On 01/30/2013 08:11 PM, Andrew Jones wrote:
> On Wed, 2013-01-30 at 08:33 -0500, Daniel J Walsh wrote:
>> On 01/30/2013 02:13 AM, Andrew Jones wrote:
>>> On Wed, 2013-01-30 at 01:14 +0100, Andrew Jones wrote:
>>>> On Tue, 2013-01-29 at 10:07 -0500, m.roth(a)5-cent.us wrote:
>>>>> Andrew Jones wrote:
>>>>>> (Apologies in advance for the length of this mail. I am a
total
>>>>>> noob at SELinux so my vocabulary is probably not correct.
>>>>>> Hopefully you will be able to understand from context what I am
>>>>>> trying to say.)
>>>>>>
>>>>>> I have been setting up x11vnc on some of my machines. It looks
>>>>>> like there are a hundred different ways of setting it up but I
>>>>>> have chosen to follow the spirit of this entry in the Fedora
>>>>>> Forum:
>>>>>>
>>>>>>
http://forums.fedoraforum.org/showpost.php?p=1448696&postcount=2
>>>>>>
>>>>>> This works with SELinux permissive but fails completely when
>>>>>> enforcing.
>>>>>>
>>>>>> Even when running permissively there are so many SELinux events
>>>>>> in the first few seconds that many are dropped as shown here:
>>>>>>
>>>>>> Jan 29 03:44:10 ecafe audispd: queue is full - dropping event
>>>>>>
>>>>>> After several hours of scouring the system log, running sealert
>>>>>> and creating policies, rinsing and repeating I think I have
>>>>>> generated the command line that will identify all the events
>>>>>> which occur during an x11vnc session:
>>>>>>
>>>>>> egrep ps\|x11vnc\|tcpd\|mission-control
/var/log/audit/audit.log
>>>>>> | audit2allow -M mypol
>>>>>>
>>>>>> By repetitively running that line, applying the generated policy
>>>>>> then restarting the computer and launching a new vnc session
>>>>>> eventually all the events are able to be recorded without
filling
>>>>>> the queue.
>>>>>>
>>>>> Andrew,
>>>>>
>>>>> First of all, how did you install x11vnc? Did you use yum, or is
>>>>> this from a tarball. You should ALWAYS prefer yum install, since
>>>>> this will get all dependencies, and install policy as part of the
>>>>> package.
>>>>
>>>> Installed from yum. Having read the x11vnc man page I got the
>>>> impression it's a bit of a swiss army knife and I had *assumed*
that
>>>> as it was so hard to predict how it would be used it would not make
>>>> sense to enforce any particular policy. Is there a way of extracting
>>>> and examining the policies in an rpm?
>>>>
>>>>>
>>>>> Secondly, you should be looking at what it wants to do. For
>>>>> example, the fact that mcelog is in there worries me, a *lot*,
>>>>> since mcelog records ->hardware errors<-, meaning that you
could be
>>>>> having hardware issues.
>>>>>
>>>> It is necessary for x11vnc to discover the name of an X11
>>>> authorization file and the trick to do so is to do a `ps wwwaux |
>>>> grep '/X.*-auth'` , followed by a bit more grep and sed trickery
to
>>>> isolate the name of the file that appears on the command line that
>>>> launched xorg.
>>>>
>>>> The command above has this for output... root 26003 0.4 1.1
>>>> 24184 12120 tty9 Ss+ 12:34 2:46 /usr/bin/Xorg :0 -br -verbose
>>>> -logverbose 7 -auth /var/run/gdm/auth-for-gdm-xpIgEt/database
>>>> -nolisten tcp
>>>>
>>>> ... and the sed and grep trickery isolates the string
>>>> '/var/run/gdm/auth-for-gdm-xpIgEt/database' which is a required
>>>> parameter for x11vnc
>>>>
>>>> It did seem that many, many of the AVCs were caused by ps trying to
>>>> get attributes of or open directories in /proc.
>>>>
>>>> Why have I told you all this?
>>>>
>>>> grep type=AVC audit.log.1 | grep mcelog | grep -v comm=\"ps\"
has
>>>> no output grep type=AVC audit.log.1 | grep mcelog has 21 lines of
>>>> output
>>>>
>>>> So all the AVCs which mention mcelog include comm="ps" Here is
a
>>>> typical sequence type=AVC msg=audit(1359035800.677:1209): avc:
>>>> denied { getattr } for pid=2248 comm="ps"
path="/proc/539"
>>>> dev="proc" ino=14875
scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023
>>>> tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
>>>>
>>>> type=AVC msg=audit(1359035800.677:1210): avc: denied { search } for
>>>> pid=2248 comm="ps" name="539" dev="proc"
ino=14875
>>>> scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023
>>>> tcontext=system_u:system_r:mcelog_t:s0 tclass=dir
>>>>
>>>> type=AVC msg=audit(1359035800.677:1210): avc: denied { read } for
>>>> pid=2248 comm="ps" name="stat" dev="proc"
ino=14058
>>>> scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023
>>>> tcontext=system_u:system_r:mcelog_t:s0 tclass=file
>>>>
>>>> type=AVC msg=audit(1359035800.677:1210): avc: denied { open } for
>>>> pid=2248 comm="ps" path="/proc/539/stat"
dev="proc" ino=14058
>>>> scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023
>>>> tcontext=system_u:system_r:mcelog_t:s0 tclass=file
>>>>
>>>> There were just 3 /proc directories that prompted this sequence of
>>>> AVCs containing mcelog and these were 539 (shown above), 517 and 509,
>>>> but having rebooted since I don't now know what processes they
>>>> correspond to and I suspect many other AVCs may have been omitted due
>>>> to queue overflow. Audit.log currently contains 900 lines of AVCs
>>>> related to ps accessing the /proc directory
>>>
>>> Having checked the timestamps in the system log I see that each set of
>>> AVCs occurred just once between re-boots (I rebooted after every launch
>>> of vnc / generation of new policies) so they could all be referring to
>>> the same process.
>>>
>>> I also noted that on my Fedora 18 machines mcelog is running as a
>>> daemon: $ ps -A www | grep mcelog 528 ? Ss 0:00
>>> /usr/sbin/mcelog --ignorenodev --daemon --foreground
>>>
>>> mcelog is not running as a daemon on my Fedora 16 machine ... So I
>>> could be easily persuaded that the AVCs which mention mcelog refer to
>>> the attempts of ps to access the mcelog process.
>>>
>>>>
>>>> I tried to replicate the generation of AVCs by running ps from a
>>>> command prompt but nothing happened. Could ps be running from the
>>>> wrong context? Can you tell I hadn't a clue what I was talking
about
>>>> when I asked that question??
>>>>
>>>>
>>>>> Third, read the man page for audit2allow. It tells you how to
>>>>> convert from text policy to compiled and install it. It's not
>>>>> complicated.
>>>> Thanks for that.
>>>>
>>>>>
>>>>> Fourth, the "dropped" indicates that there are so many
errors the
>>>>> queue can't keep up. From an old closed bug, one note for this
>>>>> problem is: -b 8192 in auditd.conf priority_boost = 4 in
>>>>> auditd.conf priority_boost = 8 in audispd.conf q_depth = 2048 in
>>>>> audispd.conf
>>>>
>>>> Thanks also for that.
>>>>>
>>>>> mark
>>>>>
>>>> Andy
>>>>
>>>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>>>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>>
>>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>> Lets try this.
>>
>> chcon -t xserver_exec_t /usr/bin/x11vnc
>>
>> And create myvnc.te that looks like the following:
>>
>> cat myvnc.te
>> #==========================================================================
>>
>>
policy_module(myvnc,1.0)
>>
>> gen_require(` type xserver_exec_t, xserver_t; ')
>>
>> tcpd_wrapped_domain(xserver_t, xserver_exec_t)
>> #=======================================================================
>>
>> make -f /usr/share/selinux/devel/Makefile myvnc.pp semodule -i myvpnc.pp
>>
>> Then try it again.
>>
>> The reason you are getting all the AVC's about random domains is the
>> x11vnc is doing the equivalent of the ps command, it it is walking
>> through /proc and looking at every process. The SELinux interface to
>> handle this would have been:
>>
>> domain_read_all_domains_state(tcpd_t)
>>
>> But what we really want is tcpd_t to transition to xserver_t when running
>> x11vnc.
>>
>>
>>
> Thank you for that - the difference was phenomenal!
>
> At first it didn't seem to do anything because it was a bash script, not
> x11vnc, that was running ps. However, I read the x11vnc manual again and
> finally realized how to make it run ps for me.
>
> Once I had made the change the AVCs reduced from several hundred to a large
> handful.
>
> (Removing your myvnc.pol policy returned it to producing hundreds of AVCs
> again)
Well I am happy it is working for you, but we prefer the solution to
get
tcpd_t to transition to xserver_t, when running x11vnc.
Which hopefully will be showing up in an update release.
Sorry I think I did not make myself clear. I removed your policy just
to see what a difference it made (HUGE), and then I re-applied it.
The policies I generated afterwards were for the things that weren't
already fixed by your policy.