Initial context for init
by Philip Seeley
Hi all,
Quick question is:
In the targeted policy should init run SystemHigh as it does in the mls
policy?
The background:
We're setting up a targeted system where we confine all users and remove
the unconfined policy module, but we also enable polyinstantiation of /tmp
and /var/tmp.
If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we
have a context of:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
And therefore /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp
Which is really:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil
The real /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
Now if we use run_init to update an RPM that contains a post install
script, rpm can't create the temporary script file:
# run_init bash -c 'rpm -i --force /root/libselinux-2.0.94-7.el6.x86_64.rpm'
Authenticating phil.
Password:
error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission denied
error: Couldn't create temporary file for %post (libselinux-2.0.94-7.el6.x86_64): Permission denied
Note: you need to use run_init as the rpm might restart a service, e.g. the
sssd rpm.
We've traced this to the /etc/selinux/targeted/contexts/initrc_context file
which contains:
system_u:system_r:initrc_t:s0
So we transition to initrc_t and then to rpm_t without any categories, but
because the polyinstantiated /var/tmp directory has c0.c1023 we get denied.
Normally in targeted init runs unconfined, but we've removed this.
type=AVC msg=audit(1467342325.016:716): avc: denied { read } for
pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil"
dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0
tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir
It works if we change initrc_context to:
system_u:system_r:initrc_t:s0-s0:c0.c1023
We don't see the issue under mls because the default initrc_context is:
system_u:system_r:initrc_t:s0-s15:c0.c1023
We've traced this back through the selinux-policy src RPM and to the
upstream refpolicy and see that config/appconfig-mcs/initrc_context is:
system_u:system_r:initrc_t:s0
whereas config/appconfig-mls/initrc_context is:
system_u:system_r:initrc_t:s0-mls_systemhigh
So under mls init's context is SystemHigh, but under mcs/targeted it
doesn't have any categories.
So the long question is should config/appconfig-mcs/initrc_context really
be:
system_u:system_r:initrc_t:mcs_systemhigh
as it seems odd that the more secure mls policy would run init at
SystemHigh but targeted doesn't.
Thanks
Phil Seeley
3 years, 10 months
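The denial above is an MCS dominance failure rather than a type-enforcement one, which is easy to verify by parsing the two contexts. The following is an added example, not code from the thread: it expands MCS ranges such as s0-s0:c0.c1023 into category sets and applies the mcs read constraint (the subject's high level must dominate the object's high level) to the scontext/tcontext pair of an AVC record. The AVC line is the one quoted in the post, joined onto a single line; the helper names are my own.

```python
import re

def parse_level(level):
    """'s0:c0.c1023' -> (0, frozenset({0..1023})); both 'c0,c5.c7' list and range forms accepted."""
    sens, _, cats = level.partition(":")
    categories = set()
    if cats:
        for item in cats.split(","):
            lo, _, hi = item.partition(".")
            start = int(lo[1:])
            end = int(hi[1:]) if hi else start
            categories.update(range(start, end + 1))
    return (int(sens[1:]), frozenset(categories))

def parse_context(ctx):
    """Split user:role:type[:range]; a range is 'low' or 'low-high' (high defaults to low)."""
    user, role, type_, *rest = ctx.split(":", 3)
    low, _, high = (rest[0] if rest else "s0").partition("-")
    return {"user": user, "role": role, "type": type_,
            "low": parse_level(low), "high": parse_level(high or low)}

def dominates(a, b):
    """Level a dominates b when its sensitivity is >= b's and its categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def mcs_read_allowed(scontext, tcontext):
    """mcs read constraint (h1 dom h2): the subject's high level must dominate the object's."""
    return dominates(parse_context(scontext)["high"], parse_context(tcontext)["high"])

def explain_avc(line):
    """Pull scontext/tcontext out of an AVC record and report whether MCS would permit the read."""
    m = re.search(r"scontext=(\S+)\s+tcontext=(\S+)", line)
    if not m:
        raise ValueError("no scontext/tcontext in record")
    s, t = m.group(1), m.group(2)
    missing = parse_context(t)["high"][1] - parse_context(s)["high"][1]
    return {"scontext": s, "tcontext": t,
            "mcs_ok": mcs_read_allowed(s, t), "missing_categories": len(missing)}

# The denial quoted in the post above, copied verbatim and joined onto one line.
AVC = ('type=AVC msg=audit(1467342325.016:716): avc: denied { read } for pid=2779 comm="rpm" '
       'name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil" dev=dm-0 ino=1966082 '
       'scontext=system_u:system_r:rpm_t:s0 '
       'tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir')

if __name__ == "__main__":
    print(explain_avc(AVC))
    # Compare the default mcs initrc_context with the one the post found to work.
    for ctx in ("system_u:system_r:initrc_t:s0", "system_u:system_r:initrc_t:s0-s0:c0.c1023"):
        print(ctx, "->", mcs_read_allowed(ctx, "system_u:object_r:tmp_t:s0-s0:c0.c1023"))
```

Running it shows rpm_t at plain s0 is short all 1024 categories of the polyinstantiated directory, while an initrc_context of s0-s0:c0.c1023 (or the mls s0-s15:c0.c1023) dominates it.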
shellinabox
by lejeczek
hi guys,
cannot get it to work - shellinabox - not being a programmer nor a selinux
sorcerer.
shellinabox via apache, when I ausearch it all I get is:
#============= unconfined_service_t ==============
#!!!! The file '/usr/bin/bash' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /usr/bin/bash
allow unconfined_service_t unconfined_t:process transition;
I have shellinabox in Apache's:
<Location /cmd>
AuthType Basic
AuthName "some more"
AuthBasicProvider PAM
AuthPAMService rstudio
Require valid-user
#Require all granted
ProxyPass http://localhost:4200/
</Location>
using:
LoadModule authnz_pam_module modules/mod_authnz_pam.so
So all seems to work there between apache & shellinabox. Last bit when
you login to shell you get denied.
Would there be a reasonable selinux module for it or is shellinabox just
too poor design?
many thanks, L.
4 years, 10 months
Zoneminder Policy Fixes
by Tristan Santore
Dear Lukas and Petr,
I have made fixes to the Zoneminder Policy module. Zoneminder will not
start with the current one.
Also I took the liberty to add two bools, one for email sending,
because Zoneminder can send emails with images, when an alarm event was
detected on a camera, and another boolean for ftp access, as Zoneminder
can upload alarm events to a ftp, for safe keeping, in case somebody
burgles your house and steals your CCTV gear.
It can also use sftp, but not sure I would really like to add a port for
that. But if you would like to add that option, I would leave that up to
you.
If you could be so kind, to look over the additions, I suspect, there
might be a few things in there, one might want to avoid, or require
labelling. Or ways to make it more secure.
Policy additions below(Will require merging into existing policy):
module zoneminder2018 1.3;
require {
type sysfs_t;
type zoneminder_script_t;
type zoneminder_var_lib_t;
type zoneminder_t;
type v4l_device_t;
type init_var_run_t;
type cert_t;
type httpd_t;
type syslogd_t;
type zoneminder_tmpfs_t;
type smtp_port_t;
type tmpfs_t;
type ftp_port_t;
type ephemeral_port_t;
class file { create getattr lock map open read unlink write };
class chr_file map;
class lnk_file read;
class dir { create read rmdir search write add_name };
class unix_dgram_socket sendto;
class sock_file { create unlink };
class process { noatsecure rlimitinh siginh };
class tcp_socket name_connect;
}
bool zoneminder_can_sendmail false;
bool zoneminder_can_ftp false;
#============= httpd_t ==============
#allow httpd_t zoneminder_script_t:process { noatsecure rlimitinh siginh };
#Flagged, but not required.
allow httpd_t zoneminder_tmpfs_t:file map;
allow httpd_t zoneminder_tmpfs_t:file { getattr open read write };
allow httpd_t zoneminder_var_lib_t:sock_file { create unlink };
#============= syslogd_t ==============
allow syslogd_t init_var_run_t:lnk_file read;
#============= zoneminder_script_t ==============
allow zoneminder_script_t cert_t:dir search;
allow zoneminder_script_t cert_t:file { getattr open read };
allow zoneminder_script_t httpd_t:unix_dgram_socket sendto;
allow zoneminder_script_t init_var_run_t:dir search;
allow zoneminder_script_t sysfs_t:dir read;
allow zoneminder_script_t sysfs_t:file { getattr open read };
allow zoneminder_script_t zoneminder_tmpfs_t:file map;
allow zoneminder_script_t zoneminder_var_lib_t:dir { create rmdir };
allow zoneminder_script_t zoneminder_var_lib_t:file { create getattr lock open read unlink write };
allow zoneminder_script_t tmpfs_t:dir { add_name write };
#============= zoneminder_t ==============
if (zoneminder_can_sendmail) {
allow zoneminder_t smtp_port_t:tcp_socket name_connect;
}
#add ftp and sftp here
#sftp needs some extra work I guess.
if (zoneminder_can_ftp) {
allow zoneminder_t ftp_port_t:tcp_socket name_connect;
allow zoneminder_t ephemeral_port_t:tcp_socket name_connect;
}
allow zoneminder_t v4l_device_t:chr_file map;
allow zoneminder_t zoneminder_tmpfs_t:file map;
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org
4 years, 11 months
Re: Trying again: why am I getting denials in a directory that has been labeled..
by mark
As Lukas suggested, I tried to relabel the file. It didn't work, and the
reason is this: we have the web under our own root directory, not under
/var/www. We had done an semanage fcontext -e /var/www <ourpath>. When I
tried to relabel, it suggested I try to relabel using the /var/www path,
which won't work.
Is there any way around this?
/<ourpath>/htdocs/<website>/cgi-bin/data/<the problematic file>
mark
4 years, 11 months
Logging Denials
by Sean Hogan
Hello,
I am not sure this use case has come up before but some our systems are
set permissive. I have 3 files I want to have shared with 644 on purpose.
The goal is for selinux to allow users(permissive) to read the file but I
need a context that will still report an AVC to audit.log as that will be
forwarded to a SIEM where rules will be in place to contact security. I
have tried auditd_etc_t, var_log_t but nothing ever shows up in audit.log
when watching a user cat/vi the files.
In this situation I actually want to see denials lol but not 100% I am
seeing this right. Any help is appreciated.
-rw-r--r--. root root unconfined_u:object_r:auditd_etc_t:s0 fil1.pgp
-rw-r--r--. root root unconfined_u:object_r:auditd_etc_t:s0 file2.docx
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 file3.docx
Sean Hogan
4 years, 11 months
Trying again: why am I getting denials in a directory that has been labeled...
by m.roth@5-cent.us
Or, more precisely, we have a std. directory, which is bind mounted, and
which was set with semanage fcontext -a -e /var/www /actual/path/htdocs,
and a file in <directory>/htdocs/<site>/cgi-bin/sub>/<sub?file
-rw-rw-r--. apache imagej unconfined_u:object_r:httpd_sys_script_exec_t:s0
is the file's info. From the names, I'm guessing some .cgi is writing a
count to it.
What *should* it be?
mark
4 years, 11 months
A touch confused on context
by m.roth@5-cent.us
Ok, we've got a set of directories bind mounted on our standard mount
point for the web. The directory tree's been set with semanage fcontext -t
-e /var/www <ourmountpoint>. In one of the websites under there is
<site>/cgi-bin, and under *there* are a couple of subdirectories, and a
.dat file that is written to (I think it's a counter, or whatever). Yet I
see sealerts complaining that, if it was in enforcing mode, would not
allow the .cgi that's in the cgi-bin write access on the file.
What am I missing here?
mark
4 years, 12 months