From bobgus at rcn.com Tue Jun 1 07:20:43 2004 
From: bobgus at rcn.com (Bob Gustafson)
Date: Tue, 1 Jun 2004 02:20:43 -0500
Subject: Dumb question - where does policy.17 go when it is 'loaded'?

When a policy is reloaded
 (i.e., cd /etc/selinux/strict/src/policy; make reload),
where does it go?

Here we have a local make of the policy:

[root at hoho2 policy]# make policy 2>&1 | tee policy.out
/usr/bin/checkpolicy -o policy.17 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
security: 5 users, 7 roles, 1248 types, 1 bools
security: 42 classes, 306567 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 17) to policy.17
[root at hoho2 policy]# date
Tue Jun 1 01:15:00 CDT 2004
[root at hoho2 policy]# ls -lt | head
total 11712
-rw------- 1 root root 7465378 Jun 1 01:14 policy.17
-rw-r--r-- 1 root root 330 Jun 1 01:14 policy.out
-rw-r--r-- 1 root root 97 May 29 23:57 reload.out
drwxr-xr-x 2 root root 4096 May 29 23:57 tmp
drwxr-xr-x 4 root root 4096 May 29 12:06 file_contexts
-rw-r--r-- 1 root root 4207890 May 29 12:05 policy.conf
drwx------ 2 root root 4096 May 29 12:05 flask
drwx------ 3 root root 4096 May 29 12:05 macros
drwx------ 2 root root 4096 May 29 12:05 types

OK, policy.17 is dropped into this directory.

[root at hoho2 policy]# ls -l ../../policy
total 7308
-rw-r--r-- 1 root root 7465378 May 29 12:06 policy.17

And, the policy.17 in this strict tree - has not been updated

Now, zap the local policy.17

[root at hoho2 policy]# rm policy.17
rm: remove regular file `policy.17'? y

And now just do a make reload

[root at hoho2 policy]# make reload 2>&1 | tee policy.out
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat /selinux/policyvers`
touch tmp/load

Now, check where it went..

[root at hoho2 policy]# ls -l ../../policy
total 7308
-rw-r--r-- 1 root root 7465378 May 29 12:06 policy.17

Does not seem to have updated policy in the same (strict) tree

Look around for it

[root at hoho2 policy]# find / -name policy.17 -print
/etc/security/selinux/policy.17
/etc/security/selinux/src/policy/policy.17
/etc/selinux/targeted/src/policy/policy.17
/etc/selinux/targeted/policy/policy.17
/etc/selinux/strict/policy/policy.17

Lots of policies - now check dates

[root at hoho2 policy]# ls -l /etc/security/selinux/policy.17
-rw-r--r-- 1 root root 7410154 May 29 12:13 /etc/security/selinux/policy.17

[root at hoho2 policy]# ls -l /etc/security/selinux/src/policy/policy.17
-rw------- 1 root root 7385824 May 7 10:24 /etc/security/selinux/src/policy/policy.17

[root at hoho2 policy]# ls -l /etc/selinux/strict/policy/policy.17
-rw-r--r-- 1 root root 7465378 May 29 12:06 /etc/selinux/strict/policy/policy.17

[root at hoho2 policy]# ls -l /etc/selinux/targeted/policy/policy.17
-rw-r--r-- 1 root root 97919 May 29 12:06 /etc/selinux/targeted/policy/policy.17

[root at hoho2 policy]# ls -l /etc/selinux/targeted/src/policy/policy.17
-rw------- 1 root root 97919 May 28 13:38 /etc/selinux/targeted/src/policy/policy.17

None of the dates have been touched. Where did it go?

-----

Now, if policy is 'loaded', why do I now get these errors?

[root at hoho2 user1]# rpm -i policycoreutils-1.13-3.src.rpm
/etc/security/selinux/file_contexts: invalid context system_u:object_r:at_exec_t on line number 710
/etc/security/selinux/file_contexts: invalid context system_u:object_r:seuser_exec_t on line number 1550
/etc/security/selinux/file_contexts: invalid context system_u:object_r:seuser_conf_t on line number 1551
[root at hoho2 user1]#

Also - hmm, I think I have security 'loaded' because I cannot 'su' into
root now - unless I know what my role and type and ... are !! - may have to
reboot.

My guess at this point is that the policy is loaded into memory somewhere -
maybe the kernel patches will tell where?? But why is there no disk
version?
From rhally at mindspring.com Tue Jun 1 08:16:30 2004
From: rhally at mindspring.com (Richard Hally)
Date: Tue, 01 Jun 2004 04:16:30 -0400
Subject: Dumb question - where does policy.17 go when it is 'loaded'?
Message-ID: <40BC3B5E.4090004@mindspring.com>

Bob Gustafson wrote:
> When a policy is reloaded
>  (i.e., cd /etc/selinux/strict/src/policy; make reload),
> where does it go?
>
> Here we have a local make of the policy:
>
> [root at hoho2 policy]# make policy 2>&1 | tee policy.out
> /usr/bin/checkpolicy -o policy.17 policy.conf
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> security: 5 users, 7 roles, 1248 types, 1 bools
> security: 42 classes, 306567 rules
> /usr/bin/checkpolicy: policy configuration loaded
> /usr/bin/checkpolicy: writing binary representation (version 17) to policy.17
> [root at hoho2 policy]# date
> Tue Jun 1 01:15:00 CDT 2004
> [root at hoho2 policy]# ls -lt | head
> total 11712
> -rw------- 1 root root 7465378 Jun 1 01:14 policy.17
> -rw-r--r-- 1 root root 330 Jun 1 01:14 policy.out
> -rw-r--r-- 1 root root 97 May 29 23:57 reload.out
> drwxr-xr-x 2 root root 4096 May 29 23:57 tmp
> drwxr-xr-x 4 root root 4096 May 29 12:06 file_contexts
> -rw-r--r-- 1 root root 4207890 May 29 12:05 policy.conf
> drwx------ 2 root root 4096 May 29 12:05 flask
> drwx------ 3 root root 4096 May 29 12:05 macros
> drwx------ 2 root root 4096 May 29 12:05 types
>
> OK, policy.17 is dropped into this directory.
>
> [root at hoho2 policy]# ls -l ../../policy
> total 7308
> -rw-r--r-- 1 root root 7465378 May 29 12:06 policy.17
>
> And, the policy.17 in this strict tree - has not been updated
>
> Now, zap the local policy.17
>
> [root at hoho2 policy]# rm policy.17
> rm: remove regular file `policy.17'? y
>
> And now just do a make reload
>
> [root at hoho2 policy]# make reload 2>&1 | tee policy.out
> /usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat
> /selinux/policyvers`
> touch tmp/load
>
> Now, check where it went..
>
> [root at hoho2 policy]# ls -l ../../policy
> total 7308
> -rw-r--r-- 1 root root 7465378 May 29 12:06 policy.17
>
> Does not seem to have updated policy in the same (strict) tree
>
> Look around for it
>
> [root at hoho2 policy]# find / -name policy.17 -print
> /etc/security/selinux/policy.17
> /etc/security/selinux/src/policy/policy.17
> /etc/selinux/targeted/src/policy/policy.17
> /etc/selinux/targeted/policy/policy.17
> /etc/selinux/strict/policy/policy.17
>
> Lots of policies - now check dates
>
> [root at hoho2 policy]# ls -l /etc/security/selinux/policy.17
> -rw-r--r-- 1 root root 7410154 May 29 12:13 /etc/security/selinux/policy.17
>
> [root at hoho2 policy]# ls -l /etc/security/selinux/src/policy/policy.17
> -rw------- 1 root root 7385824 May 7 10:24
> /etc/security/selinux/src/policy/policy.17
>
> [root at hoho2 policy]# ls -l /etc/selinux/strict/policy/policy.17
> -rw-r--r-- 1 root root 7465378 May 29 12:06
> /etc/selinux/strict/policy/policy.17
>
> [root at hoho2 policy]# ls -l /etc/selinux/targeted/policy/policy.17
> -rw-r--r-- 1 root root 97919 May 29 12:06
> /etc/selinux/targeted/policy/policy.17
>
> [root at hoho2 policy]# ls -l /etc/selinux/targeted/src/policy/policy.17
> -rw------- 1 root root 97919 May 28 13:38
> /etc/selinux/targeted/src/policy/policy.17
>
> None of the dates have been touched. Where did it go?
>
> -----
>
> Now, if policy is 'loaded', why do I now get these errors?
>
> [root at hoho2 user1]# rpm -i policycoreutils-1.13-3.src.rpm
> /etc/security/selinux/file_contexts: invalid context
> system_u:object_r:at_exec_t on line number 710
> /etc/security/selinux/file_contexts: invalid context
> system_u:object_r:seuser_exec_t on line number 1550
> /etc/security/selinux/file_contexts: invalid context
> system_u:object_r:seuser_conf_t on line number 1551
> [root at hoho2 user1]#
>
>
> Also - hmm, I think I have security 'loaded' because I cannot 'su' into
> root now - unless I know what my role and type and ... are !! - may have to
> reboot.
>
> My guess at this point is that the policy is loaded into memory somewhere -
> maybe the kernel patches will tell where?? But why is there no disk
> version?
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

The Makefile itself is very informative, especially the comments at the
beginning. "make policy" does not load (or reload) the policy.

HTH
Richard Hally
From russell at coker.com.au Tue Jun 1 13:23:47 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 1 Jun 2004 23:23:47 +1000
Subject: mysql issues...
In-Reply-To: <200405261626.i4QGQ1GQ001031@turing-police.cc.vt.edu>
References: <200405250215.i4P2FFAe027848@turing-police.cc.vt.edu> <200405261417.40958.russell@coker.com.au> <200405261626.i4QGQ1GQ001031@turing-police.cc.vt.edu>
Message-ID: <200406012323.47095.russell@coker.com.au>

On Thu, 27 May 2004 02:26, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 26 May 2004 14:17:40 +1000, Russell Coker said:
> > How should we determine who gets mysql client access? Should we have a
> > tunable determining whether we allow userdomain?
>
> That might be a good solution..

OK, I've attached a sample policy file to allow this. I put it in mysqld.te
because it goes easiest there. One advantage of doing it this way is that it
makes the policy simpler, another is that if an administrator wants to change
the policy to allow only dba_t instead of all of userdomain then it's a much
easier change for them.

On Thu, 27 May 2004 02:31, Stephen Smalley wrote:
> Is the client program setgid or setuid presently to give it more
> access? If so, then a separate domain is reasonable. Regardless, there
> is a potential advantage in limiting access to the client program, e.g.
> you can ensure that only well-formed messages constructed by the client
> program are sent on that socket as opposed to arbitrary data from the
> user. Naturally, it all depends on what you are trying to protect and
> what threats you want to counter.

The client program is not setgid or setuid, it has no special access and
merely implements the protocol.

Regarding well-formed messages, given that the authors of the client program
apparently did not design it to be run as a trusted program I don't have any
great expectations of its ability to prevent itself from being exploited.

This combined with the difficulties of a separate domain (redirection of
stdin/stdout not working as expected etc) makes me believe that it's not
worth trying such things at this stage. Maybe at a future time if the MySql
developers want to add SE Linux support to their database server we could do
such things along the way.

PS There's a lot of other MySql work that needs to be done to make it work on
Fedora. A quick test has revealed to me that installing it in enforcing mode
does not work well.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-------------- next part --------------
#DESC Mysqld - Database server
#
# Author: Russell Coker 
# X-Debian-Packages: mysql-server
#

#################################
#
# Rules for the mysqld_t domain.
#
# mysqld_exec_t is the type of the mysqld executable.
#
daemon_domain(mysqld)

allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;

etcdir_domain(mysqld)
typealias mysqld_etc_t alias etc_mysqld_t;

type mysqld_db_t, file_type, sysadmfile;

log_domain(mysqld)

allow mysqld_t tmp_t:dir { getattr read };
allow mysqld_t usr_t:file { getattr read };
allow mysqld_t self:fifo_file { read write };
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow initrc_t mysqld_t:unix_stream_socket { connectto };
allow initrc_t mysqld_var_run_t:sock_file write;
allow initrc_t mysqld_log_t:file { write append setattr ioctl };

allow mysqld_t self:capability { setgid setuid };
allow mysqld_t self:process getsched;

allow mysqld_t proc_t:file { getattr read };

# Allow access to the mysqld databases
create_dir_file(mysqld_t, mysqld_db_t)
allow mysqld_t var_lib_t:dir search;

can_network(mysqld_t)

# read config files
r_dir_file(initrc_t, mysqld_etc_t)
allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
allow mysqld_t etc_t:dir search;

allow mysqld_t sysctl_kernel_t:dir search;
allow mysqld_t sysctl_kernel_t:file read;

can_unix_connect(sysadm_t, mysqld_t)

# for /root/.my.cnf - should not be needed
allow mysqld_t sysadm_home_dir_t:dir search;
allow mysqld_t sysadm_home_t:file { read getattr };

ifdef(`logrotate.te', `
r_dir_file(logrotate_t, mysqld_etc_t)
allow logrotate_t mysqld_db_t:dir search;
allow logrotate_t mysqld_var_run_t:dir search;
allow logrotate_t mysqld_var_run_t:sock_file write;
can_unix_connect(logrotate_t, mysqld_t)
')

# Tunable: define user_db_connect at policy build time to let every user
# domain reach the server's unix socket; leave it undefined (or narrow it
# to a single domain such as dba_t) to keep client access restricted.
ifdef(`user_db_connect', `
allow userdomain mysqld_var_run_t:dir search;
allow userdomain mysqld_var_run_t:sock_file write;
')
From pmehta at wideopenwest.com Tue Jun 1 04:46:02 2004
From: pmehta at wideopenwest.com (Pratik Mehta)
Date: Mon, 31 May 2004 23:46:02 -0500
Subject: fedora 2 - ls -Z for proc
Message-ID: <40BC0A0A.8090606@wideopenwest.com>

Hi,

When I run on Fedora 2 ls --context or ls -Z for /proc I get:
[root at localhost proc]# ls --context
dr-xr-xr-x root root (null) 1
dr-xr-xr-x root root (null) 10
dr-xr-xr-x root root (null) 11
dr-xr-xr-x root root (null) 116

But as Faye says in his documentation:
Running ls --context /proc shows the following listing for the init
process (with a process id of 1):

dr-xr-xr-x root root system_u:system_r:init_t 1

Why is this so ?????

- Pratik
From sds at epoch.ncsc.mil Tue Jun 1 14:17:55 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 01 Jun 2004 10:17:55 -0400
Subject: fedora 2 - ls -Z for proc
In-Reply-To: <40BC0A0A.8090606@wideopenwest.com>
References: <40BC0A0A.8090606@wideopenwest.com>
Message-ID: <1086099475.13325.79.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2004-06-01 at 00:46, Pratik Mehta wrote:
> Hi,
>
> When i run on Fedora 2 ls --context or ls -Z for /proc i get:
> [root at localhost proc]# ls --context
> dr-xr-xr-x root root (null) 1
> dr-xr-xr-x root root (null) 10
> dr-xr-xr-x root root (null) 11
> dr-xr-xr-x root root (null) 116
>
> But as faye says in his documentation:
> Running ls --context /proc shows the following listing for the init
> process (with a process id of 1):
>
> dr-xr-xr-x root root system_u:system_r:init_t 1
>
>
> Why is this so ?????

Old SELinux API vs. new SELinux API. As part of getting SELinux into the
mainline kernel, we had to completely overhaul the SELinux API. File
contexts are now obtained via the underlying extended attribute (xattr)
API, which fetches the xattr value from the filesystem implementation; in
contrast, under the old API, the file context was obtained from the SELinux
code itself, which would simply map the internal security identifier (SID)
from the incore inode to a security context and return that context. As a
result, unless the filesystem implementation exports xattr handlers,
userspace cannot obtain the security contexts on the files. We have
implemented fake xattr handlers for the devpts pseudo filesystem to support
getting and setting security contexts on ptys (e.g. for sshd), but didn't
see it as necessary to do so for proc.

Instead, you can obtain the context of a given process via
/proc/pid/attr/current, e.g. cat /proc/1/attr/current will show you the
context of the init process (if you have permission to do so). Note that
libselinux exports a getpidcon() function for this purpose, which is what
you should use from any program that wants this information.

--
Stephen Smalley
National Security Agency
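The two lookup paths the reply describes, as an added example (not code from the thread or from libselinux): file_context() goes through the xattr API that ls -Z uses and comes back empty where the filesystem exports no handler, which is exactly why /proc entries print as (null); process_context() reads /proc/<pid>/attr/current directly, the interface recommended above (libselinux's getpidcon() wraps the same file). The fake /proc tree built in demo_fake_procfs() is constructed for the example so it runs on a machine without SELinux.

```python
"""Query SELinux contexts the two ways described above: the xattr API for
files (what ls -Z uses) and /proc/<pid>/attr/current for processes.
Added example; not code from the thread or from libselinux."""
import os
import tempfile
from collections import namedtuple

Context = namedtuple("Context", "user role type")


def parse_context(raw):
    """Split 'system_u:system_r:init_t' into user, role and type.
    Returns None for empty input or for a string that is not a context
    (for example the '(null)' ls prints when no label comes back).
    An MLS range after the type, if present, is ignored here."""
    if raw is None:
        return None
    text = raw.strip("\0\n ")  # attr files may end in a NUL or newline
    parts = text.split(":")
    if len(parts) < 3 or not all(parts[:3]):
        return None
    return Context(parts[0], parts[1], parts[2])


def file_context(path):
    """Fetch security.selinux through the xattr API.  When the filesystem
    exports no xattr handler (proc on the kernel discussed above) or stores
    no label, the call fails and we return None instead of a context."""
    if not hasattr(os, "getxattr"):  # non-Linux Python build
        return None
    try:
        raw = os.getxattr(path, "security.selinux")
    except OSError:  # ENODATA, ENOTSUP, EACCES ...
        return None
    return parse_context(raw.decode("ascii", "replace"))


def process_context(pid, procfs="/proc"):
    """Read /proc/<pid>/attr/current, the interface recommended above for
    processes.  None means: no SELinux in this kernel, pid gone, or the
    read was not permitted."""
    path = os.path.join(procfs, str(pid), "attr", "current")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    return parse_context(raw.decode("ascii", "replace"))


def demo_fake_procfs():
    """Constructed /proc look-alike so the lookup can be exercised offline.
    Returns (context of pid 1, result for a pid that has no attr file)."""
    with tempfile.TemporaryDirectory() as root:
        attr_dir = os.path.join(root, "1", "attr")
        os.makedirs(attr_dir)
        with open(os.path.join(attr_dir, "current"), "wb") as fh:
            fh.write(b"system_u:system_r:init_t\0")  # constructed value
        return process_context(1, procfs=root), process_context(2, procfs=root)


if __name__ == "__main__":
    print("pid 1 via real /proc:", process_context(1))
    print("/ via xattr:", file_context("/"))
    print("/proc via xattr (expect None):", file_context("/proc"))
    print("constructed procfs:", demo_fake_procfs())
```

On a non-SELinux host every real lookup returns None and only the constructed tree yields a context; on an SELinux host file_context("/proc") still returns None because proc exports no security.selinux handler, while process_context(1) returns init's context if the caller is allowed to read it.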
From dwalsh at redhat.com Tue Jun 1 14:14:44 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 01 Jun 2004 10:14:44 -0400
Subject: Dumb question - where does policy.17 go when it is 'loaded'?
Message-ID: <40BC8F54.2020102@redhat.com>

Bob Gustafson wrote:

>When a policy is reloaded
> (i.e., cd /etc/selinux/strict/src/policy; make reload),
>where does it go?
>
>Here we have a local make of the policy:
>
>
>
Policy.17 should be recreated in /etc/selinux/strict/policy in this
scenario. /etc/selinux/targeted/policy if you did this in a targeted policy.

>[root at hoho2 policy]# make policy 2>&1 | tee policy.out
>/usr/bin/checkpolicy -o policy.17 policy.conf
>/usr/bin/checkpolicy: loading policy configuration from policy.conf
>security: 5 users, 7 roles, 1248 types, 1 bools
>security: 42 classes, 306567 rules
>/usr/bin/checkpolicy: policy configuration loaded
>/usr/bin/checkpolicy: writing binary representation (version 17) to policy.17
>[root at hoho2 policy]# date
>Tue Jun 1 01:15:00 CDT 2004
>[root at hoho2 policy]# ls -lt | head
>total 11712
>-rw------- 1 root root 7465378 Jun 1 01:14 policy.17
>-rw-r--r-- 1 root root 330 Jun 1 01:14 policy.out
>-rw-r--r-- 1 root root 97 May 29 23:57 reload.out
>drwxr-xr-x 2 root root 4096 May 29 23:57 tmp
>drwxr-xr-x 4 root root 4096 May 29 12:06 file_contexts
>-rw-r--r-- 1 root root 4207890 May 29 12:05 policy.conf
>drwx------ 2 root root 4096 May 29 12:05 flask
>drwx------ 3 root root 4096 May 29 12:05 macros
>drwx------ 2 root root 4096 May 29 12:05 types
>
>OK, policy.17 is dropped into this directory.
>
>[root at hoho2 policy]# ls -l ../../policy
>total 7308
>-rw-r--r-- 1 root root 7465378 May 29 12:06 policy.17
>
>And, the policy.17 in this strict tree - has not been updated
>
>Now, zap the local policy.17
>
>[root at hoho2 policy]# rm policy.17
>rm: remove regular file `policy.17'? y
>
>And now just do a make reload
>
>[root at hoho2 policy]# make reload 2>&1 | tee policy.out
>/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat
>/selinux/policyvers`
>touch tmp/load
>
>Now, check where it went..
>
>[root at hoho2 policy]# ls -l ../../policy
>total 7308
>-rw-r--r-- 1 root root 7465378 May 29 12:06 policy.17
>
>Does not seem to have updated policy in the same (strict) tree
>
>Look around for it
>
>[root at hoho2 policy]# find / -name policy.17 -print
>/etc/security/selinux/policy.17
>/etc/security/selinux/src/policy/policy.17
>/etc/selinux/targeted/src/policy/policy.17
>/etc/selinux/targeted/policy/policy.17
>/etc/selinux/strict/policy/policy.17
>
>Lots of policies - now check dates
>
>[root at hoho2 policy]# ls -l /etc/security/selinux/policy.17
>-rw-r--r-- 1 root root 7410154 May 29 12:13 /etc/security/selinux/policy.17
>
>[root at hoho2 policy]# ls -l /etc/security/selinux/src/policy/policy.17
>-rw------- 1 root root 7385824 May 7 10:24
>/etc/security/selinux/src/policy/policy.17
>
>[root at hoho2 policy]# ls -l /etc/selinux/strict/policy/policy.17
>-rw-r--r-- 1 root root 7465378 May 29 12:06
>/etc/selinux/strict/policy/policy.17
>
>[root at hoho2 policy]# ls -l /etc/selinux/targeted/policy/policy.17
>-rw-r--r-- 1 root root 97919 May 29 12:06
>/etc/selinux/targeted/policy/policy.17
>
>[root at hoho2 policy]# ls -l /etc/selinux/targeted/src/policy/policy.17
>-rw------- 1 root root 97919 May 28 13:38
>/etc/selinux/targeted/src/policy/policy.17
>
>None of the dates have been touched. Where did it go?
>
>-----
>
>Now, if policy is 'loaded', why do I now get these errors?
>
>[root at hoho2 user1]# rpm -i policycoreutils-1.13-3.src.rpm
>/etc/security/selinux/file_contexts: invalid context
>system_u:object_r:at_exec_t on line number 710
>/etc/security/selinux/file_contexts: invalid context
>system_u:object_r:seuser_exec_t on line number 1550
>/etc/security/selinux/file_contexts: invalid context
>system_u:object_r:seuser_conf_t on line number 1551
>[root at hoho2 user1]#
>
>
rpm is currently broken. You can fix this behaviour by linking to the
file context file

ln -s /etc/selinux/strict/files/file_context /etc/security/selinux/file_contexts

>
>Also - hmm, I think I have security 'loaded' because I cannot 'su' into
>root now - unless I know what my role and type and ... are !! - may have to
>reboot.
>
>My guess at this point is that the policy is loaded into memory somewhere -
>maybe the kernel patches will tell where?? But why is there no disk
>version?
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
From sds at epoch.ncsc.mil Tue Jun 1 14:42:46 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 01 Jun 2004 10:42:46 -0400
Subject: Simplistic X11 logins not working.. (newbie questions)
In-Reply-To: <20040531190833.GB7869@obfuscation.org>
References: <20040531190833.GB7869@obfuscation.org>
Message-ID: <1086100966.13325.85.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2004-05-31 at 15:08, Erik Fichtner wrote:
> So. I've got vanilla FC2 with SELinux loaded and the standard
> policy sources loaded on my laptop. For various reasons (low memory
> and a general dislike for all things GNOME; primarily), I'm trying to
> make good old xdm work and start boring old twm. This requires a
> little bit of manhandling within /etc/X11/xdm/Xsession and /etc/inittab.
> No big deal here.

[xgk]dm need to be modified to set the SELinux security context for the
session. SELinux support has been upstreamed in gdm. Patches for other
*dm programs have been floating around for some time, e.g. see
http://marc.theaimsgroup.com/?l=selinux&m=107031914600885&w=2. The other
alternative is to try to use pam_selinux, but that wouldn't work for gdm
(pam_open_session is called from the wrong process to set up the context).

--
Stephen Smalley
National Security Agency

From emf at obfuscation.org Tue Jun 1 16:20:11 2004
From: emf at obfuscation.org (Erik Fichtner)
Date: Tue, 1 Jun 2004 09:20:11 -0700
Subject: Simplistic X11 logins not working.. (newbie questions)
In-Reply-To: <1086100966.13325.85.camel@moss-spartans.epoch.ncsc.mil>
References: <20040531190833.GB7869@obfuscation.org> <1086100966.13325.85.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20040601162011.GB10722@obfuscation.org>

On Tue, Jun 01, 2004 at 10:42:46AM -0400, Stephen Smalley wrote:
> [xgk]dm need to be modified to set the SELinux security context for the
> session. SELinux support has been upstreamed in gdm.

Ah. got it. Yep, works great with gdm.

--
Erik Fichtner; Unix Ronin
From grier at uiuc.edu Wed Jun 2 16:29:28 2004
From: grier at uiuc.edu (Chris Grier)
Date: Wed, 2 Jun 2004 11:29:28 -0500
Subject: fedora policy changes
Message-ID: <20040602162928.GA16294@balder>

Hi,

I'm using Fedora Core 2 with SELinux, and I was wondering if there is an
official place to submit (possible) policy changes. I have run across a
couple things that might need to be changed, and I would like to submit
them for the next versions of the policy packages. I can do bugzilla if
that's the right place for these things.

The main things I'm looking at right now are for dm-crypt. It seems that
there might not be correct labeling to support device mapper. hda6 is the
/ partition, where the loopback file is (I'm using losetup to set up the
loop, and dm-crypt to encrypt, which is then mounted as a user home
directory)

audit(1086192065.154:0): avc: denied { read } for pid=2844 exe=/sbin/ldconfig name=libdevmapper.so.1.00 dev=hda6 ino=278879 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:usr_t tclass=file
audit(1086192065.179:0): avc: denied { read } for pid=2844 exe=/sbin/ldconfig name=libdevmapper.so dev=hda6 ino=278880 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:usr_t tclass=lnk_file

--
Chris Grier
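Triaging denials like the two above is the first step before proposing a policy change, so here is an added example (not code from the thread, and not audit2allow) that parses avc: denied lines into their fields, merges them by (source type, target type, object class) and renders candidate allow rules in the policy language of the mysqld.te file earlier in this digest. The two sample lines are copied from the message above; the merge keys and the rule format are this example's choices.

```python
"""Parse 'avc: denied' audit lines and merge them into candidate allow
rules for review.  Added example; not the thread's code, not audit2allow."""
import re
from collections import OrderedDict

# The two denial lines from the message above, used as sample input.
SAMPLE_AVCS = """\
audit(1086192065.154:0): avc: denied { read } for pid=2844 exe=/sbin/ldconfig name=libdevmapper.so.1.00 dev=hda6 ino=278879 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:usr_t tclass=file
audit(1086192065.179:0): avc: denied { read } for pid=2844 exe=/sbin/ldconfig name=libdevmapper.so dev=hda6 ino=278880 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:usr_t tclass=lnk_file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r"\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return {verdict, perms (set), key=value fields...} for one AVC line,
    or None if the line is not an AVC record or lacks the three fields a
    rule needs (scontext, tcontext, tclass), e.g. a truncated log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"),
           "perms": set(m.group("perms").split())}
    rec.update(FIELD_RE.findall(m.group("fields")))
    if not rec["perms"] or any(k not in rec for k in ("scontext", "tcontext", "tclass")):
        return None
    return rec


def context_type(ctx):
    """Third field of user:role:type[:range]; None if the context is malformed."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def merge_denials(lines):
    """Group denials by (source type, target type, class).  Each group keeps
    the union of denied permissions and the exe/name pairs seen, so a
    reviewer can judge whether the target type is even the right label."""
    merged = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        stype = context_type(rec["scontext"])
        ttype = context_type(rec["tcontext"])
        if stype is None or ttype is None:
            continue
        group = merged.setdefault((stype, ttype, rec["tclass"]),
                                  {"perms": set(), "seen": []})
        group["perms"].update(rec["perms"])
        group["seen"].append("%s name=%s" % (rec.get("exe", "?"), rec.get("name", "?")))
    return merged


def suggest_rules(lines):
    """Render one 'allow' line per group, permissions sorted for stable output."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(g["perms"])))
            for (s, t, c), g in merge_denials(lines).items()]


if __name__ == "__main__":
    for rule, (key, group) in zip(suggest_rules(SAMPLE_AVCS.splitlines()),
                                  merge_denials(SAMPLE_AVCS.splitlines()).items()):
        print(rule)
        for evidence in group["seen"]:
            print("    # seen:", evidence)
```

The output is a review candidate, not a patch to apply blindly: the message itself suspects a labelling problem, and when the target type is wrong for the object (a shared library labelled usr_t here) the right fix is a file_contexts entry and a relabel, which makes the denial disappear without widening any domain's permissions.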
From sds at epoch.ncsc.mil Wed Jun 2 16:32:01 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Wed, 02 Jun 2004 12:32:01 -0400
Subject: Installing the new policy
Message-ID: <1086193921.15871.69.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2004-05-29 at 15:49, Bob Gustafson wrote:
> I wonder if the main problem is a missing /etc/selinux/config file which
> probably tells pieces of the system which of the policy-strict, etc. files
> to use (??)

Yes, you need to create it manually at present, I think. It replaces
/etc/sysconfig/selinux (so you still need a SELINUX=enforcing line) and
adds a SELINUXTYPE= definition to indicate the active policy (e.g. strict
or targeted).

> I updated my system and did a 'yum install policy\*` (maybe also
> selinux-policy\* too)

You need an updated libselinux, policycoreutils, and SysVinit in addition
to selinux-policy-strict or selinux-policy-targeted. And you need to
relabel to get the right types on the /etc/selinux tree.

--
Stephen Smalley
National Security Agency
From sds at epoch.ncsc.mil Wed Jun 2 16:56:15 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Wed, 02 Jun 2004 12:56:15 -0400
Subject: Installing the new policy
In-Reply-To: <40B92CB0.5070205@comcast.net>
References: <40B92CB0.5070205@comcast.net>
Message-ID: <1086195375.15871.99.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2004-05-29 at 20:37, Tom London wrote:
> So here's the condensed version;
> 1. installing selinux-policy-strict-sources (and selinux-policy-strict)
> did not setup /etc/selinux/config, nor did it modify
> /etc/sysconfig/selinux. (I must admit that I was confused by the
> message thread. Did I need to remove /etc/sysconfig/selinux before doing
> the 'yum install selinux-policy-strict-sources'? I thought the install
> would add the 'SELINUXTYPE=strict' line to an existing file, but I may
> have read this wrong.)

I don't think that Dan has set up the spec file to do this yet in %post.
So you have to manually create /etc/selinux/config at present.
/etc/sysconfig/selinux is obsolete with the newer libselinux and SysVinit.
/usr/bin/selinuxconfig will show what libselinux thinks are the active
policy paths.

> 2. My system was 'setup' to boot by default into 'disabled' mode. This
> caused a lot of problems with unlabeled files, directories, etc.

I think that this will eventually be covered by changing the spec file to
create /etc/selinux/config if it does not already exist. Dan?

> 3. I had to 'yum remove setools'. Did this cause my booting or other
> problems?

No, I don't think it created any of the problems you experienced. But
setools will need to be updated to use the new libselinux functions, and
rebuilt.

> 4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to
> /etc/sysconfig/selinux and to /etc/selinux/config. Are both
> needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...

SELINUXTYPE is correct. There was a bug in the spec file that was using
POLICYTYPE; that should be changed if it hasn't already.

> 5. I manually copied /etc/selinux/conf from /etc/sysconfig/selinux. Does
> that provide the correct info/format?

Yes, except that you need to add a SELINUXTYPE=strict (or targeted) to it,
and it is named /etc/selinux/config. You also need to relabel after
updating the policy to get /etc/selinux into the right types. Odds of
successfully making this transition in enforcing mode are slim, I suspect.

--
Stephen Smalley
National Security Agency
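The two replies above pin down what /etc/selinux/config has to contain (a SELINUX= line carried over from /etc/sysconfig/selinux plus a SELINUXTYPE= line) and where the binary policy is loaded from (the make reload earlier in the digest runs load_policy on /etc/selinux/<type>/policy/policy.<version> with the version read from /selinux/policyvers). Here is an added example, not code from the thread and not libselinux or the selinuxconfig tool, that parses the file, flags the problems discussed in this thread (missing SELINUXTYPE, the obsolete POLICYTYPE spelling, an invalid mode) and derives that policy path. The sample config is constructed; the checks and the path construction are this example's own.

```python
"""Parse /etc/selinux/config and derive the active binary policy path the
way this thread describes it.  Added example; not libselinux and not the
selinuxconfig tool."""
import os

VALID_MODES = ("enforcing", "permissive", "disabled")

# A constructed config of the shape the replies say must be created by hand.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=strict
"""


def parse_selinux_config(text):
    """Return {KEY: value} for KEY=VALUE lines; comments and blanks ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.upper()] = value.strip("'\"")
    return settings


def check_config(settings):
    """List the problems a practitioner would want flagged before rebooting."""
    problems = []
    mode = settings.get("SELINUX")
    if mode is None:
        problems.append("SELINUX= is missing (carry the line over from /etc/sysconfig/selinux)")
    elif mode.lower() not in VALID_MODES:
        problems.append("SELINUX=%s is not one of %s" % (mode, "/".join(VALID_MODES)))
    if "SELINUXTYPE" not in settings:
        problems.append("SELINUXTYPE= is missing; the active policy (strict/targeted) cannot be located")
    if "POLICYTYPE" in settings:
        problems.append("POLICYTYPE= is the obsolete spelling from the old spec file; use SELINUXTYPE=")
    return problems


def binary_policy_path(settings, policyvers, root="/etc/selinux"):
    """Where 'make reload' loads from: <root>/<SELINUXTYPE>/policy/policy.<vers>."""
    return os.path.join(root, settings["SELINUXTYPE"], "policy", "policy.%d" % policyvers)


def read_policyvers(path="/selinux/policyvers"):
    """Highest policy version the running kernel accepts; None when selinuxfs
    is not mounted at that path (the thread's kernels mount it at /selinux,
    current ones at /sys/fs/selinux)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    try:
        with open("/etc/selinux/config") as fh:
            settings = parse_selinux_config(fh.read())
    except OSError:
        print("no /etc/selinux/config; using the constructed sample")
        settings = parse_selinux_config(SAMPLE_CONFIG)
    for problem in check_config(settings):
        print("problem:", problem)
    vers = read_policyvers() or read_policyvers("/sys/fs/selinux/policyvers")
    if vers is None:
        print("selinuxfs not mounted; assuming version 17 as in the thread")
        vers = 17
    if "SELINUXTYPE" in settings:
        path = binary_policy_path(settings, vers)
        print("policy file:", path, "(exists)" if os.path.exists(path) else "(missing)")
```

Running it on a host without SELinux falls back to the constructed sample and reports the path it would load; on a live host the existence check is the quick way to confirm that the tree named by SELINUXTYPE actually holds a policy for the kernel's version before switching to enforcing mode.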
From selinux at comcast.net Wed Jun 2 17:55:14 2004
From: selinux at comcast.net (Tom London)
Date: Wed, 02 Jun 2004 10:55:14 -0700
Subject: New policies installed. Minor problem & change(?)
Message-ID: <40BE1482.40201@comcast.net>

I've installed the latest selinux-policy-strict-1.13.2-4 stuff (along
with -sources, libselinux*, etc. dependencies via 'yum update') with
system running selinux-policy-strict-1.13.2-2/enforcing.

A few 'minor' items noted:

1). The install produced protection/access messages when attempting to
write/create /etc/selinux/strict/policy/policy.17 (the usual 'creating in
.rpmnew' thing). Did this once for selinux-policy-strict and once for
selinux-policy-strict-sources. (I had just completed a 'fixfiles relabel'
with selinux-policy-strict-1.13.2-2, so I'm confident that the /etc/selinux
directory was properly labeled.)

I then did a manual 'mv policy.17 policy.17.rpmsave; mv policy.17.rpmnew
policy.17', rebooted single-user, and did a 'fixfiles relabel', and then
rebooted multi-user.

('fixfiles relabel/check' now fails if run in enforcing mode ('Permission
denied' for file_contexts). Works if you 'setenforce 0' first. Did I miss a
change?)

2). Also, there now is a complete absence of 'avc' messages in
/var/log/messages. Is this expected?

3). I checked the scripts on the policy rpms and it looks like the
reference to 'POLICYTYPE' is gone (replaced with 'SELINUXTYPE'). Is it
safe to remove the 'POLICYTYPE=strict' line from /etc/sysconfig/selinux
and from /etc/selinux/config? Can I safely remove one file?

Thanks for the updates!

tom
From parklee_fcsel at yahoo.com Wed Jun 2 18:55:30 2004
From: parklee_fcsel at yahoo.com (park lee)
Date: Wed, 2 Jun 2004 11:55:30 -0700 (PDT)
Subject: How to make SELinux in Fedora work?
Message-ID: <20040602185530.39446.qmail@web90110.mail.scd.yahoo.com>

On Thu, 27 May 2004 08:16:03 Stephen Smalley wrote:
>If you didn't enable SELinux at install time,
>then you'll need to install a policy
>(yum install policy policy-sources), create or edit
>/etc/sysconfig/selinux and set SELINUX=permissive in it,
> and relabel your filesystems (via fixfiles relabel).
>Once you get your filesystems labeled and have verified
>that you can boot without avc denials in your logs,
>you can set SELINUX=enforcing in /etc/sysconfig/selinux.

I really didn't enable SELinux at install time. Then, I had a try to enable
SELinux on my FC2 according to what you said.

On my FC2, there was no policy-sources RPM package installed by default.
Then I wanted to install the package, but there was something wrong when I
was using 'yum install policy-sources'. Below is what came on my screen:

[root at localhost RPMS]# yum install policy-sources
Gathering header information file(s) from server(s)
Server: Fedora Core 2 - i386 - Base
retrygrab() failed for:
http://download.fedora.redhat.com/pub/fedora/linux/core/2/i386/os/headers/header.info
Executing failover method
failover: out of servers to try
Error getting file
http://download.fedora.redhat.com/pub/fedora/linux/core/2/i386/os/headers/header.info
[Errno 4] IOError:

I wonder what's wrong? And here, can I use 'rpm -Uvh' to install the
package instead of using 'yum install policy-sources'?

And there is another question:
In 'Fedora Core 2 SELinux FAQ', it said:

Q:. How do I temporarily turn off enforcing mode without having to reboot?
A:. This situation usually arises when you can't perform an action that is
being prevented by policy. Run the command setenforce 0 to turn off
enforcing mode in real time. When you are finished, run setenforce 1 to
turn enforcing back on

Then, my question is: can we still run 'echo 1 > /selinux/enforce' to
switch into enforcing mode, and switch back to permissive mode with
'echo 0 > /selinux/enforce'?

Thank you very much!

Sincerely yours,
Park Lee
2004-06-03
From kmacmillan at tresys.com Wed Jun 2 19:32:35 2004
From: kmacmillan at tresys.com (Karl MacMillan)
Date: Wed, 2 Jun 2004 15:32:35 -0400
Subject: [ANNOUNCE] Setools version 1.4 released
Message-ID: <200406021932.i52JWCSf003064@gotham.columbia.tresys.com>

Tresys Setools version 1.4 has been released. It is available from the
SELinux sourceforge cvs repository and the Tresys webpage:

http://www.tresys.com/selinux/

This release includes several new features including:

- Support for binary policies in addition to source policies in libapol.
  This allows almost all of the tools, including Apol, Seaudit, sesearch,
  and seinfo, to work with a binary policy. This is especially important
  as more SELinux systems are deployed without a full policy source tree.
- GUI updates to Apol and Seaudit to correctly support binary policies.
- Seaudit, sesearch, and seinfo will now load a binary policy by default
  if no source policy is found.
- Numerous bug fixes and policy updates for Seuser allowing it to run
  correctly under Fedora Core 2.
- The installation of policy and labeling of files has been removed from
  the 'make install' target in order to support systems with policies that
  are significantly different from the default NSA policy. The new target
  'make install-policy' will install the Setools policy files and label
  the applications and configuration files.
- Seinfo now supports conditional policies.
- The results tabs in Apol can now be renamed by the user to make them
  easier to distinguish when many tabs are open simultaneously.

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134
From: kmacmillan at tresys.com (Karl MacMillan)
Date: Wed, 2 Jun 2004 16:33:19 -0400
Subject: Summary of Informal SELinux Meeting on May 6, 2004
Message-ID: <200406022032.i52KWuSf003348@gotham.columbia.tresys.com>

An informal meeting of SELinux developers was held on May 6, 2004 at Tresys Technology in Columbia, Maryland. Below are some notes from that meeting.

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134

Summary of Informal SELinux Meeting
Columbia, Maryland, USA, 6 May, 2004

An informal meeting involving a group of some of the key contributors to the development of SELinux was held on May 6, 2004, at Tresys Technology, in Columbia, Maryland, USA. A small gathering was initially prompted by Russell Coker's visit to the Washington, D.C. area, but evolved into a larger informal meeting. The purpose of the meeting was to have informal, real-time discussions about the current status, challenges, and future of SELinux.

ATTENDANCE

Joshua Brindle        Hardened Gentoo
David Caplan          Tresys Technology
Jim Carter            National Security Agency
Russell Coker         Red Hat
James Griffin
Howard Holm           National Security Agency
Jeff Johnson          Red Hat
Peter Loscocco        National Security Agency
Karl MacMillan        Tresys Technology
Frank Mayer           Tresys Technology
Stephen Smalley       National Security Agency
Eamon Walsh           National Security Agency

Via conference call:
James Morris          Red Hat
Dan Walsh             Red Hat

WORKSHOP

There was discussion of whether there was a need for establishing a regular forum, similar in nature to this meeting, aimed at examining the state of SELinux development. Specific issues discussed included the target audience, duration, scheduling, and potential sponsorship of the meetings. Tresys volunteered to organize an initial meeting in the Baltimore/Washington area some time in the fall. It was assumed that this area would accommodate the largest likely user participation.
Additionally, there was some discussion as to whether the audience should be limited to core developers or extend to a more general population. The consensus was to model it after the Ottawa Linux kernel conference, which involves an initial meeting of core contributors followed by a more general symposium. The possibility of adding tutorials to this structure was also discussed. Finally, corporate sponsorship and government participation will be investigated.

FEDORA CORE

A brief update on the status of SELinux and Fedora Core 2 was given. The need for transparency and limited user interaction with SELinux was mentioned as a motivating requirement for much of the work that Red Hat has done. The discussion quickly branched off into details about the policy and policy management as Russell mentioned specific challenges Red Hat had encountered with their integration of SELinux.

POLICY

The current state of the public "default" policies was discussed. The set of default policies includes the original example base policy distributed by the NSA, the Fedora core policy, and the recently released targeted (or relaxed) policy. The new targeted policy was written with the aim of isolating a limited set of services or daemons and allowing the rest of the system to be relatively unaffected by the SELinux policy. The purpose of this is to provide an example policy that the general Linux population will be comfortable with (i.e., one that will minimally interfere with their accustomed operations) yet would show how SELinux can provide a level of protection from a service that at some time may be compromised. It makes the initial policy easier to analyze and provides groundwork for slowly introducing increased protection from the policy. Providing the targeted policy as the default might help SELinux gain acceptance, but it is not without potential drawbacks.
A possible con to this strategy is that it may make application developers less likely to alter their software to work with SELinux or, where appropriate, be aware of SELinux. This goes against the strong objective to have application developers accept and integrate SELinux controls. Additionally, the targeted policy makes only limited use of the user and role features of SELinux because all users are placed in the same context. It is not clear whether this exposes an area of the policy language that needs additional thought.

The desirability of modifying applications to be SELinux aware was discussed. A goal of SELinux is to allow the use of unmodified applications. Certain core system utilities need to be modified to be aware of SELinux (init for example), but in general it is possible to create policies that work with unmodified applications. There was a general consensus that the requirement to modify applications has been a limiting factor to the acceptance of other operating systems with mandatory access controls. This does not mean, however, that it is not desirable to make SELinux specific modifications to certain trusted system services.

One example that was mentioned is that it is difficult to create optimal policies for certain types of applications. In particular, the Samba daemon needs the ability to access files with a wide variety of labels in order to service the requests of different users. It is desirable, however, to have SELinux limit the types of files that Samba will access on behalf of a specific user. The standard practices for handling this situation, like executing a separate Samba daemon for each user, will not work in this circumstance because of some details of the SMB/CIFS protocol. It was argued that Samba is a trusted application and it would be appropriate, therefore, to allow it to enforce SELinux access decisions by becoming a user-space object manager.
See the "Policy Management" and "Security Enhanced X Status" sections for more details about user-space object managers.

The conditional policy features were briefly discussed. It was suggested the conditional policy features could be used to grant privileges to daemons only on startup, similar to a setuid application dropping capabilities. Using the fine-grained labeling of the boolean files in the selinuxfs it is possible for an application to remove access privileges (through setting a boolean) and not have sufficient access privileges to turn them on again.

The policy discussion ended with a consensus that it is a mistake to try to overreach on our goals (and likely come up short) on the initial versions of SELinux policies for mainstream users; instead, the initial goal should be to manage expectations of the general community to gain acceptance of type enforcement a little bit at a time.

POLICY MANAGEMENT

There was a lengthy discussion on how best to manage policy and the associated file context information. It was clear from the discussion that this is an area that has many unsolved challenges. Though no definitive solutions were determined, several motivating requirements emerged from the discussion and are detailed below.

Local customizations

One of the issues that has arisen as part of the Fedora Core 2 development process is how to handle local customizations to the policy on upgrade. Currently, user modified changes are overwritten by RPM on upgrade of the policy unless they are marked noreplace in the rpm spec file (tunables.te for example). Users must manually merge the changes from the update for files marked noreplace that had local customizations. All of the other customizations to the policy are lost on update. Gentoo handles this problem by presenting the user with diffs for all changes to files in /etc. The general consensus was that this is not an appropriate solution for the target audience of Fedora Core, but no other solution emerged.
RPM Integration

There was a lengthy discussion of integration with RPM. RPM is seen as a primary delivery mechanism for policy and file labels. Currently, RPM can record a single label for each file in the package and sets that label at installation time. The policy for each application is not contained with the package that provides that application. Instead, the entire policy is contained in a single RPM. After the previous discussions on default policies, it was clear that RPM needs to support multiple policies and that a single label per file is not sufficient. Several people suggested that modifying RPM to support multiple labels per file would solve this problem. Concerns were voiced about placing multiple labels in each package, however. It was argued that this would enlarge the package size, perhaps substantially, without solving the underlying problem of supporting multiple, arbitrary policies.

This problem has some similarities to translation strings in that a potentially large number of translations needs to be provided for each package, they are not necessarily known at package creation time, and it is desirable to upgrade the translations without changing the packages. The translations are supported by allowing RPM to query an external translation database at installation time. There was a consensus that a similar scheme should be adopted by RPM for file labels.

Policy Packaging and Dependencies

There was some discussion about the way policy is currently associated with packages and how the dependency issues are solved. Fedora Core 2 provides a single package with the entire policy for the system. Hardened Gentoo provides a separate package for the policy for each application. The policy packages are automatically installed by marking them as dependencies of the application packages.
The Gentoo package management system has a complex infrastructure for optional dependencies to allow the installation of different dependent packages based on user settings or system properties (architecture for example). These optional dependencies allow for considerable flexibility when managing SELinux policy packages.

Binary Policy Modules

The current work by Tresys on developing binary policy modules was discussed. This will allow for the management of policies without source, provide infrastructure and language support for specifying and tracking dependencies, and optionally manage file labeling on the installation and removal of policy modules. Some of the expected benefits of this work would be the looser coupling between portions of the policy and simplified policy management. For example, adding a user to the policy currently requires a full policy development environment including the source for the entire policy. The binary policy modules would allow the addition of a user without source or policy development tools.

The desire to protect certain applications by creating a separate domain for each user domain in a system was brought up. This is currently accomplished using macros that will be unavailable in the binary policy modules. It was suggested that this could be solved using inheritance. It was agreed to investigate these additional policy language semantics.

User-space Object Managers

The need for better support of user-space object managers was discussed (see "Security Enhanced X Status" for more discussion). In particular, it was suggested that it is desirable to provide a mechanism that allows the policy for user-space object managers to be selectively separated from each other and the kernel policy. This is access control for policy modification and can be implemented through namespace separation and creating an object abstraction of the policy.
Tresys stated that they are starting a research project on this topic which will result in a user-mode policy server based on the binary policy module work.

SECURITY ENHANCED X STATUS

A summary of the work done by the NSA to adapt user space SELinux type controls to X windows was presented. This work involved two main tasks: creating a user-space access vector cache and implementing the object classes and access control within X. The user-space access vector cache has been completed and is available as part of the standard NSA distribution. The implementation is a port of the kernel access vector cache and includes support for flushing on policy reload. The user-space cache is notified of the policy reloads through a netlink socket. The changes required to implement access control for X include the creation of eleven new object classes and modifications to the X server. The new object classes closely mirror those described in the technical report "Securing The X Window System With SELinux" by NAI labs. It was reported that the X developers are enthusiastic about the SELinux work and have accepted the changes to the X server in a branch of the upstream CVS repository. See http://www.x.org for more information.

NFS

A report on the progress of integrating SELinux mechanisms into NFS version 3 by the NSA was given. The current implementation was described as relatively simple and experimental. In particular, the implementation does not address many issues and has several assumptions including:

* the underlying security problems with NFS are not addressed,
* a secure network is assumed,
* the client and server must both have the same policy,
* and the issues with revocation caused by NFS caching are not addressed.

Despite these issues, it is possible to have SELinux access control enforced on NFS mounted file systems.
This is done by extending the NFS protocol to handle extended attributes so that a client can retrieve the labels of files of NFS file systems and extending the client to enforce access based on those labels. Additionally, mount options were added to specify that these features should be used. The current implementation is for NFS version 3, but it is expected that in the future work will be done on NFS version 4. It is not clear whether the NFS version 3 implementation will be acceptable upstream, but it is hoped that the future work on NFS version 4 will be. The NFS version 3 patches are available from the NSA website (http://www.nsa.gov/selinux). Finally, it was mentioned that the NFS work has exposed several bugs related to the labeling of sockets created by the kernel. Patches for these problems exist and were merged into the 2.6.6 kernel.

TRAINING AND DOCUMENTATION

It was reported that there has recently been a large amount of new interest expressed from both the corporate and government side for training. Tresys is in the process of refreshing their SELinux course material and will be offering a new set of classes shortly. The NSA is also working on updating past reference papers to reflect the more recent generation of SELinux.

ASSURANCE

Assurance was mentioned several times throughout the symposium. No SELinux system has currently been Common Criteria evaluated at any EAL level, though it is expected that one of the distributions that is currently seeking certification will have a system certified that includes SELinux. SELinux cannot be evaluated separately; only a complete system can be evaluated.

BUSINESS CASE FOR SELINUX

There was a discussion of strategies for making a case for the use of SELinux to decision makers in organizations. It was argued that making the case to managers can be different than making a case to front-line technical people.
It was suggested that the fundamental question that needs to be answered for managers is how the technology solves an important problem that they have.

From maillist at wolke7.net Wed Jun 2 22:46:42 2004
From: maillist at wolke7.net (maillist at wolke7.net)
Date: Thu, 3 Jun 2004 00:46:42 +0200 (MEST)
Subject: Kernel 2.4 on fc2 with selinux?
Message-ID: <884.1086216402@www13.gmx.net>

Hi,

Because of the lack of sys_call_table in kernel 2.6 and other things, I must "downgrade" the kernel on fc2 from 2.6 to 2.4, but selinux should still work.

Are there steps of particular importance to be taken?

Should I prefer the clean kernel from kernel.org, or one from fc1 (which one? src.rpm's?)?

Is the NSA patch and the clean kernel enough (http://www.nsa.gov/selinux/code/download3.cfm), or must any|all of the fc1 patches be applied to work properly?

TIA
Marco

From wbrower at ll.mit.edu Wed Jun 2 23:09:49 2004
From: wbrower at ll.mit.edu (William Brower)
Date: Thu, 03 Jun 2004 11:09:49 +1200
Subject: Guidance using pam_passwdqc module and Army Regulation 25-2
Message-ID: <40BE5E3D.2020605@ll.mit.edu>

Can anyone provide guidance concerning how to integrate the pam_passwdqc module with FC1 or FC2? I'll admit to not being a PAM expert, but I have RTFM, but still no luck.

Some details:

1) pam_passwdqc can be found here: http://www.openwall.com/passwdqc/
I downloaded and installed the module - things went cleanly and the module was installed in /lib/security/pam_passwdqc.so

2) I tried modifying /etc/pam.d/system-auth to look like this (I know there is a warning about file autogeneration, but frankly, the /etc/pam.d/passwd file seems to direct all real action to this file - should I just modify the /etc/pam.d/passwd file instead??)

OLD:
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

NEW:
#password   required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    required      /lib/security/$ISA/pam_passwdqc.so
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_first_pass md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

Please ignore possible line-wrap on "md5 shadow" lines above.

The above fails with:

[testuser at sloth testuser]$ passwd
Changing password for user testuser.
passwd: Authentication token manipulation error

Here is my goal. Maybe I can reach it another way entirely: I'm trying to see if I can't make FCx automatically compliant with a new Army regulation (AR25-2) which provides specific password guidance, including the number of required characters from each character set (lower case, upper-case, numbers, punctuation), password length, etc.
The regulation can be found here (see section 4-12: Password control):

XML: http://docs.usapa.belvoir.army.mil/jw2/xmldemo/r25_2/cover.asp
PDF: http://www.usapa.army.mil/pdffiles/r25_2.pdf

In a nutshell, the relevant parts are:

> e. Generate passwords as follows:
>
> (1) The minimum requirement is a 10-character case-sensitive password.
> Passwords or phrases longer than 10 characters are recommended when
> supported by the IS. Password expiration will be not more than 150
> days.
>
> (2) The password will be a mix of uppercase letters, lowercase letters,
> numbers, and special characters, including at least two of each of the
> four types of characters (for example, x$TloTBn2!) and can be user
> generated.
>
> (3) Enforce password policy through implementation or enhancement of
> native security mechanisms.
>
> (4) Passwords will not include such references as social security
> numbers (SSNs), birthdays, USERIDs, names, slang, military acronyms,
> call signs, dictionary words, consecutive or repetitive characters,
> system identification, or names; neither will they be easy to guess
> (for example, mypassword, abcde12345).
>
> (5) Password history configurations will prevent reutilization of the
> last 10 passwords when technically possible.

Any help you can offer would be appreciated.

Finally, would FC consider adding this module? I think a few distros have done this. Having an out-of-box AR25-2 compliant system would be pretty great from the Army's point of view!

Thanks!
Bill

--
William Brower
MIT Lincoln Laboratory
Reagan Test Site, Kwajalein, Marshall Islands
p: 805.355.1310
f: 805.355.1701

From parklee_fcsel at yahoo.com Thu Jun 3 03:38:31 2004
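As an added example (not from the thread, the regulation, or pam_passwdqc), the AR 25-2 rules quoted in Bill's post expressed as a small Python checker. Note that pam_passwdqc's min= setting rates a password by how many character classes it uses rather than by characters per class, so the "two of each" rule has no direct equivalent there; in this example the history is kept as salted SHA-256 hashes (a simplification of the PAM password-history mechanism) and "consecutive or repetitive characters" is interpreted as any three-in-a-row run, which is an assumption.

```python
"""Checker for the AR 25-2 section 4-12 password rules quoted above.

Added example, not part of the thread or of pam_passwdqc. Rules encoded:
length >= 10; at least two characters from each of four classes; no user ID
or listed words; no run of consecutive or repeated characters (assumed here to
mean three in a row); no reuse of the last ten passwords (salted SHA-256
history, a simplification).
"""
import hashlib
import os
import string

MIN_LENGTH = 10
MIN_PER_CLASS = 2
HISTORY_DEPTH = 10

CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def _bad_run(candidate, run_len=3):
    """True if any run_len adjacent characters are identical ("aaa") or
    sequential ("abc", "321"); run_len=3 is this example's interpretation."""
    for i in range(len(candidate) - run_len + 1):
        window = [ord(c) for c in candidate[i:i + run_len]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def hash_for_history(password, salt=None):
    """Salted SHA-256 entry ("salthex$digest") for the password history."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def _in_history(password, history):
    # Only the most recent HISTORY_DEPTH entries count, per rule (5).
    for entry in history[-HISTORY_DEPTH:]:
        salt_hex, _ = entry.split("$", 1)
        if hash_for_history(password, bytes.fromhex(salt_hex)) == entry:
            return True
    return False


def check_password(candidate, username="", forbidden_words=(), history=()):
    """Return the list of rule violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, members in CLASSES.items():
        if sum(c in members for c in candidate) < MIN_PER_CLASS:
            problems.append(f"fewer than {MIN_PER_CLASS} {name} characters")
    lowered = candidate.lower()
    for word in (username, *forbidden_words):
        if word and word.lower() in lowered:
            problems.append(f"contains forbidden string '{word}'")
    if _bad_run(candidate):
        problems.append("contains consecutive or repeated characters")
    if _in_history(candidate, list(history)):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the regulation's two counter-examples and a
    # made-up password that satisfies every rule above.
    for pw in ("mypassword", "abcde12345", "Kq7#Rm4!pz"):
        print(pw, "->", check_password(pw, username="testuser") or "OK")
```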
From: parklee_fcsel at yahoo.com (park lee)
Date: Wed, 2 Jun 2004 20:38:31 -0700 (PDT)
Subject: issue on 'fixfiles relabel'
Message-ID: <20040603033831.2915.qmail@web90106.mail.scd.yahoo.com>

Hi,

I found in 'Fedora Core 2 SELinux FAQ' there is one item:

"Fedora Core ships with a new script fixfiles which supports three options: check, restore, and relabel. This allows users to relabel the file system without having the policy-sources package installed."

But, if I don't install the policy-sources package, where is the file_contexts information that is used for relabelling?

From russell at coker.com.au Thu Jun 3 03:59:16 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 3 Jun 2004 13:59:16 +1000
Subject: fedora policy changes
In-Reply-To: <20040602162928.GA16294@balder>
References: <20040602162928.GA16294@balder>
Message-ID: <200406031359.16364.russell@coker.com.au>

On Thu, 3 Jun 2004 02:29, Chris Grier wrote:
> Hi, I'm using Fedora Core 2 with SELinux, and I was wondering if there
> is an official place to submit (possible) policy changes. I have run

Here is the best place.

> hda6 is the / partition, where the loopback file is (I'm using losetup
> to setup the loop, and dm-crypt to encrypt, which is then mounted as a
> user home directory)
>
> audit(1086192065.154:0): avc: denied { read } for pid=2844
> exe=/sbin/ldconfig name=libdevmapper.so.1.00 dev=hda6 ino=278879
> scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:usr_t
> tclass=file

What directory is libdevmapper.so.1.00 in?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Thu Jun 3 04:02:02 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 3 Jun 2004 14:02:02 +1000
Subject: Guidance using pam_passwdqc module and Army Regulation 25-2
In-Reply-To: <40BE5E3D.2020605@ll.mit.edu>
References: <40BE5E3D.2020605@ll.mit.edu>
Message-ID: <200406031402.02430.russell@coker.com.au>

On Thu, 3 Jun 2004 09:09, William Brower wrote:
> Can anyone provide guidance concerning how to integrate the pam_passwdqc
> module with FC1 or FC2 ? I'll admit to not being a PAM expert, but I
> have RTFM, but still no luck. Some details:
>
> 1) pam_passwdqc can be found here: http://www.openwall.com/passwdqc/
> I downloaded and installed the module - things went cleanly and the
> module was installed in /lib/security/pam_passwdqc.so

Why do you believe that this is a SE Linux issue? Are you getting any AVC messages when you try to change a password?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Thu Jun 3 04:06:10 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 3 Jun 2004 14:06:10 +1000
Subject: Kernel 2.4 on fc2 with selinux?
In-Reply-To: <884.1086216402@www13.gmx.net>
References: <884.1086216402@www13.gmx.net>
Message-ID: <200406031406.10361.russell@coker.com.au>

On Thu, 3 Jun 2004 08:46, maillist at wolke7.net wrote:
> because lacks of sys_call_table in kernel 2.6 and other
> I must "downgrade" kernel on fc2 from 2.6 to 2.4,
> but selinux should works furtheron.
>
> Are there steps of particular importance to be taken?
>
> Should I prefer the clean kernel from kernel.org,
> or one from fc1 ( which one? src.rpm's ?) ?

Red Hat has never released a 2.4.x kernel with SE Linux support and has no plans to ever do so.

If you want to use SE Linux on a 2.4.x kernel then you need to download the kernel source from kernel.org and patch it with EA/SECATTR patches and the LSM (SE Linux) patch.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From rhally at mindspring.com Thu Jun 3 07:31:25 2004
From: rhally at mindspring.com (Richard Hally)
Date: Thu, 03 Jun 2004 03:31:25 -0400
Subject: No avc denied messages
Message-ID: <40BED3CD.8050806@mindspring.com>

When running kernel 406 in both enforcing and permissive mode with the latest "strict" policy (1-13.2-3) there are no (absolutely none!) avc denied messages. The troubling thing is that there is at least one thing that works in permissive and fails in enforcing. The first thing I checked was postgresql. It starts in permissive and fails to start in enforcing and there are no avc denied messages in either case.

What could be the problem?

thanks for the help.
Richard Hally

From ivg2 at cornell.edu Thu Jun 3 08:08:32 2004
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Thu, 03 Jun 2004 02:08:32 -0600
Subject: No avc denied messages
In-Reply-To: <40BED3CD.8050806@mindspring.com>
References: <40BED3CD.8050806@mindspring.com>
Message-ID: <40BEDC80.9090902@cornell.edu>

Richard Hally wrote:
> When running kernel 406 in both enforcing and permissive mode with the
> latest "strict" policy(1-13.2-3) there are no (absolutely none!) avc
> denied messages. The troubling thing is that there is at least one thing
> that works in permissive and fails in enforcing. The first thing I
> checked was postgresql. It starts in permissive and fails to start in
> enforcing and there are no avc denied messages in either case.
> What could be the problem?
> thanks for the help.
> Richard Hally

The problem is that auditing's disabled. Why it's disabled I have no idea.

From tmolina at cablespeed.com Thu Jun 3 10:34:48 2004
From: tmolina at cablespeed.com (Thomas Molina)
Date: Thu, 3 Jun 2004 06:34:48 -0400 (EDT)
Subject: Installing the new policy
In-Reply-To: <1086193921.15871.69.camel@moss-spartans.epoch.ncsc.mil>
References: <1086193921.15871.69.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: 

On Wed, 2 Jun 2004, Stephen Smalley wrote:
> You need an updated libselinux, policycoreutils, and SysVinit in
> addition to selinux-policy-strict or selinux-policy-targeted. And you
> need to relabel to get the right types on the /etc/selinux tree.

Now I am confused. I did yum search selinux and got:

Available package: selinux-doc.noarch 0:1.10-1 from base matches with SELinux documentation
Available package: selinux-doc.noarch 0:1.10-1 from base matches with selinux-doc
Available package: policy-strict-sources.noarch 0:1.11.3-3 from base matches with SELinux example policy configuration source files
Available package: libselinux-devel.i386 0:1.11.4-1 from base matches with Header files and libraries used to build SELinux
Available package: libselinux-devel.i386 0:1.11.4-1 from base matches with libselinux-devel
5 results returned

There is a policy-strict-sources, but no selinux-policy-strict or selinux-policy-targeted. I don't have an /etc/selinux directory, and I don't have some of the other things you assume I should have. What I do have is:

[tmolina at dad tmolina]$ rpm -qa|grep selinux
libselinux-1.11.4-1
[tmolina at dad tmolina]$ rpm -qa|grep policy
policy-1.11.3-3
checkpolicy-1.10-1
policycoreutils-1.11-2
policy-sources-1.11.3-3

I also did a yum install policy\* as the other person did, so I am not sure what happened. Fedora Core 2 was inadvertently not installed with the recommended selinux, it was updated later and relabeled. Where are the referenced rpms? My system is stock in that regard and points at the default yum/up2date repositories.

Should I reinstall from scratch, or can I find and install the "right" stuff from this point?

From sds at epoch.ncsc.mil Thu Jun 3 12:24:08 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 03 Jun 2004 08:24:08 -0400
Subject: Installing the new policy
In-Reply-To: 
References: <1086193921.15871.69.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1086265448.17657.5.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-06-03 at 06:34, Thomas Molina wrote:
> I also did a yum install policy\* as the other person did, so I am not
> sure what happened. Fedora Core 2 was inadvertently not installed with
> the recommended selinux, it was updated later and relabeled. Where are
> the referenced rpms? My system is stock in that regard and points at the
> default yum/up2date repositories.
>
> Should I reinstall from scratch, or can I find and install the "right"
> stuff from this point?

The changes that are being discussed are occurring in the development tree, and are intended for inclusion in FC3. To obtain them, you need to uncomment the development entry in /etc/yum.conf (and preferably add some mirror sites too). But only do this if you truly want to experiment with the bleeding edge.

--
Stephen Smalley
National Security Agency

From tmolina at cablespeed.com Thu Jun 3 12:30:39 2004
From: tmolina at cablespeed.com (tmolina at cablespeed.com)
Date: Thu, 03 Jun 2004 07:30:39 -0500
Subject: Installing the new policy
In-Reply-To: <1086265448.17657.5.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: 

On Thu, 03 Jun 2004 08:24:08 -0400 Stephen Smalley wrote:
> The changes that are being discussed are occurring in the development
> tree, and are intended for inclusion in FC3. To obtain them, you need
> to uncomment the development entry in /etc/yum.conf (and preferably add
> some mirror sites too). But only do this if you truly want to
> experiment with the bleeding edge.

Thanks. The installation in question is my "stable" configuration. I believe I will wait for FC3 Test 1 and install that on my "test" setup, where I play with bleeding edge stuff.

From sds at epoch.ncsc.mil Thu Jun 3 13:00:19 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 03 Jun 2004 09:00:19 -0400
Subject: How to make SELinux in Fedora work?
In-Reply-To: <20040602185530.39446.qmail@web90110.mail.scd.yahoo.com>
References: <20040602185530.39446.qmail@web90110.mail.scd.yahoo.com>
Message-ID: <1086267619.17657.37.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-06-02 at 14:55, park lee wrote:
> [root at localhost RPMS]# yum install policy-sources
> Gathering header information file(s) from server(s)
> Server: Fedora Core 2 - i386 - Base
> retrygrab() failed for:
> http://download.fedora.redhat.com/pub/fedora/linux/core/2/i386/os/headers/header.info
> Executing failover method
> failover: out of servers to try
> Error getting file
> http://download.fedora.redhat.com/pub/fedora/linux/core/2/i386/os/headers/header.info
> [Errno 4] IOError:
> I wonder what's wrong? and here can I use 'rpm -Uvh' to install the
> package instead of using 'yum install policy-sources'.

Add some mirrors to /etc/yum.conf; look at http://fedora.redhat.com/download/mirrors.html and select several that are near you. For example, you might have:

[development]
name=Fedora Core $releasever - Development Tree
baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/development/$basearch/
        http://ftp.dulug.duke.edu/pub/fedora/linux/core/development/$basearch/
        ftp://ftp.dulug.duke.edu/pub/fedora/linux/core/development/$basearch/
        ftp://ftp.linux.ncsu.edu/pub/fedora/linux/core/development/$basearch/
        ftp://mirror.cs.princeton.edu/pub/mirrors/fedora/linux/core/development/$basearch/
        http://distro.ibiblio.org/pub/linux/distributions/fedora/linux/core/development/$basearch/

But replace the URLS with mirrors that are close to you.

> Then, my question is: "can we still run 'echo 1 > /selinux/enforce'
> program to switch into enforcing mode. and switch back to permissive
> mode with 'echo 0 > /selinux/enforce'.

Yes, setenforce is just a utility that does the same thing.
The advantage of using setenforce rather than directly writing to /selinux/enforce is that if we change the mount point for selinuxfs, setenforce will automatically pick up the new location (via libselinux).

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Thu Jun 3 13:07:14 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 03 Jun 2004 09:07:14 -0400
Subject: Kernel 2.4 on fc2 with selinux?
In-Reply-To: <884.1086216402@www13.gmx.net>
References: <884.1086216402@www13.gmx.net>
Message-ID: <1086268034.17657.44.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-06-02 at 18:46, maillist at wolke7.net wrote:
> because lacks of sys_call_table in kernel 2.6 and other
> I must "downgrade" kernel on fc2 from 2.6 to 2.4,
> but selinux should works furtheron.

If that is the only reason that you don't want to use 2.6, then you might want to reconsider. You can certainly discover the location of the system call table at module insertion time, but you should really consider rewriting your module to use a better technique.

> Is the nsa patch and the clean kernel enough
> (http://www.nsa.gov/selinux/code/download3.cfm),
> or any|all of the fc1 patches must be apply to works properly?

The NSA patch is relative to the ea+acl+nfsacl+sec patch from acl.bestbits.at, since SELinux now relies on extended attributes for file security contexts. Hence, you would first apply the EA patch and then apply the NSA patch. Not sure about the other kernel patches in the FC1 2.4 kernel.

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Thu Jun 3 13:11:08 2004
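Stephen's point above about setenforce, shown as an added shell example (not code from the thread or from libselinux): find the selinuxfs mount point by scanning the mount table for a filesystem of type "selinuxfs" instead of hard-coding /selinux, then read the mode from the "enforce" node under it. The mount table text is passed in as an argument so the functions can be exercised offline on constructed input.

```shell
# Added example: locate selinuxfs the way libselinux does (by filesystem type
# in the mount table), so a changed mount point is picked up automatically.

# Print the mount point of the first selinuxfs entry in $1, which holds text in
# /proc/mounts format ("device mountpoint fstype options dump pass" per line).
selinuxfs_mountpoint() {
    printf '%s\n' "$1" | awk '$3 == "selinuxfs" { print $2; exit }'
}

# Report the current mode by reading "<mountpoint>/enforce": "1" means
# enforcing, "0" permissive. Prints "disabled" when no selinuxfs is mounted
# or the node cannot be read (SELinux not active), "unknown" for other values.
selinux_mode() {
    mnt=$(selinuxfs_mountpoint "$1")
    if [ -z "$mnt" ] || [ ! -r "$mnt/enforce" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$mnt/enforce")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Stand-alone use on a live system: pass --live to read the real mount table.
if [ "${1:-}" = "--live" ]; then
    selinux_mode "$(cat /proc/mounts)"
fi
```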
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 03 Jun 2004 09:11:08 -0400
Subject: How to make SELinux in Fedora work?
In-Reply-To: <1086267619.17657.37.camel@moss-spartans.epoch.ncsc.mil>
References: <20040602185530.39446.qmail@web90110.mail.scd.yahoo.com> <1086267619.17657.37.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1086268268.17657.49.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-06-03 at 09:00, Stephen Smalley wrote:
> [development]
> name=Fedora Core $releasever - Development Tree
> baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/development/$basearch/
>         http://ftp.dulug.duke.edu/pub/fedora/linux/core/development/$basearch/
>         ftp://ftp.dulug.duke.edu/pub/fedora/linux/core/development/$basearch/
>         ftp://ftp.linux.ncsu.edu/pub/fedora/linux/core/development/$basearch/
>         ftp://mirror.cs.princeton.edu/pub/mirrors/fedora/linux/core/development/$basearch/
>         http://distro.ibiblio.org/pub/linux/distributions/fedora/linux/core/development/$basearch/
>
> But replace the URLs with mirrors that are close to you.

Oops, sorry - you don't want the above unless you want to follow the
development tree (i.e. the bleeding edge). You just want to add mirrors
to your base and updates-released entries in yum.conf. Same idea.

--
Stephen Smalley
National Security Agency

From parklee_fcsel at yahoo.com Thu Jun 3 13:18:53 2004
From: parklee_fcsel at yahoo.com (park lee)
Date: Thu, 3 Jun 2004 06:18:53 -0700 (PDT)
Subject: How to make SELinux in Fedora work?
Message-ID: <20040603131853.41042.qmail@web90109.mail.scd.yahoo.com>

Dear sir,

Thank you. I still want to ask: "can I use 'rpm -Uvh' to install the
policy-sources package instead of using the command 'yum install
policy-sources'"?

Respectfully yours,
Park Lee
2004-06-03

From Valdis.Kletnieks at vt.edu Thu Jun 3 06:41:55 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 03 Jun 2004 02:41:55 -0400
Subject: Runaway .* globs in file_contexts/types.fc (was Re: Installing the new policy)
In-Reply-To: Your message of "Wed, 02 Jun 2004 12:32:01 EDT." <1086193921.15871.69.camel@moss-spartans.epoch.ncsc.mil>
References: <1086193921.15871.69.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200406030641.i536ftc9013679@turing-police.cc.vt.edu>

-

From parklee_fcsel at yahoo.com Thu Jun 3 13:37:14 2004
From: parklee_fcsel at yahoo.com (park lee)
Date: Thu, 3 Jun 2004 06:37:14 -0700 (PDT)
Subject: Enabling SELinux (was Re: How to make SELinux in Fedora work?)
Message-ID: <20040603133714.88354.qmail@web90101.mail.scd.yahoo.com>

On Thu, 27 May 2004 11:07:33, Tom London wrote:
> Following the attached advice, here's what I did:
> 1. Modified /etc/sysconfig/selinux to have 'SELINUX=permissive'
> 2. Rebooted single-user and ran 'fixfiles relabel'
> 3. Rebooted multi-user

For the 2nd item, I want to ask why you must reboot in single-user?
Can't we run 'fixfiles relabel' directly?

Thank you
Park Lee
2004-06-03

From sds at epoch.ncsc.mil Thu Jun 3 13:37:46 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 03 Jun 2004 09:37:46 -0400
Subject: New policies installed. Minor problem & change(?)
In-Reply-To: <40BE1482.40201@comcast.net>
References: <40BE1482.40201@comcast.net>
Message-ID: <1086269866.17657.69.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-06-02 at 13:55, Tom London wrote:
> ('fixfiles relabel/check' now fails if run in enforcing mode
> ('Permission denied' for file_contexts). Works if you 'setenforce 0'
> first. Did I miss a change?)

No, this is a bug in the policy; setfiles_t needs
r_dir_file(setfiles_t, file_context_t).

> 2). Also, there now is a complete absence of 'avc' messages in
> /var/log/messages. Is this expected?

No. Auditing disabled in latest kernel for some reason.

> 3). I checked the scripts on the policy rpms and it looks like the
> reference to 'POLICYTYPE' is gone (replaced with 'SELINUXTYPE'). Is it
> safe to remove the 'POLICYTYPE=strict' line from /etc/sysconfig/selinux
> and from /etc/selinux/config? Can I safely remove one file?

Yes, and only /etc/selinux/config should be used now.

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Thu Jun 3 13:41:40 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 03 Jun 2004 09:41:40 -0400
Subject: How to make SELinux in Fedora work?
In-Reply-To: <20040603131853.41042.qmail@web90109.mail.scd.yahoo.com>
References: <20040603131853.41042.qmail@web90109.mail.scd.yahoo.com>
Message-ID: <1086270100.17657.74.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-06-03 at 09:18, park lee wrote:
> Dear sir,
> Thank you,
> I still want to ask: "can I use 'rpm -Uvh' to install the
> policy-sources package instead of using the command 'yum install
> policy-sources'"?

Yes, if you simply want to install the version that was included in the
FC2 release. But if you want the latest version, you'll use yum.

--
Stephen Smalley
National Security Agency

From russell at coker.com.au Thu Jun 3 13:59:27 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 3 Jun 2004 23:59:27 +1000
Subject: Runaway .* globs in file_contexts/types.fc (was Re: Installing the new policy)
In-Reply-To: <200406030641.i536ftc9013679@turing-police.cc.vt.edu>
References: <1086193921.15871.69.camel@moss-spartans.epoch.ncsc.mil> <200406030641.i536ftc9013679@turing-police.cc.vt.edu>
Message-ID: <200406032359.27489.russell@coker.com.au>

On Thu, 3 Jun 2004 16:41, Valdis.Kletnieks at vt.edu wrote:
> -

What globs are runaway?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From sds at epoch.ncsc.mil Thu Jun 3 14:29:17 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 03 Jun 2004 10:29:17 -0400
Subject: issue on 'fixfiles relabel'
In-Reply-To: <20040603033831.2915.qmail@web90106.mail.scd.yahoo.com>
References: <20040603033831.2915.qmail@web90106.mail.scd.yahoo.com>
Message-ID: <1086272957.17657.106.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-06-02 at 23:38, park lee wrote:
> I found in 'Fedora Core 2 SELinux FAQ', there is one item:
> "Fedora Core ships with a new script fixfiles which supports three
> options: check, restore, and relabel. This allows users to relabel the
> file system without having the policy-sources package installed."
>
> But, if I don't install the policy-sources package, where is the
> file_contexts information that is used for relabelling?

The policy package installs a copy of the file_contexts file to
/etc/security/selinux so that it is available for use by fixfiles,
setfiles, or restorecon even if policy sources is not available.

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Thu Jun 3 14:50:47 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 03 Jun 2004 10:50:47 -0400
Subject: Enabling SELinux (was Re: How to make SELinux in Fedora work?)
In-Reply-To: <20040603133714.88354.qmail@web90101.mail.scd.yahoo.com>
References: <20040603133714.88354.qmail@web90101.mail.scd.yahoo.com>
Message-ID: <1086274247.17657.126.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-06-03 at 09:37, park lee wrote:
> On Thu, 27 May 2004 11:07:33, Tom London wrote:
>
> > Following the attached advice, here's what I did:
> > 1. Modified /etc/sysconfig/selinux to have 'SELINUX=permissive'
> > 2. Rebooted single-user and ran 'fixfiles relabel'
> > 3. Rebooted multi-user
>
> For the 2nd item, I want to ask why you must reboot in single-user?
> Can't we run 'fixfiles relabel' directly?

It is generally safer to run it in single-user mode, both to ensure that
you don't have any stray processes still running in the wrong domain
(and thus creating files in the wrong types after the relabel) and to
avoid problems with the purging of /tmp performed by relabel (as that
will kill files on which windowing applications depend). fixfiles
restore avoids the purging of /tmp.

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Thu Jun 3 15:26:13 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 03 Jun 2004 11:26:13 -0400
Subject: No avc denied messages
In-Reply-To: <40BEDC80.9090902@cornell.edu>
References: <40BED3CD.8050806@mindspring.com> <40BEDC80.9090902@cornell.edu>
Message-ID: <1086276373.17657.144.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-06-03 at 04:08, Ivan Gyurdiev wrote:
> The problem is that auditing's disabled.
> Why it's disabled I have no idea.

It also appears that the default setting for selinux_enabled has changed
in this kernel, so that one has to explicitly specify selinux=1 to
enable SELinux. I doubt we want that kind of inconsistency with
upstream; the default should be the same to avoid user confusion.

--
Stephen Smalley
National Security Agency

From selinux at comcast.net Thu Jun 3 15:35:00 2004
From: selinux at comcast.net (Tom London)
Date: Thu, 03 Jun 2004 08:35:00 -0700
Subject: Enabling SELinux (was Re: How to make SELinux in Fedora work?)
In-Reply-To: <1086274247.17657.126.camel@moss-spartans.epoch.ncsc.mil>
References: <20040603133714.88354.qmail@web90101.mail.scd.yahoo.com> <1086274247.17657.126.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <40BF4524.6070109@comcast.net>

Yes. I had a few 'hang ups' when running fixfiles in multi-user mode.
Also, some processes may be left running if you go to single-user via
'telinit 1'.

tom

Stephen Smalley wrote:
> On Thu, 2004-06-03 at 09:37, park lee wrote:
>> On Thu, 27 May 2004 11:07:33, Tom London wrote:
>>> Following the attached advice, here's what I did:
>>> 1. Modified /etc/sysconfig/selinux to have 'SELINUX=permissive'
>>> 2. Rebooted single-user and ran 'fixfiles relabel'
>>> 3. Rebooted multi-user
>>
>> For the 2nd item, I want to ask why you must reboot in single-user?
>> Can't we run 'fixfiles relabel' directly?
>
> It is generally safer to run it in single-user mode, both to ensure that
> you don't have any stray processes still running in the wrong domain
> (and thus creating files in the wrong types after the relabel) and to
> avoid problems with the purging of /tmp performed by relabel (as that
> will kill files on which windowing applications depend). fixfiles
> restore avoids the purging of /tmp.

From igor at datanaut.com Thu Jun 3 15:43:42 2004
From: igor at datanaut.com (Igor Borisovsky)
Date: Thu, 3 Jun 2004 19:43:42 +0400
Subject: Access to the postgresql data files
Message-ID: <200406031544.i53FigG2003180@datanaut.com>

Hi.

I have a question about selinux policy configuration for FC2.
I need to forbid access to the postgresql data files from user root.
I guess I have to create a certain type for postgresql. Let's name this
type pgsql. Thus I have something like that:

[root at selinux pgsql]# pwd
/var/lib/pgsql
[root at selinux pgsql]# ls -aZ
drwx------+  postgres postgres postgres:object_r:pgsql_home_dir_t .
drwxr-xr-x   root     root     system_u:object_r:var_lib_t        ..
drwx------   postgres postgres postgres:object_r:pgsql_home_dir_t backups
-rw-------   postgres postgres postgres:object_r:pgsql_home_t     .bash_history
-rw-r--r--   postgres postgres postgres:object_r:pgsql_home_t     .bash_profile
drwx------   postgres postgres postgres:object_r:pgsql_home_dir_t data
-rw-r--r--   postgres postgres postgres:object_r:pgsql_home_t     initdb.i18n
drwxr-xr-x+  postgres postgres postgres:object_r:pgsql_home_t     .mc
[root at selinux pgsql]#

So far user root within the sysadm_r role has access to the postgresql
data files. I guess I need to find and revoke this permission from the
sysadm_r role. After looking at the policy.conf file I can't understand
this.

So how can I prevent access to postgresql data files from user root?

Thanks.

From parklee_fcsel at yahoo.com Thu Jun 3 16:29:48 2004
From: parklee_fcsel at yahoo.com (Park Lee)
Date: Thu, 3 Jun 2004 09:29:48 -0700 (PDT)
Subject: Enabling SELinux (was Re: How to make SELinux in Fedora work?)
Message-ID: <20040603162948.54369.qmail@web90106.mail.scd.yahoo.com>

Dear sir,

Now, I know the reason to run 'fixfiles relabel' in single-user mode.

Let's look at the 3 steps again:

1. Modified /etc/sysconfig/selinux to have 'SELINUX=permissive'
2. Rebooted single-user and ran 'fixfiles relabel'
3. Rebooted multi-user

Can I take the steps in the following order:

1. Rebooted single-user and ran 'fixfiles relabel'
2. Rebooted multi-user
3. Modified /etc/sysconfig/selinux to have 'SELINUX=permissive'
4. Rebooted multi-user

That is, can we first 'fixfiles relabel' in a non-SELinux kernel and
then turn into the SELinux kernel? Is it safe?

Respectfully yours,
Park Lee
2004-06-03

From dwalsh at redhat.com Thu Jun 3 16:42:35 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 03 Jun 2004 12:42:35 -0400
Subject: Enabling SELinux (was Re: How to make SELinux in Fedora work?)
In-Reply-To: <20040603162948.54369.qmail@web90106.mail.scd.yahoo.com>
References: <20040603162948.54369.qmail@web90106.mail.scd.yahoo.com>
Message-ID: <40BF54FB.7050605@redhat.com>

Park Lee wrote:
> Dear sir,
>
> Now, I know the reason to run 'fixfiles relabel' in single-user mode.
>
> Let's look at the 3 steps again:
>
> 1. Modified /etc/sysconfig/selinux to have 'SELINUX=permissive'
> 2. Rebooted single-user and ran 'fixfiles relabel'
> 3. Rebooted multi-user
>
> Can I take the steps in the following order:
>
> 1. Rebooted single-user and ran 'fixfiles relabel'
> 2. Rebooted multi-user
> 3. Modified /etc/sysconfig/selinux to have 'SELINUX=permissive'
> 4. Rebooted multi-user
>
> That is, can we first 'fixfiles relabel' in a non-SELinux kernel and
> then turn into the SELinux kernel? Is it safe?

No, relabel will not work in a non-SELinux kernel.

> Respectfully yours,
>
> Park Lee
>
> 2004-06-03
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From parklee_fcsel at yahoo.com Thu Jun 3 17:11:46 2004
From: parklee_fcsel at yahoo.com (Park Lee)
Date: Thu, 3 Jun 2004 10:11:46 -0700 (PDT)
Subject: Enabling SELinux (was Re: How to make SELinux in Fedora work?)
Message-ID: <20040603171146.10289.qmail@web90108.mail.scd.yahoo.com>

On Thu, 03 Jun 2004 12:42:35, Daniel J Walsh wrote:
> No, relabel will not work in a non-SELinux kernel.

But there are 2 items in The UnOfficial SELinux FAQ
(http://www.crypt.gen.nz/selinux/faq.html):

  I upgraded my SELinux kernel to a new version and now I get lots of
  errors on booting, what went wrong?

  Bad things happen if you upgrade your kernel to a newer version which
  has an incompatible policy with the previous version. You probably
  forgot to install the policy and/or relabel the filesystems before
  booting the new version. Boot your system from a non-SELinux kernel
  and go back and do these things.

  If one of those messages is "login[1007]: UNABLE TO GET VALID SID FOR
  root"

  The SID table is mangled. Try logging in using a different method
  (such as connecting over SSH), otherwise you will need to recover by
  booting a non-SELinux kernel, then relabel the filesystem and reload
  the policy (make reset and make load).

Then, what do those mean? Do they mean that relabel can work in a
non-SELinux kernel?

yours,
Park Lee
2004-06-03

From sds at epoch.ncsc.mil Thu Jun 3 18:54:54 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 03 Jun 2004 14:54:54 -0400
Subject: Enabling SELinux (was Re: How to make SELinux in Fedora work?)
In-Reply-To: <20040603162948.54369.qmail@web90106.mail.scd.yahoo.com>
References: <20040603162948.54369.qmail@web90106.mail.scd.yahoo.com>
Message-ID: <1086288894.19025.9.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-06-03 at 12:29, Park Lee wrote:
> That is, can we first 'fixfiles relabel' in a non-SELinux kernel and
> then turn into the SELinux kernel? Is it safe?

If the kernel has the requisite extended attribute handlers, then you
can set the SELinux attributes using that kernel, even if SELinux itself
is disabled. However, you may still end up with some files that lack
labels, e.g. if any files are created while the relabel is running
(after their directories have already been traversed) or after the
relabel has completed before the system reboots (including any files
created during shutdown). Hence, it is preferable to be running SELinux.

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Thu Jun 3 19:12:23 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 03 Jun 2004 15:12:23 -0400
Subject: Enabling SELinux (was Re: How to make SELinux in Fedora work?)
In-Reply-To: <20040603171146.10289.qmail@web90108.mail.scd.yahoo.com>
References: <20040603171146.10289.qmail@web90108.mail.scd.yahoo.com>
Message-ID: <1086289943.19025.24.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-06-03 at 13:11, Park Lee wrote:
> Then, what do those mean?
> Do they mean that relabel can work in a non-SELinux kernel?

I suspect that his unofficial FAQ is referring to situations where you
can no longer boot a SELinux kernel and need to perform emergency
recovery. In such a case, you could boot a non-SELinux kernel that has
the extended attribute handlers and relabel your filesystems to deal
with most files, although there is still the potential for some
unlabeled/mislabeled files as I mentioned due to file creation on that
kernel.

Also, those particular answers in his FAQ may have been based on the
older SELinux, before the move to using the Linux xattr support, where
you could relabel on any vanilla kernel since the labels were stored in
the persistent label mapping.

--
Stephen Smalley
National Security Agency

From lkcl at lkcl.net Thu Jun 3 19:57:38 2004
From: lkcl at lkcl.net (Luke Kenneth Casson Leighton)
Date: Thu, 3 Jun 2004 19:57:38 +0000
Subject: Summary of Informal SELinux Meeting on May 6, 2004
In-Reply-To: <200406022032.i52KWuSf003348@gotham.columbia.tresys.com>
References: <200406022032.i52KWuSf003348@gotham.columbia.tresys.com>
Message-ID: <20040603195738.GE3856@lkcl.net>

On Wed, Jun 02, 2004 at 04:33:19PM -0400, Karl MacMillan wrote:
> circumstance because of some details of the SMB/CIFS protocol. It was argued
> that Samba is a trusted application and it would be appropriate, therefore,
> to allow it to enforce SELinux access decisions by becoming a user-space
> object manager.

samba is not a single "entity".

samba consists of approximately twenty to twenty five separate services,
six or seven different network protocols, approximately FIVE different
authentication systems or authentication modes, the list goes on.

that, in samba(3) they are implemented in only two daemons is both
amazing and also, to be quite blunt, short-sighted.

at least in samba tng an effort was made to split out the DCE/RPC
services into separate programs (with intended and planned work - that
was shelved - to split out the Network Neighbourhood arena from the WINS
Server from the browsing services)

think of all of the services that NT has - NETLOGON, spool / printer,
registry, SAM database, Local Security Authority, CMDAT (capability to
run remote jobs), EventLog, WINS server, Browser Server to handle the
Network Neighbourhood, File server.

samba (at least, samba tng) has _all_ of these services, in incomplete
form, in the same way that Wine has some of the Win32 API.

i just want you to be aware of this before making any recommendations
that samba should be considered to be a "trusted application".

think of it this way.

if somebody decided to implement:

- lpd or cupsys
- an nfs user-space file server
- cron
- a dhcp server
- a dns server
- a syslog server
- KDE's DCOP server or Gnome's CORBA services

all in the same single monolithic daemon that bound itself to several
different ports and several different unix domain sockets, you wouldn't
seriously consider saying that "this hybrid is a trusted application"
would you?

l.

From grier at uiuc.edu Fri Jun 4 03:29:12 2004
From: grier at uiuc.edu (Chris Grier)
Date: Thu, 3 Jun 2004 22:29:12 -0500
Subject: fedora policy changes
In-Reply-To: <200406031359.16364.russell@coker.com.au>
References: <20040602162928.GA16294@balder> <200406031359.16364.russell@coker.com.au>
Message-ID: <20040604032912.GB19243@balder>

On Thu, Jun 03, 2004 at 01:59:16PM +1000, Russell Coker wrote:
> On Thu, 3 Jun 2004 02:29, Chris Grier wrote:
> > Hi, I'm using Fedora Core 2 with SELinux, and I was wondering if there
> > is an official place to submit (possible) policy changes. I have run
>
> Here is the best place.
>
> > hda6 is the / partition, where the loopback file is (I'm using losetup
> > to setup the loop, and dm-crypt to encrypt, which is then mounted as a
> > user home directory)
> >
> > audit(1086192065.154:0): avc: denied { read } for pid=2844
> > exe=/sbin/ldconfig name=libdevmapper.so.1.00 dev=hda6 ino=278879
> > scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:usr_t
> > tclass=file
>
> What directory is libdevmapper.so.1.00 in?

Symlinked into /usr/local/lib from
/usr/local/encap/device-mapper-1.00.17/lib

[chris at localhost chris]$ ls -laZd /usr/local/lib
drwxr-xr-x+  root root system_u:object_r:lib_t /usr/local/lib

So my next guess is that /usr/local/encap/* is not labeled correctly,
and this is generating the audits (it IS not labeled correctly). I
didn't think about this since /usr/local/lib is labeled correctly,
although the files that encap links in are not. Simple to add this to
the file contexts though. Thanks.

--
Chris Grier

From russell at coker.com.au Fri Jun 4 06:37:00 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 4 Jun 2004 16:37:00 +1000
Subject: Access to the postgresql data files
In-Reply-To: <200406031544.i53FigG2003180@datanaut.com>
References: <200406031544.i53FigG2003180@datanaut.com>
Message-ID: <200406041637.00701.russell@coker.com.au>

On Fri, 4 Jun 2004 01:43, "Igor Borisovsky" wrote:
> Hi.
> I have a question about selinux policy configuration for FC2.
> I need to forbid access to the postgresql data files from user root.
[...]
> I guess I need to find and revoke this permission from the sysadm_r role.
> After looking at the policy.conf file I can't understand this.
> So how can I prevent access to postgresql data files from user root?

The sysadm_t domain (the default domain for the sysadm_r role) has
access to almost everything on the system. sysadm_t can run fdisk,
useradd, vipw, etc. You can't realistically deny sysadm_t access to any
resource without significant changes to the entire policy (such things
have been discussed but are a long way from being implemented).

You can deny the root user the sysadm_r role to deny them such access
(but make sure you grant another user sysadm_r so that you can still
administer your system).

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Fri Jun 4 07:27:05 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 4 Jun 2004 17:27:05 +1000
Subject: fedora policy changes
In-Reply-To: <20040604032912.GB19243@balder>
References: <20040602162928.GA16294@balder> <200406031359.16364.russell@coker.com.au> <20040604032912.GB19243@balder>
Message-ID: <200406041727.05139.russell@coker.com.au>

On Fri, 4 Jun 2004 13:29, Chris Grier wrote:
> > What directory is libdevmapper.so.1.00 in?
>
> Symlinked into /usr/local/lib from
> /usr/local/encap/device-mapper-1.00.17/lib
>
> [chris at localhost chris]$ ls -laZd /usr/local/lib
> drwxr-xr-x+  root root system_u:object_r:lib_t /usr/local/lib
>
> So my next guess is that /usr/local/encap/* is not labeled correctly,
> and this is generating the audits (it IS not labeled correctly). I
> didn't think about this since /usr/local/lib is labeled correctly,
> although the files that encap links in are not. Simple to add this to
> the file contexts though. Thanks.

/usr/local is for non-package stuff. We have a few common directories
from /usr/local in the standard file contexts files for convenience.
But if you do anything serious under /usr/local you have to write your
own .fc entries.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Fri Jun 4 08:03:23 2004
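Chris Grier's mislabelled /usr/local/encap tree above, and Russell Coker's advice to write your own .fc entries for anything serious under /usr/local, as an added illustration in Python that is not code from the thread, from setfiles or from the Fedora policy: a minimal file_contexts matcher that shows why the encap library fell through to usr_t (the tcontext in Chris's avc message) and what an added entry changes, plus a fixfiles-check style comparison of an inventory against the specs. The file_contexts lines are constructed in the FC2 format; the matcher assumes that the last matching entry wins and that a trailing `--`/`-d` field restricts an entry to one file type, and the contexts chosen for the encap entries are my own.

```python
import re
from typing import List, Optional, Tuple

# Constructed file_contexts lines in the FC2 format (regex, optional type flag,
# context); not copied from the real policy.  Later entries override earlier
# ones, which is why the catch-all /.* comes first.
BASE_FILE_CONTEXTS = r"""
# regex                          [type]  context
/.*                                      system_u:object_r:default_t
/usr(/.*)?                               system_u:object_r:usr_t
/usr/local/lib(/.*)?                     system_u:object_r:lib_t
/usr/local/lib/.*\.so(\.[^/]*)*  --      system_u:object_r:shlib_t
/tmp/.*                                  <<none>>
"""

# Constructed entries of the kind Russell suggests writing for /usr/local/encap;
# the contexts are my choice for the illustration.
ENCAP_FILE_CONTEXTS = r"""
/usr/local/encap/[^/]+/lib(/.*)?                 system_u:object_r:lib_t
/usr/local/encap/[^/]+/lib/.*\.so(\.[^/]*)*  --  system_u:object_r:shlib_t
"""

# The path behind the avc denial in Chris's post.
ENCAP_LIB = "/usr/local/encap/device-mapper-1.00.17/lib/libdevmapper.so.1.00"

# file_contexts type flags -> the file kind passed to match_context()
_TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-b": "block",
               "-c": "char", "-p": "fifo", "-s": "socket"}

Spec = Tuple[re.Pattern, Optional[str], str]


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts text into (compiled regex, file kind or None, context)."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, kind, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in _TYPE_FLAGS:
            regex, kind, context = fields[0], _TYPE_FLAGS[fields[1]], fields[2]
        else:
            raise ValueError(f"file_contexts line {lineno}: cannot parse {raw!r}")
        # Anchor the regex so it has to match the whole pathname.
        specs.append((re.compile("^(?:" + regex + ")$"), kind, context))
    return specs


def match_context(specs: List[Spec], path: str, kind: str = "file") -> Optional[str]:
    """Context the specs assign to path, or None for <<none>> or no match."""
    for regex, spec_kind, context in reversed(specs):   # last match wins
        if spec_kind is not None and spec_kind != kind:
            continue
        if regex.match(path):
            return None if context == "<<none>>" else context
    return None


def find_mislabeled(specs: List[Spec], inventory):
    """Compare (path, kind, current context) entries against the specs, the way
    'fixfiles check' does, and return (path, current, expected) for each
    entry whose label differs from what the specs say."""
    bad = []
    for path, kind, current in inventory:
        expected = match_context(specs, path, kind)
        if expected is not None and expected != current:
            bad.append((path, current, expected))
    return bad


if __name__ == "__main__":
    base = parse_file_contexts(BASE_FILE_CONTEXTS)
    full = parse_file_contexts(BASE_FILE_CONTEXTS + ENCAP_FILE_CONTEXTS)
    # Without an encap entry the library falls through to /usr(/.*)? -> usr_t.
    print(match_context(base, ENCAP_LIB))
    print(match_context(full, ENCAP_LIB))
    inventory = [("/usr/local/lib", "dir", "system_u:object_r:lib_t"),
                 (ENCAP_LIB, "file", "system_u:object_r:usr_t")]
    for item in find_mislabeled(full, inventory):
        print("relabel needed: %s %s -> %s" % item)
```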
From: russell at coker.com.au (Russell Coker)
Date: Fri, 4 Jun 2004 18:03:23 +1000
Subject: Summary of Informal SELinux Meeting on May 6, 2004
In-Reply-To: <20040603195738.GE3856@lkcl.net>
References: <200406022032.i52KWuSf003348@gotham.columbia.tresys.com> <20040603195738.GE3856@lkcl.net>
Message-ID: <200406041803.23026.russell@coker.com.au>

On Fri, 4 Jun 2004 05:57, Luke Kenneth Casson Leighton wrote:
> all in the same single monolithic daemon that bound itself
> to several different ports and several different unix domain
> sockets, you wouldn't seriously consider saying that "this
> hybrid is a trusted application" would you?

"trusted" in this context does not mean "the code is great and we can
totally trust it", but rather "due to the design of the system we have
no choice but to trust it as it can totally break the security if it
has a problem".

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From sds at epoch.ncsc.mil Fri Jun 4 11:31:25 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 04 Jun 2004 07:31:25 -0400
Subject: Summary of Informal SELinux Meeting on May 6, 2004
In-Reply-To: <200406041803.23026.russell@coker.com.au>
References: <200406022032.i52KWuSf003348@gotham.columbia.tresys.com> <20040603195738.GE3856@lkcl.net> <200406041803.23026.russell@coker.com.au>
Message-ID: <1086348685.19959.19.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-06-04 at 04:03, Russell Coker wrote:
> On Fri, 4 Jun 2004 05:57, Luke Kenneth Casson Leighton wrote:
> > all in the same single monolithic daemon that bound itself
> > to several different ports and several different unix domain
> > sockets, you wouldn't seriously consider saying that "this
> > hybrid is a trusted application" would you?
>
> "trusted" in this context does not mean "the code is great and we can
> totally trust it", but rather "due to the design of the system we have
> no choice but to trust it as it can totally break the security if it
> has a problem".

Further point of clarification: It only has to be trusted to maintain
separation of data for the security contexts it is allowed to access,
e.g. it might be allowed to access data from multiple user roles and
maintain their separation without being allowed to access administrator
or system files. So the trust is not absolute; the OS is still enforcing
some degree of confinement over the application.

I think Frank Mayer of Tresys has previously suggested using
"trustworthy" vs. "trusted" to distinguish the cases noted by Russell.

--
Stephen Smalley
National Security Agency

From russell at coker.com.au Fri Jun 4 11:42:27 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 4 Jun 2004 21:42:27 +1000
Subject: Summary of Informal SELinux Meeting on May 6, 2004
In-Reply-To: <1086348685.19959.19.camel@moss-spartans.epoch.ncsc.mil>
References: <200406022032.i52KWuSf003348@gotham.columbia.tresys.com> <200406041803.23026.russell@coker.com.au> <1086348685.19959.19.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200406042142.27120.russell@coker.com.au>

On Fri, 4 Jun 2004 21:31, Stephen Smalley wrote:
> I think Frank Mayer of Tresys has previously suggested using
> "trustworthy" vs. "trusted" to distinguish the cases noted by Russell.

That use of the word "trustworthy" seems reasonable. But as long as the
word "trusted" is used in its current manner in terms of computer
security there will be confusion.

Any suggestions of a term we can use as a synonym for the current use of
"trusted" to reduce confusion?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From sds at epoch.ncsc.mil Fri Jun 4 11:48:36 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 04 Jun 2004 07:48:36 -0400
Subject: Summary of Informal SELinux Meeting on May 6, 2004
In-Reply-To: <200406042142.27120.russell@coker.com.au>
References: <200406022032.i52KWuSf003348@gotham.columbia.tresys.com> <200406041803.23026.russell@coker.com.au> <1086348685.19959.19.camel@moss-spartans.epoch.ncsc.mil> <200406042142.27120.russell@coker.com.au>
Message-ID: <1086349716.19959.30.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-06-04 at 07:42, Russell Coker wrote:
> That use of the word "trustworthy" seems reasonable. But as long as the
> word "trusted" is used in its current manner in terms of computer
> security there will be confusion.
>
> Any suggestions of a term we can use as a synonym for the current use of
> "trusted" to reduce confusion?

We typically refer to such applications as userspace policy enforcers or
userspace object managers (terminology from the Flask architecture),
reflecting the fact that they are enforcing policy over their own
abstractions/objects.

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Fri Jun 4 12:42:13 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 04 Jun 2004 08:42:13 -0400
Subject: Access to the postgresql data files
In-Reply-To: <200406041218.i54CIEh15674@alexru.adsl.kis.ru>
References: <200406041218.i54CIEh15674@alexru.adsl.kis.ru>
Message-ID: <1086352933.19959.108.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-06-04 at 08:15, Igor Borisovsky wrote:
> Hi.
> I have a question about selinux policy configuration for FC2.
> I need to forbid access to the postgresql data files from user root.
> I guess I have to create a certain type for postgresql. Let's name this
> type pgsql. Thus I have something like that:
>
> [root selinux pgsql]# pwd
> /var/lib/pgsql
> [root selinux pgsql]# ls -aZ
> drwx------+  postgres postgres postgres:object_r:pgsql_home_dir_t .
> drwxr-xr-x   root     root     system_u:object_r:var_lib_t        ..
> drwx------   postgres postgres postgres:object_r:pgsql_home_dir_t backups
> -rw-------   postgres postgres postgres:object_r:pgsql_home_t     .bash_history
> -rw-r--r--   postgres postgres postgres:object_r:pgsql_home_t     .bash_profile
> drwx------   postgres postgres postgres:object_r:pgsql_home_dir_t data
> -rw-r--r--   postgres postgres postgres:object_r:pgsql_home_t     initdb.i18n
> drwxr-xr-x+  postgres postgres postgres:object_r:pgsql_home_t     .mc
> [root selinux pgsql]#
>
> So far user root within the sysadm_r role has access to the postgresql
> data files. I guess I need to find and revoke this permission from the
> sysadm_r role. After looking at the policy.conf file I can't understand
> this.
> So how can I prevent access to postgresql data files from user root?
> Thanks.

Russell Coker already responded to your posting on the
fedora-selinux-list. I would only add a few comments:

1) If you truly want to start reducing the power of sysadm_t, then you
would start by disabling the unrestricted_admin and unlimitedServices
tunables in policy/tunable.te and make load. Otherwise, sysadm_t is
completely unconfined in the Fedora policy. Then you can remove direct
access by sysadm_t to your new types just by omitting the sysadmfile
attribute from the type declarations for your new types. But as Russell
noted, sysadm_t can easily get around such restrictions, so much more
work would be necessary to truly prevent access.

2) If you just want to prevent root from having such access, you could
remove sysadm_r from the authorized roles for root, as Russell noted. I
think that for SELinux play machines, people have authorized root for
only user_r and then authorized another user identity for staff_r and
sysadm_r. But in Fedora, I think you would also have to remove
pam_selinux from the /etc/pam.d/su configuration to achieve this goal,
so that your non-root user can su to uid 0 without having his SELinux
user identity changed to root. Otherwise, su will try to change the
SELinux user identity to root at the same time.

3) Do you really want to prevent someone with the root password from
having access to the database, or do you just want to prevent uid 0
processes from having access? A uid 0 process does not necessarily have
the SELinux root user identity; the SELinux user identity is only
assigned by particular programs such as login and sshd and is unaffected
by setuid programs.

--
Stephen Smalley
National Security Agency

From lkcl at lkcl.net Fri Jun 4 11:15:23 2004
From: lkcl at lkcl.net (Luke Kenneth Casson Leighton)
Date: Fri, 4 Jun 2004 11:15:23 +0000
Subject: Summary of Informal SELinux Meeting on May 6, 2004
In-Reply-To: <200406041803.23026.russell@coker.com.au>
References: <200406022032.i52KWuSf003348@gotham.columbia.tresys.com> <20040603195738.GE3856@lkcl.net> <200406041803.23026.russell@coker.com.au>
Message-ID: <20040604111523.GM3856@lkcl.net>

On Fri, Jun 04, 2004 at 06:03:23PM +1000, Russell Coker wrote:
> On Fri, 4 Jun 2004 05:57, Luke Kenneth Casson Leighton wrote:
> > all in the same single monolithic daemon that bound itself
> > to several different ports and several different unix domain
> > sockets, you wouldn't seriously consider saying that "this
> > hybrid is a trusted application" would you?
>
> "trusted" in this context does not mean "the code is great and we can totally
> trust it", but rather "due to the design of the system we have no choice but
> to trust it as it can totally break the security if it has a problem".

well, the thing is that if you use samba-tng, you _do_ have a choice. each service is separated into its own daemon.

you might want to mention this to the samba team because they were totally (and technically unjustifiably) unreasonably adamant that no such thing would be implemented in samba(3).

"it's too slow" "using unix domain sockets is insecure" were my favourites.

l.

From dwalsh at redhat.com Fri Jun 4 14:53:59 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 04 Jun 2004 10:53:59 -0400
Subject: [Fwd: Re: who provides /etc/sysconfig/selinux?]
Message-ID: <40C08D07.5000700@redhat.com>

-------------- next part --------------
An embedded message was scrubbed...
From: Daniel J Walsh
Subject: Re: who provides /etc/sysconfig/selinux?
Date: Fri, 04 Jun 2004 09:57:36 -0400
Size: 4529

From _bip_ at inbox.ru Fri Jun 4 14:59:35 2004
From: _bip_ at inbox.ru (Igor Borisovsky)
Date: Fri, 4 Jun 2004 18:59:35 +0400
Subject: Access to the postgresql data files
In-Reply-To: <1086352933.19959.108.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200406041502.i54F2Nh16193@alexru.adsl.kis.ru>

Thanks for the reply.
Let me explain my problem in more detail.
I have the database server under RedHat9.
The postgresql database contains very important secure data.
So nobody should have access to this data directly.
Only authorized clients via SSL connections should have access.
In ordinary Linux, user root can steal postgresql data files or edit the pg_hba.conf file to give access to itself.
Thus I want to use FC2 to control access to data files for user root.
User root should be only the Linux server administrator. For example, root should be able to create/delete users, install software/hardware, start/stop services. But root must not have access to postgresql files.

From sds at epoch.ncsc.mil Fri Jun 4 15:14:25 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 04 Jun 2004 11:14:25 -0400
Subject: Access to the postgresql data files
In-Reply-To: <200406041502.i54F2Nh16193@alexru.adsl.kis.ru>
References: <200406041502.i54F2Nh16193@alexru.adsl.kis.ru>
Message-ID: <1086362064.19959.206.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-06-04 at 10:59, Igor Borisovsky wrote:
> Thanks for the reply.
> Let me explain my problem in more detail.
> I have the database server under RedHat9.
> The postgresql database contains very important secure data.
> So nobody should have access to this data directly.
> Only authorized clients via SSL connections should have access.
> In ordinary Linux, user root can steal postgresql data files or
> edit the pg_hba.conf file to give access to itself.
> Thus I want to use FC2 to control access to data files for user root.
> User root should be only the Linux server administrator. For example, root
> should be able to create/delete users, install software/hardware, start/stop
> services. But root must not have access to postgresql files.

You can use SELinux to ensure that only certain applications have direct access to the files. But if root can install software, then he can just replace those applications with his own code to get access to the files. Or he can replace any code or configuration on which those applications depend, e.g. the kernel, ld.so, whatever. And if there is any user account which is authorized to access those files and you let root manage user accounts, then root can gain access to those accounts. Not to mention issues of raw disk access, whether direct or indirect via filesystem administrative utilities. See the problem? So you would have to strip root of _many_ typical administrative privileges to truly enforce such a guarantee.

-- 
Stephen Smalley
National Security Agency

From parklee_fcsel at yahoo.com Fri Jun 4 16:26:49 2004
From: parklee_fcsel at yahoo.com (Park Lee)
Date: Fri, 4 Jun 2004 09:26:49 -0700 (PDT)
Subject: issue on Yum & Xattr
Message-ID: <20040604162649.78494.qmail@web90107.mail.scd.yahoo.com>

Hi,

I have several questions here:

When we use the command 'yum', must we be online? Can I use it on my local machine?
Where are the extended attributes stored? In the inode?
Is there any text-based web browser that can be used in SELinux?

I greatly appreciate your answer.

Yours,
Park Lee
2004-06-05

From sds at epoch.ncsc.mil Fri Jun 4 16:30:56 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 04 Jun 2004 12:30:56 -0400
Subject: [Fwd: Re: who provides /etc/sysconfig/selinux?]
In-Reply-To: <40C08D07.5000700@redhat.com>
References: <40C08D07.5000700@redhat.com>
Message-ID: <1086366655.19959.249.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-06-04 at 10:53, Daniel J Walsh wrote:
> Today's selinux-policy-* RPMS attempt to handle the /etc/selinux/config
> and /etc/sysconfig/selinux files in the post install.
>
> Please check them out.

On a system that had not yet installed either selinux-policy-strict or selinux-policy-targeted (just policy and policy-sources and no /etc/selinux/config), I ran:

yum update SysVinit libselinux
yum install selinux-policy-targeted selinux-policy-targeted-sources

It installed the targeted policy as expected, but /etc/selinux/config has SELINUXTYPE=strict in it.

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Fri Jun 4 17:24:55 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 04 Jun 2004 13:24:55 -0400
Subject: [Fwd: Re: who provides /etc/sysconfig/selinux?]
In-Reply-To: <1086366655.19959.249.camel@moss-spartans.epoch.ncsc.mil>
References: <40C08D07.5000700@redhat.com> <1086366655.19959.249.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <40C0B067.80807@redhat.com>

Stephen Smalley wrote:
> On Fri, 2004-06-04 at 10:53, Daniel J Walsh wrote:
> > Today's selinux-policy-* RPMS attempt to handle the /etc/selinux/config
> > and /etc/sysconfig/selinux files in the post install.
> >
> > Please check them out.
>
> On a system that had not yet installed either selinux-policy-strict or
> selinux-policy-targeted (just policy and policy-sources and no
> /etc/selinux/config), I ran:
> yum update SysVinit libselinux
> yum install selinux-policy-targeted selinux-policy-targeted-sources
>
> It installed the targeted policy as expected, but /etc/selinux/config
> has SELINUXTYPE=strict in it.

Yes, this is because you were running with strict policy before, so I expected you to run with strict policy afterwards. Yum update would have pulled both strict and targeted.

So initial install gets targeted, upgrade from FC2 with policy gets strict. The one hole in the strategy is upgrading a policy -> targeted without installing strict.

Dan

From sds at epoch.ncsc.mil Fri Jun 4 17:46:19 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 04 Jun 2004 13:46:19 -0400
Subject: [Fwd: Re: who provides /etc/sysconfig/selinux?]
In-Reply-To: <40C0B067.80807@redhat.com>
References: <40C08D07.5000700@redhat.com> <1086366655.19959.249.camel@moss-spartans.epoch.ncsc.mil> <40C0B067.80807@redhat.com>
Message-ID: <1086371179.19959.315.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-06-04 at 13:24, Daniel J Walsh wrote:
> Yes, this is because you were running with strict policy before, so I
> expected you to run with strict policy afterwards. Yum update would
> have pulled both strict and targeted.
>
> So initial install gets targeted, upgrade from FC2 with policy gets
> strict. The one hole in the strategy is upgrading a policy -> targeted
> without installing strict.

I'd suggest that each package (selinux-policy-strict, selinux-policy-targeted) set the SELINUXTYPE to its own type (strict or targeted) if it is not already set (or more simply, if /etc/selinux/config does not exist at all). Wouldn't a yum update pull in strict first, so this would still ensure preservation of strict policy in that case?

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Fri Jun 4 17:49:22 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 04 Jun 2004 13:49:22 -0400
Subject: [Fwd: Re: who provides /etc/sysconfig/selinux?]
In-Reply-To: <1086371179.19959.315.camel@moss-spartans.epoch.ncsc.mil>
References: <40C08D07.5000700@redhat.com> <1086366655.19959.249.camel@moss-spartans.epoch.ncsc.mil> <40C0B067.80807@redhat.com> <1086371179.19959.315.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <40C0B622.7050705@redhat.com>

Stephen Smalley wrote:
> On Fri, 2004-06-04 at 13:24, Daniel J Walsh wrote:
> > Yes, this is because you were running with strict policy before, so I
> > expected you to run with strict policy afterwards. Yum update would
> > have pulled both strict and targeted.
> >
> > So initial install gets targeted, upgrade from FC2 with policy gets
> > strict. The one hole in the strategy is upgrading a policy -> targeted
> > without installing strict.
>
> I'd suggest that each package (selinux-policy-strict,
> selinux-policy-targeted) set the SELINUXTYPE to its own type (strict or
> targeted) if it is not already set (or more simply, if
> /etc/selinux/config does not exist at all). Wouldn't a yum update pull
> in strict first, so this would still ensure preservation of strict
> policy in that case?

To me it looks like Yum picks non-related RPM files randomly, or at least not via the alphabet.

Dan

From sds at epoch.ncsc.mil Fri Jun 4 17:59:47 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 04 Jun 2004 13:59:47 -0400
Subject: [Fwd: Re: who provides /etc/sysconfig/selinux?]
In-Reply-To: <40C0B622.7050705@redhat.com>
References: <40C08D07.5000700@redhat.com> <1086366655.19959.249.camel@moss-spartans.epoch.ncsc.mil> <40C0B067.80807@redhat.com> <1086371179.19959.315.camel@moss-spartans.epoch.ncsc.mil> <40C0B622.7050705@redhat.com>
Message-ID: <1086371987.19959.322.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-06-04 at 13:49, Daniel J Walsh wrote:
> To me it looks like Yum picks non-related RPM files randomly, or at least
> not via the alphabet.

I was thinking that there was a relationship between strict and targeted (e.g. obsoletes), but I suppose that is only between them and the old policy packages.

-- 
Stephen Smalley
National Security Agency

From selinux at comcast.net Fri Jun 4 18:06:07 2004
From: selinux at comcast.net (Tom London)
Date: Fri, 04 Jun 2004 11:06:07 -0700
Subject: Install of latest packages....kernel-2.6.6-1.421 fails, selinux-policy-strict-1.13.3-2 succeeds
Message-ID: <40C0BA0F.9010901@comcast.net>

I did a 'yum update' to pick up the latest stuff from the development and Arjan's tree. I worked around the rpm conflicts from early stuff in the development tree.

The kernel update (421) still fails under strict/enforcing mode. The context labels now appear to be in the rpm file, but I'm getting similar messages:

......
lots and lots of WARNING messages like:
WARNING: Couldn't stat /lib/modules/2.6.6-1.421/build/include/asm-i386/ptrace.h: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.421/build/include/asm-i386/bug.h: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.421/build/include/asm-i386/serial.h: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.421/build/mm/Makefile: Permission denied
FATAL: Could not open /lib/modules/2.6.6-1.421/modules.dep.temp for writing: Permission denied
/bin/bash: /root/.bashrc: Permission denied
No dep file found for kernel 2.6.6-1.421
mkinitrd failed

My previous workaround (do 'setenforce 0; yum ....' followed by a relabel) did not work this time. The mkinitrd now fails even under permissive mode:

[root at dell selinux]# setenforce 0
[root at dell selinux]# yum install kernel
Gathering header information file(s) from server(s)
Server: Test Linux 2.6-test prerelease kernels
Server: Fedora Core 2 - i386 - Base
Server: Fedora Core 2 - Development Tree
Server: Fedora Core 2 - i386 - Released Updates
Finding updated packages
Downloading needed headers
Resolving dependencies
Dependencies resolved
I will do the following:
[install: kernel 2.6.6-1.421.i686]
Is this ok [y/N]: y
Downloading Packages
Running test transaction:
Test transaction complete, Success!
kernel 100 % done 1/1
memlock: Cannot allocate memory
Couldn't lock into memory, exiting.
mkinitrd failed

Since the latest kernels seemed to have auditing off, I can't locate anything interesting in /var/log/messages. (Looks like CONFIG_AUDIT is set to y in 421.)

Since the labels now appear correct in the rpm file, could this be something in the policy/context files? Any ideas?

The install of the 1.13.3-2 policy packages seemed to work OK. It left my /etc/selinux/config file untouched. (I guess I should have removed it prior to install.....sorry).

tom

From sds at epoch.ncsc.mil Fri Jun 4 18:07:46 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 04 Jun 2004 14:07:46 -0400
Subject: [Fwd: Re: who provides /etc/sysconfig/selinux?]
In-Reply-To: <40C08D07.5000700@redhat.com>
References: <40C08D07.5000700@redhat.com>
Message-ID: <1086372466.19959.326.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-06-04 at 10:53, Daniel J Walsh wrote:
> Today's selinux-policy-* RPMS attempt to handle the /etc/selinux/config
> and /etc/sysconfig/selinux files in the post install.
>
> Please check them out.

Shouldn't it default to SELINUX=permissive in the absence of any /etc/sysconfig/selinux file?

Do we need a dependency on the newer libselinux, policycoreutils, and SysVinit that are aware of the new policy locations?

-- 
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Fri Jun 4 18:12:28 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 04 Jun 2004 14:12:28 -0400
Subject: Install of latest packages....kernel-2.6.6-1.421 fails, selinux-policy-strict-1.13.3-2 succeeds
In-Reply-To: <40C0BA0F.9010901@comcast.net>
References: <40C0BA0F.9010901@comcast.net>
Message-ID: <1086372748.19959.330.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-06-04 at 14:06, Tom London wrote:
> My previous workaround (do 'setenforce 0; yum ....' followed by a
> relabel) did not work this time. The mkinitrd now fails even under
> permissive mode:
> kernel 100 % done 1/1
> memlock: Cannot allocate memory
> Couldn't lock into memory, exiting.
> mkinitrd failed

Also reported on fedora-devel-list; I don't think it is SELinux-related. 'ulimit -l unlimited' to workaround until a new kernel is available.

-- 
Stephen Smalley
National Security Agency

From Valdis.Kletnieks at vt.edu Fri Jun 4 18:16:24 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 04 Jun 2004 14:16:24 -0400
Subject: Runaway .* globs in file_contexts/types.fc
Message-ID: <200406041816.i54IGO9g022559@turing-police.cc.vt.edu>

OK.. Maybe 3rd time's the charm ;)

Running Fedora Core as of last night-ish -devel tree, and installing selinux-policy-strict-1.13.2-4. Spotted while doing the relabelling (I knew there was a reason I try to remember to run it with '-v' ;):

/usr/sbin/setfiles: relabeling /usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-au from root:object_r:lib_t to system_u:object_r:shlib_t
/usr/sbin/setfiles: relabeling /usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-wav from root:object_r:lib_t to system_u:object_r:shlib_t

Looks like a runaway glob on '.*\.so'... Whoops. ;)

First, the good news.. ;) Some grepping through file_contexts/file_contexts indicates that of the 553 uses of a .* glob, almost all are using it to indicate "to end of filename" with either "/some/path.*" (197 usages) or "/some/path(/.*)?" (313 usages). (Somebody else can audit these 510 to determine if The Other Flavor should have been specified to handle the case of a file called "/some/path-foo" ;)

Now, the bad news.. There's 43 cases of "neither of the above" ;) To find the rest:

grep '\.\*' file_contexts/file_contexts | egrep -v '\(\/\.\*\)\?[[:space:]]|\.\*[[:space:]]'

These 4 mystified me - why "(.*)?" instead of ".*" or "(/.*)?"

/var/run/courier(.*)? system_u:object_r:courier_var_run_t
/usr/lib(64)?/cyrus-imapd/(.*)? -- system_u:object_r:bin_t
/var/www/lrrd(.*)? system_u:object_r:lrrd_var_lib_t
/usr/X11R6/lib(64)?/xscreensaver(.*)? system_u:object_r:bin_t

I suspect that all 4 were intended to be of the form "foo(/.*)?" - anybody know for sure?

Also, anybody know where these come from?
/lib(64)?/lvm-10(/.*) system_u:object_r:lvm_exec_t /lib(64)?/lvm-200(/.*) system_u:object_r:lvm_exec_t (I have some /lib/liblvm-10* files, but not /lib/lvm-* - is that from a non-Fedora system? I'm not seeing a /lib/lvm-* file in either the lvm or lvm2 Fedora RPMs) Now, some more good news - close to half the remaining 43 are from types.fc handling of ld_so_t and shlib_t - patch to clean those up attached. ;) Please double-check - I've verified that this patch doesn't unintentionally relabel anything on my system, and does avoid mislabeling the two xemacs files, but there very well might be things that intend to use .* to greedily swallow across a / character for the types I changed.. if it's too drastic, probably 95% of the benefit could be gained by just changing all the \.so.* to be \.so(\.[^/]*)* instead... As an aside, I *tried* to do this against a current Fedora: for i in *.rpm; do rpm -qpl $i >> /tmp/allfiles; done sort -u /tmp/allfiles | /usr/sbin/setfiles -v -d -n -s file_contexts/file_contexts but that just throws a lot of "File not found" for any files in RPMs that aren't on my system. Could we have a -t (for "test") flag that reports "What would the file context be set to if the file existed?" that skips statting the file? It would make automated regression testing of this sort of thing a lot easier. --- file_contexts/types.fc.dist 2004-06-01 21:09:03.000000000 -0400 +++ file_contexts/types.fc 2004-06-03 00:20:41.899373306 -0400 @@ -85,8 +85,8 @@ /var/ftp/bin(/.*)? system_u:object_r:bin_t /var/ftp/bin/ls -- system_u:object_r:ls_exec_t /var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t -/var/ftp/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t -/var/ftp/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t +/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t +/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t /var/ftp/etc(/.*)? system_u:object_r:etc_t # 
@@ -258,13 +258,13 @@ # /lib(64)? # /lib(64)?(/.*)? system_u:object_r:lib_t -/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t -/lib(64)?/tls/ld.*\.so.* -- system_u:object_r:ld_so_t -/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t -/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t -/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t -/lib(64)?/security/.*\.so.* -- system_u:object_r:shlib_t -/lib(64)?/tls/i686/cmov/.*\.so.* -- system_u:object_r:shlib_t +/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t +/lib(64)?/tls/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t +/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/lib(64)?/devfsd/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/lib(64)?/security/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t # # /sbin @@ -299,9 +299,9 @@ # /usr/lib(64)? # /usr/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t +/usr/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t /usr/lib(64)?/python.*\.so -- system_u:object_r:shlib_t -/usr/lib(64)?/.*/lib[^/]*\.so.* -- system_u:object_r:shlib_t +/usr/lib(64)?/.*/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t /usr/lib(64)?/.*/.*\.so -- system_u:object_r:shlib_t /usr/lib(64)?/autofs/.*\.so -- system_u:object_r:shlib_t /usr/lib(64)?/perl5/man(/.*)? system_u:object_r:man_t 
@@ -316,21 +316,21 @@ # /usr/.*glibc.*-linux/lib(64)? # /usr/.*glibc.*-linux/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/.*glibc.*-linux/lib(64)?/ld.*\.so.* system_u:object_r:ld_so_t -/usr/.*glibc.*-linux/lib(64)?/lib.*\.so.* system_u:object_r:shlib_t +/usr/.*glibc.*-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t +/usr/.*glibc.*-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)* system_u:object_r:shlib_t # /usr/.*redhat-linux/lib(64)? # /usr/.*redhat-linux/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/.*redhat-linux/lib(64)?/ld.*\.so.* system_u:object_r:ld_so_t -/usr/.*redhat-linux/lib(64)?/lib.*\.so.* system_u:object_r:shlib_t +/usr/.*redhat-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t +/usr/.*redhat-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)* system_u:object_r:shlib_t # # /usr/.*linux-libc.*/lib(64)? # /usr/.*linux-libc.*/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/.*linux-libc.*/lib(64)?/ld.*\.so.* system_u:object_r:ld_so_t -/usr/.*linux-libc.*/lib(64)?/lib.*\.so.* system_u:object_r:shlib_t +/usr/.*linux-libc.*/lib(64)?/ld[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t +/usr/.*linux-libc.*/lib(64)?/lib[^/]*\.so(\.[^/]*)* system_u:object_r:shlib_t # # /usr/local @@ -349,7 +349,7 @@ # /usr/local/lib(64)? # /usr/local/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/local/lib(64)?/.*\.so.* -- system_u:object_r:shlib_t +/usr/local/lib(64)?(/.*)+\.so(\.[^/]*)* -- system_u:object_r:shlib_t # # /usr/sbin @@ -365,7 +365,7 @@ # /usr/X11R6/(.*/)?lib(64)? # /usr/X11R6/(.*/)?lib(64)?(/.*)? system_u:object_r:lib_t -/usr/X11R6/(.*/)?lib(64)?/.*\.so.* -- system_u:object_r:shlib_t +/usr/X11R6/(.*/)?lib(64)?(/.*)+\.so(\.[^/]*)* -- system_u:object_r:shlib_t # # /usr/X11R6/man 
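Review bot: the six `+` entries in the `@@ -316` hunk (the `ld[^/]*\.so` and `lib[^/]*\.so` lines under `/usr/.*glibc.*-linux`, `/usr/.*redhat-linux` and `/usr/.*linux-libc.*`) carry no `--` object-class field, while every other ld_so_t and shlib_t line this patch touches does; since those two types are meant for regular files only, add `--` to the six lines, for example `+/usr/.*glibc.*-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t`, so a directory or symlink whose name happens to match cannot pick up the type.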
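Review bot: in the `@@ -349` and `@@ -365` hunks `(/.*)+` is equivalent to `/.*` (a single repetition already spans any number of path components), so `+/usr/local/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t` and the matching `/usr/X11R6/(.*/)?lib(64)?` line express the same match more plainly; these two entries also keep a directory-crossing `.*` in front of `\.so`, unlike the `[^/]*` used elsewhere in the patch, and saying in the description that this is meant to cover nested directories under those trees would stop a later cleanup from narrowing it by mistake.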
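Review bot: the `@@ -299` hunk leaves `/usr/lib(64)?/python.*\.so`, `/usr/lib(64)?/.*/.*\.so` and `/usr/lib(64)?/autofs/.*\.so` unchanged; those still place a `.*` before `\.so`, but each ends at the literal `\.so`, so unlike `\.so.*` they cannot run past the suffix and match names such as `MANIFEST.sounds-au`, and leaving them alone is correct. A sentence in the description noting that they were examined and skipped for that reason would save the next reviewer the same check.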
@@ -378,7 +378,7 @@ /usr/kerberos/bin(/.*)? system_u:object_r:bin_t /usr/kerberos/sbin(/.*)? system_u:object_r:sbin_t /usr/kerberos/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/kerberos/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t +/usr/kerberos/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t # # Fonts dir @@ -459,7 +459,7 @@ # /usr/java/j2sdk.*/bin(/.*)? system_u:object_r:bin_t /usr/java/j2sdk.*/jre/lib(64)?/i386(/.*)? system_u:object_r:lib_t -/usr/java/j2re1.*/plugin/i386(/.*)?/lib.*\.so.* -- system_u:object_r:shlib_t +/usr/java/j2re1.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t # # The krb5.conf file is always being tested for writability, so -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available URL: From dwalsh at redhat.com Fri Jun 4 18:30:40 2004 
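As an added illustration of the runaway-glob problem in this thread (example code written for this page, not part of Valdis's post or of the policy sources), the following Python models how file_contexts entries are matched: each regex is anchored to the whole path, an optional `--` field restricts an entry to regular files, and the last matching entry wins. The spec fragments are constructed from the /usr/local/lib entries in the posted patch, in their old and new forms, and the code shows the two xemacs MANIFEST files being mislabelled by the old entry but not by the new one.

```python
"""Minimal model of file_contexts matching, used to compare the old
'/usr/local/lib(64)?/.*\\.so.*' entry with the patched form.  The spec
fragments below are constructed for this example from the posted patch."""
import re
from typing import List, NamedTuple, Optional

# Object-class codes that may appear as the optional middle field.
FTYPE_CODES = {
    "--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
    "-b": "blk", "-s": "sock", "-p": "fifo",
}


class Spec(NamedTuple):
    regex: "re.Pattern"
    ftype: Optional[str]   # None: the entry applies to every object class
    context: str


def parse_specs(text: str) -> List[Spec]:
    """Parse 'regex [class] context' lines.  Like setfiles, anchor the
    regex so it must match the whole path; a class code such as '--'
    limits the entry to that class.  Lines starting with '#' are comments."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, code, context = fields
            ftype = FTYPE_CODES[code]
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts entry: {raw!r}")
        specs.append(Spec(re.compile(f"^(?:{pattern})$"), ftype, context))
    return specs


def label(specs: List[Spec], path: str, ftype: str = "file") -> Optional[str]:
    """Return the context assigned to `path`, or None if nothing matches.
    With the setfiles of this era the LAST matching entry wins, which is
    why the broad lib_t entry is listed before the shlib_t one."""
    chosen = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != ftype:
            continue                     # '--' entries skip directories etc.
        if spec.regex.match(path):
            chosen = spec.context
    return chosen


# Constructed fragments: the /usr/local/lib entries before and after the patch.
OLD_SPECS = parse_specs(r"""
/usr/local/lib(64)?(/.*)?                      system_u:object_r:lib_t
/usr/local/lib(64)?/.*\.so.*              --   system_u:object_r:shlib_t
""")
NEW_SPECS = parse_specs(r"""
/usr/local/lib(64)?(/.*)?                      system_u:object_r:lib_t
/usr/local/lib(64)?(/.*)+\.so(\.[^/]*)*   --   system_u:object_r:shlib_t
""")


def compare(path: str, ftype: str = "file"):
    """(label under the old entry, label under the new entry) for one path."""
    return label(OLD_SPECS, path, ftype), label(NEW_SPECS, path, ftype)


if __name__ == "__main__":
    # The two xemacs files from the post plus constructed neighbours.
    samples = [
        ("/usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-au", "file"),
        ("/usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-wav", "file"),
        ("/usr/local/lib/libfoo.so.1.2.3", "file"),      # real versioned shlib
        ("/usr/local/lib/libfoo.so.old/readme", "file"),  # '.so' followed by a directory
        ("/usr/local/lib/foo.so.d", "dir"),              # directory: '--' excludes it
    ]
    for path, ftype in samples:
        old, new = compare(path, ftype)
        flag = "MISLABEL" if old != new else "same"
        print(f"{flag:8} {path}\n         old={old}\n         new={new}")
```

Running it prints MISLABEL for the two MANIFEST files and for the `libfoo.so.old/readme` case, where the old `\.so.*` swallowed a directory separator, while real shared objects and directories are labelled identically under both rule sets.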
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 04 Jun 2004 14:30:40 -0400
Subject: [Fwd: Re: who provides /etc/sysconfig/selinux?]
In-Reply-To: <1086372466.19959.326.camel@moss-spartans.epoch.ncsc.mil>
References: <40C08D07.5000700@redhat.com> <1086372466.19959.326.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <40C0BFD0.2040202@redhat.com>

Stephen Smalley wrote:
> On Fri, 2004-06-04 at 10:53, Daniel J Walsh wrote:
> > Today's selinux-policy-* RPMS attempt to handle the /etc/selinux/config
> > and /etc/sysconfig/selinux files in the post install.
> >
> > Please check them out.
>
> Shouldn't it default to SELINUX=permissive in the absence of any
> /etc/sysconfig/selinux file?

No. Well, the only way this should happen is on a fresh install or a disabled SELinux box. I don't like permissive because we end up with too many false AVC messages. A fresh install should put down proper context and with targeted policy, enforcing should work out of the box. Also I have a concern about people forgetting to change permissive to enforcing, and having a false sense of security.

> Do we need a dependency on the newer libselinux, policycoreutils, and
> SysVinit that are aware of the new policy locations?

Probably. Any application that uses default contexts needs to use the new library.

From selinux at comcast.net Fri Jun 4 19:41:30 2004
From: selinux at comcast.net (Tom London)
Date: Fri, 04 Jun 2004 12:41:30 -0700
Subject: Install of latest packages....kernel-2.6.6-1.421 fails, selinux-policy-strict-1.13.3-2 succeeds
Message-ID: <40C0D06A.3090304@comcast.net>

Stephen,

That did it! Thanks! (You saved me a lot of time, since I usually don't check fedora-devel-list. I guess I should!)

I needed to use 'single enforcing=0' to do the 'fixfiles relabel'. Lots needed relabeling (much in /lib/modules/2.6.6-1.421/).

kernel-2.6.6-1.421 turns avc messages back on!

tom

From selinux at comcast.net Fri Jun 4 21:37:57 2004
From: selinux at comcast.net (Tom London)
Date: Fri, 04 Jun 2004 14:37:57 -0700
Subject: kernel install issue: /sbin/depmod - avc's supplied
Message-ID: <40C0EBB5.4010207@comcast.net>

I'm presuming this is a known issue, but just in case....

kernel installs (via 'yum update') when running in strict/enforcing fail.

Now that I have kernel-2.6.6-1.421 installed and running, I have avc's from /var/log/messages. Here are just a few:

Jun 4 14:03:16 dell kernel: audit(1086382996.206:0): avc: denied { read } for pid=3643 exe=/sbin/depmod name=toshiba.ko dev=hdb3 ino=1056054 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 4 14:03:16 dell kernel: audit(1086382996.206:0): avc: denied { read } for pid=3643 exe=/sbin/depmod name=ppdev.ko dev=hdb3 ino=1056048 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 4 14:03:16 dell kernel: audit(1086382996.207:0): avc: denied { read } for pid=3643 exe=/sbin/depmod name=edd.ko dev=hdb3 ino=1069944 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 4 14:03:16 dell kernel: audit(1086382996.207:0): avc: denied { getattr } for pid=3643 exe=/sbin/depmod path=/lib/modules/2.6.6-1.422/build/sound/oss/dmasound/Makefile dev=hdb3 ino=1036012 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 4 14:03:16 dell kernel: audit(1086382996.208:0): avc: denied { getattr } for pid=3643 exe=/sbin/depmod path=/lib/modules/2.6.6-1.422/build/sound/oss/dmasound/Kconfig dev=hdb3 ino=1036011 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 4 14:03:16 dell kernel: audit(1086382996.208:0): avc: denied { getattr } for pid=3643 exe=/sbin/depmod path=/lib/modules/2.6.6-1.422/build/sound/oss/Makefile dev=hdb3 ino=1036006 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file

The contexts in the rpm appear correct (i.e., most are system_u:object_r:modules_object_t, or similar), but the files in /lib/modules/2.6.6-1.422/.... are all labeled system_u:object_r:lib_t.

Anyway, /sbin/depmod is having a hell of a time.

Thanks to Stephen, the workaround of going into permissive mode prior to 'yum update' seems to work, but the file contexts need fixing.

I checked bugzilla for yum but didn't find anything. Has this been filed/fixed?

tom

From khurtwilliams at gmail.com Sat Jun 5 13:11:51 2004
From: khurtwilliams at gmail.com (Khurt Williams)
Date: Sat, 5 Jun 2004 09:11:51 -0400
Subject: Turn on SELinux
Message-ID: <3006f9fb040605061164ccc6e1@mail.gmail.com>

I installed Fedora Core 2. I did not enable selinux at install. How do I now enable it?

From jeempc at sbcglobal.net Sat Jun 5 15:10:40 2004
From: jeempc at sbcglobal.net (abc)
Date: Sat, 05 Jun 2004 11:10:40 -0400
Subject: Turn on SELinux
In-Reply-To: <3006f9fb040605061164ccc6e1@mail.gmail.com>
References: <3006f9fb040605061164ccc6e1@mail.gmail.com>
Message-ID: <1086448240.5510.0.camel@localhost.localdomain>

On Sat, 2004-06-05 at 09:11, Khurt Williams wrote:
> I installed Fedora Core 2. I did not enable selinux at install. How
> do I now enable it?

This may help
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/

From russell at coker.com.au Sun Jun 6 09:28:09 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 6 Jun 2004 19:28:09 +1000
Subject: Runaway .* globs in file_contexts/types.fc
In-Reply-To: <200406041816.i54IGO9g022559@turing-police.cc.vt.edu>
References: <200406041816.i54IGO9g022559@turing-police.cc.vt.edu>
Message-ID: <200406061928.09269.russell@coker.com.au>

On Sat, 5 Jun 2004 04:16, Valdis.Kletnieks at vt.edu wrote:
> Also, anybody know where these come from?
> /lib(64)?/lvm-10(/.*) system_u:object_r:lvm_exec_t
> /lib(64)?/lvm-200(/.*) system_u:object_r:lvm_exec_t

These came from adjusting the Debian path names to the Red Hat naming convention. I'll fix them in my tree.

> Please double-check - I've verified that this patch doesn't unintentionally
> relabel anything on my system, and does avoid mislabeling the two xemacs
> files, but there very well might be things that intend to use .* to
> greedily swallow across a / character for the types I changed.. if it's too
> drastic, probably 95% of the benefit could be gained by just changing all
> the \.so.* to be \.so(\.[^/]*)* instead...

I've checked it and verified that it appears to do the correct thing according to the design. I believe it's good enough that everyone should use it.

There is one improvement that can be made however. Only class "file" should have type shlib_t or ld_so_t. The following six entries should have "--" added to specify that they only apply to the file class. This will improve the speed of setfiles, and may prevent some corner-cases from causing mis-labelled file system objects that can't be conveniently removed.
/usr/.*glibc.*-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
/usr/.*glibc.*-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)* system_u:object_r:shlib_t
/usr/.*redhat-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
/usr/.*redhat-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)* system_u:object_r:shlib_t
/usr/.*linux-libc.*/lib(64)?/ld[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
/usr/.*linux-libc.*/lib(64)?/lib[^/]*\.so(\.[^/]*)* system_u:object_r:shlib_t

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

From christopher.albert at mcgill.ca Sat Jun 5 18:43:01 2004
From: christopher.albert at mcgill.ca (chris albert)
Date: Sat, 05 Jun 2004 14:43:01 -0400
Subject: Turn on SELinux
In-Reply-To: <20040605160027.A1B787590F@hormel.redhat.com>
References: <20040605160027.A1B787590F@hormel.redhat.com>
Message-ID: <40C21435.9080803@mcgill.ca>

On Sat, 2004-06-05 at 09:11, Khurt Williams wrote:
>> I installed Fedora Core 2. I did not enable selinux at install. How
>> do I now enable it?
>
>> This may help
>> http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/

But it doesn't. I filed a bugzilla request for having post-install-without-selinux selinux installation instructions added to the faq. I used S.Smalley's remark at the end of
https://listman.redhat.com/archives/fedora-selinux-list/2004-May/msg00202.html

Chris

From christopher.albert at mcgill.ca Sat Jun 5 18:56:49 2004
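The two points of the "Runaway .* globs" thread above (a trailing `\.so.*` that swallows across `/`, and the `--` file-class field Russell Coker asks for) worked through in an added Python model of how setfiles matches file_contexts entries. This is not code from the thread or from setfiles; the greedy entry, the third fixed entry and the test paths are constructed for illustration, while the first two fixed entries are taken from Russell's list.

```python
"""Emulate how setfiles chooses a context from file_contexts entries.

Added example for the runaway-glob discussion (not code from the thread or from
any SELinux tool). It shows why a trailing `\\.so.*` can swallow unrelated files in
subdirectories, why `\\.so(\\.[^/]*)*` cannot, and what the `--` field does.
"""
import re
from typing import List, NamedTuple, Optional

# setfiles file-type codes: an entry carrying one applies only to that object class
FILE_TYPE_CODES = {"--", "-d", "-l", "-c", "-b", "-s", "-p"}


class Spec(NamedTuple):
    regex: re.Pattern
    ftype: Optional[str]   # None: applies to every object class
    context: str


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse `regex [ftype] context` lines. setfiles anchors every regex, so a
    pattern must match the whole path, never just a prefix."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3 and fields[1] in FILE_TYPE_CODES:
            regex, ftype, context = fields
        elif len(fields) == 2:
            regex, context = fields
            ftype = None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        specs.append(Spec(re.compile(regex), ftype, context))
    return specs


def match_context(specs: List[Spec], path: str, ftype: str = "--") -> Optional[str]:
    """Context setfiles would apply to `path` of object class `ftype` ('--' regular
    file, '-d' directory, ...). The last matching entry wins; None means no match."""
    chosen = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            chosen = spec.context
    return chosen


# Old style (constructed): the `.*` after `\.so` is free to run across '/'.
GREEDY_ENTRIES = r"""
/usr/lib(64)?/.*\.so.*          system_u:object_r:shlib_t
"""

# Fixed style from the thread, with `--` restricting the entries to class file.
# First two lines: Russell Coker's list above; third line: constructed companion.
FIXED_ENTRIES = r"""
/usr/.*redhat-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)*   --  system_u:object_r:ld_so_t
/usr/.*redhat-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)*  --  system_u:object_r:shlib_t
/usr/lib(64)?/lib[^/]*\.so(\.[^/]*)*                 --  system_u:object_r:shlib_t
"""

# Constructed stand-in for the mislabelled editor files mentioned in the thread:
# ".so" occurs inside a file name several directories down.
STRAY_PATH = "/usr/lib/xemacs-21.4.15/lisp/mule.source.el"

if __name__ == "__main__":
    greedy = parse_file_contexts(GREEDY_ENTRIES)
    fixed = parse_file_contexts(FIXED_ENTRIES)
    for label, specs in (("greedy", greedy), ("fixed", fixed)):
        print(label, STRAY_PATH, "->", match_context(specs, STRAY_PATH))
        print(label, "/usr/lib/libc.so.6", "->", match_context(specs, "/usr/lib/libc.so.6"))
        # A directory named like a library: only entries without `--` catch it.
        print(label, "dir /usr/lib/libfoo.so.1", "->",
              match_context(specs, "/usr/lib/libfoo.so.1", "-d"))
```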
From: christopher.albert at mcgill.ca (chris albert)
Date: Sat, 05 Jun 2004 14:56:49 -0400
Subject: Matlab and /var/tmp
Message-ID: <40C21771.4090500@mcgill.ca>

Hi,

Upgraded FC1->FC2, installed selinux later, running in permissive mode, debugging 'avc: denied' messages.

Matlab's license manager, called from an init script, writes files in /var/tmp and checks them periodically, including inside a subdirectory /var/tmp/.flexlm, which it creates if necessary. The init script, provided in the Matlab distro, asks you in comments to change the user it runs under to an ordinary user, and the initrc_su_t transition works fine for file creation in /var/tmp, as long as you don't have vestigial files and directories there from before the selinux relabeling.

I noticed also that other leftovers from rpm build processes were there, still unlabelled after the move to selinux.

I'm wondering if I missed something, or would it be a good idea to have 'fixfiles relabel' flush /var/tmp in the same way it does /tmp.

Chris

From russell at coker.com.au Sun Jun 6 23:50:14 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 7 Jun 2004 09:50:14 +1000
Subject: Matlab and /var/tmp
In-Reply-To: <40C21771.4090500@mcgill.ca>
References: <40C21771.4090500@mcgill.ca>
Message-ID: <200406070950.14854.russell@coker.com.au>

On Sun, 6 Jun 2004 04:56, chris albert wrote:
> I'm wondering if I missed something, or would it be a good idea to have
> 'fixfiles relabel' flush /var/tmp in the same way it does /tmp.

It would probably be a good idea. Although /var/tmp is used for more persistent data than /tmp and there would be more risk of something that is considered important getting lost.

I wonder what happens if a regular user creates the matlab directory under /var/tmp as mode 777...

From christopher.albert at mcgill.ca Mon Jun 7 01:37:03 2004
From: christopher.albert at mcgill.ca (chris albert)
Date: Sun, 06 Jun 2004 21:37:03 -0400
Subject: Matlab and /var/tmp
In-Reply-To: <200406070950.14854.russell@coker.com.au>
References: <40C21771.4090500@mcgill.ca> <200406070950.14854.russell@coker.com.au>
Message-ID: <40C3C6BF.3040101@mcgill.ca>

Russell Coker wrote:
> I wonder what happens if a regular user creates the matlab directory
> under /var/tmp as mode 777...

I can su to root, stop the license manager, create the /var/tmp/.flexlm directory as an ordinary user at 777 and then restart the license manager without any selinux errors. It seems that it was just this unlabeled directory after the selinux initialization in /var/tmp/ that was generating avc errors, both for the matlab operations which created and read files in this directory, as well as for tmpwatch.

Chris

From liling at gmail.com Mon Jun 7 06:26:41 2004
From: liling at gmail.com (Ling Li)
Date: Sun, 6 Jun 2004 23:26:41 -0700
Subject: What does 'plus' in ls -Z mean?
Message-ID: <11669124040606232644c270ea@mail.gmail.com>

Some files/directories have '+' when they are displayed with ls -Z. For example,

# ls -dZ /lost+found/
drwx------+ root root system_u:object_r:lost_found_t /lost+found/

What does the '+' after the mode 'rwx------' mean?

--Ling

From igor at datanaut.com Mon Jun 7 07:35:51 2004
From: igor at datanaut.com (Igor Borisovsky)
Date: Mon, 7 Jun 2004 11:35:51 +0400
Subject: Access to the postgresql data files
In-Reply-To: <1086362064.19959.206.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200406070738.i577cch00684@alexru.adsl.kis.ru>

Ok. I see you.
Can you explain me the following thing?
As I understand in selinux all permissions must be explicitly granted. Hence there is permission to allow sysadm_t to enter the /var/lib/pgsql directory.
I can't find something like this:
allow sysadm_t pgsql_home_dir_t:dir {...};
It is interesting how sysadm_t type has access to /var/lib/pgsql directory?

Thanks.

-----Original Message-----
From: owner-selinux at tycho.nsa.gov [mailto:owner-selinux at tycho.nsa.gov] On Behalf Of Stephen Smalley
Sent: Friday, June 04, 2004 7:14 PM
To: Igor Borisovsky
Cc: SELinux at tycho.nsa.gov; 'Russell Coker'; fedora-selinux-list at redhat.com
Subject: RE: Access to the postgresql data files

On Fri, 2004-06-04 at 10:59, Igor Borisovsky wrote:
> Thanks for reply.
> Let me explain in more details my problem.
> I have the database server under RedHat9.
> The postgresql database contains very important secure data.
> So nobody should have access to this data directly.
> Only authorized clients via SSL connections should have access.
> In the ordinary linux user root can steal postgresql data files or
> edit pg_hba.conf file to give access to itself.
> Thus I want to use FC2 to control access to data files for user root.
> User root should be only linux server administrator. For example, root
> should be able to create/delete user, install software/hardware,
> start/stop services. But root must not have access to postgresql files.

You can use SELinux to ensure that only certain applications have direct access to the files. But if root can install software, then he can just replace those applications with his own code to get access to the files. Or he can replace any code or configuration on which those applications depend, e.g. the kernel, ld.so, whatever. And if there is any user account which is authorized to access those files and you let root manage user accounts, then root can gain access to those accounts. Not to mention issues of raw disk access, whether direct or indirect via filesystem administrative utilities. See the problem? So you would have to strip root of _many_ typical administrative privileges to truly enforce such a guarantee.

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo at tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From russell at coker.com.au Mon Jun 7 08:23:24 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 7 Jun 2004 18:23:24 +1000
Subject: Access to the postgresql data files
In-Reply-To: <200406070738.i577cch00684@alexru.adsl.kis.ru>
References: <200406070738.i577cch00684@alexru.adsl.kis.ru>
Message-ID: <200406071823.24869.russell@coker.com.au>

On Mon, 7 Jun 2004 17:35, "Igor Borisovsky" wrote:
> Ok. I see you.
> Can you explain me the following thing?
> As I understand in selinux all permissions
> must be explicitly granted. Hence there is
> permission to allow sysadm_t to enter the /var/lib/pgsql directory.
> I can't find something like this:
> allow sysadm_t pgsql_home_dir_t:dir {...};
> It is interesting how sysadm_t type has access to /var/lib/pgsql directory?

The type pgsql_home_dir_t has attribute sysadmfile, which means sysadm_t gets full access. Remove the sysadmfile attribute and the access will be denied. But if the attribute is granted through the full_user_role() macro then it's probably easiest to just define a new type for this.

From igor at datanaut.com Mon Jun 7 08:59:51 2004
From: igor at datanaut.com (Igor Borisovsky)
Date: Mon, 7 Jun 2004 12:59:51 +0400
Subject: Access to the postgresql data files
In-Reply-To: <200406071823.24869.russell@coker.com.au>
Message-ID: <200406070902.i5792ah00920@alexru.adsl.kis.ru>

I used macro full_user_role() for pgsql type.
Then I corrected policy.conf file manually. So definitions for the new types look like this:

type pgsql_home_dir_t, file_type, home_dir_type, home_type, user_home_dir_type, user_home_type;
type pgsql_home_t, file_type, home_type, user_home_type;

(I removed sysadmfile attribute)

And finally I launched 'make load'. After that /var/lib/pgsql is still accessible for sysadm_t.

-----Original Message-----
From: Russell Coker [mailto:russell at coker.com.au]
Sent: Monday, June 07, 2004 12:23 PM
To: fedora-selinux-list at redhat.com
Cc: Igor Borisovsky; 'Stephen Smalley'; SELinux at tycho.nsa.gov
Subject: Re: Access to the postgresql data files

On Mon, 7 Jun 2004 17:35, "Igor Borisovsky" wrote:
> Ok. I see you.
> Can you explain me the following thing?
> As I understand in selinux all permissions must be explicitly granted.
> Hence there is permission to allow sysadm_t to enter the
> /var/lib/pgsql directory.
> I can't find something like this:
> allow sysadm_t pgsql_home_dir_t:dir {...}; It is interesting how
> sysadm_t type has access to /var/lib/pgsql directory?

The type pgsql_home_dir_t has attribute sysadmfile, which means sysadm_t gets full access. Remove the sysadmfile attribute and the access will be denied. But if the attribute is granted through the full_user_role() macro then it's probably easiest to just define a new type for this.

From sds at epoch.ncsc.mil Mon Jun 7 11:59:37 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 07 Jun 2004 07:59:37 -0400
Subject: Access to the postgresql data files
In-Reply-To: <200406070902.i5792ah00920@alexru.adsl.kis.ru>
References: <200406070902.i5792ah00920@alexru.adsl.kis.ru>
Message-ID: <1086609577.30328.10.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2004-06-07 at 04:59, Igor Borisovsky wrote:
> I used macro full_user_role() for pgsql type.
> Then I corrected policy.conf file manually. So definitions for the new types
> looks like this:
> type pgsql_home_dir_t, file_type, home_dir_type, home_type,
> user_home_dir_type, user_home_type;
> type pgsql_home_t, file_type, home_type, user_home_type;
> (I removed sysadmfile attribute)
> And finally I launched 'make load'. After that /var/lib/pgsql is still
> accessible for sysadm_t.

Did you also disable the unrestricted_admin and unlimitedServices tunables in tunable.te, as I said in my original reply?

To further elaborate on what Russell said, type attributes can be associated with types and then used in allow rules (or other rules) to apply a single rule to the set of all types with that attribute. Hence, simply grep'ing policy.conf isn't a reliable means of checking access. If you want to perform policy analysis, look at apol from the setools and setools-gui packages.

--
Stephen Smalley
National Security Agency

From russell at coker.com.au Mon Jun 7 12:18:33 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 7 Jun 2004 22:18:33 +1000
Subject: Access to the postgresql data files
In-Reply-To: <200406070902.i5792ah00920@alexru.adsl.kis.ru>
References: <200406070902.i5792ah00920@alexru.adsl.kis.ru>
Message-ID: <200406072218.33188.russell@coker.com.au>

On Mon, 7 Jun 2004 18:59, "Igor Borisovsky" wrote:
> I used macro full_user_role() for pgsql type.
> Then I corrected policy.conf file manually. So definitions for the new
> types looks like this:
> type pgsql_home_dir_t, file_type, home_dir_type, home_type,
> user_home_dir_type, user_home_type;

sysadm_t has the privhome attribute which gives it full access to the home types through macros/user_macros.te. Trying to edit this all by hand will be really painful, things aren't designed to work in that way and they won't work well.

Defining a new type is really easy, requires no hand-modification of the generated policy.conf, and because it's the expected operation it's not going to break anything.

From russell at coker.com.au Mon Jun 7 12:36:48 2004
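The attribute point Russell Coker and Stephen Smalley make in this thread (access to pgsql_home_dir_t arrives through sysadmfile and privhome, so grepping policy.conf for a rule naming the type finds nothing), shown in an added Python model that expands attributes before answering an access question. This is not code from the list or from the setools; the policy fragment, including its allow rules, is constructed, and only the attribute and type names come from the thread.

```python
"""Why grepping policy.conf cannot tell you whether sysadm_t reaches pgsql_home_dir_t.

Added example for the attribute discussion (not code from the thread and not a
substitute for apol). It parses a small constructed fragment in policy.conf
syntax, expands type attributes in allow rules, and answers access questions.
The unrestricted_admin/unlimitedServices tunables are not modelled.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed fragment modelled on the thread: attribute and type names are from
# the messages above, the rules themselves are illustrative.
POLICY = """
attribute domain;
attribute privhome;
attribute file_type;
attribute home_type;
attribute sysadmfile;

type sysadm_t, domain, privhome;
type user_t, domain;
type pgsql_home_dir_t, file_type, home_type, sysadmfile;
type etc_t, file_type, sysadmfile;
type shadow_t, file_type;

allow sysadm_t sysadmfile:dir { read getattr search };
allow sysadm_t sysadmfile:file { read getattr write };
allow privhome home_type:dir { read getattr search add_name };
allow domain etc_t:file { read getattr };
"""

RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\}\s*;")


class Policy:
    """Minimal model of `type`, `attribute` and `allow` with brace permission sets."""

    def __init__(self, text: str) -> None:
        self.types: Set[str] = set()
        self.attrs: Dict[str, Set[str]] = defaultdict(set)   # attribute -> types
        self.rules: List[Tuple[str, str, str, Set[str]]] = []
        for stmt in text.split(";"):
            words = stmt.split()
            if words[:1] == ["attribute"]:
                self.attrs.setdefault(words[1], set())
            elif words[:1] == ["type"]:
                name, *attrs = [w.strip() for w in " ".join(words[1:]).split(",")]
                self.types.add(name)
                for attr in attrs:
                    self.attrs[attr].add(name)
        for src, tgt, cls, perms in RULE_RE.findall(text):
            self.rules.append((src, tgt, cls, set(perms.split())))

    def expand(self, name: str) -> Set[str]:
        """A type stands for itself; an attribute stands for every type carrying it."""
        return {name} if name in self.types else set(self.attrs.get(name, ()))

    def allowed(self, src: str, tgt: str, cls: str) -> Set[str]:
        """Union of permissions from every rule whose expanded source and target
        contain src and tgt for object class cls."""
        perms: Set[str] = set()
        for rsrc, rtgt, rcls, rperms in self.rules:
            if rcls == cls and src in self.expand(rsrc) and tgt in self.expand(rtgt):
                perms |= rperms
        return perms

    def mentions_directly(self, src: str, tgt: str) -> bool:
        """What `grep 'allow src tgt'` on policy.conf would find."""
        return any(r[0] == src and r[1] == tgt for r in self.rules)


def igor_variant() -> Policy:
    """The edit described in the thread: drop sysadmfile from pgsql_home_dir_t but
    keep the home attributes. privhome on sysadm_t still reaches the directory."""
    return Policy(POLICY.replace(
        "type pgsql_home_dir_t, file_type, home_type, sysadmfile;",
        "type pgsql_home_dir_t, file_type, home_type;"))


def new_type_variant() -> Policy:
    """Russell Coker's advice: a fresh type carrying no home or sysadm attributes."""
    return Policy(POLICY + "type pgsql_db_t, file_type;\n")


if __name__ == "__main__":
    for label, pol, tgt in (("as shipped", Policy(POLICY), "pgsql_home_dir_t"),
                            ("sysadmfile removed", igor_variant(), "pgsql_home_dir_t"),
                            ("new type", new_type_variant(), "pgsql_db_t")):
        print(label, "grep finds rule:", pol.mentions_directly("sysadm_t", tgt),
              "dir:", sorted(pol.allowed("sysadm_t", tgt, "dir")),
              "file:", sorted(pol.allowed("sysadm_t", tgt, "file")))
```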
From: russell at coker.com.au (Russell Coker)
Date: Mon, 7 Jun 2004 22:36:48 +1000
Subject: What does 'plus' in ls -Z mean?
In-Reply-To: <11669124040606232644c270ea@mail.gmail.com>
References: <11669124040606232644c270ea@mail.gmail.com>
Message-ID: <200406072236.48759.russell@coker.com.au>

On Mon, 7 Jun 2004 16:26, Ling Li wrote:
> Some files/directories have '+' when they are displayed with ls -Z. For
> example, # ls -dZ /lost+found/
> drwx------+ root root system_u:object_r:lost_found_t /lost+found/
>
> What does the '+' after the mode 'rwx------' mean?

From the SE Linux patch to ls.c:

+ modebuf[10] = (FILE_HAS_ACL (f) ? '+' : ' ');

I have repeated the same test on my system and found a '+' entry when it's not appropriate. I have verified that the directory in question has no acl, and also verified that /bin/ls does not even check for the presence of an acl by stracing it and seeing that it did not query the "system.posix_acl_access" or "system.posix_acl_default" xattrs, and it did not call listxattr() (to determine whether those xattr's existed).

At the moment I believe that there is some memory corruption in the SE Linux code.

From sds at epoch.ncsc.mil Mon Jun 7 12:52:29 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 07 Jun 2004 08:52:29 -0400
Subject: What does 'plus' in ls -Z mean?
In-Reply-To: <200406072236.48759.russell@coker.com.au>
References: <11669124040606232644c270ea@mail.gmail.com> <200406072236.48759.russell@coker.com.au>
Message-ID: <1086612749.30328.36.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2004-06-07 at 08:36, Russell Coker wrote:
> From the SE Linux patch to ls.c:
> + modebuf[10] = (FILE_HAS_ACL (f) ? '+' : ' ');

That is copied from the corresponding code for computing the mode string in print_long_format. In turn, FILE_HAS_ACL is based on the f->have_acl flag. But f->have_acl is only assigned a value if format == long_format in gobble_file(). Hence, the flag is not getting initialized properly for the security_format. Patch below should fix.

--- ls.c.old 2004-06-07 08:51:24.000000000 -0400 +++ ls.c 2004-06-07 08:51:34.000000000 -0400 @@ -2528,7 +2528,7 @@ } #if HAVE_ACL || USE_ACL - if (format == long_format) + if (format == long_format || format == security_format) { int n = file_has_acl (path, &f->stat); f->have_acl = (0 < n);

--
Stephen Smalley
National Security Agency

From russell at coker.com.au Mon Jun 7 13:13:48 2004
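Review bot: the replacement line `+ if (format == long_format || format == security_format)` tests `security_format` unconditionally, yet that enumerator is part of the SELinux additions to ls.c (the `-Z` output), so unless it is declared in every configuration a build without SELinux support stops compiling at this line; wrap the extra comparison in `#ifdef WITH_SELINUX`, as Tim Waugh's follow-up hunk in this thread does. The logic of the fix is sound: the `-Z` mode string reads `f->have_acl` through FILE_HAS_ACL, so `have_acl` must be assigned in gobble_file() for `security_format` as well, and a one-line comment saying so above the condition would keep the next person from "simplifying" it back.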
From: russell at coker.com.au (Russell Coker)
Date: Mon, 7 Jun 2004 23:13:48 +1000
Subject: What does 'plus' in ls -Z mean?
In-Reply-To: <1086612749.30328.36.camel@moss-spartans.epoch.ncsc.mil>
References: <11669124040606232644c270ea@mail.gmail.com> <200406072236.48759.russell@coker.com.au> <1086612749.30328.36.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200406072313.48085.russell@coker.com.au>

On Mon, 7 Jun 2004 22:52, Stephen Smalley wrote:
> On Mon, 2004-06-07 at 08:36, Russell Coker wrote:
> > From the SE Linux patch to ls.c:
> >
> > + modebuf[10] = (FILE_HAS_ACL (f) ? '+' : ' ');
>
> That is copied from the corresponding code for computing the mode string
> in print_long_format. In turn, FILE_HAS_ACL is based on the f->have_acl
> flag. But f->have_acl is only assigned a value if format == long_format

Great work! I've filed the following bugzilla report.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125447

From twaugh at redhat.com Mon Jun 7 13:36:47 2004
From: twaugh at redhat.com (Tim Waugh)
Date: Mon, 7 Jun 2004 14:36:47 +0100
Subject: What does 'plus' in ls -Z mean?
In-Reply-To: <200406072313.48085.russell@coker.com.au>
References: <11669124040606232644c270ea@mail.gmail.com> <200406072236.48759.russell@coker.com.au> <1086612749.30328.36.camel@moss-spartans.epoch.ncsc.mil> <200406072313.48085.russell@coker.com.au>
Message-ID: <20040607133647.GD1594@redhat.com>

On Mon, Jun 07, 2004 at 11:13:48PM +1000, Russell Coker wrote:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125447

I used a slightly different patch:

--- coreutils-5.2.1/src/ls.c 2004-06-04 09:55:05.010506573 +0100 +++ coreutils-5.2.1/src/ls.c 2004-06-07 14:18:07.448963915 +0100
@@ -2530,7 +2530,11 @@ } #if HAVE_ACL || USE_ACL - if (format == long_format) + if (format == long_format +#ifdef WITH_SELINUX + || format == security_format +#endif + ) { int n = file_has_acl (path, &f->stat); f->have_acl = (0 < n);

Fixed in coreutils-5.2.1-15.

Thanks,
Tim.

From selinux at comcast.net Mon Jun 7 22:34:01 2004
From: selinux at comcast.net (Tom London)
Date: Mon, 07 Jun 2004 15:34:01 -0700
Subject: context for /var/log/cron.*
Message-ID: <40C4ED59.1070403@comcast.net>

I noticed that the contexts for the logrotated cron log files are 'restored' by fixfiles/restorecon from system_u:object_r:crond_log_t to system_u:object_r:var_log_t .

Would it make sense to change crond.fc from:
/var/log/cron -- system_u:object_r:crond_log_t
to something like:
/var/log/cron.* -- system_u:object_r:crond_log_t

tom

From Jagan.Kommineni at infotech.monash.edu.au Tue Jun 8 02:18:25 2004
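Review bot: the `#ifdef WITH_SELINUX` / `#endif` pair spliced into the middle of the `if (format == long_format ... )` condition across the four `+` lines is hard to read and easy to break on the next edit to that condition; a clearer shape is a local flag, e.g. `bool need_acl = (format == long_format);` followed by a separately guarded `need_acl |= (format == security_format);`, with a one-line comment that the `-Z` mode string reads `f->have_acl` via FILE_HAS_ACL and therefore needs it set here. Worth stating in the change description too: after this hunk `f->have_acl` is still uninitialized for every other format, which is only safe while no output path reads it there.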
From: Jagan.Kommineni at infotech.monash.edu.au (jagan kommineni)
Date: Tue, 08 Jun 2004 12:18:25 +1000
Subject: Request for help .... system call entry pointes ...
Message-ID: <40C521F1.A84FC439@csse.monash.edu.au>

Hi,

In my projects, I am trapping basic system calls like open, read, write, close etc ... for creating POSIX interface semantics for remote files. I am using SOAP protocol to communicate with the remote files.
http://www.csse.monash.edu.au/~jagan/research.htm

I rewrite functions such as open, read, write etc... as shown below and I created a library module and preloaded it by using the LD_PRELOAD environment variable.

---------------------------------------
for open call,
open, _open, __open, __libc_open, open64, _open64, __open64, __libc_open64
for read call
read, _read, _read, __libc_read
for write call
write, _write, __write __libc_write
etc .....
-------------------------------------------

It is working perfectly well with Redhat 7.3, but in the recent releases of redhat 8 and 9 I am not able to trap system calls; it seems there are some changes to interfaces for entering into system calls.

If anybody has any idea about the new changes, I will be glad to hear.

my email address: jagan at csse.monash.edu.au

with regards,
Jagan Kommineni

From russell at coker.com.au Tue Jun 8 05:17:25 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 8 Jun 2004 15:17:25 +1000
Subject: context for /var/log/cron.*
In-Reply-To: <40C4ED59.1070403@comcast.net>
References: <40C4ED59.1070403@comcast.net>
Message-ID: <200406081517.25552.russell@coker.com.au>

On Tue, 8 Jun 2004 08:34, Tom London wrote:
> I noticed that the contexts for the logrotated cron log files are
> 'restored' by fixfiles/restorecon from system_u:object_r:crond_log_t to
> system_u:object_r:var_log_t .
>
> Would it make sense to change crond.fc from:
> /var/log/cron -- system_u:object_r:crond_log_t
> to something like:
> /var/log/cron.* -- system_u:object_r:crond_log_t

Yes it makes sense. That's been in my tree for a while, it has to be merged in.

From rhally at mindspring.com Tue Jun 8 21:37:56 2004
From: rhally at mindspring.com (Richard Hally)
Date: Tue, 08 Jun 2004 17:37:56 -0400
Subject: enforcing mode update errors
Message-ID: <40C631B4.7080507@mindspring.com>

Below are the error messages from running 'yum update' today while in enforcing mode.
Perhaps this will be helpful to someone.

warning: /etc/selinux/strict/contexts/files/file_contexts created as /etc/selinux/strict/contexts/files/file_contexts.rpmnew
selinux-policy-striwarning: /etc/selinux/strict/policy/policy.17 created as /etc/selinux/strict/policy/policy.17.rpmnew
selinux-policy-strict 100 % done 16/116
Can't open '/etc/selinux/strict/policy/policy.17': Permission denied
warning: /etc/selinux/targeted/contexts/files/file_contexts created as /etc/selinux/targeted/contexts/files/file_contexts.rpmnew
selinux-policy-targeted 100 % done 17/116
python-tools 100 % done 18/116
apr-devel 100 % done 19/116
dietlibc 100 % done 20/116
selinux-policy-strict-sources 100 % done 21/116
make: Entering directory `/etc/selinux/strict/src/policy'
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat /selinux/policyvers`
Can't open '/etc/selinux/strict/policy/policy.17': Permission denied
make: *** [tmp/load] Error 2
make: Leaving directory `/etc/selinux/strict/src/policy'
gimp-print-cups 100 % done 22/116

HTH
Richard Hally

From rhally at mindspring.com Tue Jun 8 21:45:21 2004
From: rhally at mindspring.com (Richard Hally)
Date: Tue, 08 Jun 2004 17:45:21 -0400
Subject: errors from setools
Message-ID: <40C63371.7000809@mindspring.com>

Below is the output from attempting to use 'seinfo' and 'seaudit'. The same error occurs in both enforcing and permissive modes.
Perhaps this will be helpful to someone.

[root at new2 root]# seinfo
Could not open policy /etc/selinux/strict/policy.17!
search_for_policyfile_with_ver: No such file or directory
Error while searching for default policy: Error in find_default_policy_file().
[root at new2 root]# seaudit
Could not open policy /etc/selinux/strict/policy.17?!
search_for_policyfile_with_ver: No such file or directory
[root at new2 root]# rpm -q setools
setools-1.4-1
[root at new2 root]# rpm -q selinux-policy-strict
selinux-policy-strict-1.13.4-2
[root at new2 root]#

HTH
Richard Hally

From khurtwilliams at gmail.com Tue Jun 8 23:08:16 2004
From: khurtwilliams at gmail.com (Khurt Williams)
Date: Tue, 8 Jun 2004 19:08:16 -0400
Subject: Turn on SELinux
In-Reply-To: <40C21435.9080803@mcgill.ca>
References: <20040605160027.A1B787590F@hormel.redhat.com> <40C21435.9080803@mcgill.ca>
Message-ID: <3006f9fb040608160867bb7f90@mail.gmail.com>

The link was very useful. Thanks.

On Sat, 05 Jun 2004 14:43:01 -0400, chris albert wrote:
>
> On Sat, 2004-06-05 at 09:11, Khurt Williams wrote:
>
> >> I installed Fedora Core 2. I did not enable selinux at install. How
> >> do I now enable it?
> >
> >> This may help
> >> http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/
>
> But it doesn't. I filed a bugzilla request for having post-install-without-selinux selinux installation instructions added to the faq.
> I used S.Smalley's remark at the end of
> https://listman.redhat.com/archives/fedora-selinux-list/2004-May/msg00202.html
>
> Chris

From russell at coker.com.au Wed Jun 9 00:42:33 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 9 Jun 2004 10:42:33 +1000
Subject: enforcing mode update errors
In-Reply-To: <40C631B4.7080507@mindspring.com>
References: <40C631B4.7080507@mindspring.com>
Message-ID: <200406091042.33381.russell@coker.com.au>

On Wed, 9 Jun 2004 07:37, Richard Hally wrote:
> Below are the error messages from running 'yum update' today while in
> enforcing mode.
> Perhaps this will be helpful to someone.

What AVC messages did you get?

From rhally at mindspring.com Wed Jun 9 02:43:44 2004
From: rhally at mindspring.com (Richard Hally)
Date: Tue, 08 Jun 2004 22:43:44 -0400
Subject: enforcing mode problems
Message-ID: <40C67960.7070906@mindspring.com>

when running with the latest "strict" policy in enforcing mode, 'su -' does not work.

[richard at new2 richard]$ su -
Password:
could not open session

(ctrl-alt-f1 to a console, switch to permissive)

[richard at new2 richard]$ su -
Password:
[root at new2 root]#

It works but doesn't ask if I want a different context. When I went to the console it asked if I wanted a different context.

Attached is the syslog messages file. Please see the attached messages file for other "AVC denied" messages as well.

HTH
Richard Hally

p.s.
[root at new2 root]# rpm -q selinux-policy-strict
selinux-policy-strict-1.13.4-2

From selinux at comcast.net Wed Jun 9 02:48:10 2004
From: selinux at comcast.net (Tom London)
Date: Tue, 08 Jun 2004 19:48:10 -0700
Subject: enforcing mode problems
Message-ID: <40C67A6A.8000606@comcast.net>

Did you remember to do a 'fixfiles relabel' after installing the new policy files?

If not, I suggest you reboot single-user mode, and then run 'fixfiles relabel'. You probably want fixfiles to clean out /tmp, so move/copy anything you need before running it.

tom

------------------------------------------------------------------------
* /From/: Richard Hally
* /To/: fedora-selinux-list redhat com
* /Subject/: enforcing mode problems
* /Date/: Tue, 08 Jun 2004 22:43:44 -0400
------------------------------------------------------------------------

From rhally at mindspring.com Wed Jun 9 03:05:54 2004
From: rhally at mindspring.com (Richard Hally)
Date: Tue, 08 Jun 2004 23:05:54 -0400
Subject: enforcing mode problems
In-Reply-To: <40C67A6A.8000606@comcast.net>
References: <40C67A6A.8000606@comcast.net>
Message-ID: <40C67E92.2000902@mindspring.com>

Tom London wrote:
> Did you remember to do a 'fixfiles relabel' after installing the new
> policy files?
>
> If not, I suggest you reboot single-user mode, and then run 'fixfiles
> relabel'. You probably want fixfiles to clean out /tmp, so move/copy
> anything you need before running it.
>
> tom
> ------------------------------------------------------------------------
>
> * /From/: Richard Hally
> * /To/: fedora-selinux-list redhat com
> * /Subject/: enforcing mode problems
> * /Date/: Tue, 08 Jun 2004 22:43:44 -0400
>
> ------------------------------------------------------------------------
> when running with the latest "strict" policy in enforcing mode, 'su -'
> does not work.
>
> [richard new2 richard]$ su -
> Password:
> could not open session

Thanks for the suggestion. This system was installed over the past weekend and updated to the (then) latest strict policy. "fixfiles relabel" was run then to allow going to enforcing mode. "yum update" updated the policy today.

I am wondering if "fixfiles relabel" will be necessary every time policy is updated?

Richard Hally

From selinux at comcast.net Wed Jun 9 03:25:17 2004
From: selinux at comcast.net (Tom London)
Date: Tue, 08 Jun 2004 20:25:17 -0700
Subject: enforcing mode problems
Message-ID: <40C6831D.5090802@comcast.net>

I relabel after each policy change. If you don't, context changes reflected in the new policy files are not made.

tom

[On my system, yum/rpm seem not to be correctly labeling installed files, so I manually check and change via 'fixfiles' or 'setfiles' as appropriate. You can check by running 'fixfiles check'. This is especially tedious if updating the kernel/coreutils/selinux packages since improper labels could prevent rebooting in enforcing mode. When this happened to me, I added 'enforcing=0' to the boot line so I could relabel files in permissive mode.]

------------------------------------------------------------------------
  From: Richard Hally
  To: "Fedora SELinux support list for users & developers."
  Subject: Re: enforcing mode problems
  Date: Tue, 08 Jun 2004 23:05:54 -0400
------------------------------------------------------------------------

Tom London wrote:

Did you remember to do a 'fixfiles relabel' after installing the new policy files?

If not, I suggest you reboot single-user mode, and then run 'fixfiles relabel'. You probably want fixfiles to clean out /tmp, so move/copy anything you need before running it.

tom

------------------------------------------------------------------------
  From: Richard Hally
  To: fedora-selinux-list redhat com
  Subject: enforcing mode problems
  Date: Tue, 08 Jun 2004 22:43:44 -0400
------------------------------------------------------------------------

when running with the latest "strict" policy in enforcing mode, 'su -' does not work.

[richard new2 richard]$ su -
Password:
could not open session

Thanks for the suggestion.

This system was installed over the past weekend and updated to the (then) latest strict policy. "fixfiles relabel" was run then to allow going to enforcing mode. "yum update" updated the policy today. I am wondering if "fixfiles relabel" will be necessary every time policy is updated?

Richard Hally

From rhally at mindspring.com Wed Jun 9 03:28:44 2004
From: rhally at mindspring.com (Richard Hally)
Date: Tue, 08 Jun 2004 23:28:44 -0400
Subject: enforcing mode update errors
In-Reply-To: <200406091042.33381.russell@coker.com.au>
References: <40C631B4.7080507@mindspring.com> <200406091042.33381.russell@coker.com.au>
Message-ID: <40C683EC.1010202@mindspring.com>

Russell Coker wrote:
> On Wed, 9 Jun 2004 07:37, Richard Hally wrote:
>
>> Below are the error messages from running 'yum update' today while in
>> enforcing mode.
>> Perhaps this will be helpful to someone.
>
> What AVC messages did you get?
>

Here are the avc messages that I think were from the update:

Jun  8 14:49:07 new2 kernel: audit(1086720547.359:0): avc:  denied  { read } for  pid=5967 exe=/usr/sbin/load_policy name=policy.17 dev=hda2 ino=913086 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file
Jun  8 14:49:43 new2 kernel: audit(1086720583.805:0): avc:  denied  { read } for  pid=6032 exe=/usr/sbin/load_policy name=policy.17 dev=hda2 ino=913086 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file
Jun  8 14:50:42 new2 kernel: audit(1086720642.556:0): avc:  denied  { read } for  pid=6040 exe=/usr/sbin/groupadd name=config dev=hda2 ino=914871 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jun  8 14:50:42 new2 kernel: audit(1086720642.857:0): avc:  denied  { read } for  pid=6041 exe=/usr/sbin/groupadd name=config dev=hda2 ino=914871 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jun  8 14:50:42 new2 kernel: audit(1086720642.860:0): avc:  denied  { read } for  pid=6042 exe=/usr/sbin/groupadd name=config dev=hda2 ino=914871 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jun  8 14:50:43 new2 kernel: audit(1086720643.071:0): avc:  denied  { read } for  pid=6043 exe=/usr/sbin/useradd name=config dev=hda2 ino=914871 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jun  8 14:53:13 new2 kernel: audit(1086720793.835:0): avc:  denied  { read } for  pid=6446 exe=/usr/sbin/userdel name=config dev=hda2 ino=914871 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jun  8 14:53:14 new2 kernel: audit(1086720794.145:0): avc:  denied  { read } for  pid=6447 exe=/usr/sbin/useradd name=config dev=hda2 ino=914871 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jun  8 14:54:22 new2 kernel: audit(1086720862.714:0): avc:  denied  { read } for  pid=6504 exe=/usr/sbin/useradd name=config dev=hda2 ino=914871 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:selinux_config_t tclass=file

-----------------------------------------------------------------------------

And a ton of these (that are probably not related to the policy update):

Jun  8 14:58:49 new2 kernel: audit(1086721129.020:0): avc:  denied  { read } for  pid=6718 exe=/sbin/ldconfig name=libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Jun  8 14:59:17 new2 kernel: audit(1086721157.931:0): avc:  denied  { getattr } for  pid=6722 exe=/sbin/ldconfig path=/usr/lib/libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Jun  8 14:59:30 new2 kernel: audit(1086721170.335:0): avc:  denied  { read } for  pid=6722 exe=/sbin/ldconfig name=libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Jun  8 15:00:13 new2 kernel: audit(1086721213.603:0): avc:  denied  { getattr } for  pid=6760 exe=/sbin/ldconfig path=/usr/lib/libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Jun  8 15:00:28 new2 kernel: audit(1086721228.071:0): avc:  denied  { read } for  pid=6760 exe=/sbin/ldconfig name=libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Jun  8 15:02:05 new2 kernel: audit(1086721325.781:0): avc:  denied  { getattr } for  pid=6762 exe=/sbin/ldconfig path=/usr/lib/libgaim-remote.so.0.0.0 dev=hda2 ino=52056 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
:

THT
Richard Hally

From rhally at mindspring.com Wed Jun 9 03:58:52 2004

From: rhally at mindspring.com (Richard Hally)
Date: Tue, 08 Jun 2004 23:58:52 -0400
Subject: enforcing mode problems
In-Reply-To: <40C6831D.5090802@comcast.net>
References: <40C6831D.5090802@comcast.net>
Message-ID: <40C68AFC.5060009@mindspring.com>

Tom London wrote:
> I relabel after each policy change. If you don't, context changes
> reflected in the new policy files are not made.
>
> tom
> Thanks for the suggestion.
> This system was installed over the past weekend and updated to the
> (then) latest strict policy. "fixfiles relabel" was run then to allow
> going to enforcing mode. "yum update" updated the policy today. I am
> wondering if "fixfiles relabel" will be necessary every time policy is
> updated?
> Richard Hally
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

Yup, boot single, fixfiles relabel fixed this problem. Going thru FC2 test1,2,3 I usually remembered to do the relabeling. I guess what threw me off was the problem with yum updating the policies throwing errors; that is in another thread.

Thanks for the help
Richard Hally

From rhallyx at mindspring.com Wed Jun 9 05:42:25 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Wed, 09 Jun 2004 01:42:25 -0400
Subject: other avc denied messages
Message-ID: <40C6A341.8020706@mindspring.com>

Attached is a syslog messages file that contains avc denied messages from running in enforcing mode. Near the beginning of this file there are avc messages from running 'yum update' to pick up yesterday's updates. There were no errors reported by yum/rpm during this update. Further along in the file are some avc messages that were produced after rebooting in enforcing mode with the "single" option on the kernel line, doing a fixfiles relabel and then continuing to runlevel 5.

HTH
Richard Hally

[root at old1 richard]# rpm -q selinux-policy-strict
selinux-policy-strict-1.13.4-2

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed... Name: messages

From russell at coker.com.au Wed Jun 9 06:25:50 2004

From: russell at coker.com.au (Russell Coker)
Date: Wed, 9 Jun 2004 16:25:50 +1000
Subject: enforcing mode update errors
In-Reply-To: <40C683EC.1010202@mindspring.com>
References: <40C631B4.7080507@mindspring.com> <200406091042.33381.russell@coker.com.au> <40C683EC.1010202@mindspring.com>
Message-ID: <200406091625.50806.russell@coker.com.au>

On Wed, 9 Jun 2004 13:28, Richard Hally wrote:
> Jun  8 14:49:07 new2 kernel: audit(1086720547.359:0): avc:  denied  {
> read } for  pid=5967 exe=/usr/sbin/load_policy name=policy.17 dev=hda2
> ino=913086 scontext=root:sysadm_r:load_policy_t
> tcontext=root:object_r:etc_t tclass=file

The file has the wrong type. Did you create it in permissive mode?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Wed Jun 9 06:27:52 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 9 Jun 2004 16:27:52 +1000
Subject: other avc denied messages
In-Reply-To: <40C6A341.8020706@mindspring.com>
References: <40C6A341.8020706@mindspring.com>
Message-ID: <200406091627.52313.russell@coker.com.au>

On Wed, 9 Jun 2004 15:42, Richard Hally wrote:
> Jun  9 00:56:51 old1 kernel: audit(1086757011.394:0): avc:  denied  {
> execute } for  pid=9481 exe=/bin/bash name=epson dev=hdc3 ino=575379
> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:lib_t
> tclass=file
> Jun  9 00:56:51 old1 kernel: audit(1086757011.532:0): avc:
>  denied  { execute } for  pid=9482 exe=/bin/bash name=canon dev=hdc3
> ino=575374 scontext=system_u:system_r:cupsd_t
> tcontext=system_u:object_r:lib_t tclass=file

What are these files "canon" and "epson"?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From david.balazic at hermes.si Wed Jun 9 07:42:06 2004
From: david.balazic at hermes.si (David Balazic)
Date: Wed, 9 Jun 2004 09:42:06 +0200
Subject: Can not access files in own home directory
Message-ID: <600B91D5E4B8D211A58C00902724252C01BC06A1@piramida.hermes.si>

Hi!

First, is SELinux supposed to work in Fedora Core 2 or is it in beta (alpha) phase?

Because I get a failure right 5 minutes after installation.

I did a SELinux enabled install of FC2 (Workstation type).
In firstboot I created a user.

Then I tried to log in on VC2 as that user and it gave a SELinux access denied error.
bash was denied access to /home/me/.bash_profile

Then I issued a "ls -a" command and it could only list the file names, but not the properties; again, access was denied.

So is SELinux there to be used or to be yet developed?
Or was this an accidental bug?
Should I bugzilla it?

Regards,
David

---------------------------------------------------------------------------------------
http://noepatents.org/  Innovation, not litigation !
---
David Balazic             mailto:david.balazic at hermes.si
HERMES Softlab            http://www.hermes-softlab.com
Zagrebska cesta 104       Phone: +386 2 450 8851
SI-2000 Maribor
Slovenija
---------------------------------------------------------------------------------------
"Be excellent to each other." - Bill S. Preston, Esq. & "Ted" Theodore Logan
---------------------------------------------------------------------------------------

From rhally at mindspring.com Wed Jun 9 07:46:55 2004
From: rhally at mindspring.com (Richard Hally)
Date: Wed, 09 Jun 2004 03:46:55 -0400
Subject: enforcing mode update errors
In-Reply-To: <200406091625.50806.russell@coker.com.au>
References: <40C631B4.7080507@mindspring.com> <200406091042.33381.russell@coker.com.au> <40C683EC.1010202@mindspring.com> <200406091625.50806.russell@coker.com.au>
Message-ID: <40C6C06F.20906@mindspring.com>

Russell Coker wrote:
> On Wed, 9 Jun 2004 13:28, Richard Hally wrote:
>
>> Jun  8 14:49:07 new2 kernel: audit(1086720547.359:0): avc:  denied  {
>> read } for  pid=5967 exe=/usr/sbin/load_policy name=policy.17 dev=hda2
>> ino=913086 scontext=root:sysadm_r:load_policy_t
>> tcontext=root:object_r:etc_t tclass=file
>
> The file has the wrong type. Did you create it in permissive mode?
>

It is possible that I did, although I am trying to stay in enforcing mode as much as possible. If I was in permissive mode how could the file have been labeled "etc_t"?

RH

From rhally at mindspring.com Wed Jun 9 08:14:08 2004
From: rhally at mindspring.com (Richard Hally)
Date: Wed, 09 Jun 2004 04:14:08 -0400
Subject: other avc denied messages
In-Reply-To: <200406091627.52313.russell@coker.com.au>
References: <40C6A341.8020706@mindspring.com> <200406091627.52313.russell@coker.com.au>
Message-ID: <40C6C6D0.3020207@mindspring.com>

Russell Coker wrote:
> On Wed, 9 Jun 2004 15:42, Richard Hally wrote:
>
>> Jun  9 00:56:51 old1 kernel: audit(1086757011.394:0): avc:  denied  {
>> execute } for  pid=9481 exe=/bin/bash name=epson dev=hdc3 ino=575379
>> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:lib_t
>> tclass=file
>> Jun  9 00:56:51 old1 kernel: audit(1086757011.532:0): avc:
>>  denied  { execute } for  pid=9482 exe=/bin/bash name=canon dev=hdc3
>> ino=575374 scontext=system_u:system_r:cupsd_t
>> tcontext=system_u:object_r:lib_t tclass=file
>
> What are these files "canon" and "epson"?
>

As far as I can tell, they have to do with sane-backends or printers. Since cupsd_t is trying to execute them they may be printer/scanner drivers. I did not attempt to do any printing. The only device I have that is related to cups is a HP laser printer.

RH

From fedora at andrewfarris.com Wed Jun 9 09:04:19 2004
From: fedora at andrewfarris.com (Andrew Farris)
Date: Wed, 09 Jun 2004 02:04:19 -0700
Subject: Can not access files in own home directory
In-Reply-To: <600B91D5E4B8D211A58C00902724252C01BC06A1@piramida.hermes.si>
References: <600B91D5E4B8D211A58C00902724252C01BC06A1@piramida.hermes.si>
Message-ID: <1086771859.8887.9.camel@CirithUngol>

On Wed, 2004-06-09 at 09:42 +0200, David Balazic wrote:
> Hi!
>
> First, is SELinux supposed to work in Fedora Core 2 or is it in beta(alpha)
> phase ?
>
> Because I get a failure right 5 minutes after installation.
>
> I did a SELinux enabled install of FC2 ( Workstation type ).
> In firstboot I created a user.
>
> The I tried to log in on VC2 as that user and it gave a SELinux access
> denied error.
> bash was denied access to /home/me/.bash_profile

Boot to runlevel 1 and run 'fixfiles relabel'. The filesystem is most likely not relabeled using the installed policy. This must be done before SELinux will operate correctly.

> The I issued a "ls -a" command and it could only list the file names, but
> not the properties,
> again, access was denied.
>
> So is SELinux there to be used or to be yet developed ?

Yes.. but it is not a drop-in security fix without setup or management.. yet. You will need to deal with development issues periodically. The first one would be getting the newest policy packages, which have changed name from the FC2 install. You should install via yum or apt all of the selinux packages from the Development directories on mirrors:

selinux-policy-targeted-1.13.3-2
libselinux-1.13.2-1
libselinux-debuginfo-1.13.2-1
libselinux-devel-1.13.2-1
selinux-doc-1.10-1
selinux-policy-strict-1.13.3-2
selinux-policy-strict-sources-1.13.3-2
selinux-policy-targeted-sources-1.13.3-2

If you want to test out SELinux with minimal fuss you should configure the targeted policy.

> Or was this an accidental bug ?
> Should I bugzilla it ?

Probably not, first try the above -- failure to label the filesystem at install has been discussed some already so it's probably not new. More useful info here: http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/

> Regards,
> David

--
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora at andrewfarris.com :: lordmorgul on irc.freenode.net

From russell at coker.com.au Wed Jun 9 09:11:55 2004

From: russell at coker.com.au (Russell Coker)
Date: Wed, 9 Jun 2004 19:11:55 +1000
Subject: Can not access files in own home directory
In-Reply-To: <600B91D5E4B8D211A58C00902724252C01BC06A1@piramida.hermes.si>
References: <600B91D5E4B8D211A58C00902724252C01BC06A1@piramida.hermes.si>
Message-ID: <200406091911.55998.russell@coker.com.au>

On Wed, 9 Jun 2004 17:42, David Balazic wrote:
> First, is SELinux supposed to work in Fedora Core 2 or is it in beta(alpha)
> phase ?

It is supposed to work.

> Because I get a failure right 5 minutes after installation.
>
> I did a SELinux enabled install of FC2 ( Workstation type ).
> In firstboot I created a user.

This is a known bug, when firstboot creates a user it doesn't give the correct type to the home directory files. Running setfiles is the correct thing to do. But you don't have to label the entire file system, just the home directory for the new user.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Wed Jun 9 11:13:42 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 9 Jun 2004 21:13:42 +1000
Subject: strange audit messages.
Message-ID: <200406092113.42104.russell@coker.com.au>

I've attached a small snippet of dmesg output (produced by "dmesg > file"). It's from kernel 2.6.5-1.358.

Notice that there are >130 spaces at the start of some lines, and those lines also have their data truncated. It looks as if some memcpy has a bad offset.

Arjan and Steve, is this a known bug that's solved in the latest 2.6.6 kernel?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-------------- next part --------------
A non-text attachment was scrubbed... Name: dmesg.gz Type: application/x-gzip Size: 397 bytes

From Daniel.Levine at jhuapl.edu Wed Jun 9 15:02:04 2004
From: Daniel.Levine at jhuapl.edu (Levine, Daniel J.)
Date: Wed, 9 Jun 2004 11:02:04 -0400
Subject: Getting the user ID in log messages...
Message-ID: <9B1BC8B496577349843830DA4DC9733D05AC0AF9@freedom.dom1.jhuapl.edu>

Hi guys,

First let me start off by saying that I've been running Fedora Core 2 with SELinux in permissive mode since a few days after it was released officially with no real system problems. That being said, I'm trying to understand how to do things properly to maintain the integrity of the system and perform the auditing I desire.

Is there a good place to look which documents the SELinux relevant commands? The Fedora Core 2 SELinux FAQ has some interesting info, but relatively few commands. A Gentoo related site gave me some command ideas. Perhaps this is on the documentation CD for Fedora Core 2, which I have yet to download? I expected to be able to hunt through the man pages starting with man selinux, but that didn't pan out. I found some other references online called the Getting Started with SE Linux HOWTO and Gentoo SE Linux HOWTO, but these offered some commands not available in the Fedora Core 2 implementation. To be more specific, I have been able to type "id" and "newrole", but not able to type "rlpkg" and "run_init". Re-labeling a file system is something they do with "cd /etc/security/selinux/src/policy; make relabel", but I was unable to find the equivalent.

I have a very specific issue that I'm trying to figure out. For some reason, when a role violation (perhaps there's a better phrase) occurs and a log message is produced in /var/log/messages, I would like to see a user id and the context. For example, in "Getting Started with SE Linux HOWTO" (7. Explanation of log file messages) the example shows the following scontext:

scontext: faye:user_r:user_t

This is great, as I would know to contact the user faye and ask about the situation. But on my Fedora Core 2 machine, my /var/log/messages produces:

scontext: user_u:user_r:user_t

This is not so useful, as I have no idea who user_u is. I am using NIS for this system. Typing "id" on my system produces:

uid=706(dan) gid=20(games) groups=20(games),501(test) context=user_u:user_r:user_t

So I guess everything is consistent with the log entry as far as the system is concerned. I just don't want a generic user_u to get filled in for violations. I want the specific user id and name. Perhaps I need to configure some more stuff for use with NIS?

Daniel J. Levine
Section Supervisor
Johns Hopkins University Applied Physics Laboratory
443-778-3952
240-228-3952

-------------- next part --------------
An HTML attachment was scrubbed...

From selinux at comcast.net Wed Jun 9 18:04:40 2004
From: selinux at comcast.net (Tom London)
Date: Wed, 09 Jun 2004 11:04:40 -0700
Subject: canna .... still wants to access /tmp
Message-ID: <40C75138.3020003@comcast.net>

Looks like the new policy (selinux-strict-policy-1.13.4-2) removes access to tmp files in canna.te. But canna (Canna-0.3.7p3-2) still wants to access /tmp/.

Are there new versions of the canna stuff coming that move the files from /tmp elsewhere?

tom

Jun  8 09:32:06 dell kernel: audit(1086712326.043:0): avc:  denied  { search } for  pid=2094 exe=/usr/sbin/cannaserver name=tmp dev=hdb3 ino=278529 scontext=system_u:system_r:canna_t tcontext=system_u:object_r:tmp_t tclass=dir
Jun  8 09:32:06 dell kernel: audit(1086712326.044:0): avc:  denied  { search } for  pid=2094 exe=/usr/sbin/cannaserver name=tmp dev=hdb3 ino=278529 scontext=system_u:system_r:canna_t tcontext=system_u:object_r:tmp_t tclass=dir
Jun  8 09:32:06 dell cannaserver:
Jun  8 09:32:06 dell cannaserver: ERROR:
Jun  8 09:32:06 dell cannaserver: Another 'cannaserver' is detected.
Jun  8 09:32:06 dell cannaserver: If 'cannaserver' is not running,
Jun  8 09:32:06 dell cannaserver: "/tmp/.iroha_unix/IROHA" may remain accidentally.
Jun  8 09:32:06 dell cannaserver: So, after making sure that 'cannaserver' is not running.
Jun  8 09:32:06 dell cannaserver: Please execute following command.
Jun  8 09:32:06 dell cannaserver:
Jun  8 09:32:06 dell cannaserver: rm /tmp/.iroha_unix/IROHA
Jun  8 09:32:06 dell cannaserver:

From russell at coker.com.au Thu Jun 10 05:16:38 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 10 Jun 2004 15:16:38 +1000
Subject: canna .... still wants to access /tmp
In-Reply-To: <40C75138.3020003@comcast.net>
References: <40C75138.3020003@comcast.net>
Message-ID: <200406101516.38514.russell@coker.com.au>

On Thu, 10 Jun 2004 04:04, Tom London wrote:
> Looks like the new policy (selinux-strict-policy-1.13.4-2) removes
> access to tmp files in canna.te. But canna (Canna-0.3.7p3-2) still
> wants to access /tmp/.
>
> Are there new versions of the canna stuff coming that move the files
> from /tmp elsewhere?

The plan is that canna will be modified to put its unix domain socket files under /var/run. The current situation is a grave security hole for non-SE systems and systems running the targeted policy.

For the current canna implementation you can rename the unix domain socket, create your own socket under the well known name, then proxy data across thus reading the majority of text that the unsuspecting user types.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Thu Jun 10 06:09:58 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 10 Jun 2004 16:09:58 +1000
Subject: Getting the user ID in log messages...
In-Reply-To: <9B1BC8B496577349843830DA4DC9733D05AC0AF9@freedom.dom1.jhuapl.edu>
References: <9B1BC8B496577349843830DA4DC9733D05AC0AF9@freedom.dom1.jhuapl.edu>
Message-ID: <200406101609.58783.russell@coker.com.au>

On Thu, 10 Jun 2004 01:02, "Levine, Daniel J." wrote:
> Explanation of log file messages) the example show the following scontext:
>
> scontext: faye:user_r:user_t
>
> This is great, as I would know to contact the user faye and ask about the
> situation. But on my Fedora Core 2 machine, my /var/log/messages produces:
>
> scontext: user_u:user_r:user_t

In your users file in the SE Linux policy you need the following:

user dan roles user_r;

Then run "make load".

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From tagoh at redhat.com Thu Jun 10 09:05:09 2004
From: tagoh at redhat.com (Akira TAGOH)
Date: Thu, 10 Jun 2004 18:05:09 +0900 (JST)
Subject: canna .... still wants to access /tmp
In-Reply-To: <200406101516.38514.russell@coker.com.au>
References: <40C75138.3020003@comcast.net> <200406101516.38514.russell@coker.com.au>
Message-ID: <20040610.180509.628201475.tagoh@redhat.com>

>>>>> On Thu, 10 Jun 2004 15:16:38 +1000,
>>>>> "RC" == Russell Coker wrote:

RC> On Thu, 10 Jun 2004 04:04, Tom London wrote:
>> Looks like the new policy (selinux-strict-policy-1.13.4-2) removes
>> access to tmp files in canna.te. But canna (Canna-0.3.7p3-2) still
>> wants to access /tmp/.
>>
>> Are there new versions of the canna stuff coming that move the files
>> from /tmp elsewhere?

RC> The plan is that canna will be modified to put it's unix domain socket files
RC> under /var/run. The current situation is a grave security hole for non-SE
RC> systems and systems running the targetted policy.

I'm ready to go change the socket files under /var/run. Russell, could you change the policy about it?

Regards,
--
Akira TAGOH

From david.balazic at hermes.si Thu Jun 10 06:38:44 2004

From: david.balazic at hermes.si (David Balazic)
Date: Thu, 10 Jun 2004 08:38:44 +0200
Subject: Can not access files in own home directory
Message-ID: <600B91D5E4B8D211A58C00902724252C01BC06AD@piramida.hermes.si>
> From: Russell Coker[SMTP:russell at coker.com.au]
>
> On Wed, 9 Jun 2004 17:42, David Balazic wrote:
> > Because I get a failure right 5 minutes after installation.
> >
> > I did a SELinux enabled install of FC2 ( Workstation type ).
> > In firstboot I created a user.
>
> This is a known bug, when firstboot creates a user it doesn't give the
> correct type to the home directory files. Running setfiles is the correct thing
> to do. But you don't have to label the entire file system, just the home
> directory for the new user.
>

setfiles requires some "policy" argument, what do I use?

Well, I just ran "fixfiles relabel" (not in runlevel 1, as suggested by Andrew Farris, but level 5; is that a problem?).

Now login on VCx is OK, but login in X still does not work. Previously it reported that my home dir does not exist, but now after the "fix", when I enter my username and password a blank blue screen with a mouse pointer (pointer, not sandwatch) appears and nothing happens. I waited 30 seconds and switched to VC1 to check out what is happening, but then the screen started to blink. It went black for ~5 seconds, then back to VC1 for a second, then black again and so on. Maybe the X server was restarting.

Any clues?

David Balažic

From Daniel.Levine at jhuapl.edu Thu Jun 10 12:17:00 2004
From: Daniel.Levine at jhuapl.edu (Levine, Daniel J.)
Date: Thu, 10 Jun 2004 08:17:00 -0400
Subject: Getting the user ID in log messages...
Message-ID: <9B1BC8B496577349843830DA4DC9733D05AC0AFC@freedom.dom1.jhuapl.edu>

Russell,

Thanks, I managed to figure that out from the "Getting Started with SELinux HOWTO" from the adding a user section. For a standalone system, I can see how this is no big deal. Every time I add a user, I add the user to the /etc/selinux/users file. But suppose I have 100 machines, I would need to add it to 100 systems. This is why I use NIS to manage my password and shadow files. I suppose one homegrown solution would be to put /etc/selinux/users into an NIS map (users.byname) and periodically (every half-hour perhaps) have a cron job perform a ypcat users.byname > /etc/selinux/users. Is there a standard map one could use or a PAM module that's aware of such needs?

Suppose I wasn't using something as old as NIS, like OpenLDAP, is there a standard mechanism for putting this information into its databases? And if not, should there be one?

Perhaps my problem is simpler to solve than this. All I really need is the user ID of the person who logged in to the system. This identifies whose account was used to perpetrate the illegal access. Could the user ID number and user name be added to the log messages when violations occur? The id command seems to have the information it needs, perhaps the SELinux logger does too? Otherwise, I'd need to do something like I mention above.

I'm not really interested in whether the context has the user name. That was just a way of using what seemed to be a built-in capability if I had set things up right. I have no real problem with users running around as user_u:user_r:user_t in the system. I just need to know which user to start talking to when I see they are poking around the system.

Daniel J. Levine
Section Supervisor
Johns Hopkins University Applied Physics Laboratory
443-778-3952
240-228-3952

-----Original Message-----
From: Russell Coker [mailto:russell at coker.com.au]
Sent: Thursday, June 10, 2004 2:10 AM
To: fedora-selinux-list at redhat.com
Cc: Levine, Daniel J.
Subject: Re: Getting the user ID in log messages...

On Thu, 10 Jun 2004 01:02, "Levine, Daniel J." wrote:
> Explanation of log file messages) the example show the following scontext:
>
> scontext: faye:user_r:user_t
>
> This is great, as I would know to contact the user faye and ask about the
> situation. But on my Fedora Core 2 machine, my /var/log/messages produces:
>
> scontext: user_u:user_r:user_t

In your users file in the SE Linux policy you need the following:

user dan roles user_r;

Then run "make load".

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From david.balazic at hermes.si Thu Jun 10 12:33:20 2004
From: david.balazic at hermes.si (David Balazic)
Date: Thu, 10 Jun 2004 14:33:20 +0200
Subject: LIST-ADMIN: Error in mail headers
Message-ID: <600B91D5E4B8D211A58C00902724252C01BC06B4@piramida.hermes.si>

Hi!

The header of mail coming from this list has, among other things, this:

List-Archive:

Which is wrong; correct would be something like this:

List-Archive:

Also there is no owner or administrator listed.

Regards,
David

---------------------------------------------------------------------------------------
http://noepatents.org/  Innovation, not litigation !
---
David Balazic             mailto:david.balazic at hermes.si
HERMES Softlab            http://www.hermes-softlab.com
Zagrebska cesta 104       Phone: +386 2 450 8851
SI-2000 Maribor
Slovenija
---------------------------------------------------------------------------------------
"Be excellent to each other." - Bill S. Preston, Esq. & "Ted" Theodore Logan
---------------------------------------------------------------------------------------

From russell at coker.com.au Thu Jun 10 13:46:22 2004
From: russell at coker.com.au (Russell Coker) Date: Thu, 10 Jun 2004 23:46:22 +1000 Subject: Getting the user ID in log messages... In-Reply-To: <9B1BC8B496577349843830DA4DC9733D05AC0AFC@freedom.dom1.jhuapl.edu> References: <9B1BC8B496577349843830DA4DC9733D05AC0AFC@freedom.dom1.jhuapl.edu> Message-ID: <200406102346.22082.russell@coker.com.au> On Thu, 10 Jun 2004 22:17, "Levine, Daniel J." wrote: > Thanks, I managed to figure that out from the "Getting Started with SELinux > HOWTO" from the adding a user section. For a standalone system, I can see > how this is no big deal. Every time I add a user, I add the user to the > /etc/selinux/users file. But suppose I have 100 machines, I would need to > add it to 100 systems. This is why I use NIS to manage my password and > shadow files. I suppose one homegrown solution would be to put > /etc/selinux/users into an NIS map (users.byname) and periodically (every > half-hour perhaps) have a cron job perform a ypcat users.byname > > /etc/selinux/users. Is there a standard map one could use or a PAM module > that's aware of such needs. There is no standard way of doing this. Maybe you will set the standard if you do it first! ;) Having a cron job automatically generate and load a SE Linux policy has its own issues as well. > Suppose I wasn't using something as old as NIS, like OpenLDAP, is there a > standard mechanism for putting this information into its databases? And if > not, should there be one? Probably there should. But we'll need to get an OID assigned for this. > Perhaps my problem is simpler to solve than this. All I really need is the > user ID of the person who logged in to the system. This identifies whose > account was used to perpetrate the illegal access. Could the user ID > number and user name be added to the log messages when violations occur? At the moment no. Maybe this is something for the audit facility rather than SE Linux kernel code. 
-- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From dwalsh at redhat.com Thu Jun 10 13:44:14 2004 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 10 Jun 2004 09:44:14 -0400 Subject: Can not access files in own home directory In-Reply-To: <600B91D5E4B8D211A58C00902724252C01BC06AD@piramida.hermes.si> References: <600B91D5E4B8D211A58C00902724252C01BC06AD@piramida.hermes.si> Message-ID: <40C865AE.7030908@redhat.com> setfiles takes the file_contexts file as the second parameter; if you look at fixfiles, all it is doing is execing setfiles. So with strict policy you would run setfiles /etc/selinux/strict/contexts/files/file_contexts /home to relabel homedirs. After running fixfiles relabel you should always reboot in order to start programs under the right context. If you do this in level 5 there is a chance the applications will write files out with bad context after the relabel, before the reboot. David Balazic wrote: 
>>From: Russell Coker[SMTP:russell at coker.com.au] >> >>On Wed, 9 Jun 2004 17:42, David Balazic wrote: >> >> >>>Because I get a failure right 5 minutes after installation. >>> >>>I did a SELinux enabled install of FC2 ( Workstation type ). >>>In firstboot I created a user. >>> >>> >>This is a known bug, when firstboot creates a user it doesn't give the >>correct >>type to the home directory files. Running setfiles is the correct thing >>to >>do. But you don't have to label the entire file system, just the home >>directory for the new user. >> >> >> >setfiles requires some "policy" argument, what do I use ? >Well, I just run "fixfiles relabel" ( not is runlevel 1, as suggested by >Andrew Farris, >but level 5, is that a problem ? ). >Now login on VCx is OK, but login in X still does not work. Previously it >reported that >my home dir does not exist, but now after the "fix" , when I enter my >username and >password an blank blue screen with a mouse pointer ( pointer, not sandwatch >) appears >and nothing happens. I waited 30 seconds and switched to VC1 to check out >what is >happening, but then the screen started to blink. It went black for ~5 >seconds, then back >to VC1 for a second , then black again and so on. Maybe the X server was >restarting. > >Any clues ? > >David Bala?ic > >-- >fedora-selinux-list mailing list >fedora-selinux-list at redhat.com >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > From Daniel.Levine at jhuapl.edu Thu Jun 10 14:50:36 2004 
From: Daniel.Levine at jhuapl.edu (Levine, Daniel J.) Date: Thu, 10 Jun 2004 10:50:36 -0400 Subject: Getting the user ID in log messages... Message-ID: <9B1BC8B496577349843830DA4DC9733D05AC0AFE@freedom.dom1.jhuapl.edu> I'm curious why the ypcat cron with a make reload would present its own issues. I guess it must be a security context issue since I'm new to it. Is there a better alternative to visiting each machine manually and adding the line to /etc/selinux/users (assuming that's where it is on my Fedora Core 2 machine)? I see there's something about local policy changes being placed in /etc/security/selinux/src/policy/domains/misc/. Can I also put a users file in there (or somewhere else)? If so, I suppose I could have a central NFS auto-mounted location for my local users file. So at boot time, I have a nice sane policy (your default which maps all users to user user_u). But when everything is finished booting I have some additional information for my users wherever you tell me to add it. I guess my rc.local would then need to perform a make reload to incorporate this additional information. Would this be an easy and sustainable way to achieve what I want? Do you have any better ideas? I can't be the only person who wants to do this, can I? I feel like what I'm asking is not unreasonable. Is SELinux intended for single machines working in insecure environments? Daniel J. Levine Section Supervisor Johns Hopkins University Applied Physics Laboratory 443-778-3952 240-228-3952 -----Original Message----- 
From: Russell Coker [mailto:russell at coker.com.au] Sent: Thursday, June 10, 2004 9:46 AM To: fedora-selinux-list at redhat.com Cc: Levine, Daniel J.; Stephen Smalley Subject: Re: Getting the user ID in log messages... On Thu, 10 Jun 2004 22:17, "Levine, Daniel J." wrote: > Thanks, I managed to figure that out from the "Getting Started with SELinux > HOWTO" from the adding a user section. For a standalone system, I can see > how this is no big deal. Every time I add a user, I add the user to the > /etc/selinux/users file. But suppose I have 100 machines, I would need to > add it to 100 systems. This is why I use NIS to manage my password and > shadow files. I suppose one homegrown solution would be to put > /etc/selinux/users into an NIS map (users.byname) and periodically (every > half-hour perhaps) have a cron job perform a ypcat users.byname > > /etc/selinux/users. Is there a standard map one could use or a PAM module > that's aware of such needs. There is no standard way of doing this. Maybe you will set the standard if you do it first! ;) Having a cron job automatically generate and load a SE Linux policy has its own issues as well. > Suppose I wasn't using something as old as NIS, like OpenLDAP, is there a > standard mechanism for putting this information into its databases? And if > not, should there be one? Probably there should. But we'll need to get an OID assigned for this. > Perhaps my problem is simpler to solve than this. All I really need is the > user ID of the person who logged in to the system. This identifies whose > account was used to perpetrate the illegal access. Could the user ID > number and user name be added to the log messages when violations occur? At the moment no. Maybe this is something for the audit facility rather than SE Linux kernel code. 
-- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From sds at epoch.ncsc.mil Thu Jun 10 18:34:19 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 10 Jun 2004 14:34:19 -0400 Subject: Getting the user ID in log messages... In-Reply-To: <9B1BC8B496577349843830DA4DC9733D05AC0AFC@freedom.dom1.jhuapl.edu> References: <9B1BC8B496577349843830DA4DC9733D05AC0AFC@freedom.dom1.jhuapl.edu> Message-ID: <1086892459.4397.57.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-06-10 at 08:17, Levine, Daniel J. wrote: > Perhaps my problem is simpler to solve than this. All I really need is the > user ID of the person who logged in to the system. This identifies whose > account was used to perpetrate the illegal access. Could the user ID number > and user name be added to the log messages when violations occur That is something which is best handled by the audit framework. Boot with audit=1. The audit framework already includes support for setting a login uid; someone just needs to patch login and friends to use it. -- Stephen Smalley National Security Agency From don.patterson at tresys.com Thu Jun 10 18:41:00 2004 
From: don.patterson at tresys.com (Don Patterson) Date: Thu, 10 Jun 2004 14:41:00 -0400 Subject: errors from setools In-Reply-To: <40C63371.7000809@mindspring.com> Message-ID: Evidently, the setools Makefile was not configured correctly for the setools package in the fedora rawhide tree. Currently, the selinux-strict policy install path is hard-coded in the Makefile, so tools such as seaudit, seinfo, and sesearch will use the installed selinux-strict policy by default. In your case, it should have been looking for /etc/selinux/strict/policy/policy.17 instead of /etc/selinux/strict/policy.17. A bug report has been entered in bugzilla with the proper patch. (http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125737) However, our tools should handle this situation more gracefully and this will be fixed in the next release. Please note that we plan to work on correctly supporting multiple policies soon. Thank you. Don Patterson Tresys Technology http://www.tresys.com -Don -----Original Message----- 
From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Richard Hally Sent: Tuesday, June 08, 2004 4:45 PM To: fedora-selinux-list at redhat.com Subject: errors from setools Below is the output from attempting to use 'seinfo' and 'seaudit'. The same error occurs in both enforcing and permissive modes. Perhaps this will be helpful to someone. [root at new2 root]# seinfo Could not open policy /etc/selinux/strict/policy.17! search_for_policyfile_with_ver: No such file or directory Error while searching for default policy: Error in find_default_policy_file(). [root at new2 root]# seaudit Could not open policy /etc/selinux/strict/policy.17?! search_for_policyfile_with_ver: No such file or directory [root at new2 root]# rpm -q setools setools-1.4-1 [root at new2 root]# rpm -q selinux-policy-strict selinux-policy-strict-1.13.4-2 [root at new2 root]# HTH Richard Hally -- fedora-selinux-list mailing list fedora-selinux-list at redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list From sds at epoch.ncsc.mil Thu Jun 10 19:30:09 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 10 Jun 2004 15:30:09 -0400 Subject: enforcing mode problems In-Reply-To: <40C6831D.5090802@comcast.net> References: <40C6831D.5090802@comcast.net> Message-ID: <1086895809.4397.104.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2004-06-08 at 23:25, Tom London wrote: > [On my system, yum/rpm seem not to be correctly labeling installed > files, so I manually check and change via 'fixfiles' or 'setfiles' as > appropriate. This is because rpm hasn't been updated for the new policy layout, so it cannot find the file_contexts configuration. Until it is updated, I have just created a symlink, i.e. ln -sf /etc/selinux/strict/contexts/files/file_contexts /etc/security/selinux/file_contexts -- Stephen Smalley National Security Agency From sds at epoch.ncsc.mil Thu Jun 10 19:50:26 2004 
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 10 Jun 2004 15:50:26 -0400 Subject: Getting the user ID in log messages... In-Reply-To: <9B1BC8B496577349843830DA4DC9733D05AC0AFE@freedom.dom1.jhuapl.edu> References: <9B1BC8B496577349843830DA4DC9733D05AC0AFE@freedom.dom1.jhuapl.edu> Message-ID: <1086897026.4397.123.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-06-10 at 10:50, Levine, Daniel J. wrote: > I'm curious why the ypcat cron with a make reload would present its own > issues. I guess it must be a security context issue since I'm new to it. crond is typically not authorized to perform such operations in the policy. But even if you were willing to trust crond in this manner, there is the question of the input to crond. Are you just trying to add all of these users and only authorize them for user_r? If so, then that is less of a concern. But if you want to pull user-role authorizations from a NIS map, then you obviously have other trust dependencies, e.g. protection of the server, authentication and integrity protection for the client-server communications, etc. > If so, I suppose I could have a central > NFS auto-mounted location for my local users file. So at boot time, I have > a nice sane policy (your default which maps all users to user user_u. But > when everything is finished booting I have some additional information for > my users wherever you tell me to add it. I guess my rc.local would then > need to perform a make reload to incorporate this additional information. > Would this be an easy and sustainable way to achieve what I want? Easy, sustainable, and unsafe, obviously. Compromise of the server or spoofing the server would allow you to inject arbitrary user-role authorizations. > Do you have any better ideas? I can't be the only person who wants to do > this, can I? I feel like what I'm asking is not unreasonable. Is SELinux > intended for single machines working in insecure environments? We have to walk before we can run. 
Distributed policy management is something that needs to be built for SELinux, but we couldn't get there if we didn't have SELinux at all... -- Stephen Smalley National Security Agency From selinux at comcast.net Thu Jun 10 20:09:05 2004 From: selinux at comcast.net (Tom London) Date: Thu, 10 Jun 2004 13:09:05 -0700 Subject: enforcing mode problems Message-ID: <40C8BFE1.5060208@comcast.net> Thanks for this workaround! What a work saver. I've also bugzilla'ed it here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125477 ------------------------------------------------------------------------ * /From/: Stephen Smalley * /To/: "Fedora SELinux support list for users & developers." * /Cc/: Daniel J Walsh * /Subject/: Re: enforcing mode problems * /Date/: Thu, 10 Jun 2004 15:30:09 -0400 ------------------------------------------------------------------------ On Tue, 2004-06-08 at 23:25, Tom London wrote: > [On my system, yum/rpm seem not to be correctly labeling installed > files, so I manually check and change via 'fixfiles' or 'setfiles' as > appropriate. This is because rpm hasn't been updated for the new policy layout, so it cannot find the file_contexts configuration. Until it is updated, I have just created a symlink, i.e. ln -sf /etc/selinux/strict/contexts/files/file_contexts /etc/security/selinux/file_contexts -- Stephen Smalley National Security Agency From belfrancis2001 at yahoo.ca Fri Jun 11 12:33:24 2004 
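Stephen's point above is that the map is untrusted input to the policy build: whoever controls (or spoofs) the directory server controls what ends up in the users file. If identities are still to be pulled from a central map, the generator has to treat the map as data and never as policy syntax: it should validate every login against a strict character set, refuse reserved identities, and take the role list from a local allowlist rather than from the map. The following is an added example written for this page, not code from the list or from the SELinux project; it assumes a "login:uid" dump format and that root and user_u are kept in the hand-maintained part of the users file, both of which are assumptions. The sample map is constructed.

```python
import re

# Constructed sample of what a users.byname-style lookup might return, in an
# assumed "login:uid" form (not real data). The fourth line is a crafted entry
# that tries to smuggle a sysadm_r authorization in through the login field.
SAMPLE_MAP = """\
alice:1001
bob:1002
mallory:1003
eve;user eve roles { sysadm_r }:1004
root:0
alice:1005
# trailing comment line
"""

# Identities the generated fragment must never redefine. Assumption: root and
# the generic identities stay in the hand-maintained part of the users file.
RESERVED = {"root", "user_u", "system_u"}

# Roles this host is willing to hand out to remotely supplied identities.
# The map never supplies roles; only this local allowlist does.
ALLOWED_ROLES = frozenset({"user_r"})

# Strict POSIX-style login syntax: nothing that could be read as policy syntax
# (no braces, semicolons, colons or whitespace can get through).
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def generate_users(map_text, roles=("user_r",)):
    """Return (accepted_lines, rejected_entries) for one map dump.

    accepted_lines are users-file statements of the form
    'user NAME roles { user_r };'; rejected_entries are the raw map lines
    that failed validation, kept verbatim so they can be logged and reviewed.
    """
    if not set(roles) <= ALLOWED_ROLES:
        raise ValueError(
            f"role not in local allowlist: {sorted(set(roles) - ALLOWED_ROLES)}")
    accepted, rejected, seen = [], [], set()
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        login, _, _uid = line.partition(":")
        if not LOGIN_RE.match(login) or login in RESERVED or login in seen:
            rejected.append(raw)  # keep the raw entry for the audit trail
            continue
        seen.add(login)
        accepted.append(f"user {login} roles {{ {' '.join(sorted(roles))} }};")
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = generate_users(SAMPLE_MAP)
    print("\n".join(ok))
    for entry in bad:
        print(f"# rejected: {entry!r}")
```

The output is only ever a list of identities authorized for user_r, so a compromised map can add or remove ordinary users but cannot grant sysadm_r or staff_r to anyone; the trust dependencies Stephen lists (server integrity, authenticated transport) still apply, and the reload of the resulting policy still needs a domain that is allowed to load policy, which crond normally is not.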
From: belfrancis2001 at yahoo.ca (Francis K Shim) Date: Fri, 11 Jun 2004 08:33:24 -0400 Subject: Newbie - From audit log message ("avc: denied") to an appropriate fix Message-ID: <1086957204.4096.31.camel@sol800.cawthra.com> Originally, I had Fedora Core 1 linux distro and then decided to simply upgrade to Fedora Core 2 via manually rpm-ing the necessary packages. Everything went pretty much as expected and now I have the Selinux policy packages all installed. I decided to start reading the obvious README in /etc/security/selinux/src/policy and then went to the NSA SELinux website. I did the make load and make relabel and reboot cycle, leaving the SELinux in permissive mode. Now, I am ready to take the next step: reading the audit logging messages and taking some action per audit. I just need some more insight and expertise from someone to enlighten me as to which direction to take. To start off with I am looking at the following audit line (with some editing out of irrelevant info) from "dmesg": audit(...): avc: denied { search } for pid=458 exe=/usr/bin/rhgb name=.themes dev=hda... ino=... scontext=system_u:system_r:rhgb_t tcontext=root:object_r:staff_home_t tclass=dir This audit line reports that the process (pid=458) running the executable program (/usr/bin/rhgb), the RedHat Graphics Boot program, was trying to access the target object ".themes" (a directory). Okay, the rhgb process is running in the source context with an identity of "system_u" (System user) in the role of "system_r" (System role) within the domain of "rhgb_t" (RedHat Graphics Boot domain) and is trying to access the directory target object ".themes" which has a target context with an identity of "root" in the role of "system_r" (System role) with a type of "staff_home_t" (Staff Home object type). Given that the audit process denies the "search" on this access, that means that the rhgb domain does not have "search" access to a staff_home_t type object. 
Okay, I guess I should go to the /etc/security/selinux/src/policy directory and edit the policy.conf(?) file to add a suitable transition policy... but I am not confident as to what. Any good tips and comments? Thanks, Frank -- Francis K Shim From igor at datanaut.com Fri Jun 11 13:13:20 2004 From: igor at datanaut.com (Igor Borisovsky) Date: Fri, 11 Jun 2004 17:13:20 +0400 Subject: Needs to prevent executing su. Message-ID: <200406111315.i5BDFvh20359@alexru.adsl.kis.ru> Hi. How to prevent executing 'su postgres' command by root? Thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: From russell at coker.com.au Fri Jun 11 13:30:07 2004 
From: russell at coker.com.au (Russell Coker) Date: Fri, 11 Jun 2004 23:30:07 +1000 Subject: Newbie - From audit log message ("avc: denied") to an appropriate fix In-Reply-To: <1086957204.4096.31.camel@sol800.cawthra.com> References: <1086957204.4096.31.camel@sol800.cawthra.com> Message-ID: <200406112330.07291.russell@coker.com.au> On Fri, 11 Jun 2004 22:33, Francis K Shim wrote: > To start off with I am looking at the following audit line (with some > editing out of irrelevant info) from "dmesg": > > audit(...): avc: denied { search } > for pid=458 exe=/usr/bin/rhgb > name=.themes dev=hda... ino=... > scontext=system_u:system_r:rhgb_t > tcontext=root:object_r:staff_home_t > tclass=dir > > This audit line reports that the process (pid=458) running the > executable program (/usr/bin/rhgb), the RedHat Graphics Boot program, > was trying to access the target object ".themes" (a directory). I think that is a bug in rhgb. I can imagine a situation where the administrator may put bogus data in the .themes directory. While the system is operational there will be no problem as the admin never logs in to X as root. But then after some months of uptime the machine is rebooted and fails to correctly complete the boot process because rhgb stuffs up. Please file a bugzilla about this. > Okay, the rhgb process is running in the source context with an identity > of "system_u" (System user) in the role of "system_r" (System role) > within the domain of "rhgb_t" (RedHat Graphics Boot domain) and is > trying to access the directory target object ".themes" which has a > target context with an identity of "root" in the role of "system_r" > (System role) with a type of "staff_home_t" (Staff Home object type). > > Given that the audit process denies the "search" on this access, that > means that the rhgb domain does not have "search" access to a > staff_home_t type object. Correct. 
When I wrote the rhgb policy I did not have a /root/.themes directory (I never use X as root), so such an access was not required. > Okay, I guess I should go to the /etc/security/selinux/src/policy > directory and edit the policy.conf(?) file to add a suitable transition > policy... but I am not confident as to what. policy.conf is a generated file, editing it by hand is a bad idea. You can edit domains/program/rhgb.te and then run "make load" to install the new policy. Alternately you can create a new file domains/misc/custom.te to have such rules to keep your policy separate from policy that is provided by RPMs. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From russell at coker.com.au Fri Jun 11 13:36:22 2004 
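Francis's reading of the avc line is the manual version of what turns a denial into a rule: the source type from scontext, the target type from tcontext, the object class, and the permission set become one allow (or dontaudit) statement for domains/misc/custom.te. The block below is an added example for this page, not code from the list, from rhgb or from the policycoreutils audit2allow tool it imitates; it parses the FC2-era dmesg format quoted above, merges repeated denials for the same (source, target, class) triple, and lets the caller pick dontaudit for pairs where, as Russell says of rhgb, the right fix is in the program rather than in policy. The sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the FC2-era dmesg avc format (not real log data).
# Line 4 is a grant, not a denial, and must be ignored by the parser.
SAMPLE_AVC_LINES = [
    "audit(1086957204.123:0): avc:  denied  { search } for  pid=458 exe=/usr/bin/rhgb "
    "name=.themes dev=hda2 ino=12345 scontext=system_u:system_r:rhgb_t "
    "tcontext=root:object_r:staff_home_t tclass=dir",
    "audit(1086957204.456:0): avc:  denied  { read } for  pid=458 exe=/usr/bin/rhgb "
    "name=.themes dev=hda2 ino=12345 scontext=system_u:system_r:rhgb_t "
    "tcontext=root:object_r:staff_home_t tclass=dir",
    "audit(1086957205.789:0): avc:  denied  { read write } for  pid=612 exe=/usr/sbin/syslogd "
    "name=log dev=hda2 ino=9999 scontext=system_u:system_r:syslogd_t "
    "tcontext=system_u:object_r:devlog_t tclass=sock_file",
    "audit(1086957206.000:0): avc:  granted  { load_policy } for  pid=700 "
    "scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security",
]

# Only denials carry information about missing rules; grants are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is identity:role:type; the type is what allow rules are written against.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def collect(lines):
    """Merge all denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        rules[(stype, ttype, tclass)] |= perms
    return rules


def render(rules, dontaudit=()):
    """Emit one policy statement per triple, sorted for stable diffs.

    dontaudit is a set of (source_type, target_type) pairs for which the
    denial is expected and should merely stop being logged rather than allowed.
    """
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        verb = "dontaudit" if (stype, ttype) in dontaudit else "allow"
        out.append(f"{verb} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


if __name__ == "__main__":
    # rhgb looking inside /root/.themes is a program bug per the thread, so silence it
    # instead of granting the boot splash read access to the admin's home directory.
    for stmt in render(collect(SAMPLE_AVC_LINES), dontaudit={("rhgb_t", "staff_home_t")}):
        print(stmt)
```

The generated statements go into a file such as domains/misc/custom.te followed by make load, exactly as Russell describes; the value of merging first is that a single boot producing search, then read, then getattr denials yields one rule rather than three. The caveat stands, though: a denial only tells you what the program tried, not whether it should be allowed, so each generated allow deserves the same question Russell asks of rhgb before it is loaded.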
From: russell at coker.com.au (Russell Coker) Date: Fri, 11 Jun 2004 23:36:22 +1000 Subject: Needs to prevent executing su. In-Reply-To: <200406111315.i5BDFvh20359@alexru.adsl.kis.ru> References: <200406111315.i5BDFvh20359@alexru.adsl.kis.ru> Message-ID: <200406112336.22300.russell@coker.com.au> On Fri, 11 Jun 2004 23:13, "Igor Borisovsky" wrote: > How to prevent executing 'su postgres' command by root? If the identity "root" is only permitted the "user_r" role (as implemented on several SE Linux machines) then they will not be able to run the su command, or perform other administrative tasks (including access to postgres data files). If "root" operates in the traditional unix manner (i.e. having full control over the machine) then why try to restrict it from "su postgres" as it can already access all such files? -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From igor at datanaut.com Fri Jun 11 13:53:52 2004 From: igor at datanaut.com (Igor Borisovsky) Date: Fri, 11 Jun 2004 17:53:52 +0400 Subject: Needs to prevent executing su. In-Reply-To: <200406112336.22300.russell@coker.com.au> Message-ID: <200406111356.i5BDujh20422@alexru.adsl.kis.ru> root operates as server administrator. Now the selinux policy configuration forbids root access to the postgresql data files. The Postgresql database contains secure data. Therefore root must not be able to access this information. Instead, there is a database administrator. This person is authorized to do all database related operations. So I need to prevent executing 'su postgres' for root. -----Original Message----- 
From: Russell Coker [mailto:russell at coker.com.au] Sent: Friday, June 11, 2004 5:36 PM To: fedora-selinux-list at redhat.com Cc: Igor Borisovsky Subject: Re: Needs to prevent executing su. On Fri, 11 Jun 2004 23:13, "Igor Borisovsky" wrote: > How to prevent executing 'su postgres' command by root? If the identity "root" is only permitted the "user_r" role (as implemented on several SE Linux machines) then they will not be able to run the su command, or perform other administrative tasks (including access to postgres data files). If "root" operates in the traditional unix manner (i.e. having full control over the machine) then why try to restrict it from "su postgres" as it can already access all such files? -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From jeempc at sbcglobal.net Fri Jun 11 14:26:06 2004 
From: jeempc at sbcglobal.net (jeem machine) Date: Fri, 11 Jun 2004 07:26:06 -0700 (PDT) Subject: LIST-ADMIN: Error in mail headers In-Reply-To: <600B91D5E4B8D211A58C00902724252C01BC06B4@piramida.hermes.si> Message-ID: <20040611142606.2942.qmail@web80803.mail.yahoo.com> X-Apparently-To: jeempc at sbcglobal.net via web80809.mail.yahoo.com; Thu, 10 Jun 2004 05:33:49 -0700 Return-Path: Received: from yipvmf-ext.prodigy.net (EHLO yipvmf.prodigy.net) (207.115.63.33) by mta820.mail.sc5.yahoo.com with SMTP; Thu, 10 Jun 2004 05:33:48 -0700 X-Originating-IP: [209.132.177.30] Received: from hormel.redhat.com (hormel.redhat.com [209.132.177.30]) by yipvmf.prodigy.net (8.12.10/8.12.10) with ESMTP id i5ACXlQv072288; Thu, 10 Jun 2004 08:33:48 -0400 Received: from listman.util.phx.redhat.com (listman.util.phx.redhat.com [10.8.4.110]) by hormel.redhat.com (Postfix) with ESMTP id 682EE7383D; Thu, 10 Jun 2004 08:33:47 -0400 (EDT) Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254]) by listman.util.phx.redhat.com (8.12.10/8.12.10) with ESMTP id i5ACXjNv022149; Thu, 10 Jun 2004 08:33:46 -0400 Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32]) by int-mx1.corp.redhat.com (8.11.6/8.11.6) with ESMTP id i5ACXj010555; Thu, 10 Jun 2004 08:33:45 -0400 Received: from guardian.hermes.si (guardian.hermes.si [193.77.5.150]) by mx3.redhat.com (8.12.10/8.12.10) with ESMTP id i5ACXdXn012957; Thu, 10 Jun 2004 08:33:39 -0400 Received: from primus.hermes.si (primus.hermes.si [193.77.5.98]) by guardian.hermes.si (8.9.3/8.9.3) with ESMTP id OAA10108; Thu, 10 Jun 2004 14:33:24 +0200 (METDST) Received: from localhost (localhost.localdomain [127.0.0.1]) by primus.hermes.si (Postfix) with ESMTP id C173A73C73; Thu, 10 Jun 2004 14:33:20 +0200 (CEST) Received: from primus.hermes.si ([127.0.0.1]) by localhost (primus.hermes.si [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 32586-10; Thu, 10 Jun 2004 14:33:20 +0200 (CEST) Received: from piramida.hermes.si 
(piramida.hermes.si [10.49.197.3]) by primus.hermes.si (Postfix) with ESMTP id 91EB073C78; Thu, 10 Jun 2004 14:33:20 +0200 (CEST) Received: by piramida.hermes.si with Internet Mail Service (5.5.2657.72) id ; Thu, 10 Jun 2004 14:33:21 +0200 Message-ID: <600B91D5E4B8D211A58C00902724252C01BC06B4 at piramida.hermes.si> 
From: "David Balazic" Add to Address Book To: "'fedora-selinux-list at redhat.com'" CC: "'fedora-selinux-list-bounces at redhat.com'" Date: Thu, 10 Jun 2004 14:33:20 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2657.72) Content-Type: text/plain X-Virus-Scanned: by amavisd-new at hermes.si (internal) X-RedHat-Spam-Score: 0 Subject: LIST-ADMIN: Error in mail headers X-BeenThere: fedora-selinux-list at redhat.com X-Mailman-Version: 2.1.5 Precedence: junk Reply-to: "Fedora SELinux support list for users & developers." List-Id: "Fedora SELinux support list for users & developers." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: fedora-selinux-list-bounces at redhat.com Errors-To: fedora-selinux-list-bounces at redhat.com Content-Length: 465 That's what I get. Jeem --- David Balazic wrote: > Hi! > > The header of mail coming from this list have among > other things this : > > List-Archive: > > Which is wrong, correct would be something like this > : > > List-Archive: > > > Also there is no owner or administrator listed. > > Regards, > David > > ---------------------------------------------------------------------------- > ----------- > http://noepatents.org/ Innovation, not > litigation ! > --- > David Balazic > mailto:david.balazic at hermes.si > HERMES Softlab > http://www.hermes-softlab.com > Zagrebska cesta 104 Phone: +386 2 450 > 8851 > SI-2000 Maribor > Slovenija > ---------------------------------------------------------------------------- > ----------- > "Be excellent to each other." - > Bill S. Preston, Esq. & "Ted" Theodore Logan > ---------------------------------------------------------------------------- > ----------- > > > > > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list From bleher at informatik.uni-muenchen.de Fri Jun 11 14:31:52 2004 
From: bleher at informatik.uni-muenchen.de (Thomas Bleher) Date: Fri, 11 Jun 2004 16:31:52 +0200 Subject: Needs to prevent executing su. In-Reply-To: <200406111356.i5BDujh20422@alexru.adsl.kis.ru> References: <200406112336.22300.russell@coker.com.au> <200406111356.i5BDujh20422@alexru.adsl.kis.ru> Message-ID: <20040611143152.GA2110@cip.ifi.lmu.de> * Igor Borisovsky [2004-06-11 15:53]: > root operates as server administrator. Now selinux policy configuration > forbids root access to the postgresql data files. > Postgresql database contains secure data. Therefore root must not be able to > access to this information. > Instead of there is database administrator. This person is authorized to do > all database related operations. > So I need to prevent executing 'su postgres' for root. You should note that every uid==0 process can change its uid to anything else, SELinux doesn't restrict this at all. You can test this as root and user_r with the following perl command: $ perl -MPOSIX -e 'POSIX::setuid(1000);system("id");' So you should probably define a new role (say dataop_r) which gets access to the database and make sure that root is not authorized for it. I still don't think that it is possible to prevent sysadm_r from accessing the database (think about replacing binaries, changing the policy, raw disk access, ...) but others have already said that. Thomas -- http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From selinux at comcast.net Fri Jun 11 16:03:07 2004 
From: selinux at comcast.net (Tom London) Date: Fri, 11 Jun 2004 09:03:07 -0700 Subject: kernel-2.6.6-1.427... update questions? Message-ID: <40C9D7BB.5010607@comcast.net> kernel-2.6.6-1.427 has made it to the 'released updates' tree. My other system that is running this version is also running the new selinux-policy packages, and I previously needed to add 'selinux=1' to the boot params. Before I test it out on my 'real machine', anyone know if .427 will work with the old policy packages, file tree (/etc/security/selinux vs. /etc/selinux) and config file (/etc/sysconfig/selinux vs. /etc/selinux/config)? Do I still need the 'selinux=1' boot param? thanks tom From selinux at comcast.net Fri Jun 11 16:45:38 2004 From: selinux at comcast.net (Tom London) Date: Fri, 11 Jun 2004 09:45:38 -0700 Subject: kernel-2.6.6-1.427... update questions? (answered) In-Reply-To: <40C9D7BB.5010607@comcast.net> References: <40C9D7BB.5010607@comcast.net> Message-ID: <40C9E1B2.3000309@comcast.net> OK. I tested the waters myself. 1. 'selinux=1' is no longer needed as bootparam. 2. kernel-2.6.6-1.427 works just fine with 'old' policy packages. 3. works fine with 'old' /etc/sysconfig/selinux. I installed and test booted it: came up in enforcing mode with no problems. tom Tom London wrote: > kernel-2.6.6-1.427 has made it to the 'released updates' tree. > > My other system that is running this version is also running the new > selinux-policy packages, and I previously needed to add 'selinux=1' to > the boot params. > > Before I test it out on my 'real machine', anyone know if .427 will > work with the old policy packages, file tree (/etc/security/selinux > vs. /etc/selinux) and config file (/etc/sysconfig/selinux vs. > /etc/selinux/config)? Do I still need the 'selinux=1' boot param? > > thanks > tom > From selinux at comcast.net Fri Jun 11 17:43:27 2004 
From: selinux at comcast.net (Tom London) Date: Fri, 11 Jun 2004 10:43:27 -0700 Subject: avc's missing again? Message-ID: <40C9EF3F.30000@comcast.net> I just noticed that I am no longer getting avc messages in /var/log/messages for my 'run out of the development tree' system. It is running kernel-2.6.6-1.427, selinux-policy-strict-1.13.4-2 and libselinux-1.13.2-4. I only get 'blank lines' in /var/log/messages and 'last line repeated 47 times' type messages. Seems to have started 2 days ago. The same kernel running with the old policy files (policy-1.11.3-3 and libselinux-1.11.4-1) produce avc messages in the log. The config file for the kernel appears to have AUDIT set to 'y'..... Anyone seeing this? tom From selinux at comcast.net Fri Jun 11 18:18:29 2004 
From: selinux at comcast.net (Tom London)
Date: Fri, 11 Jun 2004 11:18:29 -0700
Subject: run_init uses /etc/security/initrc_context (was; avc's missing again?)
In-Reply-To: <40C9EF3F.30000@comcast.net>
References: <40C9EF3F.30000@comcast.net>
Message-ID: <40C9F775.8010101@comcast.net>

After digging a bit, I determined that the problem is that syslog is not running.

I tried to start it manually with 'run_init /etc/rc.d/init.d/syslog start' but got:
Could not open file: /etc/security/initrc_context

Indeed, this file no longer exists (now /etc/selinux/strict/contexts/initrc_context)

Creating a symbolic link 'ln -sf /etc/selinux/strict/contexts/initrc_context /etc/security/initrc_context' did not seem to work, nor did copying the file (and copying context) to /etc/security (get same message).

I'm running policycoreutils-1.13.3. Is there a newer one?

Bugzilla'ed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125809

tom
[I'm guessing that updating to selinux-policy-strict-1.13.4-2 may have removed /etc/security/initrc_context. That possible?]

Tom London wrote:
> I just noticed that I am no longer getting avc messages in
> /var/log/messages for my 'run out of the development tree' system.
>
> It is running kernel-2.6.6-1.427, selinux-policy-strict-1.13.4-2 and
> libselinux-1.13.2-4.
> I only get 'blank lines' in /var/log/messages and 'last line repeated
> 47 times' type messages.
>
> Seems to have started 2 days ago. The same kernel running with the
> old policy files (policy-1.11.3-3 and libselinux-1.11.4-1) produces avc
> messages in the log.
>
> The config file for the kernel appears to have AUDIT set to 'y'.....
>
> Anyone seeing this?
>
> tom
>
>

From bleher at informatik.uni-muenchen.de Fri Jun 11 18:59:24 2004
From: bleher at informatik.uni-muenchen.de (Thomas Bleher)
Date: Fri, 11 Jun 2004 20:59:24 +0200
Subject: Needs to prevent executing su.
In-Reply-To: <20040611143152.GA2110@cip.ifi.lmu.de>
References: <200406112336.22300.russell@coker.com.au> <200406111356.i5BDujh20422@alexru.adsl.kis.ru> <20040611143152.GA2110@cip.ifi.lmu.de>
Message-ID: <20040611185924.GA2154@jmh.mhn.de>

* Thomas Bleher [2004-06-11 16:32]:
> You should note that every uid==0 process can change its uid to anything
> else, SELinux doesn't restrict this at all.
> You can test this as root and user_r with the following perl command:
> $ perl -MPOSIX -e 'POSIX::setuid(1000);system("id");'

I thought about this a bit more and think that my previous posting was incorrect. (I'm not sure and can't test ATM, so it would be nice if someone could correct me if I'm wrong).
Setting the uid in a program should be covered by the setuid capability, so this is controllable by SELinux policy. What is not covered (IIRC) are setuid executables.

Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7

From selinux at comcast.net Fri Jun 11 19:58:10 2004
From: selinux at comcast.net (Tom London)
Date: Fri, 11 Jun 2004 12:58:10 -0700
Subject: Problem with sysklogd-1.4.1-17 (was: Re: run_init uses /etc/security/initrc_context (was; avc's missing again?))
In-Reply-To: <40C9F775.8010101@comcast.net>
References: <40C9EF3F.30000@comcast.net> <40C9F775.8010101@comcast.net>
Message-ID: <40CA0ED2.20200@comcast.net>

Sigh..... Still more....

appears this is a problem with sysklogd-1.4.1-17 (see: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125650).

The problem with run_init is probably a tangent.....

tom

Tom London wrote:
> After digging a bit, I determined that the problem is that syslog is
> not running.
>
> I tried to start it manually with 'run_init /etc/rc.d/init.d/syslog
> start' but got:
> Could not open file: /etc/security/initrc_context
>
> Indeed, this file no longer exists (now
> /etc/selinux/strict/contexts/initrc_context)
>
> Creating a symbolic link 'ln -sf
> /etc/selinux/strict/contexts/initrc_context
> /etc/security/initrc_context' did not seem to work, nor did copying
> the file (and copying context) to /etc/security (get same message).
>
> I'm running policycoreutils-1.13.3. Is there a newer one?
>
> Bugzilla'ed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125809
>
> tom
> [I'm guessing that updating to selinux-policy-strict-1.13.4-2 may have
> removed /etc/security/initrc_context. That possible?]
>
> Tom London wrote:
>
>> I just noticed that I am no longer getting avc messages in
>> /var/log/messages for my 'run out of the development tree' system.
>>
>> It is running kernel-2.6.6-1.427, selinux-policy-strict-1.13.4-2 and
>> libselinux-1.13.2-4.
>> I only get 'blank lines' in /var/log/messages and 'last line repeated
>> 47 times' type messages.
>>
>> Seems to have started 2 days ago. The same kernel running with the
>> old policy files (policy-1.11.3-3 and libselinux-1.11.4-1) produces
>> avc messages in the log.
>>
>> The config file for the kernel appears to have AUDIT set to 'y'.....
>>
>> Anyone seeing this?
>>
>> tom
>>
>>
>
>

From russell at coker.com.au Sat Jun 12 08:18:20 2004
From: russell at coker.com.au (Russell Coker)
Date: Sat, 12 Jun 2004 18:18:20 +1000
Subject: Needs to prevent executing su.
In-Reply-To: <20040611185924.GA2154@jmh.mhn.de>
References: <200406112336.22300.russell@coker.com.au> <20040611143152.GA2110@cip.ifi.lmu.de> <20040611185924.GA2154@jmh.mhn.de>
Message-ID: <200406121818.20820.russell@coker.com.au>

On Sat, 12 Jun 2004 04:59, Thomas Bleher wrote:
> Setting the uid in a program should be covered by the setuid capability,
> so this is controllable by SELinux policy. What is not covered (IIRC)
> are setuid executables.

Yes, the setuid capability covers the ability to call the setuid() system call.

If a setuid binary has a type that triggers a domain_auto_trans() rule then the target domain will be checked for setuid capability.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Sat Jun 12 08:18:58 2004
From: russell at coker.com.au (Russell Coker)
Date: Sat, 12 Jun 2004 18:18:58 +1000
Subject: Needs to prevent executing su.
In-Reply-To: <200406111356.i5BDujh20422@alexru.adsl.kis.ru>
References: <200406111356.i5BDujh20422@alexru.adsl.kis.ru>
Message-ID: <200406121818.58320.russell@coker.com.au>

On Fri, 11 Jun 2004 23:53, "Igor Borisovsky" wrote:
> root operates as server administrator. Now selinux policy configuration
> forbids root access to the postgresql data files.
> Postgresql database contains secure data. Therefore root must not be able
> to access this information.
> Instead there is a database administrator. This person is authorized to do
> all database related operations.
> So I need to prevent executing 'su postgres' for root.

The solution is that you use SE Linux to control which domains can access the files in question, and not use Unix permissions to do this.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From david.balazic at hermes.si Sat Jun 12 11:34:25 2004
From: david.balazic at hermes.si (David Balazic)
Date: Sat, 12 Jun 2004 13:34:25 +0200
Subject: Various problems on fresh FC2 install
Message-ID: <600B91D5E4B8D211A58C00902724252C01BC06C9@piramida.hermes.si>

Hi!

I discovered more problems with SELinux. I will describe each and wait for your comment ;-)

This is all on a fresh clean install of FC2 with SELinux enabled. ( I did once run "fixfiles relabel" )

========
root under context root:staff_r:staff_t can not use rpm -q :

NOTE: only when writing this mail I noticed, that it actually prints the expected output. Are the audit messages a problem ? I think I did not see them when running under the root:sysadm_r:sysadm_t context

Fedora Core release 2 (Tettnang)
Kernel 2.6.5-1.358 on an i686

localhost login: root
Password:
Your default context is root:sysadm_r:sysadm_t.
Do you want to choose a different one? [n]y
[2] root:staff_r:staff_t
Enter number of choice: 2
Last login: Fri Jun 11 19:37:37 on tty2
[root at localhost root]# rpm -q kernel
audit(1086975532.470:0): avc: denied { dac_override } for pid=2612 exe=/usr/lib/rpm/rpmq capability=1 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
audit(1086975532.470:0): avc: denied { dac_read_search } for pid=2612 exe=/usr/lib/rpm/rpmq capability=2 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
audit(1086975532.472:0): avc: denied { dac_override } for pid=2612 exe=/usr/lib/rpm/rpmq capability=1 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
audit(1086975532.472:0): avc: denied { dac_read_search } for pid=2612 exe=/usr/lib/rpm/rpmq capability=2 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
audit(1086975532.489:0): avc: denied { dac_override } for pid=2612 exe=/usr/lib/rpm/rpmq capability=1 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
audit(1086975532.489:0): avc: denied { dac_read_search } for pid=2612 exe=/usr/lib/rpm/rpmq capability=2 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
kernel-2.6.5-1.358
kernel-2.4.22-1.2061.nptl
[root at localhost root]#

========
grub fails with the default root root:sysadm_r:sysadm_t :

[root at localhost root]# grub
Probing devices to guess BIOS drives. This may take a long time.
audit(1086973995.955:0): avc: denied { read } for pid=2576 exe=/sbin/grub name=linux dev=hde2 ino=148612 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:usr_t tclass=file
Error opening terminal: linux.
[root at localhost root]#

it works with [2] root:staff_r:staff_t

grub-install does not work at all :

[root at localhost root]# grub-install /dev/hde   # this is root:staff_r:staff_t
audit(1086974024.461:0): avc: denied { write } for pid=3140 exe=/bin/rm name=grub dev=hde1 ino=9841 scontext=root:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=dir
rm: cannot remove `/boot/grub/stage1': Permission denied
[root at localhost root]#

[root at localhost root]# grub-install /dev/hde   # root:sysadm_r:sysadm_t
audit(1086974089.530:0): avc: denied { read } for pid=3193 exe=/bin/cp name=stage1 dev=hde2 ino=180241 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:usr_t tclass=file
cp: cannot open `/usr/share/grub/i386-redhat/stage1' for reading: Permission denied

==================
tvtime can not access /dev/rtc and /dev/video0 :

[stein at localhost stein]$ tvtime
Running tvtime 0.9.12.
rtctimer: Cannot open /dev/rtc: Permission denied
rtctimer: Cannot open /dev/misc/rtc: No such file or directory

Enhanced Real Time Clock support in your kernel is necessary for smooth video. We strongly recommend that you load the 'rtc' kernel module before starting tvtime, and make sure that your user has access to the device file (/dev/rtc or /dev/misc/rtc). See our support page at http://tvtime.net/ for more information.

Reading configuration from /etc/tvtime/tvtime.xml
Reading configuration from /home/stein/.tvtime/tvtime.xml
videoinput: Cannot open capture device /dev/video0: Permission denied

Thank you for using tvtime.
[stein at localhost stein]$ rpm -q tvtime
tvtime-0.9.12-5
==================

Regards,
David

---------------------------------------------------------------------------------------
http://noepatents.org/   Innovation, not litigation !
---
David Balazic                 mailto:david.balazic at hermes.si
HERMES Softlab                http://www.hermes-softlab.com
Zagrebska cesta 104           Phone: +386 2 450 8851
SI-2000 Maribor               Slovenija
---------------------------------------------------------------------------------------
"Be excellent to each other." - Bill S. Preston, Esq. & "Ted" Theodore Logan
---------------------------------------------------------------------------------------

From russell at coker.com.au Sat Jun 12 11:38:37 2004
From: russell at coker.com.au (Russell Coker)
Date: Sat, 12 Jun 2004 21:38:37 +1000
Subject: strange AVC messages with kernel 2.6.6-1.427
Message-ID: <200406122138.37552.russell@coker.com.au>

With the latest kernel I am getting some strange AVC messages I didn't get with 2.6.5-1.358.

audit(1087039822.666:0): avc: denied { getattr } for pid=5262 exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t tcontext=system_u:object_r:root_t tclass=chr_file
audit(1087039822.684:0): avc: denied { getattr } for pid=5262 exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t tcontext=system_u:object_r:root_t tclass=chr_file

There is no device node 16381 on the file system. Running the same command repeatedly gives similar messages with different inode numbers, so I guess it's some sort of temporary file. The machine is in enforcing mode and nothing that might want to create a root_t chr_file has permission to do so...

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Sat Jun 12 12:56:29 2004
From: russell at coker.com.au (Russell Coker)
Date: Sat, 12 Jun 2004 22:56:29 +1000
Subject: Various problems on fresh FC2 install
In-Reply-To: <600B91D5E4B8D211A58C00902724252C01BC06C9@piramida.hermes.si>
References: <600B91D5E4B8D211A58C00902724252C01BC06C9@piramida.hermes.si>
Message-ID: <200406122256.29264.russell@coker.com.au>

On Sat, 12 Jun 2004 21:34, David Balazic wrote:
> grub fails with the default root root:sysadm_r:sysadm_t :
>
> [root at localhost root]# grub
> Probing devices to guess BIOS drives. This may take a long time.
> audit(1086973995.955:0): avc: denied { read } for pid=2576
> exe=/sbin/grub name=linux dev=hde2 ino=148612
> scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:usr_t
> tclass=file
> Error opening terminal: linux.
> [root at localhost root]#

I've attached a modified bootloader.te to allow that.

> it works with [2] root:staff_r:staff_t
>
> grub-install does not work at all :
>
> [root at localhost root]# grub-install /dev/hde   # this is
> root:staff_r:staff_t audit(1086974024.461:0): avc: denied { write } for
> pid=3140 exe=/bin/rm name=grub dev=hde1 ino=9841
> scontext=root:staff_r:staff_t
> tcontext=system_u:object_r:boot_t tclass=dir
> rm: cannot remove `/boot/grub/stage1': Permission denied
> [root at localhost root]#

It is not designed that you will run grub as staff_r.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-------------- next part --------------
#DESC Bootloader - Lilo boot loader/manager
#
# Author:  Russell Coker
# X-Debian-Packages: lilo
#

#################################
#
# Rules for the bootloader_t domain.
#
# bootloader_exec_t is the type of the bootloader executable.
#
type bootloader_t, domain, privlog, privmem, fs_domain;
type bootloader_exec_t, file_type, sysadmfile, exec_type;
etc_domain(bootloader)
typealias bootloader_etc_t alias etc_bootloader_t;
role sysadm_r types bootloader_t;
role system_r types bootloader_t;

allow bootloader_t var_t:dir search;
create_append_log_file(bootloader_t, var_log_t)
allow bootloader_t var_log_t:file write;

# for nscd
dontaudit bootloader_t var_run_t:dir search;

domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
allow bootloader_t { initrc_t privfd }:fd use;

tmp_domain(bootloader)
allow bootloader_t bootloader_tmp_t:devfile_class_set create_file_perms;

read_locale(bootloader_t)

# for tune2fs
file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file)

# for /vmlinuz sym link
allow bootloader_t root_t:lnk_file read;

allow bootloader_t { etc_t device_t }:dir r_dir_perms;
allow bootloader_t etc_t:file r_file_perms;
allow bootloader_t etc_t:lnk_file read;

uses_shlib(bootloader_t)

allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;

# LVM2 / Device Mapper's /dev/mapper/control
# maybe we should change the labeling for this
ifdef(`lvm.te', `
allow bootloader_t lvm_control_t:chr_file rw_file_perms;
domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
r_dir_file(bootloader_t, lvm_etc_t)
')

# uncomment the following line if you use "lilo -p"
#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);

can_exec(bootloader_t, { bootloader_exec_t shell_exec_t ls_exec_t bin_t sbin_t })
allow bootloader_t shell_exec_t:lnk_file read;
allow bootloader_t { bin_t sbin_t }:dir search;
allow bootloader_t { bin_t sbin_t }:lnk_file read;

allow bootloader_t { modules_dep_t modules_object_t }:file read;
dontaudit bootloader_t modules_dep_t:file ioctl;
allow bootloader_t modules_object_t:dir { read search };
allow bootloader_t modules_conf_t:file read;

# for ldd
ifdef(`fsadm.te', `
allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
')
ifdef(`modutil.te', `
allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans };
')

dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;

allow bootloader_t boot_t:dir { create rw_dir_perms };
allow bootloader_t boot_t:{ file lnk_file } create_file_perms;

allow bootloader_t load_policy_exec_t:file { getattr read };
allow bootloader_t random_device_t:chr_file { getattr read };

ifdef(`rpm.te', `
# for mke2fs
domain_auto_trans(bootloader_t, mount_exec_t, mount_t);
allow mount_t bootloader_tmp_t:dir mounton;
# new file system defaults to file_t, granting file_t access is still bad.
allow bootloader_t file_t:dir create_dir_perms;
allow bootloader_t file_t:{ file lnk_file blk_file chr_file } create_file_perms;
allow bootloader_t self:unix_stream_socket create_socket_perms;
allow bootloader_t boot_runtime_t:file { read getattr unlink };
# for memlock
allow bootloader_t zero_device_t:chr_file { getattr read };
allow bootloader_t self:capability ipc_lock;
')

allow bootloader_t self:capability { fsetid sys_rawio sys_admin mknod chown };

# allow bootloader to get attributes of any device node
allow bootloader_t file_type:dir_file_class_set getattr;
dontaudit bootloader_t devpts_t:dir create_dir_perms;

allow bootloader_t self:process { fork signal_perms };
allow bootloader_t self:lnk_file read;
allow bootloader_t self:dir search;
allow bootloader_t self:file { getattr read };
allow bootloader_t self:fifo_file rw_file_perms;
allow bootloader_t fs_t:filesystem getattr;
allow bootloader_t proc_t:dir { getattr search };
allow bootloader_t proc_t:file r_file_perms;
allow bootloader_t proc_t:lnk_file { getattr read };
allow bootloader_t self:dir { getattr search read };
allow bootloader_t sysctl_kernel_t:dir search;
allow bootloader_t sysctl_kernel_t:file { getattr read };
allow bootloader_t etc_runtime_t:file r_file_perms;
allow bootloader_t devtty_t:chr_file rw_file_perms;
allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
allow bootloader_t initrc_t:fifo_file { read write };

ifdef(`dpkg.te', `
# for making an initrd
can_exec(bootloader_t, mount_exec_t)
ifdef(`chroot.te', `
can_exec(bootloader_t, chroot_exec_t)
')dnl end chroot.te
')dnl end dpkg.te

# for reading BIOS data
allow bootloader_t memory_device_t:chr_file r_file_perms;
allow bootloader_t policy_config_t:dir { search read };
allow bootloader_t policy_config_t:file read;
allow bootloader_t lib_t:file { getattr read };
allow bootloader_t sysfs_t:dir getattr;
allow bootloader_t urandom_device_t:chr_file read;
allow bootloader_t { usr_t var_t }:file { getattr read };
r_dir_file(bootloader_t, src_t)

From rhallyx at mindspring.com Sun Jun 13 06:29:05 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Sun, 13 Jun 2004 02:29:05 -0400
Subject: avc denied from kernel 427 update
Message-ID: <40CBF431.4060404@mindspring.com>

Below a few of the over 100 warning and error messages from doing yum update today. (6/12/04) Of the ones that didn't scroll off, they are all about the 427/build directory tree.
This is in enforcing mode using the most recent strict policy that existed before today's update to selinux-policy-strict-sources-1.13.4-5. The avc denied messages are further below.
HTH
Richard Hally

-----------------------------------------------------------------------------------------------------
from yum update:
...
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/.config: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/init/Makefile: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/init/Kconfig: Permission denied
FATAL: Could not open /lib/modules/2.6.6-1.427/modules.dep.temp for writing: Permission denied
/bin/bash: /root/.bashrc: Permission denied
No dep file found for kernel 2.6.6-1.427
mkinitrd failed
-------------------------------------------------------------------

And here are some of the avc denied messages

Jun 12 19:27:20 new2 kernel: audit(1087082831.128:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/net/ipv4/Kconfig dev=hda2 ino=543312 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/.config dev=hda2 ino=525543 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/init/Makefile dev=hda2 ino=525592 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/init/Kconfig dev=hda2 ino=525591 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { write } for pid=5774 exe=/sbin/depmod name=2.6.6-1.427 dev=hda2 ino=525541 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=dir

From selinux at comcast.net Sun Jun 13 06:52:53 2004
From: selinux at comcast.net (Tom London)
Date: Sat, 12 Jun 2004 23:52:53 -0700
Subject: avc denied from kernel 427 update
Message-ID: <40CBF9C5.20403@comcast.net>

The warnings seem to be caused by 'rpm' not assigning the proper contexts to 'installed' files.

The 'FATAL' message from 'mkinitrd' seems to be due to a problem with 'ulimit' defaults.

A workaround until fixed, install/update kernel only in permissive mode, and make sure you do a 'ulimit -l unlimited' before running 'yum' (so you'll enter 'setenforce 0; ulimit -l unlimited'). I think you'll still get the warnings, but the command will succeed without the fatal error.

After the yum 'succeeds', you probably will need to correct the context labels for the kernel files. Easiest way to do that is to run

FC=/etc/selinux/strict/contexts/files/file_contexts
setfiles -v $FC /lib/modules/2.6.6-1.427
setfiles -v $FC /boot

BEFORE you reboot, or to reboot single-user, permissive mode (by adding 'single enforcing=0' to the boot params) and then running 'fixfiles relabel'. Then you can reboot multi-user as usual.

If you've updated more than just the kernel package, you probably want to do the 'boot single-user/permissive, run fixfiles' path.

tom

--------------------------------------
* From: Richard Hally
* To: fedora-selinux-list redhat com
* Subject: avc denied from kernel 427 update
* Date: Sun, 13 Jun 2004 02:29:05 -0400

Below a few of the over 100 warning and error messages from doing yum update today. (6/12/04) Of the ones that didn't scroll off, they are all about the 427/build directory tree.
This is in enforcing mode using the most recent strict policy that existed before today's update to selinux-policy-strict-sources-1.13.4-5. The avc denied messages are further below.
HTH
Richard Hally

-----------------------------------------------------------------------------------------------------
from yum update:
...
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/.config: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/init/Makefile: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/init/Kconfig: Permission denied
FATAL: Could not open /lib/modules/2.6.6-1.427/modules.dep.temp for writing: Permission denied
/bin/bash: /root/.bashrc: Permission denied
No dep file found for kernel 2.6.6-1.427
mkinitrd failed
-------------------------------------------------------------------

And here are some of the avc denied messages

Jun 12 19:27:20 new2 kernel: audit(1087082831.128:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/net/ipv4/Kconfig dev=hda2 ino=543312 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/.config dev=hda2 ino=525543 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/init/Makefile dev=hda2 ino=525592 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/init/Kconfig dev=hda2 ino=525591 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { write } for pid=5774 exe=/sbin/depmod name=2.6.6-1.427 dev=hda2 ino=525541 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=dir

From rhallyx at mindspring.com Sun Jun 13 06:55:37 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Sun, 13 Jun 2004 02:55:37 -0400
Subject: multiple context error from updating sysklogd
Message-ID: <40CBFA69.1070404@mindspring.com>

Here is an error from updating the sysklogd package that apparently comes from some file context problem. The last line about the post script failing has to do with being in enforcing mode but the catch-22 is that the avc denied messages are incomplete which is the reason I am replacing the sysklogd package in the first place. The partial avc denied messages are further below.
When doing the same rpm command in permissive mode, the context error is still produced but the post script runs.
HTH
Richard Hally

--------------------------------------shell messages------------------------------------------------------------
[root at new2 richard]# rpm -U --oldpackage sysklogd-1.4.1-16.i386.rpm
ERROR: Multiple different specifications for /usr/sbin/imapd (system_u:object_r:imapd_exec_t and system_u:object_r:inetd_child_exec_t).
warning: sysklogd-1.4.1-16.i386.rpm: V3 DSA signature: NOKEY, key ID 4f2a6fd2
error: %post(sysklogd-1.4.1-16) scriptlet failed, exit status 255
[root at new2 richard]# setenforce 0

----------------------------var log messages---------------------------------------------------------------------
Jun 13 02:34:31 new2 last message repeated 3 times
Jun 13 02:34:31 new2 exiting on signal 15
Jun 13 02:34:31 new2 syslogd 1.4.1: restart.
Jun 13 02:34:31 new2 syslog: syslogd startup succeeded
Jun 13 02:34:31 new2 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Jun 13 02:34:31 new2 kernel: audit(1087108471.340:0): avc: denied { getattr } for pid=1 exe=/sbin/init
Jun 13 02:34:31 new2 kernel: audit(1087108471.340:0): avc: denied { read write } for pid=1 exe=/sbin/init
Jun 13 02:34:31 new2 syslog: klogd startup succeeded
Jun 13 02:34:31 new2 syslog: syslogd shutdown succeeded

From russell at coker.com.au Sun Jun 13 07:34:19 2004
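The AVC records quoted throughout this thread (David Balazic's rpm -q capability denials, Richard Hally's depmod denials against lib_t, and the truncated init records just above) all share the 2.6-era format `audit(ts:serial): avc: denied { perms } for key=value ...`, sometimes behind a syslog prefix. The script below is an added example, not code from the list or from any poster: it parses such lines, groups the complete denials by source type, target type and object class (writing a target identical to the source as `self`, as policy does for capability checks), and counts records that arrive without scontext/tcontext/tclass and so cannot be attributed, which is exactly the failure mode Richard reports. The function names are mine; the sample log lines are copied from the messages in this thread.

```python
"""Parse and triage 2.6-era SELinux AVC records of the form seen in this thread:

    audit(1086975532.470:0): avc: denied { dac_override } for pid=2612 exe=... scontext=... tcontext=... tclass=...

optionally preceded by a syslog prefix such as "Jun 12 19:27:20 new2 kernel: ".
"""
import re
from collections import defaultdict

# Header part of a record: timestamp, serial, verdict and the permission set.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# Remaining key=value pairs (pid, exe, path, dev, ino, scontext, tcontext, tclass, ...).
FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Without these three fields a denial cannot be attributed or turned into a rule.
REQUIRED = ("scontext", "tcontext", "tclass")

# Sample input copied from the messages in this thread. The last two lines are the
# truncated init record Richard Hally reports and an ordinary (non-AVC) syslog line.
SAMPLE_LOG = """\
audit(1086975532.470:0): avc: denied { dac_override } for pid=2612 exe=/usr/lib/rpm/rpmq capability=1 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
audit(1086975532.470:0): avc: denied { dac_read_search } for pid=2612 exe=/usr/lib/rpm/rpmq capability=2 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/.config dev=hda2 ino=525543 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { write } for pid=5774 exe=/sbin/depmod name=2.6.6-1.427 dev=hda2 ino=525541 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=dir
Jun 13 02:34:31 new2 kernel: audit(1087108471.340:0): avc: denied { getattr } for pid=1 exe=/sbin/init
Jun 13 02:34:31 new2 syslog: syslogd startup succeeded
"""


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "verdict": m.group("verdict"),
        "perms": tuple(m.group("perms").split()),
    }
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def type_of(context):
    """Type component of a user:role:type security context."""
    return context.split(":")[2]


def summarize(lines):
    """Group complete denials by (source type, target type, class) -> permission set.

    Returns (summary, incomplete), where incomplete counts AVC records that lack
    scontext/tcontext/tclass and therefore cannot be attributed to a domain.
    """
    summary = defaultdict(set)
    incomplete = 0
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if any(k not in rec for k in REQUIRED):
            incomplete += 1
            continue
        src = type_of(rec["scontext"])
        # Policy writes a target identical to the source as "self" (e.g. capability checks).
        tgt = "self" if rec["tcontext"] == rec["scontext"] else type_of(rec["tcontext"])
        summary[(src, tgt, rec["tclass"])].update(rec["perms"])
    return dict(summary), incomplete


def as_rules(summary):
    """Render the summary as candidate allow rules for review, one per (source, target, class)."""
    return sorted(
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in summary.items()
    )


if __name__ == "__main__":
    summary, missing = summarize(SAMPLE_LOG.splitlines())
    for rule in as_rules(summary):
        print(rule)
    print("records too incomplete to attribute:", missing)
```

The rendered rules are review material only: as Russell's replies in this thread show, the right response to a denial is often a relabel (setfiles/fixfiles) or a change of role, not a new allow rule.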
From: russell at coker.com.au (Russell Coker)
Date: Sun, 13 Jun 2004 17:34:19 +1000
Subject: multiple context error from updating sysklogd
In-Reply-To: <40CBFA69.1070404@mindspring.com>
References: <40CBFA69.1070404@mindspring.com>
Message-ID: <200406131734.19503.russell@coker.com.au>

On Sun, 13 Jun 2004 16:55, Richard Hally wrote:
> ERROR: Multiple different specifications for /usr/sbin/imapd

Remove the imapd entry from rpm.fc and do "make file_contexts/file_contexts" in the policy source directory. Maybe remove the entries for POP servers at the same time. Those entries in rpm.fc will only work for the targeted policy.

> audit(1087108471.340:0): avc: denied { getattr } for
> pid=1 exe=/sbin/init
> Jun 13 02:34:31 new2 kernel:

This is a kernel bug. James, any ideas?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From rhally at mindspring.com Sun Jun 13 07:47:42 2004
From: rhally at mindspring.com (Richard Hally)
Date: Sun, 13 Jun 2004 03:47:42 -0400
Subject: avc denied from kernel 427 update
In-Reply-To: <40CBF9C5.20403@comcast.net>
References: <40CBF9C5.20403@comcast.net>
Message-ID: <40CC069E.9000806@mindspring.com>

Tom London wrote:
> The warnings seem to be caused by 'rpm' not assigning the proper
> contexts to 'installed' files.
>
> The 'FATAL' message from 'mkinitrd' seems to be due to a problem with
> 'ulimit' defaults.
>
> A workaround until fixed, install/update kernel only in permissive mode,
> and make sure you do a 'ulimit -l unlimited' before running 'yum' (so
> you'll enter 'setenforce 0; ulimit -l unlimited'). I think you'll still
> get the warnings, but the command will succeed without the fatal error.
> --------------------------------------
> * From: Richard Hally
> * To: fedora-selinux-list redhat com
> * Subject: avc denied from kernel 427 update
> * Date: Sun, 13 Jun 2004 02:29:05 -0400
>
> Below a few of the over 100 warning and error messages from doing yum
> update today. (6/12/04) Of the ones that didn't scroll off, they are all
> about the 427/build directory tree.
> This is in enforcing mode using the most recent strict policy that
> existed before today's update to
> selinux-policy-strict-sources-1.13.4-5. The avc denied messages are
> further below.
> HTH
> Richard Hally
>

Thanks for the reminders about ulimit and resetting file contexts after an update of policy.
My simplistic approach is:

setenforce 0
rpm -e kernel-2.6.6-1.427
ulimit -l unlimited
yum install kernel
reboot single enforcing=0   (with the 422 kernel, the 427 kernel is FUBAR)
fixfiles relabel
rpm -e kernel-2.6.6-1.427 !

Richard Hally

From igor at datanaut.com Sun Jun 13 08:43:00 2004
From: igor at datanaut.com (Igor Borisovsky)
Date: Sun, 13 Jun 2004 12:43:00 +0400
Subject: Needs to prevent executing su.
In-Reply-To: <200406121818.58320.russell@coker.com.au>
Message-ID: <200406130845.i5D8jdh32537@alexru.adsl.kis.ru>

I commented using su_domain() in the admin_domain() macro.
So root (in sysadm_t) can't execute su command at all.
But it will be better if root can't execute su command only for one certain user.

-----Original Message-----
From: Russell Coker [mailto:russell at coker.com.au]
Sent: Saturday, June 12, 2004 12:19 PM
To: fedora-selinux-list at redhat.com
Cc: Igor Borisovsky
Subject: Re: Needs to prevent executing su.

On Fri, 11 Jun 2004 23:53, "Igor Borisovsky" wrote:
> root operates as server administrator. Now selinux policy
> configuration forbids root access to the postgresql data files.
> Postgresql database contains secure data. Therefore root must not be
> able to access this information.
> Instead there is a database administrator. This person is authorized
> to do all database related operations.
> So I need to prevent executing 'su postgres' for root.

The solution is that you use SE Linux to control which domains can access the files in question, and not use Unix permissions to do this.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Sun Jun 13 09:20:16 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 13 Jun 2004 19:20:16 +1000
Subject: Needs to prevent executing su.
In-Reply-To: <200406130845.i5D8jdh32537@alexru.adsl.kis.ru>
References: <200406130845.i5D8jdh32537@alexru.adsl.kis.ru>
Message-ID: <200406131920.16567.russell@coker.com.au>

On Sun, 13 Jun 2004 18:43, "Igor Borisovsky" wrote:
> I commented using su_domain() in the admin_domain() macro.
> So root(in sysadm_t) can't execute su command at all.
> But it will be better if root can't execute su command only for one certain
> user.

This gains you nothing. The "root" user as sysadm_t can directly access all the postgres files unless you make some other significant changes to the policy.

From igor at datanaut.com Sun Jun 13 13:26:34 2004
From: igor at datanaut.com (igor at datanaut.com)
Date: Sun, 13 Jun 2004 09:26:34 -0400
Subject: Needs to prevent executing su.
In-Reply-To: <200406131920.16567.russell@coker.com.au>
References: <200406130845.i5D8jdh32537@alexru.adsl.kis.ru> <200406131920.16567.russell@coker.com.au>
Message-ID: <20040613092634.l8asgkksgwwgk4sg@mail.datanaut.com>

Thanks for the reply. Now root can't access the postgresql data files; I tweaked the selinux policy for that. I just need to prevent root from executing the 'su postgres' command.

> On Sun, 13 Jun 2004 18:43, "Igor Borisovsky" wrote:
>> I commented using su_domain() in the admin_domain() macro.
>> So root(in sysadm_t) can't execute su command at all.
>> But it will be better if root can't execute su command only for one certain
>> user.
>
> This gains you nothing. The "root" user as sysadm_t can directly access all
> the postgres files unless you make some other significant changes to the
> policy.
>
> -- 
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page

From selinux at comcast.net Sun Jun 13 16:57:06 2004
From: selinux at comcast.net (Tom London)
Date: Sun, 13 Jun 2004 09:57:06 -0700
Subject: avc denied from kernel 427 update
Message-ID: <40CC8762.5020605@comcast.net>

Hmmm.... worked for me. I'm running 427 on two machines. One with the 'old policy' stuff, the other with all the latest packages from the development tree (including 'new selinux-policy' stuff).

A suggestion from Stephen Smalley may help you. I haven't tried to install a new kernel since doing this. Also, I noticed an updated rpm package in the development tree.....

tom

------------------------------------------------------------------------
* /From/: Stephen Smalley
* /Date/: Thu, 10 Jun 2004 15:30:09 -0400
------------------------------------------------------------------------

On Tue, 2004-06-08 at 23:25, Tom London wrote:
> [On my system, yum/rpm seem not to be correctly labeling installed
> files, so I manually check and change via 'fixfiles' or 'setfiles' as
> appropriate.

This is because rpm hasn't been updated for the new policy layout, so it cannot find the file_contexts configuration. Until it is updated, I have just created a symlink, i.e.

ln -sf /etc/selinux/strict/contexts/files/file_contexts /etc/security/selinux/file_contexts

-- 
Stephen Smalley
National Security Agency

From selinux at comcast.net Sun Jun 13 19:27:29 2004
From: selinux at comcast.net (Tom London)
Date: Sun, 13 Jun 2004 12:27:29 -0700
Subject: 431 kernel install - file contexts fixed! (was Re: avc denied from kernel 427 update)
In-Reply-To: <40CC8762.5020605@comcast.net>
References: <40CC8762.5020605@comcast.net>
Message-ID: <40CCAAA1.3030407@comcast.net>

New packages improve things dramatically. I just did a 'yum update kernel*' to install the 431 kernel from Arjan's tree. The install succeeded, and I was running in enforcing mode.

The context labels now appear to be correct except for those created by 'depmod', 'mkinitrd' and the fiddling with /boot/grub/grub.conf. (Files installed from the kernel-sourcecode package are all correctly labeled!) Except for grub.conf, the types appear correct but the user is 'root' instead of 'system_u'. grub.conf is labeled 'root:object_r:boot_t' instead of 'system_u:object_r:boot_runtime_t'.

(Are 'restorecon' commands needed in the postinstall scriptlet? elsewhere?)

tom

[BTW, the system boots fine even without fixing the labels mentioned above.]

Tom London wrote:
> Hmmm.... worked for me. I'm running 427 on two machines. One with
> the 'old policy' stuff, the other with all the latest packages from
> the development tree (including 'new selinux-policy' stuff).
>
> A suggestion from Stephen Smalley may help you. I haven't tried to
> install a new kernel since doing this. Also, I noticed an updated rpm
> package in the development tree.....
>
> tom
> ------------------------------------------------------------------------
>
> * /From/: Stephen Smalley
> * /Date/: Thu, 10 Jun 2004 15:30:09 -0400
>
> ------------------------------------------------------------------------
>
> On Tue, 2004-06-08 at 23:25, Tom London wrote:
>
>> [On my system, yum/rpm seem not to be correctly labeling installed
>> files, so I manually check and change via 'fixfiles' or 'setfiles' as
>> appropriate.
>
>
> This is because rpm hasn't been updated for the new policy layout, so it
> cannot find the file_contexts configuration. Until it is updated, I
> have just created a symlink, i.e.
> ln -sf /etc/selinux/strict/contexts/files/file_contexts
> /etc/security/selinux/file_contexts
>

From Valdis.Kletnieks at vt.edu Mon Jun 14 01:19:08 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sun, 13 Jun 2004 21:19:08 -0400
Subject: strange AVC messages with kernel 2.6.6-1.427
In-Reply-To: Your message of "Sat, 12 Jun 2004 21:38:37 +1000." <200406122138.37552.russell@coker.com.au>
References: <200406122138.37552.russell@coker.com.au>
Message-ID: <200406140119.i5E1J8cH005643@turing-police.cc.vt.edu>

On Sat, 12 Jun 2004 21:38:37 +1000, Russell Coker said:
> With the latest kernel I am getting some strange AVC messages I didn't get
> with 2.6.5-1.358.
>
> audit(1087039822.666:0): avc: denied { getattr } for pid=5262
> exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t
> tcontext=system_u:object_r:root_t tclass=chr_file
> audit(1087039822.684:0): avc: denied { getattr } for pid=5262
> exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t
> tcontext=system_u:object_r:root_t tclass=chr_file
>
> There is no device node 16381 on the file system. Running the same command
> repeatedly gives similar messages with different inode numbers, so I guess
> it's some sort of temporary file. The machine is in enforcing mode and
> nothing that might want to create a root_t chr_file has permission to do
> so...

I've been seeing this (avc points at a file that 'find -inum' can't find) with some recent 2.6.6 and 2.6.7-rc -mm kernels as well. I suspect (but haven't verified yet, I'll have to remember to boot single user and check) that the operation in question is referencing a file in /var (for instance), and that ino=16381 is in fact the inode *for the directory 'var' in /* and that while crossing over the mount point it's getting confused about the difference between the root inode of the mounted filesystem and the inode of the directory it's mounted on....

I'll try to remember to double-check this when I next reboot the laptop and follow up on it tomorrow...

From rhallyx at mindspring.com Mon Jun 14 05:24:34 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Mon, 14 Jun 2004 01:24:34 -0400
Subject: avc denied messages from rhgb
Message-ID: <40CD3692.3000703@mindspring.com>

While booting the 427 kernel in enforcing mode with selinux-policy-strict-1.13.4-5, the following avc denied messages occur:

Jun 13 21:04:03 new2 kernel: audit(1087160614.345:0): avc: denied { search } for pid=535 exe=/usr/bin/rhgb name=root dev=hda2 ino=130305 scontext=system_u:system_r:rhgb_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Jun 13 21:04:03 new2 last message repeated 9 times
Jun 13 21:04:03 new2 kernel: audit(1087160614.346:0): avc: denied { search } for pid=535 exe=/usr/bin/rhgb name=root dev=hda2 ino=130305 scontext=system_u:system_r:rhgb_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Jun 13 21:04:03 new2 last message repeated 3 times
Jun 13 21:04:03 new2 kernel: audit(1087160614.706:0): avc: denied { search } for pid=535 exe=/usr/bin/rhgb name=root dev=hda2 ino=130305 scontext=system_u:system_r:rhgb_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Jun 13 21:04:03 new2 last message repeated 2 times
Jun 13 21:04:03 new2 kernel: audit(1087160614.707:0): avc: denied { search } for pid=535 exe=/usr/bin/rhgb name=root dev=hda2 ino=130305 scontext=system_u:system_r:rhgb_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Jun 13 21:04:03 new2 kernel: audit(1087160615.167:0): avc: denied { search } for pid=535 exe=/usr/bin/rhgb name=root dev=hda2 ino=130305 scontext=system_u:system_r:rhgb_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Jun 13 21:04:03 new2 last message repeated 7 times

HTH
Richard Hally

From rhallyx at mindspring.com Mon Jun 14 05:27:22 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Mon, 14 Jun 2004 01:27:22 -0400
Subject: avc denied messages from lvm.static
Message-ID: <40CD373A.9010109@mindspring.com>

While booting the 427 kernel in enforcing mode with selinux-policy-strict-1.13.4-5, the following avc denied messages occur:

Jun 13 21:04:03 new2 kernel: audit(1087175021.671:0): avc: denied { search } for pid=931 exe=/sbin/lvm.static dev=devpts ino=1 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:devpts_t tclass=dir
Jun 13 21:04:03 new2 kernel: audit(1087175022.193:0): avc: denied { getattr } for pid=931 exe=/sbin/lvm.static path=/dev/shm dev=hda2 ino=1091316 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir

HTH
Richard Hally

From rhallyx at mindspring.com Mon Jun 14 05:31:00 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Mon, 14 Jun 2004 01:31:00 -0400
Subject: avc denied messages from microcode_ctl
Message-ID: <40CD3814.60202@mindspring.com>

While booting the 427 kernel in enforcing mode with selinux-policy-strict-1.13.4-5, the following avc denied messages occur:

Jun 13 21:04:03 new2 kernel: audit(1087175026.816:0): avc: denied { write } for pid=1247 exe=/sbin/microcode_ctl name=microcode dev=hda2 ino=1070659 scontext=system_u:system_r:cpucontrol_t tcontext=system_u:object_r:device_t tclass=chr_file

HTH
Richard Hally

From rhallyx at mindspring.com Mon Jun 14 05:35:18 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Mon, 14 Jun 2004 01:35:18 -0400
Subject: avc denied messages from umount
Message-ID: <40CD3916.9080607@mindspring.com>

While booting the 427 kernel in enforcing mode with selinux-policy-strict-1.13.4-5, the following avc denied messages occur:

Jun 13 21:04:22 new2 kernel: audit(1087175062.270:0): avc: denied { use } for pid=2392 exe=/bin/umount path=/dev/ptmx dev=hda2 ino=1064811 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:rhgb_gph_t tclass=fd
Jun 13 21:04:22 new2 kernel: audit(1087175062.270:0): avc: denied { read write } for pid=2392 exe=/bin/umount path=socket:[1429] dev=sockfs ino=1429 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:rhgb_t tclass=unix_stream_socket

HTH
Richard Hally

From rhallyx at mindspring.com Mon Jun 14 05:40:09 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Mon, 14 Jun 2004 01:40:09 -0400
Subject: avc denied messages from ssh-agent
Message-ID: <40CD3A39.6000709@mindspring.com>

While booting to run level 5 with the 427 kernel in enforcing mode and selinux-policy-strict-1.13.4-5, the following avc denied messages occur:

Jun 13 21:04:52 new2 gdm(pam_unix)[2828]: session opened for user richard by (uid=0)
Jun 13 21:04:52 new2 kernel: audit(1087175092.764:0): avc: denied { search } for pid=2923 exe=/usr/bin/ssh-agent name=selinux dev=hda2 ino=913073 scontext=richard:staff_r:staff_ssh_agent_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jun 13 21:04:52 new2 kernel: audit(1087175092.764:0): avc: denied { read } for pid=2923 exe=/usr/bin/ssh-agent name=mounts dev=proc ino=-268435447 scontext=richard:staff_r:staff_ssh_agent_t tcontext=system_u:object_r:proc_t tclass=lnk_file

HTH
Richard Hally

From rhallyx at mindspring.com Mon Jun 14 05:46:11 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Mon, 14 Jun 2004 01:46:11 -0400
Subject: avc denied messages from gnome-vfs-daemon and nautilus
Message-ID: <40CD3BA3.7070606@mindspring.com>

While booting to run level 5 and logging in, with the 427 kernel in enforcing mode and selinux-policy-strict-1.13.4-5, the following avc denied messages occur:

Jun 13 21:05:09 new2 kernel: audit(1087175109.179:0): avc: denied { getattr } for pid=3137 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jun 13 21:05:09 new2 kernel: audit(1087175109.839:0): avc: denied { getattr } for pid=3148 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jun 13 21:05:09 new2 kernel: audit(1087175109.957:0): avc: denied { getattr } for pid=3149 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir

HTH
Richard Hally

From rhallyx at mindspring.com Mon Jun 14 06:01:04 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Mon, 14 Jun 2004 02:01:04 -0400
Subject: avc denied messages from system cron
Message-ID: <40CD3F20.3060900@mindspring.com>

While running the 427 kernel in enforcing mode and selinux-policy-strict-1.13.4-5, the following avc denied messages occur from the system cron hourly job:

Jun 13 22:01:00 new2 kernel: audit(1087178460.748:0): avc: denied { read } for pid=3306 exe=/bin/bash name=mtab dev=hda2 ino=869481 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Jun 13 22:01:00 new2 kernel: audit(1087178460.748:0): avc: denied { getattr } for pid=3306 exe=/bin/bash path=/proc/meminfo dev=proc ino=-268435454 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:proc_t tclass=file
Jun 13 22:01:00 new2 kernel: audit(1087178460.792:0): avc: denied { getattr } for pid=3306 exe=/bin/bash path=/usr/bin/run-parts dev=hda2 ino=55784 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file

HTH
Richard Hally

From russell at coker.com.au Mon Jun 14 05:48:44 2004
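The boot-time reports above all share one record format: `audit(secs.usecs:serial): avc: denied { perms } for key=value ...`, sometimes behind a syslog prefix. The script below is an added example for this thread (not code from the list, from the kernel or from any SELinux tool): it parses such lines and merges the denials into the (source type, target type, object class) triples a policy writer reads, then renders them in allow-rule form for review. The sample lines are copied from the posts above; the parser is written for that 2004 format (numeric `ino`, `exe=` rather than `comm=`), and the `context_type` helper assumes a three-field `user:role:type` context.

```python
"""Group kernel AVC denials by (source type, target type, class).

Added example for the fedora-selinux-list reports above; not code from the
list, the kernel or any SELinux tool.  Sample lines are copied from the posts.
"""
import re
from collections import defaultdict

# audit(<secs>.<usecs>:<serial>): avc: denied { perm perm } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Lines copied from the posts above; the "last message repeated" line is a
# syslog summary, not an AVC record, and must be skipped by the parser.
SAMPLE_LINES = [
    "Jun 13 21:04:03 new2 kernel: audit(1087160614.345:0): avc: denied { search } for pid=535 exe=/usr/bin/rhgb name=root dev=hda2 ino=130305 scontext=system_u:system_r:rhgb_t tcontext=root:object_r:staff_home_dir_t tclass=dir",
    "Jun 13 21:04:03 new2 last message repeated 9 times",
    "Jun 13 21:04:22 new2 kernel: audit(1087175062.270:0): avc: denied { read write } for pid=2392 exe=/bin/umount path=socket:[1429] dev=sockfs ino=1429 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:rhgb_t tclass=unix_stream_socket",
    "Jun 13 22:01:00 new2 kernel: audit(1087178460.748:0): avc: denied { read } for pid=3306 exe=/bin/bash name=mtab dev=hda2 ino=869481 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:etc_runtime_t tclass=file",
    "Jun 13 22:01:00 new2 kernel: audit(1087178460.792:0): avc: denied { getattr } for pid=3306 exe=/bin/bash path=/usr/bin/run-parts dev=hda2 ino=55784 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file",
    "Jun 13 21:04:03 new2 kernel: audit(1087175021.671:0): avc: denied { search } for pid=931 exe=/sbin/lvm.static dev=devpts ino=1 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:devpts_t tclass=dir",
]


def context_type(ctx):
    """Third field of a user:role:type[:range] security context."""
    return ctx.split(":", 3)[2]


def parse_avc(line):
    """Return a dict for one denial, or None for lines that are not AVC records."""
    m = AVC_RE.search(line)          # search(): tolerate a syslog prefix
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "perms": frozenset(m.group("perms").split()),
    }
    rec.update(KV_RE.findall(m.group("fields")))   # pid, exe, path/name, dev, ino, ...
    rec["source_type"] = context_type(rec["scontext"])
    rec["target_type"] = context_type(rec["tcontext"])
    return rec


def summarize(lines):
    """Merge all denials into (source type, target type, class) -> denied perms."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            needed[key] |= rec["perms"]
    return dict(needed)


def as_allow_rules(summary):
    """Render the summary as allow rules, sorted, for human review.

    Several denials in this thread turned out to be mislabeled files, an
    unmounted /dev/shm or a program bug, so a rendered rule is a starting
    point for reading the policy, not something to load as-is.
    """
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE_LINES)):
        print(rule)
```

Feeding `/var/log/messages` through `summarize()` instead of `SAMPLE_LINES` collapses the "repeated N times" noise and shows at a glance which domain is hitting which type, which is the question Russell's replies below keep coming back to (is the type on the object what the policy expects, or is the object mislabeled?).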
From: russell at coker.com.au (Russell Coker)
Date: Mon, 14 Jun 2004 15:48:44 +1000
Subject: Needs to prevent executing su.
In-Reply-To: <20040613092634.l8asgkksgwwgk4sg@mail.datanaut.com>
References: <200406130845.i5D8jdh32537@alexru.adsl.kis.ru> <200406131920.16567.russell@coker.com.au> <20040613092634.l8asgkksgwwgk4sg@mail.datanaut.com>
Message-ID: <200406141548.44962.russell@coker.com.au>

On Sun, 13 Jun 2004 23:26, igor at datanaut.com wrote:
> Thanks for reply.
> Now root can't access to the postgresql data files.
> I'd tweaked selinux policy for that.
> I just need to prevent executing 'su postgres' command by root.

If you tweaked the policy such that sysadm_t can't access the files, and if the postgres user does not have a SE Linux identity, then su to the postgres user will not grant access to the files.

From igor at datanaut.com Mon Jun 14 07:48:21 2004
From: igor at datanaut.com (Igor Borisovsky)
Date: Mon, 14 Jun 2004 11:48:21 +0400
Subject: Needs to prevent executing su.
In-Reply-To: <200406141548.44962.russell@coker.com.au>
Message-ID: <200406140750.i5E7oth03416@alexru.adsl.kis.ru>

> If you tweaked the policy such that sysadm_t can't access the files,
> and if the postgres user does not have a SE Linux identity then su to
> the postgres user will not grant access to the files.

Let me explain my problem in more detail. What I did:

1. prevented root access to the postgresql data files located at /var/lib/pgsql;
2. created custom pgsql_t type and pgsql_r role;
3. created selinux user postgres: user postgres roles pgsql_r;
4. all postgresql directories and files have proper types (e.g. pgsql_home_dir_t, pgsql_home_t).

Therefore I have two persons: root and postgres. User root is the server administrator, but he can't access the postgresql data files. And user postgres is the database administrator. He will do all database related operations (e.g. database backup). Hence postgres has access to the postgresql data files. So for security reasons I need to prevent the transition from user root to user postgres.

From russell at coker.com.au Mon Jun 14 08:13:02 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 14 Jun 2004 18:13:02 +1000
Subject: avc denied messages from gnome-vfs-daemon and nautilus
In-Reply-To: <40CD3BA3.7070606@mindspring.com>
References: <40CD3BA3.7070606@mindspring.com>
Message-ID: <200406141813.02143.russell@coker.com.au>

On Mon, 14 Jun 2004 15:46, Richard Hally wrote:
> While booting to run level 5 and logging in, with the 427 kernel in
> enforcing mode and selinux-policy-strict-1.13.4-5,
> the following avc denied messages occur:
>
> Jun 13 21:05:09 new2 kernel: audit(1087175109.179:0): avc: denied {
> getattr }
> for pid=3137 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0
> ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t
> tclass=dir

/initrd should not be mounted at that time. I have filed a bugzilla entry:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125925

From russell at coker.com.au Mon Jun 14 10:20:17 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 14 Jun 2004 20:20:17 +1000
Subject: avc denied messages from system cron
In-Reply-To: <40CD3F20.3060900@mindspring.com>
References: <40CD3F20.3060900@mindspring.com>
Message-ID: <200406142020.17304.russell@coker.com.au>

On Mon, 14 Jun 2004 16:01, Richard Hally wrote:
> Jun 13 22:01:00 new2 kernel: audit(1087178460.748:0): avc: denied {
> read } for pid=3306 exe=/bin/bash name=mtab dev=hda2 ino=869481
> scontext=system_u:system_r:crond_t
> tcontext=system_u:object_r:etc_runtime_t tclass=file
> Jun 13 22:01:00 new2 kernel: audit(1087178460.748:0): avc: denied {
> getattr }
> for pid=3306 exe=/bin/bash path=/proc/meminfo dev=proc ino=-268435454
> scontext=system_u:system_r:crond_t tcontext=system_u:object_r:proc_t
> tclass=file
> Jun 13 22:01:00 new2 kernel: audit(1087178460.792:0): avc: denied {
> getattr }
> for pid=3306 exe=/bin/bash path=/usr/bin/run-parts dev=hda2 ino=55784
> scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
> tclass=file

Do any other cron jobs execute correctly?

I don't think that in the normal operation of the system there should be a bash script launched in the crond_t domain which tries to run run-parts. I think that your crond is acting as if it does not support SE Linux.

What version of libselinux do you have installed? Maybe there is a bug in libselinux which made cron misbehave.

From russell at coker.com.au Mon Jun 14 11:00:39 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 14 Jun 2004 21:00:39 +1000
Subject: avc denied messages from rhgb
In-Reply-To: <40CD3692.3000703@mindspring.com>
References: <40CD3692.3000703@mindspring.com>
Message-ID: <200406142100.39204.russell@coker.com.au>

On Mon, 14 Jun 2004 15:24, Richard Hally wrote:
> While booting the 427 kernel in enforcing mode with
> selinux-policy-strict-1.13.4-5,
> the following avc denied messages occur:
>
> Jun 13 21:04:03 new2 kernel: audit(1087160614.345:0): avc: denied {
> search } for pid=535 exe=/usr/bin/rhgb name=root dev=hda2 ino=130305
> scontext=system_u:system_r:rhgb_t
> tcontext=root:object_r:staff_home_dir_t tclass=dir

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125932

I've filed a bug report against RHGB regarding this.

From russell at coker.com.au Mon Jun 14 11:28:04 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 14 Jun 2004 21:28:04 +1000
Subject: avc denied messages from lvm.static
In-Reply-To: <40CD373A.9010109@mindspring.com>
References: <40CD373A.9010109@mindspring.com>
Message-ID: <200406142128.04825.russell@coker.com.au>

On Mon, 14 Jun 2004 15:27, Richard Hally wrote:
> While booting the 427 kernel in enforcing mode with
> selinux-policy-strict-1.13.4-5,
> the following avc denied messages occur:
>
> Jun 13 21:04:03 new2 kernel: audit(1087175021.671:0): avc: denied {
> search } for pid=931 exe=/sbin/lvm.static dev=devpts ino=1
> scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:devpts_t
> tclass=dir

I guess we should add that, I'll put it in my tree now.

> Jun 13 21:04:03 new2 kernel: audit(1087175022.193:0): avc: denied {
> getattr }
> for pid=931 exe=/sbin/lvm.static path=/dev/shm dev=hda2 ino=1091316
> scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t
> tclass=dir

It looks like you don't have /dev/shm mounted. Have you done anything deliberately to cause this?

From russell at coker.com.au Mon Jun 14 10:17:16 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 14 Jun 2004 20:17:16 +1000
Subject: avc denied messages from microcode_ctl
In-Reply-To: <40CD3814.60202@mindspring.com>
References: <40CD3814.60202@mindspring.com>
Message-ID: <200406142017.16843.russell@coker.com.au>

On Mon, 14 Jun 2004 15:31, Richard Hally wrote:
> While booting the 427 kernel in enforcing mode with
> selinux-policy-strict-1.13.4-5,
> the following avc denied messages occur:
>
> Jun 13 21:04:03 new2 kernel: audit(1087175026.816:0): avc: denied {
> write } for pid=1247 exe=/sbin/microcode_ctl name=microcode dev=hda2
> ino=1070659 scontext=system_u:system_r:cpucontrol_t
> tcontext=system_u:object_r:device_t tclass=chr_file

/u?dev/cpu/.* -c system_u:object_r:cpu_device_t

The above line in file_contexts/types.fc should cover /dev/cpu/microcode. I think that the problem you are having is because for some (unknown) reason those device nodes were mis-labeled. I don't know what might have caused this, I have not been able to reproduce it.

I suggest just using setfiles to relabel /dev/cpu.

From russell at coker.com.au Mon Jun 14 11:35:31 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 14 Jun 2004 21:35:31 +1000
Subject: Needs to prevent executing su.
In-Reply-To: <200406140750.i5E7oth03416@alexru.adsl.kis.ru>
References: <200406140750.i5E7oth03416@alexru.adsl.kis.ru>
Message-ID: <200406142135.31644.russell@coker.com.au>

On Mon, 14 Jun 2004 17:48, "Igor Borisovsky" wrote:
> Let me explain in more details my problem.
> What I did:
> 1. prevented root access to the postgresql data files located at
> /var/lib/pgsql;

Presumably you mean that you prevented sysadm_t access.

> 2. created custom pgsql_t type and pgsql_r role;
> 3. created selinux user postgres:
> user postgres roles pgsql_r;
> 4. all postgresql directories and files has a proper types(e.g.
> pgsql_home_dir_t, pgsql_home_t).
> Therefore I have two persons: root and postgres. User root is the server
> administrator, but
> he can't access to the postgresql data files. And user postgres is the
> database administrator.
> He will do all database related operations(e.g. database backup). Hence
> postgres has access
> to the postgresql data files. So for security reason i need to prevent
> transition from user root to user postgres.

Then you will need to prevent sysadm_t from accessing pgsql_home_dir_t and pgsql_home_t as well...

You could change macros/program/su_macros.te, replace the following line:

domain_trans($1_su_t, shell_exec_t, userdomain)

With:

domain_trans($1_su_t, shell_exec_t, { user_t staff_t sysadm_t })

From francis.shim at sympatico.ca Mon Jun 14 12:13:45 2004
From: francis.shim at sympatico.ca (Francis K Shim)
Date: Mon, 14 Jun 2004 08:13:45 -0400
Subject: avc denied messages from lvm.static
In-Reply-To: <200406142128.04825.russell@coker.com.au>
References: <40CD373A.9010109@mindspring.com> <200406142128.04825.russell@coker.com.au>
Message-ID: <1087215225.2206.6.camel@sol800.cawthra.com>

I am just adding the audit output I got with regards to lvm.static:

audit(1087215619.565:0): avc: denied { read } for pid=835 exe=/sbin/lvm.static name=dri dev=hda6 ino=409347 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:dri_device_t tclass=dir
audit(1087215619.575:0): avc: denied { search } for pid=835 exe=/sbin/lvm.static name=dri dev=hda6 ino=409347 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:dri_device_t tclass=dir
audit(1087215621.189:0): avc: denied { getattr } for pid=835 exe=/sbin/lvm.static path=/dev/shm dev=hda6 ino=603157 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir
audit(1087215621.189:0): avc: denied { read } for pid=835 exe=/sbin/lvm.static name=shm dev=hda6 ino=603157 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir

Regards,
Frank

On Mon, 2004-06-14 at 07:28, Russell Coker wrote:
> On Mon, 14 Jun 2004 15:27, Richard Hally wrote:
> > While booting the 427 kernel in enforcing mode with
> > selinux-policy-strict-1.13.4-5,
> > the following avc denied messages occur:
> >
> > Jun 13 21:04:03 new2 kernel: audit(1087175021.671:0): avc: denied {
> > search } for pid=931 exe=/sbin/lvm.static dev=devpts ino=1
> > scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:devpts_t
> > tclass=dir
>
> I guess we should add that, I'll put it in my tree now.
>
> > Jun 13 21:04:03 new2 kernel: audit(1087175022.193:0): avc: denied {
> > getattr }
> > for pid=931 exe=/sbin/lvm.static path=/dev/shm dev=hda2 ino=1091316
> > scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t
> > tclass=dir
>
> It looks like you don't have /dev/shm mounted. Have you done anything
> deliberately to cause this?

-- 
Francis K Shim

From rhallyx at mindspring.com Mon Jun 14 18:59:15 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Mon, 14 Jun 2004 14:59:15 -0400
Subject: avc denied messages from microcode_ctl
In-Reply-To: <200406142017.16843.russell@coker.com.au>
References: <40CD3814.60202@mindspring.com> <200406142017.16843.russell@coker.com.au>
Message-ID: <40CDF583.9000904@mindspring.com>

Russell Coker wrote:
> On Mon, 14 Jun 2004 15:31, Richard Hally wrote:
>
>> While booting the 427 kernel in enforcing mode with
>> selinux-policy-strict-1.13.4-5,
>> the following avc denied messages occur:
>>
>> Jun 13 21:04:03 new2 kernel: audit(1087175026.816:0): avc: denied {
>> write } for pid=1247 exe=/sbin/microcode_ctl name=microcode dev=hda2
>> ino=1070659 scontext=system_u:system_r:cpucontrol_t
>> tcontext=system_u:object_r:device_t tclass=chr_file
>>
>
> /u?dev/cpu/.* -c system_u:object_r:cpu_device_t
>
> The above line in file_contexts/types.fc should cover /dev/cpu/microcode. I
> think that the problem you are having is because for some (unknown) reason
> those device nodes were mis-labeled. I don't know what might have caused
> this, I have not been able to reproduce it.
>
> I suggest just using setfiles to relabel /dev/cpu.
>

There is no /udev/cpu. There is a /udev/microcode. It is labeled device_t.

Richard Hally

From rhallyx at mindspring.com Mon Jun 14 19:10:57 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Mon, 14 Jun 2004 15:10:57 -0400
Subject: avc denied messages from system cron
In-Reply-To: <200406142020.17304.russell@coker.com.au>
References: <40CD3F20.3060900@mindspring.com> <200406142020.17304.russell@coker.com.au>
Message-ID: <40CDF841.1000200@mindspring.com>

Russell Coker wrote:
> On Mon, 14 Jun 2004 16:01, Richard Hally wrote:
>
>> Jun 13 22:01:00 new2 kernel: audit(1087178460.748:0): avc: denied {
>> read } for pid=3306 exe=/bin/bash name=mtab dev=hda2 ino=869481
>> scontext=system_u:system_r:crond_t
>> tcontext=system_u:object_r:etc_runtime_t tclass=file
>> Jun 13 22:01:00 new2 kernel: audit(1087178460.748:0): avc: denied {
>> getattr }
>> for pid=3306 exe=/bin/bash path=/proc/meminfo dev=proc ino=-268435454
>> scontext=system_u:system_r:crond_t tcontext=system_u:object_r:proc_t
>> tclass=file
>> Jun 13 22:01:00 new2 kernel: audit(1087178460.792:0): avc: denied {
>> getattr }
>> for pid=3306 exe=/bin/bash path=/usr/bin/run-parts dev=hda2 ino=55784
>> scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
>> tclass=file
>>
>
> Do any other cron jobs execute correctly?
>

No, I get errors from other system cron jobs as well. I don't run any user cron jobs. Cron works correctly in permissive mode.

> I don't think that in the normal operation of the system there should be a
> bash script launched in the crond_t domain which tries to run run-parts. I
> think that your crond is acting as if it does not support SE Linux.
>
> What version of libselinux do you have installed? Maybe there is a bug in
> libselinux which made cron misbehave.
>

I have vixie-cron-3.0.1-89 and libselinux-1.13.3-2. Here are a couple of the mail(1) messages root gets:

Message 1:
From root at localhost.localdomain Mon Jun 14 05:01:00 2004
Date: Mon, 14 Jun 2004 05:01:00 -0400
From: root at localhost.localdomain (Cron Daemon)
To: root at localhost.localdomain
Subject: Cron run-parts /etc/cron.hourly
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:

/bin/bash: line 1: run-parts: command not found

Message 4:
From mailman at localhost.localdomain Mon Jun 14 08:00:01 2004
Date: Mon, 14 Jun 2004 08:00:01 -0400
From: root at localhost.localdomain (Cron Daemon)
To: mailman at localhost.localdomain
Subject: Cron /usr/bin/python -S /var/mailman/cron/checkdbs
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:

/bin/sh: line 1: /usr/bin/python: Permission denied

&

Richard Hally

From kvogelsa at ccs.neu.edu Mon Jun 14 19:38:51 2004
From: kvogelsa at ccs.neu.edu (Kirk Vogelsang)
Date: Mon, 14 Jun 2004 15:38:51 -0400 (EDT)
Subject: (Non)Domain Transitioning
Message-ID: <Pine.LNX.4.58.0406141517270.27183@xxxxxxxxxxxxxxxxxxxxx>

I'm having some problems getting the snortcenter agent (miniserv.pl) to start snort and transition snort to the appropriate snort_t domain. When miniserv starts snort, snort continues to run in the miniserv domain, snort_agent_t (a domain I created). avc messages show miniserv starting snort with execute_no_trans, which I believe is the problem:

audit(108724131.465:0): avc: denied { execute_no_trans } for pid=7136 exe=/bin//bash path=/usr/tools/adm/packages/snort/bin/snort dev=sda2 ino=256078 scontext=system_u:system_r:snort_agent_t tcontext=system_u:object_r:snort_exec_t tclass=file

When snort is started via run_init, it runs appropriately within the snort_t domain.

I have:

allow snort_agent_t snort_exec_t:file { read execute entrypoint };
...
...
allow snort_agent_t snort_t:process transition;

My question: How do I force a process (snort) to transition to the correct domain (snort_t) when exec'd from another domain (snort_agent_t)?

-----
Kirk M. Vogelsang
Northeastern University
College of Computer Science

From Daniel.Levine at jhuapl.edu Mon Jun 14 20:20:48 2004
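Both the su_macros.te suggestion earlier in the thread (restricting `domain_trans($1_su_t, shell_exec_t, ...)` to `{ user_t staff_t sysadm_t }`) and the snort_agent_t question above turn on the same kernel logic: at exec() time the new domain is chosen first (explicitly requested, via a `type_transition` default, or else unchanged), and only then are the permissions checked that correspond to that choice. The toy model below is an added illustration for this thread, not code from the list, from the example policy or from the kernel. It re-implements those checks in a few lines and replays the two situations with the names the posts use; `domain_trans`/`domain_auto_trans` are simplified versions of the example-policy macros (the real ones grant a few more permissions), `sysadm_su_t` is the `$1_su_t` name with `$1` = sysadm, and the "with auto-transition" snort rule set is an assumed contrast case, not anything Kirk reported.

```python
"""Toy model of the SELinux checks that decide which domain a process runs in
after exec().  Added illustration for the su_macros.te suggestion and the
snort_agent_t question above; not code from the list, the example policy or
the kernel.  Domain/type names are the ones the posts use; the rule sets are
reconstructed from what the posts say, not copied from anyone's policy.
"""
from collections import defaultdict


class Policy:
    def __init__(self):
        self.allow = defaultdict(set)   # (source, target, class) -> permissions
        self.type_transition = {}       # (source domain, exec file type) -> default new domain

    def allow_rule(self, src, tgt, cls, perms):
        self.allow[(src, tgt, cls)] |= set(perms)

    def allowed(self, src, tgt, cls, perm):
        return perm in self.allow.get((src, tgt, cls), set())

    def domain_trans(self, src, exec_type, targets):
        """Simplified example-policy domain_trans(): src may execute exec_type
        and move into any of `targets`, but the caller has to ask for the new
        domain itself (su does this with setexeccon)."""
        self.allow_rule(src, exec_type, "file", {"getattr", "execute"})
        for new in targets:
            self.allow_rule(new, exec_type, "file", {"entrypoint"})
            self.allow_rule(src, new, "process", {"transition"})

    def domain_auto_trans(self, src, exec_type, new):
        """domain_trans() plus the type_transition that applies by default."""
        self.domain_trans(src, exec_type, {new})
        self.type_transition[(src, exec_type)] = new

    def exec_file(self, src, exec_type, requested=None):
        """Pick the new domain the way the kernel does, then apply its checks.
        Returns (new_domain, [denied "src tgt:class perm" strings])."""
        new = requested or self.type_transition.get((src, exec_type), src)
        denied = []
        if not self.allowed(src, exec_type, "file", "execute"):
            denied.append(f"{src} {exec_type}:file execute")
        if new == src:
            # staying in the same domain requires execute_no_trans on the file
            if not self.allowed(src, exec_type, "file", "execute_no_trans"):
                denied.append(f"{src} {exec_type}:file execute_no_trans")
        else:
            # changing domain requires process transition and a file entrypoint
            if not self.allowed(src, new, "process", "transition"):
                denied.append(f"{src} {new}:process transition")
            if not self.allowed(new, exec_type, "file", "entrypoint"):
                denied.append(f"{new} {exec_type}:file entrypoint")
        return new, denied


def snort_as_posted():
    """The two rules quoted in the question: no type_transition is present,
    so the exec stays in snort_agent_t and needs execute_no_trans."""
    p = Policy()
    p.allow_rule("snort_agent_t", "snort_exec_t", "file", {"read", "execute", "entrypoint"})
    p.allow_rule("snort_agent_t", "snort_t", "process", {"transition"})
    return p.exec_file("snort_agent_t", "snort_exec_t")


def snort_with_auto_trans():
    """Assumed contrast case (not from the post): a domain_auto_trans() in place."""
    p = Policy()
    p.domain_auto_trans("snort_agent_t", "snort_exec_t", "snort_t")
    return p.exec_file("snort_agent_t", "snort_exec_t")


def su_restricted(requested):
    """Russell's replacement line with $1 = sysadm: su may enter three domains only."""
    p = Policy()
    p.domain_trans("sysadm_su_t", "shell_exec_t", {"user_t", "staff_t", "sysadm_t"})
    return p.exec_file("sysadm_su_t", "shell_exec_t", requested=requested)


if __name__ == "__main__":
    print(snort_as_posted())         # ('snort_agent_t', ['snort_agent_t snort_exec_t:file execute_no_trans'])
    print(snort_with_auto_trans())   # ('snort_t', [])
    print(su_restricted("pgsql_t"))  # ('pgsql_t', [transition and entrypoint denials])
    print(su_restricted("sysadm_t")) # ('sysadm_t', [])
```

The first call reproduces the `execute_no_trans` denial quoted in the question: with no default transition the kernel keeps the caller's domain, and nothing in the posted rules permits that. The `su_restricted` calls show what the su_macros.te change buys: a shell requested in `pgsql_t` fails both the `process transition` and the `entrypoint` check, while the three listed domains still work.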
From: Daniel.Levine at jhuapl.edu (Levine, Daniel J.)
Date: Mon, 14 Jun 2004 16:20:48 -0400
Subject: Where's my policy source?
Message-ID: <9B1BC8B496577349843830DA4DC9733D05AC0B10@freedom.dom1.jhuapl.edu>

Hey guys,

When I first installed my Fedora Core 2 (release) OS with SELinux, I installed most of the packages I needed, but forgot that AMD doesn't get installed by default. So afterwards I found the am-utils RPM and installed it. Now I get spurious amd related messages from SELinux. I was probably root when I installed am-utils and chances are it didn't put the right contexts on the files and such.

So, I figured I needed to re-label my file system so the amd related files would have the correct SELinux contexts on them. This is what it would do for me right?

Well, so I got to /etc/security/selinux and I don't have a src directory! I'm pretty sure I picked Workstation Install and added various other packages that I thought I needed at installation time. Am-utils is the only after-the-fact package I installed.

So, where is the policy source? I'm looking in the right place right? Now I do see in the SELinux getting started HOWTO that they do something like:

make -C /etc/selinux relabel

Should this cause my amd audit violation messages to go away? How would I have added the am-utils RPM so that its files were labeled correctly in the first place?

Thanks,

Daniel J. Levine
Section Supervisor
Johns Hopkins University Applied Physics Laboratory
443-778-3952
240-228-3952

From russell at coker.com.au Tue Jun 15 01:50:29 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 15 Jun 2004 11:50:29 +1000
Subject: avc denied messages from microcode_ctl
In-Reply-To: <40CDF583.9000904@mindspring.com>
References: <40CD3814.60202@mindspring.com> <200406142017.16843.russell@coker.com.au> <40CDF583.9000904@mindspring.com>
Message-ID: <200406151150.29455.russell@coker.com.au>

On Tue, 15 Jun 2004 04:59, Richard Hally wrote:
>> I suggest just using setfiles to relabel /dev/cpu.
>
> There is no /udev/cpu. There is a /udev/microcode. It is labeled device_t.

There is no /dev/microcode listed in Documentation/devices.txt in the kernel source tree from kernel.org. Please show me the "ls -l /dev/microcode" output. We'll have to add an entry to file_contexts/types.fc for it.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Tue Jun 15 02:05:35 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 15 Jun 2004 12:05:35 +1000
Subject: (Non)Domain Transitioning
In-Reply-To:
References:
Message-ID: <200406151205.35050.russell@coker.com.au>

On Tue, 15 Jun 2004 05:38, Kirk Vogelsang wrote:
> I'm having some problems getting the snortcenter agent (miniserv.pl) to start snort and transition snort to the appropriate snort_t domain. When miniserv starts snort, snort continues to run in the miniserv domain, snort_agent_t (domain I created.)
>
> avc messages show miniserv starting snort with execute_no_trans, which I believe is the problem:

The following policy should do it.

domain_auto_trans(snort_agent_t, snort_exec_t, snort_t)

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From selinux at comcast.net Tue Jun 15 02:13:40 2004
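Russell's one-line answer supplies the piece the question's rules lack: a default transition (type_transition) to snort_t when snort_agent_t executes a file of type snort_exec_t. The Python model below is an added illustration and is not code from the thread or from any SELinux package. It keeps a small rule store, reproduces the kernel's exec-time decision (no type_transition rule means the process stays in its domain and needs execute_no_trans, which is exactly the permission denied in the question), and then applies an approximation of the domain_auto_trans macro. The helper names and the simplified macro expansion are this example's own assumptions; the real macro in macros/core_macros.te adds further rules (fd use, sigchld, dontaudits) that do not affect this decision.

```python
"""Model of the SELinux exec-time domain decision.

Added illustration for the (Non)Domain Transitioning thread; constructed for
this page and not code from any SELinux package.  domain_auto_trans() below
approximates the example policy's macro of the same name.
"""
from collections import defaultdict


class Policy:
    """A tiny store of allow rules and type_transition rules."""

    def __init__(self):
        # (source_type, target_type, object_class) -> set of permissions
        self.allows = defaultdict(set)
        # (domain, executable_type) -> domain entered on exec by default
        self.transitions = {}

    def allow(self, src, tgt, cls, perms):
        self.allows[(src, tgt, cls)] |= set(perms)

    def type_transition(self, src, exec_type, new_domain):
        self.transitions[(src, exec_type)] = new_domain

    def permits(self, src, tgt, cls, perm):
        return perm in self.allows[(src, tgt, cls)]


def exec_decision(policy, domain, exec_type):
    """Decide what happens when `domain` execs a file labelled `exec_type`.

    Returns (domain the new program runs in, list of denials).  Without a
    type_transition rule the process keeps its domain and the kernel checks
    file:execute_no_trans; with one, it checks process:transition to the new
    domain and file:entrypoint for the new domain on the executable.  Both
    paths also need file:execute.  In enforcing mode any denial fails the
    exec; in permissive mode it is only logged and the program runs in the
    domain returned here, which matches snort staying in snort_agent_t.
    """
    denials = []
    if not policy.permits(domain, exec_type, "file", "execute"):
        denials.append(f"denied {{ execute }} {domain} -> {exec_type}:file")
    new_domain = policy.transitions.get((domain, exec_type))
    if new_domain is None:
        if not policy.permits(domain, exec_type, "file", "execute_no_trans"):
            denials.append(
                f"denied {{ execute_no_trans }} {domain} -> {exec_type}:file")
        return domain, denials
    if not policy.permits(domain, new_domain, "process", "transition"):
        denials.append(
            f"denied {{ transition }} {domain} -> {new_domain}:process")
    if not policy.permits(new_domain, exec_type, "file", "entrypoint"):
        denials.append(
            f"denied {{ entrypoint }} {new_domain} -> {exec_type}:file")
    return new_domain, denials


def domain_auto_trans(policy, src, exec_type, new_domain):
    """Approximate expansion of domain_auto_trans(src, exec_type, new_domain)."""
    policy.allow(src, exec_type, "file", {"getattr", "execute"})
    policy.allow(src, new_domain, "process", {"transition"})
    policy.allow(new_domain, exec_type, "file", {"entrypoint"})
    policy.allow(new_domain, src, "fd", {"use"})
    policy.allow(new_domain, src, "process", {"sigchld"})
    # the default transition itself: the rule the question's policy lacks
    policy.type_transition(src, exec_type, new_domain)


def rules_from_question():
    """The two rules quoted in the question (reconstructed from the post)."""
    p = Policy()
    p.allow("snort_agent_t", "snort_exec_t", "file",
            {"read", "execute", "entrypoint"})
    p.allow("snort_agent_t", "snort_t", "process", {"transition"})
    return p


if __name__ == "__main__":
    p = rules_from_question()
    print("before:", exec_decision(p, "snort_agent_t", "snort_exec_t"))
    domain_auto_trans(p, "snort_agent_t", "snort_exec_t", "snort_t")
    print("after: ", exec_decision(p, "snort_agent_t", "snort_exec_t"))
```

The first call reports the execute_no_trans denial from the question; after the macro is applied the same exec lands in snort_t with no denials. The model also shows the other common failure: a type_transition rule whose target domain lacks entrypoint on the executable is refused with an entrypoint denial rather than silently running in the caller's domain.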
From: selinux at comcast.net (Tom London)
Date: Mon, 14 Jun 2004 19:13:40 -0700
Subject: avc denied messages from microcode_ctl
Message-ID: <40CE5B54.7080808@comcast.net>

[root at dell root]# ls -l /udev/microcode
crw-------  1 root root 10, 184 May 25 13:56 /udev/microcode
[root at dell root]# ls -lZ /udev/microcode
crw-------  root root system_u:object_r:device_t /udev/microcode
[root at dell root]#

------------------------------------------------------------------------
* From: Russell Coker
* To: Richard Hally
* Cc: fedora-selinux-list redhat com
* Subject: Re: avc denied messages from microcode_ctl
* Date: Tue, 15 Jun 2004 11:50:29 +1000
------------------------------------------------------------------------

On Tue, 15 Jun 2004 04:59, Richard Hally wrote:
>> I suggest just using setfiles to relabel /dev/cpu.
>
> There is no /udev/cpu. There is a /udev/microcode. It is labeled device_t.

There is no /dev/microcode listed in Documentation/devices.txt in the kernel source tree from kernel.org. Please show me the "ls -l /dev/microcode" output. We'll have to add an entry to file_contexts/types.fc for it.

From russell at coker.com.au Tue Jun 15 02:25:00 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 15 Jun 2004 12:25:00 +1000
Subject: avc denied messages from lvm.static
In-Reply-To: <1087215225.2206.6.camel@sol800.cawthra.com>
References: <40CD373A.9010109@mindspring.com> <200406142128.04825.russell@coker.com.au> <1087215225.2206.6.camel@sol800.cawthra.com>
Message-ID: <200406151225.00789.russell@coker.com.au>

On Mon, 14 Jun 2004 22:13, Francis K Shim wrote:
> I am just adding the audit output I got with regards to lvm.static:
>
> audit(1087215619.565:0): avc: denied { read } for pid=835 exe=/sbin/lvm.static name=dri dev=hda6 ino=409347 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:dri_device_t tclass=dir
> audit(1087215619.575:0): avc: denied { search } for pid=835 exe=/sbin/lvm.static name=dri dev=hda6 ino=409347 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:dri_device_t tclass=dir

We will put in dontaudit rules for that.

> audit(1087215621.189:0): avc: denied { getattr } for pid=835 exe=/sbin/lvm.static path=/dev/shm dev=hda6 ino=603157 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir
> audit(1087215621.189:0): avc: denied { read } for pid=835 exe=/sbin/lvm.static name=shm dev=hda6 ino=603157 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir

This is strange, you are the second person to report that /dev/shm is not mounted. Have you done anything to make it not be mounted?

I think that we have a bug here related to /dev/shm, please send me your /etc/fstab (by private mail).

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Tue Jun 15 02:42:09 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 15 Jun 2004 12:42:09 +1000
Subject: avc denied messages from microcode_ctl
In-Reply-To: <40CE5B54.7080808@comcast.net>
References: <40CE5B54.7080808@comcast.net>
Message-ID: <200406151242.09281.russell@coker.com.au>

On Tue, 15 Jun 2004 12:13, Tom London wrote:
> [root at dell root]# ls -l /udev/microcode
> crw-------  1 root root 10, 184 May 25 13:56 /udev/microcode
> [root at dell root]# ls -lZ /udev/microcode
> crw-------  root root system_u:object_r:device_t /udev/microcode
> [root at dell root]#

It seems that /dev/cpu/[0-9]+/microcode has moved to /dev/microcode. I think that's a good thing.

Add the following to file_contexts/types.fc right after the /dev/cpu entry and then things should be fine.

/u?dev/microcode -c system_u:object_r:cpu_device_t

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From fedora at andrewfarris.com Tue Jun 15 05:48:39 2004
From: fedora at andrewfarris.com (Andrew Farris)
Date: Mon, 14 Jun 2004 22:48:39 -0700
Subject: Where's my policy source?
In-Reply-To: <9B1BC8B496577349843830DA4DC9733D05AC0B10@freedom.dom1.jhuapl.edu>
References: <9B1BC8B496577349843830DA4DC9733D05AC0B10@freedom.dom1.jhuapl.edu>
Message-ID: <1087278519.29912.8.camel@CirithUngol>

On Mon, 2004-06-14 at 16:20 -0400, Levine, Daniel J. wrote:
> Hey guys,
>
> When I first installed my Fedora Core 2 (release) OS with SELinux, I installed most of the packages I needed, but forgot that AMD doesn't get installed by default. So afterwards I found the am-utils RPM and installed it. Now I get spurious amd related messages from SELinux. I was probably root when I installed am-utils and chances are it didn't put the right contexts on the files and such.
>
> So, I figured I needed to re-label my file system so the amd related files would have the correct SELinux contexts on them. This is what it would do for me right?

Probably. That is the first step to take to work things out.

> Well, so I got to /etc/security/selinux and I don't have a src directory! I'm pretty sure I picked Workstation Install and added various other packages that I thought I needed at installation time. Am-utils is the only after-the-fact package I installed.
>
> So, where is the policy source? I'm looking in the right place right? Now I do see in the SELinux getting started HOWTO that they do something like:
> make -C /etc/selinux relabel

The policy-sources package has changed, as did the other selinux packages. You should install the newest packages from rawhide, they are:

selinux-policy-strict (and -sources)
selinux-policy-targeted (and -sources)
selinux-doc
libselinux

The sources will now be in the directory /etc/selinux and the config file will also be in that tree as /etc/selinux/config rather than in /etc/sysconfig.

--
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora at andrewfarris.com :: lordmorgul on irc.freenode.net

From david.balazic at hermes.si Tue Jun 15 07:28:29 2004
From: david.balazic at hermes.si (David Balazic)
Date: Tue, 15 Jun 2004 09:28:29 +0200
Subject: Kernel installation
Message-ID: <600B91D5E4B8D211A58C00902724252C01BC06D7@piramida.hermes.si>

Hi!

On a fresh FC2 install I get this:

[root at localhost root]# rpm -i /mnt/cdrom/fc2updates/kernel-2.6.6-1.427.i686.rpm
warning: /mnt/cdrom/fc2updates/kernel-2.6.6-1.427.i686.rpm: V3 DSA signature: NOKEY, key ID 4f2a6fd2
audit(1087049637.996:0): avc: denied { transition } for pid=2632 exe=/bin/bash path=/sbin/dmsetup dev=hde2 ino=1261594 scontext=root:sysadm_r:bootloader_t tcontext=root:system_r:lvm_t tclass=process
/bin/bash: /root/.bashrc: Permission denied
[root at localhost root]#

It appears to work after that, but I'll report it just in case ;)

The same avc error happens with other kernels, even with one 2.4.x from an older Fedora/RHL version.

Regards,
David Balažic

---------------------------------------------------------------------------------------
http://noepatents.org/ Innovation, not litigation !
---
David Balazic mailto:david.balazic at hermes.si
HERMES Softlab http://www.hermes-softlab.com
Zagrebska cesta 104 Phone: +386 2 450 8851
SI-2000 Maribor Slovenija
---------------------------------------------------------------------------------------
"Be excellent to each other." - Bill S. Preston, Esq. & "Ted" Theodore Logan
---------------------------------------------------------------------------------------

From rhallyx at mindspring.com Tue Jun 15 09:20:31 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Tue, 15 Jun 2004 05:20:31 -0400
Subject: avc denied from postgresql
Message-ID: <40CEBF5F.9020609@mindspring.com>

During bootup the postgresql server fails to start and produces the following avc denied message:

Jun 15 05:09:12 new2 su(pam_unix)[2414]: session opened for user postgres by (uid=0)
Jun 15 05:09:13 new2 kernel: audit(1087290553.569:0): avc: denied { write } for pid=2445 exe=/usr/bin/postgres name=data dev=hda2 ino=788097 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jun 15 05:09:14 new2 su(pam_unix)[2414]: session closed for user postgres
Jun 15 05:09:15 new2 postgresql: Starting postgresql service: failed

This is in enforcing mode with the strict policy selinux-policy-strict-1.13.4-5

Thanks for any help,
Richard Hally

From sds at epoch.ncsc.mil Tue Jun 15 12:10:29 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 15 Jun 2004 08:10:29 -0400
Subject: strange AVC messages with kernel 2.6.6-1.427
In-Reply-To: <200406122138.37552.russell@coker.com.au>
References: <200406122138.37552.russell@coker.com.au>
Message-ID: <1087301429.14630.3.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2004-06-12 at 07:38, Russell Coker wrote:
> With the latest kernel I am getting some strange AVC messages I didn't get with 2.6.5-1.358.
>
> audit(1087039822.666:0): avc: denied { getattr } for pid=5262 exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t tcontext=system_u:object_r:root_t tclass=chr_file
> audit(1087039822.684:0): avc: denied { getattr } for pid=5262 exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t tcontext=system_u:object_r:root_t tclass=chr_file
>
> There is no device node 16381 on the file system. Running the same command repeatedly gives similar messages with different inode numbers, so I guess it's some sort of temporary file. The machine is in enforcing mode and nothing that might want to create a root_t chr_file has permission to do so...

Have you rebooted with a policy that includes the devnull initial SID and context?

--
Stephen Smalley
National Security Agency

From russell at coker.com.au Tue Jun 15 12:53:00 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 15 Jun 2004 22:53:00 +1000
Subject: avc denied from postgresql
In-Reply-To: <40CEBF5F.9020609@mindspring.com>
References: <40CEBF5F.9020609@mindspring.com>
Message-ID: <200406152253.00552.russell@coker.com.au>

On Tue, 15 Jun 2004 19:20, Richard Hally wrote:
> During bootup the postgresql server fails to start and produces the following avc denied message:
>
> Jun 15 05:09:12 new2 su(pam_unix)[2414]: session opened for user postgres by (uid=0)
> Jun 15 05:09:13 new2 kernel: audit(1087290553.569:0): avc: denied { write } for pid=2445 exe=/usr/bin/postgres name=data dev=hda2 ino=788097 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_lib_t tclass=dir

Have you added the following line to postgresql.fc?

/var/lib/pgsql(/.*)? system_u:object_r:postgresql_db_t

As for the source domain being user_t, I'll have to do some tests on that, it's not what's planned. It's probably an unexpected interaction between the recent su changes and the use of su in postgres startup scripts.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From selinux at comcast.net Tue Jun 15 17:13:31 2004
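Both file_contexts entries proposed in these threads, the /u?dev/microcode line for types.fc above and the /var/lib/pgsql line for postgresql.fc here, depend on how setfiles matches a path against the file's regular expressions and on where in the file an entry sits. The Python matcher below is an added illustration, not code from setfiles, libselinux or any policy package. The sample file_contexts text is constructed (its /dev/cpu line is a guess at what Russell calls "the /dev/cpu entry"), and the matcher implements only the basic semantics: a regex anchored at both ends, an optional file-type flag, and a later matching entry overriding an earlier one; the real matcher additionally moves entries without regex metacharacters to the end so that literal paths take priority.

```python
"""Minimal matcher for SELinux file_contexts entries.

Added illustration for the file_contexts lines discussed in these threads;
constructed for this page and not code from setfiles or libselinux.
"""
import re
from dataclasses import dataclass
from typing import Optional

# File-type flags as written in file_contexts: -- regular file, -d directory,
# -c character device, -b block device, -l symlink, -p fifo, -s socket.
TYPE_FLAGS = {"--": "file", "-d": "dir", "-c": "chr", "-b": "blk",
              "-l": "lnk", "-p": "fifo", "-s": "sock"}


@dataclass
class Spec:
    lineno: int
    regex: "re.Pattern"
    ftype: Optional[str]     # None: the entry applies to any file type
    context: Optional[str]   # None: <<none>>, leave the file alone


def parse_file_contexts(text):
    """Parse file_contexts text into a list of Spec in file order."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            pattern, flag, context = parts
            ftype = TYPE_FLAGS[flag]
        elif len(parts) == 2:
            pattern, context = parts
            ftype = None
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 fields: {raw!r}")
        specs.append(Spec(lineno, re.compile(pattern), ftype,
                          None if context == "<<none>>" else context))
    return specs


def match_context(specs, path, ftype="file"):
    """Return (context, lineno) of the winning entry, or (None, None).

    Entries are tried from the last to the first, so a more specific entry
    placed after a general one wins; that is why the microcode line goes
    after the /dev/cpu entry and the pgsql line after the /var/lib one.
    """
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            return spec.context, spec.lineno
    return None, None


# Constructed excerpt in the style of types.fc and postgresql.fc, containing
# the two entries this thread adds.  The /dev/cpu line is a guess.
SAMPLE_FC = """
/u?dev(/.*)?            system_u:object_r:device_t
/u?dev/cpu(/.*)?        system_u:object_r:cpu_device_t
/u?dev/microcode  -c    system_u:object_r:cpu_device_t
/var/lib(/.*)?          system_u:object_r:var_lib_t
/var/lib/pgsql(/.*)?    system_u:object_r:postgresql_db_t
"""

if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FC)
    for path, ftype in (("/udev/microcode", "chr"), ("/udev/microcode", "file"),
                        ("/var/lib/pgsql/data", "dir"), ("/var/lib/rpm", "dir")):
        print(path, ftype, "->", match_context(specs, path, ftype))
```

With the pgsql line present, /var/lib/pgsql/data resolves to postgresql_db_t; drop that line and the same path falls back to var_lib_t, which is the tcontext in Richard's denial. The -c flag on the microcode entry means it only applies to a character device: a regular file of that name would still get device_t from the general /u?dev entry.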
From: selinux at comcast.net (Tom London)
Date: Tue, 15 Jun 2004 10:13:31 -0700
Subject: 'unable to relabel' in /dev.... MAKEDEV-3.7-2
Message-ID: <40CF2E3B.90808@comcast.net>

Running off of the development tree, MAKEDEV-3.7-2 creates lots of new files. Running 'fixfiles relabel' or 'setfiles -v $FC /dev' generates lots of error messages like:

/dev/ptyu7: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyu7 to system_u:object_r:device_t
/dev/ptyd7: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyd7 to system_u:object_r:device_t
/dev/ptyde: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyde to system_u:object_r:device_t
/dev/ptyac: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyac to system_u:object_r:device_t
/dev/ptys1: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptys1 to system_u:object_r:device_t
/dev/ircomm9: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ircomm9 to system_u:object_r:device_t
/dev/ptyre: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyre to system_u:object_r:device_t

Here is an 'ls -l' of one of the files:

[root at dell dev]# ls -l ptyu7
crw-rw-rw-  1 root tty 2, 87 Jun 14 12:42 ptyu7
[root at dell dev]# ls -lZ $_
crw-rw-rw-  root tty root:object_r:device_t ptyu7
[root at dell dev]#

I'm running selinux-policy-strict-1.13.4-6, with file_contexts augmented with Russell Coker's fix for /udev/microcode.

tom

From selinux at comcast.net Tue Jun 15 22:07:36 2004
From: selinux at comcast.net (Tom London)
Date: Tue, 15 Jun 2004 15:07:36 -0700
Subject: 'unable to relabel' in /dev.... MAKEDEV-3.7-2, AVCs provided
In-Reply-To: <40CF2E3B.90808@comcast.net>
References: <40CF2E3B.90808@comcast.net>
Message-ID: <40CF7328.5060002@comcast.net>

Relabeling works in permissive mode.

I worked around a broken sysklogd to get AVCs for this. These were produced by running 'restorecon -v /dev/ircomm0; setenforce 0; restorecon -v /dev/ircomm0':

audit(1087336052.916:0): avc: denied { relabelto } for pid=4459 exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075 scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1087336122.785:0): avc: granted { setenforce } for pid=4461 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
audit(1087336125.404:0): avc: denied { relabelto } for pid=4462 exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075 scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t tclass=chr_file

I'm confused.... restorecon.te has entries:

allow restorecon_t device_type:{ chr_file blk_file } { getattr relabelfrom relabelto };
allow restorecon_t device_t:{ chr_file blk_file } { getattr relabelfrom };

The AVCs imply 'relabelto' is needed on the second line too, or is this an issue with MAKEDEV creating the files improperly?

tom

Tom London wrote:
> Running off of the development tree, MAKEDEV-3.7-2 creates lots of new files. Running 'fixfiles relabel' or 'setfiles -v $FC /dev' generates lots of error messages like:
>
> /dev/ptyu7: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ptyu7 to system_u:object_r:device_t
> /dev/ptyd7: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ptyd7 to system_u:object_r:device_t
> /dev/ptyde: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ptyde to system_u:object_r:device_t
> /dev/ptyac: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ptyac to system_u:object_r:device_t
> /dev/ptys1: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ptys1 to system_u:object_r:device_t
> /dev/ircomm9: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ircomm9 to system_u:object_r:device_t
> /dev/ptyre: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ptyre to system_u:object_r:device_t
>
> Here is an 'ls -l' of one of the files:
> [root at dell dev]# ls -l ptyu7
> crw-rw-rw-  1 root tty 2, 87 Jun 14 12:42 ptyu7
> [root at dell dev]# ls -lZ $_
> crw-rw-rw-  root tty root:object_r:device_t ptyu7
> [root at dell dev]#
>
> I'm running selinux-policy-strict-1.13.4-6, with file_contexts augmented with Russell Coker's fix for /udev/microcode.
>
> tom
>

From mike at flyn.org Wed Jun 16 00:56:23 2004
From: mike at flyn.org (W. Michael Petullo)
Date: Wed, 16 Jun 2004 00:56:23 +0000
Subject: Where should an RPM install .te/.fc files?
Message-ID: <1087347383l.24782l.0l@imp.flyn.org>

Hello everyone,

I maintain an RPM that installs .te and .fc files. In the past, contributing to the system's SELinux policy could be done by installing files in /etc/security/selinux/src/policy (I'm not sure this is right to begin with):

%policy %{_sysconfdir}/security/selinux/src/policy/macros/pam_mount_macros.te
%policy %{_sysconfdir}/security/selinux/src/policy/file_contexts/misc/pam_mount.fc

However, now policies may be in /etc/selinux/strict/src/policy/ or /etc/selinux/targeted/src/policy/. It is also possible that only one of these directories exists.

What is the proper procedure for an RPM to contribute to the system's SELinux policy? My RPM introduces new contexts and provides new allow statements. The Fedora Core 2 SELinux FAQ does not seem to address these questions, though it does allude to SELinux-related RPM hooks.

--
Mike

From russell at coker.com.au Wed Jun 16 01:50:41 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 16 Jun 2004 11:50:41 +1000
Subject: 'unable to relabel' in /dev.... MAKEDEV-3.7-2, AVCs provided
In-Reply-To: <40CF7328.5060002@comcast.net>
References: <40CF2E3B.90808@comcast.net> <40CF7328.5060002@comcast.net>
Message-ID: <200406161150.41197.russell@coker.com.au>

On Wed, 16 Jun 2004 08:07, Tom London wrote:
> I'm confused.... restorecon.te has entries:
> allow restorecon_t device_type:{ chr_file blk_file } { getattr relabelfrom relabelto };
> allow restorecon_t device_t:{ chr_file blk_file } { getattr relabelfrom };

Ideally there should be no device nodes with type device_t, we should have correct labels assigned to all of them. Therefore changing a label from something in device_type to device_t is generally not desired.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Wed Jun 16 01:54:24 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 16 Jun 2004 11:54:24 +1000
Subject: 'unable to relabel' in /dev.... MAKEDEV-3.7-2
In-Reply-To: <40CF2E3B.90808@comcast.net>
References: <40CF2E3B.90808@comcast.net>
Message-ID: <200406161154.24986.russell@coker.com.au>

On Wed, 16 Jun 2004 03:13, Tom London wrote:
> Running off of the development tree, MAKEDEV-3.7-2 creates lots of new files. Running 'fixfiles relabel' or 'setfiles -v $FC /dev' generates lots of error messages like:
>
> /dev/ptyu7: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ptyu7 to system_u:object_r:device_t

The /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] device nodes do not work on SE Linux and almost certainly never will.

I am under the impression that /dev/[tp]ty* are strongly deprecated and not used in any software we ship. Is it time to completely remove them from Fedora?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From selinux at comcast.net Wed Jun 16 03:32:13 2004
From: selinux at comcast.net (Tom London)
Date: Tue, 15 Jun 2004 20:32:13 -0700
Subject: 'unable to relabel' in /dev.... MAKEDEV-3.7-2, AVCs provided
In-Reply-To: <200406161150.41197.russell@coker.com.au>
References: <40CF2E3B.90808@comcast.net> <40CF7328.5060002@comcast.net> <200406161150.41197.russell@coker.com.au>
Message-ID: <40CFBF3D.6010905@comcast.net>

OK. I think I understand what is going on:

Some of the packages in the development tree do not have context labels, that is, 'rpm -q --filecontext MAKEDEV' shows no context labels (just file names). So the special files in /dev got created with type 'device_t'.... sigh.

I'm guessing that as we get closer to 'release' or 'update' packages this will not be as big a problem. In the interim, I'll stick with running something like

rpm -ql Package | xargs restorecon

after installs/upgrades.

It's what I deserve for running off of the development tree!

thanks,
tom

Russell Coker wrote:
> On Wed, 16 Jun 2004 08:07, Tom London wrote:
>> I'm confused.... restorecon.te has entries:
>> allow restorecon_t device_type:{ chr_file blk_file } { getattr relabelfrom relabelto };
>> allow restorecon_t device_t:{ chr_file blk_file } { getattr relabelfrom };
>
> Ideally there should be no device nodes with type device_t, we should have correct labels assigned to all of them. Therefore changing a label from something in device_type to device_t is generally not desired.

From rhallyx at mindspring.com Wed Jun 16 04:31:58 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Wed, 16 Jun 2004 00:31:58 -0400
Subject: avc denied from postgresql
In-Reply-To: <200406152253.00552.russell@coker.com.au>
References: <40CEBF5F.9020609@mindspring.com> <200406152253.00552.russell@coker.com.au>
Message-ID: <40CFCD3E.8090400@mindspring.com>

Russell Coker wrote:
> On Tue, 15 Jun 2004 19:20, Richard Hally wrote:
>> During bootup the postgresql server fails to start and produces the following avc denied message:
>>
>> Jun 15 05:09:12 new2 su(pam_unix)[2414]: session opened for user postgres by (uid=0)
>> Jun 15 05:09:13 new2 kernel: audit(1087290553.569:0): avc: denied { write } for pid=2445 exe=/usr/bin/postgres name=data dev=hda2 ino=788097 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_lib_t tclass=dir
>
> Have you added the following line to postgresql.fc?
> /var/lib/pgsql(/.*)? system_u:object_r:postgresql_db_t

With the above change to the postgresql.fc I get the following avc denied messages when booting:

Jun 16 00:19:15 new2 su(pam_unix)[2452]: session opened for user postgres by (uid=0)
Jun 16 00:19:15 new2 kernel: audit(1087359555.469:0): avc: denied { search } for pid=2453 exe=/bin/su name=pgsql dev=hda2 ino=722952 scontext=system_u:system_r:initrc_su_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jun 16 00:19:15 new2 kernel: audit(1087359555.496:0): avc: denied { search } for pid=2453 exe=/bin/bash name=pgsql dev=hda2 ino=722952 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jun 16 00:19:15 new2 kernel: audit(1087359555.521:0): avc: denied { search } for pid=2453 exe=/bin/bash name=pgsql dev=hda2 ino=722952 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jun 16 00:19:15 new2 last message repeated 3 times
Jun 16 00:19:15 new2 kernel: audit(1087359555.604:0): avc: denied { search } for pid=2453 exe=/bin/bash name=pgsql dev=hda2 ino=722952 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jun 16 00:19:15 new2 kernel: audit(1087359555.674:0): avc: denied { search } for pid=2453 exe=/bin/bash name=pgsql dev=hda2 ino=722952 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jun 16 00:19:15 new2 kernel: audit(1087359555.710:0): avc: denied { search } for pid=2473 exe=/bin/bash name=pgsql dev=hda2 ino=722952 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jun 16 00:19:15 new2 kernel: audit(1087359555.714:0): avc: denied { search } for pid=2484 exe=/bin/sed name=pgsql dev=hda2 ino=722952 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jun 16 00:19:15 new2 su(pam_unix)[2452]: session closed for user postgres
Jun 16 00:19:15 new2 kernel: audit(1087359555.993:0): avc: denied { search } for pid=2482 exe=/usr/bin/postgres name=pgsql dev=hda2 ino=722952 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jun 16 00:19:16 new2 postgresql: Starting postgresql service: failed

HTH
Richard Hally

From russell at coker.com.au Wed Jun 16 04:50:14 2004
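Every thread here starts from audit(...): avc: lines, and several of the replies show that the right response is not always a new allow rule: device_t on a device node, file_t on /dev/shm and var_lib_t on the postgres data directory all turned out to be labelling or mount problems. The parser below is an added example, not audit2allow and not code from any package in these threads. It collapses denials into the allow rules that would silence them, which is what audit2allow does in outline, and flags the target types that the replies above identify as labelling symptoms. The hint table is this example's own summary of those replies, and the sample lines are copied from messages in these threads.

```python
"""Parse the audit(...): avc: lines quoted in these threads and summarize them.

Added illustration: not audit2allow and not code from any package in the
thread.  The sample lines are copied from messages above; the hint table
records what the replies found behind three target types.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Target types that, in these threads, signalled a labelling or mount problem
# rather than a missing allow rule (compiled from the replies above).
LABELLING_HINTS = {
    "device_t": "generic /dev label; the node was never relabelled to its device type",
    "file_t": "unlabelled object; the filesystem is not labelled or not mounted there",
    "var_lib_t": "generic /var/lib label; the directory needs its own file_contexts entry",
}


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "exe": fields.get("exe"),
        "object": fields.get("path") or fields.get("name"),
    }


def summarize(lines):
    """Collapse denials into (source, target, class) -> perms and collect hints."""
    rules = defaultdict(set)
    hints = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":   # skip noise and 'granted'
            continue
        rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
        if rec["target"] in LABELLING_HINTS:
            hints.append((rec["object"], rec["target"], LABELLING_HINTS[rec["target"]]))
    return dict(rules), hints


def as_allow_rules(rules):
    """Render the summary as policy allow rules (what audit2allow would emit)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


# Sample input: lines copied from messages in these threads.
SAMPLE_LOG = [
    "audit(1087215619.565:0): avc: denied { read } for pid=835 exe=/sbin/lvm.static name=dri dev=hda6 ino=409347 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:dri_device_t tclass=dir",
    "audit(1087215619.575:0): avc: denied { search } for pid=835 exe=/sbin/lvm.static name=dri dev=hda6 ino=409347 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:dri_device_t tclass=dir",
    "audit(1087215621.189:0): avc: denied { getattr } for pid=835 exe=/sbin/lvm.static path=/dev/shm dev=hda6 ino=603157 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir",
    "audit(1087336052.916:0): avc: denied { relabelto } for pid=4459 exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075 scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t tclass=chr_file",
    "audit(1087336122.785:0): avc: granted { setenforce } for pid=4461 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security",
    "Jun 15 05:09:13 new2 kernel: audit(1087290553.569:0): avc: denied { write } for pid=2445 exe=/usr/bin/postgres name=data dev=hda2 ino=788097 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_lib_t tclass=dir",
]

if __name__ == "__main__":
    rules, hints = summarize(SAMPLE_LOG)
    print("\n".join(as_allow_rules(rules)))
    for obj, ttype, why in hints:
        print(f"check labelling first: {obj} is {ttype}: {why}")
```

On the sample input the two lvm.static denials on /dev/dri fold into one `allow lvm_t dri_device_t:dir { read search };` line (the case Russell answers with a dontaudit rather than an allow), while the /dev/shm, ircomm0 and pgsql data lines are reported as labelling checks to do before touching the policy, which is how each of those threads was resolved.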
From: russell at coker.com.au (Russell Coker)
Date: Wed, 16 Jun 2004 14:50:14 +1000
Subject: Where should an RPM install .te/.fc files?
In-Reply-To: <1087347383l.24782l.0l@imp.flyn.org>
References: <1087347383l.24782l.0l@imp.flyn.org>
Message-ID: <200406161450.14469.russell@coker.com.au>

On Wed, 16 Jun 2004 10:56, "W. Michael Petullo" wrote:
> I maintain an RPM that installs .te and .fc files. In the past, contributing to the system's SELinux policy could be done by installing files in /etc/security/selinux/src/policy (I'm not sure this is right to begin with):
>
> %policy %{_sysconfdir}/security/selinux/src/policy/macros/pam_mount_macros.te
> However, now policies may be in /etc/selinux/strict/src/policy/ or /etc/selinux/targeted/src/policy/. It is also possible that only one of these directories exists.

I don't think that your macros file fits in with the targeted policy, and I think that the general aims of the targeted policy don't involve that sort of thing (but this hasn't been considered much so far). It's probably best to install the files under only the strict directory.

It is also possible that only one of those directories exists.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From iyigunler at itu.edu.tr Wed Jun 16 12:56:41 2004
From: iyigunler at itu.edu.tr (Ismail Iyigunler)
Date: Wed, 16 Jun 2004 15:56:41 +0300
Subject: problem relabeling with FC2
Message-ID: <1087390601.40d0438977de8@webmail.students.itu.edu.tr>

Hi

I'm using Fedora Core 2 with kernel 2.6.6 with SELinux. However some of my directories' (in /proc for example) security context still looks "(null)". I tried the instructions in GettingStartedWithNewSELinux.pdf to relabel all the file system, but it did not work (both permissive and enforcing mode):

[root at santiago /]#
[root at santiago /]# make -C /etc/security/selinux/src/policy/ relabel
make: Entering directory /etc/security/selinux/src/policy/
Cleaning out /tmp
rm -rf /tmp/.??* /tmp/*
/usr/bin/setfiles file_context/file_context 'mount | grep -v bind | grep -v " context=" | awk ' /(ext[23]|xfs).*rw{print $3}'
/usr/bin/setfiles: read 1426 spesifications
/usr/bin/setfiles: labeling files under /
/usr/bin/setfiles: error while labeling files under /
make:*** [relabel] Error 1
make: Leaving directory '/etc/security/selinux/src/policy'
[root at santiago policy]#

What have I missed? Could anyone help me on this? Your attention is greatly appreciated.

Thank you.

-------------------------------------------------
This mail sent through IMP: http://webmail.students.itu.edu.tr

From russell at coker.com.au Wed Jun 16 13:24:09 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 16 Jun 2004 23:24:09 +1000
Subject: problem relabeling with FC2
In-Reply-To: <1087390601.40d0438977de8@webmail.students.itu.edu.tr>
References: <1087390601.40d0438977de8@webmail.students.itu.edu.tr>
Message-ID: <200406162324.09404.russell@coker.com.au>

On Wed, 16 Jun 2004 22:56, Ismail Iyigunler wrote:
> I'm using Fedora Core 2 with kernel 2.6.6 with SELinux. However some of my directories' (in /proc for example) security context still looks "(null)".

There is no kernel support for exporting the security context of files in /proc to user space via the XATTR interface. So "ls -Z /proc" will always show "(null)". This has been discussed on the main SE Linux list, it's currently not considered to be worth the effort of changing this.

Some other file systems that lack the virtual XATTR support that devpts has will get it added.

> [root at santiago /]# make -C /etc/security/selinux/src/policy/ relabel
> [...]
> /usr/bin/setfiles: read 1426 spesifications
> /usr/bin/setfiles: labeling files under /
> /usr/bin/setfiles: error while labeling files under /
> make:*** [relabel] Error 1
> make: Leaving directory '/etc/security/selinux/src/policy'
> [root at santiago policy]#

Are there any AVC messages displayed about setfiles? Are you in enforcing mode?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From alan at redhat.com Wed Jun 16 07:54:12 2004
From: alan at redhat.com (Alan Cox)
Date: Wed, 16 Jun 2004 03:54:12 -0400
Subject: 'unable to relabel' in /dev.... MAKEDEV-3.7-2
In-Reply-To: <200406161154.24986.russell@coker.com.au>
References: <40CF2E3B.90808@comcast.net> <200406161154.24986.russell@coker.com.au>
Message-ID: <20040616075412.GA19237@devserv.devel.redhat.com>

On Wed, Jun 16, 2004 at 11:54:24AM +1000, Russell Coker wrote:
> I am under the impression that /dev/[tp]ty* are strongly deprecated and not used in any software we ship. Is it time to completely remove them from Fedora?

Some third party software still uses them. If they don't work with SELinux I don't see a problem in them still being there.

From iyigunler at itu.edu.tr Wed Jun 16 14:08:29 2004
From: iyigunler at itu.edu.tr (Ismail Iyigunler) Date: Wed, 16 Jun 2004 17:08:29 +0300 Subject: problem relabeling with FC2 In-Reply-To: <200406162324.09404.russell@coker.com.au> References: <1087390601.40d0438977de8@webmail.students.itu.edu.tr> <200406162324.09404.russell@coker.com.au> Message-ID: <1087394909.40d0545d226c8@webmail.students.itu.edu.tr> Hi But there are some directories and files shown as "(null)", like /lost+found or /sys. Is this normal? There are no AVC messages shown for it, nor in /var/log/messages, and this happens both in enforcing and permissive mode. Quoting Russell Coker : > On Wed, 16 Jun 2004 22:56, Ismail Iyigunler wrote: > > I'm using Fedora Core 2 with kernel 2.6.6 with SELinux. However some of my > > directories' (in /proc for example) security context still looks "(null)". > > There is no kernel support for exporting the security context of files > in /proc to user space via the XATTR interface. So "ls -Z /proc" will always > > show "(null)". This has been discussed on the main SE Linux list, it's > currently not considered to be worth the effort of changing this. > > Some other file systems that lack the virtual XATTR support that devpts has > will get it added. > > > [root at santiago /]# make -C /etc/security/selinux/src/policy/ relabel > > > [...] > > /usr/bin/setfiles: read 1426 spesifications > > /usr/bin/setfiles: labeling files under / > > /usr/bin/setfiles: error while labeling files under / > > make:*** [relabel] Error 1 > > make: Leaving directory '/etc/security/selinux/src/policy' > > [root at santiago policy]# > > Are there any AVC messages displayed about setfiles? Are you in enforcing > mode? 
> > -- > http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages > http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark > http://www.coker.com.au/postal/ Postal SMTP/POP benchmark > http://www.coker.com.au/~russell/ My home page > ------------------------------------------------- This mail sent through IMP: http://webmail.students.itu.edu.tr From sds at epoch.ncsc.mil Wed Jun 16 14:22:11 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Wed, 16 Jun 2004 10:22:11 -0400 Subject: problem relabeling with FC2 In-Reply-To: <1087394909.40d0545d226c8@webmail.students.itu.edu.tr> References: <1087390601.40d0438977de8@webmail.students.itu.edu.tr> <200406162324.09404.russell@coker.com.au> <1087394909.40d0545d226c8@webmail.students.itu.edu.tr> Message-ID: <1087395730.16125.36.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2004-06-16 at 10:08, Ismail Iyigunler wrote: > Hi > > But there are some directories and files shown as "(null)". like /lost+found > or /sys. Is this normal? For /sys, yes. /lost+found should have a visible context, assuming it is on a filesystem that supports them (e.g. ext3). See http://www.redhat.com/archives/fedora-selinux-list/2004-June/msg00004.html > There's no AVC messages shown for it, also in /var/log/messages, and this > happens both in enforcing and permissive mode. The kernel internally has a context for the inode, but it isn't exported to userspace due to the lack of an xattr handler. -- Stephen Smalley National Security Agency From mike at flyn.org Wed Jun 16 16:48:58 2004 
From: mike at flyn.org (mike at flyn.org) Date: Wed, 16 Jun 2004 11:48:58 -0500 Subject: Where should an RPM install .te/.fc files? Message-ID: <20040616154858.8390B31504@neuromancer.voxel.net> >> I maintain an RPM that installs .te and .fc files. In the past, >> contributing to the system's SELinux policy could be done by installing >> files in /etc/security/selinux/src/policy (I'm not sure this is right >> to begin with): >> %policy %{_sysconfdir}/security/selinux/src/policy/macros/ >> pam_mount_macros.te >> However, now policies may be in /etc/selinux/strict/src/policy/ or / >> etc/selinux/targeted/src/policy/. It is also possible that only one of >> these directories exists. > I don't think that your macros file fits in with the targeted policy, and > I think that the general aims of the targeted policy don't involve that > sort of thing (but this hasn't been considered much so far). > It's probably best to install the files under only the strict directory. > It is also possible that only one of those directories exists. Installing exclusively under the strict policy makes sense. The things I am explicitly allowing should probably already be allowed by the targeted policy. However, what about the case where a user does not have the strict policy installed? In this case my RPM will install its policy files to an otherwise empty policy source tree. This may result in directories like /etc/selinux/strict being orphans -- not owned by any RPM. Should this be avoided somehow? Thanks for your help! -- Mike From Valdis.Kletnieks at vt.edu Wed Jun 16 15:50:16 2004 
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Wed, 16 Jun 2004 11:50:16 -0400 Subject: 'unable to relabel' in /dev.... MAKEDEV-3.7-2 In-Reply-To: Your message of "Wed, 16 Jun 2004 03:54:12 EDT." <20040616075412.GA19237@devserv.devel.redhat.com> References: <40CF2E3B.90808@comcast.net> <200406161154.24986.russell@coker.com.au> <20040616075412.GA19237@devserv.devel.redhat.com> Message-ID: <200406161550.i5GFoGHn019080@turing-police.cc.vt.edu> On Wed, 16 Jun 2004 03:54:12 EDT, Alan Cox said: > On Wed, Jun 16, 2004 at 11:54:24AM +1000, Russell Coker wrote: > > I am under the impression that /dev/[tp]ty* are strongly deprecated and not > > used in any software we ship. Is it time to completely remove them from > > Fedora? > > Some third party software still uses them. If they don't work with SELinux > I don't see a problem in them still being there. Looks like Linus picked up the LEGACY_PTY support back around 2.6.4-rc1 back in February, and nobody's said much about finding anything that was impacted by it. At the time, there was a lot of discussion and not many people mentioned any actual users of BSD ptys.... I don't see any reason that Fedora couldn't change the kernel config default to 'CONFIG_LEGACY_PTY=n' in the devel tree and see if anybody notices. It's certainly less intrusive than dropping exec-shield in and seeing who noticed, and THAT was considered acceptable... From jhooper at tlcontact.com Wed Jun 16 18:51:09 2004 
From: jhooper at tlcontact.com (Jason Hooper) Date: Wed, 16 Jun 2004 13:51:09 -0500 Subject: ntp Message-ID: <200406161852.i5GIq8e1011976@mx1.redhat.com> could someone point me in the direction of getting ntp to work with selinux on fedora C2? does anyone have experience with this? is it supposed to just work with the default file_contexts? any help is appreciated...thanks j .. From selinux at comcast.net Wed Jun 16 22:54:42 2004 From: selinux at comcast.net (Tom London) Date: Wed, 16 Jun 2004 15:54:42 -0700 Subject: /usr/bin/run-parts->system_u:object_r:bin_t (?!) Message-ID: <40D0CFB2.2090603@comcast.net> /usr/bin/run-parts has context system_u:object_r:bin_t under selinux-policy-strict-1.13.4-6 (and earlier). crond_t.te has entries to search bin_t dirs, but not to read/getattr/execute bin_t files. Here is the AVC for run-parts: audit(1087423260.368:0): avc: denied { getattr } for pid=4135 exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file thanks. tom From russell at coker.com.au Thu Jun 17 00:43:01 2004 
From: russell at coker.com.au (Russell Coker) Date: Thu, 17 Jun 2004 10:43:01 +1000 Subject: /usr/bin/run-parts->system_u:object_r:bin_t (?!) In-Reply-To: <40D0CFB2.2090603@comcast.net> References: <40D0CFB2.2090603@comcast.net> Message-ID: <200406171043.01939.russell@coker.com.au> On Thu, 17 Jun 2004 08:54, Tom London wrote: > /usr/bin/run-parts has context system_u:object_r:bin_t under > selinux-policy-strict-1.13.4-6 (and earlier). > > crond_t.te has entries to search bin_t dirs, but not to > read/getattr/execute bin_t files. > > Here is the AVC for run-parts: > audit(1087423260.368:0): avc: denied { getattr } for pid=4135 > exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312 > scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t > tclass=file This appears to be a bug in crond, it should not be executing that program in crond_t. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From selinux at comcast.net Thu Jun 17 01:10:49 2004 
From: selinux at comcast.net (Tom London) Date: Wed, 16 Jun 2004 18:10:49 -0700 Subject: /usr/bin/run-parts->system_u:object_r:bin_t (?!) In-Reply-To: <200406171043.01939.russell@coker.com.au> References: <40D0CFB2.2090603@comcast.net> <200406171043.01939.russell@coker.com.au> Message-ID: <40D0EF99.8060701@comcast.net> Is it possible that the 'mrtg_exec_t' issue is the same? crond seems to want to execute /usr/bin/mrtg (system_u:object_r:mrtg_exec_t) as crond_t as well..... tom Russell Coker wrote: >On Thu, 17 Jun 2004 08:54, Tom London wrote: > > >>/usr/bin/run-parts has context system_u:object_r:bin_t under >>selinux-policy-strict-1.13.4-6 (and earlier). >> >>crond_t.te has entries to search bin_t dirs, but not to >>read/getattr/execute bin_t files. >> >>Here is the AVC for run-parts: >>audit(1087423260.368:0): avc: denied { getattr } for pid=4135 >>exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312 >>scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t >>tclass=file >> >> > >This appears to be a bug in crond, it should not be executing that program in >crond_t. > > > From russell at coker.com.au Thu Jun 17 03:01:18 2004 
From: russell at coker.com.au (Russell Coker) Date: Thu, 17 Jun 2004 13:01:18 +1000 Subject: ntp In-Reply-To: <200406161852.i5GIq8e1011976@mx1.redhat.com> References: <200406161852.i5GIq8e1011976@mx1.redhat.com> Message-ID: <200406171301.18311.russell@coker.com.au> On Thu, 17 Jun 2004 04:51, "Jason Hooper" wrote: > could someone point me in the direction of getting ntp to work with selinux > on fedora C2? does anyone have experience with this? is it supposed to > just work with the default file_contexts? any help is > appreciated...thanks For the typical operation (synchronising from a master server somewhere on the net) it is supposed to just work, it does for me. I have a rawhide machine running the strict SE Linux policy synchronising with an NTP server right now, and I don't believe that FC2 differs from the current rawhide in any significant way related to NTP. Does ntpd support directly interfacing with GPS hardware or other accurate time sources? If so some extra policy will be needed to support this. If you see any AVC messages related to ntpd then please post them to this list. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From russell at coker.com.au Thu Jun 17 03:58:42 2004 
From: russell at coker.com.au (Russell Coker) Date: Thu, 17 Jun 2004 13:58:42 +1000 Subject: /usr/bin/run-parts->system_u:object_r:bin_t (?!) In-Reply-To: <40D0EF99.8060701@comcast.net> References: <40D0CFB2.2090603@comcast.net> <200406171043.01939.russell@coker.com.au> <40D0EF99.8060701@comcast.net> Message-ID: <200406171358.42846.russell@coker.com.au> On Thu, 17 Jun 2004 11:10, Tom London wrote: > Is it possible that the 'mrtg_exec_t' issue is the same? crond seems to > want to execute /usr/bin/mrtg (system_u:object_r:mrtg_exec_t) as crond_t > as well..... Yes. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From udjinrg at forenet.by Thu Jun 17 09:09:57 2004 
From: udjinrg at forenet.by (Maxim Britov) Date: Thu, 17 Jun 2004 12:09:57 +0300 Subject: mount reiserfs (novice) Message-ID: <20040617120957.2dea34f4@maxim-l.office.modum.by> I can't mount reiserfs. I have just begun studying SE Linux. Could you help me? FC2+updates: mount /dev/hdc2 /mnt/disk # dmesg ReiserFS: hdc2: found reiserfs format "3.6" with standard journal ReiserFS: hdc2: using ordered data mode ReiserFS: hdc2: journal params: device hdc2, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30 ReiserFS: hdc2: checking transaction log (hdc2) ReiserFS: hdc2: Using r5 hash to sort names audit(1087473997.967:0): avc: denied { search } for pid=2885 exe=/bin/mount dev=hdc2 ino=2 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir ReiserFS: hdc2: warning: xattrs/ACLs enabled and couldn't find/create .reiserfs_priv. Failing mount. # id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t # ls -Z drwxr-xr-x root root system_u:object_r:mnt_t cdrom drwxr-xr-x+ root root system_u:object_r:mnt_t disk mkfs.ext2 and mount - works fine. -- MaxBritov GnuPG KeyID 0x4580A6D66F3DB1FB Keyserver hkp://keyserver.kjsl.com Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB JABBER: maxbritov on jabber.org/jabber.ru ICQ 198171258 From russell at coker.com.au Thu Jun 17 11:29:00 2004 
From: russell at coker.com.au (Russell Coker) Date: Thu, 17 Jun 2004 21:29:00 +1000 Subject: mount reiserfs (novice) In-Reply-To: <20040617120957.2dea34f4@maxim-l.office.modum.by> References: <20040617120957.2dea34f4@maxim-l.office.modum.by> Message-ID: <200406172129.00895.russell@coker.com.au> On Thu, 17 Jun 2004 19:09, Maxim Britov wrote: > I can't mount reiserfs. I have just begun studying SE Linux. Could you help me? > > # dmesg > ReiserFS: hdc2: found reiserfs format "3.6" with standard journal > ReiserFS: hdc2: using ordered data mode > ReiserFS: hdc2: journal params: device hdc2, size 8192, journal first block > 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30 > ReiserFS: hdc2: checking transaction log (hdc2) > ReiserFS: hdc2: Using r5 hash to sort names > audit(1087473997.967:0): avc: denied { search } for pid=2885 > exe=/bin/mount dev=hdc2 ino=2 scontext=root:sysadm_r:mount_t > tcontext=system_u:object_r:unlabeled_t tclass=dir ReiserFS: hdc2: warning: > xattrs/ACLs enabled and couldn't find/create .reiserfs_priv. Failing mount. I've just reproduced this bug on the kernel.org 2.6.7 kernel. It seems that there is a hidden directory on a ReiserFS file system used for XATTRs which is unlabeled. Allowing mount to search this directory does no good as many (most?) operations also need it (eg setfiles). I've CC'd the ReiserFS mailing list. I would be happy to work with ReiserFS developers in debugging this and testing the fix. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From russell at coker.com.au Thu Jun 17 11:36:45 2004 
From: russell at coker.com.au (Russell Coker) Date: Thu, 17 Jun 2004 21:36:45 +1000 Subject: mount reiserfs (novice) In-Reply-To: <200406172129.00895.russell@coker.com.au> References: <20040617120957.2dea34f4@maxim-l.office.modum.by> <200406172129.00895.russell@coker.com.au> Message-ID: <200406172136.45131.russell@coker.com.au> On Thu, 17 Jun 2004 21:29, Russell Coker wrote: > I've just reproduced this bug on the kernel.org 2.6.7 kernel. It seems > that there is a hidden directory on a ReiserFS file system used for XATTRs > which is unlabeled. Allowing mount to search this directory does no good > as many (most?) operations also need it (eg setfiles). We should probably change the policy now to include the following line, and also do sed -e "s/xfs/xfs|reiserfs/" on the Makefile. fs_use_xattr reiserfs system_u:object_r:fs_t; -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From sds at epoch.ncsc.mil Thu Jun 17 11:46:28 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 17 Jun 2004 07:46:28 -0400 Subject: /usr/bin/run-parts->system_u:object_r:bin_t (?!) In-Reply-To: <200406171043.01939.russell@coker.com.au> References: <40D0CFB2.2090603@comcast.net> <200406171043.01939.russell@coker.com.au> Message-ID: <1087472788.25033.4.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2004-06-16 at 20:43, Russell Coker wrote: > This appears to be a bug in crond, it should not be executing that program in > crond_t. Yes, the current vixie-cron in rawhide is broken; fails to set its exec context before executing cron jobs due to a logic error. Dan already knows. -- Stephen Smalley National Security Agency From sds at epoch.ncsc.mil Thu Jun 17 12:36:29 2004 
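The fs_use_xattr line Russell proposes above is one entry in a table the policy has to carry for every filesystem type that gets mounted: a type with no fs_use_xattr, fs_use_task, fs_use_trans or genfscon statement has its inodes come up as unlabeled_t, which is exactly the tcontext in the mount_t denial on hdc2. The script below is an added example written for this thread, not code from the list or from the SELinux policy tree: it pulls the labeling statements out of a policy.conf, the filesystem types out of /proc/mounts, and lists the types with no statement at all. The policy excerpt and the mounts table embedded in it are constructed for the example, and its suggested fix for a missing type is the fs_use_xattr form Russell gives, which is an assumption that only holds for disk filesystems that store security xattrs; a pseudo-filesystem wants fs_use_task, fs_use_trans or genfscon instead.

```python
"""Report mounted filesystem types that the SELinux policy gives no labeling
behaviour (no fs_use_xattr/fs_use_task/fs_use_trans and no genfscon entry).

Added example for this thread; not part of the SELinux policy tree or tools.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the 2004 policy.conf syntax.  reiserfs is missing on
# purpose, mirroring the report in this thread.
SAMPLE_POLICY = """\
fs_use_xattr ext2 system_u:object_r:fs_t;
fs_use_xattr ext3 system_u:object_r:fs_t;
fs_use_xattr xfs system_u:object_r:fs_t;
fs_use_task pipefs system_u:object_r:fs_t;
fs_use_task sockfs system_u:object_r:fs_t;
fs_use_trans devpts system_u:object_r:devpts_t;
fs_use_trans tmpfs system_u:object_r:tmpfs_t;
genfscon proc / system_u:object_r:proc_t
genfscon proc /sys system_u:object_r:sysctl_t
genfscon iso9660 / system_u:object_r:iso9660_t
"""

# Constructed /proc/mounts excerpt: device, mountpoint, fstype, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/hda2 / ext3 rw 0 0
none /proc proc rw 0 0
none /sys sysfs rw 0 0
none /dev/pts devpts rw 0 0
/dev/hdc2 /mnt/disk reiserfs rw 0 0
"""

FS_USE_RE = re.compile(r"^\s*(fs_use_xattr|fs_use_task|fs_use_trans)\s+(\S+)\s+([^\s;]+)\s*;")
GENFSCON_RE = re.compile(r"^\s*genfscon\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_fs_labeling(policy_text: str) -> Dict[str, Tuple[str, str]]:
    """Map each filesystem type to (labeling statement, context it was given)."""
    labeling: Dict[str, Tuple[str, str]] = {}
    for line in policy_text.splitlines():
        m = FS_USE_RE.match(line)
        if m:
            labeling[m.group(2)] = (m.group(1), m.group(3))
            continue
        m = GENFSCON_RE.match(line)
        if m and m.group(1) not in labeling:
            # One genfscon entry is enough to know the type is labeled at all;
            # per-path contexts do not matter for this check.
            labeling[m.group(1)] = ("genfscon", m.group(3))
    return labeling


def parse_mounted_types(mounts_text: str) -> List[str]:
    """Unique filesystem types from /proc/mounts, in mount order."""
    types: List[str] = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] not in types:
            types.append(fields[2])
    return types


def unlabeled_filesystems(policy_text: str, mounts_text: str) -> List[str]:
    """Mounted types whose inodes will come up as unlabeled_t under this policy."""
    labeled = parse_fs_labeling(policy_text)
    return [t for t in parse_mounted_types(mounts_text) if t not in labeled]


def suggested_statement(fstype: str) -> str:
    """The fix Russell proposes for reiserfs, generalised to any disk filesystem
    that stores security xattrs (assumption: not right for pseudo-filesystems)."""
    return "fs_use_xattr %s system_u:object_r:fs_t;" % fstype


if __name__ == "__main__":
    for fstype in unlabeled_filesystems(SAMPLE_POLICY, SAMPLE_MOUNTS):
        print("%-10s no labeling statement; candidate: %s"
              % (fstype, suggested_statement(fstype)))
```

Against a real system, feed it `open('/etc/selinux/strict/src/policy/policy.conf').read()` and `open('/proc/mounts').read()`. Two caveats the thread itself supplies: /sys and /proc showing "(null)" in ls -Z is the missing xattr handler Stephen describes, not a policy gap, so a sysfs hit here is expected on that kernel; and for reiserfs the fs_use_xattr statement is necessary but, as Russell notes, does not by itself label the hidden xattr directory that the mount needs to search.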
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 17 Jun 2004 08:36:29 -0400 Subject: mount reiserfs (novice) In-Reply-To: <200406172129.00895.russell@coker.com.au> References: <20040617120957.2dea34f4@maxim-l.office.modum.by> <200406172129.00895.russell@coker.com.au> Message-ID: <1087475789.25033.31.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-06-17 at 07:29, Russell Coker wrote: > I've just reproduced this bug on the kernel.org 2.6.7 kernel. It seems that > there is a hidden directory on a ReiserFS file system used for XATTRs which > is unlabeled. Allowing mount to search this directory does no good as many > (most?) operations also need it (eg setfiles). > > I've CC'd the ReiserFS mailing list. I would be happy to work with ReiserFS > developers in debugging this and testing the fix. You might want to also read this thread: http://marc.theaimsgroup.com/?l=linux-kernel&m=108619875326417&w=2 Dmitry found a workaround for his immediate problem just by using the following patch to prevent deadlock when the xattr directories and files are being created: http://marc.theaimsgroup.com/?l=linux-kernel&m=108635056719373&w=2 However, I suspect that we need a new inode security hook so that filesystem implementations like reiserfs can tell security modules like SELinux that certain inodes are private to the filesystem and should not be labeled or access controlled by the security module. Something like the following patch, but we would have to work out the details of how SELinux would implement this hook function. diff -ru -X dontdiff linux-2.6.7-rc2.old/fs/reiserfs/namei.c linux-2.6.7-rc2/fs/reiserfs/namei.c --- linux-2.6.7-rc2.old/fs/reiserfs/namei.c 2004-06-01 09:09:30.000000000 -0400 +++ linux-2.6.7-rc2/fs/reiserfs/namei.c 2004-06-03 16:00:52.712349408 -0400 @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include 
@@ -351,8 +352,10 @@ } /* Propogate the priv_object flag so we know we're in the priv tree */ - if (is_reiserfs_priv_object (dir)) + if (is_reiserfs_priv_object (dir)) { REISERFS_I(inode)->i_flags |= i_priv_object; + security_inode_mark_private(inode); + } } reiserfs_write_unlock(dir->i_sb); if ( retval == IO_ERROR ) { diff -ru -X dontdiff linux-2.6.7-rc2.old/fs/reiserfs/xattr_acl.c linux-2.6.7-rc2/fs/reiserfs/xattr_acl.c --- linux-2.6.7-rc2.old/fs/reiserfs/xattr_acl.c 2004-06-01 09:09:30.000000000 -0400 +++ linux-2.6.7-rc2/fs/reiserfs/xattr_acl.c 2004-06-03 16:00:17.954633384 -0400 @@ -5,6 +5,7 @@ #include #include #include +#include #include #include #include @@ -332,6 +333,7 @@ * it introduces locking cycles */ if (is_reiserfs_priv_object (dir)) { REISERFS_I(inode)->i_flags |= i_priv_object; + security_inode_mark_private(inode); goto apply_umask; } diff -ru -X dontdiff linux-2.6.7-rc2.old/fs/reiserfs/xattr.c linux-2.6.7-rc2/fs/reiserfs/xattr.c --- linux-2.6.7-rc2.old/fs/reiserfs/xattr.c 2004-06-01 09:09:30.000000000 -0400 +++ linux-2.6.7-rc2/fs/reiserfs/xattr.c 2004-06-03 15:59:32.060610336 -0400 @@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include @@ -183,6 +184,7 @@ } /* Newly created object.. Need to mark it private */ REISERFS_I(xadir->d_inode)->i_flags |= i_priv_object; + security_inode_mark_private(xadir->d_inode); } dput (xaroot); @@ -232,6 +234,7 @@ } /* Newly created object.. Need to mark it private */ REISERFS_I(xafile->d_inode)->i_flags |= i_priv_object; + security_inode_mark_private(xafile->d_inode); } out: 
@@ -1304,6 +1307,7 @@ if (!err && dentry) { s->s_root->d_op = &xattr_lookup_poison_ops; REISERFS_I(dentry->d_inode)->i_flags |= i_priv_object; + security_inode_mark_private(dentry->d_inode); REISERFS_SB(s)->priv_root = dentry; } else if (!(mount_flags & MS_RDONLY)) { /* xattrs are unavailable */ /* If we're read-only it just means that the dir hasn't been diff -ru -X dontdiff linux-2.6.7-rc2.old/include/linux/security.h linux-2.6.7-rc2/include/linux/security.h --- linux-2.6.7-rc2.old/include/linux/security.h 2004-05-09 22:32:54.000000000 -0400 +++ linux-2.6.7-rc2/include/linux/security.h 2004-06-03 16:14:56.831023864 -0400 @@ -412,6 +412,11 @@ * associated with @dentry into @buffer. @buffer may be NULL to * request the size of the buffer required. * Returns number of bytes used/required on success. + * @inode_mark_private: + * Set up the security state of @inode to reflect the fact that the inode + * is private, i.e. used internally by the filesystem for purposes such + * as xattr storage and not accessible by userspace. This property should + * then be inherited by all nodes under this node. * * Security hooks for file operations * @@ -1108,6 +1113,7 @@ int (*inode_getsecurity)(struct dentry *dentry, const char *name, void *buffer, size_t size); int (*inode_setsecurity)(struct dentry *dentry, const char *name, const void *value, size_t size, int flags); int (*inode_listsecurity)(struct dentry *dentry, char *buffer); + void (*inode_mark_private)(struct inode *inode); int (*file_permission) (struct file * file, int mask); int (*file_alloc_security) (struct file * file); @@ -1587,6 +1593,11 @@ return security_ops->inode_listsecurity(dentry, buffer); } +static inline void security_inode_mark_private(struct inode *inode) +{ + security_ops->inode_mark_private(inode); +} + static inline int security_file_permission (struct file *file, int mask) { return security_ops->file_permission (file, mask); 
@@ -2226,6 +2237,11 @@ return 0; } +static inline void security_inode_mark_private(struct inode *inode) +{ + return; +} + static inline int security_file_permission (struct file *file, int mask) { return 0; diff -ru -X dontdiff linux-2.6.7-rc2.old/security/dummy.c linux-2.6.7-rc2/security/dummy.c --- linux-2.6.7-rc2.old/security/dummy.c 2004-06-01 09:09:31.000000000 -0400 +++ linux-2.6.7-rc2/security/dummy.c 2004-06-03 16:16:11.174721904 -0400 @@ -462,6 +462,11 @@ return 0; } +static void dummy_inode_mark_private(struct inode *inode) +{ + return; +} + static int dummy_file_permission (struct file *file, int mask) { return 0; @@ -949,6 +954,7 @@ set_to_dummy_if_null(ops, inode_getsecurity); set_to_dummy_if_null(ops, inode_setsecurity); set_to_dummy_if_null(ops, inode_listsecurity); + set_to_dummy_if_null(ops, inode_mark_private); set_to_dummy_if_null(ops, file_permission); set_to_dummy_if_null(ops, file_alloc_security); set_to_dummy_if_null(ops, file_free_security); -- Stephen Smalley National Security Agency From jhooper at tlcontact.com Thu Jun 17 14:03:12 2004 
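Review bot: in the fs/reiserfs/namei.c hunk the new security_inode_mark_private(inode) call runs while the caller still holds the superblock lock (reiserfs_write_unlock(dir->i_sb) is the next statement after the hunk). The hook's description in the security.h hunk says nothing about that context, so an implementation that sleeps or allocates there would be a latent bug; either state in the @inode_mark_private comment that the hook must not block, or move the call below the unlock.

Review bot: the fs/reiserfs/xattr.c hunks call the hook only on the two "Newly created object.. Need to mark it private" paths and on priv_root at mount time; the branches for entries that already exist are untouched. If i_priv_object for pre-existing xattr directories and files is set somewhere outside this patch, that site needs the hook as well, otherwise a filesystem that already carries an xattr tree from an earlier mount is only partially marked and the first lookup into it would still be access-controlled.

Review bot: the @inode_mark_private comment in include/linux/security.h says the private property "should then be inherited by all nodes under this node", but nothing in the hook does that; inheritance comes from reiserfs calling the hook again for every child (the namei.c and xattr_acl.c hunks). Reword it as "the filesystem calls this hook for every inode in the private subtree" so a module author does not implement inheritance a second time.

Review bot: the stubs `static inline void security_inode_mark_private(struct inode *inode) { return; }` in the second security.h hunk and dummy_inode_mark_private in security/dummy.c use a bare `return;` in a void body where an empty body is the usual form. More importantly, with security/dummy.c only supplying a no-op and no SELinux implementation in the patch ("we would have to work out the details"), set_to_dummy_if_null makes the hook a no-op under SELinux, so applying this patch alone leaves the reiserfs mount denial reported in this thread unchanged; say so in the patch description so testers do not expect the mount to start working.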
From: jhooper at tlcontact.com (Jason Hooper) Date: Thu, 17 Jun 2004 09:03:12 -0500 Subject: ntp In-Reply-To: <200406171301.18311.russell@coker.com.au> Message-ID: <200406171404.i5HE4CXn011116@mx3.redhat.com> Yeah it seems like it should just work...yet it doesn't...weird. I have two machines trying to sync ( well, three, but the third one works and is not selinux ) I get this avc on both : Machine1 : Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { write } for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t tclass=chr_file Machine2 : Jun 17 06:11:33 doh2 kernel: audit(1087470693.719:0): avc: denied { write } for pid=2335 exe=/usr/sbin/ntpdate path=/ dev=hda2 ino=5060 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t tclass=chr_file Machine2 has an ntpd.te file while machine1 does not. Does that matter in this case? I can send it if it's needed. Thanks again for the help .. -----Original Message----- 
From: Russell Coker [mailto:russell at coker.com.au] Sent: Wednesday, June 16, 2004 10:01 PM To: fedora-selinux-list at redhat.com Cc: Jason Hooper Subject: Re: ntp On Thu, 17 Jun 2004 04:51, "Jason Hooper" wrote: > could someone point me in the direction of getting ntp to work with selinux > on fedora C2? does anyone have experience with this? is it supposed to > just work with the default file_contexts? any help is > appreciated...thanks For the typical operation (synchronising from a master server somewhere on the net) it is supposed to just work, it does for me. I have a rawhide machine running the strict SE Linux policy synchronising with an NTP server right now, and I don't believe that FC2 differs from the current rawhide in any significant way related to NTP. Does ntpd support directly interfacing with GPS hardware or other accurate time sources? If so some extra policy will be needed to support this. If you see any AVC messages related to ntpd then please post them to this list. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From david.balazic at hermes.si Thu Jun 17 14:06:07 2004 From: david.balazic at hermes.si (David Balazic) Date: Thu, 17 Jun 2004 16:06:07 +0200 Subject: ntp Message-ID: <600B91D5E4B8D211A58C00902724252C01BC06E8@piramida.hermes.si> What if you set your system to permissive mode and see what is ntpdate trying to do ? > ---------- 
> From: > fedora-selinux-list-bounces at redhat.com[SMTP:fedora-selinux-list-bounces at re > dhat.com] on behalf of Jason Hooper[SMTP:jhooper at tlcontact.com] > Reply To: Fedora SELinux support list for users & developers. > Sent: 17. junij 2004 16:03 > To: fedora-selinux-list at redhat.com > Subject: RE: ntp > > Yeah it seems like it should just work...yet it doesn't...wierd. I have > two machines trying to sync ( well, three, but the third one works and is > not selinux ) > > I get this avc on both : > > Machine1 : > > Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { > write > } for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367 > scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t > tclass=chr_file > > Machine2 : > > Jun 17 06:11:33 doh2 kernel: audit(1087470693.719:0): avc: denied { > write > } for pid=2335 exe=/usr/sbin/ntpdate path=/ dev=hda2 ino=5060 > scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t > tclass=chr_file > > Machine2 has an ntpd.te file while machine1 does not. Does that matter > in > this case? I can send it if its needed. > > Thanks again for the help > > .. > > > -----Original Message----- 
> From: Russell Coker [mailto:russell at coker.com.au] > Sent: Wednesday, June 16, 2004 10:01 PM > To: fedora-selinux-list at redhat.com > Cc: Jason Hooper > Subject: Re: ntp > > On Thu, 17 Jun 2004 04:51, "Jason Hooper" wrote: > > could someone point me in the direction of getting ntp to work with > selinux > > on fedora C2? does anyone have experience with this? is it supposed > to > > just work with the default file_contexts? any help is > > appreciated...thanks > > For the typical operation (synchronising from a master server somewhere on > the > net) it is supposed to just work, it does for me. I have a rawhide > machine > running the strict SE Linux policy synchronising with an NTP server right > now, and I don't believe that FC2 differs from the current rawhide in any > significant way related to NTP. > > Does ntpd support directly interfacing with GPS hardware or other accurate > time sources? If so some extra policy will be needed to support this. > > If you see any AVC messages related to ntpd then please post them to this > list. > > -- > http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages > http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark > http://www.coker.com.au/postal/ Postal SMTP/POP benchmark > http://www.coker.com.au/~russell/ My home page > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > From sds at epoch.ncsc.mil Thu Jun 17 14:09:33 2004 
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 17 Jun 2004 10:09:33 -0400 Subject: ntp In-Reply-To: <200406171404.i5HE4CXn011116@mx3.redhat.com> References: <200406171404.i5HE4CXn011116@mx3.redhat.com> Message-ID: <1087481373.25033.59.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-06-17 at 10:03, Jason Hooper wrote: > Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { write > } for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367 > scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t > tclass=chr_file Mismatch between your kernel and policy. RedHat released a kernel update for FC2 without updating the policy accordingly. If you update to selinux-policy-strict in the devel tree, you should be ok. But note that this also requires updating SysVinit, libselinux, and possibly other components as the policy layout has changed completely in the devel tree. -- Stephen Smalley National Security Agency From david.balazic at hermes.si Thu Jun 17 14:12:55 2004 From: david.balazic at hermes.si (David Balazic) Date: Thu, 17 Jun 2004 16:12:55 +0200 Subject: ntp Message-ID: <600B91D5E4B8D211A58C00902724252C01BC06E9@piramida.hermes.si> 
> From: > fedora-selinux-list-bounces at redhat.com[SMTP:fedora-selinux-list-bounces at re > dhat.com] on behalf of Stephen Smalley[SMTP:sds at epoch.ncsc.mil] > > On Thu, 2004-06-17 at 10:03, Jason Hooper wrote: > > Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { > write > > } for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367 > > scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t > > tclass=chr_file > > Mismatch between your kernel and policy. RedHat released a kernel > update for FC2 without updating the policy accordingly. If you update > to selinux-policy-strict in the devel tree, you should be ok. But note > that this also requires updating SysVinit, libselinux, and possibly > other components as the policy layout has changed completely in the > devel tree. > > First, is SELinux supposed to work in Fedora Core 2 or is it in beta(alpha) > phase ? It is supposed to work. Khm, khm ... it is alpha/beta after all, isn't it ? > -- > Stephen Smalley > National Security Agency > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > From sds at epoch.ncsc.mil Thu Jun 17 14:45:02 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Thu, 17 Jun 2004 10:45:02 -0400 Subject: ntp In-Reply-To: <600B91D5E4B8D211A58C00902724252C01BC06E9@piramida.hermes.si> References: <600B91D5E4B8D211A58C00902724252C01BC06E9@piramida.hermes.si> Message-ID: <1087483502.25033.75.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2004-06-17 at 10:12, David Balazic wrote: > Khm, khm ... it is alpha/beta after all, isn't it ? Shrug. If you want to be conservative, you can just patch your policy to include the devnull initial SID rather than trying to update to rawhide. -- Stephen Smalley National Security Agency From david.balazic at hermes.si Thu Jun 17 14:48:49 2004 
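Three denials in this thread got three different explanations: the crond_t one on run-parts and mrtg was a daemon that never set its exec context before running a job, the mount_t one on reiserfs was an unlabeled object, and the ntpd_t one on a chr_file with path=/ was a policy that lacks the devnull initial SID the newer FC2 kernel uses. The script below is an added example in Python, not a tool from the thread or from the SELinux distribution: it parses AVC lines in the 2.6-era syslog format quoted throughout and turns those three explanations into matching rules. The sample lines are the thread's three denials plus one constructed granted line; the rules are assumptions about how far each explanation generalises, so a hit is a starting point for reading the policy, not a verdict.

```python
"""Parse the 2.6-era AVC lines quoted in this thread and attach the kind of
diagnosis the replies gave.  Added example, not an SELinux tool; the three
rules in diagnose() are the explanations from the thread turned into
heuristics and are assumptions about how far those explanations generalise.
"""
import re
from typing import List, Optional

AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)

# Shells a daemon uses to run jobs; a denial whose exe is one of these, in the
# daemon's own domain, suggests the job never left that domain.
JOB_SHELLS = {"/bin/bash", "/bin/sh"}

# Constructed sample: the three denials reported in this thread plus one
# made-up granted line to show that non-denials are skipped.
SAMPLE_LOG = """\
Jun 16 15:54:42 hoho2 kernel: audit(1087423260.368:0): avc: denied { getattr } for pid=4135 exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
Jun 17 12:09:57 maxim-l kernel: audit(1087473997.967:0): avc: denied { search } for pid=2885 exe=/bin/mount dev=hdc2 ino=2 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Jun 17 06:11:33 doh2 kernel: audit(1087470693.719:0): avc: denied { write } for pid=2335 exe=/usr/sbin/ntpdate path=/ dev=hda2 ino=5060 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t tclass=chr_file
Jun 17 06:11:34 doh2 kernel: audit(1087470694.100:0): avc: granted { read } for pid=2336 exe=/usr/sbin/ntpd path=/etc/ntp.conf dev=hda2 ino=1234 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=file
"""


def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of one AVC line as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: dict = {"ts": m.group("ts"), "serial": int(m.group("serial")),
                 "result": m.group("result"), "perms": m.group("perms").split()}
    # The remaining fields are key=value tokens; values in this format carry
    # no spaces (paths with spaces would need the quoted form of later kernels).
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]  # user:role:type
    return rec


def diagnose(rec: dict) -> Optional[str]:
    """Match a denial against the three explanations given in this thread."""
    if rec["result"] != "denied":
        return None
    perms = set(rec["perms"])
    ttype = rec.get("tcontext_type", "")
    if ttype == "unlabeled_t":
        return ("object on dev=%s is unlabeled: the filesystem type has no "
                "fs_use_*/genfscon statement, or the tree was never relabeled"
                % rec.get("dev", "?"))
    if rec.get("tclass") == "chr_file" and rec.get("path") == "/" and "write" in perms:
        return ("write to a kernel-private chr_file with no path: the policy "
                "lacks an initial SID the running kernel uses (devnull case), "
                "i.e. kernel newer than policy")
    if (rec.get("tclass") == "file" and rec.get("exe") in JOB_SHELLS
            and perms <= {"getattr", "read", "execute", "execute_no_trans"}
            and (ttype == "bin_t" or ttype.endswith("_exec_t"))):
        return ("%s is running a job through %s without leaving its own domain: "
                "the daemon failed to set its exec context before the job"
                % (rec["scontext_type"], rec["exe"]))
    return None


def summarize(log_text: str) -> List[dict]:
    """All denials in the log, each with a diagnosis or a note that none matched."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        rec["diagnosis"] = diagnose(rec) or (
            "no rule matched; read the %s policy for %s"
            % (rec["scontext_type"], rec.get("tclass", "?")))
        rows.append(rec)
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("%s -> %s %s {%s}: %s" % (row["scontext_type"], row.get("tclass"),
              row["tcontext_type"], " ".join(row["perms"]), row["diagnosis"]))
```

Feed it /var/log/messages or dmesg output; a denial that matches none of the rules is listed with its source type so you know which .te file to read next. As David suggests above, collecting the lines in permissive mode shows every denial one run of ntpdate would hit, rather than only the first one that stops it.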
From: david.balazic at hermes.si (David Balazic) Date: Thu, 17 Jun 2004 16:48:49 +0200 Subject: ntp Message-ID: <600B91D5E4B8D211A58C00902724252C01BC06EA@piramida.hermes.si> Look, I would love to take part in the polishing of SELinux on Fedora, but I have no time at all for that, really. I will turn SELinux off on my system. Actually it's a question if I will use FC2 at all. I have very little time for FC and even that is then used for bug hunting/reporting and not actual "using"... Regards, DB > ---------- > From: > fedora-selinux-list-bounces at redhat.com[SMTP:fedora-selinux-list-bounces at re > dhat.com] on behalf of Stephen Smalley[SMTP:sds at epoch.ncsc.mil] > Reply To: Fedora SELinux support list for users & developers. > Sent: 17. junij 2004 16:45 > To: Fedora SELinux support list for users & developers. > Subject: RE: ntp > > On Thu, 2004-06-17 at 10:12, David Balazic wrote: > > Khm, khm ... it is alpha/beta after all, isn't it ? > > Shrug. If you want to be conservative, you can just patch your policy > to include the devnull initial SID rather than trying to update to > rawhide. > > -- > Stephen Smalley > National Security Agency > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list > From jhooper at tlcontact.com Thu Jun 17 14:54:42 2004 
From: jhooper at tlcontact.com (Jason Hooper)
Date: Thu, 17 Jun 2004 09:54:42 -0500
Subject: ntp
In-Reply-To: <1087483502.25033.75.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200406171455.i5HEtge1004178@mx1.redhat.com>

That all seems like a lot of work. Also, who's to say they won't update the kernel again the same way and I'm back on the list 6 mo from now. And it seems to work in permissive mode, but that's not SELinux exactly, is it...

# ntpdate -q ntp-2.cso.uiuc.edu
Looking for host ntp-2.cso.uiuc.edu and service ntp
host found : ntp-2.gw.uiuc.edu
server 130.126.24.44, stratum 2, offset -46708.392381, delay 0.04820
17 Jun 22:51:14 ntpdate[1431]: step time server 130.126.24.44 offset -46708.392381 sec
..

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Stephen Smalley
Sent: Thursday, June 17, 2004 9:45 AM
To: Fedora SELinux support list for users & developers.
Subject: RE: ntp

On Thu, 2004-06-17 at 10:12, David Balazic wrote:
> Khm, khm ... it is alpha/beta after all, isn't it ?

Shrug. If you want to be conservative, you can just patch your policy to include the devnull initial SID rather than trying to update to rawhide.

-- 
Stephen Smalley
National Security Agency

From francis.shim at sympatico.ca Thu Jun 17 11:43:02 2004
From: francis.shim at sympatico.ca (Francis K Shim) Date: Thu, 17 Jun 2004 07:43:02 -0400 Subject: Mozilla accessing java engine yield denials Message-ID: <1087472582.2260.8.camel@sol800.cawthra.com> Edited to show relevant details more clearly: denied { execute } exe=/bin/bash name=java scontext=user:staff_r:staff_mozilla_t tcontext=system_u:object_r:usr_t tclass=file denied { execute_no_trans } exe=/bin/bash path=/usr/java/j2re1.4.2_01/bin/java scontext=user:staff_r:staff_mozilla_t tcontext=system_u:object_r:usr_t tclass=file denied { search } exe=/usr/java/j2re1.4.2_01/bin/java name=vm scontext=user:staff_r:staff_mozilla_t tcontext=system_u:object_r:sysctl_vm_t tclass=dir -- Francis K Shim From francis.shim at sympatico.ca Thu Jun 17 12:08:53 2004 
From: francis.shim at sympatico.ca (Francis K Shim) Date: Thu, 17 Jun 2004 08:08:53 -0400 Subject: X-user xauthed to execute a "root"/system level configuration helper yield denials Message-ID: <1087474133.2260.35.camel@sol800.cawthra.com> Edited to make relevant details clear: execute_no_trans exe=/usr/sbin/userhelper path=/usr/X11R6/bin/xauth scontext=user:staff_r:staff_userhelper_t tcontext=system_u:object_r:xauth_exec_t tclass=file write exe=/usr/X11R6/bin/xauth name=user scontext=user:staff_r:staff_userhelper_t tcontext=user:object_r:staff_home_dir_t tclass=dir add_name exe=/usr/X11R6/bin/xauth name=.Xauthority-c scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=dir create exe=/usr/X11R6/bin/xauth name=.Xauthority-c scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file link exe=/usr/X11R6/bin/xauth name=.Xauthority-c scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file write exe=/usr/X11R6/bin/xauth name=.Xauthority scontext=USER:staff_r:staff_userhelper_t tcontext=system_u:object_r:staff_home_xauth_t tclass=file remove_name exe=/usr/X11R6/bin/xauth name=.Xauthority-c scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=dir unlink exe=/usr/X11R6/bin/xauth name=.Xauthority-c scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file setattr exe=/usr/sbin/userhelper name=.xauthxxxxx scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file write exe=/usr/X11R6/bin/xauth path=.xauthxxxxx scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file read exe=/usr/X11R6/bin/xauth name=.xauthxxxxx scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file getattr exe=/usr/X11R6/bin/xauth path=/home/USER/.xauthgxxxxx scontext=USER:staff_r:staff_userhelper_t 
tcontext=USER:object_r:staff_home_dir_t tclass=file execute_no_trans exe=/usr/sbin/userhelper path=/usr/X11R6/bin/xauth scontext=USER:staff_r:staff_userhelper_t tcontext=system_u:object_r:xauth_exec_t tclass=file write exe=/usr/X11R6/bin/xauth name=.Xauthority scontext=USER:staff_r:staff_userhelper_t tcontext=system_u:object_r:staff_home_xauth_t tclass=file read exe=/sbin/iptables path=/var/run/sudo/USER/unknown scontext=USER:system_r:iptables_t tcontext=USER:object_r:pam_var_run_t tclass=file read exe=/sbin/hwclock path=/var/run/sudo/USER/unknown scontext=USER:system_r:hwclock_t tcontext=USER:object_r:pam_var_run_t tclass=file execute_no_trans exe=/usr/sbin/userhelper path=/usr/X11R6/bin/xauth scontext=USER:staff_r:staff_userhelper_t tcontext=system_u:object_r:xauth_exec_t tclass=file write exe=/usr/X11R6/bin/xauth name=.Xauthority scontext=USER:staff_r:staff_userhelper_t tcontext=system_u:object_r:staff_home_xauth_t tclass=file read exe=/sbin/iptables path=/var/run/sudo/USER/unknown scontext=USER:system_r:iptables_t tcontext=USER:object_r:pam_var_run_t tclass=file read exe=/usr/sbin/ntpdate path=/var/run/sudo/USER/unknown scontext=USER:system_r:ntpd_t tcontext=USER:object_r:pam_var_run_t tclass=file read exe=/sbin/hwclock path=/var/run/sudo/USER/unknown scontext=USER:system_r:hwclock_t tcontext=USER:object_r:pam_var_run_t tclass=file write exe=/usr/sbin/userhelper name=USER scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=dir remove_name exe/usr/sbin/userhelper name=.xauthxxxxx scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=dir unlink exe=/usr/sbin/userhelper name=.xauthxxxxx scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file -- Francis K Shim From russell at coker.com.au Fri Jun 18 04:27:17 2004 
From: russell at coker.com.au (Russell Coker)
Date: Fri, 18 Jun 2004 14:27:17 +1000
Subject: ntp
In-Reply-To: <200406171404.i5HE4CXn011116@mx3.redhat.com>
References: <200406171404.i5HE4CXn011116@mx3.redhat.com>
Message-ID: <200406181427.17890.russell@coker.com.au>

On Fri, 18 Jun 2004 00:03, "Jason Hooper" wrote:
> Yeah it seems like it should just work...yet it doesn't...weird. I have
> two machines trying to sync ( well, three, but the third one works and is
> not selinux )
>
> I get this avc on both :
>
> Machine1 :
>
> Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { write
> } for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367
> scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t
> tclass=chr_file
>
> Machine2 has an ntpd.te file while machine1 does not. Does that matter in
> this case? I can send it if it's needed.

To be pedantic, you would not have a domain of "ntpd_t" unless there was ntpd.te installed. Machine1 may have installed a binary policy, or the source policy may have been changed, but ntpd.te was certainly used.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Fri Jun 18 04:35:48 2004
From: russell at coker.com.au (Russell Coker) Date: Fri, 18 Jun 2004 14:35:48 +1000 Subject: X-user xauthed to execute a "root"/system level configuration helper yield denials In-Reply-To: <1087474133.2260.35.camel@sol800.cawthra.com> References: <1087474133.2260.35.camel@sol800.cawthra.com> Message-ID: <200406181435.48683.russell@coker.com.au> On Thu, 17 Jun 2004 22:08, Francis K Shim wrote: > Edited to make relevant details clear: > > execute_no_trans > exe=/usr/sbin/userhelper > path=/usr/X11R6/bin/xauth > scontext=user:staff_r:staff_userhelper_t > tcontext=system_u:object_r:xauth_exec_t > tclass=file In macros/program/userhelper_macros.te at (or near) line 133 there is the following: domain_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t) That expands to: domain_auto_trans(staff_userhelper_t, xauth_exec_t, staff_xauth_t) It's strange that you aren't seeing it automatically run in staff_xauth_t. What version of the policy are you using? > read > exe=/sbin/iptables > path=/var/run/sudo/USER/unknown > scontext=USER:system_r:iptables_t > tcontext=USER:object_r:pam_var_run_t > tclass=file > read > exe=/usr/sbin/ntpdate > path=/var/run/sudo/USER/unknown > scontext=USER:system_r:ntpd_t > tcontext=USER:object_r:pam_var_run_t > tclass=file > read > exe=/sbin/hwclock > path=/var/run/sudo/USER/unknown > scontext=USER:system_r:hwclock_t > tcontext=USER:object_r:pam_var_run_t > tclass=file For these, I guess that the file handle is inherited from userhelper. The code which opens /var/run/sudo/USER/unknown should either set it as close-on-exec or explicitly close it before a child is executed. 
> write > exe=/usr/sbin/userhelper > name=USER > scontext=USER:staff_r:staff_userhelper_t > tcontext=USER:object_r:staff_home_dir_t > tclass=dir > remove_name > exe/usr/sbin/userhelper > name=.xauthxxxxx > scontext=USER:staff_r:staff_userhelper_t > tcontext=USER:object_r:staff_home_dir_t > tclass=dir > unlink > exe=/usr/sbin/userhelper > name=.xauthxxxxx > scontext=USER:staff_r:staff_userhelper_t > tcontext=USER:object_r:staff_home_dir_t > tclass=file What's this about? -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From iyigunler at itu.edu.tr Fri Jun 18 12:42:54 2004 From: iyigunler at itu.edu.tr (Ismail Iyigunler) Date: Fri, 18 Jun 2004 15:42:54 +0300 Subject: organizing the audit messages Message-ID: <1087562574.40d2e34e0c738@webmail.students.itu.edu.tr> Hi Can we compose the audit messages for building a simple database to find which user with which security context, executed which command and when he/she did this ? How can we build this ? Thanks! ------------------------------------------------- This mail sent through IMP: http://webmail.students.itu.edu.tr From francis.shim at sympatico.ca Fri Jun 18 11:38:15 2004 
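Added example, not taken from any message in this thread. Russell Coker's remark above about the /var/run/sudo/USER/unknown handle describes a general mechanism: a descriptor a privileged helper leaves open without FD_CLOEXEC survives execve(), so every child it starts (here iptables, ntpdate and hwclock, each in its own domain) holds a reference to a file its domain was never meant to touch, and the AVC denials are SELinux reporting exactly that. The Python 3 script below demonstrates it on a scratch temporary file, which is a stand-in chosen for this example rather than the real sudo state file: it opens the file, either leaves the descriptor inheritable or marks it close-on-exec, execs a child, and asks the child whether it can still fstat() that descriptor. It also shows the fcntl(F_GETFD) check one would run to audit a live helper's descriptors. Nothing here is code from userhelper, sudo or pam; it assumes Python 3 on Linux or another POSIX system.

```python
"""Demonstrate descriptor inheritance across exec, and the FD_CLOEXEC fix.

Added example for this thread; assumes Python 3 on Linux (or any POSIX system).
The temporary file stands in for a helper's state file such as
/var/run/sudo/USER/unknown; no real sudo or userhelper code is involved.
"""
import fcntl
import os
import subprocess
import sys
import tempfile

# Probe run in the child: report whether the numbered descriptor it was told
# about still refers to the parent's file (matched by inode), was reused by
# the interpreter for something else, or was closed by the kernel at exec
# time (fstat fails with EBADF).
CHILD_PROBE = (
    "import os, sys\n"
    "fd, ino = int(sys.argv[1]), int(sys.argv[2])\n"
    "try:\n"
    "    print('open' if os.fstat(fd).st_ino == ino else 'other')\n"
    "except OSError:\n"
    "    print('closed')\n"
)


def has_cloexec(fd: int) -> bool:
    """The check an auditor would run on a live process's descriptors
    (the same bit /proc/PID/fdinfo/N reports in its 'flags' line)."""
    return bool(fcntl.fcntl(fd, fcntl.F_GETFD) & fcntl.FD_CLOEXEC)


def fd_visible_in_child(cloexec: bool) -> bool:
    """Open a scratch file, optionally mark it close-on-exec, exec a child
    and return True if the child could still use the descriptor."""
    with tempfile.NamedTemporaryFile() as scratch:
        fd = os.open(scratch.name, os.O_RDONLY)
        try:
            # Python >= 3.4 opens descriptors with FD_CLOEXEC already set;
            # set the flag explicitly so both outcomes are visible here.
            os.set_inheritable(fd, not cloexec)
            assert has_cloexec(fd) == cloexec
            ino = os.fstat(fd).st_ino
            proc = subprocess.run(
                [sys.executable, "-c", CHILD_PROBE, str(fd), str(ino)],
                # Do not let subprocess close descriptors for us: the point
                # is to see what the kernel does at execve() on its own.
                close_fds=False,
                capture_output=True, text=True, check=True,
            )
        finally:
            os.close(fd)
    return proc.stdout.strip() == "open"


if __name__ == "__main__":
    print("inheritable fd visible in child:", fd_visible_in_child(cloexec=False))
    print("FD_CLOEXEC fd visible in child: ", fd_visible_in_child(cloexec=True))
```

The first call prints True and the second False: with the flag set, the descriptor is gone before the child's first instruction runs, which is the fix Russell describes (the alternative, closing it explicitly before exec, leaves a window if the helper ever gains another exec path). In C the equivalent is open(..., O_CLOEXEC) or fcntl(fd, F_SETFD, FD_CLOEXEC).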
From: francis.shim at sympatico.ca (Francis K Shim) Date: Fri, 18 Jun 2004 07:38:15 -0400 Subject: X-user xauthed to execute a "root"/system level configuration helper yield denials In-Reply-To: <200406181435.48683.russell@coker.com.au> References: <1087474133.2260.35.camel@sol800.cawthra.com> <200406181435.48683.russell@coker.com.au> Message-ID: <1087558695.2648.14.camel@sol800.cawthra.com> On Fri, 2004-06-18 at 00:35, Russell Coker wrote: > On Thu, 17 Jun 2004 22:08, Francis K Shim wrote: > > Edited to make relevant details clear: > > > > execute_no_trans > > exe=/usr/sbin/userhelper > > path=/usr/X11R6/bin/xauth > > scontext=user:staff_r:staff_userhelper_t > > tcontext=system_u:object_r:xauth_exec_t > > tclass=file > > In macros/program/userhelper_macros.te at (or near) line 133 there is the > following: > domain_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t) > > That expands to: > domain_auto_trans(staff_userhelper_t, xauth_exec_t, staff_xauth_t) > > It's strange that you aren't seeing it automatically run in staff_xauth_t. > What version of the policy are you using? 
I checked the userhelper_macros.te file and what I have is the following: ifdef(`xauth.te', ` domain_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t) allow $1_userhelper_t $1_home_xauth_t:file { getattr read }; ') The versions of the packages are as follows: policy-sources-1.11.3-3 checkpolicy-1.10-1 policy-1.11.3-3 policycoreutils-1.11-2 libselinux-1.11.4-1 > > read > > exe=/sbin/iptables > > path=/var/run/sudo/USER/unknown > > scontext=USER:system_r:iptables_t > > tcontext=USER:object_r:pam_var_run_t > > tclass=file > > read > > exe=/usr/sbin/ntpdate > > path=/var/run/sudo/USER/unknown > > scontext=USER:system_r:ntpd_t > > tcontext=USER:object_r:pam_var_run_t > > tclass=file > > read > > exe=/sbin/hwclock > > path=/var/run/sudo/USER/unknown > > scontext=USER:system_r:hwclock_t > > tcontext=USER:object_r:pam_var_run_t > > tclass=file > > For these, I guess that the file handle is inherited from userhelper. The > code which opens /var/run/sudo/USER/unknown should either set it as > close-on-exec or explicitly close it before a child is executed. Okay. I am using the GNOME desktop manager and session manager so my guess would be that it would be the gnome userhelper application. > > > write > > exe=/usr/sbin/userhelper > > name=USER > > scontext=USER:staff_r:staff_userhelper_t > > tcontext=USER:object_r:staff_home_dir_t > > tclass=dir > > remove_name > > exe/usr/sbin/userhelper > > name=.xauthxxxxx > > scontext=USER:staff_r:staff_userhelper_t > > tcontext=USER:object_r:staff_home_dir_t > > tclass=dir > > unlink > > exe=/usr/sbin/userhelper > > name=.xauthxxxxx > > scontext=USER:staff_r:staff_userhelper_t > > tcontext=USER:object_r:staff_home_dir_t > > tclass=file > > What's this about? I am not sure; however, I do remember restarting the userhelper application and noticing that I was not being prompted for the root password the second time around!!!... however, the third restart and on, it seemed to prompt for the password. Puzzling. 
It might have to do with a timing of the close of the child process from above. -- Francis K Shim From don.patterson at tresys.com Fri Jun 18 16:02:32 2004 From: don.patterson at tresys.com (Don Patterson) Date: Fri, 18 Jun 2004 12:02:32 -0400 Subject: organizing the audit messages In-Reply-To: <1087562574.40d2e34e0c738@webmail.students.itu.edu.tr> Message-ID: It sounds like you may be able to use the seaudit tool that comes with the setools package. Here is a brief overview of the tool: SeAudit is an audit log analysis tool for Security Enhanced Linux (SE Linux) audit messages. The tool parses a given syslog and extracts all load policy messages, AVC messages and change of boolean messages from conditional policies. SeAudit also provides real-time log monitoring. The tool has three main functions: 1) Browse and sort SE Linux audit messages. 2) Filter an audit log based on fields in the messages. 3) Query the policy based on data from a given audit message. You can also use globbing expressions to construct more flexible search filters. Check it out (http://www.tresys.com/selinux/selinux_policy_tools.html) and see if it meets your goals. We would welcome any feedback based upon your experience with our tool(s). Thank you. -Don -----Original Message----- 
From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Ismail Iyigunler Sent: Friday, June 18, 2004 7:43 AM To: fedora-selinux-list at redhat.com Subject: organizing the audit messages Hi Can we compose the audit messages for building a simple database to find which user with which security context, executed which command and when he/she did this ? How can we build this ? Thanks! ------------------------------------------------- This mail sent through IMP: http://webmail.students.itu.edu.tr -- fedora-selinux-list mailing list fedora-selinux-list at redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list From selinux at comcast.net Fri Jun 18 19:00:44 2004 
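Added example, not from Ismail's or Don's messages. seaudit is the graphical route, but the question as asked (which user, in which security context, ran which command, and when) is also answered by parsing the kernel's avc: lines into a small SQLite table, which is what the Python 3 script below does for the 2004-era syslog format quoted throughout this thread. The SAMPLE_LOG lines are constructed for the example, modelled on the ntpdate and mozilla denials posted here, and are not real logs; the table and query names are this example's own. One detail worth knowing when correlating: the audit(epoch.ms:serial) stamp is the kernel's clock, so the ntpdate line converts to January 2003 because that machine's clock still read January 2003 when the denial was logged. The parser handles only the avc: denied/granted format shown here, not the later audit-daemon type=AVC records.

```python
"""Parse kernel AVC messages out of syslog and load them into SQLite.

Added example for this thread; handles the 2004-era
'audit(epoch.ms:serial): avc: denied { perms } for key=value ...' format
quoted in these messages, not the later auditd type=AVC records.
"""
import re
import sqlite3
from datetime import datetime, timezone
from typing import Iterable, Optional

# Constructed sample input, modelled on the denials posted in this thread;
# the non-AVC 'security:' line shows that unrelated kernel output is skipped.
SAMPLE_LOG = """\
Jan  3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc:  denied  { write } for  pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t tclass=chr_file
Jun 20 20:31:30 new2 kernel: security:  5 users, 7 roles, 1248 types, 1 bools
Jun 20 20:31:30 new2 kernel: audit(1087777890.697:0): avc:  denied  { write } for  pid=3471 exe=/usr/lib/mozilla-1.6/mozilla-xremote-client name=X0 dev=hda2 ino=1840568 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file
Jun 20 20:31:34 new2 kernel: audit(1087777894.263:0): avc:  denied  { unlink } for  pid=3457 exe=/usr/lib/mozilla-1.6/mozilla-bin name=.fonts.cache-1 dev=hda2 ino=1091707 scontext=richard:staff_r:staff_mozilla_t tcontext=richard:object_r:staff_home_t tclass=file
"""

AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+)\.\d+:\d+\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

COLUMNS = ("ts", "epoch", "result", "perms", "pid", "exe",
           "seuser", "serole", "setype", "target", "tcontext", "tclass")


def parse_avc(line: str) -> Optional[dict]:
    """Return one record for an AVC line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    # scontext is user:role:type; split at most twice so a trailing MLS
    # range, if a newer policy adds one, stays attached to the type field.
    parts = fields.get("scontext", "").split(":", 2)
    seuser, serole, setype = (parts + ["", "", ""])[:3]
    epoch = int(m.group("epoch"))
    return {
        "ts": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
        "epoch": epoch,
        "result": m.group("result"),
        "perms": m.group("perms"),
        "pid": int(fields.get("pid", 0)),
        "exe": fields.get("exe", ""),
        "seuser": seuser, "serole": serole, "setype": setype,
        # The kernel reports either a full path or just the last component.
        "target": fields.get("path") or fields.get("name", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass", ""),
    }


def load_db(lines: Iterable[str]) -> sqlite3.Connection:
    """Build an in-memory table; pass a file path to sqlite3.connect to keep history."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE avc (%s)" % ", ".join(COLUMNS))
    rows = [rec for rec in map(parse_avc, lines) if rec is not None]
    db.executemany(
        "INSERT INTO avc VALUES (%s)" % ", ".join(":" + c for c in COLUMNS), rows)
    db.commit()
    return db


def who_ran_what(db: sqlite3.Connection) -> list:
    """The question from the list: which user, in which context, ran which
    command, when, and what it was refused."""
    return db.execute(
        "SELECT ts, seuser, serole, setype, exe, result, perms, tclass, target "
        "FROM avc ORDER BY epoch").fetchall()


def denials_by_domain(db: sqlite3.Connection) -> dict:
    """Triage view: which source domains are generating denials."""
    return dict(db.execute(
        "SELECT setype, COUNT(*) FROM avc WHERE result = 'denied' "
        "GROUP BY setype").fetchall())


if __name__ == "__main__":
    db = load_db(SAMPLE_LOG.splitlines())
    for row in who_ran_what(db):
        print(row)
    print(denials_by_domain(db))
```

Feed it `/var/log/messages` (or `dmesg` output) line by line instead of SAMPLE_LOG to build the database Ismail asked about; the scontext columns give the user, role and domain, exe and pid give the command, and ts gives the kernel's time of the event. Note that the AVC message records what the kernel denied or audited, not a full command history: a domain that never trips a rule leaves no record here.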
From: selinux at comcast.net (Tom London) Date: Fri, 18 Jun 2004 12:00:44 -0700 Subject: up2date/seaudit/... not working (EXPLAINED) Message-ID: <40D33BDC.4090807@comcast.net> Running off of the development tree, I couldn't get graphical apps (like up2date, seaudit, ...) working when su'ed as root. All of this works fine on a 'stock FC2' machine (running off of the base and released-updates trees). The problem seems to be that the latest packages cause 'su' to change the settings of XAUTHORITY environment variable from 'XAUTHORITY=/home/USER/.Xauthority' to 'XAUTHORITY=/root/.xauthABCD' (ABCD the usual 'uniqueness' stuff). If you manually reset XAUTHORITY back to '/home/USER/.Xauthority', the apps work again. Here's a bit of added strangeness: if you start 'xauth' in another user window and then try 'su -l', XAUTHORITY is not changed in the root shell. No AVCs against /root/.authABCD either.... [On the 'stock FC2' machine, XAUTHORITY is not modified by su.] I've bugzilla'ed this (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126300) against coreutils, but I'm not sure that is the right place (e.g., pam?). (All my systems run with SELinux enabled, so I can only assume this is occurring on SELinux-disabled systems as well.) Can someone explain why 'su' would be changing XAUTHORITY ? thanks, tom From sds at epoch.ncsc.mil Fri Jun 18 20:24:18 2004 
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Fri, 18 Jun 2004 16:24:18 -0400 Subject: up2date/seaudit/... not working (EXPLAINED) In-Reply-To: <40D33BDC.4090807@comcast.net> References: <40D33BDC.4090807@comcast.net> Message-ID: <1087590258.27697.201.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2004-06-18 at 15:00, Tom London wrote: > Running off of the development tree, I couldn't get graphical apps (like > up2date, seaudit, ...) working when su'ed as root. All of this works > fine on a 'stock FC2' machine (running off > of the base and released-updates trees). Try moving the 'pam_selinux.so open multiple' line before the 'pam_xauth.so' line in /etc/pam.d/su. Dan, this is necessary under the current policy to get xauth to run with the right permissions for the new domain. -- Stephen Smalley National Security Agency From nalin at redhat.com Fri Jun 18 20:28:15 2004 
From: nalin at redhat.com (Nalin Dahyabhai) Date: Fri, 18 Jun 2004 16:28:15 -0400 Subject: up2date/seaudit/... not working (EXPLAINED) In-Reply-To: <40D33BDC.4090807@comcast.net> References: <40D33BDC.4090807@comcast.net> Message-ID: <20040618202815.GB22872@redhat.com> On Fri, Jun 18, 2004 at 12:00:44PM -0700, Tom London wrote: > Running off of the development tree, I couldn't get graphical apps (like > up2date, seaudit, ...) working when su'ed as root. All of this works > fine on a 'stock FC2' machine (running off > of the base and released-updates trees). > > The problem seems to be that the latest packages cause 'su' to change > the settings of XAUTHORITY environment variable from > 'XAUTHORITY=/home/USER/.Xauthority' to > 'XAUTHORITY=/root/.xauthABCD' (ABCD the usual 'uniqueness' stuff). > > If you manually reset XAUTHORITY back to '/home/USER/.Xauthority', the > apps work > again. > > Here's a bit of added strangeness: if you start 'xauth' in another user > window and then > try 'su -l', XAUTHORITY is not changed in the root shell. No AVCs against > /root/.authABCD either.... > > [On the 'stock FC2' machine, XAUTHORITY is not modified by su.] > > I've bugzilla'ed this > (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126300) > against coreutils, but I'm not sure that is the right place (e.g., > pam?). (All my systems > run with SELinux enabled, so I can only assume this is occurring on > SELinux-disabled > systems as well.) > > Can someone explain why 'su' would be changing XAUTHORITY ? The pam_xauth module reads the cookie for the current display for the invoking user and creates a temporary cookie file containing just that cookie for the target user. While this isn't always necessary, if the invoking user's $XAUTHORITY is in an NFS-mounted directory coming from a server which uses root-squashing (and $XAUTHORITY is usually set to ~/.Xauthority, so it happens), it becomes necessary because $XAUTHORITY would otherwise be inaccessible. 
If for some reason pam_xauth isn't able to do what it attempts to do, it leaves the XAUTHORITY environment variable unchanged, so the behavior you were seeing before was probably a bug of some kind. I'm not sure how running another copy of 'xauth' would affect this, really. xauth locks files when it opens them, but that should cause 'su' to just sit there until the copy of xauth which it started fails, and you didn't mention any such delay. Nalin From selinux at comcast.net Fri Jun 18 20:45:18 2004 From: selinux at comcast.net (Tom London) Date: Fri, 18 Jun 2004 13:45:18 -0700 Subject: up2date/seaudit/... not working (EXPLAINED) Message-ID: <40D3545E.6080904@comcast.net> That fixed it!!!!! 'su' no longer takes 20 seconds to complete! The root shell still has XAUTHORITY set to /root/.xauthABCD, but commands (like seaudit, up2date) now work. Thanks for the speedy response! tom ------------------------------------------------------------------------ * /From/: Stephen Smalley * /To/: "Fedora SELinux support list for users & developers." * /Cc/: Russell Coker , Daniel J Walsh * /Subject/: Re: up2date/seaudit/... not working (EXPLAINED) * /Date/: Fri, 18 Jun 2004 16:24:18 -0400 ------------------------------------------------------------------------ On Fri, 2004-06-18 at 15:00, Tom London wrote: > Running off of the development tree, I couldn't get graphical apps (like > up2date, seaudit, ...) working when su'ed as root. All of this works > fine on a 'stock FC2' machine (running off > of the base and released-updates trees). Try moving the 'pam_selinux.so open multiple' line before the 'pam_xauth.so' line in /etc/pam.d/su. Dan, this is necessary under the current policy to get xauth to run with the right permissions for the new domain. -- Stephen Smalley National Security Agency From selinux at comcast.net Fri Jun 18 20:54:34 2004 
From: selinux at comcast.net (Tom London) Date: Fri, 18 Jun 2004 13:54:34 -0700 Subject: xauth changes XAUTHORITY in su (was Re: up2date/seaudit/... not working (EXPLAINED)) Message-ID: <40D3568A.6030007@comcast.net> Nalin, Stephen Smalley's fix (move line in /etc/pam.d/su) fixed much of the problem, but running 'xauth' in another window still changes the setting of XAUTHORITY in the root shell that su spawns.... So, without xauth running, XAUTHORITY gets set to /root/.xauthABCD; with xauth running, XAUTHORITY is unmodified (i.e., its value is /home/USER/.Xauthority). tom [I didn't report that prior to the fix, 'su' was taking 20 seconds to complete after entering the correct password. This delay is now gone.] ------------------------------------------------------------------------ * /From/: Nalin Dahyabhai * /To/: fedora-selinux-list redhat com * /Subject/: Re: up2date/seaudit/... not working (EXPLAINED) * /Date/: Fri, 18 Jun 2004 16:28:15 -0400 ------------------------------------------------------------------------ On Fri, Jun 18, 2004 at 12:00:44PM -0700, Tom London wrote: > Running off of the development tree, I couldn't get graphical apps (like > up2date, seaudit, ...) working when su'ed as root. All of this works > fine on a 'stock FC2' machine (running off > of the base and released-updates trees). > > The problem seems to be that the latest packages cause 'su' to change > the settings of XAUTHORITY environment variable from > 'XAUTHORITY=/home/USER/.Xauthority' to > 'XAUTHORITY=/root/.xauthABCD' (ABCD the usual 'uniqueness' stuff). > > If you manually reset XAUTHORITY back to '/home/USER/.Xauthority', the > apps work > again. > > Here's a bit of added strangeness: if you start 'xauth' in another user > window and then > try 'su -l', XAUTHORITY is not changed in the root shell. No AVCs against > /root/.authABCD either.... > > [On the 'stock FC2' machine, XAUTHORITY is not modified by su.] 
> > I've bugzilla'ed this > (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126300) > against coreutils, but I'm not sure that is the right place (e.g., > pam?). (All my systems > run with SELinux enabled, so I can only assume this is occurring on > SELinux-disabled > systems as well.) > > Can someone explain why 'su' would be changing XAUTHORITY ? The pam_xauth module reads the cookie for the current display for the invoking user and creates a temporary cookie file containing just that cookie for the target user. While this isn't always necessary, if the invoking user's $XAUTHORITY is in an NFS-mounted directory coming from a server which uses root-squashing (and $XAUTHORITY is usually set to ~/.Xauthority, so it happens), it becomes necessary because $XAUTHORITY would otherwise be inaccessible. If for some reason pam_xauth isn't able to do what it attempts to do, it leaves the XAUTHORITY environment variable unchanged, so the behavior you were seeing before was probably a bug of some kind. I'm not sure how running another copy of 'xauth' would affect this, really. xauth locks files when it opens them, but that should cause 'su' to just sit there until the copy of xauth which it started fails, and you didn't mention any such delay. Nalin From n3npq at nc.rr.com Sat Jun 19 01:17:23 2004 From: n3npq at nc.rr.com (Jeff Johnson) Date: Fri, 18 Jun 2004 21:17:23 -0400 Subject: Where should an RPM install .te/.fc files? In-Reply-To: <200406171318.30847.russell@coker.com.au> References: <200406171318.30847.russell@coker.com.au> Message-ID: <40D39423.2030804@nc.rr.com> Russell Coker wrote: >---------- Forwarded Message ---------- > >Subject: Re: Where should an RPM install .te/.fc files? >Date: Thu, 17 Jun 2004 02:48 
>From: "mike at flyn.org"
>To: fedora-selinux-list at redhat.com
>
>>>I maintain an RPM that installs .te and .fc files. In the past,
>>>contributing to the system's SELinux policy could be done by installing
>>>files in /etc/security/selinux/src/policy (I'm not sure this is right
>>>to begin with):
>>>
>>>%policy
>>>%{_sysconfdir}/security/selinux/src/policy/macros/pam_mount_macros.te
>>>

As noted, the path for installing *.fc and *.te files has changed. Also, the %policy marker to include an absolute path in both the metadata header as well as a file in the payload is not necessary. The original goal was to have rpm attempt "make reload" as well as setting file contexts, but there are too many unsolved problems trying to install policy piecewise to attempt.

>>>However, now policies may be in /etc/selinux/strict/src/policy/ or
>>>/etc/selinux/targeted/src/policy/. It is also possible that only one of
>>>these directories exists.
>>>

rpm will create directories in order to install files, so you need not worry about whether the directories exist. That is pure mechanism however; the comments below apply to the intent, rather than the mechanics, of installing *.te and *.fc files.

>>I don't think that your macros file fits in with the targeted policy, and
>>I think that the general aims of the targeted policy don't involve that
>>sort of thing (but this hasn't been considered much so far).
>>
>>It's probably best to install the files under only the strict directory.
>>
>>It is also possible that only one of those directories exists.
>>
>
>Installing exclusively under the strict policy makes sense. The things I am
>explicitly allowing should probably already be allowed by the targeted
>policy. However, what about the case where a user does not have the strict
>policy installed? In this case my RPM will install its policy files to an
>otherwise empty policy source tree. This may result in directories like
>/etc/selinux/strict being orphans -- not owned by any RPM. Should this be
>avoided somehow?
>

Even if rpm creates "orphan" directories on the path needed for installing a file, the file context will still be set according to the currently configured regexes. That still isn't quite correct behavior, as "orphan" directories are not under rpm control, so any tools based on paths from an rpmdb will fail to change the "orphan" directory paths.

The best way (imho) to add 3rd party *.te and *.fc files to either the targeted or strict trees and avoid "orphan" directories is to add a file dependency on the parent directory. E.g., add

    Requires: /etc/selinux/targeted/src/policy

if installing a file into that directory. That will avoid any "orphan" directory problems by forcing the package that owns the directory to be installed first. Note that any dependency on the package that "owns" the directory is sufficient; use a package rather than a file dependency if you wish.

There is still the problem of how and when "make reload" is to be done for the tree when there are additional *.te and *.fc files being added. Probably the best answer for right now is to attempt the same operation in %post that is attempted by the selinux-policy-{targeted,strict} package itself. There is the erasure reload case that needs to be handled in %postun as well. Make sure you disambiguate erasure from upgrade by testing $1 in the %postun script. Here's what ypbind does; every package with a %preun and/or %postun has examples:

    if [ "$1" -ge 1 ]; then
        /sbin/service ypbind condrestart > /dev/null 2>&1
    fi
    exit 0

The $1 argument is the number of instances of the pkg that will be installed after the script is run; $1 == 0 is the pure erasure case, >= 1 is the package upgrade case.

73 de Jeff

From thesource at ldb-jab.org Sat Jun 19 20:52:35 2004
From: thesource at ldb-jab.org (Lawrence Bowie) Date: Sat, 19 Jun 2004 16:52:35 -0400 Subject: C2 or B1 Message-ID: <40D4A793.6060602@ldb-jab.org> At this point SELinux does not have official "Orange Book" classification, right? Thanks, LDB From russell at coker.com.au Sun Jun 20 03:24:56 2004 
From: russell at coker.com.au (Russell Coker)
Date: Sun, 20 Jun 2004 13:24:56 +1000
Subject: C2 or B1
In-Reply-To: <40D4A793.6060602@ldb-jab.org>
References: <40D4A793.6060602@ldb-jab.org>
Message-ID: <200406201324.56395.russell@coker.com.au>

On Sun, 20 Jun 2004 06:52, Lawrence Bowie wrote:
> At this point SELinux does not have official "Orange Book"
> classification, right?

Classification applies to complete OS installations. SE Linux is not an OS, it is a security enhancement for Linux, and therefore it is not eligible for certification on its own. It is expected that Linux distributions incorporating SE Linux technology will do well in certification tests. AFAIK no-one has done such tests yet, and Red Hat Enterprise Linux 4 when it's released next year is likely to be the first Linux distribution to go through the certification process with SE Linux enabled.

Also I believe that classifications such as "C2" and "B1" are obsolete and have been for years.

http://csrc.nist.gov/cc/
http://www.commoncriteriaportal.org/public/developer/index.php?menu=1

Above are links to information on the Common Criteria (replacement for the "Orange Book"). Computer systems are evaluated against a "Protection Profile" (PP). Conformance to that PP is evaluated according to an "Evaluation Assurance Level" (EAL) which is a numerical rating that indicates how well you achieved the goals of the PP. A higher EAL number does not necessarily mean a more secure system; a lower EAL number for a different PP may be more difficult to achieve.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Sun Jun 20 03:35:28 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 20 Jun 2004 13:35:28 +1000
Subject: Lawrence Bowie
Message-ID: <200406201335.28011.russell@coker.com.au>

: host mail.ldb-jab.org[216.55.187.221] said: 550 5.0.0
    ... We don't accept mail from spammers and freaks
    (in reply to MAIL FROM command)

Lawrence, there's probably not much point in asking questions on this list if you are going to refuse mail from the main people who are involved in working on SE Linux in Fedora.

Could someone please forward this message to Lawrence in case he doesn't accept mail from me which comes from the list server.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From rhallyx at mindspring.com Mon Jun 21 00:47:20 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Sun, 20 Jun 2004 20:47:20 -0400
Subject: mozilla not starting in enforcing mode
Message-ID: <40D63018.6070108@mindspring.com>

After the most recent update to the strict policy (selinux-policy-strict-1.13.7-1), Mozilla web browser will not start in enforcing mode. It does *not* produce *any* avc denied messages in enforcing mode. Below are the avc denied messages that are produced when it does start in permissive mode:

Jun 20 20:31:30 new2 kernel: audit(1087777890.697:0): avc: denied { write } for pid=3471 exe=/usr/lib/mozilla-1.6/mozilla-xremote-client name=X0 dev=hda2 ino=1840568 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file
Jun 20 20:31:34 new2 kernel: audit(1087777894.263:0): avc: denied { unlink } for pid=3457 exe=/usr/lib/mozilla-1.6/mozilla-bin name=.fonts.cache-1 dev=hda2 ino=1091707 scontext=richard:staff_r:staff_mozilla_t tcontext=richard:object_r:staff_home_t tclass=file

Here is part of the output from fixfiles relabel prior to testing this problem:

/usr/sbin/setfiles: read 1499 specifications
/usr/sbin/setfiles: labeling files under /
/usr/sbin/setfiles: relabeling /home/richard/.fonts.cache-1 from richard:object_r:staff_mozilla_rw_t to richard:object_r:staff_home_t
/usr/sbin/setfiles: relabeling /.autofsck from system_u:object_r:root_t to system_u:object_r:default_t
/usr/sbin/setfiles: hash table stats: 374956 elements, 62564/65536 buckets used, longest chain length 15

HTH
Richard Hally

From russell at coker.com.au Mon Jun 21 04:01:37 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 21 Jun 2004 14:01:37 +1000
Subject: mozilla not starting in enforcing mode
In-Reply-To: <40D63018.6070108@mindspring.com>
References: <40D63018.6070108@mindspring.com>
Message-ID: <200406211401.37489.russell@coker.com.au>

On Mon, 21 Jun 2004 10:47, Richard Hally wrote:
> Jun 20 20:31:30 new2 kernel: audit(1087777890.697:0): avc: denied { write } for pid=3471 exe=/usr/lib/mozilla-1.6/mozilla-xremote-client name=X0 dev=hda2 ino=1840568 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file

That's a known issue. The policy regarding X client applications connecting to servers needs to be re-written to make it cleaner. For the moment just allow this.

> Jun 20 20:31:34 new2 kernel: audit(1087777894.263:0): avc: denied { unlink } for pid=3457 exe=/usr/lib/mozilla-1.6/mozilla-bin name=.fonts.cache-1 dev=hda2 ino=1091707 scontext=richard:staff_r:staff_mozilla_t tcontext=richard:object_r:staff_home_t tclass=file

This is an instance of the big problem with having multiple domains used for applications run from the user's account. They have files that are used by multiple applications and there is no consistent way of managing them.

The .fonts.cache file is used by many programs other than mozilla, most of which run as staff_t (in the case of staff_r logins) and therefore the type is staff_home_t. Labelling the file as staff_mozilla_rw_t is not going to work as I think that some programs will unlink and recreate it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From jrajiv at hclinsys.com Mon Jun 21 04:30:53 2004
From: jrajiv at hclinsys.com (Rajiv)
Date: Mon, 21 Jun 2004 10:00:53 +0530
Subject: support for gigabit architecture
Message-ID: <005201c45748$8aed0ef0$39140897@PMORND>

Dear All,

Does fedora kernel support gigabit architecture. I would like to implement a 128-node clustering that is driven by 10-Gigabit switch. Kindly give your suggestions on what switch, and what network card to use in the market.

Regards,
Rajiv

From rhally at mindspring.com Mon Jun 21 06:25:33 2004
From: rhally at mindspring.com (Richard Hally)
Date: Mon, 21 Jun 2004 02:25:33 -0400
Subject: mozilla not starting in enforcing mode
In-Reply-To: <200406211401.37489.russell@coker.com.au>
References: <40D63018.6070108@mindspring.com> <200406211401.37489.russell@coker.com.au>
Message-ID: <40D67F5D.8030806@mindspring.com>

Russell Coker wrote:
> On Mon, 21 Jun 2004 10:47, Richard Hally wrote:
>
>> Jun 20 20:31:30 new2 kernel: audit(1087777890.697:0): avc: denied { write } for pid=3471 exe=/usr/lib/mozilla-1.6/mozilla-xremote-client name=X0 dev=hda2 ino=1840568 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file
>
> That's a known issue. The policy regarding X client applications connecting
> to servers needs to be re-written to make it cleaner. For the moment just
> allow this.
>

Do you know what changed from the previous policy to cause this avc denied message or what else may have changed to cause Mozilla to no longer start? What change may have caused the execution of mozilla-xremote-client? My version of Mozilla is the same on both of my test systems and the one with the previous (1.13.4-6) policy doesn't have this problem. And I can't find the difference that is causing this??

Richard Hally

From markoer at markoer.org Mon Jun 21 09:22:12 2004
From: markoer at markoer.org (Marco Ermini)
Date: Mon, 21 Jun 2004 11:22:12 +0200 (CEST)
Subject: support for gigabit architecture
In-Reply-To: <005201c45748$8aed0ef0$39140897@PMORND>
References: <005201c45748$8aed0ef0$39140897@PMORND>
Message-ID: <35241.62.101.98.215.1087809732.squirrel@62.101.98.215>

Rajiv said:
> Dear All,
> Does fedora kernel support gigabit architecture. I would like to implement
> a 128-node clustering that is driven by 10-Gigabit switch.
[...]

I use an economical Realtek 1 Giga card and it works well. Don't know about 10 Giga cards, AFAIK Intel cards should work. Just do a search on their site.

Bye
-- 
Marco Ermini
http://www.markoer.org
Doubt is the beginning of wisdom. (Descartes)

From davidjs at netspace.net.au Mon Jun 21 10:10:34 2004
From: davidjs at netspace.net.au (david)
Date: Mon, 21 Jun 2004 20:10:34 +1000
Subject: slow to internet response
Message-ID: <1087738786.2837.9.camel@localhost.localdomain>

hi all

having a problem with the response time in core2. this machine is dual boot and the response time is not the same in the other os, therefore it must be in the se side of the linux as it wasn't there before i installed core2. i did a fresh install.

what happens is that there is at least a five to ten second gap between the actual response on the router when any html site is selected. once it has found that site, ie web mail, it changes the pages to the respective request at normal speed changes, but that lag is on all new page requests, and other core1, windows machines on the same network don't have it. i am the only one so far to be using core2.

please if you reply you will have to be very informative as to where to find the things that you ask me to forward to you as i am very new to linux, but happily learning everyday

thanks
david

From davidjs at netspace.net.au Mon Jun 21 10:10:45 2004
From: davidjs at netspace.net.au (david)
Date: Mon, 21 Jun 2004 20:10:45 +1000
Subject: mounting ntfs volume
Message-ID: <1087742606.3137.2.camel@localhost.localdomain>

hi all

what commands do i need to put into, i think fstab, to mount a ntfs volume and have read rights at user? umask=0222 doesn't give it to me

thanks
david

From russell at coker.com.au Mon Jun 21 11:10:28 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 21 Jun 2004 21:10:28 +1000
Subject: slow to internet response
In-Reply-To: <1087738786.2837.9.camel@localhost.localdomain>
References: <1087738786.2837.9.camel@localhost.localdomain>
Message-ID: <200406212110.28139.russell@coker.com.au>

On Mon, 21 Jun 2004 20:10, david wrote:
> having a problem with the response time in core2
> this machine is dual boot and the response time is not the same in the
> other os, therefore it must be in the se side of the linux as it wasnt
> there before i installed core2
> i did a fresh install
> what happens is that there is at least a five to ten second gap between

SE Linux does not cause any performance hit that you are going to notice. It certainly won't cause a 5-10 second delay.

I suspect that you have a problem with DNS. DNS problems commonly cause such delays. It might be best to ask on fedora-user about this.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From alexander.dalloz at uni-bielefeld.de Mon Jun 21 13:54:54 2004
From: alexander.dalloz at uni-bielefeld.de (Alexander Dalloz)
Date: Mon, 21 Jun 2004 15:54:54 +0200
Subject: slow to internet response
In-Reply-To: <1087738786.2837.9.camel@localhost.localdomain>
References: <1087738786.2837.9.camel@localhost.localdomain>
Message-ID: <1087826093.3189.112.camel@serendipity.dogma.lan>

On Mon, 21.06.2004 at 12:10, david wrote:
> hi all
> having a problem with the response time in core2
> this machine is dual boot and the response time is not the same in the
> other os, therefore it must be in the se side of the linux as it wasnt
> there before i installed core2
> i did a fresh install
> what happens is that there is at least a five to ten second gap between
> the actual response on the router when any html site is selected
> once it has found that site, ie web mail it changes the pages to the
> respective request at normal speed changes

That issue was recently discussed on the fedora-list at redhat.com as caused by ipv6 resolution.

echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network

and after a network restart the lags are certainly gone.

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) on Athlon CPU kernel 2.6.6-1.435
Serendipity 15:52:05 up 1 day, 21:39, load average: 0.02, 0.12, 0.22

From ldb at ldb-jab.org Sun Jun 20 12:53:35 2004
From: ldb at ldb-jab.org (Lawrence Bowie)
Date: Sun, 20 Jun 2004 08:53:35 -0400
Subject: Lawrence Bowie
In-Reply-To: <200406201335.28011.russell@coker.com.au>
References: <200406201335.28011.russell@coker.com.au>
Message-ID: <40D588CF.3060207@ldb-jab.org>

crap ... I apologize profusely ... it is fixed now ...

... LDB

Russell Coker wrote:
> : host mail.ldb-jab.org[216.55.187.221] said: 550 5.0.0
>     ... We don't accept mail from spammers and freaks
>     (in reply to MAIL FROM command)
>
> Lawrence, there's probably not much point in asking questions on this list if
> you are going to refuse mail from the main people who are involved in working
> on SE Linux in Fedora.
>
> Could someone please forward this message to Lawrence in case he doesn't
> accept mail from me which comes from the list server.

From selinux at comcast.net Mon Jun 21 16:56:20 2004
From: selinux at comcast.net (Tom London)
Date: Mon, 21 Jun 2004 09:56:20 -0700
Subject: update report....(>1000 updates and still ticking!)
Message-ID: <40D71334.5070807@comcast.net>

I just completed 'eating' over 1000 updates from the development tree on my 'bleeding edge' SELinux/strict/enforcing system. Updates included new SELinux packages, new kernel, new gnome/kde, ... just about new everything.

I detected NO significant SELinux installation issues!!!! This is quite impressive (I'm sure it is the result of much hard work).

No packages failed to install, and as far as I could detect, most packages are labeling correctly. In particular, the dev/MAKEDEV packages appear fixed (no problems in /dev or /udev), the kernel goes in smoothly (/lib/modules/{build,kernel} labeled properly), etc. etc. etc.

So far, I've detected only 3 'nits': the mozilla socket issue referred to in http://www.redhat.com/archives/fedora-selinux-list/2004-June/msg00235.html, a labeling issue for the mozilla plugin for users of j2sdk, and 'gaim' no longer working properly (fails both in enforcing and permissive mode, so I suspect it's not SELinux related).

Credit (and a tip of the hat) to the team!

tom

From alexis.wagner at polymtl.ca Mon Jun 21 18:19:45 2004
From: alexis.wagner at polymtl.ca (Alexis Wagner)
Date: Mon, 21 Jun 2004 14:19:45 -0400
Subject: yum install policy-sources
Message-ID: <1087841985.40d726c1e6463@www.imp.polymtl.ca>

Hi,

I am trying to install policy-sources with yum and I get the following "error":

# yum install policy-sources
Gathering header information file(s) from server(s)
Server: SELinux repository
Server: Fedora Core 2 - Development Tree
Finding updated packages
Downloading needed headers
Cannot find a package matching policy-sources
No actions to take

I am using this server for SELinux repository in yum.conf:
ftp://people.redhat.com/dwalsh/SELinux/Fedora

Is there another way to install the latest policy-sources?

Thank you,

Alexis Wagner

From selinux at comcast.net Mon Jun 21 18:28:15 2004
From: selinux at comcast.net (Tom London)
Date: Mon, 21 Jun 2004 11:28:15 -0700
Subject: yum install policy-sources
Message-ID: <40D728BF.6000100@comcast.net>

Yeah, it's not called that anymore if you are downloading from the development tree.

You want 'selinux-policy-strict-sources' or 'selinux-policy-targeted-sources'.

tom

From sds at epoch.ncsc.mil Mon Jun 21 20:32:30 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 21 Jun 2004 16:32:30 -0400
Subject: yum install policy-sources
In-Reply-To: <40D728BF.6000100@comcast.net>
References: <40D728BF.6000100@comcast.net>
Message-ID: <1087849950.4567.168.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2004-06-21 at 14:28, Tom London wrote:
> Yeah, its not called that anymore if you are downloading from the
> development tree.
>
> You want 'selinux-policy-strict-sources' or
> 'selinux-policy-targeted-sources'.

You should also use the Fedora development tree rather than Dan's site, unless you specifically want something that is only available from his site. I think the Fedora development tree is more up-to-date.

-- 
Stephen Smalley
National Security Agency

From selinux at comcast.net Mon Jun 21 21:38:03 2004
From: selinux at comcast.net (Tom London)
Date: Mon, 21 Jun 2004 14:38:03 -0700
Subject: Strange AVC from privoxy write
Message-ID: <40D7553B.9090601@comcast.net>

Running the latest packages from the development tree.

I configured mozilla to connect to privoxy (through the usual port 8118). All works OK until I try to 'add a URL pattern' to one of privoxy's config files through the browser.

I get the following AVC (notice the blank space/empty fields):

Jun 21 14:20:30 dell kernel: audit(1087852830.344:0): avc: denied { write } for pid=13411 exe=/usr/sbin/privoxy

and a privoxy err page reporting the write error.

Retrying after 'setenforce 0' produces the same AVC (but the 'write' succeeds).

Haven't seen an AVC like this before..... is this the expected behavior?

tom

From russell at coker.com.au Tue Jun 22 02:31:56 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 22 Jun 2004 12:31:56 +1000
Subject: Strange AVC from privoxy write
In-Reply-To: <40D7553B.9090601@comcast.net>
References: <40D7553B.9090601@comcast.net>
Message-ID: <200406221231.56858.russell@coker.com.au>

On Tue, 22 Jun 2004 07:38, Tom London wrote:
> Jun 21 14:20:30 dell
> kernel:
> audit(1087852830.344:0): avc: denied { write } for pid=13411
> exe=/usr/sbin/privoxy

http://www.redhat.com/archives/fedora-selinux-list/2004-June/msg00109.html

This looks similar to an issue I previously reported. Please check the message at the above URL and let us know if it's the same.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From selinux at comcast.net Tue Jun 22 02:42:01 2004
From: selinux at comcast.net (Tom London)
Date: Mon, 21 Jun 2004 19:42:01 -0700
Subject: Strange AVC from privoxy write
In-Reply-To: <200406221231.56858.russell@coker.com.au>
References: <40D7553B.9090601@comcast.net> <200406221231.56858.russell@coker.com.au>
Message-ID: <40D79C79.2020009@comcast.net>

Yes. /var/log/messages looks pretty much the same. (sorry, I didn't realize that mail/list stuff would munge the white space). The white space looks very similar.

I can reproduce at will from privoxy or gnome-session (gaim, I think). Other AVCs look 'normal'.....

Let me know if you need more log data on this.

I'm running kernel-2.6.7-1.441 from Arjan's tree, and the latest pkgs from the development tree.

tom

Russell Coker wrote:
> On Tue, 22 Jun 2004 07:38, Tom London wrote:
>
>> Jun 21 14:20:30 dell
>> kernel:
>> audit(1087852830.344:0): avc: denied { write } for pid=13411
>> exe=/usr/sbin/privoxy
>
> http://www.redhat.com/archives/fedora-selinux-list/2004-June/msg00109.html
>
> This looks similar to an issue I previously reported. Please check the
> message at the above URL and let us know if it's the same.

From sds at epoch.ncsc.mil Tue Jun 22 12:40:41 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 22 Jun 2004 08:40:41 -0400
Subject: Strange AVC from privoxy write
In-Reply-To: <200406221231.56858.russell@coker.com.au>
References: <40D7553B.9090601@comcast.net> <200406221231.56858.russell@coker.com.au>
Message-ID: <1087908040.6237.10.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2004-06-21 at 22:31, Russell Coker wrote:
> On Tue, 22 Jun 2004 07:38, Tom London wrote:
> > Jun 21 14:20:30 dell
> > kernel:
> > audit(1087852830.344:0): avc: denied { write } for pid=13411
> > exe=/usr/sbin/privoxy
>
> http://www.redhat.com/archives/fedora-selinux-list/2004-June/msg00109.html
>
> This looks similar to an issue I previously reported. Please check the
> message at the above URL and let us know if it's the same.

I also see such messages in my /var/log/messages, but do not know the cause. I've forwarded the mail to Rik Faith, who wrote the kernel audit framework; he may have a better idea as to what is happening. It would be interesting to revert to using printk for avc_audit and see whether the same error occurs.

-- 
Stephen Smalley
National Security Agency

From edwarner99 at yahoo.com Tue Jun 22 12:54:01 2004
From: edwarner99 at yahoo.com (edwarner99 at yahoo.com)
Date: Tue, 22 Jun 2004 05:54:01 -0700 (PDT)
Subject: FC2 Startup Errors
Message-ID: <20040622125401.79832.qmail@web14007.mail.yahoo.com>

I am getting these errors when I reboot FC2. I don't know what they mean. I have more, but this is the gist of the errors.

I can log in as a user, but I have root privileges.

audit(1087859536.934:0): avc: denied { getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=hda2 ino=73143 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
audit(1087859536.934:0): avc: denied { read write } for pid=1 exe=/sbin/init name=initctl dev=hda2 ino=73143 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
audit(1087859538.846:0): avc: denied { getattr } for pid=278 exe=/sbin/initlog path=/dev/log dev=hda2 ino=65553 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=sock_file
audit(1087859538.846:0): avc: denied { write } for pid=278 exe=/sbin/initlog name=log dev=hda2 ino=65553 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=sock_file
audit(1087859538.925:0): avc: denied { syslog_console } for pid=446 exe=/bin/dmesg scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=system
audit(1087859539.090:0): avc: denied { search } for pid=450 exe=/sbin/sysctl name=net dev= ino=-268435354 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_t tclass=dir
audit(1087859539.090:0): avc: denied { write } for pid=450 exe=/sbin/sysctl name=ip_forward dev= ino=-268435331 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_t tclass=file
audit(1087859539.090:0): avc: denied { getattr } for pid=450 exe=/sbin/sysctl path=/proc/sys/net/ipv4/ip_forward dev= ino=-268435331 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_t tclass=file
audit(1087859539.092:0): avc: denied { search } for pid=450 exe=/sbin/sysctl name=unix dev= ino=-268435042 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_unix_t tclass=dir
audit(1087859539.093:0): avc: denied { write } for pid=450 exe=/sbin/sysctl name=max_dgram_qlen dev= ino=-268435041 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_unix_t tclass=file
audit(1087859539.093:0): avc: denied { getattr } for pid=450 exe=/sbin/sysctl path=/proc/sys/net/unix/max_dgram_qlen dev= ino=-268435041 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_unix_t tclass=file
audit(1087859539.093:0): avc: denied { search } for pid=450 exe=/sbin/sysctl name=vm dev= ino=-268435370 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_vm_t tclass=dir
audit(1087859539.093:0): avc: denied { write } for pid=450 exe=/sbin/sysctl name=overcommit_memory dev= ino=-268435369 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_vm_t tclass=file
audit(1087859539.093:0): avc: denied { getattr } for pid=450 exe=/sbin/sysctl path=/proc/sys/vm/overcommit_memory dev= ino=-268435369 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_vm_t tclass=file
audit(1087859539.093:0): avc: denied { search } for pid=450 exe=/sbin/sysctl name=dev dev= ino=-268435240 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_dev_t tclass=dir
audit(1087859539.094:0): avc: denied { write } for pid=450 exe=/sbin/sysctl name=speed_limit_min dev= ino=-268435120 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_dev_t tclass=file
audit(1087859539.094:0): avc: denied { getattr } for pid=450 exe=/sbin/sysctl path=/proc/sys/dev/raid/speed_limit_min dev= ino=-268435120 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_dev_t tclass=file

From sds at epoch.ncsc.mil Tue Jun 22 13:07:12 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 22 Jun 2004 09:07:12 -0400
Subject: FC2 Startup Errors
In-Reply-To: <20040622125401.79832.qmail@web14007.mail.yahoo.com>
References: <20040622125401.79832.qmail@web14007.mail.yahoo.com>
Message-ID: <1087909632.6237.26.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2004-06-22 at 08:54, edwarner99 at yahoo.com wrote:
> I am getting these errors when I reboot FC2.
> I don't know what they mean. I have more, but this is
> the gist of the errors.
>
> I can log in as a user, but I have root privileges.
>
> audit(1087859536.934:0): avc: denied { getattr } for
> pid=1 exe=/sbin/init path=/dev/initctl dev=hda2
> ino=73143 scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:file_t tclass=fifo_file

The audit message indicates that you are running with SELinux enabled, but have not labeled your filesystem. I'm not sure what you mean by your statement about root privileges. Do you want SELinux to be enabled? If so, then run fixfiles relabel to label your filesystems. If not, then edit /etc/sysconfig/selinux accordingly to disable it.

-- 
Stephen Smalley
National Security Agency

From edwarner99 at yahoo.com Tue Jun 22 17:29:22 2004
From: edwarner99 at yahoo.com (edwarner99 at yahoo.com)
Date: Tue, 22 Jun 2004 10:29:22 -0700 (PDT)
Subject: FC2 Startup Errors
In-Reply-To: <20040622160018.E9C0673C5D@hormel.redhat.com>
Message-ID: <20040622172922.29110.qmail@web14006.mail.yahoo.com>

> Message: 10
> Date: Tue, 22 Jun 2004 09:07:12 -0400
> From: Stephen Smalley
> Subject: Re: FC2 Startup Errors
> To: "Fedora SELinux support list for users & developers."
> Message-ID: <1087909632.6237.26.camel at moss-spartans.epoch.ncsc.mil>
> Content-Type: text/plain
>
> On Tue, 2004-06-22 at 08:54, edwarner99 at yahoo.com wrote:
> > I am getting these errors when I reboot FC2.
> > I don't know what they mean. I have more, but this is
> > the gist of the errors.
> >
> > I can log in as a user, but I have root privileges.
> >
> > audit(1087859536.934:0): avc: denied { getattr } for
> > pid=1 exe=/sbin/init path=/dev/initctl dev=hda2
> > ino=73143 scontext=system_u:system_r:kernel_t
> > tcontext=system_u:object_r:file_t tclass=fifo_file
>
> The audit message indicates that you are running with SELinux enabled,
> but have not labeled your filesystem. I'm not sure what you mean by
> your statement about root privileges. Do you want SELinux to be
> enabled? If so, then run fixfiles relabel to label your filesystems.
> If not, then edit /etc/sysconfig/selinux accordingly to disable it.
>
> --
> Stephen Smalley
> National Security Agency

After I rebooted, I can run as a user with root privileges. In the logs, it states there is an unknown user -u.

I'm a little confused about selinux to begin with. I have read the documents. I run a small lan, so do you suggest I turn off selinux?

Thanks,

From selinux at comcast.net Tue Jun 22 18:05:09 2004
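The AVC records quoted in this thread (the mozilla denials in Richard Hally's post, the privoxy record with its missing fields, and the kernel_t/file_t denials from the unlabeled FC2 install above) all share one format, and a small parser makes the triage Stephen Smalley did by eye repeatable across a whole /var/log/messages. The following is an added example, not code from any of the posters or from the SELinux project. The sample log is constructed from the records quoted in the thread, and the file_t rule encodes the diagnosis given above (file_t is the type objects carry when the filesystem was never labeled), which is an assumption of this example rather than something the parser can verify:

```python
"""Triage SELinux AVC denial records in the 2004-era kernel audit format.

Added example, not code from this thread or from the SELinux project.
SAMPLE_LOG is constructed from the records quoted in the thread, plus one
non-AVC line to show that unrelated messages are skipped.
"""
import re
from collections import Counter

# audit(<secs>.<msecs>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; the value may be empty, as in the "dev= ino=-268435331"
# fields that /proc/sys objects produce in this format.
KV_RE = re.compile(r"(\w+)=(\S*)")

# Assumption (from the thread's diagnosis): objects on a filesystem that was
# never labeled show up with this target type.
UNLABELED_TYPE = "file_t"

SAMPLE_LOG = """\
Jun 20 20:31:30 new2 kernel: audit(1087777890.697:0): avc: denied { write } for pid=3471 exe=/usr/lib/mozilla-1.6/mozilla-xremote-client name=X0 dev=hda2 ino=1840568 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file
Jun 20 20:31:34 new2 kernel: audit(1087777894.263:0): avc: denied { unlink } for pid=3457 exe=/usr/lib/mozilla-1.6/mozilla-bin name=.fonts.cache-1 dev=hda2 ino=1091707 scontext=richard:staff_r:staff_mozilla_t tcontext=richard:object_r:staff_home_t tclass=file
Jun 21 14:20:30 dell kernel: audit(1087852830.344:0): avc: denied { write } for pid=13411 exe=/usr/sbin/privoxy
audit(1087859536.934:0): avc: denied { getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=hda2 ino=73143 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
audit(1087859536.934:0): avc: denied { read write } for pid=1 exe=/sbin/init name=initctl dev=hda2 ino=73143 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
audit(1087859539.090:0): avc: denied { write } for pid=450 exe=/sbin/sysctl name=ip_forward dev= ino=-268435331 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_t tclass=file
Jun 21 14:20:31 dell kernel: unrelated message, not an AVC record
"""


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"ts": float(m.group("ts")), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))  # pid, exe, path/name, scontext, ...
    return rec


def context_type(ctx):
    """Type component of a user:role:type context ('' if the context is malformed)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def triage(lines):
    """Summarise denial records and flag the two conditions discussed in the thread."""
    records = [r for r in map(parse_avc, lines) if r is not None]
    report = {
        "total": len(records),
        "truncated": [],        # records with no context fields (the privoxy case)
        "unlabeled": [],        # (exe, object) pairs whose target type is file_t
        "by_source_type": Counter(),
        "by_exe": Counter(),
    }
    for r in records:
        if "scontext" not in r or "tcontext" not in r:
            # Nothing to act on as a policy denial; this is the audit-logging
            # problem the thread tracks, so report it separately.
            report["truncated"].append(r.get("exe", "?"))
            continue
        report["by_source_type"][context_type(r["scontext"])] += 1
        report["by_exe"][r.get("exe", "?")] += 1
        if context_type(r["tcontext"]) == UNLABELED_TYPE:
            obj = r.get("path") or r.get("name") or "?"
            report["unlabeled"].append((r.get("exe", "?"), obj))
    # Denials against unlabeled objects are fixed by relabeling, not by policy.
    report["relabel_needed"] = bool(report["unlabeled"])
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG.splitlines())
    print(f"{rep['total']} AVC records; by source type: {dict(rep['by_source_type'])}")
    for exe in rep["truncated"]:
        print(f"record from {exe} has no contexts: logging problem, not a policy denial")
    for exe, obj in rep["unlabeled"]:
        print(f"{exe} denied on unlabeled object {obj}")
    if rep["relabel_needed"]:
        print("filesystem was never labeled: run 'fixfiles relabel' and reboot before enforcing")
```

Run stand-alone it prints the summary for the constructed sample; on a real system feed it the lines of /var/log/messages. The by_source_type count is the quick tell for the FC2 case: every denial from the unlabeled install comes from kernel_t, which is what you get when /sbin/init itself carries no label and so no domain transition out of the kernel domain ever fires. A denial whose target is file_t calls for 'fixfiles relabel' and a reboot, as advised in the reply above, not for a policy change; a record with no scontext/tcontext cannot be acted on as a denial at all and is better reported as the logging problem this thread tracks.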
From: selinux at comcast.net (Tom London)
Date: Tue, 22 Jun 2004 11:05:09 -0700
Subject: Strange AVC from privoxy write
In-Reply-To: <1087908040.6237.10.camel@moss-spartans.epoch.ncsc.mil>
References: <40D7553B.9090601@comcast.net> <200406221231.56858.russell@coker.com.au> <1087908040.6237.10.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <40D874D5.1010908@comcast.net>

I couldn't find a bugzilla on this to attach my log...

Is there one open?

tom

Stephen Smalley wrote:
> On Mon, 2004-06-21 at 22:31, Russell Coker wrote:
>
>> On Tue, 22 Jun 2004 07:38, Tom London wrote:
>>
>>> Jun 21 14:20:30 dell
>>> kernel:
>>> audit(1087852830.344:0): avc: denied { write } for pid=13411
>>> exe=/usr/sbin/privoxy
>>
>> http://www.redhat.com/archives/fedora-selinux-list/2004-June/msg00109.html
>>
>> This looks similar to an issue I previously reported. Please check the
>> message at the above URL and let us know if it's the same.
>
> I also see such messages in my /var/log/messages, but do not know the
> cause. I've forward the mail to Rik Faith, who wrote the kernel audit
> framework; he may have a better idea as to what is happening.
> It would be interesting to revert to using printk for avc_audit and see
> whether the same error occurs.

From sds at epoch.ncsc.mil Tue Jun 22 18:05:26 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 22 Jun 2004 14:05:26 -0400
Subject: FC2 Startup Errors
In-Reply-To: <20040622172922.29110.qmail@web14006.mail.yahoo.com>
References: <20040622172922.29110.qmail@web14006.mail.yahoo.com>
Message-ID: <1087927526.6237.119.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2004-06-22 at 13:29, edwarner99 at yahoo.com wrote:
> After I rebooted, I can run as a user with root
> privileges. In the logs, it states there is an unknown
> user -u.

It is likely that SELinux is running in permissive mode, i.e. logging denials as warnings but not actually preventing access. /etc/sysconfig/selinux (or in rawhide, /etc/selinux/config) specifies the initial state, and setenforce can be used to switch at runtime, subject to access control once you are in enforcing mode. You don't want to switch to enforcing mode without labeling your filesystems via 'fixfiles relabel' and rebooting.

> I'm a little confused about selinux to begin with. I
> have read the documents. I run a small lan, so do you
> suggest I turn off selinux?

Did you read the Fedora SELinux FAQ?
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/

I can't advise you either way. The paper available from http://www.nsa.gov/selinux/papers/inevit-abs.cfm talks about why mandatory access controls in the operating system (which is what SELinux provides) are critical to system security.

-- 
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Tue Jun 22 18:07:50 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 22 Jun 2004 14:07:50 -0400
Subject: Strange AVC from privoxy write
In-Reply-To: <40D874D5.1010908@comcast.net>
References: <40D7553B.9090601@comcast.net> <200406221231.56858.russell@coker.com.au> <1087908040.6237.10.camel@moss-spartans.epoch.ncsc.mil> <40D874D5.1010908@comcast.net>
Message-ID: <1087927670.6237.123.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2004-06-22 at 14:05, Tom London wrote:
> I couldn't find a bugzilla on this to attach my log...
>
> Is there one open?

Not AFAIK.

-- 
Stephen Smalley
National Security Agency

From Valdis.Kletnieks at vt.edu Tue Jun 22 18:23:02 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Tue, 22 Jun 2004 14:23:02 -0400 Subject: FC2 Startup Errors In-Reply-To: Your message of "Tue, 22 Jun 2004 10:29:22 PDT." <20040622172922.29110.qmail@web14006.mail.yahoo.com> References: <20040622172922.29110.qmail@web14006.mail.yahoo.com> Message-ID: <200406221823.i5MIN2n8025595@turing-police.cc.vt.edu> On Tue, 22 Jun 2004 10:29:22 PDT, edwarner99 at yahoo.com said: > After I rebooted, I can run as a user with root > privileges. In the logs, it states there is an unknown > user -u. A little hard to diagnose without seeing the actual error message(s) in the logs, with a few lines of context before and after so we can guess when it happens. But a quick 'grep -e -u /etc/init.d/*' indicates the most likely culprit is one of these 4 lines: % grep -e 'id -u' /etc/init.d/* /etc/init.d/identd:[ `id -u` -ne 0 ] && exit 1 /etc/init.d/irqbalance:[ `id -u` = 0 ] || exit 0 /etc/init.d/rawdevices: ID=`id -u` /etc/init.d/xinetd:[ `id -u` = 0 ] || exit 1 (No, I don't know how /usr/bin/id gets confused into thinking -u is a userid and not a flag, and I may be looking in the wrong place due to the lack of any real information....) > I'm a little confused about selinux to begin with. I > have read the documents. I run a small lan, so do you > suggest I turn off selinux? The proper question is: What is your threat model, and does SELinux do anything to help with it? It's possible you run a small lan, but have a security concern that SELinux can help with. It's possible that you run a very large network, and don't have any threats that SELinux can help with. 
Basically, you have to decide whether you're worried about the sort of things that SELinux stops (basically, it does damage containment - even if an attacker gets full control of a process that's in one security context, they are limited in what data in other contexts they can access, and what system operations they can perform (for instance, if the program is in a security context that doesn't include the permission to use the exec*() family of system calls, an exploit that does the usual "exec() and get a /bin/sh" shellcode Just Won't Work)). Whether the added security is worth the added administration effort is something you have to decide for yourself. Note however, that the more people use it and report any problems, the faster it will become more transparent to the sysadmin....

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL:

From selinux at comcast.net Tue Jun 22 18:50:26 2004
From: selinux at comcast.net (Tom London)
Date: Tue, 22 Jun 2004 11:50:26 -0700
Subject: Strange AVC from privoxy write
In-Reply-To: <1087927670.6237.123.camel@moss-spartans.epoch.ncsc.mil>
References: <40D7553B.9090601@comcast.net> <200406221231.56858.russell@coker.com.au> <1087908040.6237.10.camel@moss-spartans.epoch.ncsc.mil> <40D874D5.1010908@comcast.net> <1087927670.6237.123.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <40D87F72.1080902@comcast.net>

I've bugzilla'ed it here so it doesn't get lost:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126515

Interesting....the privoxy AVC now logs correctly, but I found older and newer ones in my log and logrotated logs. Seems to be pretty irregular.

Sigh.

tom

Stephen Smalley wrote:
> On Tue, 2004-06-22 at 14:05, Tom London wrote:
>> I couldn't find a bugzilla on this to attach my log...
>>
>> Is there one open?
>
> Not AFAIK.

From cra at WPI.EDU Tue Jun 22 22:01:35 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Tue, 22 Jun 2004 18:01:35 -0400
Subject: mozilla not starting in enforcing mode
In-Reply-To: <200406211401.37489.russell@coker.com.au>
References: <40D63018.6070108@mindspring.com> <200406211401.37489.russell@coker.com.au>
Message-ID: <20040622220135.GD5108@angus.ind.WPI.EDU>

On Mon, Jun 21, 2004 at 02:01:37PM +1000, Russell Coker wrote:
> is staff_home_t. Labelling the file as staff_mozilla_rw_t is not going to
> work as I think that some programs will unlink and recreate it.

Has any thought been given to automatically, through policy, applying certain labels to files as they are created?

From edwarner99 at yahoo.com Tue Jun 22 22:27:48 2004
From: edwarner99 at yahoo.com (edwarner99 at yahoo.com)
Date: Tue, 22 Jun 2004 15:27:48 -0700 (PDT)
Subject: FC2 Startup Errors
In-Reply-To: <20040622160018.E9C0673C5D@hormel.redhat.com>
Message-ID: <20040622222748.70959.qmail@web14003.mail.yahoo.com>

Message: 10
Date: Tue, 22 Jun 2004 09:07:12 -0400
From: Stephen Smalley
Subject: Re: FC2 Startup Errors
To: "Fedora SELinux support list for users & developers."
Message-ID: <1087909632.6237.26.camel at moss-spartans.epoch.ncsc.mil>
Content-Type: text/plain

On Tue, 2004-06-22 at 08:54, edwarner99 at yahoo.com wrote:
> I am getting these errors when I reboot FC2.
> I don't know what they mean. I have more, but this is
> the gist of the errors.
>
> I can log in as a user, but I have root privileges.
>
> audit(1087859536.934:0): avc: denied { getattr } for
> pid=1 exe=/sbin/init path=/dev/initctl dev=hda2
> ino=73143 scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:file_t tclass=fifo_file

Do you want SELinux to be enabled? If so, then run fixfiles relabel to label your filesystems. If not, then edit /etc/sysconfig/selinux accordingly to disable it.

I don't have a /etc/sysconfig/selinux, but I do have a /etc/security/selinux

What do I have to do to disable? I placed selinux=0 in grub.conf on the kernel line. That seemed to kill everything. Was this the right way?

From russell at coker.com.au Wed Jun 23 03:07:59 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 23 Jun 2004 13:07:59 +1000
Subject: mozilla not starting in enforcing mode
In-Reply-To: <20040622220135.GD5108@angus.ind.WPI.EDU>
References: <40D63018.6070108@mindspring.com> <200406211401.37489.russell@coker.com.au> <20040622220135.GD5108@angus.ind.WPI.EDU>
Message-ID: <200406231307.59529.russell@coker.com.au>

On Wed, 23 Jun 2004 08:01, "Charles R. Anderson" wrote:
> On Mon, Jun 21, 2004 at 02:01:37PM +1000, Russell Coker wrote:
> > is staff_home_t. Labelling the file as staff_mozilla_rw_t is not going
> > to work as I think that some programs will unlink and recreate it.
>
> Has any thought been given to automatically, through policy, applying
> certain labels to files as they are created?

Yes, that is done. If mozilla creates the file in question and nothing else unlinks it then things will be fine. However if something else creates it first or unlinks it and re-creates it then it gets a type that Mozilla may not be permitted write or read/write access to (depending on policy).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From rhallyx at mindspring.com Wed Jun 23 03:57:18 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Tue, 22 Jun 2004 23:57:18 -0400
Subject: policy problem with netlink sockets
Message-ID: <40D8FF9E.7010708@mindspring.com>

Attached in the 'spew' file is the last 200 lines from doing a make reload of the latest strict policy (selinux-policy-strict-sources-1.13.7-1). Below are some of the avc denied messages generated immediately after the newly made policy was loaded. Does this need to be put into bugzilla?

Richard Hally

Jun 22 23:37:38 new2 kernel: audit(1087961858.402:0): avc: granted { load_policy } for pid=13433 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Jun 22 23:37:38 new2 kernel: security: 6 users, 7 roles, 1254 types, 1 bools
Jun 22 23:37:38 new2 kernel: security: 51 classes, 340144 rules
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { create } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { bind } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { getattr } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { write } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { nlmsg_read } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { read } for pid=3051
exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: spew
URL:

From russell at coker.com.au Wed Jun 23 07:53:52 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 23 Jun 2004 17:53:52 +1000
Subject: policy problem with netlink sockets
In-Reply-To: <40D8FF9E.7010708@mindspring.com>
References: <40D8FF9E.7010708@mindspring.com>
Message-ID: <200406231753.52665.russell@coker.com.au>

On Wed, 23 Jun 2004 13:57, Richard Hally wrote:
> Attached in the 'spew' file is the last 200 lines from doing a make
> reload of the latest strict policy
> (selinux-policy-strict-sources-1.13.7-1). Below are some of the avc
> denied messages generated immediately after the newly made policy was
> loaded. Does this need to be put into bugzilla?

I don't think this needs to be put in bugzilla at this stage. The transition to the new netlink controls is going to be painful: it requires a new kernel (which you appear to have), a new checkpolicy (which you also appear to have), and changes to the policy source (which needs on-going work). It will probably take us a couple of weeks to sort out the major issues. If you still have problems then it will be a good time to file some bug reports.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From cra at WPI.EDU Wed Jun 23 13:06:02 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Wed, 23 Jun 2004 09:06:02 -0400
Subject: mozilla not starting in enforcing mode
In-Reply-To: <200406231307.59529.russell@coker.com.au>
References: <40D63018.6070108@mindspring.com> <200406211401.37489.russell@coker.com.au> <20040622220135.GD5108@angus.ind.WPI.EDU> <200406231307.59529.russell@coker.com.au>
Message-ID: <20040623130602.GA12898@angus.ind.WPI.EDU>

On Wed, Jun 23, 2004 at 01:07:59PM +1000, Russell Coker wrote:
> > Has any thought been given to automatically, through policy, applying
> > certain labels to files as they are created?
>
> Yes that is done. If mozilla creates the file in question and nothing else
> unlinks it then things will be fine. However if something else creates it
> first or unlinks it and re-creates it then it gets a type that Mozilla may
> not be permitted write or read/write access (depending on policy).

I realize that file creation inherits the parent process's context. What I was suggesting was something to override that based on filesystem path pattern, parent directory context, or something like that.

From sds at epoch.ncsc.mil Thu Jun 24 12:33:06 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 24 Jun 2004 08:33:06 -0400
Subject: mozilla not starting in enforcing mode
In-Reply-To: <20040623130602.GA12898@angus.ind.WPI.EDU>
References: <40D63018.6070108@mindspring.com> <200406211401.37489.russell@coker.com.au> <20040622220135.GD5108@angus.ind.WPI.EDU> <200406231307.59529.russell@coker.com.au> <20040623130602.GA12898@angus.ind.WPI.EDU>
Message-ID: <1088080386.24434.11.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-06-23 at 09:06, Charles R. Anderson wrote:
> I realize that file creation inherits the parent process's context.
> What I was suggesting was something to override that based on
> filesystem path pattern, parent directory context, or something like
> that.

New files default to the security type of the parent directory, unless the policy includes a file_type_auto_trans() macro (or type_transition rule) that specifies a different type based on the creating process domain, parent directory type, and file class.

-- 
Stephen Smalley
National Security Agency

From selinux at comcast.net Thu Jun 24 16:35:45 2004
From: selinux at comcast.net (Tom London)
Date: Thu, 24 Jun 2004 09:35:45 -0700
Subject: typo in new fixfiles
Message-ID: <40DB02E1.7040502@comcast.net>

New fixfiles has lines like:

    if [ $1 != "" ]; then

These produce shell errors. I think they could be:

    if [ x$1 != "x" ]; then

or some such.....

tom

From rpjday at mindspring.com Thu Jun 24 16:34:49 2004
From: rpjday at mindspring.com (Robert P. J. Day)
Date: Thu, 24 Jun 2004 12:34:49 -0400 (EDT)
Subject: typo in new fixfiles
In-Reply-To: <40DB02E1.7040502@comcast.net>
References: <40DB02E1.7040502@comcast.net>
Message-ID:

On Thu, 24 Jun 2004, Tom London wrote:
> New fixfiles has lines like:
>     if [ $1 != "" ]; then
>
> These produce shell errors. I think they could be:
>     if [ x$1 != "x" ]; then

isn't it sufficient to just check whether

    [ "$1" != "" ]

there's also always:

    [ -n "$1" ]

(IIRC, checking whether a string is non-zero length)

rday

From selinux at comcast.net Thu Jun 24 16:49:31 2004
From: selinux at comcast.net (Tom London)
Date: Thu, 24 Jun 2004 09:49:31 -0700
Subject: /u?dev/microcode ?
Message-ID: <40DB061B.9030608@comcast.net>

A previous posting indicated that /u?dev/microcode should be labeled as system_u:object_r:cpu_device_t.

Is this still needed? Added to file_contexts/types.fc?

tom

From ivg2 at cornell.edu Thu Jun 24 18:57:55 2004
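The fixfiles test reported in the "typo in new fixfiles" thread above, run beside the two quoted forms from the reply, as an added example (not code from fixfiles or from anyone in the thread); the function names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from fixfiles or from the thread: the reported
# test `[ $1 != "" ]` beside the two quoted-form fixes, so the difference
# in exit status is visible on an empty argument.

# As reported: $1 is unquoted, so an empty argument vanishes from the
# command line and test sees `[ != "" ]`, which is a syntax error (exit
# status 2, with a diagnostic on stderr), not a false result.
broken_nonempty() {
    [ $1 != "" ]
}

# Fix 1: quoting "$1" keeps the empty string as an argument, so the
# comparison is well-formed and simply returns false (status 1).
quoted_nonempty() {
    [ "$1" != "" ]
}

# Fix 2: -n asks directly whether the string has non-zero length.
n_nonempty() {
    [ -n "$1" ]
}

# Run one of the functions above with the given argument and print its
# exit status; stderr is discarded so the broken form's diagnostic does
# not clutter the output. The `|| rc=$?` form keeps `set -e` from aborting.
status_of() {
    fn=$1
    shift
    rc=0
    "$fn" "$@" 2>/dev/null || rc=$?
    echo "$rc"
}

# Side by side: the broken form reports 2 (an error) for the empty case,
# while both fixes return 1 for empty and 0 for non-empty.
for arg in "" "foo"; do
    echo "arg='$arg' broken=$(status_of broken_nonempty "$arg")" \
         "quoted=$(status_of quoted_nonempty "$arg")" \
         "n=$(status_of n_nonempty "$arg")"
done
```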
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Thu, 24 Jun 2004 12:57:55 -0600
Subject: Strict policy test, 1.13.7-1, denies: lvm.static, klogd, udev, httpd, xfs, xorg, dmesg
Message-ID: <1088103476.3151.7.camel@localhost.bluenet>

Hi, these are the results of running strict policy selinux.

Kernel: 2.6.7-1.448
Selinux-strict: 1.13.7-1
Filesystems: / is xfs, /tmp is tmpfs (is that a problem? xattrs?), /boot is ext3

I relabeled prior to running this test. I know there's a new version released today and I'll try that soon. I'm sorry if any of these are duplicates or have been fixed.

==================================================================
audit2allow:

allow dmesg_t staff_home_t:file { write };
allow dmesg_t user_home_t:file { write };
allow httpd_t bin_t:dir { getattr };
allow httpd_t httpd_log_t:file { write };
allow httpd_t sbin_t:dir { getattr };
allow httpd_t snmpd_var_lib_t:file { getattr write };
allow klogd_t boot_t:lnk_file { read };
allow lvm_t device_t:file { getattr };
allow lvm_t selinux_config_t:dir { search };
allow udev_t var_lock_t:dir { search };
allow xdm_xserver_t xdm_tmpfs_t:dir { getattr };
allow xfs_t tmpfs_t:dir { search };
====================================================================

Denies summary - all of those occur during normal startup, and the dmesg ones are me trying to pipe dmesg to a log file in my home folder as root.
LVM.STATIC

1) name = selinux
   tclass = dir
   denied { search }
   exe = lvm.static
   scontext = system_u:system_r:lvm_t
   tcontext = system_u:object_r:selinux_config_t

2) path = /dev/vcsa01 or /dev/vcsa05
   tclass = file
   denied { getattr }
   exe = lvm.static
   scontext = system_u:system_r:lvm_t
   tcontext = system_u:object_r:device_t

KLOGD

3) name = System.map
   tclass = lnk_file
   denied { read }
   exe = /sbin/klogd
   scontext = system_u:system_r:klog_t
   tcontext = system_u:object_r:boot_t

UDEV

4) name = lock
   tclass = dir
   denied { search }
   exe = /bin/bash
   scontext = system_u:system_r:udev_t
   tcontext = system_u:object_r:var_lock_t

HTTPD

5) name = /sbin or /usr/sbin
   tclass = dir
   denied { getattr }
   exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:sbin_t

6) name = /bin or /usr/bin or /usr/X11R6/bin
   tclass = dir
   denied { getattr }
   exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:bin_t

7) name = jk2.shm
   tclass = file
   denied { write }
   exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:httpd_log_t

8) path = /usr/share/snmp/mibs/.index
   tclass = file
   denied { getattr }
   exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:snmpd_var_lib_t

   name = .index
   tclass = file
   denied { write }
   exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:snmpd_var_lib_t

XFS

9) dev = tmpfs
   tclass = dir
   denied { search }
   exe = /usr/X11R6/bin/xfs
   scontext = system_u:system_r:xfs_t
   tcontext = system_u:object_r:tmpfs_t

Xorg

10) dev = tmpfs
    path = /tmp/.X11-unix
    tclass = dir
    denied { getattr }
    exe = /usr/X11R6/bin/Xorg
    scontext = system_u:system_r:xdm_xserver_t
    tcontext = system_u:object_r:xdm_tmpfs_t

Dmesg

11) path = /home/-username-/log
    tclass = file
    denied { write }
    exe = /bin/dmesg
    scontext = root:system_r:dmesg_t
    tcontext = root:object_r:user_home_t
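The step from "avc: denied" kernel messages like Richard's netlink lines to allow rules of the shape in Ivan's audit2allow listing, as an added example: a small sh/awk filter that is not audit2allow itself and not code from anyone in the thread. It assumes the three-field user:role:type contexts of this era (no MLS level field), and its sample input is constructed from lines quoted in the thread, with the dmesg line's pid and path made up.

```shell
#!/bin/sh
# Added example, not the audit2allow tool and not code from the thread:
# collapse "avc: denied" kernel log lines into allow rules, merging every
# permission seen for one (source type, target type, class) triple, as the
# audit2allow listing above does. Assumes three-field user:role:type
# contexts as on FC2 (no MLS level field after the type).

avc_to_allow() {
    # 1. keep only denials ("avc: granted" lines such as load_policy are dropped)
    # 2. pull out: source type, target type, object class, permission list
    # 3. merge permissions per "src tgt:class" key, keeping first-seen order
    grep 'avc: *denied' |
    sed -n 's/.*denied { \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^ ]*\) .*tcontext=[^:]*:[^:]*:\([^ ]*\) .*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    awk '
        {
            key = $1 " " $2 ":" $3
            if (!(key in seen)) { seen[key] = 1; order[++n] = key }
            for (i = 4; i <= NF; i++)
                if (!((key, $i) in have)) { have[key, $i] = 1; perms[key] = perms[key] " " $i }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "allow %s {%s };\n", order[i], perms[order[i]]
        }'
}

# Constructed sample: one "granted" line, four of the gnome-session netlink
# denials, the init fifo_file denial from the FC2 thread, and a dmesg line
# built from entry 11 above (its pid, path and audit id are made up).
demo() {
    avc_to_allow <<'EOF'
Jun 22 23:37:38 new2 kernel: audit(1087961858.402:0): avc: granted { load_policy } for pid=13433 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { create } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { bind } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { write } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { nlmsg_read } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
audit(1087859536.934:0): avc: denied { getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=hda2 ino=73143 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
audit(1087900000.000:0): avc: denied { write } for pid=4242 exe=/bin/dmesg path=/home/user/log scontext=root:system_r:dmesg_t tcontext=root:object_r:user_home_t tclass=file
EOF
}

# Prints three rules, the netlink one with all four permissions merged.
demo
```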
From ivg2 at cornell.edu Thu Jun 24 20:21:26 2004
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Thu, 24 Jun 2004 14:21:26 -0600
Subject: How to properly upgrade policy
Message-ID: <1088108488.6023.2.camel@localhost.bluenet>

What's the proper way to upgrade the selinux policy?

yum and rpm leave me with .rpmnew files every single time. I assume I'm supposed to manually overwrite the old ones. Is that so?

warning: /etc/selinux/strict/contexts/files/file_contexts created as /etc/selinux/strict/contexts/files/file_contexts.rpmnew
selinux-policy-strict 39 % done
warning: /etc/selinux/strict/policy/policy.17 created as /etc/selinux/strict/policy/policy.17.rpmnew
selinux-policy-strict 100 % done 30/144
warning: /etc/selinux/targeted/contexts/files/file_contexts created as /etc/selinux/targeted/contexts/files/file_contexts.rpmnew
selinux-policy-targeted 100 % done 31/144

Do I need to run make relabel?

From sds at epoch.ncsc.mil Thu Jun 24 20:45:33 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 24 Jun 2004 16:45:33 -0400
Subject: How to properly upgrade policy
In-Reply-To: <1088108488.6023.2.camel@localhost.bluenet>
References: <1088108488.6023.2.camel@localhost.bluenet>
Message-ID: <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-06-24 at 16:21, Ivan Gyurdiev wrote:
> What's the proper way to upgrade the selinux policy?
>
> yum and rpm leave me with .rpmnew files every single time.

This suggests that you installed the policy source package as well, or locally modified your policy directly. If you install or update the policy source package (selinux-policy-strict-sources), then it should rebuild the policy files from source and load the new ones automatically as part of the %post. Updating the policy package (selinux-policy-strict) will then leave you with .rpmnew files because it sees that the files have been locally rebuilt.

> I assume I'm supposed to manually overwrite the old ones. Is that so?

Or update policy sources to get them regenerated.

> Do I need to run make relabel?

It is generally safest to do so, but often unnecessary (only if there is a relevant change to file_contexts that affects you). Relabeling is not presently automatically performed upon a policy update.

-- 
Stephen Smalley
National Security Agency

From ivg2 at cornell.edu Thu Jun 24 21:00:34 2004
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Thu, 24 Jun 2004 15:00:34 -0600
Subject: How to properly upgrade policy
In-Reply-To: <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil>
References: <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1088110834.6023.6.camel@localhost.bluenet>

On Thu, 2004-06-24 at 16:45 -0400, Stephen Smalley wrote:
> On Thu, 2004-06-24 at 16:21, Ivan Gyurdiev wrote:
> > What's the proper way to upgrade the selinux policy?
> >
> > yum and rpm leave me with .rpmnew files every single time.
>
> This suggests that you installed the policy source package as well, or
> locally modified your policy directly. If you install or update the
> policy source package (selinux-policy-strict-sources), then it should
> rebuild the policy files from source and load the new ones automatically
> as part of the %post. Updating the policy package
> (selinux-policy-strict) will then leave you with .rpmnew files because
> it sees that the files have been locally rebuilt.

Yes, I have the sources package installed - I need it to make relabel, don't I? Since I upgrade through yum, and rawhide updates the sources package with the other one, I always update them together. However, the resulting files are not the same - file_contexts and file_contexts.rpmnew are different, and the binary policy differs too.

> > Do I need to run make relabel?
>
> It is generally safest to do so, but often unnecessary (only if there is
> a relevant change to file_contexts that affects you). Relabeling is not
> presently automatically performed upon a policy update.

Are there plans to change that?
From rhallyx at mindspring.com Fri Jun 25 02:58:46 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Thu, 24 Jun 2004 22:58:46 -0400
Subject: lack of AVC denied messages
Message-ID: <40DB94E6.9080609@mindspring.com>

After recent updates Mozilla web browser will not start while in enforcing mode. The troubling thing is that it does not produce any avc denied messages. Further, after switching to permissive mode, starting Mozilla web browser, exiting, generating allow rules from the avc denied messages, incorporating them into the policy, doing a 'make reload' and trying Mozilla again in enforcing mode it still will not start and does not produce any avc denied messages.

Considering that the recommended method for generating policy is to "debug it into existence" i.e. run things and look at the avc denied messages, this lack of avc denied messages indicates there is something fundamentally wrong here and indicates a mode of failure we may not have considered before.

Or is it just a bug?

Thanks for any help,
Richard Hally

kernel 2.6.7.-1.448
selinux-policy-strict-sources-1.13.8-1
sysklogd-1.4.1-20

From rhally at mindspring.com Fri Jun 25 03:52:04 2004
From: rhally at mindspring.com (Richard Hally)
Date: Thu, 24 Jun 2004 23:52:04 -0400
Subject: lack of AVC denied messages
In-Reply-To: <40DB94E6.9080609@mindspring.com>
References: <40DB94E6.9080609@mindspring.com>
Message-ID: <40DBA164.4040100@mindspring.com>

Richard Hally wrote:
> After recent updates Mozilla web browser will not start while in
> enforcing mode. The troubling thing is that it does not produce any avc
> denied messages. Further, after switching to permissive mode, starting
> Mozilla web browser, exiting, generating allow rules from the avc denied
> messages, incorporating them into the policy, doing a 'make reload' and
> trying Mozilla again in enforcing mode it still will not start and
> does not produce any avc denied messages.
> Considering that the recommended method for generating policy is to
> "debug it into existence" i.e. run things and look at the avc denied
> messages, this lack of avc denied messages indicates there is something
> fundamentally wrong here and indicates a mode of failure we may not have
> considered before.
> Or is it just a bug?
>
> Thanks for any help,
> Richard Hally
>
> kernel 2.6.7.-1.448
> selinux-policy-strict-sources-1.13.8-1
> sysklogd-1.4.1-20
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

Sorry for the reply to my own message.

After remembering (and using) the 'enableaudit' option for making policy, the needed avc denied messages to generate the allow rules were produced.

But this raises the larger question of how are we going to handle the dontaudit rules in the future? And how do we distinguish between those that are for "harmless" denials and those that are not?

Richard Hally

From russell at coker.com.au Fri Jun 25 04:11:34 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 25 Jun 2004 14:11:34 +1000
Subject: /u?dev/microcode ?
In-Reply-To: <40DB061B.9030608@comcast.net>
References: <40DB061B.9030608@comcast.net>
Message-ID: <200406251411.34994.russell@coker.com.au>

On Fri, 25 Jun 2004 02:49, Tom London wrote:
> A previous posting indicated that /u?dev/microcode should be labeled as
> system_u:object_r:cpu_device_t.
>
> Is this still needed? Added to file_contexts/types.fc?

Yes it's still needed. If it's not yet in the fedora policy then it soon will be.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From ivg2 at cornell.edu Fri Jun 25 05:14:19 2004
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Thu, 24 Jun 2004 23:14:19 -0600
Subject: Targeted policy test, 1.13.8-1, denies: httpd
In-Reply-To: <1088103476.3151.7.camel@localhost.bluenet>
References: <1088103476.3151.7.camel@localhost.bluenet>
Message-ID: <1088140459.3176.4.camel@localhost.bluenet>

Here's the targeted policy. It has some of the httpd errors from the strict policy test.

Kernel: 2.6.7-1.448
Selinux-targeted: 1.13.8-1

I relabeled prior to running this test. I'm sorry if any of these are duplicates or have been fixed.

==================================================================
audit2allow:

allow httpd_t bin_t:dir { getattr };
allow httpd_t httpd_log_t:file { write };
allow httpd_t sbin_t:dir { getattr };
===================================================================

HTTPD

1) name = /sbin or /usr/sbin
   tclass = dir
   denied { getattr }
   exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:sbin_t

2) name = /bin or /usr/bin or /usr/X11R6/bin
   tclass = dir
   denied { getattr }
   exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:bin_t

3) name = jk2.shm
   tclass = file
   denied { write }
   exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:httpd_log_t

From russell at coker.com.au Fri Jun 25 08:26:31 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 25 Jun 2004 18:26:31 +1000
Subject: lack of AVC denied messages
In-Reply-To: <40DBA164.4040100@mindspring.com>
References: <40DB94E6.9080609@mindspring.com> <40DBA164.4040100@mindspring.com>
Message-ID: <200406251826.31010.russell@coker.com.au>

On Fri, 25 Jun 2004 13:52, Richard Hally wrote:
> Sorry for the reply to my own message.
> After remembering (and using) the 'enableaudit' option for making
> policy, the needed avc denied messages to generate the allow rules were
> produced.
> But this raises the larger question of how are we going to handle the
> dontaudit rules in the future? And how do we distinguish between those
> that are for "harmless" denials and those that are not?

Mozilla is a difficult program in this regard. In normal operation it will try to stat() many files and read many directories that you don't want it to, so dontaudit rules are needed. Then when you get mis-labelled files and directories you don't see any AVC messages because of the dontaudit rules.

It's especially difficult because it's a program that users run. If the same problem occurs with a daemon then the person who runs it can just load a new policy to investigate it. The person who has a Mozilla program often does not have this option.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From dwalsh at redhat.com Fri Jun 25 10:17:34 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 25 Jun 2004 06:17:34 -0400
Subject: How to properly upgrade policy
In-Reply-To: <1088110834.6023.6.camel@localhost.bluenet>
References: <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet>
Message-ID: <40DBFBBE.8070204@redhat.com>

Ivan Gyurdiev wrote:
> On Thu, 2004-06-24 at 16:45 -0400, Stephen Smalley wrote:
>> On Thu, 2004-06-24 at 16:21, Ivan Gyurdiev wrote:
>>> What's the proper way to upgrade the selinux policy?
>>>
>>> yum and rpm leave me with .rpmnew files every single time.
>>
>> This suggests that you installed the policy source package as well, or
>> locally modified your policy directly. If you install or update the
>> policy source package (selinux-policy-strict-sources), then it should
>> rebuild the policy files from source and load the new ones automatically
>> as part of the %post. Updating the policy package
>> (selinux-policy-strict) will then leave you with .rpmnew files because
>> it sees that the files have been locally rebuilt.
>
> Yes, I have the sources package installed - I need it to make relabel
> don't I? Since I upgrade through yum, and rawhide updates the sources
> package with the other one, I always update them together. However, the
> resulting files are not the same - file_contexts and file_contexts.
> rpmnew are different, and the binary policy differs too.
>
>>> Do I need to run make relabel?
>>
>> It is generally safest to do so, but often unnecessary (only if there is
>> a relevant change to file_contexts that affects you). Relabeling is not
>> presently automatically performed upon a policy update.
>
> Are there plans to change that?

No because this could be a very long process. We are hoping to not change policy very often and less often change File Contexts.
Especially with Targeted policy. I have modified fixfiles to be able to use RPM files as input and we are looking into a cron script to walk the file system on a regular basis to inform users of problems in the file context. This script could either repair the problems automatically (Not recommended), or easily allow the administrator to fix them the next morning.

Setfiles and restorecon have a new qualifier (-o filename) which will record the file paths of any files that the tools find with the incorrect security context. So if you run setfiles -n -v -o /tmp/badfilecontexts, you would have a report and a file with all the paths of files with bad file contexts. If everything looks ok, you could run restorecon -f /tmp/badfilecontexts and clean them up quickly.

Dan

From sds at epoch.ncsc.mil Fri Jun 25 12:01:10 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 25 Jun 2004 08:01:10 -0400
Subject: /u?dev/microcode ?
In-Reply-To: <200406251411.34994.russell@coker.com.au>
References: <40DB061B.9030608@comcast.net> <200406251411.34994.russell@coker.com.au>
Message-ID: <1088164870.6872.1.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-06-25 at 00:11, Russell Coker wrote:
> On Fri, 25 Jun 2004 02:49, Tom London wrote:
> > A previous posting indicated that /u?dev/microcode should be labeled as
> > system_u:object_r:cpu_device_t.
> >
> > Is this still needed? Added to file_contexts/types.fc?
>
> Yes it's still needed. If it's not yet in the fedora policy then it soon will
> be.

Current file_contexts/types.fc already has the following entry:

/u?dev/cpu/.*		-c	system_u:object_r:cpu_device_t

And ls -Z /dev/cpu/0/microcode does show the right context.

-- 
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Fri Jun 25 12:07:22 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 25 Jun 2004 08:07:22 -0400
Subject: /u?dev/microcode ?
In-Reply-To: <1088164870.6872.1.camel@moss-spartans.epoch.ncsc.mil>
References: <40DB061B.9030608@comcast.net> <200406251411.34994.russell@coker.com.au> <1088164870.6872.1.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1088165242.6872.5.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-06-25 at 08:01, Stephen Smalley wrote:
> Current file_contexts/types.fc already has the following entry:
> /u?dev/cpu/.*		-c	system_u:object_r:cpu_device_t
>
> And ls -Z /dev/cpu/0/microcode does show the right context.

Sorry, I misread the original posting. There is no entry for a /udev/microcode in types.fc.

-- 
Stephen Smalley
National Security Agency

From bobgus at rcn.com Fri Jun 25 15:28:57 2004
From: bobgus at rcn.com (Bob Gustafson) Date: Fri, 25 Jun 2004 10:28:57 -0500 Subject: How to properly upgrade policy In-Reply-To: <40DBFBBE.8070204@redhat.com> References: <1088110834.6023.6.camel@localhost.bluenet> <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet> Message-ID: On Fri, 25 Jun 2004 06:17:34 -0400, Dan Walsh wrote: >Ivan Gyurdiev wrote: > >>On Thu, 2004-06-24 at 16:45 -0400, Stephen Smalley wrote: >> >> >>>On Thu, 2004-06-24 at 16:21, Ivan Gyurdiev wrote: >>> >>> >>>>What's the proper way to upgrade the selinux policy? >>>> >>>>yum and rpm leave me with .rpmnew files every single time. >>>> >>>> >>>This suggests that you installed the policy source package as well, or >>>locally modified your policy directly. If you install or update the >>>policy source package (selinux-policy-strict-sources), then it should >>>rebuild the policy files from source and load the new ones automatically >>>as part of the %post. Updating the policy package >>>(selinux-policy-strict) will then leave you with .rpmnew files because >>>it sees that the files have been locally rebuilt. >>> >>> >> >>Yes, I have the sources package instaled - I need it to make relabel >>don't I? Since I upgrade through yum, and rawhide updates the sources >>package with the other one, I always update them together. However, the >>resulting files are not the same - file_contexts and file_contexts. >>rpmnew are different, and the binary policy differs too. >> >> >> >> >>>>Do I need to run make relabel? >>>> >>>>______________________________________________________________________ >>>> >>>> >>>It is generally safest to do so, but often unnecessary (only if there is >>>a relevant change to file_contexts that affects you). Relabeling is not >>>presently automatically performed upon a policy update. >>> >>> >> >>Are there plans to change that? >> >> >> >> >No because this could be a very long process. 
>We are hoping to not change policy very often and less often change
>File Contexts. Especially with Targeted policy. I have modified fixfiles
>to be able to use RPM files as input and we are looking into a cron
>script to walk the file system on a regular basis to inform users of
>problems in the file context. This script could either repair the
>problems automatically (Not recommended), or easily allow the
>administrator to fix them the next morning.
>
>Setfiles and restorecon have a new qualifier (-o filename) which will
>record the file paths of any files that the tools find with the
>incorrect security context. So if you run setfiles -n -v -o
>/tmp/badfilecontexts, you would have a report and a file with all the
>paths of files with bad file contexts. If everything looks ok, you
>could run restorecon -f /tmp/badfilecontexts and clean them up quickly.
>
>Dan

Sounds pretty good in the long term.

However, looking at my output from fixfiles, it seems as though there are
gross changes in policy that are occasionally occurring during this
development phase (object_r -> system_r).

It would be nice to get some sort of indication that a fixfiles run would
be helpful when these gross changes occur.

----
There was a note a while ago saying that the log from fixfiles would remain
in the /tmp area, even though 'Y' was chosen to zap the /tmp files prior to
relabel. Does this file survive the necessary following reboot? (I did not
see it when I looked just now).

----
There was some talk of changing PAM so that it would better handle the 'su'
operation. Has this been done? I ask this because I cannot get into any of
my root privileged Gnome applications anymore. This had been a problem,
then it was fixed, now it is a problem (for me) again.

It seemed as though the proposed PAM change would also enable a shutdown
direct from Gnome - even though Gnome had originally been started up as a
user application (it would of course ask for a root password).
----- I am currently (as of an hour ago) current on 'yum update' and I did a complete 'fixfiles relabel' at init 1 state before my last boot. BobG From dwalsh at redhat.com Fri Jun 25 15:28:16 2004 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 25 Jun 2004 11:28:16 -0400 Subject: How to properly upgrade policy In-Reply-To: References: <1088110834.6023.6.camel@localhost.bluenet> <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet> Message-ID: <40DC4490.5000901@redhat.com> Bob Gustafson wrote: >On Fri, 25 Jun 2004 06:17:34 -0400, Dan Walsh wrote: > > >>Ivan Gyurdiev wrote: >> >> >> >>>On Thu, 2004-06-24 at 16:45 -0400, Stephen Smalley wrote: >>> >>> >>> >>> >>>>On Thu, 2004-06-24 at 16:21, Ivan Gyurdiev wrote: >>>> >>>> >>>> >>>> >>>>>What's the proper way to upgrade the selinux policy? >>>>> >>>>>yum and rpm leave me with .rpmnew files every single time. >>>>> >>>>> >>>>> >>>>> >>>>This suggests that you installed the policy source package as well, or >>>>locally modified your policy directly. If you install or update the >>>>policy source package (selinux-policy-strict-sources), then it should >>>>rebuild the policy files from source and load the new ones automatically >>>>as part of the %post. Updating the policy package >>>>(selinux-policy-strict) will then leave you with .rpmnew files because >>>>it sees that the files have been locally rebuilt. >>>> >>>> >>>> >>>> >>>Yes, I have the sources package instaled - I need it to make relabel >>>don't I? Since I upgrade through yum, and rawhide updates the sources >>>package with the other one, I always update them together. However, the >>>resulting files are not the same - file_contexts and file_contexts. >>>rpmnew are different, and the binary policy differs too. >>> >>> >>> >>> >>> >>> >>>>>Do I need to run make relabel? >>>>> >>>>>______________________________________________________________________ >>>>> >>>>> >>>>> >>>>> >>>>It is generally safest to do so, but often unnecessary (only if there is >>>>a relevant change to file_contexts that affects you). 
Relabeling is not >>>>presently automatically performed upon a policy update. >>>> >>>> >>>> >>>> >>>Are there plans to change that? >>> >>> >>> >>> >>> >>> >>No because this could be a very long process. We are hoping to not >>change policy very often and less often change File Contexts. >>Especially with Targeted policy. I have modified fixfiles to be able to >>use RPM files as input and we are looking into a cron script to walk the >>file system on a regular basis to inform users of problems in the file >>context. This script could either repair the problems automatically >>(Not recommended), or easily allow the administrator to fix them the >>next morning. >> >>Setfiles and restorecon have a new qualifier (-o filename) which will >>record the file paths of any files that the tools find with the >>incorrect security context. So if you run setfiles -n -v -o >>/tmp/badfilecontexts, you would have a report and a file with all the >>paths of files with bad file contexts. If everything looks ok, you >>could run restorecon -f /tmp/badfilecontexts and clean them up quickly. >> >>Dan >> >> >> > >Sounds pretty good in the long term. > >However, looking my output from fixfiles, it seems as though there are >gross changes in policy that are occasionally occuring during this >development phase (object_r -> system_r). > >It would be nice to get some sort of indication that a fixfiles run would >be helpful when these gross changes occur. > >---- >There was a note awhile ago saying that the log from fixfiles would remain >in the /tmp area, even though 'Y' was chosen to zap the /tmp files prior to >relabel. Does this file survive the necessary following reboot? (I did not >see it when I looked just now). > > Log files are stored in /var/tmp to avoid the conflict. They should survive the reboot. >---- >There was some talk of changing PAM so that it would better handle the 'su' >operation. Has this been done? 
I ask this because I cannot get into any of >my root priviledged Gnome applications anymore. This had been a problem, >then it was fixed, now it is a problem (for me) again. > > > We moved around the pam_xauth and pam_selinux open calls in /etc/pam.d/su (coreutils) >It seemed as though the proposed PAM change would also enable a shutdown >direct from Gnome - even though Gnome had originally been started up as a >user application (it would of course ask for a root password). > >----- >I am currently (as of an hour ago) current on 'yum update' and I did a >complete 'fixfiles relabel' at init 1 state before my last boot. > >BobG >-- >fedora-selinux-list mailing list >fedora-selinux-list at redhat.com >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > From sds at epoch.ncsc.mil Fri Jun 25 16:17:16 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Fri, 25 Jun 2004 12:17:16 -0400 Subject: How to properly upgrade policy In-Reply-To: References: <1088110834.6023.6.camel@localhost.bluenet> <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet> Message-ID: <1088180235.6872.109.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2004-06-25 at 11:28, Bob Gustafson wrote: > However, looking my output from fixfiles, it seems as though there are > gross changes in policy that are occasionally occuring during this > development phase (object_r -> system_r). Files shouldn't be labeled with system_r, and I see no instances of system_r in either the strict or targeted file_contexts file. Details? -- Stephen Smalley National Security Agency From selinux at comcast.net Fri Jun 25 16:26:33 2004 
From: selinux at comcast.net (Tom London) Date: Fri, 25 Jun 2004 09:26:33 -0700 Subject: How to properly upgrade policy Message-ID: <40DC5239.8030703@comcast.net> These are VERY nice changes, automating what I've been doing manually. An observation: the package 'install' process has gotten much better with file contexts. Any thoughts on automating the assignment of file contexts to the files created by package scripts (e.g., /boot/grub/grub.conf, depmod files, /etc/selinux/config, ...)? Would be nice to have a 'SELinux package description' that describes the package's desired/default contexts. That would allow inspection prior to install, tools to check consistency with installed file_contexts, etc. 'rpm -q --filecontext' is almost it. Any way to add the other stuff to it, or something like it? tom [Sorry if this is old hat....] Dan Walsh wrote: > Setfiles and restorecon have a new qualifier (-o filename) which will > record the file paths of any files that the tools find with the > incorrect security context. So if you run setfiles -n -v -o > /tmp/badfilecontexts, you would have a report and a file with all the > paths of files with bad file contexts. If everything looks ok, you > could run restorecon -f /tmp/badfilecontexts and clean them up quickly. From gbpeck at sbcglobal.net Fri Jun 25 16:34:15 2004 
From: gbpeck at sbcglobal.net (Gary Peck) Date: Fri, 25 Jun 2004 09:34:15 -0700 Subject: restorecon vs. setfiles In-Reply-To: <40ABB2DE.5090107@redhat.com> References: <20040519022249.GC3717@realify.com> <40AACEEC.4040805@nogin.org> <40AACF8A.7010407@redhat.com> <1084968582.30873.3.camel@moss-spartans.epoch.ncsc.mil> <40ABB2DE.5090107@redhat.com> Message-ID: <20040625163415.GI16241@realify.com> > >matchpathcon takes a pathname and optional file mode as input > >parameters for matching against the file contexts configuration. It > >doesn't attempt to stat the file itself to obtain the mode because it > >is sometimes used by programs that are creating new files (e.g. udev) > >and want to know the context for the file they are about to create, > >so it requires the caller to provide the mode. restorecon currently > >passes 0 as the mode, so no mode matching is performed. > > > >So this is a bug in restorecon; it needs to be changed to stat the > >file and provide the mode. Looks like a similar bug might be present in rpm, or at least the end result is similar. Whenever I install new RPM's from Rawhide, *.so* files get installed with object_r:lib_t context. If I run "/sbin/fixfiles restore" right afterward, they get relabeled back to object_r:shlib_t. Either rpm has an old policy version on the Rawhide build machines, or it's not labeling files correctly. Also, the dev package in Rawhide comes with all files labeled as object_r:device_t. After running fixfiles, some of those get relabeled to the correct object_r:fixed_disk_device_t, object_r:tty_device_t, object_r:sound_device_t, etc. dev should have the correct contexts to begin with. Various files in /usr/sbin also don't have the correct contexts as shipped in the RPM's. This is all with selinux-policy-targeted-1.13.8-1, policycoreutils-1.13.3-2, and rpm-4.3.2-0.4. Gary From Valdis.Kletnieks at vt.edu Fri Jun 25 16:44:45 2004 
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 25 Jun 2004 12:44:45 -0400
Subject: How to properly upgrade policy
In-Reply-To: Your message of "Fri, 25 Jun 2004 10:28:57 CDT."
References: <1088110834.6023.6.camel@localhost.bluenet> <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet>
Message-ID: <200406251644.i5PGij26029130@turing-police.cc.vt.edu>

On Fri, 25 Jun 2004 10:28:57 CDT, Bob Gustafson said:
> However, looking at my output from fixfiles, it seems as though there are
> gross changes in policy that are occasionally occurring during this
> development phase (object_r -> system_r).
>
> It would be nice to get some sort of indication that a fixfiles run would
> be helpful when these gross changes occur.

In the generalized case, how would it know? (I mean, other than the already
mentioned 'fixfiles -n -v -o' and look at the logfile and restorecon)?

(Personally, I think a nightly cron job that does something like:

fixfiles -n -v -o /var/tmp/whatever; mail -s "Incorrect contexts" root < /var/tmp/whatever

is The Right Behavior. I owe whoever thought of it a beer :)

Right now, *my* single biggest mangler of contexts is all the local and 3rd-party
stuff that gets into system directories via 'make install' rather than via RPM
(so far this morning, I've already had one package that I did a 'cvs update'
and then 'make/make install', and since it supports plugins, the following
clean-up relabeled about 30 *.so files to shlib_t....

See above-mentioned Right Behavior, and guess who doesn't always remember
to run fixfiles after a 'make install' and needs to be nagged. :)

From sds at epoch.ncsc.mil Fri Jun 25 16:59:21 2004
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Fri, 25 Jun 2004 12:59:21 -0400 Subject: restorecon vs. setfiles In-Reply-To: <20040625163415.GI16241@realify.com> References: <20040519022249.GC3717@realify.com> <40AACEEC.4040805@nogin.org> <40AACF8A.7010407@redhat.com> <1084968582.30873.3.camel@moss-spartans.epoch.ncsc.mil> <40ABB2DE.5090107@redhat.com> <20040625163415.GI16241@realify.com> Message-ID: <1088182761.6872.138.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2004-06-25 at 12:34, Gary Peck wrote: > Looks like a similar bug might be present in rpm, or at least the end > result is similar. Whenever I install new RPM's from Rawhide, *.so* > files get installed with object_r:lib_t context. If I run > "/sbin/fixfiles restore" right afterward, they get relabeled back to > object_r:shlib_t. Either rpm has an old policy version on the Rawhide > build machines, or it's not labeling files correctly. > > Also, the dev package in Rawhide comes with all files labeled as > object_r:device_t. After running fixfiles, some of those get relabeled > to the correct object_r:fixed_disk_device_t, object_r:tty_device_t, > object_r:sound_device_t, etc. dev should have the correct contexts to > begin with. Various files in /usr/sbin also don't have the correct > contexts as shipped in the RPM's. > > This is all with selinux-policy-targeted-1.13.8-1, > policycoreutils-1.13.3-2, and rpm-4.3.2-0.4. I don't believe that rpm is computing file contexts at package build time anymore, since there are multiple policies (strict and targeted) now. It should instead compute the file contexts when unpacking the package based on your local file_contexts configuration, whose path is obtained from /usr/lib/rpm/macros using /etc/selinux/config to determine the active policy. It seems to be working for me. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Fri Jun 25 16:53:56 2004 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 25 Jun 2004 12:53:56 -0400
Subject: How to properly upgrade policy
In-Reply-To: <200406251644.i5PGij26029130@turing-police.cc.vt.edu>
References: <1088110834.6023.6.camel@localhost.bluenet> <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet> <200406251644.i5PGij26029130@turing-police.cc.vt.edu>
Message-ID: <40DC58A4.206@redhat.com>

Valdis.Kletnieks at vt.edu wrote:

>On Fri, 25 Jun 2004 10:28:57 CDT, Bob Gustafson said:
>
>>However, looking at my output from fixfiles, it seems as though there are
>>gross changes in policy that are occasionally occurring during this
>>development phase (object_r -> system_r).
>>
>>It would be nice to get some sort of indication that a fixfiles run would
>>be helpful when these gross changes occur.
>
>In the generalized case, how would it know? (I mean, other than the already
>mentioned 'fixfiles -n -v -o' and look at the logfile and restorecon)?
>
>(Personally, I think a nightly cron job that does something like:
>
>fixfiles -n -v -o /var/tmp/whatever; mail -s "Incorrect contexts" root < /var/tmp/whatever
>

That is the idea although you might want

fixfiles -n -v -o /var/tmp/whatever || mail -s "Incorrect contexts" root < /var/tmp/whatever

So you only get mail when it finds something. Of course this means
fixfiles exits with a status. I will look into this.

>is The Right Behavior. I owe whoever thought of it a beer :)
>
>Right now, *my* single biggest mangler of contexts is all the local and 3rd-party
>stuff that gets into system directories via 'make install' rather than via RPM
>(so far this morning, I've already had one package that I did a 'cvs update'
>and then 'make/make install', and since it supports plugins, the following
>clean-up relabeled about 30 *.so files to shlib_t....
>
>See above-mentioned Right Behavior, and guess who doesn't always remember
>to run fixfiles after a 'make install' and needs to be nagged. :)

From dwalsh at redhat.com Fri Jun 25 16:56:22 2004
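[Editor's note, placed between the messages of this thread.] The nightly job Valdis sketches and Dan refines above, written out as a cron-ready script. This is an added example; it is not code posted by anyone on the list and not part of policycoreutils. It uses the flags the thread names (setfiles -n -v -o to record the paths without changing anything, restorecon -f to repair only those paths) and keys the "send mail or not" decision off the report file rather than the exit status, which Dan notes the tools did not yet provide. It goes one step beyond the thread: it also tallies the "from X to Y" pairs in the verbose log, so a policy-wide type change (what Bob saw) is easy to tell apart from a handful of stray files after a 'make install' (Valdis's case). Assumptions: the file_contexts path in FC, the report and log locations under /var/tmp, and an available mail(1); the lines written by sample_log are constructed in the format of Bob's setfiles output.

```shell
#!/bin/sh
# label-audit.sh: nightly SELinux file-context audit.
# Editor's example for this thread; not part of policycoreutils and not code
# posted by any list member.
#
# Runs setfiles in check-only mode (-n) with -o, so the paths of mislabelled
# files land in one report file and the verbose "from X to Y" lines in a log,
# then mails root only when the report is non-empty. setfiles/fixfiles do not
# signal "found something" through their exit status, so everything keys off
# the report file instead.
#
# Assumptions, adjust to your tree: FC is the active file_contexts (on FC2 it
# lived under /etc/security/selinux or the policy source tree), REPORT and
# LOG live in /var/tmp so they survive a tmp-clearing relabel, and mail(1)
# exists.

FC=${FC:-/etc/selinux/targeted/contexts/files/file_contexts}
REPORT=${REPORT:-/var/tmp/badfilecontexts}
LOG=${LOG:-/var/tmp/badfilecontexts.log}
MAILTO=${MAILTO:-root}

# scan_labels REPORT LOG: check the whole tree, change nothing (-n).
scan_labels() {
    : > "$1"
    setfiles -n -v -o "$1" "$FC" / > "$2" 2>&1 ||
        echo "setfiles exited with status $?" >> "$2"
}

# count_bad REPORT: number of paths recorded (0 when empty or missing).
count_bad() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^/' "$1" || true    # grep exits 1 on zero matches; not an error here
}

# report_needed REPORT: true when at least one mislabelled path was found,
# so a caller can write: report_needed "$REPORT" && mail ...
report_needed() {
    [ "$(count_bad "$1")" -gt 0 ]
}

# summarize_log LOG: tally "<current context> -> <correct context>" pairs from
# any verbose line of the form "... from <ctx> to <ctx>". A whole type being
# renamed shows up as one pair with a large count.
summarize_log() {
    awk '/ from [^ ]* to [^ ]*$/ { n[$(NF-2) " -> " $NF]++ }
         END { for (k in n) printf "%6d  %s\n", n[k], k }' "$1" | LC_ALL=C sort -k2
}

# mail_report: send the summary plus the full log, only when something was found.
mail_report() {
    report_needed "$REPORT" || return 0
    { summarize_log "$LOG"; echo; cat "$LOG"; } |
        mail -s "SELinux: $(count_bad "$REPORT") mislabelled files on $(hostname)" "$MAILTO"
}

# fix_from_report REPORT: the repair step, run by a human after reading the
# mail; restorecon -f relabels only the listed paths.
fix_from_report() {
    report_needed "$1" || return 0
    restorecon -v -f "$1"
}

# sample_log FILE: constructed verbose lines in the format of Bob's setfiles
# output, for trying summarize_log without a real scan.
sample_log() {
    cat > "$1" <<'EOF'
/usr/sbin/setfiles: relabeling /usr/share/texmf/web2c/pdflatex.log from root:object_r:rpm_script_tmp_t to system_u:object_r:usr_t
/usr/sbin/setfiles: relabeling /usr/share/texmf/web2c/amstex.fmt from root:object_r:rpm_script_tmp_t to system_u:object_r:usr_t
/usr/sbin/setfiles: relabeling /usr/lib/libfoo.so.1 from system_u:object_r:lib_t to system_u:object_r:shlib_t
EOF
}

case ${1:-} in
    run) scan_labels "$REPORT" "$LOG"; mail_report ;;   # cron entry: label-audit.sh run
    fix) fix_from_report "$REPORT" ;;                   # after reviewing the mail
esac
```

A crontab line such as `0 4 * * * /usr/local/sbin/label-audit.sh run` gives the nightly nag, and `label-audit.sh fix` applies the relabel to exactly the recorded paths once someone has read the list; the automatic-repair variant Dan calls not recommended is deliberately absent.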
From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 25 Jun 2004 12:56:22 -0400 Subject: restorecon vs. setfiles In-Reply-To: <1088182761.6872.138.camel@moss-spartans.epoch.ncsc.mil> References: <20040519022249.GC3717@realify.com> <40AACEEC.4040805@nogin.org> <40AACF8A.7010407@redhat.com> <1084968582.30873.3.camel@moss-spartans.epoch.ncsc.mil> <40ABB2DE.5090107@redhat.com> <20040625163415.GI16241@realify.com> <1088182761.6872.138.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <40DC5936.1040004@redhat.com> Stephen Smalley wrote: >On Fri, 2004-06-25 at 12:34, Gary Peck wrote: > > >>Looks like a similar bug might be present in rpm, or at least the end >>result is similar. Whenever I install new RPM's from Rawhide, *.so* >>files get installed with object_r:lib_t context. If I run >>"/sbin/fixfiles restore" right afterward, they get relabeled back to >>object_r:shlib_t. Either rpm has an old policy version on the Rawhide >>build machines, or it's not labeling files correctly. >> >>Also, the dev package in Rawhide comes with all files labeled as >>object_r:device_t. After running fixfiles, some of those get relabeled >>to the correct object_r:fixed_disk_device_t, object_r:tty_device_t, >>object_r:sound_device_t, etc. dev should have the correct contexts to >>begin with. Various files in /usr/sbin also don't have the correct >>contexts as shipped in the RPM's. >> >>This is all with selinux-policy-targeted-1.13.8-1, >>policycoreutils-1.13.3-2, and rpm-4.3.2-0.4. >> >> > >I don't believe that rpm is computing file contexts at package build >time anymore, since there are multiple policies (strict and targeted) >now. It should instead compute the file contexts when unpacking the >package based on your local file_contexts configuration, whose path is >obtained from /usr/lib/rpm/macros using /etc/selinux/config to determine >the active policy. It seems to be working for me. > > > Any chance the so files are getting created in a post install script? 
rpm should be working the same as restorecon and setfiles. Dan From sds at epoch.ncsc.mil Fri Jun 25 17:44:15 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Fri, 25 Jun 2004 13:44:15 -0400 Subject: restorecon vs. setfiles In-Reply-To: <40DC5936.1040004@redhat.com> References: <20040519022249.GC3717@realify.com> <40AACEEC.4040805@nogin.org> <40AACF8A.7010407@redhat.com> <1084968582.30873.3.camel@moss-spartans.epoch.ncsc.mil> <40ABB2DE.5090107@redhat.com> <20040625163415.GI16241@realify.com> <1088182761.6872.138.camel@moss-spartans.epoch.ncsc.mil> <40DC5936.1040004@redhat.com> Message-ID: <1088185455.6872.183.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2004-06-25 at 12:56, Daniel J Walsh wrote: > Any chance the so files are getting created in a post install script? > rpm should be working the same as restorecon and setfiles. The .so symlink might be created by %post, but that is ok, as it just gets the type of the parent directory anyway. Only the actual shared object should have shlib_t, and that should be installed by rpm. rpm source code appears to be passing the mode as part of the lookup, so I don't think that is the issue. rpm -Uvh --force libselinux*.rpm keeps the correct security context on /lib/libselinux.so.1 for me, both on a strict policy machine and a targeted policy machine. rpm is 4.3.2-0.4; I haven't updated to -1 yet. -- Stephen Smalley National Security Agency From tmolina at redhat.com Fri Jun 25 10:38:28 2004 
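[Editor's note, placed between the messages of this thread.] Stephen's point above, that matchpathcon takes a path plus a file mode and that restorecon passing mode 0 means no mode matching is performed, is easier to see with the lookup modelled in a few lines of shell. This is an added example, not libselinux code, and it is no substitute for matchpathcon(8) on a real system. Assumptions: the four-line file_contexts written by sample_fc is constructed (the cpu_device_t line is the one Stephen quotes in the /u?dev/microcode thread; the other three are invented in the style of the real file), and the model keeps only the rules that matter here: anchored regex, optional file-type qualifier, last matching entry wins.

```shell
#!/bin/sh
# fc-lookup.sh: a small model of the file_contexts lookup matchpathcon does.
# Editor's example for this thread; not libselinux code. On a real system use
# matchpathcon(8), or matchpathcon -V to verify an existing file.
#
# A file_contexts line is:  REGEX [QUALIFIER] CONTEXT
#   REGEX      is matched against the whole path (anchored)
#   QUALIFIER  restricts the file type: -- regular file, -b block device,
#              -c character device, -d directory, -l symlink, -p fifo,
#              -s socket; no qualifier means any type
# The last matching line wins, which is why the shipped file lists generic
# entries before specific ones.

# fc_lookup FC PATH [MODE]
#   MODE is the type letter ls -l shows in column one (- b c d l p s).
#   Without MODE the qualifiers are ignored; that models the mode-0 lookup
#   Stephen describes for restorecon and shows why it can mislabel: a -c
#   entry is then free to claim a directory.
fc_lookup() {
    fc=$1; path=$2; mode=${3:-}
    result='<<none>>'
    while read -r regex qual ctx; do
        case $regex in ''|'#'*) continue ;; esac
        if [ -z "$ctx" ]; then ctx=$qual; qual=''; fi     # two-field line: no qualifier
        if [ -n "$qual" ] && [ -n "$mode" ] && [ "${qual#-}" != "$mode" ]; then
            continue                                       # wrong file type for this entry
        fi
        if printf '%s\n' "$path" | grep -Eqx -- "$regex"; then
            result=$ctx                                    # a later match overrides
        fi
    done < "$fc"
    printf '%s\n' "$result"
}

# sample_fc FILE: a constructed file_contexts in the shape of the real one.
sample_fc() {
    cat > "$1" <<'EOF'
/dev/.*                             system_u:object_r:device_t
/u?dev/cpu/.*                   -c  system_u:object_r:cpu_device_t
/usr(/.*)?                          system_u:object_r:usr_t
/usr/lib(64)?/.*\.so(\.[^/]*)*  --  system_u:object_r:shlib_t
EOF
}

# demo: the same directory looked up with and without its mode.
demo() {
    f=$(mktemp) && sample_fc "$f"
    for spec in '/dev/cpu/0/microcode c' '/dev/cpu/0 d' '/dev/cpu/0' \
                '/usr/lib/libfoo.so.1 -' '/usr/lib/libfoo.so l' '/etc/passwd -'; do
        set -- $spec
        printf '%-24s mode=%-4s %s\n' "$1" "${2:-none}" "$(fc_lookup "$f" "$1" "${2:-}")"
    done
    rm -f "$f"
}

case ${1:-} in demo) demo ;; esac
```

The two /dev/cpu/0 lookups are the whole point: with mode d the -c entry is skipped and the directory gets device_t, while with no mode the same directory comes back as cpu_device_t. The symlink case shows the other half of Stephen's later remark, that a .so symlink falls through the -- shlib_t entry and takes whatever the generic entry for its directory says.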
From: tmolina at redhat.com (Thomas Molina) Date: Fri, 25 Jun 2004 06:38:28 -0400 (EDT) Subject: How to properly upgrade policy In-Reply-To: <40DBFBBE.8070204@redhat.com> References: <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet> <40DBFBBE.8070204@redhat.com> Message-ID: > >>>What's the proper way to upgrade the selinux policy? > >>> > >>>yum and rpm leave me with .rpmnew files every single time. > >>> > >>> > >>This suggests that you installed the policy source package as well, or > >>locally modified your policy directly. If you install or update the > >>policy source package (selinux-policy-strict-sources), then it should > >>rebuild the policy files from source and load the new ones automatically > >>as part of the %post. Updating the policy package > >>(selinux-policy-strict) will then leave you with .rpmnew files because > >>it sees that the files have been locally rebuilt. Let me nail this down for my own benefit; maybe I am dense. If you install the policy source package you should refrain from also installing the policy package? So is it one or the other, but not both? From sds at epoch.ncsc.mil Fri Jun 25 17:58:09 2004 
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Fri, 25 Jun 2004 13:58:09 -0400 Subject: How to properly upgrade policy In-Reply-To: References: <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet> <40DBFBBE.8070204@redhat.com> Message-ID: <1088186288.6872.197.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2004-06-25 at 06:38, Thomas Molina wrote: > Let me nail this down for my own benefit; maybe I am dense. If you > install the policy source package you should refrain from also installing > the policy package? > > So is it one or the other, but not both? At present, policy-sources requires policy. Dan, is there a reason for that requires? Otherwise, I would say yes. It doesn't hurt to have policy installed as well, but it seems pointless, as updates of policy won't touch the locally rebuilt files created by the policy sources install/update. -- Stephen Smalley National Security Agency From unorlist at yahoo.com Fri Jun 25 18:50:56 2004 
From: unorlist at yahoo.com (Earl)
Date: Fri, 25 Jun 2004 11:50:56 -0700 (PDT)
Subject: VMWare config issue (Newbie)
Message-ID: <20040625185056.78688.qmail@web52003.mail.yahoo.com>

All,

I'm just learning so forgive the trivial nature of the question:

FC2, Installed VMWare workstation 4.5x, unable to run configuration script, just "yum-ed" so I'm up to date, relabelled, rebooted, still cannot run configuration script...

[root at host root]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
[root at host root]# /usr/bin/vmware-config.pl
Can't open perl script "/usr/bin/vmware-config.pl": Permission denied
[root at host root]# ls -Z /usr/bin/vmware-config.pl
-r-xr-xr-x+ root root system_u:object_r:vmware_exec_t /usr/bin/vmware-config.pl

Looks like a context problem to me but I am unsure what to change... my context, that of the script itself or modify context files and relabel?

I have the docs, have been reading, but I have not been able to understand some of the general concepts.

Any advice will be appreciated.

Earl

From bobgus at rcn.com Fri Jun 25 19:07:16 2004
From: bobgus at rcn.com (Bob Gustafson) Date: Fri, 25 Jun 2004 14:07:16 -0500 Subject: How to properly upgrade policy In-Reply-To: <1088180235.6872.109.camel@moss-spartans.epoch.ncsc.mil> References: <1088110834.6023.6.camel@localhost.bluenet> <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet> Message-ID: On Fri, 25 Jun 2004 12:17:16 -0400, Stephen Smalley wrote: >On Fri, 2004-06-25 at 11:28, Bob Gustafson wrote: >> However, looking my output from fixfiles, it seems as though there are >> gross changes in policy that are occasionally occuring during this >> development phase (object_r -> system_r). > >Files shouldn't be labeled with system_r, and I see no instances of >system_r in either the strict or targeted file_contexts file. Details? > >-- >Stephen Smalley >National Security Agency > I was looking around for the log of my fixfiles run at the time I wrote the message and did not find them in /tmp. Later found them in /var/tmp Faulty memory created the (object_r -> system_r) shown above. 
Some of the actual lines (317) are shown below:

Many of the relabelings were from root: to system_u (not _r)

/usr/sbin/setfiles: relabeling /usr/share/texmf/web2c/pdflatex.log from root:object_r:rpm_script_tmp_t to system_u:object_r:usr_t
/usr/sbin/setfiles: relabeling /usr/share/texmf/web2c/pdfjadetex.fmt from root:object_r:rpm_script_tmp_t to system_u:object_r:usr_t
/usr/sbin/setfiles: relabeling /usr/share/texmf/web2c/pdfxmltex.log from root:object_r:rpm_script_tmp_t to system_u:object_r:usr_t
/usr/sbin/setfiles: relabeling /usr/share/texmf/web2c/amstex.fmt from root:object_r:rpm_script_tmp_t to system_u:object_r:usr_t
/usr/sbin/setfiles: relabeling /usr/share/texmf/web2c/bamstex.log from root:object_r:rpm_script_tmp_t to system_u:object_r:usr_t
/usr/sbin/setfiles: relabeling /usr/share/texmf/web2c/cont-en.efmt from root:object_r:rpm_script_tmp_t to system_u:object_r:usr_t
/usr/sbin/setfiles: relabeling /usr/share/texmf/web2c/elatex.log from root:object_r:rpm_script_tmp_t to system_u:object_r:usr_t
/usr/sbin/setfiles: relabeling /usr/share/texmf/web2c/lambda.oft from root:object_r:rpm_script_tmp_t to system_u:object_r:usr_t

From sds at epoch.ncsc.mil Fri Jun 25 19:10:26 2004
From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Fri, 25 Jun 2004 15:10:26 -0400 Subject: How to properly upgrade policy In-Reply-To: References: <1088110834.6023.6.camel@localhost.bluenet> <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet> Message-ID: <1088190626.6872.200.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2004-06-25 at 15:07, Bob Gustafson wrote: > Many of the relabelings were from root: to system_u (not _r) That is ok. setfiles just sets the user identities on all files to system_u initially, but subsequent file creation at runtime will leave them with the user identity of the creating process. -- Stephen Smalley National Security Agency From sds at epoch.ncsc.mil Fri Jun 25 19:42:39 2004 
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 25 Jun 2004 15:42:39 -0400
Subject: VMWare config issue (Newbie)
In-Reply-To: <20040625185056.78688.qmail@web52003.mail.yahoo.com>
References: <20040625185056.78688.qmail@web52003.mail.yahoo.com>
Message-ID: <1088192559.6872.212.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-06-25 at 14:50, Earl wrote:
> All,
>
> I'm just learning so forgive the trivial nature of the
> question:
>
> FC2, Installed VMWare workstation 4.5x, unable to run
> configuration script, just "yum-ed" so I'm up to date,
> relabelled, rebooted, still cannot run configuration
> script...
> [root at host root]# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=root:sysadm_r:sysadm_t
> [root at host root]# /usr/bin/vmware-config.pl
> Can't open perl script "/usr/bin/vmware-config.pl":
> Permission denied
> [root at host root]# ls -Z /usr/bin/vmware-config.pl
> -r-xr-xr-x+ root root
> system_u:object_r:vmware_exec_t
> /usr/bin/vmware-config.pl
>
> Looks like a context problem to me but I am unsure
> what to change... my context, that of the script
> itself or modify context files and relabel?
>
> I have the docs, have been reading, but I have not
> been able to understand some of the general concepts.
>
> Any advice will be appreciated.

audit2allow -d -l | grep vmware_t

should show you the relevant missing allow statements from the policy.
On FC2, you can then add them to your policy by doing the following:

yum install policy-sources
cd /etc/security/selinux/src/policy
audit2allow -d -l | grep vmware_t >> domains/misc/local.te
make load

But I'm not clear that vmware-config.pl should be labeled vmware_exec_t
at all (vs. bin_t). What is the advantage of running the configuration
script in vmware_t vs. sysadm_t? There are no type transition rules for
vmware_t (except for /var/run files), so it doesn't help keep the
configuration in the right type.
--
Stephen Smalley
National Security Agency

From rosa at gwu.edu Fri Jun 25 20:26:16 2004
From: rosa at gwu.edu (Olga Gelbart)
Date: Fri, 25 Jun 2004 16:26:16 -0400
Subject: FC2 SELinux Installation issue (Newbie)
In-Reply-To: <1088192559.6872.212.camel@moss-spartans.epoch.ncsc.mil>
References: <20040625185056.78688.qmail@web52003.mail.yahoo.com> <1088192559.6872.212.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <40DC8A68.4080308@gwu.edu>

Hello everyone,

Sorry for a newbie question. I have never worked with SELinux before. I am a doctoral student in computer science, and as part of my research project I have to install SELinux.

I have a FC2 (2.6.6 kernel) machine. I downloaded, compiled and installed an SELinux-patched 2.6.6 kernel from NSA, then I installed the user utilities (policycoreutils, libselinux, etc -- downloaded from NSA's website as well). Since I have FC2, I am assuming that I don't need to install patched utilities, since they are now included in FC2.

I only have the root user at this point, so I didn't edit the default policy file that came with the installation. I just did a 'make relabel' and booted into the SELinux kernel. If I just log in and run, e.g., "ls -Z", I get the error that the kernel has to support SELinux. If I then cd into /etc/security/selinux/src/policy and do a "make load", then 'ls -Z' or 'id' work properly and show me the context.

Now if I reboot, the system forgets what I just did, and I have to do a 'make load' again. Something is not starting up at boot, I would guess. I tried 'selinux=1' at boot, but that doesn't change anything.

I would really appreciate it if anyone has any suggestions.

thanks a lot,
Olga Gelbart
Department of Computer Science
The George Washington University

From don.patterson at tresys.com Fri Jun 25 21:05:28 2004
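[Editor's note, placed between the messages of this thread.] The recipe in Stephen Smalley's reply to Earl's VMware question above (audit2allow -d -l, grep for the domain, append to local.te, make load) is easier to judge once you see what audit2allow actually does with an AVC line. The script below is an added example, not audit2allow and not code posted by anyone on the list: it pulls the denied permissions, the source type, the target type and the object class out of each "avc: denied" line, merges them per (source, target, class) and prints allow rules, with an optional filter that keeps only denials touching one domain (a stricter version of Stephen's grep vmware_t, which matches the substring anywhere on the line). Assumptions: the FC2-era syslog AVC format with user:role:type contexts, and the sample lines in sample_avc, which are constructed (one is shaped like Earl's symptom, perl in sysadm_t reading a vmware_exec_t file; none is taken from the thread). The output is meant to be read, not blindly appended: a denial may mean the file is mislabelled (Stephen's bin_t vs vmware_exec_t point) or that the access should stay denied.

```shell
#!/bin/sh
# avc2allow.sh: turn "avc: denied" lines into allow rules, the way audit2allow
# does, optionally keeping only denials that involve one domain.
# Editor's example for this thread; not audit2allow and not code from any list
# member. The rules are a starting point for review, not for local.te unread.

# avc_to_allow [DOMAIN]: reads AVC lines on stdin, writes allow rules.
avc_to_allow() {
    domain=${1:-}
    # 1. extract the permission list, source type, target type and class;
    #    the type is the third field of user:role:type[:level]
    sed -n 's/.*avc: *denied *{ *\([^}]*[^ }]\) *} .*scontext=[^:]*:[^:]*:\([^: ]*\) .*tcontext=[^:]*:[^:]*:\([^: ]*\) .*tclass=\([^ ]*\).*/\2|\3|\4|\1/p' |
    # 2. one line per permission
    awk -F'|' '{ n = split($4, p, " "); for (i = 1; i <= n; i++) print $1 "|" $2 "|" $3 "|" p[i] }' |
    # 3. optional domain filter on the source or target type
    awk -F'|' -v d="$domain" 'd == "" || $1 == d || $2 == d' |
    # 4. dedupe; equal (source, target, class) keys become adjacent
    LC_ALL=C sort -u |
    # 5. merge adjacent keys into one allow rule
    awk -F'|' '
        { k = $1 " " $2 ":" $3
          if (k != prev) {
              if (prev != "") print "allow " prev " { " perms " };"
              prev = k; perms = $4
          } else perms = perms " " $4 }
        END { if (prev != "") print "allow " prev " { " perms " };" }'
}

# sample_avc: constructed syslog lines in the FC2-era AVC format (not from the
# thread): a denial shaped like Earl's symptom, one for vmware_t, and an
# unrelated user_t denial that a domain filter should drop.
sample_avc() {
    cat <<'EOF'
Jun 25 14:40:01 host kernel: audit(1088192401.123:0): avc:  denied  { read } for  pid=3120 exe=/usr/bin/perl path=/usr/bin/vmware-config.pl dev=hda2 ino=131223 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vmware_exec_t tclass=file
Jun 25 14:40:01 host kernel: audit(1088192401.124:0): avc:  denied  { getattr } for  pid=3120 exe=/usr/bin/perl path=/usr/bin/vmware-config.pl dev=hda2 ino=131223 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vmware_exec_t tclass=file
Jun 25 14:41:07 host kernel: audit(1088192467.555:0): avc:  denied  { write add_name } for  pid=3141 exe=/usr/bin/vmware name=vmware dev=hda2 ino=9021 scontext=root:sysadm_r:vmware_t tcontext=system_u:object_r:var_run_t tclass=dir
Jun 25 14:42:00 host kernel: audit(1088192520.001:0): avc:  denied  { read } for  pid=3200 exe=/bin/cat path=/etc/shadow dev=hda2 ino=4412 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
EOF
}

case ${1:-} in
    convert) avc_to_allow "${2:-}" ;;                 # e.g. dmesg | avc2allow.sh convert vmware_t
    demo)    sample_avc | avc_to_allow "${2:-}" ;;    # rules for the constructed lines
esac
```

Run without a domain, the sample produces three rules, including "allow user_t shadow_t:file { read };", which is exactly the kind of line the grep step in Stephen's recipe exists to keep out of local.te; with vmware_t as the filter only the var_run_t rule survives, and the sysadm_t/vmware_exec_t denial is dropped too, which is why he goes on to ask whether that label is right in the first place.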
From: don.patterson at tresys.com (Don Patterson)
Date: Fri, 25 Jun 2004 17:05:28 -0400
Subject: FC2 SELinux Installation issue (Newbie)
In-Reply-To: <40DC8A68.4080308@gwu.edu>
Message-ID: <20040625210535.VJJF9899.mm-ismta3.bizmailsrvcs.net@ICEMAN>

Because SELinux is disabled by default in FC2, you need to change the SELinux mode to either permissive mode or enforcing mode. It sounds like you may have this set to "SELINUX=Disabled" in the configuration file, which turns enforcing off and skips loading a policy at boot. See http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html#id2934153 for more information.

Don Patterson
Tresys Technology
www.tresys.com

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Olga Gelbart
Sent: Friday, June 25, 2004 3:26 PM
To: Fedora SELinux support list for users & developers.
Subject: FC2 SELinux Installation issue (Newbie)

Hello everyone,

Sorry for a newbie question. I have never worked with SELinux before. I am a doctoral student in computer science, and as part of my research project I have to install SELinux. I have a FC2 (2.6.6 kernel) machine. I downloaded, compiled and installed an SELinux-patched 2.6.6 kernel from NSA, then I installed the user utilities (policycoreutils, libselinux, etc -- downloaded from NSA's website as well). Since I have FC2, I am assuming that I don't need to install patched utilities, since they are now included in FC2. I only have root user at this point, so I didn't edit the default policy file that came with the installation. I just did a 'make relabel' and booted into the SELinux kernel. If I just log in and run, e.g., "ls -Z" I get the error that the kernel has to support SELinux. If I then cd into /etc/security/selinux/src/policy and do a "make load", then 'ls -Z' or 'id' work properly and show me the context. Now if I reboot, the system forgets what I just did, and I have to do a 'make load' again. Something is not starting up at boot, I would guess. I tried 'selinux=1' at boot, but that doesn't change anything.

I would really appreciate it if anyone has any suggestions.

thanks a lot,
Olga Gelbart
Department of Computer Science
The George Washington University

-- 
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From rosa at gwu.edu Fri Jun 25 21:28:50 2004
From: rosa at gwu.edu (Olga Gelbart)
Date: Fri, 25 Jun 2004 17:28:50 -0400
Subject: FC2 SELinux Installation issue (Newbie)
In-Reply-To: <20040625210535.VJJF9899.mm-ismta3.bizmailsrvcs.net@ICEMAN>
References: <20040625210535.VJJF9899.mm-ismta3.bizmailsrvcs.net@ICEMAN>
Message-ID: <40DC9912.9030401@gwu.edu>

Thanks! I checked the /etc/sysconfig/selinux file and set "SELinux=enforcing" (in all the documentation I read, I have never seen this file mentioned anywhere). Of course, now I have another problem. When I boot into the SELinux kernel, I am asked to enter the runlevel (I put either 3 or 5 and got the same results). After that I get a whole bunch of "avc: denied {read}" messages for /bin/bash and the system just hangs. Is my policy set up wrong? Can someone point me to a sample policy I can test on my machine? I would really appreciate that!

Thanks,
Olga Gelbart
Department of Computer Science
The George Washington University

Don Patterson wrote:
> Because SELinux is disabled by default in FC2, you need to change the
> SELinux mode to either permissive mode or enforcing mode. It sounds like you
> may have this set to "SELINUX=Disabled" in the configuration file, which
> turns enforcing off and skips loading a policy at boot. See
> http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html#id2934153
> for more information.
>
> Don Patterson
> Tresys Technology
> www.tresys.com
>
> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com
> [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Olga Gelbart
> Sent: Friday, June 25, 2004 3:26 PM
> To: Fedora SELinux support list for users & developers.
> Subject: FC2 SELinux Installation issue (Newbie)
>
> Hello everyone,
> Sorry for a newbie question. I have never worked with SELinux before.
> I am a doctoral student in computer science, and as part of my
> research project I have to install SELinux. I have a FC2 (2.6.6 kernel)
> machine. I downloaded, compiled and installed an SELinux-patched 2.6.6
> kernel from NSA, then I installed the user utilities (policycoreutils,
> libselinux, etc -- downloaded from NSA's website as well). Since I have
> FC2, I am assuming that I don't need to install patched utilities, since
> they are now included in FC2. I only have root user at this point,
> so I didn't edit the default policy file that came with the
> installation. I just did a 'make relabel' and booted into the SELinux
> kernel. If I just log in and run, e.g., "ls -Z" I get the error that
> the kernel has to support SELinux. If I then cd into
> /etc/security/selinux/src/policy and do a "make load", then 'ls -Z' or
> 'id' work properly and show me the context. Now if I reboot, the
> system forgets what I just did, and I have to do a 'make load' again.
> Something is not starting up at boot, I would guess. I tried 'selinux=1'
> at boot, but that doesn't change anything.
>
> I would really appreciate it if anyone has any suggestions.
>
> thanks a lot,
> Olga Gelbart
> Department of Computer Science
> The George Washington University
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From Valdis.Kletnieks at vt.edu Fri Jun 25 21:57:18 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 25 Jun 2004 17:57:18 -0400
Subject: FC2 SELinux Installation issue (Newbie)
In-Reply-To: Your message of "Fri, 25 Jun 2004 17:28:50 EDT." <40DC9912.9030401@gwu.edu>
References: <20040625210535.VJJF9899.mm-ismta3.bizmailsrvcs.net@ICEMAN> <40DC9912.9030401@gwu.edu>
Message-ID: <200406252157.i5PLvIj2011149@turing-police.cc.vt.edu>

On Fri, 25 Jun 2004 17:28:50 EDT, Olga Gelbart said:
> Thanks! I checked /etc/sysconfig/selinux file and set
> "SELinux=enforcing" (in all the documentation I read, I have never seen
> this file mentioned anywhere). Of course, now I have another problem.
> When I boot into SELinux kernel, I am asked to enter runlevel (I put
> either 3 or 5 and got the same results). After that I get whole bunch of
> "avc: denied {read}" messages for /bin/bash and the system just hangs. Is
> my policy set up wrong? Can someone point me to a sample policy I can
> test on my machine? I would really appreciate that!

Probably a botched relabel.

1) Boot with 'selinux=0' to disable it entirely.
2) Edit the selinux file and set to 'selinux=permissive'.
3) Reboot.
4) make relabel, then set 'selinux=enforcing' and reboot again.

-------------- next part --------------
A non-text attachment was scrubbed... (application/pgp-signature, 226 bytes)

From selinux at comcast.net Fri Jun 25 22:23:04 2004
From: selinux at comcast.net (Tom London)
Date: Fri, 25 Jun 2004 15:23:04 -0700
Subject: FC2 SELinux Installation issue (Newbie)
Message-ID: <40DCA5C8.7050206@comcast.net>

I believe you can boot in permissive mode (without editing the config file) by entering enforcing=0 as a boot parameter. So, this may be simpler....

1. Boot with 'enforcing=0 single' to get to single-user mode/permissive.
2. 'fixfiles relabel' (or 'make relabel' if needed)
3. Reboot

tom

> From: Valdis Kletnieks vt edu
>
> Probably a botched relabel.
>
> 1) Boot with 'selinux=0' to disable it entirely.
> 2) Edit the selinux file and set to 'selinux=permissive'.
> 3) Reboot.
> 4) make relabel, then set 'selinux=enforcing' and reboot again.

From n3npq at nc.rr.com Fri Jun 25 22:31:36 2004
From: n3npq at nc.rr.com (Jeff Johnson)
Date: Fri, 25 Jun 2004 18:31:36 -0400
Subject: How to properly upgrade policy
In-Reply-To: <40DC5239.8030703@comcast.net>
References: <40DC5239.8030703@comcast.net>
Message-ID: <40DCA7C8.5020006@nc.rr.com>

Tom London wrote:
> These are VERY nice changes, automating what I've been doing manually.
>
> An observation: the package 'install' process has gotten much better
> with file contexts.

Well, that isn't a compliment to rpm, but rather that policy is changing much more carefully imho.

> Any thoughts on automating the assignment of file contexts to the
> files created by package scripts (e.g., /boot/grub/grub.conf, depmod files,
> /etc/selinux/config, ...)? Would be nice to have a 'SELinux package
> description' that describes the package's desired/default contexts. That
> would allow inspection prior to install, tools to check consistency with
> installed file_contexts, etc. 'rpm -q --filecontext' is almost
> it. Any way to add the other stuff to it, or something like it?

Sure there's been thought, as well as a request for a syntax marker within package headers for files generated as a side effect of doing a package install. This is not going to work mostly because the side effect file probably does not exist when a package is installed, and hence there's no way to set the file context from within the installer because the file is not being created by the installer.

The deeper problem is not the handful (perhaps big) of files that are created as a side effect of installing a package, but rather files in /home which are not (and will never be) in a package at all.

So the current thought is to attempt to set file contexts not only when installing a package, but also through other means, like a cron script. The slocate database has been suggested as a means to enumerate all paths for applying the existing file context regexes. That will work, but will probably (I haven't checked yet) the file type as well.
73 de Jeff

From rosa at gwu.edu Fri Jun 25 22:57:44 2004
From: rosa at gwu.edu (Olga Gelbart)
Date: Fri, 25 Jun 2004 18:57:44 -0400
Subject: FC2 SELinux Installation issue (Newbie)
In-Reply-To: <200406252157.i5PLvIj2011149@turing-police.cc.vt.edu>
References: <20040625210535.VJJF9899.mm-ismta3.bizmailsrvcs.net@ICEMAN> <40DC9912.9030401@gwu.edu> <200406252157.i5PLvIj2011149@turing-police.cc.vt.edu>
Message-ID: <40DCADE8.5070002@gwu.edu>

Thank you. That worked!

Valdis.Kletnieks at vt.edu wrote:
> On Fri, 25 Jun 2004 17:28:50 EDT, Olga Gelbart said:
>> Thanks! I checked /etc/sysconfig/selinux file and set
>> "SELinux=enforcing" (in all the documentation I read, I have never seen
>> this file mentioned anywhere). Of course, now I have another problem.
>> When I boot into SELinux kernel, I am asked to enter runlevel (I put
>> either 3 or 5 and got the same results). After that I get whole bunch of
>> "avc: denied {read}" messages for /bin/bash and the system just hangs. Is
>> my policy set up wrong? Can someone point me to a sample policy I can
>> test on my machine? I would really appreciate that!
>
> Probably a botched relabel.
>
> 1) Boot with 'selinux=0' to disable it entirely.
> 2) Edit the selinux file and set to 'selinux=permissive'.
> 3) Reboot.
> 4) make relabel, then set 'selinux=enforcing' and reboot again.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

-------------- next part --------------
An HTML attachment was scrubbed...

From ivg2 at cornell.edu Sat Jun 26 05:54:41 2004
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Fri, 25 Jun 2004 23:54:41 -0600
Subject: No Comments?
In-Reply-To: <1088140459.3176.4.camel@localhost.bluenet>
References: <1088103476.3151.7.camel@localhost.bluenet> <1088140459.3176.4.camel@localhost.bluenet>
Message-ID: <1088229282.3727.1.camel@localhost.bluenet>

Should I file bugzilla(s)? Are those duplicates? fixed? bugs?

-------------- next part --------------
A non-text attachment was scrubbed... (signature.asc, application/pgp-signature, 189 bytes: This is a digitally signed message part)

From russell at coker.com.au Sat Jun 26 06:43:32 2004
From: russell at coker.com.au (Russell Coker)
Date: Sat, 26 Jun 2004 16:43:32 +1000
Subject: How to properly upgrade policy
In-Reply-To: <200406251644.i5PGij26029130@turing-police.cc.vt.edu>
References: <1088110834.6023.6.camel@localhost.bluenet> <200406251644.i5PGij26029130@turing-police.cc.vt.edu>
Message-ID: <200406261643.33045.russell@coker.com.au>

On Sat, 26 Jun 2004 02:44, Valdis.Kletnieks at vt.edu wrote:
> Right now, *my* single biggest mangler of contexts is all the local and
> 3rd-party stuff that gets into system directories via 'make install' rather
> than via RPM (so far this morning, I've already had one package that I did
> a 'cvs update' and then 'make/make install', and since it supports plugins,
> the following clean-up relabeled about 30 *.so files to shlib_t....

Why not just build RPMs of all your third-party stuff?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Sat Jun 26 08:15:10 2004
From: russell at coker.com.au (Russell Coker)
Date: Sat, 26 Jun 2004 18:15:10 +1000
Subject: VMWare config issue (Newbie)
In-Reply-To: <1088192559.6872.212.camel@moss-spartans.epoch.ncsc.mil>
References: <20040625185056.78688.qmail@web52003.mail.yahoo.com> <1088192559.6872.212.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200406261815.10749.russell@coker.com.au>

On Sat, 26 Jun 2004 05:42, Stephen Smalley wrote:
> But I'm not clear that vmware-config.pl should be labeled vmware_exec_t
> at all (vs. bin_t). What is the advantage of running the configuration
> script in vmware_t vs. sysadm_t? There are no type transition rules for
> vmware_t (except for /var/run files), so it doesn't help keep the
> configuration in the right type.

Yes, vmware-config.pl should be labelled as bin_t (IE removed from vmware.fc). But that's a small issue compared to all the other vmware issues. We want to have support for multiple domains for vmware for different user roles, and the policy should be easily configurable for one user to be able to launch vmware in different domains for NetTop type stuff.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From rhallyx at mindspring.com Sat Jun 26 08:59:36 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Sat, 26 Jun 2004 04:59:36 -0400
Subject: avc denied message from booting
Message-ID: <40DD3AF8.7010504@mindspring.com>

Below is part of the syslog messages from booting in enforcing mode with the latest policy. Perhaps it will be useful.

Richard Hally

Jun 26 04:39:43 new2 rc: Starting readahead: succeeded
Jun 26 04:39:44 new2 messagebus: messagebus startup succeeded
Jun 26 04:39:45 new2 kernel: audit(1088239185.333:0): avc: denied { read write } for pid=2385 exe=/bin/umount path=/dev/ptmx dev=hda2 ino=1064807 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
Jun 26 04:39:45 new2 udev[2511]: creating device node '/dev/vcs3'

From dwalsh at redhat.com Sat Jun 26 10:35:35 2004
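The audit2allow step Stephen Smalley gives in the VMWare thread and the raw AVC line Richard posts above are two ends of the same pipeline: audit2allow reads denial records in exactly that format and turns them into policy allow statements. The Python below is an added example written for this archive page, not audit2allow's own code and not anything posted in the thread. It parses 2.6-era AVC lines, aggregates the denied permissions per (source type, target type, object class) and renders them as allow rules, with an optional domain filter standing in for the `| grep vmware_t` step. The first line of SAMPLE_LOG is Richard's umount/ptmx denial; the remaining lines are constructed for the example, and the vmware_t denials in them are invented input, not real policy gaps.

```python
"""Turn SELinux AVC denial lines into policy allow rules, the way
`audit2allow -d -l` does before its output is appended to local.te.

Added example for this archive page; not code from audit2allow or from
the policy package.  The first line of SAMPLE_LOG is the umount/ptmx
denial posted in the thread; the rest are constructed for the example.
"""
import re
from collections import defaultdict

# Matches the 2.6-era kernel AVC record:
#   ... avc:  denied  { read write } for  pid=2385 exe=/bin/umount ... tclass=chr_file
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_LOG = """\
Jun 26 04:39:45 new2 kernel: audit(1088239185.333:0): avc:  denied  { read write } for  pid=2385 exe=/bin/umount path=/dev/ptmx dev=hda2 ino=1064807 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
Jun 26 04:40:01 new2 kernel: audit(1088239201.101:0): avc:  denied  { search } for  pid=2601 exe=/usr/bin/vmware name=vmware dev=hda2 ino=98765 scontext=root:sysadm_r:vmware_t tcontext=system_u:object_r:etc_t tclass=dir
Jun 26 04:40:01 new2 kernel: audit(1088239201.102:0): avc:  denied  { read } for  pid=2601 exe=/usr/bin/vmware name=config dev=hda2 ino=98766 scontext=root:sysadm_r:vmware_t tcontext=system_u:object_r:etc_t tclass=file
Jun 26 04:40:02 new2 kernel: audit(1088239202.500:0): avc:  denied  { getattr } for  pid=2601 exe=/usr/bin/vmware path=/etc/vmware/config dev=hda2 ino=98766 scontext=root:sysadm_r:vmware_t tcontext=system_u:object_r:etc_t tclass=file
Jun 26 04:40:03 new2 rc: Starting readahead: succeeded
"""


def parse_avc(line):
    """Return (source_type, target_type, tclass, set_of_perms), or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:type -> type
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or unexpected record: skip it rather than guess
    return stype, ttype, tclass, set(m.group("perms").split())


def collect_rules(log_text, domain=None):
    """Aggregate denials into {(stype, ttype, tclass): perms}; keep only one source domain if given."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        if domain is not None and stype != domain:
            continue
        rules[(stype, ttype, tclass)] |= perms
    return rules


def format_rules(rules):
    """Render aggregated denials as policy-language allow statements, sorted for stable diffs."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms))))
    return lines


if __name__ == "__main__":
    # Equivalent of: audit2allow -d -l | grep vmware_t
    for rule in format_rules(collect_rules(SAMPLE_LOG, domain="vmware_t")):
        print(rule)
```

Read each generated rule before appending it to local.te: the rule answers the symptom, not the cause. For the VMWare script the fix Stephen and Russell discuss is relabeling it bin_t rather than widening vmware_t, and a run of denials whose target is unlabeled_t or default_t is the signature of a bad relabel, which is what Valdis told Olga, not of missing policy.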
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 26 Jun 2004 06:35:35 -0400
Subject: How to properly upgrade policy
In-Reply-To: <1088186288.6872.197.camel@moss-spartans.epoch.ncsc.mil>
References: <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet> <40DBFBBE.8070204@redhat.com> <1088186288.6872.197.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <40DD5177.8050106@redhat.com>

Stephen Smalley wrote:
> On Fri, 2004-06-25 at 06:38, Thomas Molina wrote:
>> Let me nail this down for my own benefit; maybe I am dense. If you
>> install the policy source package you should refrain from also installing
>> the policy package?
>>
>> So is it one or the other, but not both?
>
> At present, policy-sources requires policy. Dan, is there a reason for
> that requires? Otherwise, I would say yes. It doesn't hurt to have
> policy installed as well, but it seems pointless, as updates of policy
> won't touch the locally rebuilt files created by the policy sources
> install/update.

policy-sources does not include the contexts files. So you always need policy installed. Policy-sources only replaces policy.## and file_contexts file.

From selinux at comcast.net Sat Jun 26 18:36:20 2004
From: selinux at comcast.net (Tom London)
Date: Sat, 26 Jun 2004 11:36:20 -0700
Subject: typo in src/policy/file_contexts/types.fc ???
Message-ID: <40DDC224.9070900@comcast.net>

I'm not certain about this, but types.fc has an entry:

/var/lib(64)?/nfs/rpc_pipes(/*)? <<none>>

I don't have such a file/directory, but I do have one called /var/lib/nfs/rpc_pipefs. Should that entry be:

/var/lib(64)?/nfs/rpc_pipefs(/*)? <<none>>

tom

From selinux at comcast.net Sat Jun 26 20:42:14 2004
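Jeff Johnson's idea above (enumerate paths and apply the existing file_contexts regexes to them) and Tom's rpc_pipefs question both come down to how a file_contexts specification is matched against a path. The Python below is an added example written for this archive page, not setfiles, restorecon or libselinux code. It parses a constructed file_contexts excerpt and labels (path, file type) pairs using the rules setfiles documented at the time: the regex is anchored at both ends, an optional type qualifier (`-d`, `--`, `-l`, and so on) restricts an entry to one file type, `<<none>>` means leave the file alone, and when several entries match, the last one wins (treat that last-match rule as an assumption for any later libselinux release). SAMPLE_FC is constructed: it uses the policy's usual `(/.*)?` form rather than the `(/*)?` Tom typed, carries the corrected rpc_pipefs entry, and has a vmware_exec_t entry for vmware-config.pl so that both Tom's fix and the effect of dropping the script from vmware.fc, as Russell suggested, can be seen; the shlib_t entry shows the label Gary's mozilla libraries are expected to get.

```python
"""Apply file_contexts specifications to paths the way setfiles/restorecon
did in 2004: each line is `regex [-type] context`, the regex is anchored at
both ends, and the last matching specification wins.

Added example for this archive page; not code from libselinux, setfiles or
the policy package.  SAMPLE_FC is a constructed excerpt, not a real
file_contexts file.
"""
import re
import stat

# File type qualifiers as documented in file_contexts(5); "--" means regular file.
TYPE_FLAGS = {
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-c": stat.S_IFCHR, "-b": stat.S_IFBLK,
    "-s": stat.S_IFSOCK, "-l": stat.S_IFLNK, "-p": stat.S_IFIFO,
}

SAMPLE_FC = """\
# constructed excerpt for the example; entries are deliberately general-to-specific
/.*                                  system_u:object_r:default_t
/usr/bin(/.*)?                       system_u:object_r:bin_t
/usr/bin/vmware-config\\.pl      --  system_u:object_r:vmware_exec_t
/usr/lib(64)?(/.*)?                  system_u:object_r:lib_t
/usr/lib(64)?/.*\\.so(\\.[^/]*)*   --  system_u:object_r:shlib_t
/var/lib(64)?/nfs(/.*)?              system_u:object_r:var_lib_nfs_t
/var/lib(64)?/nfs/rpc_pipefs(/.*)?   <<none>>
"""


def parse_file_contexts(text):
    """Parse file_contexts lines into (anchored compiled regex, required S_IFMT or None, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, qualifier, context = parts
            if qualifier not in TYPE_FLAGS:
                raise ValueError("bad file type qualifier %r in: %s" % (qualifier, raw))
            ftype = TYPE_FLAGS[qualifier]
        elif len(parts) == 2:
            regex, context = parts
            ftype = None
        else:
            raise ValueError("malformed file_contexts line: %s" % raw)
        specs.append((re.compile("^(?:" + regex + ")$"), ftype, context))
    return specs


def match_context(specs, path, mode):
    """Return the context of the last matching spec, "<<none>>" if that spec says so,
    or None when no spec matches (setfiles leaves the file alone in both latter cases)."""
    chosen = None
    for regex, ftype, context in specs:
        if ftype is not None and stat.S_IFMT(mode) != ftype:
            continue  # entry restricted to another file type
        if regex.match(path):
            chosen = context  # later entries override earlier ones
    return chosen


def label_paths(specs, entries):
    """entries: iterable of (path, st_mode) as os.lstat would give; returns {path: context}."""
    return {path: match_context(specs, path, mode) for path, mode in entries}


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FC)
    # Constructed (path, mode) pairs; on a live system these come from os.lstat().
    sample = [
        ("/usr/bin/vmware-config.pl", stat.S_IFREG),
        ("/usr/lib/mozilla-1.7/components/libaccessibility.so", stat.S_IFREG),
        ("/var/lib/nfs/rpc_pipefs", stat.S_IFDIR),
        ("/var/lib/nfs/statd", stat.S_IFDIR),
    ]
    for path, context in label_paths(specs, sample).items():
        print("%-55s %s" % (path, context))
```

Two things the example makes visible: with the misspelled `rpc_pipes` entry the directory falls through to the more general var_lib_nfs_t rule instead of being skipped, which is why Tom's typo matters, and removing the vmware_exec_t line is all it takes for vmware-config.pl to inherit bin_t from the `/usr/bin(/.*)?` entry.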
From: selinux at comcast.net (Tom London)
Date: Sat, 26 Jun 2004 13:42:14 -0700
Subject: selinux-policy-strict-1.13.9-1, difficulty.
Message-ID: <40DDDFA6.9080505@comcast.net>

I updated to selinux-policy-strict-1.13.9-1 off of the development tree, and immediately had problems:

'su' no longer is accessible
graphical login/X no longer works.

I bugzilla'ed this (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126788) and attached a copy of the AVCs produced when rebooting with 'enforcing=0'.

tom

From rhally at mindspring.com Sat Jun 26 21:46:26 2004
From: rhally at mindspring.com (Richard Hally)
Date: Sat, 26 Jun 2004 17:46:26 -0400
Subject: selinux-policy-strict-1.13.9-1, difficulty.
In-Reply-To: <40DDDFA6.9080505@comcast.net>
References: <40DDDFA6.9080505@comcast.net>
Message-ID: <40DDEEB2.4090000@mindspring.com>

Tom London wrote:
> I updated to selinux-policy-strict-1.13.9-1 off of the development tree,
> and immediately had problems:
> 'su' no longer is accessible
> graphical login/X no longer works.
>
> I bugzilla'ed this
> (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126788)
> and attached a copy of the AVCs produced when rebooting with 'enforcing=0'.
>
> tom
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

I'm not having the same problem, having just finished doing a "yum update" from the /development tree (including the above policy). The procedure I followed (because of the new policy) was to immediately reboot with "a" selected at the grub menu and adding 'single' to the kernel line, doing fixfiles relabel (delete /tmp? y) and then doing "reboot" at the prompt. The system comes up in enforcing mode to runlevel 5, I can do the graphical login and su -. There are many more avc denied messages in /var/log/messages than previously (many having to do with hotplug).

Perhaps trying the above approach to relabeling will at least get you logged in.

HTH
Richard Hally

From ivg2 at cornell.edu Sat Jun 26 23:24:48 2004
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Sat, 26 Jun 2004 17:24:48 -0600
Subject: selinux-policy-strict-1.13.9-1, difficulty.
In-Reply-To: <40DDEEB2.4090000@mindspring.com>
References: <40DDDFA6.9080505@comcast.net> <40DDEEB2.4090000@mindspring.com>
Message-ID: <1088292289.3542.36.camel@localhost.bluenet>

Test Results: selinux-policy-strict-1.13.9-1
Kernel: 2.6.7-1.456

I relabeled in permissive mode prior to running in enforcing mode. However, I notice things that didn't get labeled. I've been running the targeted policy prior to this - perhaps that's a factor. Also I use tmpfs, which I think causes some of the issues (but def. not all).

In /var/log/dmesg (early before init):

UNLABELED:

  path = /initrd/dev/root
  dev = ram0
  tclass = blk_file
  denied { getattr } exe = /bin/bash
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:unlabeled_t

HOTPLUG:

  path = /etc/hotplug.d/default/udev.hotplug
  tclass = file
  denied { getattr } exe = /bin/bash
  scontext = system_u:system_r:hotplug_t
  tcontext = system_u:object_r:udev_helper_exec_t

  name = dbus
  tclass = dir
  denied { search } exe = /usr/libexec/hal.hotplug
  scontext = system_u:system_r:hotplug_t
  tcontext = system_u:object_r:dbus_var_run_t

LVM:

  name = control
  tclass = chr_file
  denied { unlink } exe = /bin/rm
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:lvm_control_t

  name = selinux or var
  tclass = dir
  denied { search } exe = /sbin/lvm.static
  scontext = system_u:system_r:lvm_t
  tcontext = system_u:object_r:selinux_config_t (for selinux)
  tcontext = system_u:object_r:var_t (for var)

Others:

  name = config
  tclass = file
  denied { read } exe = /usr/bin/id
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:selinux_config_t

tmpfs being a problem?
======================

  dev = tmpfs
  tclass = dir
  denied { read } exe = /bin/bash
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:tmpfs_t

===============================================

In /var/log/messages:

UNLABELED:

  path = /etc/ld.so.cache
  tclass = file
  denied { getattr } exe = /bin/env
  scontext = system_u:system_r:kernel_t
  tcontext = system_u:object_r:unlabeled_t

  dev = pipefs
  path = pipe:[851]
  tclass = fifo_file
  denied { getattr } { write } exe = /bin/env
  scontext = system_u:system_r:kernel_t
  tcontext = system_u:object_r:unlabeled_t

  path = /lib/ld-2.3.3.so
  tclass = file
  denied { read } exe = /bin/bash
  scontext = system_u:system_r:kernel_t
  tcontext = system_u:object_r:unlabeled_t

HOTPLUG:

  name = hotplug
  tclass = dir
  denied { search } exe = /bin/bash
  scontext = system_u:system_r:kernel_t
  tcontext = system_u:object_r:hotplug_etc_t

  name = hal.hotplug
  tclass = lnk_file
  denied { read } exe = /bin/bash
  scontext = system_u:system_r:kernel_t
  tcontext = system_u:object_r:etc_t

  path = /etc/hotplug.d/default/udev.hotplug
  tclass = file
  denied { getattr } exe = /bin/bash
  scontext = system_u:system_r:kernel_t
  tcontext = system_u:object_r:udev_helper_exec_t

VAR:

  name = var
  tclass = dir
  denied { search } exe = /bin/bash
  denied { search } exe = /sbin/lvm_static
  scontext = system_u:system_r:kernel_t (bash)
  scontext = system_u:system_r:lvm_t (lvm_static)
  tcontext = system_u:object_r:var_t

...some of the errors from /var/log/dmesg repeat...

Also:

  dev = selinuxfs
  tclass = dir
  denied { search } exe = /bin/bash
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:security_t

More tmpfs denies...

READAHEAD:

  name = aliases
  tclass = file
  denied { read } exe = /usr/sbin/readahead
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:etc_aliases_t

  name = crontab
  tclass = file
  denied { read } exe = /usr/sbin/readahead
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:system_cron_spool_t

  name = ssh_host_dsa_key, ssh_host_key, ssh_host_rsa_key
  tclass = file
  denied { read } exe = /usr/sbin/readahead
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:sshd_key_t

  name = dhclient-eth0.leases
  tclass = file
  denied { read } exe = /usr/sbin/readahead
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:dhcpc_state_t

  name = state
  tclass = file
  denied { read } exe = /usr/sbin/readahead
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:var_lib_nfs_t

MODPROBE:

  dev = proc
  path = /proc/sys/dev/parport/parport0/autoprobe
  tclass = file
  denied { read } exe = /sbin/modprobe
  scontext = system_u:system_r:insmod_t
  tcontext = system_u:object_r:sysctl_dev_t

KLOGD (this was there in the last version too):

  name = System.map
  tclass = lnk_file
  denied { read } exe = /sbin/klogd
  scontext = system_u:system_r:klogd_t
  tcontext = system_u:object_r:boot_t

SELINUX:

  name = config
  tclass = file
  denied { read } exe = /usr/bin/selinuxenabled
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:selinux_config_t

I think there was one for ls trying to read selinux files too, but I lost it.

Also:

  name = config
  tclass = file
  denied { read } exe = /usr/bin/find
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:selinux_config_t

Then there's all the httpd errors I posted in my other two mails (on previous versions).

Then I get about a million of those:

  class = tcp_socket
  denied { name_bind } exe = /usr/sbin/htt_server
  scontext = user_u:user_r:user_t
  tcontext = system_u:object_r:port_t

until I log in and kill htt_server.

Sorry for the long post :)

I won't test the target policy anymore since it isn't very interesting in my case - the only daemon I have that it protects is httpd.

-------------- next part --------------
A non-text attachment was scrubbed... (signature.asc, application/pgp-signature, 189 bytes: This is a digitally signed message part)

From gbpeck at sbcglobal.net Sun Jun 27 00:12:34 2004
From: gbpeck at sbcglobal.net (Gary Peck)
Date: Sat, 26 Jun 2004 17:12:34 -0700
Subject: restorecon vs. setfiles
In-Reply-To: <1088185455.6872.183.camel@moss-spartans.epoch.ncsc.mil>
References: <20040519022249.GC3717@realify.com> <40AACEEC.4040805@nogin.org> <40AACF8A.7010407@redhat.com> <1084968582.30873.3.camel@moss-spartans.epoch.ncsc.mil> <40ABB2DE.5090107@redhat.com> <20040625163415.GI16241@realify.com> <1088182761.6872.138.camel@moss-spartans.epoch.ncsc.mil> <40DC5936.1040004@redhat.com> <1088185455.6872.183.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20040627001234.GJ16241@realify.com>

On Fri, Jun 25, 2004 at 01:44:15PM -0400, Stephen Smalley wrote:
> rpm source code appears to be passing the mode as part of the lookup,
> so I don't think that is the issue.
>
> rpm -Uvh --force libselinux*.rpm keeps the correct security context on
> /lib/libselinux.so.1 for me, both on a strict policy machine and a
> targeted policy machine. rpm is 4.3.2-0.4; I haven't updated to -1
> yet.

Could this be an issue with apt? I'm actually using apt-get to install these packages. When I tried using "rpm -Uvh ..." directly, it seemed to set the contexts correctly as you say. However, when I did it with apt-get again, I saw the same problem. Here's some files from the mozilla package with their correct contexts:

system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libappcomps.so
system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libautoconfig.so

Then I run "apt-get install mozilla", which upgrades mozilla from 1.7-0.3.1 to 1.7-0.3.2. Afterwards, these same files (but from the new version of mozilla) have the following contexts:

root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
root:object_r:lib_t /usr/lib/mozilla-1.7/components/libappcomps.so
root:object_r:lib_t /usr/lib/mozilla-1.7/components/libautoconfig.so

I assumed that apt's behaviour should be the same since it's just using rpm underneath, but maybe there's extra rpm API calls that need to be made by apt when it's running on a SELinux system?

This is with apt-0.5.15cnc6-0.fdr.11.2, rpm-4.3.2-0.4.

gary

From gbpeck at sbcglobal.net Sun Jun 27 00:27:42 2004
From: gbpeck at sbcglobal.net (Gary Peck)
Date: Sat, 26 Jun 2004 17:27:42 -0700
Subject: apt and selinux (was: Re: restorecon vs. setfiles)
In-Reply-To: <20040627001234.GJ16241@realify.com>
References: <20040519022249.GC3717@realify.com> <40AACEEC.4040805@nogin.org> <40AACF8A.7010407@redhat.com> <1084968582.30873.3.camel@moss-spartans.epoch.ncsc.mil> <40ABB2DE.5090107@redhat.com> <20040625163415.GI16241@realify.com> <1088182761.6872.138.camel@moss-spartans.epoch.ncsc.mil> <40DC5936.1040004@redhat.com> <1088185455.6872.183.camel@moss-spartans.epoch.ncsc.mil> <20040627001234.GJ16241@realify.com>
Message-ID: <20040627002742.GK16241@realify.com>

On Sat, Jun 26, 2004 at 05:12:34PM -0700, Gary Peck wrote:
> Could this be an issue with apt? I'm actually using apt-get to install
> these packages. When I tried using "rpm -Uvh ..." directly, it seemed to
> set the contexts correctly as you say. However, when I did it with
> apt-get again, I saw the same problem. Here's some files from the
> mozilla package with their correct contexts:
>
> system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
> system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
> system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libappcomps.so
> system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libautoconfig.so
>
> Then I run "apt-get install mozilla", which upgrades mozilla from
> 1.7-0.3.1 to 1.7-0.3.2. Afterwards, these same files (but from the new
> version of mozilla) have the following contexts:
>
> root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
> root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
> root:object_r:lib_t /usr/lib/mozilla-1.7/components/libappcomps.so
> root:object_r:lib_t /usr/lib/mozilla-1.7/components/libautoconfig.so
>
> I assumed that apt's behaviour should be the same since it's just using
> rpm underneath, but maybe there's extra rpm API calls that need to be
> made by apt when it's running on a SELinux system?
>
> This is with apt-0.5.15cnc6-0.fdr.11.2, rpm-4.3.2-0.4.

Ok, I'm pretty sure it's an apt problem now. I tried installing the same package twice, once with apt using the rpm API directly (apt-get install ...), and once with apt calling the rpm binary externally (apt-get -o RPM::PM="external" install ...). When using the API, I see the same problem as above. When calling the rpm binary, the contexts get set correctly.

I've CC'ed the apt-rpm list as it's probably a more appropriate place for this discussion. Anyone there care to comment?

gary

From russell at coker.com.au Sun Jun 27 09:06:58 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 27 Jun 2004 19:06:58 +1000
Subject: selinux-policy-strict-1.13.9-1, difficulty.
In-Reply-To: <1088292289.3542.36.camel@localhost.bluenet>
References: <40DDDFA6.9080505@comcast.net> <40DDEEB2.4090000@mindspring.com> <1088292289.3542.36.camel@localhost.bluenet>
Message-ID: <200406271906.58192.russell@coker.com.au>

On Sun, 27 Jun 2004 09:24, Ivan Gyurdiev wrote:
> In /var/log/dmesg (early before init):

We have given up on the idea of loading policy in the initrd. Therefore policy should not be loaded before init and you should not have any AVC messages before init loads the policy.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From ivg2 at cornell.edu Sun Jun 27 10:02:37 2004
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Sun, 27 Jun 2004 04:02:37 -0600
Subject: selinux-policy-strict-1.13.9-1, difficulty.
In-Reply-To: <200406271906.58192.russell@coker.com.au>
References: <40DDDFA6.9080505@comcast.net> <40DDEEB2.4090000@mindspring.com> <1088292289.3542.36.camel@localhost.bluenet> <200406271906.58192.russell@coker.com.au>
Message-ID: <1088330557.3407.2.camel@localhost.bluenet>

On Sun, 2004-06-27 at 19:06 +1000, Russell Coker wrote:
> On Sun, 27 Jun 2004 09:24, Ivan Gyurdiev wrote:
>> In /var/log/dmesg (early before init):
>
> We have given up on the idea of loading policy in the initrd. Therefore
> policy should not be loaded before init and you should not have any AVC
> messages before init loads the policy

Ok, you're right - my mistake. The messages occur immediately after init starts but are logged in /var/log/dmesg and not /var/log/messages.

Strange - I can't log in anymore either. I used to be able to immediately after relabel and reboot. I also seem to get more messages. Not quite sure what's going on.

-------------- next part --------------
A non-text attachment was scrubbed... (signature.asc, application/pgp-signature, 189 bytes: This is a digitally signed message part)

From dwalsh at redhat.com Sun Jun 27 10:01:48 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sun, 27 Jun 2004 06:01:48 -0400
Subject: selinux-policy-strict-1.13.9-1, difficulty.
In-Reply-To: <1088292289.3542.36.camel@localhost.bluenet>
References: <40DDDFA6.9080505@comcast.net> <40DDEEB2.4090000@mindspring.com> <1088292289.3542.36.camel@localhost.bluenet>
Message-ID: <40DE9B0C.6090009@redhat.com>

Ivan Gyurdiev wrote:
> Test Results: selinux-policy-strict-1.13.9-1
> Kernel: 2.6.7-1.456
>
> I relabeled in permissive mode prior to running in enforcing mode.
> However, I notice things that didn't get labeled.
> I've been running the targeted policy prior to this - perhaps that's a
> factor. Also I use tmpfs, which I think causes some of the issues (but
> def. not all).
>
> In /var/log/dmesg (early before init):
>
> UNLABELED:
>
>   path = /initrd/dev/root
>   dev = ram0
>   tclass = blk_file
>   denied { getattr } exe = /bin/bash
>   scontext = system_u:system_r:initrc_t
>   tcontext = system_u:object_r:unlabeled_t
>
> HOTPLUG:
>
>   path = /etc/hotplug.d/default/udev.hotplug
>   tclass = file
>   denied { getattr } exe = /bin/bash
>   scontext = system_u:system_r:hotplug_t
>   tcontext = system_u:object_r:udev_helper_exec_t
>
>   name = dbus
>   tclass = dir
>   denied { search } exe = /usr/libexec/hal.hotplug
>   scontext = system_u:system_r:hotplug_t
>   tcontext = system_u:object_r:dbus_var_run_t
>
> LVM:
>
>   name = control
>   tclass = chr_file
>   denied { unlink } exe = /bin/rm
>   scontext = system_u:system_r:initrc_t
>   tcontext = system_u:object_r:lvm_control_t
>
>   name = selinux or var
>   tclass = dir
>   denied { search } exe = /sbin/lvm.static
>   scontext = system_u:system_r:lvm_t
>   tcontext = system_u:object_r:selinux_config_t (for selinux)
>   tcontext = system_u:object_r:var_t (for var)
>
> Others:
>
>   name = config
>   tclass = file
>   denied { read } exe = /usr/bin/id
>   scontext = system_u:system_r:initrc_t
>   tcontext = system_u:object_r:selinux_config_t
>
> tmpfs being a problem?
> ======================
>   dev = tmpfs
>   tclass = dir
>   denied { read } exe = /bin/bash
>   scontext = system_u:system_r:initrc_t
>   tcontext = system_u:object_r:tmpfs_t
>
> ===============================================
>
> In /var/log/messages:
>
> UNLABELED:
>
>   path = /etc/ld.so.cache
>   tclass = file
>   denied { getattr } exe = /bin/env
>   scontext = system_u:system_r:kernel_t
>   tcontext = system_u:object_r:unlabeled_t
>
>   dev = pipefs
>   path = pipe:[851]
>   tclass = fifo_file
>   denied { getattr } { write } exe = /bin/env
>   scontext = system_u:system_r:kernel_t
>   tcontext = system_u:object_r:unlabeled_t
>
>   path = /lib/ld-2.3.3.so
>   tclass = file
>   denied { read } exe = /bin/bash
>   scontext = system_u:system_r:kernel_t
>   tcontext = system_u:object_r:unlabeled_t
>
> HOTPLUG:
>
>   name = hotplug
>   tclass = dir
>   denied { search } exe = /bin/bash
>   scontext = system_u:system_r:kernel_t
>   tcontext = system_u:object_r:hotplug_etc_t
>
>   name = hal.hotplug
>   tclass = lnk_file
>   denied { read } exe = /bin/bash
>   scontext = system_u:system_r:kernel_t
>   tcontext = system_u:object_r:etc_t
>
>   path = /etc/hotplug.d/default/udev.hotplug
>   tclass = file
>   denied { getattr } exe = /bin/bash
>   scontext = system_u:system_r:kernel_t
>   tcontext = system_u:object_r:udev_helper_exec_t
>
> VAR
>
>   name = var
>   tclass = dir
>   denied { search } exe = /bin/bash
>   denied { search } exe = /sbin/lvm_static
>   scontext = system_u:system_r:kernel_t (bash)
>   scontext = system_u:system_r:lvm_t (lvm_static)
>   tcontext = system_u:object_r:var_t
>
> ...some of the errors from /var/log/dmesg repeat...
> Also
>   dev = selinuxfs
>   tclass = dir
>   denied { search } exe = /bin/bash
>   scontext = system_u:system_r:initrc_t
>   tcontext = system_u:object_r:security_t
>
> More tmpfs denies...
>
> READAHEAD:
>
>   name = aliases
>   tclass = file
>   denied { read } exe = /usr/sbin/readahead
>   scontext = system_u:system_r:initrc_t
>   tcontext = system_u:object_r:etc_aliases_t
>
>   name = crontab
>   tclass = file
>   denied { read } exe = /usr/sbin/readahead
>   scontext = system_u:system_r:initrc_t
>   tcontext = system_u:object_r:system_cron_spool_t
>
>   name = ssh_host_dsa_key, ssh_host_key, ssh_host_rsa_key
>   tclass = file
>   denied { read } exe = /usr/sbin/readahead
>   scontext = system_u:system_r:initrc_t
>   tcontext = system_u:object_r:sshd_key_t
>
>   name = dhclient-eth0.leases
>   tclass = file
>   denied { read } exe = /usr/sbin/readahead
>   scontext = system_u:system_r:initrc_t
>   tcontext = system_u:object_r:dhcpc_state_t
>
>   name = state
>   tclass = file
>   denied { read } exe = /usr/sbin/readahead
>   scontext = system_u:system_r:initrc_t
>   tcontext = system_u:object_r:var_lib_nfs_t
>
> MODPROBE
>
>   dev = proc
>   path = /proc/sys/dev/parport/parport0/autoprobe
>   tclass = file
>   denied { read } exe = /sbin/modprobe
>   scontext = system_u:system_r:insmod_t
>   tcontext = system_u:object_r:sysctl_dev_t
>
> KLOGD (this was there in the last version too)
>   name = System.map
>   tclass = lnk_file
>   denied { read } exe = /sbin/klogd
>   scontext = system_u:system_r:klogd_t
>   tcontext = system_u:object_r:boot_t
>
> SELINUX
>
>   name = config
>   tclass = file
>   denied { read } exe = /usr/bin/selinuxenabled
>   scontext = system_u:system_r:initrc_t
>   tcontext = system_u:object_r:selinux_config_t
>
> I think there was one for ls trying to read selinux files too, but I
> lost it. Also:
>
>   name = config
>   tclass = file
>   denied { read } exe = /usr/bin/find
>   scontext = system_u:system_r:initrc_t
>   tcontext = system_u:object_r:selinux_config_t
>
> Then there's all the httpd errors I posted in my other two mails (on
> previous versions).
>
> Then I get about a million of those:
>
>   class = tcp_socket
>   denied { name_bind } exe = /usr/sbin/htt_server
>   scontext = user_u:user_r:user_t
>   tcontext = system_u:object_r:port_t
>
> until I log in and kill htt_server.
>
> Sorry for the long post :)
> I won't test the target policy anymore since it isn't very interesting
> in my case - the only daemon I have that it protects is httpd.

Please attach the AVC Messages. The problems are probably being caused by update to other applications like hotplug.

Dan

From dwalsh at redhat.com Sun Jun 27 10:36:07 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sun, 27 Jun 2004 06:36:07 -0400
Subject: selinux-policy-strict-1.13.9-1, difficulty.
In-Reply-To: <40DE9B0C.6090009@redhat.com>
References: <40DDDFA6.9080505@comcast.net> <40DDEEB2.4090000@mindspring.com> <1088292289.3542.36.camel@localhost.bluenet> <40DE9B0C.6090009@redhat.com>
Message-ID: <40DEA317.80202@redhat.com>

Daniel J Walsh wrote:
> Ivan Gyurdiev wrote:
>
>> Test Results: selinux-policy-strict-1.13.9-1
>> Kernel: 2.6.7-1.456
>>
>> [...]
>>
>> Sorry for the long post :)
>> I won't test the target policy anymore since it isn't very interesting
>> in my case - the only daemon I have that it protects is httpd.
>
> Please attach the AVC Messages. The problems are probably being
> caused by update to other applications like hotplug.
>
> Dan

1.13.9 went out with tunables turned off. 1.13.10 fixes this problem.

From dwalsh at redhat.com Sun Jun 27 10:42:38 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sun, 27 Jun 2004 06:42:38 -0400
Subject: How to properly upgrade policy
References: <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet> <40DBFBBE.8070204@redhat.com>
Message-ID: <40DEA49E.2070407@redhat.com>

Thomas Molina wrote:
>>>>> What's the proper way to upgrade the selinux policy?
>>>>>
>>>>> yum and rpm leave me with .rpmnew files every single time.
>>>>
>>>> This suggests that you installed the policy source package as well, or
>>>> locally modified your policy directly. If you install or update the
>>>> policy source package (selinux-policy-strict-sources), then it should
>>>> rebuild the policy files from source and load the new ones automatically
>>>> as part of the %post. Updating the policy package
>>>> (selinux-policy-strict) will then leave you with .rpmnew files because
>>>> it sees that the files have been locally rebuilt.
>
> Let me nail this down for my own benefit; maybe I am dense. If you
> install the policy source package you should refrain from also installing
> the policy package?
>
> So is it one or the other, but not both?

No, policy-sources contains files that can be used to rebuild the policy (policy.18) file. It also contains sources to rebuild the file_contexts file. Other files in policy (default_contexts, initrc_context ...) are not part of policy-sources. So policy-sources gives you the ability to modify some of the files in the policy package.

From himainu-ynakam at miomio.jp Sun Jun 27 11:33:49 2004
From: himainu-ynakam at miomio.jp (Yuichi Nakamura)
Date: Sun, 27 Jun 2004 20:33:49 +0900
Subject: Policy for webalizer
Message-ID: <200406271133.i5RBXpH0029485@mms-r00.iijmio.jp>

Hi.

I found that webalizer does not work from cron on FedoraCore2.
It seems that there is no policy for webalizer.
I wrote policy for webalizer.
I tested it from command line and cron.
Please use.

(1) copy webalizer policies to policy source dir.
#cp webalizer.te /etc/security/selinux/src/policy/domains/program
#cp webalizer.fc /etc/security/selinux/src/policy/file_contexts/program

(2) append the following to /etc/security/selinux/src/policy/domains/program/apache.te .
r_dir_file(httpd_t,webalizer_usage_t)

(3) reload and relabel
#cd /etc/security/selinux/src/policy/
#make reload
#setfiles file_contexts/file_contexts /usr/bin /var /etc

Thank you.

---
Yuichi Nakamura
Japan SELinux Users Group(JPSEG)
http://www.selinux.gr.jp/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: webalizer.te
Type: application/octet-stream
Size: 1852 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: webalizer.fc
Type: application/octet-stream
Size: 230 bytes
Desc: not available
URL:

From russell at coker.com.au Sun Jun 27 12:18:31 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 27 Jun 2004 22:18:31 +1000
Subject: Policy for webalizer
In-Reply-To: <200406271133.i5RBXpH0029485@mms-r00.iijmio.jp>
References: <200406271133.i5RBXpH0029485@mms-r00.iijmio.jp>
Message-ID: <200406272218.31524.russell@coker.com.au>

On Sun, 27 Jun 2004 21:33, Yuichi Nakamura wrote:
> I found that webalizer does not work from cron on FedoraCore2.
>
> It seems that there is no policy for webalizer.
> I wrote policy for webalizer.
> I tested it from command line and cron.
> Please use.

I think you should use etc_domain(webalizer) instead of defining webalizer_conf_t and var_lib_domain(webalizer) instead of webalizer_write_t.

We could have /var/www/usage labelled as httpd_sys_content_t. That gives less types (less pain) for no significant decrease in security. I should probably make a similar change to calamaris_t.

For access to locale_t you want read_locale(webalizer_t).

As a general rule we don't want to allow any daemons access to the administrator console if we can avoid it. I'm not sure what the best thing to do for webalizer is in this regard.

I've made some minor changes, please check the attached files and tell me what you think.

PS I've been running webalizer in logrotate_t domain for a couple of years. This isn't ideal though as I needed to put some entries in custom.te for it - not something I could distribute. Having a webalizer_t is a good improvement.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

-------------- next part --------------
##webalizer_t: domain for webalizer
# 2004.6.19
# by Yuichi Nakamura (ynakam @ selinux.gr.jp)
application_domain(webalizer)
# to use from cron
system_crond_entry(webalizer_exec_t,webalizer_t)
role system_r types webalizer_t;

##type definition
# type for usage file
type webalizer_usage_t,file_type,sysadmfile;
# type for /var/lib/webalizer
type webalizer_write_t,file_type,sysadmfile;
# type for webalizer.conf
etc_domain(webalizer)

#read apache log
allow webalizer_t var_log_t:dir r_dir_perms;
r_dir_file(webalizer_t, httpd_log_t)
#r/w /var/lib/webalizer
var_lib_domain(webalizer)
#read/write /var/www/usage (labelled httpd_sys_content_t)
create_dir_file(webalizer_t, httpd_sys_content_t)
#read system files under /etc
allow webalizer_t { etc_t etc_runtime_t }:file { getattr read };
read_locale(webalizer_t)
# can use tmp file
tmp_domain(webalizer)
# can read /proc
read_sysctl(webalizer_t)
allow webalizer_t proc_t:dir { search };
allow webalizer_t proc_t:file r_file_perms;
# network
can_network(webalizer_t)
#process communication inside webalizer itself
general_domain_access(webalizer_t)
allow webalizer_t self:capability { dac_override };
-------------- next part --------------
/usr/bin/webalizer system_u:object_r:webalizer_exec_t
/var/lib/webalizer(/.*)? system_u:object_r:webalizer_var_lib_t
/etc/webalizer.conf system_u:object_r:webalizer_etc_t

From ivg2 at cornell.edu Sun Jun 27 12:41:37 2004
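The revised webalizer.te and webalizer.fc above only work together if every type the .fc names is declared by the .te (directly, or through a macro such as etc_domain). A type the loaded policy does not know makes setfiles reject the line as an "invalid context", the error seen earlier in this archive. The following checker is an added example, not code from Yuichi, Russell or the Fedora policy; the table of which types each macro declares is an assumption to verify against macros/*.te in your own tree.

```python
"""Lint a file_contexts fragment (.fc) against the .te source it ships with:
report every type the .fc references that the .te never declares."""
import re

# Types declared implicitly by the FC2-era macros used in webalizer.te above.
# ASSUMPTION: check macros/*.te in your policy tree before relying on this.
MACRO_TYPES = {
    "application_domain": ("{p}_t", "{p}_exec_t"),
    "etc_domain": ("{p}_etc_t",),
    "var_lib_domain": ("{p}_var_lib_t",),
    "tmp_domain": ("{p}_tmp_t",),
}

TYPE_DECL_RE = re.compile(r"^\s*type\s+(\w+)\s*[,;]", re.M)   # type foo_t, ...;
MACRO_RE = re.compile(r"^\s*(\w+)\(\s*(\w+)\s*\)", re.M)       # macro(prefix)
# .fc line: path-regex  [file-type flag]  user:role:type
FC_LINE_RE = re.compile(
    r"^\s*(\S+)(?:\s+(--|-d|-l|-c|-b|-s|-p))?\s+([^:\s]+):([^:\s]+):(\w+)\s*$",
    re.M,
)


def declared_types(te_text):
    """Set of type names a .te (or several .te files concatenated) declares,
    either with an explicit `type` statement or via a known macro."""
    types = set(TYPE_DECL_RE.findall(te_text))
    for macro, prefix in MACRO_RE.findall(te_text):
        for pattern in MACRO_TYPES.get(macro, ()):
            types.add(pattern.format(p=prefix))
    return types


def fc_entries(fc_text):
    """List of (path_regex, user, role, type) tuples from a .fc fragment."""
    return [(path, user, role, typ)
            for path, _flag, user, role, typ in FC_LINE_RE.findall(fc_text)]


def undeclared_fc_types(te_text, fc_text):
    """Types the .fc uses that te_text does not declare (sorted, unique).
    Pass the whole policy source as te_text when the .fc refers to types
    owned by other modules (e.g. httpd_sys_content_t)."""
    known = declared_types(te_text)
    return sorted({typ for _, _, _, typ in fc_entries(fc_text) if typ not in known})


# The declaring lines of the webalizer.te Russell posted above.
WEBALIZER_TE = """\
application_domain(webalizer)
system_crond_entry(webalizer_exec_t,webalizer_t)
role system_r types webalizer_t;
type webalizer_usage_t,file_type,sysadmfile;
type webalizer_write_t,file_type,sysadmfile;
etc_domain(webalizer)
var_lib_domain(webalizer)
read_locale(webalizer_t)
tmp_domain(webalizer)
"""

# The webalizer.fc Russell posted above.
WEBALIZER_FC = """\
/usr/bin/webalizer system_u:object_r:webalizer_exec_t
/var/lib/webalizer(/.*)? system_u:object_r:webalizer_var_lib_t
/etc/webalizer.conf system_u:object_r:webalizer_etc_t
"""

# Constructed for this example: an .fc that still names the webalizer_conf_t
# type from the first draft, paired with the revised .te that no longer has it.
STALE_FC = """\
/usr/bin/webalizer -- system_u:object_r:webalizer_exec_t
/etc/webalizer.conf -- system_u:object_r:webalizer_conf_t
"""

if __name__ == "__main__":
    print("revised .fc, undeclared:", undeclared_fc_types(WEBALIZER_TE, WEBALIZER_FC))
    print("stale .fc, undeclared:  ", undeclared_fc_types(WEBALIZER_TE, STALE_FC))
```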
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Sun, 27 Jun 2004 06:41:37 -0600
Subject: selinux-policy-strict-1.13.9-1, difficulty.
In-Reply-To: <40DEA317.80202@redhat.com>
References: <40DDDFA6.9080505@comcast.net> <40DDEEB2.4090000@mindspring.com> <1088292289.3542.36.camel@localhost.bluenet> <40DE9B0C.6090009@redhat.com> <40DEA317.80202@redhat.com>
Message-ID: <1088340098.3643.6.camel@localhost.bluenet>

> 1.13.9 went out with tunables turned off. 1.13.10 fixes this problem.

Yes, that fixes 90% of all problems. The AVCs left look familiar. Here's all of them. I left one of each kind.

Udev:
audit(1088316302.804:0): avc: denied { execute } for pid=260 exe=/bin/bash name=udev.hotplug dev=hda7 ino=35718314 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:udev_helper_exec_t tclass=file

Lvm.static:
audit(1088337913.192:0): avc: denied { search } for pid=854 exe=/sbin/lvm.static name=selinux dev=hda7 ino=21763330 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:selinux_config_t tclass=dir
audit(1088337922.000:0): avc: denied { getattr } for pid=854 exe=/sbin/lvm.static path=/dev/vcsa01 dev=hda7 ino=12734292 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=file
audit(1088337922.006:0): avc: denied { getattr } for pid=854 exe=/sbin/lvm.static path=/dev/vcsa05 dev=hda7 ino=12613346 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=file

Hal:
audit(1088337915.701:0): avc: denied { search } for pid=903 exe=/usr/libexec/hal.dev name=dbus dev=hda7 ino=2677359 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:dbusd_var_run_t tclass=dir

Restorecon:
audit(1088337917.431:0): avc: denied { use } for pid=912 exe=/sbin/restorecon path=/dev/null dev=hda7 ino=15237714 scontext=system_u:system_r:restorecon_t tcontext=system_u:system_r:hotplug_t tclass=fd
audit(1088337917.431:0): avc: denied { read write } for pid=912 exe=/sbin/restorecon path=socket:[966] dev=sockfs ino=966 scontext=system_u:system_r:restorecon_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket

Sulogin:
Jun 27 06:17:21 cobra kernel: audit(1088337927.587:0): avc: denied { search } for pid=1605 exe=/sbin/sulogin name=selinux dev=hda7 ino=21763330 scontext=system_u:system_r:sulogin_t tcontext=system_u:object_r:selinux_config_t tclass=dir

Klogd:
Jun 27 06:17:21 cobra kernel: audit(1088338640.308:0): avc: denied { read } for pid=2222 exe=/sbin/klogd name=System.map dev=hda1 ino=13 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:boot_t tclass=lnk_file

Lock:
Jun 27 06:17:34 cobra kernel: audit(1088338654.709:0): avc: denied { search } for pid=2439 exe=/bin/bash name=lock dev=hda7 ino=31349249 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_lock_t tclass=dir

Httpd:
Jun 27 06:17:39 cobra kernel: audit(1088338659.767:0): avc: denied { getattr } for pid=2429 exe=/usr/sbin/httpd path=/sbin dev=hda7 ino=4283144 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:sbin_t tclass=dir
Jun 27 06:17:39 cobra kernel: audit(1088338659.767:0): avc: denied { getattr } for pid=2429 exe=/usr/sbin/httpd path=/usr/sbin dev=hda7 ino=1662509 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:sbin_t tclass=dir
Jun 27 06:17:39 cobra kernel: audit(1088338659.768:0): avc: denied { getattr } for pid=2429 exe=/usr/sbin/httpd path=/bin dev=hda7 ino=132 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=dir
Jun 27 06:17:39 cobra kernel: audit(1088338659.768:0): avc: denied { getattr } for pid=2429 exe=/usr/sbin/httpd path=/usr/bin dev=hda7 ino=4283629 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=dir
Jun 27 06:17:39 cobra kernel: audit(1088338659.768:0): avc: denied { getattr } for pid=2429 exe=/usr/sbin/httpd path=/usr/X11R6/bin dev=hda7 ino=5645421 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=dir
Jun 27 06:17:41 cobra kernel: audit(1088338661.210:0): avc: denied { getattr } for pid=2451 exe=/usr/sbin/httpd path=/sbin dev=hda7 ino=4283144 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:sbin_t tclass=dir
Jun 27 06:17:41 cobra kernel: audit(1088338661.441:0): avc: denied { write } for pid=2451 exe=/usr/sbin/httpd name=jk2.shm dev=hda7 ino=22857853 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_log_t tclass=file
Jun 27 06:17:50 cobra kernel: audit(1088338670.336:0): avc: denied { getattr } for pid=2451 exe=/usr/sbin/httpd path=/usr/share/snmp/mibs/.index dev=hda7 ino=5977546 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:snmpd_var_lib_t tclass=file
Jun 27 06:17:50 cobra kernel: audit(1088338670.337:0): avc: denied { write } for pid=2451 exe=/usr/sbin/httpd name=.index dev=hda7 ino=5977546 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:snmpd_var_lib_t tclass=file

xfs:
Jun 27 06:18:30 cobra kernel: audit(1088338710.740:0): avc: denied { search } for pid=2672 exe=/usr/X11R6/bin/xfs dev=tmpfs ino=2786 scontext=system_u:system_r:xfs_t tcontext=system_u:object_r:tmpfs_t tclass=dir

Xorg:
Jun 27 06:18:57 cobra kernel: audit(1088338737.144:0): avc: denied { getattr } for pid=3276 exe=/usr/X11R6/bin/Xorg path=/tmp/.X11-unix dev=tmpfs ino=6547 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:xdm_tmpfs_t tclass=dir

From himainu-ynakam at miomio.jp Sun Jun 27 13:37:03 2004
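The kernel audit lines Ivan lists are the raw input for audit2allow-style rule generation. As an added example (not code from the thread or from policycoreutils), the script below parses lines in exactly that format, with or without the syslog prefix, folds them into candidate allow rules per (source type, target type, class), and keeps denials against unlabeled_t apart, since those call for a relabel rather than a rule; the two extra sample lines marked as constructed are not from Ivan's report.

```python
"""Parse FC2-era kernel AVC denial lines and summarise them as candidate
allow rules (what audit2allow does), separating out unlabeled_t targets."""
import re
from collections import defaultdict

# "avc: denied { perm [perm ...] } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the denial's fields as a dict, or None for a non-AVC line.
    A leading syslog prefix ("Jun 27 06:17:21 cobra kernel:") is ignored."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    # contexts are user:role:type; rule generation needs only the type
    for key in ("scontext", "tcontext"):
        rec[key + "_type"] = rec.get(key, "").rsplit(":", 1)[-1]
    return rec


def candidate_rules(lines):
    """Aggregate denials by (source type, target type, class).

    Returns (rules, relabel): `rules` are allow statements in policy syntax,
    one per triple with the union of the denied permissions; `relabel` lists
    (exe, object) pairs whose target was unlabeled_t, which setfiles or
    restorecon should fix rather than a policy change."""
    agg = defaultdict(set)
    relabel = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["tcontext_type"] == "unlabeled_t":
            relabel.append((rec.get("exe"), rec.get("path") or rec.get("name")))
            continue
        key = (rec["scontext_type"], rec["tcontext_type"], rec.get("tclass", "?"))
        agg[key].update(rec["perms"])
    rules = ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
             for (s, t, c), p in sorted(agg.items())]
    return rules, relabel


# Sample input: five lines from the report above, plus one unlabeled_t denial
# and one non-AVC syslog line, both constructed for this example.
SAMPLE = [
    "audit(1088316302.804:0): avc: denied { execute } for pid=260 exe=/bin/bash "
    "name=udev.hotplug dev=hda7 ino=35718314 scontext=system_u:system_r:kernel_t "
    "tcontext=system_u:object_r:udev_helper_exec_t tclass=file",
    "Jun 27 06:17:39 cobra kernel: audit(1088338659.767:0): avc: denied { getattr } "
    "for pid=2429 exe=/usr/sbin/httpd path=/sbin dev=hda7 ino=4283144 "
    "scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:sbin_t tclass=dir",
    "Jun 27 06:17:39 cobra kernel: audit(1088338659.767:0): avc: denied { getattr } "
    "for pid=2429 exe=/usr/sbin/httpd path=/usr/sbin dev=hda7 ino=1662509 "
    "scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:sbin_t tclass=dir",
    "Jun 27 06:17:41 cobra kernel: audit(1088338661.441:0): avc: denied { write } "
    "for pid=2451 exe=/usr/sbin/httpd name=jk2.shm dev=hda7 ino=22857853 "
    "scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_log_t tclass=file",
    "audit(1088337917.431:0): avc: denied { read write } for pid=912 exe=/sbin/restorecon "
    "path=socket:[966] dev=sockfs ino=966 scontext=system_u:system_r:restorecon_t "
    "tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket",
    # constructed: the /etc/ld.so.cache denial from the earlier summary, in audit format
    "audit(1088316300.000:0): avc: denied { getattr } for pid=210 exe=/bin/env "
    "path=/etc/ld.so.cache dev=hda7 ino=1 scontext=system_u:system_r:kernel_t "
    "tcontext=system_u:object_r:unlabeled_t tclass=file",
    # constructed: an ordinary kernel message that must be skipped
    "Jun 27 06:17:21 cobra kernel: klogd started",
]

if __name__ == "__main__":
    rules, relabel = candidate_rules(SAMPLE)
    print("\n".join(rules))
    print("relabel instead of allowing:", relabel)
```

The rules are candidates for review, not something to paste into policy: as Dan's replies above show, the bulk of these denials came from a policy build with tunables off and from updated applications, which a blanket allow would only paper over.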
From: himainu-ynakam at miomio.jp (Yuichi Nakamura)
Date: Sun, 27 Jun 2004 22:37:03 +0900
Subject: Policy for webalizer
In-Reply-To: <200406272218.31524.russell@coker.com.au>
References: <200406272218.31524.russell@coker.com.au>
Message-ID: <200406271337.i5RDb5cN011052@mms-r01.iijmio.jp>

I checked your changes and webalizer worked, thank you.

Russell Coker wrote:
> As a general rule we don't want to allow any daemons access to the
> administrator console if we can avoid it. I'm not sure what the best thing
> to do for webalizer is in this regard.

I am not sure. What can an attacker do when he obtains write access to the console file?

> We could have /var/www/usage labelled as httpd_sys_content_t. That gives less
> types (less pain) for no significant decrease in security. I should probably
> make a similar change to calamaris_t.

I think we should pay attention when we give write access to the homepage, because many users think the homepage is important. In this configuration, if an attacker obtains the webalizer_t domain in some way, he can compromise whole homepages. And if the administrator misconfigured /etc/webalizer.conf, homepages may be broken. I think we should give a new type to /var/www/usage.

---
Yuichi Nakamura
Japan SELinux Users Group(JPSEG)
http://www.selinux.gr.jp/

From tmolina at cablespeed.com Sun Jun 27 13:40:19 2004
From: tmolina at cablespeed.com (tmolina at cablespeed.com)
Date: Sun, 27 Jun 2004 09:40:19 -0400 (EDT)
Subject: How to properly upgrade policy
In-Reply-To: <40DEA49E.2070407@redhat.com>
References: <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet> <40DBFBBE.8070204@redhat.com> <40DEA49E.2070407@redhat.com>

> > Let me nail this down for my own benefit; maybe I am dense. If you
> > install the policy source package you should refrain from also installing
> > the policy package?
> >
> > So is it one or the other, but not both?
>
> No policy-sources contains files that can be used to rebuild the policy
> (policy.18) file. It also contains sources to rebuild file_contexts
> file. Other files in policy (default_contexts, initrc_context ...) are
> not part of policy-sources. So policy-sources gives you the ability to
> modify some of the files in the policy package.

I originally installed both policy-sources and policy in a Fedora testing cycle. I can mess with stuff and have an occasionally messy system during testing cycles. For production systems that is unacceptable. Once the configuration has been nailed down regarding the installed applications and the set of data they operate on, no further changes/rebuilds of policy should be necessary.

My view is that on a user system only policy should be necessary. Being able to "fixfiles relabel" would be nice. Changing a file's context would be nice, too. My impression is that some/many of the diagnostic programs I would like to have are split between policy and policy-sources. Can we have a situation (maybe it is already this way and I just don't understand) where I (as a system administrator) can log in, change a file's context and/or relabel the whole system with only policy installed?

If the file context is incorrect because of a problem with the policy I should be able to edit and rebuild the policy on an administrator's system (which would have the policy-sources) and download/install to the user's system, optionally relabeling the system in the process.

From selinux at comcast.net Sun Jun 27 17:25:38 2004
From: selinux at comcast.net (Tom London)
Date: Sun, 27 Jun 2004 10:25:38 -0700
Subject: selinux-policy-strict-1.13.9-1, difficulty.
Message-ID: <40DF0312.5010404@comcast.net>

Yup, selinux-policy-strict-1.13.10-1 works. Thanks!

tom

From pmatilai at welho.com Mon Jun 28 13:11:37 2004
From: pmatilai at welho.com (Panu Matilainen)
Date: Mon, 28 Jun 2004 16:11:37 +0300 (EEST)
Subject: [apt-rpm] apt and selinux (was: Re: restorecon vs. setfiles)
In-Reply-To: <20040627002742.GK16241@realify.com>
References: <20040519022249.GC3717@realify.com> <40AACEEC.4040805@nogin.org> <40AACF8A.7010407@redhat.com> <1084968582.30873.3.camel@moss-spartans.epoch.ncsc.mil> <40ABB2DE.5090107@redhat.com> <20040625163415.GI16241@realify.com> <1088182761.6872.138.camel@moss-spartans.epoch.ncsc.mil> <40DC5936.1040004@redhat.com> <1088185455.6872.183.camel@moss-spartans.epoch.ncsc.mil> <20040627001234.GJ16241@realify.com> <20040627002742.GK16241@realify.com>

On Sat, 26 Jun 2004, Gary Peck wrote:

> On Sat, Jun 26, 2004 at 05:12:34PM -0700, Gary Peck wrote:
> > Could this be an issue with apt? I'm actually using apt-get to install
> > these packages. When I tried using "rpm -Uvh ..." directly, it seemed to
> > set the contexts correctly as you say. However, when I did it with
> > apt-get again, I saw the same problem. Here's some files from the
> > mozilla package with their correct contexts:
> >
> > system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
> > system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
> > system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libappcomps.so
> > system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libautoconfig.so
> >
> > Then I run "apt-get install mozilla", which upgrades mozilla from
> > 1.7-0.3.1 to 1.7-0.3.2. Afterwards, these same files (but from the new
> > version of mozilla) have the following contexts:
> >
> > root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
> > root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
> > root:object_r:lib_t /usr/lib/mozilla-1.7/components/libappcomps.so
> > root:object_r:lib_t /usr/lib/mozilla-1.7/components/libautoconfig.so
> >
> > I assumed that apt's behaviour should be the same since it's just using
> > rpm underneath, but maybe there's extra rpm API calls that need to be
> > made by apt when it's running on a SELinux system?
> >
> > This is with apt-0.5.15cnc6-0.fdr.11.2, rpm-4.3.2-0.4.
>
> Ok, I'm pretty sure it's an apt problem now. I tried installing the same
> package twice, once with apt using the rpm API directly (apt-get install
> ...), and once with apt calling the rpm binary externally (apt-get -o
> RPM::PM="external" install ...). When using the API, I see the same
> problem as above. When calling the rpm binary, the contexts get set
> correctly.
>
> I've CC'ed the apt-rpm list as it's probably a more appropriate place
> for this discussion. Anyone there care to comment?

I wouldn't call it an apt problem, you just need to put it into the same context as rpm. This should already be the case on Fedora Core 2, dunno about upstream selinux policy packages - this is from stock FC2 /etc/security/selinux/src/policy/file_contexts/program/rpm.fc:

/usr/bin/apt-get -- system_u:object_r:rpm_exec_t
/usr/bin/apt-shell -- system_u:object_r:rpm_exec_t
/usr/bin/synaptic -- system_u:object_r:rpm_exec_t

- Panu -

From sds at epoch.ncsc.mil Mon Jun 28 13:58:11 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 28 Jun 2004 09:58:11 -0400
Subject: How to properly upgrade policy
In-Reply-To: <40DD5177.8050106@redhat.com>
References: <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet> <40DBFBBE.8070204@redhat.com> <1088186288.6872.197.camel@moss-spartans.epoch.ncsc.mil> <40DD5177.8050106@redhat.com>
Message-ID: <1088431091.17133.41.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2004-06-26 at 06:35, Daniel J Walsh wrote:
> policy-sources does not include the contexts files. So you always need
> policy installed. Policy-sources only replaces policy.## and
> file_contexts file.

Wouldn't it be straightforward to change the policy-sources %post to do a 'make install load' instead of just 'make load', so that the appconfig files are also installed by it? In which case, you wouldn't need policy at all anymore?

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Mon Jun 28 14:05:21 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 28 Jun 2004 10:05:21 -0400
Subject: FC2 SELinux Installation issue (Newbie)
In-Reply-To: <40DC8A68.4080308@gwu.edu>
References: <20040625185056.78688.qmail@web52003.mail.yahoo.com> <1088192559.6872.212.camel@moss-spartans.epoch.ncsc.mil> <40DC8A68.4080308@gwu.edu>
Message-ID: <1088431521.17133.45.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-06-25 at 16:26, Olga Gelbart wrote:
> I have a FC2 (2.6.6 kernel)
> machine. I downloaded, compiled and installed an SELinux-patched 2.6.6
> kernel from NSA, then I installed the user utilities (policycoreutils,
> libselinux, etc -- downloaded from NSA's website as well). Since I have
> FC2, I am assuming that I don't need to install patched utilities, since
> they are now included into FC2.

You don't need to download or build the kernel or userland from
nsa.gov/selinux if you have installed FC2; FC2 already includes all of
the SELinux code and has its own policy packages.

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Mon Jun 28 14:39:38 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 28 Jun 2004 10:39:38 -0400
Subject: How to properly upgrade policy
In-Reply-To:
References: <1088108488.6023.2.camel@localhost.bluenet> <1088109933.24434.115.camel@moss-spartans.epoch.ncsc.mil> <1088110834.6023.6.camel@localhost.bluenet> <40DBFBBE.8070204@redhat.com> <40DEA49E.2070407@redhat.com>
Message-ID: <1088433578.17133.48.camel@moss-spartans.epoch.ncsc.mil>

On Sun, 2004-06-27 at 09:40, tmolina at cablespeed.com wrote:
> My view is that on a user system only policy should be necessary. Being
> able to "fixfiles relabel" would be nice. Changing a file's context would
> be nice, too. My impression is that some/many of the diagnostic programs
> I would like to have are split between policy and policy-sources.

fixfiles, setfiles, and restorecon are part of policycoreutils, not any
selinux-policy-* package. chcon (ala chown/chmod) is part of coreutils.
The installed file_contexts configuration is part of selinux-policy-* but
is also rebuilt by selinux-policy-*-sources. So you don't need policy
sources for relabeling.

--
Stephen Smalley
National Security Agency

From unorlist at yahoo.com Mon Jun 28 15:13:06 2004
From: unorlist at yahoo.com (Earl)
Date: Mon, 28 Jun 2004 08:13:06 -0700 (PDT)
Subject: VMWare config issue (Newbie)
In-Reply-To: <1088192559.6872.212.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20040628151306.40693.qmail@web52005.mail.yahoo.com>

--- Stephen Smalley wrote:
> On Fri, 2004-06-25 at 14:50, Earl wrote:
> > All,
> >
> > I'm just learning so forgive the trivial nature of the question:
> >
> > FC2, Installed VMWare workstation 4.5x, unable to run configuration
> > script, just "yum-ed" so I'm up to date, relabeled, rebooted, still
> > cannot run configuration script...
> > [root at host root]# id
> > uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
> > [root at host root]# /usr/bin/vmware-config.pl
> > Can't open perl script "/usr/bin/vmware-config.pl": Permission denied
> > [root at host root]# ls -Z /usr/bin/vmware-config.pl
> > -r-xr-xr-x+ root root system_u:object_r:vmware_exec_t /usr/bin/vmware-config.pl
> >
> > Looks like a context problem to me but I am unsure what to change... my
> > context, that of the script itself or modify context files and relabel?
> >
> > I have the docs, have been reading, but I have not been able to
> > understand some of the general concepts.
> >
> > Any advice will be appreciated.
>
> audit2allow -d -l | grep vmware_t should show you the relevant missing
> allow statements from the policy. On FC2, you can then add them to your
> policy by doing the following:
>
> yum install policy-sources
> cd /etc/security/selinux/src/policy
> audit2allow -d -l | grep vmware_t >> domains/misc/local.te
> make load

Already had policy-sources. Did the rest, now I get:

# /usr/bin/vmware-config.pl
Setup is unable to find the "more" program on your machine. Please make
sure it is installed. Do you want to specify the location of this program
by hand? [yes]

What is the location of the "more" program on your machine?
/bin/more

The answer "/bin/more" is invalid. It must be the complete name of a
binary file.

# ls -Z /bin/more
-rwxr-xr-x+ root root system_u:object_r:bin_t /bin/more

> But I'm not clear that vmware-config.pl should be labeled vmware_exec_t
> at all (vs. bin_t). What is the advantage of running the configuration
> script in vmware_t vs. sysadm_t? There are no type transition rules for
> vmware_t (except for /var/run files), so it doesn't help keep the
> configuration in the right type.
>
> --
> Stephen Smalley
> National Security Agency

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From unorlist at yahoo.com Mon Jun 28 16:10:49 2004
From: unorlist at yahoo.com (Earl)
Date: Mon, 28 Jun 2004 09:10:49 -0700 (PDT)
Subject: VMWare config issue (Newbie)
In-Reply-To: <200406261815.10749.russell@coker.com.au>
Message-ID: <20040628161049.96099.qmail@web52003.mail.yahoo.com>

Removed vmware-config.pl from:
/etc/security/selinux/src/policy/file_contexts/program/vmware.fc
and relabeled. vmware-config.pl works.

Is anyone aware of a SELinux + VMWare "cookbook" to implement something
like NetTop?

Earl

--- Russell Coker wrote:
> On Sat, 26 Jun 2004 05:42, Stephen Smalley wrote:
> > But I'm not clear that vmware-config.pl should be labeled vmware_exec_t
> > at all (vs. bin_t). What is the advantage of running the configuration
> > script in vmware_t vs. sysadm_t? There are no type transition rules for
> > vmware_t (except for /var/run files), so it doesn't help keep the
> > configuration in the right type.
>
> Yes, vmware-config.pl should be labelled as bin_t (IE removed from
> vmware.fc).
>
> But that's a small issue compared to all the other vmware issues. We want
> to have support for multiple domains for vmware for different user roles,
> and the policy should be easily configurable for one user to be able to
> launch vmware in different domains for NetTop type stuff.
>
> --
> http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/ My home page
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

__________________________________
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
http://promotions.yahoo.com/new_mail

From sds at epoch.ncsc.mil Mon Jun 28 18:53:52 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 28 Jun 2004 14:53:52 -0400
Subject: [apt-rpm] apt and selinux (was: Re: restorecon vs. setfiles)
In-Reply-To:
References: <20040519022249.GC3717@realify.com> <40AACEEC.4040805@nogin.org> <40AACF8A.7010407@redhat.com> <1084968582.30873.3.camel@moss-spartans.epoch.ncsc.mil> <40ABB2DE.5090107@redhat.com> <20040625163415.GI16241@realify.com> <1088182761.6872.138.camel@moss-spartans.epoch.ncsc.mil> <40DC5936.1040004@redhat.com> <1088185455.6872.183.camel@moss-spartans.epoch.ncsc.mil> <20040627001234.GJ16241@realify.com> <20040627002742.GK16241@realify.com>
Message-ID: <1088448832.17133.75.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2004-06-28 at 09:11, Panu Matilainen wrote:
> I wouldn't call it an apt-problem, you just need to put it into same
> context as rpm. This should already be the case on Fedora Core 2, dunno
> about upstream selinux policy packages - this is from stock FC2
> /etc/security/selinux/src/policy/file_contexts/program/rpm.fc:
> /usr/bin/apt-get -- system_u:object_r:rpm_exec_t
> /usr/bin/apt-shell -- system_u:object_r:rpm_exec_t
> /usr/bin/synaptic -- system_u:object_r:rpm_exec_t

It isn't just a policy issue; rpm had to be modified for SELinux to
set file security contexts when creating files. Those changes are in
the upstream rpm, and yum seems to work as expected when updating.

--
Stephen Smalley
National Security Agency

From Valdis.Kletnieks at vt.edu Mon Jun 28 19:58:17 2004
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Mon, 28 Jun 2004 15:58:17 -0400
Subject: How to properly upgrade policy
In-Reply-To: Your message of "Sat, 26 Jun 2004 16:43:32 +1000." <200406261643.33045.russell@coker.com.au>
References: <1088110834.6023.6.camel@localhost.bluenet> <200406251644.i5PGij26029130@turing-police.cc.vt.edu> <200406261643.33045.russell@coker.com.au>
Message-ID: <200406281958.i5SJwICm032624@turing-police.cc.vt.edu>

On Sat, 26 Jun 2004 16:43:32 +1000, Russell Coker said:
> On Sat, 26 Jun 2004 02:44, Valdis.Kletnieks at vt.edu wrote:
> > Right now, *my* single biggest mangler of contexts is all the local and
> > 3rd-party stuff that gets into system directories via 'make install' rather
> > than via RPM (so far this morning, I've already had one package that I did
> > a 'cvs update' and then 'make/make install', and since it supports plugins,
> > the following clean-up relabeled about 30 *.so files to shlib_t....
>
> Why not just build RPMs of all your third-party stuff?

Laziness, mostly. There's a few CVS trees that I follow that are
fast-moving targets. It's easier to just have a 2-line shell script that
does a 'make install' and a 'setfiles ../file-contexts /usr/local' than
to create a .spec file and keep it up to date and get rpmbuild and cvs to
play nice for a CVS tree that you're syncing to more than twice a week... ;)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL:

From bobgus at rcn.com Mon Jun 28 20:22:39 2004
From: bobgus at rcn.com (Bob Gustafson)
Date: Mon, 28 Jun 2004 15:22:39 -0500
Subject: Has the boot param syntax/semantics changed?
Message-ID:

I have been using 'selinux=1 enforcing=0' with the thought that my system
will work, but if things are not right, an avc message will appear in my
log files.

The /etc/selinux/config file had the contents

[root at hoho2 user1]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcinfg - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
#SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=strict
POLICYTYPE=strict
[root at hoho2 user1]#

I was dutifully going to 'init 1' and doing 'fixfiles relabel' after every
update of policy or selinux related software - and then rebooting. [I still
got lots of avc messages]

Then I changed the /etc/selinux/config to the version shown below and
rebooted.

I got far less messages, and I was even able to go to root when clicking on
gnome applications that required higher priority (with above config
contents, whatever I typed was not enough, gnome kept coming back for more)

[root at hoho2 user1]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcinfg - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
#SELINUX=disabled
SELINUX=enforcing
#SELINUXTYPE=strict
SELINUXTYPE=permissive
POLICYTYPE=strict
[root at hoho2 user1]#

My assumption has been that the boot parameters override the contents of
the /etc/selinux/config file, and that the boot param 'enforcing=0' will
make the selinux a permissive one.

Have these assumptions changed?

From selinux at comcast.net Mon Jun 28 21:02:03 2004
From: selinux at comcast.net (Tom London)
Date: Mon, 28 Jun 2004 14:02:03 -0700
Subject: Has the boot param syntax/semantics changed?
Message-ID: <40E0874B.3050306@comcast.net>

> ------------------------------------------------------------------------
> * /From/: Bob Gustafson
> ------------------------------------------------------------------------
> [root hoho2 user1]# cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcinfg - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> #SELINUX=disabled
> SELINUX=enforcing
> SELINUXTYPE=strict
> POLICYTYPE=strict
> [root hoho2 user1]#
>
> Then I changed the /etc/selinux/config to the version shown below and rebooted.
>
> I got far less messages, and I was even able to go to root when clicking on
> gnome applications that required higher priority (with above config
> contents, whatever I typed was not enough, gnome kept coming back for more)
>
> [root hoho2 user1]# cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcinfg - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> #SELINUX=disabled
> SELINUX=enforcing
> #SELINUXTYPE=strict
> SELINUXTYPE=permissive
> POLICYTYPE=strict
> [root hoho2 user1]#
>
> My assumption has been that the boot parameters override the contents of
> the /etc/selinux/config file, and that the boot param 'enforcing=0' will
> make the selinux a permissive one.
>
> Have these assumptions changed?

Well, the names have changed a bit ;) POLICYTYPE is no longer operative,
so I think you have booted up in 'targeted' mode, not strict.

'enforcing=0' still works for me.

Here is what you need for strict:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcinfg - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing

# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=strict

tom

From gbpeck at sbcglobal.net Mon Jun 28 22:32:22 2004
From: gbpeck at sbcglobal.net (Gary Peck)
Date: Mon, 28 Jun 2004 18:32:22 -0400
Subject: [apt-rpm] apt and selinux (was: Re: restorecon vs. setfiles)
In-Reply-To: <1088448832.17133.75.camel@moss-spartans.epoch.ncsc.mil>
References: <1084968582.30873.3.camel@moss-spartans.epoch.ncsc.mil> <40ABB2DE.5090107@redhat.com> <20040625163415.GI16241@realify.com> <1088182761.6872.138.camel@moss-spartans.epoch.ncsc.mil> <40DC5936.1040004@redhat.com> <1088185455.6872.183.camel@moss-spartans.epoch.ncsc.mil> <20040627001234.GJ16241@realify.com> <20040627002742.GK16241@realify.com> <1088448832.17133.75.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20040628223221.GC2887@taz>

On Mon, Jun 28, 2004 at 02:53:52PM -0400, Stephen Smalley wrote:
> On Mon, 2004-06-28 at 09:11, Panu Matilainen wrote:
> > I wouldn't call it an apt-problem, you just need to put it into same
> > context as rpm. This should already be the case on Fedora Core 2, dunno
> > about upstream selinux policy packages - this is from stock FC2
> > /etc/security/selinux/src/policy/file_contexts/program/rpm.fc:
> > /usr/bin/apt-get -- system_u:object_r:rpm_exec_t
> > /usr/bin/apt-shell -- system_u:object_r:rpm_exec_t
> > /usr/bin/synaptic -- system_u:object_r:rpm_exec_t

The context is not the problem. I'm running the targeted policy from
FCdev, which makes both /bin/rpm and /usr/bin/apt*
system_u:object_r:bin_t. rpm works fine, however, whereas apt-get does
not.

> It isn't just a policy issue; rpm had to be modified for SELinux to
> set file security contexts when creating files. Those changes are in
> the upstream rpm, and yum seems to work as expected when updating.

I believe apt needs similar modifications. The attached patch to apt
fixes the problem for me. I'm not too familiar with rpm, apt, or selinux
internals, so this patch might need some work. I just took the code
from rpm's lib/rpminstall.c/rpmInstall() function which seemed to be
missing in apt's apt-pkg/rpm/rpmpm.cc/pkgRPMLibPM::Process() function.
Before the patch, running "apt-get install --reinstall zlib" produced this result: # rpm -q --fscontext zlib /usr/lib/libz.so.1 root:object_r:lib_t /usr/lib/libz.so.1.2.1.1 root:object_r:lib_t /usr/share/doc/zlib-1.2.1.1 system_u:object_r:usr_t /usr/share/doc/zlib-1.2.1.1/README system_u:object_r:usr_t After the patch, running "apt-get install --reinstall zlib" produced this result: # rpm -q --fscontext zlib /usr/lib/libz.so.1 system_u:object_r:lib_t /usr/lib/libz.so.1.2.1.1 system_u:object_r:shlib_t /usr/share/doc/zlib-1.2.1.1 system_u:object_r:usr_t /usr/share/doc/zlib-1.2.1.1/README system_u:object_r:usr_t The correct result, according to rpm, is the second one: # rpm -q --recontext zlib /usr/lib/libz.so.1 system_u:object_r:lib_t /usr/lib/libz.so.1.2.1.1 system_u:object_r:shlib_t /usr/share/doc/zlib-1.2.1.1 system_u:object_r:usr_t /usr/share/doc/zlib-1.2.1.1/README system_u:object_r:usr_t gary -------------- next part -------------- --- apt-0.5.15cnc6/apt-pkg/rpm/rpmpm.cc.selinux 2004-06-28 17:30:52.996194951 -0400 +++ apt-0.5.15cnc6/apt-pkg/rpm/rpmpm.cc 2004-06-28 17:45:12.394104099 -0400 @@ -778,6 +778,21 @@ TS = rpmtransCreateSet(DB, Dir.c_str()); #endif +#if RPM_VERSION >= 0x040300 + if (!(tsFlags & RPMTRANS_FLAG_NOCONTEXTS)) { + rpmsx sx = rpmtsREContext(TS); + if (sx == NULL) { + const char *fn = rpmGetPath("%{?_install_file_context_path}", NULL); + if (fn != NULL && *fn != '\0') { + sx = rpmsxNew(fn); + (void) rpmtsSetREContext(TS, sx); + } + fn = (const char *) _free(fn); + } + sx = rpmsxFree(sx); + } +#endif + if (_config->FindB("RPM::OldPackage", true) || !upgrade.empty()) { probFilter |= RPMPROB_FILTER_OLDPACKAGE; } @@ -921,6 +936,10 @@ Opts->Value == "--excludeconfigs") *tsFlags |= RPMTRANS_FLAG_NOCONFIGS; #endif +#if RPM_VERSION >= 0x040300 + else if (Opts->Value == "--nocontexts") + *tsFlags |= RPMTRANS_FLAG_NOCONTEXTS; +#endif // Problem filter flags else if (Opts->Value == "--replacefiles") From bobgus at rcn.com Tue Jun 29 02:10:19 2004 
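Review bot: in the first hunk (the block following `TS = rpmtransCreateSet(...)`), the result of `rpmsxNew(fn)` is passed straight to `rpmtsSetREContext(TS, sx)` with no NULL check, so if `%{?_install_file_context_path}` names a missing or unparsable file_contexts file the transaction silently proceeds without a context map, which reproduces the very symptom this patch fixes (files created with the caller's context instead of the labelled one) but with no diagnostic. Suggest testing `sx == NULL` after `sx = rpmsxNew(fn);` and reporting a warning through apt's usual `_error` mechanism before continuing, so a misconfigured file_contexts path is visible instead of quiet.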
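Review bot: in the second hunk (the `RPM::Options` parsing around `--excludeconfigs`), the new `--nocontexts` option is recognized but documented nowhere, and it is the only way to make the first hunk's `!(tsFlags & RPMTRANS_FLAG_NOCONTEXTS)` test skip the file_contexts lookup. Suggest adding a line for `--nocontexts` wherever the other `RPM::Options` flags handled by this block are documented, plus a changelog entry, so users on non-SELinux systems can find the switch; the `#if RPM_VERSION >= 0x040300` guard matches the first hunk, which is good.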
From: bobgus at rcn.com (Bob Gustafson)
Date: Mon, 28 Jun 2004 21:10:19 -0500
Subject: Has the boot param syntax/semantics changed?
In-Reply-To: <40E0874B.3050306@comcast.net>
Message-ID:

On Mon, 28 Jun 2004 14:02:03 -0700, Tom London wrote:
> > ------------------------------------------------------------------------
> > * /From/: Bob Gustafson
> > ------------------------------------------------------------------------
> > [root hoho2 user1]# cat /etc/selinux/config
> > # This file controls the state of SELinux on the system.
> > # SELINUX= can take one of these three values:
> > # enforcinfg - SELinux security policy is enforced.
> > # permissive - SELinux prints warnings instead of enforcing.
> > # disabled - No SELinux policy is loaded.
> > #SELINUX=disabled
> > SELINUX=enforcing
> > SELINUXTYPE=strict
> > POLICYTYPE=strict
> > [root hoho2 user1]#
> >
> > Then I changed the /etc/selinux/config to the version shown below and
> > rebooted.
> >
> > I got far less messages, and I was even able to go to root when clicking on
> > gnome applications that required higher priority (with above config
> > contents, whatever I typed was not enough, gnome kept coming back for more)
> >
> > [root hoho2 user1]# cat /etc/selinux/config
> > # This file controls the state of SELinux on the system.
> > # SELINUX= can take one of these three values:
> > # enforcinfg - SELinux security policy is enforced.
> > # permissive - SELinux prints warnings instead of enforcing.
> > # disabled - No SELinux policy is loaded.
> > #SELINUX=disabled
> > SELINUX=enforcing
> > #SELINUXTYPE=strict
> > SELINUXTYPE=permissive
> > POLICYTYPE=strict
> > [root hoho2 user1]#
> >
> > My assumption has been that the boot parameters override the contents of
> > the /etc/selinux/config file, and that the boot param 'enforcing=0' will
> > make the selinux a permissive one.
> >
> > Have these assumptions changed?
>
> Well, the names have changed a bit ;) POLICYTYPE is no longer
> operative, so I think you have booted up in 'targeted' mode, not strict.
>
> 'enforcing=0' still works for me.
>
> Here is what you need for strict:
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcinfg - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=enforcing
>
> # SELINUXTYPE= can take one of these two values:
> # targeted - Only targeted network daemons are protected.
> # strict - Full SELinux protection.
> SELINUXTYPE=strict
>
> tom

If POLICYTYPE is no longer used, then the file that contains that
deprecated param should be either overwritten during the 'yum update'
process, or a note or message should show up somewhere (visibly) during the
'yum update' process.

If the user's config file is not changed, but the program changes in the
'yum update', then there is a problem (perhaps even a 'process bug').

Is there a 'permissive' value for SELINUXTYPE?

Using the boot param 'enforcing=0' seems to be different than setting the
SELINUXTYPE=permissive for me.

enforcing=0 was less permissive...

BobG

From selinux at comcast.net Tue Jun 29 03:58:10 2004
From: selinux at comcast.net (Tom London)
Date: Mon, 28 Jun 2004 20:58:10 -0700
Subject: Has the boot param syntax/semantics changed?
Message-ID: <40E0E8D2.7000801@comcast.net>

Yeah, you don't want to set SELINUXTYPE to permissive. That appears to
be the same as selecting the 'targeted' policy. (I guess, 'not strict').
(The comment in the config file says SELINUXTYPE can take one of two
values, targeted or strict).

To select permissive mode, you set SELINUX=permissive. For me, setting
SELINUX to permissive is the same as booting with 'enforcing=0'.

tom

> ------------------------------------------------------------------------
> * /From/: Bob Gustafson
>
> If POLICYTYPE is no longer used, then the file that contains that
> deprecated param should be either overwritten during the 'yum update'
> process, or a note or message should show up somewhere (visibly) during the
> 'yum update' process.
>
> If the user's config file is not changed, but the program changes in the
> 'yum update', then there is a problem (perhaps even a 'process bug').
>
> Is there a 'permissive' value for SELINUXTYPE?
>
> Using the boot param 'enforcing=0' seems to be different than setting the
> SELINUXTYPE=permissive for me.
>
> enforcing=0 was less permissive...
>
> BobG

From rhallyx at mindspring.com Tue Jun 29 06:14:17 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Tue, 29 Jun 2004 02:14:17 -0400
Subject: additions to strict policy
Message-ID: <40E108B9.3000606@mindspring.com>

Below (and as an attached file) are some policy allow rules to be added
to the strict policy. These allow rules were developed by running the
latest /devel tree using selinux-policy-strict-sources-1.13.10-3 and
putting the resulting avc denied messages through audit2allow. Most are
necessary to perform normal operations while in enforcing mode. Some of
the rules marked "#from booting" may be candidates for dontaudit rules.

Thanks for the help,
Richard Hally

#from " logrotate -f /etc/logrotate.conf" while root(sysadm_r)
allow logrotate_t devpts_t:dir { search };
allow logrotate_t initrc_t:process { transition };
allow logrotate_t mysqld_log_t:file { execute };
allow logrotate_t mysqld_log_t:file { execute_no_trans };
allow logrotate_t privoxy_log_t:file { execute };
allow logrotate_t privoxy_log_t:file { execute_no_trans };
allow logrotate_t selinux_config_t:dir { search };
allow logrotate_t selinux_config_t:file { getattr read };
allow logrotate_t staff_home_dir_t:dir { read search };
allow logrotate_t var_t:file { getattr };
allow logrotate_t var_t:file { read };

# from booting
allow lvm_t file_t:dir { getattr read };
allow mount_t ptmx_t:chr_file { read write };
allow mount_t rhgb_gph_t:fd { use };
allow mount_t rhgb_t:unix_stream_socket { read write };
allow rhgb_t staff_home_dir_t:dir { search };

# from booting
allow udev_t dbusd_t:unix_stream_socket { connectto };
allow udev_t dbusd_var_run_t:dir { search };
allow udev_t dbusd_var_run_t:sock_file { write };
allow udev_t file_t:dir { search };

# from exe=/usr/bin/mDNSResponder during boot
allow user_t dns_port_t:udp_socket { name_bind };

# from starting mozilla as staff_r
allow staff_mozilla_t file_t:dir { getattr };
allow staff_mozilla_t staff_home_t:file { unlink };
allow staff_mozilla_t xdm_tmp_t:dir { search };

# from normal gnome session as staff_r
allow staff_screensaver_t xdm_tmp_t:dir { search };
allow staff_screensaver_t xdm_tmp_t:sock_file { write };
allow staff_t file_t:dir { getattr };
allow staff_t staff_t:netlink_route_socket { create };

#from starting postgresql server during boot and using postgresql as user.
allow initrc_su_t postgresql_db_t:dir { search };
allow user_t postgresql_db_t:dir { add_name getattr read remove_name search write };
allow user_t postgresql_db_t:file { create getattr read rename unlink write };
allow staff_t user_tmp_t:sock_file { write };
allow staff_t user_t:unix_stream_socket { connectto };

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: addthese.te
URL:

From pmatilai at welho.com Tue Jun 29 10:00:37 2004
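The rule list above was produced by feeding kernel "avc: denied" lines to audit2allow, and it contains separate rules for the same source/target/class (e.g. logrotate_t var_t:file with getattr and read in two rules). The following added example, written for this page and not part of the thread or of audit2allow itself, parses AVC lines in the format quoted in this thread, skips "granted" records, and merges permissions per rule so the output is easier to review before it goes into local.te; the log lines inside it are constructed.

```python
"""Merge SELinux AVC denial messages into consolidated allow rules.

Added example, not the original audit2allow code. It parses the 2004-era
kernel AVC format quoted in this thread, ignores 'granted' records, and
merges permissions per (source type, target type, class).
"""
import re
from collections import defaultdict

# Matches lines such as:
#   audit(1088492566.426:0): avc: denied { search } for pid=226 exe=/bin/bash
#   name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t
#   tcontext=system_u:object_r:file_t tclass=dir
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (verdict, perms, source_type, target_type, tclass) or None.

    A context is user:role:type; only the type field matters for an
    allow rule, so the third colon-separated field is extracted.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = frozenset(m.group("perms").split())
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return m.group("verdict"), perms, stype, ttype, m.group("tclass")


def merge_denials(lines):
    """Collect permissions from 'denied' AVC lines, keyed by rule target."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        verdict, perms, stype, ttype, tclass = parsed
        if verdict != "denied":
            # 'granted' records (like the load_policy lines quoted in this
            # thread) describe access that already works; no rule is needed.
            continue
        rules[(stype, ttype, tclass)] |= perms
    return rules


def format_rules(rules):
    """Render merged rules in 'allow src tgt:class { perms };' syntax."""
    out = []
    for key in sorted(rules):
        stype, ttype, tclass = key
        perms = " ".join(sorted(rules[key]))
        out.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return out


# Constructed sample lines in the shape of the log excerpts in this thread;
# pids, inode numbers and timestamps are made up.
SAMPLE_LOG = [
    "Jun 27 06:48:25 hoho2 kernel: audit(1088336905.471:0): avc: granted "
    "{ load_policy } for pid=4626 exe=/usr/sbin/load_policy "
    "scontext=root:sysadm_r:load_policy_t "
    "tcontext=system_u:object_r:security_t tclass=security",
    "Jun 29 07:04:05 vaio kernel: audit(1088492566.426:0): avc: denied "
    "{ search } for pid=226 exe=/bin/bash name=proc dev=hda2 ino=1121665 "
    "scontext=system_u:system_r:udev_t "
    "tcontext=system_u:object_r:file_t tclass=dir",
    "Jun 29 07:05:01 vaio kernel: audit(1088492701.100:0): avc: denied "
    "{ getattr } for pid=300 exe=/usr/sbin/logrotate dev=hda2 ino=4242 "
    "scontext=root:sysadm_r:logrotate_t "
    "tcontext=system_u:object_r:var_t tclass=file",
    "Jun 29 07:05:01 vaio kernel: audit(1088492701.101:0): avc: denied "
    "{ read } for pid=300 exe=/usr/sbin/logrotate dev=hda2 ino=4242 "
    "scontext=root:sysadm_r:logrotate_t "
    "tcontext=system_u:object_r:var_t tclass=file",
    "Jun 29 07:05:02 vaio kernel: not an avc line at all",
]

if __name__ == "__main__":
    for rule in format_rules(merge_denials(SAMPLE_LOG)):
        print(rule)
```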
From: pmatilai at welho.com (Panu Matilainen)
Date: Tue, 29 Jun 2004 13:00:37 +0300 (EEST)
Subject: [apt-rpm] apt and selinux (was: Re: restorecon vs. setfiles)
In-Reply-To: <20040628223221.GC2887@taz>
References: <1084968582.30873.3.camel@moss-spartans.epoch.ncsc.mil> <40ABB2DE.5090107@redhat.com> <20040625163415.GI16241@realify.com> <1088182761.6872.138.camel@moss-spartans.epoch.ncsc.mil> <40DC5936.1040004@redhat.com> <1088185455.6872.183.camel@moss-spartans.epoch.ncsc.mil> <20040627001234.GJ16241@realify.com> <20040627002742.GK16241@realify.com> <1088448832.17133.75.camel@moss-spartans.epoch.ncsc.mil> <20040628223221.GC2887@taz>
Message-ID:

On Mon, 28 Jun 2004, Gary Peck wrote:
> On Mon, Jun 28, 2004 at 02:53:52PM -0400, Stephen Smalley wrote:
> > On Mon, 2004-06-28 at 09:11, Panu Matilainen wrote:
> > > I wouldn't call it an apt-problem, you just need to put it into same
> > > context as rpm. This should already be the case on Fedora Core 2, dunno
> > > about upstream selinux policy packages - this is from stock FC2
> > > /etc/security/selinux/src/policy/file_contexts/program/rpm.fc:
> > > /usr/bin/apt-get -- system_u:object_r:rpm_exec_t
> > > /usr/bin/apt-shell -- system_u:object_r:rpm_exec_t
> > > /usr/bin/synaptic -- system_u:object_r:rpm_exec_t
>
> The context is not the problem. I'm running the targeted policy from
> FCdev, which makes both /bin/rpm and /usr/bin/apt*
> system_u:object_r:bin_t. rpm works fine, however, whereas apt-get does
> not.

Ok, the policy has changed in the development tree since FC2 release,
apt-rpm *was* working ok with the above context settings the last I
looked.

> > It isn't just a policy issue; rpm had to be modified for SELinux to
> > set file security contexts when creating files. Those changes are in
> > the upstream rpm, and yum seems to work as expected when updating.
>
> I believe apt needs similar modifications. The attached patch to apt
> fixes the problem for me. I'm not too familiar with rpm, apt, or selinux
> internals, so this patch might need some work. I just took the code
> from rpm's lib/rpminstall.c/rpmInstall() function which seemed to be
> missing in apt's apt-pkg/rpm/rpmpm.cc/pkgRPMLibPM::Process() function.

Much of the code in pkgRPMLibPM is lifted more-or-less directly from
rpmInstall(), no problem with that :) I'll have a closer look at this one
of these days but basically the patch seems fine to me if that's what rpm
itself does.

- Panu -

From sds at epoch.ncsc.mil Tue Jun 29 13:01:14 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 29 Jun 2004 09:01:14 -0400
Subject: Has the boot param syntax/semantics changed?
In-Reply-To: <40E0E8D2.7000801@comcast.net>
References: <40E0E8D2.7000801@comcast.net>
Message-ID: <1088514074.21992.60.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2004-06-28 at 23:58, Tom London wrote:
> Yeah, you don't want to set SELINUXTYPE to permissive. That appears to
> be the same as selecting the 'targeted' policy. (I guess, 'not strict').
> (The comment in the config file says SELINUXTYPE can take one of two
> values, targeted or strict).

If you set SELINUXTYPE= to a name that does not exist under /etc/selinux,
then /sbin/init will fail to load a policy, so it should die if enforcing
or proceed under permissive/no-policy otherwise.

--
Stephen Smalley
National Security Agency

From bobgus at rcn.com Tue Jun 29 13:15:49 2004
From: bobgus at rcn.com (Bob Gustafson)
Date: Tue, 29 Jun 2004 08:15:49 -0500
Subject: Has the boot param syntax/semantics changed?
In-Reply-To: <40E0E8D2.7000801@comcast.net>
Message-ID:

Yeah, got it. I have my params set to:

[root at hoho2 etc]# cat selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcinfg - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
#SELINUX=disabled
SELINUX=permissive
SELINUXTYPE=strict

Also just for good measure - my boot params are 'selinux=1 enforcing=0'

Would be nice if the routines parsing these values would holler out if
there are syntax errors (or manual mis-readings.., incorrect values, etc.)

BobG

On Mon, 28 Jun 2004 20:58:10 -0700, Tom London wrote:
> Yeah, you don't want to set SELINUXTYPE to permissive. That appears to
> be the same as selecting the 'targeted' policy. (I guess, 'not strict').
> (The comment in the config file says SELINUXTYPE can take one of two
> values, targeted or strict).
>
> To select permissive mode, you set SELINUX=permissive. For me, setting
> SELINUX to permissive is the same as booting with 'enforcing=0'.
>
> tom

From sds at epoch.ncsc.mil Tue Jun 29 13:38:32 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 29 Jun 2004 09:38:32 -0400
Subject: Has the boot param syntax/semantics changed?
In-Reply-To:
References:
Message-ID: <1088516312.21992.82.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2004-06-29 at 09:15, Bob Gustafson wrote:
> Would be nice if the routines parsing these values would holler out if
> there are syntax errors (or manual mis-readings.., incorrect values, etc.)

Run selinuxconfig to see your current configuration settings.

/sbin/init should log a warning if it cannot open the policy file, e.g.
due to bad configuration setting for the SELINUXTYPE, but there might be
an issue with the present call to log().

--
Stephen Smalley
National Security Agency

From bobgus at rcn.com Tue Jun 29 14:03:32 2004
From: bobgus at rcn.com (Bob Gustafson) Date: Tue, 29 Jun 2004 09:03:32 -0500 Subject: Has the boot param syntax/semantics changed? In-Reply-To: <1088516312.21992.82.camel@moss-spartans.epoch.ncsc.mil> References: Message-ID: On Tue, 29 Jun 2004 09:38:32 -0400, Stephen Smalley wrote: >On Tue, 2004-06-29 at 09:15, Bob Gustafson wrote: >> Would be nice if the routines parsing these values would holler out if >> there are syntax errors (or manual mis-readings.., incorrect values, etc.) > >Run selinuxconfig to see your current configuration settings. [root at hoho2 etc]# selinuxconfig selinux state="permissive" policypath="/etc/selinux/strict" default_type_path="/etc/selinux/strict/contexts/default_type" default_context_path="/etc/selinux/strict/contexts/default_contexts" default_failsafe_context_path="/etc/selinux/strict/contexts/failsafe_context" binary_policy_path="/etc/selinux/strict/policy/policy" user_contexts_path="/etc/selinux/strict/contexts/users/" contexts_path="/etc/selinux/strict/contexts" [root at hoho2 etc]# Hmm, that looks pretty useful. I wonder what it would have looked like with the wrong values in the /etc/selinux/config? And to what effect? > >/sbin/init should log a warning if it cannot open the policy file, e.g. >due to bad configuration setting for the SELINUXTYPE, but there might be >an issue with the present call to log(). I did not see any failures, but clearly I had the wrong values in my /etc/selinux/config file: [root at hoho2 log]# grep policy messages* messages:Jun 27 06:48:25 hoho2 kernel: audit(1088336905.471:0): avc: granted { load_policy } for pid=4626 exe=/usr/sbin/load_policy scontext=root:sysadm_r:lo ad_policy_t tcontext=system_u:object_r:security_t tclass=security messages:Jun 27 06:48:50 hoho2 kernel: audit(1088336930.238:0): avc: granted { load_policy } for pid=4688 exe=/usr/sbin/load_policy scontext=root:sysadm_r:lo ad_policy_t tcontext=system_u:object_r:security_t tclass=security ... ... 
BobG From sds at epoch.ncsc.mil Tue Jun 29 14:08:48 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Tue, 29 Jun 2004 10:08:48 -0400 Subject: Has the boot param syntax/semantics changed? In-Reply-To: References: Message-ID: <1088518128.21992.95.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2004-06-29 at 10:03, Bob Gustafson wrote: > Hmm, that looks pretty useful. > > I wonder what it would have looked like with the wrong values in the > /etc/selinux/config? For the SELINUXTYPE=, there is no fixed set of legitimate values, because anyone might install their own "foo" policy under /etc/selinux. So with SELINUXTYPE=permissive, you would have just seen output like: policypath="/etc/selinux/permissive" default_type_path="/etc/selinux/permissive/contexts/default_type" ... > And to what effect? Since the "permissive" directory didn't exist, init wouldn't be able to load a policy. If enforcing, then init should have died immediately with an error. If permissive, it should have logged a warning and proceeded in permissive with no policy loaded. > I did not see any failures, but clearly I had the wrong values in my > /etc/selinux/config file: It likely wouldn't be captured in /var/log/messages, since this is happening _before_ syslogd is started. But there should be a message on the console (but I agree that I also do not see one, so this is a bug). -- Stephen Smalley National Security Agency From selinux at comcast.net Tue Jun 29 14:34:46 2004 
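Stephen Smalley's reply above explains why the SELINUXTYPE= value cannot be checked against a fixed list, only against what actually exists under /etc/selinux, and what init does when that tree is missing. The following Python is an added example, not code from the thread, from init or from the SELinux project: it is the kind of "holler out" check Bob Gustafson asked for. It parses /etc/selinux/config-style text, validates SELINUX= against the three known modes, derives the same paths selinuxconfig printed, and reports a missing policy tree together with the consequence Stephen describes. The names `parse_selinux_config`, `derive_paths` and `check_selinux_config`, the two constructed sample configs, and the injectable `isdir` hook (so the check runs offline) are this example's own; the second sample uses SELINUXTYPE=permissive, the value Stephen uses in his illustration.

```python
import os
import re

# Legal values for the SELINUX= key (the enforcing state). SELINUXTYPE= has no
# such list: it names a directory under /etc/selinux, so existence is the only check.
VALID_MODES = ("enforcing", "permissive", "disabled")
KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(\S+)\s*$")

# Constructed sample configs (not taken from the thread).
GOOD_CONFIG = """\
# constructed sample of /etc/selinux/config
SELINUX=permissive
SELINUXTYPE=strict
"""
SWAPPED_CONFIG = """\
# constructed sample with the two values transposed
SELINUX=strict
SELINUXTYPE=permissive
"""


def parse_selinux_config(text):
    """Parse KEY=value text; return (settings, problems).

    Comments and blank lines are skipped; any other unparsable line is
    reported instead of being silently dropped.
    """
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m is None:
            problems.append(f"line {lineno}: cannot parse {line!r}")
            continue
        settings[m.group(1)] = m.group(2)
    return settings, problems


def derive_paths(selinuxtype, root="/etc/selinux"):
    """Derive the path layout selinuxconfig printed in the thread."""
    base = f"{root}/{selinuxtype}"
    return {
        "policypath": base,
        "binary_policy_path": f"{base}/policy/policy",
        "contexts_path": f"{base}/contexts",
        "default_context_path": f"{base}/contexts/default_contexts",
    }


def check_selinux_config(text, isdir=os.path.isdir):
    """Validate the two keys init reads and state what init would do.

    `isdir` is injectable so the check can be exercised without a real
    /etc/selinux tree.
    """
    settings, problems = parse_selinux_config(text)

    mode = settings.get("SELINUX")
    if mode is None:
        problems.append("SELINUX= is not set")
    elif mode not in VALID_MODES:
        problems.append(f"SELINUX={mode!r} is not one of {', '.join(VALID_MODES)}")

    stype = settings.get("SELINUXTYPE")
    if stype is None:
        problems.append("SELINUXTYPE= is not set")
    elif "/" in stype or stype in (".", ".."):
        problems.append(f"SELINUXTYPE={stype!r} is not a plain directory name")
    else:
        paths = derive_paths(stype)
        if not isdir(paths["policypath"]):
            # Consequences as described in the thread for enforcing and permissive.
            if mode == "enforcing":
                consequence = "init would exit with an error"
            elif mode == "permissive":
                consequence = "init would continue with no policy loaded"
            else:
                consequence = "ignored while SELINUX is not enforcing or permissive"
            problems.append(
                f"SELINUXTYPE={stype!r}: {paths['policypath']} does not exist; {consequence}"
            )
    return problems


def demo_isdir(path):
    """Stand-in for os.path.isdir: only the strict tree 'exists' (constructed)."""
    return path == "/etc/selinux/strict"


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("swapped", SWAPPED_CONFIG)):
        for problem in check_selinux_config(cfg, demo_isdir) or ["ok"]:
            print(f"{name}: {problem}")
```

Run against a real system, drop the `demo_isdir` argument so `os.path.isdir` is used; the missing-directory case is the one Stephen notes init should report on the console but currently does not.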
From: selinux at comcast.net (Tom London)
Date: Tue, 29 Jun 2004 07:34:46 -0700
Subject: kernel-2.6.7-1.439: 'new' AVCs at boot time
Message-ID: <40E17E06.4090508@comcast.net>

kernel-2.6.7-1.439 produces the AVCs shown below. Appears to be having some problem early on dealing with /proc (or /sys) ? (looks like inode#1121665 is the mount point /proc or /sys on /).

This didn't happen with earlier kernels. It appears to cause no problems.

tom

--------------------------------------------------
Jun 29 07:04:05 vaio kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Jun 29 07:04:05 vaio kernel: audit(1088492566.426:0): avc: denied { search } for pid=226 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:05 vaio kernel: audit(1088492566.462:0): avc: denied { search } for pid=231 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:05 vaio kernel: audit(1088492566.500:0): avc: denied { search } for pid=236 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492566.538:0): avc: denied { search } for pid=241 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492566.571:0): avc: denied { search } for pid=245 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492566.611:0): avc: denied { search } for pid=251 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492566.651:0): avc: denied { search } for pid=257 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492566.721:0): avc: denied { search } for pid=272 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492566.756:0): avc: denied { search } for pid=277 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492566.793:0): avc: denied { search } for pid=282 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492566.832:0): avc: denied { search } for pid=287 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492566.855:0): avc: denied { search } for pid=289 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492566.883:0): avc: denied { search } for pid=293 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492566.915:0): avc: denied { search } for pid=297 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492566.954:0): avc: denied { search } for pid=303 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492566.994:0): avc: denied { search } for pid=309 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492567.049:0): avc: denied { search } for pid=318 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492567.072:0): avc: denied { search } for pid=320 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492567.178:0): avc: denied { search } for pid=334 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: audit(1088492567.181:0): avc: denied { search } for pid=332 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir
Jun 29 07:04:06 vaio kernel: SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts

From sds at epoch.ncsc.mil Tue Jun 29 15:28:21 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 29 Jun 2004 11:28:21 -0400
Subject: kernel-2.6.7-1.439: 'new' AVCs at boot time
In-Reply-To: <40E17E06.4090508@comcast.net>
References: <40E17E06.4090508@comcast.net>
Message-ID: <1088522901.21992.110.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2004-06-29 at 10:34, Tom London wrote:
> kernel-2.6.7-1.439 produces the AVCs shown below. Appears to be having
> some problem early on dealing with /proc (or /sys) ? (looks like
> inode#1121665
> is the mount point /proc or /sys on /).
>
> This didn't happen with earlier kernels. It appears to cause no problems.

It should be harmless, as any attempt by udev to access proc before it is mounted is going to fail anyway, so this just changes the error condition (ENOENT -> EACCES).

-- 
Stephen Smalley
National Security Agency

From russell at coker.com.au Tue Jun 29 16:34:26 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 30 Jun 2004 02:34:26 +1000
Subject: kernel-2.6.7-1.439: 'new' AVCs at boot time
In-Reply-To: <1088522901.21992.110.camel@moss-spartans.epoch.ncsc.mil>
References: <40E17E06.4090508@comcast.net> <1088522901.21992.110.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200406300234.26189.russell@coker.com.au>

On Wed, 30 Jun 2004 01:28, Stephen Smalley wrote:
> It should be harmless, as any attempt by udev to access proc before it
> is mounted is going to fail anyway, so this just changes the error
> condition (ENOENT -> EACCES).

We will have to add a dontaudit rule for it as we do for a number of other domains that may access mount points before the file system is mounted.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From selinux at comcast.net Tue Jun 29 22:35:57 2004
From: selinux at comcast.net (Tom London)
Date: Tue, 29 Jun 2004 15:35:57 -0700
Subject: RFE: show change of enforcing state in log ?
Message-ID: <40E1EECD.3040904@comcast.net>

How difficult would it be to add 'old state->new state' to the log on a change in the enforcing state?

Currently, 'setenforce' appears to be logged as a toggle....

tom

From ynakam at hitachisoft.jp Wed Jun 30 02:43:34 2004
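Tom London's boot log is twenty copies of the same denial, and Russell Coker's answer is a single dontaudit rule. The Python below is an added example, not code from the thread or from the SELinux project (the project's own tool for this job is audit2allow): it parses the 2004-era `avc: denied { perm } for key=value ...` kernel message format, aggregates denials by source type, target type, object class and permission (a policy rule names types, so the user and role parts of the context are dropped), and renders each group as a `dontaudit` rule of the form Russell mentions. The sample input reuses three of Tom's denial lines, the `load_policy` granted line from Bob Gustafson's message and a non-AVC kernel line from the thread, plus one constructed multi-permission denial to show that a `{ read write }` set is split per permission; `parse_avc`, `summarize_denials` and `render_rule` are names chosen here.

```python
import re
from collections import Counter

# Shape of a 2004-era kernel AVC message: verdict, permission set, then key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Sample log lines: the first five are copied from the thread, the last one is constructed.
SAMPLE_LINES = [
    "Jun 27 06:48:25 hoho2 kernel: audit(1088336905.471:0): avc: granted { load_policy } for pid=4626 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security",
    "Jun 29 07:04:05 vaio kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts",
    "Jun 29 07:04:05 vaio kernel: audit(1088492566.426:0): avc: denied { search } for pid=226 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir",
    "Jun 29 07:04:05 vaio kernel: audit(1088492566.462:0): avc: denied { search } for pid=231 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir",
    "Jun 29 07:04:06 vaio kernel: audit(1088492566.538:0): avc: denied { search } for pid=241 exe=/bin/bash name=proc dev=hda2 ino=1121665 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=dir",
    # constructed: a two-permission denial, not taken from the thread
    "Jun 29 07:04:07 vaio kernel: audit(1088492567.500:0): avc: denied { read write } for pid=400 exe=/bin/bash name=sample dev=hda2 ino=42 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=file",
]


def parse_avc(line):
    """Return a dict for an avc: line, or None for any other kernel message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def context_type(ctx):
    """Extract the type from user:role:type; policy rules name only the type."""
    return ctx.split(":")[2]


def summarize_denials(lines):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"], perm)
            counts[key] += 1
    return counts


def render_rule(key, kind="dontaudit"):
    """Render one aggregated key as a policy rule, e.g. 'dontaudit udev_t file_t:dir search;'."""
    source, target, tclass, perm = key
    return f"{kind} {source} {target}:{tclass} {perm};"


if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE_LINES).items()):
        print(f"{n:4d}  {render_rule(key)}")
```

Whether a group should become `dontaudit` (suppress the record, access still denied) or `allow` (grant it) is the policy author's decision, not the tool's; `dontaudit` fits here only because, as Stephen Smalley notes, the access is failing harmlessly anyway, and the count column is what tells a reviewer which groups are noise and which deserve a closer look.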
From: ynakam at hitachisoft.jp (Yuichi Nakamura)
Date: Wed, 30 Jun 2004 11:43:34 +0900
Subject: avc denied from postgresql
In-Reply-To: <40CFCD3E.8090400@mindspring.com>
References: <40CEBF5F.9020609@mindspring.com> <200406152253.00552.russell@coker.com.au> <40CFCD3E.8090400@mindspring.com>
Message-ID: <20040630114334.4ca86d5e.ynakam@hitachisoft.jp>

On Wed, 16 Jun 2004 00:31:58 -0400
Richard Hally wrote:
> With the above change to the postgresql.fc I get the following avc
> denied messages when booting:

You must add
/usr/bin/postgres -- system_u:object_r:postgresql_exec_t
to postgresql.fc and comment out
session optional /lib/security/$ISA/pam_selinux.so multiple
from /etc/pam.d/su.

-- 
---------
Yuichi Nakamura
Research & Development Department
Hitachi Software Engineering Co., Ltd.
http://www.selinux.hitachi-sk.co.jp/en/