A few policy changes I had to make

Rodrigo Damazio rodrigo.damazio at poli.usp.br
Thu Dec 9 13:57:50 UTC 2004


        I've made the dontaudit changes you suggested and everything 
seems to still work. However, I'm still having problems with 
apache - I use too many PHP functions which do various things such as 
executing external programs, opening sockets, connecting to postgres, 
etc. that generate avc denied errors. I tried, thus, to remove apache.te 
from domains/program, just to find out that mailman depended on it - it 
gives me an error about mailman_cgi_exec_t (which, indeed, is only 
defined if apache.te is defined, but it appears in the mailman.fc file 
without an ifdef); adding an ifdef made it all work perfectly. I wonder 
if there's a way to use SELinux with apache without limiting PHP functions.

Rodrigo

Daniel J Walsh wrote:

> Rodrigo Damazio wrote:
>
>>       Hello. I started playing with SELinux on FC2, and recently 
>> moved to FC3, and I must say it's much better now, with the targeted 
>> policy. Congrats on this.
>>       I still had to change a few things in my policies, though. 
>> Following is a collection of the avc errors justifying my changes. 
>> I'm not experienced with SELinux yet, so I may be doing something 
>> wrong... please let me know if these changes are correct or not. Also, 
>> the unlink allow for httpd_t is because, for some reason, when I try 
>> to remove a file from within PHP, it uses httpd_t instead of 
>> httpd_sys_script_t. I would also like a rule (which I'm not sure how 
>> to write) to allow PHP programs to execute external programs, since I 
>> have a script which receives an uploaded file, does a lot of 
>> processing with it through external programs, and stores it in the 
>> database - when I run that, it gives me avc execute errors trying to 
>> run bash and the other utilities.
>>
>> Apache:
>> Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc:  
>> denied  { connectto } for  pid=2522 exe=/usr/sbin/httpd 
>> path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t 
>> tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket
>>
>> NTPd:
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc:  
>> denied  { create } for  pid=2293 exe=/usr/sbin/ntpd 
>> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
>> tclass=netlink_route_socket
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc:  
>> denied  { bind } for  pid=2293 exe=/usr/sbin/ntpd 
>> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
>> tclass=netlink_route_socket
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc:  
>> denied  { getattr } for  pid=2293 exe=/usr/sbin/ntpd 
>> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
>> tclass=netlink_route_socket
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.747:0): avc:  
>> denied  { write } for  pid=2293 exe=/usr/sbin/ntpd 
>> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
>> tclass=netlink_route_socket
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc:  
>> denied  { net_admin } for  pid=2293 exe=/usr/sbin/ntpd capability=12 
>> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
>> tclass=capability
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc:  
>> denied  { nlmsg_read } for  pid=2293 exe=/usr/sbin/ntpd 
>> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
>> tclass=netlink_route_socket
>> Nov 11 19:51:49 fireball kernel: audit(1100209909.752:0): avc:  
>> denied  { read } for  pid=2293 exe=/usr/sbin/ntpd 
>> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
>> tclass=netlink_route_socket
>>
>> DHCPd:
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.314:0): avc:  
>> denied  { create } for  pid=10002 exe=/usr/sbin/dhcpd 
>> scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
>> tclass=netlink_route_socket
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.317:0): avc:  
>> denied  { bind } for  pid=10002 exe=/usr/sbin/dhcpd 
>> scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
>> tclass=netlink_route_socket
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.320:0): avc:  
>> denied  { getattr } for  pid=10002 exe=/usr/sbin/dhcpd 
>> scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
>> tclass=netlink_route_socket
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.323:0): avc:  
>> denied  { write } for  pid=10002 exe=/usr/sbin/dhcpd 
>> scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
>> tclass=netlink_route_socket
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.325:0): avc:  
>> denied  { net_admin } for  pid=10002 exe=/usr/sbin/dhcpd 
>> capability=12 scontext=root:system_r:dhcpd_t 
>> tcontext=root:system_r:dhcpd_t tclass=capability
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.326:0): avc:  
>> denied  { nlmsg_read } for  pid=10002 exe=/usr/sbin/dhcpd 
>> scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
>> tclass=netlink_route_socket
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.327:0): avc:  
>> denied  { read } for  pid=10002 exe=/usr/sbin/dhcpd 
>> scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
>> tclass=netlink_route_socket
>> Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc:  
>> denied  { unlink } for  pid=10008 exe=/usr/sbin/dhcpd 
>> name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t 
>> tcontext=system_u:object_r:file_t tclass=file
>>
>> named:
>> Nov 12 23:41:25 fireball kernel: audit(1100310085.797:0): avc:  
>> denied  { create } for  pid=10183 exe=/usr/sbin/named 
>> scontext=root:system_r:named_t tcontext=root:system_r:named_t 
>> tclass=netlink_route_socket
>> Nov 12 23:41:25 fireball kernel: audit(1100310085.798:0): avc:  
>> denied  { bind } for  pid=10183 exe=/usr/sbin/named 
>> scontext=root:system_r:named_t tcontext=root:system_r:named_t 
>> tclass=netlink_route_socket
>> Nov 12 23:41:25 fireball kernel: audit(1100310085.799:0): avc:  
>> denied  { getattr } for  pid=10183 exe=/usr/sbin/named 
>> scontext=root:system_r:named_t tcontext=root:system_r:named_t 
>> tclass=netlink_route_socket
>> Nov 12 23:41:25 fireball kernel: audit(1100310085.803:0): avc:  
>> denied  { write } for  pid=10183 exe=/usr/sbin/named 
>> scontext=root:system_r:named_t tcontext=root:system_r:named_t 
>> tclass=netlink_route_socket
>> Nov 12 23:41:25 fireball kernel: audit(1100310085.806:0): avc:  
>> denied  { nlmsg_read } for  pid=10183 exe=/usr/sbin/named 
>> scontext=root:system_r:named_t tcontext=root:system_r:named_t 
>> tclass=netlink_route_socket
>> Nov 12 23:41:25 fireball kernel: audit(1100310085.809:0): avc:  
>> denied  { read } for  pid=10183 exe=/usr/sbin/named 
>> scontext=root:system_r:named_t tcontext=root:system_r:named_t 
>> tclass=netlink_route_socket
>>
>> Thanks,
>> Rodrigo
>>
>> ------------------------------------------------------------------------
>>
>> diff -ru src.orig/policy/domains/program/apache.te 
>> src/policy/domains/program/apache.te
>> --- src.orig/policy/domains/program/apache.te    2004-11-01 
>> 19:36:22.000000000 -0200
>> +++ src/policy/domains/program/apache.te    2004-11-12 
>> 23:54:36.127952796 -0200
>> @@ -285,6 +285,8 @@
>> # Allow httpd to work with postgresql
>> #
>> allow httpd_t tmp_t:sock_file rw_file_perms;
>> +allow httpd_t tmp_t:unix_stream_socket rw_file_perms;
>> +allow httpd_t unconfined_t:unix_stream_socket rw_file_perms;
>> ') dnl targeted policy
>>  
>>
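Review bot: neither added rule grants the permission that was actually denied. The httpd AVC in the cover note is `{ connectto }` on tclass=unix_stream_socket, while rw_file_perms is the file permission set (ioctl, read, getattr, lock, write, append) and does not contain connectto, so as written these lines leave the PostgreSQL socket connect denied. The first line also names tmp_t, a file type, as the peer of a socket; a unix_stream_socket is labeled with the domain of the process that created it, not the type of its path, so that rule can never match. The minimal rule for the denial as logged is `allow httpd_t unconfined_t:unix_stream_socket connectto;`, and even that lets httpd connect to any stream socket owned by an unconfined process, which is why giving postgres its own domain and granting connectto to that type, as the reply below proposes, is the right shape for the fix.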
> This would allow httpd to talk to any unix_stream_socket (XWindows for 
> example.) I am going to try to add postgresql.te (As we have with 
> mysql.te) to targeted policy to see if it fixes this
> and does not cause other problems.
>
>>
>> #
>> diff -ru src.orig/policy/domains/program/dhcpd.te 
>> src/policy/domains/program/dhcpd.te
>> --- src.orig/policy/domains/program/dhcpd.te    2004-11-01 
>> 19:36:22.000000000 -0200
>> +++ src/policy/domains/program/dhcpd.te    2004-11-12 
>> 23:38:18.000000000 -0200
>> @@ -33,13 +33,14 @@
>> can_ypbind(dhcpd_t)
>> allow dhcpd_t self:unix_dgram_socket create_socket_perms;
>> allow dhcpd_t self:unix_stream_socket create_socket_perms;
>> +allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
>>
>>  
>>
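Review bot: the permission set matches the dhcpd denials exactly and should stay read-only. The dhcpd log lists create, bind, getattr, write, nlmsg_read and read on netlink_route_socket and nothing else; r_netlink_socket_perms covers precisely those and omits nlmsg_write, the permission that would let the daemon alter routes and addresses. Keep it as r_ rather than widening to rw_netlink_socket_perms, and put a one-line comment above the rule saying what the socket is for (only the read side is exercised, consistent with interface and address enumeration), since the reply notes this has not been seen before.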
> Added, but have never seen this before.
>
>> allow dhcpd_t var_lib_t:dir search;
>>
>> allow dhcpd_t devtty_t:chr_file { read write };
>>
>> # Use capabilities
>> -allow dhcpd_t dhcpd_t:capability { net_raw net_bind_service };
>> +allow dhcpd_t dhcpd_t:capability { net_raw net_admin 
>> net_bind_service };
>>
>>  
>>
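Review bot: net_admin should be a dontaudit here, not an allow, and the logged timestamps show why. The dhcpd net_admin denial (1100309845.325) falls between the netlink write (1100309845.323) and the nlmsg_read (1100309845.326), i.e. it is raised while the read-only netlink request is being sent, not by any attempt to change interfaces or firewall rules. That ordering is what the 2.6 SELinux netlink_send hook produces: it probes CAP_NET_ADMIN on every netlink message and lets read-only requests through without it, so the daemon works without the capability and the denial is noise. Replace the `+allow dhcpd_t dhcpd_t:capability { net_raw net_admin net_bind_service };` line with `dontaudit dhcpd_t self:capability net_admin;` and leave the original { net_raw net_bind_service } allow unchanged.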
> net_admin is a strong capability. It allows you to bring up and down 
> network interfaces, iptables rules. Do you have any idea what it is 
> trying to do that would cause this?  Could you try to
> dontaudit it and see what happens.
> dontaudit dhcpd_t self:capability net_admin;
>
>> # Allow access to the dhcpd file types
>> type dhcp_state_t, file_type, sysadmfile;
>> diff -ru src.orig/policy/domains/program/named.te 
>> src/policy/domains/program/named.te
>> --- src.orig/policy/domains/program/named.te    2004-11-01 
>> 19:36:22.000000000 -0200
>> +++ src/policy/domains/program/named.te    2004-11-12 
>> 23:42:38.000000000 -0200
>> @@ -60,6 +60,7 @@
>> # Bind to the named port.
>> allow named_t dns_port_t:udp_socket name_bind;
>> allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
>> +allow named_t self:netlink_route_socket r_netlink_socket_perms;
>>
>>  
>>
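Review bot: this hunk closes every denial in the named log, and nothing beyond it is needed. The named AVCs list create, bind, getattr, write, nlmsg_read and read on netlink_route_socket and, unlike ntpd and dhcpd, no net_admin denial, so r_netlink_socket_perms alone covers the case. Placing it after the dns_port_t/rndc_port_t name_bind lines is fine, but add a short comment on why named opens a routing netlink socket, since the reply records that this is new to the maintainers.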
> Added, but again have not seen this.
>
>> bool named_write_master_zones false;
>>
>> diff -ru src.orig/policy/domains/program/ntpd.te 
>> src/policy/domains/program/ntpd.te
>> --- src.orig/policy/domains/program/ntpd.te    2004-11-01 
>> 19:36:22.000000000 -0200
>> +++ src/policy/domains/program/ntpd.te    2004-11-12 
>> 23:33:18.000000000 -0200
>> @@ -22,7 +22,7 @@
>> # for SSP
>> allow ntpd_t urandom_device_t:chr_file read;
>>
>> -allow ntpd_t self:capability { setgid setuid sys_time 
>> net_bind_service ipc_lock sys_chroot };
>> +allow ntpd_t self:capability { setgid setuid sys_time 
>> net_bind_service ipc_lock sys_chroot net_admin };
>>  
>>
> This should definitely not be allowed.  I can't see why ntpd would 
> want to modify your network environment.
>
>> allow ntpd_t self:process { setcap setsched };
>> # ntpdate wants sys_nice
>> dontaudit ntpd_t self:capability { fsetid sys_nice };
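Review bot: drop net_admin from the allow and append it to the existing dontaudit two lines below instead. The ntpd log shows the net_admin denial (1100209909.749) sandwiched between the netlink write (1100209909.747) and the nlmsg_read (1100209909.750), the same spurious capability probe on netlink send seen for dhcpd, so a time daemon does not need it. The hunk already carries `dontaudit ntpd_t self:capability { fsetid sys_nice };` in its trailing context; changing that to `dontaudit ntpd_t self:capability { fsetid sys_nice net_admin };` keeps the audit log quiet without handing ntpd the ability to reconfigure interfaces and routes.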
>> @@ -39,6 +39,7 @@
>> allow ntpd_t ntp_port_t:udp_socket name_bind;
>> allow ntpd_t self:unix_dgram_socket create_socket_perms;
>> allow ntpd_t self:unix_stream_socket create_socket_perms;
>> +allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
>>
>>  
>>
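Review bot: same rule as dhcpd and named, and the three denial sequences are identical (create, bind, getattr, write, nlmsg_read, read, within a few milliseconds of each other), which points to one shared cause rather than three daemons independently growing routing code. Read-only RTM_GET* dumps of that shape are, most likely, interface enumeration through glibc's getifaddrs(3), which is implemented over rtnetlink on 2.6, and that would explain why the list has not seen these before. If that is confirmed, one shared macro is cleaner than repeating the line per domain; either way keep the r_ variant, since no daemon in the logs attempted nlmsg_write.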
> Same as previous comments about netlink_sockets
>
>> # so the start script can change firewall entries
>> allow initrc_t net_conf_t:file { getattr read ioctl };
>> diff -ru src.orig/policy/macros/program/apache_macros.te 
>> src/policy/macros/program/apache_macros.te
>> --- src.orig/policy/macros/program/apache_macros.te    2004-11-01 
>> 19:36:22.000000000 -0200
>> +++ src/policy/macros/program/apache_macros.te    2004-11-12 
>> 23:01:49.000000000 -0200
>> @@ -106,6 +106,7 @@
>> ############################################################################ 
>>
>> r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
>> create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
>> +allow httpd_t { httpd_$1_script_rw_t }:{ file dir lnk_file } { 
>> unlink };
>> ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
>>
>> if (httpd_enable_cgi) && (httpd_unified) {
>>  
>>
>>  
>>
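Review bot: the subject of this rule is httpd_t rather than httpd_$1_script_t, which is correct but needs a comment, and on its own the rule is incomplete. mod_php runs inside the httpd process, and a transition to httpd_$1_script_t only happens when httpd execs a CGI script, so a PHP unlink() is performed by httpd_t; that is the "for some reason" in the cover note. An unlink also needs remove_name on the containing directory, which this line does not grant on httpd_$1_script_rw_t:dir (unlink on dir is never checked; directories go through rmdir), so dir and lnk_file in the class list add little. The `create_dir_file(httpd_t, httpd_sys_script_rw_t)` quoted in the reply grants both the file unlink and the directory remove_name, so prefer it over this hand-written line.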
> The update policy has the following which would cover this case.
>
> r_dir_file(httpd_t, httpd_sys_script_ro_t)
> create_dir_file(httpd_t, httpd_sys_script_rw_t)
> ra_dir_file(httpd_t, httpd_sys_script_ra_t)
>
>> ------------------------------------------------------------------------
>>
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>
>
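As an added example (not code from this thread or from the Fedora policy tree): a small audit2allow-style aggregator in Python that parses the kernel AVC line format quoted above, merges permissions per source type, target type and object class, and flags the cases this thread shows should not become a blind allow: a sensitive capability such as net_admin (emitted as dontaudit, as suggested in the reply), a target of type file_t (an unlabeled file, which wants a relabel rather than a rule), and a unix_stream_socket rule whose target is another process domain (which reaches every socket that domain owns, the objection raised about the postgres change). The sample lines are the httpd, ntpd and dhcpd denials from the thread re-joined onto single lines; the SENSITIVE_CAPS set and the comment wording are this example's own choices, not anything the policy defines.

```python
"""Aggregate SELinux AVC denials into candidate policy rules (audit2allow style).

Added example for this thread, not a tool from the list or from Fedora.
"""
import re
from collections import defaultdict

# Matches the FC3-era kernel format: "... avc:  denied  { perm perm } for  k=v k=v ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Capabilities that must not be granted just because a denial was logged.
# This set is the example's choice (assumption), not something the thread defines.
SENSITIVE_CAPS = {"net_admin", "sys_admin", "sys_module", "sys_rawio", "sys_ptrace"}

# Constructed sample: the httpd, ntpd and dhcpd denials quoted in the thread,
# unwrapped onto one line each (the archive wraps them).
SAMPLE_AVCS = [
    "Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc:  denied  { connectto } for  pid=2522 "
    "exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t "
    "tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket",
] + [
    f"Nov 11 19:51:49 fireball kernel: audit(1100209909.{ms}:0): avc:  denied  {{ {perm} }} for  pid=2293 "
    f"exe=/usr/sbin/ntpd{extra} scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass={cls}"
    for ms, perm, extra, cls in [
        ("743", "create", "", "netlink_route_socket"),
        ("745", "bind", "", "netlink_route_socket"),
        ("745", "getattr", "", "netlink_route_socket"),
        ("747", "write", "", "netlink_route_socket"),
        ("749", "net_admin", " capability=12", "capability"),
        ("750", "nlmsg_read", "", "netlink_route_socket"),
        ("752", "read", "", "netlink_route_socket"),
    ]
] + [
    "Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc:  denied  { unlink } for  pid=10008 "
    "exe=/usr/sbin/dhcpd name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t "
    "tcontext=system_u:object_r:file_t tclass=file",
]


def parse_avc(line):
    """Return (perms, fields) for one denial line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return perms, fields


def type_of(context):
    """user:role:type -> type, the component policy rules are written against."""
    return context.split(":")[2]


def aggregate(lines):
    """Merge permissions per (source type, target type or 'self', class)."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        src, tgt = type_of(f["scontext"]), type_of(f["tcontext"])
        rules[(src, "self" if src == tgt else tgt, f["tclass"])] |= perms
    return dict(rules)


def render(rules):
    """Turn aggregated denials into policy lines, with review flags where a
    blind allow would be wrong (sensitive capability, unlabeled target,
    socket rule against a whole process domain)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        plist = " ".join(sorted(perms))
        if tgt == "file_t":
            out.append(f"# LABELING: {src} was denied {{ {plist} }} on a file_t {cls}; the object is "
                       f"unlabeled, relabel it (restorecon) instead of allowing access to file_t")
        elif cls == "capability" and perms & SENSITIVE_CAPS:
            out.append(f"# REVIEW: {src} requested {plist}; silence it and confirm the daemon still works")
            out.append(f"dontaudit {src} {tgt}:{cls} {{ {plist} }};")
        elif cls == "unix_stream_socket" and tgt != "self":
            out.append(f"# REVIEW: lets {src} reach every {cls} created by {tgt}, not just one path")
            out.append(f"allow {src} {tgt}:{cls} {{ {plist} }};")
        else:
            out.append(f"allow {src} {tgt}:{cls} {{ {plist} }};")
    return out


if __name__ == "__main__":
    print("\n".join(render(aggregate(SAMPLE_AVCS))))
```

Run it against a real /var/log/messages by feeding the file's lines to aggregate(); the netlink denials collapse into one read-only rule per daemon, while net_admin comes out as a dontaudit and the dhcpd.leases~ unlink is reported as a labeling problem rather than turned into an allow on file_t.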



