From ltcgcw at us.ibm.com Sun Apr 1 16:34:39 2007
From: ltcgcw at us.ibm.com (George C. Wilson)
Date: Sun, 1 Apr 2007 11:34:39 -0500
Subject: [redhat-lspp] [Reminder] LSPP Bug Telecon Mon., Apr. 2
Message-ID: <20070401163439.GA25423@us.ibm.com>

IBM hosts the LSPP Bug Telecon every Monday at 20:00 UTC. If you would like to participate and are not already an attendee, please reply directly to me with your contact information. I will respond with an invitation after review by the existing participants. Please note that the number of attendees may be limited by our call center's restrictions on maximum lines per conference.

-- 
George Wilson
IBM Linux Technology Center

From joe at nall.com Sun Apr 1 23:13:29 2007
From: joe at nall.com (Joe Nall)
Date: Sun, 1 Apr 2007 18:13:29 -0500
Subject: [redhat-lspp] dmesg from lspp.72.el5 with inconsistent lock state
Message-ID: <765619F4-234F-4AD3-884C-7C08AFA9514F@nall.com>

This is a dmesg from an lspp.72 kernel with current fc6 userland. lspp.70 was generating the same errors. It is running within a Parallels VM on my laptop.

Linux version 2.6.18-8.1.1.lspp.72.el5 (brewbuilder at hs20-bc1-6.build.redhat.com) (gcc version 4.1.1 20070105 (Red Hat 4.1.1-52)) #1 SMP Wed Mar 28 16:10:51 EDT 2007
BIOS-provided physical RAM map:
 BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
 BIOS-e820: 0000000000100000 - 0000000014000000 (usable)
0MB HIGHMEM available.
320MB LOWMEM available.
Using x86 segment limits to approximate NX protection
On node 0 totalpages: 81920
  DMA zone: 4096 pages, LIFO batch:0
  Normal zone: 77824 pages, LIFO batch:15
DMI not present or invalid.
Using APIC driver default
ACPI: Unable to locate RSDP
Allocating PCI resources starting at 20000000 (gap: 14000000:ec000000)
Detected 2214.945 MHz processor.
Built 1 zonelists. Total pages: 81920
Kernel command line: ro root=/dev/VolGroup00/LogVol00 quiet
Local APIC disabled by BIOS -- you can enable it with "lapic"
mapped APIC to ffffd000 (0128d000)
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Initializing CPU#0
CPU 0 irqstacks, hard=c0794000 soft=c0774000
PID hash table entries: 2048 (order: 11, 8192 bytes)
Console: colour VGA+ 80x25
Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
... MAX_LOCKDEP_SUBCLASSES: 8
... MAX_LOCK_DEPTH: 30
... MAX_LOCKDEP_KEYS: 2048
... CLASSHASH_SIZE: 1024
... MAX_LOCKDEP_ENTRIES: 8192
... MAX_LOCKDEP_CHAINS: 8192
... CHAINHASH_SIZE: 4096
 memory used by lock dependency info: 904 kB
 per task-struct memory footprint: 1200 bytes
Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Memory: 315572k/327680k available (2138k kernel code, 11440k reserved, 1123k data, 236k init, 0k highmem)
Checking if this processor honours the WP bit even in supervisor mode... Ok.
Calibrating delay using timer specific routine.. 17301.52 BogoMIPS (lpj=8650764)
Security Framework v1.0.0 initialized
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary module capability
Capability LSM initialized as secondary
Mount-cache hash table entries: 512
CPU: After generic identify, caps: 0f80b9b9 00000000 00000000 00000000 00000001 00000000 00000000
CPU: After vendor identify, caps: 0f80b9b9 00000000 00000000 00000000 00000001 00000000 00000000
CPU: L1 I cache: 32K, L1 D cache: 32K
CPU: L2 cache: 2048K
CPU: After all inits, caps: 0f80b1b9 00000000 00000000 00000140 00000001 00000000 00000000
Checking 'hlt' instruction... OK.
SMP alternatives: switching to UP code
Freeing SMP alternatives: 12k freed
CPU0: Intel Genuine Intel(R) CPU T2600 @ 2.16GHz stepping 08
SMP motherboard not detected.
Local APIC not detected. Using dummy APIC emulation.
Brought up 1 CPUs
sizeof(vma)=84 bytes
sizeof(page)=32 bytes
sizeof(inode)=568 bytes
sizeof(dentry)=160 bytes
sizeof(ext3inode)=804 bytes
sizeof(buffer_head)=52 bytes
sizeof(skbuff)=172 bytes
checking if image is initramfs... it is
Freeing initrd memory: 2138k freed
NET: Registered protocol family 16
ACPI Exception (utmutex-0262): AE_BAD_PARAMETER, Thread C132D530 could not acquire Mutex [2] [20060707]
PCI: PCI BIOS revision 2.10 entry at 0xf81a4, last bus=1
PCI: Using configuration type 1
Setting up standard PCI resources
ACPI: Interpreter disabled.
Linux Plug and Play Support v0.97 (c) Adam Belay
pnp: PnP ACPI: disabled
usbcore: registered new driver usbfs
usbcore: registered new driver hub
PCI: Probing PCI hardware
PCI: Probing PCI hardware (bus 00)
Boot video device is 0000:00:02.0
PCI quirk: region 1000-107f claimed by ICH4 ACPI/GPIO/TCO
PCI: Device 0000:00:1d.7 not found by BIOS
PCI: Device 0000:00:1f.5 not found by BIOS
NetLabel: Initializing
NetLabel: domain hash size = 128
NetLabel: protocols = UNLABELED CIPSOv4
NetLabel: unlabeled traffic allowed by default
NET: Registered protocol family 2
IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
TCP established hash table entries: 16384 (order: 7, 524288 bytes)
TCP bind hash table entries: 8192 (order: 6, 262144 bytes)
TCP: Hash tables configured (established 16384 bind 8192)
TCP reno registered
apm: BIOS not found.
audit: initializing netlink socket (disabled)
audit(1175447891.613:1): initialized
Total HugeTLB memory allocated, 0
VFS: Disk quotas dquot_6.5.1
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
SELinux: Registering netfilter hooks
Initializing Cryptographic API
ksign: Installing public key data
Loading keyring
- Added public key B58771416977B91B
- User ID: Red Hat, Inc. (Kernel Module GPG key)
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
pci_hotplug: PCI Hot Plug PCI Core version: 0.5
Real Time Clock Driver v1.12ac
Non-volatile memory driver v1.2
Linux agpgart interface v0.101 (c) Dave Jones
agpgart: Detected an Intel i815 Chipset.
agpgart: AGP aperture is 64M @ 0xe0000000
Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled
RAMDISK driver initialized: 16 RAM disks of 16384K size 4096 blocksize
Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
ICH2: IDE controller at PCI slot 0000:00:1f.1
ICH2: chipset revision 0
ICH2: not 100% native mode: will probe irqs later
    ide0: BM-DMA at 0x6c00-0x6c07, BIOS settings: hda:DMA, hdb:DMA
Probing IDE interface ide0...
hda: Virtual HDD [0], ATA DISK drive
hdb: PRL CD-ROM [1], ATAPI CD/DVD-ROM drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
Probing IDE interface ide1...
hda: max request size: 512KiB
hda: 21504672 sectors (11010 MB) w/2048KiB Cache, CHS=16383/255/63, UDMA(100)
hda: cache flushes supported
 hda: hda1 hda2
ide-floppy driver 0.99.newide
usbcore: registered new driver hiddev
usbcore: registered new driver usbhid
drivers/usb/input/hid-core.c: v2.6:USB HID core driver
PNP: No PS/2 controller found. Probing ports directly.
serio: i8042 AUX port at 0x60,0x64 irq 12
serio: i8042 KBD port at 0x60,0x64 irq 1
mice: PS/2 mouse device common for all mice
md: md driver 0.90.3 MAX_MD_DEVS=256, MD_SB_DISKS=27
md: bitmap version 4.39
TCP bic registered
Initializing IPsec netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 17
Using IPI No-Shortcut mode
Freeing unused kernel memory: 236k freed
Time: tsc clocksource has been installed.
Write protecting the kernel read-only data: 400k
input: AT Translated Set 2 keyboard as /class/input/input0
input: ImExPS/2 Generic Explorer Mouse as /class/input/input1
USB Universal Host Controller Interface driver v3.0
PCI: Setting latency timer of device 0000:00:1d.0 to 64
uhci_hcd 0000:00:1d.0: UHCI Host Controller
uhci_hcd 0000:00:1d.0: new USB bus registered, assigned bus number 1
uhci_hcd 0000:00:1d.0: irq 11, io base 0x00005000
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ohci_hcd: 2005 April 22 USB 1.1 'Open' Host Controller (OHCI) Driver (PCI)
PCI: Setting latency timer of device 0000:00:1d.7 to 64
ehci_hcd 0000:00:1d.7: EHCI Host Controller
ehci_hcd 0000:00:1d.7: new USB bus registered, assigned bus number 2
PCI: cache line size of 32 is not supported by device 0000:00:1d.7
ehci_hcd 0000:00:1d.7: irq 9, io mem 0xc1000000
ehci_hcd 0000:00:1d.7: USB 2.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 8 ports detected
device-mapper: ioctl: 4.11.0-ioctl (2006-09-14) initialised: dm-devel at redhat.com
EXT3-fs: INFO: recovery required on readonly filesystem.
EXT3-fs: write access will be enabled during recovery.
kjournald starting. Commit interval 5 seconds
EXT3-fs: recovery complete.
EXT3-fs: mounted filesystem with ordered data mode.
security: 5 users, 7 roles, 2082 types, 89 bools, 16 sens, 1024 cats
security: 59 classes, 142541 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev cpuset, type cpuset), not configured for labeling
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
audit(1175447907.119:2): policy loaded auid=4294967295
TSC appears to be running slowly. Marking it as unstable
Time: pit clocksource has been installed.
audit(1175447925.086:3): avc: denied { execute_no_trans } for pid=596 comm="udevd" name="dmsetup" dev=dm-0 ino=1731818 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
audit(1175447925.086:4): avc: denied { read } for pid=596 comm="udevd" name="dmsetup" dev=dm-0 ino=1731818 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
input: PC Speaker as /class/input/input2
intel_rng: FWH not detected
ne2k-pci.c:v1.03 9/22/2003 D. Becker/P. Gortmaker
  http://www.scyld.com/network/ne2k-pci.html
eth0: RealTek RTL-8029 found at 0x4c00, IRQ 10, 00:69:2A:37:D7:46.
Floppy drive(s): fd0 is 1.44M
FDC 0 is an 8272A
hdb: ATAPI 24X DVD-ROM DVD-R CD-R/RW drive, 2048kB Cache, UDMA(25)
Uniform CD-ROM driver Revision: 3.20
PCI: Setting latency timer of device 0000:00:1f.5 to 64
intel8x0_measure_ac97_clock: measured 54809 usecs
intel8x0: measured clock 149464 rejected
intel8x0: clocking to 48000
lp: driver loaded but no devices found
sonypi: Sony Programmable I/O Controller Driver v1.26.
audit(1175447949.980:5): avc: denied { read write } for pid=995 comm="loadkeys" name="tty0" dev=tmpfs ino=634 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
device-mapper: multipath: version 1.0.5 loaded
audit(1175447968.794:6): avc: denied { write } for pid=1021 comm="multipath.stati" name="control" dev=tmpfs ino=736 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
hdb: packet command error: status=0x51 { DriveReady SeekComplete Error }
hdb: packet command error: error=0x50 { LastFailedSense=0x05 }
ide: failed opcode was: unknown
hdb: packet command error: status=0x51 { DriveReady SeekComplete Error }
hdb: packet command error: error=0x50 { LastFailedSense=0x05 }
ide: failed opcode was: unknown
EXT3 FS on dm-0, internal journal
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 655352k swap on /dev/VolGroup00/LogVol01. Priority:-1 extents:1 across:655352k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
ip6_tables: (C) 2000-2006 Netfilter Core Team
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (2560 buckets, 20480 max) - 228 bytes per conntrack
process `sysctl' is using deprecated sysctl (syscall) net.ipv6.neigh.lo.retrans_time; Use net.ipv6.neigh.lo.retrans_time_ms instead.

=================================
[ INFO: inconsistent lock state ]
2.6.18-8.1.1.lspp.72.el5 #1
---------------------------------
inconsistent {hardirq-on-W} -> {in-hardirq-W} usage.
ifup-eth/1510 [HC1[1]:SC1[2]:HE0:SE0] takes:
 (&ei_local->page_lock){++..}, at: [] ei_interrupt+0x46/0x2c3 [8390]
{hardirq-on-W} state was registered at:
  [] __lock_acquire+0x3a4/0x90d
  [] lock_acquire+0x4b/0x6a
  [] _spin_lock+0x19/0x28
  [] ei_start_xmit+0xa6/0x243 [8390]
  [] dev_hard_start_xmit+0x1a5/0x202
  [] __qdisc_run+0xdf/0x19d
  [] dev_queue_xmit+0x147/0x25a
  [] mld_sendpack+0x1ad/0x27d [ipv6]
  [] mld_ifc_timer_expire+0x18e/0x1b6 [ipv6]
  [] run_timer_softirq+0x108/0x167
  [] __do_softirq+0x78/0xf2
  [] do_softirq+0x5a/0xbe
  [] 0xffffffff
irq event stamp: 87
hardirqs last enabled at (86): [] _spin_unlock_irqrestore+0x36/0x3c
hardirqs last disabled at (87): [] common_interrupt+0x1b/0x2c
softirqs last enabled at (0): [] copy_process+0x330/0x1327
softirqs last disabled at (47): [] do_softirq+0x5a/0xbe

other info that might help us debug this:
3 locks held by ifup-eth/1510:
 #0: (&mm->mmap_sem){----}, at: [] do_page_fault+0x14f/0x4a4
 #1: (&mm->page_table_lock){--..}, at: [] do_wp_page+0x296/0x3d7
 #2: (&dev->_xmit_lock){-...}, at: [] __qdisc_run+0x60/0x19d

stack backtrace:
 [] show_trace_log_lvl+0x12/0x25
 [] show_trace+0xd/0x10
 [] dump_stack+0x19/0x1b
 [] print_usage_bug+0x1cf/0x1dc
 [] mark_lock+0x96/0x353
 [] __lock_acquire+0x325/0x90d
 [] lock_acquire+0x4b/0x6a
 [] _spin_lock+0x19/0x28
 [] ei_interrupt+0x46/0x2c3 [8390]
 [] handle_IRQ_event+0x20/0x4d
 [] __do_IRQ+0x94/0xef
 [] do_IRQ+0x9e/0xbd
 [] common_interrupt+0x25/0x2c
 [] enable_irq+0x8b/0x94
 [] ei_start_xmit+0x22b/0x243 [8390]
 [] dev_hard_start_xmit+0x1a5/0x202
 [] __qdisc_run+0xdf/0x19d
 [] dev_queue_xmit+0x147/0x25a
 [] mld_sendpack+0x1ad/0x27d [ipv6]
 [] mld_ifc_timer_expire+0x18e/0x1b6 [ipv6]
 [] run_timer_softirq+0x108/0x167
 [] __do_softirq+0x78/0xf2
 [] do_softirq+0x5a/0xbe
 [] irq_exit+0x3d/0x3f
 [] do_IRQ+0xb0/0xbd
 [] common_interrupt+0x25/0x2c
 [] __handle_mm_fault+0x7cb/0x841
 [] do_page_fault+0x201/0x4a4
 [] error_code+0x39/0x40
 =======================
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
NET: Registered protocol family 15
Bluetooth: Core ver 2.10
NET: Registered protocol family 31
Bluetooth: HCI device and connection manager initialized
Bluetooth: HCI socket layer initialized
Bluetooth: L2CAP ver 2.8
Bluetooth: L2CAP socket layer initialized
Bluetooth: RFCOMM socket layer initialized
Bluetooth: RFCOMM TTY layer initialized
Bluetooth: RFCOMM ver 1.8
Bluetooth: HIDP (Human Interface Emulation) ver 1.1
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
eth0: no IPv6 routers present
mtrr: your processor doesn't support write-combining

From paul.moore at hp.com Mon Apr 2 18:29:13 2007
From: paul.moore at hp.com (Paul Moore)
Date: Mon, 2 Apr 2007 14:29:13 -0400
Subject: [redhat-lspp] LSPP kickstart config v0.25 released
In-Reply-To: <20070329220328.GA539@w-m-p.com>
References: <20070329220328.GA539@w-m-p.com>
Message-ID: <200704021429.13915.paul.moore@hp.com>

On Thursday, March 29 2007 6:03:28 pm Klaus Weidner wrote:
> Hello all,
>
> bumped versions for kernel (.72) and cups (-11.8) to match the current
> repository. No other changes.

I'm wondering if we should enable XFRM over loopback in the kickstart file, thoughts?

# sysctl net.ipv4.conf.lo.disable_xfrm=0
# sysctl net.ipv4.conf.lo.disable_policy=0

-- 
paul moore
linux security @ hp

From ltcgcw at us.ibm.com Mon Apr 2 19:18:59 2007
From: ltcgcw at us.ibm.com (George C. Wilson) Date: Mon, 2 Apr 2007 14:18:59 -0500 Subject: [redhat-lspp] [RFC] rbac-self-test v0.5 Message-ID: <20070402191859.GA7460@us.ibm.com> The latest rbac-self-test is attached. It contains a number of fixes over the last version. Most importantly, it now generates a success audit record and has some missing return code checks. I would appreciate any comments on the code or the policy. This may be close enough for Klaus to include in the certification RPM, which would help it get some testing. -- George Wilson IBM Linux Technology Center -------------- next part -------------- #!/usr/bin/python ################################################################################ # # # The RBACPP Self Test # # # # Performs various tests on the system to verify RBACPP compliance. # # # # Copyright (C) 2006,2007 IBM Corporation # # Licensed under GNU General Public License # # # # This program is free software; you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # # the Free Software Foundation; either version 2 of the License, or # # (at your option) any later version. # # # # This program is distributed in the hope that it will be useful, # # but WITHOUT ANY WARRANTY; without even the implied warranty of # # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # # GNU General Public License for more details. # # # # You should have received a copy of the GNU General Public License # # along with this program; see the file COPYING. If not, write to # # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. # # # # Author: George C. Wilson # # # ################################################################################ # # # USE # # # # 1. First take a snapshot of the filesystem hashes using AIDE. # # # # rbacpp-self-test --snapshot --verbose # # # # 2. Run the the self test in normal mode. # # # # rbacpp-self-test --verbose # # # # 3. 
Add the command to your crontab. # # # # rbacpp-self-test # # # # 4. Check the audit and system logs for failures. # # # ################################################################################ import string import re import os import os.path import errno import sys import shutil import pwd import syslog import socket import selinux import audit class SelfTest: # # init # # Returns: None # def __init__(self): self.default_failure_action = 'single' self.config_file = '/etc/security/rbac-self-test.conf' self.program_name = os.path.basename(sys.argv[0]) self.read = False self.write = True self.SystemHigh = 'SystemHigh' self.SystemLow = 'SystemLow' self.expectSuccess = False self.expectFailure = True self.success = True self.failure = False self.failure_action_performed = False return(None) # # usage # # Returns: 0 - Success # def usage(self): print self.program_name + ': [--snapshot] [--verbose]' return(0) # # Parse args # # Returns: rc: 0 - Success, 1 - Failure # def args_parse(self): self.opt_snapshot = False self.opt_verbose = False rc = 0 for opt in sys.argv[1:]: if opt == '--snapshot' or opt == '-s': self.opt_snapshot = True elif opt == '--verbose' or opt == '-v': self.opt_verbose = True else: rc = 1 return(rc) # # Init failure action from config file. # # Returns: 0 - Successfully logged audit message, errno or -1 on failure # def failure_action_init(self): rc = 0 self.failure_action = self.default_failure_action try: action_file = open(self.config_file, 'r') if action_file.closed == False: action_list = action_file.readlines() action = action_list[0] action = action.strip() action_file.close() except IOError, (oserrno, strerror): self.message_log('Cannot read auditd action: ' + self.config_file + ': ' + strerror) rc = oserrno except: raise if rc == 0: if ((action == 'single') or (action == 'log')): self.failure_action = action else: self.message_log('Invalid failure action: ' + action) rc = -1 return (rc) # # Perform the failure action. 
# # Return: 0 in success, errno or -1 on failure # def failure_action_perform(self): rc = 0 # Just do it once, prevent recursion. if self.failure_action_performed == False: if self.failure_action == 'single': try: rc = os.spawnv(os.P_WAIT, '/sbin/telinit', ('/sbin/telinit', '1')) self.failure_action_performed = True if rc != 0: self.message_log('/sbin/telinit 1 failed, rc = ' + str(rc)) except OSError, (oserrno, strerror): self.message_log('Cannot run /sbin/telinit s to go to single user mode: '+ strerror) rc = oserrno except: raise elif self.failure_action != 'log': self.failure_action_performed = True self.message_log('Invalid audit failure action - logging only') rc = -1 return(rc) # # Log an audit message # # Returns: 0 - Successfully logged audit message, 1 - Failure # def message_log(self, message, successful = False): rc = 0 try: hostname = socket.gethostname() try: hostaddr = socket.gethostbyname(hostname) except: hostaddr = 'unknown' except: hostname = 'unknown' try: ttyname = os.readlink('/proc/self/fd/0') if ttyname.find('/dev') != 0: ttyname = 'notatty' except: ttyname = 'unknown' message = self.program_name + ': ' + message if (successful == True): audit_record_type = audit.AUDIT_TEST else: audit_record_type = audit.AUDIT_ANOM_RBAC_FAIL try: audit.audit_log_user_message(self.audit_fd, audit_record_type, message, hostname, hostaddr, ttyname, successful) except: print 'Attention: Cannot log audit record' rc = 1 try: syslog.openlog('Security') syslog.syslog(syslog.LOG_AUTH|syslog.LOG_EMERG, 'Attention: Cannot log audit record (message was: ' + message + ')') syslog.closelog() except: print 'Attention: Cannot log syslog record' if self.opt_verbose == True: print message self.failure_action_perform() return(rc) # # Initialize audit. 
# # Returns: An audit handle; Non-negative integer - Success, -1 - Failure # def audit_open(self): rc = 0 self.audit_fd = -1 rc = self.failure_action_init() if rc != 0: self.message_log('Cannot set failure action in audit init') if rc == 0: try: self.audit_fd = audit.audit_open() except: self.message_log('Cannot open audit') rc = 1 return(rc) # # Deinitialize audit. # # Returns: 0 - Success, 1 - Failure # def audit_close(self): rc = 0 if self.audit_fd >= 0: try: audit.audit_close(self.audit_fd) except: self.message_log('Cannot close audit') rc = 1 return(rc) # # Verify SELinux is enabled, enforcing, and MLS. # # Returns: 0 - Success, 1 - Failure # def selinux_verify(self): rc = 0 try: if selinux.is_selinux_enabled() != 1: self.message_log('SELinux is not enabled') rc = 1 except: self.message_log('Cannot check whether SELinux is enabled') rc = 1 if rc == 0: try: if selinux.security_getenforce() != 1: self.message_log('SELinux is not in enforcing mode') rc = 1 except: self.message_log('Cannot check whether SELinux is enforcing') rc = 1 if rc == 0: try: if selinux.is_selinux_mls_enabled() != 1: self.message_log('SELinux MLS is not enabled') rc = 1 except: self.message_log('Cannot check whether SELinux MLS is enabled') rc = 1 return(rc) # # Verify auditd is running # # Returns: 0 - Success, 1 - Failure # def auditd_verify(self): rc = 0 try: if audit.audit_is_enabled(self.audit_fd) != 1: self.message_log('The audit daemon is not running') rc = 1 except: self.message_log('Cannot get audit status') rc = 1 return(rc) # # Take an AIDE snapshot of configuration files. 
# # Returns: 0 - Success, spawnv rc or errno on failure # def snapshot_take(self): rc = 0 if rc == 0: try: rc = os.spawnv(os.P_WAIT, '/usr/sbin/aide', ('/usr/sbin/aide', '--init')) except OSError, (oserrno, strerror): self.message_log('Cannot initialize AIDE database, errno = ' + str(oserrno) + ': ' + strerror) rc = oserrno except: raise if rc == 0: try: os.unlink('/var/lib/aide/aide.db.gz') except OSError, (oserrno, strerror): if oserrno != errno.ENOENT: self.message_log('Cannot remove old AIDE database, errno = ' + str(oserrno) + ': ' + strerror) rc = oserrno except: raise if rc == 0: try: shutil.move('/var/lib/aide/aide.db.new.gz', '/var/lib/aide/aide.db.gz') except OSError, (oserrno, strerror): self.message_log('Cannot move new AIDE database into place, errno = ' + str(oserrno) + ': ' + strerror) rc = oserrno except: raise return(rc) # # Verify integrity of configuration files. # # Returns: 0 - Success; spawnv rc or errno - Failure # def snapshot_verify(self): rc = 0 try: rc = os.spawnv(os.P_WAIT, '/usr/sbin/aide', ('/usr/sbin/aide', '--check')) except OSError, (oserrno, strerror): self.message_log('Cannot verify AIDE database, errno = ' + str(oserrno) + ': ' + strerror) rc = oserrno except: raise if rc != 0: self.message_log('Cannot verify AIDE database') return(rc) # # internal "runcon" # # Returns: 0 - Success; spawnv rc or errno, or -1 - Failure # def runcon(self, context, program, *args): rc = 0 progargs = (program,) + args try: rc = selinux.setexeccon(context) except: self.message_log('Cannot set exec context to ' + context) rc = -1 if rc != 1: try: rc = os.spawnv(os.P_WAIT, program, progargs) except OSError, (oserrno, strerror): self.message_log('Cannot spawnv ' + str(progargs) + ': ' + strerror) rc = oserrno except: raise return(rc) # # mlsfile_test # # Test reading/writing from level2 to level1 # # Returns: 0 - Success, 1 - Failure # def mlsfile_test(self, write, level2, level1, expectfail): rc = 0 context1 = 'root:sysadm_r:rbacselftest_t:' + level1 
context2 = 'root:sysadm_r:rbacselftesthelper_t:' + level2 if write == True: testopname = 'write' testop = 'w' else: testopname = 'read' testop = 'r' rc = self.runcon(context1, '/usr/sbin/rbac-self-test-helper', context1, 'w') if rc != 0: self.message_log('Helper cannot complete create with context ' + context1) rc = 1 testrc = self.runcon(context2, '/usr/sbin/rbac-self-test-helper', context1, testop) if testrc != 0: testrc = 1 if expectfail == True: testrc = int(not testrc) rc = self.runcon(context1, '/usr/sbin/rbac-self-test-helper', context1, 'd') if rc != 0: self.message_log('Helper cannot complete delete with context ' + context1) if testrc != 0: self.message_log('MLS file test: write at ' + context1 + ', ' + testopname + ' at ' + context2 + ' failed') return(testrc) # # Main # # Exits: 0 - Success, 1 - Failure # def main(): rc = 0 st = SelfTest() if rc == 0: st.audit_open() if rc == 0: rc = st.args_parse() if rc != 0: st.usage() if rc == 0 and st.audit_fd < 0: rc = 1 if rc == 0 and st.opt_snapshot == True: rc = st.snapshot_take() else: if rc == 0: rc = st.selinux_verify() if rc == 0: rc = st.auditd_verify() if rc == 0: rc = st.snapshot_verify() if rc == 0: rc = st.mlsfile_test(st.read, st.SystemHigh, st.SystemLow, st.expectSuccess) if rc == 0: rc = st.mlsfile_test(st.read, st.SystemLow, st.SystemHigh, st.expectFailure) if rc == 0: rc = st.mlsfile_test(st.write, st.SystemHigh, st.SystemLow, st.expectFailure) # Stronger than BLP if rc == 0: rc = st.mlsfile_test(st.write, st.SystemLow, st.SystemHigh, st.expectFailure) if rc == 0: st.message_log('The RBAC self test succeeded', st.success) if st.opt_verbose == True: print 'The RBAC self test succeeded.' else: st.message_log('The RBAC self test failed', st.failure) if st.opt_verbose == True: print 'The RBAC self test failed.' 
if rc == 0: st.audit_close() return(rc) if __name__ == "__main__": sys.exit(main()) -------------- next part -------------- #!/usr/bin/python ################################################################################ # # # The RBACPP Self Test Helper # # # # Writes, reads, and deletes test files in /var/run for rbac-self-test. # # # # Copyright (C) 2007 IBM Corporation # # Licensed under GNU General Public License # # # # This program is free software; you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # # the Free Software Foundation; either version 2 of the License, or # # (at your option) any later version. # # # # This program is distributed in the hope that it will be useful, # # but WITHOUT ANY WARRANTY; without even the implied warranty of # # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # # GNU General Public License for more details. # # # # You should have received a copy of the GNU General Public License # # along with this program; see the file COPYING. If not, write to # # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. # # # # Author: George C. 
Wilson # # # ################################################################################ import sys import os import selinux def main(): f = None rc = 0 datafile_basename = '/var/run/rbac-self-test-' if len(sys.argv) == 3: context = sys.argv[1] op = sys.argv[2] datafile_name = datafile_basename + context if (op != 'r') and (op != 'w') and (op != 'd'): print 'op must be either \'r\', \'w\', or \'d\'' rc = 1 else: print 'usage: helper ' rc = 1 if rc == 0: if (op == 'd'): try: os.unlink(datafile_name) except: print 'Cannot unlink file ' + datafile_name rc = 1 else: try: f = open(datafile_name , op) except: print 'Cannot open file ' + datafile_name rc = 1 if rc == 0: if op == 'w': try: f.write(context) except: print 'Cannot write to file ' + datafile_name rc = 1 elif op == 'r': try: junk = f.read() except: print 'Cannot read file ' + datafile_name rc = 1 else: print 'Bad file operator ' + op rc = 1 if f != None: try: f.close() except: print 'Cannot close file ' + datafile_name rc = 1 return(rc) if __name__ == "__main__": sys.exit(main()) -------------- next part -------------- .TH RBAC-SELF-TEST "1" "March 2007" "rbac-self-test 1.0" "User Commands" .SH NAME rbac-self-test \- Perform a set of tests on the system to ensure compliance with RBACPP Section FPT_TST.1. .SH SYNOPSIS .B rbac-self-test [\fIOPTION\fR]... .SH DESCRIPTION .\" Add any additional description here .PP Performs a set of tests that verify SELinux is functioning and configuration files are intact. .PP 1. Log into the system as root/sysadm_r/SystemHigh. .PP 2. Create or edit /etc/security/rbac-self-test.conf. It must contain one of the keywords \fBsingle\fR or \fBlog\fR on first line. The \fBsingle\fR option tells rbac-self-test to change to single user mode when an error is encountered so that an administrator can take corrective action. The \fBlog\fR keyword causes rbac-self-test only to log anomalous events. 
The default is \fBsingle\fR if there is not configuration file or the file contains an invalid keyword. .PP 3. Setup the aide database. One can do this via the --snapshot argument to rbac-self-test. .PP \fBrbac-self-test --snapshot --verbose\fR .PP For more information on the aide program see the aide(1) manpage. .PP 4. Run rbac-self-test in verbose mode to verify correct operation. .PP \fBrbac-self-test --verbose\fR .PP 5. Run rbac-self-test on demand as required or add it to crontab to execute it periodically. .PP \fBrbac-self-test\fR .PP 6. Check the audit and system logs for failures. .SH OPTIONS .TP \fB\-s\fR, \fB\-\-snapshot\fR take a snapshot of configuration file hashes as defined in the aide configuration file .TP \fB\-v\fR, \fB\-\-verbose\fR display output to stdout in addition to producing and audit record .SH EXIT .PP Exit status is 0 if OK; 1 if there is an error. .SH AUTHOR George C. Wilson at the IBM Corporation .SH "REPORTING BUGS" Report bugs to . .SH COPYRIGHT Copyright \(co 2007 IBM Corporation .br This is free software. You may redistribute copies of it under the terms of the GNU General Public License . There is NO WARRANTY, to the extent permitted by law. 
-------------- next part --------------
# installation paths
SHAREDIR := /usr/share/selinux

AWK ?= gawk
NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)

MLSENABLED := $(shell cat /selinux/mls)
ifeq ($(MLSENABLED),)
MLSENABLED := 1
endif

ifeq ($(MLSENABLED),1)
MCSFLAG=-mcs
endif

TYPE ?= $(NAME)${MCSFLAG}

HEADERDIR := $(SHAREDIR)/devel/include

include $(HEADERDIR)/Makefile
-------------- next part --------------
policy_module(local,1.0)

gen_require(`
	type secadm_t, secadm_devpts_t, secadm_tty_device_t;
	type rbacselftest_exec_t;
	role secadm_r;
')

rbacselftest_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })

gen_require(`
	type sysadm_t, sysadm_devpts_t, sysadm_tty_device_t;
	role sysadm_r;
')

rbacselftest_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })

gen_require(`
	type auditd_log_t;
')

allow secadm_t auditd_log_t:file write;
allow sysadm_t self:process transition;
-------------- next part --------------
/usr/local/bin/test-setexeccon		--	gen_context(system_u:object_r:rbacselftest_exec_t,mls_systemlow)
/usr/sbin/rbac-self-test		--	gen_context(system_u:object_r:rbacselftest_exec_t,mls_systemlow)
/usr/sbin/rbac-self-test-helper		--	gen_context(system_u:object_r:rbacselftesthelper_exec_t,mls_systemlow)
/var/run/rbac-self-test-SystemLow	--	gen_context(system_u:object_r:rbacselftest_var_run_t,mls_systemlow)
/var/run/rbac-self-test-SystemHigh	--	gen_context(system_u:object_r:rbacselftest_var_run_t,mls_systemhigh)
/etc/security/rbac-self-test.conf	--	gen_context(system_u:object_r:rbacselftest_etc_t,mls_systemhigh)
-------------- next part --------------
## <summary>RBAC Self Test</summary>

########################################
## <summary>
##	Execute rbacselftest in the rbacselftest domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`rbacselftest_domtrans',`
	gen_require(`
		type rbacselftest_t, rbacselftest_exec_t;
	')

	corecmd_search_sbin($1)
	domain_auto_trans($1,rbacselftest_exec_t,rbacselftest_t)

	allow $1 rbacselftest_t:fd use;
	allow rbacselftest_t $1:fd use;
	allow rbacselftest_t $1:fifo_file rw_file_perms;
	allow rbacselftest_t $1:process sigchld;
')

########################################
## <summary>
##	Execute rbacselftest programs in the rbacselftest domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the AIDE domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the AIDE domain to use.
##	</summary>
## </param>
#
interface(`rbacselftest_run',`
	gen_require(`
		type rbacselftest_t;
	')

	rbacselftest_domtrans($1)
	role $2 types rbacselftest_t;
	allow rbacselftest_t $3:chr_file rw_file_perms;
')
-------------- next part --------------
policy_module(rbacselftest,1.0)

gen_require(`
	type aide_db_t;
	type aide_exec_t;
	type sshd_t;
	type secadm_t;
	type sysadm_t;
	type newrole_exec_t;
	type sysadm_devpts_t;
	type sysadm_tty_device_t;
	type init_exec_t;
	type initctl_t;
	type var_lib_t;
	attribute mlsprocsetsl;
	attribute mlsfileread;
	attribute mlsfilewrite;
')

########################################
#
# rbacselftest declarations
#

type rbacselftest_t;
type rbacselftest_exec_t;
domain_type(rbacselftest_t)
domain_entry_file(rbacselftest_t,rbacselftest_exec_t)

# rbacselftest database
type rbacselftest_var_run_t;
files_type(rbacselftest_var_run_t)

# rbacselftest etc
type rbacselftest_etc_t;
files_type(rbacselftest_etc_t)

########################################
#
# helper declarations
#

type rbacselftesthelper_t;
type rbacselftesthelper_exec_t;
domain_type(rbacselftesthelper_t)
domain_entry_file(rbacselftesthelper_t,rbacselftesthelper_exec_t)

########################################
#
# rbacselftest local policy
#

seutil_use_newrole_fds(rbacselftest_t)

# database actions
# pid file
allow rbacselftest_t rbacselftest_var_run_t:file manage_file_perms;
allow rbacselftest_t rbacselftest_var_run_t:dir rw_dir_perms;
files_pid_filetrans(rbacselftest_t, rbacselftest_var_run_t, { file dir })

# audit
allow rbacselftest_t self:capability { audit_write audit_control };
allow rbacselftest_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

# aide
aide_domtrans(rbacselftest_t)
allow rbacselftest_t var_lib_t:dir write;
allow rbacselftest_t aide_db_t:dir rw_dir_perms;
allow rbacselftest_t aide_db_t:dir create_file_perms;

# binaries
corecmd_exec_bin(rbacselftest_t)
corecmd_exec_sbin(rbacselftest_t)
corecmd_exec_shell(rbacselftest_t)

# Shell
allow rbacselftest_t shell_exec_t:file entrypoint;

# login
locallogin_use_fds(rbacselftest_t)

# init
allow rbacselftest_t init_exec_t:file execute;
allow rbacselftest_t init_exec_t:file execute_no_trans;
allow rbacselftest_t initctl_t:fifo_file write;

# ssh
allow rbacselftest_t sshd_t:fd use;

# secadm_t
allow secadm_t rbacselftest_exec_t:file { setattr write execute };

# sysadm_t
allow secadm_t rbacselftest_exec_t:file { setattr write execute };

# /var/run
allow rbacselftest_t var_run_t:file manage_file_perms;
allow rbacselftest_t var_run_t:dir rw_dir_perms;
allow rbacselftest_t rbacselftest_var_run_t:file { getattr setattr create read write };
allow rbacselftest_t var_run_t:file { getattr setattr create read write };

# and more
allow rbacselftest_t self:fd use;
allow rbacselftest_t self:process { noatsecure rlimitinh siginh };
allow rbacselftest_t sysadm_devpts_t:chr_file write;
allow rbacselftest_t sysadm_tty_device_t:chr_file { read write };

# Allow to execute own exec type - may not be wise - change helper to help type.
#allow rbacselftest_t rbacselftest_exec_t:file execute_no_trans;

# bin_t
allow rbacselftest_t bin_t:file entrypoint;

########################################
#
# helper policy
#

# /var/run
allow rbacselftesthelper_t var_run_t:file manage_file_perms;
allow rbacselftesthelper_t var_run_t:dir rw_dir_perms;
allow rbacselftesthelper_t rbacselftest_var_run_t:file { getattr setattr create read write };
allow rbacselftesthelper_t var_run_t:file { getattr setattr create read write };

# Allow rbacselftest_t to execute rbacselftesthelper_exec_t
allow rbacselftest_t rbacselftesthelper_exec_t:file entrypoint;
allow rbacselftest_t rbacselftesthelper_exec_t:file execute;
allow rbacselftest_t rbacselftesthelper_t:process transition;
allow rbacselftest_t rbacselftesthelper_t:process { noatsecure rlimitinh siginh };
allow rbacselftesthelper_t local_login_t:fd use;
allow rbacselftesthelper_t rbacselftest_t:process sigchld;
allow rbacselftesthelper_t sysadm_tty_device_t:chr_file { read write };
allow rbacselftesthelper_t rbacselftest_t:fd use;
files_read_all_files(rbacselftesthelper_t)
libs_use_shared_libs(rbacselftesthelper_t)
libs_use_ld_so(rbacselftesthelper_t)

########################################
#
# Local policy
#

allow rbacselftest_t self:capability { dac_override fowner };
allow rbacselftest_t self:process { setfscreate setexec transition };

# Permit getting enforcing mode + other SELinux perms
selinux_get_enforce_mode(rbacselftest_t)
selinux_get_fs_mount(rbacselftest_t)
selinux_search_fs(rbacselftest_t)
selinux_compute_access_vector(rbacselftest_t)
selinux_compute_create_context(rbacselftest_t)
selinux_compute_relabel_context(rbacselftest_t)
selinux_compute_user_contexts(rbacselftest_t)
selinux_validate_context(rbacselftest_t)

# Permit getting audit status
logging_read_audit_config(rbacselftest_t)
logging_manage_all_logs(rbacselftest_t)
logging_manage_audit_config(rbacselftest_t)
logging_manage_audit_log(rbacselftest_t)
logging_read_all_logs(rbacselftest_t)
logging_read_audit_log(rbacselftest_t)
logging_send_syslog_msg(rbacselftest_t)
logging_write_generic_logs(rbacselftest_t)

# MLS overrides
mls_file_read_up(rbacselftest_t)
mls_file_write_down(rbacselftest_t)
mls_process_set_level(rbacselftest_t)
mls_fd_share_all_levels(rbacselftest_t)
mls_fd_use_all_levels(rbacselftest_t)
#mls_rangetrans_target(rbacselftest_t)
mls_rangetrans_source(rbacselftest_t)
#mls_file_writable_within_range(rbacselftest_t)
mls_context_translate_all_levels(rbacselftest_t)
mls_file_downgrade(rbacselftest_t)
mls_file_upgrade(rbacselftest_t)

# General perms
files_read_all_files(rbacselftest_t)
libs_use_shared_libs(rbacselftest_t)
libs_use_ld_so(rbacselftest_t)

role sysadm_r types rbacselftest_t;
role sysadm_r types rbacselftest_exec_t;
role sysadm_r types rbacselftesthelper_t;
role sysadm_r types rbacselftesthelper_exec_t;

From loulwas at us.ibm.com Mon Apr 2 22:19:38 2007
From: loulwas at us.ibm.com (Loulwa Salem)
Date: Mon, 02 Apr 2007 17:19:38 -0500
Subject: [redhat-lspp] LSPP Development Telecon 04/02/2007 Minutes
Message-ID: <4611817A.3010807@us.ibm.com>

04/02/2007 lspp Meeting Minutes:
===============================

Attendees
Robin Redden (IBM) - RR
Lawrence Wilson (IBM) - LW
George Wilson (IBM) - GW
Kris Wilson (IBM) - KEW
Loulwa Salem (IBM) - LS
Debora Velarde (IBM) - DV
Michael Thompson (IBM) - MT
Joy Latten (IBM) - JL
Klaus Kiwi (IBM) - KK
Trevor Highland (IBM) - TH
Steve Grubb (Red Hat) - SG
Dan Walsh (Red Hat) - DW
Eric Paris (Red Hat) - EP
Lisa Smith (HP) - LMS
Linda Knippers (HP) - LK
Amy Griffis (HP) - AG
Matt Anderson (HP) - MA
Paul Moore (HP) - PM
Klaus Weidner (Atsec) - KW
Chad Hanson (TCS) - CH
Joe Nall - JN

Agenda:
General Issues
Bug Discussion

Repo: http://people.redhat.com/sgrubb/files/lspp/

RHEL 5+ Packages
acl-2.2.39-2.1.el5
* aide-0.12-8.el5
audit-1.3.1-3.el5
audit-libs-1.3.1-3.el5
audit-libs-devel-1.3.1-3.el5
audit-libs-python-1.3.1-3.el5
cups-1.2.4-11.8.el5
cups-devel-1.2.4-11.8.el5
cups-libs-1.2.4-11.8.el5
ipsec-tools-0.6.5-6.2.el5
kernel-2.6.18-8.1.1.lspp.72.el5
kernel-devel-2.6.18-8.1.1.lspp.72.el5
kernel-doc-2.6.18-8.1.1.lspp.72.el5
libacl-2.2.39-2.1.el5
libacl-devel-2.2.39-2.1.el5
libselinux-1.33.4-4.el5
libselinux-devel-1.33.4-4.el5
libselinux-python-1.33.4-4.el5
mcstrans-0.2.3-1.el5
openssh-4.3p2-20.el5
openssh-askpass-4.3p2-20.el5
openssh-clients-4.3p2-20.el5
openssh-server-4.3p2-20.el5
* pam-0.99.6.2-3.18.el5
* pam-devel-0.99.6.2-3.18.el5
selinux-policy-2.4.6-45.el5
selinux-policy-devel-2.4.6-45.el5
selinux-policy-mls-2.4.6-45.el5
selinux-policy-strict-2.4.6-45.el5
selinux-policy-targeted-2.4.6-45.el5
vixie-cron-4.1-67.el5
lspp-eal4-config-ibm-0.25-1 (likely 26 for *'d above)
rbac-self-test (TBD in config RPM)

Tracker Bug:
https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=224041

Query:
https://bugzilla.redhat.com/bugzilla/buglist.cgi?cmdtype=runnamed&namedcmd=RHEL%205.0%20LSPP&namedowner=syeghiay at redhat.com&order=bugs.bug_id

GW: Someone saw a lockup I think
LS: that was Joe, he sent out an email to the list.
JN: yeah. I saw a lockup, I sent the dmesg output where you see the lockup. If I stress it I see where it hangs and is not responsive at all. I am not sure how to debug it
GW: is this on .72?
JN: both 72 and 71. I am trying to get another machine since mine right now has all these user space applications on it as well
EP: when it's hung, does the magic sys-request key work?
JN: I can't get what you're saying. but it just hangs
MA: for final kernel are we disabling that?
GW: it's usually disabled through proc. Ok, any general issue before we get started on the bug list. We were discussing the lockup Joe was seeing, he is running in a virtualized environment is that 32 bit kernel?
JN: yes
GW: ok, other issues .. I'll note there are at least 3 bugs I know of that we need to add to the list.
SG: I think I also took three bugs off the list
GW: we are down to 9. very good

Bug List:

218386 med nor pow eparis at redhat.com ASSI LSPP: labeled ipsec does not work over loopback
JL: I think I have it working. I prefer to have one more day of stress for my peace of mind. So far no problems. I'll ifdef all our changes. I think it'll be better chance to get them upstream that way.
JN: are we gonna package configurations that set local ipaddress for ipsec? or will it be manual configs later
KW: good idea to add that to configuration script.
JN: It's dramatically slow with initial sockets now when you make connection
PM: I'd be nervous about turning ipsec on unless we have to
KW: So we can add the sysctl to the kickstart script
JN: My question is are we gonna have labeled sockets by default
KW: no, but if people activate ipsec, that should work then.
JL: you mean in the script to have it on by default?
KW: this is based on a mail that paul sent to the mail list. My understanding that this won't do anything unless you turn it on, which will then enable negotiation with localhost.
PM: I misunderstood your initial statement Klaus, now I think that's an excellent idea.
JL: I think it's a good idea too. it'll throw people off at first if they think it is not working.
KW: if you have kind of labeled networking then people think it is not protecting local host
JN: if you are not enabling by default, would domains talk to each other if allow rules allow it
KW: yes
JN: how would you get lspp certification then?
KW: it says you have to enable ipsec or cipso for the evaluation. The evaluator says it's ok that you have to choose one or other in configuration to have the evaluated system
JN: so it's not on by default
KW: yes. you have to do the configuration
JN: we have been using an rpm that does our configuration for us for some time
PM: once Joy posts this updated patch, would it be possible to spin an ipsec tools package so we can test with it
SG: that would be the plan, question is how long it takes to happen? The maintainer is in England so if we get it early on, we might be able to get one in the same day, otherwise we might wait until next day
GW: So we're gonna carry an ipsec package, do we need a bug for that then?
SG: it has one
EP: is that bug still against kernel
JL: we need to change it against tools
GW: I'll change it now and I put a comment that joy will do another day of testing.

225443 med nor ppc dwalsh at redhat.com ASSI LSPP: No console login on first boot
SG: I closed it. Dan has that in a new policy.
GW: I have not verified it
LK: we want that open
GW: yeah, until we verify it at least
KW: did it work for Debbie? she sent me a note on Friday
SG: policy change that dan made was about 1 hour ago, and it's still not pushed out
KW: ok, so probably she didn't have it then
DV: yeah, I'll try with the new policy
GW: Klaus..
by the way, I also sent you a patch for pam and aide.
SG: I'll push policy as soon as telecon is over
GW: I'll test with it

228366 med nor All aviro at redhat.com ASSI LSPP: audit does not log obj label for signal recipient
SG: Eric, I think we need an update on that bugzilla. I think it was included and its status is awaiting test
EP: yes correct
GW: ok, I'm making note of that

231090 med urg ppc katzj at redhat.com ASSI LSPP: getattr causes python Segfault
GW: needs to be retested, this was a bug opened by Kylie
KK: is it specific to s390?
GW: no, ppc
KK: Ok, I can test it, can you add me to CC list?
GW: yes, thank you

231392 hig med All eparis at redhat.com NEW LSPP: Misc soft-lockups in x86_64 lspp.67 kernel
EP: most of those were solved, but one was still seen. stephen Smalley and I looked at it, and we are not sure what the problem is. I don't think it is a blocking thing, since it shows that the cpu was slow getting back to us. I'll look at it but if we and IBM can't reproduce it, I think it'll fall to the side

231529 hig med All twaugh at redhat.com ASSI [LSPP] bogus audit records with cups printing
SG: I'm still working on it, I haven't decided one way or another on that one yet
GW: putting note in bug.

233153 med med x86 dwalsh at redhat.com ASSI LSPP: semanage not always removing entry from /etc/selinu...
LS: joy and I are looking at it, we are trying to figure out how the test case is functioning. It seems like the test case is not cleaning up properly. We will run it and see if we still see the same behavior.
GW: noting that in the bug

234077 med med ppc eparis at redhat.com NEW LSPP: ppc 32-bit pread not correctly auditing 4th arg (of...
EP: that one looks like it's not lspp blocker so I can take it off the list. It is working as designed and I just need to explain that
MT: ok, can you please explain it.
EP: we were passing 64 bit offset and since we are in 32 bit in userspace, it gets broken into registers, so we always get 0 for the upper registers.
MT: have you tried logging in something that will show a value
EP: I'll work on that today if I get chance. It looks like pwrite will also have this problem. All the calls that have this 32/64 issue will, and possible they always did but no one noticed before. I sent a message to David Woodhouse who is the ppc/audit guy asking if he has ideas on how to log this. Looks like that one will likely get explained in there as not a bug
MT: klaus you also said that it is not a security bug as well.

234485 med med All eparis at redhat.com ASSI LSPP: when searching for larval SAs check the protocol too
JL: It's done. I tested and it's been accepted into upstream kernel.
GW: I am updating the bug
SG: was that in .72 kernel?
JL: I put a note in the bug in .. it was in the .70 kernel
EP: this fix has been in there for quite a number of releases
JL: I don't know if I have power to change states in RH bugs, so I am adding notes to them
EP: that's what you should be doing. thanks

234491 med med All harald at redhat.com ASSI LSPP: kernel sends additional ACQUIRES that racoon is not...
JL: already submitted patch to ipsec tools but they didn't pick it up yet
SG: did you attach bug to bugzilla
JL: let me check ..
GW: would you please attach the patch?
SG: if we can get that one along with the other patch, we can probably put them in the same release.
JL: I sent the patch out on the list at some point, but I'll attach it to the bug
GW: I'll make a note in the bug

234781 incorrect info in pam selinux audit record
GW: linda reported this one
LK: I had a conversation with our evaluator. It's not blocking anything. it's just wrong
SG: we should make sure it's fixed and pushed out so it's not lost in the cracks.
It sounds like it's simple to fix
LK: If it was simple I would make a patch, but it seems the info is not available to the audit record, so we either need to change where we audit from or pass more info around
GW: I'll add it's not lspp blocking but good to fix to the bug

234885 aide pol causes ..
GW: just opened this, I attached a policy module to make aide work correctly. one issue is the /var/log/aide directory is getting set to low
DW: there is a bug in file context description, a "?" mark was missing. I took most of your changes and added couple of extra ones. Hopefully the -50 policy will fix the problem.
GW: ok.. thank you

234889 cups jobs with sysadm_r...
KK: I was talking with Matt and I wanted to hear klaus W and other's opinion on this. Everyone on system has fileread perms to read up, but not true for print jobs. This seems stricter than mls for me. just wanted to get other people's opinion about it
KW: in general it is not a problem if you are being more strict .. but good to have it
LK: my question, when did sysadm_t get the overrides?
DW: secadm used to have it, and then sysadm needed it to change level and such
KW: I think late last year that happened when secadm got deprecated
DW: sysadm needed to do change con
KW: sysadm needed to do all that secadm used to do
LK: ok, I see. I remember that I just wanted to check.
DW: ..
KK: we need to change to lpr_t, and since lpr_t does not have the attribute, it can't read up. It is just adding mlsfilereadup in the ldp_t interface.
DW: I'll take a look at it
MA: as long as there is a note on there. it seems all they get is job title which we don't consider it to be sensitive info.
KK: only role using this interface is sysadm .. so I think it is secure to allow it to mlsfileread to lpr_t.
DW: I'll look at it
GW: Anything else
MT: I have question for steve and klaus. when you do autorelabel, is there supposed to be audit message generated?
SG: yes, I've seen it before
KW: not a requirement to have it since this is not a normal system use
EP: Is audit even running then
SG: answer is yes and no .. It's auditing but it's not going to audit log
EP: probably going to the console then picked up later
SG: in the past we talked about having mode of audit daemon when it starts up, it can queue everything and then dump it there, to make sure it is not full.
KW: it's not critical to do that.
SG: if we do something on boot up and it gets AVC that don't get audited, that might be a customer issue.
MT: second question; we are using pam_tally2 to record failed logins. when you successfully log in it resets it.
KW: it is exactly what it should behave like
MT: ok we were not sure
KW: it is there to limit attempts you can make.
GW: anyone else has anything to talk about
KW: george question for you .. do you think self tests are ready to be integrated?
GW: yes, it's close. Even if it is not 100% there, I think we should package it and push it out anyway so people can run it and give me feedback. I'll try to make spec file changes and produce a patch for you
SG: at some point we also need to go over the audit lspp.conf file. I took a short look at that couple of weeks ago, but I think we need to expand watches considerably. so far we have not come up with what files are security relevant.
GW: we have idea what they are
SG: I think we need to open a bugzilla for that to track it and as group we can decide
GW: and I think those would be similar to what the aide policy is checking. we might want to watch a significant subset of what we watch with aide
SG: is there an aide configurations separate than what is shipped
GW: I think it might be similar
SG: aide is directory oriented, but watches are based on file by file so audit system can be fine grained. I'll open a bugzilla. I wanted to wait until the end, and it looks like we are close to the end.
I wanted to see what packages make it, for example printing and selinux subdirs that we didn't worry about in CAPP need to be added now
GW: this aide has specific files in it too, I am just looking at configuration now
SG: there is an overlap, but aide is directory oriented while audit system can't do recursive auditing on directories so...
GW: we can harmonize audit configurations then. Any other issues. we are getting near the end. What about things that need to make it into the update. you said some need to make it in ..
SG: that was some internal milestones. all these lspp changes are in any new development we are doing.
GW: ok. Anything else anyone wants to talk about. ok .. we'll adjourn .. thanks everyone

From klaus at atsec.com Tue Apr 3 14:14:58 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Tue, 3 Apr 2007 09:14:58 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.26 released
Message-ID: <20070403141458.GB539@w-m-p.com>

Hello all,

bumped versions to match the current repository, and fixed a s390x inconsistency.

Changes:

packages: new selinux policy

packages: update aide, new pam (thanks George!)

packages: s390x: use 64bit keyutils, ks had specified the 32bit one. (thanks Trevor!)

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository.

Workarounds:

If the script requires a package that has been replaced by a newer one in the repository, you can do a quick&dirty workaround instead of starting over - put the newer .rpm file in /root/rpms/ and rename it to the expected old name in a "!" escape. If you need to do that, please let me know what the new version is (preferably as a patch to the lspp-config/kickstart/src/rpms.lst file, which is the source for the list in the individual kickstart files).

RPM download:
http://klaus.vh.swiftco.net/lspp/SRPMS/
http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:
http://klaus.vh.swiftco.net/lspp/git/

-Klaus

From paul.moore at hp.com Tue Apr 3 14:44:15 2007
From: paul.moore at hp.com (Paul Moore)
Date: Tue, 3 Apr 2007 10:44:15 -0400
Subject: [redhat-lspp] LSPP kickstart config v0.26 released
In-Reply-To: <20070403141458.GB539@w-m-p.com>
References: <20070403141458.GB539@w-m-p.com>
Message-ID: <200704031044.15805.paul.moore@hp.com>

On Tuesday, April 3 2007 10:14:58 am Klaus Weidner wrote:
> bumped versions to match the current repository, and fixed a s390x
> inconsistency.
>
> Changes:
>
> packages: new selinux policy
>
> packages: update aide, new pam (thanks George!)
>
> packages: s390x: use 64bit keyutils, ks had specified the 32bit one.
> (thanks Trevor!)

I thought we agreed on the LSPP call yesterday to include the sysctl changes to support labeled IPsec over loopback - did that change make it into v0.26 and just fall off the ChangeLog?

-- 
paul moore
linux security @ hp

From klaus at atsec.com Tue Apr 3 14:47:49 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Tue, 3 Apr 2007 09:47:49 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.26 released
In-Reply-To: <200704031044.15805.paul.moore@hp.com>
References: <20070403141458.GB539@w-m-p.com> <200704031044.15805.paul.moore@hp.com>
Message-ID: <20070403144749.GC539@w-m-p.com>

On Tue, Apr 03, 2007 at 10:44:15AM -0400, Paul Moore wrote:
> On Tuesday, April 3 2007 10:14:58 am Klaus Weidner wrote:
> > bumped versions to match the current repository, and fixed a s390x
> > inconsistency.
> >
> > Changes:
> >
> > packages: new selinux policy
> >
> > packages: update aide, new pam (thanks George!)
> >
> > packages: s390x: use 64bit keyutils, ks had specified the 32bit one.
> > (thanks Trevor!)
>
> I thought we agreed on the LSPP call yesterday to include the sysctl changes
> to support labeled IPsec over loopback - did that change make it into v0.26
> and just fall off the ChangeLog?

You're right, sorry I forgot to include that change. New version coming up.

-Klaus

From klaus at atsec.com Tue Apr 3 14:53:34 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Tue, 3 Apr 2007 09:53:34 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.27 released
Message-ID: <20070403145334.GA9116@w-m-p.com>

Hello all,

added the missing sysctl.conf change as discussed in the conf call.

Changes in 0.27:

sysctl.conf: activate labeled IPSec policy on localhost (thanks Paul!)

Changes in 0.26:

packages: new selinux policy

packages: update aide, new pam (thanks George!)

packages: s390x: use 64bit keyutils, ks had specified the 32bit one. (thanks Trevor!)

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository.

Workarounds:

If the script requires a package that has been replaced by a newer one in the repository, you can do a quick&dirty workaround instead of starting over - put the newer .rpm file in /root/rpms/ and rename it to the expected old name in a "!" escape. If you need to do that, please let me know what the new version is (preferably as a patch to the lspp-config/kickstart/src/rpms.lst file, which is the source for the list in the individual kickstart files).

RPM download:
http://klaus.vh.swiftco.net/lspp/SRPMS/
http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:
http://klaus.vh.swiftco.net/lspp/git/

-Klaus

From klaus at atsec.com Thu Apr 5 18:32:25 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Thu, 5 Apr 2007 13:32:25 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.28 released
Message-ID: <20070405183225.GA20378@w-m-p.com>

Hello all,

package version updates only this time.

Changes in 0.28:

packages: new openssh

packages: new PAM packages (thanks George!)

Changes in 0.27:

sysctl.conf: activate labeled IPSec policy on localhost (thanks Paul!)

Changes in 0.26:

packages: new selinux policy

packages: update aide, new pam (thanks George!)

packages: s390x: use 64bit keyutils, ks had specified the 32bit one. (thanks Trevor!)

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository.

Workarounds:

If the script requires a package that has been replaced by a newer one in the repository, you can do a quick&dirty workaround instead of starting over - put the newer .rpm file in /root/rpms/ and rename it to the expected old name in a "!" escape. If you need to do that, please let me know what the new version is (preferably as a patch to the lspp-config/kickstart/src/rpms.lst file, which is the source for the list in the individual kickstart files).

RPM download:
http://klaus.vh.swiftco.net/lspp/SRPMS/
http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:
http://klaus.vh.swiftco.net/lspp/git/

-Klaus

From toml at us.ibm.com Thu Apr 5 19:21:35 2007
From: toml at us.ibm.com (Tom Lendacky)
Date: Thu, 5 Apr 2007 14:21:35 -0500
Subject: [redhat-lspp] DAEMON_END audit record question
Message-ID:

When stopping and starting the audit daemon I noticed that the DAEMON_END audit record contains a subject field. However, ausearch does not find the record when you perform a search for the subject. Shouldn't ausearch be able to find the record if it contains a subject?

The DAEMON_START audit record doesn't contain a subject and this seems a little bit inconsistent. Should it contain a subject value or does it and the DAEMON_END record really not require a subject (and thus ausearch not supporting searching that record by subject)?

Thanks,
Tom Lendacky (toml at us.ibm.com)
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From sgrubb at redhat.com Thu Apr 5 20:39:17 2007
From: sgrubb at redhat.com (Steve Grubb)
Date: Thu, 5 Apr 2007 16:39:17 -0400
Subject: [redhat-lspp] DAEMON_END audit record question
In-Reply-To:
References:
Message-ID: <200704051639.17773.sgrubb@redhat.com>

On Thursday 05 April 2007 15:21:35 Tom Lendacky wrote:
> When stopping and starting the audit daemon I noticed that the
> DAEMON_END audit record contains a subject field. However,
> ausearch does not find the record when you perform a search for the
> subject. Shouldn't ausearch be able to find the record if it
> contains a subject?

Yes, it should. I guess we need a bz filed.

> The DAEMON_START audit record doesn't contain a subject and this seems a
> little bit inconsistent.

The audit daemon isn't linked with libselinux. The stop message subject is collected by the kernel, but there simply is no mechanism for that on startup short of linking libselinux and calling one of its functions.

> Should it contain a subject value or does it and the DAEMON_END record
> really not require a subject (and thus ausearch not supporting
> searching that record by subject)?

That's a good question. For stop, I think so. For start I'm not sure.

-Steve

From joe at nall.com Fri Apr 6 18:58:21 2007
From: joe at nall.com (Joe Nall)
Date: Fri, 6 Apr 2007 13:58:21 -0500
Subject: [redhat-lspp] Can processes syslog(3) at levels above SystemLow?
Message-ID: <4F360037-D447-4C0C-9376-730126B10C48@nall.com>

In mls enforcing mode will non-SystemLow processes be able to generate syslog(3) entries?

On my bastardized FC6+LSPP system,

ps -ZC syslogd
LABEL                                            PID TTY          TIME CMD
system_u:system_r:syslogd_t:SystemLow-SystemHigh 1725 ?        00:00:00 syslogd

but

ls -Z /var/log/messages
-rw------- root root system_u:object_r:var_log_t:SystemLow /var/log/messages

implying that SystemHigh processes can log to a SystemLow file.

joe

From klaus at atsec.com Fri Apr 6 22:10:57 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Fri, 6 Apr 2007 17:10:57 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.29 released
Message-ID: <20070406221057.GB17276@w-m-p.com>

Hello all,

This version uses separate PAM files for CAPP mode, thanks to Linda for implementing that. This also gets rid of the context selection in CAPP mode.

Changes in 0.29:

packages: Add policycoreutils (thanks George!)

capp-lspp script: use separate CAPP mode pam.d/ files (thanks Linda!)

kickstart: remove i386-WS from architectures, it's not supported (thx Linda!)

capp-lspp service: don't complain if udevd is not running (thanks Trevor!)

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository.

Workarounds:

If the script requires a package that has been replaced by a newer one in the repository, you can do a quick&dirty workaround instead of starting over - put the newer .rpm file in /root/rpms/ and rename it to the expected old name in a "!" escape. If you need to do that, please let me know what the new version is (preferably as a patch to the lspp-config/kickstart/src/rpms.lst file, which is the source for the list in the individual kickstart files).

RPM download:
http://klaus.vh.swiftco.net/lspp/SRPMS/
http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:
http://klaus.vh.swiftco.net/lspp/git/

-Klaus

From ltcgcw at us.ibm.com Mon Apr 9 02:56:03 2007
From: ltcgcw at us.ibm.com (George C. Wilson)
Date: Sun, 8 Apr 2007 21:56:03 -0500
Subject: [redhat-lspp] [Reminder] LSPP Bug Telecon Mon., Apr. 9
Message-ID: <20070409025602.GA530@us.ibm.com>

IBM hosts the LSPP Bug Telecon every Monday at 20:00 UTC. If you would
like to participate and are not already an attendee, please reply directly
to me with your contact information. I will respond with an invitation
after review by the existing participants. Please note that the number of
attendees may be limited by our call center's restrictions on maximum
lines per conference.

--
George Wilson
IBM Linux Technology Center

From klaus at atsec.com Mon Apr 9 18:22:20 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Mon, 9 Apr 2007 13:22:20 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.30 released
Message-ID: <20070409182220.GC17276@w-m-p.com>

Hello all,

This version adds George's "rbac-self-test" to the RPM package. It's not
run as part of the installation, just installed along with the necessary
policy to make it work. Many thanks to George for integrating this.

Changes in 0.30:

commit c2b44e390102e5c4448d71eb2cc9b2558a29a34d
Author: George Wilson
Date:   Sat Apr 7 19:18:31 2007 -0500

    capp-lspp-config.in: mods for rbac-self-test

    Make capp-lspp-config mods to build and load rbac-self-test policy and
    label the self test. Policy needs to be reduced to a single file and
    minimized. It also needs to work at SystemHigh. However, the changes do
    not break existing functionality so far as I can tell with both command
    line and kickstart tests.

commit f775a10ed59ed42b58c667c7b5a964247c25d862
Author: George Wilson
Date:   Sat Apr 7 15:09:40 2007 -0500

    Add rbac-self-test files.

    Still need to build policy during install--don't want to build policy
    on potentially non-TOE machine. But this at least seems not to break
    the build.

Please get the packages the script requests in the postinstall phase from
the http://people.redhat.com/sgrubb/files/lspp/ repository.

Workarounds: If the script requires a package that has been replaced by a
newer one in the repository, you can do a quick&dirty workaround instead of
starting over - put the newer .rpm file in /root/rpms/ and rename it to the
expected old name in a "!" escape. If you need to do that, please let me
know what the new version is (preferably as a patch to the
lspp-config/kickstart/src/rpms.lst file, which is the source for the list
in the individual kickstart files).

RPM download:
  http://klaus.vh.swiftco.net/lspp/SRPMS/
  http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:
  http://klaus.vh.swiftco.net/lspp/git/

-Klaus

From klaus at atsec.com Tue Apr 10 19:03:08 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Tue, 10 Apr 2007 14:03:08 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.31 released
Message-ID: <20070410190308.GD17276@w-m-p.com>

Hello all,

bumping version numbers to match the current repository (thanks George),
no other changes.

Changes in 0.31:

commit 8a2dc98ac07a9239be044571f4e9dae8757f8b41
Author: George Wilson
Date:   Tue Apr 10 13:44:35 2007 -0500

    Bump audit, kernel, and SELinux policy versions.

Please get the packages the script requests in the postinstall phase from
the http://people.redhat.com/sgrubb/files/lspp/ repository.

Workarounds: If the script requires a package that has been replaced by a
newer one in the repository, you can do a quick&dirty workaround instead of
starting over - put the newer .rpm file in /root/rpms/ and rename it to the
expected old name in a "!" escape. If you need to do that, please let me
know what the new version is (preferably as a patch to the
lspp-config/kickstart/src/rpms.lst file, which is the source for the list
in the individual kickstart files).

RPM download:
  http://klaus.vh.swiftco.net/lspp/SRPMS/
  http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:
  http://klaus.vh.swiftco.net/lspp/git/

-Klaus

From klaus at atsec.com Tue Apr 10 20:26:52 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Tue, 10 Apr 2007 15:26:52 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.32 released
Message-ID: <20070410202652.GE17276@w-m-p.com>

Hello all,

another new SELinux policy (thanks George for the notification), no other
changes.

Changes in 0.32:

commit 801bdcec8251c75e05f98ad21a9bbfdc49c6e1a2
Author: George Wilson
Date:   Tue Apr 10 15:03:35 2007 -0500

    Bump SELinux policy to 54.

Please get the packages the script requests in the postinstall phase from
the http://people.redhat.com/sgrubb/files/lspp/ repository.

Workarounds: If the script requires a package that has been replaced by a
newer one in the repository, you can do a quick&dirty workaround instead of
starting over - put the newer .rpm file in /root/rpms/ and rename it to the
expected old name in a "!" escape. If you need to do that, please let me
know what the new version is (preferably as a patch to the
lspp-config/kickstart/src/rpms.lst file, which is the source for the list
in the individual kickstart files).

RPM download:
  http://klaus.vh.swiftco.net/lspp/SRPMS/
  http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:
  http://klaus.vh.swiftco.net/lspp/git/

-Klaus

From klaus at atsec.com Tue Apr 10 22:21:28 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Tue, 10 Apr 2007 17:21:28 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.33 released
Message-ID: <20070410222128.GF17276@w-m-p.com>

Hello all,

new ipsec tools (thanks George for the notification), no other changes.

Changes in 0.33:

commit 3bc60247e5d9f09201fbf4405fd9c027ad56bb4a
Author: George Wilson
Date:   Tue Apr 10 15:58:40 2007 -0500

    Bump ipsec-tools version.

Please get the packages the script requests in the postinstall phase from
the http://people.redhat.com/sgrubb/files/lspp/ repository.

Workarounds: If the script requires a package that has been replaced by a
newer one in the repository, you can do a quick&dirty workaround instead of
starting over - put the newer .rpm file in /root/rpms/ and rename it to the
expected old name in a "!" escape. If you need to do that, please let me
know what the new version is (preferably as a patch to the
lspp-config/kickstart/src/rpms.lst file, which is the source for the list
in the individual kickstart files).

RPM download:
  http://klaus.vh.swiftco.net/lspp/SRPMS/
  http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:
  http://klaus.vh.swiftco.net/lspp/git/

-Klaus

From loulwas at us.ibm.com Tue Apr 10 22:42:32 2007
From: loulwas at us.ibm.com (Loulwa Salem)
Date: Tue, 10 Apr 2007 17:42:32 -0500
Subject: [redhat-lspp] LSPP Development Telecon 04/09/2007 Minutes
Message-ID: <461C12D8.5030704@us.ibm.com>

04/09/2007 lspp Meeting Minutes:
===============================

Attendees

Lawrence Wilson (IBM) - LW
George Wilson (IBM) - GW
Kris Wilson (IBM) - KEW
Loulwa Salem (IBM) - LS
Joy Latten (IBM) - JL
Klaus Kiwi (IBM) - KK
Irina Boverman (Red Hat) - IB
Steve Grubb (Red Hat) - SG
Dan Walsh (Red Hat) - DW
Eric Paris (Red Hat) - EP
Lisa Smith (HP) - LMS
Linda Knippers (HP) - LK
Amy Griffis (HP) - AG
Matt Anderson (HP) - MA
Paul Moore (HP) - PM
Klaus Weidner (Atsec) - KW
Ken Hake (Atsec) - KH
Chad Hanson (TCS) - CH
Joe Nall - JN

Agenda:

General Issues
Bug Discussion

Repo: http://people.redhat.com/sgrubb/files/lspp/

RHEL 5+ Packages

acl-2.2.39-2.1.el5
aide-0.12-8.el5
audit-1.3.1-3.el5
audit-libs-1.3.1-3.el5
audit-libs-devel-1.3.1-3.el5
audit-libs-python-1.3.1-3.el5
cups-1.2.4-11.8.el5
cups-devel-1.2.4-11.8.el5
cups-libs-1.2.4-11.8.el5
ipsec-tools-0.6.5-6.2.el5
kernel-2.6.18-8.1.1.lspp.72.el5
kernel-devel-2.6.18-8.1.1.lspp.72.el5
kernel-doc-2.6.18-8.1.1.lspp.72.el5
libacl-2.2.39-2.1.el5
libacl-devel-2.2.39-2.1.el5
libselinux-1.33.4-4.el5
libselinux-devel-1.33.4-4.el5
libselinux-python-1.33.4-4.el5
mcstrans-0.2.3-1.el5
openssh-4.3p2-21.el5
openssh-askpass-4.3p2-21.el5
openssh-clients-4.3p2-21.el5
openssh-server-4.3p2-21.el5
pam-0.99.6.2-3.19.el5
pam-devel-0.99.6.2-3.19.el5
policycoreutils-1.33.12-7.el5
policycoreutils-newrole-1.33.12-7.el5
selinux-policy-2.4.6-50.el5
selinux-policy-devel-2.4.6-50.el5
selinux-policy-mls-2.4.6-50.el5
selinux-policy-strict-2.4.6-50.el5
selinux-policy-targeted-2.4.6-50.el5
vixie-cron-4.1-67.el5
lspp-eal4-config-ibm-0.29-1
rbac-self-test (patches submitted for config RPM)

Tracker Bug:
https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=224041

Query:
https://bugzilla.redhat.com/bugzilla/buglist.cgi?cmdtype=runnamed&namedcmd=RHEL%205.0%20LSPP&namedowner=syeghiay at redhat.com&order=bugs.bug_id

JN: I opened a few bugs today, bug# 235720. also an issue with /var/log/messages being system low
KW: have you tried if processes can send msgs to higher levels
JN: It either can write down or syslog can't work above systemlow, either way is broken. I assumed write down worked since syslogd is running at systemLow-high
KW: ... you have to look and see
LK: what's the bug number
JN: bug 235725
GW: we may need to add both to list. General items for discussion? we need to talk about severity of bugs Joe just opened. Also, I sent klaus patches for self tests to incorporate them into KS config package. Other issues people want to bring up before we dive into bug list
KW: I posted version of KS that has that integrated self tests if people want to test it
GW: I would appreciate testing and feedback. I know policy does not work at systemhigh and I am trying to fix that
KW: I think this also was the last piece we needed, also thanks to Linda for her patches. I think the script is now complete; if people have any issue let us know as soon as possible.

Bug List: (Sun Apr 8 22:23:46 EDT 2007 - 12 bugs found.)

ID     Sev Pri Plt Assignee             Status Summary

218386 med nor pow harald at redhat.com ASSI LSPP: labeled ipsec does not work over loopback

JL: I submitted patch to ipsec tools but did not hear back. over weekend I left stress tests running and noticed today that on 72 kernel with latest racoon, if you leave it running, after a certain amount of hours (about 17 in this case) racoon stopped negotiating SA. The complaint was it could no longer open shared key file, and could no longer do the is_selinux_enabled call. George and I noticed that on the machine initiating there was huge amount of file descriptors (fd) open. I'm investigating that now, at first I thought it was result of my loopback patch, but then I ran it with just racoon (without my patch) and I see it in that too.
so it's not result of the patch
KW: sounds like something is opened but not closed. use lsof to see
GW: yes we used that, and we saw lots of sockets still opened
JL: I'm trying to debug it, and not sure why I have not seen this before. When I initially saw this it had been running for 36 hours. I need to go back and check more
SG: try the GA version, to see if it's a patch we added or something already there.
JL: I have a bug opened for that, I'll look it up
SG: about those patches, status is we just got the ok to build that one. overnight I should have a new ipsec-tools package out.
JL: I don't think this is result of loopback patch, so if everyone wants to try it I'd welcome that
GW: can people maybe run a cron job with lsof to monitor it while they are running with the loopback patch
JL: it usually happens on racoon that is on the initiator side. The bug is 235680
GW: that one is on the list actually, and you had all the info in it?
JL: yes.
GW: is that the only problem you see with loopback
JL: I don't think it is related to loopback
GW: should that be built then
JL: yes, the sooner we test and use that the better
GW: is the plan going to be to build that one then steve?
SG: yeah, we just got ok to do build on that one. same with 234491.
JL: both of those patches I sent to ipsec tools and I am still waiting on response.
SG: we got ok on both of those.
GW: Ok thanks.

225443 med nor ppc dwalsh at redhat.com MODI LSPP: No console login on first boot

GW: I was still seeing that and got confirmation from Linda and matt as well. matt installed the extra audit module and saw more messages
LK: I don't think we tried the latest policy
GW: yeah, I have not seen it.
SG: I think we are still waiting on the build
GW: .50 is the last version in repo
LK: so only .50 is there. we are waiting then to verify this one.
228366 med nor All aviro at redhat.com ASSI LSPP: audit does not log obj label for signal recipient

SG: thinking amy updated that one and Eric was supposed to check on it. I'll check on that
LK: yes amy updated it

231090 med urg ppc katzj at redhat.com ASSI LSPP: getattr causes python Segfault

GW: klaus k added a dump on the fifth.
KK: I can use some help with this bug, I can't get a test case running for i386. and the syscall giving me problem is found on i386, z and ppc.
GW: so this is impacting ppc and s390
SG: I've never seen it, not sure if Jeremy is looking at it. It crashes on my x86, so it's hard to really tell if it's a bug in test case or kernel or python bug. On the machine it is supposed to work on it's not working. I don't know what to think. I feel Jeremy is in the same boat.
GW: you are having problem reproducing it.
SG: Jeremy says that first thing to do is go through test case and fix bugs in test case.
GW: the problem is that it should run on i386 or x86_64
SG: it ought to be on all
IB: is that applicable to version 2 of the test case?
SG: I have to check
IB: it's attached to the bug
KK: this status is specific to ppc and it was not available to i386. I also attached the back trace where I am having this segfault.
SG: also you need strace to go with it.
KK: I can try attaching the strace also
SG: have you tried running in GDB
KK: yes the backtrace from GDB is in the comment. And with python debug installed.
SG: does gdb do anything that looks like null pointer. what is it crashing on
KK: it looks like it is trying to assert structure member. it is trying to access exec_exe type and whole thing segfaults. strange thing is that I can't see any misuse of c function we are using inside the swig libraries. It should be able to execute if we have mac permission. I can try working further with it and provide strace. I think strace was running indefinitely with this test case, and didn't have time to look at it further.
but I'll look into it
GW: what else can we do to make progress on this Steve?
SG: can you have anyone else look at it. Jeremy is looking at FC and extras merge, so I think he'll be busy
LK: I built v2 on i386 and it runs. so you might try it to make it easier to troubleshoot.
SG: ok, I'll try
GW: klaus k is looking at it, maybe we can all take a look at it and get more info. So we need info from our side
LK: test case does not build on x86_64 cause of syscall number

231392 hig med All eparis at redhat.com NEW LSPP: Misc soft-lockups in x86_64 lspp.67 kernel

LS: this is the lockup I saw last time and I can't reproduce it. Someone said it was going to be left aside if we can't reproduce it
SG: I thought it might be the soft lockup detection code that has the problem. one thing to consider is the tests have a lot of overhead, so it may have a delay to get back from CPU. once we remove all debug code, it should be faster.
GW: so we still have debug code?
SG: yes .. since we are still adding patches
GW: none of us can run with that in
SG: right .. I think we added all the patches we need for now.
EP: there is one that Joe added .. James will look at it, I'll be out rest of the week.
GW: do we have target for .73 kernel.
EP: I can get it out tomorrow, but definitely there will be at least one more coming
GW: ok, I am trying to get a read on what to expect.
EP: I'll get you one tomorrow, but once James is done we'll get another one
GW: good. both Linda and I need to have idea on when we'll have it.

231529 hig med All twaugh at redhat.com ASSI [LSPP] bogus audit records with cups printing

SG: still looking at that, but leaning towards closing it.
GW: ok, exactly what I had from last week

233153 med med x86 dwalsh at redhat.com ASSI LSPP: semanage not always removing entry from /etc/selinu...

LS: joy and I were looking at this, but did not find anything yet.
JL: it's not semanage it seems.
it's a library call to libsemanage
DW: you know how this happened
JL: so far we are still trying to figure it out
LS: the test case has a comment that says it has to make direct calls to libsemanage because you can't directly manipulate nodes from semanage. so we are still trying to figure out all the functions it's going through
DW: why are you calling the library. semanage then should handle nodes, you might want to open a bug about that.
LS: ok .. so we'll open one

234491 med med All harald at redhat.com ASSI LSPP: kernel sends additional ACQUIRES that racoon is not...

GW: we already talked about this. It's getting ready to be built

234923 med med All sgrubb at redhat.com ASSI LSPP: update lspp.rules file for evaluation

SG: have not had chance to look at this yet

235321 med med All sgrubb at redhat.com NEW LSPP: audit DAEMON_CONFIG record truncated

SG: worked on this and right now writing a patch to the daemon

235398 med med All sgrubb at redhat.com NEW LSPP: ausearch does not correctly find out of order records

SG: this has existed since RHEL4 and was scheduled to be fixed in auparse library. I don't know about switching everything to auparse
LK: question is does it block evaluation when it didn't in the past. maybe we can get an opinion from klaus
GW: it may be problem for audit selection
KW: I think it is border line. you can argue that the file is human readable and data is in the file, so can argue that it is not a big deal, but the expectation is that audit parsing functions will work as you expect them to. I'll check with evaluator.
SG: later this week I may look at doing that fix.
LK: as a workaround, someone can always sort the audit log.
SG: well, it's a nasty workaround. The tool now can take stdin, so you can do some shell work to get everything together then pipe it into ausearch. if we do have to fix this one it'll be end of this week, or early next week to start looking at it.
The way to fix it is probably in ausearch tool, then I'll step up the audit version.
GW: let's see what evaluator thinks.

235468 hig med All sgrubb at redhat.com MODI LSPP: ausearch does not return DAEMON_END record when sea...

SG: patch done and will get packaged

235475 hig med i38 jmorris at redhat.com ASSI LSPP: Panic when running IPSEC labeled loopback on LSPP k...

GW: assigned to james, we don't have read when that one will be done
JN: only way to do it is to put a bigger setrans.conf. I can reliably panic the box in two lines of code
GW: so far it's only on 32 bit
JN: I only tried it on 32 bit
GW: has anyone tried this on 64 bit?
LK: I care about 32 bit
SG: is 32 bit going to be evaluated
LK: that's the plan
JN: I can try it on 64 bit.
GW: and just because we have not seen it on 64 bit doesn't mean it's not a problem
JN: problem maybe that vendor supplied translation files are not very stressful. when we started exploring limits we ran into these issues
SG: last eval there was lots of testing with file names at maximum size, I don't know if we are stressing the context size. I know Linda found an issue and based on that, I found similar issues in few other places. I'm fixing that but we should have tests to stress the context. I think selinux is smart and it tries to consolidate them.
JN: I did all even and all odd to avoid it consolidating.
SG: ok, good
GW: it will help us all to try to invoke this. I'll give this a shot on ppc to see what happens
SG: I'm wondering if pam has everything the way it should be so it's not truncating anything. if you log in with long context, are we gonna get all that info in PAM. it's a lot of gray area
GW: yeah, there are lots of possibilities for breaking. we have tests that use large number of categories, but not running on 32 bit.
235675 med med All esandeen at redhat.com ASSI LSPP: INFO: possible recursive locking detected

GW: Linda found this one
LK: I don't know anything about it more than what I put in there, it seems it had to do with pre-link.
GW: could this have been provoked by debug stuff in kernel
LK: I assumed the debug code causes it to be detected, but not happen
EP: I doubt it'll cause it, but debug shows you the message. I'll try to get someone to look at it
GW: you say it's possible, so it might not be happening
LK: yes. and everything kept running, so I'm not sure.

235680 med med pow harald at redhat.com ASSI LSPP: racoon is unable to open files after running for 17...

GW: already talked about that one. this is the fd leak in racoon.
IB: who is looking into that
GW: Joy is looking into that actively
SG: it's not a fd leak, but socket leak.. right?
GW: yes ..

235725 med med All dwalsh at redhat.com MODI In LSPP configuration /var/log/messages is SystemLow

SG: seems like messages should be at syshigh. if it opens up anything else, which it may have info that you don't want people to see. so probably all files that syslog writes to should be high.
LK: why is it actually working
JN: I didn't look at code a lot. the daemon is running low-high and writing its files at low. it really just had not been looked at
GW: sounds like a downgrade to me
SG: you can send info to syslog, and get info
LK: can someone identify what in policy is allowing it to happen. I was looking if type has special privileges or is it a trusted object
JN: I think it's because it's a low-high daemon. if I did this on permissive system it's one of two bugs ..
KW: if you are testing in permissive you can't tell if protection is working or not.
KK: it won't make difference if it's systemlow-high, since sysadm for example has overrides.
SG: what did we do for audit daemon .. if it fails it writes to syslog
SG: I agree, stuff should be high.
DW: it's a trusted object so you can write to it not read from it.
LK: are there any tools like logrotate that will break or are they running at the right level
DW: logrotate has overrides I believe.
LK: so who wants to look at this
DW: me, I'll take a look at it.

235720 med med i38 harald at redhat.com NEW LSPP: setkey -D fails for large numbers of Security Assoc...

JN: I used the setrans.conf file attached and script that goes with it which creates 100s of SA, when you get to 195 it stops.
CH: are you using setkey to display that
JN: yes
CH: that does not work.
GW: we talked about this.. you have to use netlink
CH: yeah, so you need to not use pfkey. that's a fundamental pfkey issue
GW: has anyone made changes to ipsec to use netlink, since we talked about that
CH: we never got around to it since we switched to openswan which already uses netlink
SG: we heard from a lot of networking people that ipsec-tools is not the way we want to do things next time
CH: Venkat is working on porting things to openswan.
JL: so you have all the code we need in openswan?
CH: not yet
SG: and we don't package openswan with RHEL
CH: right .. it's in Fedora
JN: so is this a duplicate of another bug?
JL: Chad, are you planning on submitting it to openswan.
CH: yes
JL: It'll be a good idea since a lot of people prefer openswan. out of curiosity, does openswan have the loopback issue
CH: I think it does, but I don't know the answer to that. James Morris prefers that I remember
JL: yes, he liked it more, he says it has better SA management
CH: and the openswan mailing list is more active than ipsec.
LK: would that be an option for what we are doing now
JL: does it have an IKE daemon?
CH: I believe that's what Pluto is
GW: yes I'm curious about Linda's question too
LK: is it blocking bug from an evaluating perspective
CH: they are all there, but kernel won't allow you to dump them all out. temporary hack is to change a kernel line to not have a resource limit.
SG: that particular issue is not going to be decision for me or Eric to make, so we would need to take it internally
LK: so we'll just live with it? trying to figure this out
CH: it existed with ipsec for a while.
JN: I think it'll be an issue that will happen a lot
PM: and I think it'll happen even not only on loopback, but also creating SAs.. and many other scenarios
JN: if I run simplest data, I end up with few hundreds on the box
PM: and expand that for each SPD .. I guess the point I am making is that even if not on localhost, trying to talk to remote host will cause you to create lots of SAs anyway
JN: I agree
GW: RH bug 181617 is about the same issue. it was closed by steve, with comment "patch applied in April". was that openswan since this is against rawhide
SG: this was April of last year?
LK: yes, but it was closed last September.
JL: I'll look at mailing list archive to see if there was a patch
CH: there was no patch from our part since this was a design issue
GW: we've known about this for long time. should we have been doing our work on openswan
CH: it's not in RHEL ..
GW: should we have opened issue tracker (IT) to include openswan before
SG: it's possible, even if you open one now, I would fight for it given the circumstances
EP: do you have documentation that people can take a look at for openswan
CH: not yet ..
PM: if you are working on it, it would be good to share it since we are just learning this about it
GW: seems to be a good direction for us to pursue. We knew about this a long time ago, I wish we lobbied this long time ago
SG: we can lobby still
GW: but it won't be possible for this evaluation. we are trying to have everything closed at this point. maybe it can be added to 5.1, I don't know though, adding packages in updates is not looked upon kindly.
SG: looks like in changelog there was something around April 18 where we applied a patch to ipsec tools. I'll look to see if there was a patch that got lost somewhere.
GW: that would be great to see if we have fix for this. people are going to be hitting this.
GW: so we are not done yet and it looks like next week is earliest we will have anything
SG: bug number is dropping, but we still got more to go.
GW: yes, we are getting close
SG: I'll be publishing the .52 policy in few minutes, and hopefully tomorrow ipsec-tools will be out
KW: I talked to Stephan on audit bug we talked about, and he agrees that it is not a show stopper as long as it is logging. no immediate need to fix it
GW: do we have to document it.
KW: wouldn't hurt to do that
GW: any other issues to bring up? Thanks Joe for helping test and bring up those last two issues
JN: you're welcome
DW: I'll put out a package with syslog logs at systemhigh for people to try. I'll put it out tomorrow
SG: if you want to open feature request about openswan, go ahead and open it in case we need it. assign it to me and I'll work on the politics on this side
GW: should that be an issue tracker
SG: probably go through the proper channel to request feature. Actually I'll open a bugzilla, then you can attach issue tracker to it. we can get that started at least
GW: anything else? ok, we'll adjourn and we'll continue testing. bye. Thanks

From klaus at atsec.com Wed Apr 11 19:46:04 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Wed, 11 Apr 2007 14:46:04 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.33 released
In-Reply-To: <20070410222128.GF17276@w-m-p.com>
References: <20070410222128.GF17276@w-m-p.com>
Message-ID: <20070411194603.GG17276@w-m-p.com>

On Tue, Apr 10, 2007 at 05:21:28PM -0500, Klaus Weidner wrote:
> Hello all,
>
> new ipsec tools (thanks George for the notification), no other changes.

The RPMs were not being built due to a config error, please try again if
you were missing those earlier. I've bumped the version to 0.34 with no
content changes.

-Klaus

From joe at nall.com Wed Apr 11 20:08:51 2007
From: joe at nall.com (Joe Nall)
Date: Wed, 11 Apr 2007 15:08:51 -0500
Subject: [redhat-lspp] new ipsec-tools package
Message-ID:

I'm not having any luck with this package:

/var/log/message

Apr 11 14:56:39 fc6work racoon: ERROR: no configuration found for 127.0.0.1.
Apr 11 14:56:39 fc6work racoon: ERROR: failed to begin ipsec sa negotication.
Apr 11 14:57:09 fc6work racoon: INFO: security context doi: 1
Apr 11 14:57:09 fc6work racoon: INFO: security context algorithm: 1
Apr 11 14:57:09 fc6work racoon: INFO: security context length: 44
Apr 11 14:57:09 fc6work racoon: INFO: security context: system_u:system_r:jcdx_ep_t:s0-s15:c0.c1023
Apr 11 14:57:09 fc6work racoon: ERROR: no configuration found for 127.0.0.1.
Apr 11 14:57:09 fc6work racoon: ERROR: failed to begin ipsec sa negotication.
Apr 11 14:57:39 fc6work racoon: INFO: security context doi: 1
Apr 11 14:57:39 fc6work racoon: INFO: security context algorithm: 1
Apr 11 14:57:39 fc6work racoon: INFO: security context length: 43

setkey -DP
...
127.0.0.1[any] 127.0.0.1[any] any
	in prio def ipsec
	esp/transport//require
	created: Apr 11 09:46:32 2007  lastused:
	lifetime: 0(s) validtime: 0(s)
	security context doi: 1
	security context algorithm: 1
	security context length: 46
	security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
	spid=8 seq=13 pid=3351
	refcnt=1
10.211.55.6[any] 10.211.55.6[any] any
	in prio def ipsec
	esp/transport//require
	created: Apr 11 09:46:32 2007  lastused:
	lifetime: 0(s) validtime: 0(s)
	security context doi: 1
	security context algorithm: 1
	security context length: 46
	security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
	spid=32 seq=12 pid=3351
	refcnt=1
127.0.0.1[any] 127.0.0.1[any] any
	out prio def ipsec
	esp/transport//require
	created: Apr 11 09:46:32 2007  lastused: Apr 11 15:00:11 2007
	lifetime: 0(s) validtime: 0(s)
	security context doi: 1
	security context algorithm: 1
	security context length: 46
	security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
	spid=1 seq=11 pid=3351
	refcnt=41
10.211.55.6[any] 10.211.55.6[any] any
	out prio def ipsec
	esp/transport//require
	created: Apr 11 09:46:32 2007  lastused: Apr 11 14:59:39 2007
	lifetime: 0(s) validtime: 0(s)
	security context doi: 1
	security context algorithm: 1
	security context length: 46
	security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
	spid=25 seq=10 pid=3357
	refcnt=3
127.0.0.1[any] 127.0.0.1[any] any
	fwd prio def ipsec
	esp/transport//require
	created: Apr 11 09:46:32 2007  lastused:
	lifetime: 0(s) validtime: 0(s)
	security context doi: 1
	security context algorithm: 1
	security context length: 46
	security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
	spid=18 seq=9 pid=3357
	refcnt=1
10.211.55.6[any] 10.211.55.6[any] any
	fwd prio def ipsec
	esp/transport//require
	created: Apr 11 09:46:32 2007  lastused:
	lifetime: 0(s) validtime: 0(s)
	security context doi: 1
	security context algorithm: 1
	security context length: 46
	security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
	spid=42 seq=8 pid=3357
	refcnt=1

/var/log/audit/audit.log has lots of polmatch avcs

type=AVC msg=audit(1176302177.663:28): avc: denied { polmatch } for pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 tclass=association
type=AVC msg=audit(1176302177.663:28): avc: denied { sendto } for pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:system_r:cupsd_t:s15:c0.c1023 tclass=association
type=SYSCALL msg=audit(1176302177.663:28): arch=40000003 syscall=102 success=no exit=-3 a0=3 a1=bfe48050 a2=2baff4 a3=2 items=0 ppid=2128 pid=2129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s15:c0.c1023 key=(null)

I'm running a modified version of the 2.5.2 policy with xace changes from
Eamon Walsh. I'll try to build a box with current LSPP policy to determine
if it a policy issue.

joe

From paul.moore at hp.com Wed Apr 11 20:38:22 2007
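The three audit records Joe quotes share one event id, msg=audit(1176302177.663:28), and that id is what ties an AVC denial to the SYSCALL record that names the process and its subj= label. Two items in the telecon minutes above turn on exactly this bookkeeping: bug 235398 (ausearch does not find records written out of order) and the DAEMON_END question at the top of the thread (a record's subject lives in subj= on SYSCALL and DAEMON_* records but in scontext= on AVC records, so a subject search has to look at both). The Python below is an added example, not code from the list or from the audit project; it groups records into events by their id regardless of arrival order and searches events by subject. SAMPLE_LOG is constructed: the AVC and SYSCALL lines follow the shape of the records quoted above but are written out of order with another event interleaved, and the DAEMON_END line, its pid and its auditctl_t subject are invented for the example.

```python
"""Group Linux audit records into events and search them by subject.

Added example for this thread, not code from the list or the audit project.
Every record carrying the same msg=audit(SECONDS.MSECS:SERIAL) id belongs to
one event, even when records reach the log out of order; a subject search
must consult subj= (SYSCALL, DAEMON_*) as well as scontext= (AVC).
SAMPLE_LOG is constructed: the AVC/SYSCALL lines mirror the records quoted
in the thread but are deliberately out of order, and the DAEMON_END record
(pid, auid, subject) is invented.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=AVC msg=audit(1176302177.663:28): avc: denied { polmatch } for pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 tclass=association
type=DAEMON_END msg=audit(1176302200.001:29): auditd normal halt, sending auid=500 pid=1800 subj=root:system_r:auditctl_t:s0-s15:c0.c1023 res=success
type=AVC msg=audit(1176302177.663:28): avc: denied { sendto } for pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:system_r:cupsd_t:s15:c0.c1023 tclass=association
type=SYSCALL msg=audit(1176302177.663:28): arch=40000003 syscall=102 success=no exit=-3 a0=3 a1=bfe48050 a2=2baff4 a3=2 items=0 ppid=2128 pid=2129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s15:c0.c1023 key=(null)
"""

MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """One audit line -> {'event': (secs, msecs, serial), 'fields': {...}}.

    Lines without an msg=audit(...) id are not audit records and yield None.
    """
    m = MSG_RE.search(line)
    if not m:
        return None
    secs, msecs, serial = (int(x) for x in m.groups())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {"event": (secs, msecs, serial), "fields": fields, "raw": line}


def group_events(lines):
    """Collect records into events keyed by id, whatever order they arrive in.

    Returns [(event_id, [records...]), ...] sorted by time and serial, so a
    log with interleaved or late records still yields complete events.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["event"]].append(rec)
    return [(key, events[key]) for key in sorted(events)]


def subject_of(rec):
    """The subject label of a record, whichever field name carries it."""
    fields = rec["fields"]
    return fields.get("subj") or fields.get("scontext")


def search_by_subject(lines, label):
    """Ids of all events in which some record carries the given subject."""
    return [key for key, recs in group_events(lines)
            if any(subject_of(r) == label for r in recs)]


def record_types(lines, event_id):
    """Record types that make up one event, in log order."""
    for key, recs in group_events(lines):
        if key == event_id:
            return [r["fields"]["type"] for r in recs]
    return []


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, recs in group_events(lines):
        print(key, [r["fields"]["type"] for r in recs], subject_of(recs[-1]))
```

Grouping by the full (seconds, milliseconds, serial) tuple rather than by line position is the point: the interleaved DAEMON_END line does not split the cupsd event, and sorting the keys normalises a log whose records arrived late. Searching on whichever of subj= or scontext= a record carries is why the constructed DAEMON_END record is found by its subject even though it has no scontext= field.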
From: paul.moore at hp.com (Paul Moore) Date: Wed, 11 Apr 2007 16:38:22 -0400 Subject: [redhat-lspp] new ipsec-tools package In-Reply-To: References: Message-ID: <200704111638.22883.paul.moore@hp.com> On Wednesday, April 11 2007 4:08:51 pm Joe Nall wrote: > I'm not having any luck with this package: > > /var/log/message > > Apr 11 14:56:39 fc6work racoon: ERROR: no configuration found for > 127.0.0.1. > Apr 11 14:56:39 fc6work racoon: ERROR: failed to begin ipsec sa > negotication. > Apr 11 14:57:09 fc6work racoon: INFO: security context doi: 1 > Apr 11 14:57:09 fc6work racoon: INFO: security context algorithm: 1 > Apr 11 14:57:09 fc6work racoon: INFO: security context length: 44 > Apr 11 14:57:09 fc6work racoon: INFO: security context: > system_u:system_r:jcdx_ep_t:s0-s15:c0.c1023 > Apr 11 14:57:09 fc6work racoon: ERROR: no configuration found for > 127.0.0.1. > Apr 11 14:57:09 fc6work racoon: ERROR: failed to begin ipsec sa > negotication. > Apr 11 14:57:39 fc6work racoon: INFO: security context doi: 1 > Apr 11 14:57:39 fc6work racoon: INFO: security context algorithm: 1 > Apr 11 14:57:39 fc6work racoon: INFO: security context length: 43 > > {snip} > > /var/log/audit/audit.log has lots of polmatch avcs > > type=AVC msg=audit(1176302177.663:28): avc: denied { polmatch } > for pid=2129 comm="cupsd" > scontext=system_u:system_r:cupsd_t:s15:c0.c1023 > tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 > tclass=association > type=AVC msg=audit(1176302177.663:28): avc: denied { sendto } for > pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 > tcontext=system_u:system_r:cupsd_t:s15:c0.c1023 tclass=association > type=SYSCALL msg=audit(1176302177.663:28): arch=40000003 syscall=102 > success=no exit=-3 a0=3 a1=bfe48050 a2=2baff4 a3=2 items=0 ppid=2128 > pid=2129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" > subj=system_u:system_r:cupsd_t:s15:c0.c1023 key=(null) > Do you see 
any polmatch denials with a scontext value of "system_u:system_r:jcdx_ep_t:s0-s15:c0.c1023"? The AVC denials above are all for CUPS ... -- paul moore linux security @ hp From latten at austin.ibm.com Wed Apr 11 20:31:55 2007
From: latten at austin.ibm.com (Joy Latten) Date: Wed, 11 Apr 2007 15:31:55 -0500 Subject: [redhat-lspp] new ipsec-tools package In-Reply-To: References: Message-ID: <1176323516.3085.726.camel@faith.austin.ibm.com> On Wed, 2007-04-11 at 15:08 -0500, Joe Nall wrote: > I'm not having any luck with this package: > > /var/log/message > > Apr 11 14:56:39 fc6work racoon: ERROR: no configuration found for > 127.0.0.1. > Apr 11 14:56:39 fc6work racoon: ERROR: failed to begin ipsec sa > negotication. > Apr 11 14:57:09 fc6work racoon: INFO: security context doi: 1 > Apr 11 14:57:09 fc6work racoon: INFO: security context algorithm: 1 > Apr 11 14:57:09 fc6work racoon: INFO: security context length: 44 > Apr 11 14:57:09 fc6work racoon: INFO: security context: > system_u:system_r:jcdx_ep_t:s0-s15:c0.c1023 > Apr 11 14:57:09 fc6work racoon: ERROR: no configuration found for > 127.0.0.1. > Apr 11 14:57:09 fc6work racoon: ERROR: failed to begin ipsec sa > negotication. > Apr 11 14:57:39 fc6work racoon: INFO: security context doi: 1 > Apr 11 14:57:39 fc6work racoon: INFO: security context algorithm: 1 > Apr 11 14:57:39 fc6work racoon: INFO: security context length: 43 Joe, I think this might be happening because of missing info in your racoon.conf. Do you have a "remote " statement in your racoon.conf? Please see the racoon.conf I attached to the bz 235475. I will also send to the list my config for labeled ipsec over loopback so others can also start testing on it. > setkey -DP > ... 
> 127.0.0.1[any] 127.0.0.1[any] any > in prio def ipsec > esp/transport//require > created: Apr 11 09:46:32 2007 lastused: > lifetime: 0(s) validtime: 0(s) > security context doi: 1 > security context algorithm: 1 > security context length: 46 > security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 > spid=8 seq=13 pid=3351 > refcnt=1 > 10.211.55.6[any] 10.211.55.6[any] any > in prio def ipsec > esp/transport//require > created: Apr 11 09:46:32 2007 lastused: > lifetime: 0(s) validtime: 0(s) > security context doi: 1 > security context algorithm: 1 > security context length: 46 > security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 > spid=32 seq=12 pid=3351 > refcnt=1 > 127.0.0.1[any] 127.0.0.1[any] any > out prio def ipsec > esp/transport//require > created: Apr 11 09:46:32 2007 lastused: Apr 11 15:00:11 2007 > lifetime: 0(s) validtime: 0(s) > security context doi: 1 > security context algorithm: 1 > security context length: 46 > security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 > spid=1 seq=11 pid=3351 > refcnt=41 > 10.211.55.6[any] 10.211.55.6[any] any > out prio def ipsec > esp/transport//require > created: Apr 11 09:46:32 2007 lastused: Apr 11 14:59:39 2007 > lifetime: 0(s) validtime: 0(s) > security context doi: 1 > security context algorithm: 1 > security context length: 46 > security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 > spid=25 seq=10 pid=3357 > refcnt=3 > 127.0.0.1[any] 127.0.0.1[any] any > fwd prio def ipsec > esp/transport//require > created: Apr 11 09:46:32 2007 lastused: > lifetime: 0(s) validtime: 0(s) > security context doi: 1 > security context algorithm: 1 > security context length: 46 > security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 > spid=18 seq=9 pid=3357 > refcnt=1 > 10.211.55.6[any] 10.211.55.6[any] any > fwd prio def ipsec > esp/transport//require > created: Apr 11 09:46:32 2007 lastused: > lifetime: 0(s) validtime: 0(s) > security context doi: 1 > security context 
algorithm: 1 > security context length: 46 > security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 > spid=42 seq=8 pid=3357 > refcnt=1 > ipsec policy looks good. > /var/log/audit/audit.log has lots of polmatch avcs > > type=AVC msg=audit(1176302177.663:28): avc: denied { polmatch } > for pid=2129 comm="cupsd" > scontext=system_u:system_r:cupsd_t:s15:c0.c1023 > tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 > tclass=association > type=AVC msg=audit(1176302177.663:28): avc: denied { sendto } for > pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 > tcontext=system_u:system_r:cupsd_t:s15:c0.c1023 tclass=association > type=SYSCALL msg=audit(1176302177.663:28): arch=40000003 syscall=102 > success=no exit=-3 a0=3 a1=bfe48050 a2=2baff4 a3=2 items=0 ppid=2128 > pid=2129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" > subj=system_u:system_r:cupsd_t:s15:c0.c1023 key=(null) > Yes, this is a policy issue here. cupsd_t does not have permission to use ipsec policy containing label, ipsec_spd_t. In the latest LSPP policy, Dan W. has added ipsec policy such that everything in "domain" has permission to use default ipsec policy type, ipsec_spd_t. I am not absolutely sure, but I THINK Chris P. also made the changes to general selinux policy. Joy From joe at nall.com Wed Apr 11 20:57:21 2007 
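A quick way to answer Paul's question (are any of the polmatch denials coming from jcdx_ep_t, or only from cupsd_t?) is to reduce the AVC records to the (source type, target type, class, permissions) tuples that audit2allow would print. The script below is an added example, not part of the thread; its sample input is the three records Joe posted, and the function names are this example's own. It carries the same caveat as audit2allow: grouping by type discards the MLS fields, and on an MLS system a denial that is the intended policy outcome looks exactly like one that needs a new allow rule, so the generated rule is a diagnostic, not something to load.

```python
"""Summarise SELinux AVC denials into audit2allow-style rules.

Added example, not code from the redhat-lspp thread.  SAMPLE_AUDIT_LOG holds
the records Joe posted for cupsd; everything else here is this example's own
construction.
"""
import re
from collections import defaultdict

# Records copied from the thread: cupsd denied polmatch/sendto on 'association'.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1176302177.663:28): avc: denied { polmatch } for pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 tclass=association
type=AVC msg=audit(1176302177.663:28): avc: denied { sendto } for pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:system_r:cupsd_t:s15:c0.c1023 tclass=association
type=SYSCALL msg=audit(1176302177.663:28): arch=40000003 syscall=102 success=no exit=-3 a0=3 a1=bfe48050 a2=2baff4 a3=2 items=0 ppid=2128 pid=2129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s15:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type field of user:role:type[:mls]; the MLS tail may itself contain ':'."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into a dict; returns None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['serial'] = int(m.group('serial'))
    fields['perms'] = set(m.group('perms').split())
    return fields


def denials(log_text, source_type=None):
    """All AVC denials in log_text, optionally only those from a given source type."""
    out = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        if source_type is None or context_type(avc['scontext']) == source_type:
            out.append(avc)
    return out


def allow_rules(log_text):
    """Collapse denials into 'allow stype ttype:class perms;' lines, audit2allow style.

    The MLS part of both contexts is dropped here, exactly as audit2allow does,
    so the rule says nothing about whether an mlsconstrain was involved.
    """
    grouped = defaultdict(set)
    for avc in denials(log_text):
        key = (context_type(avc['scontext']), context_type(avc['tcontext']), avc['tclass'])
        grouped[key] |= avc['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        body = ' '.join(sorted(perms))
        if len(perms) > 1:
            body = '{ %s }' % body
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, body))
    return rules


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    # Paul's question: any polmatch denials whose source is jcdx_ep_t?
    print('jcdx_ep_t denials:', len(denials(SAMPLE_AUDIT_LOG, 'jcdx_ep_t')))
```

Run it against a real /var/log/audit/audit.log by reading the file into `allow_rules()`; on the sample it prints the two cupsd rules and zero jcdx_ep_t denials, which is the answer Paul was after.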
From: joe at nall.com (Joe Nall) Date: Wed, 11 Apr 2007 15:57:21 -0500 Subject: [redhat-lspp] new ipsec-tools package In-Reply-To: <1176323516.3085.726.camel@faith.austin.ibm.com> References: <1176323516.3085.726.camel@faith.austin.ibm.com> Message-ID: <5519C4FE-CA62-448C-BFF1-2ACAFACC08A2@nall.com> On Apr 11, 2007, at 3:31 PM, Joy Latten wrote: > On Wed, 2007-04-11 at 15:08 -0500, Joe Nall wrote: >> I'm not having any luck with this package: >> > > Joe, I think this might be happening because of missing info in > your racoon.conf. Do you have a "remote " > statement > in your racoon.conf. Please see the racoon.conf I attached to the bz > 235475. You are correct, adding the following statement got it working.

remote anonymous {
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        lifetime time 1 hour ;          # sec,min,hour
        initial_contact on;
        proposal_check obey;            # obey, strict or claim
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

Joy, can you try the following (should cause a panic)

runcon "root:sysadm_r:sysadm_t:s2:c0,c2,c4,c6,c8,c10,c12,c14,c16,c18,c20,c22,c2 4,c26,c28,c30,c32,c34,c36,c38,c40,c42,c44,c46,c48,c50,c52,c54,c56,c58,c6 0,c62,c64,c66,c68,c70,c72,c74,c76,c78,c80,c82,c84,c86,c88,c90,c92,c94,c9 6,c98,c100,c102,c104,c106,c108,c110,c112,c114,c116,c118,c120,c122,c124,c 126,c128,c130,c132,c134,c136,c138,c140,c142,c144,c146,c148,c150,c152,c15 4,c156,c158,c160,c162,c164,c166,c168,c170,c172,c174,c176,c178,c180,c182, c184,c186,c188,c190,c192,c194,c196,c198,c200,c202,c204,c206,c208,c210,c2 12,c214,c216,c218,c220,c222,c224,c226,c228,c230,c232,c234,c236,c238,c240 ,c242,c244,c246,c248,c250,c252,c254,c256,c258,c260,c262,c264,c266,c268,c 270,c272,c274,c276,c278,c280,c282,c284,c286,c288,c290,c292,c294,c296,c29 8,c300,c302,c304,c306,c308,c310,c312,c314,c316,c318,c320,c322,c324,c326, c328,c330,c332,c334,c336,c338,c340,c342,c344,c346,c348,c350,c352,c354,c3
56,c358,c360,c362,c364,c366,c368,c370,c372,c374,c376,c378,c380,c382,c384 ,c386,c388,c390,c392,c394,c396,c398,c400,c402,c404,c406,c408,c410,c412,c 414,c416,c418,c420,c422,c424,c426,c428,c430,c432,c434,c436,c438,c440,c44 2,c444,c446,c448,c450,c452,c454,c456,c458,c460,c462,c464,c466,c468,c470, c472,c474,c476,c478,c480,c482,c484,c486,c488,c490,c492,c494,c496,c498,c5 00,c502,c504,c506,c508,c510,c512,c514,c516,c518,c520,c522,c524,c526,c528 ,c530,c532,c534,c536,c538,c540,c542,c544,c546,c548,c550,c552,c554,c556,c 558,c560,c562,c564,c566,c568,c570,c572,c574,c576,c578,c580,c582,c584,c58 6,c588,c590,c592,c594,c596,c598,c600,c602,c604,c606,c608,c610,c612,c614, c616,c618,c620,c622,c624,c626,c628,c630,c632,c634,c636,c638,c640,c642,c6 44,c646,c648,c650,c652,c654,c656,c658,c660,c662,c664,c666,c668,c670,c672 ,c674,c676,c678,c680,c682,c684,c686,c688,c690,c692,c694,c696,c698,c700,c 702,c704,c706,c708,c710,c712,c714,c716,c718,c720,c722,c724,c726,c728,c73 0,c732,c734,c736,c738,c740,c742,c744,c746,c748,c750,c752,c754,c756,c758, c760,c762,c764,c766,c768,c770,c772,c774,c776,c778,c780,c782,c784,c786,c7 88,c790,c792,c794,c796,c798,c800,c802,c804,c806,c808,c810,c812,c814,c816 ,c818,c820,c822,c824,c826,c828,c830,c832,c834,c836,c838,c840,c842,c844,c 846,c848,c850,c852,c854,c856,c858,c860,c862,c864,c866,c868,c870,c872,c87 4,c876,c878,c880,c882,c884,c886,c888,c890,c892,c894,c896,c898,c900,c902, c904,c906,c908,c910,c912,c914,c916,c918,c920,c922,c924,c926,c928,c930,c9 32,c934,c936,c938,c940,c942,c944,c946,c948,c950,c952,c954,c956,c958,c960 ,c962,c964,c966,c968,c970,c972,c974,c976,c978,c980,c982,c984,c986,c988,c 990,c992,c994,c996,c998,c1000,c1002,c1004,c1006,c1008,c1010,c1012,c1014, c1016,c1018,c1020,c1022" -- ping localhost joe From latten at austin.ibm.com Wed Apr 11 22:33:24 2007 
From: latten at austin.ibm.com (Joy Latten) Date: Wed, 11 Apr 2007 17:33:24 -0500 Subject: [redhat-lspp] new ipsec-tools package In-Reply-To: <5519C4FE-CA62-448C-BFF1-2ACAFACC08A2@nall.com> References: <1176323516.3085.726.camel@faith.austin.ibm.com> <5519C4FE-CA62-448C-BFF1-2ACAFACC08A2@nall.com> Message-ID: <1176330804.3085.728.camel@faith.austin.ibm.com> When I issue the runcon below, I am told this is an invalid context. Is there something else I should do first? Joy On Wed, 2007-04-11 at 15:57 -0500, Joe Nall wrote: > "root:sysadm_r:sysadm_t:s2:c0,c2,c4,c6,c8,c10,c12,c14,c16,c18,c20,c22,c2 > 4,c26,c28,c30,c32,c34,c36,c38,c40,c42,c44,c46,c48,c50,c52,c54,c56,c58,c6 > 0,c62,c64,c66,c68,c70,c72,c74,c76,c78,c80,c82,c84,c86,c88,c90,c92,c94,c9 > 6,c98,c100,c102,c104,c106,c108,c110,c112,c114,c116,c118,c120,c122,c124,c > 126,c128,c130,c132,c134,c136,c138,c140,c142,c144,c146,c148,c150,c152,c15 > 4,c156,c158,c160,c162,c164,c166,c168,c170,c172,c174,c176,c178,c180,c182, > c184,c186,c188,c190,c192,c194,c196,c198,c200,c202,c204,c206,c208,c210,c2 > 12,c214,c216,c218,c220,c222,c224,c226,c228,c230,c232,c234,c236,c238,c240 > ,c242,c244,c246,c248,c250,c252,c254,c256,c258,c260,c262,c264,c266,c268,c > 270,c272,c274,c276,c278,c280,c282,c284,c286,c288,c290,c292,c294,c296,c29 > 8,c300,c302,c304,c306,c308,c310,c312,c314,c316,c318,c320,c322,c324,c326, > c328,c330,c332,c334,c336,c338,c340,c342,c344,c346,c348,c350,c352,c354,c3 > 56,c358,c360,c362,c364,c366,c368,c370,c372,c374,c376,c378,c380,c382,c384 > ,c386,c388,c390,c392,c394,c396,c398,c400,c402,c404,c406,c408,c410,c412,c > 414,c416,c418,c420,c422,c424,c426,c428,c430,c432,c434,c436,c438,c440,c44 > 2,c444,c446,c448,c450,c452,c454,c456,c458,c460,c462,c464,c466,c468,c470, > c472,c474,c476,c478,c480,c482,c484,c486,c488,c490,c492,c494,c496,c498,c5 > 00,c502,c504,c506,c508,c510,c512,c514,c516,c518,c520,c522,c524,c526,c528 > ,c530,c532,c534,c536,c538,c540,c542,c544,c546,c548,c550,c552,c554,c556,c > 
558,c560,c562,c564,c566,c568,c570,c572,c574,c576,c578,c580,c582,c584,c58 > 6,c588,c590,c592,c594,c596,c598,c600,c602,c604,c606,c608,c610,c612,c614, > c616,c618,c620,c622,c624,c626,c628,c630,c632,c634,c636,c638,c640,c642,c6 > 44,c646,c648,c650,c652,c654,c656,c658,c660,c662,c664,c666,c668,c670,c672 > ,c674,c676,c678,c680,c682,c684,c686,c688,c690,c692,c694,c696,c698,c700,c > 702,c704,c706,c708,c710,c712,c714,c716,c718,c720,c722,c724,c726,c728,c73 > 0,c732,c734,c736,c738,c740,c742,c744,c746,c748,c750,c752,c754,c756,c758, > c760,c762,c764,c766,c768,c770,c772,c774,c776,c778,c780,c782,c784,c786,c7 > 88,c790,c792,c794,c796,c798,c800,c802,c804,c806,c808,c810,c812,c814,c816 > ,c818,c820,c822,c824,c826,c828,c830,c832,c834,c836,c838,c840,c842,c844,c > 846,c848,c850,c852,c854,c856,c858,c860,c862,c864,c866,c868,c870,c872,c87 > 4,c876,c878,c880,c882,c884,c886,c888,c890,c892,c894,c896,c898,c900,c902, > c904,c906,c908,c910,c912,c914,c916,c918,c920,c922,c924,c926,c928,c930,c9 > 32,c934,c936,c938,c940,c942,c944,c946,c948,c950,c952,c954,c956,c958,c960 > ,c962,c964,c966,c968,c970,c972,c974,c976,c978,c980,c982,c984,c986,c988,c > 990,c992,c994,c996,c998,c1000,c1002,c1004,c1006,c1008,c1010,c1012,c1014, > c1016,c1018,c1020,c1022" -- ping localhost > From joe at nall.com Wed Apr 11 23:24:16 2007 
From: joe at nall.com (Joe Nall) Date: Wed, 11 Apr 2007 18:24:16 -0500 Subject: [redhat-lspp] new ipsec-tools package In-Reply-To: <1176330804.3085.728.camel@faith.austin.ibm.com> References: <1176323516.3085.726.camel@faith.austin.ibm.com> <5519C4FE-CA62-448C-BFF1-2ACAFACC08A2@nall.com> <1176330804.3085.728.camel@faith.austin.ibm.com> Message-ID: <7610C19D-F1D1-4308-BCB7-7A1D82A00CE2@nall.com> Is this line in /etc/selinux/mls/seusers? root:root:s0-s15:c0.c1023 joe On Apr 11, 2007, at 5:33 PM, Joy Latten wrote: > When I issue the runcon below, I am told this is an invalid > context. Is > there something else I should do first? > > Joy > > On Wed, 2007-04-11 at 15:57 -0500, Joe Nall wrote: >> "root:sysadm_r:sysadm_t:s2:c0,c2,c4,c6,c8,c10,c12,c14,c16,c18,c20,c22 >> ,c2 >> 4,c26,c28,c30,c32,c34,c36,c38,c40,c42,c44,c46,c48,c50,c52,c54,c56,c58 >> ,c6 >> 0,c62,c64,c66,c68,c70,c72,c74,c76,c78,c80,c82,c84,c86,c88,c90,c92,c94 >> ,c9 >> 6,c98,c100,c102,c104,c106,c108,c110,c112,c114,c116,c118,c120,c122,c12 >> 4,c >> 126,c128,c130,c132,c134,c136,c138,c140,c142,c144,c146,c148,c150,c152, >> c15 >> 4,c156,c158,c160,c162,c164,c166,c168,c170,c172,c174,c176,c178,c180,c1 >> 82, >> c184,c186,c188,c190,c192,c194,c196,c198,c200,c202,c204,c206,c208,c210 >> ,c2 >> 12,c214,c216,c218,c220,c222,c224,c226,c228,c230,c232,c234,c236,c238,c >> 240 >> ,c242,c244,c246,c248,c250,c252,c254,c256,c258,c260,c262,c264,c266,c26 >> 8,c >> 270,c272,c274,c276,c278,c280,c282,c284,c286,c288,c290,c292,c294,c296, >> c29 >> 8,c300,c302,c304,c306,c308,c310,c312,c314,c316,c318,c320,c322,c324,c3 >> 26, >> c328,c330,c332,c334,c336,c338,c340,c342,c344,c346,c348,c350,c352,c354 >> ,c3 >> 56,c358,c360,c362,c364,c366,c368,c370,c372,c374,c376,c378,c380,c382,c >> 384 >> ,c386,c388,c390,c392,c394,c396,c398,c400,c402,c404,c406,c408,c410,c41 >> 2,c >> 414,c416,c418,c420,c422,c424,c426,c428,c430,c432,c434,c436,c438,c440, >> c44 >> 2,c444,c446,c448,c450,c452,c454,c456,c458,c460,c462,c464,c466,c468,c4 >> 70, >> 
c472,c474,c476,c478,c480,c482,c484,c486,c488,c490,c492,c494,c496,c498 >> ,c5 >> 00,c502,c504,c506,c508,c510,c512,c514,c516,c518,c520,c522,c524,c526,c >> 528 >> ,c530,c532,c534,c536,c538,c540,c542,c544,c546,c548,c550,c552,c554,c55 >> 6,c >> 558,c560,c562,c564,c566,c568,c570,c572,c574,c576,c578,c580,c582,c584, >> c58 >> 6,c588,c590,c592,c594,c596,c598,c600,c602,c604,c606,c608,c610,c612,c6 >> 14, >> c616,c618,c620,c622,c624,c626,c628,c630,c632,c634,c636,c638,c640,c642 >> ,c6 >> 44,c646,c648,c650,c652,c654,c656,c658,c660,c662,c664,c666,c668,c670,c >> 672 >> ,c674,c676,c678,c680,c682,c684,c686,c688,c690,c692,c694,c696,c698,c70 >> 0,c >> 702,c704,c706,c708,c710,c712,c714,c716,c718,c720,c722,c724,c726,c728, >> c73 >> 0,c732,c734,c736,c738,c740,c742,c744,c746,c748,c750,c752,c754,c756,c7 >> 58, >> c760,c762,c764,c766,c768,c770,c772,c774,c776,c778,c780,c782,c784,c786 >> ,c7 >> 88,c790,c792,c794,c796,c798,c800,c802,c804,c806,c808,c810,c812,c814,c >> 816 >> ,c818,c820,c822,c824,c826,c828,c830,c832,c834,c836,c838,c840,c842,c84 >> 4,c >> 846,c848,c850,c852,c854,c856,c858,c860,c862,c864,c866,c868,c870,c872, >> c87 >> 4,c876,c878,c880,c882,c884,c886,c888,c890,c892,c894,c896,c898,c900,c9 >> 02, >> c904,c906,c908,c910,c912,c914,c916,c918,c920,c922,c924,c926,c928,c930 >> ,c9 >> 32,c934,c936,c938,c940,c942,c944,c946,c948,c950,c952,c954,c956,c958,c >> 960 >> ,c962,c964,c966,c968,c970,c972,c974,c976,c978,c980,c982,c984,c986,c98 >> 8,c >> 990,c992,c994,c996,c998,c1000,c1002,c1004,c1006,c1008,c1010,c1012,c10 >> 14, >> c1016,c1018,c1020,c1022" -- ping localhost >> From latten at austin.ibm.com Wed Apr 11 23:08:31 2007 
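Joy's "invalid context" and Joe's seusers question both come down to the MLS part of the runcon context: the kernel accepts a context only if its level is defined in the policy and lies inside the range declared for that SELinux user (seusers normally mirrors that range for the login). The checker below is an added example, not code from the thread. It rebuilds the runcon level from Joe's message (s2 with every even category from c0 to c1022, 512 categories in all), parses a line in the seusers format Joe quoted, and applies the MLS dominance test low <= level <= high. The function names and the narrower "c0.c511" counter-example are this example's own; on a live system libselinux's security_check_context(3) also verifies the user/role/type authorisations that this script deliberately skips.

```python
"""Check an MLS level against a user range in the seusers/policy 'low-high' syntax.

Added example, not code from the redhat-lspp thread.  SEUSERS_LINE is the
line Joe asked about; joes_runcon_context() rebuilds the level from his
runcon command.  Function names and the narrower counter-example are this
example's own.
"""
import re

SEUSERS_LINE = 'root:root:s0-s15:c0.c1023'   # login:seuser:range, as Joe quoted it


def parse_categories(spec):
    """'c0,c2,c4', 'c0.c1023' (inclusive range) or a mix of both -> set of ints."""
    cats = set()
    if not spec:
        return cats
    for part in spec.split(','):
        m = re.fullmatch(r'c(\d+)(?:\.c(\d+))?', part)
        if not m:
            raise ValueError('bad category spec: %r' % part)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        cats.update(range(lo, hi + 1))
    return cats


def parse_level(level):
    """'s2:c0,c2' -> (2, {0, 2}); 's0' -> (0, set())."""
    m = re.fullmatch(r's(\d+)(?::(.*))?', level)
    if not m:
        raise ValueError('bad level: %r' % level)
    return int(m.group(1)), parse_categories(m.group(2) or '')


def parse_range(rng):
    """'s0-s15:c0.c1023' -> (low, high); a single level is a range of itself."""
    low, sep, high = rng.partition('-')
    low_lvl = parse_level(low)
    return low_lvl, (parse_level(high) if sep else low_lvl)


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def level_in_range(level, rng):
    """A level fits a range when low <= level <= high in the dominance order."""
    low, high = rng
    return dominates(level, low) and dominates(high, level)


def context_valid_for_seuser(context, seusers_line):
    """Check the user and MLS fields of a context against one seusers line.

    Role and type authorisations are not checked here; see security_check_context(3).
    """
    login, seuser, rng = seusers_line.split(':', 2)
    user, role, type_, mls = context.split(':', 3)
    if user != seuser:
        return False
    # A single level must lie inside the range; a range must be contained in it.
    low, high = parse_range(mls)
    allowed = parse_range(rng)
    return level_in_range(low, allowed) and level_in_range(high, allowed)


def joes_runcon_context():
    """The context from the thread: s2 plus every even category from c0 to c1022."""
    cats = ','.join('c%d' % c for c in range(0, 1024, 2))
    return 'root:sysadm_r:sysadm_t:s2:' + cats


if __name__ == '__main__':
    ctx = joes_runcon_context()
    print('categories in the runcon level:', len(parse_level(ctx.split(':', 3)[3])[1]))
    print('fits', SEUSERS_LINE, '->', context_valid_for_seuser(ctx, SEUSERS_LINE))
    # Hypothetical narrower range: c1022 is outside it, so the context would be rejected.
    print('fits root:root:s0-s15:c0.c511 ->',
          context_valid_for_seuser(ctx, 'root:root:s0-s15:c0.c511'))
```

The mail wrapping in the thread inserts spaces inside the category list ("c2 4,c26"), and a space makes `parse_level()` raise just as the kernel reports an invalid context, which is one way to reproduce the cut-and-paste problem Joy ran into.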
From: latten at austin.ibm.com (Joy Latten) Date: Wed, 11 Apr 2007 18:08:31 -0500 Subject: [redhat-lspp] new ipsec-tools package In-Reply-To: <1176330804.3085.728.camel@faith.austin.ibm.com> References: <1176323516.3085.726.camel@faith.austin.ibm.com> <5519C4FE-CA62-448C-BFF1-2ACAFACC08A2@nall.com> <1176330804.3085.728.camel@faith.austin.ibm.com> Message-ID: <1176332912.3085.736.camel@faith.austin.ibm.com> On Wed, 2007-04-11 at 17:33 -0500, Joy Latten wrote: > When I issue the runcon below, I am told this is an invalid context. Is > there something else I should do first? Ok, I replied too quickly. I had not cut and pasted correctly. Yes, I do get a kernel BUG. And I am running lspp kernel 73 and latest stuff on sgrubb's repo. Also, this doesn't have anything to do with loopback. To verify this I started up racoon between two machines and did the same command, except I did a ping to the other host.

kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781!
cpu 0x3: Vector: 700 (Program Check) at [c0000000421bb2e0]
    pc: c00000000033b074: .xfrm_send_acquire+0x240/0x2c8
    lr: c00000000033b014: .xfrm_send_acquire+0x1e0/0x2c8
    sp: c0000000421bb560
   msr: 8000000000029032
  current = 0xc00000000fce8f00
  paca    = 0xc000000000464b00
    pid   = 2303, comm = ping
kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781!
enter ?
for help
3:mon> t
[c0000000421bb650] c00000000033538c .km_query+0x6c/0xec
[c0000000421bb6f0] c000000000337374 .xfrm_state_find+0x7f4/0xb88
[c0000000421bb7f0] c000000000332350 .xfrm_tmpl_resolve+0xc4/0x21c
[c0000000421bb8d0] c0000000003326e8 .xfrm_lookup+0x1a0/0x5b0
[c0000000421bba00] c0000000002e6ea0 .ip_route_output_flow+0x88/0xb4
[c0000000421bbaa0] c0000000003106d8 .ip4_datagram_connect+0x218/0x374
[c0000000421bbbd0] c00000000031bc00 .inet_dgram_connect+0xac/0xd4
[c0000000421bbc60] c0000000002b11ac .sys_connect+0xd8/0x120
[c0000000421bbd90] c0000000002d38d0 .compat_sys_socketcall+0xdc/0x214
[c0000000421bbe30] c00000000000869c syscall_exit+0x0/0x40
--- Exception: c00 (System Call) at 0000000007f0ca9c
SP (fc0ef8f0) is in userspace
3:mon>

Joy

From twaugh at redhat.com Thu Apr 12 11:35:48 2007
From: twaugh at redhat.com (Tim Waugh) Date: Thu, 12 Apr 2007 12:35:48 +0100 Subject: [redhat-lspp] CUPS configuration: Get-Notifications Message-ID: <1176377748.5213.19.camel@cyberelk.elk>

Something that occurred to me today is that for LSPP, CUPS should be configured to restrict the IPP notification operations:

Create-Subscription
Renew-Subscription
Get-Notifications

Otherwise, information about jobs and printers can be discovered. The way subscriptions work is that an IPP connection to the local CUPS server is made, and a 'Create-Subscription' operation sets up the list of events to notify me of. Then, later, a 'Get-Notifications' operation retrieves a list of events such as job-created, printer-added. These events carry information such as job IDs, job names etc.

Tim.

From klaus at atsec.com Thu Apr 12 16:35:42 2007
From: klaus at atsec.com (Klaus Weidner) Date: Thu, 12 Apr 2007 11:35:42 -0500 Subject: [redhat-lspp] LSPP kickstart config v0.35 released Message-ID: <20070412163542.GH17276@w-m-p.com> Hello all, new ipsec tools and SELinux policy packages, no other changes. Changes in 0.35: commit 5ddf2afc7759b293e3a7edc4b2de923f0eae033a Author: Klaus Weidner Date: Thu Apr 12 11:32:38 2007 -0500 packages: bumped ipsec-tools version commit fce31a843ba0356840d5d39f8977a7de78d23e9f Author: George Wilson Date: Wed Apr 11 19:34:13 2007 -0500 Bump policy to 55 Changes in 0.34: Fix build issues that were preventing RPMs from being created. Workaround for Debian rpm which defines _sysconfdir as /usr/etc/ Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository. Workarounds: If the script requires a package that has been replaced by a newer one in the repository, you can do a quick&dirty workaround instead of starting over - put the newer .rpm file in /root/rpms/ and rename it to the expected old name in a "!" escape. If you need to do that, please let me know what the new version is (preferably as a patch to the lspp-config/kickstart/src/rpms.lst file, which is the source for the list in the individual kickstart files). RPM download: http://klaus.vh.swiftco.net/lspp/SRPMS/ http://klaus.vh.swiftco.net/lspp/RPMS/noarch/ Git repository: http://klaus.vh.swiftco.net/lspp/git/ -Klaus From raghuveer at in.ibm.com Thu Apr 12 17:55:07 2007 
From: raghuveer at in.ibm.com (Raghuveer R) Date: Thu, 12 Apr 2007 23:25:07 +0530 Subject: [redhat-lspp] problem with cron Message-ID: <1176400507.6500.17.camel@ragragha.in.ibm.com>

Hi all,

I am trying to run a cron job on kernel 2.6.18-8.1.1.lspp.73.el5, but it is not being executed.

Environment -
kernel-2.6.18-8.1.1.lspp.73.el5
crontabs-1.10-8
vixie-cron-4.1-67.el5
selinux-policy-mls-2.4.6-55.el5
selinux-policy-2.4.6-55.el5
audit-1.3.1-4.el5

I am trying to do the following -
1) run_init /etc/init.d/crond restart
2) add a cron job as follows

crontab - << EOF
`date '+%M' | awk '{ print ($1+2)%60 " * * * * " }'` /a.out
EOF

where a.out is the following compiled c program -

#include
#include
#include

main()
{
    int fd, n;
    char *buf="this is a piece of text\n";
    n = strlen(buf);
    if ( (fd = open("a.txt", O_RDWR, O_CREAT | O_TRUNC)) < 0)
        perror("open");
    else if( write(fd, buf, n) < n )
        perror("write");
    close(fd);
}

The modification time of a.txt does not change after the cron job is supposed to have run.

I do understand that there are better ways of doing this. But the issue here is that cron is not running jobs in the above mentioned environment.

What could be the problem here?

Thanks,
Raghuveer

From Valdis.Kletnieks at vt.edu Thu Apr 12 18:14:07 2007
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 12 Apr 2007 14:14:07 -0400 Subject: [redhat-lspp] problem with cron In-Reply-To: Your message of "Thu, 12 Apr 2007 23:25:07 +0530." <1176400507.6500.17.camel@ragragha.in.ibm.com> References: <1176400507.6500.17.camel@ragragha.in.ibm.com> Message-ID: <21041.1176401647@turing-police.cc.vt.edu>

On Thu, 12 Apr 2007 23:25:07 +0530, Raghuveer R said:
> crontab - << EOF
> `date '+%M' | awk '{ print ($1+2)%60 " * * * * " }'` /a.out

Just for grins and giggles, can you do a 'crontab -l' and see what, if anything, is in the crontab? I wonder if your fancy `exec` backticking managed to not get expanded....

From linda.knippers at hp.com Thu Apr 12 18:17:06 2007
From: linda.knippers at hp.com (Linda Knippers) Date: Thu, 12 Apr 2007 14:17:06 -0400 Subject: [redhat-lspp] problem with cron In-Reply-To: <1176400507.6500.17.camel@ragragha.in.ibm.com> References: <1176400507.6500.17.camel@ragragha.in.ibm.com> Message-ID: <461E77A2.3000206@hp.com>

Raghuveer R wrote:
> Hi all,
>
> I am trying to run a cron job on kernel 2.6.18-8.1.1.lspp.73.el5, but it
> is not being executed.
>
> Environment -
> kernel-2.6.18-8.1.1.lspp.73.el5
> crontabs-1.10-8
> vixie-cron-4.1-67.el5
> selinux-policy-mls-2.4.6-55.el5
> selinux-policy-2.4.6-55.el5
> audit-1.3.1-4.el5
>
> I am trying to do the following -
> 1) run_init /etc/init.d/crond restart
> 2) add a cron job as follows
> crontab - << EOF
> `date '+%M' | awk '{ print ($1+2)%60 " * * * * " }'` /a.out
> EOF
> where a.out is the following compiled c program -
>
> #include
> #include
> #include

#include will avoid the compiler warning.

>
> main()
> {
>     int fd, n;
>     char *buf="this is a piece of text\n";
>     n = strlen(buf);
>     if ( (fd = open("a.txt", O_RDWR, O_CREAT | O_TRUNC)) < 0)

Your test is broken here. I think you want O_RDWR|O_CREAT|O_TRUNC, and a final argument to define the mode bits. If you run this and the file doesn't exist your test will fail.

>         perror("open");
>     else if( write(fd, buf, n) < n )
>         perror("write");
>     close(fd);
> }
>
> The modification time of a.txt does not change after the cron job is
> supposed to have run.
>
> I do understand that there are better ways of doing this. But the issue
> here is that cron is not running jobs in the above mentioned
> environment.
>
> What could be the problem here?

When I fixed the test program it worked for me. If it doesn't work for you then I'd start looking for AVCs or some indication of why the program can't be exec'd or can't open the file. I assume it works for you outside of cron, right?
-- ljk

> Thanks,
> Raghuveer
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp

From sgrubb at redhat.com Thu Apr 12 20:40:03 2007
From: sgrubb at redhat.com (Steve Grubb) Date: Thu, 12 Apr 2007 16:40:03 -0400 Subject: [redhat-lspp] lspp 74 kernel released Message-ID: <200704121640.03199.sgrubb@redhat.com>

Hi,

The lspp.74 kernel has been published to the lspp yum repo at: http://people.redhat.com/sgrubb/files/lspp

- patch to fix soft-lockups loading policy (231392)

Please let me know if there are any problems with this kernel.

-Steve

From klaus at atsec.com Thu Apr 12 22:34:42 2007
From: klaus at atsec.com (Klaus Weidner) Date: Thu, 12 Apr 2007 17:34:42 -0500 Subject: [redhat-lspp] LSPP kickstart config v0.36 released Message-ID: <20070412223442.GI17276@w-m-p.com>

Hello all,

bump kernel version (to match the one Steve just released), and disable the audit dispatcher as recommended by Steve.

Changes in 0.36:
packages: bump kernel to lspp.74
disable "dispatcher" in auditd.conf (thanks George!)

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository.

Workarounds: If the script requires a package that has been replaced by a newer one in the repository, you can do a quick&dirty workaround instead of starting over - put the newer .rpm file in /root/rpms/ and rename it to the expected old name in a "!" escape. If you need to do that, please let me know what the new version is (preferably as a patch to the lspp-config/kickstart/src/rpms.lst file, which is the source for the list in the individual kickstart files).

RPM download:
http://klaus.vh.swiftco.net/lspp/SRPMS/
http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:
http://klaus.vh.swiftco.net/lspp/git/

-Klaus

From loulwas at us.ibm.com Fri Apr 13 00:19:47 2007
From: loulwas at us.ibm.com (Loulwa Salem) Date: Thu, 12 Apr 2007 19:19:47 -0500 Subject: [redhat-lspp] secadm can overwrite audit log but not append to it Message-ID: <461ECCA3.3060607@us.ibm.com>

I was running some test cases and ran into a scenario where secadm_r was permitted to write to /var/log/audit/audit.log. I was not expecting secadm to be able to perform that operation. However secadm_r was denied appends to the log, and I get AVC messages for append perms in the log (see output below).

I am running with the latest .74 kernel and policy.54 in Enforcing, of course.

It doesn't really make sense to me that secadm can completely overwrite the audit log but can't append to it. I didn't think secadm should even have write permission to audit log in the first place.

Any thoughts on this .. ?

Thanks
- Loulwa

Here are the steps I did...

[root/secadm_r/SystemLow at joy-hv4 bin]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=staff_u:secadm_r:secadm_t:SystemLow-SystemHigh

[root/secadm_r/SystemLow at joy-hv4 bin]# ls -Z /var/log/audit/audit.log
-rw-r----- root root system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log

[root/secadm_r/SystemLow at joy-hv4 bin]# echo "boo" > /var/log/audit/audit.log
[root/secadm_r/SystemLow at joy-hv4 bin]# cat /var/log/audit/audit.log
boo

[root/secadm_r/SystemLow at joy-hv4 bin]# echo "boo2" >> /var/log/audit/audit.log
-bash: /var/log/audit/audit.log: Permission denied
[root/secadm_r/SystemLow at joy-hv4 bin]# cat /var/log/audit/audit.log
boo
type=AVC msg=audit(1176408498.736:844): avc: denied { append } for pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1176408498.736:844): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10441 a2=1b6 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1176408498.737:845): avc: denied { append } for pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file type=SYSCALL msg=audit(1176408498.737:845): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10401 a2=0 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null) From linda.knippers at hp.com Fri Apr 13 00:48:18 2007 
From: linda.knippers at hp.com (Linda Knippers) Date: Thu, 12 Apr 2007 20:48:18 -0400 Subject: [redhat-lspp] secadm can overwrite audit log but not append to it In-Reply-To: <461ECCA3.3060607@us.ibm.com> References: <461ECCA3.3060607@us.ibm.com> Message-ID: <461ED352.80304@hp.com> Loulwa Salem wrote: > I was running some test cases and ran into a scenario where secadm_r was > permitted to write to /var/log/audit/audit.log > I was not expecting secadm to be able to perform that operation. However > secadm_r was denied appends to the log. and I get AVC messages for > append perms in the log (See output below) > > I am running with the latest .74 kernel and policy.54 in Enforcing ofcourse > > It doesn't really make sense to me that secadm can completely overwrite > the audit log but can't append to it. I didn't think secadm should even > have write permission to audit log in the first place > > Any thoughts on this .. ? I think one way or another, you've uncovered a bug and should file a bugzilla. Either the append should work or the truncate/write shouldn't. I can envision cases where one might want to allow someone to append but not truncate but you're seeing the opposite. I don't recall whether this is supposed to work for secadm_r or not but I'm thinking that it should. I assume both operations work with sysadm_r? -- ljk > > Thanks > - Loulwa > > > > > Here are the steps I did... 
> > [root/secadm_r/SystemLow at joy-hv4 bin]# id > uid=0(root) gid=0(root) > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) > context=staff_u:secadm_r:secadm_t:SystemLow-SystemHigh > > [root/secadm_r/SystemLow at joy-hv4 bin]# ls -Z /var/log/audit/audit.log > -rw-r----- root root system_u:object_r:auditd_log_t:SystemHigh > /var/log/audit/audit.log > > [root/secadm_r/SystemLow at joy-hv4 bin]# echo "boo" > > /var/log/audit/audit.log > [root/secadm_r/SystemLow at joy-hv4 bin]# cat /var/log/audit/audit.log > boo > > [root/secadm_r/SystemLow at joy-hv4 bin]# echo "boo2" >> > /var/log/audit/audit.log > -bash: /var/log/audit/audit.log: Permission denied > [root/secadm_r/SystemLow at joy-hv4 bin]# cat /var/log/audit/audit.log > boo > type=AVC msg=audit(1176408498.736:844): avc: denied { append } for > pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 > scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 > tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file > type=SYSCALL msg=audit(1176408498.736:844): arch=14 syscall=5 success=no > exit=-13 a0=1011d668 a1=10441 a2=1b6 a3=10117fc8 items=0 ppid=3850 > pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" > subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null) > type=AVC msg=audit(1176408498.737:845): avc: denied { append } for > pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 > scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 > tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file > type=SYSCALL msg=audit(1176408498.737:845): arch=14 syscall=5 success=no > exit=-13 a0=1011d668 a1=10401 a2=0 a3=10117fc8 items=0 ppid=3850 > pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" > subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null) > > -- > redhat-lspp mailing list > redhat-lspp at redhat.com > 
https://www.redhat.com/mailman/listinfo/redhat-lspp From sgrubb at redhat.com Fri Apr 13 01:41:57 2007 From: sgrubb at redhat.com (Steve Grubb) Date: Thu, 12 Apr 2007 21:41:57 -0400 Subject: [redhat-lspp] lspp 75 kernel released Message-ID: <200704122141.57681.sgrubb@redhat.com> Hi, The lspp.75 kernel has been published to the lspp yum repo at: http://people.redhat.com/sgrubb/files/lspp - apply patch to fix panic when running IPSEC labeled loopback (235475) Please let me know if there any problems with this kernel. -Steve From klaus at atsec.com Fri Apr 13 15:21:17 2007 From: klaus at atsec.com (Klaus Weidner) Date: Fri, 13 Apr 2007 10:21:17 -0500 Subject: [redhat-lspp] LSPP kickstart config v0.37 released Message-ID: <20070413152117.GA22746@w-m-p.com> Hello all, new kernel version to match the one Steve just released. Changes in 0.37: packages: bump kernel version to .75 Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository. Workarounds: If the script requires a package that has been replaced by a newer one in the repository, you can do a quick&dirty workaround instead of starting over - put the newer .rpm file in /root/rpms/ and rename it to the expected old name in a "!" escape. If you need to do that, please let me know what the new version is (preferably as a patch to the lspp-config/kickstart/src/rpms.lst file, which is the source for the list in the individual kickstart files). RPM download: http://klaus.vh.swiftco.net/lspp/SRPMS/ http://klaus.vh.swiftco.net/lspp/RPMS/noarch/ Git repository: http://klaus.vh.swiftco.net/lspp/git/ -Klaus From dwalsh at redhat.com Fri Apr 13 18:59:23 2007 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 13 Apr 2007 14:59:23 -0400
Subject: [redhat-lspp] secadm can overwrite audit log but not append to it
In-Reply-To: <461ED352.80304@hp.com>
References: <461ECCA3.3060607@us.ibm.com> <461ED352.80304@hp.com>
Message-ID: <461FD30B.6030109@redhat.com>

Linda Knippers wrote:
> Loulwa Salem wrote:
>
>> I was running some test cases and ran into a scenario where secadm_r was
>> permitted to write to /var/log/audit/audit.log
>> I was not expecting secadm to be able to perform that operation. However
>> secadm_r was denied appends to the log. and I get AVC messages for
>> append perms in the log (See output below)
>>
>> I am running with the latest .74 kernel and policy.54 in Enforcing of course
>>
>> It doesn't really make sense to me that secadm can completely overwrite
>> the audit log but can't append to it. I didn't think secadm should even
>> have write permission to audit log in the first place
>>
>> Any thoughts on this .. ?
>
> I think one way or another, you've uncovered a bug and should file a
> bugzilla. Either the append should work or the truncate/write
> shouldn't. I can envision cases where one might want to allow
> someone to append but not truncate but you're seeing the opposite.
>
> I don't recall whether this is supposed to work for secadm_r or
> not but I'm thinking that it should. I assume both operations work
> with sysadm_r?
>
I am getting permission denied in either case.

> -- ljk
>
>> Thanks
>> - Loulwa
>>
>> Here are the steps I did...
>> [root/secadm_r/SystemLow at joy-hv4 bin]# id
>> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=staff_u:secadm_r:secadm_t:SystemLow-SystemHigh
>>
>> [root/secadm_r/SystemLow at joy-hv4 bin]# ls -Z /var/log/audit/audit.log
>> -rw-r----- root root system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log
>>
>> [root/secadm_r/SystemLow at joy-hv4 bin]# echo "boo" > /var/log/audit/audit.log
>> [root/secadm_r/SystemLow at joy-hv4 bin]# cat /var/log/audit/audit.log
>> boo
>>
>> [root/secadm_r/SystemLow at joy-hv4 bin]# echo "boo2" >> /var/log/audit/audit.log
>> -bash: /var/log/audit/audit.log: Permission denied
>> [root/secadm_r/SystemLow at joy-hv4 bin]# cat /var/log/audit/audit.log
>> boo
>> type=AVC msg=audit(1176408498.736:844): avc: denied { append } for pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
>> type=SYSCALL msg=audit(1176408498.736:844): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10441 a2=1b6 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
>> type=AVC msg=audit(1176408498.737:845): avc: denied { append } for pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
>> type=SYSCALL msg=audit(1176408498.737:845): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10401 a2=0 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
>>
>> --
>> redhat-lspp mailing list
>> redhat-lspp at redhat.com
>> https://www.redhat.com/mailman/listinfo/redhat-lspp
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp

From linda.knippers at hp.com Fri Apr 13 19:05:46 2007
From: linda.knippers at hp.com (Linda Knippers)
Date: Fri, 13 Apr 2007 15:05:46 -0400
Subject: [redhat-lspp] secadm can overwrite audit log but not append to it
In-Reply-To: <461FD30B.6030109@redhat.com>
References: <461ECCA3.3060607@us.ibm.com> <461ED352.80304@hp.com> <461FD30B.6030109@redhat.com>
Message-ID: <461FD48A.4070707@hp.com>

Daniel J Walsh wrote:
> Linda Knippers wrote:
>
>> Loulwa Salem wrote:
>>
>>> I was running some test cases and ran into a scenario where secadm_r was
>>> permitted to write to /var/log/audit/audit.log
>>> I was not expecting secadm to be able to perform that operation. However
>>> secadm_r was denied appends to the log. and I get AVC messages for
>>> append perms in the log (See output below)
>>>
>>> I am running with the latest .74 kernel and policy.54 in Enforcing
>>> of course
>>>
>>> It doesn't really make sense to me that secadm can completely overwrite
>>> the audit log but can't append to it. I didn't think secadm should even
>>> have write permission to audit log in the first place
>>>
>>> Any thoughts on this .. ?
>>
>> I think one way or another, you've uncovered a bug and should file a
>> bugzilla. Either the append should work or the truncate/write
>> shouldn't. I can envision cases where one might want to allow
>> someone to append but not truncate but you're seeing the opposite.
>>
>> I don't recall whether this is supposed to work for secadm_r or
>> not but I'm thinking that it should. I assume both operations work
>> with sysadm_r?
>
> I am getting permission denied in either case.

Me too. sysadm_r can do both operations. secadm_r can do neither.

-- ljk

From mra at hp.com Fri Apr 13 20:14:47 2007
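For the secadm_r audit.log thread above, an added example (mine, not code from the list) that pairs the AVC and SYSCALL records Loulwa posted and decodes what each open(2) asked for, which is why `>` and `>>` hit different SELinux permissions. It assumes arch=14 is EM_PPC (32-bit PowerPC) and uses that ABI's open flag values; the flags word for the successful `>` is constructed, since a granted open produces no AVC.

```python
"""Pair AVC and SYSCALL audit records and decode what open(2) asked for.

Added example for the secadm_r audit.log thread; not code from the list.
Assumed: arch=14 is EM_PPC (32-bit PowerPC), where syscall 5 is open(2)
and a1 is the flags word.  The SELinux rule mirrored here is the 2.6
open_namei()/file_mask_to_av() one: a write-mode open with O_APPEND is
checked as the "append" permission, without O_APPEND as "write".
"""
import re

# open(2) flag bits for 32-bit PowerPC: generic Linux values plus the three
# that differ per architecture (O_DIRECTORY, O_NOFOLLOW, O_LARGEFILE).
OPEN_FLAGS_PPC = {
    0x00001: "O_WRONLY", 0x00002: "O_RDWR", 0x00040: "O_CREAT",
    0x00080: "O_EXCL", 0x00100: "O_NOCTTY", 0x00200: "O_TRUNC",
    0x00400: "O_APPEND", 0x00800: "O_NONBLOCK", 0x04000: "O_DIRECTORY",
    0x08000: "O_NOFOLLOW", 0x10000: "O_LARGEFILE",
}
AUDIT_ID_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

# The two denied appends from Loulwa's transcript, copied from the thread.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1176408498.736:844): avc: denied { append } for pid=3853 '
    'comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:'
    'secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file',
    'type=SYSCALL msg=audit(1176408498.736:844): arch=14 syscall=5 success=no exit=-13 '
    'a0=1011d668 a1=10441 a2=1b6 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" '
    'exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)',
    'type=AVC msg=audit(1176408498.737:845): avc: denied { append } for pid=3853 '
    'comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:'
    'secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file',
    'type=SYSCALL msg=audit(1176408498.737:845): arch=14 syscall=5 success=no exit=-13 '
    'a0=1011d668 a1=10401 a2=0 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" '
    'exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)',
]


def parse_record(line):
    """One audit record -> dict of its fields; AVC records also get 'perms'."""
    rec = dict(KV_RE.findall(line))
    rec["serial"] = int(AUDIT_ID_RE.search(line).group(1))
    avc = AVC_RE.search(line)
    if avc:
        rec["result"], rec["perms"] = avc.group(1), avc.group(2).split()
    return rec


def decode_open_flags(a1_hex, table=OPEN_FLAGS_PPC):
    """Hex a1 of an open(2) SYSCALL record -> list of flag names."""
    flags = int(a1_hex, 16)
    names = [name for bit, name in sorted(table.items()) if flags & bit]
    if (flags & 0x3) == 0:                  # O_RDONLY is the absence of mode bits
        names.insert(0, "O_RDONLY")
    unknown = flags & ~sum(table)
    if unknown:
        names.append("0x%x" % unknown)
    return names


def required_file_perms(flag_names):
    """SELinux file permissions a 2.6 kernel checks for an open with these flags."""
    names, perms = set(flag_names), set()
    if "O_RDONLY" in names or "O_RDWR" in names:
        perms.add("read")
    if "O_WRONLY" in names or "O_RDWR" in names:
        perms.add("append" if "O_APPEND" in names else "write")
    if "O_TRUNC" in names:                  # do_truncate() -> setattr hook -> write
        perms.add("write")
    return perms


def explain_denials(lines):
    """Join AVC and SYSCALL records by serial and test the denial against the flags."""
    by_serial = {}
    for line in lines:
        rec = parse_record(line)
        by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    out = {}
    for serial, recs in sorted(by_serial.items()):
        sc, avc = recs.get("SYSCALL"), recs.get("AVC")
        # Only open(2) on PowerPC (arch=14, syscall=5) is decoded here.
        if not sc or not avc or (sc.get("arch"), sc.get("syscall")) != ("14", "5"):
            continue
        flags = decode_open_flags(sc["a1"])
        needed = required_file_perms(flags)
        out[serial] = {"comm": sc["comm"].strip('"'), "flags": flags,
                       "needed": needed, "denied": set(avc["perms"]),
                       "explained": set(avc["perms"]) <= needed}
    return out


if __name__ == "__main__":
    for serial, info in explain_denials(SAMPLE_RECORDS).items():
        print(serial, info["comm"], "|".join(info["flags"]), "needs",
              sorted(info["needed"]), "denied", sorted(info["denied"]))
    # Constructed flags word for bash's ">" (O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE):
    # it asks for "write", which this policy granted secadm_t, hence the overwrite.
    print("'>' needs", required_file_perms(decode_open_flags("10241")))
```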
From: mra at hp.com (Matt Anderson)
Date: Fri, 13 Apr 2007 16:14:47 -0400
Subject: [redhat-lspp] CUPS configuration: Get-Notifications
In-Reply-To: <1176377748.5213.19.camel@cyberelk.elk>
References: <1176377748.5213.19.camel@cyberelk.elk>
Message-ID: <461FE4B7.7050303@hp.com>

Tim Waugh wrote:
> Something that occurred to me today is that for LSPP, CUPS should be
> configured to restrict the IPP notification operations:
>
> Create-Subscription
> Renew-Subscription
> Get-Notifications
>
> Otherwise, information about jobs and printers can be discovered. The
> way subscriptions work is that an IPP connection to the local CUPS
> server is made, and a 'Create-Subscription' operation sets up the list
> of events to notify me of. Then, later, a 'Get-Notifications' operation
> retrieves a list of events such as job-created, printer-added. These
> events carry information such as job IDs, job names etc.

Thanks for bringing this up Tim.

Are these the config file lines you were thinking we needed?

AuthType Basic
Require user @SYSTEM
Order deny,allow

I added that to my system and the server parsed the config file,
accepted the options and was able to start, but I'm not sure how to test
the attack you are describing. I get the feeling this would require a
custom client.

-matt

From klaus at atsec.com Fri Apr 13 20:46:55 2007
From: klaus at atsec.com (Klaus Weidner) Date: Fri, 13 Apr 2007 15:46:55 -0500 Subject: [redhat-lspp] LSPP kickstart config v0.38 released Message-ID: <20070413204655.GK17276@w-m-p.com> Hello all, new selinux policy (thanks George) Changes in 0.38: packages: bump policy version to 57 Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository. Workarounds: If the script requires a package that has been replaced by a newer one in the repository, you can do a quick&dirty workaround instead of starting over - put the newer .rpm file in /root/rpms/ and rename it to the expected old name in a "!" escape. If you need to do that, please let me know what the new version is (preferably as a patch to the lspp-config/kickstart/src/rpms.lst file, which is the source for the list in the individual kickstart files). RPM download: http://klaus.vh.swiftco.net/lspp/SRPMS/ http://klaus.vh.swiftco.net/lspp/RPMS/noarch/ Git repository: http://klaus.vh.swiftco.net/lspp/git/ -Klaus From sgrubb at redhat.com Sat Apr 14 13:03:19 2007 From: sgrubb at redhat.com (Steve Grubb) Date: Sat, 14 Apr 2007 09:03:19 -0400 Subject: [redhat-lspp] lspp 76 kernel released Message-ID: <200704140903.19353.sgrubb@redhat.com> Hi, The lspp.76 kernel has been published to the lspp yum repo at: http://people.redhat.com/sgrubb/files/lspp - increase NMI watchdog timeout in attempt to fix soft-lockups loading policy (#231392) Please let me know if there any problems with this kernel. -Steve From ltcgcw at us.ibm.com Sun Apr 15 19:27:15 2007 
From: ltcgcw at us.ibm.com (George C. Wilson) Date: Sun, 15 Apr 2007 14:27:15 -0500 Subject: [redhat-lspp] [Reminder] LSPP Bug Telecon Mon., Apr. 16 Message-ID: <20070415192714.GA29933@us.ibm.com> IBM hosts the LSPP Bug Telecon every Monday at 20:00 UTC. If you would like to participate and are not already an attendee, please reply directly to me with your contact information. I will respond with an invitation after review by the existing participants. Please note that the number of attendees may be limited by our call center's restrictions on maximum lines per conference. -- George Wilson IBM Linux Technology Center From raghuveer at in.ibm.com Mon Apr 16 06:13:10 2007 
From: raghuveer at in.ibm.com (Raghuveer R)
Date: Mon, 16 Apr 2007 11:43:10 +0530
Subject: [redhat-lspp] problem with cron
In-Reply-To: <461E77A2.3000206@hp.com>
References: <1176400507.6500.17.camel@ragragha.in.ibm.com> <461E77A2.3000206@hp.com>
Message-ID: <1176703990.26138.2.camel@ragragha.in.ibm.com>

On Thu, 2007-04-12 at 14:17 -0400, Linda Knippers wrote:
> Raghuveer R wrote:
> > Hi all,
> >
> > I am trying to run a cron job on kernel 2.6.18-8.1.1.lspp.73.el5, but it
> > is not being executed.
> >
> > Environment -
> > kernel-2.6.18-8.1.1.lspp.73.el5
> > crontabs-1.10-8
> > vixie-cron-4.1-67.el5
> > selinux-policy-mls-2.4.6-55.el5
> > selinux-policy-2.4.6-55.el5
> > audit-1.3.1-4.el5
> >
> > I am trying to do the following -
> > 1) run_init /etc/init.d/crond restart
> > 2) add a cron job as follows
> > crontab - << EOF
> > `date '+%M' | awk '{ print ($1+2)%60 " * * * * " }'` /a.out
> > EOF
> > where a.out is the following compiled c program -
> >
> > #include
> > #include
> > #include
> > #include will avoid the compiler warning.
> >
> > main()
> > {
> >     int fd, n;
> >     char *buf="this is a piece of text\n";
> >     n = strlen(buf);
> >     if ( (fd = open("a.txt", O_RDWR, O_CREAT | O_TRUNC)) < 0)
>
> Your test is broken here. I think you want O_RDWR|O_CREAT|O_TRUNC, and a
> final argument to define the mode bits. If you run this and the file
> doesn't exist your test will fail.
>
Oh yeah, the test is broken.

> >         perror("open");
> >     else if( write(fd, buf, n) < n )
> >         perror("write");
> >     close(fd);
> > }
> >
> > The modification time of a.txt does not change after the cron job is
> > supposed to have run.
> >
> > I do understand that there are better ways of doing this. But the issue
> > here is that cron is not running jobs in the above mentioned
> > environment.
> >
> > What could be the problem here?
>
> When I fixed the test program it worked for me.
> If it doesn't work for
> you then I'd start looking for AVCs or some indication of why the program
> can't be exec'd or can't open the file. I assume it works for you outside
> of cron, right?
>
I did create a file using touch before running the test. Hence I missed the
error.

Yes, the test works fine outside of cron.

Thanks,
Raghuveer

> -- ljk
>
> > Thanks,
> > Raghuveer
> >
> > --
> > redhat-lspp mailing list
> > redhat-lspp at redhat.com
> > https://www.redhat.com/mailman/listinfo/redhat-lspp
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp

From raghuveer at in.ibm.com Mon Apr 16 06:14:58 2007
From: raghuveer at in.ibm.com (Raghuveer R)
Date: Mon, 16 Apr 2007 11:44:58 +0530
Subject: [redhat-lspp] problem with cron
In-Reply-To: <21041.1176401647@turing-police.cc.vt.edu>
References: <1176400507.6500.17.camel@ragragha.in.ibm.com> <21041.1176401647@turing-police.cc.vt.edu>
Message-ID: <1176704098.26138.4.camel@ragragha.in.ibm.com>

On Thu, 2007-04-12 at 14:14 -0400, Valdis.Kletnieks at vt.edu wrote:
> On Thu, 12 Apr 2007 23:25:07 +0530, Raghuveer R said:
>
> > crontab - << EOF
> > `date '+%M' | awk '{ print ($1+2)%60 " * * * * " }'` /a.out
>
> Just for grins and giggles, can you do a 'crontab -l' and see
> what, if anything, is in the crontab? I wonder if your fancy `exec`
> backticking managed to not get expanded....

Yes, crontab -l lists the cron job. Had forgotten to mention that in the
previous mail.

Thanks,
Raghuveer

From twaugh at redhat.com Mon Apr 16 12:45:06 2007
From: twaugh at redhat.com (Tim Waugh)
Date: Mon, 16 Apr 2007 13:45:06 +0100
Subject: [redhat-lspp] CUPS configuration: Get-Notifications
In-Reply-To: <461FE4B7.7050303@hp.com>
References: <1176377748.5213.19.camel@cyberelk.elk> <461FE4B7.7050303@hp.com>
Message-ID: <1176727506.5451.39.camel@cyberelk.elk>

On Fri, 2007-04-13 at 16:14 -0400, Matt Anderson wrote:
> Are these the config file lines you were thinking we needed?
>
> AuthType Basic
> Require user @SYSTEM
> Order deny,allow

Yes.

> I added that to my system and the server parsed the config file,
> accepted the options and was able to start, but I'm not sure how to test
> the attack you are describing. I get the feeling this would require a
> custom client.

You can use the Python bindings for the CUPS API, used by
system-config-printer. The most recent version (1.9.21) has support for
subscriptions. Fetch:

http://cyberelk.net/tim/data/pycups/pycups-1.9.21.tar.bz2

and untar it, and run 'make'. Then run 'python' and paste this in:

==>
import cups
c=cups.Connection()
s=c.createSubscription("/", events=['all'])
<==

Then print a job or something in another window, and paste this into the
Python session:

==>
event=c.getNotifications([s])['events'][0]
for name, value in event.iteritems():
    print name, ":", value
c.cancelSubscription(s)
<==

You should get a dict showing you lots of stuff. Here's what I get after
submitting a job, for instance:

==>
job-name : (stdin)
notify-job-id : 813
notify-natural-langugage : en-us
notify-sequence-number : 1
notify-subscribed-event : job-created
printer-state-reasons : none
job-impressions-completed : 0
printer-is-accepting-jobs : True
notify-printer-uri : ipp://cyberelk.elk:631/printers/stylus
job-state-reasons : none
notify-subscription-id : 10
notify-text : Job created.
printer-name : stylus
notify-charset : utf-8
printer-up-time : 1176727350
job-state : 3
printer-state : 3
<==

Tim.
*/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From klaus at atsec.com Mon Apr 16 17:11:52 2007 From: klaus at atsec.com (Klaus Weidner) Date: Mon, 16 Apr 2007 12:11:52 -0500 Subject: [redhat-lspp] LSPP kickstart config v0.39 released Message-ID: <20070416171152.GL17276@w-m-p.com> Hello all, rbac-self-test updates and updated package versions. Changes in 0.39: commit 35b315c91d6b3bbf413c97bec43dc0e600669328 Author: George Wilson Date: Sun Apr 15 12:32:55 2007 -0500 packages: bump ipsec-tools version to .5 commit b0ee0a33569a52f7a9b5cceac7b9e550bb136a89 Author: George Wilson Date: Sat Apr 14 18:09:34 2007 -0500 rbac-self-test: fix rbacselftest.fc Fix test file contexts, make binaries SystemHigh, remove kruft context. commit bac66bdf294b230b55cd0beaf8a9ff0286ad4b24 Author: George Wilson Date: Fri Apr 13 17:09:38 2007 -0500 rbac-self-test: get rid of local.te Merge local.te into rbacselftest.te and remove secadm_r log_t write perm. commit 88db865df1e05da4a94f57728fabea933f10e163 Author: George Wilson Date: Sat Apr 14 14:09:47 2007 -0500 packages: bump kernel version to lspp.76 Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository. Workarounds: If the script requires a package that has been replaced by a newer one in the repository, you can do a quick&dirty workaround instead of starting over - put the newer .rpm file in /root/rpms/ and rename it to the expected old name in a "!" escape. If you need to do that, please let me know what the new version is (preferably as a patch to the lspp-config/kickstart/src/rpms.lst file, which is the source for the list in the individual kickstart files). RPM download: http://klaus.vh.swiftco.net/lspp/SRPMS/ http://klaus.vh.swiftco.net/lspp/RPMS/noarch/ Git repository: http://klaus.vh.swiftco.net/lspp/git/ -Klaus From klaus at atsec.com Mon Apr 16 19:18:53 2007 
From: klaus at atsec.com (Klaus Weidner) Date: Mon, 16 Apr 2007 14:18:53 -0500 Subject: [redhat-lspp] LSPP kickstart config v0.40 released Message-ID: <20070416191853.GM17276@w-m-p.com> Hello all, more package updates. (BTW, please let me know if you want me to stop posting announcements to this list for trivial changes to track the package versions or if you want to continue seeing them - but I hope things will settle down soon...) Changes in 0.40: commit d44f8f30ad6e337b95624de5fc033aa7c50ef922 Author: George Wilson Date: Mon Apr 16 14:07:08 2007 -0500 packages: bump selinux-policy to .58, ipsec-tools to .6 Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository. Workarounds: If the script requires a package that has been replaced by a newer one in the repository, you can do a quick&dirty workaround instead of starting over - put the newer .rpm file in /root/rpms/ and rename it to the expected old name in a "!" escape. If you need to do that, please let me know what the new version is (preferably as a patch to the lspp-config/kickstart/src/rpms.lst file, which is the source for the list in the individual kickstart files). RPM download: http://klaus.vh.swiftco.net/lspp/SRPMS/ http://klaus.vh.swiftco.net/lspp/RPMS/noarch/ Git repository: http://klaus.vh.swiftco.net/lspp/git/ -Klaus From krisw at us.ibm.com Mon Apr 16 19:41:58 2007 
From: krisw at us.ibm.com (Kris Wilson) Date: Mon, 16 Apr 2007 14:41:58 -0500 Subject: [redhat-lspp] LSPP kickstart config v0.40 released In-Reply-To: <20070416191853.GM17276@w-m-p.com> Message-ID: redhat-lspp-bounces at redhat.com wrote on 04/16/2007 02:18:53 PM: > more package updates. (BTW, please let me know if you want me to stop > posting announcements to this list for trivial changes to track the > package versions or if you want to continue seeing them - but I hope > things will settle down soon...) I like knowing that the script is changing and how, so I want to see the announcements. Thanks! From klaus at atsec.com Tue Apr 17 03:41:00 2007 
From: klaus at atsec.com (Klaus Weidner) Date: Mon, 16 Apr 2007 22:41:00 -0500 Subject: [redhat-lspp] CUPS configuration: Get-Notifications In-Reply-To: <461FE4B7.7050303@hp.com> References: <1176377748.5213.19.camel@cyberelk.elk> <461FE4B7.7050303@hp.com> Message-ID: <20070417034100.GN17276@w-m-p.com> On Fri, Apr 13, 2007 at 04:14:47PM -0400, Matt Anderson wrote: > Tim Waugh wrote: > > Something that occurred to me today is that for LSPP, CUPS should be > > configured to restrict the IPP notification operations: > > > > Create-Subscription > > Renew-Subscription > > Get-Notifications Are you sure about the name? The config file refers to "Create-Job-Subscription" not "Create-Subscription". > > Otherwise, information about jobs and printers can be discovered. The > > way subscriptions work is that I make an IPP connection to the local > > CUPS server is made, and a 'Create-Subscription' operation sets up the > > list of events to notify me of. Then, later, a 'Get-Notifications' > > operation retrieves a list of events such as job-created, printer-added. > > These events carry information such as job IDs, job names etc. > > Thanks for bringing this up Tim. > > Is this the config file lines you were thinking we needed? > > > AuthType Basic > Require user @SYSTEM > Order deny,allow > > > I added that to my system and the server parsed the config file, > accepted the options and was able to start, but I'm not sure how to test > the attack you are describing. I get the feeling this would require a > custom client. I've made this change in the config file - since there were already settings for the items you mention mixed with other permissions, I separated those out. Note that the original config file uses "Create-Job-Subscription", not "Create-Subscription" as in your example, and I'm using that below, and adding "Cancel-Subscription" for consistency. 
The 'sed' approach was getting unmanageable, I now just import a static file instead of modifying the existing one in the script. For reference, below are the changes between the default shipped cupsd.conf and the one currently set up by the evaluated config. Please have a look if that matches what you expect. -Klaus --- /etc/cups/cupsd.conf-20070322-0930 2007-03-21 09:40:04.000000000 -0500 +++ /etc/cups/cupsd.conf 2007-03-23 12:08:14.000000000 -0500 @@ -1,10 +1,11 @@ -# -# "$Id: cupsd.conf.in 5454 2006-04-23 21:46:38Z mike $" +# cupsd.conf # # Sample configuration file for the Common UNIX Printing System (CUPS) # scheduler. See "man cupsd.conf" for a complete description of this # file. # +# Configuration modified for LSPP compliant operation +# MaxLogSize 2000000000 # Log general information in error_log - change "info" to "debug" for @@ -13,13 +14,27 @@ # Administrator user group... SystemGroup sys root +User lp +Group lp + +#Classification selinux # Use the whole SELinux context as the job label +#Classification te # Use the type as the label +#Classification mls # Use the range as the label +Classification mls + +# Allow users to override banners with job-sheets=none,none +# set to No users can still override one banner (e.g. job-sheets=mls,none) +ClassifyOverride No -# Only listen for connections from the local machine. -Listen localhost:631 +# Print the label at the top and bottom of each page +#PerPageLabels Yes + +# MUST disable TCP port in LSPP mode, use socket only +#Listen localhost:631 Listen /var/run/cups/cups.sock -# Show shared printers on the local network. -Browsing On +# No browsing in LSPP mode +Browsing Off BrowseOrder allow,deny # (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.) BrowseAllow @LOCAL 
@@ -51,11 +66,17 @@ # Set the default printer/job policies... # Job-related operations must be done by the owner or an adminstrator... - + Require user @OWNER @SYSTEM Order deny,allow + + AuthType Basic + Require user @SYSTEM + Order deny,allow + + # All administration operations require an adminstrator to authenticate... AuthType Basic @@ -65,6 +86,7 @@ # Only the owner or an administrator can cancel or authenticate a job... + AuthType Basic Require user @OWNER @SYSTEM Order deny,allow @@ -75,5 +97,4 @@ # -# End of "$Id: cupsd.conf.in 5454 2006-04-23 21:46:38Z mike $". -# +# End of cupsd.conf From klaus at atsec.com Tue Apr 17 04:17:24 2007 From: klaus at atsec.com (Klaus Weidner) Date: Mon, 16 Apr 2007 23:17:24 -0500 Subject: [redhat-lspp] LSPP kickstart config v0.41 released Message-ID: <20070417041724.GO17276@w-m-p.com> Hello all, minor updates and version bump. This incorporates the cups job notification just discussed on this mailing list. Changes in 0.41: postinst: fix syntax error in capp-lspp service script packages: bump selinux-policy version to .59 cups: disable non-adm job notification; use static LSPP mode cupsd.conf file Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository. Workarounds: If the script requires a package that has been replaced by a newer one in the repository, you can do a quick&dirty workaround instead of starting over - put the newer .rpm file in /root/rpms/ and rename it to the expected old name in a "!" escape. If you need to do that, please let me know what the new version is (preferably as a patch to the lspp-config/kickstart/src/rpms.lst file, which is the source for the list in the individual kickstart files). RPM download: http://klaus.vh.swiftco.net/lspp/SRPMS/ http://klaus.vh.swiftco.net/lspp/RPMS/noarch/ Git repository: http://klaus.vh.swiftco.net/lspp/git/ -Klaus From twaugh at redhat.com Tue Apr 17 08:38:51 2007 
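Review bot: in the Listen/Browsing hunk, `Browsing Off` leaves `BrowseOrder allow,deny` and `BrowseAllow @LOCAL` active in the unchanged context directly below it; they are inert while browsing is off, but the file would state its intent more clearly if they were commented out or annotated as deliberately kept. In the same hunk `#PerPageLabels Yes` is added disabled under a comment that reads as if labels were being printed; either enable the directive or reword the comment so nobody assumes per-page labels are on.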
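Review bot: in the default-policy hunk, the new `AuthType Basic` / `Require user @SYSTEM` / `Order deny,allow` block only restricts the operations named in its `<Limit ...>` line, which the archive did not preserve; per Tim's follow-up in this thread, subscriptions are created by both Create-Job-Subscription and Create-Printer-Subscription, so that line needs both of them plus Renew-Subscription, Get-Notifications and Cancel-Subscription (the 0.42 release adds the missing Create-Printer-Subscription). Any operation left out keeps the default policy and allows exactly the job and printer disclosure Tim's first message describes.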
From: twaugh at redhat.com (Tim Waugh) Date: Tue, 17 Apr 2007 09:38:51 +0100 Subject: [redhat-lspp] CUPS configuration: Get-Notifications In-Reply-To: <20070417034100.GN17276@w-m-p.com> References: <1176377748.5213.19.camel@cyberelk.elk> <461FE4B7.7050303@hp.com> <20070417034100.GN17276@w-m-p.com> Message-ID: <1176799131.4903.8.camel@cyberelk.elk> On Mon, 2007-04-16 at 22:41 -0500, Klaus Weidner wrote: > Are you sure about the name? The config file refers to > "Create-Job-Subscription" not "Create-Subscription". Oops, it's actually two: Create-Job-Subscription and Create-Printer-Subscription. > > Is this the config file lines you were thinking we needed? > > > > So it should be: > > AuthType Basic > > Require user @SYSTEM > > Order deny,allow > > Tim. */ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From klaus at atsec.com Tue Apr 17 17:36:25 2007 
From: klaus at atsec.com (Klaus Weidner) Date: Tue, 17 Apr 2007 12:36:25 -0500 Subject: [redhat-lspp] CUPS configuration: Get-Notifications In-Reply-To: <1176799131.4903.8.camel@cyberelk.elk> References: <1176377748.5213.19.camel@cyberelk.elk> <461FE4B7.7050303@hp.com> <20070417034100.GN17276@w-m-p.com> <1176799131.4903.8.camel@cyberelk.elk> Message-ID: <20070417173625.GP17276@w-m-p.com> On Tue, Apr 17, 2007 at 09:38:51AM +0100, Tim Waugh wrote: > On Mon, 2007-04-16 at 22:41 -0500, Klaus Weidner wrote: > > Are you sure about the name? The config file refers to > > "Create-Job-Subscription" not "Create-Subscription". > > Oops, it's actually two: Create-Job-Subscription and > Create-Printer-Subscription. > > > > Is this the config file lines you were thinking we needed? > > > > > > > > So it should be: > > Renew-Subscription Get-Notifications> Ok, I'm using those and adding Cancel-Subscription for consistency. Thank you for checking. -Klaus From klaus at atsec.com Tue Apr 17 17:41:55 2007 
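Added example for the CUPS notification thread above (mine, not Klaus's kickstart code and not from the CUPS project): a checker that reads a cupsd.conf the way cupsd resolves policy blocks (the first `<Limit>` naming an operation wins, otherwise `<Limit All>`) and reports which subscription operations are restricted to @SYSTEM with Basic auth, and whether TCP listening or browsing is still enabled. The sample file is constructed in the shape of the 0.41 diff, so it deliberately still lacks Create-Printer-Subscription.

```python
"""Audit a cupsd.conf for the LSPP notification and transport settings above.

Added example for the CUPS thread; not Klaus's kickstart code and not
from the CUPS project.  Policy lookup mirrors cupsd: the first <Limit>
naming an operation applies, otherwise <Limit All>.  SAMPLE_CONF is a
constructed file in the shape of the 0.41 diff, so it still lacks
Create-Printer-Subscription (the gap Tim pointed out and 0.42 closed).
"""
import re

# IPP operations that leak job/printer metadata if left on the default policy.
SUBSCRIPTION_OPS = (
    "Create-Job-Subscription", "Create-Printer-Subscription",
    "Renew-Subscription", "Get-Notifications", "Cancel-Subscription",
)
OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")

SAMPLE_CONF = """\
Listen /var/run/cups/cups.sock
#Listen localhost:631
Browsing Off
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Create-Job-Subscription Renew-Subscription Get-Notifications Cancel-Subscription>
    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""


def parse_conf(text):
    """Return ({policy: [(ops, directives), ...]}, {top-level directive: [values]})."""
    policies, top, stack, limit = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip()))
            if m.group(1) == "Limit":
                limit = (set(m.group(2).split()), {})
            continue
        if CLOSE_RE.match(line):
            name, _ = stack.pop()
            if name == "Limit":             # attach the block to its enclosing Policy
                policy = next(a for n, a in reversed(stack) if n == "Policy")
                policies.setdefault(policy, []).append(limit)
                limit = None
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if limit is not None:
            limit[1][key] = value
        elif not stack:                      # <Location> bodies are not audited here
            top.setdefault(key, []).append(value)
    return policies, top


def governing_limit(policies, op, policy="default"):
    """The block cupsd applies to op: exact match first, then <Limit All>."""
    blocks = policies.get(policy, [])
    for ops, directives in blocks:
        if op in ops:
            return ops, directives
    for ops, directives in blocks:
        if "All" in ops:
            return ops, directives
    return None


def check_subscription_ops(policies):
    """'restricted' only when Basic auth plus membership in @SYSTEM is required."""
    report = {}
    for op in SUBSCRIPTION_OPS:
        hit = governing_limit(policies, op)
        if hit is None:
            report[op] = "no policy block at all"
            continue
        ops, d = hit
        require = d.get("Require", "")
        who = require.split()[1:] if require.startswith("user") else []
        if d.get("AuthType") == "Basic" and who == ["@SYSTEM"]:
            report[op] = "restricted"
        else:
            report[op] = "falls to <Limit %s>: AuthType=%s Require=%s" % (
                " ".join(sorted(ops)), d.get("AuthType", "none"), require or "none")
    return report


def check_transport(top):
    """The two transport settings the LSPP file changes: no TCP, no browsing."""
    issues = ["TCP listener enabled: " + v
              for v in top.get("Listen", []) + top.get("Port", [])
              if not v.startswith("/")]     # anything but a socket path is TCP
    if any(v.lower() == "on" for v in top.get("Browsing", [])):
        issues.append("Browsing On")
    return issues


if __name__ == "__main__":
    pol, top = parse_conf(SAMPLE_CONF)
    for op, verdict in check_subscription_ops(pol).items():
        print("%-28s %s" % (op, verdict))
    print("transport issues:", check_transport(top) or "none")
```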
From: klaus at atsec.com (Klaus Weidner) Date: Tue, 17 Apr 2007 12:41:55 -0500 Subject: [redhat-lspp] LSPP kickstart config v0.42 released Message-ID: <20070417174155.GQ17276@w-m-p.com> Hello all, please don't use 0.41, that one had a syntax error in the config script. (I forgot to check in a change, sorry). It also updates the cups config as based on the recent discussion. Changes in 0.42: postinst script: fix syntax error (oops, sorry) cupsd.conf: limit "Create-Printer-Subscription" as suggested by Tim Waugh Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository. Workarounds: If the script requires a package that has been replaced by a newer one in the repository, you can do a quick&dirty workaround instead of starting over - put the newer .rpm file in /root/rpms/ and rename it to the expected old name in a "!" escape. If you need to do that, please let me know what the new version is (preferably as a patch to the lspp-config/kickstart/src/rpms.lst file, which is the source for the list in the individual kickstart files). RPM download: http://klaus.vh.swiftco.net/lspp/SRPMS/ http://klaus.vh.swiftco.net/lspp/RPMS/noarch/ Git repository: http://klaus.vh.swiftco.net/lspp/git/ -Klaus From tshighla at us.ibm.com Tue Apr 17 18:40:42 2007 
From: tshighla at us.ibm.com (Trevor S Highland) Date: Tue, 17 Apr 2007 13:40:42 -0500 Subject: [redhat-lspp] write access to /selinux/avc/cache_threshold Message-ID: I am trying to open /selinux/avc/cache_threshold for writing as root with the staff_r role. The open succeeds. When I attempt to write to the file, the write succeeds if I write the value that is currently in the file. If I write any other value write returns EPERM. From my understanding staff_r should not have write access to /selinux/avc/cache_threshold. If this is the case, can anyone explain why the open succeeds. Thank you, Trevor -------------- next part -------------- An HTML attachment was scrubbed... URL: From eparis at redhat.com Tue Apr 17 19:16:57 2007 
From: eparis at redhat.com (Eric Paris)
Date: Tue, 17 Apr 2007 15:16:57 -0400
Subject: [redhat-lspp] write access to /selinux/avc/cache_threshold
In-Reply-To:
References:
Message-ID: <1176837417.4272.2.camel@dhcp59-235.rdu.redhat.com>

On Tue, 2007-04-17 at 13:40 -0500, Trevor S Highland wrote:
> I am trying to open /selinux/avc/cache_threshold for writing as root
> with the staff_r role. The open succeeds. When I attempt to write to
> the file, the write succeeds if I write the value that is currently in
> the file. If I write any other value write returns EPERM. From my
> understanding staff_r should not have write access
> to /selinux/avc/cache_threshold. If this is the case, can anyone
> explain why the open succeeds.
>
> Thank you,
> Trevor

Well the implementation sees this as 2 different operations. The open is
taken care of entirely by standard VFS security hooks. AKA does your
shell (staff_r) have permission to open a system_u:object_r:security_t
file with write. Apparently policy says that it does and I see no reason
why that couldn't be 'fixed' thus solving your inquiry. Dan?

The second operation is actually setting the new value, in that case the
kernel code looks like:

	if (new_value != avc_cache_threshold) {
		ret = task_has_security(current, SECURITY__SETSECPARAM);
		if (ret)
			goto out_free;
		avc_cache_threshold = new_value;
	}

I could buy into switching the task_has_security() hook and the new/old
comparison so you don't have the inconsistency if you don't make a change
and always get an EPERM but if you want the open to fail that's not a
kernel problem and is just a policy issue.

-Eric

From klausk at br.ibm.com Wed Apr 18 13:46:39 2007
From: klausk at br.ibm.com (Klaus Heinrich Kiwi)
Date: Wed, 18 Apr 2007 10:46:39 -0300
Subject: [redhat-lspp] Re: LSPP kickstart config v0.42 released
References: <20070417174155.GQ17276@w-m-p.com>
Message-ID:

Klaus Weidner wrote:
...
> http://klaus.vh.swiftco.net/lspp/git/
>
> -Klaus

Klaus,

I was using .42 today and saw that while updating the required packages,
there are a number of configuration files which are unpacked as '.rpmnew'.
My question is: Wouldn't this be a problem if the updated packages are
different from the GA ones? Wouldn't it be better to use '--replacefiles'
while updating?

Klaus K.

--
.:klaus h kiwi :.

From sgrubb at redhat.com Wed Apr 18 13:58:48 2007
From: sgrubb at redhat.com (Steve Grubb)
Date: Wed, 18 Apr 2007 09:58:48 -0400
Subject: [redhat-lspp] Re: LSPP kickstart config v0.42 released
In-Reply-To:
References: <20070417174155.GQ17276@w-m-p.com>
Message-ID: <200704180958.48554.sgrubb@redhat.com>

On Wednesday 18 April 2007 09:46, Klaus Heinrich Kiwi wrote:
> My question is: Wouldn't this be a problem if the updated packages are
> different from the GA ones?

Yes, this would be a problem.

-Steve

From klaus at atsec.com Wed Apr 18 14:48:50 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Wed, 18 Apr 2007 09:48:50 -0500
Subject: [redhat-lspp] Re: LSPP kickstart config v0.42 released
In-Reply-To:
References: <20070417174155.GQ17276@w-m-p.com>
Message-ID: <20070418144850.GR17276@w-m-p.com>

On Wed, Apr 18, 2007 at 10:46:39AM -0300, Klaus Heinrich Kiwi wrote:
> I was using .42 today and saw that while updating the required packages,
> there are a number of configuration files which are unpacked as '.rpmnew'.
> My question is: Wouldn't this be a problem if the updated packages are
> different from the GA ones? Wouldn't it be better to use '--replacefiles'
> while updating?

This is strange, I just checked the i386 system I installed using 0.42,
and a global "find" shows only a single .rpmnew file,
./etc/pam.d/system-auth.rpmnew, and that one gets overwritten anyway by
the postinstall script.

I'd expect rpmnew files to be created only if config files were manually
modified, not when updating unmodified packages. Of course it can get
confused by autogenerated files.

I'll add --replacefiles, I'd just like to understand why this didn't
happen on my machine... Is it maybe a biarch issue due to duplicate RPMs?
Did you install using the standard method, letting the ks postinstall
script upgrade the RPM files, or did you manually install RPMs or make
configuration changes? And which are the .rpmnew files you see?

-Klaus

From klausk at br.ibm.com Wed Apr 18 16:17:56 2007
From: klausk at br.ibm.com (Klaus Heinrich Kiwi)
Date: Wed, 18 Apr 2007 13:17:56 -0300
Subject: [redhat-lspp] Re: Re: LSPP kickstart config v0.42 released
References: <20070417174155.GQ17276@w-m-p.com> <20070418144850.GR17276@w-m-p.com>
Message-ID:

Klaus Weidner wrote:
> On Wed, Apr 18, 2007 at 10:46:39AM -0300, Klaus Heinrich Kiwi wrote:
...
> I'll add --replacefiles, I'd just like to understand why this didn't
> happen on my machine... Is it maybe a biarch issue due to duplicate RPMs?
> Did you install using the standard method, letting the ks postinstall
> script upgrade the RPM files, or did you manually install RPMs or make
> configuration changes? And which are the .rpmnew files you see?
>
> -Klaus

This is a fresh install. During post-install, I just specified a local
repository web-server (checkered) with the updated rpms. So it was as
standard as it gets :)

The machine is an LS21, opteron powered x86_64. The rpmnew files:

[root/sysadm_r/SystemLow at oracer5 /]# find / -iname '*.rpmnew'
/etc/libaudit.conf.rpmnew
/etc/pam.d/other.rpmnew
/etc/pam.d/config-util.rpmnew
/etc/pam.d/system-auth.rpmnew
/etc/security/time.conf.rpmnew
/etc/security/access.conf.rpmnew
/etc/security/console.handlers.rpmnew
/etc/security/namespace.conf.rpmnew
/etc/security/chroot.conf.rpmnew
/etc/security/group.conf.rpmnew
/etc/security/namespace.init.rpmnew
/etc/security/opasswd.rpmnew
/etc/security/limits.conf.rpmnew
/etc/security/pam_env.conf.rpmnew
[root/sysadm_r/SystemLow at oracer5 /]#

Let me know if you need access to the file.

I'm in the middle of a HS21 installation, I'll report if I see the same
behavior.

Klaus K.

--
.:klaus h kiwi :.

From loulwas at us.ibm.com Wed Apr 18 18:58:41 2007
From: loulwas at us.ibm.com (Loulwa Salem)
Date: Wed, 18 Apr 2007 13:58:41 -0500
Subject: [redhat-lspp] LSPP Development Telecon 04/16/2007 Minutes
Message-ID: <46266A61.4040805@us.ibm.com>

04/16/2007 lspp Meeting Minutes:
===============================

Attendees
George Wilson (IBM) - GW
Kris Wilson (IBM) - KEW
Michael Thompson (IBM) - MT
Loulwa Salem (IBM) - LS
Debora Velarde (IBM) - DV
Joy Latten (IBM) - JL
Klaus Kiwi (IBM) - KK
Irina Boverman (Red Hat) - IB
Steve Grubb (Red Hat) - SG
Dan Walsh (Red Hat) - DW
Eric Paris (Red Hat) - EP
Lisa Smith (HP) - LMS
Linda Knippers (HP) - LK
Matt Anderson (HP) - MA
Paul Moore (HP) - PM
Klaus Weidner (Atsec) - KW
Ken Hake (Atsec) - KH
Chad Hanson (TCS) - CH
Joe Nall - JN

Agenda:
General Issues
Bug Discussion

Repo: http://people.redhat.com/sgrubb/files/lspp/

RHEL 5+ Packages
acl-2.2.39-2.1.el5
aide-0.12-8.el5
audit-1.3.1-4.el5
audit-libs-1.3.1-4.el5
audit-libs-devel-1.3.1-4.el5
audit-libs-python-1.3.1-4.el5
cups-1.2.4-11.8.el5
cups-libs-1.2.4-11.8.el5
ipsec-tools-0.6.5-6.5.el5
kernel-2.6.18-8.1.1.lspp.76.el5
kernel-devel-2.6.18-8.1.1.lspp.76.el5
libacl-2.2.39-2.1.el5
libacl-devel-2.2.39-2.1.el5
libselinux-1.33.4-4.el5
libselinux-devel-1.33.4-4.el5
libselinux-python-1.33.4-4.el5
mcstrans-0.2.3-1.el5
openssh-4.3p2-21.el5
openssh-clients-4.3p2-21.el5
openssh-server-4.3p2-21.el5
pam-0.99.6.2-3.19.el5
pam-devel-0.99.6.2-3.19.el5
policycoreutils-1.33.12-7.el5
policycoreutils-newrole-1.33.12-7.el5
selinux-policy-2.4.6-57.el5
selinux-policy-devel-2.4.6-57.el5
selinux-policy-mls-2.4.6-57.el5
selinux-policy-strict-2.4.6-57.el5
selinux-policy-targeted-2.4.6-57.el5
vixie-cron-4.1-67.el5
lspp-eal4-config-ibm-0.38-1

GW: any general comments before we go into bug list?
JN: I just wanted to say thanks for the awesome response for the bugs I submitted
GW: well... thank you Joe for taking time to test the product, we sure are appreciative to you taking the time and effort to try it out
SG: Yes, that was really great how you found the leaked descriptors bug
JN: funny thing about that is that I saw an email from a developer about that a while ago, but I finally looked into it
GW: anything else we want to bring up
JN: we have to work on the setrans.conf so it has labels in them
GW: good idea. we talked about that on the list when we got the VG change issue. Also Linda was talking about the audit messages that are not shown with the enable audit. We may want to have an audit mechanism to not audit similar to what we have. Linda, not sure if you brought this up on list?
LK: I think we'll have the same issue with the TE don't audit mechanism
DW: you didn't bring it up on selinux list, did you?
LK: no
DW: maybe something we should think about in a greater selinux issue, there is a difference between TE and constraints violation and we treat them the same now
GW: any other issues to go through? ok we'll go through the bug list now

Tracker Bug: https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=224041
Query: https://bugzilla.redhat.com/bugzilla/buglist.cgi?cmdtype=runnamed&namedcmd=RHEL%205.0%20LSPP&namedowner=syeghiay at redhat.com&order=bugs.bug_id

Bug List: Sun Apr 15 15:02:06 EDT 2007

ID     Sev Pri Plt Assignee             Status Summary
231392 hig med All eparis at redhat.com  ASSI   LSPP: Misc soft-lockups in x86_64 lspp.67 kernel

GW: trying to get a read if that one still happens.
SG: there were two different attempts to fix it. internally we've been discussing it. It appears there is a lock held for more than 10 seconds. that's why we were interested in getting base line timing. I think the watchdog kicks in when lock is held for more than 10 seconds. we want to figure out what is going on.
LS: I'll try the new kernel. Currently my system is running tests, once it's done I'll update and see if I still see the lockup. After the meeting probably and I'll update the bugzilla.
KK: I did two runs with the .76 and couldn't reproduce it. my machine is different than what Loulwa is using though. I was asking in bug report, what is the difference between the .75 and .76 kernels? the size dropped so much so I was wondering.
SG: not sure, they are all the same size, I don't have an explanation really.
GW: on ppc we were running with uncompressed kernels, maybe they started compressing them.
EP: build system might have changed.
GW: we found that the srpms was packaging uncompressed kernels. if it is compressed again inside rpm you might not notice much of a difference. I don't know
KK: we still have locking detection enabled though .. right?
SG: yes
GW: and that'll stay on
SG: yes, we have all debug on, if there aren't any more issues, we'll turn the debug off and build another kernel. just waiting to see the soft lockup issue
KK: the touch watchdog code is in which one?
SG: it's in .75, and the NMI watchdog timeout is in the RHEL 5.1 kernel.
GW: so what do we need to do to help close this
SG: we need re-test
EP: can you give us more info about what is going on in the test case
LS: I'll retest after meeting today. As for what the test case is doing, it is basically doing "semodule -R/i/u/r", and I put that in the bugzilla also a while ago.
EP: I can put that watchdog suggestion as Stephen suggested .. we can make the messages go away, but I need to track down what is going on
SG: with 8-way machine, there is more contention for locks ..
EP: the only contention happens if people are trying to do something with linuxfs, but no one should be loading policy at same time
KK: when I tried to do the case steve suggested .. I used strict policy without enforcing, I saw lots of embedded messages, it took about 1 minute until I saw system was in a loop state, so I rebooted, and I could not reproduce it .. just for your information
GW: what platform
KK: ppc - JF21 that I posted results for. It took longer than a minute, I saw a lot of invalidating context messages. I was using ssh session, but had console open where I was seeing those messages.
DW: are you in permissive mode
KK: yes
DW: you went from strict to MLS
KK: the other way, I had mls policy, changed mls to strict in config file then tried to reload. I was in enforcing mode
DW: the machine goes out of its mind. I think all processes would go to unlabeled_t and it would crash. going from one policy to another without full relabel and reboot is not a good idea.
KK: I think that's what it was ..
DW: every time you update policy, it is basically doing a reload of policy. If you see lots of invalidating policy messages that would be a problem
GW: you really want to change config and touch autorelabel and boot. Alright I put a note asking Loulwa to retest and comment on the soft lockup issue
LS: will do that after meeting
GW: and if anyone can test it too, that would be great.

234923 med med All sgrubb at redhat.com  ASSI   LSPP: update lspp.rules file for evaluation

SG: I'll work on that on Wed. one thing I need to get is a list of packages we consider to be trusted or part of the security infrastructure. I think that has to do with the security target. I'll contact you off the list and double check what packages we need to concentrate on. should be something that won't take more than couple of hours to work on
GW: ok, myself and klaus can help you on that

235675 med med All esandeen at redhat.com POST   LSPP: INFO: possible recursive locking detected

SG: we were waiting for recurrences on that one. On absence of recurrence we are leaning to close it
LK: I am not sure about it, since I only saw it twice and never saw it again. the bug fix for upstream is valid though
EP: yeah.. seemed appropriate for what you are seeing

236060 hig med ppc dwalsh at redhat.com  MODI   LSPP: vgchange -a y does not detect vg's

GW: there is a fix, The fix won't work if you are logged in at systemhigh, you get the locking issue
LK: I think it won't work if you are anything higher than systemlow even. I saw Dan's note on that about why we don't want to be at systemhigh..
JN: I think generally you want to do system administration at systemlow, what we've seen is people log in at systemhigh and don't change back .. which causes problems
DW: we need to make those files selinux aware. If I am at systemhigh and create a file, my file will be systemhigh unless it has selinux awareness. This goes for any tool you run at systemhigh.
GW: so we need to make sure all system administration tools function correctly when we log in at systemlow
LK: I always log in at systemlow
GW: I think aide needs work . it has to be at systemhigh sometimes
DW: does it create any files
GW: no, so that should be ok
MT: only time we escalate is for audit log
GW: this needs to be documented again
DW: by nature, just stay away from systemhigh
LK: sounds then we are set with this bugzilla
IB: so I'll take it off the list
GW: we'll just need to make sure it's in the documentation

236316 urg med All tmraz at redhat.com   ASSI   LSPP: Unable to change expired password on ssh login

DW: we are working on fixing this internally. it won't hold up lspp, but it needs to be fixed for 5.1
LK: I think it will hold it
DW: there is a work around it
KW: we need to know about it, since we need that information for the evaluator to run
SG: I think we need to fix this Dan. Tomas is working on a fix
DW: I'm afraid we'll rush a fix that might have a security problem
SG: It just means we need to review it carefully
DW: this will involve a helper function
EP: did we try this on local login
DW: I tried it and it's broken too. what's happening is that pam is trying to manipulate etc_t
KW: I thought normally pam components are running as whatever program runs the library
DW: right, we want to avoid having those tools manipulate etc_t.
GW: so that one is in the works and I updated that we need it fixed. Do you have target date?
DW: Tomas is working on it
SG: we'll try by end of week, but as Dan mentioned we need to make sure it doesn't open a hole.
DW: we need to scrutinize it like we scrutinize the password programs

236479 hig med All dwalsh at redhat.com  ASSI   LSPP: bad aide fc regex

GW: already fixed and I verified it, so it can come off the list.
IB: alright, I'll remove it
GW: any other issues
KW: wanted to talk about adding limitations to cups .. I think it would be good idea
MA: yes I agree klaus, only reason I didn't send patch was to verify with Tim first that I was not limiting the wrong thing. It'll be good to add those few lines
KW: ok, do you want to submit patch, or should I add them?
MA: it'll only be couple of lines, so maybe easier if you add them
KW: ok, I will
LK: one other random thing, George are you working on policy for rbac self tests
GW: yes, I got rid of a problem and still trying to make things work correctly.. Ok, any other items? alright thanks everyone, we'll adjourn

From dwalsh at redhat.com Wed Apr 18 20:20:34 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 18 Apr 2007 16:20:34 -0400
Subject: [redhat-lspp] write access to /selinux/avc/cache_threshold
In-Reply-To: <1176837417.4272.2.camel@dhcp59-235.rdu.redhat.com>
References: <1176837417.4272.2.camel@dhcp59-235.rdu.redhat.com>
Message-ID: <46267D92.2090109@redhat.com>

Eric Paris wrote:
> On Tue, 2007-04-17 at 13:40 -0500, Trevor S Highland wrote:
>
>> I am trying to open /selinux/avc/cache_threshold for writing as root
>> with the staff_r role. The open succeeds. When I attempt to write to
>> the file, the write succeeds if I write the value that is currently in
>> the file. If I write any other value write returns EPERM. From my
>> understanding staff_r should not have write access
>> to /selinux/avc/cache_threshold. If this is the case, can anyone
>> explain why the open succeeds.
>>
>> Thank you,
>> Trevor
>>
>
> Well the implementation sees this as 2 different operations. The open
> is taken care of entirely by standard VFS security hooks. AKA does your
> shell (staff_r) have permission to open a system_u:object_r:security_t
> file with write. Apparently policy says that it does and I see no
> reason why that couldn't be 'fixed' thus solving your inquiry. Dan?
>
> The second operation is actually setting the new value, in that case the
> kernel code looks like:
>
>     if (new_value != avc_cache_threshold) {
>         ret = task_has_security(current, SECURITY__SETSECPARAM);
>         if (ret)
>             goto out_free;
>         avc_cache_threshold = new_value;
>     }
>
> I could buy into switching the task_has_security() hook and the new/old
> comparison so you don't have the inconsistency if you don't make a
> change and always get an EPERM but if you want the open to fail that's
> not a kernel problem and is just a policy issue.
>
> Checks in SELinux happen on read/write not on open.
>
> -Eric
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
>

From klaus at atsec.com Thu Apr 19 13:51:12 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Thu, 19 Apr 2007 08:51:12 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.43 released
Message-ID: <20070419135112.GS17276@w-m-p.com>

Hello all,

some bugfixes, enhancements to the RBAC self test, and new package
versions. This version should get rid of the ".rpmnew" files created when
upgrading packages in the postinst section which appeared to be specific
to the biarch platforms.

Changes in 0.43:

commit c70a61017fd885f52fd00d01852cbee19a456596
Author: Klaus Weidner
Date:   Thu Apr 19 08:46:50 2007 -0500

    packages: bump selinux-policy to -60

commit 271bb1105cd591290fda55c78023e02848546f59
Author: George Wilson
Date:   Wed Apr 18 19:16:55 2007 -0500

    packages: bump aide version to .9

commit 6e56aec870463ad85a724e35f66956e57e919708
Author: Klaus Weidner
Date:   Wed Apr 18 09:48:19 2007 -0500

    post-inst: use "rpm --replacefiles" to prevent creating .rpmnew files

commit cc2fcb58aa6d6a276d811116b05d1119c41ff7ca
Author: George Wilson
Date:   Tue Apr 17 13:00:27 2007 -0500

    rbac-self-test: use internal runcon, update policy

    Changed rbac-self-test to use self.runcon() rather than os.spawnv() in
    order to run aide at SystemHigh. This means that rbac-self-test can now
    be run at SystemLow. Also moved the aide --check to beneath the other
    checks.

    Updated policy to add additional aide db TE permissions and to get rid
    of newrole permissions. I still need to do more work to minimize the
    policy.

commit f149bef4b133a62a4f39bdc1211af579de28611a
Author: George Wilson
Date:   Mon Apr 16 00:55:14 2007 -0500

    rbac-self-test: allow rbacselftest_t aide_db_t:file { create rename };

Please get the packages the script requests in the postinstall phase from
the http://people.redhat.com/sgrubb/files/lspp/ repository.

Workarounds: If the script requires a package that has been replaced by a
newer one in the repository, you can do a quick&dirty workaround instead
of starting over - put the newer .rpm file in /root/rpms/ and rename it
to the expected old name in a "!" escape. If you need to do that, please
let me know what the new version is (preferably as a patch to the
lspp-config/kickstart/src/rpms.lst file, which is the source for the
list in the individual kickstart files).

RPM download:
http://klaus.vh.swiftco.net/lspp/SRPMS/
http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:
http://klaus.vh.swiftco.net/lspp/git/

-Klaus

From klaus at atsec.com Thu Apr 19 14:05:06 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Thu, 19 Apr 2007 09:05:06 -0500
Subject: [redhat-lspp] write access to /selinux/avc/cache_threshold
In-Reply-To: <46267D92.2090109@redhat.com>
References: <1176837417.4272.2.camel@dhcp59-235.rdu.redhat.com> <46267D92.2090109@redhat.com>
Message-ID: <20070419140506.GT17276@w-m-p.com>

On Wed, Apr 18, 2007 at 04:20:34PM -0400, Daniel J Walsh wrote:
> Eric Paris wrote:
> >Well the implementation sees this as 2 different operations. The open
> >is taken care of entirely by standard VFS security hooks. AKA does your
> >shell (staff_r) have permission to open a system_u:object_r:security_t
> >file with write. Apparently policy says that it does and I see no
> >reason why that couldn't be 'fixed' thus solving your inquiry. Dan?
>
> Checks in SELinux happen on read/write not on open.

Argh, that approach would be a major problem for the LSPP evaluations...
When we were classifying the security relevance of system calls, the
basic assumption was that the security critical check happens when
opening the file, and any additional checks for read/write add additional
restrictions that aren't relevant for LSPP compliance.

Based on what Eric says, that should at least be the case for the MLS and
object type based checks, since the full information about the labels is
available to the open() check.

I'm not convinced that the read()/write() checks are reliable since there
are multiple alternative interfaces such as splice(), and for example I
didn't see an obvious LSM hook in net/ipv4/tcp.c:do_tcp_sendpages().

-Klaus

From sds at tycho.nsa.gov Thu Apr 19 15:04:49 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 19 Apr 2007 11:04:49 -0400
Subject: [redhat-lspp] write access to /selinux/avc/cache_threshold
In-Reply-To: <1176837417.4272.2.camel@dhcp59-235.rdu.redhat.com>
References: <1176837417.4272.2.camel@dhcp59-235.rdu.redhat.com>
Message-ID: <1176995089.27654.35.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-04-17 at 15:16 -0400, Eric Paris wrote:
> On Tue, 2007-04-17 at 13:40 -0500, Trevor S Highland wrote:
> > I am trying to open /selinux/avc/cache_threshold for writing as root
> > with the staff_r role. The open succeeds. When I attempt to write to
> > the file, the write succeeds if I write the value that is currently in
> > the file. If I write any other value write returns EPERM. From my
> > understanding staff_r should not have write access
> > to /selinux/avc/cache_threshold. If this is the case, can anyone
> > explain why the open succeeds.
> >
> > Thank you,
> > Trevor
>
> Well the implementation sees this as 2 different operations. The open
> is taken care of entirely by standard VFS security hooks. AKA does your
> shell (staff_r) have permission to open a system_u:object_r:security_t
> file with write. Apparently policy says that it does and I see no
> reason why that couldn't be 'fixed' thus solving your inquiry. Dan?
>
> The second operation is actually setting the new value, in that case the
> kernel code looks like:
>
>     if (new_value != avc_cache_threshold) {
>         ret = task_has_security(current, SECURITY__SETSECPARAM);
>         if (ret)
>             goto out_free;
>         avc_cache_threshold = new_value;
>     }
>
> I could buy into switching the task_has_security() hook and the new/old
> comparison so you don't have the inconsistency if you don't make a
> change and always get an EPERM but if you want the open to fail that's
> not a kernel problem and is just a policy issue.

Odd, I already had a discussion about this issue with Camilo Campo and
Kris Wilson of IBM in March and explained it to them at the time. They
chose to send me private email about it rather than to the list.

Prohibiting all writes to security_t by staff_t would prevent use of the
policy decision interfaces that are transactional in nature. Setting of
things like the enforcing flag, booleans, and cache threshold are checked
at write time, not open time.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Thu Apr 19 15:40:16 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 19 Apr 2007 11:40:16 -0400
Subject: [redhat-lspp] write access to /selinux/avc/cache_threshold
In-Reply-To: <20070419140506.GT17276@w-m-p.com>
References: <1176837417.4272.2.camel@dhcp59-235.rdu.redhat.com> <46267D92.2090109@redhat.com> <20070419140506.GT17276@w-m-p.com>
Message-ID: <1176997216.27654.47.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-04-19 at 09:05 -0500, Klaus Weidner wrote:
> On Wed, Apr 18, 2007 at 04:20:34PM -0400, Daniel J Walsh wrote:
> > Eric Paris wrote:
> > >Well the implementation sees this as 2 different operations. The open
> > >is taken care of entirely by standard VFS security hooks. AKA does your
> > >shell (staff_r) have permission to open a system_u:object_r:security_t
> > >file with write. Apparently policy says that it does and I see no
> > >reason why that couldn't be 'fixed' thus solving your inquiry. Dan?
> >
> > Checks in SELinux happen on read/write not on open.
>
> Argh, that approach would be a major problem for the LSPP evaluations...
> When we were classifying the security relevance of system calls, the
> basic assumption was that the security critical check happens when
> opening the file, and any additional checks for read/write add additional
> restrictions that aren't relevant for LSPP compliance.
>
> Based on what Eric says, that should at least be the case for the MLS and
> object type based checks, since the full information about the labels is
> available to the open() check.
>
> I'm not convinced that the read()/write() checks are reliable since there
> are multiple alternative interfaces such as splice(), and for example I
> didn't see an obvious LSM hook in net/ipv4/tcp.c:do_tcp_sendpages().

SELinux does check generic read/write against the inode at open time,
but the per-operation checks for e.g. selinuxfs operations happen within
the selinuxfs implementation on read/write. And those aren't bypassable
- they aren't happening in the vfs but in the actual underlying
operation.

--
Stephen Smalley
National Security Agency

From klaus at atsec.com Thu Apr 19 16:21:48 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Thu, 19 Apr 2007 11:21:48 -0500
Subject: [redhat-lspp] write access to /selinux/avc/cache_threshold
In-Reply-To: <1176997216.27654.47.camel@moss-spartans.epoch.ncsc.mil>
References: <1176837417.4272.2.camel@dhcp59-235.rdu.redhat.com> <46267D92.2090109@redhat.com> <20070419140506.GT17276@w-m-p.com> <1176997216.27654.47.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20070419162148.GU17276@w-m-p.com>

On Thu, Apr 19, 2007 at 11:40:16AM -0400, Stephen Smalley wrote:
> On Thu, 2007-04-19 at 09:05 -0500, Klaus Weidner wrote:
> > Argh, that approach would be a major problem for the LSPP evaluations...
> > When we were classifying the security relevance of system calls, the
> > basic assumption was that the security critical check happens when
> > opening the file, and any additional checks for read/write add additional
> > restrictions that aren't relevant for LSPP compliance.
> >
> > Based on what Eric says, that should at least be the case for the MLS and
> > object type based checks, since the full information about the labels is
> > available to the open() check.
> >
> > I'm not convinced that the read()/write() checks are reliable since there
> > are multiple alternative interfaces such as splice(), and for example I
> > didn't see an obvious LSM hook in net/ipv4/tcp.c:do_tcp_sendpages().
>
> SELinux does check generic read/write against the inode at open time,
> but the per-operation checks for e.g. selinuxfs operations happen within
> the selinuxfs implementation on read/write. And those aren't bypassable
> - they aren't happening in the vfs but in the actual underlying
> operation.

Thank you for the clarification - would it be fair to say that all
objects that contain or transport user data (including network sockets)
are guaranteed to have a check at open time? That would be the most
important thing for the evaluation.

If administrative interfaces such as /selinux or /proc/self/attr/ have
different semantics I guess we can live with that, since they do not
contain arbitrary user data that would need to be covered by the MLS
policy. The administrative actions would then be controlled during the
actual operation, and it's an implementation detail that this happens
during write() calls.

-Klaus

From sds at tycho.nsa.gov Thu Apr 19 16:45:47 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 19 Apr 2007 12:45:47 -0400
Subject: [redhat-lspp] write access to /selinux/avc/cache_threshold
In-Reply-To: <20070419162148.GU17276@w-m-p.com>
References: <1176837417.4272.2.camel@dhcp59-235.rdu.redhat.com> <46267D92.2090109@redhat.com> <20070419140506.GT17276@w-m-p.com> <1176997216.27654.47.camel@moss-spartans.epoch.ncsc.mil> <20070419162148.GU17276@w-m-p.com>
Message-ID: <1177001147.27654.91.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-04-19 at 11:21 -0500, Klaus Weidner wrote:
> On Thu, Apr 19, 2007 at 11:40:16AM -0400, Stephen Smalley wrote:
> > On Thu, 2007-04-19 at 09:05 -0500, Klaus Weidner wrote:
> > > Argh, that approach would be a major problem for the LSPP evaluations...
> > > When we were classifying the security relevance of system calls, the
> > > basic assumption was that the security critical check happens when
> > > opening the file, and any additional checks for read/write add additional
> > > restrictions that aren't relevant for LSPP compliance.
> > >
> > > Based on what Eric says, that should at least be the case for the MLS and
> > > object type based checks, since the full information about the labels is
> > > available to the open() check.
> > >
> > > I'm not convinced that the read()/write() checks are reliable since there
> > > are multiple alternative interfaces such as splice(), and for example I
> > > didn't see an obvious LSM hook in net/ipv4/tcp.c:do_tcp_sendpages().
> >
> > SELinux does check generic read/write against the inode at open time,
> > but the per-operation checks for e.g. selinuxfs operations happen within
> > the selinuxfs implementation on read/write. And those aren't bypassable
> > - they aren't happening in the vfs but in the actual underlying
> > operation.
>
> Thank you for the clarification - would it be fair to say that all
> objects that contain or transport user data (including network sockets)
> are guaranteed to have a check at open time? That would be the most
> important thing for the evaluation.

Well, we always apply a check upon open(2) via the
selinux_inode_permission() hook function between the task and the inode.
Not sure what you are looking for in the case of objects that don't use
open(2), like sockets and System V IPC. In the socket case, we don't
know information about the peer's label until we get a packet from them,
so we can't do it up front. In the IPC case, we hooked ipcperms() to
parallel the mode-based checks there and also added hooks throughout to
ensure that we had a MAC check whenever they had an ownership check.

We also recheck upon descriptor inheritance across execve (if the label
is changing) and upon descriptor transfer across local IPC.

> If administrative interfaces such as /selinux or /proc/self/attr/ have
> different semantics I guess we can live with that, since they do not
> contain arbitrary user data that would need to be covered by the MLS
> policy. The administrative actions would then be controlled during the
> actual operation, and it's an implementation detail that this happens
> during write() calls.

I don't think selinux is unique in applying more specific checks within
its read/write methods; I think you'll see the same kind of thing in
other filesystems and drivers for DAC and capability checks (e.g. proc
has to apply its ptrace checking at read/write time).

--
Stephen Smalley
National Security Agency

From klaus at atsec.com Fri Apr 20 01:02:14 2007
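[Editor's added example, not part of Stephen's message or of the kernel.] The layering Stephen describes across this thread can be sketched as a small user-space model: an open-time check between task and inode (standing in for selinux_inode_permission()), a re-check when an open descriptor reaches another domain, and an operation-specific check that lives inside the object's own write handler. Labels are plain strings and the policy is a hard-coded table; the domain and type names (staff_t, sysadm_t, security_t, private_data_t) and the rules in that table are assumptions chosen to match the staff_r observation in the thread, not real policy.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of where the checks discussed in the thread sit, not
 * kernel code.  Labels are strings; the policy is a tiny assumed table. */

#define FMODE_READ  0x1
#define FMODE_WRITE 0x2

struct inode {
    const char *type;                                   /* object type */
    int (*op_write)(struct inode *ino, unsigned int v); /* NULL for plain data */
    unsigned int value;                                 /* tunable or data */
};

struct file {
    struct inode *inode;
    int mode;
};

/* Mock subject: the calling domain and whether it holds setsecparam. */
static const char *cur_domain = "staff_t";
static int cur_has_setsecparam;

/* Assumed policy for the open-time check: staff_t may open security_t for
 * write (as the poster observed) but not user data labelled private_data_t;
 * sysadm_t may open both; everything may be opened read-only. */
static int policy_allows(const char *domain, const char *type, int mode)
{
    int want_write = mode & FMODE_WRITE;

    if (strcmp(domain, "sysadm_t") == 0)
        return 1;
    if (strcmp(domain, "staff_t") == 0)
        return !want_write || strcmp(type, "security_t") == 0;
    return 0;
}

/* Open-time check, standing in for the selinux_inode_permission() hook:
 * applied between task and inode before any data moves, and the only
 * SELinux check an ordinary data file gets for later read/write. */
static int do_open(struct inode *ino, int mode, struct file *out)
{
    if (!policy_allows(cur_domain, ino->type, mode))
        return -EACCES;
    out->inode = ino;
    out->mode = mode;
    return 0;
}

/* Re-check when an already-open descriptor arrives in another domain
 * (execve with a label change, or transfer over local IPC): the receiver
 * is checked against the inode as if it had opened the file itself. */
static int receive_fd(const struct file *f, const char *receiver_domain)
{
    return policy_allows(receiver_domain, f->inode->type, f->mode) ? 0 : -EACCES;
}

/* Operation-specific handler for an administrative tunable.  The
 * setsecparam check lives inside the operation, so it runs whichever
 * VFS path dispatched here. */
static int tunable_op_write(struct inode *ino, unsigned int v)
{
    if (!cur_has_setsecparam)
        return -EPERM;
    ino->value = v;
    return 0;
}

/* VFS-level write: only the descriptor mode is checked here; any
 * object-specific check belongs to the handler. */
static int vfs_write(struct file *f, unsigned int v)
{
    if (!(f->mode & FMODE_WRITE))
        return -EBADF;
    if (f->inode->op_write)
        return f->inode->op_write(f->inode, v);
    f->inode->value = v;
    return 0;
}

/* Thread scenario: staff_t may open the tunable for write, but the write
 * itself is refused inside the handler and the value stays put. */
static int staff_open_ok_write_refused(void)
{
    struct inode tunable = { "security_t", tunable_op_write, 512 };
    struct file f;

    cur_domain = "staff_t";
    cur_has_setsecparam = 0;
    return do_open(&tunable, FMODE_WRITE, &f) == 0 &&
           vfs_write(&f, 1024) == -EPERM && tunable.value == 512;
}

/* User data: decided at open time, and a descriptor handed to a domain
 * that could not have opened it is refused on receipt. */
static int user_data_checked_at_open(void)
{
    struct inode data = { "private_data_t", NULL, 0 };
    struct file f;

    cur_domain = "staff_t";
    if (do_open(&data, FMODE_WRITE, &f) != -EACCES)
        return 0;
    cur_domain = "sysadm_t";
    if (do_open(&data, FMODE_WRITE, &f) != 0 || vfs_write(&f, 7) != 0)
        return 0;
    return receive_fd(&f, "staff_t") == -EACCES &&
           receive_fd(&f, "sysadm_t") == 0 && data.value == 7;
}

int main(void)
{
    printf("tunable: open allowed, write refused in handler: %s\n",
           staff_open_ok_write_refused() ? "yes" : "no");
    printf("user data: decided at open and on fd transfer: %s\n",
           user_data_checked_at_open() ? "yes" : "no");
    return 0;
}
```

The model is what Klaus's evaluation question turns on: for objects holding user data the decision is made at open (and repeated on descriptor transfer), while for an administrative interface the open-time check only decides whether the file may be opened at all and the real gate is inside the operation, which is why no alternative VFS entry path reaches the tunable without passing it.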
From: klaus at atsec.com (Klaus Weidner)
Date: Thu, 19 Apr 2007 20:02:14 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.44 released
Message-ID: <20070420010214.GV17276@w-m-p.com>

Hello all,

version bump only.

Changes in 0.44:

commit 17ee3bba1d8c4c017155a12351eeb20ccaaa3e8d
Author: George Wilson
Date:   Thu Apr 19 19:19:54 2007 -0500

    packages: bump selinux-policy to -61

Please get the packages the script requests in the postinstall phase from
the http://people.redhat.com/sgrubb/files/lspp/ repository.

Workarounds: If the script requires a package that has been replaced by a
newer one in the repository, you can do a quick&dirty workaround instead
of starting over - put the newer .rpm file in /root/rpms/ and rename it
to the expected old name in a "!" escape. If you need to do that, please
let me know what the new version is (preferably as a patch to the
lspp-config/kickstart/src/rpms.lst file, which is the source for the
list in the individual kickstart files).

RPM download:
http://klaus.vh.swiftco.net/lspp/SRPMS/
http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:
http://klaus.vh.swiftco.net/lspp/git/

-Klaus

From paul.moore at hp.com Fri Apr 20 13:32:01 2007
From: paul.moore at hp.com (Paul Moore)
Date: Fri, 20 Apr 2007 09:32:01 -0400
Subject: [redhat-lspp] LSPP kickstart config v0.44 released
In-Reply-To: <20070420010214.GV17276@w-m-p.com>
References: <20070420010214.GV17276@w-m-p.com>
Message-ID: <200704200932.01865.paul.moore@hp.com>

On Thursday, April 19 2007 9:02:14 pm Klaus Weidner wrote:
> version bump only.
>
> Changes in 0.44:

When it gets to 0.100 I don't know about you but I plan to sell ... ;)

--
paul moore
linux security @ hp

From klausk at br.ibm.com Fri Apr 20 16:44:28 2007
From: klausk at br.ibm.com (Klaus Heinrich Kiwi)
Date: Fri, 20 Apr 2007 13:44:28 -0300
Subject: [redhat-lspp] Re: LSPP kickstart config v0.44 released
References: <20070420010214.GV17276@w-m-p.com>
Message-ID:

Klaus Weidner wrote:
> Hello all,
>
> version bump only.

I thought that '--replacefiles' was sufficient to prevent rpm from creating configuration files as .rpm.. well, apparently I was wrong.. this happened on a s390x install, using ks 0.43-2 (release 2 here is a package built exactly like 0.43-1, with updated needed rpms only):

WARNING: no valid signature: acl-2.2.39-2.1.el5.s390x.rpm
WARNING: no valid signature: aide-0.12-9.el5.s390x.rpm
WARNING: no valid signature: audit-1.3.1-4.el5.s390x.rpm
WARNING: no valid signature: audit-libs-1.3.1-4.el5.s390.rpm
WARNING: no valid signature: audit-libs-1.3.1-4.el5.s390x.rpm
WARNING: no valid signature: audit-libs-devel-1.3.1-4.el5.s390.rpm
WARNING: no valid signature: audit-libs-devel-1.3.1-4.el5.s390x.rpm
WARNING: no valid signature: audit-libs-python-1.3.1-4.el5.s390x.rpm
WARNING: no valid signature: cups-1.2.4-11.8.el5.s390x.rpm
WARNING: no valid signature: cups-libs-1.2.4-11.8.el5.s390.rpm
WARNING: no valid signature: cups-libs-1.2.4-11.8.el5.s390x.rpm
WARNING: no valid signature: ipsec-tools-0.6.5-6.6.el5.s390x.rpm
WARNING: no valid signature: kernel-2.6.18-8.1.1.lspp.76.el5.s390x.rpm
WARNING: no valid signature: kernel-devel-2.6.18-8.1.1.lspp.76.el5.s390x.rpm
WARNING: no valid signature: libacl-2.2.39-2.1.el5.s390.rpm
WARNING: no valid signature: libacl-2.2.39-2.1.el5.s390x.rpm
WARNING: no valid signature: libacl-devel-2.2.39-2.1.el5.s390.rpm
WARNING: no valid signature: libacl-devel-2.2.39-2.1.el5.s390x.rpm
WARNING: no valid signature: libselinux-1.33.4-4.el5.s390.rpm
WARNING: no valid signature: libselinux-1.33.4-4.el5.s390x.rpm
WARNING: no valid signature: libselinux-devel-1.33.4-4.el5.s390x.rpm
WARNING: no valid signature: libselinux-python-1.33.4-4.el5.s390x.rpm
WARNING: no valid signature: lspp-eal4-config-ibm-0.43-2.noarch.rpm
WARNING: no valid signature: mcstrans-0.2.3-1.el5.s390x.rpm
WARNING: no valid signature: openssh-4.3p2-21.el5.s390x.rpm
WARNING: no valid signature: openssh-clients-4.3p2-21.el5.s390x.rpm
WARNING: no valid signature: openssh-server-4.3p2-21.el5.s390x.rpm
WARNING: no valid signature: pam-0.99.6.2-3.19.el5.s390.rpm
WARNING: no valid signature: pam-0.99.6.2-3.19.el5.s390x.rpm
WARNING: no valid signature: pam-devel-0.99.6.2-3.19.el5.s390x.rpm
WARNING: no valid signature: policycoreutils-1.33.12-7.el5.s390x.rpm
WARNING: no valid signature: policycoreutils-newrole-1.33.12-7.el5.s390x.rpm
WARNING: no valid signature: selinux-policy-2.4.6-61.el5.noarch.rpm
WARNING: no valid signature: selinux-policy-devel-2.4.6-61.el5.noarch.rpm
WARNING: no valid signature: selinux-policy-mls-2.4.6-61.el5.noarch.rpm
WARNING: no valid signature: selinux-policy-strict-2.4.6-61.el5.noarch.rpm
WARNING: no valid signature: selinux-policy-targeted-2.4.6-61.el5.noarch.rpm
WARNING: no valid signature: vixie-cron-4.1-67.el5.s390x.rpm
Install RPMs without valid signatures (not recommended) (y/n) [n] ? y
Preparing... ########################################### [100%]
1:audit-libs ########################################### [ 3%]
2:libacl ########################################### [ 5%]
3:audit-libs warning: /etc/libaudit.conf created as /etc/libaudit.conf.rpmnew
########################################### [ 8%]
4:cups-libs ########################################### [ 11%]
5:audit-libs-python ########################################### [ 13%]
6:libacl ########################################### [ 16%]
7:kernel ########################################### [ 18%]
8:cups-libs ########################################### [ 21%]
9:lspp-eal4-config-ibm ########################################### [ 24%]
10:libacl-devel ########################################### [ 26%]
11:audit-libs-devel ########################################### [ 29%]
12:acl ########################################### [ 32%]
13:libacl-devel ########################################### [ 34%]
14:audit ########################################### [ 37%]
15:audit-libs-devel ########################################### [ 39%]
16:kernel-devel ########################################### [ 42%]
17:libselinux ########################################### [ 45%]
18:pam warning: /etc/pam.d/system-auth created as /etc/pam.d/system-auth.rpmnew
########################################### [ 47%]
19:mcstrans ########################################### [ 50%]
20:libselinux ########################################### [ 53%]
21:libselinux-python ########################################### [ 55%]
22:policycoreutils ########################################### [ 58%]
23:selinux-policy ########################################### [ 61%]
24:policycoreutils-newrole########################################### [ 63%]
25:openssh ########################################### [ 66%]
26:pam warning: /etc/pam.d/config-util created as /etc/pam.d/config-util.rpmnew
warning: /etc/pam.d/other created as /etc/pam.d/other.rpmnew
warning: /etc/pam.d/system-auth created as /etc/pam.d/system-auth.rpmnew
warning: /etc/security/access.conf created as /etc/security/access.conf.rpmnew
warning: /etc/security/chroot.conf created as /etc/security/chroot.conf.rpmnew
warning: /etc/security/console.handlers created as /etc/security/console.handlers.rpmnew
warning: /etc/security/group.conf created as /etc/security/group.conf.rpmnew
warning: /etc/security/limits.conf created as /etc/security/limits.conf.rpmnew
warning: /etc/security/namespace.conf created as /etc/security/namespace.conf.rpmnew
warning: /etc/security/namespace.init created as /etc/security/namespace.init.rpmnew
warning: /etc/security/opasswd created as /etc/security/opasswd.rpmnew
warning: /etc/security/pam_env.conf created as /etc/security/pam_env.conf.rpmnew
warning: /etc/security/time.conf created as /etc/security/time.conf.rpmnew
########################################### [ 68%]
27:aide ########################################### [ 71%]
28:cups ########################################### [ 74%]
29:ipsec-tools ########################################### [ 76%]
30:libselinux-devel ########################################### [ 79%]
31:openssh-clients ########################################### [ 82%]
32:openssh-server ########################################### [ 84%]
33:pam-devel ########################################### [ 87%]
34:selinux-policy-devel ########################################### [ 89%]
35:selinux-policy-mls ########################################### [ 92%]
36:selinux-policy-strict ########################################### [ 95%]
37:selinux-policy-targeted########################################### [ 97%]
/sbin/restorecon reset /etc/cron.daily/0anacron context system_u:object_r:etc_t:s0->system_u:object_r:bin_t:s0
/sbin/restorecon reset /etc/cron.daily/cups context system_u:object_r:etc_t:s0->system_u:object_r:bin_t:s0
/sbin/restorecon reset /etc/cron.daily/logrotate context system_u:object_r:etc_t:s0->system_u:object_r:bin_t:s0
/sbin/restorecon reset /etc/cron.daily/makewhatis.cron context system_u:object_r:etc_t:s0->system_u:object_r:bin_t:s0
/sbin/restorecon reset /etc/cron.daily/mlocate.cron context system_u:object_r:etc_t:s0->system_u:object_r:bin_t:s0
/sbin/restorecon reset /etc/cron.daily/prelink context system_u:object_r:etc_t:s0->system_u:object_r:bin_t:s0
/sbin/restorecon reset /etc/cron.daily/rpm context system_u:object_r:etc_t:s0->system_u:object_r:bin_t:s0
/sbin/restorecon reset /etc/cron.daily/tmpwatch context system_u:object_r:etc_t:s0->system_u:object_r:bin_t:s0
/sbin/restorecon reset /etc/cron.monthly/0anacron context system_u:object_r:etc_t:s0->system_u:object_r:bin_t:s0
/sbin/restorecon reset /etc/cron.weekly/0anacron context system_u:object_r:etc_t:s0->system_u:object_r:bin_t:s0
/sbin/restorecon reset /etc/cron.weekly/makewhatis.cron context system_u:object_r:etc_t:s0->system_u:object_r:bin_t:s0
38:vixie-cron ########################################### [100%]
Switching SELinux to MLS mode...
Fixing file labels...
/sbin/setfiles: labeling files under /
************************************************matchpathcon_filespec_eval: hash table stats: 44140 elements, 35085/65536 buckets used, longest chain length 3
/sbin/setfiles: labeling files under /boot
matchpathcon_filespec_eval: hash table stats: 11 elements, 11/65536 buckets used, longest chain length 1
/sbin/setfiles: labeling files under /var/log
matchpathcon_filespec_eval: hash table stats: 18 elements, 18/65536 buckets used, longest chain length 1
/sbin/setfiles: Done.

-- 
.:klaus h kiwi :.

From klaus at atsec.com Fri Apr 20 21:53:03 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Fri, 20 Apr 2007 16:53:03 -0500
Subject: [redhat-lspp] Re: LSPP kickstart config v0.44 released
In-Reply-To:
References: <20070420010214.GV17276@w-m-p.com>
Message-ID: <20070420215303.GX17276@w-m-p.com>

On Fri, Apr 20, 2007 at 01:44:28PM -0300, Klaus Heinrich Kiwi wrote:
> I thought that '--replacefiles' was suficient to prevent rpm to create
> configuration files as .rpm.. well, apparently I was wrong..
>
> 18:pam warning: /etc/pam.d/system-auth created
> as /etc/pam.d/system-auth.rpmnew
> ########################################### [ 47%]
[...]
> 26:pam warning: /etc/pam.d/config-util created
> as /etc/pam.d/config-util.rpmnew
> warning: /etc/pam.d/other created as /etc/pam.d/other.rpmnew
> warning: /etc/pam.d/system-auth created as /etc/pam.d/system-auth.rpmnew
[...]

This does seem to be due to the biarch packages conflicting with themselves, and I don't have any idea how to fix it. Any RPM experts present?

I don't think it's urgent to fix it, the extra files are annoying but should not actually change the resulting evaluated config.

-Klaus

From klaus at atsec.com Sat Apr 21 00:07:16 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Fri, 20 Apr 2007 19:07:16 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.45 released
Message-ID: <20070421000716.GY17276@w-m-p.com>

Hello all,

since things seemed to be settling down, here are some more radical changes to keep things exciting ;-)

Changes in 0.45 (trivial changes collapsed):

    postinst: add opportunity/reminder to change system time (thanks George)

    Limit privileged /sbin/consoletype to admin, provide nonpriv copy for users

        The /sbin/consoletype program uses consoletype_t to gain MLS override privileges. This privilege is not directly available to normal users, but the analysis to verify this is nontrivial. It's also not necessary. Create a copy of the program with no special privileges, and change the /etc/profile.d/lang.* files to use that one instead.

    rbac-self-test: add environment scrubbing flag (thanks George)

    spec file: set rbac-self-test mode bits to 0 for g and o (thanks George)

    preinst: support using multiple disks for the logical volume group install

        When prompted for the install disk, supply a comma separated list of disks to install on, for example "sda,sdb"; the logical volume used for the install will then span across all of them. Also works for the installer command line, for example "instdisk=dasda,dasdb,dasdc".

    packages: new ipsec-tools and selinux-policy

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository (workarounds for replaced package versions as in the 0.44 announcement).
-Klaus

From ltcgcw at us.ibm.com Sun Apr 22 21:13:43 2007
From: ltcgcw at us.ibm.com (George C. Wilson)
Date: Sun, 22 Apr 2007 16:13:43 -0500
Subject: [redhat-lspp] [Reminder] LSPP Bug Telecon Mon., Apr. 23
Message-ID: <20070422211343.GA29783@us.ibm.com>

IBM hosts the LSPP Bug Telecon every Monday at 20:00 UTC. If you would like to participate and are not already an attendee, please reply directly to me with your contact information. I will respond with an invitation after review by the existing participants. Please note that the number of attendees may be limited by our call center's restrictions on maximum lines per conference.

-- 
George Wilson
IBM Linux Technology Center

From klaus at atsec.com Tue Apr 24 14:47:26 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Tue, 24 Apr 2007 09:47:26 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.46 released
Message-ID: <20070424144726.GZ17276@w-m-p.com>

Hello all,

new package versions and a minor bugfix only. Please test!

Changes in 0.46:

    packages: new ipsec-tools, kernel, pam, policycoreutils, policy.

        The new pam+policy should support changing expired passwords in an ssh session.

    capp-lspp script: make consoletype modification safe to run multiple times

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository (workarounds for replaced package versions as in the 0.44 announcement).

-Klaus
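The consoletype split from the 0.45 announcement above, together with the 0.46 note that the modification has to be safe to run more than once, as an added shell illustration that is not the lspp-config project's own capp-lspp script: it builds a constructed fake root, carries out the split, and shows why the profile rewrite must be a fixpoint. The copy's name /sbin/consoletype-nonpriv, the 0700/0755 modes, the lang.* stand-in contents and GNU stat are assumptions made here.

```shell
#!/bin/sh
# Added illustration, not the lspp-config project's capp-lspp script: split a
# privileged helper (/sbin/consoletype, which the MLS policy lets run as
# consoletype_t) into an admin-only original plus an unprivileged copy, and
# repoint the /etc/profile.d/lang.* scripts at the copy. Everything runs
# inside a fake root directory so it never touches the live system.
# Assumptions: the copy is named /sbin/consoletype-nonpriv, the modes
# 0700/0755, the constructed lang.* contents, and GNU coreutils stat.
set -eu

PRIV=/sbin/consoletype
NONPRIV=/sbin/consoletype-nonpriv   # assumed name for the unprivileged copy

# make_fake_root DIR: constructed mini filesystem to exercise the change on.
make_fake_root() {
    root=$1
    mkdir -p "$root/sbin" "$root/etc/profile.d"
    printf '#!/bin/sh\necho vt\n' > "$root$PRIV"
    chmod 0755 "$root$PRIV"
    # stand-ins for lang.sh / lang.csh that call the privileged binary
    printf 'if [ "$(%s)" = "vt" ]; then LANG=C; fi\n' "$PRIV" \
        > "$root/etc/profile.d/lang.sh"
    printf 'if ( `%s` == "vt" ) setenv LANG C\n' "$PRIV" \
        > "$root/etc/profile.d/lang.csh"
}

# split_consoletype ROOT: idempotent, so re-running the post-install script
# (the 0.46 fix) cannot stack "-nonpriv" suffixes or re-copy needlessly.
split_consoletype() {
    root=$1
    # 1. unprivileged copy: created only if missing or stale
    if ! cmp -s "$root$PRIV" "$root$NONPRIV" 2>/dev/null; then
        cp "$root$PRIV" "$root$NONPRIV"
    fi
    chmod 0755 "$root$NONPRIV"   # plain executable, no special attributes
    chmod 0700 "$root$PRIV"      # original restricted to root/admin
    # 2. repoint the profile scripts. Because PRIV is a prefix of NONPRIV, a
    #    naive s|PRIV|NONPRIV| would grow "-nonpriv-nonpriv" on every run;
    #    normalising NONPRIV back to PRIV first makes the rewrite a fixpoint.
    for f in "$root"/etc/profile.d/lang.*; do
        [ -f "$f" ] || continue
        sed -e "s|$NONPRIV|$PRIV|g" -e "s|$PRIV|$NONPRIV|g" "$f" > "$f.tmp"
        mv "$f.tmp" "$f"
    done
}

# verify_split ROOT: 0 if the split is in place and no lang.* script still
# calls the privileged binary directly; used as the post-condition check.
verify_split() {
    root=$1
    [ "$(stat -c %a "$root$NONPRIV")" = 755 ] || return 1
    [ "$(stat -c %a "$root$PRIV")" = 700 ] || return 1
    for f in "$root"/etc/profile.d/lang.*; do
        grep -q "$NONPRIV" "$f" || return 1
        # any remaining PRIV mention outside a NONPRIV path is a miss
        if grep -v "$NONPRIV" "$f" | grep -q "$PRIV"; then return 1; fi
    done
    return 0
}

# Demo on a throwaway root; run the split twice to show it is idempotent.
demo=$(mktemp -d)
make_fake_root "$demo"
split_consoletype "$demo"
split_consoletype "$demo"
verify_split "$demo" && echo "consoletype split verified under $demo"
rm -rf "$demo"
```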
From: loulwas at us.ibm.com (Loulwa Salem)
Date: Tue, 24 Apr 2007 22:23:24 -0500
Subject: [redhat-lspp] LSPP Development Telecon 04/23/2007 Minutes
Message-ID: <462EC9AC.1050204@us.ibm.com>

04/23/2007 lspp Meeting Minutes:
===============================

Attendees
    Lawrence Wilson (IBM) - LW
    George Wilson (IBM) - GW
    Kris Wilson (IBM) - KEW
    Loulwa Salem (IBM) - LS
    Debora Velarde (IBM) - DV
    Michael Thompson (IBM) - MT
    Joy Latten (IBM) - JL
    Trevor Highland (IBM) - TH
    Irina Boverman (Red Hat) - IB
    Steve Grubb (Red Hat) - SG
    Dan Walsh (Red Hat) - DW
    Eric Paris (Red Hat) - EP
    Lisa Smith (HP) - LMS
    Matt Anderson (HP) - MA
    Paul Moore (HP) - PM
    Klaus Weidner (Atsec) - KW
    Chad Hanson (TCS) - CH
    Joe Nall - JN

Agenda:
    General Issues
    Bug Discussion

Repo: http://people.redhat.com/sgrubb/files/lspp/

RHEL 5 LSPP Packages:
    acl-2.2.39-2.1.el5
    aide-0.12-9.el5
    audit-1.3.1-4.el5
    audit-libs-1.3.1-4.el5
    audit-libs-devel-1.3.1-4.el5
    audit-libs-python-1.3.1-4.el5
    cups-1.2.4-11.8.el5
    cups-libs-1.2.4-11.8.el5
    ipsec-tools-0.6.5-7.el5
    kernel-2.6.18-8.1.1.lspp.76.el5
    kernel-devel-2.6.18-8.1.1.lspp.76.el5
    libacl-2.2.39-2.1.el5
    libacl-devel-2.2.39-2.1.el5
    libselinux-1.33.4-4.el5
    libselinux-devel-1.33.4-4.el5
    libselinux-python-1.33.4-4.el5
    lspp-eal4-config-ibm-0.45-1
    mcstrans-0.2.3-1.el5
    openssh-4.3p2-21.el5
    openssh-clients-4.3p2-21.el5
    openssh-server-4.3p2-21.el5
    pam-0.99.6.2-3.19.el5
    pam-devel-0.99.6.2-3.19.el5
    policycoreutils-1.33.12-7.el5
    policycoreutils-newrole-1.33.12-7.el5
    selinux-policy-2.4.6-62.el5
    selinux-policy-devel-2.4.6-62.el5
    selinux-policy-mls-2.4.6-62.el5
    selinux-policy-strict-2.4.6-62.el5
    selinux-policy-targeted-2.4.6-62.el5
    vixie-cron-4.1-67.el5

Tracker Bug: https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=224041

GW: do we have all known bug fixes in kernel?
SG: We are picking up 6 bugs and Eric is building a kernel today.
EP: It is in the build system right now.
SG: There is a kernel, ipsec-tools and cron packages
GW: Any general issues we need to talk about?
    We need to go down to 0 bugs soon
SG: we were looking at spinning a new kernel today, and if no problems arise, we will have final kernel by Wed. We aim for 0 bugs by Friday
GW: yeah .. or sooner if possible. That said, I don't want to discourage anyone from opening bugs of course.
KW: one important thing to know: the packages in the people page right now, are those going to be the same and just signed for final, or new different packages that were built again?
SG: the engineering dept will take the exact binary files and sign that. We plan to make those available as soon as we are down to 0 bugs
KW: While we go through the list, we should take notes of which packages we are expecting new ones for and which will not be modified other than signing.
GW: I can tell you we will have another lspp-config package, aide was not working with cron and I need to make a few changes.
KW: I have a few small bugs myself to add to that.
GW: also the changes that you put in Friday, those received little testing so if folks can use those, it would be good. I think the config would be last to change.
KW: There are new features and fixes based on last minute feedback. If you have time to test please look into that. The posting on rhel-lspp list has a summary of changes; this is the .45 version. While on the subject, if people have patches they want to include, this would be the best time to do that.. or let me know if you still have any issues.
GW: ok, so if you see any issues, let Klaus know or post it to the list.
KW: even if it's something that you think is behaving strangely, better to ask about it.
GW: It's best to load and try on all platforms. Anything else for general discussion? ok, let's go through bug list..
Bug List Query: https://bugzilla.redhat.com/bugzilla/buglist.cgi?cmdtype=runnamed&namedcmd=RHEL%205.0%20LSPP&namedowner=syeghiay at redhat.com&order=bugs.bug_id

Bug List: (Sun Apr 22 16:48:03 EDT 2007)

ID      Sev  Pri  Plt  Assignee               Status  Summary

231392  hig  med  All  eparis at redhat.com   ASSI    LSPP: Misc soft-lockups in x86_64 lspp.67 kernel
GW: It's been decided it's not an issue, correct?
EP: yes, we had 3 people look at it. The kernel we are building today should make the messages not appear. It's not a bug, it just takes a while. Basically we will make it intelligently not complain. All who looked at it decided it is not a bug. There is not even a big performance issue here either, and the system is still running..
GW: ok, we'll test on new kernel again once it comes out

234923  med  med  All  sgrubb at redhat.com   ASSI    LSPP: update lspp.rules file for evaluation
SG: I started looking at that last week, had a question or 2 that I sent Klaus an email about
KW: sorry did not get to those yet.. I will look at them shortly.
SG: I did not do much with it yet, been working on other things.
GW: this is a nice to have though
SG: it's a must have
KW: this is not a requirement for evaluation. The system is capable of auditing, but there is no requirement of having it out of box configured with all the rules
GW: but it'd be good for us to have it ready out of the box
KW: yeah. I would consider it a high priority nice to have

236316  urg  med  All  tmraz at redhat.com    ASSI    LSPP: Unable to change expired password on ssh login
SG: Tomas created a patch, and we integrated it over the weekend. The way we change the password has policy implications and Dan is working on that
KW: something to think about .. is it really something we want to change. The patch is big and Tomas said it is invasive. I think it will affect our work now and has documentation impacts as well.
    I know you put a lot of work on it, but should we rush it in
SG: we think it is the most secure option to fix the problem
KW: we can just make it a limitation and document it
DW: it's not just secure shell, but also login is affected
KW: never mind .. we need it fixed then. I thought it was only ssh
SG: if you have time, please review it ..
GW: so that is restricted to being used by the secure shell binary
SG: well anything that is pam-ified
KW: only policy change would be to check password type, or would all pam programs need new rules?
DW: yes, there is a new type called update_?? . It's an interface so not too bad. You can run the program but it won't be able to access /etc/shadow.
KW: entire thing seems to be a TE issue which does not affect MLS/DAC policy.
DW: main thing is we don't break some pam application to add functionality
PM: is there going to be an audit record if users log in directly?
DW: only root should run it
SG: if it's run by someone not root it will fail. As for the patch, a lot of code is moved code of the helper function. I think he took something out of the original program that did not need to be set-uid root. The check password program is more safe now that it is called only once
KW: do you have an estimated time when we'll have the pam package and policy to test it
DW: tomorrow
SG: pam package is out, but I won't install it yet since it does not have matching policy to go with it
DW: so I would say early tomorrow.
SG: By the way, week of May 8, we'll be hard to get hold of because of RH summit. I will give you contact info in case of emergency.
GW: hopefully we'll be done by then and have 0 bugs. Please keep trying to find any bugs

237133  hig  med  All  dwalsh at redhat.com   MODI    [LSPP] userdom_admin_user_template and cron_per_role_temp...
SG: Dan changed status on that one. Were we waiting on retest?
DW: waiting on retest of policy
MT: I checked. It compiles but doesn't seem to work
DW: to work, you have to do both ...[ more comments in bug ].
    We pulled some roles out of the template. You have to specify both roles
MT: is specifying sysadm there intentional?
DW: I'll check it. I don't have it in front of me ..
MT: ok, I'll talk to you about it offline
DW: looks like it might be a copy/paste issue. It should be abat

237249  med  med  All  tmraz at redhat.com    ASSI    LSPP: polyinstantiation behavior correct and documented
SG: need to document man page. We should have updated man page. This needs review then closing. I'll take care of that.

237324  med  med  All  dwalsh at redhat.com   MODI    LSPP: genhomedircon does not pick up default user types c...
SG: It was pushed out. What it needs is verification that the package works.
DW: what happened there is if you go into semanage.. any user that does not get specific mapping gets that user. If admin wanted to change, you would change that line. You need to look at it and change your default to be staff, then add the user for your home dir/labels to be correct
SG: after the meeting if you can check the fix and we can get rid of this bug
GW: anything else
KW: I saw there is a new pam on lspp repo (.20), is that the new one?
SG: yes it is .. the one I pushed out an hour ago
KW: but we need the policy.
SG: yes. We also pushed out policycoreutils and ipsec-tools. There is a fix in ipsec-tools that had a security fix. Only other package we will rebuild is vixie-cron that takes care of a DoS attack. As far as I know, we will get new kernel, audit, policy, and vixie cron
GW: we are trying to get all packages by Wednesday including kernel?
SG: yes. Assuming no regressions occur, we'd like to build kernel without debug
DW: Michael I just updated the bugzilla. It was a copy/paste issue...
MT: thanks Dan
GW: anything else to cover? alright we'll adjourn the meeting .. thanks.

From klaus at atsec.com Wed Apr 25 05:55:43 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Wed, 25 Apr 2007 00:55:43 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.47 released
Message-ID: <20070425055542.GA17276@w-m-p.com>

Hello all,

new package versions and some bugfixes. The resulting system has known issues, for example "su" fails:

    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=236316

Changes in 0.47:

    postinst: /usr/share/rhn/RPM-GPG-KEY doesn't exist, skip silently
    packages: new vixie-cron
    packages: new selinux policy
    capp-lspp-config: don't activate sshd-via-xinetd in CAPP mode
    capp-lspp-config: don't use fancy PS1 prompt in CAPP mode

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository (workarounds for replaced package versions as in the 0.44 announcement).

-Klaus

From klaus at atsec.com Wed Apr 25 16:39:30 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Wed, 25 Apr 2007 11:39:30 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.48 released
Message-ID: <20070425163930.GB17276@w-m-p.com>

Hello all,

new selinux policy, which should hopefully fix the issues surrounding the recent PAM changes:

    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=236316

Changes in 0.48:

    packages: new selinux policy (-65)
    capp-lspp-config: update file comments only, no content changes

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository (workarounds for replaced package versions as in the 0.44 announcement).

-Klaus

From klaus at atsec.com Wed Apr 25 18:59:37 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Wed, 25 Apr 2007 13:59:37 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.49 released
Message-ID: <20070425185937.GC17276@w-m-p.com>

Hello all,

another new selinux policy.

Changes in 0.49:

    packages: new selinux-policy

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository (workarounds for replaced package versions as in the 0.44 announcement).

-Klaus

From klaus at atsec.com Wed Apr 25 21:42:27 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Wed, 25 Apr 2007 16:42:27 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.50 released
Message-ID: <20070425214227.GA4342@w-m-p.com>

Hello all,

more new packages, thanks George for the help tracking this.

Changes in 0.50:

    packages: bump audit to -5
    packages: update kernel version to 2.6.18-8.1.3.lspp.78.el5

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository (workarounds for replaced package versions as in the 0.44 announcement).

-Klaus

From klaus at atsec.com Thu Apr 26 00:07:36 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Wed, 25 Apr 2007 19:07:36 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.51 released
Message-ID: <20070426000736.GB4342@w-m-p.com>

Hello all,

this time it seems to be fixed, thank you Dan! Note that it isn't on Steve's page yet (but should be tomorrow), see below for the link.

Changes in 0.51:

    packages: new selinux policy to fix the unix_update issues

        RPMs are currently only available from:
        http://people.redhat.com/dwalsh/SELinux/RHEL5/u1/noarch/

    capp-lspp-config: make /sbin/unix_update executable for root only

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository (workarounds for replaced package versions as in the 0.44 announcement).

-Klaus

From klaus at atsec.com Thu Apr 26 16:34:06 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Thu, 26 Apr 2007 11:34:06 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.52 released
Message-ID: <20070426163406.GC4342@w-m-p.com>

Hello all,

George sent updates to the rbac-self-test, and there are new audit and PAM packages.

Changes in 0.52:

    packages: new PAM (.22)
    packages: bump audit to -6
    rbac-self-test: update policy to work with cron
    rbac-self-test: change manpage to state login at SystemLow
    rbac-self-test: remove messages from the helper

        The self test itself depends only on the exit code from the helper. These messages are expected in many cases and often cannot be written to the terminal. Removing them eliminates confusion.

    rbac-self-test: move option vars to __init__

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository (workarounds for replaced package versions as in the 0.44 announcement).

-Klaus

From klaus at atsec.com Thu Apr 26 17:50:13 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Thu, 26 Apr 2007 12:50:13 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.53 released
Message-ID: <20070426175013.GD4342@w-m-p.com>

Hello all,

update to match the new kernel Steve just posted

Changes in 0.53:

    packages: new kernel (.79)

Please get the packages the script requests in the postinstall phase from the http://people.redhat.com/sgrubb/files/lspp/ repository (workarounds for replaced package versions as in the 0.44 announcement).

-Klaus

-- 
redhat-lspp mailing list
redhat-lspp at redhat.com
https://www.redhat.com/mailman/listinfo/redhat-lspp

From klaus at atsec.com Sat Apr 28 16:47:18 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Sat, 28 Apr 2007 11:47:18 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.54 released
Message-ID: <20070428164718.GA11540@w-m-p.com>

Hello all,

update to match the new kernel Steve just posted, and more paranoia in the
installer (it shouldn't actually change the installation).

Fix RPM download path in built RPMs, if you build your own look at the new
make-rpm script variable.

Changes in 0.54:

 packages: new kernel (lspp.80)
 meta: make RPM download path configurable via "make-rpm" script environment
   (instead of hardcoding the path in the -post part of the script)
 capp-lspp-config: restorecon /etc/selinux/mls/ after policy build
   The script is running in nonenforcing mode during the ks post, and may
   mess up the file labels.

Please get the packages the script requests in the postinstall phase from
the http://people.redhat.com/sgrubb/files/lspp/ repository.

Workarounds:

If the script requires a package that has been replaced by a newer one in
the repository, you can do a quick&dirty workaround instead of starting
over - put the newer .rpm file in /root/rpms/ and rename it to the expected
old name in a "!" escape. If you need to do that, please let me know what
the new version is (preferably as a patch to the
lspp-config/kickstart/src/rpms.lst file, which is the source for the list
in the individual kickstart files).

RPM download:
http://klaus.vh.swiftco.net/lspp/SRPMS/
http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:
http://klaus.vh.swiftco.net/lspp/git/

-Klaus

From klaus at atsec.com Sat Apr 28 23:39:28 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Sat, 28 Apr 2007 18:39:28 -0500
Subject: [redhat-lspp] LSPP kickstart config v0.55 released
Message-ID: <20070428233927.GB11540@w-m-p.com>

Hello all,

very minor change only, fix the mislabeled /root. I'd still like to
understand where the mislabeling comes from though...

If you had installed recently, just run "restorecon -r /root" to fix this
manually.

Changes in 0.55:

 capp-lspp-config: restorecon /root after running script (workaround)

Please get the packages the script requests in the postinstall phase from
the http://people.redhat.com/sgrubb/files/lspp/ repository.

Workarounds:

If the script requires a package that has been replaced by a newer one in
the repository, you can do a quick&dirty workaround instead of starting
over - put the newer .rpm file in /root/rpms/ and rename it to the expected
old name in a "!" escape. If you need to do that, please let me know what
the new version is (preferably as a patch to the
lspp-config/kickstart/src/rpms.lst file, which is the source for the list
in the individual kickstart files).

RPM download:
http://klaus.vh.swiftco.net/lspp/SRPMS/
http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:
http://klaus.vh.swiftco.net/lspp/git/

-Klaus

From ltcgcw at us.ibm.com Sun Apr 29 22:09:21 2007
From: ltcgcw at us.ibm.com (George C. Wilson)
Date: Sun, 29 Apr 2007 17:09:21 -0500
Subject: [redhat-lspp] [Update] LSPP Bug Telecon Discontinued
Message-ID: <20070429220921.GA406@us.ibm.com>

The standing Monday LSPP bug telecon is being discontinued because we are
officially down to zero bugs. Please post discussion to the redhat-lspp
mailing list. Thanks to all who participated.

--
George Wilson
IBM Linux Technology Center
