1465833037.215:3117): avc: denied { create } for
pid=5356 comm="procmail" name="spamlog"
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Mon Jun 13 08:50:37 2016
type=AVC msg=audit(1465833037.215:3118): avc: denied { create } for
pid=5356 comm="procmail" name="_sTB,NZtXXB.douglas"
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Mon Jun 13 08:50:37 2016
type=AVC msg=audit(1465833037.215:3119): avc: denied { create } for
pid=5356 comm="procmail" name="spamlog"
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
7 years, 5 months
Cannot find rpm
by mark
Hi, folks,
We're working on several new CentOS 7 systems, moving users from
CentOS 6. Now, the users have had some *sigh* custom stuff, like their
own version of Perl (please do *not* ask, and I would *love* to get
them off it, but....)
Anyway, in the directory it's in, I did a semanage fcontext -e
/usr/bin, and now I'm seeing errors in the log of selinux complaining
it can't find the rpm (because there's not one for this).
What's the correct way to deal with this - different labelling, a local
policy, or ?
mark
7 years, 5 months
Training for Writing SELinux Policy
by Fong Vang
Which training classes are best for hands-on experience writing SELinux policies? Any recommendations? Preferably offsite for a week.
7 years, 6 months