A few permission problems

Daniel J Walsh dwalsh at redhat.com
Mon Jul 18 18:39:39 UTC 2005


Nicklas Norling wrote:

> Hi.
>
> I've got a system updated from old redhat releases to FC2-3 and now 4.
> I've just downloaded selinux-policy-targeted and have been able to fix 
> most of
> my problems with setsebool etc. while in permissive mode. However a 
> few more
> difficult issues still intrigue me and I'd love it if someone would 
> offer some help.
>
> First:
> [root at spock ~]# audit2allow -i /var/log/messages -l
> allow dovecot_auth_t selinux_config_t:file { getattr read };
> allow httpd_sys_script_t var_t:dir getattr;
> allow named_t unconfined_t:fifo_file read;
> allow smbd_t selinux_config_t:dir search;
> allow smbd_t selinux_config_t:file { getattr read };
> allow webalizer_t home_root_t:dir search;
> allow webalizer_t user_home_dir_t:dir search;
>
>
> The dovecot-auth problem seems to occur with every new connection to 
> dovecot:
>
> Jul 16 14:00:16 spock kernel: audit(1121515216.305:122): avc:  denied  
> { read } for  pid=21686 comm="dovecot-auth" name="config" dev=hda3 
> ino=394549 scontext=root:system_r:dovecot_auth_t 
> tcontext=system_u:object_r:selinux_config_t tclass=file
> Jul 16 14:00:16 spock kernel: audit(1121515216.305:123): avc:  denied  
> { getattr } for  pid=21686 comm="dovecot-auth" name="config" dev=hda3 
> ino=394549 scontext=root:system_r:dovecot_auth_t 
> tcontext=system_u:object_r:selinux_config_t tclass=file
>
These would be suppressed by a dontaudit rule if you were running in 
enforcing.  Always attempt to reproduce AVC messages in enforcing mode, 
since these are the ones we will fix.  Permissive mode should only be 
run temporarily to get around a problem.  Targeted policy gives a lot of 
"False" avc messages.

>
> The httpd problem appears to be python related. Not sure which of my 
> web applications is triggering it
> (if any). Maybe MoinMoin Wiki but I can't seem to trigger it myself, 
> maybe a search spider is triggering it.
>
> Jul 16 02:00:54 spock kernel: audit(1121472054.557:119): avc:  denied  
> { getattr } for  pid=20378 comm="python" name="var" dev=hda3 
> ino=163841 scontext=root:system_r:httpd_sys_script_t 
> tcontext=system_u:object_r:var_t tclass=dir
>
Yes, the question would be which file/dir it is trying to read under /var.

>
> named is denied some fun?
>
> Jul 14 15:39:10 spock named[1771]: exiting
> Jul 14 15:39:12 spock kernel: audit(1121348352.535:98): avc:  denied  
> { read } for  pid=16108 comm="named-checkconf" name
> ="[196624]" dev=pipefs ino=196624 scontext=root:system_r:named_t 
> tcontext=root:system_r:unconfined_t tclass=fifo_file
> Jul 14 15:39:12 spock named[16110]: starting BIND 9.3.1 -u named
>
Is this only happening on a yum update/RPM install?

>
> Samba appears to want to read in the selinux config file? Every 
> access to a home directory triggers this despite the correct sebool 
> being set.
>
> Jul 15 02:43:18 spock kernel: audit(1121388198.077:104): avc:  denied  
> { search } for  pid=17122 comm="smbd" name="selinu
> x" dev=hda3 ino=394114 scontext=system_u:system_r:smbd_t 
> tcontext=system_u:object_r:selinux_config_t tclass=dir
> Jul 15 02:43:18 spock kernel: audit(1121388198.077:105): avc:  denied  
> { read } for  pid=17122 comm="smbd" name="config"
> dev=hda3 ino=394549 scontext=system_u:system_r:smbd_t 
> tcontext=system_u:object_r:selinux_config_t tclass=file
> Jul 15 02:43:18 spock kernel: audit(1121388198.078:106): avc:  denied  
> { getattr } for  pid=17122 comm="smbd" name="config" dev=hda3 
> ino=394549 scontext=system_u:system_r:smbd_t 
> tcontext=system_u:object_r:selinux_config_t tclass=file
>
These should be dontaudited.  Again run under enforcing mode.

>
> webalizer is being asked to put its resulting webpages into a local 
> user's web directory in support of per-user usage stats. The user's 
> webfolder has the correct objects set for httpd security.
>
> Jul 11 04:02:17 spock kernel: audit(1121047337.762:57): avc:  denied  
> { search } for  pid=3409 comm="webalizer" name="home" dev=hda3 
> ino=819203 scontext=system_u:system_r:webalizer_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> Jul 11 04:02:17 spock kernel: audit(1121047337.762:58): avc:  denied  
> { search } for  pid=3409 comm="webalizer" name="joakim" dev=hda3 
> ino=458781 scontext=system_u:system_r:webalizer_t 
> tcontext=user_u:object_r:user_home_dir_t tclass=dir
>
You will need to write your own policy for this.  Alternatively you 
could create a directory under /var/www with the label 
httpd_sys_content_t and allow webalizer to write there and allow 
users to read it.

> In addition to this I have a shared folder with 'public' material, 
> files that I offer for download/upload. This folder is shared to my 
> users with ftp as well as samba. Is this even possible to do with 
> selinux?
>
> Jul 16 15:24:31 spock kernel: audit(1121520271.993:127): avc:  denied  
> { search } for  pid=21818 comm="smbd" name="/" dev=hdc1 ino=2 
> scontext=system_u:system_r:smbd_t 
> tcontext=system_u:object_r:ftpd_anon_t tclass=dir
> Jul 16 15:24:32 spock kernel: audit(1121520272.060:128): avc:  denied  
> { getattr } for  pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 
> scontext=system_u:system_r:smbd_t 
> tcontext=system_u:object_r:ftpd_anon_t tclass=dir
> Jul 16 15:24:32 spock kernel: audit(1121520272.156:129): avc:  denied  
> { read } for  pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 
> scontext=system_u:system_r:smbd_t 
> tcontext=system_u:object_r:ftpd_anon_t tclass=dir
>
> audit2allow suggests:
> allow smbd_t ftpd_anon_t:dir { getattr read search };
>
You could add this rule to your local.te file.  We have discussed this 
in the past and maybe a boolean allowing all apps to read "shared data" 
would work.

> Grateful for any tips, hoping to enforce soon!
> /Nicke
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
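Added example, not part of the mail above: the thread runs audit2allow over /var/log/messages and pastes its output, and Dan's reply is to drop one of those rules into local.te once it has been reproduced in enforcing mode. The shell function below does the same translation by hand, from raw kernel AVC lines to merged, sorted allow rules, so you can see exactly how a denial line maps onto a rule and can triage a handful of lines without the tool. The sample input is four of the denials quoted in the mail rejoined onto single lines as syslog writes them; the function name and the three-field context layout (user:role:type, as on this FC4 box) are assumptions of this example.

```shell
#!/bin/sh
# avc_to_allow: read kernel AVC denial lines on stdin and emit
# audit2allow-style rules, one per (source type, target type, class),
# with the denied permissions merged and sorted.
#
# Assumes FC4-era three-field contexts (user:role:type) as seen in the
# mail; with an MLS range appended the type field would also carry it.
avc_to_allow() {
    # 1. pull out: source type, target type, class, permission list
    LC_ALL=C sed -n \
        's/.*{ *\([^}]*\)}.*scontext=[^:]*:[^:]*:\([^ ]*\) tcontext=[^:]*:[^:]*:\([^ ]*\) tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    # 2. one line per (src tgt:class perm) so duplicates can be collapsed
    awk '{ for (i = 4; i <= NF; i++) print $1, $2 ":" $3, $i }' |
    LC_ALL=C sort -u |
    # 3. fold consecutive lines with the same key into one allow rule
    awk '
        function emit() {
            n = split(perms, p, " ")
            if (n == 1) print "allow " key " " p[1] ";"
            else        print "allow " key " {" perms " };"
        }
        { k = $1 " " $2 }
        k != key { if (key != "") emit(); key = k; perms = "" }
        { perms = perms " " $3 }
        END { if (key != "") emit() }'
}

# Constructed sample: four denials quoted in the mail, each on one line.
SAMPLE_AVC='Jul 16 02:00:54 spock kernel: audit(1121472054.557:119): avc:  denied  { getattr } for  pid=20378 comm="python" name="var" dev=hda3 ino=163841 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Jul 16 15:24:31 spock kernel: audit(1121520271.993:127): avc:  denied  { search } for  pid=21818 comm="smbd" name="/" dev=hdc1 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
Jul 16 15:24:32 spock kernel: audit(1121520272.060:128): avc:  denied  { getattr } for  pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
Jul 16 15:24:32 spock kernel: audit(1121520272.156:129): avc:  denied  { read } for  pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir'

# Usage on the sample, or on a live box:
#   printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
#   grep 'avc:  denied' /var/log/messages | avc_to_allow
```

The output for the sample is the two rules that appear in the mail's own audit2allow listing for these domains, which is the point: a rule is nothing more than the three types and the union of permissions from the denial lines, so before adding one to local.te it is worth checking that every contributing line was produced in enforcing mode, since, as the reply notes, permissive-mode runs on targeted policy also log accesses that a dontaudit rule would otherwise hide.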
