A few permission problems
Nicklas Norling
exinor at exinor.net
Tue Jul 19 11:12:53 UTC 2005
Daniel J Walsh wrote:
> Nicklas Norling wrote:
>
>> Hi.
>>
>> I've got a system updated from old redhat releases to FC2-3 and now 4.
>> I've just downloaded selinux-policy-targeted and have been able to
>> fix most of
>> my problems with setsebool etc. while in permissive mode. However a
>> few more
>> difficult issues still intrigues me and I'd love it if someone would
>> offer some help.
>>
>> <snip>
>
>>
>> The httpd problem appears to be python related. Not sure which of my
>> web applications is triggering it
>> (if any). Maybe MoinMoin Wiki but I can't seem to trigger it myself,
>> maybe a search spider is triggering it.
>>
>> Jul 16 02:00:54 spock kernel: audit(1121472054.557:119): avc:
>> denied { getattr } for pid=20378 comm="python" name="var" dev=hda3
>> ino=163841 scontext=root:system_r:httpd_sys_script_t
>> tcontext=system_u:object_r:var_t tclass=dir
>>
> Yes the question would be which file/dir is it trying to read under /var
>
Indeed, I shall keep my eyes open and report back if I can figure it out.
>>
>> named is denied some fun?
>>
>> Jul 14 15:39:10 spock named[1771]: exiting
>> Jul 14 15:39:12 spock kernel: audit(1121348352.535:98): avc: denied
>> { read } for pid=16108 comm="named-checkconf" name
>> ="[196624]" dev=pipefs ino=196624 scontext=root:system_r:named_t
>> tcontext=root:system_r:unconfined_t tclass=fifo_file
>> Jul 14 15:39:12 spock named[16110]: starting BIND 9.3.1 -u named
>>
> Is this only happening on a yum update/RPM install?
>
Yes it does. I read between the line(s) that is expected. Still looks
worrying to a noob like myself.
> <snip>
>
>>
>> webalizer is being asked to put it's resulting webpages into a local
>> users web directory in support of per user usage stat. The users
>> webfolder has the correct objects set for httpd security.
>>
>> Jul 11 04:02:17 spock kernel: audit(1121047337.762:57): avc: denied
>> { search } for pid=3409 comm="webalizer" name="home" dev=hda3
>> ino=819203 scontext=system_u:system_r:webalizer_t
>> tcontext=system_u:object_r:home_root_t tclass=dir
>> Jul 11 04:02:17 spock kernel: audit(1121047337.762:58): avc: denied
>> { search } for pid=3409 comm="webalizer" name="joakim" dev=hda3
>> ino=458781 scontext=system_u:system_r:webalizer_t
>> tcontext=user_u:object_r:user_home_dir_t tclass=dir
>>
> You will need to write your own policy for this. Alternatively you
> could create a directory under /var/www with the
> label httpd_sys_content_t and allow webalizer to write their and allow
> users to read it.
>
Hmm, ok. Maybe webalizer should have a boolean for accessing http home
dir provided httpd_enable_homedirs=1?
Or maybe my way of doing this is so odd it's worth the trouble.
>> tclass=file
>> In addition to this I have a shared folder with 'public' material,
>> files that I offer to for download/upload. This folder is shared to
>> my users with ftp as well as samba. Is this even possible to do with
>> selinux?
>>
>> Jul 16 15:24:31 spock kernel: audit(1121520271.993:127): avc:
>> denied { search } for pid=21818 comm="smbd" name="/" dev=hdc1 ino=2
>> scontext=system_u:system_r:smbd_t
>> tcontext=system_u:object_r:ftpd_anon_t tclass=dir
>> Jul 16 15:24:32 spock kernel: audit(1121520272.060:128): avc:
>> denied { getattr } for pid=21818 comm="smbd" name="pub" dev=hdc1
>> ino=32769 scontext=system_u:system_r:smbd_t
>> tcontext=system_u:object_r:ftpd_anon_t tclass=dir
>> Jul 16 15:24:32 spock kernel: audit(1121520272.156:129): avc:
>> denied { read } for pid=21818 comm="smbd" name="pub" dev=hdc1
>> ino=32769 scontext=system_u:system_r:smbd_t
>> tcontext=system_u:object_r:ftpd_anon_t tclass=dir
>>
>> audit2allow suggests:
>> allow smbd_t ftpd_anon_t:dir { getattr read search };
>>
> You could add this rule to your local.te file. We have discussed this
> in the past and maybe a boolean allowing all apps to read "shared
> data" would work.
>
Ok, I think adding the rule is the way to go for me. Some more learning
to do.
I would encourage a boolean for shared data location. I think labeling a
folder and it's subcontent with a specific label and then have different
services be able to use it might be a start. That way I could disallow
smb the rights but allow ftpd and httpd (as an example). I think that
would be a great improvment from my point of view.
Since 01:22:00 this day my server is in enforce mode. The only thing
I've found so far is sendmail being denied access to urandom and random.
I have sendmail setup with SMTP AUTH as well as certs for performing
STARTTLS with any TLS-able connecting MTA.
/var/log/messages
Jul 19 08:09:38 spock kernel: audit(1121753378.808:188): avc: denied {
getattr } for pid=20520 comm="sendmail" name="urandom" dev=tmpfs
ino=846
scontext=root:system_r:system_mail_ttcontext=system_u:object_r:urandom_device_t
tclass=chr_file
Jul 19 08:09:38 spock kernel: audit(1121753378.808:189): avc: denied {
getattr } for pid=20520 comm="sendmail" name="random" dev=tmpfs ino=844
scontext=root:system_r:system_mail_ttcontext=system_u:object_r:random_device_t
tclass=chr_file
/var/log/maillog
Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: from=<edited>,
size=874, class=0, nrcpts=1,
msgid=<bd1035dcc05d7b2d6a16b046ae4bdd04 at www.exinor.net>,
bodytype=8BITMIME, relay=apache at localhost
Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: STARTTLS=client,
error: connect failed=-1, SSL_error=5, timedout=0, errno=2
Jul 19 08:09:38 spock sendmail[20520]: ruleset=tls_server,
arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0TLS handshake.
Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: to=<edited>,
ctladdr=<edited> (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay,
pri=30874, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403
4.7.0 TLS handshake.
Jul 19 08:09:38 spock sendmail[20521]: STARTTLS=server, error: accept
failed=0, SSL_error=5, timedout=0,errno=0
Jul 19 08:09:38 spock sendmail[20521]: j6J69cai020521: localhost
[127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
audit2allow -d -l
allow system_mail_t random_device_t:chr_file getattr;
allow system_mail_t urandom_device_t:chr_file getattr;
Policy rpm installed: selinux-policy-targeted-1.25.1-9.noarch.rpm
Apart from this DoS on sendmail my system appears to be working as expected.
Personally I'd love to see permissive mode similar to enforcing when it
come's to avc's. I don't like the idea of turning on enforcing to see
things not work and then turn it off. Much rather would I use permissive
mode to investigate what will go wrong so I can fix problems before I
DoS myself.
Thanks a lot for all your help Daniel, I sure appretiate it!
/Nicke
More information about the fedora-selinux-list
mailing list