10:17 a.m.
We use targeted SELinux and Likewise Open on our RHEL 5 and CentOS 5
servers, even though Likewise is currently not supported with SELinux
in enforcing mode. Both of them together have been working reliably
for us so far. The audit logs fill up with AVC messages like the ones
I have pasted at the end of this message, which are all regarding /var/
lib/likewise/.lsassd and don't appear to matter from a functional
point of view for the system. I have configured setroubleshoot to send
emails to an internal mailing list when something is blocked, because
apart from the likewise events anything else is really urgent. The
problem is that the list receives so many messages about /var/lib/
likewise/.lsassd that the urgent ones get "lost". I have asked the
folks at Likewise about this and their answer is always that SELinux
should be permissive or disabled.
Is there some way to prevent auditd from logging these AVC messages?
type=AVC msg=audit(1306183684.644:121931): avc: denied { connectto }
for pid=31266 comm="vsftpd" path="/var/lib/likewise/.lsassd"
scontext=system_u:system_r:ftpd_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1306185430.740:122001): avc: denied { write }
for pid=378 comm="pickup" name=".lsassd" dev=dm-1 ino=426071
scontext=system_u:system_r:postfix_pickup_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1306179615.139:121656): avc: denied { connectto }
for pid=22431 comm="httpd" path="/var/lib/likewise/.lsassd"
scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=USER_AUTH msg=audit(1306265986.269:124088): user pid=25822 uid=0
auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
msg='PAM: authentication acct="layout" : exe="/usr/sbin/
sshd" (hostname=asb-sys61.us.ad.gannett.com, addr=10.0.65.242,
terminal=ssh res=failed)'
type=AVC msg=audit(1306853338.309:51215): avc: denied { write } for
pid=5472 comm="genhomedircon" name=".lsassd" dev=dm-4 ino=32827
scontext=user_u:system_r:semanage_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1306853338.309:51215): avc: denied { connectto }
for pid=5472 comm="genhomedircon" path="/var/lib/likewise/.lsassd"
scontext=user_u:system_r:semanage_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Thanks,
Maria
10:31 a.m.
On Tue, 2011-05-31 at 11:17 -0400, Maria Iano wrote:
Is there some way to prevent auditd from logging these AVC
messages?
type=AVC msg=audit(1306183684.644:121931): avc: denied { connectto }
for pid=31266 comm="vsftpd" path="/var/lib/likewise/.lsassd"
scontext=system_u:system_r:ftpd_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1306185430.740:122001): avc: denied { write }
for pid=378 comm="pickup" name=".lsassd" dev=dm-1 ino=426071
scontext=system_u:system_r:postfix_pickup_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1306179615.139:121656): avc: denied { connectto }
for pid=22431 comm="httpd" path="/var/lib/likewise/.lsassd"
scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=USER_AUTH msg=audit(1306265986.269:124088): user pid=25822 uid=0
auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
msg='PAM: authentication acct="layout" : exe="/usr/sbin/
sshd" (hostname=asb-sys61.us.ad.gannett.com, addr=10.0.65.242,
terminal=ssh res=failed)'
type=AVC msg=audit(1306853338.309:51215): avc: denied { write } for
pid=5472 comm="genhomedircon" name=".lsassd" dev=dm-4 ino=32827
scontext=user_u:system_r:semanage_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1306853338.309:51215): avc: denied { connectto }
for pid=5472 comm="genhomedircon" path="/var/lib/likewise/.lsassd"
scontext=user_u:system_r:semanage_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
I am not sure whether "el5" supports it but i guess you could try piping
the avc denials into "audit2allow -DM mydontauditsforlikewise"
And then load it into the system with "semodule -i
mydontauditsforlikewise.pp"
If that does not work you could write a policy module manually:
mkdir mylw; cd mylw; echo "policy_module(mylw, 1.0.0) gen_require(\`
type semanage_t, initrc_t, var_lib_t, ftpd_t, httpd_t, postfix_pickup_t;
') dontaudit { httpd_t ftpd_t semanage_t postfix_pickup_t }
initrc_t:unix_stream_socket connectto; dontaudit { httpd_t ftpd_t
semanage_t, postfix_pickup_t } var_lib_t:sock_file
write_sock_file_perms;" >> mylw.te
(yum install selinux-policy-devel)
make -f /usr/share/selinux/devel/Makefile mylw.pp
sudo semodule -i mylw.pp
Although hidding these may have consequences for example attempts by
httpd, ftpd etc to connect to any service with a unix stream socket
running in the init script domain will be hidden.
Same for any of those domain trying to write to var_lib_t sock files.
Thanks,
Maria
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
11:33 a.m.
On May 31, 2011, at 11:31 AM, Dominick Grift wrote:
On Tue, 2011-05-31 at 11:17 -0400, Maria Iano wrote:
> Is there some way to prevent auditd from logging these AVC messages?
>
> type=AVC msg=audit(1306183684.644:121931): avc: denied
> { connectto }
> for pid=31266 comm="vsftpd" path="/var/lib/likewise/.lsassd"
> scontext=system_u:system_r:ftpd_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>
> type=AVC msg=audit(1306185430.740:122001): avc: denied { write }
> for pid=378 comm="pickup" name=".lsassd" dev=dm-1 ino=426071
> scontext=system_u:system_r:postfix_pickup_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
>
> type=AVC msg=audit(1306179615.139:121656): avc: denied
> { connectto }
> for pid=22431 comm="httpd" path="/var/lib/likewise/.lsassd"
> scontext=user_u:system_r:httpd_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>
> type=USER_AUTH msg=audit(1306265986.269:124088): user pid=25822 uid=0
> auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> msg='PAM: authentication acct="layout" : exe="/usr/sbin/
> sshd" (hostname=asb-sys61.us.ad.gannett.com, addr=10.0.65.242,
> terminal=ssh res=failed)'
>
> type=AVC msg=audit(1306853338.309:51215): avc: denied { write } for
> pid=5472 comm="genhomedircon" name=".lsassd" dev=dm-4 ino=32827
> scontext=user_u:system_r:semanage_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
>
> type=AVC msg=audit(1306853338.309:51215): avc: denied { connectto }
> for pid=5472 comm="genhomedircon"
path="/var/lib/likewise/.lsassd"
> scontext=user_u:system_r:semanage_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
I am not sure whether "el5" supports it but i guess you could try
piping
the avc denials into "audit2allow -DM mydontauditsforlikewise"
And then load it into the system with "semodule -i
mydontauditsforlikewise.pp"
If that does not work you could write a policy module manually:
mkdir mylw; cd mylw; echo "policy_module(mylw, 1.0.0) gen_require(\`
type semanage_t, initrc_t, var_lib_t, ftpd_t, httpd_t,
postfix_pickup_t;
') dontaudit { httpd_t ftpd_t semanage_t postfix_pickup_t }
initrc_t:unix_stream_socket connectto; dontaudit { httpd_t ftpd_t
semanage_t, postfix_pickup_t } var_lib_t:sock_file
write_sock_file_perms;" >> mylw.te
(yum install selinux-policy-devel)
make -f /usr/share/selinux/devel/Makefile mylw.pp
sudo semodule -i mylw.pp
Although hidding these may have consequences for example attempts by
httpd, ftpd etc to connect to any service with a unix stream socket
running in the init script domain will be hidden.
Same for any of those domain trying to write to var_lib_t sock files.
I don't want to allow that access. I just want auditd to not log it.
1:51 p.m.
On May 31, 2011, at 11:31 AM, Dominick Grift wrote:
On Tue, 2011-05-31 at 11:17 -0400, Maria Iano wrote:
> Is there some way to prevent auditd from logging these AVC messages?
>
> type=AVC msg=audit(1306183684.644:121931): avc: denied
> { connectto }
> for pid=31266 comm="vsftpd" path="/var/lib/likewise/.lsassd"
> scontext=system_u:system_r:ftpd_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>
> type=AVC msg=audit(1306185430.740:122001): avc: denied { write }
> for pid=378 comm="pickup" name=".lsassd" dev=dm-1 ino=426071
> scontext=system_u:system_r:postfix_pickup_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
>
> type=AVC msg=audit(1306179615.139:121656): avc: denied
> { connectto }
> for pid=22431 comm="httpd" path="/var/lib/likewise/.lsassd"
> scontext=user_u:system_r:httpd_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>
> type=USER_AUTH msg=audit(1306265986.269:124088): user pid=25822 uid=0
> auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> msg='PAM: authentication acct="layout" : exe="/usr/sbin/
> sshd" (hostname=asb-sys61.us.ad.gannett.com, addr=10.0.65.242,
> terminal=ssh res=failed)'
>
> type=AVC msg=audit(1306853338.309:51215): avc: denied { write } for
> pid=5472 comm="genhomedircon" name=".lsassd" dev=dm-4 ino=32827
> scontext=user_u:system_r:semanage_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
>
> type=AVC msg=audit(1306853338.309:51215): avc: denied { connectto }
> for pid=5472 comm="genhomedircon"
path="/var/lib/likewise/.lsassd"
> scontext=user_u:system_r:semanage_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
I am not sure whether "el5" supports it but i guess you could try
piping
the avc denials into "audit2allow -DM mydontauditsforlikewise"
And then load it into the system with "semodule -i
mydontauditsforlikewise.pp"
If that does not work you could write a policy module manually:
mkdir mylw; cd mylw; echo "policy_module(mylw, 1.0.0) gen_require(\`
type semanage_t, initrc_t, var_lib_t, ftpd_t, httpd_t,
postfix_pickup_t;
') dontaudit { httpd_t ftpd_t semanage_t postfix_pickup_t }
initrc_t:unix_stream_socket connectto; dontaudit { httpd_t ftpd_t
semanage_t, postfix_pickup_t } var_lib_t:sock_file
write_sock_file_perms;" >> mylw.te
(yum install selinux-policy-devel)
make -f /usr/share/selinux/devel/Makefile mylw.pp
sudo semodule -i mylw.pp
Although hidding these may have consequences for example attempts by
httpd, ftpd etc to connect to any service with a unix stream socket
running in the init script domain will be hidden.
Same for any of those domain trying to write to var_lib_t sock files.
Thank you - I understand what you're saying now. I don't think I'm
comfortable with turning off notifications for all attempts to connect
to those types, just when the path is /var/lib/likewise/.lsassd. Would
the only way to achieve that be to add a new type for var/lib/
likewise/.lsassd? I'm wondering just how much havoc that would cause...
4714
days inactive
4714
days old
selinux@lists.fedoraproject.org
4 comments
2 participants
participants (2)
-
Dominick Grift -
Maria Iano