CentOS 7 selinux policy bug

m.roth at 5-cent.us m.roth at 5-cent.us
Tue Jun 2 15:50:53 UTC 2015 

On 06/01/15 16:27, m.roth at 5-cent.us wrote:
> From:    "Daniel J Walsh" <dwalsh at redhat.com>
> Cc:      "Miroslav Grepl" <mgrepl at redhat.com>
> On 05/29/2015 04:34 PM, m.roth at 5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 05/29/2015 01:03 PM, m.roth at 5-cent.us wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 05/29/2015 09:20 AM, m.roth at 5-cent.us wrote:
>>>>>>     CentOS 7.1. Selinux policy, and targetted, updated two days ago.
>>>>>>
>>>>>> May 28 17:02:41 <servername> python: SELinux is preventing
>>>>>> /usr/bin/bash from execute access on the file
/usr/bin/bash.#012#012***** <...>
>>>>>> May 28 17:02:45 <servername> python: SELinux is preventing
>>>>>> /usr/bin/bash from execute access on the file
/usr/bin/uname.#012#012*****  <...>
>>>>>> May 28 17:02:45 <servername> python: SELinux is preventing
>>>>>> /usr/bin/uname from execute_no_trans access on the file /usr/bin
>>>>>> /uname.#012#012***** <...>
>>>>>> May 28 17:02:47 <servername> python: SELinux is preventing
>>>>>> /usr/bin/bash from execute access on the file
/usr/bin/mailx.#012#012*****  <...>
>> <snip>
>>>>> What is the avc that you are seeing?
>>>>>
>>>>> ausearch -m avc -ts recent
>>>> Hmmm, that ausearch gives no matches. However, in
>>>> /var/log/audit/audit.log
>>>> type=AVC msg=audit(1432846954.621:112734): avc:  denied  { execute } for
>>>> pid=1984 comm="rsync" name="bash" dev="sda3" ino=23075548
>>>> scontext=system_u:system_r:rsync_t:s0
>>>> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>>>> type=AVC msg=audit(1432846954.628:112735): avc:  denied  { execute } for
>>>> pid=1987 comm="sh" name="uname" dev="sda3" ino=23071676
>>>> scontext=system_u:system_r:rsync_t:s0
>>>> tcontext=system_u:object_r:bin_t:s0
>>>> tclass=file
>>>> type=AVC msg=audit(1432846954.629:112737): avc:  denied  { execute } for
>>>> pid=1986 comm="sh" name="mailx" dev="sda3" ino=23072424
>>>> scontext=system_u:system_r:rsync_t:s0
>>>> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
>>>>
>>>> Now, my manager thinks that it's complaining that it's complaining
>>>> because we have an rsync daemon running, and every time there's an
>>>> upload, the daemon sends an email to a user.
>>>>
>>> Is the rsync set up as a client or server?  Does it copy off or copy too?
>>>
>> Server. And stuff is copied onto it (it having a nice big RAID). They
>> *may* copy stuff off - not sure.
>>
> I just pushed this to fedora upstream policy
>
> commit 035cecfb52aff40a60b0bb7651aadc284e0dffb7
> Author: Dan Walsh <dwalsh at redhat.com>
> Date:   Mon Jun 1 08:59:29 2015 -0400
>
>      rsync server can be setup to send mail
>
> You can add the rules locally by compiling and installing this policy

> create myrsync.te to look like the following
> # =========================================
> policy_module(myrsync, 1.0)
>
> gen_require(`
> type rsync_t;
> ')
> mta_send_mail(rsync_t)
> # ==========================================
>
> Then execute
>
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i myrsync.pp
>
Ok, count me confused. I created that file, and tried the make, and it
failed, which is reasonable, since I see there's no Makefile. I have on
the system:
rpm -qa | grep selinux
selinux-policy-3.13.1-23.el7_1.7.noarch
libselinux-devel-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-23.el7_1.7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64

I've never made a policy_module, just local policies, and (the audit log
with the AVCs has been rotated):
grep -i avc /var/log/audit/audit.log.1 | grep sendmail | audit2allow -M
mypol > a2apol

gives me:
module mypol 1.0;

require {
        type sendmail_exec_t;
        type rsync_t;
        type init_t;
        class process setrlimit;
        class unix_stream_socket getattr;
        class file { execute execute_no_trans };
}

#============= rsync_t ==============
allow rsync_t init_t:unix_stream_socket getattr;
allow rsync_t self:process setrlimit;
allow rsync_t sendmail_exec_t:file { execute execute_no_trans };

Should I use that, or is there another selinux package I need to install?
Also, what's better/the more correct way to do this: the module, or the
policy_module?

        mark

More information about the selinux mailing list