5:55 a.m.
Hi,
I am stuck trying to create a selinux policy for the Software Test
Automation Framework (STAF) daemon on Fedora 14.
From the violations, it seems that STAF wants to send out emails and
restart iptables, which is behavior that should be allowed.
I've created the inital policy with sepolgen and did run the resulting
.sh script with "--update" a number of times, but so far no success in
getting a policy that works without generating violations.
I have included the resulting te file as an attachment.
Any ideas about what could be wrong would be greatly appreciated.
The current set of violations are:
[root@lime audit]# grep AVC audit.log | grep STAF
type=AVC msg=audit(1316772648.834:16749): avc: denied { create } for
pid=13504 comm="STAFProc" name="STAF.tmp"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { read } for
pid=13541 comm="killall" name="stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { open } for
pid=13541 comm="killall" name="stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.906:16751): avc: denied { getattr } for
pid=13541 comm="killall" path="/proc/1433/stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772677.136:16755): avc: denied { transition }
for pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0
ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { rlimitinh }
for pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { siginh } for
pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { noatsecure }
for pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet(a)bbn.com
6:09 a.m.
On Fri, 2011-09-23 at 12:55 +0200, Michael Atighetchi wrote:
Hi,
I am stuck trying to create a selinux policy for the Software Test
Automation Framework (STAF) daemon on Fedora 14.
From the violations, it seems that STAF wants to send out emails and
restart iptables, which is behavior that should be allowed.
I've created the inital policy with sepolgen and did run the resulting
.sh script with "--update" a number of times, but so far no success in
getting a policy that works without generating violations.
Somehing like this:
optional_policy(`
gen_require(`
type STAFProc_t, iptables_initrc_exec_t;
role unconfined_r, system_r;
')
init_labeled_script_domtrans(STAFProc_t, iptables_initrc_exec_t)
domain_system_change_exemption(STAFProc_t)
# this may be duplicates
# role_transition unconfined_r iptables_initrc_exec_t system_r;
# allow unconfined_r system_r;
')
Might deal with allowing unconfined_r:STAFProc_t, to restart iptables
init daemon via /etc/rc.d/init.d/iptables.
That might have dealt with the constraint issues.
I have included the resulting te file as an attachment.
Any ideas about what could be wrong would be greatly appreciated.
The current set of violations are:
[root@lime audit]# grep AVC audit.log | grep STAF
type=AVC msg=audit(1316772648.834:16749): avc: denied { create } for
pid=13504 comm="STAFProc" name="STAF.tmp"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { read } for
pid=13541 comm="killall" name="stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { open } for
pid=13541 comm="killall" name="stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.906:16751): avc: denied { getattr } for
pid=13541 comm="killall" path="/proc/1433/stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772677.136:16755): avc: denied { transition }
for pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0
ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { rlimitinh }
for pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { siginh } for
pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { noatsecure }
for pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
6:21 a.m.
On Fri, 2011-09-23 at 12:55 +0200, Michael Atighetchi wrote:
Hi,
I am stuck trying to create a selinux policy for the Software Test
Automation Framework (STAF) daemon on Fedora 14.
From the violations, it seems that STAF wants to send out emails and
restart iptables, which is behavior that should be allowed.
I've created the inital policy with sepolgen and did run the resulting
.sh script with "--update" a number of times, but so far no success in
getting a policy that works without generating violations.
I have included the resulting te file as an attachment.
You have made a mistake. When writing policy one should always try and
take care of any transitions first.
Your policy allows your stafproc_t process to execute iptables but this
is wrong i suspect. I suspect you added that because stafproc_t needs to
restart the iptables service. (this requires a domain transition to the
init script domain. The iptables init script file running in the init
script domain will execute iptables with a domain transition.
You added a lot of policy in your type enforcement file that likely
should not be there. Just because you did not take care of this
transition described above before allowing anything else.
If you want some interactive guidance with your policy, please stop by
#fedora-selinux on irc.freenode.net
Any ideas about what could be wrong would be greatly appreciated.
The current set of violations are:
[root@lime audit]# grep AVC audit.log | grep STAF
type=AVC msg=audit(1316772648.834:16749): avc: denied { create } for
pid=13504 comm="STAFProc" name="STAF.tmp"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { read } for
pid=13541 comm="killall" name="stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { open } for
pid=13541 comm="killall" name="stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.906:16751): avc: denied { getattr } for
pid=13541 comm="killall" path="/proc/1433/stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772677.136:16755): avc: denied { transition }
for pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0
ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { rlimitinh }
for pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { siginh } for
pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { noatsecure }
for pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
6:46 a.m.
On 9/23/2011 1:21 PM, Dominick Grift wrote:
On Fri, 2011-09-23 at 12:55 +0200, Michael Atighetchi wrote:
> Hi,
>
> I am stuck trying to create a selinux policy for the Software Test
> Automation Framework (STAF) daemon on Fedora 14.
> From the violations, it seems that STAF wants to send out emails and
> restart iptables, which is behavior that should be allowed.
>
> I've created the inital policy with sepolgen and did run the resulting
> .sh script with "--update" a number of times, but so far no success in
> getting a policy that works without generating violations.
>
> I have included the resulting te file as an attachment.
You have made a mistake. When writing policy one should always try and
take care of any transitions first.
Your policy allows your stafproc_t process to execute iptables but this
is wrong i suspect. I suspect you added that because stafproc_t needs to
restart the iptables service. (this requires a domain transition to the
init script domain. The iptables init script file running in the init
script domain will execute iptables with a domain transition.
You added a lot of policy in your type enforcement file that likely
should not be there. Just because you did not take care of this
transition described above before allowing anything else.
If you want some interactive guidance with your policy, please stop by
#fedora-selinux on irc.freenode.net
Dominick,
thanks for the fast response. I'll add the transition you suggested in
the other email and start over with a small type enforcement file.
What I was trying to do is to use sepolgen to generate a minimalistic
policy, then run the processes through its paces and add
observed violations via --update.
Regarding transitions, is there a way to programmatically figure out
what transitions a process might need or do you have to know something
about the processes to construct required transitions ?
I will gladly take you up on the interactive guidance early next week.
Thanks and have a great weekend
Michael
> Any ideas about what could be wrong would be greatly
appreciated.
>
> The current set of violations are:
> [root@lime audit]# grep AVC audit.log | grep STAF
> type=AVC msg=audit(1316772648.834:16749): avc: denied { create } for
> pid=13504 comm="STAFProc" name="STAF.tmp"
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
> type=AVC msg=audit(1316772676.905:16750): avc: denied { read } for
> pid=13541 comm="killall" name="stat" dev=proc ino=5874476
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=system_u:system_r:sendmail_t:s0 tclass=file
> type=AVC msg=audit(1316772676.905:16750): avc: denied { open } for
> pid=13541 comm="killall" name="stat" dev=proc ino=5874476
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=system_u:system_r:sendmail_t:s0 tclass=file
> type=AVC msg=audit(1316772676.906:16751): avc: denied { getattr } for
> pid=13541 comm="killall" path="/proc/1433/stat" dev=proc
ino=5874476
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=system_u:system_r:sendmail_t:s0 tclass=file
> type=AVC msg=audit(1316772677.136:16755): avc: denied { transition }
> for pid=13558 comm="env" path="/etc/rc.d/init.d/iptables"
dev=dm-0
> ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> type=AVC msg=audit(1316772677.136:16755): avc: denied { rlimitinh }
> for pid=13558 comm="iptables"
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> type=AVC msg=audit(1316772677.136:16755): avc: denied { siginh } for
> pid=13558 comm="iptables"
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> type=AVC msg=audit(1316772677.136:16755): avc: denied { noatsecure }
> for pid=13558 comm="iptables"
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
>
>
>
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet(a)bbn.com
6:59 a.m.
On Fri, 2011-09-23 at 13:46 +0200, Michael Atighetchi wrote:
On 9/23/2011 1:21 PM, Dominick Grift wrote:
> On Fri, 2011-09-23 at 12:55 +0200, Michael Atighetchi wrote:
> > Hi,
> >
> > I am stuck trying to create a selinux policy for the Software Test
> > Automation Framework (STAF) daemon on Fedora 14.
> > From the violations, it seems that STAF wants to send out emails and
> > restart iptables, which is behavior that should be allowed.
> >
> > I've created the inital policy with sepolgen and did run the resulting
> > .sh script with "--update" a number of times, but so far no success
in
> > getting a policy that works without generating violations.
> >
> > I have included the resulting te file as an attachment.
> You have made a mistake. When writing policy one should always try and
> take care of any transitions first.
>
> Your policy allows your stafproc_t process to execute iptables but this
> is wrong i suspect. I suspect you added that because stafproc_t needs to
> restart the iptables service. (this requires a domain transition to the
> init script domain. The iptables init script file running in the init
> script domain will execute iptables with a domain transition.
>
> You added a lot of policy in your type enforcement file that likely
> should not be there. Just because you did not take care of this
> transition described above before allowing anything else.
>
> If you want some interactive guidance with your policy, please stop by
> #fedora-selinux on irc.freenode.net
Dominick,
thanks for the fast response. I'll add the transition you suggested in
the other email and start over with a small type enforcement file.
What I was trying to do is to use sepolgen to generate a minimalistic
policy, then run the processes through its paces and add
observed violations via --update.
Regarding transitions, is there a way to programmatically figure out
what transitions a process might need or do you have to know something
about the processes to construct required transitions ?
I will gladly take you up on the interactive guidance early next week.
To some degree, maybe, but it is not easy if it is possible.
One must keep in mind that SELinux is a framework and policy is not
something that is fixed. So you can not use policy as something fixed in
a program if you want this program to be proper.
A type may exist and have a particular classification in one policy and
not exist in another policy.
A program can not make security decisions generally.
This is also why i do not believe that polgen is and should be real
solution.
That is not to say that there cannot be programs that make policy
writing easier. Tools like Eclipse-slide can help, regardless of the
policy -- as long as it is based off of reference policy ;)
Thanks and have a great weekend
Michael
> > Any ideas about what could be wrong would be greatly appreciated.
> >
> > The current set of violations are:
> > [root@lime audit]# grep AVC audit.log | grep STAF
> > type=AVC msg=audit(1316772648.834:16749): avc: denied { create } for
> > pid=13504 comm="STAFProc" name="STAF.tmp"
> > scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> > tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
> > type=AVC msg=audit(1316772676.905:16750): avc: denied { read } for
> > pid=13541 comm="killall" name="stat" dev=proc ino=5874476
> > scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> > tcontext=system_u:system_r:sendmail_t:s0 tclass=file
> > type=AVC msg=audit(1316772676.905:16750): avc: denied { open } for
> > pid=13541 comm="killall" name="stat" dev=proc ino=5874476
> > scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> > tcontext=system_u:system_r:sendmail_t:s0 tclass=file
> > type=AVC msg=audit(1316772676.906:16751): avc: denied { getattr } for
> > pid=13541 comm="killall" path="/proc/1433/stat" dev=proc
ino=5874476
> > scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> > tcontext=system_u:system_r:sendmail_t:s0 tclass=file
> > type=AVC msg=audit(1316772677.136:16755): avc: denied { transition }
> > for pid=13558 comm="env" path="/etc/rc.d/init.d/iptables"
dev=dm-0
> > ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> > tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> > type=AVC msg=audit(1316772677.136:16755): avc: denied { rlimitinh }
> > for pid=13558 comm="iptables"
> > scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> > tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> > type=AVC msg=audit(1316772677.136:16755): avc: denied { siginh } for
> > pid=13558 comm="iptables"
> > scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> > tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> > type=AVC msg=audit(1316772677.136:16755): avc: denied { noatsecure }
> > for pid=13558 comm="iptables"
> > scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> > tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> >
> >
> >
> >
> > --
> > selinux mailing list
> > selinux(a)lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet(a)bbn.com
4607
days inactive
4607
days old
selinux@lists.fedoraproject.org
4 comments
2 participants
participants (2)
-
Dominick Grift -
Michael Atighetchi