From mike at netlyncs.com Sat Mar 6 12:59:38 2004
From: mike at netlyncs.com (Mike Chambers)
Date: Sat, 06 Mar 2004 06:59:38 -0600
Subject: [Fedora-selinux-list] Initial Email
Message-ID: <1078577978.8389.1.camel@bart.netlyncs.com>

Testing the list and initializing the archive list.

--
Mike Chambers
Madisonville, KY
"It's only funny until someone gets hurt...Then it's hilarious!"

From mike at netlyncs.com Sat Mar 6 13:02:22 2004
From: mike at netlyncs.com (Mike Chambers)
Date: Sat, 06 Mar 2004 07:02:22 -0600
Subject: [Fedora-selinux-list] Initial Email
In-Reply-To: <1078577978.8389.1.camel@bart.netlyncs.com>
References: <1078577978.8389.1.camel@bart.netlyncs.com>
Message-ID: <1078578142.8406.1.camel@bart.netlyncs.com>

On Sat, 2004-03-06 at 06:59, Mike Chambers wrote:
> Testing the list and initializing the archive list.

If you're going to be consistent, you might want to edit the administrative
stuff and remove the [Fedora-selinux-list] subject content.

--
Mike Chambers
Madisonville, KY
"It's only funny until someone gets hurt...Then it's hilarious!"

From jmorris at redhat.com Sat Mar 6 14:56:47 2004
From: jmorris at redhat.com (James Morris)
Date: Sat, 6 Mar 2004 09:56:47 -0500 (EST)
Subject: [Fedora-selinux-list] Initial Email
In-Reply-To: <1078578142.8406.1.camel@bart.netlyncs.com>
Message-ID:

On Sat, 6 Mar 2004, Mike Chambers wrote:

> On Sat, 2004-03-06 at 06:59, Mike Chambers wrote:
> > Testing the list and initializing the archive list.
>
> If you're going to be consistent, you might want to edit the administrative
> stuff and remove the [Fedora-selinux-list] subject content.

Done, hopefully.

Welcome to the list everyone!

- James
--
James Morris

From bkauling at initdefault.de Sat Mar 6 15:04:53 2004
From: bkauling at initdefault.de (Bernd Kauling)
Date: 06 Mar 2004 16:04:53 +0100
Subject: what is SELinux?
Message-ID: <1078585493.3944.2.camel@Anki.mynet>

Hi everyone,

I don't know if I am the first one with a question here (I hope not).
I read an announcement of this list on the fedora mailing list, so I got
subscribed here :)

But what the heck is SELinux?

Sorry for my bad English :)

Regards,
Bernd

From toddb at shredsnow.com Sat Mar 6 14:40:38 2004
From: toddb at shredsnow.com (Todd)
Date: Sat, 6 Mar 2004 06:40:38 -0800 (PST)
Subject: [Fedora-selinux-list] Initial Email
In-Reply-To:
Message-ID: <20040306063839.G24029-100000@secproc.net>

On Sat, 6 Mar 2004, James Morris wrote:

> On Sat, 6 Mar 2004, Mike Chambers wrote:
>
> > On Sat, 2004-03-06 at 06:59, Mike Chambers wrote:
> > > Testing the list and initializing the archive list.
> >
> > If you're going to be consistent, you might want to edit the administrative
> > stuff and remove the [Fedora-selinux-list] subject content.
>
> Done, hopefully.
>
> Welcome to the list everyone!

Thanks. Is there any way to keep the [Fedora-selinux-list] content tag? It
makes it a lot easier to keep track of when you get a few hundred msgs a
day.

Thanks.

- Todd

> - James
> --
> James Morris
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From jmorris at redhat.com Sat Mar 6 15:17:10 2004
From: jmorris at redhat.com (James Morris)
Date: Sat, 6 Mar 2004 10:17:10 -0500 (EST)
Subject: what is SELinux?
In-Reply-To: <1078585493.3944.2.camel@Anki.mynet>
Message-ID:

On 6 Mar 2004, Bernd Kauling wrote:

> Hi everyone,
>
> I don't know if I am the first one with a question here (I hope not).
> I read an announcement of this list on the fedora mailing list,
> so I got subscribed here :)
>
> But what the heck is SELinux?

Security Enhanced Linux, http://www.nsa.gov/selinux/

It's been merged into the 2.6 kernel, and Fedora is one of the
distributions which is integrating it into the OS.
- James
--
James Morris

From jmorris at redhat.com Sat Mar 6 15:18:07 2004
From: jmorris at redhat.com (James Morris)
Date: Sat, 6 Mar 2004 10:18:07 -0500 (EST)
Subject: [Fedora-selinux-list] Initial Email
In-Reply-To: <20040306063839.G24029-100000@secproc.net>
Message-ID:

On Sat, 6 Mar 2004, Todd wrote:

> Thanks. Is there any way to keep the [Fedora-selinux-list] content tag? It
> makes it a lot easier to keep track of when you get a few hundred msgs a
> day.

It's a global setting, which has just been disabled. I'd suggest using
procmail to sort email into mailboxes, or similar.

- James
--
James Morris

From jwboyer at charter.net Sat Mar 6 15:17:31 2004
From: jwboyer at charter.net (Josh Boyer)
Date: Sat, 6 Mar 2004 09:17:31 -0600
Subject: [Fedora-selinux-list] Initial Email
In-Reply-To: <20040306063839.G24029-100000@secproc.net>
References: <20040306063839.G24029-100000@secproc.net>
Message-ID: <200403060917.31778.jwboyer@charter.net>

On Saturday 06 March 2004 08:40 am, Todd wrote:
> Thanks. Is there any way to keep the [Fedora-selinux-list] content tag? It
> makes it a lot easier to keep track of when you get a few hundred msgs a
> day.

Which mailer are you using? I just create a filter on the mailing list and
have them filed into a different folder. Could you do that?

josh

From toddb at shredsnow.com Sat Mar 6 15:00:31 2004
From: toddb at shredsnow.com (Todd)
Date: Sat, 6 Mar 2004 07:00:31 -0800 (PST)
Subject: [Fedora-selinux-list] Initial Email
In-Reply-To:
Message-ID: <20040306065701.R24029-100000@secproc.net>

On Sat, 6 Mar 2004, James Morris wrote:

> On Sat, 6 Mar 2004, Todd wrote:
>
> > Thanks. Is there any way to keep the [Fedora-selinux-list] content tag? It
> > makes it a lot easier to keep track of when you get a few hundred msgs a
> > day.
>
> It's a global setting, which has just been disabled. I'd suggest using
> procmail to sort email into mailboxes, or similar.

Understood. Out of sight, out of mind. ;P

Thanks.
- Todd

From toddb at shredsnow.com Sat Mar 6 15:03:03 2004
From: toddb at shredsnow.com (Todd)
Date: Sat, 6 Mar 2004 07:03:03 -0800 (PST)
Subject: [Fedora-selinux-list] Initial Email
In-Reply-To: <200403060917.31778.jwboyer@charter.net>
Message-ID: <20040306070052.X24029-100000@secproc.net>

On Sat, 6 Mar 2004, Josh Boyer wrote:

> On Saturday 06 March 2004 08:40 am, Todd wrote:
> > Thanks. Is there any way to keep the [Fedora-selinux-list] content tag? It
> > makes it a lot easier to keep track of when you get a few hundred msgs a
> > day.
>
> Which mailer are you using? I just create a filter on the mailing list and
> have them filed into a different folder. Could you do that?

Sure could. Thanks for the suggestion. I would tend not to read them as
much using filtering. Just a challenge I need to overcome. Enough time
spent OT...

Thanks again.

- Todd

From bkauling at initdefault.de Sat Mar 6 15:44:47 2004
From: bkauling at initdefault.de (Bernd Kauling)
Date: 06 Mar 2004 16:44:47 +0100
Subject: what is SELinux?
In-Reply-To:
References:
Message-ID: <1078587886.3944.4.camel@Anki.mynet>

Oh yeah, that's exactly what I am searching for :)
Thank you for the explanation.

Regards,
Bernd

On Sat, 2004-03-06 at 16:17, James Morris wrote:
> On 6 Mar 2004, Bernd Kauling wrote:
>
> > Hi everyone,
> >
> > I don't know if I am the first one with a question here (I hope not).
> > I read an announcement of this list on the fedora mailing list,
> > so I got subscribed here :)
> >
> > But what the heck is SELinux?
>
> Security Enhanced Linux, http://www.nsa.gov/selinux/
>
> It's been merged into the 2.6 kernel, and Fedora is one of the
> distributions which is integrating it into the OS.
>
> - James

From bill at blackfordcomputing.com Sat Mar 6 16:11:04 2004
From: bill at blackfordcomputing.com (Bill Blackford)
Date: Sat, 6 Mar 2004 08:11:04 -0800 (PST)
Subject: [Fedora-selinux-list] Initial Email
In-Reply-To: <20040306070052.X24029-100000@secproc.net>
References: <200403060917.31778.jwboyer@charter.net> <20040306070052.X24029-100000@secproc.net>
Message-ID: <3931.216.134.160.215.1078589464.squirrel@www.blackfordcomputing.com>

I'm using SquirrelMail in an SSL vhost. Is there a way to configure IMAP to
send these messages directly to an IMAP folder prior to my webmail host
grabbing it? I know this can be done with IMAP, but I'm not using a
standard mail client.

Thanks.

> On Sat, 6 Mar 2004, Josh Boyer wrote:
>
>> On Saturday 06 March 2004 08:40 am, Todd wrote:
>> > Thanks. Is there any way to keep the [Fedora-selinux-list] content tag? It
>> > makes it a lot easier to keep track of when you get a few hundred msgs a
>> > day.
>>
>> Which mailer are you using? I just create a filter on the mailing list and
>> have them filed into a different folder. Could you do that?
>
> Sure could. Thanks for the suggestion. I would tend not to read them as
> much using filtering. Just a challenge I need to overcome. Enough time
> spent OT...
>
> Thanks again.
>
> - Todd
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Bill Blackford
Network Engineer / System Administrator
Blackford Computing
bill at blackfordcomputing.com
www.blackfordcomputing.com

From bugzilla at sympatico.ca Sat Mar 6 17:19:44 2004
From: bugzilla at sympatico.ca (Youssef Makki)
Date: Sat, 06 Mar 2004 12:19:44 -0500
Subject: what is SELinux?
In-Reply-To: <1078587886.3944.4.camel@Anki.mynet>
References: <1078587886.3944.4.camel@Anki.mynet>
Message-ID: <1078593584.8130.56.camel@localhost.localdomain>

Will discussion here be concerning SELinux-specific issues like
configuration etc., or can it include security issues, perhaps if they are
somehow related (or not so)?

On Sat, 2004-03-06 at 10:44, Bernd Kauling wrote:
> Oh yeah, that's exactly what I am searching for :)
> Thank you for the explanation.
>
> Regards,
> Bernd
>
> On Sat, 2004-03-06 at 16:17, James Morris wrote:
> > On 6 Mar 2004, Bernd Kauling wrote:
> >
> > > Hi everyone,
> > >
> > > I don't know if I am the first one with a question here (I hope not).
> > > I read an announcement of this list on the fedora mailing list,
> > > so I got subscribed here :)
> > >
> > > But what the heck is SELinux?
> >
> > Security Enhanced Linux, http://www.nsa.gov/selinux/
> >
> > It's been merged into the 2.6 kernel, and Fedora is one of the
> > distributions which is integrating it into the OS.
> >
> > - James
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From jwboyer at charter.net Sat Mar 6 19:00:01 2004
From: jwboyer at charter.net (Josh Boyer)
Date: Sat, 6 Mar 2004 13:00:01 -0600
Subject: dmesg avcs
Message-ID: <200403061300.01380.jwboyer@charter.net>

This is my first stab at working with selinux, so be gentle ;).

I am getting these avc messages when I run dmesg:

avc: denied { use } for pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= ino=4
scontext=root:system_r:dmesg_t tcontext=jwboyer:user_r:user_t tclass=fd

avc: denied { read write } for pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev=
ino=4 scontext=root:system_r:dmesg_t tcontext=root:object_r:user_devpts_t
tclass=chr_file

So in the dmesg.te file, I defined the following rules:

allow dmesg_t user_devpts_t:chr_file { read write getattr };
allow dmesg_t user_t:fd { use };

Does that look correct?
From my understanding, the 2 rules I added allow the dmesg_t domain read,
write, and getattr access to pts char files...

josh

From dax at gurulabs.com Sat Mar 6 19:31:04 2004
From: dax at gurulabs.com (Dax Kelson)
Date: Sat, 06 Mar 2004 12:31:04 -0700
Subject: Best way to get started?
Message-ID: <1078601463.2920.12.camel@mentor.gurulabs.com>

What do the RH folk recommend?

* Install FC2T1 and then "yum upgrade"?
* Perform a rawhide install?

Are there any "manual" steps required?

Dax Kelson

From hparker at homershut.net Sat Mar 6 18:46:57 2004
From: hparker at homershut.net (Homer)
Date: Sat, 06 Mar 2004 12:46:57 -0600
Subject: [Fedora-selinux-list] Initial Email
In-Reply-To: <3931.216.134.160.215.1078589464.squirrel@www.blackfordcomputing.com>
References: <200403060917.31778.jwboyer@charter.net> <20040306070052.X24029-100000@secproc.net> <3931.216.134.160.215.1078589464.squirrel@www.blackfordcomputing.com>
Message-ID: <1078598817.7305.2.camel@localhost.homershut.net>

On Sat, 2004-03-06 at 10:11, Bill Blackford wrote:
> I'm using SquirrelMail in an SSL vhost. Is there a way to configure IMAP to
> send these messages directly to an IMAP folder prior to my webmail host
> grabbing it? I know this can be done with IMAP, but I'm not using a
> standard mail client.

Procmail is your friend.

--
Homer Parker                   /"\  ASCII Ribbon Campaign
BOFH for homershut.net         \ /  No HTML/RTF in email
http://www.homershut.net        x   No Word docs in email
telnet://bbs.homershut.net     / \  Respect for open standards

"Bill Gates reports on security progress made and the challenges ahead."
-- Microsoft's Homepage, on the day an SQL Server bug crippled large
sections of the Internet.

From daniel-wittenberg at starken.com Sat Mar 6 19:56:00 2004
From: daniel-wittenberg at starken.com (Daniel Wittenberg)
Date: Sat, 6 Mar 2004 13:56:00 -0600
Subject: Best way to get started?
In-Reply-To: <1078601463.2920.12.camel@mentor.gurulabs.com>
References: <1078601463.2920.12.camel@mentor.gurulabs.com>
Message-ID: <1078602960.404a2cd0d9a33@securemail.starken.com>

Not to sound like an ass, but I can see this list getting outta control, so
just to clarify, this is for selinux related items as it pertains to fedora,
right?

Dan

Quoting Dax Kelson :

> What do the RH folk recommend?
>
> * Install FC2T1 and then "yum upgrade"?
> * Perform a rawhide install?
>
> Are there any "manual" steps required?
>
> Dax Kelson

From jeff at ollie.clive.ia.us Sat Mar 6 20:03:50 2004
From: jeff at ollie.clive.ia.us (Jeffrey C. Ollie)
Date: Sat, 06 Mar 2004 14:03:50 -0600
Subject: Installing new policy?
Message-ID: <1078603430.17009.6.camel@oak.ollie.clive.ia.us>

When new policy & policy-sources packages get downloaded and installed
from development, do I need to do:

cd /etc/security/selinux/src/policy
make load
make relabel

or is that only when first enabling SELinux?

Jeff

From daniel-wittenberg at starken.com Sat Mar 6 20:08:48 2004
From: daniel-wittenberg at starken.com (Daniel Wittenberg)
Date: Sat, 6 Mar 2004 14:08:48 -0600
Subject: Installing new policy?
In-Reply-To: <1078603430.17009.6.camel@oak.ollie.clive.ia.us>
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us>
Message-ID: <1078603728.404a2fd04b454@securemail.starken.com>

Has anyone started a selinux+fedora how-to? Is the old Red Hat
Documentation being updated for fedora? That seems like it would be a good
place to start from and add on to.

Dan

Quoting "Jeffrey C. Ollie" :

> When new policy & policy-sources packages get downloaded and installed
> from development, do I need to do:
>
> cd /etc/security/selinux/src/policy
> make load
> make relabel
>
> or is that only when first enabling SELinux?
>
> Jeff
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From jmorris at redhat.com Sat Mar 6 21:54:36 2004
From: jmorris at redhat.com (James Morris)
Date: Sat, 6 Mar 2004 16:54:36 -0500 (EST)
Subject: Installing new policy?
In-Reply-To: <1078603430.17009.6.camel@oak.ollie.clive.ia.us>
Message-ID:

On Sat, 6 Mar 2004, Jeffrey C. Ollie wrote:

> When new policy & policy-sources packages get downloaded and installed
> from development, do I need to do:
>
> cd /etc/security/selinux/src/policy
> make load
> make relabel

Yes.

- James
--
James Morris

From jmorris at redhat.com Sat Mar 6 21:59:09 2004
From: jmorris at redhat.com (James Morris)
Date: Sat, 6 Mar 2004 16:59:09 -0500 (EST)
Subject: Best way to get started?
In-Reply-To: <1078601463.2920.12.camel@mentor.gurulabs.com>
Message-ID:

On Sat, 6 Mar 2004, Dax Kelson wrote:

> What do the RH folk recommend?
>
> * Install FC2T1 and then "yum upgrade"?
> * Perform a rawhide install?
>
> Are there any "manual" steps required?

What I've done is start with FC2T1, then yum upgrade policy-sources,
policycoreutils, checkpolicy, libselinux, libselinux-devel. Boot into
single user mode, then:

cd /etc/security/selinux/src/policy
make
make relabel

Then reboot. That was a little while back, so the full yum upgrade might
be a good idea too.

- James
--
James Morris

From dax at gurulabs.com Sat Mar 6 22:06:07 2004
From: dax at gurulabs.com (Dax Kelson)
Date: Sat, 06 Mar 2004 15:06:07 -0700
Subject: Best way to get started?
In-Reply-To: <1078602960.404a2cd0d9a33@securemail.starken.com>
References: <1078601463.2920.12.camel@mentor.gurulabs.com> <1078602960.404a2cd0d9a33@securemail.starken.com>
Message-ID: <1078610767.2920.15.camel@mentor.gurulabs.com>

On Sat, 2004-03-06 at 12:56, Daniel Wittenberg wrote:
> Not to sound like an ass, but I can see this list getting outta control, so just
> to clarify, this is for selinux related items as it pertains to fedora, right?
>
> Dan

Hi Dan, were you meaning to respond to my question, or start a new thread
with a new subject? My question was about as on-topic for the list as it
gets.

Dax

From jwboyer at charter.net Sat Mar 6 23:00:17 2004
From: jwboyer at charter.net (Josh Boyer)
Date: Sat, 6 Mar 2004 17:00:17 -0600
Subject: Best way to get started?
In-Reply-To:
References:
Message-ID: <200403061700.17857.jwboyer@charter.net>

On Saturday 06 March 2004 03:59 pm, James Morris wrote:
> cd /etc/security/selinux/src/policy
> make
> make relabel
>
> Then reboot. That was a little while back, so the full yum upgrade might
> be a good idea too.

What does the reboot do that 'make load' doesn't? So far when tinkering
around with some .te files, I have always just done a 'make load' and
restarted the app and the changes take effect.

josh

From jmorris at redhat.com Sat Mar 6 23:51:49 2004
From: jmorris at redhat.com (James Morris)
Date: Sat, 6 Mar 2004 18:51:49 -0500 (EST)
Subject: Best way to get started?
In-Reply-To: <200403061700.17857.jwboyer@charter.net>
Message-ID:

On Sat, 6 Mar 2004, Josh Boyer wrote:

> On Saturday 06 March 2004 03:59 pm, James Morris wrote:
> > cd /etc/security/selinux/src/policy
> > make
> > make relabel
> >
> > Then reboot. That was a little while back, so the full yum upgrade might
> > be a good idea too.
>
> What does the reboot do that 'make load' doesn't? So far when tinkering
> around with some .te files, I have always just done a 'make load' and
> restarted the app and the changes take effect.

That should be fine.
I rebooted after doing the initial filesystem labeling in single user mode
(which was recommended to me by Dan Walsh).

- James
--
James Morris

From rhally at mindspring.com Sun Mar 7 01:59:23 2004
From: rhally at mindspring.com (Richard Hally)
Date: Sat, 6 Mar 2004 20:59:23 -0500
Subject: AVC denied messages from booting?
Message-ID:

I'm running in SELinux permissive mode and after booting up to runlevel 5
and logging in, I look at /var/log/messages and see quite a few AVC denied
messages. Is this happening on other people's systems?

I have been downloading all the latest policy (and related) packages and
the rest of the /development tree for the last few weeks but it doesn't
look like there are fewer AVC denied messages each time I boot with each
new kernel and policy. Should I expect the default policy to allow me to
boot an "Everything installed" /development updated system with no AVC
denied messages? At some point in the near future?

More generally, what is the Red Hat plan and objective for developing the
policy they package?

Thanks for any help,
Richard Hally

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 3516 bytes
Desc: not available
URL:

From russell at coker.com.au Sun Mar 7 03:59:07 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 7 Mar 2004 14:59:07 +1100
Subject: AVC denied messages from booting?
In-Reply-To:
References:
Message-ID: <200403071459.07885.russell@coker.com.au>

On Sun, 7 Mar 2004 12:59, "Richard Hally" wrote:
> I'm running in SELinux permissive mode and after booting up to runlevel 5
> and logging in, I look at /var/log/messages and see quite a few AVC denied
> messages. Is this happening on other people's systems?

Yes. Please attach the list of messages and we'll fix them.
> I have been downloading all the latest policy (and related) packages and
> the rest of the /development tree for the last few weeks but it doesn't
> look like there are fewer AVC denied messages each time I boot with each
> new kernel and policy. Should I expect the default policy to allow me to
> boot an "Everything installed" /development updated system with no AVC
> denied messages? At some point in the near future?
>
> More generally, what is the Red Hat plan and objective for developing the
> policy they package?

There should be very few AVC messages. In some cases applications may
attempt things that they shouldn't do but which are not suitable for
dontaudit rules, so we won't get to 0 AVC messages without changing some
code.

PS The below information was contained in the attachment to your message.
You might want to turn that off and then rename the directory for security
reasons.

C:\Documents and Settings\richard\Application Data\Microsoft\Outlook\outlook.pst

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Sun Mar 7 04:05:27 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 7 Mar 2004 15:05:27 +1100
Subject: Best way to get started?
In-Reply-To: <200403061700.17857.jwboyer@charter.net>
References: <200403061700.17857.jwboyer@charter.net>
Message-ID: <200403071505.27005.russell@coker.com.au>

On Sun, 7 Mar 2004 10:00, Josh Boyer wrote:
> On Saturday 06 March 2004 03:59 pm, James Morris wrote:
> > cd /etc/security/selinux/src/policy
> > make
> > make relabel
> >
> > Then reboot. That was a little while back, so the full yum upgrade might
> > be a good idea too.
>
> What does the reboot do that 'make load' doesn't?
> So far when tinkering
> around with some .te files, I have always just done a 'make load' and
> restarted the app and the changes take effect.

For such things I generally boot with "init=/bin/bash", mount the file
systems, /proc, /selinux, then do "make load ; make relabel" and then
"exec init".

For machines where I don't have console access (EG logging in by ssh) I
just run "make load ; make relabel", then restart all processes to get the
right context, starting with "telinit u" to restart init, "killall -9
mingetty", using "runcon root:sysadm_r:sysadm_t /bin/bash" to get a shell
in the right context for restarting daemons, and then restarting sshd etc.

This method works well once you've had some practise, I've even upgraded
machines to SE Linux without being on the same continent.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Sun Mar 7 04:15:39 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 7 Mar 2004 15:15:39 +1100
Subject: dmesg avcs
In-Reply-To: <200403061300.01380.jwboyer@charter.net>
References: <200403061300.01380.jwboyer@charter.net>
Message-ID: <200403071515.39372.russell@coker.com.au>

On Sun, 7 Mar 2004 06:00, Josh Boyer wrote:
> This is my first stab at working with selinux, so be gentle ;).
>
> I am getting these avc messages when I run dmesg:
>
> avc: denied { use } for pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev=
> ino=4 scontext=root:system_r:dmesg_t tcontext=jwboyer:user_r:user_t
> tclass=fd
>
> avc: denied { read write } for pid=2674 exe=/bin/dmesg path=/dev/pts/2
> dev= ino=4 scontext=root:system_r:dmesg_t
> tcontext=root:object_r:user_devpts_t tclass=chr_file

This should not be possible. You should only be able to enter the dmesg_t
domain from sysadm_t, anaconda_t, or initrc_t.
None of those domains should have a terminal labeled with user_devpts_t
open at the time.

How exactly are you running dmesg? What is the context of the program that
runs it?

> So in the dmesg.te file, I defined the following rules:
>
> allow dmesg_t user_devpts_t:chr_file { read write getattr };
> allow dmesg_t user_t:fd { use };
>
> Does that look correct? From my understanding, the 2 rules I added allow
> the dmesg_t domain read, write, and getattr access to pts char files...

We don't want dmesg_t programs to be under the control of user_t programs.
If dmesg_t can be reached from user_t and can access its terminals then
user_t has a chance at getting sys_admin capability (if the user_r user in
question has UID==0). sys_admin capability should give full control of the
machine.

Of course this would still rely on exploiting dmesg, but I doubt that the
people who wrote dmesg expected it to run as a privileged program...

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From pauln at truemesh.com Sun Mar 7 07:38:33 2004
From: pauln at truemesh.com (Paul Nasrat)
Date: Sun, 7 Mar 2004 07:38:33 +0000
Subject: Non x86 policy/file contexts
Message-ID: <20040307073832.GU16792@lichen.truemesh.com>

I note that currently bootloader.fc does not have entries say for ppc:

/sbin/ybin.*            --      system_u:object_r:bootloader_exec_t
/etc/yaboot\.conf.*     --      system_u:object_r:bootloader_etc_t

Also should /vmlinuz.* be /vmlinu(x|z).*

Or silo for sparc.

As there are fedora efforts on these platforms and policy-sources may feed
other distros (eg ydl, aurora) is it worth an RFE with patches to
bootloader.te, or is non x86 considered unsupported?
Cheers

Paul

From russell at coker.com.au Sun Mar 7 11:12:26 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 7 Mar 2004 22:12:26 +1100
Subject: Non x86 policy/file contexts
In-Reply-To: <20040307073832.GU16792@lichen.truemesh.com>
References: <20040307073832.GU16792@lichen.truemesh.com>
Message-ID: <200403072212.26703.russell@coker.com.au>

On Sun, 7 Mar 2004 18:38, Paul Nasrat wrote:
> I note that currently bootloader.fc does not have entries say for ppc:
>
> /sbin/ybin.*            --      system_u:object_r:bootloader_exec_t
> /etc/yaboot\.conf.*     --      system_u:object_r:bootloader_etc_t

I've just put that in my tree, I'll put a new snapshot online tonight with
that.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From mike at netlyncs.com Sun Mar 7 11:15:23 2004
From: mike at netlyncs.com (Mike Chambers)
Date: Sun, 07 Mar 2004 05:15:23 -0600
Subject: Upgrading selinux packages
Message-ID: <1078658123.12410.1.camel@bart.netlyncs.com>

If new policy type packages and such are put out, can I just update them
once selinux is running/set up (make, make relabel), or is something else
required?

Also, I too have seen lots of those audit: avc: type messages after I
initiated selinux last night and rebooted.

--
Mike Chambers
Madisonville, KY
"It's only funny until someone gets hurt...Then it's hilarious!"

From jwboyer at charter.net Sun Mar 7 13:18:35 2004
From: jwboyer at charter.net (Josh Boyer)
Date: Sun, 7 Mar 2004 07:18:35 -0600
Subject: dmesg avcs
In-Reply-To: <200403071515.39372.russell@coker.com.au>
References: <200403061300.01380.jwboyer@charter.net> <200403071515.39372.russell@coker.com.au>
Message-ID: <200403070718.35381.jwboyer@charter.net>

On Saturday 06 March 2004 10:15 pm, Russell Coker wrote:
> This should not be possible.
> You should only be able to enter the dmesg_t
> domain from sysadm_t, anaconda_t, or initrc_t. None of those domains
> should have a terminal labeled with user_devpts_t open at the time.
>
> How exactly are you running dmesg? What is the context of the program that
> runs it?

Start konsole. su - to root. Run dmesg.

The output from ps -e --context for the bash shell:

2011 root:sysadm_r:sysadm_t -bash

> We don't want dmesg_t programs to be under the control of user_t programs.
> If dmesg_t can be reached from user_t and can access its terminals then
> user_t has a chance at getting sys_admin capability (if the user_r user in
> question has UID==0). sys_admin capability should give full control of the
> machine.

OK. I should do more reading on how the rules and domain transitions
function.

josh

From jwboyer at charter.net Sun Mar 7 13:24:38 2004
From: jwboyer at charter.net (Josh Boyer)
Date: Sun, 7 Mar 2004 07:24:38 -0600
Subject: Upgrading selinux packages
In-Reply-To: <1078658123.12410.1.camel@bart.netlyncs.com>
References: <1078658123.12410.1.camel@bart.netlyncs.com>
Message-ID: <200403070724.38738.jwboyer@charter.net>

On Sunday 07 March 2004 05:15 am, Mike Chambers wrote:
> If new policy type packages and such are put out, can I just update them
> once selinux is running/set up (make, make relabel), or is something else
> required?

Already been asked. From James Morris:

cd /etc/security/selinux/src/policy
make
make relabel

Then reboot. That was a little while back, so the full yum upgrade might
be a good idea too.

> Also, I too have seen lots of those audit: avc: type messages after I
> initiated selinux last night and rebooted.

Did you edit the /etc/security/selinux/src/policy/users file and add your
normal user to it? That helped with a lot of the avc messages, but I still
have quite a few too.
josh

From jwboyer at charter.net Sun Mar 7 16:02:56 2004
From: jwboyer at charter.net (Josh Boyer)
Date: Sun, 7 Mar 2004 10:02:56 -0600
Subject: what to do with AVCs
Message-ID: <200403071002.56457.jwboyer@charter.net>

What is the preferred way to report AVC messages? Should we open a bug for
each application and list the AVCs in there, or should we post them to the
list, etc?

Bugs would probably be the easiest to track and manage, since duplicates
could be marked as such. But then again, I can see lots of bugs being
opened that don't need to be...

What do the developers prefer?

josh

From notting at redhat.com Mon Mar 8 07:20:36 2004
From: notting at redhat.com (Bill Nottingham)
Date: Mon, 8 Mar 2004 02:20:36 -0500
Subject: Installing new policy?
In-Reply-To:
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us>
Message-ID: <20040308072035.GE10213@devserv.devel.redhat.com>

James Morris (jmorris at redhat.com) said:
> > When new policy & policy-sources packages get downloaded and installed
> > from development, do I need to do:
> >
> > cd /etc/security/selinux/src/policy
> > make load
> > make relabel
>
> Yes.

Does this mean policy *never* gets updated on a new rpm install
without manual intervention? This seems bad.

Bill

From mitch48 at sbcglobal.net Mon Mar 8 08:05:25 2004
From: mitch48 at sbcglobal.net (Tom Mitchell)
Date: Mon, 8 Mar 2004 00:05:25 -0800
Subject: Installing new policy?
In-Reply-To: <20040308072035.GE10213@devserv.devel.redhat.com>
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us> <20040308072035.GE10213@devserv.devel.redhat.com>
Message-ID: <20040308080525.GA31568@xtl1.xtl.tenegg.com>

On Mon, Mar 08, 2004 at 02:20:36AM -0500, Bill Nottingham wrote:
> James Morris (jmorris at redhat.com) said:
> > > When new policy & policy-sources packages get downloaded and installed
> > > from development, do I need to do:
> > >
> > > cd /etc/security/selinux/src/policy
> > > make load
> > > make relabel
> >
> > Yes.
>
> Does this mean policy *never* gets updated on a new rpm install
> without manual intervention? This seems bad.

If I understand this...

In development cycles having the "current" best practice policy does make
sense for some, but not outside the context of "default policy
development".

The more general procedure would be to

cd /etc/security/selinux/src/policy
# examine, compare with current, update for local needs, scratch, validate...
# then
# iff all is ok
make load
make relabel

In fact the "policy" on "policy updates" should be the most constrained in
the pile.

--
T o m  M i t c h e l l
/dev/null the ultimate in secure storage.
mitch48-at-sbcglobal-dot-net

From aleksey at nogin.org Mon Mar 8 01:14:34 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Sun, 07 Mar 2004 17:14:34 -0800
Subject: Best way to get started?
In-Reply-To:
References:
Message-ID: <404BC8FA.9090201@nogin.org>

On 06.03.2004 13:59, James Morris wrote:
> What I've done is start with FC2T1, then yum upgrade policy-sources,
> policycoreutils, checkpolicy, libselinux, libselinux-devel. Boot into
> single user mode, then:
>
> cd /etc/security/selinux/src/policy
> make
> make relabel

Is policy-sources really necessary (if I just want to test the standard
default policies)? What I did is installed policycoreutils and policy, and
ran

/usr/sbin/setfiles /etc/security/selinux/file_contexts /
/usr/sbin/load_policy /etc/security/selinux/policy.15

and rebooted. Would the above have the same effect as using policy-sources?

--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From rms at 1407.org Mon Mar 8 09:35:27 2004
From: rms at 1407.org (Rui Miguel Seabra)
Date: Mon, 08 Mar 2004 09:35:27 +0000
Subject: help! some avc messages...
Message-ID: <1078738527.1791.29.camel@roque>

Hi,

I'm a terrible newbie in what relates to selinux. I understand the concept
but not the hows and whats.
I also confess I haven't really looked deeply into the matter since for the time being I'm running fedora's 2.4 Linux, since X is nearly useless for me with 2.6 due to the synaptics keyboard.

However, I decided to take a peek at the non-X parts, but things don't look that pretty.

I installed FC1, then after some time I jumped into development, so I have a fairly updated development package set. I suspect that what might have happened is that some packages were installed in an improper order so something may have been set in a bad way.

How do I take care of the avc messages I'm catching for almost anything? Follows a bzip2'ed dmesg from right after boot.

TIA,
Rui

--
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

Please AVOID sending me WORD, EXCEL or POWERPOINT attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: selinux.txt.bz2
Type: application/x-bzip
Size: 4130 bytes
Desc: not available
URL:

From dwalsh at redhat.com Mon Mar 8 14:07:46 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 08 Mar 2004 09:07:46 -0500
Subject: dmesg avcs
In-Reply-To: <200403061300.01380.jwboyer@charter.net>
References: <200403061300.01380.jwboyer@charter.net>
Message-ID: <404C7E32.5090201@redhat.com>

Josh Boyer wrote:

>This is my first stab at working with selinux, so be gentle ;).
>
>I am getting these avc messages when I run dmesg:
>
>avc: denied { use } for pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= ino=4
>scontext=root:system_r:dmesg_t tcontext=jwboyer:user_r:user_t tclass=fd
>
>avc: denied { read write } for pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev=
>ino=4 scontext=root:system_r:dmesg_t tcontext=root:object_r:user_devpts_t
>tclass=chr_file
>
>So in the dmesg.te file, i defined the following rules:
>
>allow dmesg_t user_devpts_t:chr_file { read write getattr };
>allow dmesg_t user_t:fd { use };
>
>does that look correct? from my understanding, the 2 rules i added allow the
>dmesg_t domain read, write, and getattr access to pts char files...
>

Yes, but this might not be necessary. If the dmesg code was working correctly and you saw these messages you might want to dontaudit them.

dontaudit dmesg_t userdomain:fd { use };

Would eliminate the terminal error for all userdomains (user, staff and sysadm).

>josh

From notting at redhat.com Mon Mar 8 16:07:43 2004
From: notting at redhat.com (Bill Nottingham)
Date: Mon, 8 Mar 2004 11:07:43 -0500
Subject: Installing new policy?
In-Reply-To: <20040308080525.GA31568@xtl1.xtl.tenegg.com>
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us> <20040308072035.GE10213@devserv.devel.redhat.com> <20040308080525.GA31568@xtl1.xtl.tenegg.com>
Message-ID: <20040308160743.GB30208@devserv.devel.redhat.com>

Tom Mitchell (mitch48 at sbcglobal.net) said:
> If I understand this...
>
> In development cycles having the "current" best practice policy does make sense
> for some, but not outside the context of "default policy development".

Yes, but if you're pushing new policy that actually fixes bugs (think post-release here), you'd want that automatically installed on upgrade.
Bill

From pauln at truemesh.com Mon Mar 8 16:06:06 2004
From: pauln at truemesh.com (Paul Nasrat)
Date: Mon, 8 Mar 2004 16:06:06 +0000
Subject: Installing new policy?
In-Reply-To: <20040308160743.GB30208@devserv.devel.redhat.com>
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us> <20040308072035.GE10213@devserv.devel.redhat.com> <20040308080525.GA31568@xtl1.xtl.tenegg.com> <20040308160743.GB30208@devserv.devel.redhat.com>
Message-ID: <20040308160605.GC16792@lichen.truemesh.com>

On Mon, Mar 08, 2004 at 11:07:43AM -0500, Bill Nottingham wrote:
> Tom Mitchell (mitch48 at sbcglobal.net) said:
> > If I understand this...
> >
> > In development cycles having the "current" best practice policy does make sense
> > for some, but not outside the context of "default policy development".
>
> Yes, but if you're pushing new policy that actually fixes bugs
> (think post-release here), you'd want that automatically installed
> on upgrade.

I believe Jeff was working on this, however the hooks would have to be in rpm I imagine as you probably don't want rpm_script_t having write access to policy_src_t right?

Paul

From russell at coker.com.au Mon Mar 8 16:21:34 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 9 Mar 2004 03:21:34 +1100
Subject: Installing new policy?
In-Reply-To: <20040308160605.GC16792@lichen.truemesh.com>
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us> <20040308160743.GB30208@devserv.devel.redhat.com> <20040308160605.GC16792@lichen.truemesh.com>
Message-ID: <200403090321.34850.russell@coker.com.au>

On Tue, 9 Mar 2004 03:06, Paul Nasrat wrote:
> On Mon, Mar 08, 2004 at 11:07:43AM -0500, Bill Nottingham wrote:
> > Tom Mitchell (mitch48 at sbcglobal.net) said:
> > > If I understand this...
> > >
> > > In development cycles having the "current" best practice policy does
> > > make sense for some, but not outside the context of "default policy
> > > development".
> >
> > Yes, but if you're pushing new policy that actually fixes bugs
> > (think post-release here), you'd want that automatically installed
> > on upgrade.
>
> I believe Jeff was working on this, however the hooks would have to be in
> rpm I imagine as you probably don't want rpm_script_t having write access
> to policy_src_t right?

At the moment rpm_script_t has access to so much that there's no point in trying to impose any serious restriction on it.

I suspect that limiting rpm_script_t in any significant way will have to wait until we have multiple domains for rpm for installing packages with different signatures.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From mitch48 at yahoo.com Mon Mar 8 17:53:54 2004
From: mitch48 at yahoo.com (Tom Mitchell)
Date: Mon, 8 Mar 2004 09:53:54 -0800
Subject: Installing new policy?
In-Reply-To: <200403090321.34850.russell@coker.com.au>
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us> <20040308160743.GB30208@devserv.devel.redhat.com> <20040308160605.GC16792@lichen.truemesh.com> <200403090321.34850.russell@coker.com.au>
Message-ID: <20040308175354.GA3178@xtl1.xtl.tenegg.com>

On Tue, Mar 09, 2004 at 03:21:34AM +1100, Russell Coker wrote:
> On Tue, 9 Mar 2004 03:06, Paul Nasrat wrote:
> > On Mon, Mar 08, 2004 at 11:07:43AM -0500, Bill Nottingham wrote:
> > > Tom Mitchell (mitch48 at sbcglobal.net) said:
> > > > If I understand this...
> > > >
> > > > In development cycles having the "current" best practice policy does
> > > > make sense for some, but not outside the context of "default policy
> > > > development".
> > >
> > > Yes, but if you're pushing new policy that actually fixes bugs
> > > (think post-release here), you'd want that automatically installed
> > > on upgrade.
> >
> > I believe Jeff was working on this, however the hooks would have to be in
> > rpm I imagine as you probably don't want rpm_script_t having write access
> > to policy_src_t right?
>
> At the moment rpm_script_t has access to so much that there's no point in
> trying to impose any serious restriction on it.
>
> I suspect that limiting rpm_script_t in any significant way will have to wait
> until we have multiple domains for rpm for installing packages with different
> signatures.

Are there thoughts for design changes to rpm? Hooks where the trust/level of rpm changes when packages are unsigned, when rpm is going to install or update digital signatures or updates to rpm itself.

Some interesting flags...

rpm --nosignature --nopreun --nopostun

At what level do scriptlets run?

For now what are the tactical thoughts on updating policy during development? Is it as simple as kernel (/usr/src/linux*) where the top level dir famous name is a link to a versioned dir or will rpmnew/rpmsave be the norm?

Since "rpm" is not universal what strategy has a chance of working with or without rpm so higher level SELinux documentation will get the right thing to happen?

Do/should tools like up2date and yum have standard exclusion rules (like kernel*) that will keep the old and the new side by side for comparison?

cd /etc/security/selinux/src
diff -d policy policy.previous
# stop look and listen.
cd /etc/security/selinux/src/policy
# policy could be a symlink to policy.newest
make
make relabel

If you're pushing new policy that actually fixes bugs will it break site policy? I would be unhappy if my co-lo box had this line changed. ;-)

   # uncomment to allow ssh logins as sysadm_r:sysadm_t
   define(`ssh_sysadm_login')

--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
mitch48-at-sbcglobal-dot-net

From lamont at gurulabs.com Mon Mar 8 18:18:12 2004
From: lamont at gurulabs.com (Lamont R. Peterson)
Date: Mon, 08 Mar 2004 11:18:12 -0700
Subject: [Fedora-selinux-list] Initial Email
In-Reply-To: <1078598817.7305.2.camel@localhost.homershut.net>
References: <200403060917.31778.jwboyer@charter.net> <20040306070052.X24029-100000@secproc.net> <3931.216.134.160.215.1078589464.squirrel@www.blackfordcomputing.com> <1078598817.7305.2.camel@localhost.homershut.net>
Message-ID: <1078769891.2975.0.camel@wraith.lrp.advansoft.us>

On Sat, 2004-03-06 at 11:46, Homer wrote:
> Procmail is your friend.

I like maildrop. Easier syntax for programmers, I think.

--
Lamont Peterson
Senior Instructor
Guru Labs

From dwalsh at redhat.com Mon Mar 8 19:37:25 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 08 Mar 2004 14:37:25 -0500
Subject: Best way to get started?
In-Reply-To: <1078601463.2920.12.camel@mentor.gurulabs.com>
References: <1078601463.2920.12.camel@mentor.gurulabs.com>
Message-ID: <404CCB75.6090805@redhat.com>

Dax Kelson wrote:

>What do the RH folk recommend?
>
>* Install FC2T1 and then "yum upgrade"?
>* Perform a rawhide install?
>
>Are there any "manual" steps required?
>
>Dax Kelson
>

Rawhide install. The installer is supposed to set the file context. If you do it the other way you need to do a make relabel from the source policy.

Dan

From dwalsh at redhat.com Mon Mar 8 19:38:36 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 08 Mar 2004 14:38:36 -0500
Subject: Installing new policy?
In-Reply-To: <1078603430.17009.6.camel@oak.ollie.clive.ia.us>
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us>
Message-ID: <404CCBBC.4070301@redhat.com>

Jeffrey C. Ollie wrote:

>When new policy & policy-sources packages get downloaded and installed
>from development, do I need to do:
>
>cd /etc/security/selinux/src/policy
>make load
>make relabel
>
>or is that only when first enabling SELinux?
>

Usually a make load is all that is necessary. You need to relabel when the file context changes, but we are trying to keep that to a minimum.

>Jeff

From dwalsh at redhat.com Mon Mar 8 19:40:26 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 08 Mar 2004 14:40:26 -0500
Subject: Best way to get started?
In-Reply-To: <200403061700.17857.jwboyer@charter.net>
References: <200403061700.17857.jwboyer@charter.net>
Message-ID: <404CCC2A.9000602@redhat.com>

Josh Boyer wrote:

>On Saturday 06 March 2004 03:59 pm, James Morris wrote:
>
>> cd /etc/security/selinux/src/policy
>> make
>> make relabel
>>
>>Then reboot. That was a little while back, so the full yum upgrade might
>>be a good idea too.
>>
>
>what does the reboot do that 'make load' doesn't? so far when tinkering
>around with some .te files, i have always just done a 'make load' and
>restarted the app and the changes take effect.
>

Make load will recompile the policy file, where reboot will only load the existing policy file.

>josh

From rms at 1407.org Mon Mar 8 19:39:40 2004
From: rms at 1407.org (Rui Miguel Seabra)
Date: Mon, 08 Mar 2004 19:39:40 +0000
Subject: Best way to get started?
In-Reply-To: <404CCC2A.9000602@redhat.com>
References: <200403061700.17857.jwboyer@charter.net> <404CCC2A.9000602@redhat.com>
Message-ID: <1078774779.28875.1.camel@roque>

On Mon, 2004-03-08 at 14:40 -0500, Daniel J Walsh wrote:
> Josh Boyer wrote:
> >On Saturday 06 March 2004 03:59 pm, James Morris wrote:
> >> cd /etc/security/selinux/src/policy
> >> make
> >> make relabel

I have no makefile here... what package/action am I missing?

TIA,
Rui

--
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

Please AVOID sending me WORD, EXCEL or POWERPOINT attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html

From dwalsh at redhat.com Mon Mar 8 19:44:57 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 08 Mar 2004 14:44:57 -0500
Subject: AVC denied messages from booting?
In-Reply-To:
References:
Message-ID: <404CCD39.6040204@redhat.com>

Richard Hally wrote:

>I'm running in SELinux permissive mode and after booting up to runlevel 5
>and logging in, I look at /var/log/messages and see quite few AVC denied
>messages. Is this happening on other peoples systems?
>

In a non-enforcing mode you will get a lot more messages than enforcing mode, since the kernel is just logging that if you were in enforcing the access would have been denied. So if an app was going to try to read a bunch of files in a directory, and got a denial on read it would stop in enforcing mode; in non-enforcing mode it will get a denial for each file in the directory that it reads.
>I have been downloading all the latest policy (and related) packages and the
>rest of the /development tree for the last few weeks but it doesn't look
>like there are fewer AVC denied messages each time I boot with each new
>kernel and policy. Should I expect the default policy to allow me to boot an
>"Everything installed" /development updated system with no AVC denied
>messages? At some point in the near future?
>

That is the goal. This of course would be if the user and apps don't try to do something that they are not allowed to do. IE if you install a fresh system in enforcing mode and cat /etc/shadow you will generate a denial message.

>More generally, what is the Red Hat plan and objective for developing the
>policy they package?
>
>
>Thanks for any help,
>
>Richard Hally
>

From jmorris at redhat.com Mon Mar 8 20:23:55 2004
From: jmorris at redhat.com (James Morris)
Date: Mon, 8 Mar 2004 15:23:55 -0500 (EST)
Subject: Best way to get started?
In-Reply-To: <1078774779.28875.1.camel@roque>
Message-ID:

On Mon, 8 Mar 2004, Rui Miguel Seabra wrote:

> On Mon, 2004-03-08 at 14:40 -0500, Daniel J Walsh wrote:
> > Josh Boyer wrote:
> > >On Saturday 06 March 2004 03:59 pm, James Morris wrote:
> > >> cd /etc/security/selinux/src/policy
> > >> make
> > >> make relabel
>
> I have no makefile here... what package/action am I missing?

policy-sources

--
James Morris

From daniel-wittenberg at starken.com Mon Mar 8 20:31:27 2004
From: daniel-wittenberg at starken.com (Daniel Wittenberg)
Date: Mon, 8 Mar 2004 14:31:27 -0600
Subject: initial steps
Message-ID: <1078777887.404cd81fd53cc@securemail.starken.com>

I'd like to start playing with this, and haven't worked with selinux at all. Anyone know of a good quick-start guide?
Dan

From rhally at mindspring.com Mon Mar 8 20:50:19 2004
From: rhally at mindspring.com (Richard Hally)
Date: Mon, 8 Mar 2004 15:50:19 -0500
Subject: initial steps
In-Reply-To: <1078777887.404cd81fd53cc@securemail.starken.com>
Message-ID:

Here is a url for a HOWTO and a FAQ that might be useful.

Richard Hally

-----Original Message-----
From: fedora-selinux-list-admin at redhat.com [mailto:fedora-selinux-list-admin at redhat.com] On Behalf Of Daniel Wittenberg
Sent: Monday, March 08, 2004 3:31 PM
To: fedora-selinux-list at redhat.com
Subject: initial steps

I'd like to start playing with this, and haven't worked with selinux at all. Anyone know of a good quick-start guide?

Dan

From rhally at mindspring.com Mon Mar 8 20:50:50 2004
From: rhally at mindspring.com (Richard Hally)
Date: Mon, 8 Mar 2004 15:50:50 -0500
Subject: initial steps
In-Reply-To: <1078777887.404cd81fd53cc@securemail.starken.com>
Message-ID:

Sorry here is the url:
http://sourceforge.net/docman/?group_id=21266

Richard Hally

-----Original Message-----
From: fedora-selinux-list-admin at redhat.com [mailto:fedora-selinux-list-admin at redhat.com] On Behalf Of Daniel Wittenberg
Sent: Monday, March 08, 2004 3:31 PM
To: fedora-selinux-list at redhat.com
Subject: initial steps

I'd like to start playing with this, and haven't worked with selinux at all. Anyone know of a good quick-start guide?
Dan

From jwboyer at charter.net Tue Mar 9 00:52:33 2004
From: jwboyer at charter.net (Josh Boyer)
Date: Mon, 8 Mar 2004 18:52:33 -0600
Subject: kdeinit avcs
Message-ID: <200403081852.33581.jwboyer@charter.net>

I get these avcs when running kopete:

avc: denied { write } for pid=4371 exe=/usr/bin/kdeinit name=cleaned dev=hda5 ino=1567855 scontext=jwboyer:user_r:user_t tcontext=system_u:object_r:file_t tclass=file
avc: denied { write } for pid=4371 exe=/usr/bin/kdeinit name=l dev=hda5 ino=1567856 scontext=jwboyer:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
avc: denied { add_name } for pid=4371 exe=/usr/bin/kdeinit name=loginnet.passport.com_login.srf_42a239b5.new scontext=jwboyer:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
avc: denied { create } for pid=4371 exe=/usr/bin/kdeinit name=loginnet.passport.com_login.srf_42a239b5.new scontext=jwboyer:user_r:user_t tcontext=jwboyer:object_r:file_t tclass=file
avc: denied { write } for pid=4371 exe=/usr/bin/kdeinit path=/var/tmp/kdecache-jwboyer/http/l/loginnet.passport.com_login.srf_42a239b5.new dev=hda5 ino=1571952 scontext=jwboyer:user_r:user_t tcontext=jwboyer:object_r:file_t tclass=file

to solve issues like this, should i define a new policy for kdeinit, put kdeinit into a different domain, define some dontaudit rules, etc?

there are lots of avcs to deal with, and i am just trying to determine what an appropriate fix for some of them are.

thx,
josh

From russell at coker.com.au Tue Mar 9 04:33:36 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 9 Mar 2004 15:33:36 +1100
Subject: Installing new policy?
In-Reply-To: <20040308175354.GA3178@xtl1.xtl.tenegg.com>
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us> <200403090321.34850.russell@coker.com.au> <20040308175354.GA3178@xtl1.xtl.tenegg.com>
Message-ID: <200403091533.36036.russell@coker.com.au>

On Tue, 9 Mar 2004 04:53, Tom Mitchell wrote:
> If you're pushing new policy that actually fixes bugs will it break site
> policy? I would be unhappy if my co-lo box had this line changed. ;-)
>    # uncomment to allow ssh logins as sysadm_r:sysadm_t
>    define(`ssh_sysadm_login')

This is a difficult issue. For Debian I have it ask a heap of questions at policy upgrade time about replacing policy files, but lots of people seem to dislike that.

One possibility is to replace files that have not been changed. However that means that if a macro changes without the calling code changing then it could break policy compiles.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Tue Mar 9 04:40:00 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 9 Mar 2004 15:40:00 +1100
Subject: kdeinit avcs
In-Reply-To: <200403081852.33581.jwboyer@charter.net>
References: <200403081852.33581.jwboyer@charter.net>
Message-ID: <200403091540.00853.russell@coker.com.au>

On Tue, 9 Mar 2004 11:52, Josh Boyer wrote:
> I get these avcs when running kopete:

Firstly one thing to note is that KDE does weird stuff with executables, so everything seems to be "kdeinit". This limits what can be done with SE Linux policy as everything runs in the domain for kdeinit (user_t in this case).
> avc: denied { write } for pid=4371 exe=/usr/bin/kdeinit
> path=/var/tmp/kdecache-jwboyer/http/l/loginnet.passport.com_login.srf_42a23
>9b5.new dev=hda5 ino=1571952 scontext=jwboyer:user_r:user_t
> tcontext=jwboyer:object_r:file_t tclass=file

Generally nothing should be labelled as file_t. The problem is that when installing we can't relabel /tmp and /var/tmp properly as there's no good way of knowing which file should have each context.

If you logout and then do "rm -rf /var/tmp/kdecache-jwboyer" and the same for any other KDE stuff that may be hanging around in /var/tmp (maybe ksocket-jwboyer and kde-jwboyer, and mcop-jwboyer) then your next login should have it working properly.

> to solve issues like this, should i define a new policy for kdeinit, put
> kdeinit into a different domain, define some dontaudit rules, etc?

Running different domains for different parts of KDE will be really difficult. They all want read/write access to the same config files, and it becomes a real mess. This is just background info not related to the solution to your problem.

> there are lots of avcs to deal with, and i am just trying to determine what
> an appropriate fix for some of them are.

The appropriate fix for the problems you show is to correctly label the files under /var/tmp. This means removing the kde temporary files while you are logged out.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From sct at redhat.com Tue Mar 9 07:11:18 2004
From: sct at redhat.com (Stephen C. Tweedie)
Date: 09 Mar 2004 07:11:18 +0000
Subject: Installing new policy?
In-Reply-To: <200403091533.36036.russell@coker.com.au>
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us> <200403090321.34850.russell@coker.com.au> <20040308175354.GA3178@xtl1.xtl.tenegg.com> <200403091533.36036.russell@coker.com.au>
Message-ID: <1078816278.2460.0.camel@sisko.scot.redhat.com>

Hi,

On Tue, 2004-03-09 at 04:33, Russell Coker wrote:

> One possibility is to replace files that have not been changed. However that
> means that if a macro changes without the calling code changing then it could
> break policy compiles.

That's basically what %config will do in rpm. It's probably the simplest default behaviour for things like tunables.te.

--Stephen

From russell at coker.com.au Tue Mar 9 11:57:27 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 9 Mar 2004 22:57:27 +1100
Subject: Installing new policy?
In-Reply-To: <1078816278.2460.0.camel@sisko.scot.redhat.com>
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us> <200403091533.36036.russell@coker.com.au> <1078816278.2460.0.camel@sisko.scot.redhat.com>
Message-ID: <200403092257.27675.russell@coker.com.au>

On Tue, 9 Mar 2004 18:11, "Stephen C. Tweedie" wrote:
> On Tue, 2004-03-09 at 04:33, Russell Coker wrote:
> > One possibility is to replace files that have not been changed. However
> > that means that if a macro changes without the calling code changing then
> > it could break policy compiles.
>
> That's basically what %config will do in rpm. It's probably the
> simplest default behaviour for things like tunables.te.

Yes, that will work quite well for tunable.te except when we add a new entry that defaults to enabled. If we produce a new policy that has define(`do_whatever') in the default tunable.te then users of the old policy won't get it.

This may make things more difficult for us. But I guess we could make every default be a non-define (IE if you keep the old tunable.te you get the new default).
More difficult is macros/program/ directory, if someone changes files in that then the upgrade becomes a lot more difficult to manage.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From sct at redhat.com Tue Mar 9 13:20:44 2004
From: sct at redhat.com (Stephen C. Tweedie)
Date: 09 Mar 2004 13:20:44 +0000
Subject: Installing new policy?
In-Reply-To: <200403092257.27675.russell@coker.com.au>
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us> <200403091533.36036.russell@coker.com.au> <1078816278.2460.0.camel@sisko.scot.redhat.com> <200403092257.27675.russell@coker.com.au>
Message-ID: <1078838444.2460.28.camel@sisko.scot.redhat.com>

Hi,

On Tue, 2004-03-09 at 11:57, Russell Coker wrote:

> > That's basically what %config will do in rpm. It's probably the
> > simplest default behaviour for things like tunables.te.
>
> Yes, that will work quite well for tunable.te except when we add a new entry
> that defaults to enabled. If we produce a new policy that has
> define(`do_whatever') in the default tunable.te then users of the old policy
> won't get it.

That's true, but they _will_ get log output telling that the new config file has been created as tunables.te.rpmnew, and they can merge it themselves. There's really no straightforward way to get any better automation for it than that, right now, unless we move each tunable to a separate file in a tunables/ directory (and it might well make sense to do that, at least to group related tunables together.)

Cheers,
Stephen

From dwalsh at redhat.com Tue Mar 9 14:56:43 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 09 Mar 2004 09:56:43 -0500
Subject: Installing new policy?
In-Reply-To: <200403091533.36036.russell@coker.com.au>
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us> <200403090321.34850.russell@coker.com.au> <20040308175354.GA3178@xtl1.xtl.tenegg.com> <200403091533.36036.russell@coker.com.au>
Message-ID: <404DDB2B.50209@redhat.com>

Russell Coker wrote:

>On Tue, 9 Mar 2004 04:53, Tom Mitchell wrote:
>
>>If you're pushing new policy that actually fixes bugs will it break site
>>policy? I would be unhappy if my co-lo box had this line changed. ;-)
>>   # uncomment to allow ssh logins as sysadm_r:sysadm_t
>>   define(`ssh_sysadm_login')
>>
>
>This is a difficult issue. For Debian I have it ask a heap of questions at
>policy upgrade time about replacing policy files, but lots of people seem to
>dislike that.
>
>One possibility is to replace files that have not been changed. However that
>means that if a macro changes without the calling code changing then it could
>break policy compiles.
>

RPM should leave the tunable.te file and create a tunable.te.rpmnew file.

From dwalsh at redhat.com Tue Mar 9 15:15:05 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 09 Mar 2004 10:15:05 -0500
Subject: what to do with AVCs
In-Reply-To: <200403071002.56457.jwboyer@charter.net>
References: <200403071002.56457.jwboyer@charter.net>
Message-ID: <404DDF79.6060802@redhat.com>

Josh Boyer wrote:

>What is the preferred way to report AVC messages? Should we open a bug for
>each application and list the AVCs in there, or should we post them to the
>list, etc?
>
>Bugs would probably be the easiest to track and manage, since duplicates could
>be marked as such. But then again, I can see lots of bugs being opened that
>don't need to be...
>
>What do the developers prefer?
>
>josh
>

Bugzilla is fine.
From dwalsh at redhat.com Tue Mar 9 15:17:04 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 09 Mar 2004 10:17:04 -0500
Subject: Best way to get started?
In-Reply-To: <404BC8FA.9090201@nogin.org>
References: <404BC8FA.9090201@nogin.org>
Message-ID: <404DDFF0.3050606@redhat.com>

Aleksey Nogin wrote:

> On 06.03.2004 13:59, James Morris wrote:
>
>
>> What I've done is start with FC2T1, then yum upgrade policy-sources,
>> policycoreutils, checkpolicy, libselinux, libselinux-devel. Boot
>> into single user mode, then:
>>
>>
>> cd /etc/security/selinux/src/policy
>> make
>> make relabel
>>
>
> Is policy-sources really necessary (if I just want to test the
> standard default policies)? What I did is installed policycoreutils
> and policy, and run
>
> /usr/sbin/setfiles /etc/security/selinux/file_contexts /

You want to run setfiles on all ext3 file systems

setfiles /etc/security/selinux/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'`

> /usr/sbin/load_policy /etc/security/selinux/policy.15
>
> and rebooted. Would the above have the same effect as using
> policy-sources?
>

From dwalsh at redhat.com Tue Mar 9 15:18:41 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 09 Mar 2004 10:18:41 -0500
Subject: Installing new policy?
In-Reply-To: <20040308072035.GE10213@devserv.devel.redhat.com>
References: <1078603430.17009.6.camel@oak.ollie.clive.ia.us> <20040308072035.GE10213@devserv.devel.redhat.com>
Message-ID: <404DE051.1020808@redhat.com>

Bill Nottingham wrote:

>James Morris (jmorris at redhat.com) said:
>
>>>When new policy & policy-sources packages get downloaded and installed
>>>from development, do I need to do:
>>>
>>>cd /etc/security/selinux/src/policy
>>>make load
>>>make relabel
>>>
>>>
>>Yes.
>>
>
>Does this mean policy *never* gets updated on a new rpm install
>without manual intervention?
This seems bad.
>
>Bill
>

No we are working to make rpm do this automatically.

From dax at gurulabs.com Tue Mar 9 17:45:42 2004
From: dax at gurulabs.com (Dax Kelson)
Date: Tue, 09 Mar 2004 10:45:42 -0700
Subject: Fresh rawhide install / AVC messages
Message-ID: <1078854342.2921.4.camel@mentor.gurulabs.com>

Last night I did a fresh "Everything" rawhide install. On the first boot, I got the following AVC messages. Is enforcing mode expected to work? Is this helpful?

audit(1078849141.136:0): avc: denied { create } for pid=942 exe=/usr/sbin/updfstab name=floppy scontext=system_u:system_r:updfstab_t tcontext=system_u:object_r:mnt_t tclass=dir
audit(1078849141.160:0): avc: denied { read write } for pid=943 exe=/sbin/pam_console_apply path=/dev/pts/0 dev= ino=2 scontext=system_u:system_r:pam_console_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
audit(1078849141.979:0): avc: denied { write } for pid=953 exe=/usr/sbin/cpuspeed name=scaling_governor dev= ino=335 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=file
audit(1078849148.792:0): avc: denied { getattr } for pid=1141 exe=/bin/bash path=/etc/ntp.conf dev=hda8 ino=19690 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t tclass=file
audit(1078849148.796:0): avc: denied { rename } for pid=1160 exe=/bin/mv name=ntp.conf dev=hda8 ino=19690 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t tclass=file
audit(1078849148.797:0): avc: denied { getattr } for pid=1161 exe=/bin/bash path=/tmp dev=hda8 ino=588673 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849148.798:0): avc: denied { search } for pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849148.798:0): avc: denied { write } for pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849148.798:0): avc: denied { add_name } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849148.798:0): avc: denied { create } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file
audit(1078849148.825:0): avc: denied { getattr } for pid=1161 exe=/bin/bash path=/tmp/sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file
audit(1078849148.825:0): avc: denied { write } for pid=1161 exe=/bin/bash path=/tmp/sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file
audit(1078849148.825:0): avc: denied { read } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file
audit(1078849148.825:0): avc: denied { remove_name } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849148.825:0): avc: denied { unlink } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 dev=hda8 ino=1684441 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=file
audit(1078849148.832:0): avc: denied { rename } for pid=1162 exe=/bin/mv name=step-tickers dev=hda8 ino=164396 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
audit(1078849162.352:0): avc: denied { write } for pid=954 exe=/usr/sbin/cpuspeed name=scaling_setspeed dev= ino=339 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=file
audit(1078849214.284:0): avc: denied { read } for pid=3923 exe=/usr/bin/python name=backend.pyo dev=hda8 ino=148720 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=file
audit(1078849214.285:0): avc: denied { getattr } for pid=3923 exe=/usr/bin/python path=/usr/share/printconf/util/backend.pyo dev=hda8 ino=148720 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=file
audit(1078849230.652:0): avc: denied { write } for pid=4290 exe=/usr/sbin/sendmail.sendmail name=aliases.db dev=hda8 ino=19435 scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t tclass=file
audit(1078849230.652:0): avc: denied { lock } for pid=4290 exe=/usr/sbin/sendmail.sendmail path=/etc/aliases.db dev=hda8 ino=19435 scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t tclass=file
audit(1078849246.286:0): avc: denied { create } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.286:0): avc: denied { unix_read unix_write } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.286:0): avc: denied { read write } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.287:0): avc: denied { unix_read unix_write } for pid=51 exe=/usr/X11R6/bin/XFree86 key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.287:0): avc: denied { read write } for pid=51 exe=/usr/X11R6/bin/XFree86 key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.287:0): avc: denied { getattr associate } for pid=51 exe=/usr/X11R6/bin/XFree86 key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.287:0): avc: denied { destroy } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849252.927:0): avc: denied { execute } for pid=4547 path=/dev/zero dev=hda8 ino=1614427 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:zero_device_t tclass=chr_file audit(1078849252.927:0): avc: denied { execute } for pid=4547 path=/dev/mem dev=hda8 ino=1602518 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:memory_device_t tclass=chr_file audit(1078849255.467:0): avc: denied { read } for pid=4526 exe=/usr/bin/python name=shadow dev=hda8 ino=19457 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file audit(1078849255.468:0): avc: denied { lock } for pid=4526 exe=/usr/bin/python path=/etc/shadow dev=hda8 ino=19457 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file audit(1078849262.589:0): avc: denied { write } for pid=954 exe=/usr/sbin/cpuspeed name=scaling_setspeed dev= ino=339 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=file audit(1078849274.909:0): avc: denied { ioctl } for pid=4583 exe=/bin/bash path=/dev/pts/0 dev= ino=2 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file audit(1078849274.910:0): avc: denied { search } for pid=4583 exe=/bin/bash dev= ino=1 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:devpts_t tclass=dir audit(1078849375.870:0): avc: denied { write } for pid=4858 exe=/bin/dmesg path=/root/first-dmesg.txt dev=hda8 ino=1095620 scontext=root:system_r:dmesg_t tcontext=root:object_r:sysadm_home_t tclass=file From dennis at dgilmore.net Tue Mar 9 23:49:07 2004 From: dennis at dgilmore.net (Dennis Gilmore) Date: Wed, 10 Mar 2004 09:49:07 +1000 Subject: possible pam issue Message-ID: <200403100949.13588.dennis@dgilmore.net> I have setup the policy on my test desktop and today went to run up2date as my user account when propmted i entered my root password and got the following error [dennis at asgard dennis]$ 
up2date Could not set exec context to user_u:sysadm_r:sysadm_t. its the only problem i have had so far though i need to read more of the documentation yet to get down and dirty Dennis -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: signature URL: From mitch48 at yahoo.com Wed Mar 10 01:40:58 2004 From: mitch48 at yahoo.com (Tom Mitchell) Date: Tue, 9 Mar 2004 17:40:58 -0800 Subject: up2date, Large Medium and small updates.... Message-ID: <20040310014058.GA14562@xtl1.xtl.tenegg.com> Today up2date found a very long list of package updates on rawhide 500+ for me. Since the box is a test box ... I let it. I am curious if labels/attributes on all the new files will be correct for SELinux after this and other up2date (rpm) actions (excluding changes to /etc/security/selinux/src/policy/....). The more general question is that for Large Medium and small updates.... there may always be a question when one or more "makes" in the policy area will be needed. Is there a good way to check... will make check-all do the right thing? cd /etc/security/selinux/src/policy make ????? # lots of choices... make relabel # necessary? when and how to check ... Is it necessary/useful to do stuff like this before or after a reboot? Is there a difference from vanilla in how promptly a reboot and other housecleaning for SELinux is needed? i.e. will audit go nuts... Also I have taken to adding an alternate boot section in /boot/grub/grub.conf. Is this useful, useless, sane, silly, underkill, overkill. Thus...: title Fedora Core (2.6.3-2.1.246) root (hd0,0) kernel /vmlinuz-2.6.3-2.1.246 ro root=LABEL=/ initrd /initrd-2.6.3-2.1.246.img title Fedora Core NoSELinux (2.6.3-2.1.246) root (hd0,0) kernel /vmlinuz-2.6.3-2.1.246 ro root=LABEL=/ selinux=0 initrd /initrd-2.6.3-2.1.246.img Hmmm... too many questions for one subject line... -- T o m M i t c h e l l /dev/null the ultimate in secure storage. 
mitch48-at-sbcglobal-dot-net

From russell at coker.com.au Wed Mar 10 07:21:47 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 10 Mar 2004 18:21:47 +1100
Subject: Fresh rawhide install / AVC messages
In-Reply-To: <1078854342.2921.4.camel@mentor.gurulabs.com>
References: <1078854342.2921.4.camel@mentor.gurulabs.com>
Message-ID: <200403101821.47328.russell@coker.com.au>

On Wed, 10 Mar 2004 04:45, Dax Kelson wrote:
> On the first boot, I got the following AVC messages. Is enforcing mode
> expected to work? Is this helpful?

This is helpful!

> audit(1078849141.136:0): avc: denied { create } for pid=942
> exe=/usr/sbin/updfstab name=floppy scontext=system_u:system_r:updfstab_t
> tcontext=system_u:object_r:mnt_t tclass=dir audit(1078849141.160:0): avc:

allow updfstab_t mnt_t:dir create_dir_perms;

It's in my tree now.

> denied { read write } for pid=943 exe=/sbin/pam_console_apply
> path=/dev/pts/0 dev= ino=2 scontext=system_u:system_r:pam_console_t
> tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file

I've attached a modified pamconsole.te to fix this. I've also included it in my policy archive on http://www.coker.com.au/selinux/policy.tgz .

> audit(1078849141.979:0): avc: denied { write } for pid=953
> exe=/usr/sbin/cpuspeed name=scaling_governor dev= ino=335
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t

I have attached a first cut at cpuspeed policy, it won't work but if you try it out I'll get more information and be able to write more policy. What is the full path name for this scaling_governor file?

> audit(1078849148.792:0): avc: denied { getattr } for
> pid=1141 exe=/bin/bash path=/etc/ntp.conf dev=hda8 ino=19690
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t
> tclass=file audit(1078849148.796:0): avc: denied { rename } for pid=1160
> exe=/bin/mv name=ntp.conf dev=hda8 ino=19690
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t
> tclass=file audit(1078849148.797:0): avc: denied { getattr } for
> pid=1161 exe=/bin/bash path=/tmp dev=hda8 ino=588673

This is a problem. Is this standard functionality of the dhcp client or have you written your own scripts?

The problem we face is that the dhcp client as a standard function will replace /etc/resolv.conf. The /etc/resolv.conf file is given the type resolv_conf_t because so many programs want to re-write it.

Now we can give the ntpd config file the same type. But in that case we will probably want to rename it to net_conf_t or something.

This is all conditional on this being standard functionality of the dhcp client. If it's your customisation then you can just change ntpd.fc to label the file as resolv_conf_t. Although I suspect that if this is a customisation of yours it'll become a standard thing soon enough, it sounds like a good idea!

> tclass=dir audit(1078849148.798:0): avc: denied { search } for pid=1161
> exe=/bin/bash name=tmp dev=hda8 ino=588673
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> tclass=dir audit(1078849148.798:0): avc: denied { write } for pid=1161
> exe=/bin/bash name=tmp dev=hda8 ino=588673
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> tclass=dir audit(1078849148.798:0): avc: denied { add_name } for
> pid=1161 exe=/bin/bash name=sh-thd-1078853309

What is this for? The following is the policy needed to address that. If it's a standard thing then I'll put it in my policy tree.

tmp_domain(dhcpc)

> audit(1078849214.284:0):
> avc: denied { read } for pid=3923 exe=/usr/bin/python name=backend.pyo
> dev=hda8 ino=148720 scontext=system_u:system_r:cupsd_t
> tcontext=system_u:object_r:usr_t tclass=file audit(1078849214.285:0): avc:
> denied { getattr } for pid=3923 exe=/usr/bin/python
> path=/usr/share/printconf/util/backend.pyo dev=hda8 ino=148720
> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t
> tclass=file

Below is the policy, it's now in my tree.

allow cupsd_t usr_t:file { read getattr };

> audit(1078849230.652:0): avc: denied { write } for pid=4290
> exe=/usr/sbin/sendmail.sendmail name=aliases.db dev=hda8 ino=19435
> scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t
> tclass=file audit(1078849230.652:0): avc: denied { lock } for pid=4290
> exe=/usr/sbin/sendmail.sendmail path=/etc/aliases.db dev=hda8 ino=19435
> scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t

/etc/aliases.db should have type etc_aliases_t.

> audit(1078849246.286:0): avc: denied { create } for pid=4526
> exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> avc: denied { unix_read unix_write } for pid=4526 exe=/usr/bin/python
> key=0 scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> avc: denied { read write } for pid=4526 exe=/usr/bin/python key=0
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> tclass=shm

Any idea what this program is?

> audit(1078849246.287:0): avc: denied { unix_read unix_write }
> for pid=51 exe=/usr/X11R6/bin/XFree86 key=0
> scontext=system_u:system_r:xdm_xserver_t
> tcontext=system_u:system_r:initrc_t tclass=shm

Looks like it's an X client. Something using RHGB I guess.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-------------- next part --------------
#DESC Pamconsole - PAM console
# X-Debian-Packages:
#
# pam_console_apply

daemon_base_domain(pam_console)
allow pam_console_t etc_t:file { getattr read ioctl };
allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
allow pam_console_t self:capability { chown fowner fsetid };

# for /var/run/console.lock checking
allow pam_console_t { var_t var_run_t }:dir search;

# mouse_device_t is for joy sticks
allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
allow pam_console_t mnt_t:dir r_dir_perms;

ifdef(`gpm.te', `
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
')
-------------- next part --------------
# cpuspeed
/usr/sbin/cpuspeed	--	system_u:object_r:cpuspeed_exec_t
-------------- next part --------------
#DESC cpuspeed - domain for microcode_ctl and other programs to speed CPU
#
# Author: Russell Coker
#

daemon_base_domain(cpuspeed)

From russell at coker.com.au Wed Mar 10 08:03:18 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 10 Mar 2004 19:03:18 +1100
Subject: up2date, Large Medium and small updates....
In-Reply-To: <20040310014058.GA14562@xtl1.xtl.tenegg.com>
References: <20040310014058.GA14562@xtl1.xtl.tenegg.com>
Message-ID: <200403101903.18346.russell@coker.com.au>

On Wed, 10 Mar 2004 12:40, Tom Mitchell wrote:
> The more general question is that for Large Medium and small updates....
> there may always be a question when one or more "makes" in the policy
> area will be needed. Is there a good way to check... will make
> check-all do the right thing?
>
> cd /etc/security/selinux/src/policy
> make ?????      # lots of choices...
> make relabel    # necessary? when and how to check ...
>
> Is it necessary/useful to do stuff like this before or after a reboot?
> Is there a difference from vanilla in how promptly a reboot and other
> housecleaning for SELinux is needed? i.e. will audit go nuts...

In general use there should not be any need for a relabel except after severe file system corruption, a backup/restore with non-XATTR aware backup software, or booting a non-SE Linux kernel.

> Also I have taken to adding an alternate boot section in
> /boot/grub/grub.conf. Is this useful, useless, sane, silly,
> underkill, overkill. Thus...:

Grub is really good for allowing you to edit the kernel command line before booting it. So if you have problems you can always tell it to boot the kernel with selinux=0 appended even if that is not in your grub.conf.

If you accidentally boot a non-SE kernel then /etc/mtab and a few other files will get the wrong label, which will be really annoying for you. We are working on these issues, but in the mean-time you probably don't want to make it too easy to accidentally boot a non-SE kernel.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From dax at gurulabs.com Wed Mar 10 08:19:39 2004
From: dax at gurulabs.com (Dax Kelson)
Date: Wed, 10 Mar 2004 01:19:39 -0700 (MST)
Subject: Fresh rawhide install / AVC messages
In-Reply-To: <200403101821.47328.russell@coker.com.au>
Message-ID:

On Wed, 10 Mar 2004, Russell Coker wrote:
> On Wed, 10 Mar 2004 04:45, Dax Kelson wrote:
> > On the first boot, I got the following AVC messages. Is enforcing mode
> > expected to work? Is this helpful?
>
> This is helpful!

Great!
I'm still trying to wrap my brain around all this, so hopefully I'll be able to provide actual fixes--rather than just information--in the future.

I think a fair amount of these were triggered from RH's "firstboot" program that does some post-install tasks on the first boot (surprise surprise) of a freshly installed system.

I have made no custom changes to my box at this point.

> I have attached a first cut at cpuspeed policy, it won't work but if you try
> it out I'll get more information and be able to write more policy. What is
> the full path name for this scaling_governor file?

/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor

Tomorrow I'll see if I can try it out.

> > audit(1078849148.792:0): avc: denied { getattr } for
> > pid=1141 exe=/bin/bash path=/etc/ntp.conf dev=hda8 ino=19690
> > scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t
> > tclass=file audit(1078849148.796:0): avc: denied { rename } for pid=1160
> > exe=/bin/mv name=ntp.conf dev=hda8 ino=19690
> > scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t
> > tclass=file audit(1078849148.797:0): avc: denied { getattr } for
> > pid=1161 exe=/bin/bash path=/tmp dev=hda8 ino=588673
>
> This is a problem. Is this standard functionality of the dhcp client or have
> you written your own scripts?

This is standard behavior on RHL8.0 and above if the DHCP server sends the 'time-server' options. I don't know off hand if it is RH specific or stock dhclient.

> The problem we face is that the dhcp client as a standard function will
> replace /etc/resolv.conf. The /etc/resolv.conf file is given the type
> resolv_conf_t because so many programs want to re-write it.
>
> Now we can give the ntpd config file the same type. But in that case we will
> probably want to rename it to net_conf_t or something.
>
> This is all conditional on this being standard functionality of the dhcp
> client. If it's your customisation then you can just change ntpd.fc to label
> the file as resolv_conf_t. Although I suspect that if this is a
> customisation of yours it'll become a standard thing soon enough, it sounds
> like a good idea!

net_conf_t sounds good. I'd imagine we are going to encounter other cases besides resolv.conf and ntp.conf.

> > tclass=dir audit(1078849148.798:0): avc: denied { search } for pid=1161
> > exe=/bin/bash name=tmp dev=hda8 ino=588673
> > scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> > tclass=dir audit(1078849148.798:0): avc: denied { write } for pid=1161
> > exe=/bin/bash name=tmp dev=hda8 ino=588673
> > scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> > tclass=dir audit(1078849148.798:0): avc: denied { add_name } for
> > pid=1161 exe=/bin/bash name=sh-thd-1078853309
>
> What is this for? The following is the policy needed to address that. If
> it's a standard thing then I'll put it in my policy tree.
>
> tmp_domain(dhcpc)

I don't know, what's it doing? :)

It is a standard thing as I've made no custom changes.

> > audit(1078849246.286:0): avc: denied { create } for pid=4526
> > exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
> > tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> > avc: denied { unix_read unix_write } for pid=4526 exe=/usr/bin/python
> > key=0 scontext=system_u:system_r:initrc_t
> > tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> > avc: denied { read write } for pid=4526 exe=/usr/bin/python key=0
> > scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> > tclass=shm
>
> Any idea what this program is?

Maybe it is firstboot.

Dax Kelson

From rhally at mindspring.com Wed Mar 10 08:27:52 2004
From: rhally at mindspring.com (Richard Hally)
Date: Wed, 10 Mar 2004 03:27:52 -0500
Subject: up2date, Large Medium and small updates....
In-Reply-To: <200403101903.18346.russell@coker.com.au>
Message-ID:

Fwiw, in grub I set up duplicate sections for a permissive kernel and an enforcing kernel using ENFORCING on the title line and enforcing=1 on the kernel line.

Richard Hally

> Also I have taken to adding an alternate boot section in
> /boot/grub/grub.conf. Is this useful, useless, sane, silly,
> underkill, overkill. Thus...:

Grub is really good for allowing you to edit the kernel command line before booting it. So if you have problems you can always tell it to boot the kernel with selinux=0 appended even if that is not in your grub.conf.

If you accidentally boot a non-SE kernel then /etc/mtab and a few other files will get the wrong label, which will be really annoying for you. We are working on these issues, but in the mean-time you probably don't want to make it too easy to accidentally boot a non-SE kernel.

From mitch48 at yahoo.com Wed Mar 10 09:18:08 2004
From: mitch48 at yahoo.com (Tom Mitchell)
Date: Wed, 10 Mar 2004 01:18:08 -0800
Subject: up2date, Large Medium and small updates....
In-Reply-To:
References: <200403101903.18346.russell@coker.com.au>
Message-ID: <20040310091808.GA16869@xtl1.xtl.tenegg.com>

On Wed, Mar 10, 2004 at 03:27:52AM -0500, Richard Hally wrote:
> Fwiw, in grub I set up duplicate sections for a permissive kernel and an
> enforcing kernel using ENFORCING on the title line and enforcing=1 on the
> kernel line.
>
> Richard Hally
>
>
> > Also I have taken to adding an alternate boot section in
> > /boot/grub/grub.conf. Is this useful, useless, sane, silly,
> > underkill, overkill. Thus...:
>
> Grub is really good for allowing you to edit the kernel command line before
> booting it. So if you have problems you can always tell it to boot the
> kernel with selinux=0 appended even if that is not in your grub.conf.
>
> If you accidentally boot a non-SE kernel then /etc/mtab and a few other
> files will get the wrong label, which will be really annoying for you.
> We are
> working on these issues, but in the mean-time you probably don't want to
> make it too easy to accidentally boot a non-SE kernel.

Good to know.... I like the enforcing difference... I will move that way. Setting enforcing to true is the next thing on my list.

Thanks to all.

Later,
tom

--
T o m  M i t c h e l l
/dev/null the ultimate in secure storage.

From russell at coker.com.au Wed Mar 10 10:20:40 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 10 Mar 2004 21:20:40 +1100
Subject: Fresh rawhide install / AVC messages
In-Reply-To:
References:
Message-ID: <200403102120.40352.russell@coker.com.au>

On Wed, 10 Mar 2004 19:19, Dax Kelson wrote:
> I have made no custom changes to my box at this point.

OK.

> > I have attached a first cut at cpuspeed policy, it won't work but if you
> > try it out I'll get more information and be able to write more policy.
> > What is the full path name for this scaling_governor file?
>
> /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
>
> Tomorrow I'll see if I can try it out.

I guess we'll need something like:

allow cpuspeed_t sysfs_t:dir search;
allow cpuspeed_t sysfs_t:file rw_file_perms;

> > > scontext=system_u:system_r:dhcpc_t
> > > tcontext=system_u:object_r:ntpd_etc_t tclass=file
> > > audit(1078849148.797:0): avc: denied { getattr } for pid=1161
> > > exe=/bin/bash path=/tmp dev=hda8 ino=588673
> >
> > This is a problem. Is this standard functionality of the dhcp client or
> > have you written your own scripts?
>
> This is standard behavior on RHL8.0 and above if the DHCP server sends the
> 'time-server' options. I don't know off hand if it is RH specific or stock
> dhclient.

Regardless of whether it's RH specific or standard dhclient it's something that has to be supported.

> > The problem we face is that the dhcp client as a standard function will
> > replace /etc/resolv.conf. The /etc/resolv.conf file is given the type
> > resolv_conf_t because so many programs want to re-write it.
> > Now we can give the ntpd config file the same type. But in that case we
> > will probably want to rename it to net_conf_t or something.
> >
> > This is all conditional on this being standard functionality of the dhcp
> > client. If it's your customisation then you can just change ntpd.fc to
> > label the file as resolv_conf_t. Although I suspect that if this is a
> > customisation of yours it'll become a standard thing soon enough, it
> > sounds like a good idea!
>
> net_conf_t sounds good. I'd imagine we are going to encounter other cases
> besides resolv.conf and ntp.conf.

What else might we have? net_conf_t doesn't seem ideal to me, but I can't think of anything better at the moment.

Also one other thing to note is that /etc/yp.conf has the same type, this may not be what we want.

> > > tclass=dir audit(1078849148.798:0): avc: denied { search } for
> > > pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673
> > > scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> > > tclass=dir audit(1078849148.798:0): avc: denied { write } for
> > > pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673
> > > scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> > > tclass=dir audit(1078849148.798:0): avc: denied { add_name } for
> > > pid=1161 exe=/bin/bash name=sh-thd-1078853309
> >
> > What is this for? The following is the policy needed to address that.
> > If it's a standard thing then I'll put it in my policy tree.
> >
> > tmp_domain(dhcpc)
>
> I don't know, what's it doing? :)
>
> It is a standard thing as I've made no custom changes.

OK, I've added the tmp_domain() rule to my tree.

> > > audit(1078849246.286:0): avc: denied { create } for pid=4526
> > > exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
> > > tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> > > avc: denied { unix_read unix_write } for pid=4526
> > > exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
> > > tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> > > avc: denied { read write } for pid=4526 exe=/usr/bin/python key=0
> > > scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> > > tclass=shm
> >
> > Any idea what this program is?
>
> Maybe it is firstboot.

I'll have to do some tests with that.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Wed Mar 10 10:31:55 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 10 Mar 2004 21:31:55 +1100
Subject: up2date, Large Medium and small updates....
In-Reply-To:
References:
Message-ID: <200403102131.55172.russell@coker.com.au>

On Wed, 10 Mar 2004 19:27, "Richard Hally" wrote:
> Fwiw, in grub I set up duplicate sections for a permissive kernel and an
> enforcing kernel using ENFORCING on the title line and enforcing=1 on the
> kernel line.

That's the way to do it. I sometimes do the same on my machines. If you accidentally boot in permissive mode it won't do anything other than fail to enforce security decisions, after it's booted you can then put it in enforcing mode.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From sct at redhat.com Wed Mar 10 11:12:54 2004
From: sct at redhat.com (Stephen C. Tweedie)
Date: 10 Mar 2004 11:12:54 +0000
Subject: up2date, Large Medium and small updates....
In-Reply-To: <200403101903.18346.russell@coker.com.au>
References: <20040310014058.GA14562@xtl1.xtl.tenegg.com> <200403101903.18346.russell@coker.com.au>
Message-ID: <1078917173.8051.3.camel@sisko.scot.redhat.com>

Hi,

On Wed, 2004-03-10 at 08:03, Russell Coker wrote:
> > Is it necessary/useful to do stuff like this before or after a reboot?
> > Is there a difference from vanilla in how promptly a reboot and other
> > housecleaning for SELinux is needed? i.e. will audit go nuts...
>
> In general use there should not be any need for a relabel except after severe
> file system corruption, a backup/restore with non-XATTR aware backup
> software, or booting a non-SE Linux kernel.

In practice I find my own SELinux test box becomes unbootable if I work with `setenforce 0` for any length of time, and it takes a relabel to fix things. The main breakage seems to be that at boot time, e2fsck can't access the glibc gconv modules list. I've changed my relabel scripts so next time it happens, I'll do a setfiles -v and record exactly what inodes are mislabelled.

Cheers,
Stephen

From sct at redhat.com Wed Mar 10 11:24:30 2004
From: sct at redhat.com (Stephen C. Tweedie)
Date: 10 Mar 2004 11:24:30 +0000
Subject: up2date, Large Medium and small updates....
In-Reply-To:
References:
Message-ID: <1078917870.8051.16.camel@sisko.scot.redhat.com>

Hi,

On Wed, 2004-03-10 at 08:27, Richard Hally wrote:
> If you accidentally boot a non-SE kernel then /etc/mtab and a few other
> files
> will get the wrong label, which will be really annoying for you.

Yep, I noticed that one too. Hard to miss it when the box won't boot. :-)

I've been wondering how to minimise the pain of this.
If we can get a shortlist of the inodes most likely to be bitten by bad labels, we can check those on boot time, detect if there's a problem, and relabel from (say) all of /etc (we can extend the list as we learn where the problems are going to be.)

The more we make these things automatic, the less likely our users will be to turn selinux off in frustration, so it's probably something we should do for fc2-final.

--Stephen

From sct at redhat.com Wed Mar 10 11:37:53 2004
From: sct at redhat.com (Stephen C. Tweedie)
Date: 10 Mar 2004 11:37:53 +0000
Subject: up2date, Large Medium and small updates....
In-Reply-To: <20040310014058.GA14562@xtl1.xtl.tenegg.com>
References: <20040310014058.GA14562@xtl1.xtl.tenegg.com>
Message-ID: <1078918673.8051.26.camel@sisko.scot.redhat.com>

Hi,

On Wed, 2004-03-10 at 01:40, Tom Mitchell wrote:
> The more general question is that for Large Medium and small updates....
> there may always be a question when one or more "makes" in the policy
> area will be needed. Is there a good way to check... will make
> check-all do the right thing?
>
> cd /etc/security/selinux/src/policy
> make ?????      # lots of choices...
> make relabel    # necessary? when and how to check ...
>
> Is it necessary/useful to do stuff like this before or after a reboot?

It shouldn't be necessary. But if there's something wrong --- unexpected actions in a %post script, the rpm was built from the wrong policy's file context list --- it might be.

I've added a new target in my own policy makefile:

checklabels: $(FC) $(SETFILES)
	$(SETFILES) -v $(FC) `mount | awk '/(ext[23]| xfs).*rw/{print $$3}'`

which passes the "-v" option to setfiles so that in addition to fixing labels, it logs those inodes with the wrong labels.
--Stephen

From notting at redhat.com Wed Mar 10 13:19:12 2004
From: notting at redhat.com (Bill Nottingham)
Date: Wed, 10 Mar 2004 08:19:12 -0500
Subject: Fresh rawhide install / AVC messages
In-Reply-To:
References: <200403101821.47328.russell@coker.com.au>
Message-ID: <20040310131912.GB29053@devserv.devel.redhat.com>

Dax Kelson (dax at gurulabs.com) said:
> > I have attached a first cut at cpuspeed policy, it won't work but if you try
> > it out I'll get more information and be able to write more policy. What is
> > the full path name for this scaling_governor file?
>
> /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor

Of course, you want cpu* in the policy.

> > > audit(1078849148.792:0): avc: denied { getattr } for
> > > pid=1141 exe=/bin/bash path=/etc/ntp.conf dev=hda8 ino=19690
> > > scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t
> > > tclass=file
> > > audit(1078849148.796:0): avc: denied { rename } for pid=1160
> > > exe=/bin/mv name=ntp.conf dev=hda8 ino=19690
> > > scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t
> > > tclass=file
> > > audit(1078849148.797:0): avc: denied { getattr } for
> > > pid=1161 exe=/bin/bash path=/tmp dev=hda8 ino=588673
> >
> > This is a problem. Is this standard functionality of the dhcp client or have
> > you written your own scripts?
>
> This is standard behavior on RHL8.0 and above if the DHCP server sends the
> 'time-server' options. I don't know off hand if it is RH specific or stock
> dhclient.

I believe it's an upstream thing. /sbin/dhclient-script has all the things
that dhclient tries to do.

Bill

From n3npq at nc.rr.com Wed Mar 10 13:48:18 2004
From: n3npq at nc.rr.com (Jeff Johnson)
Date: Wed, 10 Mar 2004 08:48:18 -0500
Subject: Installing new policy
Message-ID: <404F1CA2.2020304@nc.rr.com>

> At the moment rpm_script_t has access to so much that there's no point in
> trying to impose any serious restriction on it.
> I suspect that limiting rpm_script_t in any significant way will have
> to wait until we have multiple domains for rpm for installing packages
> with different signatures.

What is the logical connection between
    rpm_scriptlet_t has too much access.
and
    rpm needs multiple domains based on signature "trust".

Are there alternatives is what I'm asking.

73 de Jeff

From lamont at gurulabs.com Wed Mar 10 17:16:25 2004
From: lamont at gurulabs.com (Lamont R. Peterson)
Date: Wed, 10 Mar 2004 10:16:25 -0700
Subject: Fresh rawhide install / AVC messages
In-Reply-To:
References:
Message-ID: <1078938984.2915.15.camel@wraith.lrp.advansoft.us>

On Wed, 2004-03-10 at 01:19, Dax Kelson wrote:
> On Wed, 10 Mar 2004, Russell Coker wrote:
[SNIP]
> I think a fair amount of these were triggered from RH's "firstboot"
> program that does some post-install tasks on the first boot (surprise
> surprise) of a freshly installed system.
>
> I have made no custom changes to my box at this point.
[SNIP]
> > > audit(1078849246.286:0): avc: denied { create } for pid=4526
> > > exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
> > > tcontext=system_u:system_r:initrc_t tclass=shm
> > > audit(1078849246.286:0): avc: denied { unix_read unix_write } for pid=4526
> > > exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
> > > tcontext=system_u:system_r:initrc_t tclass=shm
> > > audit(1078849246.286:0): avc: denied { read write } for pid=4526
> > > exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
> > > tcontext=system_u:system_r:initrc_t tclass=shm
> >
> > Any idea what this program is?
>
> Maybe it is firstboot.

Firstboot was what came to mind when I read Dax's original message.

Since firstboot exists to perform one-time, first-time (though not entirely
necessary) things I think we should look at adding policy just for firstboot.
Then, the last thing that firstboot should do is to remove the firstboot only
policy into the appropriate "unused" directory.
--
Lamont Peterson
Senior Instructor
Guru Labs

From mitch48 at yahoo.com Wed Mar 10 17:54:03 2004
From: mitch48 at yahoo.com (Tom Mitchell)
Date: Wed, 10 Mar 2004 09:54:03 -0800
Subject: ntp.... was Re: Fresh rawhide install / AVC messages
In-Reply-To: <200403102120.40352.russell@coker.com.au>
References: <200403102120.40352.russell@coker.com.au>
Message-ID: <20040310175403.GB19591@xtl1.xtl.tenegg.com>

On Wed, Mar 10, 2004 at 09:20:40PM +1100, Russell Coker wrote:
> > This is standard behavior on RHL8.0 and above if the DHCP server sends the
> > 'time-server' options. I don't know off hand if it is RH specific or stock
> > dhclient.
>
> Regardless of whether it's RH specific or standard dhclient it's something
> that has to be supported.
>
> > > The problem we face is that the dhcp client as a standard function will
> > > replace /etc/resolv.conf. The /etc/resolv.conf file is given the type
> > > resolv_conf_t because so many programs want to re-write it.
> > >
> > > Now we can give the ntpd config file the same type. But in that case we
> > > will probably want to rename it to net_conf_t or something.
....
> net_conf_t doesn't seem ideal to me, but I can't think of anything better at
> the moment.

I am almost confused by dhcp...

How does /etc/ntp.conf differ from /etc/adjtime, /bin/date, adjtime (system
call) in this discussion. All interact with the time of day.

I might trust my dhcp server to give me an IP address but do I also want it to
set the time of day. Then what else do I trust it to do? How do I manage the
list of things that dhcp might update?

For example if I have a well crafted /etc/ntp.conf file will that file be lost
if I move to a different DHCP served net.

If I look at /usr/share/doc/dhcp-3.0pl2/dhcpd.conf.sample dhcp can set a list
of common things.
Some are important, not all involve files that trigger audit.

option nis-domain "domain.org";
option domain-name "domain.org";
option domain-name-servers 192.168.1.1;
option time-offset -18000;      # Eastern Standard Time
option ntp-servers 192.168.1.1;
option netbios-name-servers 192.168.1.1;

See man 5 dhcpd-options for more options.

--
T o m   M i t c h e l l
/dev/null the ultimate in secure storage.

From sbonnevi at redhat.com Wed Mar 10 18:47:56 2004
From: sbonnevi at redhat.com (Steven Bonneville)
Date: Wed, 10 Mar 2004 13:47:56 -0500
Subject: Fresh rawhide install / AVC messages
In-Reply-To: <20040310170003.6482.8121.Mailman@listman.back-rdu.redhat.com>
References: <20040310170003.6482.8121.Mailman@listman.back-rdu.redhat.com>
Message-ID: <20040310184756.GB18170@sbonnevi.rdu.redhat.com>

Russell Coker wrote:
> > > The problem we face is that the dhcp client as a standard function will
> > > replace /etc/resolv.conf. The /etc/resolv.conf file is given the type
> > > resolv_conf_t because so many programs want to re-write it.
> > >
> > > Now we can give the ntpd config file the same type. But in that case we
> > > will probably want to rename it to net_conf_t or something.
> > >
> > > This is all conditional on this being standard functionality of the dhcp
> > > client. If it's your customisation then you can just change ntpd.fc to
> > > label the file as resolv_conf_t. Although I suspect that if this is a
> > > customisation of yours it'll become a standard thing soon enough, it
> > > sounds like a good idea!
> >
> > net_conf_t sounds good. I'd imagine we are going to encounter other cases
> > besides resolv.conf and ntp.conf.
>
> What else might we have?
>
> net_conf_t doesn't seem ideal to me, but I can't think of anything better at
> the moment.
>
> Also one other thing to note is that /etc/yp.conf has the same type, this may
> not be what we want.

As far as /etc/yp.conf goes, that's exactly what we want.
I was going to add that dhclient may also mess with /etc/yp.conf if it gets
the right options in the DHCP response.

--
Steve Bonneville

From notting at redhat.com Wed Mar 10 19:18:10 2004
From: notting at redhat.com (Bill Nottingham)
Date: Wed, 10 Mar 2004 14:18:10 -0500
Subject: errors with labels after running for a while
Message-ID: <20040310191810.GB3221@devserv.devel.redhat.com>

This is after running for a while, occasionally flipping enforcing on and off.
Might be interesting to look at.

Bill

/usr/sbin/setfiles -v -n file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'`
/usr/sbin/setfiles: unable to stat file /dev/tty1
/usr/sbin/setfiles: unable to stat file /dev/tty2
/usr/sbin/setfiles: error while labeling files under /
/usr/sbin/setfiles: read 1272 specifications
/usr/sbin/setfiles: labeling files under /
/usr/sbin/setfiles: relabeling /etc/modules.conf from system_u:object_r:etc_t to system_u:object_r:modules_conf_t
/usr/sbin/setfiles: relabeling /etc/auto.master from root:object_r:etc_t to system_u:object_r:etc_t
/usr/sbin/setfiles: relabeling /etc/ptal/ptal-printd-like from system_u:object_r:etc_runtime_t to system_u:object_r:etc_t
/usr/sbin/setfiles: relabeling /etc/hotplug/usb.usermap from system_u:object_r:etc_t to system_u:object_r:hotplug_etc_t
/usr/sbin/setfiles: relabeling /etc/mtab from root:object_r:etc_runtime_t to system_u:object_r:etc_runtime_t
/usr/sbin/setfiles: relabeling /etc/.pwd.lock from system_u:object_r:shadow_t to system_u:object_r:etc_t
/usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy/file_contexts/misc from root:object_r:policy_src_t to system_u:object_r:policy_src_t
/usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy/policy.conf from root:object_r:policy_src_t to system_u:object_r:policy_src_t
/usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy/tmp/load from root:object_r:policy_src_t to system_u:object_r:policy_src_t
/usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy/tmp/program_used_flags.te from root:object_r:policy_src_t to system_u:object_r:policy_src_t
/usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy.conf from root:object_r:policy_src_t to system_u:object_r:policy_src_t
/usr/sbin/setfiles: relabeling /etc/security/selinux/file_contexts from root:object_r:policy_config_t to system_u:object_r:policy_config_t
/usr/sbin/setfiles: relabeling /etc/rndc.key from system_u:object_r:etc_t to system_u:object_r:rndc_conf_t
make: *** [checklabels] Error 1

From dax at gurulabs.com Wed Mar 10 22:10:24 2004
From: dax at gurulabs.com (Dax Kelson)
Date: Wed, 10 Mar 2004 15:10:24 -0700
Subject: Fresh rawhide install / AVC messages
In-Reply-To: <1078938984.2915.15.camel@wraith.lrp.advansoft.us>
References: <1078938984.2915.15.camel@wraith.lrp.advansoft.us>
Message-ID: <1078956624.2979.4.camel@mentor.gurulabs.com>

On Wed, 2004-03-10 at 10:16, Lamont R. Peterson wrote:
> Since firstboot exists to perform one-time, first-time (though not
> entirely necessary) things I think we should look at adding policy just
> for firstboot. Then, the last thing that firstboot should do is to
> remove the firstboot only policy into the appropriate "unused"
> directory.

The "firstboot" command itself doesn't perform those tasks AFAIK. It launches
external commands (system-config-time, authconfig, etc). I think only maybe
the last AVC message was triggered by firstboot itself. I could be wrong
though (of course).

Dax

From mitch48 at sbcglobal.net Thu Mar 11 01:21:35 2004
From: mitch48 at sbcglobal.net (Tom Mitchell)
Date: Wed, 10 Mar 2004 17:21:35 -0800
Subject: After my date today...WARNING: Multiple same specifications
Message-ID: <20040311012135.GH21275@xtl1.xtl.tenegg.com>

In /etc/security/selinux/src
# make policy; make install; make load; make relabel

I see a lot of these, they look harmless, are they?

....
WARNING: Multiple same specifications for /etc/issue\.net.
WARNING: Multiple same specifications for /etc/sysconfig/hwconf.
WARNING: Multiple same specifications for /etc/asound\.state.
WARNING: Multiple same specifications for /etc/ld\.so\.cache.
WARNING: Multiple same specifications for /etc/ld\.so\.preload.
....

--
T o m   M i t c h e l l
/dev/null the ultimate in secure storage.

From russell at coker.com.au Wed Mar 10 15:39:20 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 11 Mar 2004 02:39:20 +1100
Subject: up2date, Large Medium and small updates....
In-Reply-To: <1078917870.8051.16.camel@sisko.scot.redhat.com>
References: <1078917870.8051.16.camel@sisko.scot.redhat.com>
Message-ID: <200403110239.20502.russell@coker.com.au>

On Wed, 10 Mar 2004 22:24, "Stephen C. Tweedie" wrote:
> > If you accidentally boot a non-SE kernel then /etc/mtab and a few other
> > files will get the wrong label, which will be really annoying for you.
>
> Yep, I noticed that one too. Hard to miss it when the box won't boot.

/etc/mtab is a special case in that it's quite trivial and also very annoying.
I will change the policy to allow mount_t to read and unlink file_t:file. Then
it should be able to do its stuff.

Please put the following in your policy and see if it solves things for you
next time you boot a non-SE kernel (sorry I don't have a machine I feel like
booting a non-SE kernel on at the moment).
allow mount_t file_t:file { getattr read unlink };

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Wed Mar 10 15:34:13 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 11 Mar 2004 02:34:13 +1100
Subject: Installing new policy
In-Reply-To: <404F1CA2.2020304@nc.rr.com>
References: <404F1CA2.2020304@nc.rr.com>
Message-ID: <200403110234.13406.russell@coker.com.au>

On Thu, 11 Mar 2004 00:48, Jeff Johnson wrote:
> > At the moment rpm_script_t has access to so much that there's no point in
> > trying to impose any serious restriction on it.
> >
> > I suspect that limiting rpm_script_t in any significant way will have
> > to wait until we have multiple domains for rpm for installing packages
> > with different signatures.
>
> What is the logical connection between
>     rpm_scriptlet_t has too much access.
> and
>     rpm needs multiple domains based on signature "trust".
>
> Are there alternatives is what I'm asking.

Currently we have no control over what can be done by scriptlets, and no
control over how it's done.

Some operations can be performed in several ways. For the packages that we
develop we can develop procedures for how to do these things that require
the minimum of access. For the packages developed by other people they will
have to get used to the idea that some of the people who use their packages
will not trust scriptlets that they want to run, and therefore they should
design them to do the minimum amount of work. When we start getting that
under control we can do something about limiting rpm_script_t.

But at the moment it wants to do everything, and there's little we can do
about it without breaking heaps of rpms. We have enough pain at the moment.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Wed Mar 10 15:03:37 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 11 Mar 2004 02:03:37 +1100
Subject: Fresh rawhide install / AVC messages
In-Reply-To: <20040310131912.GB29053@devserv.devel.redhat.com>
References: <200403101821.47328.russell@coker.com.au> <20040310131912.GB29053@devserv.devel.redhat.com>
Message-ID: <200403110203.37650.russell@coker.com.au>

On Thu, 11 Mar 2004 00:19, Bill Nottingham wrote:
> Dax Kelson (dax at gurulabs.com) said:
> > > I have attached a first cut at cpuspeed policy, it won't work but if
> > > you try it out I'll get more information and be able to write more
> > > policy. What is the full path name for this scaling_governor file?
> >
> > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
>
> Of course, you want cpu* in the policy.

We don't have separate labelling for objects under /sys at the moment. So we
can't give it only access to the CPU entries. This is something that may need
to be changed.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From jwboyer at charter.net Thu Mar 11 11:46:40 2004
From: jwboyer at charter.net (Josh Boyer)
Date: Thu, 11 Mar 2004 05:46:40 -0600
Subject: kdeinit avcs
In-Reply-To: <200403091540.00853.russell@coker.com.au>
References: <200403081852.33581.jwboyer@charter.net> <200403091540.00853.russell@coker.com.au>
Message-ID: <200403110546.42020.jwboyer@charter.net>

On Monday 08 March 2004 10:40 pm, Russell Coker wrote:
> The appropriate fix for the problems you show is to correctly label the
> files under /var/tmp.
> This means removing the kde temporary files while
> you are logged out.

yep, this fixed it for the most part.

thx,
josh

From aleksey at nogin.org Thu Mar 11 12:38:53 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Thu, 11 Mar 2004 04:38:53 -0800
Subject: AVC messages at boot and kdm login (latest Rawhide)
Message-ID: <40505DDD.6050001@nogin.org>

After "update -u"; "load_policy /etc/security/selinux/policy.15"; reboot into
single user; "setfiles /etc/security/selinux/file_contexts / /boot"; reboot,
I see

Mar 11 04:19:44 dell kernel: audit(1079007536.909:0): avc: denied { execute } for pid=15 exe=/sbin/init name=bash dev=hda2 ino=3662881 scontext=system_u:system_r:init_t tcontext=system_u:object_r:shell_exec_t tclass=file
Mar 11 04:19:49 dell kernel: audit(1079007547.555:0): avc: denied { mounton } for pid=327 exe=/bin/mount path=/var/lib/rpc_pipes dev=hda2 ino=425580 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_lib_t tclass=dir
Mar 11 04:19:49 dell kernel: audit(1079007550.054:0): avc: denied { execute } for pid=378 exe=/sbin/init name=bash dev=hda2 ino=3662881 scontext=system_u:system_r:init_t tcontext=system_u:object_r:shell_exec_t tclass=file
Mar 11 04:19:49 dell kernel: audit(1079007582.402:0): avc: denied { mounton } for pid=1179 exe=/bin/mount path=/var/lib/rpc_pipes dev=hda2 ino=425580 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_lib_t tclass=dir
Mar 11 04:19:49 dell kernel: audit(1079007583.849:0): avc: denied { dac_override } for pid=1296 exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
Mar 11 04:19:50 dell kernel: audit(1079007590.445:0): avc: denied { fsetid } for pid=1504 exe=/bin/chmod capability=4 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
Mar 11 04:19:53 dell kernel: audit(1079007591.541:0): avc: denied { dac_override } for pid=1614 exe=/usr/sbin/sendmail.sendmail capability=1 scontext=system_u:system_r:sendmail_t tcontext=system_u:system_r:sendmail_t tclass=capability
Mar 11 04:19:53 dell kernel: audit(1079007592.875:0): avc: denied { read write } for pid=1661 exe=/usr/sbin/gpm name=gpmdata dev=hda2 ino=72912 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=fifo_file
Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied { read write } for pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied { ioctl } for pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:25 dell kernel: audit(1079007625.518:0): avc: denied { execute } for pid=2098 exe=/sbin/init name=bash dev=hda2 ino=3662881 scontext=system_u:system_r:init_t tcontext=system_u:object_r:shell_exec_t tclass=file
Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc: denied { read } for pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
Mar 11 04:20:36 dell kernel: audit(1079007636.465:0): avc: denied { read } for pid=2112 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:36 dell kernel: audit(1079007636.466:0): avc: denied { ioctl } for pid=2112 exe=/usr/X11R6/bin/XFree86 path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:36 dell kernel: audit(1079007636.466:0): avc: denied { write } for pid=2112 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:38 dell kernel: audit(1079007638.174:0): avc: denied { getattr } for pid=2112 exe=/usr/X11R6/bin/XFree86 path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:39 dell kernel: audit(1079007639.611:0): avc: denied { search } for pid=2113 exe=/usr/bin/kdm name=root dev=hda2 ino=294337 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:default_t tclass=dir
Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc: denied { write } for pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2 ino=670527 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:lib_t tclass=file
Mar 11 04:20:47 dell kernel: audit(1079007647.551:0): avc: denied { write } for pid=2122 exe=/usr/bin/krootimage name=.qtrc.lock dev=hda2 ino=670527 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:lib_t tclass=file
Mar 11 04:20:52 dell kernel: audit(1079007652.672:0): avc: denied { setattr } for pid=2113 exe=/usr/bin/kdm name=sg0 dev=hda2 ino=2688146 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file
Mar 11 04:20:52 dell kernel: audit(1079007652.936:0): avc: denied { entrypoint } for pid=2131 exe=/usr/bin/kdm path=/etc/kde/kdm/Xsession dev=hda2 ino=1226634 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file
Mar 11 04:20:54 dell kernel: audit(1079007654.232:0): avc: denied { getattr } for pid=2131 exe=/bin/tcsh path=/var/log/messages dev=hda2 ino=3613840 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_log_t tclass=file

And another interesting one I saw later:

Mar 11 04:21:32 dell kernel: audit(1079007691.925:0): avc: denied { search } for pid=2363 exe=/usr/bin/ksysguardd scontext=user_u:user_r:user_t tcontext=system_u:object_r:sysctl_dev_t tclass=dir

--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From russell at coker.com.au Thu Mar 11 13:16:06 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 12 Mar 2004 00:16:06 +1100
Subject: errors with labels after running for a while
In-Reply-To: <20040310191810.GB3221@devserv.devel.redhat.com>
References: <20040310191810.GB3221@devserv.devel.redhat.com>
Message-ID: <200403120016.06965.russell@coker.com.au>

On Thu, 11 Mar 2004 06:18, Bill Nottingham wrote:
> /usr/sbin/setfiles: relabeling /etc/modules.conf from
> system_u:object_r:etc_t to system_u:object_r:modules_conf_t

This is a problem. Do you know what might have created that file?

> /usr/sbin/setfiles: relabeling /etc/auto.master from root:object_r:etc_t
> to system_u:object_r:etc_t

When you re-create a file the identity will match the identity of the creating
process. Presumably you edited the file as root:sysadm_r:sysadm_t. When you
relabel /etc after running for some time you see all the files you modified as
root.

> /usr/sbin/setfiles: relabeling /etc/ptal/ptal-printd-like from
> system_u:object_r:etc_runtime_t to system_u:object_r:etc_t

How is this file created? Maybe we should put in a file_contexts entry for
it? What package(s) use it?

> /usr/sbin/setfiles: relabeling /etc/hotplug/usb.usermap from
> system_u:object_r:etc_t to system_u:object_r:hotplug_etc_t

I guess that some script created that file.

/etc/hotplug(/.*)?		system_u:object_r:hotplug_etc_t

I'll change the hotplug.fc file to have the above and the directory will be
labelled as hotplug_etc_t to solve this.

> /usr/sbin/setfiles: relabeling /etc/.pwd.lock from
> system_u:object_r:shadow_t to system_u:object_r:etc_t

/etc/\.pwd\.lock	--	system_u:object_r:shadow_t

I'll add the above to types.fc.

> /usr/sbin/setfiles: relabeling /etc/rndc.key from system_u:object_r:etc_t
> to system_u:object_r:rndc_conf_t
> make: *** [checklabels] Error 1

This is a serious problem. How was the rndc.key file created?
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Thu Mar 11 13:41:35 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 12 Mar 2004 00:41:35 +1100
Subject: AVC messages at boot and kdm login (latest Rawhide)
In-Reply-To: <40505DDD.6050001@nogin.org>
References: <40505DDD.6050001@nogin.org>
Message-ID: <200403120041.35920.russell@coker.com.au>

On Thu, 11 Mar 2004 23:38, Aleksey Nogin wrote:
> Mar 11 04:19:44 dell kernel: audit(1079007536.909:0): avc: denied {
> execute } for pid=15 exe=/sbin/init name=bash dev=hda2 ino=3662881
> scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:shell_exec_t tclass=file

Why is init trying to execute the shell directly? Surely it should be
executing rc.sysinit, sulogin, or something else?

> Mar 11 04:19:49 dell kernel: audit(1079007547.555:0): avc: denied {
> mounton } for pid=327 exe=/bin/mount path=/var/lib/rpc_pipes dev=hda2
> ino=425580 scontext=system_u:system_r:mount_t
> tcontext=system_u:object_r:var_lib_t tclass=dir

What is this about?

> Mar 11 04:19:49 dell kernel: audit(1079007583.849:0): avc: denied {
> dac_override } for pid=1296 exe=/bin/bash capability=1
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
> tclass=capability
> Mar 11 04:19:50 dell kernel: audit(1079007590.445:0): avc: denied {
> fsetid } for pid=1504 exe=/bin/chmod capability=4
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
> tclass=capability

I guess it doesn't do any harm to add dac_override, I'll put it in my tree.

Why does it need fsetid? What file is it chmod'ing?
> Mar 11 04:19:53 dell kernel: audit(1079007591.541:0): avc: denied {
> dac_override } for pid=1614 exe=/usr/sbin/sendmail.sendmail
> capability=1 scontext=system_u:system_r:sendmail_t
> tcontext=system_u:system_r:sendmail_t tclass=capability

I'll look into this later.

> Mar 11 04:19:53 dell kernel: audit(1079007592.875:0): avc: denied {
> read write } for pid=1661 exe=/usr/sbin/gpm name=gpmdata dev=hda2
> ino=72912 scontext=system_u:system_r:gpm_t
> tcontext=system_u:object_r:device_t tclass=fifo_file

That should have type gpmctl_t, I'll change gpm.fc.

> Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
> read write } for pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2
> ino=4219044 scontext=system_u:system_r:gpm_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
> ioctl } for pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2
> ino=4219044 scontext=system_u:system_r:gpm_t
> tcontext=system_u:object_r:device_t tclass=chr_file

How does /dev/input really work? As I understand it event0 could be a
keyboard or a mouse. So maybe we want a separate type for this so that when
using gpm it can access it, but when the user is granted direct mouse access
they can't read the keyboard directly. Does this make sense?

> Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc: denied {
> read } for pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359
> scontext=system_u:system_r:xdm_t
> tcontext=system_u:object_r:memory_device_t tclass=chr_file

That's a bug in kdm. It should use /dev/random instead. Reading arbitrary
kernel memory as a source of random numbers is bogus anyway.
> Mar 11 04:20:36 dell kernel: audit(1079007636.465:0): avc: denied {
> read } for pid=2112 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2
> ino=4219044 scontext=system_u:system_r:xdm_xserver_t
> tcontext=system_u:object_r:device_t tclass=chr_file

This will be easy to solve once we solve the gpm issue above.

> Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc: denied {
> write } for pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2
> ino=670527 scontext=system_u:system_r:xdm_t
> tcontext=system_u:object_r:lib_t tclass=file

What directory is this in? We just need to get the directory in question
labeled as var_lib_xdm_t.

> Mar 11 04:20:52 dell kernel: audit(1079007652.672:0): avc: denied {
> setattr } for pid=2113 exe=/usr/bin/kdm name=sg0 dev=hda2 ino=2688146
> scontext=system_u:system_r:xdm_t
> tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file

dontaudit or allow? What should we do? It probably doesn't matter much as
the default policy does not permit the user to access the SCSI generic
device.

> Mar 11 04:20:52 dell kernel: audit(1079007652.936:0): avc: denied {
> entrypoint } for pid=2131 exe=/usr/bin/kdm path=/etc/kde/kdm/Xsession
> dev=hda2 ino=1226634 scontext=user_u:user_r:user_t
> tcontext=system_u:object_r:etc_t tclass=file

/etc/kde/kdm/Xsession	--	system_u:object_r:xsession_exec_t

We need to add the above to xdm.fc.

> Mar 11 04:20:54 dell kernel: audit(1079007654.232:0): avc: denied {
> getattr } for pid=2131 exe=/bin/tcsh path=/var/log/messages dev=hda2
> ino=3613840 scontext=user_u:user_r:user_t
> tcontext=system_u:object_r:var_log_t tclass=file

That is because the user is trying to do bad things. The file is set mode
0600 in Unix permissions and equivalent in SE Linux permissions by default.
> And another interesting one I saw later:
>
> Mar 11 04:21:32 dell kernel: audit(1079007691.925:0): avc: denied {
> search } for pid=2363 exe=/usr/bin/ksysguardd
> scontext=user_u:user_r:user_t tcontext=system_u:object_r:sysctl_dev_t
> tclass=dir

The problem here is that the user wants access to lots of info on the
machine, and we don't want to give it all up. Maybe we can make this a
tunable.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From n3npq at nc.rr.com Thu Mar 11 13:56:22 2004
From: n3npq at nc.rr.com (Jeff Johnson)
Date: Thu, 11 Mar 2004 08:56:22 -0500
Subject: Installing new policy
In-Reply-To: <200403110234.13406.russell@coker.com.au>
References: <404F1CA2.2020304@nc.rr.com> <200403110234.13406.russell@coker.com.au>
Message-ID: <40507006.6050309@nc.rr.com>

Russell Coker wrote:

> On Thu, 11 Mar 2004 00:48, Jeff Johnson wrote:
>
> > > At the moment rpm_script_t has access to so much that there's no point in
> > > trying to impose any serious restriction on it.
> > >
> > > I suspect that limiting rpm_script_t in any significant way will have
> > > to wait until we have multiple domains for rpm for installing packages
> > > with different signatures.
> >
> > What is the logical connection between
> >     rpm_scriptlet_t has too much access.
> > and
> >     rpm needs multiple domains based on signature "trust".
> >
> > Are there alternatives is what I'm asking.
>
> Currently we have no control over what can be done by scriptlets, and no
> control over how it's done.
>
> Some operations can be performed in several ways. For the packages that we
> develop we can develop procedures for how to do these things that require
> the minimum of access.
>For the packages developed by other people they will
>have to get used to the idea that some of the people who use their packages
>will not trust scriptlets that they want to run, and therefore they should
>design them to do the minimum amount of work. When we start getting that
>under control we can do something about limiting rpm_script_t.
>
>But at the moment it wants to do everything, and there's little we can do
>about it without breaking heaps of rpms. We have enough pain at the moment.
>

Pain and the need for limiting rpm_script_t well understood, not nudging ;-)

Adding --noscripts --notriggers automagically to each package not signed
with a trusted signature is an alternative that starts to avoid a lot of
selinux pain. And, since very few 3rd party add-on packages are essential
to system integrity, there are few consequences running the scripts after
the fact in an entirely different domain of execution.

There are still issues with trojan'ed files in payload, forcing chmod -x
or chmod 000 might start to limit damage.

So it's the logical connection that leads from
    rpm_script_t has too much access
to
    rpm needs multiple domains based on signature
that I am seeking. selinux is not the only way to limit damage if you
catch my drift.

But selinux is gonna need a trust proof mark. What is done with the proof
mark is a different question.
73 de Jeff

From dwalsh at redhat.com Thu Mar 11 14:01:53 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 11 Mar 2004 09:01:53 -0500
Subject: AVC messages at boot and kdm login (latest Rawhide)
In-Reply-To: <200403120041.35920.russell@coker.com.au>
References: <40505DDD.6050001@nogin.org> <200403120041.35920.russell@coker.com.au>
Message-ID: <40507151.9050302@redhat.com>

Russell Coker wrote:

>On Thu, 11 Mar 2004 23:38, Aleksey Nogin wrote:
>
>>Mar 11 04:19:44 dell kernel: audit(1079007536.909:0): avc: denied {
>>execute } for pid=15 exe=/sbin/init name=bash dev=hda2 ino=3662881
>>scontext=system_u:system_r:init_t
>>tcontext=system_u:object_r:shell_exec_t tclass=file
>>
>
>Why is init trying to execute the shell directly? Surely it should be
>executing rc.sysinit, sulogin, or something else?
>

This is a bug in the policy file. Anyone who installed the March 10th
install should update the policy file to policy-1.8-3 or greater. The init
script is executing the rhgb script to put up the graphical boot.

>>Mar 11 04:19:49 dell kernel: audit(1079007547.555:0): avc: denied {
>>mounton } for pid=327 exe=/bin/mount path=/var/lib/rpc_pipes dev=hda2
>>ino=425580 scontext=system_u:system_r:mount_t
>>tcontext=system_u:object_r:var_lib_t tclass=dir
>>
>
>What is this about?
>

This is something new with nfs-utils. It allows nfs-utils the ability to
communicate with the kernel. Fixed in latest policy.

>>Mar 11 04:19:49 dell kernel: audit(1079007583.849:0): avc: denied {
>>dac_override } for pid=1296 exe=/bin/bash capability=1
>>scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
>>tclass=capability
>>Mar 11 04:19:50 dell kernel: audit(1079007590.445:0): avc: denied {
>>fsetid } for pid=1504 exe=/bin/chmod capability=4
>>scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
>>tclass=capability
>>
>
>I guess it doesn't do any harm to add dac_override, I'll put it in my tree.
>
>Why does it need fsetid? What file is it chmod'ing?
>

grep chmod /sbin/dhclient-script
chmod 644 /etc/resolv.conf

>>Mar 11 04:19:53 dell kernel: audit(1079007591.541:0): avc: denied {
>>dac_override } for pid=1614 exe=/usr/sbin/sendmail.sendmail
>>capability=1 scontext=system_u:system_r:sendmail_t
>>tcontext=system_u:system_r:sendmail_t tclass=capability
>>
>
>I'll look into this later.
>

>>Mar 11 04:19:53 dell kernel: audit(1079007592.875:0): avc: denied {
>>read write } for pid=1661 exe=/usr/sbin/gpm name=gpmdata dev=hda2
>>ino=72912 scontext=system_u:system_r:gpm_t
>>tcontext=system_u:object_r:device_t tclass=fifo_file
>>
>
>That should have type gpmctl_t, I'll change gpm.fc.
>

>>Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
>>read write } for pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2
>>ino=4219044 scontext=system_u:system_r:gpm_t
>>tcontext=system_u:object_r:device_t tclass=chr_file
>>Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
>>ioctl } for pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2
>>ino=4219044 scontext=system_u:system_r:gpm_t
>>tcontext=system_u:object_r:device_t tclass=chr_file
>>
>
>How does /dev/input really work? As I understand it event0 could be a
>keyboard or a mouse. So maybe we want a separate type for this so that when
>using gpm it can access it, but when the user is granted direct mouse access
>they can't read the keyboard directly.
>
>Does this make sense?
>

>>Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc: denied {
>>read } for pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359
>>scontext=system_u:system_r:xdm_t
>>tcontext=system_u:object_r:memory_device_t tclass=chr_file
>>
>
>That's a bug in kdm. It should use /dev/random instead. Reading arbitrary
>kernel memory as a source of random numbers is bogus anyway.
>

Enter a bugzilla.
>>Mar 11 04:20:36 dell kernel: audit(1079007636.465:0): avc: denied {
>>read } for pid=2112 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2
>>ino=4219044 scontext=system_u:system_r:xdm_xserver_t
>>tcontext=system_u:object_r:device_t tclass=chr_file
>>
>
>This will be easy to solve once we solve the gpm issue above.
>

>>Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc: denied {
>>write } for pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2
>>ino=670527 scontext=system_u:system_r:xdm_t
>>tcontext=system_u:object_r:lib_t tclass=file
>>
>
>What directory is this in? We just need to get the directory in question
>labeled as var_lib_xdm_t.
>

>>Mar 11 04:20:52 dell kernel: audit(1079007652.672:0): avc: denied {
>>setattr } for pid=2113 exe=/usr/bin/kdm name=sg0 dev=hda2 ino=2688146
>>scontext=system_u:system_r:xdm_t
>>tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file
>>
>
>dontaudit or allow? What should we do?
>
>It probably doesn't matter much as the default policy does not permit the user
>to access the SCSI generic device.
>

>>Mar 11 04:20:52 dell kernel: audit(1079007652.936:0): avc: denied {
>>entrypoint } for pid=2131 exe=/usr/bin/kdm path=/etc/kde/kdm/Xsession
>>dev=hda2 ino=1226634 scontext=user_u:user_r:user_t
>>tcontext=system_u:object_r:etc_t tclass=file
>>
>
>/etc/kde/kdm/Xsession -- system_u:object_r:xsession_exec_t
>
>We need to add the above to xdm.fc.
>

>>Mar 11 04:20:54 dell kernel: audit(1079007654.232:0): avc: denied {
>>getattr } for pid=2131 exe=/bin/tcsh path=/var/log/messages dev=hda2
>>ino=3613840 scontext=user_u:user_r:user_t
>>tcontext=system_u:object_r:var_log_t tclass=file
>>
>
>That is because the user is trying to do bad things. The file is set mode
>0600 in Unix permissions and equivalent in SE Linux permissions by default.
>

>>And another interesting one I saw later:
>>
>>Mar 11 04:21:32 dell kernel: audit(1079007691.925:0): avc: denied {
>>search } for pid=2363 exe=/usr/bin/ksysguardd
>>scontext=user_u:user_r:user_t tcontext=system_u:object_r:sysctl_dev_t
>>tclass=dir
>>
>
>The problem here is that the user wants access to lots of info on the machine,
>and we don't want to give it all up. Maybe we can make this a tunable.
>

From russell at coker.com.au Thu Mar 11 10:50:43 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 11 Mar 2004 21:50:43 +1100
Subject: ntp.... was Re: Fresh rawhide install / AVC messages
In-Reply-To: <20040310175403.GB19591@xtl1.xtl.tenegg.com>
References: <200403102120.40352.russell@coker.com.au> <20040310175403.GB19591@xtl1.xtl.tenegg.com>
Message-ID: <200403112150.43247.russell@coker.com.au>

On Thu, 11 Mar 2004 04:54, Tom Mitchell wrote:
> > net_conf_t doesn't seem ideal to me, but I can't think of anything better
> > at the moment.
>
> I am almost confused by dhcp...
>
> How does /etc/ntp.conf differ from /etc/adjtime /bin/date,
> adjtime(system call) in this discussion. All interact with the time
> of day.

/etc/adjtime is used to account for inaccuracies of the hardware clock on the
motherboard, so that after some time of power-off the clock compensation can
be made for those inaccuracies. Nothing to do with dhcpc.

/bin/date is not relevant either.

AFAIK there is no way of transferring the system time in the DHCP protocol
(correct me if I'm wrong), so it doesn't have anything to do with this issue.

> I might trust my dhcp server to give me an IP address but do I also
> want it to set the time of day. Then what else do I trust it to do?
> How do I manage the list of things that dhcp might update?

Apparently it's a standard feature to allow dhcpc to set the IP address of the
NTP server. You can surely reconfigure your dhcpc to not do this.
Also as a local customisation you could relabel /etc/ntp.conf to etc_t and
thus deny dhcpc_t write access to it (ntpd_t has read access to etc_t:file).

> For example if I have a well crafted /etc/ntp.conf file will that file
> be lost if I move to a different DHCP served net.

Maybe. That depends on what your DHCP client does.

> If I look at /usr/share/doc/dhcp-3.0pl2/dhcpd.conf.sample dhcp can set
> a list of common things. Some are important, not all involve files
> that trigger audit.
>         option nis-domain "domain.org";
>         option domain-name "domain.org";
>         option domain-name-servers 192.168.1.1;
>         option time-offset -18000; # Eastern Standard Time
>         option ntp-servers 192.168.1.1;
>         option netbios-name-servers 192.168.1.1;
>
> See man 5 dhcpd-options for more options.

Interesting. Is the time offset supported in dhcpc? If so we'll need policy
for that.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Thu Mar 11 14:59:06 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 12 Mar 2004 01:59:06 +1100
Subject: Installing new policy
In-Reply-To: <40507006.6050309@nc.rr.com>
References: <404F1CA2.2020304@nc.rr.com> <200403110234.13406.russell@coker.com.au> <40507006.6050309@nc.rr.com>
Message-ID: <200403120159.06383.russell@coker.com.au>

On Fri, 12 Mar 2004 00:56, Jeff Johnson wrote:
> Adding --noscripts --notriggers automagically to each package not signed
> with a trusted signature is an alternative that starts to avoid a lot of
> selinux pain. And, since very few 3rd party add-on packages are essential
> to system integrity, there are few consequences running the scripts after
> the fact in an entirely different domain of execution.
As a future development I was thinking of having untrusted_bin_t and
untrusted_etc_t and other similar types for files in such packages. Then we
could allow the scripts unrestricted access to those files but read-only
access to other files.

It's just an idea that will need a lot of testing. But it could allow us to
have a package that wants to run some scripts to mangle its own config files
work well without modifications.

> There are still issues with trojan'ed files in payload, forcing chmod -x
> or chmod 000 might start to limit damage.

That depends on how we want to do it. We could just have an executable type
untrusted_bin_t which prevents execution by sysadm_t, or something similar.

Some input from customers regarding what they want might be good.

> So it's the logical connection that leads from
>     rpm_script_t has too much access
> to
>     rpm needs multiple domains based on signature
> that I am seeking. selinux is not the only way to limit damage if you
> catch my drift.

True. But I am thinking about SE Linux.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From notting at redhat.com Thu Mar 11 15:10:56 2004
From: notting at redhat.com (Bill Nottingham)
Date: Thu, 11 Mar 2004 10:10:56 -0500
Subject: errors with labels after running for a while
In-Reply-To: <200403120016.06965.russell@coker.com.au>
References: <20040310191810.GB3221@devserv.devel.redhat.com> <200403120016.06965.russell@coker.com.au>
Message-ID: <20040311151055.GA6349@devserv.devel.redhat.com>

Russell Coker (russell at coker.com.au) said:
> > /usr/sbin/setfiles: relabeling /etc/modules.conf from
> > system_u:object_r:etc_t to system_u:object_r:modules_conf_t
>
> This is a problem. Do you know what might have created that file?

Bad %post from nfs-utils. It will be fixed in a future build.
> > /usr/sbin/setfiles: relabeling /etc/auto.master from root:object_r:etc_t
> > to system_u:object_r:etc_t /usr/sbin/setfiles: relabeling
>
> When you re-create a file the identity will match the identity of the creating
> process. Presumably you edited the file as root:sysadm_r:sysadm_t. When you
> relabel /etc after running for some time you see all the files you modified
> as root.

scp'd it, actually. Although, it does point out that we probably need to
patch more editors.

> > /etc/ptal/ptal-printd-like from system_u:object_r:etc_runtime_t to
> > system_u:object_r:etc_t /usr/sbin/setfiles: relabeling
>
> How is this file created? Maybe we should put in a file_contexts entry for
> it? What package(s) use it?

Tim - this is something to do with hpoj and foomatic?

> > /usr/sbin/setfiles: relabeling /etc/rndc.key from system_u:object_r:etc_t
> > to system_u:object_r:rndc_conf_t make: *** [checklabels] Error 1
>
> This is a serious problem. How was the rndc.key file created?

%post of bind.

Bill

From aleksey at nogin.org Thu Mar 11 15:12:13 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Thu, 11 Mar 2004 07:12:13 -0800
Subject: AVC messages at boot and kdm login (latest Rawhide)
In-Reply-To: <200403120041.35920.russell@coker.com.au>
References: <40505DDD.6050001@nogin.org> <200403120041.35920.russell@coker.com.au>
Message-ID: <405081CD.9080302@nogin.org>

On 11.03.2004 05:41, Russell Coker wrote:

>>Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
>>read write } for pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2
>>ino=4219044 scontext=system_u:system_r:gpm_t
>>tcontext=system_u:object_r:device_t tclass=chr_file
>>Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
>>ioctl } for pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2
>>ino=4219044 scontext=system_u:system_r:gpm_t
>>tcontext=system_u:object_r:device_t tclass=chr_file
>
> How does /dev/input really work?
> As I understand it event0 could be a
> keyboard or a mouse. So maybe we want a separate type for this so that when
> using gpm it can access it, but when the user is granted direct mouse access
> they can't read the keyboard directly.
>
> Does this make sense?

Maybe. This is already reported -
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=117369

>>Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc: denied {
>>read } for pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359
>>scontext=system_u:system_r:xdm_t
>>tcontext=system_u:object_r:memory_device_t tclass=chr_file
>
> That's a bug in kdm. It should use /dev/random instead. Reading arbitrary
> kernel memory as a source of random numbers is bogus anyway.

OK, entered in Bugzilla -
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118051

>>Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc: denied {
>>write } for pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2
>>ino=670527 scontext=system_u:system_r:xdm_t
>>tcontext=system_u:object_r:lib_t tclass=file
>
> What directory is this in?

/usr/lib/qt-3.3/etc/settings/qtrc

> We just need to get the directory in question
> labeled as var_lib_xdm_t.

Well, should it be writing to it, or just reading? I do not see why it would
be reasonable for kdm_greet to touch it...

>>Mar 11 04:20:52 dell kernel: audit(1079007652.672:0): avc: denied {
>>setattr } for pid=2113 exe=/usr/bin/kdm name=sg0 dev=hda2 ino=2688146
>>scontext=system_u:system_r:xdm_t
>>tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file
>
> dontaudit or allow? What should we do?
>
> It probably doesn't matter much as the default policy does not permit the user
> to access the SCSI generic device.

Well, I have a symlink /dev/cdwriter -> /dev/sg0. Not sure if it is still
meaningful or whether it is left from the "hdc=ide_scsi" times.
-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From aleksey at nogin.org Thu Mar 11 15:19:55 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Thu, 11 Mar 2004 07:19:55 -0800
Subject: How do I make sudo "trusted"?
Message-ID: <4050839B.2010901@nogin.org>

Contrast the following two:

% su -c id
Password:
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=root:sysadm_r:sysadm_t

% sudo id
Password:
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=user_u:user_r:user_t

How do I change my local policy so as to have sudo grant the same sysadm
permissions as su does? Is it possible to make it tunable? Or is this
something that is very dangerous and should not be done? Thanks!

-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From sds at epoch.ncsc.mil Thu Mar 11 15:36:24 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 11 Mar 2004 10:36:24 -0500
Subject: How do I make sudo "trusted"?
In-Reply-To: <4050839B.2010901@nogin.org>
References: <4050839B.2010901@nogin.org>
Message-ID: <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-03-11 at 10:19, Aleksey Nogin wrote:
> Contrast the following two:
>
> % su -c id
> Password:
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=root:sysadm_r:sysadm_t
>
> % sudo id
> Password:
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=user_u:user_r:user_t
>
> How do I change my local policy so as to have sudo grant the same sysadm
> permissions as su does? Is it possible to make it tunable? Or is this
> something that is very dangerous and should not be done? Thanks!
sudo authenticates the current user, not the target user, so having it
change the SELinux user identity would be dangerous. It can change
roles (if the current user identity is authorized for the role) via the
-r option. Hence, if you add yourself to policy/users and authorize
yourself for staff_r and sysadm_r and reload your policy, then you
should be able to do sudo -r sysadm_r .

In order to have sudo safely change the SELinux user identity (to root),
you would need another mechanism for specifying what roles/domains are
permitted to the calling user, e.g. new fields in /etc/sudoers. Even
then, you still need to start from staff_r in order to reach sysadm_r;
the policy doesn't allow user_r to transition to sysadm_r (if SELinux is
in enforcing mode).

-- 
Stephen Smalley
National Security Agency

From aleksey at nogin.org Thu Mar 11 15:38:40 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Thu, 11 Mar 2004 07:38:40 -0800
Subject: AVCs on bringing up a network device via hotplug.
Message-ID: <40508800.9060206@nogin.org>

audit(1079019200.094:0): avc: denied { net_admin } for pid=18206 exe=/sbin/nameif capability=12 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
audit(1079019200.519:0): avc: denied { getattr } for pid=18144 exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079019200.521:0): avc: denied { write } for pid=18221 exe=/bin/bash name=etc dev=hda2 ino=228929 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1079019200.521:0): avc: denied { add_name } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1079019200.521:0): avc: denied { create } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1079019200.541:0): avc: denied { read } for pid=18221 exe=/bin/grep name=dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079019200.542:0): avc: denied { search } for pid=17337 exe=/usr/bin/fam name=sys dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1079019200.542:0): avc: denied { getattr } for pid=17337 exe=/usr/bin/fam path=/etc/mtab dev=hda2 ino=229229 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1079019200.572:0): avc: denied { write } for pid=18221 exe=/bin/grep path=/etc/dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=file
audit(1079019200.574:0): avc: denied { write } for pid=18222 exe=/bin/bash name=dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079019200.580:0): avc: denied { remove_name } for pid=18223 exe=/bin/rm name=dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1079019200.580:0): avc: denied { unlink } for pid=18223 exe=/bin/rm name=dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=file
audit(1079019200.778:0): avc: denied { dac_override } for pid=18241 exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
audit(1079019203.873:0): avc: denied { fsetid } for pid=18339 exe=/bin/chmod capability=4 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability

% ls --context /etc/dhclient*
-rw-r--r--+ root root system_u:object_r:dhcp_etc_t /etc/dhclient.conf
lrwxrwxrwx  root root system_u:object_r:etc_t      /etc/dhclient-eth0.conf ->
dhclient.conf
lrwxrwxrwx  root root system_u:object_r:etc_t      /etc/dhclient-wvlan0.conf -> dhclient.conf

-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From twaugh at redhat.com Thu Mar 11 16:03:11 2004
From: twaugh at redhat.com (Tim Waugh)
Date: Thu, 11 Mar 2004 16:03:11 +0000
Subject: errors with labels after running for a while
In-Reply-To: <20040311151055.GA6349@devserv.devel.redhat.com>
References: <20040310191810.GB3221@devserv.devel.redhat.com> <200403120016.06965.russell@coker.com.au> <20040311151055.GA6349@devserv.devel.redhat.com>
Message-ID: <20040311160311.GI22468@redhat.com>

On Thu, Mar 11, 2004 at 10:10:56AM -0500, Bill Nottingham wrote:
> > > /etc/ptal/ptal-printd-like from system_u:object_r:etc_runtime_t to
> > > system_u:object_r:etc_t /usr/sbin/setfiles: relabeling
> >
> > How is this file created? Maybe we should put in a file_contexts entry for
> > it? What package(s) use it?
>
> Tim - this is something to do with hpoj and foomatic?

Yes, ptal-printd (from hpoj) creates it.

[root at cyberelk root]# cat /etc/ptal/ptal-printd-like
# ptal-init tells ptal-printd to use this file as a template for the
# security settings (mode, owner and group) for the named pipes in
# "/var/run/ptal-printd". The actual contents of this file are
# ignored. It was originally created on Tue Dec 2 13:37:14 GMT 2003
# based on "/dev/lp0".

Tim.
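The threads above settle each denial one of two ways: the object is mislabelled (add a file_contexts entry, as with the Xsession line for xdm.fc or the ptal-printd-like file, then relabel), or policy really lacks the access (then allow, dontaudit, or fix the program, as with kdm reading /dev/mem). The following triage script is an added example, not code from this list or from the SELinux project: it parses AVC lines copied from the messages above, checks each denied path against a constructed file_contexts fragment (a simplified subset of the real syntax; the last matching entry wins, as with setfiles), and merges whatever remains into candidate allow rules for a human to review.

```python
"""Triage of SELinux AVC denials of the kind posted in this thread.

Added example, not code from the list or from any SELinux project.
Two questions are answered for each "avc: denied" line, the same ones
the thread works through by hand:
  1. is the object simply mislabelled? (file_contexts says one type, the
     tcontext shows another: fix the .fc entry and relabel)
  2. otherwise, what allow rule would the denial need? (merged per
     source type / target type / class, for a human to allow, dontaudit,
     or reject as an application bug)
"""
import re
from collections import defaultdict

# Constructed sample: four AVC lines copied from the messages above.
SAMPLE_AVCS = """\
Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied { read write } for pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied { ioctl } for pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:36 dell kernel: audit(1079007636.465:0): avc: denied { read } for pid=2112 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:52 dell kernel: audit(1079007652.936:0): avc: denied { entrypoint } for pid=2131 exe=/usr/bin/kdm path=/etc/kde/kdm/Xsession dev=hda2 ino=1226634 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file
"""

# Constructed file_contexts fragment: a catch-all /etc entry plus the xdm.fc
# line proposed in the thread. Columns: regex, optional type filter, context.
# Only a simplified subset of the real file_contexts syntax is handled.
SAMPLE_FILE_CONTEXTS = """\
/etc(/.*)?                  system_u:object_r:etc_t
/etc/kde/kdm/Xsession   --  system_u:object_r:xsession_exec_t
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
# AVC object class -> file_contexts type filter, as setfiles interprets it.
CLASS_FILTER = {"file": "--", "dir": "-d", "chr_file": "-c", "blk_file": "-b",
                "lnk_file": "-l", "fifo_file": "-p", "sock_file": "-s"}


def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("rest")))
    rec["perms"] = frozenset(m.group("perms").split())
    # Contexts are user:role:type; allow rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_file_contexts(text):
    """Compile file_contexts lines into (regex, type filter or None, context)."""
    specs = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        regex, ctx = parts[0], parts[-1]
        ftype = parts[1] if len(parts) == 3 else None
        specs.append((re.compile("^(?:" + regex + ")$"), ftype, ctx))
    return specs


def expected_type(specs, path, tclass):
    """Type that file_contexts assigns to path; the last matching entry wins."""
    want = CLASS_FILTER.get(tclass)
    for regex, ftype, ctx in reversed(specs):
        if ftype is not None and ftype != want:
            continue
        if regex.match(path):
            return ctx.split(":")[2]
    return None


def triage(avc_text, specs):
    """Return (relabel fixes, candidate allow rules) for a block of AVC lines."""
    relabel = []
    wanted = defaultdict(set)
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        path = rec.get("path")          # only some AVCs carry a full path
        exp = expected_type(specs, path, rec["tclass"]) if path else None
        if exp and exp != rec["ttype"]:
            relabel.append((path, rec["ttype"], exp))
            continue
        wanted[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
             for (s, t, c), p in sorted(wanted.items())]
    return relabel, rules


if __name__ == "__main__":
    fixes, rules = triage(SAMPLE_AVCS, parse_file_contexts(SAMPLE_FILE_CONTEXTS))
    for path, have, want in fixes:
        print("relabel %s: is %s, file_contexts says %s" % (path, have, want))
    for rule in rules:
        print("candidate:", rule)
```

A candidate rule is a starting point for the policy decision, not the decision itself: the xdm_xserver_t line, for instance, is the one the thread expects to disappear once /dev/input gets its own type.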
From notting at redhat.com Thu Mar 11 16:17:49 2004
From: notting at redhat.com (Bill Nottingham)
Date: Thu, 11 Mar 2004 11:17:49 -0500
Subject: AVC messages at boot and kdm login (latest Rawhide)
In-Reply-To: <200403120041.35920.russell@coker.com.au>
References: <40505DDD.6050001@nogin.org> <200403120041.35920.russell@coker.com.au>
Message-ID: <20040311161749.GE6349@devserv.devel.redhat.com>

Russell Coker (russell at coker.com.au) said:
> > Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
> > read write } for pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2
> > ino=4219044 scontext=system_u:system_r:gpm_t
> > tcontext=system_u:object_r:device_t tclass=chr_file
> > Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
> > ioctl } for pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2
> > ino=4219044 scontext=system_u:system_r:gpm_t
> > tcontext=system_u:object_r:device_t tclass=chr_file
>
> How does /dev/input really work? As I understand it event0 could be a
> keyboard or a mouse. So maybe we want a separate type for this so that when
> using gpm it can access it, but when the user is granted direct mouse access
> they can't read the keyboard directly.
>
> Does this make sense?

X will need access to eventX as well.

Bill

From notting at redhat.com Thu Mar 11 16:18:14 2004
From: notting at redhat.com (Bill Nottingham)
Date: Thu, 11 Mar 2004 11:18:14 -0500
Subject: AVC messages at boot and kdm login (latest Rawhide)
In-Reply-To: <405081CD.9080302@nogin.org>
References: <40505DDD.6050001@nogin.org> <200403120041.35920.russell@coker.com.au> <405081CD.9080302@nogin.org>
Message-ID: <20040311161814.GF6349@devserv.devel.redhat.com>

Aleksey Nogin (aleksey at nogin.org) said:
> >It probably doesn't matter much as the default policy does not permit the
> >user to access the SCSI generic device.
>
> Well, I have a symlink /dev/cdwriter -> /dev/sg0. Not sure if it is
> still meaningful or whether it is left from the "hdc=ide_scsi" times.

Leftover. I need to whack that code. :)

Bill

From notting at redhat.com Thu Mar 11 16:20:57 2004
From: notting at redhat.com (Bill Nottingham)
Date: Thu, 11 Mar 2004 11:20:57 -0500
Subject: AVCs on bringing up a network device via hotplug.
In-Reply-To: <40508800.9060206@nogin.org>
References: <40508800.9060206@nogin.org>
Message-ID: <20040311162057.GG6349@devserv.devel.redhat.com>

Perhaps we need a network-init role, used by /etc/init.d/network, that
hotplug (and others) can transition to?

Bill

From pauln at truemesh.com Thu Mar 11 16:37:27 2004
From: pauln at truemesh.com (Paul Nasrat)
Date: Thu, 11 Mar 2004 16:37:27 +0000
Subject: AVC messages at boot and kdm login (latest Rawhide)
In-Reply-To: <20040311161749.GE6349@devserv.devel.redhat.com>
References: <40505DDD.6050001@nogin.org> <200403120041.35920.russell@coker.com.au> <20040311161749.GE6349@devserv.devel.redhat.com>
Message-ID: <20040311163725.GD25031@raq465.uk2net.com>

On Thu, Mar 11, 2004 at 11:17:49AM -0500, Bill Nottingham wrote:
> Russell Coker (russell at coker.com.au) said:
> > How does /dev/input really work? As I understand it event0 could be a
> > keyboard or a mouse. So maybe we want a separate type for this so that when
> > using gpm it can access it, but when the user is granted direct mouse access
> > they can't read the keyboard directly.
> >
> > Does this make sense?
>
> X will need access to eventX as well.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=117369

I guess that init 5 is ok as that is running under system_r:xdm_xserver_t so
we can set that up as with gpm. A user starts user_xserver_t; I'm still
finding my feet around policy, is this enough to restrict by type?
Paul

From aleksey at nogin.org Thu Mar 11 16:33:37 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Thu, 11 Mar 2004 08:33:37 -0800
Subject: AVCs on bringing up a network device via hotplug.
In-Reply-To: <20040311162057.GG6349@devserv.devel.redhat.com>
References: <40508800.9060206@nogin.org> <20040311162057.GG6349@devserv.devel.redhat.com>
Message-ID: <405094E1.2050604@nogin.org>

On 11.03.2004 08:20, Bill Nottingham wrote:

> Perhaps we need a network-init role, used by /etc/init.d/network,
> that hotplug (and others) can transition to?

Yes, this seems like a good idea. "and others" should probably include at
least APM/ACPI (for suspend/resume scripts).

But also note that part of the AVCs comes from the following fragment of
/sbin/ifup:

...
# Remove any temporary references which were previously added to dhclient config
if [ -w /etc/dhclient-${DEVICE}.conf ] && [ -x /sbin/dhclient ] ; then
    LC_ALL=C grep -v "# temporary RHL ifup addition" /etc/dhclient-${DEVICE}.conf > /etc/dhclient-${DEVICE}.conf.ifupnew 2> /dev/null
    cat /etc/dhclient-${DEVICE}.conf.ifupnew > /etc/dhclient-${DEVICE}.conf
    rm -f /etc/dhclient-${DEVICE}.conf.ifupnew
fi

if [ -n "${DYNCONFIG}" ]; then
    PUMPARGS=$PUMPARGS
    DHCPCDARGS="$DHCPCDARGS -n"
    DHCLIENTARGS="${DHCLIENTARGS} -1 -q -lf /var/lib/dhcp/dhclient-${DEVICE}.leases -pf /var/run/dhclient-${DEVICE}.pid -cf /etc/dhclient-${DEVICE}.conf"
    if [ -n "${DHCP_HOSTNAME}" ]; then
        # Send a host-name to the DHCP server (requ. by some dhcp servers).
        PUMPARGS="${PUMPARGS} -h ${DHCP_HOSTNAME}"
        DHCPCDARGS="${DHCPCDARGS} -h ${DHCP_HOSTNAME}"
        if [ -x /sbin/dhclient ] ; then
            if [ -w /etc/dhclient-${DEVICE}.conf ] ; then
                if ! LC_ALL=C grep "send *host-name *\"${DHCP_HOSTNAME}\"" /etc/dhclient-${DEVICE}.conf > /dev/null 2>&1 ; then
                    echo "send host-name \"${DHCP_HOSTNAME}\"; # temporary RHL ifup addition" >> /etc/dhclient-${DEVICE}.conf
                fi
            elif ! \
                [ -e /etc/dhclient-${DEVICE}.conf ] ; then
                echo "send host-name \"${DHCP_HOSTNAME}\"; # temporary RHL ifup addition" >> /etc/dhclient-${DEVICE}.conf
            fi
        fi
    fi
...

It seems that the least it could do is to check whether a "temporary RHL
ifup addition" line is in fact present in the config _before_ trying to
mess with it. And in general, allowing the ifup script to mess with the DHCP
config does not seem like such a good idea.

-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From aleksey at nogin.org Thu Mar 11 16:36:27 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Thu, 11 Mar 2004 08:36:27 -0800
Subject: nsupdate and netlink_socket AVCs
Message-ID: <4050958B.50201@nogin.org>

If I attempt to use nsupdate from under an ordinary user (which shouldn't
be a problem, should it?), then I see

audit(1079022100.499:0): avc: denied { bind } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.499:0): avc: denied { getattr } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.499:0): avc: denied { write } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.500:0): avc: denied { read } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket

Not sure what this is all about.

-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From sbonnevi at redhat.com Thu Mar 11 16:50:18 2004
From: sbonnevi at redhat.com (Steven Bonneville)
Date: Thu, 11 Mar 2004 11:50:18 -0500
Subject: ntp....
 was Re: Fresh rawhide install / AVC messages
Message-ID: <20040311165018.GA20018@sbonnevi.rdu.redhat.com>

Tom Mitchell wrote:
> I might trust my dhcp server to give me an IP address but do I also
> want it to set the time of day. Then what else do I trust it to do?
> How do I manage the list of things that dhcp might update?
>
> For example if I have a well crafted /etc/ntp.conf file will that file
> be lost if I move to a different DHCP served net.

I don't have FC2t1 handy at the moment, but on RHEL 3 I believe that you
can set the following options in /etc/sysconfig/network-scripts/ifcfg-*
files:

    PEERDNS=no   (/etc/resolv.conf)
    PEERNTP=no   (/etc/ntp.conf, /etc/ntp/step-tickers)
    PEERNIS=no   (/etc/yp.conf)

If set to no, then those files won't get modified even if appropriate
DHCP options are sent. See /sbin/dhclient-script for details.

-- 
Steve Bonneville

From dwalsh at redhat.com Thu Mar 11 21:11:37 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 11 Mar 2004 16:11:37 -0500
Subject: errors with labels after running for a while
In-Reply-To: <20040311160311.GI22468@redhat.com>
References: <20040310191810.GB3221@devserv.devel.redhat.com> <200403120016.06965.russell@coker.com.au> <20040311151055.GA6349@devserv.devel.redhat.com> <20040311160311.GI22468@redhat.com>
Message-ID: <4050D609.20201@redhat.com>

Added a context for it.

From dwalsh at redhat.com Thu Mar 11 21:18:43 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 11 Mar 2004 16:18:43 -0500
Subject: nsupdate and netlink_socket AVCs
In-Reply-To: <4050958B.50201@nogin.org>
References: <4050958B.50201@nogin.org>
Message-ID: <4050D7B3.9050205@redhat.com>

Aleksey Nogin wrote:

Is nsupdate a program to be run by an ordinary user? If yes we need to
define a security context for nsupdate to allow it to access the
netlink_sockets.

If we allow users access then any rogue app the user runs could access
the network devices.
Dan

> If I attempt to use nsupdate from under an ordinary user (which
> shouldn't be a problem, should it?), then I see
>
> audit(1079022100.499:0): avc: denied { bind } for pid=18759
> exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
> tcontext=user_u:user_r:user_t tclass=netlink_socket
> audit(1079022100.499:0): avc: denied { getattr } for pid=18759
> exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
> tcontext=user_u:user_r:user_t tclass=netlink_socket
> audit(1079022100.499:0): avc: denied { write } for pid=18759
> exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
> tcontext=user_u:user_r:user_t tclass=netlink_socket
> audit(1079022100.500:0): avc: denied { read } for pid=18759
> exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
> tcontext=user_u:user_r:user_t tclass=netlink_socket
>
> Not sure what this is all about.
>

From n3npq at nc.rr.com Thu Mar 11 21:17:53 2004
From: n3npq at nc.rr.com (Jeff Johnson)
Date: Thu, 11 Mar 2004 16:17:53 -0500
Subject: How do I make sudo "trusted"?
In-Reply-To: <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4050D781.8090000@nc.rr.com>

Stephen Smalley wrote:

>On Thu, 2004-03-11 at 10:19, Aleksey Nogin wrote:
>
>
>>Contrast the following two:
>>
>>% su -c id
>>Password:
>>uid=0(root) gid=0(root)
>>groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>>context=root:sysadm_r:sysadm_t
>>
>>% sudo id
>>Password:
>>uid=0(root) gid=0(root)
>>groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>>context=user_u:user_r:user_t
>>
>>How do I change my local policy so as to have sudo grant the same sysadm
>>permissions as su does? Is it possible to make it tunable? Or is this
>>something that is very dangerous and should not be done? Thanks!
>>
>>
>
>sudo authenticates the current user, not the target user, so having it
>change the SELinux user identity would be dangerous.
>It can change
>roles (if the current user identity is authorized for the role) via the
>-r option. Hence, if you add yourself to policy/users and authorize
>yourself for staff_r and sysadm_r and reload your policy, then you
>should be able to do sudo -r sysadm_r .
>
>In order to have sudo safely change the SELinux user identity (to root),
>you would need another mechanism for specifying what roles/domains are
>permitted to the calling user, e.g. new fields in /etc/sudoers. Even
>then, you still need to start from staff_r in order to reach sysadm_r;
>the policy doesn't allow user_r to transition to sysadm_r (if SELinux is
>in enforcing mode).
>
>
>

All true.

But there's always
    sudo su -

73 de Jeff

From jmorris at redhat.com Thu Mar 11 21:51:43 2004
From: jmorris at redhat.com (James Morris)
Date: Thu, 11 Mar 2004 16:51:43 -0500 (EST)
Subject: nsupdate and netlink_socket AVCs
In-Reply-To: <4050D7B3.9050205@redhat.com>
Message-ID:

On Thu, 11 Mar 2004, Daniel J Walsh wrote:

> Aleksey Nogin wrote:
> Is nsupdate a program to be run by an ordinary user?
> If yes we need to define a security context for nsupdate to allow it to
> access the netlink_sockets.
>
> If we allow users access, then any rogue app the user runs could access
> the network devices.
>

Btw, longer term, we will be implementing finer grained Netlink controls, so policy will be able to e.g. query the routing table but not update it.

- James
--
James Morris

From mitch48 at sbcglobal.net Fri Mar 12 02:18:41 2004
From: mitch48 at sbcglobal.net (Tom Mitchell)
Date: Thu, 11 Mar 2004 18:18:41 -0800
Subject: ntp.... was Re: Fresh rawhide install / AVC messages
Message-ID: <20040312021841.GA29970@xtl1.xtl.tenegg.com>

On Thu, Mar 11, 2004 at 11:50:18AM -0500, Steven Bonneville wrote:
> Tom Mitchell wrote:
>
> > I might trust my dhcp server to give me an IP address but do I also
> > want it to set the time of day. Then what else do I trust it to do?
> > How do I manage the list of things that dhcp might update?
> >
> > For example if I have a well crafted /etc/ntp.conf file will that file
> > be lost if I move to a different DHCP served net.
>
> I don't have FC2t1 handy at the moment, but on RHEL 3 I believe that you can
> set the following options in /etc/sysconfig/network-scripts/ifcfg-* files:
>
> PEERDNS=no (/etc/resolv.conf)
> PEERNTP=no (/etc/ntp.conf, /etc/ntp/step-tickers)
> PEERNIS=no (/etc/yp.conf)
>
> If set to no, then those files won't get modified even if appropriate
> DHCP options are sent. See /sbin/dhclient-script for details.

I missed the PEER*=no flags when I first glanced at the script. This looks like the correct place to manage the long list of DHCP-able config items. This permits a default "policy" configuration for the expected common situation of a responsible ISP or IT department. Individual DHCP decisions can be made and set without the complexity of editing policy.

-- Cool --

My concern was the cyber cafe or hotel that a traveling businessman encounters. There have already been rumors of bad boys snooping bits and doing naughty things in the cyber cafes. DHCP smelled like a potential problem where time of day, DNS, SMTP and a list of other "important" administrative decisions could be silently co-opted. Since all these issues exist regardless of SELinux the common and correct place to address this is via /sbin/dhclient-script and the associated config tools.

-- Excellent --

--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.

From mitch48 at yahoo.com Fri Mar 12 00:03:04 2004
From: mitch48 at yahoo.com (Tom Mitchell)
Date: Thu, 11 Mar 2004 16:03:04 -0800
Subject: ntp.... was Re: Fresh rawhide install / AVC messages
In-Reply-To: <20040311165018.GA20018@sbonnevi.rdu.redhat.com>
References: <20040311165018.GA20018@sbonnevi.rdu.redhat.com>
Message-ID: <20040312000303.GA28173@xtl1.xtl.tenegg.com>

On Thu, Mar 11, 2004 at 11:50:18AM -0500, Steven Bonneville wrote:
> Tom Mitchell wrote:
>
> > I might trust my dhcp server to give me an IP address but do I also
> > want it to set the time of day. Then what else do I trust it to do?
> > How do I manage the list of things that dhcp might update?
> >
> > For example if I have a well crafted /etc/ntp.conf file will that file
> > be lost if I move to a different DHCP served net.
>
> I don't have FC2t1 handy at the moment, but on RHEL 3 I believe that you can
> set the following options in /etc/sysconfig/network-scripts/ifcfg-* files:
>
> PEERDNS=no (/etc/resolv.conf)
> PEERNTP=no (/etc/ntp.conf, /etc/ntp/step-tickers)
> PEERNIS=no (/etc/yp.conf)
>
> If set to no, then those files won't get modified even if appropriate
> DHCP options are sent. See /sbin/dhclient-script for details.

I missed the PEER*=no flags when I first glanced at the script. This looks like the correct place to manage the long list of DHCP-able config items. This permits a default "policy" configuration for the expected common situation of a responsible ISP or IT department. Individual DHCP decisions can be made and set without the complexity of editing policy.

-- Cool --

My concern was the cyber cafe or hotel that a traveling businessman encounters. There have already been rumors of bad boys snooping bits and doing naughty things in the cyber cafes. DHCP smelled like a potential problem where time of day, DNS, SMTP and a list of other "important" administrative decisions could be silently co-opted. Since all these issues exist regardless of SELinux the common and correct place to address this is via /sbin/dhclient-script and the associated config tools.
-- Excellent --

--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.

From aleksey at nogin.org Fri Mar 12 03:26:20 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Thu, 11 Mar 2004 19:26:20 -0800
Subject: nsupdate and netlink_socket AVCs
In-Reply-To: <4050D7B3.9050205@redhat.com>
References: <4050958B.50201@nogin.org> <4050D7B3.9050205@redhat.com>
Message-ID: <40512DDC.9090503@nogin.org>

On 11.03.2004 13:18, Daniel J Walsh wrote:

> Is nsupdate a program to be run by an ordinary user?

Yes. But if I understand correctly, it only needs to communicate over UDP or TCP to a DNS server from an unprivileged port. I do not know why it wants netlink_sockets.

> If yes we need to
> define a security context for nsupdate to allow it to access the
> netlink_sockets.

Are you sure? _Why_ does nsupdate need it? Is it not an nsupdate deficiency?

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From dwalsh at redhat.com Fri Mar 12 04:45:41 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 11 Mar 2004 23:45:41 -0500
Subject: nsupdate and netlink_socket AVCs
In-Reply-To: <40512DDC.9090503@nogin.org>
References: <4050958B.50201@nogin.org> <4050D7B3.9050205@redhat.com> <40512DDC.9090503@nogin.org>
Message-ID: <40514075.3020508@redhat.com>

Aleksey Nogin wrote:

> On 11.03.2004 13:18, Daniel J Walsh wrote:
>
>> Is nsupdate a program to be run by an ordinary user?
>
>
> Yes. But if I understand correctly, it only needs to communicate over
> UDP or TCP to a DNS server from an unprivileged port. I do not know
> why it wants netlink_sockets.
>
>> If yes we need to define a security context for nsupdate to allow it
>> to access the netlink_sockets.
>
>
> Are you sure? _Why_ does nsupdate need it? Is it not an nsupdate
> deficiency?

Taking a quick look at the code it is doing some stuff to determine if it has IPV4 and IPV6 support.
You can define a security context for it and give it netlink access. If you take a look at the named.te file and copy the section on ncd_exec_t/ncd_t to nsupdate_exec_t/nsupdate_t you could get a good start on it. Then add

allow nsupdate_t self:netlink_socket create_socket_perms;

Dan

From russell at coker.com.au Fri Mar 12 06:17:14 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 12 Mar 2004 17:17:14 +1100
Subject: AVC messages at boot and kdm login (latest Rawhide)
In-Reply-To: <40507151.9050302@redhat.com>
References: <40505DDD.6050001@nogin.org> <200403120041.35920.russell@coker.com.au> <40507151.9050302@redhat.com>
Message-ID: <200403121717.14147.russell@coker.com.au>

On Fri, 12 Mar 2004 01:01, Daniel J Walsh wrote:
> >>Mar 11 04:19:49 dell kernel: audit(1079007583.849:0): avc: denied {
> >>dac_override } for pid=1296 exe=/bin/bash capability=1
> >>scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
> >>tclass=capability
> >>Mar 11 04:19:50 dell kernel: audit(1079007590.445:0): avc: denied {
> >>fsetid } for pid=1504 exe=/bin/chmod capability=4
> >>scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
> >>tclass=capability
> >
> >I guess it doesn't do any harm to add dac_override, I'll put it in my
> > tree.
> >
> >Why does it need fsetid? What file is it chmod'ing?
>
> grep chmod /sbin/dhclient-script
> chmod 644 /etc/resolv.conf

/* Overrides the following restrictions that the effective user ID
   shall match the file owner ID when setting the S_ISUID and S_ISGID
   bits on that file; that the effective group ID (or one of the
   supplementary group IDs) shall match the file owner ID when setting
   the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
   cleared on successful return from chown(2) (not implemented). */

#define CAP_FSETID           4

Either something strange is being done or the kernel comment from capability.h is wrong.
I am hesitant to add fsetid without being sure of this, there's the issue of hiding bugs, and the potential problem of future policy allowing user_t to execute something that dhcpc_t can write and then allowing an inappropriate SETGID.

> >>Mar 11 04:19:53 dell kernel: audit(1079007591.541:0): avc: denied {
> >>dac_override } for pid=1614 exe=/usr/sbin/sendmail.sendmail
> >>capability=1 scontext=system_u:system_r:sendmail_t
> >>tcontext=system_u:system_r:sendmail_t tclass=capability
> >
> >I'll look into this later.

> >>Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
> >>read write } for pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2
> >>ino=4219044 scontext=system_u:system_r:gpm_t
> >>tcontext=system_u:object_r:device_t tclass=chr_file
> >>Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
> >>ioctl } for pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2
> >>ino=4219044 scontext=system_u:system_r:gpm_t
> >>tcontext=system_u:object_r:device_t tclass=chr_file
> >
> >How does /dev/input really work? As I understand it event0 could be a
> >keyboard or a mouse. So maybe we want a separate type for this so that
> > when using gpm it can access it, but when the user is granted direct
> > mouse access they can't read the keyboard directly.
> >
> >Does this make sense?

> >That's a bug in kdm. It should use /dev/random instead. Reading arbitrary
> >kernel memory as a source of random numbers is bogus anyway.
>
> Enter a bugzilla.

Done, #118123.

> >>Mar 11 04:20:36 dell kernel: audit(1079007636.465:0): avc: denied {
> >>read } for pid=2112 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2
> >>ino=4219044 scontext=system_u:system_r:xdm_xserver_t
> >>tcontext=system_u:object_r:device_t tclass=chr_file
> >
> >This will be easy to solve once we solve the gpm issue above.
> >
> >>Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc: denied {
> >>write } for pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2
> >>ino=670527 scontext=system_u:system_r:xdm_t
> >>tcontext=system_u:object_r:lib_t tclass=file
> >
> >What directory is this in? We just need to get the directory in question
> >labeled as var_lib_xdm_t.
> >
> >>Mar 11 04:20:52 dell kernel: audit(1079007652.672:0): avc: denied {
> >>setattr } for pid=2113 exe=/usr/bin/kdm name=sg0 dev=hda2 ino=2688146
> >>scontext=system_u:system_r:xdm_t
> >>tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file
> >
> >dontaudit or allow? What should we do?
> >
> >It probably doesn't matter much as the default policy does not permit the
> > user to access the SCSI generic device.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From aleksey at nogin.org Fri Mar 12 06:39:14 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Thu, 11 Mar 2004 22:39:14 -0800
Subject: How do I make sudo "trusted"?
In-Reply-To: <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <40515B12.8030906@nogin.org>

On 11.03.2004 07:36, Stephen Smalley wrote:

> sudo authenticates the current user, not the target user,

Well, sudo + sudoers does authenticate the "I am somebody who can act on behalf of the target user", why is this insufficient?

> so having it change the SELinux user identity would be dangerous.

Even if explicitly permitted by sudoers?

> It can change
> roles (if the current user identity is authorized for the role) via the
> -r option.
> Hence, if you add yourself to policy/users and authorize
> yourself for staff_r and sysadm_r and reload your policy, then you
> should be able to do sudo -r sysadm_r .

Do you expect everybody who is used to doing things via sudo (a lot of places where more than one user has admin access have policies insisting on sudo - in particular because sudo will log everything) to be willing to figure this out? Why does this information (e.g. "user x is allowed to act as root when re-authenticated") have to be listed in _two_ separate places (sudoers and policies)?

> In order to have sudo safely change the SELinux user identity (to root),
> you would need another mechanism for specifying what roles/domains are
> permitted to the calling user, e.g. new fields in /etc/sudoers.

That would be the best solution IMHO. Should I file a Bugzilla RFE?

> Even
> then, you still need to start from staff_r in order to reach sysadm_r;
> the policy doesn't allow user_r to transition to sysadm_r (if SELinux is
> in enforcing mode).

Not sure I understand what you are saying - it works with su, why can't it be made to work with sudo?

----

On 11.03.2004 13:17, Jeff Johnson wrote:

> All true.
>
> But there's always
>     sudo su -

I wish it was that easy...
audit(1079073344.898:0): avc: denied { execute } for pid=20828 exe=/usr/bin/sudo name=su dev=hda2 ino=3662894 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.898:0): avc: denied { entrypoint } for pid=20828 exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.898:0): avc: denied { read } for pid=20828 exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.930:0): avc: denied { search } for pid=20828 exe=/bin/su dev= ino=791 scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=dir
audit(1079073344.930:0): avc: denied { read write } for pid=20828 exe=/bin/su name=access dev= ino=6 scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=file
audit(1079073344.930:0): avc: denied { compute_av } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=security
audit(1079073344.935:0): avc: denied { read } for pid=20828 exe=/bin/su name=shadow dev=hda2 ino=229911 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1079073344.935:0): avc: denied { getattr } for pid=20828 exe=/bin/su path=/etc/shadow dev=hda2 ino=229911 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1079073345.026:0): avc: denied { compute_user } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=security
audit(1079073345.079:0): avc: denied { check_context } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=security
audit(1079073345.080:0): avc: denied { compute_relabel } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=security
audit(1079073345.080:0): avc: denied { relabelfrom } for pid=20828 exe=/bin/su name=7 dev= ino=9 scontext=user_u:user_r:user_t tcontext=user_u:object_r:user_devpts_t tclass=chr_file
audit(1079073345.080:0): avc: denied { relabelto } for pid=20828 exe=/bin/su name=7 dev= ino=9 scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
audit(1079073345.080:0): avc: denied { write } for pid=20828 exe=/bin/su name=exec dev= ino=1364983829 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=file
audit(1079073345.080:0): avc: denied { setexec } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=process
audit(1079073345.082:0): avc: denied { setuid } for pid=20829 exe=/bin/su capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
audit(1079073345.083:0): avc: denied { transition } for pid=20829 exe=/bin/su path=/bin/bash dev=hda2 ino=3662881 scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1079073345.083:0): avc: denied { siginh } for pid=20829 exe=/bin/bash scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1079073345.084:0): avc: denied { rlimitinh } for pid=20829 exe=/bin/bash scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1079073345.084:0): avc: denied { noatsecure } for pid=20829 exe=/bin/bash scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From mitch48 at sbcglobal.net Fri Mar 12 07:27:29 2004
From: mitch48 at sbcglobal.net (Tom Mitchell)
Date: Thu, 11 Mar 2004 23:27:29 -0800
Subject: Can the CTRL+ALT+F1 login and its list be annotated?
Message-ID: <20040312072729.GA2598@xtl1.xtl.tenegg.com>

If I confuse X (as I may have right now) I can still log in at a tty with one of:

  Control+Alt+F1
  Control+Alt+F2
  ....
  Control+Alt+F6

Then as root I am presented with a question, then a selection list of roles to login with. Is it possible to annotate these in a way that invites new users to make the most appropriate selection?

Assuming I am close, something like this.

  [1]root:sysadm_r:sysadm_t (default) administration and user management role
  [2]root:staff_r:staff_t minimum privilege for root, "newrole -r role" expected
  [3]root:system_r:system_t "DO NOT USE -- reserved init, daemons and kernel."

--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.

From sds at epoch.ncsc.mil Fri Mar 12 12:56:41 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 12 Mar 2004 07:56:41 -0500
Subject: How do I make sudo "trusted"?
In-Reply-To: <4050D781.8090000@nc.rr.com>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <4050D781.8090000@nc.rr.com>
Message-ID: <1079096200.3523.1.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-03-11 at 16:17, Jeff Johnson wrote:
> All true.
>
> But there's always
>     sudo su -

With SELinux in enforcing mode, that would still require root password authentication; pam_rootok performs a SELinux permission check (in addition to the usual test) to see whether the calling domain is authorized to bypass normal authentication. And the role and domain transitions would still need to be authorized; if you started from user_r, SELinux wouldn't let you get to sysadm_r (unless someone has messed up the policy).
--
Stephen Smalley
National Security Agency

From djnichol at scc.net Fri Mar 12 13:25:58 2004
From: djnichol at scc.net (Doug Nicholson)
Date: Fri, 12 Mar 2004 07:25:58 -0600
Subject: SELinux Documentation
In-Reply-To: <1079096200.3523.1.camel@moss-spartans.epoch.ncsc.mil>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <4050D781.8090000@nc.rr.com> <1079096200.3523.1.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1079097957.2840.13.camel@turing.mathechyst.com>

Is there documentation on SELinux other than the various papers, HOWTOs, and FAQs? In particular, is anyone specifically working on the guidance documents listed on the to do page at the NSA site?

Doug Nicholson
djnichol at scc.net

From aleksey at nogin.org Fri Mar 12 20:10:31 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Fri, 12 Mar 2004 12:10:31 -0800
Subject: USERCTL=yes - ifup by non-privileged user AVCs.
Message-ID: <40521937.6080604@nogin.org>

I have USERCTL=yes in my /etc/sysconfig/network-scripts/ifcfg-wvlan0 and I run "ifup wvlan0" as a non-privileged user. Of course, this generates a long list of AVC messages. Should there be some special policy provisions for the usernetctl?
security_compute_sid: invalid context user_u:user_r:insmod_t for scontext=user_u:user_r:user_t tcontext=system_u:object_r:insmod_exec_t tclass=process
audit(1079121920.219:0): avc: denied { read write } for pid=1123 exe=/sbin/insmod path=/dev/pts/9 dev= ino=11 scontext=user_u:user_r:insmod_t tcontext=user_u:object_r:user_devpts_t tclass=chr_file
audit(1079121920.231:0): avc: denied { getattr } for pid=1046 exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079121920.233:0): avc: denied { create } for pid=1124 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t tclass=file
audit(1079121920.234:0): avc: denied { getattr } for pid=17337 exe=/usr/bin/fam path=/etc/mtab dev=hda2 ino=229229 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1079121920.237:0): avc: denied { read } for pid=1124 exe=/bin/grep name=dhclient.conf dev=hda2 ino=231943 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079121920.254:0): avc: denied { write } for pid=1124 exe=/bin/grep path=/etc/dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t tclass=file
audit(1079121920.259:0): avc: denied { write } for pid=1125 exe=/bin/bash name=dhclient.conf dev=hda2 ino=231943 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079121920.268:0): avc: denied { unlink } for pid=1126 exe=/bin/rm name=dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t tclass=file
audit(1079121920.421:0): avc: denied { search } for pid=1144 exe=/sbin/dhclient name=dhcp dev=hda2 ino=1815097 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_state_t tclass=dir
audit(1079121920.422:0): avc: denied { read } for pid=1144 exe=/sbin/dhclient name=dhclient-wvlan0.leases dev=hda2 ino=1815259 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_state_t tclass=file
audit(1079121920.422:0): avc: denied { write } for pid=1144 exe=/sbin/dhclient name=dhclient-wvlan0.leases dev=hda2 ino=1815259 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_state_t tclass=file
audit(1079121920.442:0): avc: denied { getattr } for pid=1144 exe=/sbin/dhclient path=/var/lib/dhcp/dhclient-wvlan0.leases dev=hda2 ino=1815259 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_state_t tclass=file
wvlan0: New link status: Connected (0001)
audit(1079121921.923:0): avc: denied { create } for pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.923:0): avc: denied { bind } for pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.928:0): avc: denied { setopt } for pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.928:0): avc: denied { name_bind } for pid=1144 exe=/sbin/dhclient src=68 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
audit(1079121921.929:0): avc: denied { write } for pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121922.935:0): avc: denied { read } for pid=1144 exe=/sbin/dhclient path=socket:[5287768] dev= ino=5287768 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121923.662:0): avc: denied { write } for pid=1247 exe=/sbin/dhclient name=dhclient-wvlan0.pid dev=hda2 ino=179909 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_var_run_t tclass=file

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From russell at coker.com.au Sat Mar 13 05:28:45 2004
From: russell at coker.com.au (Russell Coker)
Date: Sat, 13 Mar 2004 16:28:45 +1100
Subject: AVC messages at boot and kdm login (latest Rawhide)
In-Reply-To: <405081CD.9080302@nogin.org>
References: <40505DDD.6050001@nogin.org> <200403120041.35920.russell@coker.com.au> <405081CD.9080302@nogin.org>
Message-ID: <200403131628.45087.russell@coker.com.au>

On Fri, 12 Mar 2004 02:12, Aleksey Nogin wrote:
> > How does /dev/input really work? As I understand it event0 could be a
> > keyboard or a mouse. So maybe we want a separate type for this so that
> > when using gpm it can access it, but when the user is granted direct
> > mouse access they can't read the keyboard directly.
> >
> > Does this make sense?
>
> Maybe. This is already reported -
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=117369

OK, that's fixed in my tree.

> >>Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc: denied {
> >>write } for pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2
> >>ino=670527 scontext=system_u:system_r:xdm_t
> >>tcontext=system_u:object_r:lib_t tclass=file
> >
> > What directory is this in?
>
> /usr/lib/qt-3.3/etc/settings/qtrc
>
> > We just need to get the directory in question
> > labeled as var_lib_xdm_t.
>
> Well, should it be writing to it, or just reading? I do not see why it
> would be reasonable for kdm_greet to touch it...

You may be right, but I think that's the smallest of our xdm related issues. Currently the xdms want to do lots of stuff, creating files inside user home dirs, chmod on device nodes, etc.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Sat Mar 13 05:39:59 2004
From: russell at coker.com.au (Russell Coker)
Date: Sat, 13 Mar 2004 16:39:59 +1100
Subject: AVCs on bringing up a network device via hotplug.
In-Reply-To: <40508800.9060206@nogin.org>
References: <40508800.9060206@nogin.org>
Message-ID: <200403131639.59984.russell@coker.com.au>

On Fri, 12 Mar 2004 02:38, Aleksey Nogin wrote:
> audit(1079019200.094:0): avc: denied { net_admin } for pid=18206
> exe=/sbin/nameif capability=12 scontext=system_u:system_r:hotplug_t
> tcontext=system_u:system_r:hotplug_t tclass=capability

What happens if you give /sbin/nameif the type ifconfig_exec_t?

> audit(1079019200.519:0): avc: denied { getattr } for pid=18144
> exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943
> scontext=system_u:system_r:hotplug_t
> tcontext=system_u:object_r:dhcp_etc_t tclass=file
> audit(1079019200.521:0): avc: denied { write } for pid=18221
> exe=/bin/bash name=etc dev=hda2 ino=228929
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
> tclass=dir
> audit(1079019200.521:0): avc: denied { add_name } for pid=18221
> exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
> tclass=dir
> audit(1079019200.521:0): avc: denied { create } for pid=18221
> exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
> tclass=file

It looks like it's replacing the dhclient.conf file.
We don't want to give hotplug write access to etc_t (/etc/passwd), we could do the following:

file_type_auto_trans(hotplug_t, etc_t, dhcp_etc_t, { file lnk_file })

But then we might have the same problem with hotplug wanting to write some other type of file. Could we use a /etc/dhcpc/ directory?

> audit(1079019200.778:0): avc: denied { dac_override } for pid=18241
> exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:system_r:dhcpc_t tclass=capability
> audit(1079019203.873:0): avc: denied { fsetid } for pid=18339
> exe=/bin/chmod capability=4 scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:system_r:dhcpc_t tclass=capability

I've already added dac_override to my tree, I'm still considering fsetid (see my message in the other thread).

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From aleksey at nogin.org Sat Mar 13 19:40:03 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Sat, 13 Mar 2004 11:40:03 -0800
Subject: [policy-sources-1.8-10] tmpwatch ACLs.
Message-ID: <40536393.4070908@nogin.org>

audit(1079205620.091:0): avc: denied { getattr } for pid=4269 exe=/usr/sbin/tmpwatch path=/tmp/foo dev=hda2 ino=212920 scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=file
audit(1079205620.271:0): avc: denied { unlink } for pid=4269 exe=/usr/sbin/tmpwatch name=before.new dev=hda2 ino=1357435 scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=file

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From aleksey at nogin.org Sat Mar 13 19:53:25 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Sat, 13 Mar 2004 11:53:25 -0800
Subject: [policy-sources-1.8-10] slocate AVCs.
Message-ID: <405366B5.8030309@nogin.org>

This is from the slocate's updatedb cron job, if I am not mistaken.

audit(1079205055.953:0): avc: denied { getattr } for pid=4254 exe=/usr/bin/slocate path=/dev/cfs0 dev=hda2 ino=2681888 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1079205058.981:0): avc: denied { getattr } for pid=4254 exe=/usr/bin/slocate path=/dev/scramdisk/master dev=hda2 ino=3581551 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:device_t tclass=blk_file
audit(1079205059.464:0): avc: denied { getattr } for pid=4254 exe=/usr/bin/slocate path=/var/lib/rpc_pipes dev= ino=5855 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
audit(1079205061.343:0): avc: denied { read } for pid=4254 exe=/usr/bin/slocate dev= ino=5855 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
audit(1079205061.343:0): avc: denied { search } for pid=4254 exe=/usr/bin/slocate dev= ino=5855 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:rpc_pipefs_t tclass=dir

--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From aleksey at nogin.org  Sat Mar 13 20:53:33 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Sat, 13 Mar 2004 12:53:33 -0800
Subject: How do I make sudo "trusted"?
In-Reply-To: <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <405374CD.6070600@nogin.org>

On 11.03.2004 07:36, Stephen Smalley wrote:
> Hence, if you add yourself to policy/users and authorize
> yourself for staff_r and sysadm_r and reload your policy, then you
> should be able to do sudo -r sysadm_r .

What is the difference between the sysadm_r and system_r? When should I be using sudo -r sysadm_r and when sudo -r system_r -t sysadm_t ?
Thanks!

--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From tmcgaha1 at comcast.net  Sun Mar 14 02:40:03 2004
From: tmcgaha1 at comcast.net (Tim McGaha)
Date: Sat, 13 Mar 2004 21:40:03 -0500
Subject: dumb question
Message-ID: <4053C603.3070800@comcast.net>

I am running FC2 Test 1 and have SELinux installed and running.

Services control panel won't open. I'm a newbie and it's probably something simple. Here is from the CLI

[root at TimsFC2 root]# system-config-services

(system-config-services:3329): libglade-WARNING **: could not find glade file 'serviceconf.glade'

(system-config-services:3329): GLib-GObject-CRITICAL **: file gobject.c: line 1222 (g_object_get): assertion `G_IS_OBJECT (object)' failed

(system-config-services:3329): GLib-GObject-CRITICAL **: file gobject.c: line 1222 (g_object_get): assertion `G_IS_OBJECT (object)' failed
Segmentation fault

From rhally at mindspring.com  Sun Mar 14 02:45:36 2004
From: rhally at mindspring.com (Richard Hally)
Date: Sat, 13 Mar 2004 21:45:36 -0500
Subject: dumb question
In-Reply-To: <4053C603.3070800@comcast.net>
Message-ID:

I filed a bug (#118217) on this problem earlier today.

Richard Hally

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Tim McGaha
Sent: Saturday, March 13, 2004 9:40 PM
To: fedora-selinux-list at redhat.com
Subject: dumb question

I am running FC2 Test 1 and have SELinux installed and running.

Services control panel won't open. I'm a newbie and it's probably something simple.
Here is from the CLI

[root at TimsFC2 root]# system-config-services

(system-config-services:3329): libglade-WARNING **: could not find glade file 'serviceconf.glade'

(system-config-services:3329): GLib-GObject-CRITICAL **: file gobject.c: line 1222 (g_object_get): assertion `G_IS_OBJECT (object)' failed

(system-config-services:3329): GLib-GObject-CRITICAL **: file gobject.c: line 1222 (g_object_get): assertion `G_IS_OBJECT (object)' failed
Segmentation fault

From russell at coker.com.au  Sun Mar 14 04:47:23 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 14 Mar 2004 15:47:23 +1100
Subject: [policy-sources-1.8-10] tmpwatch ACLs.
In-Reply-To: <40536393.4070908@nogin.org>
References: <40536393.4070908@nogin.org>
Message-ID: <200403141547.23894.russell@coker.com.au>

On Sun, 14 Mar 2004 06:40, Aleksey Nogin wrote:
> audit(1079205620.091:0): avc: denied { getattr } for pid=4269
> exe=/usr/sbin/tmpwatch path=/tmp/foo dev=hda2 ino=212920
> scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t
> tclass=file
> audit(1079205620.271:0): avc: denied { unlink } for pid=4269
> exe=/usr/sbin/tmpwatch name=before.new dev=hda2 ino=1357435
> scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t
> tclass=file

If you have such files existing in /tmp then you have a problem.  Allowing an unlink of file_t files is probably OK, I'll add that to my tree.

But the case for file_t directories is more difficult.  We don't want to allow tmpreaper to go wildly removing trees of files labeled file_t.  The issue is the same as for home_type.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au  Sun Mar 14 04:51:30 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 14 Mar 2004 15:51:30 +1100
Subject: [policy-sources-1.8-10] slocate AVCs.
In-Reply-To: <405366B5.8030309@nogin.org>
References: <405366B5.8030309@nogin.org>
Message-ID: <200403141551.30780.russell@coker.com.au>

On Sun, 14 Mar 2004 06:53, Aleksey Nogin wrote:
> This is from the slocate's updatedb cron job, if I am not mistaken.
>
> audit(1079205055.953:0): avc: denied { getattr } for pid=4254
> exe=/usr/bin/slocate path=/dev/cfs0 dev=hda2 ino=2681888
> scontext=system_u:system_r:locate_t tcontext=system_u:object_r:device_t
> tclass=chr_file

I've allowed this in my tree.

> audit(1079205059.464:0): avc: denied { getattr } for pid=4254
> exe=/usr/bin/slocate path=/var/lib/rpc_pipes dev= ino=5855
> scontext=system_u:system_r:locate_t
> tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
> audit(1079205061.343:0): avc: denied { read } for pid=4254
> exe=/usr/bin/slocate dev= ino=5855 scontext=system_u:system_r:locate_t
> tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
> audit(1079205061.343:0): avc: denied { search } for pid=4254
> exe=/usr/bin/slocate dev= ino=5855 scontext=system_u:system_r:locate_t
> tcontext=system_u:object_r:rpc_pipefs_t tclass=dir

I've put in a dontaudit rule for this in my tree.
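[Added example, not part of any list message above and not code from Russell Coker's policy tree.] The hotplug, tmpwatch and slocate threads all work from the same raw material: kernel AVC denial lines of the form `audit(ts:serial): avc: denied { perms } for pid=... exe=... scontext=... tcontext=... tclass=...`. The script below parses that format, aggregates the denials by (source type, target type, class), and prints candidate `allow` rules in policy syntax, the same first step a policy writer takes before deciding, as the replies above do, whether the right fix is really an allow rule, a type change (ifconfig_exec_t for nameif), a `dontaudit`, or a relabel of stray file_t files. Target types the thread treats as suspect (file_t, etc_t) are flagged for review rather than silently allowed. The sample lines are copied from the messages in these threads; the names `SAMPLE_LOG`, `parse_avc`, `candidate_rules` and `REVIEW_TYPES` are this example's own.

```python
import re
from collections import defaultdict

# Sample input: denial lines quoted in the hotplug, tmpwatch and slocate
# threads, gathered here as one block of log text (constructed sample).
SAMPLE_LOG = """\
audit(1079205620.091:0): avc: denied { getattr } for pid=4269 exe=/usr/sbin/tmpwatch path=/tmp/foo dev=hda2 ino=212920 scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=file
audit(1079205620.271:0): avc: denied { unlink } for pid=4269 exe=/usr/sbin/tmpwatch name=before.new dev=hda2 ino=1357435 scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=file
audit(1079205061.343:0): avc: denied { read } for pid=4254 exe=/usr/bin/slocate dev= ino=5855 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
audit(1079205061.343:0): avc: denied { search } for pid=4254 exe=/usr/bin/slocate dev= ino=5855 scontext=system_u:system_r:locate_t tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
audit(1079019200.094:0): avc: denied { net_admin } for pid=18206 exe=/sbin/nameif capability=12 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
"""

# Header: timestamp, serial, the braced permission list, then key=value pairs.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\): avc: denied \{ (?P<perms>[^}]*) \} for (?P<rest>.*)"
)
# key=value pairs; the value may be empty (e.g. "dev=" on pseudo filesystems).
KV_RE = re.compile(r"(\w+)=(\S*)")

# Target types whose denials should be read, not just allowed (from the thread:
# file_t means setfiles never labeled the object; etc_t covers /etc/passwd).
REVIEW_TYPES = {
    "file_t": "target is file_t (unlabeled); check labeling before allowing",
    "etc_t": "target is etc_t (generic /etc); prefer a narrower type",
}


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "perms": m.group("perms").split()}
    rec.update(dict(KV_RE.findall(m.group("rest"))))
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def summarize(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return rules


def candidate_rules(log_text):
    """Render the summary as policy-language allow rules, flagging suspect targets."""
    out = []
    for (src, tgt, cls), perms in sorted(summarize(log_text).items()):
        target = "self" if tgt == src else tgt
        rule = "allow %s %s:%s { %s };" % (src, target, cls, " ".join(sorted(perms)))
        if tgt in REVIEW_TYPES:
            rule += "  # REVIEW: " + REVIEW_TYPES[tgt]
        out.append(rule)
    return out


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

Run against the sample it yields three rules: one `self:capability` rule for hotplug_t, one `dir { read search }` rule for locate_t on rpc_pipefs_t (which Russell chose to dontaudit rather than allow), and a flagged `file_t:file { getattr unlink }` rule for tmpreaper_t. Feeding it your own `dmesg` output works the same way, since the parser ignores any line that is not an AVC denial.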
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au  Sun Mar 14 04:58:20 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 14 Mar 2004 15:58:20 +1100
Subject: dumb question
In-Reply-To: <4053C603.3070800@comcast.net>
References: <4053C603.3070800@comcast.net>
Message-ID: <200403141558.20527.russell@coker.com.au>

On Sun, 14 Mar 2004 13:40, Tim McGaha wrote:
> I am running FC2 Test 1 and have SELinux installed and running.
>
> Services control panel won't open. I'm a newbie and it's probably
> something simple. Here is from the CLI

The most important issue is, what AVC messages were generated?

If you run "dmesg" and paste the relevant section of the result then it'll make it much easier to track things down.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au  Sun Mar 14 05:15:01 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 14 Mar 2004 16:15:01 +1100
Subject: How do I make sudo "trusted"?
In-Reply-To: <40515B12.8030906@nogin.org>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <40515B12.8030906@nogin.org>
Message-ID: <200403141615.01069.russell@coker.com.au>

On Fri, 12 Mar 2004 17:39, Aleksey Nogin wrote:
> > In order to have sudo safely change the SELinux user identity (to root),
> > you would need another mechanism for specifying what roles/domains are
> > permitted to the calling user, e.g. new fields in /etc/sudoers.
>
> That would be the best solution IMHO. Should I file a Bugzilla RFE?

Good idea.
If you would like to contribute some code then that would be appreciated, the people doing SE Linux coding are all fairly busy at the moment...

> > But there's always
> > sudo su -
>
> I wish it was that easy...
>
> audit(1079073344.898:0): avc: denied { execute } for pid=20828
> exe=/usr/bin/sudo name=su dev=hda2 ino=3662894
> scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t
> tclass=file
> audit(1079073344.898:0): avc: denied { entrypoint } for pid=20828
> exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894
> scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t
> tclass=file

sudo_t transitions to another domain upon executing shell_exec_t.  If you execute a binary that's not of type shell_exec_t then that doesn't work.

The following may work:

sudo sh -c su -

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au  Sun Mar 14 06:07:08 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 14 Mar 2004 17:07:08 +1100
Subject: ntp.... was Re: Fresh rawhide install / AVC messages
In-Reply-To: <20040312021841.GA29970@xtl1.xtl.tenegg.com>
References: <20040312021841.GA29970@xtl1.xtl.tenegg.com>
Message-ID: <200403141707.08056.russell@coker.com.au>

On Fri, 12 Mar 2004 13:18, Tom Mitchell wrote:
> My concern was the cyber cafe or hotel that a traveling businessman
> encounters.  There have already been rumors of bad boys snooping bits
> and doing naughty things in the cyber cafes.  DHCP smelled like a
> potential problem where time of day, DNS, SMTP and a list of other
> "important" administrative decisions could be silently co-opted.

Yes, Internet cafes can break your security in more ways than you want to imagine.  If you don't do certificate checking with SSL then they can just proxy all connections too...
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From aleksey at nogin.org  Sun Mar 14 06:36:02 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Sat, 13 Mar 2004 22:36:02 -0800
Subject: [policy-sources-1.8-10] tmpwatch ACLs.
In-Reply-To: <200403141547.23894.russell@coker.com.au>
References: <40536393.4070908@nogin.org> <200403141547.23894.russell@coker.com.au>
Message-ID: <4053FD52.10706@nogin.org>

On 13.03.2004 20:47, Russell Coker wrote:
> If you have such files existing in /tmp then you have a problem.

You know, I am starting to think that they probably stayed around across a setfiles invocation, and it would not happen with a stable policy. Sorry about the confusion.

> Allowing an
> unlink of file_t files is probably OK, I'll add that to my tree.

Would it be a better idea to change how file_contexts marks files in /tmp and see whether that is sufficient?

--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From tmcgaha1 at comcast.net  Sun Mar 14 07:20:39 2004
From: tmcgaha1 at comcast.net (Tim McGaha)
Date: Sun, 14 Mar 2004 02:20:39 -0500
Subject: dumb question
In-Reply-To: <200403141558.20527.russell@coker.com.au>
References: <4053C603.3070800@comcast.net> <200403141558.20527.russell@coker.com.au>
Message-ID: <405407C7.5090201@comcast.net>

Russell Coker wrote:

>On Sun, 14 Mar 2004 13:40, Tim McGaha wrote:
>
>>I am running FC2 Test 1 and have SELinux installed and running.
>>
>>Services control panel won't open. I'm a newbie and it's probably
>>something simple. Here is from the CLI
>>
>
>The most important issue is, what AVC messages were generated?
>
>If you run "dmesg" and paste the relevant section of the result then it'll
>make it much easier to track things down.
>

The dmesg output is sort of long. I looked through to see if any pid was related to the output but nothing looks familiar. I don't really want to post the entire list of AVC messages.

From faye at lurking-grue.org  Sun Mar 14 07:53:12 2004
From: faye at lurking-grue.org (Faye Coker)
Date: Sun, 14 Mar 2004 18:53:12 +1100
Subject: SELinux Documentation
Message-ID: <200403141853.12601.faye@lurking-grue.org>

On Sat, 13 Mar 2004 00:25, Doug Nicholson wrote:
> Is there documentation on SELinux other than the various papers, HOWTOs,
> and FAQs?  In particular, is anyone specifically working on the guidance
> documents listed on the to do page at the NSA site?
>
> Doug Nicholson
> djnichol at scc.net

I have an introduction to policy writing HOWTO just about finished (I will put it up on Sourceforge when complete). I have also started work on documenting stuff listed on the NSA's to do page. After that, I hope to start work on a book.

faye

--
Faye Coker
faye at lurking-grue.org

From russell at coker.com.au  Sun Mar 14 07:53:22 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 14 Mar 2004 18:53:22 +1100
Subject: USERCTL=yes - ifup by non-privileged user AVCs.
In-Reply-To: <40521937.6080604@nogin.org>
References: <40521937.6080604@nogin.org>
Message-ID: <200403141853.22286.russell@coker.com.au>

On Sat, 13 Mar 2004 07:10, Aleksey Nogin wrote:
> I have USERCTL=yes in my /etc/sysconfig/network-scripts/ifcfg-wvlan0 and
> I run "ifup wvlan0" as a non-privileged user. Of course, this generates
> a long list of AVC messages. Should there be some special policy
> provisions for the usernetctl?
>
> security_compute_sid: invalid context user_u:user_r:insmod_t for
> scontext=user_u:user_r:user_t tcontext=system_u:object_r:insmod_exec_t
> tclass=process

You just don't do such things as user_r, they should be done as sysadm_r.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au  Sun Mar 14 13:59:40 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 15 Mar 2004 00:59:40 +1100
Subject: [policy-sources-1.8-10] tmpwatch ACLs.
In-Reply-To: <4053FD52.10706@nogin.org>
References: <40536393.4070908@nogin.org> <200403141547.23894.russell@coker.com.au> <4053FD52.10706@nogin.org>
Message-ID: <200403150059.40118.russell@coker.com.au>

On Sun, 14 Mar 2004 17:36, Aleksey Nogin wrote:
> > Allowing an
> > unlink of file_t files is probably OK, I'll add that to my tree.
>
> Would it be a better idea to change how file_contexts marks files in
> /tmp and see whether that is sufficient?

Not all existing files in /tmp will be labeled by setfiles.  The problem is that you have multiple users who may put files in /tmp, and determining which user is responsible for a particular file is inconvenient.

I guess we could have a program that looks at the UID of a file and then assigns it a type based on the role(s) that are permitted for the user whose name matches the UID.  But this is ugly, and I expect that we will find cases of SETUID/SETGID programs creating files in /tmp that will cause problems with this if we try implementing it.

This is why we are looking at removing files from /tmp as part of a file system label.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au  Sun Mar 14 14:32:37 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 15 Mar 2004 01:32:37 +1100
Subject: errors with labels after running for a while
In-Reply-To: <20040311151055.GA6349@devserv.devel.redhat.com>
References: <20040310191810.GB3221@devserv.devel.redhat.com> <200403120016.06965.russell@coker.com.au> <20040311151055.GA6349@devserv.devel.redhat.com>
Message-ID: <200403150132.37888.russell@coker.com.au>

On Fri, 12 Mar 2004 02:10, Bill Nottingham wrote:
> > > /usr/sbin/setfiles: relabeling /etc/rndc.key from
> > > system_u:object_r:etc_t to system_u:object_r:rndc_conf_t make: ***
> > > [checklabels] Error 1
> >
> > This is a serious problem.  How was the rndc.key file created?
>
> %post of bind.

Which program in the bind postinst does this?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From aleksey at nogin.org  Sun Mar 14 22:50:52 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Sun, 14 Mar 2004 14:50:52 -0800
Subject: [policy-sources-1.8-10] tmpwatch ACLs.
In-Reply-To: <200403150059.40118.russell@coker.com.au>
References: <40536393.4070908@nogin.org> <200403141547.23894.russell@coker.com.au> <4053FD52.10706@nogin.org> <200403150059.40118.russell@coker.com.au>
Message-ID: <4054E1CC.6020305@nogin.org>

On 14.03.2004 05:59, Russell Coker wrote:
> This is why we are looking at removing files from /tmp as part of a file
> system label.

Yes, this seems reasonable (provided it makes sure that there are no user processes running on the system before doing it).
--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From sds at epoch.ncsc.mil  Mon Mar 15 13:39:20 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 15 Mar 2004 08:39:20 -0500
Subject: How do I make sudo "trusted"?
In-Reply-To: <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1079357960.2289.66.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-03-11 at 10:36, Stephen Smalley wrote:
> Even
> then, you still need to start from staff_r in order to reach sysadm_r;
> the policy doesn't allow user_r to transition to sysadm_r (if SELinux is
> in enforcing mode).

Ah, my mistake - the Fedora Core devel policy allows this transition unless you disable the unlimitedUsers tunable.

--
Stephen Smalley
National Security Agency

From notting at redhat.com  Mon Mar 15 14:40:52 2004
From: notting at redhat.com (Bill Nottingham)
Date: Mon, 15 Mar 2004 09:40:52 -0500
Subject: errors with labels after running for a while
In-Reply-To: <200403150132.37888.russell@coker.com.au>
References: <20040310191810.GB3221@devserv.devel.redhat.com> <200403120016.06965.russell@coker.com.au> <20040311151055.GA6349@devserv.devel.redhat.com> <200403150132.37888.russell@coker.com.au>
Message-ID: <20040315144052.GA19833@devserv.devel.redhat.com>

Russell Coker (russell at coker.com.au) said:
> > > This is a serious problem.  How was the rndc.key file created?
> >
> > %post of bind.
>
> Which program in the bind postinst does this?

postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add named
if [ -f etc/named.boot -a ! -f etc/named.conf ]; then
    if [ -x /usr/sbin/named-bootconf ]; then
        cat etc/named.boot | /usr/sbin/named-bootconf > etc/named.conf
        chmod 644 etc/named.conf
    fi
fi
if [ ! -e /etc/rndc.key.rpmnew ]; then
    sed -e "s/@KEY@/`/usr/sbin/dns-keygen`/" /etc/rndc.key >/etc/rndc.key.tmp
    mv -f /etc/rndc.key.tmp /etc/rndc.key
fi
chmod 0640 /etc/rndc.conf etc/rndc.key
chown root:named /etc/rndc.conf etc/rndc.key
/sbin/ldconfig
exit 0

sed & mv, actually.

Bill

From sds at epoch.ncsc.mil  Mon Mar 15 14:47:28 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 15 Mar 2004 09:47:28 -0500
Subject: errors with labels after running for a while
In-Reply-To: <20040315144052.GA19833@devserv.devel.redhat.com>
References: <20040310191810.GB3221@devserv.devel.redhat.com> <200403120016.06965.russell@coker.com.au> <20040311151055.GA6349@devserv.devel.redhat.com> <200403150132.37888.russell@coker.com.au> <20040315144052.GA19833@devserv.devel.redhat.com>
Message-ID: <1079362048.2289.102.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2004-03-15 at 09:40, Bill Nottingham wrote:
> postinstall scriptlet (using /bin/sh):
> /sbin/chkconfig --add named
> if [ -f etc/named.boot -a ! -f etc/named.conf ]; then
>     if [ -x /usr/sbin/named-bootconf ]; then
>         cat etc/named.boot | /usr/sbin/named-bootconf > etc/named.conf
>         chmod 644 etc/named.conf
>     fi
> fi
> if [ ! -e /etc/rndc.key.rpmnew ]; then
>     sed -e "s/@KEY@/`/usr/sbin/dns-keygen`/" /etc/rndc.key >/etc/rndc.key.tmp
>     mv -f /etc/rndc.key.tmp /etc/rndc.key
> fi
> chmod 0640 /etc/rndc.conf etc/rndc.key
> chown root:named /etc/rndc.conf etc/rndc.key
> /sbin/ldconfig
> exit 0
>
> sed & mv, actually.

Can you add a '/usr/sbin/restorecon etc/rndc.key' (and likewise for any similarly created files)?  That should restore the context on it based on the installed file_contexts file.

--
Stephen Smalley
National Security Agency

From notting at redhat.com  Mon Mar 15 16:02:13 2004
From: notting at redhat.com (Bill Nottingham)
Date: Mon, 15 Mar 2004 11:02:13 -0500
Subject: USERCTL=yes - ifup by non-privileged user AVCs.
In-Reply-To: <200403141853.22286.russell@coker.com.au>
References: <40521937.6080604@nogin.org> <200403141853.22286.russell@coker.com.au>
Message-ID: <20040315160213.GB9130@devserv.devel.redhat.com>

Russell Coker (russell at coker.com.au) said:
> > I have USERCTL=yes in my /etc/sysconfig/network-scripts/ifcfg-wvlan0 and
> > I run "ifup wvlan0" as a non-privileged user. Of course, this generates
> > a long list of AVC messages. Should there be some special policy
> > provisions for the usernetctl?
> >
> > security_compute_sid: invalid context user_u:user_r:insmod_t for
> > scontext=user_u:user_r:user_t tcontext=system_u:object_r:insmod_exec_t
> > tclass=process
>
> You just don't do such things as user_r, they should be done as sysadm_r.

This breaks installed systems, though. I suppose usernetctl needs to change roles.

Bill

From dwalsh at redhat.com  Mon Mar 15 16:35:15 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 15 Mar 2004 11:35:15 -0500
Subject: errors with labels after running for a while
In-Reply-To: <1079362048.2289.102.camel@moss-spartans.epoch.ncsc.mil>
References: <20040310191810.GB3221@devserv.devel.redhat.com> <200403120016.06965.russell@coker.com.au> <20040311151055.GA6349@devserv.devel.redhat.com> <200403150132.37888.russell@coker.com.au> <20040315144052.GA19833@devserv.devel.redhat.com> <1079362048.2289.102.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4055DB43.7070509@redhat.com>

Stephen Smalley wrote:

>On Mon, 2004-03-15 at 09:40, Bill Nottingham wrote:
>
>>postinstall scriptlet (using /bin/sh):
>>/sbin/chkconfig --add named
>>if [ -f etc/named.boot -a ! -f etc/named.conf ]; then
>>    if [ -x /usr/sbin/named-bootconf ]; then
>>        cat etc/named.boot | /usr/sbin/named-bootconf > etc/named.conf
>>        chmod 644 etc/named.conf
>>    fi
>>fi
>>if [ ! -e /etc/rndc.key.rpmnew ]; then
>>    sed -e "s/@KEY@/`/usr/sbin/dns-keygen`/" /etc/rndc.key >/etc/rndc.key.tmp
>>    mv -f /etc/rndc.key.tmp /etc/rndc.key
>>fi
>>chmod 0640 /etc/rndc.conf etc/rndc.key
>>chown root:named /etc/rndc.conf etc/rndc.key
>>/sbin/ldconfig
>>exit 0
>>
>>sed & mv, actually.
>>
>
>Can you add a '/usr/sbin/restorecon etc/rndc.key' (and likewise for any
>similarly created files)?  That should restore the context on it based
>on the installed file_contexts file.
>

bind 9-2-3-9 has this patch

if [ -x /usr/sbin/restorecon ]; then
    #
    # Restore selinux file_context
    #
    /usr/sbin/restorecon /etc/rndc.key
fi

From russell at coker.com.au  Mon Mar 15 16:37:32 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 16 Mar 2004 03:37:32 +1100
Subject: errors with labels after running for a while
In-Reply-To: <1079362048.2289.102.camel@moss-spartans.epoch.ncsc.mil>
References: <20040310191810.GB3221@devserv.devel.redhat.com> <20040315144052.GA19833@devserv.devel.redhat.com> <1079362048.2289.102.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200403160337.32756.russell@coker.com.au>

On Tue, 16 Mar 2004 01:47, Stephen Smalley wrote:
> > sed & mv, actually.
>
> Can you add a '/usr/sbin/restorecon etc/rndc.key' (and likewise for any
> similarly created files)?  That should restore the context on it based
> on the installed file_contexts file.

In such cases restorecon is the only option.

In general when developing a package it's easiest to do the following things:

1)  Put config files in a sub-directory of /etc whenever possible.  Files take their type from the type of the parent directory by default.  This means that we get the right label without any effort.  Also programs that create files in that directory will not need write permission to etc_t (which may become important in later evolutions of the software).

2)  Have a single script that creates the file.
If creating the file in question is a relatively common operation then having a script to do it is easiest as we can have domain_auto_trans() rules to give the right context for the script.  Of course there is the requirement that when doing a domain_auto_trans() on a script execution the target domain must not be more privileged than the source domain, otherwise you make a security hole.  Having a single script to perform an operation generally gives us the best range of options for changing how it works on the SE Linux side with minimum disturbance to the rpm side.

3)  Make sure that you create the temporary file in the target directory.  mv across file systems is not atomic, and you get type labeling issues.  The bind script in question is correct in this regard, but I'm just mentioning it now as it's a common mistake.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From aleksey at nogin.org  Mon Mar 15 19:54:33 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Mon, 15 Mar 2004 11:54:33 -0800
Subject: How do I make sudo "trusted"?
In-Reply-To: <200403141615.01069.russell@coker.com.au>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <40515B12.8030906@nogin.org> <200403141615.01069.russell@coker.com.au>
Message-ID: <405609F9.3000300@nogin.org>

On 13.03.2004 21:15, Russell Coker wrote:
> sudo_t transitions to another domain upon executing shell_exec_t.  If you
> execute a binary that's not of type shell_exec_t then that doesn't work.

Is there a reason for that? This is kind of unfortunate - one of the big advantages of sudo is that it logs everything and having to execute the shell first is kind of inconvenient. Can transition on an ordinary bin_t be added?
--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From rhally at mindspring.com  Tue Mar 16 04:01:35 2004
From: rhally at mindspring.com (Richard Hally)
Date: Mon, 15 Mar 2004 23:01:35 -0500
Subject: message on fedora-test-list
Message-ID:

The messages below were on the fedora-test-list and I was wondering if someone on this list would be interested in them?

----------------------------------------------------------------------------

I have tracked this down further and discovered that it is the SE Linux stuff that is messing up pump. I have found a newer version of pump now and I'm going to try it.

However, I have to say that the way it fails is not intuitive to me. When pump (dhcp client) sends out the discover packet (with a SE Linux enabled kernel), the packet actually goes out, it just fails because the UDP checksum is bad. This is not what I would expect out of SE Linux. I would have thought that it would have returned some no-privilege error to the program (pump) indicating that it failed. Instead to just send out a broken packet seems pretty weird.

-Scott

-----Original Message-----
From: fedora-test-list-admin at redhat.com [mailto:fedora-test-list-admin at redhat.com] On Behalf Of Edwards, Scott (MED, Kelly IT Resouces)
Sent: Monday, March 08, 2004 1:12 PM
To: 'fedora-test-list at redhat.com'
Subject: Pump on FC2T1?

I have been trying to use pump (dhcp client) on FC2T1 and can't seem to get it to work. I have tried it on FC1 and FC1 with a 2.6 Kernel and it seems to work fine on them. When I'm running pump on FC2T1 I get several messages from the dhcpd server that "5 bad udp checksums in 5 packets". I am going to keep digging into it, but I wanted to ask if there is something that is a known problem that I'm unaware of? Any pointers would be welcome.
Thanks

* Scott

From dwalsh at redhat.com  Tue Mar 16 04:38:47 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 15 Mar 2004 23:38:47 -0500
Subject: How do I make sudo "trusted"?
In-Reply-To: <405609F9.3000300@nogin.org>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <40515B12.8030906@nogin.org> <200403141615.01069.russell@coker.com.au> <405609F9.3000300@nogin.org>
Message-ID: <405684D7.40802@redhat.com>

Aleksey Nogin wrote:

> On 13.03.2004 21:15, Russell Coker wrote:
>
>> sudo_t transitions to another domain upon executing shell_exec_t.  If
>> you execute a binary that's not of type shell_exec_t then that
>> doesn't work.
>
> Is there a reason for that? This is kind of unfortunate - one of the
> big advantages of sudo is that it logs everything and having to
> execute the shell first is kind of inconvenient. Can transition on an
> ordinary bin_t be added?

I have just modified sudo to exec

$SHELL -c COMMAND

when in SELinux mode.  This should cause the transitions to happen properly.  SELinux will start the default shell under the context of the user, or the context overridden by the -r qualifier.  Then if the user specified a command with context, the transition should happen.

So if the user specified

sudo -r sysadm_r rpm -Uhv bind-9.2.3-9.i386.rpm

rpm should end up running in rpm_t context, just as if you had started a shell as sysadm_t and executed the rpm command.

Dan

From rms at 1407.org  Tue Mar 16 09:29:48 2004
From: rms at 1407.org (Rui Miguel Seabra)
Date: Tue, 16 Mar 2004 09:29:48 +0000
Subject: How do I make sudo "trusted"?
In-Reply-To: <405684D7.40802@redhat.com>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <40515B12.8030906@nogin.org> <200403141615.01069.russell@coker.com.au> <405609F9.3000300@nogin.org> <405684D7.40802@redhat.com>
Message-ID: <1079429387.1952.10.camel@roque>

On Mon, 2004-03-15 at 23:38 -0500, Daniel J Walsh wrote:
> I have just modified sudo to exec
> $SHELL -c COMMAND when in SELinux mode.

What if SHELL=/home/rms/my_shell_that_ignores_-c_and_gives_prompt?

--
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

Please AVOID sending me WORD, EXCEL or POWERPOINT attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html

From dwalsh at redhat.com  Tue Mar 16 12:47:59 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 16 Mar 2004 07:47:59 -0500
Subject: How do I make sudo "trusted"?
In-Reply-To: <1079429387.1952.10.camel@roque>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <40515B12.8030906@nogin.org> <200403141615.01069.russell@coker.com.au> <405609F9.3000300@nogin.org> <405684D7.40802@redhat.com> <1079429387.1952.10.camel@roque>
Message-ID: <4056F77F.6040904@redhat.com>

Rui Miguel Seabra wrote:

>On Mon, 2004-03-15 at 23:38 -0500, Daniel J Walsh wrote:
>
>>I have just modified sudo to exec
>>$SHELL -c COMMAND when in SELinux mode.
>>
>
>What if SHELL=/home/rms/my_shell_that_ignores_-c_and_gives_prompt?
>

It will not work.  But this is a somewhat contrived situation, and easily worked around.  I do not see this as a panacea, but required to get SELinux to work properly.
Dan > > >------------------------------------------------------------------------ > >-- >fedora-selinux-list mailing list >fedora-selinux-list at redhat.com >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > From penny-cornette at insight.rr.com Wed Mar 17 00:39:19 2004 From: penny-cornette at insight.rr.com (Penny Cornette) Date: Tue, 16 Mar 2004 19:39:19 -0500 Subject: dmesg errors Message-ID: <40579E37.8020407@insight.rr.com> Attached is the dmesg errors grepped to output avc errors. Also, I am having trouble with logging out of gnome. Instead of poweroff command, I get an unkmown user error dialog message. Poweroff does nothing. I have to run this from root to get it to poweroff. Sorry for the alias. Jim -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: dmes.jc URL: From barryyupuilee at sbcglobal.net Tue Mar 16 18:46:14 2004 From: barryyupuilee at sbcglobal.net (Barry Yu) Date: Tue, 16 Mar 2004 10:46:14 -0800 Subject: The abc of SELinux Message-ID: <000001c40bbc$9a07dbe0$7b00a8c0@xpbarry> To understand the who idea of SELinx from the very beginning - The abc of it, where could I find the doc and infos? -------------- next part -------------- An HTML attachment was scrubbed... URL: From fedora at andrewfarris.com Wed Mar 17 02:01:34 2004 From: fedora at andrewfarris.com (Andrew Farris) Date: Tue, 16 Mar 2004 18:01:34 -0800 Subject: The abc of SELinux In-Reply-To: <000001c40bbc$9a07dbe0$7b00a8c0@xpbarry> References: <000001c40bbc$9a07dbe0$7b00a8c0@xpbarry> Message-ID: <1079488894.4143.21.camel@CirithUngol> On Tue, 2004-03-16 at 10:46 -0800, Barry Yu wrote: > To understand the who idea of SELinx from the very beginning - The abc > of it, where could I find the doc and infos? As I understand it, this is basically the beginning (which might not 'technically' be true). Good enough. http://www.nsa.gov/selinux/ -- "The only thing neccessary for the triumph of evil is for good men to do nothing." 
(Edmond Burke)

Andrew Farris, CPE major
California Polytechnic University, SLO
fedora at andrewfarris.com

From dwalsh at redhat.com Wed Mar 17 04:53:01 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 16 Mar 2004 23:53:01 -0500
Subject: dmesg errors
In-Reply-To: <40579E37.8020407@insight.rr.com>
References: <40579E37.8020407@insight.rr.com>
Message-ID: <4057D9AD.6020904@redhat.com>

Penny Cornette wrote:
> Attached is the dmesg errors grepped to output avc errors.
>
> Also, I am having trouble with logging out of gnome. Instead of the
> poweroff command, I get an unknown user error dialog message. Poweroff
> does nothing. I have to run this from root to get it to poweroff.
>
> Sorry for the alias.
>
> Jim

You should turn off sgi_fam

    chkconfig sgi_fam off

This is generating most of the errors and will be turned off by default in
Test2. I have added fixes for a few of your other problems. policy-1.8-19

Thanks for the messages.

Dan

From lists at ebourne.me.uk Wed Mar 17 10:01:22 2004
From: lists at ebourne.me.uk (Martin Ebourne)
Date: Wed, 17 Mar 2004 10:01:22 +0000
Subject: dmesg errors (sgi_fam)
In-Reply-To: <4057D9AD.6020904@redhat.com>
References: <40579E37.8020407@insight.rr.com> <4057D9AD.6020904@redhat.com>
Message-ID: <20040317100122.owcu80s8wog0c0g4@ebourne.me.uk>

Daniel J Walsh wrote:
> You should turn off sgi_fam
> chkconfig sgi_fam off
>
> This is generating most of the errors and will be turned off by default
> in Test2.

It's not clear here whether fam will be turned off just for test2 while
issues are sorted out, or permanently including the FC2 final release.
If the latter then I'd be concerned about losing the file monitoring
functionality and I suspect a lot of users will complain that the file
browsers are broken and not updating correctly.

I've googled for an explanation of what the problem is with fam/selinux but
didn't come up with anything. I'd be curious to know what it is. Or even if
there's a new replacement which supersedes it.

Cheers,

Martin.

From russell at coker.com.au Wed Mar 17 11:24:11 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 17 Mar 2004 22:24:11 +1100
Subject: dmesg errors (sgi_fam)
In-Reply-To: <20040317100122.owcu80s8wog0c0g4@ebourne.me.uk>
References: <40579E37.8020407@insight.rr.com> <4057D9AD.6020904@redhat.com> <20040317100122.owcu80s8wog0c0g4@ebourne.me.uk>
Message-ID: <200403172224.11992.russell@coker.com.au>

On Wed, 17 Mar 2004 21:01, Martin Ebourne wrote:
> I've googled for an explanation of what the problem is with fam/selinux but
> didn't come up with anything. I'd be curious to know what it is. Or even if
> there's a new replacement which supersedes it.

The problem is that famd is an application which accepts network connections
and wants read access to every file that any user can access. If you want to
have a secure system you don't want many such programs.

Remote famd operation is only for non-polling notifications over the network.
For most people having polling for file status changes on NFS will probably
be OK.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From lists at ebourne.me.uk Wed Mar 17 11:39:15 2004
From: lists at ebourne.me.uk (Martin Ebourne)
Date: Wed, 17 Mar 2004 11:39:15 +0000
Subject: dmesg errors (sgi_fam)
In-Reply-To: <200403172224.11992.russell@coker.com.au>
References: <40579E37.8020407@insight.rr.com> <4057D9AD.6020904@redhat.com> <20040317100122.owcu80s8wog0c0g4@ebourne.me.uk> <200403172224.11992.russell@coker.com.au>
Message-ID: <20040317113915.s0d8g0oog8wsskgk@ebourne.me.uk>

Russell Coker wrote:
> The problem is that famd is an application which accepts network connections
> and wants read access to every file that any user can access. If you want to
> have a secure system you don't want many such programs.

Surely it doesn't need access to the file contents - just to stat them, so
access to directories (still a security issue, I agree).

> Remote famd operation is only for non-polling notifications over the network.
> For most people having polling for file status changes on NFS will probably
> be OK.

I agree with disabling remote famd, but the original post appeared to be
disabling the daemon entirely, which I expect would prevent local file
monitoring too. Or do gnome/kde use dnotify directly?

Also, I thought RH/Fedora already shipped with remote famd disabled.

Cheers,

Martin.
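Working out what a domain is actually being denied is what the replies in this thread do by hand from the AVC lines. As an added example (not code from any poster here), the following Python parser reads the kernel AVC denial format quoted in this thread, collapses the denials into the per-domain allow rules they would need, and summarises per domain which objects were touched with which permissions, so the famd question above (search and getattr only, or read as well?) and the syslogd tty_device_t denials discussed later can be answered from the log rather than guessed. The sample lines are constructed in the shape of the thread's famd and syslogd denials.

```python
import re
from collections import Counter, defaultdict

# Kernel AVC denial format quoted in this thread (2004-era SELinux; contexts
# are user:role:type with no MLS range):
#   audit(<secs>.<usec>:<serial>): avc: denied { perm ... } for pid=N exe=PATH
#       [name=NAME | path=PATH] dev=DEV ino=N scontext=CTX tcontext=CTX tclass=CLASS
_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
_FIELD_RE = re.compile(r"(\w+)=(\S*)")  # value may be empty, e.g. "dev= ino=4120"


def _ctx_type(context):
    """Return the type component of a user:role:type security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a user:role:type context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Parse one AVC denial line; return None for lines that are not denials."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(_FIELD_RE.findall(m.group("fields")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated line, not a usable denial
    return {
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "exe": fields.get("exe"),
        # the kernel logs either the full path or only the last name component
        "object": fields.get("path") or fields.get("name") or "",
        "source_type": _ctx_type(fields["scontext"]),
        "target_type": _ctx_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def allow_rules(lines):
    """Collapse denials into the minimal allow rules that would silence them.

    One rule per (source type, target type, class) with permissions merged,
    which is what the replies in this thread work out by hand. Treat the
    output as a review list, not as policy to apply blindly: the question
    for each rule is whether that domain should have the access at all.
    """
    needed = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            needed[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    return sorted(
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in needed.items()
    )


def count_by_source(lines):
    """Denials per source domain: shows which domain produces most of the noise."""
    return Counter(d["source_type"] for d in map(parse_avc, lines) if d is not None)


def objects_touched(lines, source_type):
    """Sorted (class, target type, object, perms) tuples for one domain's denials,
    e.g. whether famd is only denied search/getattr or also read on home dirs."""
    seen = set()
    for d in map(parse_avc, lines):
        if d is not None and d["source_type"] == source_type:
            seen.add((d["tclass"], d["target_type"], d["object"],
                      " ".join(sorted(d["perms"]))))
    return sorted(seen)


# Constructed sample input, shaped after the syslogd and famd denials quoted
# in this thread; the last line is ordinary dmesg noise that must be skipped.
SAMPLE_AVC_LINES = [
    "Mar 17 19:38:58 dell kernel: audit(1079581129.323:0): avc: denied { append } "
    "for pid=1744 exe=/sbin/syslogd name=tty10 dev=hda2 ino=2688363 "
    "scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file",
    "Mar 17 19:38:58 dell kernel: audit(1079581129.323:0): avc: denied { ioctl } "
    "for pid=1744 exe=/sbin/syslogd path=/dev/tty10 dev=hda2 ino=2688363 "
    "scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file",
    "audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam "
    "name=jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t "
    "tcontext=system_u:object_r:user_home_dir_t tclass=dir",
    "audit(1079481275.729:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam "
    "path=/home/jim/.gnome/mime-info dev=hdb2 ino=1112366 "
    "scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir",
    "audit(1079481275.730:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam "
    "name=mime-info dev=hdb2 ino=1112366 scontext=system_u:system_r:inetd_child_t "
    "tcontext=system_u:object_r:user_home_t tclass=dir",
    "Mar 17 19:38:58 dell kernel: eth0: link up",
]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC_LINES):
        print(rule)
    print(dict(count_by_source(SAMPLE_AVC_LINES)))
    for entry in objects_touched(SAMPLE_AVC_LINES, "inetd_child_t"):
        print(entry)
```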
From russell at coker.com.au Wed Mar 17 13:24:21 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 18 Mar 2004 00:24:21 +1100
Subject: dmesg errors (sgi_fam)
In-Reply-To: <20040317113915.s0d8g0oog8wsskgk@ebourne.me.uk>
References: <40579E37.8020407@insight.rr.com> <200403172224.11992.russell@coker.com.au> <20040317113915.s0d8g0oog8wsskgk@ebourne.me.uk>
Message-ID: <200403180024.21238.russell@coker.com.au>

On Wed, 17 Mar 2004 22:39, Martin Ebourne wrote:
> Russell Coker wrote:
>> The problem is that famd is an application which accepts network
>> connections and wants read access to every file that any user can access.
>> If you want to have a secure system you don't want many such programs.
>
> Surely it doesn't need access to the file contents - just to stat them, so
> access to directories (still a security issue, I agree).

Giving access to file names is still a security issue. If it can run with
only { getattr search } access to directories and getattr access to files
then it won't be so bad. Of course being able to remotely monitor what files
someone is writing to also provides some issues (and for some files the
names are predictable).

>> Remote famd operation is only for non-polling notifications over the
>> network. For most people having polling for file status changes on NFS
>> will probably be OK.
>
> I agree with disabling remote famd, but the original post appeared to be
> disabling the daemon entirely, which I expect would prevent local file
> monitoring too. Or do gnome/kde use dnotify directly?

I don't think that the command Dan suggested would turn it off entirely. The
libfam functionality linked into applications should still do everything you
want locally.

> Also, I thought RH/Fedora already shipped with remote famd disabled.

Not last time I checked.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From aleksey at nogin.org Wed Mar 17 21:03:51 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Wed, 17 Mar 2004 13:03:51 -0800
Subject: Should system-config-users be made SELinux-aware?
Message-ID: <4058BD37.3060209@nogin.org>

I have filed an RFE - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118571
asking for system-config-users to allow editing user roles. Do people think
it's a good idea?

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From dwalsh at redhat.com Thu Mar 18 04:01:37 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 17 Mar 2004 23:01:37 -0500
Subject: dmesg errors (sgi_fam)
In-Reply-To: <200403180024.21238.russell@coker.com.au>
References: <40579E37.8020407@insight.rr.com> <200403172224.11992.russell@coker.com.au> <20040317113915.s0d8g0oog8wsskgk@ebourne.me.uk> <200403180024.21238.russell@coker.com.au>
Message-ID: <40591F21.2050408@redhat.com>

Russell Coker wrote:
> On Wed, 17 Mar 2004 22:39, Martin Ebourne wrote:
>> Russell Coker wrote:
>>> The problem is that famd is an application which accepts network
>>> connections and wants read access to every file that any user can access.
>>> If you want to have a secure system you don't want many such programs.
>>
>> Surely it doesn't need access to the file contents - just to stat them, so
>> access to directories (still a security issue, I agree).
>
> Giving access to file names is still a security issue. If it can run with
> only { getattr search } access to directories and getattr access to files
> then it won't be so bad. Of course being able to remotely monitor what files
> someone is writing to also provides some issues (and for some files the
> names are predictable).

We have turned it off for test2 and intend to have a replacement. Basically
we need one that runs in user space and has access to all files that the
user has access to. Currently famd does stuff with portmapper and still
requires a network communication even if it is only allowing localhost. In
FC1 it was locked down to localhost. We realize that fam provides a needed
feature, and are working to replace it.

Dan

>>> Remote famd operation is only for non-polling notifications over the
>>> network. For most people having polling for file status changes on NFS
>>> will probably be OK.
>>
>> I agree with disabling remote famd, but the original post appeared to be
>> disabling the daemon entirely, which I expect would prevent local file
>> monitoring too. Or do gnome/kde use dnotify directly?
>
> I don't think that the command Dan suggested would turn it off entirely. The
> libfam functionality linked into applications should still do everything you
> want locally.
>
>> Also, I thought RH/Fedora already shipped with remote famd disabled.
>
> Not last time I checked.

From aleksey at nogin.org Thu Mar 18 04:13:33 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Wed, 17 Mar 2004 20:13:33 -0800
Subject: How do I make sudo "trusted"?
In-Reply-To: <405684D7.40802@redhat.com>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <40515B12.8030906@nogin.org> <200403141615.01069.russell@coker.com.au> <405609F9.3000300@nogin.org> <405684D7.40802@redhat.com>
Message-ID: <405921ED.8010902@nogin.org>

On 15.03.2004 20:38, Daniel J Walsh wrote:
>>> sudo_t transitions to another domain upon executing shell_exec_t. If
>>> you execute a binary that's not of type shell_exec_t then that
>>> doesn't work.
>>
>> Is there a reason for that? This is kind of unfortunate - one of the
>> big advantages of sudo is that it logs everything and having to
>> execute the shell first is kind of inconvenient. Can transition on an
>> ordinary bin_t be added?
>
> I have just modified sudo to exec
> $SHELL -c COMMAND when in SELinux mode.

This is indeed a big security hole - see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118602

> This should cause the transitions to happen properly.

Nope.

audit(1079581466.332:0): avc: denied { transition } for pid=3247 exe=/usr/bin/sudo path=/bin/tcsh dev=hda2 ino=3662912 scontext=aleksey:staff_r:sudo_t tcontext=aleksey:system_r:sysadm_t tclass=process

on calling

    sudo -r system_r -t sysadm_t id

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From aleksey at nogin.org Thu Mar 18 04:14:52 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Wed, 17 Mar 2004 20:14:52 -0800
Subject: Syslog to /dev/tty10
Message-ID: <4059223C.9010807@nogin.org>

If I want syslogd to log to a tty, what is the "proper" way of allowing it?

Should I augment the local file contexts to set /dev/tty10 to be var_log_t?
Or should I augment the local policies to allow syslogd_t processes more
access? Or should I do something else?

Thanks!

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From russell at coker.com.au Thu Mar 18 04:31:16 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 18 Mar 2004 15:31:16 +1100
Subject: Syslog to /dev/tty10
In-Reply-To: <4059223C.9010807@nogin.org>
References: <4059223C.9010807@nogin.org>
Message-ID: <200403181531.16900.russell@coker.com.au>

On Thu, 18 Mar 2004 15:14, Aleksey Nogin wrote:
> If I want syslogd to log to a tty, what is the "proper" way of allowing it?
>
> Should I augment the local file contexts to set /dev/tty10 to be
> var_log_t? Or should I augment the local policies to allow syslogd_t
> processes more access? Or should I do something else?

    allow syslogd_t tty_device_t:chr_file { getattr write };

Should hopefully do it.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From aleksey at nogin.org Thu Mar 18 05:07:32 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Wed, 17 Mar 2004 21:07:32 -0800
Subject: Syslog to /dev/tty10
In-Reply-To: <200403181531.16900.russell@coker.com.au>
References: <4059223C.9010807@nogin.org> <200403181531.16900.russell@coker.com.au>
Message-ID: <40592E94.3070104@nogin.org>

On 17.03.2004 20:31, Russell Coker wrote:
> On Thu, 18 Mar 2004 15:14, Aleksey Nogin wrote:
>> If I want syslogd to log to a tty, what is the "proper" way of allowing it?
>>
>> Should I augment the local file contexts to set /dev/tty10 to be
>> var_log_t? Or should I augment the local policies to allow syslogd_t
>> processes more access? Or should I do something else?
>
> allow syslogd_t tty_device_t:chr_file { getattr write };
>
> Should hopefully do it.

Thanks! But what I am seeing (before any mods) is

Mar 17 19:38:58 dell kernel: audit(1079581129.323:0): avc: denied { append } for pid=1744 exe=/sbin/syslogd name=tty10 dev=hda2 ino=2688363 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Mar 17 19:38:58 dell kernel: audit(1079581129.323:0): avc: denied { ioctl } for pid=1744 exe=/sbin/syslogd path=/dev/tty10 dev=hda2 ino=2688363 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file

and I am not sure whether giving ioctl access is reasonable or too much.
-- Aleksey Nogin Home Page: http://nogin.org/ E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal) Office: Jorgensen 70, tel: (626) 395-2907 From penny-cornette at insight.rr.com Thu Mar 18 05:22:23 2004 From: penny-cornette at insight.rr.com (Jim Cornette) Date: Thu, 18 Mar 2004 00:22:23 -0500 Subject: Http clean install - and many problems with the initial install Message-ID: <4059320F.4080106@insight.rr.com> I just installed Fedora core development from 3/17 and after the install, gdm did not recognize that there was actually a home directory created. This also happened with the root account. Anyway, user regular had files that it did not seem to own within using mc to visually see the files present. all the files looked like the default for broken symlinks. With the root user. gdm did not see the /root directory and would not start. Next, I thought that I'd telinit to runlevel 1 and change to /etc/security/selinux/src/policy to run make, then make relabel. I ran make and there was nothing to make. Performing an ls on the directory only yielded a file_x and nothing more. I edited my grub.conf file and am now running with SELinux off. I then checked if policy was installed, it was. Then checked if policy-sources was installed, it wasn't. I then ran up2date policy-sources and it downloaded policy sources, then checkpolicy as a requirement. Checking the directory now, there are other files installed. The below mess is what I did so far. I will run make and make relabel tomorrow. I also have a lot of mail to root with errors galore. This might help narrow down some problems. Also, thanks for the suggestion of turning off fam for the other installation that I have. I'll try to see if the error count goes down. 
paste below of activity (from gnome-terminal) [root at cornette-development root]# rpm -q policy policy-1.8-19 [root at cornette-development root]# rpm -q policy-sources package policy-sources is not installed [root at cornette-development root]# up2date policy-sources http://fedora.redhat.com/download/up2date-mirrors/fedora-core-rawhide using mirror: http://mirrors.kernel.org/fedora/core/development/i386/ Fetching Obsoletes list for channel: fedora-core-rawhide... Fetching rpm headers... ######################################## Name Version Rel ---------------------------------------------------------- policy-sources 1.8 19 noarch Testing package set / solving RPM inter-dependencies... ######################################## policy-sources-1.8-19.noarc ########################## Done. checkpolicy-1.8-1.i386.rpm: ########################## Done. Preparing ########################################### [100%] Installing... 1:checkpolicy ########################################### [100%] 2:policy-sources ########################################### [100%] make: Entering directory `/etc/security/selinux/src/policy' mkdir -p tmp ( cd domains/program/ ; for n in *.te ; do echo "define(\`$n')"; done ) > tmp/program_used_flags.te.tmp ( cd domains/misc/ ; for n in *.te ; do echo "define(\`$n')"; done ) >> tmp/program_used_flags.te.tmp mv tmp/program_used_flags.te.tmp tmp/program_used_flags.te mkdir -p tmp m4 -Imacros -s flask/security_classes flask/initial_sids flask/access_vectors tunable.te attrib.te tmp/program_used_flags.te macros/program/apache_macros.te macros/program/chkpwd_macros.te macros/program/chroot_macros.te macros/program/clamav_macros.te macros/program/crond_macros.te macros/program/crontab_macros.te macros/program/fingerd_macros.te macros/program/gpg_macros.te macros/program/gph_macros.te macros/program/irc_macros.te macros/program/login_macros.te macros/program/lpr_macros.te macros/program/mount_macros.te macros/program/mozilla_macros.te 
macros/program/mta_macros.te macros/program/newrole_macros.te macros/program/rhgb_macros.te macros/program/run_program_macros.te macros/program/screen_macros.te macros/program/sendmail_macros.te macros/program/slocate_macros.te macros/program/ssh_agent_macros.te macros/program/ssh_macros.te macros/program/su_macros.te macros/program/uml_macros.te macros/program/xauth_macros.te macros/program/x_client_macros.te macros/program/xserver_macros.te macros/program/ypbind_macros.te macros/admin_macros.te macros/base_user_macros.te macros/core_macros.te macros/global_macros.te macros/mini_user_macros.te macros/user_macros.te types/device.te types/devpts.te types/file.te types/network.te types/nfs.te types/procfs.te types/security.te domains/admin.te domains/user.te domains/misc/auth-net.te domains/misc/fcron.te domains/misc/kernel.te domains/misc/startx.te domains/program/acct.te domains/program/amanda.te domains/program/amavis.te domains/program/anaconda.te domains/program/apache.te domains/program/apmd.te domains/program/atd.te domains/program/auditd.te domains/program/authbind.te domains/program/automount.te domains/program/backup.te domains/program/bluetooth.te domains/program/bootloader.te domains/program/calamaris.te domains/program/canna.te domains/program/cardmgr.te domains/program/checkpolicy.te domains/program/chkpwd.te domains/program/chroot.te domains/program/ciped.te domains/program/clamav.te domains/program/consoletype.te domains/program/courier.te domains/program/cpucontrol.te domains/program/cpuspeed.te domains/program/crack.te domains/program/crond.te domains/program/crontab.te domains/program/cups.te domains/program/cyrus.te domains/program/dbusd.te domains/program/ddt-client.te domains/program/devfsd.te domains/program/dhcpc.te domains/program/dhcpd.te domains/program/dictd.te domains/program/dmesg.te domains/program/fingerd.te domains/program/firstboot.te domains/program/fsadm.te domains/program/fs_daemon.te domains/program/ftpd.te 
domains/program/games.te domains/program/getty.te domains/program/gnome-pty-helper.te domains/program/gpg.te domains/program/gpm.te domains/program/hostname.te domains/program/hotplug.te domains/program/hwclock.te domains/program/ifconfig.te domains/program/imazesrv.te domains/program/inetd.te domains/program/initrc.te domains/program/init.te domains/program/innd.te domains/program/ipsec.te domains/program/iptables.te domains/program/ircd.te domains/program/irc.te domains/program/irqbalance.te domains/program/jabberd.te domains/program/klogd.te domains/program/kudzu.te domains/program/lcd.te domains/program/ldconfig.te domains/program/loadkeys.te domains/program/load_policy.te domains/program/login.te domains/program/logrotate.te domains/program/lpd.te domains/program/lpr.te domains/program/lrrd.te domains/program/lvm.te domains/program/mailman.te domains/program/mdadm.te domains/program/modutil.te domains/program/monopd.te domains/program/mount.te domains/program/mozilla.te domains/program/mrtg.te domains/program/mta.te domains/program/mysqld.te domains/program/named.te domains/program/nessusd.te domains/program/netsaint.te domains/program/netutils.te domains/program/newrole.te domains/program/nscd.te domains/program/nsd.te domains/program/ntpd.te domains/program/oav-update.te domains/program/openca-ca.te domains/program/pamconsole.te domains/program/pam.te domains/program/passwd.te domains/program/perdition.te domains/program/ping.te domains/program/portmap.te domains/program/portslave.te domains/program/postfix.te domains/program/postgresql.te domains/program/pppd.te domains/program/prelink.te domains/program/privoxy.te domains/program/procmail.te domains/program/pump.te domains/program/pxe.te domains/program/quota.te domains/program/radius.te domains/program/radvd.te domains/program/restorecon.te domains/program/rhgb.te domains/program/rlogind.te domains/program/rpcd.te domains/program/rpm.te domains/program/rshd.te domains/program/samba.te 
domains/program/scannerdaemon.te domains/program/screen.te domains/program/sendmail.te domains/program/setfiles.te domains/program/seuser.te domains/program/slapd.te domains/program/slocate.te domains/program/slrnpull.te domains/program/snmpd.te domains/program/snort.te domains/program/sound-server.te domains/program/sound.te domains/program/spamd.te domains/program/speedmgmt.te domains/program/squid.te domains/program/ssh-agent.te domains/program/ssh.te domains/program/sudo.te domains/program/sulogin.te domains/program/su.te domains/program/sxid.te domains/program/syslogd.te domains/program/sysstat.te domains/program/tcpd.te domains/program/tftpd.te domains/program/tmpreaper.te domains/program/traceroute.te domains/program/transproxy.te domains/program/udev.te domains/program/uml.te domains/program/updfstab.te domains/program/uptimed.te domains/program/usbmodules.te domains/program/useradd.te domains/program/userhelper.te domains/program/utempter.te domains/program/vmware.te domains/program/watchdog.te domains/program/xauth.te domains/program/xdm.te domains/program/xfs.te domains/program/xserver.te domains/program/ypbind.te domains/program/ypserv.te domains/program/zebra.te assert.te rbac users constraints initial_sid_contexts fs_use genfs_contexts net_contexts > policy.conf.tmp
mv policy.conf.tmp policy.conf
mkdir -p /etc/security/selinux/src
install -m 644 policy.conf /etc/security/selinux/src/policy.conf
mkdir -p /etc/security/selinux
/usr/bin/checkpolicy -c -o /etc/security/selinux/policy.15 /etc/security/selinux/src/policy.conf
/usr/bin/checkpolicy: loading policy configuration from /etc/security/selinux/src/policy.conf
security: 3 users, 5 roles, 1161 types, 1 bools
security: 30 classes, 198929 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 15) to /etc/security/selinux/policy.15
warning: discarding booleans and conditional rules
mkdir -p file_contexts/misc
m4 file_contexts/types.fc
file_contexts/program/acct.fc file_contexts/program/amanda.fc file_contexts/program/amavis.fc file_contexts/program/anaconda.fc file_contexts/program/apache.fc file_contexts/program/apmd.fc file_contexts/program/atd.fc file_contexts/program/auditd.fc file_contexts/program/authbind.fc file_contexts/program/automount.fc file_contexts/program/backup.fc file_contexts/program/bluetooth.fc file_contexts/program/bootloader.fc file_contexts/program/calamaris.fc file_contexts/program/canna.fc file_contexts/program/cardmgr.fc file_contexts/program/checkpolicy.fc file_contexts/program/chkpwd.fc file_contexts/program/chroot.fc file_contexts/program/ciped.fc file_contexts/program/clamav.fc file_contexts/program/consoletype.fc file_contexts/program/courier.fc file_contexts/program/cpucontrol.fc file_contexts/program/cpuspeed.fc file_contexts/program/crack.fc file_contexts/program/crond.fc file_contexts/program/crontab.fc file_contexts/program/cups.fc file_contexts/program/cyrus.fc file_contexts/program/dbusd.fc file_contexts/program/ddt-client.fc file_contexts/program/devfsd.fc file_contexts/program/dhcpc.fc file_contexts/program/dhcpd.fc file_contexts/program/dictd.fc file_contexts/program/dmesg.fc file_contexts/program/fingerd.fc file_contexts/program/firstboot.fc file_contexts/program/fsadm.fc file_contexts/program/fs_daemon.fc file_contexts/program/ftpd.fc file_contexts/program/games.fc file_contexts/program/getty.fc file_contexts/program/gnome-pty-helper.fc file_contexts/program/gpg.fc file_contexts/program/gpm.fc file_contexts/program/hostname.fc file_contexts/program/hotplug.fc file_contexts/program/hwclock.fc file_contexts/program/ifconfig.fc file_contexts/program/imazesrv.fc file_contexts/program/inetd.fc file_contexts/program/initrc.fc file_contexts/program/init.fc file_contexts/program/innd.fc file_contexts/program/ipsec.fc file_contexts/program/iptables.fc file_contexts/program/ircd.fc file_contexts/program/irc.fc file_contexts/program/irqbalance.fc 
file_contexts/program/jabberd.fc file_contexts/program/klogd.fc file_contexts/program/kudzu.fc file_contexts/program/lcd.fc file_contexts/program/ldconfig.fc file_contexts/program/loadkeys.fc file_contexts/program/load_policy.fc file_contexts/program/login.fc file_contexts/program/logrotate.fc file_contexts/program/lpd.fc file_contexts/program/lpr.fc file_contexts/program/lrrd.fc file_contexts/program/lvm.fc file_contexts/program/mailman.fc file_contexts/program/mdadm.fc file_contexts/program/modutil.fc file_contexts/program/monopd.fc file_contexts/program/mount.fc file_contexts/program/mozilla.fc file_contexts/program/mrtg.fc file_contexts/program/mta.fc file_contexts/program/mysqld.fc file_contexts/program/named.fc file_contexts/program/nessusd.fc file_contexts/program/netsaint.fc file_contexts/program/netutils.fc file_contexts/program/newrole.fc file_contexts/program/nscd.fc file_contexts/program/nsd.fc file_contexts/program/ntpd.fc file_contexts/program/oav-update.fc file_contexts/program/openca-ca.fc file_contexts/program/pamconsole.fc file_contexts/program/pam.fc file_contexts/program/passwd.fc file_contexts/program/perdition.fc file_contexts/program/ping.fc file_contexts/program/portmap.fc file_contexts/program/portslave.fc file_contexts/program/postfix.fc file_contexts/program/postgresql.fc file_contexts/program/pppd.fc file_contexts/program/prelink.fc file_contexts/program/privoxy.fc file_contexts/program/procmail.fc file_contexts/program/pump.fc file_contexts/program/pxe.fc file_contexts/program/quota.fc file_contexts/program/radius.fc file_contexts/program/radvd.fc file_contexts/program/restorecon.fc file_contexts/program/rhgb.fc file_contexts/program/rlogind.fc file_contexts/program/rpcd.fc file_contexts/program/rpm.fc file_contexts/program/rshd.fc file_contexts/program/samba.fc file_contexts/program/scannerdaemon.fc file_contexts/program/screen.fc file_contexts/program/sendmail.fc file_contexts/program/setfiles.fc file_contexts/program/seuser.fc 
file_contexts/program/slapd.fc file_contexts/program/slocate.fc file_contexts/program/slrnpull.fc file_contexts/program/snmpd.fc file_contexts/program/snort.fc file_contexts/program/sound-server.fc file_contexts/program/sound.fc file_contexts/program/spamd.fc file_contexts/program/speedmgmt.fc file_contexts/program/squid.fc file_contexts/program/ssh-agent.fc file_contexts/program/ssh.fc file_contexts/program/sudo.fc file_contexts/program/sulogin.fc file_contexts/program/su.fc file_contexts/program/sxid.fc file_contexts/program/syslogd.fc file_contexts/program/sysstat.fc file_contexts/program/tcpd.fc file_contexts/program/tftpd.fc file_contexts/program/tmpreaper.fc file_contexts/program/traceroute.fc file_contexts/program/transproxy.fc file_contexts/program/udev.fc file_contexts/program/uml.fc file_contexts/program/updfstab.fc file_contexts/program/uptimed.fc file_contexts/program/usbmodules.fc file_contexts/program/useradd.fc file_contexts/program/userhelper.fc file_contexts/program/utempter.fc file_contexts/program/vmware.fc file_contexts/program/watchdog.fc file_contexts/program/xauth.fc file_contexts/program/xdm.fc file_contexts/program/xfs.fc file_contexts/program/xserver.fc file_contexts/program/ypbind.fc file_contexts/program/ypserv.fc file_contexts/program/zebra.fc > file_contexts/file_contexts.tmp
rm file_contexts/file_contexts.tmp
mkdir -p /etc/security/selinux
install -m 644 file_contexts/file_contexts /etc/security/selinux/file_contexts
/usr/sbin/load_policy /etc/security/selinux/policy.15
/usr/sbin/load_policy: security_load_policy failed
make: *** [reload] Error 3
make: Leaving directory `/etc/security/selinux/src/policy'
The following packages were added to your selection to satisfy dependencies:
Name                                    Version        Release
--------------------------------------------------------------
checkpolicy                             1.8            1
[root at cornette-development root]# pwd
/root
[root at cornette-development root]# cd /etc/security/selinux/src/policy
[root at cornette-development policy]# ls
appconfig    file_contexts         mls           remove-unwanted-policy
assert.te    flask                 net_contexts  tmp
attrib.te    fs_use                policy.15     tunable.te
ChangeLog    genfs_contexts        policy.conf   types
constraints  initial_sid_contexts  policy.spec   users
COPYING      macros                rbac          VERSION
domains      Makefile              README


From aleksey at nogin.org Thu Mar 18 05:26:29 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Wed, 17 Mar 2004 21:26:29 -0800
Subject: I got a mess when both policy and policy sources got upgraded.
Message-ID: <40593305.4070707@nogin.org>

Just filed https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118604 :

1) I installed policy-sources (which required installing the policy package as well).

2) I modified /etc/security/selinux/src/policy/users (to include myself with appropriate staff roles) and started using the locally augmented policy.

3) After a while, I ran "up2date -u" which picked up that both policy and policy-sources need to be updated.

4) up2date -u upgraded the policy package.

!!! At this point, the default policy got installed and loaded,
!!! overriding the local changes. All the processes that were running in
!!! context aleksey:staff_r:staff_t became system_u:object_r:unlabeled_t

5) Later in the up2date -u, the policy-source package was upgraded, the new locally-augmented policy got rebuilt and loaded and things got back to normal. But the mis-labeled processes stayed mislabeled (which caused some files to become mislabeled too).

P.S. At a minimum, the policy files in the policy package should be %config(noreplace). But the best solution would be to have _only_ one package that would include all the source files and would always do the make-and-install-and-reload on upgrade.

P.P.S. Sticking with just one (source-based) policy package would also make it easier to implement the RFE in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118571 .

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907


From russell at coker.com.au Thu Mar 18 05:34:55 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 18 Mar 2004 16:34:55 +1100
Subject: Http clean install - and many problems with the initial install
In-Reply-To: <4059320F.4080106@insight.rr.com>
References: <4059320F.4080106@insight.rr.com>
Message-ID: <200403181634.55544.russell@coker.com.au>

On Thu, 18 Mar 2004 16:22, Jim Cornette wrote:
> I just installed Fedora core development from 3/17 and after the
> install, gdm did not recognize that there was actually a home directory
> created.

What did "ls -alZ" as sysadm_r report?

> Anyway, user regular had files that it did not seem to own within using
> mc to visually see the files present. all the files looked like the
> default for broken symlinks.

Sounds like the wrong type was on the files and they could not be stat()'d.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


From russell at coker.com.au Thu Mar 18 05:35:51 2004
From: russell at coker.com.au (Russell Coker)
Date: Thu, 18 Mar 2004 16:35:51 +1100
Subject: Syslog to /dev/tty10
In-Reply-To: <40592E94.3070104@nogin.org>
References: <4059223C.9010807@nogin.org> <200403181531.16900.russell@coker.com.au> <40592E94.3070104@nogin.org>
Message-ID: <200403181635.51681.russell@coker.com.au>

On Thu, 18 Mar 2004 16:07, Aleksey Nogin wrote:
> > allow syslogd_t tty_device_t:chr_file { getattr write };
> >
> > Should hopefully do it.
>
> Thanks!
>
> But what I am seeing (before any mods) is
>
> Mar 17 19:38:58 dell kernel: audit(1079581129.323:0): avc: denied {
> append } for pid=1744 exe=/sbin/syslogd name=tty10 dev=hda2 ino=2688363
> scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:tty_device_t tclass=chr_file
> Mar 17 19:38:58 dell kernel: audit(1079581129.323:0): avc: denied {
> ioctl } for pid=1744 exe=/sbin/syslogd path=/dev/tty10 dev=hda2
> ino=2688363 scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:tty_device_t tclass=chr_file
>
> and I am not sure whether giving ioctl access is reasonable or too much.

OK, give it { append getattr ioctl } then.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


From sds at epoch.ncsc.mil Thu Mar 18 13:37:39 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 18 Mar 2004 08:37:39 -0500
Subject: How do I make sudo "trusted"?
In-Reply-To: <405921ED.8010902@nogin.org>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <40515B12.8030906@nogin.org> <200403141615.01069.russell@coker.com.au> <405609F9.3000300@nogin.org> <405684D7.40802@redhat.com> <405921ED.8010902@nogin.org>
Message-ID: <1079617058.12704.25.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2004-03-17 at 23:13, Aleksey Nogin wrote:
> on calling
> sudo -r system_r -t sysadm_t id

sysadm_r, not system_r.

--
Stephen Smalley
National Security Agency


From sds at epoch.ncsc.mil Thu Mar 18 16:17:13 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 18 Mar 2004 11:17:13 -0500
Subject: How do I make sudo "trusted"?
In-Reply-To: <405374CD.6070600@nogin.org>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <405374CD.6070600@nogin.org>
Message-ID: <1079626633.12704.99.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2004-03-13 at 15:53, Aleksey Nogin wrote:
> On 11.03.2004 07:36, Stephen Smalley wrote:
>
> > Hence, if you add yourself to policy/users and authorize
> > yourself for staff_r and sysadm_r and reload your policy, then you
> > should be able to do sudo -r sysadm_r .
>
> What is the difference between the sysadm_r and system_r? When should I
> be using
>
> sudo -r sysadm_r
>
> and when
>
> sudo -r system_r -t sysadm_t

You shouldn't need to do the latter ever. I suspect that sudo should default to switching to sysadm_r, as that will be the expected behavior. It can use get_default_context to obtain a default context for the user and /etc/security/default_contexts can be set up to make it default to sysadm_r:sysadm_t.

--
Stephen Smalley
National Security Agency


From sds at epoch.ncsc.mil Thu Mar 18 16:42:00 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 18 Mar 2004 11:42:00 -0500
Subject: How do I make sudo "trusted"?
In-Reply-To: <40515B12.8030906@nogin.org>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <40515B12.8030906@nogin.org>
Message-ID: <1079628120.12704.131.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-03-12 at 01:39, Aleksey Nogin wrote:
> Well, sudo + sudoers does authenticate the "I am somebody who can act on
> behalf of the target user", why is this insufficient?

It might be sufficient (if you are willing to fully trust sudo and /etc/sudoers), although it would mean that you would lose the preservation of the SELinux user identity for its auditing on kernel operations. Your counterargument is presumably that sudo will log sufficiently (but again that presumes trust in sudo, and doesn't provide auditing on the kernel operations).

To do this, you would need to patch sudo to set the SELinux user identity to the new value; you cannot just use pam_selinux as is done for su, as the pam user identity is set to the old identity since that is the identity that is authenticated.

> Do you expect everybody who is used to doing things via sudo (a lot of
> places where more than one user has admin access have policies insisting
> on sudo - in particular because sudo will log everything) to be willing
> to figure this out? Why does this information (e.g. "user x is allowed to
> act as root when re-authenticated") have to be listed in _two_ separate
> places (sudoers and policies)?

SELinux policy doesn't specify who is allowed to act as Linux uid 0 when re-authenticated. It does specify what roles you can enter. Whether or not sudo should change the SELinux user identity is certainly open to debate; we (NSA) didn't try integrating SELinux with sudo, so this is something that RH has to work out.

> > In order to have sudo safely change the SELinux user identity (to root),
> > you would need another mechanism for specifying what roles/domains are
> > permitted to the calling user, e.g. new fields in /etc/sudoers.
>
> That would be the best solution IMHO. Should I file a Bugzilla RFE?

I'm in favor of being able to specify roles and domains in /etc/sudoers regardless of whether sudo changes the SELinux user identity.

> > Even
> > then, you still need to start from staff_r in order to reach sysadm_r;
> > the policy doesn't allow user_r to transition to sysadm_r (if SELinux is
> > in enforcing mode).
>
> Not sure I understand what you are saying - it works with su, why can't
> it be made to work with sudo?

It isn't permitted in the upstream policy, just the RH policy. user_r is more confined in the upstream policy.

--
Stephen Smalley
National Security Agency


From aleksey at nogin.org Thu Mar 18 18:43:14 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Thu, 18 Mar 2004 10:43:14 -0800
Subject: How do I make sudo "trusted"?
In-Reply-To: <1079626633.12704.99.camel@moss-spartans.epoch.ncsc.mil>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <405374CD.6070600@nogin.org> <1079626633.12704.99.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4059EDC2.3000603@nogin.org>

On 18.03.2004 08:17, Stephen Smalley wrote:
>> What is the difference between the sysadm_r and system_r? When should I
>> be using
>>
>> sudo -r sysadm_r
>>
>> and when
>>
>> sudo -r system_r -t sysadm_t
>
> You shouldn't need to do the latter ever.

So what is the difference between the sysadm_r and system_r? How does it relate to the

# sample for administrative user
ifdef(`direct_sysadm_daemon', `
#user jadmin roles { staff_r sysadm_r system_r };
', `
#user jadmin roles { staff_r sysadm_r };
')

in the /etc/security/selinux/src/policy/users? Thanks!

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907


From dwalsh at redhat.com Thu Mar 18 19:32:58 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 18 Mar 2004 14:32:58 -0500
Subject: How do I make sudo "trusted"?
In-Reply-To: <4059EDC2.3000603@nogin.org>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <405374CD.6070600@nogin.org> <1079626633.12704.99.camel@moss-spartans.epoch.ncsc.mil> <4059EDC2.3000603@nogin.org>
Message-ID: <4059F96A.80203@redhat.com>

I have done some major work today on sudo. Added an SELinux shell sesh. That does nothing but exec the command a second time. This will eliminate the globbing problems. I also have it automatically transitioning to sysadm_r if you are able to. Sudo and policy rpm are required to make this work.

Dan


From sds at epoch.ncsc.mil Thu Mar 18 20:21:37 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Thu, 18 Mar 2004 15:21:37 -0500
Subject: How do I make sudo "trusted"?
In-Reply-To: <4059EDC2.3000603@nogin.org>
References: <4050839B.2010901@nogin.org> <1079019384.5752.49.camel@moss-spartans.epoch.ncsc.mil> <405374CD.6070600@nogin.org> <1079626633.12704.99.camel@moss-spartans.epoch.ncsc.mil> <4059EDC2.3000603@nogin.org>
Message-ID: <1079641297.12704.186.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-03-18 at 13:43, Aleksey Nogin wrote:
> So what is the difference between the sysadm_r and system_r? How does it
> relate to the
>
> # sample for administrative user
> ifdef(`direct_sysadm_daemon', `
> #user jadmin roles { staff_r sysadm_r system_r };
> ', `
> #user jadmin roles { staff_r sysadm_r };
> ')
>
> in the /etc/security/selinux/src/policy/users? Thanks!

sysadm_r is intended for administrative sessions. system_r is intended for system processes; it is the initial role for /sbin/init and its descendants. Including system_r in the set of role authorizations for administrators is a temporary workaround to support direct restarting of daemons from an admin shell; the daemon should then automatically transition into system_r:, assuming it has a domain.

--
Stephen Smalley
National Security Agency


From aleksey at nogin.org Fri Mar 19 08:52:51 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Fri, 19 Mar 2004 00:52:51 -0800
Subject: XFree86 accessing /dev/urandom AVCs.
Message-ID: <405AB4E3.5060707@nogin.org>

Not sure where these come from (possibly it's because of my using the vnc module in X). Safe to dontaudit?
audit(1079686139.241:0): avc: denied { getattr } for pid=9439 exe=/usr/X11R6/bin/XFree86 path=/dev/urandom dev=hda2 ino=2689265 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1079686139.241:0): avc: denied { ioctl } for pid=9439 exe=/usr/X11R6/bin/XFree86 path=/dev/urandom dev=hda2 ino=2689265 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907


From aleksey at nogin.org Fri Mar 19 08:57:04 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Fri, 19 Mar 2004 00:57:04 -0800
Subject: [policy-1.8-19] Reading the hostname AVCs
Message-ID: <405AB5E0.9060503@nogin.org>

When running hostname (or hostname -s) to _get_ (not set) the hostname as a "staff" user - under sysadm_r:

audit(1079685457.360:0): avc: denied { read } for pid=9499 exe=/bin/hostname name=resolv.conf dev=hda2 ino=229950 scontext=aleksey:sysadm_r:hostname_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079685457.361:0): avc: denied { getattr } for pid=9499 exe=/bin/hostname path=/etc/resolv.conf dev=hda2 ino=229950 scontext=aleksey:sysadm_r:hostname_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079685457.361:0): avc: denied { create } for pid=9499 exe=/bin/hostname scontext=aleksey:sysadm_r:hostname_t tcontext=aleksey:sysadm_r:hostname_t tclass=unix_stream_socket
audit(1079685457.361:0): avc: denied { connect } for pid=9499 exe=/bin/hostname scontext=aleksey:sysadm_r:hostname_t tcontext=aleksey:sysadm_r:hostname_t tclass=unix_stream_socket

The socket ones are coming from, I believe, trying to access /var/run/nscd/socket that does not exist (nscd was never used on this machine).

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907


From aleksey at nogin.org Fri Mar 19 09:03:11 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Fri, 19 Mar 2004 01:03:11 -0800
Subject: [policy-1.8-19] Running /bin/mail as a sysadm_r user AVCs
Message-ID: <405AB74F.6040402@nogin.org>

I ran "... | mail -s ... aleksey" while running under sysadm_r and I got:

audit(1079685757.727:0): avc: denied { read } for pid=9687 exe=/usr/sbin/sendmail.sendmail name=self dev= ino=2 scontext=aleksey:sysadm_r:sysadm_mail_t tcontext=system_u:object_r:proc_t tclass=lnk_file
audit(1079685757.727:0): avc: denied { search } for pid=9687 exe=/usr/sbin/sendmail.sendmail name=9687 dev= ino=634847234 scontext=aleksey:sysadm_r:sysadm_mail_t tcontext=aleksey:sysadm_r:sysadm_mail_t tclass=dir
audit(1079685757.751:0): avc: denied { dac_override } for pid=9688 exe=/usr/sbin/sendmail.sendmail capability=1 scontext=system_u:system_r:sendmail_t tcontext=system_u:system_r:sendmail_t tclass=capability

The first one is probably an issue with how the kernel manages /proc - /proc/self IMHO should not be system_u:object_r:proc_t.

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907


From aleksey at nogin.org Fri Mar 19 09:47:16 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Fri, 19 Mar 2004 01:47:16 -0800
Subject: [policy-1.8-22] Bringing a device via hotplug AVCs
Message-ID: <405AC1A4.80609@nogin.org>

The list is now much smaller than it used to be. I see:

audit(1079689114.447:0): avc: denied { read } for pid=1615 exe=/sbin/route name=resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689114.448:0): avc: denied { getattr } for pid=1615 exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:netif_t tclass=netif
audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:node_t tclass=node
audit(1079689115.057:0): avc: denied { recv_msg } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907


From aleksey at nogin.org Fri Mar 19 10:08:44 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Fri, 19 Mar 2004 02:08:44 -0800
Subject: What is the best way to find out (in a script) whether SElinux is used?
Message-ID: <405AC6AC.3030505@nogin.org>

I want to have a script that acts slightly differently depending on whether SELinux is being used or not. What is the best way to do it?

My initial attempts to use "-e /etc/security/selinux" or "-e /selinux/enforce" all create log messages:

audit(1079689937.170:0): avc: denied { getattr } for pid=2662 exe=/bin/bash path=/etc/security/selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1079690744.526:0): avc: denied { getattr } for pid=3577 exe=/bin/bash path=/selinux/enforce dev= ino=4 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:security_t tclass=file

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907


From aleksey at nogin.org Fri Mar 19 10:27:28 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Fri, 19 Mar 2004 02:27:28 -0800
Subject: [policy-1.8-22] Bringing a device via hotplug AVCs
In-Reply-To: <200403192123.20807.russell@coker.com.au>
References: <405AC1A4.80609@nogin.org> <200403192123.20807.russell@coker.com.au>
Message-ID: <405ACB10.5080606@nogin.org>

On 19.03.2004 02:23, Russell Coker wrote:
> The above rule solved all that. I'm not sure that's what we desire though.
> Maybe the program that calls /sbin/route should be running in a different
> domain? How is this wavelan stuff setup? Why is it different from an
> ethernet device?

It's not set up any differently - it is a built-in PCMCIA card that is set up to use DHCP for everything. I would imagine that the /sbin/route is called by the ifup script.

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907


From dwalsh at redhat.com Fri Mar 19 12:43:12 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 19 Mar 2004 07:43:12 -0500
Subject: What is the best way to find out (in a script) whether SElinux is used?
In-Reply-To: <405AC6AC.3030505@nogin.org>
References: <405AC6AC.3030505@nogin.org>
Message-ID: <405AEAE0.9080302@redhat.com>

Aleksey Nogin wrote:
> I want to have a script that acts slightly differently depending on whether SELinux is being used or not. What is the best way to do it?
>
> My initial attempts to use "-e /etc/security/selinux" or "-e /selinux/enforce" all create log messages:
>
> audit(1079689937.170:0): avc: denied { getattr } for pid=2662 exe=/bin/bash path=/etc/security/selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
> audit(1079690744.526:0): avc: denied { getattr } for pid=3577 exe=/bin/bash path=/selinux/enforce dev= ino=4 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:security_t tclass=file
>

/usr/bin/selinuxenabled

Exits with status 0 if enabled.

Dan

From dwalsh at redhat.com Fri Mar 19 12:46:55 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 19 Mar 2004 07:46:55 -0500
Subject: [policy-1.8-22] Bringing a device via hotplug AVCs
In-Reply-To: <405AC1A4.80609@nogin.org>
References: <405AC1A4.80609@nogin.org>
Message-ID: <405AEBBF.6020803@redhat.com>

Aleksey Nogin wrote:
> The list is now much smaller than it used to be. I see:
>
> audit(1079689114.447:0): avc: denied { read } for pid=1615 exe=/sbin/route name=resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
> audit(1079689114.448:0): avc: denied { getattr } for pid=1615 exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
> audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:netif_t tclass=netif
> audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:node_t tclass=node
> audit(1079689115.057:0): avc: denied { recv_msg } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
>
> Aleksey Nogin wrote:
>
>> The list is now much smaller than it used to be. I see:
>>
>> audit(1079689114.447:0): avc: denied { read } for pid=1615 exe=/sbin/route name=resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
>> audit(1079689114.448:0): avc: denied { getattr } for pid=1615 exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
>> audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:netif_t tclass=netif
>> audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:node_t tclass=node
>> audit(1079689115.057:0): avc: denied { recv_msg } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
>>
>

Updated policy to handle all your avc messages, not sure what to do with the last ones though.

From aleksey at nogin.org Fri Mar 19 12:48:08 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Fri, 19 Mar 2004 04:48:08 -0800
Subject: What is the best way to find out (in a script) whether SElinux is used?
In-Reply-To: <405AEAE0.9080302@redhat.com>
References: <405AC6AC.3030505@nogin.org> <405AEAE0.9080302@redhat.com>
Message-ID: <405AEC08.4040009@nogin.org>

On 19.03.2004 04:43, Daniel J Walsh wrote:
> /usr/bin/selinuxenabled
>
> Exits with status 0 if enabled.

Thanks!

From sds at epoch.ncsc.mil Fri Mar 19 13:18:16 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 19 Mar 2004 08:18:16 -0500
Subject: [policy-1.8-22] Bringing a device via hotplug AVCs
In-Reply-To: <405AEBBF.6020803@redhat.com>
References: <405AC1A4.80609@nogin.org> <405AEBBF.6020803@redhat.com>
Message-ID: <1079702296.17340.27.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-03-19 at 07:46, Daniel J Walsh wrote:
> Aleksey Nogin wrote:
>
> > The list is now much smaller than it used to be. I see:
> >
> > audit(1079689114.447:0): avc: denied { read } for pid=1615 exe=/sbin/route name=resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
> > audit(1079689114.448:0): avc: denied { getattr } for pid=1615 exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
> > audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:netif_t tclass=netif
> > audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:node_t tclass=node
> > audit(1079689115.057:0): avc: denied { recv_msg } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
> >
> > Aleksey Nogin wrote:
> >
> >> The list is now much smaller than it used to be. I see:
> >>
> >> audit(1079689114.447:0): avc: denied { read } for pid=1615 exe=/sbin/route name=resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
> >> audit(1079689114.448:0): avc: denied { getattr } for pid=1615 exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
> >> audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:netif_t tclass=netif
> >> audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:node_t tclass=node
> >> audit(1079689115.057:0): avc: denied { recv_msg } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
> >>
> >
>
> Updated policy to handle all your avc messages, not sure what to do with the last ones though.

Should /sbin/route run in netutils_t (in general, both from hotplug_t and from sysadm_t)? In any event, hotplug_t is likely a candidate for unconfined_domain() in the limited policy, as is insmod_t.
--
Stephen Smalley
National Security Agency

From russell at coker.com.au Fri Mar 19 10:13:55 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 19 Mar 2004 21:13:55 +1100
Subject: [policy-1.8-19] Running /bin/mail as a sysadm_r user AVCs
In-Reply-To: <405AB74F.6040402@nogin.org>
References: <405AB74F.6040402@nogin.org>
Message-ID: <200403192113.55235.russell@coker.com.au>

On Fri, 19 Mar 2004 20:03, Aleksey Nogin wrote:
> The first one is probably an issue with how the kernel manages /proc - /proc/self IMHO should not be system_u:object_r:proc_t.

That seems like a reasonable idea, I wonder what Steve will think.

I've put a new snapshot of my tree on http://www.coker.com.au/selinux/policy.tgz . It has a fix for the hostname issue and changes to sendmail_macros.te and procmail.te to deal with the issues you reported.

If you like living on the edge then you can run your machine entirely from my policy instead of Dan's package. Otherwise just selectively copy the files you want.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Fri Mar 19 10:19:34 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 19 Mar 2004 21:19:34 +1100
Subject: XFree86 accessing /dev/urandom AVCs.
In-Reply-To: <405AB4E3.5060707@nogin.org>
References: <405AB4E3.5060707@nogin.org>
Message-ID: <200403192119.34678.russell@coker.com.au>

On Fri, 19 Mar 2004 19:52, Aleksey Nogin wrote:
> Not sure where these come from (possibly it's because of my using the vnc module in X). Safe to dontaudit?
>
> audit(1079686139.241:0): avc: denied { getattr } for pid=9439 exe=/usr/X11R6/bin/XFree86 path=/dev/urandom dev=hda2 ino=2689265 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> audit(1079686139.241:0): avc: denied { ioctl } for pid=9439 exe=/usr/X11R6/bin/XFree86 path=/dev/urandom dev=hda2 ino=2689265 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

As far as I am aware there is no valid ioctl for the urandom device, it takes reads as requests for random data and writes as additions to the entropy pool. Programs that do an IOCTL are bogus, but there's no harm in allowing it.

As for getattr, that's valid so I've changed my tree to allow that too. Read was already allowed for SSP (which only does blind reads with no getattr and no ioctl).

From russell at coker.com.au Fri Mar 19 09:47:24 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 19 Mar 2004 20:47:24 +1100
Subject: [policy-1.8-19] Reading the hostname AVCs
In-Reply-To: <405AB5E0.9060503@nogin.org>
References: <405AB5E0.9060503@nogin.org>
Message-ID: <200403192047.24858.russell@coker.com.au>

On Fri, 19 Mar 2004 19:57, Aleksey Nogin wrote:
> When running hostname (or hostname -s) to _get_ (not set) the hostname as a "staff" user - under sysadm_r:
>
> The socket ones are coming from, I believe, trying to access /var/run/nscd/socket that does not exist (nscd was never used on this machine).

allow hostname_t net_conf_t:file { getattr read };
allow hostname_t self:unix_stream_socket create_stream_socket_perms;
dontaudit hostname_t var_t:dir search;
allow hostname_t fs_t:filesystem getattr;

The above 4 lines of policy will permit the access to net_conf_t and to creating unix_stream_socket's (although I don't know why it does either of these things). It may need can_network() although so far none of my tests have had it use any TCP/IP functionality.

From russell at coker.com.au Fri Mar 19 10:23:20 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 19 Mar 2004 21:23:20 +1100
Subject: [policy-1.8-22] Bringing a device via hotplug AVCs
In-Reply-To: <405AC1A4.80609@nogin.org>
References: <405AC1A4.80609@nogin.org>
Message-ID: <200403192123.20807.russell@coker.com.au>

On Fri, 19 Mar 2004 20:47, Aleksey Nogin wrote:
> The list is now much smaller than it used to be. I see:
>
> audit(1079689114.447:0): avc: denied { read } for pid=1615 exe=/sbin/route name=resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
> audit(1079689114.448:0): avc: denied { getattr } for pid=1615 exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
> audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:netif_t tclass=netif

can_network(hotplug_t)

The above rule solved all that. I'm not sure that's what we desire though. Maybe the program that calls /sbin/route should be running in a different domain? How is this wavelan stuff setup? Why is it different from an ethernet device?

From russell at coker.com.au Fri Mar 19 10:29:18 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 19 Mar 2004 21:29:18 +1100
Subject: What is the best way to find out (in a script) whether SElinux is used?
In-Reply-To: <405AC6AC.3030505@nogin.org>
References: <405AC6AC.3030505@nogin.org>
Message-ID: <200403192129.18221.russell@coker.com.au>

On Fri, 19 Mar 2004 21:08, Aleksey Nogin wrote:
> I want to have a script that acts slightly differently depending on whether SELinux is being used or not. What is the best way to do it?
>
> My initial attempts to use "-e /etc/security/selinux" or "-e /selinux/enforce" all create log messages:

I've attached my archive of man pages for SE Linux APIs. See is_selinux_enabled(3).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: man.tgz
Type: application/x-tgz
Size: 3627 bytes
Desc: not available
URL:

From sct at redhat.com Sat Mar 20 00:34:43 2004
From: sct at redhat.com (Stephen C. Tweedie)
Date: 20 Mar 2004 00:34:43 +0000
Subject: USERCTL=yes - ifup by non-privileged user AVCs.
In-Reply-To: <20040315160213.GB9130@devserv.devel.redhat.com>
References: <40521937.6080604@nogin.org> <200403141853.22286.russell@coker.com.au> <20040315160213.GB9130@devserv.devel.redhat.com>
Message-ID: <1079742882.2846.27.camel@sisko.scot.redhat.com>

Hi,

On Mon, 2004-03-15 at 16:02, Bill Nottingham wrote:
> Russell Coker (russell at coker.com.au) said:
> > > security_compute_sid: invalid context user_u:user_r:insmod_t for scontext=user_u:user_r:user_t tcontext=system_u:object_r:insmod_exec_t tclass=process
> >
> > You just don't do such things as user_r, they should be done as sysadm_r.
>
> This breaks installed systems, though. I suppose usernetctl needs to change roles.

Is there a bugzilla for this yet? I don't want it to slip through the cracks.

--Stephen

From aleksey at nogin.org Sat Mar 20 07:54:37 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Fri, 19 Mar 2004 23:54:37 -0800
Subject: Should cron jobs be allowed to access the user's X session?
Message-ID: <405BF8BD.1080905@nogin.org>

I have a cron job that pops up a "reminder" message in my X session (provided I have one at that time). Should this be allowed? I am getting:

audit(1079766600.874:0): avc: denied { getattr } for pid=5767 exe=/usr/bin/python path=/home dev=hda2 ino=3777313 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079766600.915:0): avc: denied { getsched } for pid=5767 exe=/usr/bin/python scontext=aleksey:staff_r:staff_crond_t tcontext=aleksey:staff_r:staff_crond_t tclass=process
audit(1079766601.549:0): avc: denied { search } for pid=5767 exe=/usr/bin/python name=.X11-unix dev=hda2 ino=229366 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir
audit(1079766601.550:0): avc: denied { write } for pid=5767 exe=/usr/bin/python name=X0 dev=hda2 ino=229060 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=sock_file
audit(1079766601.576:0): avc: denied { connectto } for pid=5767 exe=/usr/bin/python path=/tmp/.X11-unix/X0 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:system_r:xdm_xserver_t tclass=unix_stream_socket
audit(1079766601.576:0): avc: denied { read } for pid=5767 exe=/usr/bin/python name=.Xauthority dev=hda2 ino=311184 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:staff_home_xauth_t tclass=file
audit(1079766601.577:0): avc: denied { getattr } for pid=5767 exe=/usr/bin/python path=/home/aleksey/.Xauthority dev=hda2 ino=311184 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:staff_home_xauth_t tclass=file
audit(1079766602.836:0): avc: denied { search } for pid=5767 exe=/usr/bin/python name=fonts dev=hda2 ino=114501 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:fonts_t tclass=dir
audit(1079766602.883:0): avc: denied { read } for pid=5767 exe=/usr/bin/python name=fonts.cache-1 dev=hda2 ino=114575 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:fonts_t tclass=file
audit(1079766602.885:0): avc: denied { getattr } for pid=5767 exe=/usr/bin/python path=/usr/share/fonts dev=hda2 ino=114501 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:fonts_t tclass=dir
audit(1079766602.885:0): avc: denied { getattr } for pid=5767 exe=/usr/bin/python path=/usr/share/fonts/fonts.cache-1 dev=hda2 ino=114575 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:fonts_t tclass=file
audit(1079766603.005:0): avc: denied { read } for pid=5767 exe=/usr/bin/python name=OTF dev=hda2 ino=4366585 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:fonts_t tclass=dir
audit(1079767201.115:0): avc: denied { search } for pid=5794 exe=/usr/bin/python name=.X11-unix dev=hda2 ino=229366 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir
audit(1079767201.115:0): avc: denied { write } for pid=5794 exe=/usr/bin/python name=X0 dev=hda2 ino=229060 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=sock_file
audit(1079767201.116:0): avc: denied { read } for pid=5794 exe=/usr/bin/python name=.Xauthority dev=hda2 ino=311184 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:staff_home_xauth_t tclass=file
audit(1079767201.116:0): avc: denied { getattr } for pid=5794 exe=/usr/bin/python path=/home/aleksey/.Xauthority dev=hda2 ino=311184 scontext=aleksey:staff_r:staff_crond_t tcontext=system_u:object_r:staff_home_xauth_t tclass=file

From aleksey at nogin.org Sat Mar 20 20:42:19 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Sat, 20 Mar 2004 12:42:19 -0800
Subject: [policy-1.9-5] VNC module in X AVC
Message-ID: <405CACAB.6020204@nogin.org>

If I have

Load "vnc"

in my XF86Config, then by default the vnc module will listen on port 5900+display.
In policy-1.9-5 this does not seem to be allowed:

audit(1079814805.625:0): avc: denied { name_bind } for pid=2025 exe=/usr/X11R6/bin/XFree86 src=5900 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:port_t tclass=tcp_socket

From russell at coker.com.au Sun Mar 21 02:24:05 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 21 Mar 2004 13:24:05 +1100
Subject: [policy-1.9-5] VNC module in X AVC
In-Reply-To: <405CACAB.6020204@nogin.org>
References: <405CACAB.6020204@nogin.org>
Message-ID: <200403211324.05328.russell@coker.com.au>

On Sun, 21 Mar 2004 07:42, Aleksey Nogin wrote:
> If I have
>
> Load "vnc"
>
> in my XF86Config, then by default the vnc module will listen on port 5900+display. In policy-1.9-5 this does not seem to be allowed:

5900 is not in /etc/services, is it standard? If so we need to get /etc/services corrected, and to have the port labeled as xserver_port_t.

From aleksey at nogin.org Sun Mar 21 02:48:15 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Sat, 20 Mar 2004 18:48:15 -0800
Subject: [policy-1.9-5] VNC module in X AVC
In-Reply-To: <200403211324.05328.russell@coker.com.au>
References: <405CACAB.6020204@nogin.org> <200403211324.05328.russell@coker.com.au>
Message-ID: <405D026F.2020306@nogin.org>

On 20.03.2004 18:24, Russell Coker wrote:
>> If I have
>>
>> Load "vnc"
>>
>> in my XF86Config, then by default the vnc module will listen on port 5900+display. In policy-1.9-5 this does not seem to be allowed:
>
> 5900 is not in /etc/services, is it standard?

It is a standard _offset_ for the VNC protocol - 5900 for :0, 5901 for :1 - same as with 6000 for X.

> If so we need to get /etc/services corrected, and to have the port labeled as xserver_port_t.

This might be reasonable - to reserve :0 for X and force Xvnc (which might be started by users) use higher display numbers.

From russell at coker.com.au Sun Mar 21 02:56:20 2004
From: russell at coker.com.au (Russell Coker)
Date: Sun, 21 Mar 2004 13:56:20 +1100
Subject: [policy-1.9-5] VNC module in X AVC
In-Reply-To: <405D026F.2020306@nogin.org>
References: <405CACAB.6020204@nogin.org> <200403211324.05328.russell@coker.com.au> <405D026F.2020306@nogin.org>
Message-ID: <200403211356.20386.russell@coker.com.au>

On Sun, 21 Mar 2004 13:48, Aleksey Nogin wrote:
> On 20.03.2004 18:24, Russell Coker wrote:
> > If so we need to get /etc/services corrected, and to have the port labeled as xserver_port_t.
>
> This might be reasonable - to reserve :0 for X and force Xvnc (which might be started by users) use higher display numbers.

In what situations would users need to start their own VNC servers?

What exactly does Xvnc do? Does it do the same sort of stuff as when the user runs "startx" but for remote display only? If so we need a user_vnc_t domain for it etc.

From aleksey at nogin.org Sun Mar 21 03:09:53 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Sat, 20 Mar 2004 19:09:53 -0800
Subject: [policy-1.9-5] VNC module in X AVC
In-Reply-To: <200403211356.20386.russell@coker.com.au>
References: <405CACAB.6020204@nogin.org> <200403211324.05328.russell@coker.com.au> <405D026F.2020306@nogin.org> <200403211356.20386.russell@coker.com.au>
Message-ID: <405D0781.1010701@nogin.org>

On 20.03.2004 18:56, Russell Coker wrote:
> What exactly does Xvnc do?

It starts a "virtual" X server - it does not attempt to interact with the local hardware, but it will listen on the 6000+display port as a normal X server (so the clients can connect) and it will listen on the 5900+display port, so that the vncviewer clients can connect (possibly remote, possibly several simultaneously) and on port 5800+display for http requests (essentially providing a Java version of the VNC client).

> Does it do the same sort of stuff as when the user runs "startx" but for remote display only?

This is different. Normally Xvnc is started by the /usr/bin/vncserver script (there is also /etc/rc.d/init.d/vncserver script which might need a separate treatment), which would first start Xvnc and then start appropriate X clients to the newly created display.

From twaugh at redhat.com Sun Mar 21 08:57:27 2004
From: twaugh at redhat.com (Tim Waugh)
Date: Sun, 21 Mar 2004 08:57:27 +0000
Subject: [policy-1.9-5] VNC module in X AVC
In-Reply-To: <200403211356.20386.russell@coker.com.au>
References: <405CACAB.6020204@nogin.org> <200403211324.05328.russell@coker.com.au> <405D026F.2020306@nogin.org> <200403211356.20386.russell@coker.com.au>
Message-ID: <20040321085727.GU22468@redhat.com>

On Sun, Mar 21, 2004 at 01:56:20PM +1100, Russell Coker wrote:
> > This might be reasonable - to reserve :0 for X and force Xvnc (which might be started by users) use higher display numbers.
>
> In what situations would users need to start their own VNC servers?

All the time, usually from the vncserver perl script. You might want to start VNC from an ssh login, for example.

Note that the vncserver init script will also want to do this.

Tim.

From rusinskystanislas at yahoo.fr Sun Mar 21 17:24:17 2004
From: rusinskystanislas at yahoo.fr (Rusinsky Stanislas Herman W. A.)
Date: Sun, 21 Mar 2004 18:24:17 +0100
Subject: where to get the packages for FC2-t1
Message-ID: <1079889857.7260.5.camel@localhost>

Hello,

I've searched for the SELinux rpm's for FC2-t1 but couldn't find them. Is there any link to a site with them ? Any link to a HOWTO ? I haven't found information on Fedora site's SELinux page either. Are Dan Walsh's packages suitable for this version ?

Thanks,
Stanislas.

--
"Many are the plans in a man's heart, but is the Lord's purpose that prevails" Prov.
19.21 From rhally at mindspring.com Sun Mar 21 18:55:58 2004 From: rhally at mindspring.com (Richard Hally) Date: Sun, 21 Mar 2004 13:55:58 -0500 Subject: where to get the packages for FC2-t1 In-Reply-To: <1079889857.7260.5.camel@localhost> Message-ID: Here are a couple of links to HOWTOs https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266 https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266 Richard Hally -----Original Message----- From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Rusinsky Stanislas Herman W. A. Sent: Sunday, March 21, 2004 12:24 PM To: Fedora SELinux support list for users & developers. Subject: where to get the packages for FC2-t1 Hello, I've searched for the SELinux rpm's for FC2-t1 but couldn't find them. Is there any link to a site with them ? Any link to a HOWTO ? I haven't found information on Fedora site's SELInux page neither. Are Dan Walsh's packages suitable for this version ? Thanks, Stanislas. -- "Many are the plans in a man's heart, but is the Lord's purpose that prevails" Prov. 19.21 -- fedora-selinux-list mailing list fedora-selinux-list at redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list From cra at WPI.EDU Mon Mar 22 06:06:08 2004 From: cra at WPI.EDU (Charles R. Anderson) Date: Mon, 22 Mar 2004 01:06:08 -0500 Subject: /1 and /2 ? Message-ID: <20040322060608.GE20103@angus.ind.WPI.EDU> What the heck are the /1 and /2 files for? [root at foo /]# ls -l /[12] -rw-r--r-- 1 root root 161 Mar 21 22:28 /1 -rw-r--r-- 1 root root 0 Mar 21 22:28 /2 [root at foo /]# cat 1 make: Entering directory `/etc/security/selinux/src/policy' make: Nothing to be done for `/dev/null'. 
make: Leaving directory `/etc/security/selinux/src/policy'

Looks like temp files leftover from something in the install process, since the timestamp is before that of install.log:

[root at foo root]# ls -l install.log
-rw-r--r--  1 root root 62700 Mar 21 22:47 install.log

and this was a fresh format + everything install.

From russell at coker.com.au Mon Mar 22 06:14:20 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 22 Mar 2004 17:14:20 +1100
Subject: /1 and /2 ?
In-Reply-To: <20040322060608.GE20103@angus.ind.WPI.EDU>
References: <20040322060608.GE20103@angus.ind.WPI.EDU>
Message-ID: <200403221714.20088.russell@coker.com.au>

On Mon, 22 Mar 2004 17:06, "Charles R. Anderson" wrote:
> What the heck are the /1 and /2 files for?
>
> [root at foo /]# ls -l /[12]
> -rw-r--r--  1 root root 161 Mar 21 22:28 /1
> -rw-r--r--  1 root root   0 Mar 21 22:28 /2

What is the contents of /1?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From cra at WPI.EDU Mon Mar 22 06:21:18 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Mon, 22 Mar 2004 01:21:18 -0500
Subject: /1 and /2 ?
In-Reply-To: <200403221714.20088.russell@coker.com.au>
References: <20040322060608.GE20103@angus.ind.WPI.EDU> <200403221714.20088.russell@coker.com.au>
Message-ID: <20040322062118.GG20103@angus.ind.WPI.EDU>

On Mon, Mar 22, 2004 at 05:14:20PM +1100, Russell Coker wrote:
> On Mon, 22 Mar 2004 17:06, "Charles R. Anderson" wrote:
> > What the heck are the /1 and /2 files for?
> >
> > [root at foo /]# ls -l /[12]
> > -rw-r--r--  1 root root 161 Mar 21 22:28 /1
> > -rw-r--r--  1 root root   0 Mar 21 22:28 /2
>
> What is the contents of /1?

It is in the part of the email you cut out...

From cra at WPI.EDU Mon Mar 22 06:25:34 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Mon, 22 Mar 2004 01:25:34 -0500
Subject: relabel home directory?
Message-ID: <20040322062534.GH20103@angus.ind.WPI.EDU>

I installed a fresh copy of FC 1.91 200403191323, formatting all partitions except /home. My home directory is not properly labelled, so I cannot log in. A new user created with "useradd" can log in. How do I fix the contexts on my home directory?

[root at foo home]# ls --lcontext
total 32
drwx------ 18 root:object_r:file_t          cra  cra   4096 Mar 18 00:35 cra
drwx------  2 (null)                        root root 16384 Feb 16 16:01 lost+found
drwx------ 16 root:object_r:user_home_dir_t test test  4096 Mar 22 01:18 test

[root at foo cra]# ls --lcontext
....
-rw-r--r-- 1 (null) cra cra  738 Feb 16 23:21 .complete
drwxr-x--- 2 (null) cra cra 4096 Mar 18 00:30 Desktop
-rw-r--r-- 1 (null) cra cra 2323 Feb 16 23:21 .dircolors
-rw-r--r-- 1 (null) cra cra   26 Mar 18 00:30 .dmrc
....

From aleksey at nogin.org Mon Mar 22 06:36:02 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Sun, 21 Mar 2004 22:36:02 -0800
Subject: relabel home directory?
In-Reply-To: <20040322062534.GH20103@angus.ind.WPI.EDU>
References: <20040322062534.GH20103@angus.ind.WPI.EDU>
Message-ID: <405E8952.5010401@nogin.org>

On 21.03.2004 22:25, Charles R. Anderson wrote:
> I installed a fresh copy of FC 1.91 200403191323, formatting all partitions except /home. My home directory is not properly labelled, so I cannot log in. A new user created with "useradd" can log in. How do I fix the contexts on my home directory?

Run

/usr/sbin/setfiles /etc/security/selinux/file_contexts /home

This will label /home correctly.

-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From cra at WPI.EDU Mon Mar 22 07:04:36 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Mon, 22 Mar 2004 02:04:36 -0500
Subject: relabel home directory?
In-Reply-To: <405E8952.5010401@nogin.org>
References: <20040322062534.GH20103@angus.ind.WPI.EDU> <405E8952.5010401@nogin.org>
Message-ID: <20040322070436.GI20103@angus.ind.WPI.EDU>

On Sun, Mar 21, 2004 at 10:36:02PM -0800, Aleksey Nogin wrote:
> /usr/sbin/setfiles /etc/security/selinux/file_contexts /home
> This will label /home correctly.

Thanks!

From smoogen at lanl.gov Mon Mar 22 15:08:12 2004
From: smoogen at lanl.gov (Stephen Smoogen)
Date: Mon, 22 Mar 2004 08:08:12 -0700
Subject: /1 and /2 ?
In-Reply-To: <20040322060608.GE20103@angus.ind.WPI.EDU>
References: <20040322060608.GE20103@angus.ind.WPI.EDU>
Message-ID: <1079968091.2687.3.camel@smoogen2.lanl.gov>

On Sun, 2004-03-21 at 23:06, Charles R. Anderson wrote:
> What the heck are the /1 and /2 files for?
>
> [root at foo /]# ls -l /[12]
> -rw-r--r--  1 root root 161 Mar 21 22:28 /1
> -rw-r--r--  1 root root   0 Mar 21 22:28 /2
>
> [root at foo /]# cat 1
> make: Entering directory `/etc/security/selinux/src/policy'
> make: Nothing to be done for `/dev/null'.
> make: Leaving directory `/etc/security/selinux/src/policy'

I am guessing that somewhere someone is using the old 2>& 1 type line and it didn't work. [I always get csh and bash mixed up myself on these.]

> Looks like temp files leftover from something in the install process, since the timestamp is before that of install.log:
>
> [root at foo root]# ls -l install.log
> -rw-r--r--  1 root root 62700 Mar 21 22:47 install.log
>
> and this was a fresh format + everything install.

-- 
Stephen John Smoogen            smoogen at lanl.gov
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --

From dwalsh at redhat.com Mon Mar 22 15:28:45 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 22 Mar 2004 10:28:45 -0500
Subject: /1 and /2 ?
In-Reply-To: <1079968091.2687.3.camel@smoogen2.lanl.gov>
References: <20040322060608.GE20103@angus.ind.WPI.EDU> <1079968091.2687.3.camel@smoogen2.lanl.gov>
Message-ID: <405F062D.2090502@redhat.com>

Stephen Smoogen wrote:
> On Sun, 2004-03-21 at 23:06, Charles R. Anderson wrote:
>> What the heck are the /1 and /2 files for?
>>
>> [root at foo /]# ls -l /[12]
>> -rw-r--r--  1 root root 161 Mar 21 22:28 /1
>> -rw-r--r--  1 root root   0 Mar 21 22:28 /2
>>
>> [root at foo /]# cat 1
>> make: Entering directory `/etc/security/selinux/src/policy'
>> make: Nothing to be done for `/dev/null'.
>> make: Leaving directory `/etc/security/selinux/src/policy'
>
> I am guessing that somewhere someone is using the old 2>& 1 type line and it didn't work. [I always get csh and bash mixed up myself on these.]
>
>> Looks like temp files leftover from something in the install process, since the timestamp is before that of install.log:
>>
>> [root at foo root]# ls -l install.log
>> -rw-r--r--  1 root root 62700 Mar 21 22:47 install.log
>>
>> and this was a fresh format + everything install.

Guilty. I had it backwards in policy-sources. Fixed in next version.
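An added note with example code, not from anyone on the thread: the guess about redirection can be checked without touching a policy build. The script below runs a stand-in for make under several redirection spellings inside a scratch directory and reports which of them leave files named 1 and 2 behind (the pattern Charles found in /, the working directory during the install) and which only send stderr somewhere other than intended. The stand-in command and the spellings are constructed; the policy-sources line Dan corrected is not quoted in the thread, so none of them claims to be it.

```sh
#!/bin/sh
# Added example (not from the thread): which redirection spellings leave
# stray files named "1" and "2" behind, and which only misroute stderr.
# Run with / as the working directory, the first kind produces exactly the
# /1 and /2 Charles found. The command is a constructed stand-in for make;
# the real policy-sources line is not quoted in the thread.

# Stand-in for the noisy command: one line on stdout, one on stderr.
noisy() {
    echo "make: Entering directory /etc/security/selinux/src/policy"
    echo "make: *** simulated warning" >&2
}

# stray_files SPELLING: run "noisy SPELLING" in a fresh scratch directory
# and report the files it leaves there, space separated, or "none".
stray_files() {
    dir=$(mktemp -d)
    ( cd "$dir" && eval "noisy $1" ) >/dev/null 2>&1
    files=$(cd "$dir" && ls | tr '\n' ' ' | sed 's/ *$//')
    rm -rf "$dir"
    if [ -n "$files" ]; then echo "$files"; else echo none; fi
}

# leaked_lines SPELLING: count the lines that still escape to the caller's
# stdout after the redirection, i.e. what would reach the install log or
# the console instead of /dev/null.
leaked_lines() {
    dir=$(mktemp -d)
    out=$(cd "$dir" && eval "noisy $1" 2>/dev/null)
    rm -rf "$dir"
    if [ -z "$out" ]; then echo 0; else printf '%s\n' "$out" | wc -l | tr -d ' '; fi
}

# fd_named_files_in DIR: audit for an already-affected box. Regular files
# named like shell file descriptors at the top of a filesystem are almost
# always this mistake; use / on a real system.
fd_named_files_in() {
    for f in "$1"/0 "$1"/1 "$1"/2; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}

main() {
    for s in '>/dev/null 2>&1' '2>&1 >/dev/null' '>/dev/null 2>1' '> 1 2> 2'; do
        printf '%-20s stray files: %-6s leaked lines: %s\n' \
            "$s" "$(stray_files "$s")" "$(leaked_lines "$s")"
    done
}
main
```

The first spelling is the correct one; the second is the classic "backwards" order, which discards stdout but still lets stderr through; the third drops the ampersand and writes stderr into a file called 1; the fourth names plain files for both streams, which is what leaves a populated 1 and an empty (or stderr-only) 2 in whatever directory the command ran from.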
From agibson at ptm.com Mon Mar 22 16:27:58 2004
From: agibson at ptm.com (Adam Gibson)
Date: 22 Mar 2004 11:27:58 -0500
Subject: [policy-1.9-5] VNC module in X AVC
In-Reply-To: <20040321085727.GU22468@redhat.com>
References: <405CACAB.6020204@nogin.org> <200403211324.05328.russell@coker.com.au> <405D026F.2020306@nogin.org> <200403211356.20386.russell@coker.com.au> <20040321085727.GU22468@redhat.com>
Message-ID: <1079972878.22815.69.camel@agibson2.protech.ptm.com>

As a heavy user of the vnc.o module, I just want to make sure everyone understands the benefit of using the vnc.o X module by adding the info to XF86Config compared to using Xvnc. The vnc.o module automatically exports the default local display :0 that users see on their local monitor. Previously the user had to manually run x0vncviewer after logging in to the local system to export the currently running display (usually ':0'), which was rather kludgy, slow and resource intensive. Before that it was not even possible to do it... they had to just start a new X server display with Xvnc specifically for remote vnc and run applications separately on that display.

These are my XF86Config file additions to get it working under Fedora Core 1 in case others want to test it with SELinux (I wish there was documentation explaining this from RedHat... I had to search for quite some time to figure out how to enable the vnc.o modules that Fedora Core 1 ships with).

Under "Module" section
    Load "Vnc"

Under "Screen" section
    Option "httpdir" "/usr/share/vnc/classes"
    Option "PasswordFile" "/root/.vnc/passwd"
    Option "rfbport" "5999"
    Option "LocalHost"
    Option "usevnc"

Note: I also had to create the /root/.vnc/passwd using /usr/bin/vncpasswd. I have not figured out a way to have a separate password depending on who logs in locally. It is one password for the local display regardless of who is logged in. For single user systems this works fine.

On Sun, 2004-03-21 at 03:57, Tim Waugh wrote:
> On Sun, Mar 21, 2004 at 01:56:20PM +1100, Russell Coker wrote:
> > > This might be reasonable - to reserve :0 for X and force Xvnc (which might be started by users) use higher display numbers.
> >
> > In what situations would users need to start their own VNC servers?
>
> All the time, usually from the vncserver perl script. You might want to start VNC from an ssh login, for example.
>
> Note that the vncserver init script will also want to do this.
>
> Tim.
> */

-- 
Adam Gibson

From cra at WPI.EDU Mon Mar 22 17:17:31 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Mon, 22 Mar 2004 12:17:31 -0500
Subject: [policy-1.9-5] VNC module in X AVC
In-Reply-To: <1079972878.22815.69.camel@agibson2.protech.ptm.com>
References: <405CACAB.6020204@nogin.org> <200403211324.05328.russell@coker.com.au> <405D026F.2020306@nogin.org> <200403211356.20386.russell@coker.com.au> <20040321085727.GU22468@redhat.com> <1079972878.22815.69.camel@agibson2.protech.ptm.com>
Message-ID: <20040322171731.GN20103@angus.ind.WPI.EDU>

On Mon, Mar 22, 2004 at 11:27:58AM -0500, Adam Gibson wrote:
> As a heavy user of the vnc.o module, I just want to make sure everyone understands the benefit of using the vnc.o X module by adding the info to XF86Config compared to using Xvnc. The vnc.o module automatically

XFree86 isn't under GPL. VNC is under GPL. Last time I asked about this, this license conflict was the reason vnc.o isn't integrated. Maybe this can change now with X.org.

> documentation explaining this from RedHat... I had to search for quite some time to figure out how to enable the vnc.o modules that Fedora Core 1 ships with).

FC1 ships with vnc.o? FC2-devel doesn't have it.

From twaugh at redhat.com Mon Mar 22 17:51:21 2004
From: twaugh at redhat.com (Tim Waugh)
Date: Mon, 22 Mar 2004 17:51:21 +0000
Subject: [policy-1.9-5] VNC module in X AVC
In-Reply-To: <20040322171731.GN20103@angus.ind.WPI.EDU>
References: <405CACAB.6020204@nogin.org> <200403211324.05328.russell@coker.com.au> <405D026F.2020306@nogin.org> <200403211356.20386.russell@coker.com.au> <20040321085727.GU22468@redhat.com> <1079972878.22815.69.camel@agibson2.protech.ptm.com> <20040322171731.GN20103@angus.ind.WPI.EDU>
Message-ID: <20040322175120.GD22468@redhat.com>

On Mon, Mar 22, 2004 at 12:17:31PM -0500, Charles R. Anderson wrote:
> FC1 ships with vnc.o? FC2-devel doesn't have it.

It does. It's in the vnc-server package.

Tim.
*/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: 

From cra at WPI.EDU Mon Mar 22 17:53:07 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Mon, 22 Mar 2004 12:53:07 -0500
Subject: [policy-1.9-5] VNC module in X AVC
In-Reply-To: <20040322175120.GD22468@redhat.com>
References: <405CACAB.6020204@nogin.org> <200403211324.05328.russell@coker.com.au> <405D026F.2020306@nogin.org> <200403211356.20386.russell@coker.com.au> <20040321085727.GU22468@redhat.com> <1079972878.22815.69.camel@agibson2.protech.ptm.com> <20040322171731.GN20103@angus.ind.WPI.EDU> <20040322175120.GD22468@redhat.com>
Message-ID: <20040322175307.GP20103@angus.ind.WPI.EDU>

On Mon, Mar 22, 2004 at 05:51:21PM +0000, Tim Waugh wrote:
> > FC1 ships with vnc.o? FC2-devel doesn't have it.
> It does. It's in the vnc-server package.

So it does. It looks like it is vnc.so in -devel:

/usr/X11R6/lib/modules/extensions/vnc.so

So was the licensing issue resolved?
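An added example, not code from the thread or from the VNC or XFree86 projects: a small lint over XF86Config additions like Adam's. It reports whether the vnc module is loaded and, if so, whether Option "LocalHost" confines the RFB listener to the loopback interface (reachable only through a tunnel such as the ssh -L command Adam describes) or leaves display :0 listening on every interface with nothing but the shared vncpasswd file in front of it. The Section/EndSection layout of the samples and the 5900 default port for display :0 (which Aleksey mentions later in the thread) are assumptions; the option spellings are Adam's.

```sh
#!/bin/sh
# Added example (not from the thread, Fedora, VNC or XFree86): lint an
# XF86Config fragment that loads the vnc.o X module and report where the
# RFB listener is bound. Samples below are constructed.

# vnc_listen_mode: read XF86Config text on stdin, print one of
#   vnc-not-loaded
#   loopback-only:<rfbport>
#   all-interfaces:<rfbport>
# 5900 is assumed as the default RFB port for display :0 when no
# Option "rfbport" is given.
vnc_listen_mode() {
    awk '
        { sub(/#.*/, "") }                      # a commented-out Option must not count
        /^[ \t]*Load[ \t]+"[Vv][Nn][Cc]"/       { loaded = 1 }
        /^[ \t]*Option[ \t]+"LocalHost"/        { lo = 1 }
        /^[ \t]*Option[ \t]+"rfbport"/          { port = $3; gsub(/"/, "", port) }
        END {
            if (!loaded) { print "vnc-not-loaded"; exit }
            if (port == "") port = "5900"
            mode = lo ? "loopback-only:" : "all-interfaces:"
            print mode port
        }'
}

# Constructed sample: Adam Gibson's additions, wrapped in section syntax.
adam_config() {
cat <<'EOF'
Section "Module"
    Load "Vnc"
EndSection

Section "Screen"
    Option "httpdir" "/usr/share/vnc/classes"
    Option "PasswordFile" "/root/.vnc/passwd"
    Option "rfbport" "5999"
    Option "LocalHost"
    Option "usevnc"
EndSection
EOF
}

# Constructed variant: LocalHost commented out for direct connections, so
# the local display is reachable from the network on the default port.
exposed_config() {
cat <<'EOF'
Section "Module"
    Load "Vnc"
EndSection

Section "Screen"
    Option "PasswordFile" "/root/.vnc/passwd"
    # Option "LocalHost"
    Option "usevnc"
EndSection
EOF
}

# Constructed control: no VNC module at all.
plain_config() {
cat <<'EOF'
Section "Module"
    Load "glx"
EndSection
EOF
}

main() {
    for c in adam_config exposed_config plain_config; do
        printf '%-15s %s\n' "$c" "$($c | vnc_listen_mode)"
    done
}
main
```

Adam's configuration passes as loopback-only:5999; the variant with LocalHost commented out reports all-interfaces:5900, which is the state his later note about removing the option describes for direct connections. Run it against a real file with "vnc_listen_mode < /etc/X11/XF86Config".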
From twaugh at redhat.com Mon Mar 22 18:13:04 2004
From: twaugh at redhat.com (Tim Waugh)
Date: Mon, 22 Mar 2004 18:13:04 +0000
Subject: [policy-1.9-5] VNC module in X AVC
In-Reply-To: <20040322175307.GP20103@angus.ind.WPI.EDU>
References: <405CACAB.6020204@nogin.org> <200403211324.05328.russell@coker.com.au> <405D026F.2020306@nogin.org> <200403211356.20386.russell@coker.com.au> <20040321085727.GU22468@redhat.com> <1079972878.22815.69.camel@agibson2.protech.ptm.com> <20040322171731.GN20103@angus.ind.WPI.EDU> <20040322175120.GD22468@redhat.com> <20040322175307.GP20103@angus.ind.WPI.EDU>
Message-ID: <20040322181304.GE22468@redhat.com>

On Mon, Mar 22, 2004 at 12:53:07PM -0500, Charles R. Anderson wrote:
> On Mon, Mar 22, 2004 at 05:51:21PM +0000, Tim Waugh wrote:
> > > FC1 ships with vnc.o? FC2-devel doesn't have it.
> > It does. It's in the vnc-server package.
>
> So it does. It looks like it is vnc.so in -devel:
>
> /usr/X11R6/lib/modules/extensions/vnc.so
>
> So was the licensing issue resolved?

The issue isn't between VNC and 4.3.x-style XFree86 licensing -- this is the same sort of thing as shipping Xvnc.

Tim.
*/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: 

From agibson at ptm.com Mon Mar 22 18:45:07 2004
From: agibson at ptm.com (Adam Gibson)
Date: 22 Mar 2004 13:45:07 -0500
Subject: [policy-1.9-5] VNC module in X AVC
In-Reply-To: <1079972878.22815.69.camel@agibson2.protech.ptm.com>
References: <405CACAB.6020204@nogin.org> <200403211324.05328.russell@coker.com.au> <405D026F.2020306@nogin.org> <200403211356.20386.russell@coker.com.au> <20040321085727.GU22468@redhat.com> <1079972878.22815.69.camel@agibson2.protech.ptm.com>
Message-ID: <1079981106.22815.138.camel@agibson2.protech.ptm.com>

On Mon, 2004-03-22 at 11:27, Adam Gibson wrote:
> As a heavy user of the vnc.o module, I just want to make sure everyone understands the benefit of using the vnc.o X module by adding the info to
--- cut ---
> These are my XF86Config file additions to get it working under Fedora Core 1 in case others want to test it with SELinux (I wish there was documentation explaining this from RedHat... I had to search for quite some time to figure out how to enable the vnc.o modules that Fedora Core 1 ships with).
>
> Under "Module" section
> Load "Vnc"
>
> Under "Screen" section
> Option "httpdir" "/usr/share/vnc/classes"
> Option "PasswordFile" "/root/.vnc/passwd"
> Option "rfbport" "5999"
> Option "LocalHost"
> Option "usevnc"

Probably getting a little off subject, but just a note that the Option "LocalHost" makes it only listen on the loopback address (I use port forwarding with SSH so that the connection is encrypted remotely).

From remote system:
ssh -L 24000:127.0.0.1:5999 user at RemoteSshHost

From remote system:
vncviewer :24000

If you just want to connect directly to the vnc port (5999 as configured above) then just remove or comment the Option "LocalHost".

-- 
Adam Gibson

From aleksey at nogin.org Mon Mar 22 20:28:40 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Mon, 22 Mar 2004 12:28:40 -0800
Subject: [policy-1.9-5] VNC module in X AVC
In-Reply-To: <1079972878.22815.69.camel@agibson2.protech.ptm.com>
References: <405CACAB.6020204@nogin.org> <200403211324.05328.russell@coker.com.au> <405D026F.2020306@nogin.org> <200403211356.20386.russell@coker.com.au> <20040321085727.GU22468@redhat.com> <1079972878.22815.69.camel@agibson2.protech.ptm.com>
Message-ID: <405F4C78.5000207@nogin.org>

On 22.03.2004 08:27, Adam Gibson wrote:
> As a heavy user of the vnc.o module, I just want to make sure everyone understands the benefit of using the vnc.o X module by adding the info to XF86Config compared to using Xvnc. The vnc.o module automatically exports the default local display :0 that users see on their local monitor.

Yes, and what this allows is for people to run their normal X session without any additional overhead (as opposed to running an Xvnc and vncviewer locally, which is much slower), but still be able to access that session remotely when necessary.

> Note: I also had to create the /root/.vnc/passwd using /usr/bin/vncpasswd. I have not figured out a way to have a separate password depending on who logs in locally. It is one password for the local display regardless of who is logged in. For single user systems this works fine.

Have you tried adding an appropriate vncconfig call to the {d,k,x}dm "start session" script?

On 22.03.2004 10:45, Adam Gibson wrote:
> Probably getting a little off subject, but just a note that the Option "LocalHost" makes it only listen on the loopback address (I use port forwarding with SSH so that the connection is encrypted remotely).
>
> From remote system:
> ssh -L 24000:127.0.0.1:5999 user at RemoteSshHost
>
> From remote system:
> vncviewer :24000

BTW, the above two commands could be replaced with "vncviewer -via RemoteSshHost :0" (if you used the default 5900 rfbport, instead of setting it to 5999).

From penny-cornette at insight.rr.com Mon Mar 22 22:53:52 2004
From: penny-cornette at insight.rr.com (Jim Cornette)
Date: Mon, 22 Mar 2004 17:53:52 -0500
Subject: MRTG errors with SELinux on
Message-ID: <405F6E80.7090901@insight.rr.com>

When I was running this computer yesterday with selinux=1, I got this mail message every few minutes. I am running with selinux=0 now and this message does not show.

Also, kmail reported that there was file corruption when launching without having selinux active. I was also set off with a message that I got with usermount when selinux was active. It asked for me to contact my administrator for access to any usually user visible mounts. It works normally with selinux off. There was also a problem with system-config-display.

Posted below the mail for the perl or mrtg error is an excerpt from the userland programs that I had errors with.

Use of uninitialized value in string at /usr/bin/mrtg line 72.
Empty compile time value given to use lib at /usr/bin/mrtg line 72
Use of uninitialized value in concatenation (.) or string at /usr/bin/mrtg line 73.
Can't locate MRTG_lib.pm in @INC (@INC contains: /../lib/mrtg2 /usr/lib/perl5/5.8.3/i386-linux-thread-multi /usr/lib/perl5/5.8.3 /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at /usr/bin/mrtg line 78.
BEGIN failed--compilation aborted at /usr/bin/mrtg line 78.

excerpt from previous mail.
------------------------
The real distraction with SELinux is that everything seems to error out with "you don't have permission to perform this task, contact your administrator". The simple task was to mount drives. Message in pop-up states:

There are no filesystems which you are allowed to mount or unmount.
Contact your administrator.
OK!

This used to work fine without SELinux. This limitation or additional setup step will cause a lot of grief for users.

Now for trying to configure the display. Between running the command from either a regular user's terminal or launching from hat >> system settings >> display, the trouble is more obvious that SELinux is getting in the way. Running it from a root shell allows the program to work correctly. gnome-terminal as regular user shows below:

system-config-display
Could not set exec context to user_u:sysadm_r:sysadm_t.
--------------------------
Jim

From kwade at redhat.com Mon Mar 22 23:29:51 2004
From: kwade at redhat.com (Karsten Wade)
Date: 22 Mar 2004 15:29:51 -0800
Subject: receiving bug reports
Message-ID: <1079998190.19280.5842.camel@erato.phig.org>

I'm wondering if this list is interested in receiving the bug reports against the Fedora SELinux FAQ.

The Fedora SELinux FAQ is focused on answering Fedora specific SELinux questions, and pointing people to other sources of information. This will come out with FC2 test2.

Additions and changes to the FAQ will be handled through bugzilla.redhat.com, which is the pattern for the Fedora docs project. For fedora-selinux-list to receive the bug reports, we need to create a bugzilla account, then we cc: the list on additions to the FAQ via bugzilla.

This would be a good way to keep everyone aware of new and useful FAQ items. It also keeps us in the discussion about the additions and changes. This same method could be used for any SELinux bugs the list wishes to track. For developers and writers, bugzilla is a handy tool for keeping track of tasks and the discussion around them.

However, getting bugzilla traffic may increase the noise on the list for some people[1]. So, I respectfully ask for the opinion and permission of this list.

Thanks - Karsten

[1] FWIW, proper mail filtering would take care of this noise.

-- 
Karsten Wade, Sr. Tech Writer
this is not the .signature you are looking for
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41

From cra at WPI.EDU Tue Mar 23 00:23:05 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Mon, 22 Mar 2004 19:23:05 -0500
Subject: MRTG errors with SELinux on
In-Reply-To: <405F6E80.7090901@insight.rr.com>
References: <405F6E80.7090901@insight.rr.com>
Message-ID: <20040323002305.GU20103@angus.ind.WPI.EDU>

On Mon, Mar 22, 2004 at 05:53:52PM -0500, Jim Cornette wrote:
> When I was running this computer yesterday with selinux=1, I got this mail message every few minutes. I am running with selinux=0 now and this message does not show.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118877

From aleksey at nogin.org Wed Mar 24 10:50:46 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Wed, 24 Mar 2004 02:50:46 -0800
Subject: [policy-1.9-11] ssh-agent takes all the CPU in enforcing mode.
Message-ID: <40616806.5090303@nogin.org>

What I see in the logs is

audit(1080124752.283:0): avc: denied { write } for pid=2885 exe=/usr/bin/ssh-agent path=/home/aleksey/.xsession-errors dev=hda2 ino=310712 scontext=aleksey:staff_r:staff_ssh_agent_t tcontext=aleksey:object_r:staff_home_t tclass=file

and strace shows

getpid() = 2886
rt_sigaction(SIGPIPE, {0x1b9cc8, [], SA_RESTORER, 0x137478}, {SIG_IGN}, 8) = 0
socket(PF_UNIX, SOCK_DGRAM, 0) = 3
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
connect(3, {sa_family=AF_UNIX, path="/dev/log"}, 16) = 0
send(3, "<35>Mar 24 02:48:10 ssh-agent[2886]: error: accept from AUTH_SOCKET: Socket operation on non-socket", 99, 0) = 99
rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
close(3) = 0
select(2, [1], [], NULL, NULL) = 1 (in [1])
accept(1, 0xfeee0800, [110]) = -1 ENOTSOCK (Socket operation on non-socket)
time([1080125290]) = 1080125290
getpid() = 2886

going in circles.
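An added example, not a tool from Fedora or policy-sources: the denial above reduced to the allow rule it asks for, first as a concrete rule and then in the $1_-prefixed form that ssh_agent_macros.te uses for per-user domains. The prefix rule (the source role with its _r suffix removed, here staff) is an assumption about how that macro is parameterised; the AVC line is copied from the report.

```sh
#!/bin/sh
# Added example (not a Fedora or policy-sources tool): reduce an AVC denial
# to the allow rule it asks for, concretely and in $1_-prefixed macro form.
# The prefix derivation (role minus "_r") is an assumption about the macro.

# Constructed copy of the denial from the report above.
AVC_SAMPLE='audit(1080124752.283:0): avc: denied { write } for pid=2885 exe=/usr/bin/ssh-agent path=/home/aleksey/.xsession-errors dev=hda2 ino=310712 scontext=aleksey:staff_r:staff_ssh_agent_t tcontext=aleksey:object_r:staff_home_t tclass=file'

# avc_field KEY LINE: value of the KEY=value token in an AVC line.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"
}

# avc_perms LINE: the permission names inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# A security context is user:role:type; pick the role or the type.
context_role() { printf '%s\n' "$1" | cut -d: -f2; }
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_to_allow LINE: allow <source type> <target type>:<class> { perms };
avc_to_allow() {
    stype=$(context_type "$(avc_field scontext "$1")")
    ttype=$(context_type "$(avc_field tcontext "$1")")
    printf 'allow %s %s:%s { %s };\n' \
        "$stype" "$ttype" "$(avc_field tclass "$1")" "$(avc_perms "$1")"
}

# avc_to_macro_rule LINE: the same rule with the per-user prefix taken from
# the source role (staff_r -> staff_) replaced by $1_, as in the .te macro.
avc_to_macro_rule() {
    prefix=$(context_role "$(avc_field scontext "$1")" | sed 's/_r$//')
    avc_to_allow "$1" | sed "s/ ${prefix}_/ \$1_/g"
}

# avc_summary LINE: what a reviewer checks before accepting the rule,
# namely which binary wanted which access on which path.
avc_summary() {
    printf '%s: %s on %s\n' "$(avc_field exe "$1")" "$(avc_perms "$1")" "$(avc_field path "$1")"
}

main() {
    avc_summary "$AVC_SAMPLE"
    avc_to_allow "$AVC_SAMPLE"
    avc_to_macro_rule "$AVC_SAMPLE"
}
main
```

A single denial is only the first blocked step: this line says ssh-agent was refused write on .xsession-errors, so the generated rule covers write and nothing else, whereas the macro Russell posts later in the thread also grants getattr and append on $1_home_t and dir search on home_root_t and $1_home_dir_t, which subsequent denials would surface one at a time. The exe and path fields decide whether a rule is appropriate at all; an X client writing its own .xsession-errors is expected behaviour, which is why granting it is the right fix rather than a workaround.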
From russell at coker.com.au Wed Mar 24 12:54:36 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 24 Mar 2004 23:54:36 +1100
Subject: [policy-1.9-11] ssh-agent takes all the CPU in enforcing mode.
In-Reply-To: <40616806.5090303@nogin.org>
References: <40616806.5090303@nogin.org>
Message-ID: <200403242354.36317.russell@coker.com.au>

On Wed, 24 Mar 2004 21:50, Aleksey Nogin wrote:
> What I see in the logs is
>
> audit(1080124752.283:0): avc: denied { write } for pid=2885 exe=/usr/bin/ssh-agent path=/home/aleksey/.xsession-errors dev=hda2 ino=310712 scontext=aleksey:staff_r:staff_ssh_agent_t tcontext=aleksey:object_r:staff_home_t tclass=file

Try using the attached ssh_agent_macros.te.

-------------- next part --------------
#
# Macros for ssh agent
#
# Author: Russell Coker
#

#
# ssh_agent_domain(domain_prefix)
#
# Define a derived domain for the ssh program when executed
# by a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/ssh.te.
#
define(`ssh_agent_domain',`
# Define a derived domain for the ssh-agent program when executed
# by a user domain.

# Derived domain based on the calling user domain and the program.
type $1_ssh_agent_t, domain, privlog;

# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t)

# The user role is authorized for this domain.
role $1_r types $1_ssh_agent_t;

allow $1_ssh_agent_t privfd:fd use;

# Write to the user domain tty.
allow $1_ssh_agent_t $1_tty_device_t:chr_file rw_file_perms;
allow $1_ssh_agent_t $1_devpts_t:chr_file rw_file_perms;

# Allow the user shell to signal the ssh program.
allow $1_t $1_ssh_agent_t:process signal;

# allow ps to show ssh
can_ps($1_t, $1_ssh_agent_t)

dontaudit $1_ssh_agent_t proc_t:dir { search };

can_ypbind($1_ssh_agent_t)

ifdef(`nfs_home_dirs', `
ifdef(`automount.te', `
allow $1_ssh_agent_t autofs_t:dir { search getattr };
')
rw_dir_create_file($1_ssh_agent_t, nfs_t)
can_exec($1_ssh_agent_t, nfs_t)
')dnl end nfs_home_dirs

uses_shlib($1_ssh_agent_t)
read_locale($1_ssh_agent_t)

# Access the ssh temporary files. Should we have an own type here
# to which only ssh, ssh-agent and ssh-add have access?
allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms;
file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t)

allow $1_ssh_agent_t self:unix_stream_socket create_stream_socket_perms;
allow $1_ssh_agent_t self:unix_dgram_socket create_socket_perms;

allow $1_ssh_agent_t self:process { fork sigchld setrlimit };

# access the random devices
allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read;

# for ssh-add
can_unix_connect($1_t, $1_ssh_agent_t)

# transition back to normal privs upon exec
domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t }, $1_t)
allow $1_ssh_agent_t bin_t:dir search;

# allow reading of /usr/bin/X11 (is a symlink)
allow $1_ssh_agent_t bin_t:lnk_file read;

allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull;

allow $1_ss_agent_placeholder_never_used_t self:process signull;
')dnl end if ssh_agent
I saw the email about sgi_fam so I set it off also (although I still get a bunch of messages at bootup. The system comes up fine in permissive mode so I tried changing /etc/sysconfig/selinux to "enforcing". Oops, lots more messages during bootup and a lot of services failing startup. Then I got this popup that the "gdm" user did not exist so gdm was not started. I assume that the way things are suppose to work is that the system comes up in enforcing mode the same way it would without selinux but that now I had to do things only with some kind of "role" for anything requiring special privledges. Is there any kind of "cookbook" that explains how to get started? I looked at the stuff in selinux-doc but there is nothing simple there. I am not sure what to report any problems against either. OK, can anyone point me to any "hints" on how to get started? Gene From rhally at mindspring.com Thu Mar 25 19:09:18 2004 From: rhally at mindspring.com (Richard Hally) Date: Thu, 25 Mar 2004 14:09:18 -0500 Subject: How to start using selinux? In-Reply-To: <200403251220.37578.gene@czarc.net> Message-ID: > Here are a couple of links to HOWTOs > > https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266 > > https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266 > Richard Hally -----Original Message----- From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Gene Czarcinski Sent: Thursday, March 25, 2004 12:21 PM To: fedora-selinux-list at redhat.com Subject: How to start using selinux? OK, it is getting close to when FC2 Test2 is to be available so I thought I would start playing with selinux. Rather than try to update Test1 and get it right, I downloaded FC2 x86_64 development yesterday (finally, a mirror that was current) and did an "everything" install with selinux set to "permissive". I had some initial problems with running kudzu so I have turned it off (not run at bootup). 
I saw the email about sgi_fam so I set it off also (although I still get a bunch of messages at bootup. The system comes up fine in permissive mode so I tried changing /etc/sysconfig/selinux to "enforcing". Oops, lots more messages during bootup and a lot of services failing startup. Then I got this popup that the "gdm" user did not exist so gdm was not started. I assume that the way things are suppose to work is that the system comes up in enforcing mode the same way it would without selinux but that now I had to do things only with some kind of "role" for anything requiring special privledges. Is there any kind of "cookbook" that explains how to get started? I looked at the stuff in selinux-doc but there is nothing simple there. I am not sure what to report any problems against either. OK, can anyone point me to any "hints" on how to get started? Gene -- fedora-selinux-list mailing list fedora-selinux-list at redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list From jmorris at redhat.com Thu Mar 25 19:58:14 2004 From: jmorris at redhat.com (James Morris) Date: Thu, 25 Mar 2004 14:58:14 -0500 (EST) Subject: How to start using selinux? In-Reply-To: <200403251220.37578.gene@czarc.net> Message-ID: On Thu, 25 Mar 2004, Gene Czarcinski wrote: > I had some initial problems with running kudzu so I have turned it off (not > run at bootup). I saw the email about sgi_fam so I set it off also (although > I still get a bunch of messages at bootup. Can you post these messages, please? Whatever is still not working needs to be fixed :-) - James -- James Morris From gene at czarc.net Thu Mar 25 21:48:47 2004 From: gene at czarc.net (Gene Czarcinski) Date: Thu, 25 Mar 2004 16:48:47 -0500 Subject: How to start using selinux? 
In-Reply-To: References: Message-ID: <200403251648.47214.gene@czarc.net> On Thursday 25 March 2004 14:58, James Morris wrote: > On Thu, 25 Mar 2004, Gene Czarcinski wrote: > > I had some initial problems with running kudzu so I have turned it off > > (not run at bootup). I saw the email about sgi_fam so I set it off also > > (although I still get a bunch of messages at bootup. > > Can you post these messages, please? > > Whatever is still not working needs to be fixed :-) OK ... the kudzu/sk98lin problem is https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119011 The messages, etc. are far too much data to put on the mailing list so I am emailing them directly to you (jmorris at redhat.com). The data include /var/log/messages and dmesg for booting up with selinux set to permissive as well as /var/log/messages for booting up with selinux set to enforcing (lots and lots of messages plus failed services). All testing was done an an ASUS mobo with a Opteron 140 and yesterday's snapshot of FC2 x86_64 development. Please not that when the system bootup completed, gdm would not start. In addition, I could not login as root. I have not done anything except play with /etc/sysconfig/selinux changing between enforcing and permissive. Since the default for the install is "enforcing", I would expect the installed system to at least come up and that I could login. To change between enforcing and permissive, I had to reboot into single user mode and after changing /etc/sysconfig/selinux to rebot to have it take effect. Gene From jmorris at redhat.com Thu Mar 25 22:02:36 2004 From: jmorris at redhat.com (James Morris) Date: Thu, 25 Mar 2004 17:02:36 -0500 (EST) Subject: How to start using selinux? In-Reply-To: <200403251648.47214.gene@czarc.net> Message-ID: On Thu, 25 Mar 2004, Gene Czarcinski wrote: > > The messages, etc. are far too much data to put on the mailing list so I am > emailing them directly to you (jmorris at redhat.com). 
Can you either put these on a web site or just send the first few denial messages to the list?

- James
--
James Morris

From gene at czarc.net Thu Mar 25 22:13:08 2004
From: gene at czarc.net (Gene Czarcinski)
Date: Thu, 25 Mar 2004 17:13:08 -0500
Subject: How to start using selinux?
In-Reply-To:
References:
Message-ID: <200403251713.08559.gene@czarc.net>

On Thursday 25 March 2004 14:09, Richard Hally wrote:
> > Here are a couple of links to HOWTOs
> >
> > https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266
> >
> > https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266

Thanks. They are good but ..

What I am looking for is something a bit more "cook bookish". Since the default (current snapshot of FC2 development) is to install with selinux set to enforcing, I am expecting the system to come up (it does not) and then some "cook book" instructions on setting things up so I can begin playing with things. Right now if I bootup with selinux set to enforcing, I cannot do anything .. even login.

I was hoping to see something with selinux running where I could then work (play) with the system to understand selinux configuration and usage.

Right now, booting up in single user mode is my most useful tool since that is the only way I have found to get out of enforcing mode.

I am hoping I do not need a two week course to be able to understand how to configure selinux.

I do not know what FC2 Test2 will have in it but from what I have seen so far, the default had better be permissive rather than enforcing ... either that or slip the schedule a bit more.

Gene

From gene at czarc.net Thu Mar 25 22:16:14 2004
From: gene at czarc.net (Gene Czarcinski)
Date: Thu, 25 Mar 2004 17:16:14 -0500
Subject: How to start using selinux?
In-Reply-To:
References:
Message-ID: <200403251716.14255.gene@czarc.net>

On Thursday 25 March 2004 17:02, James Morris wrote:
> On Thu, 25 Mar 2004, Gene Czarcinski wrote:
> > The messages, etc.
> > are far too much data to put on the mailing list so I
> > am emailing them directly to you (jmorris at redhat.com).
>
> Can you either put these on a web site or just send the first few denial
> messages to the list?

Already sent. I can put them on a ftp server. Do you still want me to do that?

With all of the messages coming out in enforcing mode, I am not sure what is important and what is not. I am also not sure that the service startup failures were captured.

Gene

From rhally at mindspring.com Thu Mar 25 22:36:50 2004
From: rhally at mindspring.com (Richard Hally)
Date: Thu, 25 Mar 2004 17:36:50 -0500
Subject: How to start using selinux?
In-Reply-To: <200403251713.08559.gene@czarc.net>
Message-ID:

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Gene Czarcinski
Sent: Thursday, March 25, 2004 5:13 PM
To: fedora-selinux-list at redhat.com
Subject: Re: How to start using selinux?

On Thursday 25 March 2004 14:09, Richard Hally wrote:
> > Here are a couple of links to HOWTOs
> >
> > https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266
> >
> > https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266

Thanks. They are good but ..

What I am looking for is something a bit more "cook bookish". Since the default (current snapshot of FC2 development) is to install with selinux set to enforcing, I am expecting the system to come up (it does not) and then some "cook book" instructions on setting things up so I can begin playing with things. Right now if I bootup with selinux set to enforcing, I cannot do anything .. even login.

The recommended way to start off is in permissive mode. Kernel ...253.2.1 does not start in enforcing mode automatically by default.

I was hoping to see something with selinux running where I could then work (play) with the system to understand selinux configuration and usage.
One thing you can do is duplicate the lines in grub for a particular kernel and add ENFORCING to the title and enforcing=1 to the end of the kernel line. That way you can start off in either mode. The way to see which mode is to "cat /selinux/enforce"; 0 is permissive. To change to enforcing while running: "echo 1 > /selinux/enforce".

Right now, booting up in single user mode is my most useful tool since that is the only way I have found to get out of enforcing mode.

I am hoping I do not need a two week course to be able to understand how to configure selinux.

I do not know what FC2 Test2 will have in it but from what I have seen so far, the default had better be permissive rather than enforcing ... either that or slip the schedule a bit more.

Gene

From rhally at mindspring.com Thu Mar 25 22:49:12 2004
From: rhally at mindspring.com (Richard Hally)
Date: Thu, 25 Mar 2004 17:49:12 -0500
Subject: FW: How to start using selinux?
Message-ID:

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Gene Czarcinski
Sent: Thursday, March 25, 2004 5:13 PM
To: fedora-selinux-list at redhat.com
Subject: Re: How to start using selinux?

On Thursday 25 March 2004 14:09, Richard Hally wrote:
> > Here are a couple of links to HOWTOs
> >
> > https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266
> >
> > https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266

>Thanks. They are good but ..

>What I am looking for is something a bit more "cook bookish". Since the
>default (current snapshot of FC2 development) is to install with selinux set
>to enforcing, I am expecting the system to come up (it does not) and then
>some "cook book" instructions on setting things up so I can begin playing with
>things.
>Right now if I bootup with selinux set to enforcing, I cannot do
>anything .. even login.

The recommended way to start off is in permissive mode. Kernel ...253.2.1 does not start in enforcing mode automatically by default.

>I was hoping to see something with selinux running where I could then work
>(play) with the system to understand selinux configuration and usage.

One thing you can do is duplicate the lines in grub for a particular kernel and add ENFORCING to the title and enforcing=1 to the end of the kernel line. That way you can start off in either mode. The way to see which mode is to "cat /selinux/enforce"; 0 is permissive. To change to enforcing while running: "echo 1 > /selinux/enforce".

>Right now, booting up in single user mode is my most useful tool since that is
>the only way I have found to get out of enforcing mode.

Richard Hally

From russell at coker.com.au Fri Mar 26 02:38:46 2004
From: russell at coker.com.au (Russell Coker)
Date: Fri, 26 Mar 2004 13:38:46 +1100
Subject: How to start using selinux?
In-Reply-To: <200403251648.47214.gene@czarc.net>
References: <200403251648.47214.gene@czarc.net>
Message-ID: <200403261338.46641.russell@coker.com.au>

On Fri, 26 Mar 2004 08:48, Gene Czarcinski wrote:
> OK ... the kudzu/sk98lin problem is
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119011

You say that occurs when booting with "selinux=0", so the core SE Linux code will be disabled. Unless there is some bug in James' code to disable SE Linux this would not be related to SE Linux at all.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From rhally at mindspring.com Fri Mar 26 07:25:10 2004
From: rhally at mindspring.com (Richard Hally)
Date: Fri, 26 Mar 2004 02:25:10 -0500
Subject: avc denied messages from updating
Message-ID:

Here are some avc denied messages that showed up from doing a yum update while in enforcing mode:

Mar 26 01:28:15 old1 kernel: audit(1080282495.299:0): avc: denied { search } for pid=4282 exe=/bin/bash name=1 dev= ino=65538 scontext=root:sysadm_r:rpm_script_t tcontext=system_u:system_r:init_t tclass=dir
Mar 26 01:28:15 old1 kernel: audit(1080282495.300:0): avc: denied { search } for pid=4282 exe=/bin/bash name=1 dev= ino=65538 scontext=root:sysadm_r:rpm_script_t tcontext=system_u:system_r:init_t tclass=dir
Mar 26 01:35:20 old1 kernel: audit(1080282920.844:0): avc: denied { read } for pid=4397 exe=/sbin/consoletype path=pipe:[18262] dev= ino=18262 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:rpm_t tclass=fifo_file

Richard Hally

From rhally at mindspring.com Fri Mar 26 07:39:07 2004
From: rhally at mindspring.com (Richard Hally)
Date: Fri, 26 Mar 2004 02:39:07 -0500
Subject: avc denied from logrotate
Message-ID:

Here are the avc denied messages from doing a logrotate. I get an error message when I try to do the logrotate in enforcing mode. I changed to permissive mode, did the logrotate and the resulting messages are attached:

Richard Hally

-------------- next part --------------
A non-text attachment was scrubbed...
Name: messages.1
Type: application/octet-stream
Size: 10969 bytes
Desc: not available
URL:

From rhally at mindspring.com Fri Mar 26 07:43:49 2004
From: rhally at mindspring.com (Richard Hally)
Date: Fri, 26 Mar 2004 02:43:49 -0500
Subject: FW: selinux enforcing
Message-ID:

Here is the message from the "fedora-test-list":

In reply to Gene C. on this list (his posting is on my other box),

This message is being sent from Mozilla running on the current /development tree (at runlevel 5) in "enforcing mode". Below are the three avc denied messages from when I booted in enforcing mode. This is with the "as provided" policy with one change in the "users" file to add my username as an "admin".

Once you have installed the policy and policy-sources and done "make reload" in /etc/security/selinux/src/policy you must also do "make relabel" (it can take a while) to label all the files correctly.

Richard Hally

from /var/log/messages:

Mar 25 20:17:10 old1 kernel: audit(1080263823.652:0): avc: denied { append } for pid=1053 exe=/sbin/syslogd name=news.crit dev=hdc3 ino=196974 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:innd_log_t tclass=file
Mar 25 20:17:10 old1 kernel: audit(1080263823.653:0): avc: denied { append } for pid=1053 exe=/sbin/syslogd name=news.err dev=hdc3 ino=196975 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:innd_log_t tclass=file
Mar 25 20:17:10 old1 kernel: audit(1080263823.654:0): avc: denied { append } for pid=1053 exe=/sbin/syslogd name=news.notice dev=hdc3 ino=196973 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:innd_log_t tclass=file

--
fedora-test-list mailing list
fedora-test-list at redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-test-list

From aleksey at nogin.org Fri Mar 26 10:54:19 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Fri, 26 Mar 2004 02:54:19 -0800
Subject: up2date does not work under sudo.
Message-ID: <40640BDB.2090005@nogin.org>

This seems to be new.
With policy-sources-1.9-15 if I try running up2date from sudo -r sysadm_r (from a staff user), it fails to actually install the packages:

Name                    Version        Rel                 Channel
----------------------------------------------------------------------
xorg-x11-xdm            0.0.6.6        0.0.2004_03_11.9    rawhide
xorg-x11-xfs            0.0.6.6        0.0.2004_03_11.9    rawhide

Testing package set / solving RPM inter-dependencies...
########################################
xorg-x11-xdm-0.0.6.6-0.0.20 ########################## Done.
xorg-x11-xfs-0.0.6.6-0.0.20 ########################## Done.
xorg-x11-0.0.6.6-0.0.2004_0 ########################## Done.
Preparing                   ########################################### [100%]

The following Packages were marked to be skipped by your configuration:

Name                    Version        Rel            Reason
-------------------------------------------------------------------------------
ocaml                   3.07           0.fdr.5.1.90   Pkg name/pattern

The following packages were added to your selection to satisfy dependencies:

Name                    Version        Release
--------------------------------------------------------------
xorg-x11                0.0.6.6        0.0.2004_03_11.9

dmesg shows:

audit(1080298058.273:0): avc: denied { transition } for pid=3821 exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 scontext=aleksey:sysadm_r:sysadm_t tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080298058.306:0): avc: denied { transition } for pid=3822 exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 scontext=aleksey:sysadm_r:sysadm_t tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080298058.333:0): avc: denied { transition } for pid=3823 exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 scontext=aleksey:sysadm_r:sysadm_t tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080298058.431:0): avc: denied { transition } for pid=3824 exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 scontext=aleksey:sysadm_r:sysadm_t tcontext=aleksey:sysadm_r:rpm_script_t tclass=process

--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From sds at epoch.ncsc.mil Fri Mar 26 13:21:23 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 26 Mar 2004 08:21:23 -0500
Subject: up2date does not work under sudo.
In-Reply-To: <40640BDB.2090005@nogin.org>
References: <40640BDB.2090005@nogin.org>
Message-ID: <1080307283.6559.33.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-03-26 at 05:54, Aleksey Nogin wrote:
> dmesg shows:
>
> audit(1080298058.273:0): avc: denied { transition } for pid=3821
> exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
> scontext=aleksey:sysadm_r:sysadm_t
> tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
> audit(1080298058.306:0): avc: denied { transition } for pid=3822
> exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
> scontext=aleksey:sysadm_r:sysadm_t
> tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
> audit(1080298058.333:0): avc: denied { transition } for pid=3823
> exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
> scontext=aleksey:sysadm_r:sysadm_t
> tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
> audit(1080298058.431:0): avc: denied { transition } for pid=3824
> exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
> scontext=aleksey:sysadm_r:sysadm_t
> tcontext=aleksey:sysadm_r:rpm_script_t tclass=process

Should /usr/sbin/up2date be labeled with rpm_exec_t, as is the case for yum? chcon -t rpm_exec_t /usr/sbin/up2date, and add an entry to rpm.fc for future relabels. That should enable the transition from sysadm_t to rpm_t, which is a necessary precursor to transitioning to rpm_script_t.

--
Stephen Smalley
National Security Agency

From aleksey at nogin.org Fri Mar 26 13:35:28 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Fri, 26 Mar 2004 05:35:28 -0800
Subject: up2date does not work under sudo.
In-Reply-To: <1080307283.6559.33.camel@moss-spartans.epoch.ncsc.mil>
References: <40640BDB.2090005@nogin.org> <1080307283.6559.33.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <406431A0.5000808@nogin.org>

On 26.03.2004 05:21, Stephen Smalley wrote:

> Should /usr/sbin/up2date be labeled with rpm_exec_t, as is the case for
> yum?

Thanks, fixed it in my local policies and filed
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119208

--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From sds at epoch.ncsc.mil Fri Mar 26 13:37:45 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 26 Mar 2004 08:37:45 -0500
Subject: avc denied from logrotate
In-Reply-To:
References:
Message-ID: <1080308265.6559.49.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-03-26 at 02:39, Richard Hally wrote:
> Here are the avc denied messages from doing a logrotate.
> I get an error message when I try to do the logrotate in enforcing mode. I
> changed to
> permissive mode, did the logrotate and the resulting messages are attached:

With regard to the /etc/init.d/cups condrestart line in /etc/logrotate.d/cups, should logrotate.te include:

domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)

so that the init script runs in the proper domain, and any subsequent daemon restarts are transitioned to the right domain? That would run the init script in initrc_t rather than directly in logrotate_t, and eliminate the need for the various domain_auto_trans(logrotate, foo_exec_t, foo_t) rules that I see sprinkled about various daemon .te files, since the usual transition from initrc_t would handle it.
--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Fri Mar 26 13:50:10 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 26 Mar 2004 08:50:10 -0500
Subject: avc denied from logrotate
In-Reply-To:
References:
Message-ID: <1080309010.6559.61.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-03-26 at 02:39, Richard Hally wrote:
> Here are the avc denied messages from doing a logrotate.
> I get an error message when I try to do the logrotate in enforcing mode. I
> changed to
> permissive mode, did the logrotate and the resulting messages are attached:

With regard to the innd_log_t denial, is this file written by both syslogd and innd? If it is only written by syslogd, then it shouldn't be labeled innd_log_t. If it can be written by either daemon depending on configuration, then perhaps syslogd.te should include 'create_append_log_file(syslogd_t, logfile)'.

Looks like logrotate needs can_exec(logrotate_t, logfile), although I find that disturbing. Possibly need another domain with less permissions that it can transition to when executing these temporary files.

Can you enable syscall auditing (boot with audit=1) and re-run logrotate, so that we can see the actual pathname parameters for some of these calls? The slrnpull_spool_t ones look odd, as I wouldn't expect that type on log files, and slrnpull does have its own log type.
--
Stephen Smalley
National Security Agency

From russell at coker.com.au Fri Mar 26 13:53:07 2004
From: russell at coker.com.au (Russell Coker)
Date: Sat, 27 Mar 2004 00:53:07 +1100
Subject: FW: selinux enforcing
In-Reply-To:
References:
Message-ID: <200403270053.07531.russell@coker.com.au>

On Fri, 26 Mar 2004 18:43, "Richard Hally" wrote:
> Mar 25 20:17:10 old1 kernel: audit(1080263823.652:0): avc: denied {
> append } for pid=1053 exe=/sbin/syslogd name=news.crit dev=hdc3
> ino=196974 scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:innd_log_t tclass=file

I've attached a new version of innd.te which should fix this.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-------------- next part --------------
#DESC INN - InterNetNews server
#
# Author:  Faye Coker
# X-Debian-Packages: inn
#

################################
# Types for the server port and news spool.
#
type innd_port_t, port_type;
type news_spool_t, file_type, sysadmfile;

# need privmail attribute so innd can access system_mail_t
daemon_domain(innd, `, privmail')

# allow innd to create files and directories of type news_spool_t
create_dir_file(innd_t, news_spool_t)

# allow user domains to read files and directories of these types
r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })

can_exec(initrc_t, innd_etc_t)
can_exec(innd_t, { innd_exec_t bin_t })
ifdef(`hostname.te', `
can_exec(innd_t, hostname_exec_t)
')

allow innd_t var_spool_t:dir { getattr search };

can_network(innd_t)
can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
allow innd_t self:unix_dgram_socket create_socket_perms;
allow innd_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(innd_t, self)
allow innd_t self:fifo_file rw_file_perms;

allow innd_t innd_port_t:tcp_socket name_bind;

allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
allow innd_t self:process setsched;

allow innd_t { bin_t sbin_t }:dir search;
allow innd_t usr_t:lnk_file read;
allow innd_t usr_t:file { getattr read ioctl };
allow innd_t lib_t:file ioctl;
allow innd_t etc_t:file { getattr read };
allow innd_t { proc_t etc_runtime_t }:file { getattr read };
allow innd_t urandom_device_t:chr_file read;
allow innd_t innd_var_run_t:sock_file create_file_perms;

# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? and symbolic links with that type
etcdir_domain(innd)

# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
# it can write to
logdir_domain(innd)

# allow innd read-write directory permissions to /var/lib/news.
var_lib_domain(innd)

ifdef(`crond.te', `
system_crond_entry(innd_exec_t, innd_t)
')

# let syslogd write the news log files that carry the innd_log_t type
ifdef(`syslogd.te', `
allow syslogd_t innd_log_t:dir search;
allow syslogd_t innd_log_t:file ra_file_perms;
')

From sds at epoch.ncsc.mil Fri Mar 26 13:57:01 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 26 Mar 2004 08:57:01 -0500
Subject: How to start using selinux?
In-Reply-To: <200403251716.14255.gene@czarc.net>
References: <200403251716.14255.gene@czarc.net>
Message-ID: <1080309421.6559.67.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2004-03-25 at 17:16, Gene Czarcinski wrote:
> Already sent. I can put them on a ftp server. Do you still want me to do
> that?
>
> With all of the messages coming out in enforcing mode, I am not sure what is
> important and what is not. I am also not sure that the service startup
> failures were captured.

You are more likely to get help if you post at least the first few messages to the entire list. It might also help to see the output from ls -Z / (i.e. is your root filesystem labeled), and ps -eZ (i.e. are your processes running in the right domain). Chris PeBenito of the Hardened Gentoo project just posted a "sestatus" tool on the NSA selinux list the other day that might be helpful in giving status about your system's SELinux setup, see
http://marc.theaimsgroup.com/?l=selinux&m=108026017519073&w=2

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Fri Mar 26 14:00:43 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 26 Mar 2004 09:00:43 -0500
Subject: FW: selinux enforcing
In-Reply-To:
References:
Message-ID: <1080309643.6559.70.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-03-26 at 02:43, Richard Hally wrote:
> Once you have installed the policy and policy-sources and done
> "make reload" in /etc/security/selinux/src/policy you must also do
> "make relabel" (it can take a while) to label all the files correctly.
The 'make relabel' shouldn't be necessary if you do a clean install, as rpm knows to set the file contexts now, right? Only necessary if you are upgrading an existing system to FC2 devel and need to retroactively apply the labels.

--
Stephen Smalley
National Security Agency

From gene at czarc.net Fri Mar 26 16:25:50 2004
From: gene at czarc.net (Gene Czarcinski)
Date: Fri, 26 Mar 2004 11:25:50 -0500
Subject: FW: selinux enforcing
In-Reply-To:
References:
Message-ID: <200403261125.50140.gene@czarc.net>

On Friday 26 March 2004 02:43, Richard Hally wrote:
> In reply to Gene C. on this list (his posting is on my other box),
> This message is being sent from Mozilla running on the current
> /development tree (at runlevel 5) in "enforcing mode". Below are the
> three avc denied messages from when I booted in enforcing mode.
> This is with the "as provided" policy with one change in the "users"
> file to add my username as an "admin".
> Once you have installed the policy and policy-sources and done
> "make reload" in /etc/security/selinux/src/policy you must also do
> "make relabel" (it can take a while) to label all the files correctly.

OK, now we are cooking.

1. I found that there are RELEASE-NOTES under development/i386 (I am using development/x86_64). This provides much of the info I was lacking.

2. Your info above was just great. After doing "make reload" and "make relabel", most of the error messages disappeared and most services started ... also gdm now works. Now I can start playing with things to see how they work.

A comment: I had done a fresh nfs everything install using a development snapshot which is fairly current (Tuesday 24 March). I believe that things should have worked the way they do now without my needing to run "make reload" (and possibly "make relabel"). I did originally come up in permissive mode so maybe that was my problem and everything would have worked if I came up in enforcing mode from the start ... I don't know.
I am going to play with this a bit more to see if I can just install and come up with nothing extra being done (except disabling kudzu until that problem is fixed).

Thanks to all who provided info. I can already see that the selinux functionality as being delivered in FC2 is just a start ... there will need to be lots of experimenting to see just what to lock down to make this a more secure environment.

Gene

From cra at WPI.EDU Fri Mar 26 16:53:41 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Fri, 26 Mar 2004 11:53:41 -0500
Subject: FW: selinux enforcing
In-Reply-To: <1080309643.6559.70.camel@moss-spartans.epoch.ncsc.mil>
References: <1080309643.6559.70.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20040326165340.GB27686@angus.ind.WPI.EDU>

On Fri, Mar 26, 2004 at 09:00:43AM -0500, Stephen Smalley wrote:
> The 'make relabel' shouldn't be necessary if you do a clean install, as
> rpm knows to set the file contexts now, right? Only necessary if you
> are upgrading an existing system to FC2 devel and need to retroactively
> apply the labels.

Unless you are not formatting a partition, like /home. You will need to relabel /home:

/usr/sbin/setfiles /etc/security/selinux/file_contexts /home

From rhally at mindspring.com Fri Mar 26 20:27:23 2004
From: rhally at mindspring.com (Richard Hally)
Date: Fri, 26 Mar 2004 15:27:23 -0500
Subject: FW: selinux enforcing
In-Reply-To: <1080309643.6559.70.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Stephen Smalley
Sent: Friday, March 26, 2004 9:01 AM
To: Fedora SELinux support list for users & developers.
Subject: Re: FW: selinux enforcing

On Fri, 2004-03-26 at 02:43, Richard Hally wrote:
> Once you have installed the policy and policy-sources and done
> "make reload" in /etc/security/selinux/src/policy you must also do
> "make relabel" (it can take a while) to label all the files correctly.

The 'make relabel' shouldn't be necessary if you do a clean install, as rpm knows to set the file contexts now, right? Only necessary if you are upgrading an existing system to FC2 devel and need to retroactively apply the labels.

--
Stephen Smalley
National Security Agency

--
I only do the "make relabel" after installing an updated policy to regression test the relabel and in case there have been changes to the file_contexts provided in the update. The other possible "wrong context" situation may be from running in permissive mode where something that would not happen in enforcing mode was allowed to happen and a file received an incorrect context.

Am I on the right track or "do I need a visit from the clue stick"?

Richard Hally

From sds at epoch.ncsc.mil Fri Mar 26 20:45:58 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 26 Mar 2004 15:45:58 -0500
Subject: FW: selinux enforcing
In-Reply-To:
References:
Message-ID: <1080333958.6559.128.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2004-03-26 at 15:27, Richard Hally wrote:
> I only do the "make relabel" after installing an updated policy to
> regression test the relabel and in case there have been changes to the
> file_contexts provided in the update. The other possible "wrong context"
> situation may be from running in permissive mode where something that would
> not happen in enforcing mode was allowed to happen and a file received an
> incorrect context.
> Am I on the right track or "do I need a visit from the clue stick"?

No, that's right.
I was just noting that a clean install of fc2 devel with selinux should set the file contexts initially for you, without requiring an initial make relabel, since rpm knows about security contexts now. I'm not 100% certain of that; I suppose a 'make checklabels' after a clean install would be prudent.

--
Stephen Smalley
National Security Agency

From gene at czarc.net Fri Mar 26 20:54:50 2004
From: gene at czarc.net (Gene Czarcinski)
Date: Fri, 26 Mar 2004 15:54:50 -0500
Subject: FW: selinux enforcing
In-Reply-To: <1080333958.6559.128.camel@moss-spartans.epoch.ncsc.mil>
References: <1080333958.6559.128.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200403261554.50456.gene@czarc.net>

On Friday 26 March 2004 15:45, Stephen Smalley wrote:
> On Fri, 2004-03-26 at 15:27, Richard Hally wrote:
> > I only do the "make relabel" after installing an updated policy to
> > regression test the relabel and in case there have been changes to the
> > file_contexts provided in the update. The other possible "wrong context"
> > situation may be from running in permissive mode where something that
> > would not happen in enforcing mode was allowed to happen and a file
> > received an incorrect context.
> > Am I on the right track or "do I need a visit from the clue stick"?
>
> No, that's right. I was just noting that a clean install of fc2 devel
> with selinux should set the file contexts initially for you, without
> requiring an initial make relabel, since rpm knows about security
> contexts now. I'm not 100% certain of that; I suppose a 'make
> checklabels' after a clean install would be prudent.

OK, I just had something a bit strange happen ... I updated some of the packages on my x86_64 system including policy and policy-sources (to 1.9-15). I then rebooted. Oops .. things were a bit strange, such as my admin id (defined in users) could not find its home directory. I logged in as root and ran "make reload" and "make relabel" and then rebooted again. This time things work as expected.
From the above, this should not be happening ... right?

Gene

From rhallyx at mindspring.com Fri Mar 26 21:20:49 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Fri, 26 Mar 2004 16:20:49 -0500
Subject: logrotate with audit
Message-ID: <40649EB1.3080301@mindspring.com>

Here are the avc denied messages from a logrotate in permissive mode with auditing turned on.

Mar 26 16:04:20 old1 syslogd 1.4.1: restart.
Mar 26 16:04:20 old1 kernel: audit(1080335060.125:1634360): syscall=94,0x3 items=0 pid=2626 ppid=2585 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Mar 26 16:04:20 old1 kernel: audit(1080335060.126:1634369): avc: denied { unlink } for pid=2626 exe=/usr/sbin/logrotate name=log.5 dev=hdc3 ino=834865 scontext=root:sysadm_r:logrotate_t tcontext=system_u:object_r:slrnpull_spool_t tclass=file
Mar 26 16:04:20 old1 kernel: audit(1080335060.126:1634369): syscall=10,0xfeec46dc items=1 pid=2626 ppid=2585 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Mar 26 16:04:20 old1 kernel: audit(1080335060.126:1634369): item=0 name=/var/spool/slrnpull/log.5 inode=835221 dev=00:00

From walters at redhat.com Fri Mar 26 22:04:21 2004
From: walters at redhat.com (Colin Walters)
Date: Fri, 26 Mar 2004 17:04:21 -0500
Subject: avc denied messages from updating
In-Reply-To:
References:
Message-ID: <1080338661.20692.14.camel@nexus.verbum.private>

On Fri, 2004-03-26 at 02:25, Richard Hally wrote:
> Here are some avc denied messages that showed up from doing a yum update
> while in enforcing mode:
>
> Mar 26 01:28:15 old1 kernel: audit(1080282495.299:0): avc: denied {
> search } for pid=4282 exe=/bin/bash name=1 dev= ino=65538
> scontext=root:sysadm_r:rpm_script_t tcontext=system_u:system_r:init_t
> tclass=dir
> Mar 26 01:28:15 old1 kernel: audit(1080282495.300:0): avc: denied {
> search } for pid=4282 exe=/bin/bash name=1 dev= ino=65538
> scontext=root:sysadm_r:rpm_script_t tcontext=system_u:system_r:init_t
> tclass=dir

Hmm.
Is there a file named "1" in your /? If so, and you do a: ls -ali /1 do you see 65538? If that file exists it's an artifact of an older bug in policy that has been fixed now IIRC. Otherwise, can you do a: find / -inum 65538 (it may take a while, be patient) > Mar 26 01:35:20 old1 kernel: audit(1080282920.844:0): avc: denied { > read } for pid=4397 exe=/sbin/consoletype path=pipe:[18262] dev= > ino=18262 scontext=root:system_r:consoletype_t > tcontext=root:sysadm_r:rpm_t tclass=fifo_file I just sent a patch to dwalsh to fix this one. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From rhallyx at mindspring.com Fri Mar 26 22:11:17 2004 From: rhallyx at mindspring.com (Richard Hally) Date: Fri, 26 Mar 2004 17:11:17 -0500 Subject: avc messages file from reboot Message-ID: <4064AA85.2010603@mindspring.com> Attached is a syslog messages file from rebooting my test box. the shutdown was in permissive mode. The startup was in enforcing mode. At the end of the file are messages pertaining to logrotate failing in enforcing mode and then ending the file by stoping in permissive mode. This may be more useful in seeinng the five file rotation aspect or logrotate. Hope it helps Richard Hally -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: messages.1.lr URL: From gene at czarc.net Fri Mar 26 22:28:51 2004 From: gene at czarc.net (Gene Czarcinski) Date: Fri, 26 Mar 2004 17:28:51 -0500 Subject: selinux file attributes Message-ID: <200403261728.51109.gene@czarc.net> OK, I just did a fresh everything install with today's development snapshot and it is looking good. I let things default to enforcing and was able to login. However ... I then added a couple of other userids. 
Before doing that with system-config-users, I edited to /etc/security/selinux/src/users file to define one of these as an "admin" user. Oops, I cannot login because it cannot find the home directory (because it has incompatible attributes). OK, so I login as root (role=sysadm_r) and run "fixfiles relabel". Then I logout but now gdm cannot come up! OK, go to a VT and login as root ... run "make reload" and "make relabel" and then reboot. While s-c-u should handle the application of proper attributes (it needs to be selinux aware and supporting), I should not need to keep running relabel. One of the other things I noticed is that after installation the partitions lost-found directory did not have any attributes ... after running relabel it did. Shouldn't this be handled by the installer? I wonder what happens if you format a new partition? Gene From rhally at mindspring.com Fri Mar 26 22:53:52 2004 From: rhally at mindspring.com (Richard Hally) Date: Fri, 26 Mar 2004 17:53:52 -0500 Subject: avc denied messages from updating In-Reply-To: <1080338661.20692.14.camel@nexus.verbum.private> Message-ID: -----Original Message----- From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com]On Behalf Of Colin Walters Sent: Friday, March 26, 2004 5:04 PM To: fedora-selinux-list at redhat.com Subject: Re: avc denied messages from updating On Fri, 2004-03-26 at 02:25, Richard Hally wrote: > Here are some avc denied messages that showed up from doing a yum update > while in enforcing mode: > > Mar 26 01:28:15 old1 kernel: audit(1080282495.299:0): avc: denied { > search } for pid=4282 exe=/bin/bash name=1 dev= ino=65538 > scontext=root:sysadm_r:rpm_script_t tcontext=system_u:system_r:init_t > tclass=dir > Mar 26 01:28:15 old1 kernel: audit(1080282495.300:0): avc: denied { > search } for pid=4282 exe=/bin/bash name=1 dev= ino=65538 > scontext=root:sysadm_r:rpm_script_t tcontext=system_u:system_r:init_t > tclass=dir Hmm. 
Is there a file named "1" in your /? If so, and you do a: ls -ali /1 do you see 65538? If that file exists it's an artifact of an older bug in policy that has been fixed now IIRC. ________________________________ Yes, now that you mention it I remember that bug. I deleted /1 and /2 as well. Thanks, Richard Hally From gene at czarc.net Fri Mar 26 23:08:54 2004 From: gene at czarc.net (Gene Czarcinski) Date: Fri, 26 Mar 2004 18:08:54 -0500 Subject: su to user Message-ID: <200403261808.54573.gene@czarc.net> OK, how is this suppose to work or is there a bug here ... I am logged in as an admin user but have a couple of regular (non priv) users defined to the system. From the admin user I do "su - genec" and enter genec's password. I then get a prompt to see if I want to change the security context (default=y) and I try role:user_r and type:user_t ... nope, will not accept those (what should I be specifying?). Try again but respond "n" to the prompt ... I get in but there is an error message that su cannot change the directory. Once in I can change the directory. How should this be working. Note: if I ssh into the box I can "su - xx" with no prompts for context changes. Gene From russell at coker.com.au Sat Mar 27 00:47:49 2004 From: russell at coker.com.au (Russell Coker) Date: Sat, 27 Mar 2004 11:47:49 +1100 Subject: avc denied messages from updating In-Reply-To: References: Message-ID: <200403271147.49645.russell@coker.com.au> On Fri, 26 Mar 2004 18:25, "Richard Hally" wrote: > Here are some avc denied messages that showed up from doing a yum update > while in enforcing mode: > > Mar 26 01:28:15 old1 kernel: audit(1080282495.299:0): avc: denied { > search } for pid=4282 exe=/bin/bash name=1 dev= ino=65538 > scontext=root:sysadm_r:rpm_script_t tcontext=system_u:system_r:init_t > tclass=dir Strange that this hasn't been noticed before. 
Add the following:

can_ps(rpm_script_t, domain)

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From mitch48 at sbcglobal.net Sat Mar 27 01:23:32 2004
From: mitch48 at sbcglobal.net (Tom Mitchell)
Date: Fri, 26 Mar 2004 17:23:32 -0800
Subject: Should Yum and up2date understand SELinux roles
Message-ID: <20040327012332.GB17815@xtl1.xtl.tenegg.com>

Should yum check "id" for sysadm_r role?

Since %pre and %post actions are problematic a partial install could result that may not be simple to fix.

Here is a yum session that shows the interaction that is prompting my question. Note the scriptlet error followed by "Transaction(s) Complete".

# yum install xorg-x11-100dpi-fonts
Gathering header information file(s) from server(s)
Server: Fedora Core 1.91 - Development Tree
Finding updated packages
Downloading needed headers
Resolving dependencies
Dependencies resolved
I will do the following:
[install: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386]
Is this ok [y/N]: y
Downloading Packages
Getting xorg-x11-100dpi-fonts-0.0.6.6-0.0.2004_03_11.9.i386.rpm
xorg-x11-100dpi-fonts-0.0 100% |=========================| 4.2 MB 05:26
Running test transaction:
Test transaction complete, Success!
xorg-x11-100dpi-fonts 100 % done 1/1
error: setexeccon(root:staff_r:rpm_script_t) fails from context "root:staff_r:staff_t": Invalid argument
error: %post(xorg-x11-100dpi-fonts-0.0.6.6-0.0.2004_03_11.9) scriptlet failed, exit status 255
Installed: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386
Transaction(s) Complete

# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:staff_r:staff_t

# newrole -r sysadm_r
Authenticating root.
Password:

# rpm -e xorg-x11-100dpi-fonts

# yum install xorg-x11-100dpi-fonts
Gathering header information file(s) from server(s)
Server: Fedora Core 1.91 - Development Tree
Finding updated packages
Downloading needed headers
Resolving dependencies
Dependencies resolved
I will do the following:
[install: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386]
Is this ok [y/N]: y
Downloading Packages
Running test transaction:
Test transaction complete, Success!
xorg-x11-100dpi-fonts 100 % done 1/1
Installed: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386
Transaction(s) Complete

--
T o m   M i t c h e l l
/dev/null the ultimate in secure storage.

From dwalsh at redhat.com Sat Mar 27 18:34:51 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 27 Mar 2004 13:34:51 -0500
Subject: selinux file attributes
In-Reply-To: <200403261728.51109.gene@czarc.net>
References: <200403261728.51109.gene@czarc.net>
Message-ID: <4065C94B.10700@redhat.com>

Gene Czarcinski wrote:

>OK, I just did a fresh everything install with today's development snapshot
>and it is looking good. I let things default to enforcing and was able to
>login.
>
>However ... I then added a couple of other userids. Before doing that with
>system-config-users, I edited the /etc/security/selinux/src/users file to
>define one of these as an "admin" user.
>
>Oops, I cannot login because it cannot find the home directory (because it has
>incompatible attributes). OK, so I login as root (role=sysadm_r) and run
>"fixfiles relabel". Then I logout but now gdm cannot come up! OK, go to a
>VT and login as root ... run "make reload" and "make relabel" and then
>reboot.
>
>While s-c-u should handle the application of proper attributes (it needs to be
>selinux aware and supporting), I should not need to keep running relabel.
>
Yes, s-c-u needs to be more SELinux aware. Currently user management needs to be worked on before final release.

>One of the other things I noticed is that after installation the partition's
>lost+found directory did not have any attributes ... after running relabel it
>did. Shouldn't this be handled by the installer? I wonder what happens if
>you format a new partition?
>
>Gene

From aleksey at nogin.org Sun Mar 28 01:00:36 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Sat, 27 Mar 2004 17:00:36 -0800
Subject: selinux file attributes
In-Reply-To: <4065C94B.10700@redhat.com>
References: <200403261728.51109.gene@czarc.net> <4065C94B.10700@redhat.com>
Message-ID: <406623B4.4090204@nogin.org>

On 27.03.2004 10:34, Daniel J Walsh wrote:

>> While s-c-u should handle the application of proper attributes (it
>> needs to be selinux aware and supporting), I should not need to keep
>> running relabel.
>>
> Yes, s-c-u needs to be more SELinux aware. Currently user management
> needs to be worked on before final release.

See also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118571

--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From aleksey at nogin.org Sun Mar 28 01:12:57 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Sat, 27 Mar 2004 17:12:57 -0800
Subject: How do I make sure programs have write access to their own tty?
Message-ID: <40662699.3040706@nogin.org>

When I run (from staff_r) things via sudo, then sometimes it turns out that the programs I run end up not being able to communicate back to me as they are denied access to the tty they are running on (see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119209 for details).

Is there some way within the SELinux framework to give programs write access to the tty they are running on w/o giving them write access to all the ttys of the same type?

--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From gene at czarc.net Sun Mar 28 01:40:55 2004
From: gene at czarc.net (Gene Czarcinski)
Date: Sat, 27 Mar 2004 20:40:55 -0500
Subject: selinux file attributes
In-Reply-To: <406623B4.4090204@nogin.org>
References: <200403261728.51109.gene@czarc.net> <4065C94B.10700@redhat.com> <406623B4.4090204@nogin.org>
Message-ID: <200403272040.55513.gene@czarc.net>

On Saturday 27 March 2004 20:00, Aleksey Nogin wrote:
> On 27.03.2004 10:34, Daniel J Walsh wrote:
> >> While s-c-u should handle the application of proper attributes (it
> >> needs to be selinux aware and supporting), I should not need to keep
> >> running relabel.
> >
> > Yes, s-c-u needs to be more SELinux aware. Currently user management
> > needs to be worked on before final release.
>
> See also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118571

Yes, there are two or three (mine, yours, ?) related bugzilla reports which look at this from different perspectives. Regardless, something needs to be done for FC2 final or it is going to be very confusing for the user.

Gene

From ee2494 at ee.teiath.gr Sun Mar 28 17:36:45 2004
From: ee2494 at ee.teiath.gr (Zaharioudakis Nikos)
Date: Sun, 28 Mar 2004 20:36:45 +0300
Subject: newbie question about installation
In-Reply-To: <20040328170010.231F573B6E@hormel.redhat.com>
References: <20040328170010.231F573B6E@hormel.redhat.com>
Message-ID: <1080495405.40670d2dc9598@webmail.ee.teiath.gr>

I just managed to download the FC2t1, bandwidth in Greece is not always a simple thing. Does this version have any selinux features so I can play with and give back any feedback?
Nikos Zaharioudakis

From gene at czarc.net Sun Mar 28 18:06:16 2004
From: gene at czarc.net (Gene Czarcinski)
Date: Sun, 28 Mar 2004 13:06:16 -0500
Subject: newbie question about installation
In-Reply-To: <1080495405.40670d2dc9598@webmail.ee.teiath.gr>
References: <20040328170010.231F573B6E@hormel.redhat.com> <1080495405.40670d2dc9598@webmail.ee.teiath.gr>
Message-ID: <200403281306.16865.gene@czarc.net>

On Sunday 28 March 2004 12:36, Zaharioudakis Nikos wrote:
> I just managed to download the FC2t1, bandwidth in Greece is not always a
> simple thing. Does this version have any selinux features so I can play
> with and give back any feedback?

Unfortunately you will need FC2 Test2 which will be available early next week or a snapshot of the current development tree. You could update a Test 1 system to what is currently in development (which is pretty much Test2) but that is very prone to error and pretty much replaces everything in Test1.

Gene

From kwade at redhat.com Mon Mar 29 04:40:46 2004
From: kwade at redhat.com (Karsten Wade)
Date: 28 Mar 2004 20:40:46 -0800
Subject: Fedora SELinux FAQ
Message-ID: <1080535245.3256.2699.camel@erato.phig.org>

Releasing in time for Fedora Core 2 test2, this FAQ collects some of the most useful and important information you need to get started in using SELinux under Fedora Core.

http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/

The FAQ includes general SELinux concepts as well as questions from testers, and details a few of the new Fedora Core capabilities shipping in test2. Answers in this FAQ have been written with SELinux and Fedora Core developers.

Starting immediately, the FAQ is receiving updates via http://bugzilla.redhat.com, with traffic Cc:ed to fedora-selinux-list at redhat.com (see below). We expect the FAQ to be a useful resource following the test release.

The rest of this email is for anyone who is interested in contributing changes or additions to the FAQ.

## SELinux FAQ Process for Fedora Core 2 test2

1. FAQ is available at http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/.

2. When a developer has a patch or addition for the FAQ, here is the process used:

2.1 Reporter uses the link provided in the FAQ, which goes to a saved bugzilla template that has component, assigned, Cc:, blocker, etc. fields pre-filled.

2.2 Reporter fills out the rest of the bug report, and submits. A copy is sent to fedora-selinux-list.

2.3 Subsequent conversation can happen via bugzilla as a thread of the initial bug report. When the conversation is complete, the FAQ is updated.

2.4 The bug report is ideally closed, noting the conclusion of the report, and providing all relevant links.

3. Patches should be XML diffs (preferred) or plain text changes showing the before and after or just the text addition (not a real patch).

## 30

--
Karsten Wade, Sr. Tech Writer
this is not the .signature you are looking for
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41

From russell at coker.com.au Mon Mar 29 05:56:58 2004
From: russell at coker.com.au (Russell Coker)
Date: Mon, 29 Mar 2004 16:56:58 +1100
Subject: newbie question about installation
In-Reply-To: <200403281306.16865.gene@czarc.net>
References: <20040328170010.231F573B6E@hormel.redhat.com> <1080495405.40670d2dc9598@webmail.ee.teiath.gr> <200403281306.16865.gene@czarc.net>
Message-ID: <200403291556.58318.russell@coker.com.au>

On Mon, 29 Mar 2004 04:06, Gene Czarcinski wrote:
> On Sunday 28 March 2004 12:36, Zaharioudakis Nikos wrote:
> > I just managed to download the FC2t1, bandwidth in Greece is not always a
> > simple thing. Does this version have any selinux features so I can play
> > with and give back any feedback?
>
> Unfortunately you will need FC2 Test2 which will be available early next
> week or a snapshot of the current development tree. You could update a
> Test 1 system to what is currently in development (which is pretty much
> Test2) but that is very prone to error and pretty much replaces everything
> in Test1.

To have things working in the most convenient manner FC2T2 will be good. But getting FC2T1 to work isn't particularly difficult, you just need to install the latest kernel (not really required but strongly recommended), policy (or policy-sources), policycoreutils, and checkpolicy. Then run "make -C /etc/security/selinux/src/policy relabel" and reboot, with a bit of luck it should be working.

NB If you install the packages I list above they will drag in other dependencies, so you will probably end up downloading about 20M. Much easier than getting all of FC2T2. But if you want to seriously use the machine (rather than just learning about SE Linux) then getting the latest version will be beneficial.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From russell at coker.com.au Mon Mar 29 13:51:07 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 30 Mar 2004 00:51:07 +1100
Subject: fedora.us FC2 test2 1.91 repository status
In-Reply-To: <406810A8.7090902@redhat.com>
References: <406810A8.7090902@redhat.com>
Message-ID: <200403292351.07566.russell@coker.com.au>

On Mon, 29 Mar 2004 22:03, Warren Togami wrote:
> fedora.us apt and yum for 1.91 is not yet ready, so for now you will
> need to copy the old 1.90 version and edit the configs. It still seems
> to be binary compatible for now. However we have no idea if apt will
> work with selinux enforcement enabled.

What is the location of apt-get? /usr/bin?

All we need to do is have apt-get labeled as rpm_exec_t and it should all just work.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From dwalsh at redhat.com Mon Mar 29 14:09:39 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 29 Mar 2004 09:09:39 -0500
Subject: Should Yum and up2date understand SELinux roles
In-Reply-To: <20040327012332.GB17815@xtl1.xtl.tenegg.com>
References: <20040327012332.GB17815@xtl1.xtl.tenegg.com>
Message-ID: <40682E23.4060908@redhat.com>

Tom Mitchell wrote:

>Should yum check "id" for sysadm_r role?
>
>Since %pre and %post actions are problematic a partial install could
>result that may not be simple to fix.
>
>Here is a yum session that shows the interaction that is prompting my
>question. Note the scriptlet error followed by "Transaction(s) Complete".
>
> # yum install xorg-x11-100dpi-fonts
> Gathering header information file(s) from server(s)
> Server: Fedora Core 1.91 - Development Tree
> Finding updated packages
> Downloading needed headers
> Resolving dependencies
> Dependencies resolved
> I will do the following:
> [install: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386]
> Is this ok [y/N]: y
> Downloading Packages
> Getting xorg-x11-100dpi-fonts-0.0.6.6-0.0.2004_03_11.9.i386.rpm
> xorg-x11-100dpi-fonts-0.0 100% |=========================| 4.2 MB 05:26
> Running test transaction:
> Test transaction complete, Success!
> xorg-x11-100dpi-fonts 100 % done 1/1
> error: setexeccon(root:staff_r:rpm_script_t) fails from context "root:staff_r:staff_t": Invalid argument
> error: %post(xorg-x11-100dpi-fonts-0.0.6.6-0.0.2004_03_11.9) scriptlet failed, exit status 255
> Installed: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386
> Transaction(s) Complete
>
> # id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:staff_r:staff_t
>
> # newrole -r sysadm_r
> Authenticating root.
> Password:
>
> # rpm -e xorg-x11-100dpi-fonts
>
> # yum install xorg-x11-100dpi-fonts
> Gathering header information file(s) from server(s)
> Server: Fedora Core 1.91 - Development Tree
> Finding updated packages
> Downloading needed headers
> Resolving dependencies
> Dependencies resolved
> I will do the following:
> [install: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386]
> Is this ok [y/N]: y
> Downloading Packages
> Running test transaction:
> Test transaction complete, Success!
> xorg-x11-100dpi-fonts 100 % done 1/1
> Installed: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386
> Transaction(s) Complete
>
No. If the unlimitedUsers tunable is set, the following rule needs to be added to rpm.te:

ifdef(`unlimitedUsers', `
domain_auto_trans(staff_t, rpm_exec_t, rpm_t)
')

From dwalsh at redhat.com Mon Mar 29 14:12:27 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 29 Mar 2004 09:12:27 -0500
Subject: su to user
In-Reply-To: <200403261808.54573.gene@czarc.net>
References: <200403261808.54573.gene@czarc.net>
Message-ID: <40682ECB.4070603@redhat.com>

Gene Czarcinski wrote:

>OK, how is this supposed to work or is there a bug here ...
>
>I am logged in as an admin user but have a couple of regular (non priv) users
>defined to the system. From the admin user I do "su - genec" and enter
>genec's password. I then get a prompt to see if I want to change the
>security context (default=y) and I try role:user_r and type:user_t ... nope,
>will not accept those (what should I be specifying?).
>
>Try again but respond "n" to the prompt ... I get in but there is an error
>message that su cannot change the directory. Once in I can change the
>directory. How should this be working?
>
>Note: if I ssh into the box I can "su - xx" with no prompts for context
>changes.
>
>Gene
>
The ssh behavior is correct. The only time you should get prompted for security contexts is if the user has the ability to have more than one security context. This is a bug and should be put in bugzilla.

From sds at epoch.ncsc.mil Mon Mar 29 17:12:09 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Mon, 29 Mar 2004 12:12:09 -0500
Subject: How do I make sure programs have write access to their own tty?
In-Reply-To: <40662699.3040706@nogin.org>
References: <40662699.3040706@nogin.org>
Message-ID: <1080580329.18373.118.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2004-03-27 at 20:12, Aleksey Nogin wrote:
> When I run (from staff_r) things via sudo, then sometimes it turns out
> that the programs I run end up not being able to communicate back to me
> as they are denied access to the tty they are running on (see
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119209 for details).
>
> Is there some way within the SELinux framework to give programs write
> access to the tty they are running on w/o giving them write access to
> all the ttys of the same type?

Types are security equivalence classes. So if you've placed a set of objects into a single type, then they are accessible in the same manner. Now, you can have programs transition into derived domains that preserve their call chain information, and use that to control access to types, e.g. staff_t runs program foo in staff_foo_t and sysadm_t runs program foo in sysadm_foo_t, and $1_foo_t only gets access to $1_devpts_t.

However, in this particular case, where sudo is performing an explicit role change, I would expect that sudo would relabel the pty based on the new user domain, so it should be relabeled to sysadm_devpts_t while the command is being executed, and then reset to its original type.

--
Stephen Smalley
National Security Agency

From mitch48 at sbcglobal.net Mon Mar 29 23:37:50 2004
From: mitch48 at sbcglobal.net (Tom Mitchell)
Date: Mon, 29 Mar 2004 15:37:50 -0800
Subject: Should Yum and up2date understand SELinux roles
In-Reply-To: <40682E23.4060908@redhat.com>
References: <20040327012332.GB17815@xtl1.xtl.tenegg.com> <40682E23.4060908@redhat.com>
Message-ID: <20040329233750.GA22286@xtl1.xtl.tenegg.com>

On Mon, Mar 29, 2004 at 09:09:39AM -0500, Daniel J Walsh wrote:
> Date: Mon, 29 Mar 2004 09:09:39 -0500
> From: Daniel J Walsh
> To: "Fedora SELinux support list for users & developers."
> Subject: Re: Should Yum and up2date understand SELinux roles
> Reply-To: "Fedora SELinux support list for users & developers."
>
> Tom Mitchell wrote:
>
> >Should yum check "id" for sysadm_r role?
> >
> > ....
> No if unlimitedUsers tunable is set the following rule needs to be added
> to rpm.te
>
> ifdef(`unlimitedUsers', `
> domain_auto_trans(staff_t, rpm_exec_t, rpm_t)
> ')
>

Thank you, unlimitedUsers was set (will make the change and retest soon). Will your small snip of policy be in a future version of rpm.te?

--
T o m   M i t c h e l l
/dev/null the ultimate in secure storage.
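The avc denied records posted in the threads above (the logrotate rotation, the yum update in enforcing mode, the consoletype pipe) all share one format, and the replies turn them into allow rules by hand. The following script is an added example, not code from the list or from any of the posters: it parses that 2004-era kernel audit format, groups the denials by source type, target type and object class, and prints candidate allow rules in .te syntax, plus the "find / -inum" lookups Colin suggested for objects that are reported by inode rather than by path. The sample log lines are copied from the messages above; the function names are mine. Keep Stephen's point in mind when reading the output: a type is an equivalence class, so each generated rule grants the permission to every object of the target type, and the candidate is only worth adding if that type is really the right granularity.

```python
import re
from collections import defaultdict

# Constructed sample: avc records copied from the messages above, one per line,
# plus a non-avc syscall record to show that such lines are skipped.
SAMPLE_LOG = """\
Mar 26 16:04:20 old1 kernel: audit(1080335060.125:1634360): syscall=94,0x3 items=0 pid=2626 ppid=2585 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Mar 26 16:04:20 old1 kernel: audit(1080335060.126:1634369): avc: denied { unlink } for pid=2626 exe=/usr/sbin/logrotate name=log.5 dev=hdc3 ino=834865 scontext=root:sysadm_r:logrotate_t tcontext=system_u:object_r:slrnpull_spool_t tclass=file
Mar 26 01:28:15 old1 kernel: audit(1080282495.299:0): avc: denied { search } for pid=4282 exe=/bin/bash name=1 dev= ino=65538 scontext=root:sysadm_r:rpm_script_t tcontext=system_u:system_r:init_t tclass=dir
Mar 26 01:28:15 old1 kernel: audit(1080282495.300:0): avc: denied { search } for pid=4282 exe=/bin/bash name=1 dev= ino=65538 scontext=root:sysadm_r:rpm_script_t tcontext=system_u:system_r:init_t tclass=dir
Mar 26 01:35:20 old1 kernel: audit(1080282920.844:0): avc: denied { read } for pid=4397 exe=/sbin/consoletype path=pipe:[18262] dev= ino=18262 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:rpm_t tclass=fifo_file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # values may be empty, e.g. "dev="


def parse_avc(line):
    """Return a dict for an avc denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    """Extract the type from a user:role:type context (no MLS field in these records)."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class) and union their permissions."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        needed[key] |= rec["perms"]
    return dict(needed)


def allow_rules(log_text):
    """Render the summary as candidate allow rules in .te syntax.

    Each rule grants the permission on every object of the target type, so the
    policy author still has to decide whether that type is the right granularity.
    """
    rules = []
    for (src, tgt, cls), perms in sorted(summarize(log_text).items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def inode_lookups(log_text):
    """For denials that report an inode but no path, suggest the find command used above."""
    cmds = []
    seen = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "path" in rec or not rec.get("ino"):
            continue
        if rec["ino"] in seen:
            continue
        seen.add(rec["ino"])
        cmds.append(f"find / -inum {rec['ino']}   # name={rec.get('name', '?')} dev={rec.get('dev') or '?'}")
    return cmds


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
    for cmd in inode_lookups(SAMPLE_LOG):
        print(cmd)
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file contents; the grouping is the same one a policy author does by eye, and the inode list is the set of objects whose identity still has to be confirmed before any rule is written.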
From nutello at sweetness.com Mon Mar 29 23:42:59 2004
From: nutello at sweetness.com (Rudi Chiarito)
Date: Tue, 30 Mar 2004 01:42:59 +0200
Subject: Postfix and SELinux
Message-ID: <20040329234259.GD5236@server4.8080.it>

I successfully - or so it seems - convinced a box to work in enforcing mode, but as of today I still see these error messages whenever postfix is started:

Mar 29 17:33:35 pizza kernel: audit(1080603215.577:0): avc: denied { write } for pid=5102 exe=/usr/sbin/postalias name=aliases.db dev=sda3 ino=245461 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:postfix_etc_t tclass=file
Mar 29 17:33:36 pizza kernel: audit(1080603216.592:0): avc: denied { search } for pid=5103 exe=/bin/bash dev= ino=1 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:devpts_t tclass=dir
Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied { execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t tclass=file

Does this ring a bell? As far as I can tell, all contexts are properly set. To play safe, I even removed and reinstalled the postfix RPM. The system has all the latest Raw Hide packages.

Rudi

From russell at coker.com.au Tue Mar 30 08:55:24 2004
From: russell at coker.com.au (Russell Coker)
Date: Tue, 30 Mar 2004 19:55:24 +1100
Subject: Postfix and SELinux
In-Reply-To: <20040329234259.GD5236@server4.8080.it>
References: <20040329234259.GD5236@server4.8080.it>
Message-ID: <200403301855.24222.russell@coker.com.au>

On Tue, 30 Mar 2004 09:42, Rudi Chiarito wrote:
> I successfully - or so it seems - convinced a box to work in enforcing
> mode, but as of today I still see these error messages whenever postfix
> is started:
>
> Mar 29 17:33:35 pizza kernel: audit(1080603215.577:0): avc: denied {
> write } for pid=5102 exe=/usr/sbin/postalias name=aliases.db dev=sda3
> ino=245461 scontext=root:system_r:postfix_master_t
> tcontext=system_u:object_r:postfix_etc_t tclass=file
> Mar 29 17:33:36 pizza kernel: audit(1080603216.592:0): avc: denied {
> search } for pid=5103 exe=/bin/bash dev= ino=1
> scontext=root:system_r:postfix_master_t
> tcontext=system_u:object_r:devpts_t tclass=dir

Add the following to postfix.te:

allow postfix_master_t postfix_etc_t:file rw_file_perms;
allow postfix_master_t devpts_t:dir search;

> Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied {
> execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396
> scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t
> tclass=file

What is this "master" file? Please run "find / -inum 1407396" and tell me what it reports.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From nico33b at yahoo.fr Tue Mar 30 10:30:12 2004
From: nico33b at yahoo.fr (=?iso-8859-1?q?Nic=A4?=)
Date: Tue, 30 Mar 2004 05:30:12 -0500 (EST)
Subject: Pb installing Policy
Message-ID: <20040330103012.83527.qmail@web40902.mail.yahoo.com>

Hi all,

I'm getting trouble installing policy on my Fedora Core 1. I have upgraded the list of packages present on Daniel Walsh's ftp server (ftp://people.redhat.com/dwalsh/SELinux/) using the selUpgrade script.

When I try to load the policy here is what I get:

root]# make -C /etc/security/selinux/src/policy relabel
make: Entre dans le répertoire `/etc/security/selinux/src/policy'
/usr/sbin/setfiles file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'`
/usr/sbin/setfiles: read 423 specifications
/usr/sbin/setfiles: invalid context system_u:object_r:default_t on line number 39
/usr/sbin/setfiles: invalid context system_u:object_r:root_t on line number 44
/usr/sbin/setfiles: invalid context system_u:object_r:home_root_t on line number 53
/usr/sbin/setfiles: invalid context system_u:object_r:user_home_dir_t on line number 54
/usr/sbin/setfiles: invalid context system_u:object_r:user_home_t on line number 55
/usr/sbin/setfiles: invalid context system_u:object_r:mnt_t on line number 59
/usr/sbin/setfiles: invalid context system_u:object_r:var_t on line number 64
/usr/sbin/setfiles: invalid context system_u:object_r:catman_t on line number 65
/usr/sbin/setfiles: invalid context system_u:object_r:catman_t on line number 66
/usr/sbin/setfiles: invalid context system_u:object_r:var_yp_t on line number 67

Nico
magasinage.yahoo.ca From nutello at sweetness.com Tue Mar 30 12:21:21 2004 From: nutello at sweetness.com (Rudi Chiarito) Date: Tue, 30 Mar 2004 14:21:21 +0200 Subject: Postfix and SELinux In-Reply-To: <200403301855.24222.russell@coker.com.au> References: <20040329234259.GD5236@server4.8080.it> <200403301855.24222.russell@coker.com.au> Message-ID: <20040330122121.GA22538@server4.8080.it> On Tue, Mar 30, 2004 at 07:55:24PM +1100, Russell Coker wrote: > What is this "master" file? Please run "find / -inum 1407396" and tell me > what it reports. "master" is one of the subprograms that make up postfix. They all reside in /usr/libexec/postfix and at the moment have a system_u:object_r:lib_t context. With your fix, I still get the name=master message, plus these two: Mar 30 05:56:15 pizza kernel: audit(1080647775.335:0): avc: denied { getattr } for pid=2310 exe=/usr/sbin/postalias path=/dev/pts/2 dev= ino=4 scontext=root:system_r:postfix_master_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file Mar 30 05:56:15 pizza kernel: audit(1080647775.381:0): avc: denied { execute_no_trans } for pid=2312 exe=/bin/bash path=/usr/libexec/postfix/master dev=sda3 ino=1407394 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t tclass=file Thank you very much for your help, Rudi From sds at epoch.ncsc.mil Tue Mar 30 13:11:38 2004 From: sds at epoch.ncsc.mil (Stephen Smalley) Date: Tue, 30 Mar 2004 08:11:38 -0500 Subject: Postfix and SELinux In-Reply-To: <200403301855.24222.russell@coker.com.au> References: <20040329234259.GD5236@server4.8080.it> <200403301855.24222.russell@coker.com.au> Message-ID: <1080652298.20950.17.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2004-03-30 at 03:55, Russell Coker wrote: > Add the following to postfix.te: > allow postfix_master_t postfix_etc_t:file rw_file_perms; Is that truly what you want, i.e. allowing it to rewrite any file with that type? 
Should the aliases.db file be moved into a separate type, so that only it needs to be writable?

> allow postfix_master_t devpts_t:dir search;
>
> > Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied {
> > execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396
> > scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t
> > tclass=file
>
> What is this "master" file? Please run "find / -inum 1407396" and tell me
> what it reports.

Even better, boot with audit=1 so that the supplementary audit records will report the pathname passed to the system call.

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Tue Mar 30 13:16:31 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 30 Mar 2004 08:16:31 -0500
Subject: Pb installing Policy
In-Reply-To: <20040330103012.83527.qmail@web40902.mail.yahoo.com>
References: <20040330103012.83527.qmail@web40902.mail.yahoo.com>
Message-ID: <1080652591.20950.22.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2004-03-30 at 05:30, Nic? wrote:
> I'm having trouble installing policy on my Fedora Core
> 1. I have upgraded the list of packages present on
> Daniel Walsh's ftp server
> (ftp://people.redhat.com/dwalsh/SELinux/) using the
> selUpgrade script.

I think that those packages are obsolete, since Fedora Core 2 test2 is available and comes with SELinux enabled by default. I'd suggest installing test2 instead if you want to experiment with Fedora and SELinux.

--
Stephen Smalley
National Security Agency

From nico33b at yahoo.fr Tue Mar 30 13:31:53 2004
From: nico33b at yahoo.fr (=?iso-8859-1?q?Nic=A4?=)
Date: Tue, 30 Mar 2004 08:31:53 -0500 (EST)
Subject: Pb installing Policy
In-Reply-To: <1080652591.20950.22.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20040330133153.59433.qmail@web40906.mail.yahoo.com>

Is there a mirror site to download FC2 test 2, because I can't connect to download.fedora.redhat.com (too many users!)
Thanks in advance,
Nico

--- Stephen Smalley wrote:
> On Tue, 2004-03-30 at 05:30, Nic? wrote:
> > I'm having trouble installing policy on my Fedora Core 1. I have
> > upgraded the list of packages present on Daniel Walsh's ftp server
> > (ftp://people.redhat.com/dwalsh/SELinux/) using the selUpgrade script.
>
> I think that those packages are obsolete, since Fedora Core 2 test2 is
> available and comes with SELinux enabled by default. I'd suggest
> installing test2 instead if you want to experiment with Fedora and
> SELinux.
>
> --
> Stephen Smalley
> National Security Agency

From sds at epoch.ncsc.mil Tue Mar 30 13:33:48 2004
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Tue, 30 Mar 2004 08:33:48 -0500
Subject: Pb installing Policy
In-Reply-To: <20040330133153.59433.qmail@web40906.mail.yahoo.com>
References: <20040330133153.59433.qmail@web40906.mail.yahoo.com>
Message-ID: <1080653628.20950.24.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2004-03-30 at 08:31, Nic? wrote:
> Is there a mirror site to download FC2 test 2 because
> I can't connect to download.fedora.redhat.com (too
> many users!)

http://fedora.redhat.com/download/mirrors.html

--
Stephen Smalley
National Security Agency

From mattdm at mattdm.org Tue Mar 30 15:32:09 2004
From: mattdm at mattdm.org (Matthew Miller)
Date: Tue, 30 Mar 2004 10:32:09 -0500
Subject: SELinux vs. sudo and usermode
Message-ID: <20040330153209.GA4282@jadzia.bu.edu>

In many ways, the sudo and usermode programs are kludgy attempts to achieve what SE Linux does for real -- separate out root powers. Certain users can be delegated to run only certain programs with root privileges. Sudo also acts as the sysadmin's swiss army knife.
Common practice here is to have all sysadmins use sudo for _anything_ that needs to be run as root. This has the advantage of documenting all actions (by agreement, not enforced, of course), and the convenience of not needing to actually know the root password.

Likewise, the usermode program allows any user to provide the root password in order to run the various system-config-* programs. I have a patch (see ) which allows members of a given group ("wheel", typically) to authenticate with their *own* credentials to gain access to these programs. (Other users are prompted for the root password.) There's an obvious security tradeoff here: instead of needing to know two passwords, one only needs one's own. On the other hand, it removes the need to manage root passwords for desktop users or for large numbers of machines, and is an undeniable convenience.

So, since I'm just diving into SE Linux -- how does this _work_ in the Brave New World? Is sudo obsolete? Is my usermode patch now pointless? Can this be accomplished another way? *Should* it be accomplished at all?

Thanks!

--
Matthew Miller mattdm at mattdm.org
Boston University Linux ------>

From alden at math.ohio-state.edu Tue Mar 30 15:53:32 2004
From: alden at math.ohio-state.edu (Dave Alden)
Date: Tue, 30 Mar 2004 10:53:32 -0500
Subject: selinux and NFS?
Message-ID: <20040330155332.GA3876@math.ohio-state.edu>

Hi,

I'm wondering how selinux is going to interact with non-FC2 machines? My mail server and "home" server are both running RedHat 8.0 for now and this summer I'm planning on taking them to RHEL 3. My users login to 3 different systems (Mac OS X, Solaris and RedHat/Fedora linux) and get the same home directory. Am I going to have to disable selinux?

...thnx,
...dave

From jmorris at redhat.com Tue Mar 30 17:03:38 2004
From: jmorris at redhat.com (James Morris)
Date: Tue, 30 Mar 2004 12:03:38 -0500 (EST)
Subject: selinux and NFS?
In-Reply-To: <20040330155332.GA3876@math.ohio-state.edu>
Message-ID:

On Tue, 30 Mar 2004, Dave Alden wrote:
> Hi,
> I'm wondering how selinux is going to interact with non-FC2 machines? My
> mail server and "home" server are both running RedHat 8.0 for now and this
> summer I'm planning on taking them to RHEL 3. My users login to 3 different
> systems (Mac OS X, Solaris and RedHat/Fedora linux) and get the same home
> directory. Am I going to have to disable selinux?

No, SELinux does nothing to NFS over the wire at this stage. You can specify the security context of an NFS mount locally with the context= option to mount. This is something the kernel only sees locally; the remote server is not aware of anything.

e.g.

# mount -t nfs -o context=system_u:object_r:tmp_t server:/some/path /mnt/wherever

All of the files on the mount will appear to have the context system_u:object_r:tmp_t to SELinux.

- James

--
James Morris

From dwalsh at redhat.com Tue Mar 30 20:52:13 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 30 Mar 2004 15:52:13 -0500
Subject: Should Yum and up2date understand SELinux roles
In-Reply-To: <20040329233750.GA22286@xtl1.xtl.tenegg.com>
References: <20040327012332.GB17815@xtl1.xtl.tenegg.com> <40682E23.4060908@redhat.com> <20040329233750.GA22286@xtl1.xtl.tenegg.com>
Message-ID: <4069DDFD.2030302@redhat.com>

Tom Mitchell wrote:
>On Mon, Mar 29, 2004 at 09:09:39AM -0500, Daniel J Walsh wrote:
>
>>Date: Mon, 29 Mar 2004 09:09:39 -0500
>>From: Daniel J Walsh
>>To: "Fedora SELinux support list for users & developers."
>>Subject: Re: Should Yum and up2date understand SELinux roles
>>Reply-To: "Fedora SELinux support list for users & developers."
>>
>>Tom Mitchell wrote:
>>
>>>Should yum check "id" for sysadm_r role?
>>
>....
>
>>No if unlimitedUsers tunable is set the following rule needs to be added
>>to rpm.te
>>
>>ifdef(`unlimitedUsers', `
>>domain_auto_trans(staff_t, rpm_exec_t, rpm_t)
>>')
>
>Thank you unlimitedUsers was set (will make the change and retest soon).
>Will your small snip of policy be in a future version of rpm.te?

Yes it is in policy-1.9.1-2. Yum update should grab it.

From aleksey at nogin.org Tue Mar 30 23:54:17 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Tue, 30 Mar 2004 15:54:17 -0800
Subject: udev and SELinux.
Message-ID: <406A08A9.80608@nogin.org>

I briefly tried installing udev and it seems that it was creating devices with the default device_t type instead of the one dictated by SELinux policies. Is this a known issue? Should I file a Bugzilla report?

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From rhallyx at mindspring.com Wed Mar 31 03:58:10 2004
From: rhallyx at mindspring.com (Richard Hally)
Date: Tue, 30 Mar 2004 22:58:10 -0500
Subject: install of kernel 2.6.4-1.298 does not work
Message-ID: <406A41D2.4030001@mindspring.com>

When I ran up2date today it appeared to install kernel 2.6.4-1.298. There were no errors reported. But it did not update grub as usual, it did not put any files in /boot, and when I do rpm -q kernel it does not show 2.6.4-1.298 (it shows the other kernels, 253 etc.)

[root at old1 boot]# rpm -q kernel
kernel-2.6.3-2.1.242
kernel-2.6.3-2.1.253
kernel-2.6.3-2.1.246
kernel-2.6.3-2.1.253.2.1

Below are the messages in the up2date log file.
[Tue Mar 30 20:50:28 2004] up2date installing packages: ['GConf2-2.6.0-1', 'GConf2-devel-2.6.0-1', 'Guppi-0.40.3-18', 'Guppi-devel-0.40.3-18', 'ImageMagick-5.5.7.15-1.3', 'ImageMagick-c++-5.5.7.15-1.3', 'ImageMagick-c++-devel-5.5.7.15-1.3', 'ImageMagick-devel-5.5.7.15-1.3', 'ImageMagick-perl-5.5.7.15-1.3', 'Maelstrom-3.0.6-3', 'a2ps-4.13b-37', 'amanda-2.4.4p2-3', 'amanda-client-2.4.4p2-3', 'amanda-devel-2.4.4p2-3', 'amanda-server-2.4.4p2-3', 'anaconda-9.92-0.20040323181753', 'anaconda-runtime-9.92-0.20040323181753', 'apr-0.9.4-11', 'apr-devel-0.9.4-11', 'apr-util-0.9.4-12', 'apr-util-devel-0.9.4-12', 'aumix-2.8-8', 'beecrypt-3.1.0-3', 'beecrypt-devel-3.1.0-3', 'beecrypt-python-3.1.0-3', 'bind-9.2.3-13', 'bind-chroot-9.2.3-13', 'bind-devel-9.2.3-13', 'bind-libs-9.2.3-13', 'bind-utils-9.2.3-13', 'binutils-2.15.90.0.1.1-2', 'busybox-1.00.pre8-2', 'busybox-anaconda-1.00.pre8-2', 'control-center-2.5.4-2', 'dhclient-3.0.1rc12-4', 'dhcp-3.0.1rc12-4', 'dhcp-devel-3.0.1rc12-4', 'esound-0.2.34-1', 'esound-devel-0.2.34-1', 'file-4.07-3', 'freeglut-2.2.0-11', 'freeglut-devel-2.2.0-11', 'gaim-0.75.99-20040328cvs', 'gedit-2.5.92-1', 'gedit-devel-2.5.92-1', 'glibc-2.3.3-20', 'glibc-common-2.3.3-20', 'glibc-devel-2.3.3-20', 'glibc-headers-2.3.3-20', 'glibc-profile-2.3.3-20', 'glibc-utils-2.3.3-20', 'gnome-mime-data-2.4.1-3', 'gnome-vfs2-2.6.0-1', 'gnome-vfs2-devel-2.6.0-1', 'gnome-vfs2-smb-2.6.0-1', 'gok-0.9.10-2', 'gpm-1.20.1-45', 'gpm-devel-1.20.1-45', 'hotplug-2004_03_11-1', 'htdig-3.2.0b5-7', 'htdig-web-3.2.0b5-7', 'httpd-2.0.49-1', 'httpd-devel-2.0.49-1', 'httpd-manual-2.0.49-1', 'hwdata-0.114-1', 'initscripts-7.49-1', 'ipxutils-2.2.4-1', 'kdebase-3.2.1-1.5', 'kdebase-devel-3.2.1-1.5', 'kdegames-3.2.1-2', 'kdegames-devel-3.2.1-2', 'kdenetwork-3.2.1-3', 'kdenetwork-devel-3.2.1-3', 'kdepim-3.2.1-4', 'kdepim-devel-3.2.1-4', 'kernel-2.6.4-1.298', 'kernel-doc-2.6.4-1.298', 'kernel-source-2.6.4-1.298', 'kernel-utils-2.4-9.1.126', 'kinput2-canna-wnn6-v3.1-17', 'less-382-3', 
'libbonobo-2.6.0-2', 'libbonobo-devel-2.6.0-2', 'libselinux-1.6-5', 'libselinux-devel-1.6-5', 'libwnck-2.5.90-3', 'libwnck-devel-2.5.90-3', 'libxml2-2.6.8-1', 'libxml2-devel-2.6.8-1', 'libxml2-python-2.6.8-1', 'lm_sensors-2.8.3-5', 'lm_sensors-devel-2.8.3-5', 'man-1.5m2-5', 'mod_ssl-2.0.49-1', 'modutils-2.4.26-14', 'ncpfs-2.2.4-1', 'neon-0.24.4-4', 'neon-devel-0.24.4-4', 'net-snmp-5.1.1-1', 'net-snmp-devel-5.1.1-1', 'net-snmp-perl-5.1.1-1', 'net-snmp-utils-5.1.1-1', 'nptl-devel-2.3.3-20', 'nscd-2.3.3-20', 'nss_ldap-217-1', 'openssl-0.9.7a-35', 'openssl-devel-0.9.7a-35', 'openssl-perl-0.9.7a-35', 'pcre-4.5-2', 'pcre-devel-4.5-2', 'policy-1.9.1-2', 'policy-sources-1.9.1-2', 'policycoreutils-1.9-16', 'qt-3.3.1-0.7', 'qt-MySQL-3.3.1-0.7', 'qt-ODBC-3.3.1-0.7', 'qt-PostgreSQL-3.3.1-0.7', 'qt-designer-3.3.1-0.7', 'qt-devel-3.3.1-0.7', 'rhythmbox-0.7.1-2', 'rp-pppoe-3.5-12', 'rpmdb-fedora-1.91-0.20040330', 'samba-3.0.3-1.pre1', 'samba-client-3.0.3-1.pre1', 'samba-common-3.0.3-1.pre1', 'samba-swat-3.0.3-1.pre1', 'sash-3.7-3', 'setools-1.2.1-3', 'setools-devel-1.2.1-3', 'setools-gui-1.2.1-3', 'shared-mime-info-0.14-1', 'slocate-2.7-8', 'sylpheed-0.9.10-2', 'system-config-bind-2.0.2-4', 'system-config-date-1.7.3-1', 'system-config-display-1.0.12-1', 'system-config-netboot-0.1.3-4', 'system-config-printer-0.6.98-1', 'system-config-printer-gui-0.6.98-1', 'system-config-samba-1.2.9-1', 'system-config-securitylevel-1.3.9-1', 'system-config-securitylevel-tui-1.3.9-1', 'system-config-services-0.8.8-4', 'tetex-2.0.2-13', 'tetex-afm-2.0.2-13', 'tetex-doc-2.0.2-13', 'tetex-dvips-2.0.2-13', 'tetex-fonts-2.0.2-13', 'tetex-latex-2.0.2-13', 'tetex-xdvi-2.0.2-13', 'udev-023-1', 'util-linux-2.12-15', 'vim-X11-6.2.403-1', 'vim-common-6.2.403-1', 'vim-enhanced-6.2.403-1', 'vim-minimal-6.2.403-1', 'vnc-4.0-1.beta4.9', 'vnc-server-4.0-1.beta4.9', 'w3m-0.5-1', 'webalizer-2.01_10-22', 'xinitrc-3.38-1', 'zip-2.3-22'] [Tue Mar 30 22:05:51 2004] up2date Modifying bootloader config to include the new 
kernel info
[Tue Mar 30 22:05:51 2004] up2date Adding 2.6.4-1.298 to bootloader config
[Tue Mar 30 22:05:51 2004] up2date Adding 2.6.4-1.298 to bootloader config
[Tue Mar 30 22:05:52 2004] up2date Running lilo with the new configuration
[Tue Mar 30 22:05:53 2004] up2date Modifying bootloader config to include the new kernel info
[Tue Mar 30 22:05:53 2004] up2date Adding 2.6.4-1.298 to bootloader config
[Tue Mar 30 22:05:53 2004] up2date Running lilo with the new configuration
[root at old1 boot]#

This shows (supposedly) that all those packages were updated. If the kernel was not installed when the log says it was, how many others were not really updated?

Another problem is that I use grub! (I have never used lilo on this box) and it was not updated. The log shows that the kernel install tried to update lilo.

BTW I am running in enforcing mode as root (with role sysmgr_r):

Where do I start with the bug reports? The kernel 'cause it did not install? up2date because it did not report any errors when something was very wrong? SELinux policy? There are hundreds of avc denied messages...

Please let me know how to proceed with getting my system updated in enforcing mode and if there is additional information I can provide. The messages file is 796261 bytes and I have saved a copy.

thanks,
Richard Hally

From dwalsh at redhat.com Wed Mar 31 05:16:39 2004
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 31 Mar 2004 00:16:39 -0500
Subject: udev and SELinux.
In-Reply-To: <406A08A9.80608@nogin.org>
References: <406A08A9.80608@nogin.org>
Message-ID: <406A5437.4050204@redhat.com>

Aleksey Nogin wrote:
> I briefly tried installing udev and it seems that it was creating
> devices with the default device_t type instead of the one dictated by
> SELinux policies. Is this a known issue? Should I file a Bugzilla report?

Udev is coded to create the context with the correct context. It should work.
Dan

From aleksey at nogin.org Wed Mar 31 07:42:42 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Tue, 30 Mar 2004 23:42:42 -0800
Subject: Is arbitrary access to rpm_t by sysadm_r a security problem?
Message-ID: <406A7672.5000008@nogin.org>

I would imagine sysadm_r can do a lot anyway, but just in case it is a problem, here it is:

% id
uid=500(aleksey) gid=500(aleksey) groups=500(aleksey) context=aleksey:sysadm_r:sysadm_t
% rpm -q rpm --pipe id
uid=500(aleksey) gid=500(aleksey) groups=500(aleksey) context=aleksey:sysadm_r:rpm_t

Basically, the --pipe option to rpm seems to be giving sysadm_r full access to sysadm_r:rpm_t

--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From russell at coker.com.au Wed Mar 31 08:47:24 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 31 Mar 2004 18:47:24 +1000
Subject: Is arbitrary access to rpm_t by sysadm_r a security problem?
In-Reply-To: <406A7672.5000008@nogin.org>
References: <406A7672.5000008@nogin.org>
Message-ID: <200403311847.25218.russell@coker.com.au>

On Wed, 31 Mar 2004 17:42, Aleksey Nogin wrote:
> I would imagine sysadm_r can do a lot anyway, but just in case it is a
> problem, here it is:
>
> % id
> uid=500(aleksey) gid=500(aleksey) groups=500(aleksey)
> context=aleksey:sysadm_r:sysadm_t
> % rpm -q rpm --pipe id
> uid=500(aleksey) gid=500(aleksey) groups=500(aleksey)
> context=aleksey:sysadm_r:rpm_t
>
> Basically, the --pipe option to rpm seems to be giving sysadm_r full
> access to sysadm_r:rpm_t

By design sysadm_r can do everything, including disabling SE Linux. So being able to get rpm_t is no problem.

In future we will provide an option to have a secadm_r role to perform security administration and a sysadm_r role that can only be used for basic sysadm tasks. Such a mode of operation will conflict with the --pipe command for rpm.
When we implement that we will have to do something about the --pipe command, either disable it or have it cause a domain transition back to the calling domain.

Another thing that will need to be done is to have multiple contexts for running rpm for different package signatures. This will probably require having the current rpm functionality split into two executables. This means that one can be used for parsing the command line, checking the signature, and running the --pipe operation. The other could do the real work.

These are just some wild ideas. Hopefully Jeff will be available to give some better ones.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

From pauln at truemesh.com Wed Mar 31 09:37:54 2004
From: pauln at truemesh.com (Paul Nasrat)
Date: Wed, 31 Mar 2004 09:37:54 +0000
Subject: Is arbitrary access to rpm_t by sysadm_r a security problem?
In-Reply-To: <200403311847.25218.russell@coker.com.au>
References: <406A7672.5000008@nogin.org> <200403311847.25218.russell@coker.com.au>
Message-ID: <20040331093753.GD23468@lichen.truemesh.com>

On Wed, Mar 31, 2004 at 06:47:24PM +1000, Russell Coker wrote:
> On Wed, 31 Mar 2004 17:42, Aleksey Nogin wrote:
> > I would imagine sysadm_r can do a lot anyway, but just in case it is a
> > problem, here it is:
> >
> > % id
> > uid=500(aleksey) gid=500(aleksey) groups=500(aleksey)
> > context=aleksey:sysadm_r:sysadm_t
> > % rpm -q rpm --pipe id
> > uid=500(aleksey) gid=500(aleksey) groups=500(aleksey)
> > context=aleksey:sysadm_r:rpm_t
> >
> > Basically, the --pipe option to rpm seems to be giving sysadm_r full
> > access to sysadm_r:rpm_t
>
> Another thing that will need to be done is to have multiple contexts for
> running rpm for different package signatures.

Or even signatures determining if scripts/triggers are allowed.
Is the current plan to make the trust/role mapping configurable, and where would this be done - within rpmdb or outside? I'm curious as to how other implementations work - is this implemented for Debian at all, and how?

> This will probably require
> having the current rpm functionality split into two executables. This means
> that one can be used for parsing the command line, checking the signature,
> and running the --pipe operation. The other could do the real work.

How does this tie in with other uses of rpmlib - eg rpm-python or the C bindings? Most people won't be calling rpm directly.

Paul

From aleksey at nogin.org Wed Mar 31 10:11:56 2004
From: aleksey at nogin.org (Aleksey Nogin)
Date: Wed, 31 Mar 2004 02:11:56 -0800
Subject: Is arbitrary access to rpm_t by sysadm_r a security problem?
In-Reply-To: <20040331093753.GD23468@lichen.truemesh.com>
References: <406A7672.5000008@nogin.org> <200403311847.25218.russell@coker.com.au> <20040331093753.GD23468@lichen.truemesh.com>
Message-ID: <406A996C.2020304@nogin.org>

On 31.03.2004 01:37, Paul Nasrat wrote:
>>This will probably require
>>having the current rpm functionality split into two executables. This means
>>that one can be used for parsing the command line, checking the signature,
>>and running the --pipe operation. The other could do the real work.
>
> How does this tie in with other uses of rpmlib - eg rpm-python or the C
> bindings? Most people won't be calling rpm directly.

I am guessing that the "internal" trusted executable could be called from rpmlib and be the one doing all the stuff that requires special permissions, and this way it would not matter what "front end" (rpm/apt/yum/up2date/etc) is used. I have no idea whether the current rpmlib API would support something like this, so I could be wrong.
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907

From tjb at unh.edu Wed Mar 31 15:50:48 2004
From: tjb at unh.edu (Thomas J. Baker)
Date: Wed, 31 Mar 2004 10:50:48 -0500
Subject: install of kernel 2.6.4-1.298 does not work
In-Reply-To: <406A41D2.4030001@mindspring.com>
References: <406A41D2.4030001@mindspring.com>
Message-ID: <1080748248.27486.8.camel@wintermute.sr.unh.edu>

On Tue, 2004-03-30 at 22:58, Richard Hally wrote:
> when I ran up2date today it appeared to install kernel 2.6.4-1.298.
> There were no errors reported. But it did not update grub as usual, it
> did not put any files in /boot, and when I do rpm -q kernel it does not
> show 2.6.4-1.298 (It shows the other kernels 253 etc)
> [root at old1 boot]# rpm -q kernel
> kernel-2.6.3-2.1.242
> kernel-2.6.3-2.1.253
> kernel-2.6.3-2.1.246
> kernel-2.6.3-2.1.253.2.1

I had similar problems. Clean install of test2 with selinux in enforcing mode followed by a yum update. Many of the postinstall scripts reported failures and after a reboot (to boot the new kernel that didn't get installed) lots of things were very broken. Permissions on directories in /var were all messed up (as root I couldn't cd to /var/log to try to figure out what was going on). So I did a clean install of test2 again, setting selinux to warn only, and things are much happier. It seems like the default policy of selinux kept many files from being updated properly.

Let me know if you file a bug report so I can add to it.
tjb

--
Thomas Baker                    email: tjb at unh.edu
Systems Programmer
Research Computing Center       voice: (603) 862-4490
University of New Hampshire     fax: (603) 862-1761
332 Morse Hall
Durham, NH 03824 USA            http://wintermute.sr.unh.edu/~tjb

From gene at czarc.net Wed Mar 31 16:46:51 2004
From: gene at czarc.net (Gene Czarcinski)
Date: Wed, 31 Mar 2004 11:46:51 -0500
Subject: install of kernel 2.6.4-1.298 does not work
In-Reply-To: <1080748248.27486.8.camel@wintermute.sr.unh.edu>
References: <406A41D2.4030001@mindspring.com> <1080748248.27486.8.camel@wintermute.sr.unh.edu>
Message-ID: <200403311146.51488.gene@czarc.net>

On Wednesday 31 March 2004 10:50, Thomas J. Baker wrote:
> On Tue, 2004-03-30 at 22:58, Richard Hally wrote:
> > when I ran up2date today it appeared to install kernel 2.6.4-1.298.
> > There were no errors reported. But it did not update grub as usual, it
> > did not put any files in /boot, and when I do rpm -q kernel it does not
> > show 2.6.4-1.298 (It shows the other kernels 253 etc)
> > [root at old1 boot]# rpm -q kernel
> > kernel-2.6.3-2.1.242
> > kernel-2.6.3-2.1.253
> > kernel-2.6.3-2.1.246
> > kernel-2.6.3-2.1.253.2.1
>
> I had similar problems. Clean install of test2 with selinux in enforcing
> mode followed by a yum update. Many of the postinstall scripts reported
> failures and after a reboot (to boot the new kernel that didn't get
> installed) lots of things were very broken. Permissions on directories
> in /var were all messed up (as root I couldn't cd to /var/log to try to
> figure out what was going on). So I did a clean install of test2 again,
> setting selinux to warn only, and things are much happier. It seems like
> the default policy of selinux kept many files from being updated
> properly.
>
> Let me know if you file a bug report so I can add to it.
This is a selinux - rpm problem ... see:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119538

Gene
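The Postfix thread above quotes the kernel's avc: denied records, and Richard Hally's report speaks of hundreds of them in a 796261-byte messages file. As an added example, not code from any poster on this list, the following Python script parses that 2.6-era record format (including the empty dev= value and the name=-only records one gets without audit=1, as Stephen Smalley notes) and aggregates the denials by source domain, target type and object class into candidate allow rules, which is the usual first step before deciding whether a rule is missing or a file is mislabelled and filing a bug. The three sample records are re-typed from the thread; the trailing unrelated kernel line is constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the three avc records quoted in the Postfix
# thread, plus one unrelated kernel line that must be ignored.
SAMPLE_MESSAGES = """\
Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied { execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t tclass=file
Mar 30 05:56:15 pizza kernel: audit(1080647775.335:0): avc: denied { getattr } for pid=2310 exe=/usr/sbin/postalias path=/dev/pts/2 dev= ino=4 scontext=root:system_r:postfix_master_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Mar 30 05:56:15 pizza kernel: audit(1080647775.381:0): avc: denied { execute_no_trans } for pid=2312 exe=/bin/bash path=/usr/libexec/postfix/master dev=sda3 ino=1407394 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t tclass=file
Mar 30 05:56:16 pizza kernel: (constructed) unrelated line that is not an avc record
"""

# Record shape: audit(<seconds>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<stamp>[\d.]+):(?P<serial>\d+)\): avc: +denied +"
    r"\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$"
)
# Values may be empty ("dev= ino=4" above), hence \S* rather than \S+.
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class Denial:
    stamp: float
    perms: tuple   # e.g. ("execute",)
    fields: dict   # pid, exe, path/name, dev, ino, scontext, tcontext, tclass


def parse_line(line):
    """Return a Denial for an avc record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return Denial(float(m.group("stamp")), tuple(m.group("perms").split()), fields)


def parse_messages(text):
    return [d for d in map(parse_line, text.splitlines()) if d is not None]


def type_of(context):
    """'root:system_r:postfix_master_t' -> 'postfix_master_t'."""
    return context.split(":")[2]


def summarize(denials):
    """Group denials by (source domain, target type, class).

    User and role are dropped from the key because a type-enforcement
    allow rule is written on types alone. Object names are kept so the
    reader can spot a mislabelled target (a postfix binary carrying
    lib_t) rather than a genuinely missing rule; without audit=1 the
    record may carry only name=, as noted in the thread.
    """
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "objects": set()})
    for d in denials:
        key = (type_of(d.fields["scontext"]), type_of(d.fields["tcontext"]),
               d.fields["tclass"])
        g = groups[key]
        g["perms"].update(d.perms)
        g["count"] += 1
        obj = d.fields.get("path") or d.fields.get("name")
        if obj:
            g["objects"].add(obj)
    return dict(groups)


def candidate_rules(groups):
    """Render each group as the allow rule that would silence it: a triage
    aid in the spirit of audit2allow, i.e. a question to ask of the policy,
    not a rule to paste in unread."""
    lines = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        objects = ", ".join(sorted(g["objects"])) or "unknown"
        lines.append("allow %s %s:%s %s;  # %d denial(s), objects: %s"
                     % (src, tgt, cls, perm_text, g["count"], objects))
    return lines


if __name__ == "__main__":
    for rule in candidate_rules(summarize(parse_messages(SAMPLE_MESSAGES))):
        print(rule)
```

Pass the text of a real messages file to parse_messages to triage it; a group whose objects are program binaries carrying lib_t (as with postfix's master here) points at relabelling the files rather than at adding the rule.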