Re: using an interface defined in another loaded module
by SZIGETVÁRI János
Dear Gary,
Thanks a zillion times for your help, the building of the policy works fine
now that I have copied the .if file of the submodule to the directory you
mentioned!
I did not know I was reqired to copy the module's interface file to
SELinux's include dirs to make it available for other modules to use.
BTW, I was building my module from within my "policy builder and installer"
script using the "traditional" way of:
# make -f /usr/share/selinux/devel/Makefile A.pp
Now the build process works, thanks to your suggestion!
Best Regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari
E-mail: janos(a)szigetvari.com, jszigetvari(a)gmail.com
Phone: +36209440412 (Hungary)
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
Gary Tierney <gary.tierney(a)gmx.com> ezt írta (időpont: 2019. ápr. 3., Sze,
17:14):
> On Wed, Apr 03, 2019 at 10:34:08AM +0200, SZIGETVÁRI János wrote:
> >Could anyone please give me some insight on this?
> >
> >Thanks a lot!
> >
>
> Hi,
>
> How are you building and installing your policy modules? The interface
> definitions (.if files) aren't preserved in the compiled policy package,
> so are typically kept elsewhere. On Fedora this is under
> /usr/share/selinux/devel/include and its associated subdirectories
> (which are recursively walked to find .if files when building policy
> using the refpolicy framework, i.e., the selinux-policy-devel package).
>
> So it should be as simple as copying your .if files to:
> /usr/share/selinux/devel/include (though the "services" subdir is likely
> more appropriate).
>
> Thanks,
> Gary.
>
> >Best Regards,
> >János Szigetvári
> >
> >SZIGETVÁRI János <jszigetvari(a)gmail.com> ezt írta (időpont: 2019. márc.
> >31., V, 13:47):
> >
> >> ... snip ...
> >_______________________________________________
> >selinux mailing list -- selinux(a)lists.fedoraproject.org
> >To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> >Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>
>
3 years, 10 months
Where to Start For A Beginner
by Jonathan Aquilina
Hi all,
I am just starting out with SEL and im wondering what is the best way to start learning how it works such as writing policies customizing policies etc.
I have fedora 30 on my dev laptop which has SEL in enforcing mode.
Regards,
Jonathan
4 years
SELinux disabled after installation through Kickstart
by Jose Vicente Nunez
Hello all,
I did a installation through Kickstart and installed a custom kernel; On my kickstart file I explicitly told kickstart to warn about violations but not to enforce:
selinux --permissive
However after the system comes up I can see than SELinux is completely disabled:
[root@X ~]# getenforce
Disabled
My /etc/selinux/config seems to have the right settings:
SELINUX=permissive
SELINUXTYPE=targeted
Any pointers where I can look up for issues?
Could be my custom kernel who is causing this issue?
I'm learning the ropes with SELinux so any help will be greatly appreciated.
Thanks.
4 years
SElinux and proxies
by Jayson Hurst
I am running into an issue using a 2fa binary through a squid proxy. I am writing the selinux policy for the 2fa binary, but when when I attempt to access the system via ssh I am seeing the following AVC
type=AVC msg=audit(1564694436.236:1003): avc: denied { name_connect } for pid=30620 comm="starling" dest=3128 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket permissive=0
The following will fix it for the squid proxy:
corenet_tcp_connect_squid_port(sshd_t)
but what if tomorrow I decide to use a different proxy, that uses a different port. What is the correct way to set this up so that regardless of what proxy is being used on whatever port I don't have to update my policy every time?
Thanks
4 years
rpm-ostree not showing status because of SELinux
by arnaud gaboury
I am running Fedora atomic server 29 and start to see weird behaviors due
to SELinux since a few days. I did everything I could to fix issues with
audit2allow, sealert and audit2why (logs are empty of alerts). Some issues
are still here. One example below:
-----------------------------
% rpm-ostree status
error: An SELinux policy prevents this sender from sending this message to
this recipient, 0 matched rules; type="method_call", sender=":1.90" (uid=0
pid=1731 comm="/usr/bin/rpm-ostree status "
label="sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023")
interface="org.projectatomic.rpmostree1.Sysroot" member="RegisterClient"
error name="(unset)" requested_reply="0"
destination="org.projectatomic.rpmostree1" (uid=0 pid=1734
comm="/usr/bin/rpm-ostree start-daemon "
label="system_u:system_r:install_t:s0")
---------------------------------------------------------------
NOTE: I ssh the machine.
A few settings if it can help:
----------------------
gab@poppy➤➤ ~ % id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
gab@poppy➤➤ ~ % semanage login -l
ValueError: SELinux policy is not managed or store cannot be accessed.
root@poppy➤➤ ~ # semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
gab sysadm_u s0-s0:c0.c1023 *
root system_u s0-s0:c0.c1023 *
gab@poppy➤➤ ~ % sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
gab@poppy➤➤ ~ # cat /etc/sudoers.d/gab
gab ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
gab@poppy➤➤ ~ # ls -alZ /etc/sudoers.d/
total 24
drwxr-x---. 2 root root system_u:object_r:etc_t:s0 42 Aug 31 15:05 .
drwxr-xr-x. 90 root root system_u:object_r:etc_t:s0 8192 Aug 31 17:09 ..
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 71 Aug 31 14:42
gab
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 72 Aug 31 15:04
gabx
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 120 Aug 12 11:53
louis
No more alerts:
gab@poppy➤➤ ~ % sealert -b
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the
GLib main loop with dbus-python is deprecated.
Instead, use this sequence:
from dbus.mainloop.glib import DBusGMainLoop
DBusGMainLoop(set_as_default=True)
import dbus.glib
gab@poppy➤➤ ~ %
-----------------------------------------------
What can I do to fix the ostree status and more globally fix any SELinux
remaing issues. The server has yet to be set up and I don't want to go
ahead with lying around issues.
Thank you for help.
4 years
