selinux August 2023

selinux@lists.fedoraproject.org

3 participants
8 discussions

Not possible to specify smtp password for setroubleshootd?
by Matt Kinni 09 Jun '24

09 Jun '24

Hello, I run a Fedora 35 server and would like setroubleshootd to send email alerts for avc denials, but I'm having trouble configuring this due to the apparent lack of support for configuring an smtp password. The out of the box setroubleshoot.conf sets > smtp_host = localhost > smtp_port = 25 > from_address = SELinux_Troubleshoot , but there is no config parameter for smtp password. For this to actually work on a machine acting as an MTA (I have postfix running locally), the mail server would have to be configured to allow unauthenticated port 25 connections to masquerade as any local system user, which no decent postfix setup would allow. I am not a python programmer, but in my reading of https://pagure.io/setroubleshoot/blob/main/f/framework/src/setroubleshoot/e…, it doesn't appear there is any built in way to support authenticated email sending despite the underlying smtplib being able to do it. I would suggest either a) adding password support for smtplib, or/and b) adding an option to send mail using the sendmail binary, which allows postfix to recognize the running user without any password needed. Has anyone else run into problems deploying the setroubleshootd email alerts in practice? email_alert.py appears simple enough to hack in password support, but I feel a security oriented project like selinux shouldn't require an insecure mail setup in order to send its alerts. Any tips are welcome, Thanks, Matt

2 4

get rid of setenforce
by Henry Zhang 09 Jun '24

09 Jun '24

Hi folks, setenforce allows users to swap selinux mode between enforcing and permissive. If I want my selinux to stay in enforcing mode forever so that nobody is able to interfere with my selinux. What should I do? Thanks. ---henry

5 13

certmonger post-save scripts & certmonger_unconfined_t domain
by Sam Morris 06 Jun '24

06 Jun '24

Certmonger allows for the configuration of a post-save command to be run after it has obtained new certificates. This can be used to copy the key & certificates out of wherever certmonger is allowed to put them, and save them elsewhere with a particular owner/group, combine the certificate & chain into a single file as required by some software, etc. The problem comes with SELinux which prevents my post-save scripts from being able to do all of that. I thought the solution was to give the scripts the context of certmonger_unconfined_exec_t, which would cause a transition to the certmonger_unconfined_t domain which is as its name suggests unconfined; but I can't get this to work. I'm trying to use runcon to simulate certmonger executing a fake script: # cat /tmp/fakescript #!/bin/bash set -eu id -Z # /tmp/fakescript unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 # ls -Z /tmp/fakescript unconfined_u:object_r:certmonger_unconfined_exec_t:s0 /tmp/fakescript # runcon system_u:system_r:certmonger_t:s0 /tmp/fakescript runcon: ‘/tmp/fakescript’: Permission denied Here is the avc denial: ---- type=PROCTITLE msg=audit(27/04/21 16:16:47.156:153492) : proctitle=runcon system_u:system_r:certmonger_t:s0 /tmp/fakescript type=SYSCALL msg=audit(27/04/21 16:16:47.156:153492) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffd8aa768ab a1=0x7ffd8aa75888 a2=0x7ffd8aa75898 a3=0x0 items=0 ppid=177795 pid=177796 auid=sam.admin uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=103 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(27/04/21 16:16:47.156:153492) : avc: denied { entrypoint } for pid=177796 comm=runcon path=/tmp/fakescript dev="dm-0" ino=33563064 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:certmonger_unconfined_exec_t:s0 tclass=file permissive=0 Even though: # sepolicy transition -s certmonger_t -t certmonger_unconfined_t certmonger_t @ certmonger_unconfined_exec_t --> certmonger_unconfined_t Diving in a little deeper, I can see that certmonger can execute the file: # sesearch -s certmonger_t -t certmonger_unconfined_exec_t -c file -p execute -A allow certmonger_t certmonger_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read }; ... and that the file type is an entrypoint for the certmonger_unconfined_t domain: # sesearch -s certmonger_unconfined_t -t certmonger_unconfined_exec_t -c file -p entrypoint -A allow certmonger_unconfined_t certmonger_unconfined_exec_t:file { entrypoint execute getattr ioctl lock map open read }; ... and that transition is permitted from certmonger_t: # sesearch -s certmonger_t -t certmonger_unconfined_t -c process -p transition -A allow certmonger_t certmonger_unconfined_t:process transition; Which leaves me scratching my head, unsure why it doesn't work in practice... -- Sam Morris <https://robots.org.uk/> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

2 4

Re: [CentOS-devel] Making the redhat selinux-policy repository publicly available
by Zdenek Pytela 15 Apr '24

15 Apr '24

On Tue, Jul 11, 2023 at 10:37 PM Troy Dawson <tdawson(a)redhat.com> wrote: > On Tue, Jul 11, 2023 at 12:50 PM Neal Gompa <ngompa13(a)gmail.com> wrote: > >> On Tue, Jul 11, 2023 at 9:31 AM Troy Dawson <tdawson(a)redhat.com> wrote: >> > >> > On Tue, Jul 11, 2023 at 4:28 AM Daan De Meyer <daan.j.demeyer(a)gmail.com> >> wrote: >> >> >> >> Hi, >> >> >> >> It seems that the selinux-policy rpm is built from >> >> git@gitlab.cee.redhat.com:SELinux/selinux-policy.git which seems to be >> >> a redhat internal repository. More specifically, if I try to checkout >> >> the commit listed in the selinux-policy spec >> >> ( >> https://gitlab.com/redhat/centos-stream/rpms/selinux-policy/-/blob/c9s/seli… >> ) >> >> in the fedora-selinux repository cloned from github, I get an error >> >> saying that the commit does not exist. It would be great if the >> >> repository containing this commit was publicly available and open for >> >> external contributors just like all the other packages in CentOS >> >> Stream. Is it possible to make this happen? >> > >> > >> > I'm not the selinux-policy maintainer, so I can't comment on where they >> work on the selinux-policy source code. >> > >> > But this is how I get the sources, if that is what you are ultimately >> looking for. >> > >> > centpkg clone selinux-policy >> > cd selinux-policy >> > centpkg sources >> > or if you want to know where they really are >> > centpkg -v sources >> > This shows it to be coming from >> > >> https://sources.stream.centos.org/sources/rpms/selinux-policy/selinux-polic… >> > >> > The sources information is found in the sources file >> > >> https://gitlab.com/redhat/centos-stream/rpms/selinux-policy/-/blob/c9s/sour… >> > >> > I know this isn't exactly what you asked for, but I hope it still helps. >> > >> >> I think the idea is that having the Git repository in a public >> location would allow the CentOS Hyperscale SIG to contribute to the >> SELinux policy in a meaningful way. >> > > Ah, ok. That makes sense. > As I said, I'm not the maintainer so I don't know why it's where it is. > So I'll step out of the conversation. > Hi, I am one of the selinux-policy maintainers. Currently, repository for Fedora is at github.com and RHEL sources are in an internal repo. We have already discussed moving centos stream sources to some of the public repositories, but it did not happen. Currently we are discussing it again, there are a few options how to do so. To get just the latest repository content, steps described by Troy should work. Additionally, most of the upstream work is done in Fedora and anyway every new commit should go to Fedora first, RHEL content is mostly a subset of Fedora, there are very few differences. -- Zdenek Pytela Security SELinux team

2 3

label rootfs in compile time not run time
by Henry Zhang 30 Aug '23

30 Aug '23

Hi folks, Any document talking about how to set the SELinux security context of files and directories of rootfs at compile time. Any suggestions? Thanks. ---henry

1 0

busybox with selinux
by Henry Zhang 15 Aug '23

15 Aug '23

Hi folks, New version of SELinux complains of busybox when relabeling. My busybox was compiled as CONFIG_FEATURE_INDIVIDUAL=n That means all applets of busybox share the same inode. But SElinux requires each file assigned to an individual inode so that each file can be defined by file_contexts. Any suggestions? Thanks ---henry

2 2

conflicting specifications during booting up
by Henry Zhang 11 Aug '23

11 Aug '23

Hi guys, My selinux complains during booting. setfiles complains conflicting specifications: selinux-autorelabel.sh[1524]: /sbin/setfiles: conflicting specifications for /tmp/tmp.flCsmAYyao/usr/lib/systemd/system/smartcard.target and /tmp/tmp.flCsmAYyao/usr/lib/systemd/user/smartcard.target, using system_u:object_r:systemd_user_unit_t:s0. # ls -Z /usr/lib/systemd/system/sound.target system_u:object_r:systemd_user_unit_t:s0 /usr/lib/systemd/system/sound.target ls -Z /usr/lib/systemd/user/sound.target system_u:object_r:systemd_user_unit_t:s0 /usr/lib/systemd/user/sound.target # grep "/usr/lib/systemd/system" /etc/selinux/mcs/contexts/files/file_contexts /usr/lib/systemd/system(/.*)? system_u:object_r:systemd_unit_t:s0 /usr/lib/systemd/user(/.*)? system_u:object_r:systemd_user_unit_t:s0 My question is why "/usr/lib/systemd/system/smartcard.target " does not take systemd_unit_t from file_contexts? What is wrong in my selinux? Thanks. ----henry

1 0

selinux_init() is not executed in booting in kernel 5.15
by Henry Zhang 10 Aug '23

10 Aug '23

2 8

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux August 2023