On 06/01/15 16:27, m.roth(a)5-cent.us wrote:
From: "Daniel J Walsh" <dwalsh(a)redhat.com>
Cc: "Miroslav Grepl" <mgrepl(a)redhat.com>
On 05/29/2015 04:34 PM, m.roth(a)5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 05/29/2015 01:03 PM, m.roth(a)5-cent.us wrote:
>>> Daniel J Walsh wrote:
>>>> On 05/29/2015 09:20 AM, m.roth(a)5-cent.us wrote:
>>>>> CentOS 7.1. Selinux policy, and targetted, updated two days ago.
>>>>>
>>>>> May 28 17:02:41 <servername> python: SELinux is preventing
>>>>> /usr/bin/bash from execute access on the file
/usr/bin/bash.#012#012***** <...>
>>>>> May 28 17:02:45 <servername> python:
SELinux is preventing
>>>>> /usr/bin/bash from execute access on the file
/usr/bin/uname.#012#012***** <...>
>>>>> May 28 17:02:45 <servername> python:
SELinux is preventing
>>>>> /usr/bin/uname from execute_no_trans access on the file /usr/bin
>>>>> /uname.#012#012***** <...>
>>>>> May 28 17:02:47 <servername> python: SELinux is preventing
>>>>> /usr/bin/bash from execute access on the file
/usr/bin/mailx.#012#012***** <...>
> <snip>
>>>> What is the avc that you are seeing?
>>>>
>>>> ausearch -m avc -ts recent
>>> Hmmm, that ausearch gives no matches. However, in
>>> /var/log/audit/audit.log
>>> type=AVC msg=audit(1432846954.621:112734): avc: denied { execute } for
>>> pid=1984 comm="rsync" name="bash" dev="sda3"
ino=23075548
>>> scontext=system_u:system_r:rsync_t:s0
>>> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>>> type=AVC msg=audit(1432846954.628:112735): avc: denied { execute } for
>>> pid=1987 comm="sh" name="uname" dev="sda3"
ino=23071676
>>> scontext=system_u:system_r:rsync_t:s0
>>> tcontext=system_u:object_r:bin_t:s0
>>> tclass=file
>>> type=AVC msg=audit(1432846954.629:112737): avc: denied { execute } for
>>> pid=1986 comm="sh" name="mailx" dev="sda3"
ino=23072424
>>> scontext=system_u:system_r:rsync_t:s0
>>> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
>>>
>>> Now, my manager thinks that it's complaining that it's complaining
>>> because we have an rsync daemon running, and every time there's an
>>> upload, the daemon sends an email to a user.
>>>
>> Is the rsync set up as a client or server? Does it copy off or copy too?
>>
> Server. And stuff is copied onto it (it having a nice big RAID). They
> *may* copy stuff off - not sure.
>
I just pushed this to fedora upstream policy
commit 035cecfb52aff40a60b0bb7651aadc284e0dffb7
Author: Dan Walsh <dwalsh(a)redhat.com>
Date: Mon Jun 1 08:59:29 2015 -0400
rsync server can be setup to send mail
You can add the rules locally by compiling and installing this policy
create myrsync.te to look like the following
# =========================================
policy_module(myrsync, 1.0)
gen_require(`
type rsync_t;
')
mta_send_mail(rsync_t)
# ==========================================
Then execute
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myrsync.pp
Ok, count me confused. I created that file, and tried the make, and it
failed, which is reasonable, since I see there's no Makefile. I have on
the system:
rpm -qa | grep selinux
selinux-policy-3.13.1-23.el7_1.7.noarch
libselinux-devel-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-23.el7_1.7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
I've never made a policy_module, just local policies, and (the audit log
with the AVCs has been rotated):
grep -i avc /var/log/audit/audit.log.1 | grep sendmail | audit2allow -M
mypol > a2apol
gives me:
module mypol 1.0;
require {
type sendmail_exec_t;
type rsync_t;
type init_t;
class process setrlimit;
class unix_stream_socket getattr;
class file { execute execute_no_trans };
}
#============= rsync_t ==============
allow rsync_t init_t:unix_stream_socket getattr;
allow rsync_t self:process setrlimit;
allow rsync_t sendmail_exec_t:file { execute execute_no_trans };
Should I use that, or is there another selinux package I need to install?
Also, what's better/the more correct way to do this: the module, or the
policy_module?
mark