Initial context for init
by Philip Seeley
Hi all,
Quick question is:
In the targeted policy should init run SystemHigh as it does in the mls
policy?
The background:
We're setting up a targeted system where we confine all users and remove
the unconfined policy module, but we also enable polyinstantiation of /tmp
and /var/tmp.
If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we
have a context of:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
And therefore /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp
Which is really:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil
The real /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
Now if we use run_init to update an RPM that contains a post install
script, rpm can't create the temporary script file:
# run_init bash -c 'rpm -i --force /root/libselinux-2.0.94-7.el6.x86_64.rpm'
Authenticating phil.
Password:
error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission denied
error: Couldn't create temporary file for %post (libselinux-2.0.94-7.el6.x86_64): Permission denied
Note: you need to use run_init as the rpm might restart a service, e.g. the
sssd rpm.
We've traced this to the /etc/selinux/targeted/contexts/initrc_context file
which contains:
system_u:system_r:initrc_t:s0
So we transition to initrc_t and then to rpm_t without any categories, but
because the polyinstantiated /var/tmp directory has c0.c1023 we get denied.
Normally in targeted init runs unconfined, but we've removed this.
type=AVC msg=audit(1467342325.016:716): avc: denied { read } for
pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil"
dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0
tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir
It works if we change initrc_context to:
system_u:system_r:initrc_t:s0-s0:c0.c1023
We don't see the issue under mls because the default initrc_context is:
system_u:system_r:initrc_t:s0-s15:c0.c1023
We've traced this back through the selinux-policy src RPM and to the
upstream refpolicy and see that config/appconfig-mcs/initrc_context is:
system_u:system_r:initrc_t:s0
whereas config/appconfig-mls/initrc_context is:
system_u:system_r:initrc_t:s0-mls_systemhigh
So under mls init's context is SystemHigh, but under mcs/targeted it
doesn't have any categories.
So the long question is should config/appconfig-mcs/initrc_context really
be:
system_u:system_r:initrc_t:mcs_systemhigh
as it seems odd that the more secure mls policy would run init at
SystemHigh but targeted doesn't.
Thanks
Phil Seeley
4 years, 2 months
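The denial Phil describes comes down to MLS/MCS level dominance: rpm_t inherits the plain "s0" range from initrc_context, and a subject at s0 with no categories does not dominate an object at s0:c0.c1023. The following model, added here as an example and not code from the post or from libselinux, parses SELinux contexts and ranges and applies a simplified version of the MCS read/search constraint ("h1 dom h2": the subject's high level must dominate the object's level). It assumes the child of run_init simply inherits the user, role and range of initrc_context with a new type (it ignores range_transition rules), ignores the mcsreadall/mcswriteall exemptions, and takes MCS_SYSTEMHIGH = s0:c0.c1023 as what mcs_systemhigh expands to in a 1024-category MCS build.

```python
# Added example, not part of the original post: a small model of the SELinux
# MLS/MCS level dominance check, enough to show why rpm_t running at plain
# "s0" is denied on a polyinstantiated /var/tmp labelled s0-s0:c0.c1023.
# Assumptions (simplifications of the real MCS constraints): the read/search
# constraint is "h1 dom h2" (the subject's high level must dominate the
# object's level) and the mcsreadall/mcswriteall exemptions are ignored.
from dataclasses import dataclass

MCS_SYSTEMHIGH = "s0:c0.c1023"  # assumed expansion of mcs_systemhigh in a 1024-category MCS build


@dataclass(frozen=True)
class Level:
    sens: int          # sensitivity, s0..s15 -> 0..15
    cats: frozenset    # category numbers, c0..c1023 -> 0..1023

    def dominates(self, other):
        """MLS dominance: higher-or-equal sensitivity and a superset of categories."""
        return self.sens >= other.sens and other.cats <= self.cats


def parse_cats(spec):
    """'c0.c1023' -> {0..1023}; 'c1,c3.c5' -> {1,3,4,5}; '' -> empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(spec):
    """'s0:c0.c1023' -> Level(0, {0..1023}); 's0' -> Level(0, {})."""
    sens, _, cats = spec.partition(":")
    return Level(int(sens[1:]), parse_cats(cats))


def parse_range(spec):
    """'s0-s0:c0.c1023' -> (low, high); a single level is its own high."""
    low, _, high = spec.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def parse_context(ctx):
    """'user:role:type:range' -> dict; the range part may itself contain ':'."""
    user, role, type_, mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": parse_range(mls)}


def mcs_read_allowed(scontext, tcontext):
    """Model of the MCS read/search constraint: h1 dom h2."""
    _, h1 = parse_context(scontext)["range"]
    _, h2 = parse_context(tcontext)["range"]
    return h1.dominates(h2)


def initrc_child_context(initrc_context, child_type):
    """Context a run_init child ends up in after a plain domain transition:
    initrc_context's user, role and range with the new type (range_transition
    rules are ignored here, an assumption of this model)."""
    user, role, _, mls = initrc_context.split(":", 3)
    return f"{user}:{role}:{child_type}:{mls}"


if __name__ == "__main__":
    # The polyinstantiated /var/tmp from the post and the three initrc_context values it discusses.
    poly_tmp = "system_u:object_r:tmp_t:s0-s0:c0.c1023"
    for initrc in ("system_u:system_r:initrc_t:s0",                # targeted/mcs default: denied
                   "system_u:system_r:initrc_t:s0-s0:c0.c1023",    # the working change
                   "system_u:system_r:initrc_t:s0-s15:c0.c1023"):  # mls default
        rpm = initrc_child_context(initrc, "rpm_t")
        print(f"{rpm:48} read {poly_tmp}: {mcs_read_allowed(rpm, poly_tmp)}")
```

Running it prints False for the targeted default and True for the other two, which is the behaviour the post observes: the per-user /var/tmp instance carries the user's categories, so whatever runs from run_init needs at least those categories in its range to see it.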
Re: motion
by m.roth@5-cent.us
On Sun, 15 Apr 2018 20:48, Lukas Vrabec <lvrabec(a)redhat.com> wrote:
> On 04/12/2018 10:49 PM, m.roth(a)5-cent.us wrote:
>> Got a CentOS 7 box running motion. Selinux is complaining that one of the
>> scripts motion runs is mislabeled. Here's what it is.
>> system_u:object_r:nfs_t:s0 /home/motion/bin/on_move_end
>>
>> Now, ~motion is NFS mounted, and we've got use_nfs_home_dirs --> on, so
>> what *would* the proper label be, or do I really need to create a policy
>> for this?
>
> Could you please reproduce issue on your system and then attach output of:
>
> # ausearch -m AVC -ts today
>
It's been a busy week - sorry it took this long to respond. Do you
*really* want all of it - this happens whenever someone goes into the
secure room and is on video... and there are four cameras. Just today, I
get 79k worth of o/p.
Here's the most recent minute's o/p:
time->Wed Apr 18 11:21:32 2018
type=PROCTITLE msg=audit(1524064892.294:35325):
proctitle=7368002D63002F686F6D652F6D6F74696F6E2F62696E2F6F6E5F6D6F76655F656E64202F686F6D652F6D6F74696F6E2F63616D6572612F323031382D30342D31382F323031382D30342D31382D3131313134352D31322D6172676F2D312E617669203120323031382D30342D3138002026
type=SYSCALL msg=audit(1524064892.294:35325): arch=c000003e syscall=59
success=yes exit=0 a0=af4fe0 a1=af5040 a2=af3b90 a3=7ffd1c86d700 items=0
ppid=1438 pid=11961 auid=4294967295 uid=489 gid=39 euid=489 suid=489
fsuid=489 egid=39 sgid=39 fsgid=39 tty=(none) ses=4294967295
comm="on_move_end" exe="/usr/bin/bash" subj=system_u:system_r:motion_t:s0
key=(null)
type=AVC msg=audit(1524064892.294:35325): avc: denied { execute_no_trans
} for pid=11961 comm="sh" path="/home/motion/bin/on_move_end" dev="0:46"
ino=53198849 scontext=system_u:system_r:motion_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1524064892.294:35325): avc: denied { execute } for
pid=11961 comm="sh" name="on_move_end" dev="0:46" ino=53198849
scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:nfs_t:s0
tclass=file
----
time->Wed Apr 18 11:21:32 2018
type=PROCTITLE msg=audit(1524064892.291:35324):
proctitle=7368002D63002F686F6D652F6D6F74696F6E2F62696E2F6F6E5F6D6F76655F656E64202F686F6D652F6D6F74696F6E2F63616D6572612F323031382D30342D31382F323031382D30342D31382D3131313134352D31322D6172676F2D312E617669203120323031382D30342D3138002026
type=SYSCALL msg=audit(1524064892.291:35324): arch=c000003e syscall=59
success=yes exit=0 a0=432503 a1=7ff42f7f9b00 a2=7ffc2ba4b760
a3=7ff42f7fb730 items=0 ppid=1438 pid=11961 auid=4294967295 uid=489 gid=39
euid=489 suid=489 fsuid=489 egid=39 sgid=39 fsgid=39 tty=(none)
ses=4294967295 comm="sh" exe="/usr/bin/bash"
subj=system_u:system_r:motion_t:s0 key=(null)
type=AVC msg=audit(1524064892.291:35324): avc: denied { execute_no_trans
} for pid=11961 comm="motion" path="/usr/bin/bash" dev="dm-1" ino=98
scontext=system_u:system_r:motion_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Wed Apr 18 11:22:22 2018
type=PROCTITLE msg=audit(1524064942.249:35327):
proctitle=2F62696E2F7368002F686F6D652F6D6F74696F6E2F62696E2F6F6E5F6D6F76655F656E64002F686F6D652F6D6F74696F6E2F63616D6572612F323031382D30342D31382F323031382D30342D31382D3131323033342D30362D6172676F2D332E617669003300323031382D30342D3138
type=SYSCALL msg=audit(1524064942.249:35327): arch=c000003e syscall=59
success=yes exit=0 a0=78eb50 a1=78eb70 a2=78e8b0 a3=7ffdcf4d8af0 items=0
ppid=12042 pid=12043 auid=4294967295 uid=489 gid=39 euid=489 suid=489
fsuid=489 egid=39 sgid=39 fsgid=39 tty=(none) ses=4294967295 comm="uname"
exe="/usr/bin/uname" subj=system_u:system_r:motion_t:s0 key=(null)
type=AVC msg=audit(1524064942.249:35327): avc: denied { execute_no_trans
} for pid=12043 comm="on_move_end" path="/usr/bin/uname" dev="dm-1"
ino=259829 scontext=system_u:system_r:motion_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Wed Apr 18 11:22:22 2018
type=PROCTITLE msg=audit(1524064942.249:35326):
proctitle=2F62696E2F7368002F686F6D652F6D6F74696F6E2F62696E2F6F6E5F6D6F76655F656E64002F686F6D652F6D6F74696F6E2F63616D6572612F323031382D30342D31382F323031382D30342D31382D3131323033342D30362D6172676F2D332E617669003300323031382D30342D3138
type=SYSCALL msg=audit(1524064942.249:35326): arch=c000003e syscall=21
success=yes exit=0 a0=78eb50 a1=1 a2=7ffdcf4d8d40 a3=7ffdcf4d89d0 items=0
ppid=12042 pid=12043 auid=4294967295 uid=489 gid=39 euid=489 suid=489
fsuid=489 egid=39 sgid=39 fsgid=39 tty=(none) ses=4294967295
comm="on_move_end" exe="/usr/bin/bash" subj=system_u:system_r:motion_t:s0
key=(null)
type=AVC msg=audit(1524064942.249:35326): avc: denied { execute } for
pid=12043 comm="on_move_end" name="uname" dev="dm-1" ino=259829
scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:bin_t:s0
tclass=file
mark
5 years, 4 months
Symlink or bind mount?
by Gionatan Danti
Being a regular user of selinux, I often face situations where some
common directories (e.g. /var/log or /var/lib) need to be redirected to
other partitions/volumes.
A very simple approach, without impacting selinux at all, is to mount a
volume at the precise path I need to replace - ie mount
/dev/vg_test/lv_lib on /var/lib. However, this is a
one-volume-per-directory approach and I would like to avoid it.
The other possibility is to create a single big volume with multiple
directories, mount it, and
1) symlink the original dir (ie: /var/log) to the new one (ie:
/mnt/volume/var/log);
2) use a bind mount to re-mount the destination dir
(/mnt/volume/var/log) on the original one (/var/log).
The symlink approach is self-explanatory, as anyone listing the original
directory will immediately notice it. However, it sometimes requires
extensive customization of the selinux policy, a thing I try hard to
avoid.
The bind mount approach is somewhat simpler from the selinux standpoint, but
it is much less discoverable by a simple "ls".
What do you feel is the preferred approach? Am I missing something?
Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8
5 years, 5 months
Re: selinux crashes always at startup
by Stephen Smalley
On 04/18/2018 04:44 PM, Jaap wrote:
> I am on Fedora 28, 4.16.2-300.fc28.x86_64 On a Dell laptop
> policy: selinux-policy.noarch 3.14.1-18.fc28
(restored selinux list to cc line)
Since this is Fedora-specific, I also added the Fedora selinux mailing list to the cc line above.
You may wish to subscribe to that list if not already on it.
> I do not know if / where Selinux messages are about the crash of selinux. Does selinux have a log?
ausearch -i -m AVC,SELINUX_ERR,USER_AVC -ts boot will show all SELinux kernel permission denials (AVC), kernel errors (SELINUX_ERR), and userspace permission denials (USER_AVC) since boot. You can use other start time values (e.g. recent, today, ...) and other selectors to control exactly what is reported.
>
>
> On 04/18/2018 10:04 PM, Stephen Smalley wrote:
>> On 04/18/2018 04:01 PM, Stephen Smalley wrote:
>>> On 04/18/2018 03:40 PM, Jaap wrote:
>>>> selinux crashes always at startup. problem is always reported (says selinux) But it does not get better.
>>> None of the SELinux messages you showed are errors. They are just informational, and the message "the above unknown
>>> classes and permissions will be allowed" indicates that they won't cause any permission denials.
>> Also, you didn't provide any information about your kernel, distro, policy, etc.
>> Please provide a more complete log (particularly one that shows the actual error) and
>> information about the system in question.
> journalctl | grep selinux gives this:
>
> Apr 18 21:26:06 localhost.localdomain audit[1170]: USER_START pid=1170 uid=0 auid=42 ses=1 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="gdm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:26:06 localhost.localdomain systemd[1170]: selinux: avc: denied { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:17 localhost.localdomain audit[1613]: USER_START pid=1613 uid=0 auid=1000 ses=3 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:26:17 localhost.localdomain audit[1606]: USER_START pid=1606 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:26:50 localhost.localdomain audit[1606]: USER_END pid=1606 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:26:57 localhost.localdomain audit[2919]: USER_START pid=2919 uid=0 auid=1000 ses=5 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:26:57 localhost.localdomain audit[2869]: USER_START pid=2869 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:27:33 localhost.localdomain audit[2869]: USER_END pid=2869 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:27:40 localhost.localdomain audit[3983]: USER_START pid=3983 uid=0 auid=1000 ses=7 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:27:40 localhost.localdomain audit[3940]: USER_START pid=3940 uid=0 auid=1000 ses=6 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> [jaap@localhost ~]$
>
>>>> from journalctl:
>>>>
>>>>
>>>> n systemd-journald[207]: Received SIGTERM from PID 1 (systemd).
>>>> Aug 15 20:43:44 localhost.localdomain kernel: systemd: 15 output lines suppressed due to ratelimiting
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 8 users, 14 roles, 5094 types, 312 bools, 1 sens, 1024 cats
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 94 classes, 107409 rules
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class sctp_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class icmp_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ax25_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ipx_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class netrom_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class atmpvc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class x25_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rose_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class decnet_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class atmsvc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rds_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class irda_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class pppox_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class llc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class can_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class tipc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class bluetooth_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class iucv_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rxrpc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class isdn_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class phonet_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ieee802154_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class caif_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class alg_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class nfc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class vsock_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class kcm_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class qipcrtr_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class smc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Completing initialization.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Setting up existing superblocks.
>>>
>
>
5 years, 5 months
motion
by m.roth@5-cent.us
Got a CentOS 7 box running motion. Selinux is complaining that one of the
scripts motion runs is mislabeled. Here's what it is.
system_u:object_r:nfs_t:s0 /home/motion/bin/on_move_end
Now, ~motion is NFS mounted, and we've got use_nfs_home_dirs --> on, so
what *would* the proper label be, or do I really need to create a policy
for this?
mark
5 years, 5 months
Re: motion
by justina colmena
>... a CentOS 7 box running motion ...
Oh. In other words, "I'm trying to debug my jewelry store burglar alarm..." Blah, blah, blah...
Listen, buddy. You really think that stuff ain't hacked by the real pros from the get-go? And people gonna break omerta and help you out on a public mailing list? That's a long way to stick one's neck out for some kind of half-ass Vegas wanna-be bouncer-type video surveillance shit.
5 years, 5 months
Re: tpm2-abrmd-selinux package review
by Lukas Vrabec
On 04/09/2018 10:12 AM, Javier Martinez Canillas wrote:
> Hello Lukas,
>
> On 04/08/2018 07:42 PM, Lukas Vrabec wrote:
>> On 04/05/2018 10:34 AM, Javier Martinez Canillas wrote:
>>> Hello,
>>>
>>> I've created about a month ago a review request for tpm2-abrmd-selinux package
>>> [0] that ships a SELinux policy module for the tpm2-abrmd D-BUS daemon. I did
>>> this following what's explained in the SELinux/IndependentPolicy wiki page [1].
>>>
>>> It also says that the package should be reviewed by Lukas Vrabec and the Red
>>> Hat SELinux team, that's why I didn't do the usual review swap.
>>>
>>> [0]: https://bugzilla.redhat.com/show_bug.cgi?id=1550595
>>> [1]: https://fedoraproject.org/wiki/SELinux/IndependentPolicy
>>>
>>> Best regards,
>>>
>>
>> Hi All,
>>
>> I reviewed SELinux security policy for tpm2-abrmd and both spec file and
>> policy looks good to me, it reflects IndependentPolicy guidelines.
>>
>
> Great, thanks a lot! Could you please comment the same in the Bugzilla?
>
Sure, Done.
>> Thanks,
>> Lukas.
>>
>
> Best regards,
>
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
5 years, 5 months
Newbie asking about first policy file
by leam hall
Good morning!
I'm trying to learn SELinux and reduce the number of alerts that refer
to normal processes. Postfix is one of the biggies, here's what I've
gotten so far. I'd appreciate critique.
Note that the file is hand transcribed, not cut and pasted. It does
compile and install, so typographic errors are mine.
###
module postfix 0.0.1;

require {
	type kernel_t;
	type postfix_bounce_t;
	type postfix_master_t;
	type postfix_smtp_t;
	# the class and permission used below must be in scope too
	class system module_request;
}

# allow the postfix domains to ask the kernel to autoload a module
allow postfix_bounce_t kernel_t:system module_request;
allow postfix_master_t kernel_t:system module_request;
allow postfix_smtp_t kernel_t:system module_request;
###
Thanks!
Leam
5 years, 5 months
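Both the motion thread (79k of AVC output to sift through) and the postfix module above are the same job: take raw audit records, find which (source type, target type, class) pairs are being denied which permissions, and turn that into a .te skeleton with a complete require block. The script below is an added example of that audit2allow-style pass, not code from any post on this page. The motion AVC records and the PROCTITLE value are copied from the motion thread; the module_request record for postfix_master_t is constructed for this example (including its kmod= value) and is an assumption, not a real capture. As with audit2allow output, the emitted rules are a starting point for review rather than something to install blindly: the motion denials, for instance, are execute on a script labelled nfs_t, where a relabel or a boolean may be the right answer instead of an allow rule.

```python
# Added example, not code from any post on this page: a minimal audit2allow-style
# pass over audit AVC records. It parses "avc: denied" lines, groups the denied
# permissions by (source type, target type, class), decodes the hex PROCTITLE
# field, and emits the require/allow skeleton of a .te module.
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First five records: copied from the motion thread. Last record: CONSTRUCTED for
# the postfix case (pid, kmod and timestamp are made up), shown only to exercise
# the class "system" path.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1524064892.294:35325): avc: denied { execute_no_trans } for pid=11961 comm="sh" path="/home/motion/bin/on_move_end" dev="0:46" ino=53198849 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1524064892.294:35325): avc: denied { execute } for pid=11961 comm="sh" name="on_move_end" dev="0:46" ino=53198849 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1524064892.291:35324): avc: denied { execute_no_trans } for pid=11961 comm="motion" path="/usr/bin/bash" dev="dm-1" ino=98 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1524064942.249:35327): avc: denied { execute_no_trans } for pid=12043 comm="on_move_end" path="/usr/bin/uname" dev="dm-1" ino=259829 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1524064942.249:35326): avc: denied { execute } for pid=12043 comm="on_move_end" name="uname" dev="dm-1" ino=259829 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1523000000.000:100): avc: denied { module_request } for pid=1234 comm="master" kmod="net-pf-10" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"""

# PROCTITLE from the motion thread: the process argv, NUL-separated, hex-encoded by auditd.
SAMPLE_PROCTITLE = "7368002D63002F686F6D652F6D6F74696F6E2F62696E2F6F6E5F6D6F76655F656E64202F686F6D652F6D6F74696F6E2F63616D6572612F323031382D30342D31382F323031382D30342D31382D3131313134352D31322D6172676F2D312E617669203120323031382D30342D3138002026"


def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    """'system_u:object_r:nfs_t:s0' -> 'nfs_t'."""
    return context.split(":")[2]


def summarize(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            groups[key] |= rec["perms"]
    return dict(groups)


def decode_proctitle(hexstr):
    """Turn the hex PROCTITLE field back into the argv list."""
    return [arg.decode("utf-8", "replace") for arg in bytes.fromhex(hexstr).split(b"\0")]


def make_te(name, groups, version="0.0.1"):
    """Emit a .te module whose require block covers every type, class and permission used."""
    types = sorted({s for s, _, _ in groups} | {t for _, t, _ in groups})
    classes = defaultdict(set)
    for (_, _, cls), perms in groups.items():
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(groups.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT)
    for key, perms in sorted(groups.items()):
        print(key, sorted(perms))
    print("argv:", decode_proctitle(SAMPLE_PROCTITLE))
    print(make_te("local_denials", groups))
```

Feed it `ausearch -m AVC -ts today` output and the grouped summary is what to read first: three (source, target, class) triples summarise the whole motion log, and the decoded PROCTITLE shows the exact `sh -c /home/motion/bin/on_move_end ...` command the camera event ran.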
Re: tpm2-abrmd-selinux package review
by Lukas Vrabec
On 04/05/2018 10:34 AM, Javier Martinez Canillas wrote:
> Hello,
>
> I've created about a month ago a review request for tpm2-abrmd-selinux package
> [0] that ships a SELinux policy module for the tpm2-abrmd D-BUS daemon. I did
> this following what's explained in the SELinux/IndependentPolicy wiki page [1].
>
> It also says that the package should be reviewed by Lukas Vrabec and the Red
> Hat SELinux team, that's why I didn't do the usual review swap.
>
> [0]: https://bugzilla.redhat.com/show_bug.cgi?id=1550595
> [1]: https://fedoraproject.org/wiki/SELinux/IndependentPolicy
>
> Best regards,
>
Hi All,
I reviewed SELinux security policy for tpm2-abrmd and both spec file and
policy looks good to me, it reflects IndependentPolicy guidelines.
Thanks,
Lukas.
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
5 years, 5 months