Re: using an interface defined in another loaded module
by SZIGETVÁRI János
Dear Gary,
Thanks a zillion times for your help, the building of the policy works fine
now that I have copied the .if file of the submodule to the directory you
mentioned!
I did not know I was required to copy the module's interface file to
SELinux's include dirs to make it available for other modules to use.
BTW, I was building my module from within my "policy builder and installer"
script using the "traditional" way of:
# make -f /usr/share/selinux/devel/Makefile A.pp
Now the build process works, thanks to your suggestion!
Best Regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari
E-mail: janos(a)szigetvari.com, jszigetvari(a)gmail.com
Phone: +36209440412 (Hungary)
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
Gary Tierney <gary.tierney(a)gmx.com> wrote (on 3 Apr 2019, Wed, 17:14):
> On Wed, Apr 03, 2019 at 10:34:08AM +0200, SZIGETVÁRI János wrote:
> >Could anyone please give me some insight on this?
> >
> >Thanks a lot!
> >
>
> Hi,
>
> How are you building and installing your policy modules? The interface
> definitions (.if files) aren't preserved in the compiled policy package,
> so are typically kept elsewhere. On Fedora this is under
> /usr/share/selinux/devel/include and its associated subdirectories
> (which are recursively walked to find .if files when building policy
> using the refpolicy framework, i.e., the selinux-policy-devel package).
>
> So it should be as simple as copying your .if files to:
> /usr/share/selinux/devel/include (though the "services" subdir is likely
> more appropriate).
>
> Thanks,
> Gary.
>
> >Best Regards,
> >János Szigetvári
> >
> >SZIGETVÁRI János <jszigetvari(a)gmail.com> wrote (on 31 Mar 2019, Sun, 13:47):
> >
> >> ... snip ...
> >_______________________________________________
> >selinux mailing list -- selinux(a)lists.fedoraproject.org
> >To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> >Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>
>
3 years, 10 months
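The step Gary describes (putting a module's .if file under the devel include tree so other modules can call its interfaces) has one failure mode worth checking before the copy: if a name the file defines is already defined by another .if in that tree, every later build in the tree fails, not just this module's. The following is an added example, not code from the thread: it stages an .if file into the "services" subdirectory of /usr/share/selinux/devel/include (paths from Gary's reply) after indexing the tree for duplicate interface/template names, and treats an older copy of the same file at the destination as not a conflict so a build script can be re-run. The function names and the sample .if files written by demo() are assumptions constructed for the example.

```python
"""Stage a module's .if file where the refpolicy Makefile will find it, and
refuse if an interface or template it defines already exists elsewhere in
the include tree.  Added example, not code from the thread.  The include
root and the "services" subdirectory come from Gary's reply; the function
names and the sample .if files in demo() are constructed for illustration."""
import os
import re
import shutil
import subprocess
import tempfile

DEFAULT_INCLUDE_ROOT = "/usr/share/selinux/devel/include"
DEVEL_MAKEFILE = "/usr/share/selinux/devel/Makefile"

# matches  interface(`name',  or  template(`name',  at the start of a line
_DEF_RE = re.compile(r"^\s*(interface|template)\(`([A-Za-z0-9_]+)'", re.M)


def defined_names(if_text):
    """Interface/template names defined in the text of one .if file."""
    return {m.group(2) for m in _DEF_RE.finditer(if_text)}


def index_include_tree(include_root, ignore=()):
    """Map every name in the tree to the .if file defining it, walking
    subdirectories recursively the way the refpolicy Makefile does."""
    skip = {os.path.realpath(p) for p in ignore}
    index = {}
    for dirpath, _dirs, files in os.walk(include_root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if not fn.endswith(".if") or os.path.realpath(path) in skip:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for name in defined_names(fh.read()):
                    index.setdefault(name, path)
    return index


def find_conflicts(if_path, include_root, ignore=()):
    """Names defined in if_path that some other file in the tree defines."""
    with open(if_path, encoding="utf-8") as fh:
        mine = defined_names(fh.read())
    index = index_include_tree(include_root, ignore=(if_path,) + tuple(ignore))
    return sorted((n, index[n]) for n in mine if n in index)


def stage_interface(if_path, include_root=DEFAULT_INCLUDE_ROOT, subdir="services"):
    """Copy if_path to <include_root>/<subdir>/ after the conflict check.
    An older copy of the same file at the destination is not a conflict,
    so re-running a build script is safe.  Returns the destination path."""
    dest = os.path.join(include_root, subdir, os.path.basename(if_path))
    conflicts = find_conflicts(if_path, include_root, ignore=(dest,))
    if conflicts:
        detail = ", ".join("%s (already in %s)" % (n, p) for n, p in conflicts)
        raise RuntimeError("refusing to stage %s: %s" % (if_path, detail))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.copy2(if_path, dest)
    return dest


def build_module(module, makefile=DEVEL_MAKEFILE):
    """The build step from the thread: make -f <devel Makefile> <module>.pp,
    run in the directory holding <module>.te.  Not called by demo()."""
    return subprocess.run(["make", "-f", makefile, module + ".pp"], check=True)


def demo():
    """Constructed sample tree (not from the thread): an existing services
    .if defining foo_read_conf, a new module that redefines it (rejected),
    and a clean module that is staged twice without complaint."""
    root = tempfile.mkdtemp(prefix="selinux-include-")
    os.makedirs(os.path.join(root, "services"))
    with open(os.path.join(root, "services", "foo.if"), "w") as fh:
        fh.write("interface(`foo_read_conf',`\n\tgen_require(`type foo_conf_t;')\n')\n")
    src = tempfile.mkdtemp(prefix="mymodule-")
    bad = os.path.join(src, "bad.if")
    with open(bad, "w") as fh:
        fh.write("interface(`foo_read_conf',`\n')\ninterface(`bad_domtrans',`\n')\n")
    good = os.path.join(src, "good.if")
    with open(good, "w") as fh:
        fh.write("template(`good_role',`\n')\ninterface(`good_domtrans',`\n')\n")
    result = {"bad_conflicts": [n for n, _ in find_conflicts(bad, root)]}
    first = stage_interface(good, include_root=root)
    second = stage_interface(good, include_root=root)  # re-stage: no conflict
    result["staged"] = os.path.relpath(first, root)
    result["restage_same_path"] = first == second
    result["indexed_after"] = sorted(index_include_tree(root))
    return result


if __name__ == "__main__":
    print(demo())
```

In a real build script the call order is stage_interface() for each submodule's .if, then build_module() for each module that consumes those interfaces; the conflict check matters most when several people drop modules into the same shared tree.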
SElinux and proxies
by Jayson Hurst
I am running into an issue using a 2fa binary through a squid proxy. I am writing the selinux policy for the 2fa binary, but when I attempt to access the system via ssh I am seeing the following AVC
type=AVC msg=audit(1564694436.236:1003): avc: denied { name_connect } for pid=30620 comm="starling" dest=3128 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket permissive=0
The following will fix it for the squid proxy:
corenet_tcp_connect_squid_port(sshd_t)
but what if tomorrow I decide to use a different proxy that uses a different port? What is the correct way to set this up so that, regardless of what proxy is being used on whatever port, I don't have to update my policy every time?
Thanks
4 years
rpm-ostree not showing status because of SELinux
by arnaud gaboury
I am running Fedora Atomic server 29 and have started to see weird behaviors
due to SELinux since a few days ago. I did everything I could to fix issues with
audit2allow, sealert and audit2why (logs are empty of alerts). Some issues
are still here. One example below:
-----------------------------
% rpm-ostree status
error: An SELinux policy prevents this sender from sending this message to
this recipient, 0 matched rules; type="method_call", sender=":1.90" (uid=0
pid=1731 comm="/usr/bin/rpm-ostree status "
label="sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023")
interface="org.projectatomic.rpmostree1.Sysroot" member="RegisterClient"
error name="(unset)" requested_reply="0"
destination="org.projectatomic.rpmostree1" (uid=0 pid=1734
comm="/usr/bin/rpm-ostree start-daemon "
label="system_u:system_r:install_t:s0")
---------------------------------------------------------------
NOTE: I ssh the machine.
A few settings if it can help:
----------------------
gab@poppy➤➤ ~ % id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
gab@poppy➤➤ ~ % semanage login -l
ValueError: SELinux policy is not managed or store cannot be accessed.
root@poppy➤➤ ~ # semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
gab sysadm_u s0-s0:c0.c1023 *
root system_u s0-s0:c0.c1023 *
gab@poppy➤➤ ~ % sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
gab@poppy➤➤ ~ # cat /etc/sudoers.d/gab
gab ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
gab@poppy➤➤ ~ # ls -alZ /etc/sudoers.d/
total 24
drwxr-x---. 2 root root system_u:object_r:etc_t:s0 42 Aug 31 15:05 .
drwxr-xr-x. 90 root root system_u:object_r:etc_t:s0 8192 Aug 31 17:09 ..
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 71 Aug 31 14:42
gab
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 72 Aug 31 15:04
gabx
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 120 Aug 12 11:53
louis
No more alerts:
gab@poppy➤➤ ~ % sealert -b
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the
GLib main loop with dbus-python is deprecated.
Instead, use this sequence:
from dbus.mainloop.glib import DBusGMainLoop
DBusGMainLoop(set_as_default=True)
import dbus.glib
gab@poppy➤➤ ~ %
-----------------------------------------------
What can I do to fix the ostree status and, more globally, fix any remaining
SELinux issues? The server has yet to be set up and I don't want to go
ahead with issues lying around.
Thank you for help.
4 years
issues su/sudo and more
by arnaud gaboury
I run one Fedora Atomic 30 desktop and one server. I am left with two
issues on these machines.
1. On server:
---------
gabx@poppy➤➤ ~ % su
zsh: permission denied: su
gabx@poppy➤➤ ~ % sudo -i
[sudo] password for gabx:
root@poppy➤➤ ~ #
-------------------------
Is it the expected behavior? I could run su a few days ago.
Below some info:
----------
# cat /etc/sudoers
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
#includedir /etc/sudoers.d
# cat /etc/sudoers.d/gabx
gabx ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
# semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
gabx sysadm_u s0-s0:c0.c1023 *
root system_u s0-s0:c0.c1023 *
gabx@poppy➤➤ ~ % id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
------------------------------------------------
2. On Silverblue desktop, I can't start the system anymore with selinux
enforced. I had to edit kernel command line with selinux=0 to boot, then
edit selinux config to disable.
How can I debug and solve this issue?
Thank you for help.
4 years
reinstall package on Atomic host
by arnaud gaboury
I run Fedora atomic 29. I made a mistake by removing one very important
SELinux module: su.
I can no longer su (I can sudo), which is very annoying. To get back the
module, I need to reinstall the selinux-policy-targeted package.
------------------------------------------
% sudo setenforce 0
% sudo rpm-ostree uninstall selinux-policy-targeted
error: package/capability 'selinux-policy-targeted' is not currently requested
% rpm -qa | grep selinux
.....
182:selinux-policy-targeted-3.....
-------------------------
Following this[0] thread, I tried:
----------------------------
% sudo rpm-ostree override remove selinux-policy-targeted
[sudo] password for gabx:
Checking out tree cb40a05... done
Resolving dependencies... done
Applying 1 override and 79 overlays
Processing packages... done
Running pre scripts... done
Running post scripts... done
Writing rpmdb... done
Writing OSTree commit... done
error: With policy root '/proc/self/fd/25/usr/etc/selinux/targeted':
selabel_open(SELABEL_CTX_FILE): No such file or directory
-----------------------------------
How can I delete/install or reinstall it? Is there a way to get back the su
module?
Thank you for help
[0]https://github.com/projectatomic/rpm-ostree/issues/1386
4 years
SELinux troubleshoot: can't install modules
by arnaud gaboury
Until a few days ago, my Fedora 29 Atomic host was working perfectly with
SELinux enforced. The server is only a few weeks old with nothing fancy yet
set up or installed.
I recently changed my user (gabx) context from the default unconfined to
sysadm_u and ran restorecon.
Here is what I did:
Fresh after install:
--------------------------------------------------
# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
gabx unconfined_u s0-s0:c0.c1023
--------------------------------
Then:
# semanage login -m -s sysadm_u --range s0-s0:c0.c1023 gabx
# semanage login -l
gabx sysadm_u s0-s0:c0.c1023 *
# restorecon -RF /home/gabx
# ls -alZ /home/gabx
drwxrwxr-x. 5 gabx gabx sysadm_u:object_r:config_home_t:s0 61 Aug
17 14:42 .config/
drwxrwxr-x. 2 gabx gabx sysadm_u:object_r:user_home_t:s0 6 Aug
21 14:09 hugo/
....
# vim /etc/sudoers.d/gabx
gabx ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r /bin/sh
This change may be the root of the problem. I also ran a
certbot-letsencrypt container which changed a few file contexts
(container_t): maybe it broke a few things?
I can't load modules.
With the help of ausearch and journalctl I can identify SELinux messages
and write a *myapp.pp* module. But then:
-----------------------------------
# semodule -i myapp.pp
semodule: Failed on myapp.pp!
-------------------------------
4 years
How can I protect a service by SELinux?
by Jason Long
Hello,
I installed the "vsftpd" service, but by default SELinux blocked it. I changed the SELinux configuration with "setsebool -P ftpd_full_access 1", but I guess it means that SELinux can't protect my "vsftpd" service. How can I use the "vsftpd" service with SELinux enabled?
Thanks.
4 years, 1 month
Fwd: setools-console-analyses package
by Aristeidis Dimitriadis
Forwarded from the "users" list
-------- Forwarded Message --------
Subject: setools-console-analyses package
Date: Mon, 5 Aug 2019 13:34:11 +0300
From: Aristeidis Dimitriadis <ar.s.dimitriadis(a)gmail.com>
To: users(a)lists.fedoraproject.org
Hello,
I believe there is an error in the packaging of setools-console-analyses
which results in one of the tools being unusable. I am close to
submitting a bug report but I would like someone to have a look first in
case I am doing something wrong. Using up-to-date Fedora 30.
The tool of interest is sedta, which performs "Domain transition analysis
for SELinux policies" (from the manpage). Running this tool results in this:
$ sedta -s <some domain> -p <some policy file>
'DiGraph' object has no attribute 'edges_iter'
This is a Python error and seems related to the networkx Python library
which is listed as a requirement. No version requirements for this
library are displayed by rpm. Installed version (by dnf) is 2.3.
However, there is this guide :
https://networkx.github.io/documentation/stable/release/migration_guide_f...
where it is clearly stated that the "edges_iter" API is removed in
version 2.0. The upstream SELinux tools project which I believe is here :
https://github.com/SELinuxProject/setools
does not use the "edges_iter" API (I grep-ed for it). My guess is that
networkx was updated but setools-console-analyses was not and now is
trying to use an incompatible library version.
No similar issues appear on bugzilla. Should I create one?
Also, is there a way to report a bug without creating a bugzilla/fedora
account? (answered in the "users" list)
Aristeidis Dimitriadis
4 years, 1 month
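sedta walks the domain-transition graph of a loaded policy; the networkx graph library is only the container it keeps that graph in, and the 1.x edges_iter method the packaged build still calls was removed in networkx 2.0, which is why the tool fails before doing any analysis. The following is an added example, not setools code, that shows the analysis itself on a tiny constructed rule set with plain dictionaries, so nothing in it depends on the networkx version. The criteria it applies are the standard ones for an SELinux domain transition: the source domain may transition to the target, the source may execute the entrypoint file type, and the target has that type as an entrypoint; a type_transition rule makes the transition automatic, otherwise the source needs setexec to request it. The rule set and the type names in it are constructed for the example.

```python
"""Domain-transition analysis as sedta performs it, on a hand-made rule set
and without networkx.  Added example, not setools code.  RULES is a
constructed policy fragment: ("allow", src, tgt, class, perms) and
("type_transition", src, tgt, class, new_type); "self" as target means
the source type itself, as in policy language."""
from collections import deque

RULES = [
    ("allow", "sshd_t", "user_t", "process", {"transition"}),
    ("allow", "sshd_t", "shell_exec_t", "file", {"read", "execute"}),
    ("allow", "user_t", "shell_exec_t", "file", {"entrypoint", "execute"}),
    ("type_transition", "sshd_t", "shell_exec_t", "process", "user_t"),
    ("allow", "user_t", "sysadm_t", "process", {"transition"}),
    ("allow", "user_t", "sudo_exec_t", "file", {"execute"}),
    ("allow", "sysadm_t", "sudo_exec_t", "file", {"entrypoint"}),
    ("allow", "user_t", "self", "process", {"setexec"}),
    # incomplete on purpose: transition + execute, but staff_t has no entrypoint
    ("allow", "user_t", "staff_t", "process", {"transition"}),
    ("allow", "user_t", "staff_shell_exec_t", "file", {"execute"}),
]


def _allowed(rules):
    """{(src, tgt, cls): perms} with 'self' expanded to the source type."""
    allowed = {}
    for r in rules:
        if r[0] != "allow":
            continue
        tgt = r[1] if r[2] == "self" else r[2]
        allowed.setdefault((r[1], tgt, r[3]), set()).update(r[4])
    return allowed


def transitions(rules):
    """All (src, tgt, entrypoint, how) tuples satisfying the three allow
    rules.  how is 'type_transition' (automatic), 'setexec' (the source can
    request it), or 'none' (allowed by TE but no way to trigger it)."""
    allowed = _allowed(rules)
    auto = {(r[1], r[2]): r[4] for r in rules
            if r[0] == "type_transition" and r[3] == "process"}
    found = []
    for (src, tgt, cls), perms in allowed.items():
        if cls != "process" or "transition" not in perms or src == tgt:
            continue
        for (esrc, exe, ecls), eperms in allowed.items():
            if esrc != tgt or ecls != "file" or "entrypoint" not in eperms:
                continue
            if "execute" not in allowed.get((src, exe, "file"), set()):
                continue
            if auto.get((src, exe)) == tgt:
                how = "type_transition"
            elif "setexec" in allowed.get((src, src, "process"), set()):
                how = "setexec"
            else:
                how = "none"
            found.append((src, tgt, exe, how))
    return sorted(found)


def reachable(rules, start):
    """Domains reachable from start by chaining transitions (like sedta -s)."""
    edges = {}
    for src, tgt, _exe, _how in transitions(rules):
        edges.setdefault(src, set()).add(tgt)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return sorted(seen)


if __name__ == "__main__":
    for src, tgt, exe, how in transitions(RULES):
        print("%s -> %s via %s (%s)" % (src, tgt, exe, how))
    print("reachable from sshd_t:", reachable(RULES, "sshd_t"))
```

The user_t -> staff_t rules are left incomplete deliberately: a transition rule and execute permission without an entrypoint is a common result of hand-written policy, and it is exactly the kind of dead edge a transition analysis is run to find.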
Re: SElinux and proxies
by Jay Vyas
Why not just run all possible proxies now, or a large subset of them, and open up those avcs?
> On Aug 1, 2019, at 7:04 PM, Jayson Hurst <swazup(a)hotmail.com> wrote:
>
> I am running into an issue using a 2fa binary through a squid proxy. I am writing the selinux policy for the 2fa binary, but when when I attempt to access the system via ssh I am seeing the following AVC
>
> type=AVC msg=audit(1564694436.236:1003): avc: denied { name_connect } for pid=30620 comm="starling" dest=3128 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket permissive=0
>
> The following will fix it for the squid proxy:
>
> corenet_tcp_connect_squid_port(sshd_t)
>
> but what if tomorrow I decide to use a different proxy, that uses a different port. What is the correct way to set this up so that regardless of what proxy is being used on whatever port I don't have to update my policy every time?
>
> Thanks,
>
> Jayson
4 years, 1 month
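Both the question in "SElinux and proxies" above and Jay's reply come down to the same mechanical step: collect the name_connect denials that a proxy produces and turn each one into the corenet interface call that Jayson already found for squid. The following is an added example, not code from either message: it parses AVC records, maps a <name>_port_t target type to corenet_tcp_connect_<name>_port (refpolicy's naming convention for the port types it defines; assumed here to hold for every such type, with the two generic port types special-cased by hand), and groups the results per domain so one pass over the audit log yields the set of calls to add. The first sample record is the one Jayson posted; the other two, and the 8080/9999 ports and types in them, are constructed for contrast.

```python
"""Turn name_connect AVC denials into corenet interface calls, one per
(domain, port type).  Added example, not code from the thread.  The naming
rule corenet_tcp_connect_<name>_port for <name>_port_t is refpolicy's
convention and is assumed for every port type; _SPECIAL lists the two
generic types whose interfaces are named differently."""
import re

# constructed sample: Jayson's record plus two made-up lines for contrast
SAMPLE_AUDIT = """\
type=AVC msg=audit(1564694436.236:1003): avc:  denied  { name_connect } for  pid=30620 comm="starling" dest=3128 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1564694500.100:1010): avc:  denied  { name_connect } for  pid=30621 comm="starling" dest=8080 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1564694600.300:1020): avc:  denied  { name_connect } for  pid=30622 comm="starling" dest=9999 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
"""

_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*)\} for (.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# port types that do not follow the <name>_port_t naming (assumed list)
_SPECIAL = {
    "port_t": "corenet_tcp_connect_generic_port",
    "unreserved_port_t": "corenet_tcp_connect_all_unreserved_ports",
}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": set(m.group(2).split())}
    for k, v in _KV_RE.findall(m.group(3)):
        rec[k] = v.strip('"')
    return rec


def type_of(context):
    """The type field of user:role:type[:range]."""
    return context.split(":")[2]


def connect_interface(port_type):
    """Interface granting tcp name_connect to the given port type."""
    if port_type in _SPECIAL:
        return _SPECIAL[port_type]
    if port_type.endswith("_port_t"):
        return "corenet_tcp_connect_%s_port" % port_type[:-len("_port_t")]
    raise ValueError("not a port type: " + port_type)


def interfaces_for(audit_text):
    """Map each name_connect denial to 'iface(domain)', deduplicated and
    sorted, keeping the dest ports so a reviewer can see what they were.
    permissive=1 records are kept: they are what you collect while running
    the proxies under a permissive domain, as Jay suggests."""
    out = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "tcp_socket":
            continue
        if "name_connect" not in rec["perms"]:
            continue
        call = "%s(%s)" % (connect_interface(type_of(rec["tcontext"])),
                           type_of(rec["scontext"]))
        out.setdefault(call, set()).add(rec.get("dest", "?"))
    return {k: sorted(v) for k, v in sorted(out.items())}


if __name__ == "__main__":
    for call, ports in interfaces_for(SAMPLE_AUDIT).items():
        print("%-50s # dest port(s): %s" % (call, ", ".join(ports)))
```

The output is a list of narrow grants, one per labelled port, which is the trade-off the question is really about: a single broad interface such as corenet_tcp_connect_all_ports would remove the per-proxy edit but also removes the only thing SELinux port labelling buys you, so collecting the real denials and granting exactly those is the usual answer.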
Initial context for init
by Philip Seeley
Hi all,
Quick question is:
In the targeted policy should init run SystemHigh as it does in the mls
policy?
The background:
We're setting up a targeted system where we confine all users and remove
the unconfined policy module, but we also enable polyinstantiation of /tmp
and /var/tmp.
If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we
have a context of:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
And therefore /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp
Which is really:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil
The real /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
Now if we use run_init to update an RPM that contains a post install
script, rpm can't create the temporary script file:
# run_init bash -c 'rpm -i --force /root/libselinux-2.0.94-7.el6.x86_64.rpm'
Authenticating phil.
Password:
error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission
denied
error: Couldn't create temporary file for %post
(libselinux-2.0.94-7.el6.x86_64): Permission denied
Note: you need to use run_init as the rpm might restart a service, e.g. the
sssd rpm.
We've traced this to the /etc/selinux/targeted/contexts/initrc_context file
which contains:
system_u:system_r:initrc_t:s0
So we transition to initrc_t and then to rpm_t without any categories, but
because the polyinstantiated /var/tmp directory has c0.c1023 we get denied.
Normally in targeted init runs unconfined, but we've removed this.
type=AVC msg=audit(1467342325.016:716): avc: denied { read } for
pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil"
dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0
tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir
It works if we change initrc_context to:
system_u:system_r:initrc_t:s0-s0:c0.c1023
We don't see the issue under mls because the default initrc_context is:
system_u:system_r:initrc_t:s0-s15:c0.c1023
We've traced this back through the selinux-policy src RPM and to the
upstream refpolicy and see that config/appconfig-mcs/initrc_context is:
system_u:system_r:initrc_t:s0
whereas config/appconfig-mls/initrc_context is:
system_u:system_r:initrc_t:s0-mls_systemhigh
So under mls init's context is SystemHigh, but under mcs/targeted it
doesn't have any categories.
So the long question is should config/appconfig-mcs/initrc_context really
be:
system_u:system_r:initrc_t:mcs_systemhigh
as it seems odd that the more secure mls policy would run init at
SystemHigh but targeted doesn't.
Thanks
Phil Seeley
4 years, 1 month
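The AVC in Phil's post is a pure MCS effect: the type-enforcement side would let rpm_t read tmp_t, but the polyinstantiated directory carries every category and the subject, started through an initrc_context of plain s0, carries none. The following is an added example, not from the post, that parses the contexts quoted above and applies the MCS read constraint in its simplified form (assumed here; the real policy adds attribute-based exemptions): the subject's high level must dominate the object's high level, which for MCS means carrying at least every category the object carries. Running it against the two initrc_context values shows why one works and the other is denied. Category names c0..c1023 are as in the post; function names are assumptions.

```python
"""Why rpm_t at plain s0 cannot read a polyinstantiated /var/tmp labelled
s0-s0:c0.c1023.  Added example, not from the post.  The check is the
simplified MCS read constraint (subject high level dominates object high
level); the real policy also has attribute-based exemptions, ignored here."""


def expand_categories(spec):
    """'c0.c1023,c5' -> set of ints; a range written cX.cY is inclusive."""
    cats = set()
    if not spec:
        return cats
    for part in spec.split(","):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def parse_level(level):
    """'s0:c0.c1023' -> (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), expand_categories(cats)


def parse_range(mls):
    """'s0-s0:c0.c1023' or 's0' -> (low level, high level)."""
    low, _, high = mls.partition("-")
    low_lvl = parse_level(low)
    return low_lvl, (parse_level(high) if high else low_lvl)


def split_context(ctx):
    """'user:role:type:range' -> (user, role, type, range); range defaults to s0."""
    user, role, typ, *rest = ctx.split(":")
    return user, role, typ, ":".join(rest) or "s0"


def dominates(a, b):
    """Level a dominates level b: a.sens >= b.sens and a.cats is a superset of b.cats."""
    return a[0] >= b[0] and a[1] >= b[1]


def mcs_read_allowed(scontext, tcontext):
    """The h1 dom h2 test on subject and object high levels.  True only
    means MCS is not the reason for a denial; TE rules are not checked."""
    s_high = parse_range(split_context(scontext)[3])[1]
    t_high = parse_range(split_context(tcontext)[3])[1]
    return dominates(s_high, t_high)


def explain(scontext, tcontext):
    """Human-readable verdict for one subject/object pair."""
    s_high = parse_range(split_context(scontext)[3])[1]
    t_high = parse_range(split_context(tcontext)[3])[1]
    if dominates(s_high, t_high):
        return "allowed: subject high level dominates object high level"
    missing = sorted(t_high[1] - s_high[1])
    if missing:
        return "denied: subject lacks %d of the object's categories (c%d..c%d)" % (
            len(missing), missing[0], missing[-1])
    return "denied: subject sensitivity s%d below object s%d" % (s_high[0], t_high[0])


if __name__ == "__main__":
    OBJ = "system_u:object_r:tmp_t:s0-s0:c0.c1023"          # polyinstantiated /var/tmp
    for subj in ("system_u:system_r:rpm_t:s0",               # via initrc_context ...:s0
                 "system_u:system_r:rpm_t:s0-s0:c0.c1023"):  # via ...:s0-s0:c0.c1023
        print(subj, "->", explain(subj, OBJ))
```

The same function says the real, non-polyinstantiated /var/tmp at plain s0 is readable by rpm_t at s0, which matches the post: the denial only appears once polyinstantiation hands the categorised instance to a process started without categories.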