Recommendation for manipulating config files using external tool
by zer0 0ne
All,
I am new to SELinux policy. I have several daemons D1, D2, ... and each has a corresponding config file C1, C2, .... The config files are typed per daemon and the .fc is set by the individual daemon policy. However, we have a common utility that is used for manipulating all the config files, and all the daemons use the utility to manipulate the config files. All daemons run exec() and invoke the utility to manipulate the config file (it is ugly, legacy code).
Any recommendation on how to tailor SELinux policies for a use case like this? Is there any existing SELinux policy that follows a similar model?
Zer0 0ne
Selinux and parent/component directory
by Gionatan Danti
Hi all,
I have a question about how SELinux matches the parent and/or higher component path directory.
Let's say I want to relocate a service home under /mnt/. For example, I want to relocate /var/lib/libvirt under /mnt/xfs/var/lib/libvirt. I understand I can, and should, use SELinux equivalency: "semanage fcontext -a -e /var/lib/libvirt /mnt/xfs/var/lib/libvirt".
So far, so good: a "restorecon -RF /mnt/xfs/var/libv/libvirt" leaves the SELinux labels intact.
However, the /mnt/xfs/ component path is still (obviously) labeled as type mnt_t. How will SELinux behave in this case? Will it only match the final path component (i.e. the "libvirt" dir in "/mnt/xfs/var/lib/libvirt")? Or should libvirt be enabled to read/list/execute from mnt_t also?
More broadly: does a targeted SELinux policy have a list of *enabled* actions, with all others automatically denied, or are "extraneous" labels just ignored?
Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8
SELinux is preventing systemd-tmpfile from using the sys_resource capability.
by Manfred Lotz
Hi there,
Running Fedora 31 and SELinux still in permissive mode I got
SELinux is preventing systemd-tmpfile from using the sys_resource capability.
***** Plugin sys_resource (91.4 confidence) suggests **********************
If you do not want processes to require capabilities to use up all the system resources on your syste>
Then you need to diagnose why your system is running out of system resources and fix the problem.
According to /usr/include/linux/capability.h, sys_resource is required to:
/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */
Do
fix the cause of the SYS_RESOURCE on your system.
***** Plugin catchall (9.59 confidence) suggests **************************
If you believe that systemd-tmpfile should have the sys_resource capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-tmpfile' --raw | audit2allow -M my-systemdtmpfile
# semodule -X 300 -i my-systemdtmpfile.pp
I also see
type=AVC msg=audit(1569414241.452:321): avc: denied { sys_resource } for pid=17409 comm="systemd-tmpfile" capability=24 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1569414241.452:322): avc: denied { setrlimit } for pid=17409 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1
I have to admit I don't know how to judge this. Before I do anything here I'd like to understand.
--
Manfred
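As an added illustration (not part of Manfred's post, and not audit2allow's own code): a small Python script that parses the two AVC records quoted above, collapses them into the TE allow rules audit2allow would propose, and reports whether every record carried permissive=1, meaning the access was logged but never actually blocked. The sample records are the post's own lines, rejoined after mail wrapping.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records from the post, each rejoined onto one line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1569414241.452:321): avc: denied { sys_resource } for pid=17409 comm="systemd-tmpfile" capability=24 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1569414241.452:322): avc: denied { setrlimit } for pid=17409 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1
"""

# Fields of an AVC record we need: permissions, source/target context, class, permissive flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(text):
    """Yield one dict per AVC denial record found in the audit text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        # A context is user:role:type:level; the third field is the type.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        rec["permissive"] = rec["permissive"] == "1"
        yield rec

def allow_rules(text):
    """Group denials by (source type, target, class) into TE allow rules."""
    grouped = defaultdict(set)
    for rec in parse_avc(text):
        # Same source and target type is written as 'self', as audit2allow does.
        target = "self" if rec["ttype"] == rec["stype"] else rec["ttype"]
        grouped[(rec["stype"], target, rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules

def permissive_only(text):
    """True when every record was logged in permissive mode (nothing was blocked)."""
    recs = list(parse_avc(text))
    return bool(recs) and all(r["permissive"] for r in recs)

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
    print("permissive only:", permissive_only(SAMPLE_AUDIT))
```

Seeing the rules before loading a module makes it easier to decide whether the access belongs in the daemon's policy or whether the underlying cause (here, why systemd-tmpfiles needs setrlimit) should be investigated first.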