Selinux error help

Dan Track dan.track at gmail.com
Wed Feb 7 16:34:26 UTC 2007


On 2/7/07, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Wed, 2007-02-07 at 12:40 +0000, Dan Track wrote:
> > Hi
> >
> > I'm hoping someone can help me with this. I'm running a process that's
> > getting the following violations:
> >
> > Feb  7 11:54:34 jupiter kernel: audit(1170849274.441:2160): avc:
> > denied  { getattr } for  pid=11754 comm="beltane_cp" name="yule"
> > dev=sda3 ino=145930 scontext=root:system_r:httpd_sys_script_t
> > tcontext=system_u:object_r:var_lib_t tclass=dir
> > Feb  7 11:54:35 jupiter kernel: audit(1170849275.859:2161): avc:
> > denied  { getsession } for  pid=27224 comm="httpd"
> > scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t
> > tclass=process
> >
> > What I did next was to run the following:
> >
> > audit2allow -i /var/log/messages
> >
> > and I get the following output
> >
> > allow httpd_sys_script_t var_lib_t:dir getattr;
> > allow httpd_t unconfined_t:process getsession;
> >
> > Which I enter into
> >
> > /etc/selinux/targeted/src/policy/domains/misc/local.te
>
> Suggestion:  Take such questions to fedora-selinux-list in the future.
>
> So this is a FC4 system?  In FC5 and later, you would instead be
> creating a loadable policy module.
>
> > Then from the policy directory I run
> >
> > make load
> >
> > Upon which I get the following error
> >
> > /usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
> > /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> > security:  3 users, 4 roles, 355 types, 26 bools
> > security:  55 classes, 22619 rules
> > assertion on line 25169 violated by allow httpd_t unconfined_t:process
> > { getsession };
> > make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
> >
> > I don't know what this means, I've tried to look it up i.e google
> > search, but to no avail. Any ideas?
>
> The policy includes a set of assertions (neverallow rules) to catch
> common errors and potentially unsafe rules.  In a FC4 or earlier policy,
> they would live in the file policy/assert.te.  In this case, the
> neverallow rule is guarding against accidentally allowing a confined
> process like httpd to operate on an unconfined process, as that
> could open you up to an attack, although this particular access
> (getsession i.e. getsid(2)) is relatively benign unto itself - the more
> interesting question is what will your process then try to do with the
> session ID it gets for the unconfined process.
>
> If you truly need to allow it, you can adjust or remove the neverallow
> rule from policy/assert.te.
> -
> --
> Stephen Smalley
> National Security Agency
>
Hi Stephen

Firstly, apologies for sending to the wrong list.

Thanks for the advice, it was really an eye opener. I trawled through
the assert.te file in my selinux src directory, however I can tell
which rule to remove, could you please guide me to which rule it is.
Currently my file looks like this:

# Confined domains may not act on unconfined domain processes (sigchld excepted).
neverallow { domain -unrestricted -snmpd_t -pegasus_t }
unconfined_t:process ~sigchld;

# Confined domains must never see unconfined domain's /proc/pid entries.
neverallow { domain -unrestricted -snmpd_t -pegasus_t }
unconfined_t:dir { getattr search };

#
# Verify that every type that can be entered by
# a domain is also tagged as a domain.
#
neverallow domain ~domain:process transition;

# for gross mistakes in policy
neverallow domain domain:dir ~r_dir_perms;
neverallow domain domain:file_class_set ~{ setattr rw_file_perms };
neverallow domain file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;


Many thanks
Dan
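The assertion failure reported by checkpolicy can be reproduced offline. What follows is an added example, not code from the thread or from the SELinux toolchain: it expands the set syntax used by the process-class neverallow rules quoted above (attribute names, `~` complement, `-` subtraction, `*`) over a constructed sample of types and permissions, and reports which assertion a candidate allow rule intersects.

```python
import re

# Constructed sample of attribute membership and process permissions; a real
# policy declares these over hundreds of types (assumption for this example).
TYPES = {"httpd_t", "httpd_sys_script_t", "unconfined_t", "snmpd_t", "pegasus_t", "var_lib_t"}
ATTRS = {"domain": TYPES - {"var_lib_t"}, "unrestricted": {"unconfined_t"}}
PERMS = {"process": {"fork", "transition", "sigchld", "signal", "ptrace", "getsession", "getpgid"}}
# Process-class assertions quoted above (comments stripped); 'domain -x' subtracts x.
NEVERALLOWS = [
    "neverallow { domain -unrestricted -snmpd_t -pegasus_t } unconfined_t:process ~sigchld;",
    "neverallow domain ~domain:process transition;",
    "neverallow ~{ domain unlabeled_t } *:process *;",
]
TOKEN = re.compile(r"[{}~*;:]|[-\w]+")


def _expand(tokens, universe, lookup):
    """Consume one set expression (name, ~name, *, { a b -c }) and return its members."""
    tok = tokens.pop(0)
    negate = tok == "~"
    tok = tokens.pop(0) if negate else tok
    if tok == "*":
        result = set(universe)
    elif tok == "{":
        result = set()
        while (tok := tokens.pop(0)) != "}":
            result = result - lookup(tok[1:]) if tok.startswith("-") else result | lookup(tok)
    else:
        result = lookup(tok)
    return universe - result if negate else result


def parse_rule(text):
    """Parse 'allow|neverallow SRC TGT:CLASS PERMS;' into (kind, src, tgt, cls, perms)."""
    tokens = TOKEN.findall(text)
    kind = tokens.pop(0)
    types = lambda name: ATTRS.get(name, {name})  # attribute name or a single type
    src, tgt = _expand(tokens, TYPES, types), _expand(tokens, TYPES, types)
    assert tokens.pop(0) == ":"
    cls = tokens.pop(0)
    perms = _expand(tokens, PERMS.get(cls, set()), lambda name: {name})
    return kind, src, tgt, cls, perms


def violated_assertions(allow_text, neverallows=NEVERALLOWS):
    """Return each neverallow whose source, target, class and permissions all overlap the allow."""
    _, a_src, a_tgt, a_cls, a_perms = parse_rule(allow_text)
    parsed = [(rule, parse_rule(rule)) for rule in neverallows]
    return [rule for rule, (_, n_src, n_tgt, n_cls, n_perms) in parsed
            if n_cls == a_cls and a_src & n_src and a_tgt & n_tgt and a_perms & n_perms]
```

Running `violated_assertions("allow httpd_t unconfined_t:process getsession;")` returns only the first rule, since httpd_t is in `domain` but not among the subtracted exceptions and getsession falls inside `~sigchld`; the same allow for snmpd_t, or for the sigchld permission, matches nothing.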
