lnk_file read permission
by Gionatan Danti
Hi all,
Using SELinux, I have seen many times that when relocating service dirs (e.g.
mysql, mongodb, etc.) and putting a symlink in the original location, the
affected services fail to start due to the missing lnk_file read permission.
As SELinux works with the target file label and is path-agnostic (this
is, indeed, a major SELinux feature), why is the lnk_file read often
not granted by default? Does granting it expose the system to additional attack
vectors?
Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8
3 years, 7 months
Updating security classes and access vectors in Fedora policy?
by Stephen Smalley
Hi,
Fedora policy has a number of differences in its security_classes and
access_vectors from current refpolicy, and neither are fully up to date
with the kernel (but refpolicy is closer). One consequence of this is
that parts of the selinux-testsuite do not run by default on Fedora
(including rawhide) at present and still require manual patching by
testers if they want to exercise all the tests.
Differences that I see include:
- refpolicy has added the watch* permissions exercised by the
selinux-testsuite/tests/{notify,filesystem,fs_filesystem} tests. These
were first defined in refpolicy by
https://github.com/SELinuxProject/refpolicy/commit/c656b97a289ce6c2da2871...
but there have been a series of subsequent commits (one to fix an
ordering problem to better align with the kernel) and then allowing
these new watch permissions as needed.
- refpolicy has added the perf_event class exercised by the
selinux-testsuite/tests/perf_event tests. These were first defined in
refpolicy by
https://github.com/SELinuxProject/refpolicy/commit/624a63704c19a653486f37....
- Neither refpolicy nor fedora have yet added the lockdown class
exercised by selinux-testsuite/tests/lockdown. The kernel commit
introducing this class is
https://github.com/SELinuxProject/selinux-kernel/commit/59438b46471ae6cdf....
Other differences that don't directly affect the testsuite execution:
- Drop unused socket security classes,
https://github.com/SELinuxProject/refpolicy/commit/4637cd6f898e95ffa95b2d...
- Remove unused permissions,
https://github.com/SELinuxProject/refpolicy/commit/161bda392e61056ea22fe9...
- Remove entrypoint and execute_no_trans from chr_file,
https://github.com/SELinuxProject/refpolicy/commit/8486b8aa83afa7abd94c93...
- remove flow_in and flow_out permissions from packet class,
https://github.com/SELinuxProject/refpolicy/commit/f4459adf3242ed2dbc35e2...
- Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket
classes,
https://github.com/SELinuxProject/refpolicy/commit/5fd175fa453e995d8b7357...
- Remove unused translate permission in context userspace class,
https://github.com/SELinuxProject/refpolicy/commit/65da822c1b5c70bd1ff7ec...
- Fedora policy has an "undefined" permission in its class system access
vector, not present in refpolicy (some kind of compatibility hack?).
- Fedora policy has an "epolwakeup" permission in its class capability2
access vector, not present in refpolicy (old name for block_suspend,
never included in an official kernel release, also not even correct
originally - should have been epollwakeup).
- Fedora policy has "getnetgrp" and "shmemnetgrp" permissions in its
class nscd access vector, not sure if those are used by glibc/nscd code
but if so should get added to refpolicy too.
- Fedora policy has a "proxy" class and access vector for "gssd", not
present in refpolicy. If that's something that isn't Fedora-specific,
it should probably get upstreamed to refpolicy although the class name
isn't very descriptive.
- refpolicy has "db_exception" and "db_datatype" classes and access
vectors for "Interbase/Firebird/Red Database", not present in Fedora.
Don't know if that matters to Fedora.
- Various whitespace/comment cleanups in refpolicy not in Fedora.
- process2 is declared at a different place in security_classes in
refpolicy versus Fedora. Doesn't really matter since kernel uses
dynamic class/perm support and no fixed definition ever defined in
libselinux/libsepol headers but might be good to align them for consistency.
NB The removals and renames may have some compatibility implications,
e.g. a local or third party policy module built against the existing
Fedora policy headers may have picked up dependencies on these
classes/permissions and therefore may need to be rebuilt against the
updated headers in order to still link successfully. This could break
upon an update if those local or third party modules were installed at
the time of the update since we'd fail on the semodule -B during %post,
leaving the system with the old policy. rpm selinux support was
supposed to fix that kind of thing by handling it via plugin and not
from %post and rolling the package update back but never got adopted/used ;(
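To find differences of the kind listed above mechanically, here is an added example (not part of the post and not a refpolicy or Fedora tool) that parses two access_vectors excerpts and reports class and permission differences; the excerpts are constructed to mirror a few items from the list and are not the real files.

```python
import re

def parse_access_vectors(text):
    """Parse 'common NAME { perms }' and 'class NAME [inherits COMMON] [{ perms }]'
    declarations into {class: set(perms)}, with inherited commons expanded."""
    tokens = re.sub(r"#.*", "", text).replace("{", " { ").replace("}", " } ").split()
    commons, classes = {}, {}
    i = 0
    while i < len(tokens):
        kind, name = tokens[i], tokens[i + 1]
        if kind not in ("common", "class"):
            raise ValueError(f"unexpected token {kind!r} at position {i}")
        i += 2
        perms = set()
        if kind == "class" and i < len(tokens) and tokens[i] == "inherits":
            perms |= commons[tokens[i + 1]]  # KeyError if the common is undefined
            i += 2
        if i < len(tokens) and tokens[i] == "{":
            end = tokens.index("}", i)
            perms |= set(tokens[i + 1:end])
            i = end + 1
        (commons if kind == "common" else classes)[name] = perms
    return classes

def diff_access_vectors(a_text, b_text):
    """Classes present in only one file, plus (only_in_a, only_in_b) perms per shared class."""
    a, b = parse_access_vectors(a_text), parse_access_vectors(b_text)
    report = {"only_in_a": sorted(set(a) - set(b)),
              "only_in_b": sorted(set(b) - set(a)), "perm_diffs": {}}
    for cls in sorted(set(a) & set(b)):
        if a[cls] != b[cls]:
            report["perm_diffs"][cls] = (sorted(a[cls] - b[cls]), sorted(b[cls] - a[cls]))
    return report

# Constructed excerpts (NOT the real Fedora or refpolicy files), shaped like the list above.
FEDORA_AV = """
common file { ioctl read write create getattr setattr lock relabelfrom relabelto append }
class file inherits file { execute_no_trans entrypoint }
class chr_file inherits file { execute_no_trans entrypoint }
class capability2 { mac_override mac_admin syslog wake_alarm block_suspend epolwakeup }
class system { ipc_info syslog_read syslog_mod syslog_console module_request undefined }
"""
REFPOLICY_AV = """
common file { ioctl read write create getattr setattr lock relabelfrom relabelto append }
class file inherits file { execute_no_trans entrypoint }
class chr_file inherits file   # execute_no_trans and entrypoint removed
class capability2 { mac_override mac_admin syslog wake_alarm block_suspend }
class system { ipc_info syslog_read syslog_mod syslog_console module_request }
class perf_event { open cpu kernel tracepoint read write }
"""
```

Run `diff_access_vectors(FEDORA_AV, REFPOLICY_AV)` to get the report; point it at the two real files by reading them into the two arguments.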
3 years, 10 months
Unsubscription
by david v
I want
Unsubscription
________________________________
From: Jonathan Aquilina <jaquilina(a)eagleeyet.net>
Sent: Sunday, 12 April 2020 19:15
To: selinux(a)lists.fedoraproject.org <selinux(a)lists.fedoraproject.org>
Subject: Question
Hi guys, I have a question regarding SEL.
I have a VM that is on CentOS 7 and before I had an issue with WordPress where it was in read-only mode and I ran
chcon -R unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/wordpress
to put it in read-write mode for me to update the site.
I then ran
restorecon -rv /var/www/html to restore things to the way they are.
Since then I have not had to run the commands again to update the site with any other updates.
What exactly is happening?
Regards,
Jonathan
3 years, 11 months
Re: Question
by Lukas Vrabec
On 4/13/20 5:46 AM, Jonathan Aquilina wrote:
> Hi Lukas,
>
> I am, you could say, brand new to SEL in all fairness, and given how security paranoid I am about my systems I am glad I am starting to work with it.
>
> I am using a very stock and out-of-the-box policy with nothing changed.
>
> A friend of mine who works with SEL himself gave me the two commands mentioned.
>
> Another question that stems off this should I just give the necessary rw access to the folders that will need to be updated?
>
Hi Jonathan,
If you're new to SELinux, I would suggest you start from the beginning:
please read the Red Hat Enterprise Linux 8 SELinux guide[1] or the SELinux
Notebook[2], which is much more technical documentation about SELinux.
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
[2] http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf
Thanks,
Lukas.
> Regards,
> Jonathan
--
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
3 years, 11 months
Re: Question
by Lukas Vrabec
On 4/12/20 9:15 PM, Jonathan Aquilina wrote:
> Hi guys, I have a question regarding SEL.
>
> I have a VM that is on CentOS 7 and before I had an issue with WordPress
> where it was in read-only mode and I ran
>
> chcon -R unconfined_u:object_r:httpd_sys_rw_content_t:s0
> /var/www/html/wordpress
>
> to put it in read-write mode for me to update the site.
>
> I then ran
>
> restorecon -rv /var/www/html to restore things to the way they are.
>
> Since then I have not had to run the commands again to update the site
> with any other updates.
>
> What exactly is happening?
>
> Regards,
>
> Jonathan
>
Hi Jonathan,
Can you please share the reproducer? Also, can you please share the SELinux
denials you saw in the past (maybe they're still in audit.log)?
From your e-mail it's hard to decide what really happened on the system.
Btw. did you change the value of any httpd_* boolean?
Please attach the output of:
# semanage boolean -l | grep httpd
Thanks,
Lukas.
--
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
3 years, 11 months
Re: Question
by Casper
Jonathan Aquilina wrote:
> Hi guys, I have a question regarding SEL.
>
> I have a VM that is on CentOS 7 and before I had an issue with WordPress
> where it was in read-only mode and I ran
>
> chcon -R unconfined_u:object_r:httpd_sys_rw_content_t:s0
> /var/www/html/wordpress
>
> to put it in read-write mode for me to update the site.
>
> I then ran
>
> restorecon -rv /var/www/html to restore things to the way they are.
>
> Since then I have not had to run the commands again to update the site
> with any other updates.
>
> What exactly is happening?
Hi Jonathan,
when you run 'chcon', you're changing the context of the
directory and its subdirectories.
As you noticed, it works fine.
But when you run 'restorecon', the command reads what context to
apply for each file and directory from a policy file.
If you don't update the policy file with what you want
(httpd_sys_rw_content_t on /var/www/html/wordpress and its
subdirectories), then restorecon will reset the context according
to its policy file.
See 'semanage fcontext' for editing the policy file (man semanage).
Then restorecon will do what you want :)
Regards,
Casper
--
GPG key: AE157E0B29F0BEF2 at keys.openpgp.org
"Those who can give up essential liberty to obtain a little
temporary safety deserve neither liberty nor safety."
-- Memoirs of the life and writings of Benjamin Franklin (1818)
CA Cert: https://dl.casperlefantom.net/pub/ssl/root.der
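As an added illustration of Casper's point (example code, not from the thread and not SELinux's own tooling): a simplified model of how restorecon picks a label. It assumes that the last matching file_contexts rule wins and that rules added with semanage fcontext are appended after the distribution's rules, so they take precedence; the rules and paths are constructed, and real lookups have extra details (stem matching, <<none>> entries, customizable types) that are left out here.

```python
import re

def lookup_label(rules, path):
    """Simplified model of file_contexts matching: each rule is (regex, type),
    the regex must match the whole path, and the LAST matching rule wins.
    Rules added with 'semanage fcontext -a' live in file_contexts.local, which
    is consulted after the distribution rules, so they override them (assumption
    made by this model; see the lead-in for what the real lookup adds)."""
    label = None
    for pattern, ftype in rules:
        if re.fullmatch(pattern, path):
            label = ftype
    return label

def relabel(rules, on_disk):
    """Simulate 'restorecon -r' over {path: current_type}: every path whose
    computed label differs is reset; paths no rule covers keep their type."""
    return {p: (lookup_label(rules, p) or t) for p, t in on_disk.items()}

# Constructed, abbreviated distribution rules (not a real file_contexts file).
DIST_RULES = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
]
# What 'chcon -R ... httpd_sys_rw_content_t ... /var/www/html/wordpress' left
# behind on the inodes (constructed sample).
ON_DISK = {
    "/var/www/html/index.html": "httpd_sys_content_t",
    "/var/www/html/wordpress": "httpd_sys_rw_content_t",
    "/var/www/html/wordpress/wp-config.php": "httpd_sys_rw_content_t",
}

def restorecon_without_local_rule():
    """chcon only changed the inodes; restorecon puts the policy's answer back."""
    return relabel(DIST_RULES, ON_DISK)

def restorecon_with_local_rule():
    """Equivalent of: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/wordpress(/.*)?"
    The local rule is appended, so it wins for the wordpress tree and restorecon keeps it."""
    local = DIST_RULES + [(r"/var/www/html/wordpress(/.*)?", "httpd_sys_rw_content_t")]
    return relabel(local, ON_DISK)

def changed_by_restorecon(rules, on_disk):
    """Paths a relabel would actually touch (roughly what 'restorecon -v' prints)."""
    after = relabel(rules, on_disk)
    return sorted(p for p in on_disk if after[p] != on_disk[p])
```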
3 years, 11 months
Question
by Jonathan Aquilina
Hi guys, I have a question regarding SEL.
I have a VM that is on CentOS 7 and before I had an issue with WordPress where it was in read-only mode and I ran
chcon -R unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/wordpress
to put it in read-write mode for me to update the site.
I then ran
restorecon -rv /var/www/html to restore things to the way they are.
Since then I have not had to run the commands again to update the site with any other updates.
What exactly is happening?
Regards,
Jonathan
3 years, 11 months
[PATCH 1/1] fix building against musl and uClibc libc libraries.
by aduskett@gmail.com
From: Adam Duskett <Aduskett(a)gmail.com>
Currently, the src/Makefile provides the FTS_LDLIBS when building against musl
or uClibc. However, this is missing from utils/Makefile, which causes linking
to fail.
Add the FTS_LDLIBS variable to the LDLIBS variable in utils/Makefile to fix
compiling against uClibc and musl.
Signed-off-by: Adam Duskett <Aduskett(a)gmail.com>
---
libselinux/utils/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index 36150638..a5632b7c 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -45,7 +45,7 @@ endif
override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
override LDFLAGS += -L../src
-override LDLIBS += -lselinux
+override LDLIBS += -lselinux $(FTS_LDLIBS)
PCRE_LDLIBS ?= -lpcre
ifeq ($(ANDROID_HOST),y)
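Review bot: the hunk references $(FTS_LDLIBS) but nothing in utils/Makefile defines it; the commit message says the variable is provided in src/Makefile, and a variable set in one Makefile is not visible to a separate make invocation unless it is exported or passed on the command line, so in a plain build of the utils directory the new `override LDLIBS += -lselinux $(FTS_LDLIBS)` expands to just `-lselinux` and the link still fails. Consider adding the same libc detection (or at least an `FTS_LDLIBS ?=` default for the musl/uClibc case) to utils/Makefile, or moving it into a shared include, and stating in the commit message which build path was verified. Appending it after -lselinux is the right order, since libselinux is the consumer of the fts symbols.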
--
2.25.1
3 years, 11 months
sa-update weirdness
by Laurent Jacquot
Hello,
Every day I have these AVCs in my logs (F31 fully updated):
Apr 7 00:00:00 jack audit[1]: SERVICE_START pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=sa-update comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
Apr 7 00:15:19 jack audit[1]: USER_AVC pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
start } for auid=n/a uid=0 gid=0
path="/usr/lib/systemd/system/spamassassin.service" cmdline=""
scontext=system_u:system_r:spamd_update_t:s0
tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
permissive=0#012 exe="/usr/lib/systemd/systemd" sauid=0 hostname=?
addr=? terminal=?'
Apr 7 00:15:19 jack audit[1]: USER_AVC pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
status } for auid=n/a uid=0 gid=0 cmdline=""
scontext=system_u:system_r:spamd_update_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0#012
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Apr 7 00:15:19 jack audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sa-update
comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
terminal=? res=success'
and in /var/log/sa-update.log
07-avril-2020 00:15:19: SpamAssassin: Update processed successfully
I am trying to understand what is going on: the sa-update service is started
OK, but 15 seconds later the same(?) service is denied start and status,
and finally is stopped with success.
I would be grateful to get any hints on how to debug this issue and
stop the AVCs.
best regards
Laurent Jacquot
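A first step in debugging this is to pull the denials out of the log and group them by source type, target type, class and permission. This added example (not from the post, and not audit2allow or any other SELinux tool) does that over the two USER_AVC records above, re-joined onto one line each, plus one constructed kernel AVC of the lnk_file kind asked about in the lnk_file thread at the top of this page; the sa-update records show spamd_update_t being refused service start and system status, which is what a local policy module or a bug report would need to cite.

```python
import re
from collections import Counter

# Matches kernel 'type=AVC' records and systemd's USER_AVC records (denial nested in msg='...').
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's fields, or None for non-AVC records (SERVICE_START etc.)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Strip quotes and the '#012' (escaped newline) syslog leaves on permissive=0#012.
    fields = {k: v.strip('"').replace("#012", "") for k, v in KV_RE.findall(m.group("rest"))}
    return {"perms": m.group("perms").split(), "tclass": fields.get("tclass"),
            "scontext": fields.get("scontext"), "tcontext": fields.get("tcontext"),
            "path": fields.get("path") or fields.get("name"), "permissive": fields.get("permissive")}

def summarize(lines):
    """Count denials by (source type, target type, class, permission) so the shape
    of a problem is visible before anyone reaches for audit2allow."""
    counts = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is None or not d["scontext"] or not d["tcontext"]:
            continue
        stype, ttype = d["scontext"].split(":")[2], d["tcontext"].split(":")[2]
        for perm in d["perms"]:
            counts[(stype, ttype, d["tclass"], perm)] += 1
    return counts

# Sample records: the two USER_AVC lines from the post above (re-joined onto one line
# each) and one CONSTRUCTED kernel AVC of the lnk_file kind raised in the lnk_file
# thread at the top of this page (not taken from any real system).
SAMPLE_LOG = [
    "Apr 7 00:15:19 jack audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 "
    "path=\"/usr/lib/systemd/system/spamassassin.service\" cmdline=\"\" "
    "scontext=system_u:system_r:spamd_update_t:s0 "
    "tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0#012 "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    "Apr 7 00:15:19 jack audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 "
    "cmdline=\"\" scontext=system_u:system_r:spamd_update_t:s0 "
    "tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0#012 "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    "type=AVC msg=audit(1586217319.000:100): avc:  denied  { read } for  pid=4242 comm=\"mysqld\" "
    "name=\"mysql\" dev=\"dm-0\" ino=99 scontext=system_u:system_r:mysqld_t:s0 "
    "tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0",
]
```

On a real system, feed it `ausearch -m AVC,USER_AVC -ts today` output or the journal lines instead of SAMPLE_LOG; a `permissive=1` value in the output means the denial was only logged, not enforced.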
3 years, 11 months