On 21/05/13 15:00, Miroslav Grepl wrote:
On 05/21/2013 03:47 PM, Tristan Santore wrote:
> Dear All,
>
> For the last few days Dominick and I have been trying to write a
> policy for Zoneminder, as the current policy does not seem to be working.
>
> I will append what we gathered up so far below, however before I do,
> there seems to be an inherent problem with apache and sudo/su/pam,
> which seems to work in permissive mode, but as soon as I enable
> enforcing, b00m, I get these.
>
> May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify password for [apache]
> May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "apache"
> May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify password for [apache]
> May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "apache"
>
> In permissive mode all is fine:
>
> May 21 14:32:03 hq su: pam_unix(su:session): session opened for user apache by (uid=0)
> May 21 14:32:03 hq su: pam_unix(su:session): session closed for user apache
> May 21 14:32:03 hq su: pam_unix(su:session): session opened for user apache by (uid=0)
> May 21 14:32:03 hq su: pam_unix(su:session): session closed for user apache
> May 21 14:32:03 hq su: pam_unix(su:session): session opened for user apache by (uid=0)
>
> type=USER_CMD msg=audit(1369143877.597:513): pid=2196 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='cwd="/usr/share/zoneminder/www" cmd="true" terminal=? res=failed'
> type=USER_AUTH msg=audit(1369143877.611:514): pid=2197 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
> type=USER_AUTH msg=audit(1369143877.625:515): pid=2199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
> type=SERVICE_START msg=audit(1369143877.642:516): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="zoneminder" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
>
>
> Any insights would be most appreciated, as I would really like to see
> a policy for zoneminder that works, not only for myself, but so that
> we can have it in the Fedora stock policy.
>
>
> Thank you for all your help, especially Dominick Grift's.
>
> Regards,
>
> Tristan
>
>
> And the policy we have so far:
>
> policy_module(myzonem, 1.0.0)
> gen_require(` type zoneminder_t; ')
> domain_read_all_domains_state(zoneminder_t)
> logging_send_audit_msgs(zoneminder_t)
> sudo_exec(zoneminder_t)
> su_exec(zoneminder_t)
> allow zoneminder_t self:process setrlimit;
> allow zoneminder_t self:capability { setuid setgid sys_resource };
> gen_require(`type httpd_zoneminder_script_exec_t; ')
> can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
> gen_require(` type zoneminder_var_lib_t; ')
> manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
> dbus_system_bus_client(zoneminder_t)
> selinux_compute_access_vector(zoneminder_t)
> allow zoneminder_t self:process setsched;
>
>
> allow zoneminder_t self:key write;
> auth_rw_lastlog(zoneminder_t)
> systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
> auth_domtrans_chk_passwd(zoneminder_t)
> systemd_dbus_chat_logind(zoneminder_t)
> gen_require(` type chkpwd_t; ')
> allow zoneminder_t chkpwd_t:process { rlimitinh noatsecure siginh };
> auth_read_shadow(zoneminder_t)
> auth_domtrans_upd_passwd(zoneminder_t)
> #gen_require(` type systemd_logind_t; ')
> #permissive systemd_logind_t;
> gen_require(` type unconfined_t; role system_r; type zoneminder_exec_t; role unconfined_r; ')
> domtrans_pattern(unconfined_t, zoneminder_exec_t, zoneminder_t)
> role_transition unconfined_r zoneminder_exec_t:file system_r;
> domain_entry_file(zoneminder_t, httpd_zoneminder_script_exec_t)
> domtrans_pattern(unconfined_t, httpd_zoneminder_script_exec_t, zoneminder_t)
> gen_require(` type httpd_t; ')
> gen_require(` type httpd_zoneminder_script_t; type zoneminder_tmpfs_t;')
> init_read_utmp(httpd_t)
> read_files_pattern(httpd_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
> rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
> manage_dirs_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
> manage_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
> allow httpd_t zoneminder_var_lib_t:dir list_dir_perms;
> init_daemon_domain(zoneminder_t, httpd_zoneminder_script_exec_t)
>
> require {
> type chkpwd_t;
> type httpd_t;
> type httpd_zoneminder_script_t;
> type sshd_t;
> class process { siginh noatsecure rlimitinh };
> class unix_stream_socket { read write };
> }
>
> #============= httpd_t ==============
> allow httpd_t httpd_zoneminder_script_t:process { siginh noatsecure rlimitinh };
>
> #============= httpd_zoneminder_script_t ==============
> allow httpd_zoneminder_script_t httpd_t:unix_stream_socket { read write };
>
> require {
> type passwd_t;
> }
> allow passwd_t chkpwd_t:process { noatsecure siginh rlimitinh };
> allow httpd_zoneminder_script_t httpd_t:unix_stream_socket { read write };
> allow httpd_t httpd_zoneminder_script_t:process { noatsecure siginh rlimitinh };
>
>
After a quick review, I see that this policy is probably coming to be unconfined. For example, it runs su/sudo directly.

Could you open a new bug?

Thank you.

Regards,
Miroslav

Miroslav,

Thanks to Dan, we found out what was lacking. The policy is complete; see the bugzillas below for the fix and for the PAM bug with pam_rootok.

The fix was:

allow zoneminder_t self:passwd rootok;

Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=965723
https://bugzilla.redhat.com/show_bug.cgi?id=965714

Big thank you to Dominick for help with the policy write-up and debugging, and also to Dan for the PAM pam_rootok issue, where it does not log to auditd.

Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org
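A way for a defender to surface this failure pattern from the audit records quoted in the thread, as an added example that is not code from the thread or from the zoneminder policy: the parser and the "failed PAM auth as uid 0 from a confined domain" heuristic are my own assumption about what to look for, and the sample records are the ones quoted above.

```python
import re

# Audit records quoted in the thread above (sudo's USER_CMD failure and su's
# PAM USER_AUTH failures from zoneminder_t while the policy was enforcing).
SAMPLE_AUDIT = """\
type=USER_CMD msg=audit(1369143877.597:513): pid=2196 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='cwd="/usr/share/zoneminder/www" cmd="true" terminal=? res=failed'
type=USER_AUTH msg=audit(1369143877.611:514): pid=2197 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
type=USER_AUTH msg=audit(1369143877.625:515): pid=2199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1369143877.642:516): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="zoneminder" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
"""

# key=value where the value is '...', "..." or a bare token
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def parse_record(line):
    """Flatten one audit record into a dict, merging the nested msg='...' fields."""
    rec = {}
    for key, val in FIELD_RE.findall(line):
        if val.startswith("'"):
            # PAM/sudo payload: its own key=value pairs live inside the quotes
            for k2, v2 in FIELD_RE.findall(val[1:-1]):
                rec[k2] = v2.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec


def failed_root_auth_from_confined(records):
    """Return (domain, exe, acct) for failed PAM authentications attempted as uid 0
    from a confined SELinux domain. Root normally passes pam_rootok without a
    password, so these point at a denied passwd:rootok check, not a bad credential."""
    hits = []
    for r in records:
        if r.get("type") != "USER_AUTH" or r.get("res") != "failed":
            continue
        if r.get("uid") != "0" or not r.get("op", "").startswith("PAM:"):
            continue
        domain = r.get("subj", "::unknown").split(":")[2]
        if domain.startswith("unconfined"):
            continue
        hits.append((domain, r.get("exe"), r.get("acct")))
    return hits


def analyze(audit_text):
    """Parse a block of audit records and report the suspicious failures."""
    records = [parse_record(l) for l in audit_text.splitlines() if l.strip()]
    return failed_root_auth_from_confined(records)
```

Because the denied rootok check itself was not logged to auditd (the PAM bug above), the failed USER_AUTH records are the only trace of it, which is why the heuristic keys on them rather than on an AVC.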