New article on opensource.com describing SELinux enforcement in simple terms. Check it out.
http://opensource.com/business/13/11/selinux-policy-guide
On 13.11.2013 16:10, Daniel J Walsh wrote:
> New article on opensource.com describing SELinux enforcement in simple terms. Check it out.
> http://opensource.com/business/13/11/selinux-policy-guide
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I believe it is a great introduction to SELinux.
If we give SELinux talks, people want to see a real world analogy which helps them to understand SELinux basics.
Dan, I think now people will want more articles like this one ;-)
Miroslav Grepl wrote:
> New article on opensource.com describing SELinux enforcement in simple terms. Check it out.
> I believe it is a great introduction to SELinux.
I liked this.
I also liked the video http://www.youtube.com/watch?v=MxjenQ31b70 with accompanying slides at http://people.redhat.com/tcameron/summit2010/selinux/SELinuxMereMortals.pdf.
I thought I'd try to move from SELinux permissive mode following the advice in this video and slides.
The main problem I met was following sealert advice of the form:

-----------------------------
If you want to allow perl to have search access on the tim directory
Then you need to change the label on /home/tim
Do
# semanage fcontext -a -t FILE_TYPE '/home/tim'
where FILE_TYPE is one of the following: etc_t, proc_t, sysfs_t, setrans_var_run_t, sssd_public_t, etc_mail_t, postgresql_tmp_t, sysctl_t, abrt_t, bin_t, likewise_var_lib_t, postfix_etc_t, lib_t, mnt_t, root_t, device_t, tmp_t, usr_t, var_t, etc_t, udev_tbl_t, proc_t, krb5_conf_t, spamass_milter_state_t, var_lib_t, var_run_t, spamd_tmp_t, var_spool_t, dcc_var_t, spamd_compiled_t, spamd_etc_t, spamd_log_t, var_lib_t, var_run_t, rpm_script_tmp_t, configfile, proc_net_t, abrt_var_run_t, security_t, var_log_t, samba_var_t, spamc_home_t, default_t, amavis_var_lib_t, avahi_var_run_t, cert_type, dirsrv_var_run_t, mysqld_var_run_t, rpm_tmp_t, net_conf_t, abrt_var_cache_t, clamd_var_run_t, var_run_t, httpd_sys_content_t, nscd_var_run_t, nslcd_var_run_t, slapd_var_run_t, configfile, spamd_var_lib_t, spamd_var_run_t, sssd_var_lib_t, cfengine_var_lib_t, rpm_log_t, sysctl_kernel_t, home_root_t, abrt_var_run_t, spamd_spool_t, mysqld_db_t, postgresql_var_run_t, tmp_t, var_t, exim_spool_t, sysctl_crypto_t, user_home_dir_t, sysctl_t, bin_t, winbind_var_run_t, mail_spool_t, logfile, spamd_t, sysctl_type, autofs_t, device_t, devpts_t, tmp_t, usr_t, locale_t, var_t, nfs_t, sysctl_t, bin_t, proc_t, var_lib_t, var_run_t, user_home_t, var_run_t, var_run_t, spamc_home_t, nscd_var_run_t, pcscd_var_run_t, cluster_pid, home_root_t, cluster_var_lib_t, cluster_var_run_t, root_t, sysctl_kernel_t, device_t, devpts_t, var_t, user_home_dir_t, cluster_conf_t, var_t, var_t.
-----------------------------
On 11/14/2013 09:24 AM, Timothy Murphy wrote:
> I thought I'd try to move from SELinux permissive mode following the advice in this video and slides.
> The main problem I met was following sealert advice of the form ----------------------------- If you want to allow perl to have search access on the tim directory Then you need to change the label on /home/tim Do # semanage fcontext -a -t FILE_TYPE '/home/tim' where FILE_TYPE is one of the following: etc_t, proc_t, sysfs_t,
> ...
> devpts_t, var_t, user_home_dir_t, cluster_conf_t, var_t, var_t.
Yes, those ones are tough; basically the system is trying to expand the list of file types that the application is allowed to write. In this case it expanded a little too large.
What was the AVC that caused this?
Daniel J Walsh wrote:
> Yes those ones are tough, basically the system is trying to expand the list of file types that the application is allowed to write. In this case it expanded a little too large.
> What was the AVC that caused this?
I gave the command

[root@grover tim]# sealert -a /var/log/audit/audit.log

which was mentioned in the video I cited, and the above was one of many suggestions that were made.
The response started with 11 AVCs, which all concerned the same file, this being a sample:

**** Invalid AVC allowed in current policy ***
type=AVC msg=audit(1330438567.88:108452): avc: denied { getattr } for pid=2567 comm="config" path="/etc/dovecot/dovecot.conf" dev=sdb10 ino=3392618 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
found 11 alerts in /var/log/audit/audit.log

Then there was a much longer portion going over different files, giving terse advice on what to do in many cases, but also vague advice of the kind above in other cases.
On 11/14/2013 10:45 AM, Timothy Murphy wrote:
> The response started with 11 AVCs, which all concerned the same file, this being a sample:
> **** Invalid AVC allowed in current policy ***
> type=AVC msg=audit(1330438567.88:108452): avc: denied { getattr } for pid=2567 comm="config" path="/etc/dovecot/dovecot.conf" dev=sdb10 ino=3392618 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> found 11 alerts in /var/log/audit/audit.log
> Then there was a much longer portion going over different files, giving terse advice of what to do in many cases, but also vague advice of the kind above in other cases.
Looks like you had a mislabeled file in /etc. Did it suggest restorecon as its #1 option?
restorecon -R -v /etc/dovecot
Daniel J Walsh wrote:
> Looks like you had a mislabeled file in /etc. Did it suggest restorecon as its #1 option?
> restorecon -R -v /etc/dovecot
Thanks for the response.
I didn't explain myself very well. The problem with dovecot.conf did not cause any difficulty, I ran restorecon as was suggested. The difficulty arose with cases where I had to choose a FILETYPE from dozens of choices.
On 11/15/2013 07:22 AM, Timothy Murphy wrote:
> Thanks for the response.
> I didn't explain myself very well. The problem with dovecot.conf did not cause any difficulty, I ran restorecon as was suggested. The difficulty arose with cases where I had to choose a FILETYPE from dozens of choices.
Yes, we are trying to clean this up in a new GUI, and with some changes in policy. Hopefully we can at least start sorting the list by matching the namespace.
I.e. if the source is httpd_t, then the list should start with httpd_* items first.
We can also put some heuristics in such that if the type is var_log_t then we suggest httpd_log_t. But as always, patches welcome... :^)
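The two technical pieces of this thread, the AVC record Timothy posted and the namespace-sorting heuristic Dan sketches in his last reply, as an added Python example that is not setroubleshoot's code and not from anyone in the thread: it parses the fields of an AVC record that matter for a labelling decision (source type, target type, class, permissions, path) and then orders a FILE_TYPE candidate list so that types from the source domain's namespace come first. The candidate list is a constructed cut of the list sealert printed (with var_t repeated, as on the page) plus httpd_log_t; the rule that generalises Dan's var_log_t to httpd_log_t example to any var_* target type is my assumption, not something the thread states, and so are the function names.

```python
import re

# Constructed sample input: the AVC record Timothy Murphy posted in this thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1330438567.88:108452): avc: denied { getattr } for pid=2567 '
    'comm="config" path="/etc/dovecot/dovecot.conf" dev=sdb10 ino=3392618 '
    'scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file'
)

# Constructed candidate list: a short cut of the FILE_TYPE list sealert printed
# (var_t repeated, as on the page) plus httpd_log_t, the type Dan names.
SAMPLE_CANDIDATES = [
    'etc_t', 'var_log_t', 'httpd_sys_content_t', 'var_t', 'tmp_t',
    'httpd_log_t', 'var_t', 'usr_t',
]

_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
_KV_RE = re.compile(r'(\w+)="?([^"\s]+)"?')


def parse_avc(line):
    """Pull the fields that matter for a labelling decision out of one AVC record.

    Returns None for lines that are not AVC records (e.g. sealert's summary line).
    The SELinux type is the third colon-separated field of a context
    (user:role:type:level), so dovecot_t and usr_t come from scontext/tcontext.
    """
    m = _AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    kv = dict(_KV_RE.findall(line))
    rec['comm'] = kv.get('comm')
    rec['path'] = kv.get('path')
    rec['pid'] = kv.get('pid')
    return rec


def namespace_of(type_name):
    """Leading component of a type name: httpd_t -> 'httpd', var_log_t -> 'var'."""
    return type_name.split('_', 1)[0]


def rank_candidates(stype, ttype, candidates):
    """Order sealert's FILE_TYPE suggestions the way Dan's reply describes.

    Tier 0: the domain-specific counterpart of a generic var_* target type
            (source httpd_t, target var_log_t -> httpd_log_t); this generalises
            the one example in the thread and is an assumption of this example.
    Tier 1: any type in the source domain's namespace (httpd_*).
    Tier 2: everything else, in the order sealert printed it.
    Duplicates are dropped, keeping the first occurrence.
    """
    ns = namespace_of(stype)
    preferred = None
    if ttype.startswith('var_'):
        rest = ttype[len('var_'):]          # 'log_t' for var_log_t
        if '_' in rest:                     # skip the bare var_t case
            preferred = ns + '_' + rest     # 'httpd_log_t'

    ordered = list(dict.fromkeys(candidates))   # de-duplicate, keep order

    def tier(t):
        if t == preferred:
            return 0
        if t.startswith(ns + '_'):
            return 1
        return 2

    return sorted(ordered, key=tier)   # sorted() is stable, so tier order is kept


def rank_for_avc(line, candidates):
    """Parse an AVC record and rank the candidate types for it; None if not an AVC."""
    rec = parse_avc(line)
    if rec is None:
        return None
    return rank_candidates(rec['stype'], rec['ttype'], candidates)


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(rec['stype'], rec['ttype'], rec['tclass'], rec['perms'], rec['path'])
    print(rank_candidates('httpd_t', 'var_log_t', SAMPLE_CANDIDATES))
    print(rank_for_avc(SAMPLE_AVC, SAMPLE_CANDIDATES))
```

For the dovecot record no candidate shares the dovecot namespace, so the list comes back in sealert's order minus the duplicate; for an httpd_t denial on a var_log_t file, httpd_log_t moves to the top and httpd_sys_content_t follows it, which is the ordering Dan's reply asks for.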