Trying SELinux again on CentOS 5.1 - local script problems
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 3 20:53:33 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Robert Nichols wrote:
> Being masochistic by nature, I decided to take another crack at getting
> SELinux running on my system, and ran into a couple of problems with
> some important local scripts. First, some system information:
>
> System: CentOS 5.1 on an Intel Pentium 4 CPU
> kernel-2.6.18-53.1.13.el5
> selinux-policy-targeted-2.4.6-106.el5_1.3
> setools-3.0-3.el5
>
> Problem 1:
>
> Here, my dhclient-exit-hooks script is examining the 'named' configuration
> file to verify that the local DNS server will be forwarding queries to the
> servers assigned by DHCP. The script will reconfigure and restart 'named'
> if necessary, and that would undoubtedly result in more AVCs. Testing
> every
> combination of things that might happen is impractical, so just running
> audit2allow on these AVCs is almost certainly insufficient. Operation of
> this script absolutely must not be blocked. How can I open the door wide
> enough to ensure that?
>
> avc: denied { search } for pid=2551 comm="dhclient-script"
> name="named" dev=hda6 ino=267649 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
> avc: denied { search } for pid=2551 comm="dhclient-script"
> name="chroot" dev=hda6 ino=267651 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
> avc: denied { getattr } for pid=2551 comm="dhclient-script"
> path="/var/named/chroot/etc/named.conf" dev=hda6 ino=267674
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:named_conf_t:s0 tclass=file
> avc: denied { read } for pid=2599 comm="grep" name="named.conf"
> dev=hda6 ino=267674 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:named_conf_t:s0 tclass=file
>
> Problem 2:
>
> Here, my ifup-local script is starting a tcpdump capture on eth1. It is
> important to me that this capture begin automatically with the eth1 link
> is started. The actual directory where the capture files are stored has
> been given a context system_u:object_r:netutils_tmp_t, and that works
> without complaint (and does not appear below). Is there a way to make
> this work other than blindly running audit2allow on all these AVCs?
> Other than perhaps the stderr file (/root/eth1-cap.out), I don't see any
> possibility of adjusting target contexts. (Why
> system_u:system_r:netutils_t
> should be denied search and read permission in /proc is puzzling.)
>
> avc: denied { write } for pid=2670 comm="tcpdump"
> path="/root/eth1-cap.out" dev=hda2 ino=43920
> scontext=system_u:system_r:netutils_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
> avc: denied { search } for pid=2670 comm="tcpdump" name="nscd"
> dev=hda6 ino=283420 scontext=system_u:system_r:netutils_t:s0
> tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
> avc: denied { search } for pid=2670 comm="tcpdump" name="sys"
> dev=proc ino=-268435428 scontext=system_u:system_r:netutils_t:s0
> tcontext=system_u:object_r:sysctl_t:s0 tclass=dir
> avc: denied { search } for pid=2670 comm="tcpdump" name="kernel"
> dev=proc ino=-268435416 scontext=system_u:system_r:netutils_t:s0
> tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
> avc: denied { read } for pid=2670 comm="tcpdump" name="ngroups_max"
> dev=proc ino=-268435369 scontext=system_u:system_r:netutils_t:s0
> tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
> avc: denied { search } for pid=2670 comm="tcpdump" name="/" dev=hdb1
> ino=2 scontext=system_u:system_r:netutils_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=dir
>
> That last AVC is puzzling, because the root directory ("/") is not located
> on hdb1. That device holds the directory where the capture files are
> being stored. Inode 2 on /dev/hdb1 is on mount point "/x" in the
> filesystem.
>
Simplest thing is to run this through
# grep avc /var/log/audit2allow | audit2allow -M mypol
# semodule -i mypol.pp
You might want to first update to the U2 preview policy, available on
http://people.redhat.com/dwalsh/SELinux/RHEL5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkfMZUwACgkQrlYvE4MpobP6BQCfRuiyKhp3dQfk6/eDhj2ZXY3k
qGUAn2jzSJsPWOB5pKNF2LwgCvMI26LI
=Jq+9
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list
mailing list