A few permission problems

Nicklas Norling exinor at exinor.net
Tue Jul 19 11:12:53 UTC 2005


Daniel J Walsh wrote:

> Nicklas Norling wrote:
>
>> Hi.
>>
>> I've got a system updated from old redhat releases to FC2-3 and now 4.
>> I've just downloaded selinux-policy-targeted and have been able to fix most of
>> my problems with setsebool etc. while in permissive mode. However a few more
>> difficult issues still intrigue me and I'd love it if someone would
>> offer some help.
>>
>> <snip>
>
>>
>> The httpd problem appears to be python related. Not sure which of my 
>> web applications is triggering it
>> (if any). Maybe MoinMoin Wiki but I can't seem to trigger it myself, 
>> maybe a search spider is triggering it.
>>
>> Jul 16 02:00:54 spock kernel: audit(1121472054.557:119): avc:  
>> denied  { getattr } for  pid=20378 comm="python" name="var" dev=hda3 
>> ino=163841 scontext=root:system_r:httpd_sys_script_t 
>> tcontext=system_u:object_r:var_t tclass=dir
>>
> Yes the question would be which file/dir is it trying to  read under /var
>
Indeed, I shall keep my eyes open and report back if I can figure it out.

>>
>> named is denied some fun?
>>
>> Jul 14 15:39:10 spock named[1771]: exiting
>> Jul 14 15:39:12 spock kernel: audit(1121348352.535:98): avc:  denied  
>> { read } for  pid=16108 comm="named-checkconf" name
>> ="[196624]" dev=pipefs ino=196624 scontext=root:system_r:named_t 
>> tcontext=root:system_r:unconfined_t tclass=fifo_file
>> Jul 14 15:39:12 spock named[16110]: starting BIND 9.3.1 -u named
>>
> Is this only happening on a yum update/RPM install?
>
Yes it does. I read between the line(s) that this is expected. Still looks 
worrying to a noob like myself.

> <snip>
>
>>
>> webalizer is being asked to put its resulting webpages into a local 
>> user's web directory in support of per user usage stats. The user's 
>> webfolder has the correct objects set for httpd security.
>>
>> Jul 11 04:02:17 spock kernel: audit(1121047337.762:57): avc:  denied  
>> { search } for  pid=3409 comm="webalizer" name="home" dev=hda3 
>> ino=819203 scontext=system_u:system_r:webalizer_t 
>> tcontext=system_u:object_r:home_root_t tclass=dir
>> Jul 11 04:02:17 spock kernel: audit(1121047337.762:58): avc:  denied  
>> { search } for  pid=3409 comm="webalizer" name="joakim" dev=hda3 
>> ino=458781 scontext=system_u:system_r:webalizer_t 
>> tcontext=user_u:object_r:user_home_dir_t tclass=dir
>>
> You will need to write your own policy for this.  Alternatively you 
> could create a directory under /var/www with the
> label httpd_sys_content_t and allow webalizer to write there and allow 
> users to read it.
>
Hmm, ok. Maybe webalizer should have a boolean for accessing http home 
dir provided httpd_enable_homedirs=1?
Or maybe my way of doing this is so odd it's worth the trouble.

>> In addition to this I have a shared folder with 'public' material, 
>> files that I offer for download/upload. This folder is shared to 
>> my users with ftp as well as samba. Is this even possible to do with 
>> selinux?
>>
>> Jul 16 15:24:31 spock kernel: audit(1121520271.993:127): avc:  
>> denied  { search } for  pid=21818 comm="smbd" name="/" dev=hdc1 ino=2 
>> scontext=system_u:system_r:smbd_t 
>> tcontext=system_u:object_r:ftpd_anon_t tclass=dir
>> Jul 16 15:24:32 spock kernel: audit(1121520272.060:128): avc:  
>> denied  { getattr } for  pid=21818 comm="smbd" name="pub" dev=hdc1 
>> ino=32769 scontext=system_u:system_r:smbd_t 
>> tcontext=system_u:object_r:ftpd_anon_t tclass=dir
>> Jul 16 15:24:32 spock kernel: audit(1121520272.156:129): avc:  
>> denied  { read } for  pid=21818 comm="smbd" name="pub" dev=hdc1 
>> ino=32769 scontext=system_u:system_r:smbd_t 
>> tcontext=system_u:object_r:ftpd_anon_t tclass=dir
>>
>> audit2allow suggests:
>> allow smbd_t ftpd_anon_t:dir { getattr read search };
>>
> You could add this rule to your local.te file.  We have discussed this 
> in the past and maybe a boolean allowing all apps to read "shared 
> data" would work.
>
Ok, I think adding the rule is the way to go for me. Some more learning 
to do.
I would encourage a boolean for shared data location. I think labeling a 
folder and its subcontent with a specific label and then having different 
services be able to use it might be a start. That way I could disallow 
smb the rights but allow ftpd and httpd (as an example). I think that 
would be a great improvement from my point of view.

Since 01:22:00 this day my server is in enforcing mode. The only thing 
I've found so far is sendmail being denied access to urandom and random. 
I have sendmail set up with SMTP AUTH as well as certs for performing 
STARTTLS with any TLS-able connecting MTA.

/var/log/messages
Jul 19 08:09:38 spock kernel: audit(1121753378.808:188): avc:  denied  { 
getattr } for  pid=20520 comm="sendmail" name="urandom" dev=tmpfs 
ino=846 
scontext=root:system_r:system_mail_t tcontext=system_u:object_r:urandom_device_t 
tclass=chr_file
Jul 19 08:09:38 spock kernel: audit(1121753378.808:189): avc:  denied  { 
getattr } for  pid=20520 comm="sendmail" name="random" dev=tmpfs ino=844 
scontext=root:system_r:system_mail_t tcontext=system_u:object_r:random_device_t 
tclass=chr_file

/var/log/maillog
Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: from=<edited>, 
size=874, class=0, nrcpts=1, 
msgid=<bd1035dcc05d7b2d6a16b046ae4bdd04 at www.exinor.net>, 
bodytype=8BITMIME, relay=apache at localhost
Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: STARTTLS=client, 
error: connect failed=-1, SSL_error=5, timedout=0, errno=2
Jul 19 08:09:38 spock sendmail[20520]: ruleset=tls_server, 
arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0TLS handshake.
Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: to=<edited>, 
ctladdr=<edited> (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, 
pri=30874, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 
4.7.0 TLS handshake.
Jul 19 08:09:38 spock sendmail[20521]: STARTTLS=server, error: accept 
failed=0, SSL_error=5, timedout=0,errno=0
Jul 19 08:09:38 spock sendmail[20521]: j6J69cai020521: localhost 
[127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

audit2allow -d -l
allow system_mail_t random_device_t:chr_file getattr;
allow system_mail_t urandom_device_t:chr_file getattr;

Policy rpm installed: selinux-policy-targeted-1.25.1-9.noarch.rpm

Apart from this DoS on sendmail my system appears to be working as expected.

Personally I'd love to see permissive mode similar to enforcing when it 
comes to AVCs. I don't like the idea of turning on enforcing to see 
things not work and then turn it off. Much rather would I use permissive 
mode to investigate what will go wrong so I can fix problems before I 
DoS myself.

Thanks a lot for all your help Daniel, I sure appreciate it!
/Nicke
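The AVC-denial-to-allow-rule translation that audit2allow performs in the thread above, as an added example (not code from the thread or from audit2allow itself): it parses kernel audit lines in the FC4 /var/log/messages format, merges the denied permissions per (source type, target type, object class), and emits the rules in local.te syntax; the sample lines are constructed to match the smbd and sendmail denials quoted in the message.

```python
import re
from collections import defaultdict

# Constructed sample lines in the FC4 kernel audit format used in the thread.
SAMPLE_AVC_LINES = [
    'Jul 16 15:24:31 spock kernel: audit(1121520271.993:127): avc:  denied  { search } for  pid=21818 comm="smbd" name="/" dev=hdc1 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir',
    'Jul 16 15:24:32 spock kernel: audit(1121520272.060:128): avc:  denied  { getattr } for  pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir',
    'Jul 16 15:24:32 spock kernel: audit(1121520272.156:129): avc:  denied  { read } for  pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir',
    'Jul 19 08:09:38 spock kernel: audit(1121753378.808:188): avc:  denied  { getattr } for  pid=20520 comm="sendmail" name="urandom" dev=tmpfs ino=846 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file',
    'Jul 19 08:09:38 spock kernel: audit(1121753378.808:189): avc:  denied  { getattr } for  pid=20520 comm="sendmail" name="random" dev=tmpfs ino=844 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:random_device_t tclass=chr_file',
]

# Only the pieces a policy rule needs: the denied permissions, both
# security contexts and the object class. Everything else is skipped lazily.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type (no MLS field on FC4); the type is the third field.
    stype = m.group('scon').split(':')[2]
    ttype = m.group('tcon').split(':')[2]
    return stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())

def allow_rules(lines):
    """Merge denials per (source, target, class) and render local.te allow rules."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # non-AVC noise such as the named/sendmail daemon lines
        stype, ttype, tclass, perms = parsed
        merged[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        ordered = sorted(perms)
        # audit2allow writes a lone permission bare and several inside braces.
        perm_str = ordered[0] if len(ordered) == 1 else '{ ' + ' '.join(ordered) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_str};')
    return rules

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVC_LINES):
        print(rule)
```

Each emitted rule widens a domain's access for good, so review what the source type really needs before pasting it into local.te; for the webalizer case Daniel's relabelling suggestion avoids the rule entirely.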