Re: using an interface defined in another loaded module
by SZIGETVÁRI János
Dear Gary,
Thanks a zillion times for your help, the building of the policy works fine
now that I have copied the .if file of the submodule to the directory you
mentioned!
I did not know I was required to copy the module's interface file to
SELinux's include dirs to make it available for other modules to use.
BTW, I was building my module from within my "policy builder and installer"
script using the "traditional" way of:
# make -f /usr/share/selinux/devel/Makefile A.pp
Now the build process works, thanks to your suggestion!
Best Regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari
E-mail: janos(a)szigetvari.com, jszigetvari(a)gmail.com
Phone: +36209440412 (Hungary)
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
Gary Tierney <gary.tierney(a)gmx.com> wrote (on 2019 Apr 3, Wed, 17:14):
> On Wed, Apr 03, 2019 at 10:34:08AM +0200, SZIGETVÁRI János wrote:
> >Could anyone please give me some insight on this?
> >
> >Thanks a lot!
> >
>
> Hi,
>
> How are you building and installing your policy modules? The interface
> definitions (.if files) aren't preserved in the compiled policy package,
> so are typically kept elsewhere. On Fedora this is under
> /usr/share/selinux/devel/include and its associated subdirectories
> (which are recursively walked to find .if files when building policy
> using the refpolicy framework, i.e., the selinux-policy-devel package).
>
> So it should be as simple as copying your .if files to:
> /usr/share/selinux/devel/include (though the "services" subdir is likely
> more appropriate).
>
> Thanks,
> Gary.
>
> >Best Regards,
> >János Szigetvári
> >
> >SZIGETVÁRI János <jszigetvari(a)gmail.com> wrote (on 2019 Mar 31, Sun, 13:47):
> >
> >> ... snip ...
> >_______________________________________________
> >selinux mailing list -- selinux(a)lists.fedoraproject.org
> >To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> >Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>
>
Initial context for init
by Philip Seeley
Hi all,
Quick question is:
In the targeted policy should init run SystemHigh as it does in the mls
policy?
The background:
We're setting up a targeted system where we confine all users and remove
the unconfined policy module, but we also enable polyinstantiation of /tmp
and /var/tmp.
If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we
have a context of:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
And therefore /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp
Which is really:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil
The real /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
Now if we use run_init to update an RPM that contains a post install
script, rpm can't create the temporary script file:
# run_init bash -c 'rpm -i --force /root/libselinux-2.0.94-7.el6.x86_64.rpm'
Authenticating phil.
Password:
error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission denied
error: Couldn't create temporary file for %post (libselinux-2.0.94-7.el6.x86_64): Permission denied
Note: you need to use run_init as the rpm might restart a service, e.g. the
sssd rpm.
We've traced this to the /etc/selinux/targeted/contexts/initrc_context file
which contains:
system_u:system_r:initrc_t:s0
So we transition to initrc_t and then to rpm_t without any categories, but
because the polyinstantiated /var/tmp directory has c0.c1023 we get denied.
Normally in targeted init runs unconfined, but we've removed this.
type=AVC msg=audit(1467342325.016:716): avc: denied { read } for
pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil"
dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0
tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir
It works if we change initrc_context to:
system_u:system_r:initrc_t:s0-s0:c0.c1023
We don't see the issue under mls because the default initrc_context is:
system_u:system_r:initrc_t:s0-s15:c0.c1023
We've traced this back through the selinux-policy src RPM and to the
upstream refpolicy and see that config/appconfig-mcs/initrc_context is:
system_u:system_r:initrc_t:s0
whereas config/appconfig-mls/initrc_context is:
system_u:system_r:initrc_t:s0-mls_systemhigh
So under mls init's context is SystemHigh, but under mcs/targeted it
doesn't have any categories.
So the long question is should config/appconfig-mcs/initrc_context really
be:
system_u:system_r:initrc_t:mcs_systemhigh
as it seems odd that the more secure mls policy would run init at
SystemHigh but targeted doesn't.
Thanks
Phil Seeley
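An added illustration (example code written for this page, not part of Phil's post): it parses the contexts quoted above and applies the reference policy's MCS constraint for file and directory classes, which requires the subject's high level to dominate the object's high level (h1 dom h2); the mcsreadall/mcswriteall attribute exemptions are left out. It reproduces the denial for rpm_t:s0 against the polyinstantiated tmp_t:s0-s0:c0.c1023 directory and the success once the process range carries c0.c1023.

```python
"""Model the MCS dominance check behind the rpm_t -> tmp_t denial.

Added example, not from the mailing-list post. Parses SELinux security
contexts such as "system_u:system_r:rpm_t:s0" or
"system_u:object_r:tmp_t:s0-s0:c0.c1023" and applies the reference
policy's MCS constraint for file/dir classes: the subject's high level
must dominate the object's high level (h1 dom h2). The mcsreadall and
mcswriteall attribute exemptions are deliberately not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset = frozenset()

    def dominates(self, other: "Level") -> bool:
        # a dom b: sensitivity at least as high and a superset of b's categories
        return (self.sensitivity >= other.sensitivity
                and other.categories <= self.categories)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    setype: str
    low: Level
    high: Level


def parse_categories(spec: str) -> frozenset:
    """Expand a category spec such as "c0.c1023,c2000" into a set of ints."""
    cats = set()
    if not spec:
        return frozenset()
    for part in spec.split(","):
        if "." in part:  # cN.cM is an inclusive range
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(text: str) -> Level:
    """Parse "s0" or "s0:c0.c1023" into a Level."""
    sens, _, cats = text.partition(":")
    if not sens.startswith("s"):
        raise ValueError(f"bad sensitivity in level {text!r}")
    return Level(int(sens[1:]), parse_categories(cats))


def parse_context(text: str) -> Context:
    """Split user:role:type:range; the range is one level or low-high."""
    user, role, setype, range_ = text.split(":", 3)
    low_text, _, high_text = range_.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if high_text else low
    if not high.dominates(low):
        raise ValueError(f"high level does not dominate low level in {text!r}")
    return Context(user, role, setype, low, high)


def mcs_permits_file_access(subject: str, obj: str) -> bool:
    """MCS file/dir constraint: subject high level must dominate object high level."""
    return parse_context(subject).high.dominates(parse_context(obj).high)


# Values taken from the post: the polyinstantiated /var/tmp instance and the
# process contexts under discussion (c0.c1023 expands to 1024 categories).
POLY_TMP = "system_u:object_r:tmp_t:s0-s0:c0.c1023"
CASES = {
    "rpm_t via default targeted initrc_context": "system_u:system_r:rpm_t:s0",
    "initrc_t with s0-s0:c0.c1023": "system_u:system_r:initrc_t:s0-s0:c0.c1023",
    "mls initrc_t with s0-s15:c0.c1023": "system_u:system_r:initrc_t:s0-s15:c0.c1023",
}


def evaluate_cases() -> dict:
    """Return {case name: True if the MCS constraint permits access to POLY_TMP}."""
    return {name: mcs_permits_file_access(ctx, POLY_TMP) for name, ctx in CASES.items()}


if __name__ == "__main__":
    for name, ok in evaluate_cases().items():
        print(f"{name}: {'permitted' if ok else 'denied'}")
```

The real /var/tmp (tmp_t:s0) is permitted for every case, which is why the problem only surfaces once polyinstantiation gives the per-user instance a categorised label.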
module removal fails
by lejeczek
$ semanage module -r ganesha
libsemanage.semanage_direct_remove_key: Unable to remove module ganesha
at priority 400. (No such file or directory).
OSError: No such file or directory
hi guys,
how to fix the above?
many thanks, L.
Dnsmasq log setattr denial
by Jeff Boyce
Greetings -
I recently had some brief intermittent network connection issues that I
finally tracked down to occurring in time with dns lease renewal by
dnsmasq. Looking into the logs I found that the issue began after I
rebooted my dns server recently. No configuration changes had been
made, we shut servers down for a planned power outage for our building.
I have read the full sealert message, but with my limited experience I
am looking for some confirmation before making any changes. The raw
audit message is listed below. It appears there may be a context issue
on the log file (I know there is a typo in my log file name).
Raw Audit Messages
type=AVC msg=audit(1559298063.86:81599): avc: denied { setattr } for
pid=15072 comm="dnsmasq" name="dsnmasq.log" dev=vda2 ino=1068
scontext=system_u:system_r:dnsmasq_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1559298063.86:81599): arch=x86_64 syscall=fchown
success=no exit=EACCES a0=c a1=63 a2=ffffffff a3=418 items=0 ppid=1
pid=15072 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=13562 comm=dnsmasq exe=/usr/sbin/dnsmasq
subj=system_u:system_r:dnsmasq_t:s0 key=(null)
Running audit2why gives the following, which references a missing type
enforcement allow rule.
type=AVC msg=audit(1558865403.590:67806): avc: denied { setattr } for
pid=1429 comm="dnsmasq" name="dsnmasq.log" dev=vda2 ino=827
scontext=system_u:system_r:dnsmasq_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module
to allow this access.
However, when I run matchpathcon, I get the following results, which
seems to indicate that everything should be ok.
[root@taxa ~]# matchpathcon -V /var/log/*
/var/log/dsnmasq.log verified.
/var/log/dsnmasq.log-20190525 verified.
/var/log/dsnmasq.log-20190526 verified.
/var/log/dsnmasq.log-20190527 verified.
/var/log/dsnmasq.log-20190528 verified.
/var/log/dsnmasq.log-20190529 verified.
/var/log/dsnmasq.log-20190530 verified.
/var/log/dsnmasq.log-20190531 verified.
So it is not clear to me what is the proper way to resolve this denial,
and am looking for a little more education and advice so that I don't
issue the wrong selinux command. I am running dnsmasq 2.48-18.el6_9 on
a CentOS 6 system. Thanks.
Jeff
--
Jeff Boyce
Meridian Environmental
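An added example (written for this page, not part of Jeff's post or of any audit tool): the AVC and SYSCALL records above share the msg=audit(<epoch>:<serial>) event id, and joining them is what turns "setattr denied" into "fchown returned EACCES from /usr/sbin/dnsmasq". The code below parses the three records quoted in the post (re-joined onto single lines) and correlates them by event id; the AVC that audit2why reported carries a different id and inode, so it is a separate, earlier event.

```python
"""Correlate AVC denials with their SYSCALL records by audit event id.

Added example, not from the mailing-list post. Every audit record carries
msg=audit(<epoch>.<ms>:<serial>); records sharing that id belong to one
event, so an AVC line can be joined with the SYSCALL line that names the
call, its exit status and the executable. SAMPLE_AUDIT_LOG holds the two
AVC records and the SYSCALL record quoted in the post, one record per line.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s*\{\s*([^}]*)\}")

SAMPLE_AUDIT_LOG = """
type=AVC msg=audit(1559298063.86:81599): avc: denied { setattr } for pid=15072 comm="dnsmasq" name="dsnmasq.log" dev=vda2 ino=1068 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1559298063.86:81599): arch=x86_64 syscall=fchown success=no exit=EACCES a0=c a1=63 a2=ffffffff a3=418 items=0 ppid=1 pid=15072 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=13562 comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null)
type=AVC msg=audit(1558865403.590:67806): avc: denied { setattr } for pid=1429 comm="dnsmasq" name="dsnmasq.log" dev=vda2 ino=827 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""


def parse_record(line: str) -> dict:
    """Turn one audit record into a dict of its key=value fields plus event id."""
    match = EVENT_RE.search(line)
    if not match:
        raise ValueError(f"no audit event id in record: {line!r}")
    rec = {"event": f"{match.group(1)}:{match.group(2)}"}
    for key, value in KV_RE.findall(line):
        if key == "msg":  # msg=audit(...) is already captured as the event id
            continue
        rec[key] = value.strip('"')
    perms = PERMS_RE.search(line)
    if perms:  # only AVC records carry a "denied { ... }" permission list
        rec["perms"] = perms.group(1).split()
    return rec


def correlate(lines) -> dict:
    """Group records by event id: {event_id: {"AVC": [...], "SYSCALL": rec|None}}."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": None})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        if rec.get("type") == "AVC":
            events[rec["event"]]["AVC"].append(rec)
        elif rec.get("type") == "SYSCALL":
            events[rec["event"]]["SYSCALL"] = rec
    return dict(events)


def type_of(context: str) -> str:
    """Third field of user:role:type[:range]."""
    return context.split(":")[2]


def event_sort_key(event_id: str):
    """Order events chronologically by (timestamp, serial) rather than as strings."""
    stamp, serial = event_id.split(":")
    return (float(stamp), int(serial))


def summarize(events: dict) -> list:
    """One flat summary per AVC, joined with its SYSCALL record when present."""
    out = []
    for event_id in sorted(events, key=event_sort_key):
        parts = events[event_id]
        sc = parts["SYSCALL"] or {}
        for avc in parts["AVC"]:
            out.append({
                "event": event_id,
                "comm": avc.get("comm"),
                "perms": avc.get("perms", []),
                "source_type": type_of(avc["scontext"]),
                "target_type": type_of(avc["tcontext"]),
                "tclass": avc.get("tclass"),
                "name": avc.get("name"),
                "ino": avc.get("ino"),
                "syscall": sc.get("syscall"),
                "exit": sc.get("exit"),
                "exe": sc.get("exe"),
            })
    return out


def analyze_sample() -> list:
    """Run the pipeline over the records quoted in the post."""
    return summarize(correlate(SAMPLE_AUDIT_LOG.splitlines()))


if __name__ == "__main__":
    for row in analyze_sample():
        print(row)
```

Feeding the whole of /var/log/audit/audit.log through correlate() instead of the sample shows at a glance whether a denial recurs on the same inode (a labelling question, to be settled with ls -Z and matchpathcon on that file) or only on freshly rotated files, which is the distinction the question above turns on.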
numad daemon
by lejeczek
hi guys
I have a few Centos 7.6 boxes and one would not let numad start showing:
...
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1559226205.999:2396605): avc: denied { unix_read }
for pid=61553 comm="numad" key=-559038737
scontext=system_u:system_r:numad_t:s0
tcontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tclass=msgq
permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1559226205.999:2396606): avc: denied { unix_read }
for pid=61553 comm="numad" key=-559038737
scontext=system_u:system_r:numad_t:s0
tcontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tclass=msgq
permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1559226206.000:2396607): avc: denied { unix_read }
for pid=61553 comm="numad" key=-559038737
scontext=system_u:system_r:numad_t:s0
tcontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tclass=msgq
permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access
--end
How would that one box be different? Am I missing some boolean(s)?
many thanks, L.
Issues trying to change the selinux context
by mark
We're forced to use Siteminder, by CA, who have no clue what they're doing
in *nix. No packages, tarballs...
Anyway, I'm trying to clean up some stuff, and in /*/smwa/webagent/bin (all
their binaries, including .so's, are in there, duh...) I'm trying to set
the .so's to lib_t.
semanage -fcontext -a -t lib_t "/<elided>/smwa/webagent/bin(/.*).so"
gives me the completely unexpected response of
semanage: error: argument subcommand: invalid choice: 'lib_t' (choose from
'import', 'export', 'login', 'user', 'port', 'ibpkey', 'ibendport',
'interface', 'module', 'node', 'fcontext', 'boolean', 'permissive',
'dontaudit')
What am I doing wrong?
mark