From daniela.gradim at fortevisiomedica.com Tue Mar 1 09:17:34 2005 
From: daniela.gradim at fortevisiomedica.com (Daniela Gradim)
Date: Tue, 01 Mar 2005 10:17:34 +0100
Subject: Problem running BackupPC with selinux
Message-ID: <1109668653.3910.5.camel@localhost.localdomain>

I made the changes so httpd works fine, but now when I try to run BackupPC I get these messages. I tried to run chcon but it still didn't work.

Mar 1 09:42:19 backup backuppc: BackupPC shutdown failed
Mar 1 09:42:19 backup kernel: audit(1109666539.876:0): avc: denied { read write } for pid=29112 exe=/usr/bin/perl name=1 dev=devpts ino=3 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Mar 1 09:42:19 backup kernel: audit(1109666539.876:0): avc: denied { read write } for pid=29112 exe=/usr/bin/perl path=/dev/pts/1 dev=devpts ino=3 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Mar 1 09:42:20 backup kernel: audit(1109666540.145:0): avc: denied { listen } for pid=29138 exe=/usr/bin/perl path=/home/httpd/html/BackupPC/data/log/BackupPC.sock scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_stream_socket

Thanks

-- 
Daniela Gradim B.Sc.
daniela.gradim at fortevisiomedica.com
Mobile phone: +46-(0)765-48 99 95
---------------------------------------------------------------------
Forte Visio Medica AB
Hammarby Fabriksväg 23
S-120 33 Stockholm
Sweden
Phone: +46-(0)8-440 03 00
Fax: +46-(0)765-310 100
---------------------------------------------------------------------
From: niki.waibel at newlogic.com (Niki Waibel)
Date: Tue, 01 Mar 2005 16:41:26 +0100 (CET)
Subject: nis+ and selinux targeted (nscd/ntpd problems)
Message-ID: <200503011541.j21FfQPr015128@enterprise2.newlogic.at>

if you run FC3 and nis-utils-1.4.1 it is necessary to add the following in /etc/selinux/targeted/src/policy/domains/misc/custom.te to make nscd run properly:

===
allow nscd_t file_t:file { read write };
#EXE=/usr/sbin/nscd NAME=passwd : read write
allow nscd_t file_t:file getattr;
#EXE=/usr/sbin/nscd PATH=/var/db/nscd/passwd : getattr
#EXE=/usr/sbin/nscd PATH=/var/db/nscd/group : getattr
#EXE=/usr/sbin/nscd PATH=/var/db/nscd/hosts : getattr
allow nscd_t var_t:file { getattr read };
#EXE=/usr/sbin/nscd NAME=NIS_COLD_START : read
#EXE=/usr/sbin/nscd PATH=/var/nis/NIS_COLD_START : getattr
allow nscd_t var_run_t:sock_file write;
#EXE=/usr/sbin/nscd NAME=keyservsock : write
allow nscd_t unconfined_t:unix_stream_socket connectto;
#EXE=/usr/sbin/nscd PATH=/var/run/keyservsock : connectto
===

i don't know if

===
allow nscd_t file_t:file { read write };
allow nscd_t file_t:file getattr;
allow nscd_t var_t:file { getattr read };
===

are really a good choice ... nscd (if you have nisplus in /etc/nsswitch.conf) accesses the files in /var/db/nscd (getattr, read, write) and /var/nis. maybe there should be something like var_nis_t and var_db_nscd_t? i am not sure if /etc/{passwd,group,hosts} are accessed as well...

using nis+ i've also figured out that ntpd needs some additional rules:

===
allow ntpd_t var_t:file { getattr read };
#EXE=/usr/sbin/ntpd NAME=NIS_COLD_START : read
#EXE=/usr/sbin/ntpd PATH=/var/nis/NIS_COLD_START : getattr
allow ntpd_t var_run_t:sock_file write;
#EXE=/usr/sbin/ntpd NAME=keyservsock : write
allow ntpd_t unconfined_t:unix_stream_socket connectto;
#EXE=/usr/sbin/ntpd PATH=/var/run/keyservsock : connectto
===

can this be integrated into the std targeted policy?

-- 
niki w.
waibel - system administrator @ newlogic technologies ag

From: smooge at gmail.com (Stephen J. Smoogen)
Date: Tue, 1 Mar 2005 12:05:55 -0700
Subject: Reports from the conference
Message-ID: <80d7e40905030111055defe0a4@mail.gmail.com>

Hi

I was unable to get the ducks put in a row to get to the conference this week. Will there be published whitepapers afterwards and various howtos?

Thanks

-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator

From: mayerf at tresys.com (Frank Mayer)
Date: Wed, 2 Mar 2005 09:44:47 -0500
Subject: Reports from the conference
In-Reply-To: <80d7e40905030111055defe0a4@mail.gmail.com>
Message-ID:

We will publish the presentation slides from each speaker on the symposium web site sometime next week.

Frank

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Stephen J. Smoogen
Sent: Tuesday, March 01, 2005 2:06 PM
To: Fedora-Selinux-List
Subject: Reports from the conference

Hi

I was unable to get the ducks put in a row to get to the conference this week. Will there be published whitepapers afterwards and various howtos?

Thanks

-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator

-- 
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
From: dravet at calumet.purdue.edu (Jason Dravet)
Date: Wed, 2 Mar 2005 15:45:27 -0600
Subject: selinux and ASP for Linux
Message-ID: <200503022147.j22Llcuu011707@nwi.calumet.purdue.edu>

I have installed Sun's new asp for Linux (4.02) product on my Linux server. What the software does is provide asp support to httpd on Linux platforms. The Sun installer adds a module to the system so httpd can handle asp requests. When I try to start httpd I get the following messages. If I run setenforce 0 and start httpd, asp works great so the problem is with the way asp and selinux interact. I have to run with selinux enabled so disabling it is not a solution. What do I have to do to get this to work? I have contacted Sun but they don't know anything about selinux.

Mar 1 19:45:28 cisit6 kernel: audit(1109727928.415:0): avc: denied { write } for pid=8390 exe=/usr/sbin/httpd path=/opt/casp/INSTALL/database/tmp/tmp.0.5541 dev=dm-0 ino=426791 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
Mar 1 19:45:28 cisit6 kernel: audit(1109727928.459:0): avc: denied { write } for pid=8395 exe=/usr/sbin/httpd path=/opt/casp/INSTALL/database/tmp/tmp.0.5541 dev=dm-0 ino=426791 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
Mar 1 19:45:28 cisit6 kernel: audit(1109727928.476:0): avc: denied { write } for pid=8396 exe=/usr/sbin/httpd path=/opt/casp/INSTALL/database/tmp/tmp.0.5541 dev=dm-0 ino=426791 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
Mar 1 19:46:02 cisit6 httpd: httpd shutdown failed
Mar 1 19:46:02 cisit6 kernel: audit(1109727962.718:0): avc: denied { execute } for pid=8765 path=/opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so dev=dm-0 ino=633455 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
Mar 1 19:46:02 cisit6 httpd: Syntax error on line 191 of /etc/httpd/conf/httpd.conf:
Mar 1 19:46:02 cisit6 httpd: Cannot load /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so into server: /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so: failed to map segment from shared object: Permission denied
Mar 1 19:46:02 cisit6 httpd: httpd startup failed
Mar 1 19:48:26 cisit6 kernel: audit(1109728106.456:0): avc: denied { execute } for pid=10537 path=/opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so dev=dm-0 ino=633455 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
Mar 1 19:48:26 cisit6 httpd: Syntax error on line 191 of /etc/httpd/conf/httpd.conf:
Mar 1 19:48:26 cisit6 httpd: Cannot load /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so into server: /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so: failed to map segment from shared object: Permission denied
Mar 1 19:48:26 cisit6 httpd: httpd startup failed
Mar 1 19:51:04 cisit6 kernel: audit(1109728264.423:0): avc: denied { execute } for pid=10548 path=/opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so dev=dm-0 ino=633455 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
Mar 1 19:51:04 cisit6 httpd: Syntax error on line 191 of /etc/httpd/conf/httpd.conf:
Mar 1 19:51:04 cisit6 httpd: Cannot load /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so into server: /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so: failed to map segment from shared object: Permission denied

Thanks for your time,

Jason Dravet
From: walters at redhat.com (Colin Walters)
Date: Wed, 02 Mar 2005 16:59:56 -0500
Subject: selinux and ASP for Linux
In-Reply-To: <200503022147.j22Llcuu011707@nwi.calumet.purdue.edu>
References: <200503022147.j22Llcuu011707@nwi.calumet.purdue.edu>
Message-ID: <1109800797.3985.27.camel@nexus.verbum.private>

On Wed, 2005-03-02 at 15:45 -0600, Jason Dravet wrote:
> I have installed Sun's new asp for Linux (4.02) product on my Linux server.
> What the software does is provide asp support to httpd on Linux platforms.
> The Sun installer adds a module to the system so httpd can handle asp
> requests. When I try to start httpd I get the following messages. If I run
> setenforce 0 and start httpd, asp works great so the problem is with the way
> asp and selinux interact. I have to run with selinux enabled so disabling
> it is not a solution. What do I have to do to get this to work? I have
> contacted Sun but they don't know anything about selinux.

First, note that you can disable SELinux enforcement just for httpd without doing setenforce 0; see:

http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c-securitylevel

> Mar 1 19:45:28 cisit6 kernel: audit(1109727928.415:0): avc: denied { write }
> for pid=8390 exe=/usr/sbin/httpd
> path=/opt/casp/INSTALL/database/tmp/tmp.0.5541 dev=dm-0 ino=426791
> scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file

Hmmm. Hard to say what this is. You could try:

chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/

> path=/opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so dev=dm-0 ino=633455 scontext=root:system_r:httpd_t
> tcontext=root:object_r:usr_t tclass=file

My suggestion:

chcon -h -t shlib_t /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so
From: hongwei at wustl.edu (Hongwei Li)
Date: Wed, 2 Mar 2005 16:13:11 -0600 (CST)
Subject: File Contexts error?
Message-ID: <4588.128.252.85.103.1109801591.squirrel@morpheus.wustl.edu>

Hi,

I have run up2date to update many packages of my fc3 system. My system info:
RedHat FC3 linux, kernel 2.6.10-1.766_FC3, selinux enforced (targeted), iptables enabled
selinux-policy-targeted: 1.17.30-2.19

Then, root received the following mail:

Invalid File Contexts

/etc/blkid.tab
/etc/asound.state
/etc/ld.so.cache
/etc/.pwd.lock
/etc/hotplug/usb.usermap
/etc/freshclam.conf
/etc/sysconfig/firstboot
/etc/sysconfig/hwconf
/.autofsck
/.fonts.cache-1
/lost+found
/root/install.log
/root/install.log.syslog
/lib/modules/2.6.10-1.766_FC3/modules.ccwmap
/lib/modules/2.6.10-1.766_FC3/modules.alias
/lib/modules/2.6.10-1.766_FC3/modules.dep
/lib/modules/2.6.10-1.766_FC3/modules.inputmap
/lib/modules/2.6.10-1.766_FC3/modules.usbmap
/lib/modules/2.6.10-1.766_FC3/modules.isapnpmap
/lib/modules/2.6.10-1.766_FC3/modules.pcimap
/lib/modules/2.6.10-1.766_FC3/modules.ieee1394map
/lib/modules/2.6.10-1.766_FC3/modules.symbols
/lib/modules/2.6.9-1.667/modules.ccwmap
/lib/modules/2.6.9-1.667/modules.alias
/lib/modules/2.6.9-1.667/modules.dep
/lib/modules/2.6.9-1.667/modules.inputmap
/lib/modules/2.6.9-1.667/modules.usbmap
/lib/modules/2.6.9-1.667/modules.isapnpmap
/lib/modules/2.6.9-1.667/modules.pcimap
/lib/modules/2.6.9-1.667/modules.ieee1394map
/lib/modules/2.6.9-1.667/modules.symbols
/home/lost+found
/tmp/lost+found
/usr/lost+found
/var/log/rpmpkgs
/var/log/httpd/ssl_error_log
/var/log/httpd/ssl_request_log
/var/log/httpd/ssl_access_log
/var/log/httpd/error_log
/var/log/httpd/access_log
/var/log/yum.log
/var/lost+found
/var/run/utmp
/var/lib/squirrelmail/prefs/qlily.pref
/var/lib/squirrelmail/prefs/qlily.abook
/var/lib/php/session/sess_bd54786e5c301c251fd139a22c129872

I don't know which package's update caused this problem.
Then, I ran:

# restorecon -R /etc/*
# restorecon -R /var/*
# restorecon -R /lib/*
# restorecon -R /usr/*

I got a lot of warnings about symbolic links; that's probably okay. Now, the problem is that the user qlily cannot log in to squirrelmail. The error message is:

Preference file, /var/lib/squirrelmail/prefs/qlily.pref.tmp, could not be opened. Contact your system administrator to resolve this issue.

Check the files:

# ls -lZ /var/lib/squirrelmail/prefs/qlily.*
-rw-r--r--  apache   apache   system_u:object_r:var_lib_t      /var/lib/squirrelmail/prefs/qlily.abook
-rw-------  apache   apache   system_u:object_r:var_lib_t      /var/lib/squirrelmail/prefs/qlily.pref
-rw-r--r--  apache   apache   system_u:object_r:var_lib_t      /var/lib/squirrelmail/prefs/qlily.pref.tmp

and the log shows:

Mar 2 15:49:03 pippo kernel: audit(1109800143.922:0): avc: denied { write } for pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 ino=2540354 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
Mar 2 15:49:03 pippo kernel: audit(1109800143.924:0): avc: denied { write } for pid=1458 exe=/usr/sbin/httpd name=sess_bd54786e5c301c251fd139a22c129872 dev=hda2 ino=2540345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
....

qlily is the only user I have created so far in the system. This user can send/receive email through pine. To test the situation, I created another user, msnet. He can log in to the ssh console, but cannot log in to squirrelmail; the error message is:

You must be logged in to access this page

although the password is correct. His pref file is:

# ls -lZ /var/lib/squirrelmail/prefs/msnet.pref
-rw-------  apache   apache   root:object_r:httpd_var_lib_t    /var/lib/squirrelmail/prefs/msnet.pref

What's wrong? Which package update caused this problem? How do I fix the problem?

Thanks a lot!

Hongwei Li
From: dravet at calumet.purdue.edu (Jason Dravet)
Date: Wed, 2 Mar 2005 17:20:00 -0600
Subject: selinux and ASP for Linux
Message-ID: <200503022322.j22NMAKc015712@nwi.calumet.purdue.edu>

> On Wed, 2005-03-02 at 15:45 -0600, Jason Dravet wrote:
>> I have installed Sun's new asp for Linux (4.02) product on my Linux
>> server.
>> What the software does is provide asp support to httpd on Linux platforms.
>> The Sun installer adds a module to the system so httpd can handle asp
>> requests. When I try to start httpd I get the following messages. If I
>> run
>> setenforce 0 and start httpd, asp works great so the problem is with the
>> way
>> asp and selinux interact. I have to run with selinux enabled so disabling
>> it is not a solution. What do I have to do to get this to work? I have
>> contacted Sun but they don't know anything about selinux.
>
> First, note that you can disable SELinux enforcement just for httpd
> without doing setenforce 0; see:
> http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c-securitylevel
>
>> Mar 1 19:45:28 cisit6 kernel: audit(1109727928.415:0): avc: denied {write}
>> for pid=8390 exe=/usr/sbin/httpd
>> path=/opt/casp/INSTALL/database/tmp/tmp.0.5541 dev=dm-0 ino=426791
>> scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
>
> Hmmm. Hard to say what this is. You could try:
>
> chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/
>
>> path=/opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard
>> /mod_casp2.so dev=dm-0 ino=633455 scontext=root:system_r:httpd_t
>> tcontext=root:object_r:usr_t tclass=file
>
> My suggestion:
>
> chcon -h -t shlib_t
> /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so

I used setenforce 0 just to check if asp actually installed correctly. I know that I can turn off selinux just for httpd, but as I said, turning off selinux (or any part thereof) is not an option at this time.
I did the two commands that you suggested and now I get the following messages, so progress is being made:

Mar 2 16:49:18 cisit6 kernel: audit(1109803758.925:0): avc: denied { execute } for pid=5438 path=/opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so dev=dm-0 ino=551452 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
Mar 2 16:49:18 cisit6 httpd: mod_casp2: failed to open /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so, aborting.
Mar 2 16:49:18 cisit6 httpd: mod_casp2: /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so: failed to map segment from shared object: Permission denied
Mar 2 16:49:18 cisit6 httpd: httpd startup failed

So I did a

chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so

which got me to

Starting httpd: casp2ap: error loading Sun Java System Active Server Pages dispatcher library - /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so
casp2ap: /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so: failed to map segment from shared object: Permission denied

so then I did

chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so

and now it appears to be working fine. The simple tests have passed with flying colors. I have to test the database parts next.

So, in short, to get asp for linux working you have to do the following:

chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/
chcon -h -t shlib_t /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so

Can this be added to the targeted policy in the future?

Thanks for all of your help,

Jason Dravet
From: dravet at calumet.purdue.edu (Jason Dravet)
Date: Wed, 2 Mar 2005 18:48:24 -0600
Subject: selinux and ASP for Linux
Message-ID: <200503030050.j230oYn0018816@nwi.calumet.purdue.edu>

While asp works, I get the following in my /var/log/messages

Mar 2 17:14:05 cisit6 kernel: audit(1109805245.364:0): avc: denied { read write } for pid=5516 exe=/opt/casp/tools/bin/linux2_i686/perl5/bin/perl name=1 dev=devpts ino=3 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Mar 2 17:14:05 cisit6 kernel: audit(1109805245.365:0): avc: denied { read write } for pid=5516 exe=/opt/casp/tools/bin/linux2_i686/perl5/bin/perl path=/dev/pts/1 dev=devpts ino=3 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Mar 2 17:14:05 cisit6 kernel: audit(1109805245.367:0): avc: denied { execute } for pid=5516 path=/usr/lib/locale/locale-archive dev=dm-0 ino=263488 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:locale_t tclass=file
Mar 2 17:14:05 cisit6 kernel: audit(1109805245.368:0): avc: denied { execute } for pid=5516 path=/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION dev=dm-0 ino=261166 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:locale_t tclass=file

What can I do to fix this? I have not had time to try a database connection yet. I am sure that will generate a few more avc messages.

Thanks,

Jason Dravet
From: walters at redhat.com (Colin Walters)
Date: Wed, 02 Mar 2005 22:42:32 -0500
Subject: selinux and ASP for Linux
In-Reply-To: <200503022322.j22NMAKc015712@nwi.calumet.purdue.edu>
References: <200503022322.j22NMAKc015712@nwi.calumet.purdue.edu>
Message-ID: <1109821353.4583.8.camel@nexus.verbum.private>

On Wed, 2005-03-02 at 17:20 -0600, Jason Dravet wrote:
> So in short to get asp for linux working you have to do the following:
>
> chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/

I'm not sure this is *really* what you want by the way - by default both httpd_t and httpd_sys_script_t have complete access to it (modulo DAC of course). Without knowing more about the program I couldn't say.

> chcon -h -t shlib_t
> /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so
> chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so
> chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so
>
> Can this be added to the targeted policy in the future?

Well...these regexps exist in types.fc already:

/opt/.*/lib(64)?(/.*)?              system_u:object_r:lib_t
/opt/.*/lib(64)?/.*\.so(\.[^/]*)*   --  system_u:object_r:shlib_t

So I think actually you could have done:

restorecon /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so /opt/casp/server/lib/linux2_i686_optimized/*.so

Note that if the package was installed via RPM this labeling would have occurred automatically. But we do have a difficulty with 3rd-party generic plugin installation and Apache; again Apache is basically unique among the targeted daemons in this respect.
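The two types.fc entries Colin quotes decide what restorecon will do, so as an added example (not code from the thread or from the SELinux tools) here is a minimal Python re-implementation of the matching rule setfiles/restorecon apply to file_contexts: every regex is anchored to the whole path, a second field such as `--` restricts the entry to one inode type, and when several entries match the last one in the file wins. The spec text is constructed: it holds Colin's two entries plus an assumed catch-all `/opt(/.*)?` giving usr_t, which is the tcontext the AVC messages above report but is not itself quoted on this page. Run against the paths from the thread it shows why restorecon relabels the libraries under /opt/casp/server/lib but leaves mod_casp2.so as usr_t: the module's path has no lib component, so neither library entry matches it.

```python
import re

# Constructed excerpt of an FC3-style file_contexts (types.fc). The /opt lib
# entries are the ones quoted in the thread; the first line is an ASSUMED
# catch-all for /opt, consistent with the usr_t seen in the AVC messages.
FILE_CONTEXTS = r"""
/opt(/.*)?                          system_u:object_r:usr_t
/opt/.*/lib(64)?(/.*)?              system_u:object_r:lib_t
/opt/.*/lib(64)?/.*\.so(\.[^/]*)*   --  system_u:object_r:shlib_t
"""

# Optional second field: restrict a spec to one inode type (none = any type).
FTYPE_CODES = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
               "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file"}


def load_file_contexts(text):
    """Parse spec lines into (anchored regex, inode type or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, code, ctx = parts
            ftype = FTYPE_CODES[code]
        else:
            regex, ctx = parts
            ftype = None
        # setfiles anchors each regex so it must match the whole path.
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs


def matchpathcon(specs, path, ftype="file"):
    """Context restorecon would assign: the LAST matching spec wins."""
    chosen = None
    for regex, spec_ftype, ctx in specs:
        if spec_ftype is not None and spec_ftype != ftype:
            continue
        if regex.match(path):
            chosen = ctx
    return chosen


def label_type(specs, path, ftype="file"):
    """Only the type field, which is all the targeted policy checks."""
    ctx = matchpathcon(specs, path, ftype)
    return None if ctx is None else ctx.split(":")[2]


def restorecon_plan(specs, observed):
    """Given {path: current context}, return {path: new type} for the paths a
    plain restorecon would change. Like restorecon without -F it compares the
    type only, so a differing SELinux user (root vs system_u) is left alone."""
    plan = {}
    for path, current in observed.items():
        wanted = label_type(specs, path)
        if wanted is not None and wanted != current.split(":")[2]:
            plan[path] = wanted
    return plan


if __name__ == "__main__":
    specs = load_file_contexts(FILE_CONTEXTS)
    # Constructed snapshot using the labels the AVC messages in the thread show.
    observed = {
        "/opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so":
            "root:object_r:usr_t",
        "/opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so":
            "root:object_r:usr_t",
        "/opt/casp/INSTALL/database/tmp/tmp.0.5541": "root:object_r:usr_t",
    }
    for path in observed:
        print("%-90s -> %s" % (path, label_type(specs, path)))
    print("restorecon would change:", restorecon_plan(specs, observed))
```

Because only libcasp2ap.so ends up in the plan, a chcon (or a local file_contexts entry for /opt/casp/module) is still needed for the module itself, and a package that installs under a lib directory gets the right label for free.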
From: hongwei at wustl.edu (Hongwei Li)
Date: Thu, 3 Mar 2005 09:18:10 -0600 (CST)
Subject: File Contexts error?
In-Reply-To: <4588.128.252.85.103.1109801591.squirrel@morpheus.wustl.edu>
References: <4588.128.252.85.103.1109801591.squirrel@morpheus.wustl.edu>
Message-ID: <2056.128.252.85.103.1109863090.squirrel@morpheus.wustl.edu>

> Hi,
>
> I have run up2date to update many packages of my fc3 system. My system
> info:
> RedHat FC3 linux, kernel 2.6.10-1.766_FC3, selinux enforced (targeted),
> iptables enabled
> selinux-policy-targeted: 1.17.30-2.19
>
> Then, root received the following mail:
>
> Invalid File Contexts
>
> /etc/blkid.tab
> /etc/asound.state
> /etc/ld.so.cache
> /etc/.pwd.lock
> /etc/hotplug/usb.usermap
> /etc/freshclam.conf
> /etc/sysconfig/firstboot
> /etc/sysconfig/hwconf
> /.autofsck
> /.fonts.cache-1
> /lost+found
> /root/install.log
> /root/install.log.syslog
> /lib/modules/2.6.10-1.766_FC3/modules.ccwmap
> /lib/modules/2.6.10-1.766_FC3/modules.alias
> /lib/modules/2.6.10-1.766_FC3/modules.dep
> /lib/modules/2.6.10-1.766_FC3/modules.inputmap
> /lib/modules/2.6.10-1.766_FC3/modules.usbmap
> /lib/modules/2.6.10-1.766_FC3/modules.isapnpmap
> /lib/modules/2.6.10-1.766_FC3/modules.pcimap
> /lib/modules/2.6.10-1.766_FC3/modules.ieee1394map
> /lib/modules/2.6.10-1.766_FC3/modules.symbols
> /lib/modules/2.6.9-1.667/modules.ccwmap
> /lib/modules/2.6.9-1.667/modules.alias
> /lib/modules/2.6.9-1.667/modules.dep
> /lib/modules/2.6.9-1.667/modules.inputmap
> /lib/modules/2.6.9-1.667/modules.usbmap
> /lib/modules/2.6.9-1.667/modules.isapnpmap
> /lib/modules/2.6.9-1.667/modules.pcimap
> /lib/modules/2.6.9-1.667/modules.ieee1394map
> /lib/modules/2.6.9-1.667/modules.symbols
> /home/lost+found
> /tmp/lost+found
> /usr/lost+found
> /var/log/rpmpkgs
> /var/log/httpd/ssl_error_log
> /var/log/httpd/ssl_request_log
> /var/log/httpd/ssl_access_log
> /var/log/httpd/error_log
> /var/log/httpd/access_log
> /var/log/yum.log
> /var/lost+found
> /var/run/utmp
> /var/lib/squirrelmail/prefs/qlily.pref
> /var/lib/squirrelmail/prefs/qlily.abook
> /var/lib/php/session/sess_bd54786e5c301c251fd139a22c129872
>
> I don't know which package's update caused this problem. Then, I ran:
>
> # restorecon -R /etc/*
> # restorecon -R /var/*
> # restorecon -R /lib/*
> # restorecon -R /usr/*
>
> I got a lot of warnings about symbolic links; that's probably okay. Now,
> the problem is that the user qlily cannot log in to squirrelmail. The
> error message is:
>
> Preference file, /var/lib/squirrelmail/prefs/qlily.pref.tmp, could not be
> opened. Contact your system administrator to resolve this issue.
>
> Check the files:
>
> # ls -lZ /var/lib/squirrelmail/prefs/qlily.*
> -rw-r--r--  apache   apache   system_u:object_r:var_lib_t
> /var/lib/squirrelmail/prefs/qlily.abook
> -rw-------  apache   apache   system_u:object_r:var_lib_t
> /var/lib/squirrelmail/prefs/qlily.pref
> -rw-r--r--  apache   apache   system_u:object_r:var_lib_t
> /var/lib/squirrelmail/prefs/qlily.pref.tmp
>
> and the log shows:
>
> Mar 2 15:49:03 pippo kernel: audit(1109800143.922:0): avc: denied {
> write } for pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2
> ino=2540354 scontext=root:system_r:httpd_t
> tcontext=system_u:object_r:var_lib_t tclass=file
> Mar 2 15:49:03 pippo kernel: audit(1109800143.924:0): avc: denied {
> write } for pid=1458 exe=/usr/sbin/httpd
> name=sess_bd54786e5c301c251fd139a22c129872 dev=hda2 ino=2540345
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t
> tclass=file
> ....
>
> qlily is the only user I have created so far in the system. This user can
> send/receive email through pine. To test the situation, I created another
> user, msnet. He can log in to the ssh console, but cannot log in to
> squirrelmail; the error message is:
>
> You must be logged in to access this page
>
> although the password is correct. His pref file is:
>
> # ls -lZ /var/lib/squirrelmail/prefs/msnet.pref
> -rw-------  apache   apache   root:object_r:httpd_var_lib_t
> /var/lib/squirrelmail/prefs/msnet.pref
>
> What's wrong? Which package update caused this problem? How do I fix the
> problem?
>
> Thanks a lot!
>
> Hongwei Li

Hi,

I have solved the problem. If other people encounter the same problem, here is what I did:

# fixfiles relabel
(reboot)

Then, all users can log in to squirrelmail and read/send mail normally. I created another new user account; it also works.

However, I still have a question. The file context properties for the existing users and the new user are different. In my case, qlily is the existing user (the "fixfiles relabel" solved the problem for this account), and mmst is a new user created after running fixfiles relabel. Please see:

# ls -lZ /var/spool/mail/
-rw-rw----  mmst     mail     root:object_r:mail_spool_t       mmst
-rw-rw----  qlily    mail     system_u:object_r:mail_spool_t   qlily

# ls -lZ /var/lib/squirrelmail/prefs/
-rw-r--r--  apache   apache   user_u:object_r:httpd_squirrelmail_t mmst.abook
-rw-------  apache   apache   user_u:object_r:httpd_squirrelmail_t mmst.pref
-rw-r--r--  apache   apache   system_u:object_r:httpd_squirrelmail_t qlily.abook
-rw-------  apache   apache   system_u:object_r:httpd_squirrelmail_t qlily.pref

Why are they different, yet there is no error message and they don't have any problem when they log in and read/send mail in pine or squirrelmail? Strange features of selinux!

Thanks!

Hongwei Li
From: dravet at calumet.purdue.edu (Jason Dravet)
Date: Thu, 3 Mar 2005 13:09:00 -0600
Subject: selinux and ASP for Linux
Message-ID: <200503031911.j23JBBUD004871@nwi.calumet.purdue.edu>

Here is what I have come up with so far to get ASP for Linux to work:

chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/
chcon -h -t httpd_sys_content_t /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so
restorecon /opt/casp/server/lib/linux2_i686_optimized/*

I tried a chcon -R -h -t httpd_sys_script_t /opt/casp/INSTALL and I get Permission denied
I also tried the chcon -R -h -t httpd_t /opt/casp/INSTALL and again I get Permission denied

I did a restorecon on /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so but that gave me

Mar 1 19:48:26 cisit6 httpd: Cannot load /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so into server: /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so: failed to map segment from shared object: Permission denied

While the three commands at the top get things to work, I get the following in my /var/log/messages:

Mar 3 13:06:29 cisit6 kernel: audit(1109876789.001:0): avc: denied { read } for pid=9976 exe=/opt/casp/tools/bin/linux2_i686/perl5/bin/perl path=/proc/5896/cmdline dev=proc ino=386400268 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:unconfined_t tclass=file
Mar 3 13:06:29 cisit6 kernel: audit(1109876789.001:0): avc: denied { read write } for pid=9976 exe=/opt/casp/tools/bin/linux2_i686/perl5/bin/perl path=socket:[42392] dev=sockfs ino=42392 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:unconfined_t tclass=tcp_socket
Mar 3 13:06:29 cisit6 kernel: audit(1109876789.001:0): avc: denied { read write } for pid=9976 exe=/opt/casp/tools/bin/linux2_i686/perl5/bin/perl path=/tmp/.pm-chili-psm dev=dm-0 ino=48581 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
Mar 3 13:06:29 cisit6 kernel: audit(1109876789.002:0): avc: denied { read write } for pid=9976 exe=/opt/casp/tools/bin/linux2_i686/perl5/bin/perl path=/tmp/.casp5101/.pm-chili-psm dev=dm-0 ino=81192 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
Mar 3 13:06:29 cisit6 kernel: audit(1109876789.002:0): avc: denied { read write } for pid=9976 exe=/opt/casp/tools/bin/linux2_i686/perl5/bin/perl path=socket:[43453] dev=sockfs ino=43453 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:unconfined_t tclass=tcp_socket
Mar 3 13:06:29 cisit6 kernel: audit(1109876789.002:0): avc: denied { read write } for pid=9976 exe=/opt/casp/tools/bin/linux2_i686/perl5/bin/perl path=socket:[43465] dev=sockfs ino=43465 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:unconfined_t tclass=tcp_socket
Mar 3 13:06:29 cisit6 kernel: audit(1109876789.006:0): avc: denied { execute } for pid=9976 path=/usr/lib/locale/locale-archive dev=dm-0 ino=263488 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:locale_t tclass=file
Mar 3 13:06:29 cisit6 kernel: audit(1109876789.007:0): avc: denied { execute } for pid=9976 path=/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION dev=dm-0 ino=261166 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:locale_t tclass=file

Is there any good documentation for selinux that I can read to try to figure out how to fix the above? Something that can explain what the messages mean.

Thanks,

Jason
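Jason asks what the messages mean; Niki, further up, answered the same question by hand for nscd and ntpd and wrote the result as `allow` rules with `#EXE=... : perms` comments. As an added example (not from the thread, and not the audit2allow tool that does this job properly), here is a small Python script that does that translation: it splits each `avc: denied` line into permission set, source and target context and object class, keeps only the type field of each context (the only field the targeted policy enforces), writes `self` when source and target type coincide, and folds the denials into one `allow` per domain/target/class in Niki's format. The sample log is constructed from lines that appear in this thread (BackupPC, snmpd, ntpd) plus one non-AVC line to show it is skipped.

```python
import re
from collections import OrderedDict

# Constructed sample log: AVC lines copied from messages in this thread plus
# one ordinary syslog line that the parser must ignore.
SAMPLE_LOG = """\
Mar 1 09:42:19 backup kernel: audit(1109666539.876:0): avc: denied { read write } for pid=29112 exe=/usr/bin/perl path=/dev/pts/1 dev=devpts ino=3 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Mar 1 09:42:20 backup kernel: audit(1109666540.145:0): avc: denied { listen } for pid=29138 exe=/usr/bin/perl path=/home/httpd/html/BackupPC/data/log/BackupPC.sock scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_stream_socket
Mar 4 17:00:02 smoker kernel: audit(1109973602.066:0): avc: denied { write } for pid=1180 exe=/usr/sbin/snmpd path=pipe:[135310] dev=pipefs ino=135310 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:snmpd_t tclass=fifo_file
Mar 6 18:51:26 slabber ntpd[26387]: can't open /var/lib/ntp/drift.TEMP: Permission denied
Mar 6 18:51:26 slabber kernel: audit(1110131486.894:0): avc: denied { dac_override } for pid=26387 exe=/usr/sbin/ntpd capability=1 scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t tclass=capability
"""

AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]+) \} for (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Split one 'avc: denied' line into its parts; None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = dict(KV_RE.findall(m.group("rest")))
    # Contexts are user:role:type on FC3 (no MLS field); only the type matters.
    stype = kv["scontext"].split(":")[2]
    ttype = kv["tcontext"].split(":")[2]
    # What was touched: a path, a bare name, or a capability number.
    if "path" in kv:
        obj = "PATH=" + kv["path"]
    elif "name" in kv:
        obj = "NAME=" + kv["name"]
    elif "capability" in kv:
        obj = "capability=" + kv["capability"]
    else:
        obj = ""
    return {"perms": m.group("perms").split(), "exe": kv.get("exe"),
            "object": obj, "stype": stype, "ttype": ttype,
            "tclass": kv["tclass"]}


def allow_rules(log_text):
    """Fold denials into 'allow' statements, one per (domain, target, class),
    each followed by '#EXE=... : perms' comments in the custom.te style used
    earlier in this thread."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        # Target type equal to the source domain is written as 'self'
        # (the snmpd pipe and the ntpd capability denials).
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        key = (d["stype"], target, d["tclass"])
        g = groups.setdefault(key, {"perms": [], "notes": []})
        for p in d["perms"]:
            if p not in g["perms"]:
                g["perms"].append(p)
        g["notes"].append("#EXE=%s %s : %s" % (d["exe"], d["object"],
                                                " ".join(d["perms"])))
    lines = []
    for (stype, target, tclass), g in groups.items():
        perms = (g["perms"][0] if len(g["perms"]) == 1
                 else "{ %s }" % " ".join(g["perms"]))
        lines.append("allow %s %s:%s %s;" % (stype, target, tclass, perms))
        lines.extend(g["notes"])
    return lines


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

The output is a way of reading the denial, not a rule to paste into policy unread. A `dac_override` capability denial such as the ntpd one means the daemon tried to bypass the file's own Unix permissions, which is usually fixed by correcting the file's owner or mode rather than by a new rule, and a `tcontext` of `unconfined_t` or `tmp_t` is often a sign that the object is mislabelled or that the program is reaching outside what its domain is meant to touch.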
From: linuxuser at rhjensen.com (R. Jensen)
Date: Fri, 04 Mar 2005 16:23:26 -0600
Subject: Policies for bastille?
Message-ID: <4228DFDE.7080203@rhjensen.com>

I recently downloaded Bastille and was unable to get the PSAD portion to install. [Bastille is trying to install /usr/sbin/psad (among others)].

[root at lankhmar log]# ls -ldZ /usr/sbin
drwxr-xr-x  root     root     system_u:object_r:sbin_t         /usr/sbin

So I would *expect* an SELinux error if the psad isn't of sbin_t. [But I don't see any avc messages in the log.]

Here's a portion of Bastille's error log:

{Fri Mar 4 11:15:28 2005} Failed to place /psad as /usr/sbin/psad
{Fri Mar 4 11:15:28 2005} #ERROR: chmod: File /usr/sbin/psad doesn't exist!
{Fri Mar 4 11:15:28 2005} Failed to place /psadwatchd as /usr/sbin/psadwatchd
{Fri Mar 4 11:15:28 2005} #ERROR: chmod: File /usr/sbin/psadwatchd doesn't exist!
{Fri Mar 4 11:15:28 2005} Failed to place /kmsgsd as /usr/sbin/kmsgsd
{Fri Mar 4 11:15:28 2005} #ERROR: chmod: File /usr/sbin/kmsgsd doesn't exist!

Does this look like an SELinux issue or just Bastille?

Richard.
From: rirving at antient.org (Richard Irving)
Date: Fri, 04 Mar 2005 21:04:50 -0500
Subject: Here is an interesting one
In-Reply-To: <4228DFDE.7080203@rhjensen.com>
References: <4228DFDE.7080203@rhjensen.com>
Message-ID: <422913C2.1030406@antient.org>

Recently, I was playing with the hook programs that can be run, and read via the snmpd daemon.... (like a remote df, or a remote iostat... etc)

The snmpd daemon is given a program to run, if a certain MIB is strobed...

This runs fine, when I as root, spawn the SNMPD daemon.

However, when the automatic boot in rc5.d starts it, (and it is the identical script file I use to start it with manually), during init, it appears to work, as the daemon starts.... but, I get no data back.

I -do-, however, find the following in the logs....

Mar 4 17:00:02 smoker kernel: audit(1109973602.066:0): avc: denied { write } for pid=1180 exe=/usr/sbin/snmpd path=pipe:[135310] dev=pipefs ino=135310 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:snmpd_t tclass=fifo_file

The source and the targets appear to be the same, yet it is denied.

???? Ideas ?

init script:

-rwxr-xr-x  root     root     system_u:object_r:initrc_exec_t  /etc/rc.d/init.d/snmpd

An example of a Target file, run by snmpd:

-r-xr-xr-x  root     root     root:object_r:etc_t              /etc/snmp/snmpload

It looks as though it cannot properly inherit the child's pipe, when run by init ?

From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Sat, 05 Mar 2005 00:17:43 -0500
Subject: Here is an interesting one
In-Reply-To: <422913C2.1030406@antient.org>
References: <4228DFDE.7080203@rhjensen.com> <422913C2.1030406@antient.org>
Message-ID: <1109999863.6774.2.camel@cobra.ivg2.net>

--- snmpd.te	2005-03-05 00:13:17.000000000 -0500
+++ snmpd.new	2005-03-05 00:13:46.000000000 -0500
@@ -45,6 +45,7 @@ allow snmpd_t proc_t:dir search; allow snmpd_t proc_t:file r_file_perms; allow snmpd_t self:file { getattr read }; +allow snmpd_t self:fifo_file { read write }; ifdef(`distro_redhat', ` ifdef(`rpm.te', ` -- Ivan Gyurdiev Cornell University From rirving at antient.org Sat Mar 5 19:05:00 2005 From: rirving at antient.org (Richard Irving) Date: Sat, 05 Mar 2005 14:05:00 -0500 Subject: Here is an interesting one In-Reply-To: <1109999863.6774.2.camel@cobra.ivg2.net> References: <4228DFDE.7080203@rhjensen.com> <422913C2.1030406@antient.org> <1109999863.6774.2.camel@cobra.ivg2.net> Message-ID: <422A02DC.3060806@antient.org> Ivan Gyurdiev wrote: > --- snmpd.te 2005-03-05 00:13:17.000000000 -0500 > +++ snmpd.new 2005-03-05 00:13:46.000000000 -0500 > @@ -45,6 +45,7 @@ > allow snmpd_t proc_t:dir search; > allow snmpd_t proc_t:file r_file_perms; > allow snmpd_t self:file { getattr read }; > +allow snmpd_t self:fifo_file { read write }; > > ifdef(`distro_redhat', ` > ifdef(`rpm.te', ` > It was the targeted object, not the context. Dohh! Thanks. Next question, on remaking the policy and policy.conf, it turns out the sources-1.19.15 have a problem. (In a file I haven't touched) I can't seem to find a newer rev of the sources, any idea ? 1.17 and 1.19.1 are the only two I can find.... From jonathansavage at gmail.com Sat Mar 5 20:04:55 2005 
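Review bot: the added rule grants read as well as write on self:fifo_file, but the only denial shown in the thread is { write } (scontext and tcontext both snmpd_t, tclass=fifo_file), so read is being granted on speculation; either narrow it to `allow snmpd_t self:fifo_file write;` or confirm a read denial first. A one-line comment above the rule saying that it covers the pipe snmpd shares with the extension scripts it runs, and that the denial only appears when the daemon is started by init, would also help the next person who reads snmpd.te.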
From: jonathansavage at gmail.com (Jon Savage)
Date: Sat, 5 Mar 2005 12:04:55 -0800
Subject: Policies for bastille?
In-Reply-To: <4228DFDE.7080203@rhjensen.com>
References: <4228DFDE.7080203@rhjensen.com>
Message-ID: <2ad7cea10503051204debc278@mail.gmail.com>

On Fri, 04 Mar 2005 16:23:26 -0600, R. Jensen wrote:
> I recently downloaded Bastille and was unable to get
> the PSAD portion to install. [Bastille is trying to
> install /usr/sbin/psad (among others)].
> Does this look like an SELinux issue or just Bastille?

I saw the same thing and tried installing Bastille on another machine w/ SELinux disabled but got the same error. Looks like a Bastille issue IMHO.

-- 
Bests,
Jon

From larsbj at gullik.net Sun Mar 6 18:03:26 2005
From: larsbj at gullik.net (Lars Gullik Bjønnes)
Date: Sun, 06 Mar 2005 19:03:26 +0100
Subject: ntpd drift.TEMP file
References: <1373.24.2.210.202.1106508630.squirrel@mail.eastgranby.k12.ct.us> <4c4ba153050123113914160be4@mail.gmail.com> <1767.24.2.210.202.1106535705.squirrel@mail.eastgranby.k12.ct.us>
Message-ID:

mroselinux at eastgranby.k12.ct.us writes:

| Thanks,
>
| I had driftfile pointing to /etc/ntp and changing it to /var/lib/ntp fixed
| it. It's a file I've carried forward for at least four years.

You are sure you don't still get the same errors for drift.TEMP?

>> Mine (ntp-4.2.0.a.20040617-6) places the drift file in /var/lib/ntp.
>> /var/lib/ntp seems appropriately labeled ntp_drift_t.

I have the drift file in /var/lib/ntp/drift, but I get selinux errors for drift.TEMP:

Mar 6 18:51:26 slabber ntpd[26387]: can't open /var/lib/ntp/drift.TEMP: Permission denied
Mar 6 18:51:26 slabber kernel: audit(1110131486.894:0): avc: denied { dac_override } for pid=26387 exe=/usr/sbin/ntpd capability=1 scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t tclass=capability

This is an updated FC3 system.

-- 
Lgb

From cra at WPI.EDU Sun Mar 6 21:17:20 2005
From: cra at WPI.EDU (Chuck R. Anderson)
Date: Sun, 6 Mar 2005 16:17:20 -0500
Subject: ntpd drift.TEMP file
In-Reply-To:
References: <1373.24.2.210.202.1106508630.squirrel@mail.eastgranby.k12.ct.us> <4c4ba153050123113914160be4@mail.gmail.com> <1767.24.2.210.202.1106535705.squirrel@mail.eastgranby.k12.ct.us>
Message-ID: <20050306211720.GF31018@angus.ind.WPI.EDU>

On Sun, Mar 06, 2005 at 07:03:26PM +0100, Lars Gullik Bjønnes wrote:
> I have the drift file in /var/lib/ntp/drift, but I get selinux errors
> for drift.TEMP:
>
> Mar 6 18:51:26 slabber ntpd[26387]: can't open
> /var/lib/ntp/drift.TEMP: Permission denied
> Mar 6 18:51:26 slabber kernel: audit(1110131486.894:0): avc: denied
> { dac_override } for pid=26387 exe=/usr/sbin/ntpd capability=1
> scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t
> tclass=capability
>
> This is an updated FC3 system.

What are the DAC unix permissions bits and owner/group on the file? I am no expert in SELinux, but that AVC sounds to me like the standard unix permissions are disallowing access to the file.

From larsbj at gullik.net Sun Mar 6 21:45:27 2005
From: larsbj at gullik.net (Lars Gullik Bjønnes)
Date: Sun, 06 Mar 2005 22:45:27 +0100
Subject: ntpd drift.TEMP file
References: <1373.24.2.210.202.1106508630.squirrel@mail.eastgranby.k12.ct.us> <4c4ba153050123113914160be4@mail.gmail.com> <1767.24.2.210.202.1106535705.squirrel@mail.eastgranby.k12.ct.us> <20050306211720.GF31018@angus.ind.WPI.EDU>
Message-ID:

"Chuck R. Anderson" writes:

| On Sun, Mar 06, 2005 at 07:03:26PM +0100, Lars Gullik Bjønnes wrote:
>> I have the drift file in /var/lib/ntp/drift, but I get selinux errors
>> for drift.TEMP:
>>
>> Mar 6 18:51:26 slabber ntpd[26387]: can't open
>> /var/lib/ntp/drift.TEMP: Permission denied
>> Mar 6 18:51:26 slabber kernel: audit(1110131486.894:0): avc: denied
>> { dac_override } for pid=26387 exe=/usr/sbin/ntpd capability=1
>> scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t
>> tclass=capability
>>
>> This is an updated FC3 system.
>
| What are the DAC unix permissions bits and owner/group on the file?

Of the directory you mean? It is creating the file in the first place that fails.

ls -la /var/lib/ntp/
total 24
drwxr-xr-x 2 ntp ntp 4096 Mar 6 22:20 .
drwxr-xr-x 14 root root 4096 Feb 22 17:38 ..
-rw-r--r-- 1 ntp ntp 7 Mar 6 22:20 drift

| I
| am no expert in SELinux, but that AVC sounds to me like the standard
| unix permissions are disallowing access to the file.

From /etc/selinux/targeted/contexts/file_contexts it seems this should be allowed. But I am not familiar with the format:

grep -nr drift *
files/file_contexts.pre:676:/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t
files/file_contexts.pre:677:/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t
files/file_contexts:676:/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t
files/file_contexts:677:/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t

-- 
Lgb

From walters at redhat.com Sun Mar 6 23:04:48 2005
From: walters at redhat.com (Colin Walters)
Date: Sun, 06 Mar 2005 18:04:48 -0500
Subject: ntpd drift.TEMP file
In-Reply-To:
References: <1373.24.2.210.202.1106508630.squirrel@mail.eastgranby.k12.ct.us> <4c4ba153050123113914160be4@mail.gmail.com> <1767.24.2.210.202.1106535705.squirrel@mail.eastgranby.k12.ct.us> <20050306211720.GF31018@angus.ind.WPI.EDU>
Message-ID: <1110150289.7041.7.camel@nexus.verbum.private>

On Sun, 2005-03-06 at 22:45 +0100, Lars Gullik Bjønnes wrote:
>Of the directory you mean? It is creating the file in the first place
>that fails.
>
> ls -la /var/lib/ntp/
>total 24
>drwxr-xr-x 2 ntp ntp 4096 Mar 6 22:20 .
>drwxr-xr-x 14 root root 4096 Feb 22 17:38 ..
>-rw-r--r-- 1 ntp ntp 7 Mar 6 22:20 drift

Do you have ntpd configured to run as root or something?

From larsbj at gullik.net Sun Mar 6 23:43:34 2005
From: larsbj at gullik.net (Lars Gullik Bjønnes)
Date: Mon, 07 Mar 2005 00:43:34 +0100
Subject: ntpd drift.TEMP file
References: <1373.24.2.210.202.1106508630.squirrel@mail.eastgranby.k12.ct.us> <4c4ba153050123113914160be4@mail.gmail.com> <1767.24.2.210.202.1106535705.squirrel@mail.eastgranby.k12.ct.us> <20050306211720.GF31018@angus.ind.WPI.EDU> <1110150289.7041.7.camel@nexus.verbum.private>
Message-ID:

Colin Walters writes:

| On Sun, 2005-03-06 at 22:45 +0100, Lars Gullik Bjønnes wrote:
>
>>Of the directory you mean? It is creating the file in the first place
>>that fails.
>>
>> ls -la /var/lib/ntp/
>>total 24
>>drwxr-xr-x 2 ntp ntp 4096 Mar 6 22:20 .
>>drwxr-xr-x 14 root root 4096 Feb 22 17:38 ..
>>-rw-r--r-- 1 ntp ntp 7 Mar 6 22:20 drift
>
| Do you have ntpd configured to run as root or something?

This is a FC3 install. No changes done.
(the ntp servers have been changed, but that is it.)

Kinda strange.

-- 
Lgb

From larsbj at gullik.net Mon Mar 7 00:04:16 2005
From: larsbj at gullik.net (Lars Gullik Bjønnes)
Date: Mon, 07 Mar 2005 01:04:16 +0100
Subject: ntpd drift.TEMP file
References: <1373.24.2.210.202.1106508630.squirrel@mail.eastgranby.k12.ct.us> <4c4ba153050123113914160be4@mail.gmail.com> <1767.24.2.210.202.1106535705.squirrel@mail.eastgranby.k12.ct.us> <20050306211720.GF31018@angus.ind.WPI.EDU> <1110150289.7041.7.camel@nexus.verbum.private>
Message-ID:

larsbj at gullik.net (Lars Gullik Bjønnes) writes:

| Colin Walters writes:
>
| | On Sun, 2005-03-06 at 22:45 +0100, Lars Gullik Bjønnes wrote:
>>
>>>Of the directory you mean? It is creating the file in the first place
>>>that fails.
>>>
>>> ls -la /var/lib/ntp/
>>>total 24
>>>drwxr-xr-x 2 ntp ntp 4096 Mar 6 22:20 .
>>>drwxr-xr-x 14 root root 4096 Feb 22 17:38 ..
>>>-rw-r--r-- 1 ntp ntp 7 Mar 6 22:20 drift
>>
| | Do you have ntpd configured to run as root or something?
>
| This is a FC3 install. No changes done.
| (the ntp servers have been changed, but that is it.)
>
| Kinda strange.

Hmm da hmm... I seem to have had a rogue process here... most likely created when I tried to start ntpdc... I must have started ntpd manually instead.

So disregard all my reports. I'll inform you if I see some bad stuff later.

Sorry about the false alarms.

-- 
Lgb

From klnmurthy at networkprograms.com Mon Mar 7 07:49:24 2005
From: klnmurthy at networkprograms.com (KLN Murthy)
Date: Mon, 7 Mar 2005 13:19:24 +0530
Subject: help required to create SELinux based LiveCD for Fedora core 3
Message-ID: <049b01c522ea$36bc5110$38ca09c0@CDR>

Please help me creating SELinux based LiveCD for Fedora Core 3 with steps.

K L N Murthy ( System Administrator )
Network Programs ( India ) Ltd.
B-1-C, Sector 10
Noida - 201301
Tel: +91 120 2536622
Fax : +91 120 2536625

From kwade at redhat.com Mon Mar 7 13:51:18 2005
From: kwade at redhat.com (Karsten Wade)
Date: Mon, 07 Mar 2005 05:51:18 -0800
Subject: selinux and ASP for Linux
In-Reply-To: <200503031911.j23JBBUD004871@nwi.calumet.purdue.edu>
References: <200503031911.j23JBBUD004871@nwi.calumet.purdue.edu>
Message-ID: <1110203478.7725.8.camel@erato.phig.org>

On Thu, 2005-03-03 at 13:09 -0600, Jason Dravet wrote:

> Is there any good documentation for selinux that I can read to try to figure
> how to fix the above? Something that can explain what the messages mean.

2.8.1. Understanding an avc: denied Message
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0055.html#RHLCOMMON-SECTION-0078

If you get to the point where you need to write some local policy to get things working, you might find this chapter helpful:

8. Customizing and Writing Policy
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/selg-chapter-0071.html

- Karsten
-- 
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
IT executives rate Red Hat #1 for value http://www.redhat.com/promo/vendor/

From dwalsh at redhat.com Mon Mar 7 15:41:01 2005
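An added example (not code from anyone on this list) that puts the "Understanding an avc: denied message" advice above into a small triage script: it parses denial lines in the format quoted throughout these threads and sorts each one into a first-guess category, using the checks the replies here apply by hand (same source and target type: a missing self rule; a capability denial such as dac_override: check DAC permissions and the daemon's uid first; a generic target type such as var_lib_t or file_t: relabel; a daemon or CGI touching devpts: dontaudit). The sample log lines are constructed from the denials quoted in these threads, and the category names and advice strings are this example's own.

```python
"""Triage SELinux 'avc: denied' lines from /var/log/messages.

Added example, not code from any poster: parses the denial format quoted
in these threads and sorts each denial into a first-guess category so a
defender can tell labeling and DAC problems from a genuinely missing rule
before writing any allow rule.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the denials quoted in these threads
# (snmpd pipe, ntpd dac_override, httpd/squirrelmail, ASP perl CGI), plus
# one non-AVC line to show it is skipped.
SAMPLE_LOG = """\
Mar 4 17:00:02 smoker kernel: audit(1109973602.066:0): avc: denied { write } for pid=1180 exe=/usr/sbin/snmpd path=pipe:[135310] dev=pipefs ino=135310 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:snmpd_t tclass=fifo_file
Mar 6 18:51:26 slabber kernel: audit(1110131486.894:0): avc: denied { dac_override } for pid=26387 exe=/usr/sbin/ntpd capability=1 scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t tclass=capability
Mar 2 15:49:03 pippo kernel: audit(1109800143.922:0): avc: denied { write } for pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 ino=2540354 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
Mar 2 17:14:05 cisit6 kernel: audit(1109805245.364:0): avc: denied { read write } for pid=5516 exe=/usr/bin/perl name=1 dev=devpts ino=3 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Mar 1 09:42:19 backup backuppc: BackupPC shutdown failed
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Target types that usually mean "this file was never (re)labeled", which is
# what the relabel advice in these threads addresses.
GENERIC_TYPES = {"file_t", "unlabeled_t", "var_t", "var_lib_t", "var_run_t", "etc_t", "usr_t"}


@dataclass
class Avc:
    perms: list[str]          # permissions inside { ... }
    fields: dict[str, str]    # key=value pairs after "for"

    @property
    def tclass(self) -> str:
        return self.fields.get("tclass", "")

    @staticmethod
    def _type(ctx: str) -> str:
        # user:role:type[:range]  ->  type
        parts = ctx.split(":")
        return parts[2] if len(parts) > 2 else ctx

    @property
    def stype(self) -> str:
        return self._type(self.fields.get("scontext", ""))

    @property
    def ttype(self) -> str:
        return self._type(self.fields.get("tcontext", ""))


def parse_avc(line: str) -> Avc | None:
    """Return the parsed denial, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Avc(m.group("perms").split(), dict(KV_RE.findall(m.group("rest"))))


def diagnose(avc: Avc) -> tuple[str, str]:
    """Classify one denial and say what to check first (heuristics are this example's)."""
    perms = " ".join(avc.perms)
    if avc.tclass == "capability":
        # dac_override and friends: the ordinary owner/mode check failed first.
        return ("dac", f"{avc.fields.get('exe')} hit a DAC refusal and asked to override it; "
                       "check owner/mode of the target directory and which uid the daemon runs as")
    if avc.stype == avc.ttype:
        # Target is an object the process itself created (pipe, socket, its own /proc entry).
        return ("self", f"missing rule: allow {avc.stype} self:{avc.tclass} {{ {perms} }};")
    if avc.ttype == "devpts_t":
        # A daemon or CGI has no business on a terminal: silence it rather than allow it.
        return ("dontaudit", f"inherited tty descriptor; dontaudit {avc.stype} devpts_t:{avc.tclass} {{ {perms} }};")
    if avc.ttype in GENERIC_TYPES:
        target = avc.fields.get("path") or avc.fields.get("name") or "<target>"
        return ("label", f"{target} carries generic type {avc.ttype}; relabel it "
                         "(restorecon -v PATH, or fixfiles relabel) before touching policy")
    return ("policy", f"{avc.stype} needs {avc.tclass} {{ {perms} }} on {avc.ttype}; review the policy")


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (pid, category, advice) for every AVC denial in the text, in order."""
    out: list[tuple[str, str, str]] = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is not None:
            cat, advice = diagnose(avc)
            out.append((avc.fields.get("pid", "?"), cat, advice))
    return out


if __name__ == "__main__":
    for pid, cat, advice in triage(SAMPLE_LOG):
        print(f"pid={pid:<6} {cat:<10} {advice}")
```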
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 07 Mar 2005 10:41:01 -0500
Subject: selinux and ASP for Linux
In-Reply-To: <200503030050.j230oYn0018816@nwi.calumet.purdue.edu>
References: <200503030050.j230oYn0018816@nwi.calumet.purdue.edu>
Message-ID: <422C760D.9060807@redhat.com>

Jason Dravet wrote:

>While asp works, I get the following in my /var/log/messages
>
>Mar 2 17:14:05 cisit6 kernel: audit(1109805245.364:0): avc: denied { read write } for pid=5516 exe=/opt/casp/tools/bin/linux2_i686/perl5/bin/perl name=1 dev=devpts ino=3 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
>Mar 2 17:14:05 cisit6 kernel: audit(1109805245.365:0): avc: denied { read write } for pid=5516 exe=/opt/casp/tools/bin/linux2_i686/perl5/bin/perl path=/dev/pts/1 dev=devpts ino=3 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
>Mar 2 17:14:05 cisit6 kernel: audit(1109805245.367:0): avc: denied { execute } for pid=5516 path=/usr/lib/locale/locale-archive dev=dm-0 ino=263488 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:locale_t tclass=file
>Mar 2 17:14:05 cisit6 kernel: audit(1109805245.368:0): avc: denied { execute } for pid=5516 path=/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION dev=dm-0 ino=261166 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:locale_t tclass=file
>
>What can I do to fix this? I have not had time to try a database connection
>yet. I am sure that will generate a few more avc messages.

Are you getting this in rawhide or in FC3?

Looks to me like you should be able to dontaudit these. Your httpd scripts are trying to access the tty devices, which they should not. Why is it trying to execute locale stuff?

>Thanks,
>
>Jason Dravet

From dwalsh at redhat.com Mon Mar 7 15:44:28 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 07 Mar 2005 10:44:28 -0500
Subject: File Contexts error?
In-Reply-To: <2056.128.252.85.103.1109863090.squirrel@morpheus.wustl.edu>
References: <4588.128.252.85.103.1109801591.squirrel@morpheus.wustl.edu> <2056.128.252.85.103.1109863090.squirrel@morpheus.wustl.edu>
Message-ID: <422C76DC.5030809@redhat.com>

Hongwei Li wrote:

>>Hi,
>>
>>I have run up2date to update many packages of my fc3 system. My system
>>info:
>>RedHat FC3 linux, kernel 2.6.10-1.766_FC3, selinux enforced (targeted),
>>iptables enabled
>>selinux-policy-targeted: 1.17.30-2.19
>>
>>Then, the root received the following mail:
>>
>>Invalid File Contexts
>>
>>/etc/blkid.tab
>>/etc/asound.state
>>/etc/ld.so.cache
>>/etc/.pwd.lock
>>/etc/hotplug/usb.usermap
>>/etc/freshclam.conf
>>/etc/sysconfig/firstboot
>>/etc/sysconfig/hwconf
>>/.autofsck
>>/.fonts.cache-1
>>/lost+found
>>/root/install.log
>>/root/install.log.syslog
>>/lib/modules/2.6.10-1.766_FC3/modules.ccwmap
>>/lib/modules/2.6.10-1.766_FC3/modules.alias
>>/lib/modules/2.6.10-1.766_FC3/modules.dep
>>/lib/modules/2.6.10-1.766_FC3/modules.inputmap
>>/lib/modules/2.6.10-1.766_FC3/modules.usbmap
>>/lib/modules/2.6.10-1.766_FC3/modules.isapnpmap
>>/lib/modules/2.6.10-1.766_FC3/modules.pcimap
>>/lib/modules/2.6.10-1.766_FC3/modules.ieee1394map
>>/lib/modules/2.6.10-1.766_FC3/modules.symbols
>>/lib/modules/2.6.9-1.667/modules.ccwmap
>>/lib/modules/2.6.9-1.667/modules.alias
>>/lib/modules/2.6.9-1.667/modules.dep
>>/lib/modules/2.6.9-1.667/modules.inputmap
>>/lib/modules/2.6.9-1.667/modules.usbmap
>>/lib/modules/2.6.9-1.667/modules.isapnpmap
>>/lib/modules/2.6.9-1.667/modules.pcimap
>>/lib/modules/2.6.9-1.667/modules.ieee1394map
>>/lib/modules/2.6.9-1.667/modules.symbols
>>/home/lost+found
>>/tmp/lost+found
>>/usr/lost+found
>>/var/log/rpmpkgs
>>/var/log/httpd/ssl_error_log
>>/var/log/httpd/ssl_request_log
>>/var/log/httpd/ssl_access_log
>>/var/log/httpd/error_log
>>/var/log/httpd/access_log
>>/var/log/yum.log
>>/var/lost+found
>>/var/run/utmp
>>/var/lib/squirrelmail/prefs/qlily.pref
>>/var/lib/squirrelmail/prefs/qlily.abook
>>/var/lib/php/session/sess_bd54786e5c301c251fd139a22c129872
>>
>>I don't know which package's updating caused this problem. Then, I run:
>>
>># restorecon -R /etc/*
>># restorecon -R /var/*
>># restorecon -R /lib/*
>># restorecon -R /usr/*
>>
>>I got a lot of warnings about symbolic links, that's probably okay. Now,
>>the problem is that the user qlily cannot login to squirrelmail. The
>>error message is:
>>
>>Preference file, /var/lib/squirrelmail/prefs/qlily.pref.tmp, could not be
>>opened. Contact your system administrator to resolve this issue.
>>
>>Check the files:
>>
>># ls -lZ /var/lib/squirrelmail/prefs/qlily.*
>>-rw-r--r-- apache apache system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.abook
>>-rw------- apache apache system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.pref
>>-rw-r--r-- apache apache system_u:object_r:var_lib_t /var/lib/squirrelmail/prefs/qlily.pref.tmp
>>
>>and the log shows:
>>
>>Mar 2 15:49:03 pippo kernel: audit(1109800143.922:0): avc: denied { write } for pid=1458 exe=/usr/sbin/httpd name=qlily.pref.tmp dev=hda2 ino=2540354 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
>>Mar 2 15:49:03 pippo kernel: audit(1109800143.924:0): avc: denied { write } for pid=1458 exe=/usr/sbin/httpd name=sess_bd54786e5c301c251fd139a22c129872 dev=hda2 ino=2540345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
>>....
>>
>>qlily is the only user I created so far in the system. This user can
>>send/receive email through pine. To test the situation, I created another
>>user msnet. He can login to ssh console, but cannot login to
>>squirrelmail, the error message is:
>>
>>You must be logged in to access this page
>>
>>although the password is correct.
>>his pref file is:
>>
>># ls -lZ /var/lib/squirrelmail/prefs/msnet.pref
>>-rw------- apache apache root:object_r:httpd_var_lib_t /var/lib/squirrelmail/prefs/msnet.pref
>>
>>What's wrong? What package updating caused this problem? How to fix the
>>problem?
>>
>>Thanks a lot!
>>
>>Hongwei Li
>
>Hi,
>
>I have solved the problem. If some people encounter the same problem,
>here is what I did:
>
># fixfiles relabel
>
>(reboot)
>
>Then, all users can log in squirrelmail, read/send mails normally. I
>created another new user account, it also works.
>
>However, I still have a question. The file contexts properties for the
>existing users and new user are different. In my case, qlily is the
>existing user (the "fixfiles relabel" solved the problem for this
>account), and mmst is a new user created after running fixfiles relabel.
>Please see:
>
># ls -lZ /var/spool/mail/
>-rw-rw---- mmst mail root:object_r:mail_spool_t mmst
>-rw-rw---- qlily mail system_u:object_r:mail_spool_t qlily
>
># ls -lZ /var/lib/squirrelmail/prefs/
>-rw-r--r-- apache apache user_u:object_r:httpd_squirrelmail_t mmst.abook
>-rw------- apache apache user_u:object_r:httpd_squirrelmail_t mmst.pref
>-rw-r--r-- apache apache system_u:object_r:httpd_squirrelmail_t qlily.abook
>-rw------- apache apache system_u:object_r:httpd_squirrelmail_t qlily.pref
>
>Why are they different, but no error message and they don't have any
>problem when they login, read/send mails in pine or squirrelmail?

If the system is relabeled, all system files get labeled with a user of system_u; when they are created by a user, or by a service that was restarted by a user, they get identified by that user's SELinux name (root, user_u). It should not be a problem in targeted policy.

I have no idea why you got your other errors. Did you run with SELinux disabled?

Dan

>Strange features of selinux!
>
>Thanks!
>
>Hongwei Li

From dwalsh at redhat.com Mon Mar 7 15:54:07 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 07 Mar 2005 10:54:07 -0500
Subject: upgrade of selinux-policy-targeted doing recursive restorecon on NFS mounts a bad idea
In-Reply-To: <1110209629.2760.30.camel@silly>
References: <1110209629.2760.30.camel@silly>
Message-ID: <422C791F.2070908@redhat.com>

Jason Vas Dias wrote:

>I'm now doing an upgrade to
>selinux-policy-targeted-1.17.30-2.83 on FC3,
>and it seems to be doing a recursive restorecon
>on all the NFS mounts on the system - including
>/home/boston, /mnt/redhat, etc.
>
>I don't think this is a good idea at all!
>This single update of selinux-policy-targeted
>is probably going to take all day, and I hope
>the restorecon on NFS mounts as root is not
>going to harm other people's mounts of shared
>NFS systems like /home/boston and /mnt/redhat !
>
>Restorecon in recursive mode should ignore NFS mounts -
>or the spec file should weed out NFS mounts from the
>restorecon command line.
>
>Should I raise a bug on this ?

policycoreutils-1.18.1-2.10 should have this backported from rawhide. Available in fedora-testing.

From dwalsh at redhat.com Mon Mar 7 15:58:25 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 07 Mar 2005 10:58:25 -0500
Subject: nis+ and selinux targeted (nscd/ntpd problems)
In-Reply-To: <200503011541.j21FfQPr015128@enterprise2.newlogic.at>
References: <200503011541.j21FfQPr015128@enterprise2.newlogic.at>
Message-ID: <422C7A21.50703@redhat.com>

Niki Waibel wrote:

>if you run FC3 and nis-utils-1.4.1 it is necessary to
>add the following in
> /etc/selinux/targeted/src/policy/domains/misc/custom.te
>to make nscd run properly:

This looks like you have a labeling problem. Having file_t files around means that you ran with SELinux disabled at some point. So you probably need to relabel the system.

touch /.autorelabel
reboot

will relabel. The directories under /var/db could be relabeled via

restorecon -R -v /var/db

>===
>allow nscd_t file_t:file { read write };
> #EXE=/usr/sbin/nscd NAME=passwd : read write
>allow nscd_t file_t:file getattr;
> #EXE=/usr/sbin/nscd PATH=/var/db/nscd/passwd : getattr
> #EXE=/usr/sbin/nscd PATH=/var/db/nscd/group : getattr
> #EXE=/usr/sbin/nscd PATH=/var/db/nscd/hosts : getattr
>allow nscd_t var_t:file { getattr read };
> #EXE=/usr/sbin/nscd NAME=NIS_COLD_START : read
> #EXE=/usr/sbin/nscd PATH=/var/nis/NIS_COLD_START : getattr
>allow nscd_t var_run_t:sock_file write;
> #EXE=/usr/sbin/nscd NAME=keyservsock : write
>allow nscd_t unconfined_t:unix_stream_socket connectto;
> #EXE=/usr/sbin/nscd PATH=/var/run/keyservsock : connectto
>===
>
>I don't know if
>===
>allow nscd_t file_t:file { read write };
>allow nscd_t file_t:file getattr;
>allow nscd_t var_t:file { getattr read };
>===
>are really a good choice ...
>
>nscd (if you have nisplus in /etc/nsswitch.conf) accesses
>the files in /var/db/nscd (getattr, read, write) and /var/nis.
>maybe there should be sthg like var_nis_t and var_db_nscd_t?
>
>I am not sure if /etc/{passwd,group,hosts} are accessed as well...
>
>using nis+ I've also figured out that ntpd needs some add rules:
>===
>allow ntpd_t var_t:file { getattr read };
> #EXE=/usr/sbin/ntpd NAME=NIS_COLD_START : read
> #EXE=/usr/sbin/ntpd PATH=/var/nis/NIS_COLD_START : getattr
>allow ntpd_t var_run_t:sock_file write;
> #EXE=/usr/sbin/ntpd NAME=keyservsock : write
>allow ntpd_t unconfined_t:unix_stream_socket connectto;
> #EXE=/usr/sbin/ntpd PATH=/var/run/keyservsock : connectto
>===
>
>can this be integrated into the std targeted policy?

From jayendren at hivsa.com Tue Mar 1 08:01:00 2005
From: jayendren at hivsa.com (Jayendren Anand Maduray)
Date: Tue, 1 Mar 2005 10:01:00 +0200
Subject: fc3 - password change problem - syslog and portmapper
In-Reply-To: <421CB8A1.5090503@redhat.com>
References: <200502230937.40550.jayendren@hivsa.com> <421CB8A1.5090503@redhat.com>
Message-ID: <200503011001.00141.jayendren@hivsa.com>

Hi!

You are brilliant, let nobody tell u otherwise!!

On Wednesday 23 February 2005 19:08, Daniel J Walsh wrote:
> Jayendren Anand Maduray wrote:
> >Hi!
> >
> >having problems with selinux for syslog and portmapper. Also cannot change
> >password with selinux enabled.
> >it is running in targeted mode.
> >I have been checking with nsa-selinux forum, and some of the ppl recommend
> >that I ask this forum.
>
> You need to relabel your file system. I would update to the latest
> policy and relabel your
> file system
>
> yum upgrade selinux-policy-targeted
> touch /.autorelabel
> reboot
>
> >from nsa-linux:
> >
> >On Tue, 2005-02-22 at 08:09 +0200, Jayendren Anand Maduray wrote:
> >>Got FC3 running SELINUX in enforcing mode.
> >>
> >>1. however when I try to change my password, I get the ffg error:
> >>SystemError: couldn't get security context of `/etc/passwd': No data
> >
> >available
> >
> >>2. also, when I boot up, syslogd, and portmap cannot start, so I disabled
> >> it in SELinux. I would like to get this to work, though.
> >>
> >>I am running kernel Linux shiva 2.6.10-1.741_FC3smp
> >
> >The most likely scenario is that you never labeled your filesystems, or
> >that you ran with SELinux disabled for some period of time and thus
> >ended up with some files without security labels. Touch /.autorelabel
> >and reboot, or run /sbin/fixfiles relabel and reboot. BTW, this kind of
> >question belongs on fedora-selinux-list, not here, IMHO.
-- 
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94

From jvdias at redhat.com Mon Mar 7 15:33:49 2005
From: jvdias at redhat.com (Jason Vas Dias)
Date: Mon, 07 Mar 2005 10:33:49 -0500
Subject: upgrade of selinux-policy-targeted doing recursive restorecon on NFS mounts a bad idea
Message-ID: <1110209629.2760.30.camel@silly>

I'm now doing an upgrade to selinux-policy-targeted-1.17.30-2.83 on FC3, and it seems to be doing a recursive restorecon on all the NFS mounts on the system - including /home/boston, /mnt/redhat, etc.

I don't think this is a good idea at all! This single update of selinux-policy-targeted is probably going to take all day, and I hope the restorecon on NFS mounts as root is not going to harm other people's mounts of shared NFS systems like /home/boston and /mnt/redhat !

Restorecon in recursive mode should ignore NFS mounts - or the spec file should weed out NFS mounts from the restorecon command line.

Should I raise a bug on this ?

From dravet at calumet.purdue.edu Mon Mar 7 17:13:25 2005
From: dravet at calumet.purdue.edu (Jason Dravet)
Date: Mon, 7 Mar 2005 11:13:25 -0600
Subject: selinux and ASP for Linux
Message-ID: <200503071715.j27HFZ0C014895@nwi.calumet.purdue.edu>

Thank you Karsten for the links, I will read them this afternoon.

Daniel, I am using a fully patched FC3 install. I don't know why ASP for Linux is trying to access the tty devices. My guess as to why it is executing locale stuff is because of the ASP for Linux administration page. The locale message only pops up if I go to those pages. For the record ASP for Linux was formerly Chilisoft software.

Thanks,
Jason

From hburde at t-online.de Mon Mar 7 17:59:41 2005
From: hburde at t-online.de (Holger Burde)
Date: Mon, 07 Mar 2005 18:59:41 +0100
Subject: /proc Q
Message-ID: <1110218381.5655.10.camel@marvin.warpnet.com>

Hi;

Filesystems with no support for persistent labels have no context but I found corresponding type declarations (rawhide.strict: types/procfs.te or fc3:targeted types/procfs.te) and usage (domains/program zebra.te:allow zebra_t proc_t:file { getattr read };). Is this dummy stuff or have I missed something ??

hb
-- 
Holger Burde

From sds at tycho.nsa.gov Mon Mar 7 17:55:25 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 07 Mar 2005 12:55:25 -0500
Subject: /proc Q
In-Reply-To: <1110218381.5655.10.camel@marvin.warpnet.com>
References: <1110218381.5655.10.camel@marvin.warpnet.com>
Message-ID: <1110218125.2778.8.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-03-07 at 18:59 +0100, Holger Burde wrote:
> Hi;
>
> Filesystems with no support for persistent labels have no context but I
> found corresponding type declarations (rawhide.strict: types/procfs.te or
> fc3:targeted types/procfs.te) and usage (domains/program zebra.te:allow
> zebra_t proc_t:file { getattr read };). Is this dummy stuff or have I
> missed something ??

They have labels (on the incore inodes), but they aren't visible to userspace (due to lack of xattr handler for the filesystem). But they are still used for access control. Assignment is done via genfs_contexts in the policy for proc.

There has been discussion of a general switch in the VFS so that if the filesystem doesn't support xattrs natively, it would call into the security module (i.e. SELinux) instead, and let SELinux handle the getxattr/setxattr requests based on the incore inode label.

-- 
Stephen Smalley
National Security Agency

From netdxr at gmail.com Mon Mar 7 19:49:00 2005
From: netdxr at gmail.com (Tom Lisjac)
Date: Mon, 7 Mar 2005 12:49:00 -0700
Subject: help required to create SELinux based LiveCD for Fedora core 3
In-Reply-To: <049b01c522ea$36bc5110$38ca09c0@CDR>
References: <049b01c522ea$36bc5110$38ca09c0@CDR>
Message-ID: <863ff4520503071149876cde9@mail.gmail.com>

On Mon, 7 Mar 2005 13:19:24 +0530, KLN Murthy wrote:
> Please help me creating SELinux based LiveCD for Fedora Core 3 with steps.

There is a live cd project (Adios 4.1) in the works for FC3. It can be found here:

http://dc.qut.edu.au/adios

I don't know how well the 4.x series will support SELinux but there is another version called ADIOS-SELinux that's also mentioned on the site. The older 3.X versions had integrated UML support and excellent documentation for setting up a network simulation using a single workstation... essentially a computer lab on a CD.

-Tom

From rirving at antient.org Mon Mar 7 22:27:23 2005
From: rirving at antient.org (Richard Irving)
Date: Mon, 07 Mar 2005 17:27:23 -0500
Subject: Here is an interesting one
In-Reply-To: <422A02DC.3060806@antient.org>
References: <4228DFDE.7080203@rhjensen.com> <422913C2.1030406@antient.org> <1109999863.6774.2.camel@cobra.ivg2.net> <422A02DC.3060806@antient.org>
Message-ID: <422CD54B.9030502@antient.org>

Richard Irving wrote:

> Ivan Gyurdiev wrote:
>
>> --- snmpd.te 2005-03-05 00:13:17.000000000 -0500 >> +++ snmpd.new 2005-03-05 00:13:46.000000000 -0500
>> @@ -45,6 +45,7 @@
> 1.17 and 1.19.1 are the only two I can find....

Thank You, Ivan. I have synced my sources, added the changes, threw in a few extras for a few other functions I chained in on snmpd, as a litmus test... And it runs error, and log entry free.

Once the audit, make, and install, reload.. all works well, this system is -smooth-.

But, I did still have to:

"dontaudit snmpd_t unconfined_t:process signull;"

To keep from getting one of the scripts to not log. I'll chase that down later, as it is the -only- unconfined_t entry that was involved, and it was a "signull".

Once again, Thanks.

From justin.conover at gmail.com Tue Mar 8 16:57:00 2005
From: justin.conover at gmail.com (Justin Conover)
Date: Tue, 8 Mar 2005 10:57:00 -0600
Subject: shc - Generic shell script compiler ??
Message-ID:

Does anyone see this as being a decent program? Do you think it encrypts the script well enough or is easily crackable? If it is a decent program, do you see a need for it in Fedora Extras or something as an added security mechanism. Although I imagine with the fine grained control of SELinux this probably isn't really needed, any thoughts?

http://www.datsi.fi.upm.es/%7Efrosal/sources/shc.html
http://www.datsi.fi.upm.es/%7Efrosal/sources/CHANGES
http://www.datsi.fi.upm.es/%7Efrosal/sources/shc-3.7.tgz
http://www.linuxsecurity.com/content/view/117920/49/

"shc itself is not a compiler such as cc, it rather encodes and encrypts a shell script and generates C source code with the added expiration capability. It then uses the system compiler to compile a stripped binary which behaves exactly like the original script. Upon execution, the compiled binary will decrypt and execute the code with the shell -c option. Unfortunately, it will not give you any speed improvement as a real C program would. shc's main purpose is to protect your shell scripts from modification or inspection. You can use it if you wish to distribute your scripts but don't want them to be easily readable by other people."

From justin.conover at gmail.com Tue Mar 8 17:53:57 2005
From: justin.conover at gmail.com (Justin Conover)
Date: Tue, 8 Mar 2005 11:53:57 -0600
Subject: mv hard drives with lvm/selinux ?
Message-ID:

Just wondering if I'm going to move 2x160GB sata drives in raid 1 that are on their own volume with SELinux turned on. Can I simply move these to another box and be able to read them or does this become really tricky? Worst comes to worst I can mv the 80GB of data to another box, mv the hard drives and then mv the data back; just wondering if it could be as easy to do it the other way.

From walters at redhat.com Tue Mar 8 18:23:13 2005
From: walters at redhat.com (Colin Walters)
Date: Tue, 08 Mar 2005 13:23:13 -0500
Subject: mv hard drives with lvm/selinux ?
In-Reply-To:
References:
Message-ID: <1110306194.3853.23.camel@nexus.verbum.private>

On Tue, 2005-03-08 at 11:53 -0600, Justin Conover wrote:
> Just wondering if I'm going to move 2x160GB sata drives in raid 1 that
> are on their own volume with SELinux turned on. Can I simply move
> these to another box and be able to read them or does this become
> really tricky?

If you use mv, cp -a --preserve=all, or rsync -X, security contexts of files should be preserved.

However, if you have a default FC3 install you're already using LVM; you might consider simply placing the raid device as part of your existing volume group, and not worrying about copying/moving data around. At least if it works to do RAID under LVM :)

From mike at navi.cx Tue Mar 8 21:00:17 2005
From: mike at navi.cx (Mike Hearn)
Date: Tue, 08 Mar 2005 21:00:17 +0000
Subject: shc - Generic shell script compiler ??
References:
Message-ID:

On Tue, 08 Mar 2005 10:57:00 -0600, Justin Conover wrote:
> Does anyone see this as being a decent program? Do you think it
> encrypts the script well enough or is easily crackable?

Given that it must pass the script to an external interpreter (unless it includes a copy of bash) it's trivially crackable and provides no extra security. If you want to protect valuable shell scripts (????) you'd be better off with an obfuscator or a generic shell->native code compiler.

thanks -mike

From dwalsh at redhat.com Tue Mar 8 22:24:05 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 08 Mar 2005 17:24:05 -0500
Subject: help required to create SELinux based LiveCD for Fedora core 3
In-Reply-To: <863ff4520503071149876cde9@mail.gmail.com>
References: <049b01c522ea$36bc5110$38ca09c0@CDR> <863ff4520503071149876cde9@mail.gmail.com>
Message-ID: <422E2605.9030502@redhat.com>

Tom Lisjac wrote:
>On Mon, 7 Mar 2005 13:19:24 +0530, KLN Murthy
> wrote:
>
>>Please help me creating SELinux based LiveCD for Fedora Core 3 with steps.
>>
>
>There is a live cd project (Adios 4.1) in the works for FC3. It can be
>found here:
>
>http://dc.qut.edu.au/adios
>
>I don't know how well the 4.x series will support SELinux but there is
>another version called ADIOS-SELinux that's also mentioned on the
>site. The older 3.X versions had integrated UML support and excellent
>documentation for setting up a network simulation using a single
>workstation... essentially a computer lab on a CD.
>
Does the CD support extended attributes? Without them, I don't think you will get SELinux to work.

Dan

>-Tom
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

--
Learn, Network and Experience Open Source. Red Hat Summit, New Orleans 2005
http://www.redhat.com/promo/summit/

From netdxr at gmail.com Wed Mar 9 02:40:14 2005
From: netdxr at gmail.com (Tom Lisjac)
Date: Tue, 8 Mar 2005 19:40:14 -0700
Subject: help required to create SELinux based LiveCD for Fedora core 3
In-Reply-To: <422E2605.9030502@redhat.com>
References: <049b01c522ea$36bc5110$38ca09c0@CDR> <863ff4520503071149876cde9@mail.gmail.com> <422E2605.9030502@redhat.com>
Message-ID: <863ff452050308184061f0ca79@mail.gmail.com>

On Tue, 08 Mar 2005 17:24:05 -0500, Daniel J Walsh wrote:
> Tom Lisjac wrote:
> >http://dc.qut.edu.au/adios
> >
> >I don't know how well the 4.x series will support SELinux but there is
> >another version called ADIOS-SELinux that's also mentioned on the
> >site. The older 3.X versions had integrated UML support and excellent
> >documentation for setting up a network simulation using a single
> >workstation... essentially a computer lab on a CD.
> >
> Does the CD support extended attributes? Without them, I don't think
> you will get SELinux to work.

Good point on iso9660. But IIRC, there were quite a few options during the boot process to copy and run portions of the CD from ram or the hard disk with version 3.10... so I wouldn't be surprised if there was some way to demonstrate the functionality of SELinux in the 4.x series. I haven't been able to download the beta releases, but I'm looking forward to trying it when the final version appears on a few local mirrors.

-Tom

From roger at gwch.net Wed Mar 9 07:43:29 2005
From: roger at gwch.net (Roger Grosswiler)
Date: Wed, 09 Mar 2005 08:43:29 +0100
Subject: How changing rule for mysql
Message-ID: <422EA921.4060301@gwch.net>

Hi,

I have this in my log:

Mar 9 08:31:16 link kernel: audit(1110353476.148:0): avc: denied { search } for pid=32084 exe=/usr/libexec/mysqld name=webmessenger dev=dm-0 ino=7488135 scontext=root:system_r:mysqld_t tcontext=root:object_r:user_home_t tclass=dir

So, I went to http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2825232 for how I could make mysql work. I was looking for the apache.te (has nothing to do with my problem) for the other example, assuming I could change a value in something like mysql.te.

All I found was /selinux/booleans/mysqld_disable_trans where I think I would have to set 1 1 in it.

1) Is this correct?
2) How can I do this with root (root hasn't rights to do that)?

Thanks
Roger

From roger at gwch.net Wed Mar 9 08:08:24 2005
From: roger at gwch.net (Roger Grosswiler)
Date: Wed, 09 Mar 2005 09:08:24 +0100
Subject: How changing rule for mysql
In-Reply-To: <422EA921.4060301@gwch.net>
References: <422EA921.4060301@gwch.net>
Message-ID: <422EAEF8.2070106@gwch.net>

Roger Grosswiler wrote:
> Hi,
>
> I have this in my log:
>
> Mar 9 08:31:16 link kernel: audit(1110353476.148:0): avc: denied {
> search } for pid=32084 exe=/usr/libexec/mysqld name=webmessenger
> dev=dm-0 ino=7488135 scontext=root:system_r:mysqld_t
> tcontext=root:object_r:user_home_t tclass=dir
>
> so, i went to
> http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2825232
>
> how i could make mysql working. i was looking for the apache.te (has
> nothing to do with my problem) for the other example, assuming, i could
> change a value in something like mysql.te.
>
> all i found was /selinux/booleans/mysqld_disable_trans where i think i
> would have to set 1 1 in it.
>
> 1) is this correct?
> 2) how can i do this with root (root hasn't rights to do that)
>
> Thanks
> Roger
>

Hi,

The problem seems to be resolved. I /sbin/fixfiles relabeled after a policy upgrade, rebooted - works.

Thanks,
Roger

From justin.conover at gmail.com Wed Mar 9 13:16:56 2005
From: justin.conover at gmail.com (Justin Conover)
Date: Wed, 9 Mar 2005 07:16:56 -0600
Subject: mv hard drives with lvm/selinux ?
In-Reply-To: <1110306194.3853.23.camel@nexus.verbum.private>
References: <1110306194.3853.23.camel@nexus.verbum.private>
Message-ID:

I might not have to move the box after all, so I can put this test off for now. Thanks for your input though.

On Tue, 08 Mar 2005 13:23:13 -0500, Colin Walters wrote:
> On Tue, 2005-03-08 at 11:53 -0600, Justin Conover wrote:
> > Just wondering if i'm going to move 2x160GB sata drives in raid 1 that
> > are on there own volume with SELinux turned on. Can I simply move
> > these to another box and be able to read them or does this become
> > really tricky?
>
> If you use mv, cp -a --preserve=all, or rsync -X, security contexts of
> files should be preserved.
>
> However, if you have a default FC3 install you're already using LVM, you
> might consider simply placing the raid device as part of your existing
> volume group, and not worrying about copying/moving data around. At
> least if it works to do RAID under LVM :)
>

From sds at tycho.nsa.gov Wed Mar 9 13:25:38 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 09 Mar 2005 08:25:38 -0500
Subject: help required to create SELinux based LiveCD for Fedora core 3
In-Reply-To: <863ff452050308184061f0ca79@mail.gmail.com>
References: <049b01c522ea$36bc5110$38ca09c0@CDR> <863ff4520503071149876cde9@mail.gmail.com> <422E2605.9030502@redhat.com> <863ff452050308184061f0ca79@mail.gmail.com>
Message-ID: <1110374738.3791.1.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-03-08 at 19:40 -0700, Tom Lisjac wrote:
> Good point on iso9660. But IIRC, there were quite a few options during
> the boot process to copy and run portions of the CD from ram or the
> hard disk with version 3.10... so I wouldn't be surprised if there was
> some way to demonstrate the functionality of SELinux in the 4.x
> series. I haven't been able to download the beta releases, but I'm
> looking forward to trying it when the final version appears on a few
> local mirrors.

Hardened Gentoo used to provide a SELinux LiveCD, I don't know if they still do.
http://www.gentoo.org/proj/en/hardened/selinux/index.xml

--
Stephen Smalley
National Security Agency

From mayerf at tresys.com Wed Mar 9 16:19:16 2005
From: mayerf at tresys.com (Frank Mayer)
Date: Wed, 9 Mar 2005 11:19:16 -0500
Subject: Selinux symposium presentations
Message-ID: <20050309161916.NKTI7908.mm-ismta4.bizmailsrvcs.net@FLM800>

FYI, soft copies of all the presentations from last week's SELinux Symposium are now posted on the symposium's web site (www.selinux-symposium.org).

In general, I think the symposium was a great success, and the participation was much greater than we originally expected. Hopefully signs of good things to come with this technology. Stay tuned for the dates and call for next year's event!

Frank

From peter at netresources.co.uk Wed Mar 9 18:18:12 2005
From: peter at netresources.co.uk (Peter George)
Date: Wed, 9 Mar 2005 18:18:12 -0000
Subject: [newbie] setenforce 1 breaks ~user
Message-ID:

I recently upgraded to FC3 + Apache 2.0 from RH7.3 + Apache 1.3. Currently running ext3 filesystem.

/home/*/public_html/ files do not have SELinux extended attributes, therefore I cannot change the security context on files.

I cannot see www.domain/~user with # /usr/sbin/setenforce 1; it has to be /usr/sbin/setenforce 0

I know I can force file relabelling to include extended attributes (forgotten the url with the helpful command just now) with a reboot, and then follow the '# chcon' directives at http://fedora.redhat.com/docs/selinux-apache-fc3/sn-user-homedir.html i.e.

# chcon -Rt httpd_sys_content_t /home/*/public_html/
# /usr/sbin/setenforce 1

Any web references or advice appreciated.

P
--
Peter George CIW CI
Training Manager
Net Resources Ltd
26 Palmerston Place, Edinburgh, EH12 5AL
T: 0131 477 7127 F: 0131 477 7126
http://www.netresources.co.uk

From eparis at redhat.com Wed Mar 9 18:34:19 2005
From: eparis at redhat.com (Eric Paris)
Date: Wed, 09 Mar 2005 13:34:19 -0500
Subject: [newbie] setenforce 1 breaks ~user
In-Reply-To:
References:
Message-ID: <1110393259.8559.41.camel@dhcp83-70.boston.redhat.com>

I think I understand your problem to be that the home directories are just left over from the old system and have absolutely no context. If so you should be able to run

restorecon -R -v /home

to have everything under /home labeled correctly. I believe anything in /home/[^/]+/public_html will get labeled with system_u:object_r:httpd_user_content_t which should work.

If you want to relabel the whole system run

touch /.autorelabel
reboot

On Wed, 2005-03-09 at 18:18 +0000, Peter George wrote:
> I recently upgraded to FC3 + Apache 2.0. from RH7.3 + Apache 1.3. Currently running ext3 filesystem.
>
> /home/*/public_html/ files do not have SELinux extended attributes therefore I cannot change the security context on files.
>
> I cannot see www.domain/~user with # /usr/sbin/setenforce 1 it has to be /usr/sbin/setenforce 0
>
> I know I can force file lelabelling to include extended attributes (forgotten the url with the helpful command just now) with a reboot, and then follow the '# chcon' directives at
> http://fedora.redhat.com/docs/selinux-apache-fc3/sn-user-homedir.html
>
> i.e.
>
> # chcon -Rt httpd_sys_content_t /home/*/public_html/
> # /usr/sbin/setenforce 1
>
> Any web references or advice appreciated.
>
> P
> --
> Peter George CIW CI
> Training Manager
> Net Resources Ltd
> 26 Palmerston Place, Edinburgh, EH12 5AL
> T: 0131 477 7127 F: 0131 477 7126
> http://www.netresources.co.uk
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From peter at netresources.co.uk Wed Mar 9 18:34:23 2005
From: peter at netresources.co.uk (Peter George)
Date: Wed, 9 Mar 2005 18:34:23 -0000
Subject: [newbie] setenforce 1 breaks ~user
Message-ID:

touch /.autorelabel
reboot

Is the way forward then. Thank you. :-)

P
--
Peter George CIW CI
Training Manager
Net Resources Ltd
26 Palmerston Place, Edinburgh, EH12 5AL
T: 0131 477 7127 F: 0131 477 7126
http://www.netresources.co.uk

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com on behalf of Eric Paris
Sent: Wed 09/03/2005 18:34
To: Fedora SELinux support list for users & developers.
Subject: Re: [newbie] setenforce 1 breaks ~user

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list

From goncalvespedro at hotmail.com Thu Mar 10 23:51:40 2005
From: goncalvespedro at hotmail.com (Pedro Gonçalves)
Date: Thu, 10 Mar 2005 23:51:40 +0000
Subject: Access other disk partitions (fat32)
Message-ID:

Hello,
I have Fedora Core 3 and Windows installed on my computer, but when I'm using Fedora I can't access the other partitions where I have my documents. Before, I had Mandrakelinux and I could easily access the other partitions. So, I'd like to know what I have to do to solve this problem.
Thank you

Regards,
Pedro Goncalves

From dash at redlands.qld.edu.au Thu Mar 10 23:56:04 2005
From: dash at redlands.qld.edu.au (David Ash)
Date: Fri, 11 Mar 2005 09:56:04 +1000
Subject: Access other disk partitions (fat32)
In-Reply-To:
References:
Message-ID: <4230DE94.5020909@redlands.qld.edu.au>

Pedro Gonçalves wrote:
> Hello,
> I have Fedora Core 3 and Windows installed on my computer but when I'm
> using Fedora I can't access the other partitions where I have my documents.
> Before I had Mandrakelinux and I could easily access the other partitions.
> So, I'd like to know what I have to do to solve this problem.
> Thank you
>
> Regards,
> Pedro Goncalves
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

WRONG LIST

try fedora-list at redhat.com

From wfrazee at wynweb.net Fri Mar 11 00:51:53 2005
From: wfrazee at wynweb.net (Wayne S. Frazee)
Date: Fri, 11 Mar 2005 00:51:53 +0000
Subject: Access other disk partitions (fat32)
In-Reply-To: <4230DE94.5020909@redlands.qld.edu.au>
References: <4230DE94.5020909@redlands.qld.edu.au>
Message-ID: <20050311005153.57147.qmail@mail.infinology.com>

Heh, sorta. Actually, this might be something for apache consideration. A forum-goer at one of the forums I administrate for a former employer was running into something similar with his linux-based apache 2.0.52 build.

Has anyone had similar problems with apache accessing directory roots on fat32 mounted partitions? Personally, I have been unable to re-create the problem as I don't have a fat32 partition to test it on. My NTFS tests have been successful, however.

-----------------
Wayne S. Frazee
"Any sufficiently developed bug is indistinguishable from a feature."

From jorton at redhat.com Fri Mar 11 11:02:33 2005
From: jorton at redhat.com (Joe Orton)
Date: Fri, 11 Mar 2005 11:02:33 +0000
Subject: current targeted policy errors
Message-ID: <20050311110233.GA8496@redhat.com>

There are a bunch of avc messages on bootup with a current-ish Raw Hide system; are these known about?

audit(1110459676.136:0): avc: denied { read } for pid=1696 exe=/sbin/ip path=/init dev=rootfs ino=23 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:root_t tclass=file
audit(1110459676.264:0): avc: denied { read } for pid=1700 exe=/sbin/iwconfig path=/init dev=rootfs ino=23 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:root_t tclass=file
audit(1110459676.343:0): avc: denied { read } for pid=1702 exe=/sbin/ethtool path=/init dev=rootfs ino=23 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:root_t tclass=file

(some repeated many times)

joe

From susan_geller at speakeasy.net Fri Mar 11 20:28:22 2005
From: susan_geller at speakeasy.net (susan_geller at speakeasy.net)
Date: Fri, 11 Mar 2005 20:28:22 +0000
Subject: Why is --replacepkgs needed?
Message-ID:

I was having some trouble with various audit messages after I upgraded to a newer version of the selinux-policy-targeted rpm. I did

rpm --verify selinux-policy-targeted

and found that several of the files didn't correspond to what is in the rpm. So I did

rpm -Uvh --replacepkgs ...

and everything magically works. Why can't the rpm packages be made so that the --replacepkgs flag is not needed?

Thanks,
Susan

From justin.conover at gmail.com Sat Mar 12 15:07:04 2005
From: justin.conover at gmail.com (Justin Conover)
Date: Sat, 12 Mar 2005 09:07:04 -0600
Subject: mv hard drives with lvm/selinux ?
In-Reply-To:
References: <1110306194.3853.23.camel@nexus.verbum.private>
Message-ID:

This kind of brings up another question: if I create a raid 5 with 3 or 4 disks and have my system on only 1 disk, and that one disk blows up, will it be easy to replace that disk and see the raid5/lvm/selinux files? Or should I take the caution and put my system in a raid 1 too?

thx

On Wed, 9 Mar 2005 07:16:56 -0600, Justin Conover wrote:
> I might not have to move the box after all, so I can put this test off
> for now. Thanks for your input though.
>
>
> On Tue, 08 Mar 2005 13:23:13 -0500, Colin Walters wrote:
> > On Tue, 2005-03-08 at 11:53 -0600, Justin Conover wrote:
> > > Just wondering if i'm going to move 2x160GB sata drives in raid 1 that
> > > are on there own volume with SELinux turned on. Can I simply move
> > > these to another box and be able to read them or does this become
> > > really tricky?
> >
> > If you use mv, cp -a --preserve=all, or rsync -X, security contexts of
> > files should be preserved.
> >
> > However, if you have a default FC3 install you're already using LVM, you
> > might consider simply placing the raid device as part of your existing
> > volume group, and not worrying about copying/moving data around. At
> > least if it works to do RAID under LVM :)
> >
>

From hampton-rh at rainbolthampton.net Sat Mar 12 23:50:42 2005
From: hampton-rh at rainbolthampton.net (David Hampton)
Date: Sat, 12 Mar 2005 18:50:42 -0500
Subject: New policy for yam
Message-ID: <1110671442.7641.15.camel@hampton-pc.rainbolthampton.net>

This is written on an FC3 base system using the selinux-policy-strict-sources-1.22.1-2 policy from March 11th. These are the first policies I've submitted so I'd appreciate any comments on how to write better policies.

David

-------------- next part --------------
# yam
/etc/yam.conf			--	system_u:object_r:yam_etc_t
/usr/bin/yam				system_u:object_r:yam_exec_t
/var/yam(/.*)?				system_u:object_r:yam_content_t
/var/www/yam(/.*)?			system_u:object_r:yam_content_t
-------------- next part --------------
# DESC yam - Yum/Apt Mirroring
#
# Author: David Hampton
#

#
# Yam downloads lots of files, indexes them, and makes them available
# for upload. Define a type for these files.
#
type yam_content_t, file_type, sysadmfile, httpdcontent;

#
# Common definitions used by both the command line and the cron
# invocation of yam.
#
define(`yam_common',`
# Update the content being managed by yam.
create_dir_file($1_t, yam_content_t)

# Content can also be on ISO image files.
r_dir_file($1_t, iso9660_t)

# Need to go through /var to get to /var/yam
# Go through /var/www to get to /var/www/yam
allow $1_t var_t:dir { getattr search };
allow $1_t httpd_sys_content_t:dir { getattr search };

# Allow access to locale database, nsswitch, and mtab
read_locale($1_t)
allow $1_t etc_t:file { getattr read };
allow $1_t etc_runtime_t:file { getattr read };

# Python seems to need things from various places
allow $1_t { bin_t sbin_t }:dir { search getattr };
allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read };
allow $1_t bin_t:lnk_file read;

# Python works fine without reading /proc/meminfo
dontaudit $1_t proc_t:dir search;
dontaudit $1_t proc_t:file { getattr read };

# Yam wants to run rsync, lftp, mount, and a shell. Allow the latter
# two here. Run rsync and lftp in the yam_t context so that we don't
# have to give any other programs write access to the yam_t files.
general_domain_access($1_t)
can_exec($1_t, shell_exec_t)
can_exec($1_t, rsync_exec_t)
can_exec($1_t, bin_t)
can_exec($1_t, usr_t)	#/usr/share/createrepo/genpkgmetadata.py
ifdef(`mount.te', `
domain_auto_trans($1_t, mount_exec_t, mount_t)
')

# Rsync and lftp need to network. They also set file attributes to
# match what's on the remote server.
can_network_client($1_t)
allow $1_t self:capability { chown fowner fsetid dac_override };

# access to sysctl_kernel_t ( proc/sys/kernel/* )
read_sysctl($1_t)

# Programs invoked to build package lists need various permissions.
# genpkglist creates tmp files in /var/cache/apt/genpkglist
allow $1_t var_t:file { getattr read write };
allow $1_t var_t:dir read;
# mktemp
allow $1_t urandom_device_t:chr_file read;
# mv
allow $1_t proc_t:lnk_file read;
allow $1_t selinux_config_t:dir search;
allow $1_t selinux_config_t:file { getattr read };
')

##########
##########
#
# Running yam from the command line
#
application_domain(yam, `, nscd_client_domain')
role system_r types yam_t;
yam_common(yam)
etc_domain(yam)
tmp_domain(yam)

# Terminal access
allow yam_t devpts_t:dir search;
allow yam_t devtty_t:chr_file { read write };
allow yam_t sshd_t:fd use;
allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write };

# Reading dotfiles...
dontaudit yam_t staff_home_dir_t:dir search;		# /root
allow yam_t home_root_t:dir search;			# /home
allow yam_t user_home_dir_t:dir { getattr search };	# /home/user

##########
##########
#
# Running yam from cron
#
application_domain(yam_crond, `, nscd_client_domain')
role system_r types yam_crond_t;
ifdef(`crond.te', `
system_crond_entry(yam_exec_t, yam_crond_t)
')
yam_common(yam_crond)
allow yam_crond_t yam_etc_t:file r_file_perms;
file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }')
allow yam_crond_t devtty_t:chr_file { read write };

# Reading dotfiles...
# LFTP uses a directory for its dotfiles
allow yam_crond_t default_t:dir search;

# Don't know why init tries to read this.
allow initrc_t yam_etc_t:file read;

##########
##########
# The whole point of this program is to make updates available on a
# local web server. Allow apache access to these files.
ifdef(`apache.te', `
allow httpd_t yam_content_t:dir { getattr search };
allow httpd_t yam_content_t:file { getattr read };
allow httpd_t yam_content_t:lnk_file { getattr read };
')

# Mount needs access to the yam directories in order to mount the ISO
# files on a loopback file system.
ifdef(`mount.te', `
allow mount_t yam_content_t:dir mounton;
allow mount_t yam_content_t:file { read write };
')

From hampton-rh at rainbolthampton.net Sat Mar 12 23:50:45 2005
From: hampton-rh at rainbolthampton.net (David Hampton)
Date: Sat, 12 Mar 2005 18:50:45 -0500
Subject: New policy for tripwire
Message-ID: <1110671445.7641.16.camel@hampton-pc.rainbolthampton.net>

This is written on an FC3 base system using the selinux-policy-strict-sources-1.22.1-2 policy from March 11th. These are the first policies I've submitted so I'd appreciate any comments on how to write better policies.

David

-------------- next part --------------
# tripwire
/etc/tripwire(/.*)?			system_u:object_r:tripwire_etc_t
/usr/sbin/siggen			system_u:object_r:siggen_exec_t
/usr/sbin/tripwire			system_u:object_r:tripwire_exec_t
/usr/sbin/tripwire-setup-keyfiles	system_u:object_r:bin_t
/usr/sbin/twadmin			system_u:object_r:twadmin_exec_t
/usr/sbin/twprint			system_u:object_r:twprint_exec_t
/var/lib/tripwire(/.*)?			system_u:object_r:tripwire_var_lib_t
/var/lib/tripwire/report(/.*)?		system_u:object_r:tripwire_report_t
-------------- next part --------------
# DESC tripwire
#
# Author: David Hampton
#
# NOTE: Tripwire creates temp files in its current working directory.
# This policy does not allow write access to home directories, so
# users will need to either cd to a directory where they have write
# permission, or set the TEMPDIRECTORY variable in the tripwire config
# file. The latter is preferable, as then the file_type_auto_trans
# rules will kick in and label the files as private to tripwire.

# Common definitions
type tripwire_report_t, file_type, sysadmfile;
etcdir_domain(tripwire)
var_lib_domain(tripwire)
tmp_domain(tripwire)

# Macro for defining tripwire domains
define(`tripwire_domain',`
application_domain($1, `, auth')
role system_r types $1_t;

# Allow access to common tripwire files
allow $1_t tripwire_etc_t:file r_file_perms;
allow $1_t tripwire_etc_t:dir r_dir_perms;
allow $1_t tripwire_etc_t:lnk_file { getattr read };
file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file)
allow $1_t tripwire_var_lib_t:dir rw_dir_perms;
file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }')
allow $1_t self:process { fork sigchld };
allow $1_t self:capability { setgid setuid dac_override };

# Tripwire needs to read all files on the system
general_proc_read_access($1_t)
allow $1_t file_type:dir { search getattr read };
allow $1_t file_type:{ file chr_file lnk_file sock_file } { getattr read };
allow $1_t file_type:fifo_file { getattr };
allow $1_t device_type:file { getattr read };
allow $1_t sysctl_t:dir { getattr read };
allow $1_t { memory_device_t tty_device_t urandom_device_t zero_device_t }:chr_file getattr;

# Tripwire report files
create_dir_file($1_t, tripwire_report_t)

# gethostid()?
allow $1_t self:unix_stream_socket { connect create };

# Running editor program (tripwire forks then runs bash which runs editor)
can_exec($1_t, shell_exec_t)
can_exec($1_t, bin_t)
uses_shlib($1_t)
allow $1_t self:dir search;
allow $1_t self:file { getattr read };
')

##########
##########
#
# When run by a user
#
tripwire_domain(`tripwire')

# Running from the command line
allow tripwire_t devpts_t:dir search;
allow tripwire_t devtty_t:chr_file { read write };
allow tripwire_t { sysadm_devpts_t user_devpts_t }:chr_file rw_file_perms;
allow tripwire_t sshd_t:fd use;

##########
##########
#
# When run from cron
#
tripwire_domain(`tripwire_crond')
system_crond_entry(tripwire_exec_t, tripwire_crond_t)
domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)

# Tripwire uses a temp file in the root home directory
#create_dir_file(tripwire_crond_t, root_t)

##########
# Twadmin
##########
application_domain(twadmin)
read_locale(twadmin_t)
create_dir_file(twadmin_t, tripwire_etc_t)
allow twadmin_t sysadm_tmp_t:file { getattr read write };

# Running from the command line
allow twadmin_t sshd_t:fd use;
allow twadmin_t sysadm_devpts_t:chr_file rw_file_perms;
dontaudit twadmin_t { bin_t sbin_t }:dir search;
dontaudit twadmin_t home_root_t:dir search;
dontaudit twprint_t user_home_dir_t:dir search;

##########
# Twprint
##########
application_domain(twprint)
read_locale(twprint_t)
r_dir_file(twprint_t, tripwire_etc_t)
allow twprint_t { var_t var_lib_t }:dir search;
r_dir_file(twprint_t, tripwire_var_lib_t)
r_dir_file(twprint_t, tripwire_report_t)

# Running from the command line
allow twprint_t sshd_t:fd use;
allow twprint_t sysadm_devpts_t:chr_file rw_file_perms;
dontaudit twprint_t { bin_t sbin_t }:dir search;
dontaudit twprint_t home_root_t:dir search;

##########
# Siggen
##########
application_domain(siggen, `, auth')
read_locale(siggen_t)

# Need permission to read files
allow siggen_t file_type:dir { search getattr read };
allow siggen_t file_type:file { getattr read };

# Running from the command line
allow siggen_t sshd_t:fd use;
allow siggen_t sysadm_devpts_t:chr_file rw_file_perms;

From christofer.c.bell at gmail.com Sun Mar 13 00:46:19 2005
From: christofer.c.bell at gmail.com (Christofer C. Bell)
Date: Sat, 12 Mar 2005 18:46:19 -0600
Subject: Questions about Apache and SELinux context inheritance
Message-ID: <143f0f6c050312164621b2f90c@mail.gmail.com>

I have a question about how context inheritance works in SELinux. The correct file context is already defined in /etc/selinux/targeted/contexts/files/file_contexts as:

/home/[^/]+/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t

However, this context is not inherited when creating a public_html directory as a user or as root in a user home directory. In other words, when creating a public_html directory, this is what you get:

drwxrwxr-x cbell cbell user_u:object_r:user_home_t public_html

(I must admit some confusion about the initial user_u user context since this is not defined in file_contexts).

Here you see that the user context is set to user_u, the role is set to object_r, and the type is set to user_home_t. This is (in)correctly inherited from the /home directory's context. Simply running restorecon -v -R /home/ (as a user or root) will fix it to read thusly:

drwxrwxr-x cbell cbell system_u:object_r:httpd_user_content_t public_html

At any rate, the user label is correctly set to system_u, the role is unchanged with object_r, and the type is changed to httpd_user_content_t. This is the context I'd like public_html directories to automatically assume when created. Is this possible?

Further puzzles: creating files in this public_html directory (after resetting the directory to the correct context) yields more puzzling results:

[cbell at circe public_html]$ touch test
[cbell at circe public_html]$ ls -Z
-rw-rw-r-- cbell cbell user_u:object_r:httpd_sys_content_t test

Note that in this case, the file has been set to user context user_u, role object_r, and type httpd_sys_content_t. This is the type that's supposedly reserved for the machine's public web directories (from file_contexts):

/var/www(/.*)? system_u:object_r:httpd_sys_content_t

Again, one must run restorecon to correctly set the context on this file to:

-rw-rw-r-- cbell cbell system_u:object_r:httpd_user_content_t test

So my questions are fourfold:

o How can one cause the correct httpd_user_content_t type to be automatically assigned to user public_html directories (and subdirectories)?

o How can one cause the correct httpd_user_content_t type to be automatically assigned to user content (files) in user public_html directories?

o Why are files initially receiving a user context of user_u rather than system_u?

And one final, slightly unrelated question:

o When I installed this server and restored user data to it, the user context on all the files was set to root rather than user_u (and why not system_u?). I've reset everything to the correct user context with chcon, but I'd like to know why this happened.

Thank you all for your insight!

--
Chris

"Build a man a fire and he will be warm for the rest of the night. Set a man on fire and he will be warm for the rest of his life." -- Unknown

From ivg2 at cornell.edu Sun Mar 13 01:34:09 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Sat, 12 Mar 2005 20:34:09 -0500
Subject: Questions about Apache and SELinux context inheritance
In-Reply-To: <143f0f6c050312164621b2f90c@mail.gmail.com>
References: <143f0f6c050312164621b2f90c@mail.gmail.com>
Message-ID: <1110677649.29852.11.camel@cobra.ivg2.net>

> So my questions are fourfold:
>
> o How can one cause the correct httpd_user_content_t type to be
> automatically assigned to user public_html directories (and
> subdirectories)?

Not possible. Put the folder in /etc/skel with the correct context. Maybe this should be done by default in Fedora, or maybe not.

> o How can one cause the correct httpd_user_content_t type to be
> automatically assigned to user content (files) in user public_html
> directories?

Possible w/ file_type_auto_trans rule. Will investigate...

> o Why are files initially receiving a user context of user_u rather
> than system_u?

This is normal - the user part of the context is set to the user who created the file - no problem here.

> And one final, slightly unrelated question:
>
> o When I installed this server and restored user data to it, the user
> context on all the files was set to root rather than user_u (and why
> not system_u?). I've reset everything to the correct user context
> with chcon, but I'd like to know why this happened.

Because you restored the context as root, probably. The user is set to whoever operates on the file.

--
Ivan Gyurdiev
Cornell University

From walters at redhat.com Sun Mar 13 02:18:21 2005
From: walters at redhat.com (Colin Walters)
Date: Sat, 12 Mar 2005 21:18:21 -0500
Subject: Questions about Apache and SELinux context inheritance
In-Reply-To: <143f0f6c050312164621b2f90c@mail.gmail.com>
References: <143f0f6c050312164621b2f90c@mail.gmail.com>
Message-ID: <1110680302.4566.80.camel@nexus.verbum.private>

I assume you're running the strict policy here; in the future please state explicitly what Fedora release and policy you're using.

On Sat, 2005-03-12 at 18:46 -0600, Christofer C. Bell wrote:
> However, this context is not inherited when creating a public_html
> directory as a user or as root in a user home directory. In
> other words, when creating a public_html directory, this is what you
> get:
>
> drwxrwxr-x cbell cbell user_u:object_r:user_home_t public_html

Security contexts are not typically assigned based on filenames after system initialization. In other words, if you use 'mkdir', the GNOME file manager, or whatever to create a file, it will have a context assigned to it based solely on the security context of its parent directory. You can however later use a command such as "restorecon" to change the security context of a file based on its name. Or you can use "chcon" to assign contexts directly regardless of file name.

> (I must admit some confusion about the initial user_u user context
> since this is not defined in file_contexts).

It's debatable whether it should be system_u or user_u; the user identity component of the security context has a few purposes. One is to identify the creator of an object. If the system created it, then logically the user is system_u. But it's also used in the constraints, for example to ensure a process can't relabel a file with a differing user identity. If you want to allow a user that privilege, the user identity needs to be user_u. Probably by default all files in the user's home directory should be user_u (or staff_u).

> At any rate, the user label is correctly set to system_u, the role is
> unchanged with object_r, and the type is changed to
> httpd_user_content_t. This is the context I'd like public_html
> directories to automatically assume when created. Is this possible?

Not really. An explicit decision was made to not assign contexts based on filenames after system initialization inside the kernel ("mkdir", "open", etc). Instead, one should modify the system to assign them correctly. In this case we probably should have public_html in /etc/skel as Ivan suggested. Or something similar.

> Further puzzles:
>
> When creating files in this public_html directory (after resetting the
> directory to the correct context) yields more puzzling results:
>
> [cbell at circe public_html]$ touch test
> [cbell at circe public_html]$ ls -Z
> -rw-rw-r-- cbell cbell user_u:object_r:httpd_sys_content_t test

Right; if the directory has type httpd_sys_content_t, any files created inside it will inherit that type.

> Note that in this case, the file has been set to user context user_u,
> role object_r, and type httpd_sys_content_t. This is the type that's
> supposedly reserved for the machine's public web directories:

Indeed.

> o How can one cause the correct httpd_user_content_t type to be
> automatically assigned to user public_html directories (and
> subdirectories)?

This sounds like a recent bug introduced in the strict policy.

> o How can one cause the correct httpd_user_content_t type to be
> automatically assigned to user content (files) in user public_html
> directories?

That will happen automatically when the directory has that type.

> o Why are files initially receiving a user context of user_u rather
> than system_u?

When they're created after system initialization? Because the user identity is derived from the identity of the creating process.

> o When I installed this server and restored user data to it, the user
> context on all the files was set to root rather than user_u (and why
> not system_u?). I've reset everything to the correct user context
> with chcon, but I'd like to know why this happened.

Presumably you untarred (or whatever) the data as root:sysadm_r? In that case the files again by default inherit the user identity of the creating process. For restoring data, you should use a tool that preserves security contexts.

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-chapter-0017.html#RHLCOMMON-SECTION-0067

Also rsync in rawhide has a -X option.

From walters at redhat.com Sun Mar 13 02:31:28 2005
From: walters at redhat.com (Colin Walters)
Date: Sat, 12 Mar 2005 21:31:28 -0500
Subject: Questions about Apache and SELinux context inheritance
In-Reply-To: <143f0f6c050312164621b2f90c@mail.gmail.com>
References: <143f0f6c050312164621b2f90c@mail.gmail.com>
Message-ID: <1110681088.4566.89.camel@nexus.verbum.private>

On Sat, 2005-03-12 at 18:46 -0600, Christofer C. Bell wrote:
> I have a question about how context inheritance works in SELinux.
>
> The correct file context is already defined in
> /etc/selinux/targeted/contexts/files/file_contexts as:

Ah, sorry, so you are running targeted policy. With all your discussion of users I had assumed it was strict.

One thing that might explain a lot then is that httpd_sys_content_t and httpd_user_content_t are exactly the same thing in the targeted policy:

domains/program/apache.te:
ifdef(`targeted_policy', `
typealias httpd_sys_content_t alias httpd_user_content_t;
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;

From kwade at redhat.com Mon Mar 14 05:39:39 2005
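The labeling rules discussed in this thread, worked through as an added model (not code from the list or from libselinux): the kernel derives the user field from the creating process, the type from the parent directory unless a type_transition rule for (domain, parent type, class) applies, and in targeted policy the quoted typealias folds httpd_user_content_t into httpd_sys_content_t. The process contexts and the hypothetical type_transition rule in the demo are assumptions made for illustration.

```python
"""Model of creation-time SELinux file labeling versus what the thread observed.

Added example, not code from the posts.  The contexts and the typealias table
come from the thread; process contexts and the type_transition rule in demo()
are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}"


# From the quoted domains/program/apache.te, targeted policy only: the alias
# name resolves to the primary type, which is what ls -Z displays.
TARGETED_ALIASES = {
    "httpd_user_content_t": "httpd_sys_content_t",
    "httpd_user_script_exec_t": "httpd_sys_script_exec_t",
}

# type_transition rules keyed by (creating domain, parent type, object class).
TypeTransitions = dict[tuple[str, str, str], str]


def canonical_type(type_name: str, policy: str) -> str:
    """Resolve a typealias to its primary type (only targeted has the aliases)."""
    if policy == "targeted":
        return TARGETED_ALIASES.get(type_name, type_name)
    return type_name


def create_object(process: Context, parent: Context, obj_class: str,
                  transitions: TypeTransitions, policy: str = "targeted") -> Context:
    """Context the kernel assigns when `process` creates an object in `parent`.

    user: identity of the creating process (user_u for the user, root when a
          root shell untars data), never looked up in file_contexts
    role: object_r for all files and directories
    type: the parent's type, unless a type_transition rule matches
    """
    new_type = transitions.get((process.type, parent.type, obj_class), parent.type)
    return Context(process.user, "object_r", canonical_type(new_type, policy))


def demo() -> dict[str, str]:
    """Replay the sequence from the thread; returns the observed contexts."""
    no_rules: TypeTransitions = {}
    # Assumed process contexts: a targeted-policy user shell and a root shell.
    cbell = Context("user_u", "system_r", "unconfined_t")
    root = Context("root", "system_r", "unconfined_t")
    # Assumed label of /home/cbell, matching the type the poster saw inherited.
    home_cbell = Context("user_u", "object_r", "user_home_t")
    out: dict[str, str] = {}

    # 1. mkdir public_html: user from the creator, type from the parent.
    out["mkdir public_html"] = str(create_object(cbell, home_cbell, "dir", no_rules))

    # 2. restorecon relabels the directory from file_contexts (value from the thread).
    public_html = Context("system_u", "object_r", "httpd_user_content_t")

    # 3. touch test inside it: the type is inherited; targeted shows the alias target.
    out["touch test (targeted)"] = str(
        create_object(cbell, public_html, "file", no_rules, policy="targeted"))
    out["touch test (strict)"] = str(
        create_object(cbell, public_html, "file", no_rules, policy="strict"))

    # 4. Data restored by root: the user field becomes root, as the poster saw.
    out["root restore"] = str(create_object(root, home_cbell, "file", no_rules))

    # 5. Hypothetical type_transition rule (what file_type_auto_trans expands to):
    #    it is keyed on domain and parent type, not on the name public_html.
    rules: TypeTransitions = {
        ("unconfined_t", "user_home_t", "dir"): "httpd_user_content_t",
    }
    out["mkdir with type_transition"] = str(
        create_object(cbell, home_cbell, "dir", rules, policy="strict"))
    return out


if __name__ == "__main__":
    for step, ctx in demo().items():
        print(f"{step:28s} {ctx}")
```

Step 5 illustrates why the rule cannot answer the original question as asked: a type_transition fires for every directory created under that parent by that domain, not just one named public_html.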
From: kwade at redhat.com (Karsten Wade)
Date: Sun, 13 Mar 2005 21:39:39 -0800
Subject: [newbie] setenforce 1 breaks ~user
In-Reply-To:
References:
Message-ID: <1110778779.5546.5.camel@erato.phig.org>

On Wed, 2005-03-09 at 18:18 +0000, Peter George wrote:
>
> Any web references or advice appreciated.

I see that your problem was solved, but in the future you may find some of the how-to information here to be useful:

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0068.html

- Karsten
--
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Learn, Network and Experience Open Source.
Red Hat Summit, New Orleans 2005
http://www.redhat.com/promo/summit/

From florin at andrei.myip.org Mon Mar 14 20:20:25 2005
From: florin at andrei.myip.org (Florin Andrei)
Date: Mon, 14 Mar 2005 12:20:25 -0800
Subject: OpenVPN
Message-ID: <1110831625.29362.28.camel@stantz.corp.sgi.com>

I've seen some effort going into creating SELinux rules for OpenVPN:

http://www.nsa.gov/selinux/list-archive/0407/7704.cfm

Does anyone know what's the status of that? Usable? Non-usable?

--
Florin Andrei
http://florin.myip.org/

From dwalsh at redhat.com Tue Mar 15 14:20:30 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 15 Mar 2005 09:20:30 -0500
Subject: New policy for yam
In-Reply-To: <1110671442.7641.15.camel@hampton-pc.rainbolthampton.net>
References: <1110671442.7641.15.camel@hampton-pc.rainbolthampton.net>
Message-ID: <4236EF2E.8090104@redhat.com>

David Hampton wrote:
>This is written on an FC3 base system using the selinux-policy-strict-
>sources-1.22.1-2 policy from March 11th. These are the first policies
>I've submitted so I'd appreciate any comments on how to write better
>policies.
>
>David
>
>

Why did you create a yam_crond_t? Why not just transition to yam_t from crond?

Dan

>
>
>------------------------------------------------------------------------
>
># yam
>/etc/yam.conf -- system_u:object_r:yam_etc_t
>/usr/bin/yam system_u:object_r:yam_exec_t
>/var/yam(/.*)? system_u:object_r:yam_content_t
>/var/www/yam(/.*)? system_u:object_r:yam_content_t
>
>
>------------------------------------------------------------------------
>
># DESC yam - Yum/Apt Mirroring
>#
># Author: David Hampton
>#
>
>
>#
># Yam downloads lots of files, indexes them, and makes them available
># for upload. Define a type for these files.
>#
>type yam_content_t, file_type, sysadmfile, httpdcontent;
>
>
>#
># Common definitions used by both the command line and the cron
># invocation of yam.
>#
>define(`yam_common',`
>
># Update the content being managed by yam.
>create_dir_file($1_t, yam_content_t)
>
># Content can also be on ISO image files.
>r_dir_file($1_t, iso9660_t)
>
># Need to go through /var to get to /var/yam
># Go through /var/www to get to /var/www/yam
>allow $1_t var_t:dir { getattr search };
>allow $1_t httpd_sys_content_t:dir { getattr search };
>
># Allow access to locale database, nsswitch, and mtab
>read_locale($1_t)
>allow $1_t etc_t:file { getattr read };
>allow $1_t etc_runtime_t:file { getattr read };
>
># Python seems to need things from various places
>allow $1_t { bin_t sbin_t }:dir { search getattr };
>allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read };
>allow $1_t bin_t:lnk_file read;
>
># Python works fine without reading /proc/meminfo
>dontaudit $1_t proc_t:dir search;
>dontaudit $1_t proc_t:file { getattr read };
>
># Yam wants to run rsync, lftp, mount, and a shell. Allow the latter
># two here. Run rsync and lftp in the yam_t context so that we don't
># have to give any other programs write access to the yam_t files.
>general_domain_access($1_t)
>can_exec($1_t, shell_exec_t)
>can_exec($1_t, rsync_exec_t)
>can_exec($1_t, bin_t)
>can_exec($1_t, usr_t) #/usr/share/createrepo/genpkgmetadata.py
>ifdef(`mount.te', `
>domain_auto_trans($1_t, mount_exec_t, mount_t)
>')
>
># Rsync and lftp need to network. They also set file attributes to
># match what's on the remote server.
>can_network_client($1_t)
>allow $1_t self:capability { chown fowner fsetid dac_override };
>
># access to sysctl_kernel_t ( proc/sys/kernel/* )
>read_sysctl($1_t)
>
># Programs invoked to build package lists need various permissions.
># genpkglist creates tmp files in /var/cache/apt/genpkglist
>allow $1_t var_t:file { getattr read write };
>allow $1_t var_t:dir read;
># mktemp
>allow $1_t urandom_device_t:chr_file read;
># mv
>allow $1_t proc_t:lnk_file read;
>allow $1_t selinux_config_t:dir search;
>allow $1_t selinux_config_t:file { getattr read };
>')
>
>
>##########
>##########
>
>#
># Running yam from the command line
>#
>application_domain(yam, `, nscd_client_domain')
>role system_r types yam_t;
>yam_common(yam)
>etc_domain(yam)
>tmp_domain(yam)
>
># Terminal access
>allow yam_t devpts_t:dir search;
>allow yam_t devtty_t:chr_file { read write };
>allow yam_t sshd_t:fd use;
>allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write };
>
># Reading dotfiles...
>dontaudit yam_t staff_home_dir_t:dir search; # /root
>allow yam_t home_root_t:dir search; # /home
>allow yam_t user_home_dir_t:dir { getattr search }; # /home/user
>
>
>##########
>##########
>
>#
># Running yam from cron
>#
>application_domain(yam_crond, `, nscd_client_domain')
>role system_r types yam_crond_t;
>ifdef(`crond.te', `
>system_crond_entry(yam_exec_t, yam_crond_t)
>')
>
>yam_common(yam_crond)
>allow yam_crond_t yam_etc_t:file r_file_perms;
>file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }')
>
>allow yam_crond_t devtty_t:chr_file { read write };
>
># Reading dotfiles...
># LFTP uses a directory for its dotfiles
>allow yam_crond_t default_t:dir search;
>
># Don't know why init tries to read this.
>allow initrc_t yam_etc_t:file read;
>
>
>##########
>##########
>
># The whole point of this program is to make updates available on a
># local web server. Allow apache access to these files.
>ifdef(`apache.te', `
>allow httpd_t yam_content_t:dir { getattr search };
>allow httpd_t yam_content_t:file { getattr read };
>allow httpd_t yam_content_t:lnk_file { getattr read };
>')
>
># Mount needs access to the yam directories in order to mount the ISO
># files on a loopback file system.
>ifdef(`mount.te', `
>allow mount_t yam_content_t:dir mounton;
>allow mount_t yam_content_t:file { read write };
>')
>
>
>------------------------------------------------------------------------
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

--

From rrcoot at verizon.net Tue Mar 15 18:04:59 2005
From: rrcoot at verizon.net (rrcoot at verizon.net)
Date: Tue, 15 Mar 2005 12:04:59 -0600
Subject: SELinux policy for ndiswrapper
Message-ID: <0IDE00MLXNKBMF01@vms046.mailsrvcs.net>

I wrote a policy to get ndiswrapper running in my FC3 strict policy SELinux system. This is the first policy I have created. I would greatly appreciate any pointers or feedback anyone would like to share.

This policy is specifically used to allow the kernel_t domain to use the loadndisdriver executable to update the ndiswrapper module with configuration information. With this policy I can now successfully insmod ndiswrapper v1.1

#################################################
#
# Define default file contexts for ndis tools
# Filename: loadndis.fc
# Assumptions: This file assumes that the
#              loadndisdriver executable is
#              found under /sbin and the
#              config files are all under
#              /etc/ndiswrapper.
#
# Author: Ryan Gall
#

#File context for the loadndisdriver executable
/sbin/loadndisdriver -- system_u:object_r:loadndis_exec_t

#Context for the driver configuration files
/etc/ndiswrapper/ -- system_u:object_r:loadndis_content_t

##################################################
#
# Policy to create a domain for the
# loadndisdriver executable
# Filename: loadndis.te
# Purpose: To isolate the executable to
#          some normal application stuff
#          and the loadndisdriver configuration
#          files. Ultimately allow successful
#          completion of `insmod ndiswrapper`
#          in an enforcing strict SELinux
#          policy.
#
# Author: Ryan Gall
#

#Declare our loadndis domain
type loadndis_t, domain, privlog;

#Let system_r access this new domain
role system_r types loadndis_t;

#Set up the file contexts for loadndis executable and content
type loadndis_exec_t, file_type, sysadmfile;
type loadndis_content_t, file_type, sysadmfile;

#Transition execution to loadndis domain when executed
domain_auto_trans(kernel_t, loadndis_exec_t, loadndis_t)

#Needs to be able to search root of filesystem
allow loadndis_t root_t:dir search;

#Rules for devices
allow loadndis_t device_t:dir { rw_dir_perms };
allow loadndis_t device_t:chr_file { read create unlink ioctl };
allow loadndis_t null_device_t:chr_file { rw_file_perms };
allow loadndis_t console_device_t:chr_file { rw_file_perms };

#Capabilities
allow loadndis_t self:capability { sys_tty_config };
allow loadndis_t self:capability { mknod };

#Rules for proc filesystem
allow loadndis_t proc_t:dir { r_dir_perms };
allow loadndis_t proc_t:file { r_file_perms };

#Sysfs rule
allow loadndis_t sysfs_t:dir { search };

#Allow logging
allow loadndis_t devlog_t:sock_file { write };

#Create a unix datagram socket
allow loadndis_t self:unix_dgram_socket { create_socket_perms };

#Let it access common configuration directories and libraries
uses_shlib(loadndis_t)
read_locale(loadndis_t)

#Finally allow access to our content
allow loadndis_t loadndis_content_t:file { r_file_perms };
allow loadndis_t loadndis_content_t:dir { r_dir_perms };

From hampton-rh at rainbolthampton.net Tue Mar 15 18:51:32 2005
From: hampton-rh at rainbolthampton.net (David Hampton)
Date: Tue, 15 Mar 2005 13:51:32 -0500
Subject: New policy for yam
In-Reply-To: <4236EF2E.8090104@redhat.com>
References: <1110671442.7641.15.camel@hampton-pc.rainbolthampton.net> <4236EF2E.8090104@redhat.com>
Message-ID: <1110912692.14212.29.camel@hampton-pc.rainbolthampton.net>

On Tue, 2005-03-15 at 09:20 -0500, Daniel J Walsh wrote:
> Why did you create a yam_crond_t? Why not just transition to yam_t from
> crond?

When I first started working on the policy I was trying to be as restrictive as possible and differentiate between what peripheral files could be opened when running yam from the command line vs. when running from cron. For example, the cron version requires less access to the terminal and no access to a ssh file descriptor. The two instances also try reading their dot files from different directories. I wrote this policy just after writing an exim policy that distinguished between user, sysadm, and system invocations of the program. Perhaps I went overboard here.

David

P.S. I'm still tweaking the exim policy. I'll probably post it in a week or so.

From cpebenito at tresys.com Tue Mar 15 18:54:57 2005
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Tue, 15 Mar 2005 13:54:57 -0500
Subject: SELinux policy for ndiswrapper
In-Reply-To: <0IDE00MLXNKBMF01@vms046.mailsrvcs.net>
References: <0IDE00MLXNKBMF01@vms046.mailsrvcs.net>
Message-ID: <1110912897.3232.29.camel@sgc>

On Tue, 2005-03-15 at 12:04 -0600, rrcoot at verizon.net wrote:
> I wrote a policy to get ndiswrapper running in my FC3 strict policy
> SELinux system. This is the first policy I have created. I would
> greatly appreciate any pointers or feedback anyone would like to
[cut]

> # Filename: loadndis.fc

> #Context for the driver configuration files
> /etc/ndiswrapper/ -- system_u:object_r:loadndis_content_t

you probably want this:

/etc/ndiswrapper(/.*)? system_u:object_r:loadndis_content_t

so you can label all of the driver stuff that's stored under that directory and its subdirectories. I don't think your pattern will match anything.

> # Filename: loadndis.te

> #Rules for devices
> allow loadndis_t device_t:dir { rw_dir_perms };
> allow loadndis_t device_t:chr_file { read create unlink ioctl };
> allow loadndis_t null_device_t:chr_file { rw_file_perms };
> allow loadndis_t console_device_t:chr_file { rw_file_perms };

It would be better for the device node to have its own type, and type transition the chr_file, that way loadndis_t can only read very specific device nodes:

type loadndis_device_t, device_type, dev_fs;
file_type_auto_trans(loadndis_t,device_t,loadndis_device_t,chr_file)

Or if you really want to go least privilege, you could probably use these rules instead of the above file_type_auto_trans:

allow loadndis_t device_t:dir { search write add_name remove_name };
allow loadndis_t loadndis_device_t:chr_file { read create unlink ioctl };
type_transition loadndis_t device_t:chr_file loadndis_device_t;

> #Capabilities
> allow loadndis_t self:capability { sys_tty_config };
> allow loadndis_t self:capability { mknod };

Just for readability, it would be best to merge these into one line. Just a little nitpick. :)

> #Rules for proc filesystem
> allow loadndis_t proc_t:dir { r_dir_perms };
> allow loadndis_t proc_t:file { r_file_perms };

Another readability thing, you don't need the braces around r_dir_perms and r_file_perms, as these are macros, and they already provide braces. So the ones you have are redundant.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From hampton-rh at rainbolthampton.net Wed Mar 16 13:17:32 2005
From: hampton-rh at rainbolthampton.net (David Hampton)
Date: Wed, 16 Mar 2005 08:17:32 -0500
Subject: Additions to net_contexts
Message-ID: <1110979052.20316.16.camel@hampton-pc.rainbolthampton.net>

Here are some additions to net_contexts to define additional privileged ports. I'll be submitting policies that reference these ports over the next week or so as I get them cleaned up. This is based on the file from the selinux-policy-strict-sources-1.22.1-2 rpm on my FC3 system.

David

-------------- next part --------------
A non-text attachment was scrubbed...
Name: net_contexts.diffs
Type: text/x-patch
Size: 1161 bytes
Desc: not available
URL:

From hampton-rh at rainbolthampton.net Wed Mar 16 13:17:51 2005
From: hampton-rh at rainbolthampton.net (David Hampton)
Date: Wed, 16 Mar 2005 08:17:51 -0500
Subject: Tweaks to the clamav policy
Message-ID: <1110979071.20316.17.camel@hampton-pc.rainbolthampton.net>

I've added support to the (unused) clamav policy to allow listening for service requests on a TCP socket, and for interacting with amavis. I also made some tweaks that tighten up the network access allowed by freshclam, split the freshclam and spamd log files into two different types, and make the clamd control socket a unique type. Thanks.

David

P.S. These diffs are based on the files from the selinux-policy-strict-sources-1.22.1-2 rpm.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: clamav.diffs
Type: text/x-patch
Size: 3700 bytes
Desc: not available
URL:

From hampton-rh at rainbolthampton.net Wed Mar 16 13:18:20 2005
From: hampton-rh at rainbolthampton.net (David Hampton)
Date: Wed, 16 Mar 2005 08:18:20 -0500
Subject: Tweaks to the amavis policy
Message-ID: <1110979100.20316.18.camel@hampton-pc.rainbolthampton.net>

I've added support to the (unused) amavis policy to allow interaction with additional mail filters, and added a new type specifically for quarantined spam and viruses. I also tweaked the network access to limit ports that can be used by amavisd. I'd appreciate any feedback on these changes or tips on how to write better policies. Thanks.

David

P.S. These diffs are based on the files from the selinux-policy-strict-sources-1.22.1-2 rpm.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: amavis.diffs
Type: text/x-patch
Size: 3568 bytes
Desc: not available
URL:

From hampton-rh at rainbolthampton.net Wed Mar 16 13:18:47 2005
From: hampton-rh at rainbolthampton.net (David Hampton)
Date: Wed, 16 Mar 2005 08:18:47 -0500
Subject: Tweaks to the dovecot policy
Message-ID: <1110979127.20316.20.camel@hampton-pc.rainbolthampton.net>

I've added support to the dovecot policy to allow authentication against a dovecot private password file, and added a couple of tweaks that I hope tighten up the security of dovecot a little bit. They make the dovecot configuration file into a unique type, and add a type that can be used to distinguish mail stored by dovecot from other mail stored on the system.

David

P.S. These diffs are based on the files from the selinux-policy-strict-sources-1.22.1-2 rpm on my FC3 system.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot.diffs
Type: text/x-patch
Size: 3150 bytes
Desc: not available
URL:

From hampton at employees.org Wed Mar 16 13:19:07 2005
From: hampton at employees.org (David Hampton)
Date: Wed, 16 Mar 2005 08:19:07 -0500
Subject: New policy for Pop-before-smtp daemon
Message-ID: <1110979147.20316.22.camel@hampton-pc.rainbolthampton.net>

Here's a new policy to support the pop-before-smtp daemon from http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz . I'd appreciate any feedback on these files or tips on how to write better policies. Thanks.

David

P.S. This policy is based on the selinux-policy-strict-sources-1.22.1-2 rpm on my FC3 system.

-------------- next part --------------
# popb4smtp
/usr/local/sbin/popb4smtp-watch -- system_u:object_r:popb4smtp_watch_exec_t
/usr/local/sbin/popb4smtp-clean -- system_u:object_r:popb4smtp_clean_exec_t
/var/db/popb4smtp(/.*)? system_u:object_r:popb4smtp_db_t
/var/run/popb4smtp-watch.pid -- system_u:object_r:popb4smtp_watch_var_run_t
/var/run/popb4smtp-clean.pid -- system_u:object_r:popb4smtp_clean_var_run_t

-------------- next part --------------
#DESC popb4smtp - SMTP mail authentication based upon POP logs
#
# Author: David Hampton
# Depends: mta.te
#
# This policy supports one of the two pop-before-smtp daemons
# referenced in the Exim v4 FAQ at http://www.exim.org. This daemon
# can be found at
# http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz

type popb4smtp_db_t, file_type, sysadmfile;

#
# popb4smtp_watch - Watch the pop log and update database
#
daemon_domain(popb4smtp_watch, `, privlog')
domain_auto_trans(initrc_t, popb4smtp_watch_exec_t, popb4smtp_watch_t)

# Read the logs and write the database
r_dir_file(popb4smtp_watch_t, var_log_t)
create_dir_file(popb4smtp_watch_t, popb4smtp_db_t)
allow popb4smtp_watch_t sbin_t:dir search;
allow popb4smtp_watch_t {random_device_t urandom_device_t}:chr_file r_file_perms;

# logging
allow popb4smtp_watch_t self:unix_dgram_socket { connect create write };

# Allow access for the MTA exim to do auth checks
r_dir_file(mail_server_domain, popb4smtp_db_t)

#
# popb4smtp_clean - Periodically clean database
#
daemon_domain(popb4smtp_clean, `, privlog')
domain_auto_trans(initrc_t, popb4smtp_clean_exec_t, popb4smtp_clean_t)

create_dir_file(popb4smtp_clean_t, popb4smtp_db_t)
allow popb4smtp_clean_t sbin_t:dir search;
allow popb4smtp_clean_t {random_device_t urandom_device_t}:chr_file r_file_perms;

# logging
allow popb4smtp_clean_t self:unix_dgram_socket { connect create write };

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:

From sopwith at redhat.com Wed Mar 16 17:28:01 2005
From: sopwith at redhat.com (Elliot Lee)
Date: Wed, 16 Mar 2005 12:28:01 -0500
Subject: Fedora Project Mailing Lists reminder
Message-ID:

This is a reminder of the mailing lists for the Fedora Project, and the purpose of each list. You can view this information at http://fedora.redhat.com/participate/communicate/

When you're using these mailing lists, please take the time to choose the one that is most appropriate to your post. If you don't know the right mailing list to use for a question or discussion, please contact me. This will help you get the best possible answer for your question, and keep other list subscribers happy!

Mailing Lists

Mailing lists are email addresses which send email to all users subscribed to the mailing list. Sending an email to a mailing list reaches all users interested in discussing a specific topic and users available to help other users with the topic.

The following mailing lists are available. To subscribe, send email to -request at redhat.com (replace with the desired mailing list name such as fedora-list) with the word subscribe in the subject.

fedora-announce-list - Announcements of changes and events. To stay aware of news, subscribe to this list.

fedora-list - For users of releases. If you want help with a problem installing or using , this is the list for you.

fedora-test-list - For testers of test releases. If you would like to discuss experiences using TEST releases, this is the list for you.

fedora-devel-list - For developers, developers, developers. If you are interested in helping create releases, this is the list for you.

fedora-extras-list - For users and developers of Fedora Extras

fedora-docs-list - For participants of the docs project

fedora-desktop-list - For discussions about desktop issues such as user interfaces, artwork, and usability

fedora-config-list - For discussions about the development of configuration tools

fedora-tools-list - For discussions about the toolchain (gcc, gdb, etc...) within Fedora

fedora-devel-java-list - For discussions about Java-related Fedora development

fedora-patches-list - For submitting patches to Fedora maintainers, and used in line with BugWeek

fedora-legacy-announce - For announcements about the Fedora Legacy Project

fedora-legacy-list - For discussions about the Fedora Legacy Project

fedora-selinux-list - For discussions about the Fedora SELinux Project

fedora-marketing-list - For discussions about marketing and expanding the Fedora user base

fedora-de-list - For discussions about Fedora in the German language

fedora-es-list - For discussions about Fedora in the Spanish language

fedora-ja-list - For discussions about Fedora in the Japanese language

fedora-i18n-list - For discussions about the internationalization of Fedora Core

fedora-trans-list - For discussions about translating the software and documentation associated with the Fedora Project
  German: fedora-trans-de
  French: fedora-trans-fr
  Spanish: fedora-trans-es
  Italian: fedora-trans-it
  Brazilian Portuguese: fedora-trans-pt_br
  Japanese: fedora-trans-ja
  Korean: fedora-trans-ko
  Simplified Chinese: fedora-trans-zh_cn
  Traditional Chinese: fedora-trans-zh_tw

From rrcoot at verizon.net Wed Mar 16 19:22:04 2005
From: rrcoot at verizon.net (Ryan Gall)
Date: Wed, 16 Mar 2005 14:22:04 -0500
Subject: fedora-selinux-list Digest, Vol 13, Issue 16
In-Reply-To: <20050316170029.CB7F673B7E@hormel.redhat.com>
References: <20050316170029.CB7F673B7E@hormel.redhat.com>
Message-ID: <1111000924.7411.8.camel@laptop.animalshelter.net>

> > #Context for the driver configuration files
> > /etc/ndiswrapper/ -- system_u:object_r:loadndis_content_t
>
> you probably want this:
>
> /etc/ndiswrapper(/.*)? system_u:object_r:loadndis_content_t
>
> so you can label all of the driver stuff that's stored under that
> directory and its subdirectories. I don't think your pattern will
> match anything.
>

Actually everything does get the correct labels here. I guess it is setting the label on the ndiswrapper directory and then all the child directories and files are inheriting that context.

> > # Filename: loadndis.te
>
> > #Rules for devices
> > allow loadndis_t device_t:dir { rw_dir_perms };
> > allow loadndis_t device_t:chr_file { read create unlink ioctl };
> > allow loadndis_t null_device_t:chr_file { rw_file_perms };
> > allow loadndis_t console_device_t:chr_file { rw_file_perms };
>
> It would be better for the device node to have its own type, and type
> transition the chr_file, that way loadndis_t can only read very specific
> device nodes:
>
> type loadndis_device_t, device_type, dev_fs;
> file_type_auto_trans(loadndis_t,device_t,loadndis_device_t,chr_file)
>
> Or if you really want to go least privilege, you could probably use
> these rules instead of the above file_type_auto_trans:
>
> allow loadndis_t device_t:dir { search write add_name remove_name };
> allow loadndis_t loadndis_device_t:chr_file { read create unlink ioctl };
> type_transition loadndis_t device_t:chr_file loadndis_device_t;

Thanks for the tip. I am assuming here that these transitions cause the created device to be relabeled to the new loadndis_device_t, which would then prevent it from messing around with other devices in device_t?

>
> > #Capabilities
> > allow loadndis_t self:capability { sys_tty_config };
> > allow loadndis_t self:capability { mknod };
>
> Just for readability, it would be best to merge these into one line.
> Just a little nitpick. :)

DOH!

>
> > #Rules for proc filesystem
> > allow loadndis_t proc_t:dir { r_dir_perms };
> > allow loadndis_t proc_t:file { r_file_perms };
>
> Another readability thing, you don't need the braces around r_dir_perms
> and r_file_perms, as these are macros, and they already provide braces.
> So the ones you have are redundant.

Thanks for the help Chris.

Ryan

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>

From cpebenito at tresys.com Wed Mar 16 19:59:37 2005
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Wed, 16 Mar 2005 14:59:37 -0500
Subject: fedora-selinux-list Digest, Vol 13, Issue 16
In-Reply-To: <1111000924.7411.8.camel@laptop.animalshelter.net>
References: <20050316170029.CB7F673B7E@hormel.redhat.com> <1111000924.7411.8.camel@laptop.animalshelter.net>
Message-ID: <1111003177.3232.36.camel@sgc>

On Wed, 2005-03-16 at 14:22 -0500, Ryan Gall wrote:
> > > #Context for the driver configuration files
> > > /etc/ndiswrapper/ -- system_u:object_r:loadndis_content_t
> >
> > you probably want this:
> >
> > /etc/ndiswrapper(/.*)? system_u:object_r:loadndis_content_t
> >
> > so you can label all of the driver stuff that's stored under that
> > directory and its subdirectories. I don't think your pattern will
> > match anything.
> >
> Actually everything does get the correct labels here. I guess it is
> setting the label on the ndiswrapper directory and then all the child
> directories and files are inheriting that context.

Well if the directory is labeled correctly, and files are created in that directory, then it would get loadndis_content_t. However, if you relabeled, I bet they would end up having the wrong labels. Try running matchpathcon on a file in /etc/ndiswrapper, to see what file context matches (`matchpathcon /etc/ndiswrapper/somefile`).

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
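The disagreement in the two messages above (Ryan sees correct labels, Chris expects a relabel to produce wrong ones) comes down to how file_contexts entries are matched. The following is an added example, not code from the thread or from libselinux: a small model of the lookup that matchpathcon and a relabel (setfiles/restorecon) perform, run over Ryan's entry and Chris's suggested replacement. It assumes the semantics documented in file_contexts(5): the regex is anchored at both ends, an optional "--"/"-d"/"-s"/... field restricts an entry to one object class, and when several entries match, the last one in the file wins (the policy build keeps the file in specificity order). The base-policy `/etc(/.*)?` entry, the excerpts and the path `/etc/ndiswrapper/somefile` are constructed for the demo.

```python
# Added example, not code from the thread: a model of the file_contexts
# lookup that matchpathcon(8) and a relabel (setfiles/restorecon) perform,
# used to compare the entry Ryan posted with the one Chris suggested.
# Assumed semantics (per file_contexts(5)): the regex is anchored at both
# ends, an optional "--", "-d", "-s", ... field restricts the entry to one
# object class, and when several entries match, the last one in the file
# wins (the file is already in specificity order after the policy build).
# The excerpts and the path names below are constructed for the demo.
import re

# file_contexts type codes -> object class the entry is restricted to
TYPE_CODES = {"--": "file", "-d": "dir", "-c": "chr_file", "-b": "blk_file",
              "-s": "sock_file", "-l": "lnk_file", "-p": "fifo_file"}

# Constructed excerpts: the base policy's generic /etc entry (what every
# path under /etc falls back to), followed by one ndiswrapper entry.
FC_AS_POSTED = """
/etc(/.*)?                 system_u:object_r:etc_t
/etc/ndiswrapper/     --   system_u:object_r:loadndis_content_t
"""
FC_AS_SUGGESTED = """
/etc(/.*)?                 system_u:object_r:etc_t
/etc/ndiswrapper(/.*)?     system_u:object_r:loadndis_content_t
"""


def parse_file_contexts(text):
    """Return [(compiled regex, object class or None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, code, context = fields
            ftype = TYPE_CODES[code]
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None            # any object class
        else:
            raise ValueError("bad file_contexts line: %r" % line)
        specs.append((re.compile(pattern), ftype, context))
    return specs


def matchpathcon(specs, path, ftype):
    """Context a relabel would give `path` (object class `ftype`); None if
    nothing matches.  Entries are tried bottom-up, so the last match wins."""
    for regex, want, context in reversed(specs):
        if want is not None and want != ftype:
            continue
        if regex.fullmatch(path):   # fullmatch == the ^...$ anchoring libselinux adds
            return None if context == "<<none>>" else context
    return None


def compare_entries():
    """Labels a relabel would assign to the directory and to a driver file
    under it, for each of the two candidate entries."""
    results = {}
    for name, text in (("posted", FC_AS_POSTED), ("suggested", FC_AS_SUGGESTED)):
        specs = parse_file_contexts(text)
        results[name] = {
            "/etc/ndiswrapper": matchpathcon(specs, "/etc/ndiswrapper", "dir"),
            "/etc/ndiswrapper/somefile":
                matchpathcon(specs, "/etc/ndiswrapper/somefile", "file"),
        }
    return results


if __name__ == "__main__":
    for name, labels in compare_entries().items():
        for path, context in labels.items():
            print("%-9s %-26s -> %s" % (name, path, context))
```

With the entry as posted, both the directory and a file under it come back as etc_t: an entry restricted to regular files by `--` whose regex is `/etc/ndiswrapper/` can only match a regular file literally named `/etc/ndiswrapper/`, which cannot exist, so it is dead weight and the generic /etc entry wins. With the `(/.*)?` form both get loadndis_content_t. The labels looked right on Ryan's box because a newly created file takes its parent directory's type when no type_transition applies; the first restorecon or setfiles run would have reverted them, which is exactly what the matchpathcon check exposes.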
From: smooge at gmail.com (Stephen J. Smoogen)
Date: Thu, 17 Mar 2005 11:59:18 -0700
Subject: Tweaks to the clamav policy
In-Reply-To: <1110979071.20316.17.camel@hampton-pc.rainbolthampton.net>
References: <1110979071.20316.17.camel@hampton-pc.rainbolthampton.net>
Message-ID: <80d7e40905031710592877a400@mail.gmail.com>

Cool. I am having to package up a clamav for our Fedora Core 3 boxes, and this was worrying me how to work this.

On Wed, 16 Mar 2005 08:17:51 -0500, David Hampton wrote:
> I've added support to the (unused) clamav policy to allow listening for
> service requests on a TCP socket, and for interacting with amavis. I
> also made some tweaks that tighten up the network access allowed by
> freshclam, split the freshclam and spamd log files into two different
> types, and make the clamd control socket a unique type. Thanks.
>
> David
>
> P.S. These diffs are based on the files from the selinux-policy-strict-
> sources-1.22.1-2 rpm.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 17 Mar 2005 14:30:31 -0500
Subject: New policy for yam
In-Reply-To: <1110912692.14212.29.camel@hampton-pc.rainbolthampton.net>
References: <1110671442.7641.15.camel@hampton-pc.rainbolthampton.net> <4236EF2E.8090104@redhat.com> <1110912692.14212.29.camel@hampton-pc.rainbolthampton.net>
Message-ID: <4239DAD7.8030803@redhat.com>

David Hampton wrote:
> On Tue, 2005-03-15 at 09:20 -0500, Daniel J Walsh wrote:
>> Why did you create a yam_crond_t? Why not just transition to yam_t from
>> crond?
>
> When I first started working on the policy I was trying to be as
> restrictive as possible and differentiate between what peripheral files
> could be opened when running yam from the command line vs. when running
> from cron. For example, the cron version requires less access to the
> terminal and no access to a ssh file descriptor. The two instances also
> try reading their dot files from different directories.
>
> I wrote this policy just after writing an exim policy that distinguished
> between user, sysadm, and system invocations of the program. Perhaps I
> went overboard here.
>
> David
>
> P.S. I'm still tweaking the exim policy. I'll probably post it in a
> week or so.

I was just questioning the almost doubling of rules and increase in complexity for little gain in security.

Dan
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 17 Mar 2005 14:35:27 -0500
Subject: Questions about Apache and SELinux context inheritance
In-Reply-To: <1110677649.29852.11.camel@cobra.ivg2.net>
References: <143f0f6c050312164621b2f90c@mail.gmail.com> <1110677649.29852.11.camel@cobra.ivg2.net>
Message-ID: <4239DBFF.8000707@redhat.com>

Ivan Gyurdiev wrote:
>> So my questions are fourfold:
>>
>> o How can one cause the correct httpd_user_content_t type to be
>> automatically assigned to user public_html directories (and
>> subdirectories)?
>
> Not possible. Put the folder in /etc/skel with the correct context.
> Maybe this should be done by default in Fedora, or maybe not.
>
>> o How can one cause the correct httpd_user_content_t type to be
>> automatically assigned to user content (files) in user public_html
>> directories?
>
> Possible w/ file_type_auto_trans rule.
> Will investigate...
>
>> o Why are files initially receiving a user context of user_u rather
>> than system_u ?
>
> This is normal - the user part of the context is set to the user who
> created the file - no problem here.
>
>> And one final, slightly unrelated question:
>>
>> o When I installed this server and restored user data to it, the user
>> context on all the files was set to root rather than user_u (and why
>> not system_u?). I've reset everything to the correct user context
>> with chcon, but I'd like to know why this happened.
>
> Because you restored the context as root, probably.
> The user is set to whoever operates on the file.

Adduser in rawhide and test1 now creates files with the "right" context when it creates the skel. So if you put a public_html directory in /etc/skel, it should get created with the correct context.

Dan
From: justin.conover at gmail.com (Justin Conover)
Date: Sun, 20 Mar 2005 16:39:56 -0600
Subject: forkbombs?

I'm sure many people have read this by now:
http://www.securityfocus.com/columnists/308

Many people probably already know about it and how you need to set limits. Is there something that can be done with selinux or a kernel module to stop it without the user or admin having to know they should set something?

I ran this on a rawhide box as my user and it killed the box:
http://home.tiscali.cz:8080/~cz210552/forkbomb.html

I was wondering if something like this should be implemented at the kernel level:
http://rexgrep.tripod.com/rexfbd.htm

Or if there is something similar already in the kernel?

thx,
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sun, 20 Mar 2005 18:44:48 -0500
Subject: forkbombs?
In-Reply-To: Your message of "Sun, 20 Mar 2005 16:39:56 CST."
Message-ID: <200503202344.j2KNint6008636@turing-police.cc.vt.edu>

On Sun, 20 Mar 2005 16:39:56 CST, Justin Conover said:
> Or if there is something similar already in the kernel?

There's been a "max user processes" ulimit for *ages*. The only reason it's not shipped set to a value "out of the box" is because systems tend to be of 2 basic types:

1) Single-user desktops, where fork bombs aren't *that* big a risk, and it's basically "user shoots self in foot". Setting an arbitrary 'ulimit -u 40' will more likely break things than add any *real* security.

2) Multi-user servers, where the installer software has no *idea* what an "appropriate" number value should be. How many instances of Apache, and how many CGIs, will be running at a time, and how many should be allowed before a forkbomb problem is declared?

If the sysadmin isn't clued enough to (on a fedora system) 'vi /etc/pam.d/system-auth' and add a line 'session required pam_limits.so', and then put reasonable values into /etc/security/limits, there really isn't anything SELinux can do to supply a reasonable value - we *could* pull a number from an orifice, but it would be in great need of cleaning before use....

(Just as an aside, I'll point out that rexFBD is fundamentally *broken* - one of its options (max procs/user) is redundant with the ulimit code already shipping. Meanwhile, its "max forks per second" element is just screaming "Use me to DoS the box" on the one hand (an attacker can run up N-1 forks/sec and then let the module kill the Apache server when it forks the next CGI), and totally Fails To Get The Point - the problem with a forkbomb is that you *can't* handle any more forks/sec because all the *already existing* forked processes are now running up your page rate and causing thrashing of the system.

Your system is much less likely to notice a piece of code that does this:

    for (;;) {
        if (fork()) {
            wait(NULL);     /* parent: reap the child, then fork again */
        } else {
            exit(0);        /* child: exit immediately */
        }
    }

You can probably run 3,000 of those forks/sec and not feel too bad. On the other hand, this will probably kill you after as few as a few dozen instances:

    for (;;) {
        if (!fork()) {
            /* child: dirty one page out of every 4096 bytes, forever */
            int i;
            char *blam = malloc(25000000);
            for (;;)
                for (i = 0; i < 25000000; i += 4096) {
                    blam[i]++;
                }
        }
    }

25M - you probably can't set the RSS limit that low and get work done (hint - the X server probably will barely start in that space). Get only 50 of these running, and you now have 1.25G of memory being dirtied over and over. You're dead unless you have more than 1.25G of memory. You have a more studly box, tweak the 25M and the 50. Once this runs out your RAM and starts to thrash, you are more surely dead than 3,000 fork/sec will ever do to you....

See? The fork bomb isn't even about fork().
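The "max user processes" limit Valdis refers to is RLIMIT_NPROC, the thing `ulimit -u` and the nproc item that pam_limits reads from limits.conf actually set. The following is an added example, not Valdis's code: it lowers that soft limit for the current process only, forks sleeping children until the kernel refuses, reports the refusal, then kills the children and restores the old limit. DEMO_NPROC_LIMIT and DEMO_MAX_CHILDREN are arbitrary values chosen for the demo. It also makes one caveat visible that matters when you test this yourself: Linux does not apply RLIMIT_NPROC to uid 0 (nor to a process holding CAP_SYS_RESOURCE or CAP_SYS_ADMIN), so run it as an ordinary user or the loop simply keeps going.

```python
# Added example, not Valdis's code: what the "max user processes" limit he
# refers to (RLIMIT_NPROC, set by `ulimit -u` or the nproc item pam_limits
# reads from limits.conf) does to a runaway fork loop.  The soft limit is
# lowered for this process only, sleeping children are forked until the
# kernel refuses, then the children are killed and the old limit restored.
# DEMO_NPROC_LIMIT and DEMO_MAX_CHILDREN are arbitrary values for the demo.
# Caveat the result makes visible: Linux does not apply RLIMIT_NPROC to
# uid 0 (nor to CAP_SYS_RESOURCE / CAP_SYS_ADMIN holders), so as root the
# loop just keeps going.  Linux only.
import errno
import os
import resource
import signal

DEMO_NPROC_LIMIT = 64      # soft limit applied for the demo (arbitrary)
DEMO_MAX_CHILDREN = 128    # give up if fork() is still succeeding here


def nproc_is_enforced():
    """RLIMIT_NPROC binds only unprivileged users; root is exempt."""
    return os.getuid() != 0 and os.geteuid() != 0


def fork_until_refused(limit=DEMO_NPROC_LIMIT, max_children=DEMO_MAX_CHILDREN):
    """Lower the RLIMIT_NPROC soft limit to `limit`, fork children that just
    sleep, and stop at the first fork() failure.  Returns (children_created,
    errno); children_created is -1 if max_children was reached without a
    failure.  All children are reaped and the old limit restored on return."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NPROC)
    # Only ever lower the soft limit; raising it above `hard` would fail.
    new_soft = limit if soft == resource.RLIM_INFINITY else min(soft, limit)
    resource.setrlimit(resource.RLIMIT_NPROC, (new_soft, hard))

    kids = []
    created, err = -1, 0
    try:
        while len(kids) < max_children:
            try:
                pid = os.fork()
            except OSError as exc:      # EAGAIN once the uid's process count hits the limit
                created, err = len(kids), exc.errno
                break
            if pid == 0:
                # Child: stay alive, and therefore counted, until SIGKILL.
                try:
                    while True:
                        signal.pause()
                finally:
                    os._exit(0)
            kids.append(pid)
    finally:
        for pid in kids:
            os.kill(pid, signal.SIGKILL)
            os.waitpid(pid, 0)
        resource.setrlimit(resource.RLIMIT_NPROC, (soft, hard))
    return created, err


def run_demo():
    """Run the experiment and return the facts worth checking."""
    soft_before = resource.getrlimit(resource.RLIMIT_NPROC)[0]
    created, err = fork_until_refused()
    return {
        "enforced": nproc_is_enforced(),
        "created": created,
        "errno": err,
        "eagain": errno.EAGAIN,
        "limit": DEMO_NPROC_LIMIT,
        "limit_restored": resource.getrlimit(resource.RLIMIT_NPROC)[0] == soft_before,
    }


if __name__ == "__main__":
    r = run_demo()
    if r["created"] < 0:
        print("fork() never refused after %d children (root or privileged?)"
              % DEMO_MAX_CHILDREN)
    else:
        print("fork() refused after %d children: %s"
              % (r["created"], os.strerror(r["errno"])))
```

Two things the numbers show. First, the limit counts every process of that real uid on the box, not just this program's children, so with a limit of 64 the refusal arrives after fewer than 64 forks (a login shell, the terminal and so on already count). That is the sizing problem Valdis describes for servers: the right value depends on what else legitimately runs as the same uid. Second, the refusal is a plain EAGAIN from fork(), which the second of Valdis's loops never waits for: each child is a separate process, so a tight nproc limit caps how many of them can exist at once, which is why the per-user limit is the useful knob and a forks-per-second rate is not.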
From: johnatl at mac.com (John Johnson)
Date: Mon, 21 Mar 2005 09:31:20 -0500
Subject: [newbie] YUM hangs, can't update without reboot with selinux=0
Message-ID: <15bea1e4bab54ea99056943bd040630f@mac.com>

Hello Everyone!

Apologies for my lack of knowledge. If you are inclined to reply RTFM!, by all means do so, but include a link to TFM, please :-)

When I run YUM, it runs briefly, then just sits there. Even when I do 'setenforce 0'. If I reboot with selinux=0 and the command line, it works. I can't find any complaints in any logs (tips on this appreciated too). Is there a way to allow updates without two complete shutdowns plus a file fix?

Thanks in advance,
JJ

Fedora Core release 3 (Heidelberg)
Linux www.johnjohnson.info 2.6.10-1.770_FC3 #1 Thu Feb 24 14:00:06 EST 2005 i686 i686 i386 GNU/Linux
yum version 2.2.0
From: walters at redhat.com (Colin Walters)
Date: Mon, 21 Mar 2005 09:52:02 -0500
Subject: [newbie] YUM hangs, can't update without reboot with selinux=0
In-Reply-To: <15bea1e4bab54ea99056943bd040630f@mac.com>
References: <15bea1e4bab54ea99056943bd040630f@mac.com>
Message-ID: <1111416723.4592.75.camel@nexus.verbum.private>

On Mon, 2005-03-21 at 09:31 -0500, John Johnson wrote:
> When I run YUM, it runs briefly, then just sits there. Even when I do
> 'setenforce 0'. If I reboot with selinux=0 and the command line, it
> works. I can't find any complaints in any logs (tips on this
> appreciated too). Is there a way to allow updates without two complete
> shutdowns plus a file fix?

And if you do a 'touch /.autorelabel; reboot' and do *not* pass selinux=0, then yum hangs again?

My suspicion is that you had some other random problem such as a lack of disk space or stale lock file or something, and the time you rebooted with selinux=0 the problem went away for reasons unrelated to SELinux (such as tmp/lock file cleanup on reboot).
From: purenrg7 at gmail.com (Paul Rumin)
Date: Mon, 21 Mar 2005 18:48:37 -0600
Subject: (newbie)Troubles with SE-Linux

I would like to preface this with "I am not new to linux, but new to SE-Linux." I am not sure where to begin with this problem. After a clean install of Fedora Core 3 (at least I thought clean), I tried to log in with a user account a few days later. This did not work, so I logged in as root to change my user's password.

1. First, I tried changing the user's password with passwd. Although the program seemed to accept the new password, I still was unable to log in afterwards.

2. So I tried to manually change it within the /etc/passwd file. Knowing that there was a shadow file, I deleted the encrypted password in shadow and the "x" in the /etc/passwd file. Then, I ran passwd, followed by pwconv. But still nothing.

3. Finally, I tried to just use the "su" command into my user's account to no avail.

Now I am stuck. My understanding of SE is that you must match security contexts of the files, by using the -Z delimiter, which I did verify.

If someone could steer me in the right direction I would appreciate it.

Thx,
Paul

BTW, I did also try userdel/useradd with no success.
From: r.godzilla at comcast.net (Richard E Miles)
Date: Mon, 21 Mar 2005 17:12:22 -0800
Subject: (newbie)Troubles with SE-Linux
Message-ID: <20050321171222.7696b446.r.godzilla@comcast.net>

On Mon, 21 Mar 2005 18:48:37 -0600 Paul Rumin wrote:
> I would like to preface this with "I am not new to linux, but new to
> SE-Linux." I am not sure where to begin with this problem. After a
> clean install of Fedora Core 3 (at least I thought clean), I tried to
> log in with a user account a few days later. This did not work, so
> I logged in as root to change my user's password.
>
> 1. First, I tried changing the user's password with passwd. Although
> the program seemed to accept the new password, I still was unable to
> log in afterwards.
>
> 2. So I tried to manually change it within the /etc/passwd file.
> Knowing that there was a shadow file, I deleted the encrypted
> password in shadow and the "x" in the /etc/passwd file. Then, I ran
> passwd, followed by pwconv. But still nothing.
>
> 3. Finally, I tried to just use the "su" command into my user's account
> to no avail.
>
> Now I am stuck. My understanding of SE is that you must match
> security contexts of the files, by using the -Z delimiter, which I
> did verify.
>
> If someone could steer me in the right direction I would appreciate it.
>
> Thx,
> Paul
>
> BTW, I did also try userdel/useradd with no success.

Is your system labeled? If not, touch /.autorelabel, then reboot.

-- 
Richard E Miles
Federal Way WA. USA
registered linux user 46097
From: walters at redhat.com (Colin Walters)
Date: Mon, 21 Mar 2005 20:22:21 -0500
Subject: (newbie)Troubles with SE-Linux
Message-ID: <1111454541.2681.4.camel@nexus.verbum.private>

On Mon, 2005-03-21 at 18:48 -0600, Paul Rumin wrote:
> I would like to preface this with "I am not new to linux, but new to
> SE-Linux." I am not sure where to begin with this problem. After a
> clean install of Fedora Core 3 (at least I thought clean), I tried to
> log in with a user account a few days later. This did not work, so
> I logged in as root to change my user's password.
>
> 1. First, I tried changing the user's password with passwd. Although
> the program seemed to accept the new password, I still was unable to
> log in afterwards.

Unless you're using the "strict" policy (i.e. not the default "targeted" policy), it is very unlikely your problem has anything to do with SELinux. Do you see any "avc: denied" messages in /var/log/messages?

My guess is that the login was disabled for other reasons than the password. Anyways, I'd suggest moving this to fedora-list, until you are sure the problem relates to SELinux. One thing you should do is check /var/log/messages for any other (non-SELinux) log messages that may be relevant.
From: hampton-rh at rainbolthampton.net (David Hampton)
Date: Mon, 21 Mar 2005 20:23:10 -0500
Subject: New policy for razor
Message-ID: <1111454590.18940.52.camel@hampton-pc.rainbolthampton.net>

This is a new strict policy for the razor spam filter. It is based on the selinux-policy-strict-sources-1.23.2-1 fedora RPM. This policy requires the definition of a razor reserved port that was in the net_contexts diff I sent last Wednesday.

Please let me know if there are any problems with or changes needed to this policy.

David

-------------- next part --------------
# razor
/etc/razor(/.*)?              system_u:object_r:razor_etc_t
/usr/bin/razor.*              system_u:object_r:razor_exec_t
/var/lib/razor(/.*)?          system_u:object_r:razor_var_lib_t
/var/log/razor-agent.log      system_u:object_r:razor_log_t
HOME_DIR/\.razor(/.*)?        system_u:object_r:ROLE_razor_home_t
-------------- next part --------------
#
# Razor - Razor is a collaborative, networked system to detect and
# block spam using identifying digests of messages.
#
# Author: David Hampton
#

##########
# common definitions for razord and all flavors of razor
##########
define(`razor_base_domain',`
# Razor is one executable and several symlinks
allow $1_t razor_exec_t:{ file lnk_file } { getattr read };

# Networking
can_network_client_tcp($1_t, razor_port_t)
can_resolve($1_t);
general_proc_read_access($1_t)

# Read system config file
r_dir_file($1_t, razor_etc_t)

# Update razor common files
file_type_auto_trans($1_t, var_log_t, razor_log_t, file)
create_dir_file($1_t, razor_log_t)
allow $1_t var_lib_t:dir search;
create_dir_file($1_t, razor_var_lib_t)

allow $1_t bin_t:dir { getattr search };
allow $1_t bin_t:file getattr;
allow $1_t lib_t:file { getattr read };
allow $1_t { var_t var_run_t }:dir search;
uses_shlib($1_t)

# Razor forks other programs to do part of its work.
general_domain_access($1_t)
can_exec($1_t, bin_t)

# mktemp and other randoms
allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;

# Allow access to various files in the /etc/directory including mtab
# and nsswitch
allow $1_t { etc_t etc_runtime_t }:file { getattr read };
read_locale($1_t)
')

#
# Define a user domain for a razor
#
# Note: expects to be called with an argument of user, sysadm
define(`razor_domain',`
type $1_razor_t, domain, privlog, nscd_client_domain;
role $1_r types $1_razor_t;
domain_auto_trans($1_t, razor_exec_t, $1_razor_t)
razor_base_domain($1_razor)

# Per-user config/data files
home_domain($1, razor)
tmp_domain($1_razor)
allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;

# Allow razor to be run by hand. Needed by any action other than
# invocation from a spam filter.
allow $1_razor_t $1_devpts_t:chr_file rw_file_perms;
allow $1_razor_t sshd_t:fd use;
')
-------------- next part --------------
#
# Razor - Vipul's Razor is a distributed, collaborative, spam
# detection and filtering network.
#
# Author: David Hampton
#
# NOTE: This policy will work with either the ATrpms provided config
# file in /etc/razor, or with the default of dumping everything into
# $HOME/.razor.

type razor_port_t, port_type, reserved_port_type;

##########
# Razor query application - from system_r applications
##########
type razor_t, domain, privlog, daemon;
type razor_exec_t, file_type, sysadmfile, exec_type;
role system_r types razor_t;
razor_base_domain(razor)

# Razor config file directory. When invoked as razor-admin, it can
# update files in this directory.
etcdir_domain(razor)
create_dir_file(razor_t, razor_etc_t);

# Shared razor files updated frequently
var_lib_domain(razor)

# Log files
log_domain(razor)
allow razor_t var_log_t:dir search;
ifdef(`logrotate.te', `
allow logrotate_t razor_log_t:file r_file_perms;
')

##########
##########
#
# Some spam filters execute the razor code directly. Allow them access here.
#
define(`razor_access',`
r_dir_file($1, razor_etc_t)
allow $1 var_log_t:dir search;
allow $1 razor_log_t:file ra_file_perms;
r_dir_file($1, razor_var_lib_t)
r_dir_file($1, sysadm_razor_home_t)
can_network_client_tcp($1, razor_port_t)
')
ifdef(`spamd.te', `razor_access(spamd_t)');
ifdef(`amavis.te', `razor_access(amavisd_t)');
From: hampton-rh at rainbolthampton.net (David Hampton)
Date: Mon, 21 Mar 2005 20:23:14 -0500
Subject: New policy for pyzor
Message-ID: <1111454594.18940.54.camel@hampton-pc.rainbolthampton.net>

This is a new strict policy for the pyzor spam filter. It is based on the selinux-policy-strict-sources-1.23.2-1 fedora RPM. This policy requires the definition of a pyzor reserved port that was in the net_contexts diff I sent last Wednesday.

Please let me know if there are any problems with or changes needed to this policy.

David

-------------- next part --------------
/etc/pyzor(/.*)?              system_u:object_r:pyzor_etc_t
/usr/bin/pyzor           --   system_u:object_r:pyzor_exec_t
/usr/bin/pyzord          --   system_u:object_r:pyzord_exec_t
/var/lib/pyzord(/.*)?         system_u:object_r:pyzor_var_lib_t
/var/log/pyzord.log      --   system_u:object_r:pyzord_log_t
HOME_DIR/\.pyzor(/.*)?        system_u:object_r:ROLE_pyzor_home_t
-------------- next part --------------
#
# Pyzor - Pyzor is a collaborative, networked system to detect and
# block spam using identifying digests of messages.
#
# Author: David Hampton
#

##########
# common definitions for pyzord and all flavors of pyzor
##########
define(`pyzor_base_domain',`
# Networking
can_network_client_tcp($1_t, http_port_t);
can_network_udp($1_t, pyzor_port_t);
can_resolve($1_t);
general_proc_read_access($1_t)
tmp_domain($1)

allow $1_t bin_t:dir { getattr search };
allow $1_t bin_t:file getattr;
allow $1_t lib_t:file { getattr read };
allow $1_t { var_t var_lib_t var_run_t }:dir search;
uses_shlib($1_t)

# Python does a getattr on this file
allow $1_t pyzor_exec_t:file getattr;

# mktemp and other randoms
allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;

# Allow access to various files in the /etc/directory including mtab
# and nsswitch
allow $1_t { etc_t etc_runtime_t }:file { getattr read };
read_locale($1_t)
')

#
# Define a user domain for a pyzor
#
# Note: expects to be called with an argument of user, sysadm
define(`pyzor_domain',`
type $1_pyzor_t, domain, privlog, nscd_client_domain;
role $1_r types $1_pyzor_t;
domain_auto_trans($1_t, pyzor_exec_t, $1_pyzor_t)
pyzor_base_domain($1_pyzor)

# Per-user config/data files
home_domain($1, pyzor)

# System config files
r_dir_file($1_pyzor_t, pyzor_etc_t)

# System data files
r_dir_file($1_pyzor_t, pyzor_var_lib_t);

allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms;

# Allow pyzor to be run by hand. Needed by any action other than
# invocation from a spam filter.
allow $1_pyzor_t $1_devpts_t:chr_file rw_file_perms;
allow $1_pyzor_t sshd_t:fd use;
')
-------------- next part --------------
#
# Pyzor - Pyzor is a collaborative, networked system to detect and
# block spam using identifying digests of messages.
#
# Author: David Hampton
#
# NOTE: This policy is based upon the FC3 pyzor rpm from ATrpms.
# Pyzor normally dumps everything into $HOME/.pyzor. By putting the
# following line into the spamassassin config file:
#
#   pyzor_options --homedir /etc/pyzor
#
# the various files will be put into appropriate directories.
# (I.E. The log file into /var/log, etc.) This policy will work
# either way.

type pyzor_port_t, port_type, reserved_port_type;

##########
# pyzor daemon
##########
daemon_domain(pyzord, `, privlog, nscd_client_domain')
pyzor_base_domain(pyzord)
allow pyzord_t pyzor_port_t:udp_socket name_bind;
home_domain_access(pyzord_t, sysadm, pyzor)
log_domain(pyzord)

# Read shared daemon/client config file
r_dir_file(pyzord_t, pyzor_etc_t)

# Write shared daemon/client data dir
allow pyzord_t var_lib_t:dir search;
create_dir_file(pyzord_t, pyzor_var_lib_t)

##########
# Pyzor query application - from system_r applications
##########
type pyzor_t, domain, privlog, daemon;
type pyzor_exec_t, file_type, sysadmfile, exec_type;
role system_r types pyzor_t;
pyzor_base_domain(pyzor)

# System config/data files
etcdir_domain(pyzor)
var_lib_domain(pyzor)

##########
##########
#
# Some spam filters execute the pyzor code directly. Allow them access here.
#
ifdef(`spamd.te',`
domain_auto_trans(spamd_t, pyzor_exec_t, pyzor_t);
# pyzor needs access to the email spamassassin is checking
allow pyzor_t spamd_tmp_t:file r_file_perms;
')
From: hampton-rh at rainbolthampton.net (David Hampton)
Date: Mon, 21 Mar 2005 20:23:18 -0500
Subject: New policy for DCC
Message-ID: <1111454598.18940.57.camel@hampton-pc.rainbolthampton.net>

This is a new strict policy for the DCC spam filter. It is based on the selinux-policy-strict-sources-1.23.2-1 fedora RPM. This policy requires the definition of dcc reserved ports that were in the net_contexts diff I sent last Wednesday.

Please let me know if there are any problems with or changes needed to this policy.

David

-------------- next part --------------
# DCC
/etc/dcc(/.*)?                  system_u:object_r:dcc_var_t
/etc/dcc/map               --   system_u:object_r:dcc_client_map_t
/etc/dcc/dccifd            -s   system_u:object_r:dccifd_sock_t
/usr/bin/cdcc                   system_u:object_r:cdcc_exec_t
/usr/bin/dccproc                system_u:object_r:dcc_client_exec_t
/usr/libexec/dcc/dbclean        system_u:object_r:dcc_dbclean_exec_t
/usr/libexec/dcc/dccd           system_u:object_r:dccd_exec_t
/usr/libexec/dcc/dccifd         system_u:object_r:dccifd_exec_t
/usr/libexec/dcc/dccm           system_u:object_r:dccm_exec_t
/usr/libexec/dcc/start-.*       system_u:object_r:dcc_script_exec_t
/usr/libexec/dcc/stop-.*        system_u:object_r:dcc_script_exec_t
/var/dcc(/.*)?                  system_u:object_r:dcc_var_t
/var/dcc/map               --   system_u:object_r:dcc_client_map_t
/var/run/dcc                    system_u:object_r:dcc_var_run_t
/var/run/dcc/map           --   system_u:object_r:dcc_client_map_t
/var/run/dcc/dccifd        -s   system_u:object_r:dccifd_sock_t
-------------- next part --------------
#
# DCC - Distributed Checksum Clearinghouse
# Author: David Hampton
#
#
# NOTE: DCC has writeable files in /etc/dcc that should probably be in
# /var/lib/dcc. For now this policy supports both directories being
# writable.

# Ports used by dcc
type dcc_port_t, port_type, reserved_port_type;

# Files common to all dcc programs
type dcc_client_map_t, file_type, sysadmfile;
type dcc_var_t, file_type, sysadmfile;
type dcc_var_run_t, file_type, sysadmfile;

##########
##########
#
# common to all dcc variants
#
define(`dcc_common',`
# Access files in /var/dcc. The map file can be updated
r_dir_file($1_t, dcc_var_t)
allow $1_t dcc_client_map_t:file rw_file_perms;

# Read mtab, nsswitch and locale
allow $1_t { etc_t etc_runtime_t }:file { getattr read };
read_locale($1_t)

# Networking
can_resolve($1_t)
ifelse($2, `server', `
can_network_udp($1_t)
', `
can_network_udp($1_t, `dcc_port_t')
')
allow $1_t self:unix_dgram_socket create_socket_perms;

# Create private temp files
tmp_domain($1)

# Triggered by a call to gethostid(2) in dcc client libs
allow $1_t self:unix_stream_socket { connect create };

allow $1_t sysadm_su_t:process { sigchld };
allow $1_t dcc_script_t:fd use;
dontaudit $1_t kernel_t:fd use;
dontaudit $1_t root_t:file read;
')

##########
##########
#
# dccd - Server daemon that can be accessed over the net
#
daemon_domain(dccd, `, privlog, nscd_client_domain')
dcc_common(dccd, server);

# Runs the dbclean program
allow dccd_t bin_t:dir search;
domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
#can_exec(dccd_t, dcc_dbclean_t)

# The daemon needs to listen on the dcc ports
allow dccd_t dcc_port_t:udp_socket name_bind;

# Updating dcc_db, flod, ...
create_dir_file(dccd_t, dcc_var_t);

allow dccd_t self:capability net_admin;
allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };

# Reading /proc/meminfo
allow dccd_t proc_t:file { getattr read };

#
# cdcc - control dcc daemon
#
application_domain(cdcc, `, nscd_client_domain')
role system_r types cdcc_t;
dcc_common(cdcc)

# suid program
allow cdcc_t self:capability setuid;

# Running from the command line
allow cdcc_t sshd_t:fd use;
allow cdcc_t sysadm_devpts_t:chr_file rw_file_perms;

##########
##########
#
# DCC Clients
#

#
# dccifd - Spamassassin and general MTA persistent client
#
daemon_domain(dccifd, `, privlog, nscd_client_domain')
dcc_common(dccifd);
file_type_auto_trans(dccifd_t, dcc_var_run_t, dccifd_var_run_t, file)

# Allow the domain to communicate with other processes
allow dccifd_t self:unix_stream_socket create_stream_socket_perms;

# Updating dcc_db, flod, ...
create_dir_notdevfile(dccifd_t, dcc_var_t);

# Updating map, ...
allow dccifd_t dcc_client_map_t:file rw_file_perms;

# dccifd communications socket
type dccifd_sock_t, file_type, sysadmfile;
file_type_auto_trans(dccifd_t, dcc_var_t, dccifd_sock_t, sock_file)

#
# dccm - sendmail milter client
#
daemon_domain(dccm, `, privlog, nscd_client_domain')
dcc_common(dccm);
file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_var_run_t, file)

# Allow the domain to communicate with other processes
allow dccm_t self:unix_stream_socket create_stream_socket_perms;

# Updating map, ...
create_dir_notdevfile(dccm_t, dcc_var_t);
allow dccm_t dcc_client_map_t:file rw_file_perms;

# dccm communications socket
type dccm_sock_t, file_type, sysadmfile;
file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_sock_t, sock_file)

#
# dccproc - dcc procmail interface
#
application_domain(dcc_client, `, privlog, nscd_client_domain')
role system_r types dcc_client_t;
dcc_common(dcc_client)

# suid program
allow dcc_client_t self:capability setuid;

# Running from the command line
allow dcc_client_t sshd_t:fd use;
allow dcc_client_t sysadm_devpts_t:chr_file rw_file_perms;

##########
##########
#
# DCC Utilities
#

#
# dbclean - database cleanup tool
#
application_domain(dcc_dbclean, `, nscd_client_domain')
dcc_common(dcc_dbclean)

# Updating various files.
create_dir_file(dcc_dbclean_t, dcc_var_t);

# wants to look at /proc/meminfo
allow dcc_dbclean_t proc_t:dir search;
allow dcc_dbclean_t proc_t:file { getattr read };

# Running from the command line
allow dcc_dbclean_t sshd_t:fd use;
allow dcc_dbclean_t sysadm_devpts_t:chr_file rw_file_perms;

##########
##########
#
# DCC Startup scripts
#
# These are shell scripts that start/stop/restart the various dcc
# programs.
#
init_service_domain(dcc_script, `, nscd_client_domain')
general_domain_access(dcc_script_t)
general_proc_read_access(dcc_script_t)
can_exec_any(dcc_script_t)
dcc_common(dcc_script)

# Allow calling the script from an init script (initrc_t) or from
# rc.local (staff_t)
domain_auto_trans({ initrc_t staff_t }, dcc_script_exec_t, dcc_script_t)

# Start up the daemon process. These scripts run 'su' to change to
# the dcc user (even though the default dcc user is root).
allow dcc_script_t self:capability setuid;
su_restricted_domain(dcc_script, system)
role system_r types dcc_script_su_t;
domain_auto_trans(dcc_script_su_t, dccd_exec_t, dccd_t)
domain_auto_trans(dcc_script_su_t, dccm_exec_t, dccm_t)
domain_auto_trans(dcc_script_su_t, dccifd_exec_t, dccifd_t)

# Stop the daemon process
allow dcc_script_t { dccifd_t dccm_t }:process { sigkill signal };

# Access various DCC files
allow dcc_script_t { var_t var_run_t dcc_var_run_t }:dir { getattr search };
allow dcc_script_t { dccifd_var_run_t dccm_var_run_t }:file { getattr read };

allow { dcc_script_t dcc_script_su_t } initrc_t:fd use;
allow { dcc_script_t dcc_script_su_t } devpts_t:dir search;
allow { dcc_script_t dcc_script_su_t } initrc_devpts_t:chr_file rw_file_perms;
allow dcc_script_t devtty_t:chr_file { read write };
allow dcc_script_su_t sysadm_home_dir_t:dir search;
allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition };
allow dcc_script_su_t initrc_devpts_t:chr_file { relabelfrom relabelto };
dontaudit dcc_script_su_t kernel_t:fd use;
dontaudit dcc_script_su_t root_t:file read;
dontaudit dcc_script_t { home_root_t user_home_dir_t }:dir { getattr search };
allow sysadm_t dcc_script_t:fd use;

##########
##########
#
# External spam checkers need to run and/or talk to DCC
#
define(`access_dcc',`
domain_auto_trans($1_t, dcc_client_exec_t, dcc_client_t);
allow $1_t dcc_var_t:dir search;
allow $1_t dccifd_sock_t:sock_file { getattr write };
allow $1_t dccifd_t:unix_stream_socket connectto;
allow $1_t dcc_script_t:unix_stream_socket connectto;
')
ifdef(`amavis.te',`access_dcc(amavisd)')
ifdef(`spamd.te',`access_dcc(spamd)')
From: bench at silentmedia.com (Ben)
Date: Mon, 21 Mar 2005 23:13:42 -0800
Subject: targeted policy clashes CGI program under apache
Message-ID: <7b0a7469ba41bfe451432ff2d3a12d64@silentmedia.com>

I'm attempting to use the latest targeted policy under FC3, and while it generally works well, we're running into some problems when it comes time to pipe data from PHP into a complex CGI we have. The error we see is this:

Mar 21 22:17:11 blingbling kernel: audit(1111472231.280:0): avc: denied { getsched } for pid=405 exe=/var/www/test/cgi-bin/clip scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=process

Apache's error log shows this:

GThread-ERROR **: file gthread-posix.c: line 135 (): error 'Operation not permitted' during 'pthread_getschedparam (pthread_self(), &policy, &sched)'
aborting...

My CGI does use glib threads; is that a bad thing?

I would like to use SELinux, but there's "like" and "need", and right now I need to get this working. So, if there's no quick fix, is there a way to disable SELinux on just this one CGI, or do I have to disable it for all of apache?

From christofer.c.bell at gmail.com Tue Mar 22 08:29:47 2005
From: christofer.c.bell at gmail.com (Christofer C. Bell)
Date: Tue, 22 Mar 2005 02:29:47 -0600
Subject: targeted policy clashes CGI program under apache
In-Reply-To: <7b0a7469ba41bfe451432ff2d3a12d64@silentmedia.com>
References: <7b0a7469ba41bfe451432ff2d3a12d64@silentmedia.com>
Message-ID: <143f0f6c05032200294460ceab@mail.gmail.com>

On Mon, 21 Mar 2005 23:13:42 -0800, Ben wrote:
> I would like to use SELinux, but there's "like" and "need", and right
> now I need to get this working. So, if there's no quick fix, is there a
> way to disable SELinux on just this one CGI, do I have to disable it
> for all of apache?

Look into audit2allow(8). While using this tool to get your CGI working will remove the same protection on other CGI scripts, you'll be able to maintain some modicum of SELinux protection other than what you're turning off to get this working. Even if your final result is "less secure" than running the full policy, it will be "more secure" than disabling SELinux entirely.

-- 
Chris

"Build a man a fire and he will be warm for the rest of the night. Set a man on fire and he will be warm for the rest of his life." -- Unknown

From walters at redhat.com Tue Mar 22 13:44:16 2005
From: walters at redhat.com (Colin Walters)
Date: Tue, 22 Mar 2005 08:44:16 -0500
Subject: targeted policy clashes CGI program under apache
In-Reply-To: <7b0a7469ba41bfe451432ff2d3a12d64@silentmedia.com>
References: <7b0a7469ba41bfe451432ff2d3a12d64@silentmedia.com>
Message-ID: <1111499056.2681.26.camel@nexus.verbum.private>

On Mon, 2005-03-21 at 23:13 -0800, Ben wrote:

> My CGI does use glib threads; is that a bad thing?

Not a bad thing. I think the CGI script policy author hadn't tested multi-threaded scripts.

> I would like to use SELinux, but there's "like" and "need", and right
> now I need to get this working. So, if there's no quick fix, is there a
> way to disable SELinux on just this one CGI, do I have to disable it
> for all of apache?

You have three options basically:

1) Disable enforcement for Apache
2) Install policy source and add the permission
3) Wait for a FC3 policy update with this fixed

One thing that we had recently discussed doing is adding a httpd_sys_script_unconfined_exec_t type, which when executed by httpd_t would cause a transition to unconfined_t (i.e. not be confined by SELinux). But I don't think this is done yet.

For 1), see the Fedora SELinux FAQ.

For 2, see:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0096.html

Or:
http://fedora.redhat.com/docs/selinux-apache-fc3/sn-debugging-and-customizing.html#sn-simple-changes-to-policy-source

The major caveats with maintaining your own modified policy in this fashion at the moment are that you have to know about using "make" etc. to build it, and it's somewhat fragile with respect to upgrades. Upstream SELinux work is going to make it a lot easier to create and maintain policy changes from a binary policy.

From Ruth.Ivimey-Cook at ivimey.org Tue Mar 22 15:30:10 2005
From: Ruth.Ivimey-Cook at ivimey.org (Ruth Ivimey-Cook)
Date: Tue, 22 Mar 2005 15:30:10 -0000
Subject: Recent SEL problems on FC3 box - named & dhcpd
Message-ID: <200503221551.j2MFpqXK009832@mx2.redhat.com>

Hi folks,

I have just started having some problems with selinux. I'm using FC3 with the targeted policy. It was running enforced; now merely permissive because of the problems. The box is running BIND/named in master mode (i.e. it is master for some domains, but not supplying those domains to other daemons) and a dhcp server. I have today used yum to update both daemons from the updates-released repo, and am now getting errors of this sort (note this is a sample - there are many more):

...
audit(1111501062.397:0): avc: denied { search } for pid=6809 exe=/usr/sbin/dhcpd name=/ dev=md1 ino=2 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1111501062.397:0): avc: denied { search } for pid=6809 exe=/usr/sbin/dhcpd name=/ dev=md1 ino=2 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1111501107.559:0): avc: denied { search } for pid=6828 exe=/usr/sbin/named name=/ dev=md1 ino=2 scontext=root:system_r:named_t tcontext=system_u:object_r:file_t tclass=dir
...
audit(1111501250.295:0): avc: denied { write } for pid=6873 exe=/usr/sbin/named name=log dev=tmpfs ino=8452 scontext=root:system_r:named_t tcontext=user_u:object_r:device_t tclass=sock_file
audit(1111501250.295:0): avc: denied { sendto } for pid=6873 exe=/usr/sbin/named path=/dev/log scontext=root:system_r:named_t tcontext=user_u:system_r:unconfined_t tclass=unix_dgram_socket
audit(1111501302.433:0): avc: denied { search } for pid=6896 exe=/usr/sbin/dhcpd name=/ dev=md1 ino=2 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1111501302.433:0): avc: denied { search } for pid=6896 exe=/usr/sbin/dhcpd name=etc dev=md1 ino=1368193 scontext=root:system_r:dhcpd_t tcontext=root:object_r:file_t tclass=dir
audit(1111501302.437:0): avc: denied { read } for pid=6896 exe=/usr/sbin/dhcpd name=libc.so.6 dev=md1 ino=295646 scontext=root:system_r:dhcpd_t tcontext=root:object_r:file_t tclass=lnk_file
...

Using audit2allow on the full set gives the following:

allow dhcpd_t device_t:sock_file write;
allow dhcpd_t file_t:dir { add_name search write };
allow dhcpd_t file_t:file { append create execute getattr link read unlink write };
allow dhcpd_t file_t:lnk_file read;
allow dhcpd_t unconfined_t:unix_dgram_socket sendto;
allow named_t device_t:sock_file write;
allow named_t file_t:dir search;
allow named_t file_t:file { execute getattr read };
allow named_t file_t:lnk_file read;
allow named_t unconfined_t:unix_dgram_socket sendto;

Now, would you expect that I should need to modify the settings? Might it be appropriate to recompile the policy even though I've not changed it myself?

I have also been seeing many avc:s from attempts to run rndc.
The following might be indicative (I just "prompted" these by doing service named status):

audit(1111505098.098:0): avc: denied { search } for pid=12690 exe=/usr/sbin/rndc name=/ dev=md1 ino=2 scontext=root:system_r:ndc_t tcontext=system_u:object_r:file_t tclass=dir
audit(1111505098.114:0): avc: denied { search } for pid=12690 exe=/usr/sbin/rndc name=etc dev=md1 ino=1368193 scontext=root:system_r:ndc_t tcontext=root:object_r:file_t tclass=dir
audit(1111505098.114:0): avc: denied { read } for pid=12690 exe=/usr/sbin/rndc name=ld.so.cache dev=md1 ino=1370938 scontext=root:system_r:ndc_t tcontext=root:object_r:file_t tclass=file
audit(1111505098.114:0): avc: denied { getattr } for pid=12690 exe=/usr/sbin/rndc path=/etc/ld.so.cache dev=md1 ino=1370938 scontext=root:system_r:ndc_t tcontext=root:object_r:file_t tclass=file
audit(1111505098.114:0): avc: denied { read } for pid=12690 exe=/usr/sbin/rndc name=libcrypto.so.4 dev=md1 ino=211792 scontext=root:system_r:ndc_t tcontext=root:object_r:file_t tclass=lnk_file
audit(1111505098.118:0): avc: denied { execute } for pid=12690 path=/lib/libcrypto.so.0.9.7a dev=md1 ino=214229 scontext=root:system_r:ndc_t tcontext=root:object_r:file_t tclass=file

From sds at tycho.nsa.gov Tue Mar 22 15:48:37 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 22 Mar 2005 10:48:37 -0500
Subject: Recent SEL problems on FC3 box - named & dhcpd
In-Reply-To: <200503221551.j2MFpqXK009832@mx2.redhat.com>
References: <200503221551.j2MFpqXK009832@mx2.redhat.com>
Message-ID: <1111506517.15346.111.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-03-22 at 15:30 +0000, Ruth Ivimey-Cook wrote:
> Hi folks,
>
> I have just started having some problems with selinux. I'm using FC3 with the
> targeted policy. It was running enforced; now merely permissive because of the
> problems. The box is running BIND/named in master mode (i.e. it is master for
> some domains, but not supplying those domains to other daemons) and a dhcp
> server. I have today used yum to update both daemons from the updates-released
> repo, and am now getting errors of this sort (note this is a sample - there are
> many more):
>
> ...
> audit(1111501062.397:0): avc: denied { search } for pid=6809
> exe=/usr/sbin/dhcpd name=/ dev=md1 ino=2 scontext=root:system_r:dhcpd_t
> tcontext=system_u:object_r:file_t tclass=dir
> audit(1111501062.397:0): avc: denied { search } for pid=6809
> exe=/usr/sbin/dhcpd name=/ dev=md1 ino=2 scontext=root:system_r:dhcpd_t
> tcontext=system_u:object_r:file_t tclass=dir
> audit(1111501107.559:0): avc: denied { search } for pid=6828
> exe=/usr/sbin/named name=/ dev=md1 ino=2 scontext=root:system_r:named_t
> tcontext=system_u:object_r:file_t tclass=dir

This suggests that your filesystem isn't labeled. Touch /.autorelabel and reboot, or manually boot single-user and run /sbin/fixfiles relabel.

Did you install with SELinux enabled, or try enabling it later? How did you enable it?

-- 
Stephen Smalley
National Security Agency

From Ruth.Ivimey-Cook at ivimey.org Tue Mar 22 16:11:05 2005
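The two ways of reading a batch of "avc: denied" lines that this thread keeps coming back to, as an added example (not code from the list, from audit2allow, or from any of the posters): Chris's pointer to audit2allow(8) and Ruth's audit2allow output show the first reading, merging denials into candidate allow rules; Stephen's reply shows the second, a denial whose target type is file_t (or default_t, unlabeled_t) means the object never got a label at all, so the answer is a relabel rather than a rule. The Python below re-implements both readings independently. The sample lines are copied from messages in this archive (Ruth's dhcpd/named output, Ben's CGI getsched denial and Tom London's cupsd lines); the function names parse_avc, avc_to_allow_rules and labeling_problems are chosen here.

```python
"""audit2allow-style aggregation of 'avc: denied' lines, plus a check for
denials that indicate unlabeled files rather than a missing rule.

Added example for this thread (not code from the list or from audit2allow
itself); the sample lines below are copied from messages in this archive.
"""
import re
from collections import defaultdict

# Kernel audit format used throughout the thread:
#   audit(...): avc: denied { perm ... } for pid=... scontext=u:r:t tcontext=u:r:t tclass=cls
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

# Target types that mean "this object never received a label".  A denial
# against them is fixed by relabeling (touch /.autorelabel and reboot, or
# fixfiles relabel): an allow rule on file_t would open every unlabeled
# file on the system to that domain, which is what Ruth's generated
# "allow dhcpd_t file_t:file { ... execute ... }" line would have done.
UNLABELED_TYPES = {"file_t", "default_t", "unlabeled_t"}

# Lines copied from the thread (dhcpd/named, Ben's CGI, Tom's cupsd).
SAMPLE_AVC = [
    "audit(1111501062.397:0): avc: denied { search } for pid=6809 exe=/usr/sbin/dhcpd name=/ dev=md1 ino=2 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=dir",
    "audit(1111501107.559:0): avc: denied { search } for pid=6828 exe=/usr/sbin/named name=/ dev=md1 ino=2 scontext=root:system_r:named_t tcontext=system_u:object_r:file_t tclass=dir",
    "audit(1111501302.433:0): avc: denied { search } for pid=6896 exe=/usr/sbin/dhcpd name=etc dev=md1 ino=1368193 scontext=root:system_r:dhcpd_t tcontext=root:object_r:file_t tclass=dir",
    "audit(1111501302.437:0): avc: denied { read } for pid=6896 exe=/usr/sbin/dhcpd name=libc.so.6 dev=md1 ino=295646 scontext=root:system_r:dhcpd_t tcontext=root:object_r:file_t tclass=lnk_file",
    "audit(1111472231.280:0): avc: denied { getsched } for pid=405 exe=/var/www/test/cgi-bin/clip scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=process",
    "audit(1111594094.345:0): avc: denied { read } for pid=19983 exe=/usr/sbin/cupsd path=pipe:[194059] dev=pipefs ino=194059 scontext=root:system_r:cupsd_t tcontext=root:system_r:unconfined_t tclass=fifo_file",
    "audit(1111594094.345:0): avc: denied { write } for pid=19983 exe=/usr/sbin/cupsd path=pipe:[194059] dev=pipefs ino=194059 scontext=root:system_r:cupsd_t tcontext=root:system_r:unconfined_t tclass=fifo_file",
]


def context_type(ctx):
    """Type field of a user:role:type context string."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for one denial line, or None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def avc_to_allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class),
    formatted the way audit2allow prints them ("self" when source and
    target type coincide, braces around multiple permissions)."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def labeling_problems(lines):
    """Source types whose denials hit an unlabeled target type; for these
    the fix is a relabel, not a rule."""
    return {d["stype"] for d in map(parse_avc, lines)
            if d is not None and d["ttype"] in UNLABELED_TYPES}


if __name__ == "__main__":
    for rule in avc_to_allow_rules(SAMPLE_AVC):
        print(rule)
    print("relabel, do not allow:", sorted(labeling_problems(SAMPLE_AVC)))
```

Run against the sample, the rule list reproduces the shape of Ruth's output (for example `allow named_t file_t:dir search;` and `allow cupsd_t unconfined_t:fifo_file { read write };`), while labeling_problems reports dhcpd_t and named_t, the two domains whose denials were really the unlabeled md1 filesystem. Feed real `/var/log/messages` lines through the same functions before pasting anything into local.te.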
From: Ruth.Ivimey-Cook at ivimey.org (Ruth Ivimey-Cook)
Date: Tue, 22 Mar 2005 16:11:05 -0000
Subject: Recent SEL problems on FC3 box - named & dhcpd
In-Reply-To: <1111506517.15346.111.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200503221611.j2MGBGIF017812@mx1.redhat.com>

> This suggests that your filesystem isn't labeled. Touch
> /.autorelabel and reboot, or manually boot single-user and
> run /sbin/fixfiles relabel.
> Did you install with SELinux enabled, or try enabling it
> later? How did you enable it?

It is a fresh install of FC3, installed with targeted as default policy. I.e. I have changed nothing since the install (except updating rpms with "yum").

Is there some doc on what relabelling means?

Ruth

From sds at tycho.nsa.gov Tue Mar 22 16:10:08 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 22 Mar 2005 11:10:08 -0500
Subject: Recent SEL problems on FC3 box - named & dhcpd
In-Reply-To: <200503221611.j2MGBGIF017812@mx1.redhat.com>
References: <200503221611.j2MGBGIF017812@mx1.redhat.com>
Message-ID: <1111507808.15346.122.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-03-22 at 16:11 +0000, Ruth Ivimey-Cook wrote:
> It is a fresh install of FC3, installed with targeted as default policy. I.e.
> I have changed nothing since the install (except updating rpms with "yum").

Did you preserve any existing filesystems from a prior install of Fedora Core? If so, then they wouldn't get labeled automatically.

> Is there some doc on what relabelling means?

Assigning security contexts (labels) to the files, stored as extended attributes of the inode.

http://fedora.redhat.com/docs/selinux-faq-fc3/
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
http://www.nsa.gov/selinux/papers/policy2/t1.html

-- 
Stephen Smalley
National Security Agency

From walters at redhat.com Tue Mar 22 16:20:03 2005
From: walters at redhat.com (Colin Walters)
Date: Tue, 22 Mar 2005 11:20:03 -0500
Subject: Recent SEL problems on FC3 box - named & dhcpd
In-Reply-To: <200503221611.j2MGBGIF017812@mx1.redhat.com>
References: <200503221611.j2MGBGIF017812@mx1.redhat.com>
Message-ID: <1111508403.3892.3.camel@nexus.verbum.private>

On Tue, 2005-03-22 at 16:11 +0000, Ruth Ivimey-Cook wrote:
> > This suggests that your filesystem isn't labeled. Touch
> > /.autorelabel and reboot, or manually boot single-user and
> > run /sbin/fixfiles relabel.
> > Did you install with SELinux enabled, or try enabling it
> > later? How did you enable it?
>
> It is a fresh install of FC3, installed with targeted as default policy. I.e.
> I have changed nothing since the install (except updating rpms with "yum").

Did you perhaps create a new filesystem (md1)? Any new filesystems that contain data used by a targeted daemon have to be labeled. This Fedora FAQ is relevant:

http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2826352

> Is there some doc on what relabelling means?

There's some documentation here:

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0019.html

From Ruth.Ivimey-Cook at ivimey.org Tue Mar 22 16:21:30 2005
From: Ruth.Ivimey-Cook at ivimey.org (Ruth Ivimey-Cook)
Date: Tue, 22 Mar 2005 16:21:30 -0000
Subject: Recent SEL problems on FC3 box - named & dhcpd
In-Reply-To: <1111507808.15346.122.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200503221621.j2MGLfLg021674@mx1.redhat.com>

> Did you preserve any existing filesystems from a prior
> install of Fedora Core? If so, then they wouldn't get
> labeled automatically.
>

This was a fresh install fs-wise, although I did copy files from the previous setup using /bin/cp. The old filesystems aren't in use anymore however.

I'll do the relabel thing and see...

Ruth

From bench at silentmedia.com Tue Mar 22 16:25:12 2005
From: bench at silentmedia.com (Ben)
Date: Tue, 22 Mar 2005 08:25:12 -0800
Subject: targeted policy clashes CGI program under apache
In-Reply-To: <1111499056.2681.26.camel@nexus.verbum.private>
References: <7b0a7469ba41bfe451432ff2d3a12d64@silentmedia.com> <1111499056.2681.26.camel@nexus.verbum.private>
Message-ID: 

On Mar 22, 2005, at 5:44 AM, Colin Walters wrote:

> You have three options basically:
>
> 1) Disable enforcement for Apache
> 2) Install policy source and add the permission
> 3) Wait for a FC3 policy update with this fixed

Well, thanks to audit2allow, it looks like 2 will be pretty easy. I'm worried about what you mean when you say it makes updates fragile, however...... what do you mean?

From walters at redhat.com Tue Mar 22 16:46:52 2005
From: walters at redhat.com (Colin Walters)
Date: Tue, 22 Mar 2005 11:46:52 -0500
Subject: targeted policy clashes CGI program under apache
In-Reply-To: 
References: <7b0a7469ba41bfe451432ff2d3a12d64@silentmedia.com> <1111499056.2681.26.camel@nexus.verbum.private>
Message-ID: <1111510013.9685.14.camel@nexus.verbum.private>

On Tue, 2005-03-22 at 08:25 -0800, Ben wrote:
> On Mar 22, 2005, at 5:44 AM, Colin Walters wrote:
>
> > You have three options basically:
> >
> > 1) Disable enforcement for Apache
> > 2) Install policy source and add the permission
> > 3) Wait for a FC3 policy update with this fixed
>
> Well, thanks to audit2allow, it looks like 2 will be pretty easy. I'm
> worried about what you mean when you say it makes updates fragile,
> however...... what do you mean?

It should generally work if all you're doing is adding a local.te with a few additional policy rules. I do it myself on my server.

From johnatl at mac.com Tue Mar 22 20:27:38 2005
From: johnatl at mac.com (John Johnson)
Date: Tue, 22 Mar 2005 15:27:38 -0500
Subject: [newbie] YUM hangs, can't update without reboot with selinux=0
In-Reply-To: <1111416723.4592.75.camel@nexus.verbum.private>
References: <15bea1e4bab54ea99056943bd040630f@mac.com> <1111416723.4592.75.camel@nexus.verbum.private>
Message-ID: <993a14186bba381c9c1be1c2abf235a7@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 21-Mar-2005, at 09:52, Colin Walters wrote:

> On Mon, 2005-03-21 at 09:31 -0500, John Johnson wrote:
>
>> When I run YUM, it runs briefly, then just sits there. Even when I do
>
> And if you do a 'touch /.autorelabel; reboot' and do *not* pass
> selinux=0, then yum hangs again?
>

That worked Colin, thanks!

Even up2date works now. Maybe I'll find out why after learning more about SE.

Thanks again!

Regards,
JJ

From walters at redhat.com Tue Mar 22 20:40:15 2005
From: walters at redhat.com (Colin Walters)
Date: Tue, 22 Mar 2005 15:40:15 -0500
Subject: [newbie] YUM hangs, can't update without reboot with selinux=0
In-Reply-To: <993a14186bba381c9c1be1c2abf235a7@mac.com>
References: <15bea1e4bab54ea99056943bd040630f@mac.com> <1111416723.4592.75.camel@nexus.verbum.private> <993a14186bba381c9c1be1c2abf235a7@mac.com>
Message-ID: <1111524015.3709.2.camel@nexus.verbum.private>

On Tue, 2005-03-22 at 15:27 -0500, John Johnson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On 21-Mar-2005, at 09:52, Colin Walters wrote:
>
> > On Mon, 2005-03-21 at 09:31 -0500, John Johnson wrote:
> >
> >> When I run YUM, it runs briefly, then just sits there. Even when I do
> >
> > And if you do a 'touch /.autorelabel; reboot' and do *not* pass
> > selinux=0, then yum hangs again?
> >
> That worked Colin, thanks!
>
> Even up2date works now. Maybe I'll find out why after learning more
> about SE.

Again, I don't think your problem related to SELinux at all. My suggested command should have essentially just restored your system to its state before you booted with selinux=0.

In the future, I'd suggest trying other solutions before rebooting with selinux=0, particularly if you don't see any "avc: denied" messages in your system log.

From dwalsh at redhat.com Tue Mar 22 20:44:38 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 22 Mar 2005 15:44:38 -0500
Subject: [newbie] YUM hangs, can't update without reboot with selinux=0
In-Reply-To: <993a14186bba381c9c1be1c2abf235a7@mac.com>
References: <15bea1e4bab54ea99056943bd040630f@mac.com> <1111416723.4592.75.camel@nexus.verbum.private> <993a14186bba381c9c1be1c2abf235a7@mac.com>
Message-ID: <424083B6.5040905@redhat.com>

You should always try enforcing=0 at the command line or setenforce 0 to turn off selinux enforcing mode, and then see if the problem goes away.

selinux=0 should always be a last resort, since if you want selinux turned back on you will need a relabel.

Dan

-- 

From Ruth.Ivimey-Cook at ivimey.org Tue Mar 22 21:09:29 2005
From: Ruth.Ivimey-Cook at ivimey.org (Ruth Ivimey-Cook)
Date: Tue, 22 Mar 2005 21:09:29 +0000
Subject: Recent SEL problems on FC3 box - named & dhcpd
In-Reply-To: <1111506517.15346.111.camel@moss-spartans.epoch.ncsc.mil>
References: <200503221551.j2MFpqXK009832@mx2.redhat.com> <1111506517.15346.111.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1111525769.7565.7.camel@filestore.ivimey.org>

On Tue, 2005-03-22 at 10:48 -0500, Stephen Smalley wrote:
> This suggests that your filesystem isn't labeled. Touch /.autorelabel
> and reboot, or manually boot single-user and run /sbin/fixfiles relabel.

I've done that, and it does seem to have fixed the problems with named and dhcpd. At least, there are no more avc messages.

However, it seems to have disabled my web server. I guess this is because I'm strange and prefer the web root to be /web, not /var/www.

I have tried adding lines (below) into apache.fc and then running 'make' in src/policy, but it didn't help.

HOME_DIR/((www)|(web)|(public_html))(/.+)?  system_u:object_r:httpd_ROLE_content_t
/web(/.*)?                                  system_u:object_r:httpd_sys_content_t
/web/cgi-bin(/.*)?                          system_u:object_r:httpd_sys_script_exec_t
/var/www(/.*)?                              system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)?                      system_u:object_r:httpd_sys_script_exec_t

I later tried adding the audit2allow lines to apache.te and running make, but that failed too.

allow httpd_t default_t:dir { getattr search };
allow httpd_t default_t:file { getattr read };
allow httpd_t default_t:lnk_file read;

What am I doing wrong?

Ruth

-- 
Ruth Ivimey-Cook

From eparis at redhat.com Tue Mar 22 21:13:58 2005
From: eparis at redhat.com (Eric Paris)
Date: Tue, 22 Mar 2005 16:13:58 -0500
Subject: Recent SEL problems on FC3 box - named & dhcpd
In-Reply-To: <1111525769.7565.7.camel@filestore.ivimey.org>
References: <200503221551.j2MFpqXK009832@mx2.redhat.com> <1111506517.15346.111.camel@moss-spartans.epoch.ncsc.mil> <1111525769.7565.7.camel@filestore.ivimey.org>
Message-ID: <1111526038.19964.10.camel@paris.rdu.redhat.com>

Try running

restorecon -v -R /web

after the apache.fc changes and running make reload.

you will probably see a ls -Z /web does not show up as system_u:object_r:httpd_sys_content_t. Before you run the restorecon.

Eric

On Tue, 2005-03-22 at 21:09 +0000, Ruth Ivimey-Cook wrote:
> On Tue, 2005-03-22 at 10:48 -0500, Stephen Smalley wrote:
> > This suggests that your filesystem isn't labeled. Touch /.autorelabel
> > and reboot, or manually boot single-user and run /sbin/fixfiles relabel.
>
> I've done that, and it does seem to have fixed the problems with named
> and dhcpd. At least, there are no more avc messages.
>
> However, it seems to have disabled my web server. I guess this is
> because I'm strange and prefer the web root to be /web, not /var/www.
>
> I have tried adding lines (below) into apache.fc and then running 'make'
> in src/policy, but it didn't help.
>
> HOME_DIR/((www)|(web)|(public_html))(/.+)?
> system_u:object_r:httpd_ROLE_content_t
> /web(/.*)? system_u:object_r:httpd_sys_content_t
> /web/cgi-bin(/.*)?
> system_u:object_r:httpd_sys_script_exec_t
> /var/www(/.*)? system_u:object_r:httpd_sys_content_t
> /var/www/cgi-bin(/.*)?
> system_u:object_r:httpd_sys_script_exec_t
>
>
> I later tried adding the audit2allow lines to apache.te and running
> make, but that failed too.
>
> allow httpd_t default_t:dir { getattr search };
> allow httpd_t default_t:file { getattr read };
> allow httpd_t default_t:lnk_file read;
>
>
> What am I doing wrong?
>
> Ruth
>

From Ruth.Ivimey-Cook at ivimey.org Tue Mar 22 22:16:04 2005
From: Ruth.Ivimey-Cook at ivimey.org (Ruth Ivimey-Cook)
Date: Tue, 22 Mar 2005 22:16:04 +0000
Subject: Recent SEL problems on FC3 box - named & dhcpd
In-Reply-To: <1111526038.19964.10.camel@paris.rdu.redhat.com>
References: <200503221551.j2MFpqXK009832@mx2.redhat.com> <1111506517.15346.111.camel@moss-spartans.epoch.ncsc.mil> <1111525769.7565.7.camel@filestore.ivimey.org> <1111526038.19964.10.camel@paris.rdu.redhat.com>
Message-ID: <1111529764.7651.0.camel@filestore.ivimey.org>

On Tue, 2005-03-22 at 16:13 -0500, Eric Paris wrote:
> restorecon -v -R /web
>
> after the apache.fc changes and running make reload.
>
> you will probably see a ls -Z /web does not show up as
> system_u:object_r:httpd_sys_content_t. Before you run the restorecon.

Yea! That did it.

Thanks,

-- 
Ruth Ivimey-Cook

From dragoran at feuerpokemon.de Wed Mar 23 12:11:28 2005
From: dragoran at feuerpokemon.de (dragoran)
Date: Wed, 23 Mar 2005 13:11:28 +0100
Subject: using tmpfs for /tmp and selinux
Message-ID: <42415CF0.6010102@feuerpokemon.de>

Is it possible to use tmpfs for /tmp with selinux (targeted) ...
I tried but got many avcs (tmp_t becomes tmpfs_t) for all files in /tmp

From sds at tycho.nsa.gov Wed Mar 23 13:06:57 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 23 Mar 2005 08:06:57 -0500
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <42415CF0.6010102@feuerpokemon.de>
References: <42415CF0.6010102@feuerpokemon.de>
Message-ID: <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-03-23 at 13:11 +0100, dragoran wrote:
> Is it possible to use tmpfs for /tmp with selinux (targeted) ...
> I tried but got many avcs (tmp_t becomes tmpfs_t) for all files in /tmp

You could try mounting with the context= option, e.g. context=system_u:object_r:tmp_t. This will force the superblock and root directory to tmp_t, and then files created in it should pick up the usual type transitions by default (e.g. mysqld_tmp_t). However, at present, using this option disables the use of getxattr/setxattr and setfscreatecon on the filesystem, so note that ls -Z and similar programs will no longer be able to get or set contexts on /tmp.

Note to James: Possibly we should reconsider the disabling of getxattr/setxattr and setfscreatecon for mountpoint labeling for pseudo filesystems like tmpfs, since we are just dealing with an incore inode SID and there is no persistent storage, so there is no inconsistency.

-- 
Stephen Smalley
National Security Agency

From rrcoot at verizon.net Wed Mar 23 15:34:42 2005
From: rrcoot at verizon.net (Ryan Gall)
Date: Wed, 23 Mar 2005 10:34:42 -0500
Subject: SELinux policy for ndiswrapper
In-Reply-To: <20050317170053.3287573B00@hormel.redhat.com>
References: <20050317170053.3287573B00@hormel.redhat.com>
Message-ID: <1111592082.5672.5.camel@laptop.animalshelter.net>

> > > > #Context for the driver configuration files
> > > > /etc/ndiswrapper/ -- system_u:object_r:loadndis_content_t
> > >
> > > you probably want this:
> > >
> > > /etc/ndiswrapper(/.*)? system_u:object_r:loadndis_content_t
> > >
> > > so you can label all of the driver stuff that's stored under that
> > > directory and its subdirectories. I don't think your pattern will
> > > match anything.
> > >
> > Actually everything does get the correct labels here. I guess it is
> > setting the label on the ndiswrapper directory and then all the child
> > directories and files are inheriting that context.
>
> Well if the directory is labeled correctly, and files are created in
> that directory, then it would get loadndis_content_t. However, if you
> relabeled, I bet they would end up having the wrong labels. Try running
> matchpathcon on a file in /etc/ndiswrapper, to see what file context
> matches. (`matchpathcon /etc/ndiswrapper/somefile`).
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>

You were right Chris, it did not work correctly when I relabeled. Thanks for all your help.

Ryan

From selinux at gmail.com Wed Mar 23 16:20:35 2005
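Both of the labeling threads above, Ruth's apache.fc lines for /web and the `/etc/ndiswrapper/ --` versus `/etc/ndiswrapper(/.*)?` exchange with Chris PeBenito, turn on how a path is matched against file_contexts entries, which is exactly what matchpathcon(8) computes and what restorecon and a relabel apply. The following is an added example, an independent re-implementation for illustration and not libselinux code: each regex must match the whole path, the optional type column (`--` regular file, `-d` directory, and so on) restricts an entry to that object kind, and when several entries match, the last one wins. The /web and ndiswrapper entries are the ones posted above; the `/etc(/.*)?` line is constructed to stand in for the generic /etc entry of the distribution policy, and the names parse_file_contexts and matchpathcon (the function, named after the tool) are chosen here.

```python
"""Resolve a path against file_contexts entries the way matchpathcon(8)
does.  Added example for the apache.fc and ndiswrapper threads above; an
independent re-implementation for illustration, not libselinux code.
The /etc(/.*)? line is constructed to stand in for the generic /etc entry
of the distribution policy; the other entries are the ones posted above.
"""
import re

# file_contexts file-type column -> the object kind the entry is limited to
TYPE_COLUMN = {"--": "file", "-d": "dir", "-l": "lnk", "-p": "fifo",
               "-s": "sock", "-c": "chr", "-b": "blk"}

# Ruth's /web entries.  The HOME_DIR template line is expanded by the
# policy build, not consulted by matchpathcon, so it is left out here.
APACHE_FC = """
/web(/.*)?              system_u:object_r:httpd_sys_content_t
/web/cgi-bin(/.*)?      system_u:object_r:httpd_sys_script_exec_t
/var/www(/.*)?          system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t
"""

# Ryan's original entry versus the one Chris suggested, each placed after a
# constructed generic /etc rule (as the real policy would order them).
NDIS_FC_ORIGINAL = """
/etc(/.*)?              system_u:object_r:etc_t
/etc/ndiswrapper/    -- system_u:object_r:loadndis_content_t
"""
NDIS_FC_FIXED = """
/etc(/.*)?              system_u:object_r:etc_t
/etc/ndiswrapper(/.*)?  system_u:object_r:loadndis_content_t
"""


def parse_file_contexts(text):
    """Parse 'regex [type] context' lines into (compiled regex, kind, context).
    Comments and blank lines are skipped; anything else malformed raises."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, kind, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex, kind, context = fields[0], TYPE_COLUMN[fields[1]], fields[2]
        else:
            raise ValueError("bad file_contexts line: %r" % raw)
        entries.append((re.compile(regex), kind, context))
    return entries


def matchpathcon(entries, path, kind="file"):
    """Context for path, or None when no entry matches.

    Every regex must match the whole path (matchpathcon anchors both ends),
    a type column restricts the entry to that object kind, and when several
    entries match the *last* one wins, which is why the /web/cgi-bin entry
    must come after the plain /web entry."""
    winner = None
    for regex, want, context in entries:
        if want is not None and want != kind:
            continue
        if regex.fullmatch(path):
            winner = context
    return winner


if __name__ == "__main__":
    web = parse_file_contexts(APACHE_FC)
    print("/web/cgi-bin/clip ->", matchpathcon(web, "/web/cgi-bin/clip"))
    print("/web/index.html   ->", matchpathcon(web, "/web/index.html"))
    orig = parse_file_contexts(NDIS_FC_ORIGINAL)
    fixed = parse_file_contexts(NDIS_FC_FIXED)
    print("/etc/ndiswrapper/somefile, original entry ->",
          matchpathcon(orig, "/etc/ndiswrapper/somefile"))
    print("/etc/ndiswrapper/somefile, fixed entry    ->",
          matchpathcon(fixed, "/etc/ndiswrapper/somefile"))
```

With Ryan's original entry, `/etc/ndiswrapper/somefile` resolves to the generic etc_t, which is why his files kept their labels only as long as they inherited them at creation time and lost them on relabel; with the `(/.*)?` form they resolve to loadndis_content_t. Swapping the order of Ruth's two /web lines would give `/web/cgi-bin/clip` httpd_sys_content_t instead of httpd_sys_script_exec_t, so keep the more specific entries later in the file.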
From: selinux at gmail.com (Tom London)
Date: Wed, 23 Mar 2005 08:20:35 -0800
Subject: system-config-printer/cups: unconfined_t:fifo_file {read write} ?
Message-ID: <4c4ba15305032308204121203f@mail.gmail.com>

Running targeted, latest development stuff.

Configuring a 'new' USB printer from 'Desktop->System Settings->Printing' produces a wealth of avcs like:

Mar 23 08:08:14 localhost kernel: audit(1111594094.345:0): avc: denied { read } for pid=19983 exe=/usr/sbin/cupsd path=pipe:[194059] dev=pipefs ino=194059 scontext=root:system_r:cupsd_t tcontext=root:system_r:unconfined_t tclass=fifo_file
Mar 23 08:08:14 localhost kernel: audit(1111594094.345:0): avc: denied { write } for pid=19983 exe=/usr/sbin/cupsd path=pipe:[194059] dev=pipefs ino=194059 scontext=root:system_r:cupsd_t tcontext=root:system_r:unconfined_t tclass=fifo_file

Appears to be asking for

allow cupsd_t unconfined_t:fifo_file { read write };

This denial appears not to cause a problem, since the printer works. Should this be a 'dontaudit'? Something else (like a missing transition)?

thanks,
tom

-- 
Tom London

From twaugh at redhat.com Wed Mar 23 16:33:13 2005
From: twaugh at redhat.com (Tim Waugh)
Date: Wed, 23 Mar 2005 16:33:13 +0000
Subject: system-config-printer/cups: unconfined_t:fifo_file {read write} ?
In-Reply-To: <4c4ba15305032308204121203f@mail.gmail.com>
References: <4c4ba15305032308204121203f@mail.gmail.com>
Message-ID: <20050323163313.GO12412@redhat.com>

On Wed, Mar 23, 2005 at 08:20:35AM -0800, Tom London wrote:

> Running targeted, latest development stuff.

In enforcing mode?

> This denial appears not to cause a problem, since the printer works.
> Should this be a 'dontaudit'? Something else (like a missing
> transition)?

What kind of printer is it? Is it an HPOJ device, with a PTAL transport?

Tim.
*/

From selinux at gmail.com Wed Mar 23 16:42:15 2005
From: selinux at gmail.com (Tom London)
Date: Wed, 23 Mar 2005 08:42:15 -0800
Subject: system-config-printer/cups: unconfined_t:fifo_file {read write} ?
In-Reply-To: <20050323163313.GO12412@redhat.com>
References: <4c4ba15305032308204121203f@mail.gmail.com> <20050323163313.GO12412@redhat.com>
Message-ID: <4c4ba153050323084217beb9b4@mail.gmail.com>

On Wed, 23 Mar 2005 16:33:13 +0000, Tim Waugh wrote:
> On Wed, Mar 23, 2005 at 08:20:35AM -0800, Tom London wrote:
>
> > Running targeted, latest development stuff.
>
> In enforcing mode?

Sorry, yes targeted/enforcing.

>
> > This denial appears not to cause a problem, since the printer works.
> > Should this be a 'dontaudit'? Something else (like a missing
> > transition)?
>
> What kind of printer is it? Is it an HPOJ device, with a PTAL
> transport?

I believe so: an HP PSC950 (combined scanner, printer, copier).

>
> Tim.
> */

-- 
Tom London

From twaugh at redhat.com Wed Mar 23 16:45:07 2005
From: twaugh at redhat.com (Tim Waugh)
Date: Wed, 23 Mar 2005 16:45:07 +0000
Subject: system-config-printer/cups: unconfined_t:fifo_file {read write} ?
In-Reply-To: <4c4ba153050323084217beb9b4@mail.gmail.com>
References: <4c4ba15305032308204121203f@mail.gmail.com> <20050323163313.GO12412@redhat.com> <4c4ba153050323084217beb9b4@mail.gmail.com>
Message-ID: <20050323164507.GP12412@redhat.com>

On Wed, Mar 23, 2005 at 08:42:15AM -0800, Tom London wrote:

> I believe so: an HP PSC950 (combined scanner, printer, copier).

Okay, what's going on then is that the ptal backend (/usr/lib*/cups/backend/ptal) needs to write to the named pipe in /var/run/ptal-printd.

That named pipe should be getting its label set correctly, but it doesn't look like that's happening.

Tim.
*/

From dwalsh at redhat.com Wed Mar 23 16:55:44 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 23 Mar 2005 11:55:44 -0500
Subject: system-config-printer/cups: unconfined_t:fifo_file {read write} ?
In-Reply-To: <20050323164507.GP12412@redhat.com>
References: <4c4ba15305032308204121203f@mail.gmail.com> <20050323163313.GO12412@redhat.com> <4c4ba153050323084217beb9b4@mail.gmail.com> <20050323164507.GP12412@redhat.com>
Message-ID: <42419F90.2030101@redhat.com>

Tim Waugh wrote:

>On Wed, Mar 23, 2005 at 08:42:15AM -0800, Tom London wrote:
>
>>I believe so: an HP PSC950 (combined scanner, printer, copier).
>>
>
>Okay, what's going on then is that the ptal backend
>(/usr/lib*/cups/backend/ptal) needs to write to the named pipe in
>/var/run/ptal-printd.
>
>That named pipe should be getting its label set correctly, but it
>doesn't look like that's happening.
>

What is creating the pipe?

Looks like

file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t, { sock_file fifo_file })

is required.

>Tim.
>*/
>

-- 

From selinux at gmail.com Wed Mar 23 17:11:54 2005
From: selinux at gmail.com (Tom London)
Date: Wed, 23 Mar 2005 09:11:54 -0800
Subject: system-config-printer/cups: unconfined_t:fifo_file {read write} ?
In-Reply-To: <42419F90.2030101@redhat.com>
References: <4c4ba15305032308204121203f@mail.gmail.com> <20050323163313.GO12412@redhat.com> <4c4ba153050323084217beb9b4@mail.gmail.com> <20050323164507.GP12412@redhat.com> <42419F90.2030101@redhat.com>
Message-ID: <4c4ba1530503230911600d56b8@mail.gmail.com>

> What is creating the pipe?
> Looks like
> file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t, { sock_file
> fifo_file })
> is required.
>
> >Tim.
> >*/
>

Uhh... I can't seem to find ptal on my system.

I have hpijs installed, but not hpoj (that right?)

I don't seem to have anything in /etc/init.d for ptal.

No ptal, no pipe?

Again, I just tried to connect this printer 'for the first time'. I was just trying to print on it....

Do I need hpoj for this? s-c-p didn't seem to complain, and printing works.

Could this be an operator (me) miscue? (if so, sorry....)

tom

-- 
Tom London

From dwalsh at redhat.com Wed Mar 23 17:11:35 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 23 Mar 2005 12:11:35 -0500
Subject: system-config-printer/cups: unconfined_t:fifo_file {read write} ?
In-Reply-To: <20050323164507.GP12412@redhat.com>
References: <4c4ba15305032308204121203f@mail.gmail.com> <20050323163313.GO12412@redhat.com> <4c4ba153050323084217beb9b4@mail.gmail.com> <20050323164507.GP12412@redhat.com>
Message-ID: <4241A347.7010406@redhat.com>

Tim Waugh wrote:
>On Wed, Mar 23, 2005 at 08:42:15AM -0800, Tom London wrote:
>>I believe so: an HP PSC950 (combined scanner, printer, copier).
>
>Okay, what's going on then is that the ptal backend
>(/usr/lib*/cups/backend/ptal) needs to write to the named pipe in
>/var/run/ptal-printd.
>
>That named pipe should be getting its label set correctly, but it
>doesn't look like that's happening.
>
>Tim.
>*/
>
Updated policy on my people page to handle this situation.

selinux-policy-targeted-1.23.4-4

Dan

--

From jwcart2 at epoch.ncsc.mil Wed Mar 23 19:14:02 2005
From: jwcart2 at epoch.ncsc.mil (James Carter)
Date: Wed, 23 Mar 2005 14:14:02 -0500
Subject: New policy for pyzor
In-Reply-To: <1111454594.18940.54.camel@hampton-pc.rainbolthampton.net>
References: <1111454594.18940.54.camel@hampton-pc.rainbolthampton.net>
Message-ID: <1111605242.3856.24.camel@moss-lions.epoch.ncsc.mil>

From pyzor.te:

##########
# pyzor daemon
##########
daemon_domain(pyzord, `, privlog, nscd_client_domain')
pyzor_base_domain(pyzord)
allow pyzord_t pyzor_port_t:udp_socket name_bind;
home_domain_access(pyzord_t, sysadm, pyzor)

Why home_domain_access()?

There is no sysadm_pyzor_home_t defined, so it causes an error.

On Mon, 2005-03-21 at 20:23 -0500, David Hampton wrote:
> This is a new strict policy for the pyzor spam filter. It is based on
> the selinux-policy-strict-sources-1.23.2-1 fedora RPM. This policy
> requires the definition of a pyzor reserved port that was in the
> net_contexts diff I sent last Wednesday. Please let me know if there
> are any problems with or changes needed to this policy.
>
> David
>
--
James Carter
National Security Agency

From hampton-rh at rainbolthampton.net Wed Mar 23 20:37:33 2005
From: hampton-rh at rainbolthampton.net (David Hampton)
Date: Wed, 23 Mar 2005 15:37:33 -0500
Subject: New policy for pyzor
In-Reply-To: <1111605242.3856.24.camel@moss-lions.epoch.ncsc.mil>
References: <1111454594.18940.54.camel@hampton-pc.rainbolthampton.net> <1111605242.3856.24.camel@moss-lions.epoch.ncsc.mil>
Message-ID: <1111610253.26996.16.camel@hampton-pc.rainbolthampton.net>

On Wed, 2005-03-23 at 14:14 -0500, James Carter wrote:
> From pyzor.te:
> Why home_domain_access()?

If you don't specify a directory with the --homedir argument, pyzor creates a ~/.pyzor directory to store its files. I've had them created as both /root/.pyzor and /home/david/.pyzor depending upon which uid I use to run the applications. Try something like:

cat virus-20050321-104527-01034-08 | pyzor check

as various users.

> There is no sysadm_pyzor_home_t defined, so it causes an error.

Oops. That would be because I forgot to include a diff to base_user_macros.te. Attached below.

David

-------------- next part --------------
A non-text attachment was scrubbed...
Name: base_user_macros.diffs
Type: text/x-patch
Size: 716 bytes
Desc: not available
URL:

From purenrg7 at gmail.com Wed Mar 23 21:22:46 2005
From: purenrg7 at gmail.com (Paul Rumin)
Date: Wed, 23 Mar 2005 15:22:46 -0600
Subject: (newbie)Troubles with SE-Linux
In-Reply-To: <20050321171222.7696b446.r.godzilla@comcast.net>
References: <20050321171222.7696b446.r.godzilla@comcast.net>
Message-ID:

Is /.autolabel a program? A file? I did a search on Red Hat Support site and found nothing.
I assume you want me to create a file (.autolabel) in the / directory. But this does nothing on my system. If you need more info, just ask what you need. Thanks in advance.

Paul

On Mon, 21 Mar 2005 17:12:22 -0800, Richard E Miles wrote:
> On Mon, 21 Mar 2005 18:48:37 -0600
> Paul Rumin wrote:
>
> > I would like to preface this with "I am not new to linux, but new to
> > SE-Linux." I am not sure where to begin with this problem. After a
> > clean install of Fedora Core 3 (at least I thought clean), I tried to
> > log in with a user account a few days later. This did not work, so
> > I logged in as root to change my user's password.
> >
> > 1. First, I tried changing the user's password with passwd. Although
> > the program seemed to accept the new password, I still was unable to
> > log in afterwards.
> >
> > 2. So I tried to manually change it within the /etc/passwd file.
> > Knowing that there was a shadow file, I deleted the encrypted
> > password in shadow and the "x" in the /etc/password file. Then, I ran
> > passwd, followed by pwconv. But still nothing.
> >
> > 3. Finally, I tried to just use the "su" command into my user's account
> > to no avail.
> >
> > Now I am stuck. My understanding of SE is that you must match
> > security contexts of the files, by using the -Z delimiter, which I
> > did verify.
> >
> > If someone could steer me in the right direction I would appreciate it.
> >
> > Thx,
> > Paul
> >
> > BTW, I did also try userdel/useradd with no success.
> >
> Is your system labeled? If not touch /.autorelabel, then reboot.
> --
> Richard E Miles
> Federal Way WA. USA
> registered linux user 46097
>

From sds at tycho.nsa.gov Wed Mar 23 21:21:52 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 23 Mar 2005 16:21:52 -0500
Subject: (newbie)Troubles with SE-Linux
In-Reply-To:
References: <20050321171222.7696b446.r.godzilla@comcast.net>
Message-ID: <1111612912.21107.138.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-03-23 at 15:22 -0600, Paul Rumin wrote:
> Is /.autolabel a program? A file? I did a search on Red Hat Support
> site and found nothing.
> I assume you want me to create a file (.autolabel) in the / directory.
> But this does nothing on my system. If you need more info, just ask
> what you need. Thanks in advance.

It is a flag file; you create it, e.g.:
touch /.autorelabel
and then reboot the system. The system initialization scripts check for it and will relabel the filesystem if the file exists, then delete it. system-config-securitylevel creates it upon significant changes to the SELinux configuration, e.g. enabling/disabling SELinux, switching from targeted to strict policy, etc.

--
Stephen Smalley
National Security Agency

From dragoran at feuerpokemon.de Thu Mar 24 07:43:41 2005
From: dragoran at feuerpokemon.de (dragoran)
Date: Thu, 24 Mar 2005 08:43:41 +0100
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <42426FAD.40109@feuerpokemon.de>

Stephen Smalley wrote:
>On Wed, 2005-03-23 at 13:11 +0100, dragoran wrote:
>>Is it possible to use tmpfs for /tmp with selinux (targeted) ...
>>I tried but got many avcs (tmp_t becomes tmpfs_t) for all files in /tmp
>
>You could try mounting with the context= option, e.g.
>context=system_u:object_r:tmp_t. This will force the superblock and
>root directory to tmp_t, and then files created in it should pick up the
>usual type transitions by default (e.g. mysqld_tmp_t). However, at
>present, using this option disables the use of getxattr/setxattr and
>setfscreatecon on the filesystem, so note that ls -Z and similar
>programs will no longer be able to get or set contexts on /tmp.
>
>Note to James: Possibly we should reconsider the disabling of
>getxattr/setxattr and setfscreatecon for mountpoint labeling for pseudo
>filesystems like tmpfs, since we are just dealing with an incore inode
>SID and there is no persistent storage, so there is no inconsistency.
>
doesn't seem to work:
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary name=.ICE-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary name=.X11-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary name=.X11-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:31 chello062178124144 kernel: audit(1111649731.447:0): avc: denied { associate } for pid=5340 exe=/usr/X11R6/bin/Xorg name=.tX0-lock scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem

From lkcl at lkcl.net Thu Mar 24 10:35:56 2005
From: lkcl at lkcl.net (Luke Kenneth Casson Leighton)
Date: Thu, 24 Mar 2005 10:35:56 +0000
Subject: New policy for pyzor
In-Reply-To: <1111610253.26996.16.camel@hampton-pc.rainbolthampton.net>
References: <1111454594.18940.54.camel@hampton-pc.rainbolthampton.net> <1111605242.3856.24.camel@moss-lions.epoch.ncsc.mil> <1111610253.26996.16.camel@hampton-pc.rainbolthampton.net>
Message-ID: <20050324103556.GD7999@lkcl.net>

On Wed, Mar 23, 2005 at 03:37:33PM -0500, David Hampton wrote:
> On Wed, 2005-03-23 at 14:14 -0500, James Carter wrote:
> > From pyzor.te:
> > Why home_domain_access()?
>
> If you don't specify a directory with the --homedir argument, pyzor
> creates a ~/.pyzor directory to store its files. I've had them created
> as both /root/.pyzor and /home/david/.pyzor depending upon which uid I
> use to run the applications.

... btw just as an aside, what the heck is razor doing attempting to create /razor.log and /root/razor.log?

l.

From sds at tycho.nsa.gov Thu Mar 24 13:17:27 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 24 Mar 2005 08:17:27 -0500
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <42426FAD.40109@feuerpokemon.de>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil> <42426FAD.40109@feuerpokemon.de>
Message-ID: <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2005-03-24 at 08:43 +0100, dragoran wrote:
> doesn't seem to work:
> Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0):
> avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary
> name=.ICE-unix scontext=user_u:object_r:tmp_t
> tcontext=system_u:object_r:tmp_t tclass=filesystem
> Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0):
> avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary
> name=.X11-unix scontext=user_u:object_r:tmp_t
> tcontext=system_u:object_r:tmp_t tclass=filesystem
> Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0):
> avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary
> name=.X11-unix scontext=user_u:object_r:tmp_t
> tcontext=system_u:object_r:tmp_t tclass=filesystem
> Mar 24 08:35:31 chello062178124144 kernel: audit(1111649731.447:0):
> avc: denied { associate } for pid=5340 exe=/usr/X11R6/bin/Xorg
> name=.tX0-lock scontext=user_u:object_r:tmp_t
> tcontext=system_u:object_r:tmp_t tclass=filesystem

Ah, yes - you would need policy changes as well, e.g.
	allow tmpfile tmp_t:filesystem associate;

--
Stephen Smalley
National Security Agency

From dragoran at feuerpokemon.de Fri Mar 25 13:33:00 2005
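An added example (not code from the thread, and not audit2allow itself) that does for the denials above what audit2allow does: parse the kernel avc lines, merge them into candidate allow rules, and flag the two situations this page runs into where the literal rule is not the right fix. The sample log is the denials dragoran posted plus the execmod denial reported later on this page, assembled into one constructed syslog extract.

```python
"""Turn 'avc: denied' lines into candidate policy rules and triage them.
Added example; the sample below is a constructed extract built from log
lines posted on this page."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary name=.ICE-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary name=.X11-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:31 chello062178124144 kernel: audit(1111649731.447:0): avc: denied { associate } for pid=5340 exe=/usr/X11R6/bin/Xorg name=.tX0-lock scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 25 07:38:36 localhost kernel: audit(1111765116.214:0): avc: denied { execmod } for pid=13994 comm=ld-linux.so.2 path=/usr/lib/openoffice.org1.9.87/program/libicudata.so.26.0 dev=dm-0 ino=164963 scontext=user_u:system_r:crond_t tcontext=system_u:object_r:lib_t tclass=file
Mar 25 07:38:37 localhost kernel: some unrelated message
"""

# 2005-era format: "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return permissions, source/target types, object class and the raw
    key=value fields of one denial, or None when the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        # A context is user:role:type[:range]; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": set(m.group("perms").split()), "stype": stype,
            "ttype": ttype, "tclass": tclass, "fields": fields}


def merge_denials(log_text):
    """Collapse repeated denials into one (source type, target type, class)
    key holding the union of denied permissions, as audit2allow does."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            merged[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return merged


def format_rule(key, perms):
    """Render one merged denial as a policy 'allow' statement."""
    stype, ttype, tclass = key
    p = " ".join(sorted(perms))
    return "allow %s %s:%s %s;" % (stype, ttype, tclass,
                                   p if len(perms) == 1 else "{ " + p + " }")


def suggest_rules(log_text):
    """Sorted candidate allow rules for every distinct denial in the log."""
    return [format_rule(k, v) for k, v in sorted(merge_denials(log_text).items())]


def triage(key, perms):
    """Explain why the literal rule is usually not the right fix for the two
    denial kinds seen on this page; anything else is left for manual review."""
    stype, ttype, tclass = key
    if tclass == "filesystem" and "associate" in perms:
        return ("labeling: files of type %s are being created on a filesystem "
                "labeled %s; fix the mount or relabel first, then decide whether "
                "an attribute-wide rule (e.g. on tmpfile) is wanted" % (stype, ttype))
    if "execmod" in perms:
        return ("execmod: the library needs text relocations; rebuilding it "
                "without them is preferable to granting execmod to %s" % stype)
    return "review: confirm %s legitimately needs this access" % stype


if __name__ == "__main__":
    for key, perms in sorted(merge_denials(SAMPLE_LOG).items()):
        print(format_rule(key, perms))
        print("   #", triage(key, perms))
```

Run against the extract it emits `allow tmp_t tmp_t:filesystem associate;`, the concrete form of the `tmpfile` rule Stephen gives above; the triage line is the reminder that a rule generated from a denial describes what was blocked, not what should be allowed.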
From: dragoran at feuerpokemon.de (dragoran)
Date: Fri, 25 Mar 2005 14:33:00 +0100
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil> <42426FAD.40109@feuerpokemon.de> <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4244130C.8030304@feuerpokemon.de>

Stephen Smalley wrote:
>On Thu, 2005-03-24 at 08:43 +0100, dragoran wrote:
>>doesn't seem to work:
>>Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0):
>>avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary
>>name=.ICE-unix scontext=user_u:object_r:tmp_t
>>tcontext=system_u:object_r:tmp_t tclass=filesystem
>>Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0):
>>avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary
>>name=.X11-unix scontext=user_u:object_r:tmp_t
>>tcontext=system_u:object_r:tmp_t tclass=filesystem
>>Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0):
>>avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary
>>name=.X11-unix scontext=user_u:object_r:tmp_t
>>tcontext=system_u:object_r:tmp_t tclass=filesystem
>>Mar 24 08:35:31 chello062178124144 kernel: audit(1111649731.447:0):
>>avc: denied { associate } for pid=5340 exe=/usr/X11R6/bin/Xorg
>>name=.tX0-lock scontext=user_u:object_r:tmp_t
>>tcontext=system_u:object_r:tmp_t tclass=filesystem
>
>Ah, yes - you would need policy changes as well, e.g.
>	allow tmpfile tmp_t:filesystem associate;
>
in which file should I add this?

From sds at tycho.nsa.gov Fri Mar 25 13:59:44 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 25 Mar 2005 08:59:44 -0500
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <4244130C.8030304@feuerpokemon.de>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil> <42426FAD.40109@feuerpokemon.de> <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil> <4244130C.8030304@feuerpokemon.de>
Message-ID: <1111759184.15280.47.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-03-25 at 14:33 +0100, dragoran wrote:
> >Ah, yes - you would need policy changes as well, e.g.
> >	allow tmpfile tmp_t:filesystem associate;
> >
> in which file should I add this?

After further discussion on selinux list, it looks like Dan is going to take a different approach and not use a fscontext= or context= mount. Instead, he is just adding a 'restorecon /tmp' line to /etc/rc.d/rc.sysinit so that it will get relabeled to tmp_t at that time, and Dan recently added the following to the policy:
	allow tmpfile tmpfs_t:filesystem associate;

This is similar to how tmpfs mounts are being handled for /dev for use by udev.

--
Stephen Smalley
National Security Agency

From dragoran at feuerpokemon.de Fri Mar 25 14:15:02 2005
From: dragoran at feuerpokemon.de (dragoran)
Date: Fri, 25 Mar 2005 15:15:02 +0100
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <1111759184.15280.47.camel@moss-spartans.epoch.ncsc.mil>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil> <42426FAD.40109@feuerpokemon.de> <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil> <4244130C.8030304@feuerpokemon.de> <1111759184.15280.47.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <42441CE6.1090705@feuerpokemon.de>

Stephen Smalley wrote:
>On Fri, 2005-03-25 at 14:33 +0100, dragoran wrote:
>>>Ah, yes - you would need policy changes as well, e.g.
>>>	allow tmpfile tmp_t:filesystem associate;
>>>
>>in which file should I add this?
>
>After further discussion on selinux list, it looks like Dan is going to
>take a different approach and not use a fscontext= or context= mount.
>Instead, he is just adding a 'restorecon /tmp' line
>to /etc/rc.d/rc.sysinit so that it will get relabeled to tmp_t at that
>time, and Dan recently added the following to the policy:
>	allow tmpfile tmpfs_t:filesystem associate;
>
>This is similar to how tmpfs mounts are being handled for /dev for use
>by udev.
>
does this mean that adding restorecon /tmp in rc.sysinit would solve my problem?
I am using selinux-policy-targeted-1.17.30-2.90 is

allow tmpfile tmpfs_t:filesystem associate;

already done in this policy? or do I have to add it myself? I have policy sources installed but I don't know in which file I should add this line before rebuilding the policy.

From sds at tycho.nsa.gov Fri Mar 25 14:19:43 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 25 Mar 2005 09:19:43 -0500
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <42441CE6.1090705@feuerpokemon.de>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil> <42426FAD.40109@feuerpokemon.de> <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil> <4244130C.8030304@feuerpokemon.de> <1111759184.15280.47.camel@moss-spartans.epoch.ncsc.mil> <42441CE6.1090705@feuerpokemon.de>
Message-ID: <1111760383.15280.58.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-03-25 at 15:15 +0100, dragoran wrote:
> does this mean that adding restorecon /tmp in rc.sysinit would solve my
> problem?
> I am using selinux-policy-targeted-1.17.30-2.90 is
>
> allow tmpfile tmpfs_t:filesystem associate;
>
> already done in this policy? or do I have to add it myself? I have policy sources installed but I don't know in which file I should add this line before rebuilding the policy.

It is in the rawhide policy, doesn't appear to be in the latest policy for FC3 yet. You can temporarily put it in /etc/selinux/targeted/src/policy/domains/misc/local.te and reload your policy for now. The diff Dan proposed for rc.sysinit on selinux list is below.

--
Stephen Smalley
National Security Agency

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rc.sysinit.diff
Type: text/x-patch
Size: 432 bytes
Desc: not available
URL:

From dragoran at feuerpokemon.de Fri Mar 25 14:38:29 2005
From: dragoran at feuerpokemon.de (dragoran)
Date: Fri, 25 Mar 2005 15:38:29 +0100
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <1111760383.15280.58.camel@moss-spartans.epoch.ncsc.mil>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil> <42426FAD.40109@feuerpokemon.de> <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil> <4244130C.8030304@feuerpokemon.de> <1111759184.15280.47.camel@moss-spartans.epoch.ncsc.mil> <42441CE6.1090705@feuerpokemon.de> <1111760383.15280.58.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <42442265.9070708@feuerpokemon.de>

Stephen Smalley wrote:
>On Fri, 2005-03-25 at 15:15 +0100, dragoran wrote:
>>does this mean that adding restorecon /tmp in rc.sysinit would solve my
>>problem?
>>I am using selinux-policy-targeted-1.17.30-2.90 is
>>
>>allow tmpfile tmpfs_t:filesystem associate;
>>
>>already done in this policy? or do I have to add it myself? I have policy sources installed but I don't know in which file I should add this line before rebuilding the policy.
>
>It is in the rawhide policy, doesn't appear to be in the latest policy
>for FC3 yet. You can temporarily put it
>in /etc/selinux/targeted/src/policy/domains/misc/local.te and reload
>your policy for now. The diff Dan proposed for rc.sysinit on selinux
>list is below.
>
>------------------------------------------------------------------------
>
>--- initscripts-8.05/rc.d/rc.sysinit~	2005-03-24 15:02:51.000000000 -0500
>+++ initscripts-8.05/rc.d/rc.sysinit	2005-03-24 15:03:11.000000000 -0500
>@@ -593,6 +593,7 @@
> fi
> 
> # Clean up various /tmp bits
>+restorecon /tmp
> rm -f /tmp/.X*-lock /tmp/.lock.* /tmp/.gdm_socket /tmp/.s.PGSQL.*
> rm -rf /tmp/.X*-unix /tmp/.ICE-unix /tmp/.font-unix /tmp/hsperfdata_* \
> 	/tmp/kde-* /tmp/ksocket-* /tmp/mc-* /tmp/mcop-* /tmp/orbit-* \
>
>------------------------------------------------------------------------
>
ok now I have the problem that the policy doesn't build:
-
# make reload
make: *** No rule to make target `file_contexts/program/httpd_socket.fc', needed by `file_contexts/file_contexts'. Stop.
-
I tried:
#stat file_contexts/program/httpd_socket.fc
stat: cannot stat `file_contexts/program/httpd_socket.fc': No such file or directory

this file does not exist....
file_contexts/file_contexts is attached.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: file_contexts
URL:

From sds at tycho.nsa.gov Fri Mar 25 14:36:01 2005
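Review bot: the `+restorecon /tmp` line in the rc.sysinit hunk is only half of the fix: as Stephen explains earlier in this thread, relabeling the mount point to tmp_t means files created under it are tmp-family types living on a tmpfs_t filesystem, which still needs `allow tmpfile tmpfs_t:filesystem associate;` in the policy, so this initscripts change and the policy update have to ship together and the commit message should say so. The hunk also adds no guard around the call: nothing checks that /sbin/restorecon exists or that SELinux is in use before running it, unlike the unconditional rm lines that follow, which need no such support; `[ -x /sbin/restorecon ] && restorecon /tmp` would avoid a failing command on every boot of a system without policycoreutils.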
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 25 Mar 2005 09:36:01 -0500
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <42442265.9070708@feuerpokemon.de>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil> <42426FAD.40109@feuerpokemon.de> <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil> <4244130C.8030304@feuerpokemon.de> <1111759184.15280.47.camel@moss-spartans.epoch.ncsc.mil> <42441CE6.1090705@feuerpokemon.de> <1111760383.15280.58.camel@moss-spartans.epoch.ncsc.mil> <42442265.9070708@feuerpokemon.de>
Message-ID: <1111761361.15280.72.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-03-25 at 15:38 +0100, dragoran wrote:
> ok now I have the problem that the policy doesn't build:
> -
> # make reload
> make: *** No rule to make target
> `file_contexts/program/httpd_socket.fc', needed by
> `file_contexts/file_contexts'. Stop.

I grabbed a copy of the same policy RPM and installed it here, and had no such problem. The error message means that you have a domains/program/httpd_socket.te file, so the Makefile automatically expects you to also have a file_contexts/program/httpd_socket.fc file with the corresponding file contexts. What is httpd_socket.te? Did you create it yourself (if so, you should have put it under domains/misc to avoid triggering an attempt to find a corresponding .fc file).

--
Stephen Smalley
National Security Agency

From dragoran at feuerpokemon.de Fri Mar 25 14:52:24 2005
From: dragoran at feuerpokemon.de (dragoran)
Date: Fri, 25 Mar 2005 15:52:24 +0100
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <1111761361.15280.72.camel@moss-spartans.epoch.ncsc.mil>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil> <42426FAD.40109@feuerpokemon.de> <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil> <4244130C.8030304@feuerpokemon.de> <1111759184.15280.47.camel@moss-spartans.epoch.ncsc.mil> <42441CE6.1090705@feuerpokemon.de> <1111760383.15280.58.camel@moss-spartans.epoch.ncsc.mil> <42442265.9070708@feuerpokemon.de> <1111761361.15280.72.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <424425A8.8050005@feuerpokemon.de>

Stephen Smalley wrote:
>On Fri, 2005-03-25 at 15:38 +0100, dragoran wrote:
>>ok now I have the problem that the policy doesn't build:
>>-
>># make reload
>>make: *** No rule to make target
>>`file_contexts/program/httpd_socket.fc', needed by
>>`file_contexts/file_contexts'. Stop.
>
>I grabbed a copy of the same policy RPM and installed it here, and had
>no such problem. The error message means that you have a
>domains/program/httpd_socket.te file, so the Makefile automatically
>expects you to also have a file_contexts/program/httpd_socket.fc file
>with the corresponding file contexts. What is httpd_socket.te? Did you
>create it yourself (if so, you should have put it under domains/misc to
>avoid triggering an attempt to find a corresponding .fc file).
>
I added this file a while ago to fix some php/mysql issues but they got fixed by an errata policy so I deleted the file now and was able to do make reload.

From walters at redhat.com Fri Mar 25 15:47:36 2005
From: walters at redhat.com (Colin Walters)
Date: Fri, 25 Mar 2005 10:47:36 -0500
Subject: append only file system - selinux?
In-Reply-To: <42432A00.1010309@beowulf.net>
References: <42432A00.1010309@beowulf.net>
Message-ID: <1111765656.3932.61.camel@nexus.verbum.private>

On Thu, 2005-03-24 at 15:58 -0500, Chris Stankaitis wrote:
> If there is no 2.4 kernel solution, is there a 2.6/selinux solution to
> my problem? that would not allow anyone (even root) to do anything but
> append to logs?

Yes, definitely. SELinux provides a fine-grained "append" permission for files that one can grant to specific domains for specific file types (such as log files).

How exactly you implement this depends on which threats you are trying to counter. If you are simply trying to prevent a compromised daemon program which runs as uid 0 from changing logs, you could probably stick with the default Fedora "targeted" policy, which for a number of daemons such as Apache HTTPD already enforces this restriction. If you have daemons outside the targeted set, it is typically not too difficult to pull in the relevant policy from the "strict" into targeted, although there are a few gotchas which we can help with on fedora-selinux-list.

In order to confine user logins (e.g. someone logging in as root via sshd), you will need to use the "strict" policy. You then have to make a decision on exactly what permissions to grant to the login. One option is to simply place root into the user_r role (i.e. not sysadm_r). There, the login is restricted in a way similar in effect to a Linux non-zero uid. However, system administration such as restarting daemons is not possible.

It is theoretically possible to have a role similar to sysadm_r/sysadm_t but that prevents direct access to log files. However, it seems very likely to me that someone with privileges similar to sysadm_t could indirectly influence log files in other ways; e.g. by simply installing a malicious version of a daemon package. I imagine the same is true of the BSD securitylevel, of course. One nice thing about SELinux though is that you can use a tool such as "apol" to find all of those means of influence; i.e. what is the information flow from user_t to httpd_log_t. With BSD security levels you don't have any such assurance.

If you have more questions about SELinux, please ask on fedora-selinux-list.

From hampton-rh at rainbolthampton.net Fri Mar 25 17:24:05 2005
From: hampton-rh at rainbolthampton.net (David Hampton)
Date: Fri, 25 Mar 2005 12:24:05 -0500
Subject: New policy for pyzor
In-Reply-To: <20050324103556.GD7999@lkcl.net>
References: <1111454594.18940.54.camel@hampton-pc.rainbolthampton.net> <1111605242.3856.24.camel@moss-lions.epoch.ncsc.mil> <1111610253.26996.16.camel@hampton-pc.rainbolthampton.net> <20050324103556.GD7999@lkcl.net>
Message-ID: <1111771445.26996.31.camel@hampton-pc.rainbolthampton.net>

On Thu, 2005-03-24 at 10:35 +0000, Luke Kenneth Casson Leighton wrote:
> ... btw just as an aside, what the heck is razor doing
> attempting to create /razor.log and /root/razor.log?

The first time you run razor it can't find a config file telling it where to put its log, so it drops the log into the current working directory. It then attempts to create a ~/.razor home directory and default config file. All subsequent invocations of razor will find the just created config file and put the log where it specifies (which is ~/.razor by default). The /razor.log is probably from the first invocation by a system daemon, and the /root/razor.log from the first time you tested it as root.

David

From walters at redhat.com Fri Mar 25 17:29:13 2005
From: walters at redhat.com (Colin Walters)
Date: Fri, 25 Mar 2005 12:29:13 -0500
Subject: append only file system - selinux?
In-Reply-To: <4244413D.1040902@beowulf.net>
References: <42432A00.1010309@beowulf.net> <1111765656.3932.61.camel@nexus.verbum.private> <4244413D.1040902@beowulf.net>
Message-ID: <1111771753.3932.83.camel@nexus.verbum.private>

On Fri, 2005-03-25 at 11:50 -0500, Chris Stankaitis wrote:
> Essentially as I mentioned what we need to create is a centralized
> logging server where all our boxes will log to, which in itself is setup
> in a way so that even root can not modify the logs without it being
> painfully obvious that the server had been compromised.

I guess the question is - what requirements for system administration do you have? Will the machine run sshd? Should the "root" user be able to perform administration over sshd? If so, what kinds of administration? Restarting daemons? Installing packages? Rebooting?

> We would be
> turning off logrotate, the box would be a minimal install, with its
> only function to run a logger which would write local messages, as well
> as take in the logs from all other servers.

If the machine is only running syslogd exposed to the network, i.e. no sshd, then I think you're already basically there with the syslogd policy in Fedora. A compromised or buggy syslogd (even though it runs as uid 0) can only append to log files. For example, try this:

yum install setools-gui
apol -p /etc/selinux/targeted/policy/policy.18

Then click on the "Analysis" tab. Then "Direct Information Flow". In the starting type box, enter "syslogd_t". In the "Find end types" box, enter ".*_log_t$" (i.e. all types ending in _log_t). Then click "New". Under the "Direct Information Flow Tree", click var_log_t (which is the type of /var/log/messages, which is what you're primarily concerned with). Note that apol tells you the direct flow from syslogd_t to var_log_t is:

allow syslogd_t var_log_t : file { ioctl create getattr setattr append link };

The important thing to note here is that there is no "write" permission granted from the syslogd_t domain to files with type var_log_t; only "append".

You can also see transitive flows by using the "Transitive Information Flow" tab.

> The issue comes when you have to try and restrict root from doing
> something :)

Right; that's why I'm trying to get more clarification from you as to exactly what "root" means and what that user needs to be able to do.

From notting at redhat.com Fri Mar 25 17:56:03 2005
From: notting at redhat.com (Bill Nottingham)
Date: Fri, 25 Mar 2005 12:56:03 -0500
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <1111759184.15280.47.camel@moss-spartans.epoch.ncsc.mil>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil> <42426FAD.40109@feuerpokemon.de> <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil> <4244130C.8030304@feuerpokemon.de> <1111759184.15280.47.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20050325175603.GB15370@nostromo.devel.redhat.com>

Stephen Smalley (sds at tycho.nsa.gov) said:
> > in which file should I add this?
>
> After further discussion on selinux list, it looks like Dan is going to
> take a different approach and not use a fscontext= or context= mount.
> Instead, he is just adding a 'restorecon /tmp' line
> to /etc/rc.d/rc.sysinit so that it will get relabeled to tmp_t at that
> time, and Dan recently added the following to the policy:
> 	allow tmpfile tmpfs_t:filesystem associate;

A question: why don't mounts normally inherit the context of the directory where they're mounted in cases like these?

Bill

From sds at tycho.nsa.gov Fri Mar 25 18:08:50 2005
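The apol "Direct Information Flow" query Colin walks through in the append-only-logging thread above, reduced to a script: an added example (not code from the thread or from setools) that reads a constructed fragment of allow rules, of which only the syslogd_t/var_log_t line is the one quoted on this page, and reports per (type, class) what flows from a domain and whether that domain can change what is already logged. The direction map is a simplified stand-in for apol's permission map, and the non-syslogd rules are invented for contrast.

```python
"""Direct information flow over 'allow' rules, in the spirit of the apol
query described above.  Added example; only the syslogd_t/var_log_t rule
below is quoted from this page, the rest of POLICY is constructed."""
import re
from collections import defaultdict

POLICY = """
allow syslogd_t var_log_t : file { ioctl create getattr setattr append link };
allow syslogd_t var_log_t : dir { read getattr search add_name write };
allow logrotate_t var_log_t : file { read write create unlink rename getattr setattr };
allow httpd_t httpd_log_t : file { ioctl create getattr setattr append };
allow sysadm_t var_log_t : file { read write create unlink getattr };
allow user_t var_log_t : file getattr;
"""

ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s;]+)\s*;", re.M)

# Simplified direction map (constructed; apol ships its own perm map):
# write-like permissions move information into the object, read-like
# permissions move it out.
WRITE_LIKE = {"write", "append", "create", "setattr", "unlink", "link",
              "rename", "add_name", "remove_name"}
READ_LIKE = {"read", "getattr", "ioctl", "search", "lock"}
# Permissions on a file that can change or remove data already in it.
# 'append' is deliberately absent: it can only add to the end.
REWRITE = {"write", "unlink", "rename"}


def parse_allow(text):
    """Parse allow statements into (source, target, class, frozenset(perms))."""
    rules = []
    for m in ALLOW_RE.finditer(text):
        perms = frozenset(m.group("perms").strip("{} ").split())
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms))
    return rules


def direct_flow(rules, src, tgt_pattern):
    """Direct information flow from `src` to every type matching
    `tgt_pattern` (anchored at the start, like apol's end-type regex).
    Returns {(type, class): {"perms": set, "direction": str}}."""
    pat = re.compile(tgt_pattern)
    merged = defaultdict(set)
    for s, t, c, perms in rules:
        if s == src and pat.match(t):
            merged[(t, c)] |= perms
    result = {}
    for key, perms in merged.items():
        w, r = bool(perms & WRITE_LIKE), bool(perms & READ_LIKE)
        direction = "both" if w and r else "write" if w else "read" if r else "none"
        result[key] = {"perms": set(perms), "direction": direction}
    return result


def can_rewrite_log(rules, domain, log_type):
    """True when `domain` can alter or delete existing content of files of
    `log_type`; a domain limited to append (syslogd_t here) cannot."""
    flows = direct_flow(rules, domain, re.escape(log_type) + "$")
    perms = flows.get((log_type, "file"), {}).get("perms", set())
    return bool(perms & REWRITE)


def log_writers(rules, log_type):
    """Every domain with a write-like flow into `log_type` files, split into
    append-only and rewrite-capable: the list to audit on a log host."""
    append_only, rewrite = set(), set()
    for s, t, c, perms in rules:
        if t == log_type and c == "file" and perms & WRITE_LIKE:
            (rewrite if perms & REWRITE else append_only).add(s)
    return {"append_only": sorted(append_only), "rewrite": sorted(rewrite)}


if __name__ == "__main__":
    rules = parse_allow(POLICY)
    for key, flow in sorted(direct_flow(rules, "syslogd_t", r".*_log_t$").items()):
        print(key, flow["direction"], sorted(flow["perms"]))
    print(log_writers(rules, "var_log_t"))
```

The `log_writers` result is the practical check for the log-server design being discussed: every domain listed under "rewrite" is one that could alter history, and on a real policy that list is what needs justifying.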
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 25 Mar 2005 13:08:50 -0500
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <20050325175603.GB15370@nostromo.devel.redhat.com>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil> <42426FAD.40109@feuerpokemon.de> <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil> <4244130C.8030304@feuerpokemon.de> <1111759184.15280.47.camel@moss-spartans.epoch.ncsc.mil> <20050325175603.GB15370@nostromo.devel.redhat.com>
Message-ID: <1111774130.15280.153.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-03-25 at 12:56 -0500, Bill Nottingham wrote:
> Stephen Smalley (sds at tycho.nsa.gov) said:
> > > in which file should I add this?
> >
> > After further discussion on selinux list, it looks like Dan is going to
> > take a different approach and not use a fscontext= or context= mount.
> > Instead, he is just adding a 'restorecon /tmp' line
> > to /etc/rc.d/rc.sysinit so that it will get relabeled to tmp_t at that
> > time, and Dan recently added the following to the policy:
> > 	allow tmpfile tmpfs_t:filesystem associate;
>
> A question: why don't mounts normally inherit the context of the
> directory where they're mounted in cases like these?

You would need rather specialized handling of tmpfs in the kernel for that, since:
1) for conventional filesystems, you get the context from the on-disk xattr, not from the mount point,
2) for pseudo filesystems like /proc that don't create a separate instance per mount, you could have multiple mounts at different points, but you can only have one security context assigned.

tmpfs is unusual since it creates an instance per mount. Neither the LSM hook nor the kernel function which calls it (the one that performs setup of the superblock and root inode) even has the mount point available to it; you'd have to use a hook in graft_tree or attach_mnt.

--
Stephen Smalley
National Security Agency

From selinux at gmail.com Fri Mar 25 21:39:53 2005
From: selinux at gmail.com (Tom London)
Date: Fri, 25 Mar 2005 13:39:53 -0800
Subject: libicudata.so.26.0, prelink, symbolic link, ...
Message-ID: <4c4ba15305032513393cddadb2@mail.gmail.com>

Running targeted/enforcing, latest rawhide.

Noticed the following AVC in log:

Mar 25 07:38:36 localhost kernel: audit(1111765116.214:0): avc: denied { execmod } for pid=13994 comm=ld-linux.so.2 path=/usr/lib/openoffice.org1.9.87/program/libicudata.so.26.0 dev=dm-0 ino=164963 scontext=user_u:system_r:crond_t tcontext=system_u:object_r:lib_t tclass=file

This appears to be generated by prelink run from cron. Here are entries from prelink.log:

Prelinking /usr/lib/openoffice.org1.9.87/program/libicudata.so.26.0
/usr/sbin/prelink: /usr/lib/openoffice.org1.9.87/program/libicudata.so.26.0 Could not trace symbol resolving
/usr/sbin/prelink: Could not prelink /usr/lib/openoffice.org1.9.87/program/libicuuc.so.26.0 because its dependency /usr/lib/openoffice.org1.9.87/program/libicudata.so.26.0 could not be prelinked
/usr/sbin/prelink: Could not prelink /usr/lib/openoffice.org1.9.87/program/libicule.so.26.0 because its dependency /usr/lib/openoffice.org1.9.87/program/libicuuc.so.26.0 could not be prelinked
Prelinking /usr/lib/openoffice.org1.9.87/program/libjvmaccessgcc3.so.3
/usr/sbin/prelink: Could not prelink /usr/lib/openoffice.org1.9.87/program/libvcl680li.so because its dependency /usr/lib/openoffice.org1.9.87/program/libicuuc.so.26.0 could not be prelinked
<<<< etc. >>>

Interestingly, the AVC seems to be showing the type of the link instead of the type of the real file:

[root at tlondon program]# ls -lZ libicudata*
lrwxrwxrwx  root root system_u:object_r:lib_t    libicudata.so -> libicudata.so.26.0
lrwxrwxrwx  root root system_u:object_r:lib_t    libicudata.so.26 -> libicudata.so.26.0
-r--r--r--  root root system_u:object_r:shlib_t  libicudata.so.26.0

Any significance to this?

tom
-- 
Tom London

From drepper at redhat.com Fri Mar 25 21:56:00 2005
From: drepper at redhat.com (Ulrich Drepper)
Date: Fri, 25 Mar 2005 13:56:00 -0800
Subject: libicudata.so.26.0, prelink, symbolic link, ...
In-Reply-To: <4c4ba15305032513393cddadb2@mail.gmail.com>
References: <4c4ba15305032513393cddadb2@mail.gmail.com>
Message-ID: <424488F0.50507@redhat.com>

Tom London wrote:
> Running targeted/enforcing, latest rawhide.
>
> Noticed the following AVC in log:
> Mar 25 07:38:36 localhost kernel: audit(1111765116.214:0): avc:
> denied { execmod } for pid=13994 comm=ld-linux.so.2
> path=/usr/lib/openoffice.org1.9.87/program/libicudata.so.26.0 dev=dm-0
> ino=164963 scontext=user_u:system_r:crond_t
> tcontext=system_u:object_r:lib_t tclass=file

/usr/lib/openoffice.org1.9.87/program/libicudata.so.26.0 has text relocations, which shouldn't be the case. This is no SELinux issue, but instead an OO.org build problem.

-- 
Ulrich Drepper, Red Hat, Inc., 444 Castro St, Mountain View, CA

From ivg2 at cornell.edu Fri Mar 25 22:13:00 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Fri, 25 Mar 2005 15:13:00 -0700
Subject: libicudata.so.26.0, prelink, symbolic link, ...
In-Reply-To: <424488F0.50507@redhat.com>
References: <4c4ba15305032513393cddadb2@mail.gmail.com> <424488F0.50507@redhat.com>
Message-ID: <42448CEC.8080504@cornell.edu>

> /usr/lib/openoffice.org1.9.87/program/libicudata.so.26.0 has text
> relocations, which shouldn't be the case. This is no SELinux issue, but
> instead an OO.org build problem.

I sent a policy patch about this some time ago (to mark it as such).. Can't recall if it wasn't merged, or if I just missed this particular library.

Look in /etc/selinux/targeted/src/policy/file_contexts/distros.fc for libicudata.

chcon -t textrel_shlib_t to fix it temporarily.

There is a vast list of those in the SELinux policy - maybe bugs should be filed in the appropriate apps to fix them.

From chris at beowulf.net Fri Mar 25 16:50:05 2005
From: chris at beowulf.net (Chris Stankaitis)
Date: Fri, 25 Mar 2005 11:50:05 -0500
Subject: append only file system - selinux?
In-Reply-To: <1111765656.3932.61.camel@nexus.verbum.private>
References: <42432A00.1010309@beowulf.net> <1111765656.3932.61.camel@nexus.verbum.private>
Message-ID: <4244413D.1040902@beowulf.net>

Colin Walters wrote:
> On Thu, 2005-03-24 at 15:58 -0500, Chris Stankaitis wrote:
>
>> If there is no 2.4 kernel solution, is there a 2.6/selinux solution to
>> my problem? that would not allow anyone (even root) to do anything but
>> append to logs?
>
> Yes, definitely. SELinux provides a fine-grained "append" permission
> for files that one can grant to specific domains for specific file types
> (such as log files).
>
> How exactly you implement this depends on which threats you are trying
> to counter. If you are simply trying to prevent a compromised daemon
> program which runs as uid 0 from changing logs, you could probably stick
> with the default Fedora "targeted" policy, which for a number of daemons
> such as Apache HTTPD already enforces this restriction. If you have
> daemons outside the targeted set, it is typically not too difficult to
> pull in the relevant policy from the "strict" into targeted, although
> there are a few gotchas which we can help with on fedora-selinux-list.
>
> In order to confine user logins (e.g. someone logging in as root via
> sshd), you will need to use the "strict" policy. You then have to make
> a decision on exactly what permissions to grant to the login. One
> option is to simply place root into the user_r role (i.e. not sysadm_r).
> There, the login is restricted in a way similar in effect to a Linux
> non-zero uid. However, system administration such as restarting daemons
> is not possible.
>
> It is theoretically possible to have a role similar to sysadm_r/sysadm_t
> but that prevents direct access to log files. However, it seems very
> likely to me that someone with privileges similar to sysadm_t could
> indirectly influence log files in other ways; e.g. by simply installing
> a malicious version of a daemon package. I imagine the same is true of
> the BSD securitylevel, of course.
>
> One nice thing about SELinux though is that you can use a tool such as
> "apol" to find all of those means of influence; i.e. what is the
> information flow from user_t to httpd_log_t. With BSD security levels
> you don't have any such assurance.
>
> If you have more questions about SELinux, please ask on
> fedora-selinux-list.

Essentially as I mentioned what we need to create is a centralized logging server where all our boxes will log to, which in itself is setup in a way so that even root can not modify the logs without it being painfully obvious that the server had been compromised. We would be turning off logrotate, the box would be a minimal install, with its only function to run a logger which would write local messages, as well as take in the logs from all other servers.

The issue comes when you have to try and restrict root from doing something :)

I'll pop onto the selinux list and start getting better acquainted with the ins and outs of selinux and the functions which could let us accomplish this.

--Chris

From dragoran at feuerpokemon.de Sat Mar 26 09:09:34 2005
From: dragoran at feuerpokemon.de (dragoran)
Date: Sat, 26 Mar 2005 10:09:34 +0100
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <1111774130.15280.153.camel@moss-spartans.epoch.ncsc.mil>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil> <42426FAD.40109@feuerpokemon.de> <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil> <4244130C.8030304@feuerpokemon.de> <1111759184.15280.47.camel@moss-spartans.epoch.ncsc.mil> <20050325175603.GB15370@nostromo.devel.redhat.com> <1111774130.15280.153.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <424526CE.1020802@feuerpokemon.de>

Stephen Smalley wrote:
> On Fri, 2005-03-25 at 12:56 -0500, Bill Nottingham wrote:
>> Stephen Smalley (sds at tycho.nsa.gov) said:
>>>> in which file should I add this?
>>>
>>> After further discussion on selinux list, it looks like Dan is going to
>>> take a different approach and not use a fscontext= or context= mount.
>>> Instead, he is just adding a 'restorecon /tmp' line
>>> to /etc/rc.d/rc.sysinit so that it will get relabeled to tmp_t at that
>>> time, and Dan recently added the following to the policy:
>>>   allow tmpfile tmpfs_t:filesystem associate;
>>
>> A question: why don't mounts normally inherit the context of the
>> directory where they're mounted in cases like these?
>
> You would need rather specialized handling of tmpfs in the kernel for
> that, since:
> 1) for conventional filesystems, you get the context from the on-disk
> xattr, not from the mount point,
> 2) for pseudo filesystems like /proc that don't create a separate
> instance per mount, you could have multiple mounts at different points,
> but you can only have one security context assigned.
>
> tmpfs is unusual since it creates an instance per mount.
>
> Neither the LSM hook nor the kernel function which calls it that
> performs setup of the superblock and root inode doesn't even have the
> mount point available to them; you'd have to use a hook in graft_tree or
> attach_mnt.

it still does not work with the restorecon /tmp line and the policy changes....
same avcs...

From justin.conover at gmail.com Sun Mar 27 14:48:02 2005
From: justin.conover at gmail.com (Justin Conover)
Date: Sun, 27 Mar 2005 08:48:02 -0600
Subject: selinux error and kernel lockups
Message-ID:

The last 3 kernels in rawhide have hung my box on reboot with this being the last error i see on screen:

SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts

Any ideas?

Kernel-1177 works fine

I get the error with these 3
1191
1202
1208

From ivg2 at cornell.edu Mon Mar 28 04:57:35 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Sun, 27 Mar 2005 23:57:35 -0500
Subject: Desktop apps interoperability
Message-ID: <1111985855.1514.70.camel@cobra.ivg2.net>

Okay, mozilla's handling of saved files is a problem.

Here's what it does - files saved under ROLE_home_dir_t, or ROLE_home_t directories turn to ROLE_mozilla_home_t via file_type_auto_trans.

Here's what gift does by default - it has a download folder where it puts stuff. The downloaded files turn to ROLE_gift_home_t (context of parent folder, which is ~/.giFT/completed or something).

Here's what mencoder does - it saves stuff as ROLE_mplayer_home_t via file_type_auto_trans.

==============

This is bad for interoperability. Using the home_domain macro, the user has access to the home_domain type of an application. However one app has no access to the home_domain type of another app. Basically I can never play (mplayer) a movie that I just downloaded, whether or not it was via mozilla, or gift.

Alternatively, there could be a common data type - ROLE_home_t. However none of those apps can save its data directly under /home/username as ROLE_home_t, because all of them have a home_domain, and that's where the file_type_auto_trans rule is used. There can't be more than one file_type_auto_trans on the same folder type (right?). Furthermore this seems to be explicitly avoided for mozilla (it does not write to ROLE_home_t for security reasons - overwriting .bashrc?).

============

Ok, here

Fundamentally, what I want to know is:

1) Do desktop apps need to be confined? Is it a good idea to confine them?
2) If so, a shared data type is needed for interoperability. Is ROLE_home_t acceptable for that purpose.
3)

0) No
1) Shared data type is needed for interoperability
2) Keeping both application settings, and user data in the same folder is a problem

From ivg2 at cornell.edu Mon Mar 28 05:03:32 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Mon, 28 Mar 2005 00:03:32 -0500
Subject: Desktop apps interoperability
In-Reply-To: <1111985855.1514.70.camel@cobra.ivg2.net>
References: <1111985855.1514.70.camel@cobra.ivg2.net>
Message-ID: <1111986213.1514.77.camel@cobra.ivg2.net>

Okay that was an unfinished email - sorry for my stupidity - I was editing it and changing things and clicked send by mistake.

The problem is accurately described (in the first part of the email) and what I was getting to - I'm trying to imagine how desktop apps can be confined properly in the future (and right now, for that matter). How will they interoperate and share data?

I was thinking of a ~/downloads folder with a shared context, but this makes sense for apps that download stuff. In the future if desktop apps are confined (say openoffice, abiword) this becomes a more generic problem.

-- 
Ivan Gyurdiev
Cornell University

From ivg2 at cornell.edu Mon Mar 28 05:27:31 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Mon, 28 Mar 2005 00:27:31 -0500
Subject: Desktop apps interoperability
In-Reply-To: <1111986213.1514.77.camel@cobra.ivg2.net>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net>
Message-ID: <1111987652.1514.97.camel@cobra.ivg2.net>

On Mon, 2005-03-28 at 00:03 -0500, Ivan Gyurdiev wrote:
> Okay that was an unfinished email - sorry for my stupidity - I was
> editing it and changing things and clicked send by mistake.
>
> The problem is accurately described (in the first part of the email) and
> what I was getting to - I'm trying to imagine how desktop apps can be
> confined properly in the future (and right now, for that matter). How
> will they interoperate and share data?
>
> I was thinking of a ~/downloads folder with a shared context, but
> this makes sense for apps that download stuff. In the future if desktop
> apps are confined (say openoffice, abiword) this becomes a more generic
> problem.

Part of the problem seems to be the way Linux apps treat /home, as the place for everything. Why are both app. settings and user data stored in /home as the default location. That's where the problem comes from, and that seems like a bad idea - the user doesn't care about app settings and system files - they are not to be edited directly. That's why they're hidden in the first place.

Now Windows' approach of having "My Documents" and the like is starting to make a lot of sense (even though I absolutely hate those names).

If app settings were kept separate, in a non-selinux environment you could export your data files w/out exporting hidden important files like your gpg keys.

If app settings were kept separate, you could restorecon those settings to correct contexts. Dwalsh said restorecon skips /home today because it could accidentally reveal out-of-place gpg keys, or because it might be really big. Both those problems would not apply if settings were in a separate place - you could just restorecon the settings.

-- 
Ivan Gyurdiev
Cornell University

From lkcl at lkcl.net Mon Mar 28 10:01:40 2005
From: lkcl at lkcl.net (Luke Kenneth Casson Leighton)
Date: Mon, 28 Mar 2005 11:01:40 +0100
Subject: Desktop apps interoperability
In-Reply-To: <1111987652.1514.97.camel@cobra.ivg2.net>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net>
Message-ID: <20050328100140.GB3430@lkcl.net>

On Mon, Mar 28, 2005 at 12:27:31AM -0500, Ivan Gyurdiev wrote:
> Now Windows' approach of having "My Documents" and the like is starting
> to make a lot of sense (even though I absolutely hate those names).

and the concept of a registry, too.

unix has a lot of legacy headaches to answer for that make its usability as a desktop system a pain in the neck.

perhaps this is one that's worthwhile raising with the linux standards base people? if it doesn't present a solution "now" it might at least get one into the pipeline and start to make a difference in five to ten years time.

l.

From lkcl at lkcl.net Mon Mar 28 10:04:49 2005
From: lkcl at lkcl.net (Luke Kenneth Casson Leighton)
Date: Mon, 28 Mar 2005 11:04:49 +0100
Subject: Desktop apps interoperability
In-Reply-To: <1111985855.1514.70.camel@cobra.ivg2.net>
References: <1111985855.1514.70.camel@cobra.ivg2.net>
Message-ID: <20050328100449.GC3430@lkcl.net>

On Sun, Mar 27, 2005 at 11:57:35PM -0500, Ivan Gyurdiev wrote:
> There can't be more than one file_type_auto_trans on the same folder
> type (right?).

bizarrely, no.

i believe this issue was raised some months ago, with the "alternative file context" thing.

if file_type_auto_trans also took an executable [domain] as an additional argument, i believe you stand a chance of achieving what you seek.

l.

From ivg2 at cornell.edu Mon Mar 28 12:15:29 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Mon, 28 Mar 2005 07:15:29 -0500
Subject: Desktop apps interoperability
In-Reply-To: <20050328132653.F27857@lemuria.org>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328132653.F27857@lemuria.org>
Message-ID: <1112012129.1514.187.camel@cobra.ivg2.net>

On Mon, 2005-03-28 at 13:26 +0200, Tom wrote:
> On Mon, Mar 28, 2005 at 12:27:31AM -0500, Ivan Gyurdiev wrote:
> > Part of the problem seems to be the way Linux apps treat /home, as the
> > place for everything.
>
> It doesn't. It treats $HOME as the only place that the user has
> permission to store his stuff. On a well-configured system, that
> assumption is correct.

Ah, but that's not true. The user is actively encouraged to store stuff in $HOME, and not elsewhere, because:

1) There's no other folder that exists. The average user makes use of what's already there.
2) The GNOME desktop has a large home icon where you put your files.
3) All applications that have a save dialog open /home as the default.
4) It's designated as a place to store your files in the GNOME Places
5) There's no easy way to export files you care about (minus settings) through Samba, while there is an automatic HOME share you get for /home.
6) From a SELinux viewpoint, why does the user domain *need* access to /home's setting part at all? Those are files created w/out direct user interaction. They could be made accessible to individual application domains, without user_t selinux access.

Anyway, more to the point:

7) I can't call file_type_auto_trans twice on the same folder.

> If you want applications to share data, there are several ways to
> accomplish that goal. Here's just a quick idea:
>
> * add $HOME/Downloads as a directory
> * give it its own type, maybe ROLE_downloads_t
> * give mozilla permissions to write there, with file_type_auto_trans
> * give mplayer permissions to the resulting files

...that's what I already proposed, but I'm saying that:

A) In the future if all desktop apps are restricted, this folder will have to become something more generic that doesn't have anything to do with downloads. It would become the equivalent of a new /home where you keep your files. Are there any plans to restrict desktop apps ?

B) Whatever is decided upon needs to work out of the box. It needs to be the default way things work, as opposed to me having to jump through hoops to make SElinux work. Otherwise the average user will just disable any protection and not look back.

> voila, mplayer can now play stuff downloaded from the web, without
> opening up the big hole of giving it permissions to all mozilla files.

Actually now I remember mplayer actually does have access to mozilla files... but as you say that is a hack, which shouldn't be there. However mplayer doesn't have access to gift files, which is what I was thinking of.

> The point is - I may or may not want mplayer to play random stuff from
> the web with potentially dangerous content. If you want to, evaluate
> your security requirements and institute the appropriate solution.

This email was titled "Desktop apps interoperability". It implies that we're talking about the average desktop, as opposed to a paranoid environment. The average person does not know (or care) for evaluating security requirements and dealing with selinux. He/she wants transparency, but there's still value in using selinux. If you choose to download the content in question, and choose to run mplayer on it, then it seems to me that it should work without messing with security contexts.

--------

In the short run a downloads folder sounds like a good idea to me. If added to skel, and set as the default download folder for mozilla, that would be an improvement, I think.

-- 
Ivan Gyurdiev
Cornell University

From ivg2 at cornell.edu Mon Mar 28 12:42:59 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Mon, 28 Mar 2005 07:42:59 -0500
Subject: Fedora Core 3 Test Update: kernel-2.6.11-1.7_FC3
In-Reply-To:
References: <200503270239.j2R2dliX029585@devserv.devel.redhat.com> <1112008226.1514.138.camel@cobra.ivg2.net> <1112012277.1514.191.camel@cobra.ivg2.net>
Message-ID: <1112013779.1514.199.camel@cobra.ivg2.net>

On Mon, 2005-03-28 at 14:31 +0200, Aurelien Bompard wrote:
> Ivan Gyurdiev wrote:
>
> > On Mon, 2005-03-28 at 13:46 +0200, Aurelien Bompard wrote:
> >> Ivan Gyurdiev wrote:
> >> > On Mon, 2005-03-28 at 12:55 +0200, Aurelien Bompard wrote:
> >> >> Dave Jones wrote:
> >> >> > Product : Fedora Core 3
> >> >> > Name : kernel
> >> >> > Version : 2.6.11
> >> >> > Release : 1.7_FC3
> >> >>
> >> >> With this kernel, snmpd fails to start, probably due to a selinux
> >> >> error : snmpd: /usr/sbin/snmpd: error while loading shared libraries:
> >> >> libbeecrypt.so.6: cannot enable executable stack as shared object
> >> >> requires: Permission denied
> >> >
> >> > Are there any related avc messages in the log (dmesg) ?
> >>
> >> Yes:
> >> audit(1112010219.531:0): avc: denied { execmem } for pid=4806
> >> comm=snmpd scontext=user_u:system_r:snmpd_t
> >> tcontext=user_u:system_r:snmpd_t tclass=process
> >
> > I don't get this denial on rawhide - maybe it was fixed.
> > See if there is an allow_execmem boolean, and enable that to
> > work around the denial.
>
> Thanks, but the only boolean about snmp on FC3 is snmpd_disable_trans.
> Could we have a selinux update too if this kernel is pushed to the official
> updates ?

cc-ed fedora-selinux-list.

-- 
Ivan Gyurdiev
Cornell University

From ivg2 at cornell.edu Mon Mar 28 13:46:24 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Mon, 28 Mar 2005 08:46:24 -0500
Subject: Desktop apps interoperability
In-Reply-To: <20050328151126.B28232@lemuria.org>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328132653.F27857@lemuria.org> <1112012129.1514.187.camel@cobra.ivg2.net> <20050328151126.B28232@lemuria.org>
Message-ID: <1112017584.1514.239.camel@cobra.ivg2.net>

On Mon, 2005-03-28 at 15:11 +0200, Tom wrote:
> > > It doesn't. It treats $HOME as the only place that the user has
> > > permission to store his stuff. On a well-configured system, that
> > > assumption is correct.
> >
> > Ah, but that's not true. The user is actively encouraged to store stuff
> > in $HOME, and not elsewhere, because:
>
> Because there are many reasons for that. The most important ones
> in my book are:
>
> * other locations might be mounted read-only
> * /home may be a remote (e.g. NFS) mount
> * various standards define what /usr or /var are for, and storing
>   user-specific data is not on that list
> * security - separation between system and user data

I was suggesting that content should be kept in a sub-folder of /home, not that it should be kept somewhere else. I'm sorry for the misunderstanding. I am suggesting that this folder(s) should be standardized somehow. I am saying that settings should be kept separate.

> > 6) From a SELinux viewpoint, why does the user domain *need* access
> > to /home's setting part at all? Those are files created w/out direct
> > user interaction. They could be made accessible to individual
> > application domains, without user_t selinux access.
>
> These are files that are totally created with user interaction. Just
> because Joe Dummy doesn't vi his .muttrc doesn't mean that I don't.

That's a valid point - and the way home_domain macro currently works is that it allows the user to access the data. Anyway, I still think there's advantages to keeping settings separate from "content".

> > Anyway, more to the point:
> >
> > 7) I can't call file_type_auto_trans twice on the same folder.
>
> That is why I suggested a new folder for that specific purpose. I only
> need one file_type_auto_trans there, namely when I store the stuff.
>
> If I recall correctly, I had written a mozilla policy with such a
> change a year or so ago.

So let's add this folder to /skel with the appropriate context (*different* from the current ROLE_mozilla_home_t), and make it the default for mozilla. See what I write elsewhere first tho.

> > A) In the future if all desktop apps are restricted, this folder will
> > have to become something more generic that doesn't have anything to do
> > with downloads.
>
> Are you insane?
> Generic folders are the bane of anything even resembling security.
> Being _specific_ is what SELinux is all about. That's what the ENHANCED
> means, if you strip away all the bullshit bingo words. MAC and RBAC are
> just the means used.

... that's a valid point, but how do you suggest interoperability should be addressed? When I say "generic" I don't mean that it should be used for everything under the Sun. I mean something that makes sense. Right now most of the system uses user_home_t anyway - that seems pretty generic to me.

> Downloads, especially, deserve to be treated differently, as they are
> data from untrusted sources.

... all the more reason to put them in their own folder location.

> > It would become the equivalent of a new /home where you
> > keep your files. Are there any plans to restrict desktop apps ?
>
> Define "restrict".

I mean make them run in their own domain with minimum privilege required to operate, as opposed to running in user_t. I do not mean that they should be unable to perform their intended operation.

> "Mess at will with anything else in $HOME" - why yes, absolutely. If my
> movie player has any reasons reading my mail preferences, I really want
> to know them.

Well, as of right now your movie player has the ability to read user_home_t, as a possible source of movies to play. I can't remember whether it was mplayer or xine that had the capability to act as a movie server, but I know one of them did. Now they can transmit .bashrc, and who knows what over the net.

Say I rip a bunch of songs with sound-juicer. Now I want to share them with gift (p2p app). I can't make that work out of the box without changing the context, because gift can't read user_t files. If the songs went into a common "content"-style folder, I could make that readable by gift, mplayer, and whatever needs it, and make them stay away from user_t.

> > B) Whatever is decided upon needs to work out of the box. It needs to be
> > the default way things work, as opposed to me having to jump through
> > hoops to make SElinux work. Otherwise the average user will just disable
> > any protection and not look back.
>
> There will be hoops. Just like putting on the safety belt when getting
> into your car is one.
>
> I'm sure everyone involved in SELinux development wants to avoid
> unnecessary hoops. But some will be necessary, just like a firewall,
> two virus scanners and a yearly reinstall are necessary on today's
> windos systems.

I don't think so. The hoops are unnecessary, and the problem can be solved nicely to fit all people's needs. What you're telling me is that I shouldn't bother with SElinux anymore - my main motivation for playing with this technology at all is that it's applicable to my home machine - not some ultrasecure server in a basement. I want something usable that can improve security at the same time.

> > This email was titled "Desktop apps interoperability". It implies that
> > we're talking about the average desktop, as opposed to a paranoid
> > environment. The average person does not know (or care) for evaluating
> > security requirements and dealing with selinux. He/she wants
> > transparency, but there's still value in using selinux.
>
> The average person also doesn't want their home machine turned into a
> spammer zombie. At the current growth rate, the average person will
> soon be faced with a few hard choices. I mean, you can't seriously buy
> Windows XP anymore, because you'll be infected with at least one malware
> before the download of SP2 is finished. The only option is OEM versions
> that already have at least SP2 applied.

What's the point that you're trying to make? If you're implying that security is more important than usability, then I'm not convinced.

> > If you choose to download the content in question, and choose to run
> > mplayer on it, then it seems to me that it should work without messing
> > with security contexts.
>
> Ah, but maybe you don't want mplayer to access everything you
> downloaded?

That's a tradeoff I'm inclined to accept - especially since mplayer can stream stuff off the net itself.

> In the long term, an explicit transfer (a nice GUI tool would make it
> almost painless for the user. In fact, on a drag-and-drop desktop you
> could probably add it to the drag&drop process) seems to be the better
> solution.

How exactly will that work - some details?

-- 
Ivan Gyurdiev
Cornell University

From sds at tycho.nsa.gov Mon Mar 28 13:36:32 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 28 Mar 2005 08:36:32 -0500
Subject: Desktop apps interoperability
In-Reply-To: <20050328100449.GC3430@lkcl.net>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <20050328100449.GC3430@lkcl.net>
Message-ID: <1112016992.2914.19.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-03-28 at 11:04 +0100, Luke Kenneth Casson Leighton wrote:
> On Sun, Mar 27, 2005 at 11:57:35PM -0500, Ivan Gyurdiev wrote:
>
> > There can't be more than one file_type_auto_trans on the same folder
> > type (right?).
>
> bizarrely, no.
>
> i believe this issue was raised some months ago, with the
> "alternative file context" thing.
>
> if file_type_auto_trans also took an executable [domain] as an
> additional argument, i believe you stand a chance of achieving
> what you seek.

file_type_auto_trans() is based on the domain of the creating process, the type of the parent directory, and optionally the class of the new file. Hence, you can specify different types on the same "folder" type as long as the programs run in different domains. If instead both programs run in the same domain and are acting on the same directory type and creating the same class of file, you have to make the program security-aware if you want to use multiple types on the files (or similarly, if you have a single program that creates multiple files in the same directory and you want them to have different types, the program needs to be security-aware, as with the /etc/passwd and /etc/shadow type preservation issue).

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Mon Mar 28 13:43:39 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 28 Mar 2005 08:43:39 -0500
Subject: Desktop apps interoperability
In-Reply-To: <1111985855.1514.70.camel@cobra.ivg2.net>
References: <1111985855.1514.70.camel@cobra.ivg2.net>
Message-ID: <1112017419.2914.23.camel@moss-spartans.epoch.ncsc.mil>

On Sun, 2005-03-27 at 23:57 -0500, Ivan Gyurdiev wrote:
> Fundamentally, what I want to know is:
>
> 1) Do desktop apps need to be confined? Is it a good idea to confine
> them?

Yes.

> 2) If so, a shared data type is needed for interoperability.
> Is ROLE_home_t acceptable for that purpose.

A shared data type may be fine, but ROLE_home_t isn't what you want to use. And yes, separating settings from data is useful, and yes, littering user's top-level home directories with application settings considered harmful.

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Mon Mar 28 14:01:19 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 28 Mar 2005 09:01:19 -0500
Subject: using tmpfs for /tmp and selinux
In-Reply-To: <424526CE.1020802@feuerpokemon.de>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil> <42426FAD.40109@feuerpokemon.de> <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil> <4244130C.8030304@feuerpokemon.de> <1111759184.15280.47.camel@moss-spartans.epoch.ncsc.mil> <20050325175603.GB15370@nostromo.devel.redhat.com> <1111774130.15280.153.camel@moss-spartans.epoch.ncsc.mil> <424526CE.1020802@feuerpokemon.de>
Message-ID: <1112018479.2914.31.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2005-03-26 at 10:09 +0100, dragoran wrote:
> it still does not work with the restorecon /tmp line and the policy
> changes....
> same avcs...

Hmmm...Dan reported it working for him with just those two changes. That was on a FC4/devel system with strict policy, but I'd expect it to work fine under FC3 and targeted policy too. Are you sure that you added 'allow tmpfile tmpfs_t:filesystem associate;' to your policy and rebuilt it and installed it? What are the specific avcs that you see?

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Mon Mar 28 14:13:05 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 28 Mar 2005 09:13:05 -0500
Subject: selinux error and kernel lockups
In-Reply-To:
References:
Message-ID: <1112019185.2914.40.camel@moss-spartans.epoch.ncsc.mil>

On Sun, 2005-03-27 at 08:48 -0600, Justin Conover wrote:
> The last 3 kernels in rawhide have hung my box on reboot with this
> being the last error i see on screen:
>
> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts

That isn't an error message. Just a notification that a binfmt_misc filesystem was set up and is being labeled based on the entry in policy/genfs_contexts. So the hang may have nothing to do with SELinux.

-- 
Stephen Smalley
National Security Agency

From ivg2 at cornell.edu Mon Mar 28 15:05:58 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Mon, 28 Mar 2005 10:05:58 -0500
Subject: Desktop apps interoperability
In-Reply-To: <20050328160935.B28563@lemuria.org>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328132653.F27857@lemuria.org> <1112012129.1514.187.camel@cobra.ivg2.net> <20050328151126.B28232@lemuria.org> <1112017584.1514.239.camel@cobra.ivg2.net> <20050328160935.B28563@lemuria.org>
Message-ID: <1112022358.5811.47.camel@cobra.ivg2.net>

On Mon, 2005-03-28 at 16:09 +0200, Tom wrote:
> On Mon, Mar 28, 2005 at 08:46:24AM -0500, Ivan Gyurdiev wrote:
> > I was suggesting that content should be kept in a sub-folder of /home,
> > not that it should be kept somewhere else. I'm sorry for the
> > misunderstanding. I am suggesting that this folder(s) should be
> > standardized somehow. I am saying that settings should be kept separate.
>
> ah! What you want is /home/tom/.etc/ ?

Something like that - yes.

> Aunt Ellie downloads a movie. It goes into the Download folder (or
> really anywhere, it doesn't matter much). She drags the movie icon to
> the movie player and lets it drop. Movie plays.
>
> Behind the scenes, the file is relabeled or moved into another
> directory where mplayer can access it.

How does this relate to the SElinux work to secure the X server? Should the desktop environment be trusted?

.. so what you're saying is that nautilus (running as user_t, which has read access to the file in question, as well as appropriate relabel access), should determine its mime type, or use the DND target app, and associate a context with that, which the mime handler can play, then relabel file to that context (can't copy - what if it's huge?).... and do this for every mime handler I attempt to open it with?

-- 
Ivan Gyurdiev
Cornell University

From sds at tycho.nsa.gov Mon Mar 28 15:12:30 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 28 Mar 2005 10:12:30 -0500
Subject: Desktop apps interoperability
In-Reply-To: <1112022358.5811.47.camel@cobra.ivg2.net>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328132653.F27857@lemuria.org> <1112012129.1514.187.camel@cobra.ivg2.net> <20050328151126.B28232@lemuria.org> <1112017584.1514.239.camel@cobra.ivg2.net> <20050328160935.B28563@lemuria.org> <1112022358.5811.47.camel@cobra.ivg2.net>
Message-ID: <1112022750.2914.65.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-03-28 at 10:05 -0500, Ivan Gyurdiev wrote:
> .. so what you're saying is that nautilus (running as user_t, which has
> read access to the file in question, as well as appropriate relabel
> access), should determine its mime type, or use the DND target app, and
> associate a context with that, which the mime handler can play, then
> relabel file to that context (can't copy - what if it's huge?).... and
> do this for every mime handler I attempt to open it with?

Seems fairly pointless to perform such a relabeling if the context determination is based entirely on untrusted input from the same source as the data itself and the user isn't involved to any greater degree than selecting the file in the first place. If you are going to run it through a filtering pipeline (e.g. malicious code checker), then it makes more sense to set up a relabeling or data copying pipeline using TE to ensure that each filter stage is unbypassable and tamperproof (i.e. an assured pipeline in TE parlance). Note however that relabeling in place is not necessarily safe, as Linux does not yet fully support revocation of access.

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Mon Mar 28 16:04:26 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 28 Mar 2005 11:04:26 -0500
Subject: Desktop apps interoperability
In-Reply-To: <20050328174753.D29441@lemuria.org>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328132653.F27857@lemuria.org> <1112012129.1514.187.camel@cobra.ivg2.net> <20050328151126.B28232@lemuria.org> <1112017584.1514.239.camel@cobra.ivg2.net> <20050328160935.B28563@lemuria.org> <1112022358.5811.47.camel@cobra.ivg2.net> <1112022750.2914.65.camel@moss-spartans.epoch.ncsc.mil> <20050328174753.D29441@lemuria.org>
Message-ID: <1112025866.2914.88.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-03-28 at 17:47 +0200, Tom wrote:
> Not so sure about the pointlessness here. The point is that it makes it
> more difficult to leverage exploits. Maybe I can break into Firefox,
> but with that in place I can't jump from there to mplayer by forcing it
> to play something I know will break it.

I'm not sure I understand your intent. There are two scenarios:

1) mplayer directly launched by firefox. As the attacker already has control of the firefox process, the only possible benefit of compromising a mplayer process launched by firefox is if it has further permissions needed to achieve his end goal. And how you prevent such abuse of a directly launched mplayer is unclear, e.g. do you intend firefox to engage in an IPC interaction with a process in the desktop session to ask for the downloaded file to be relabeled prior to launching mplayer on it?

2) mplayer launched by something other than firefox, e.g. user shell, nautilus, after prior download of content via firefox. At this point, the user has explicitly selected the downloaded file, thus expressing his intent (modulo any subversion of the user process itself, which is a separate issue), and can hopefully be trusted not to open files that he didn't download explicitly (if not, then how can he be trusted to make decisions about relabeling)? Hence, in this scenario, the relabeling doesn't express the user intent any better than the selection by the user of the downloaded file. Naturally, what you really want there is a trusted path mechanism.

-- 
Stephen Smalley
National Security Agency

From justin.conover at gmail.com Mon Mar 28 16:10:53 2005
From: justin.conover at gmail.com (Justin Conover)
Date: Mon, 28 Mar 2005 10:10:53 -0600
Subject: selinux error and kernel lockups
In-Reply-To: <1112019185.2914.40.camel@moss-spartans.epoch.ncsc.mil>
References: <1112019185.2914.40.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

Yeah, when i set the kernel to selinux=0 it hangs at the swap space

On Mon, 28 Mar 2005 09:13:05 -0500, Stephen Smalley wrote:
> On Sun, 2005-03-27 at 08:48 -0600, Justin Conover wrote:
> > The last 3 kernels in rawhide have hung my box on reboot with this
> > being the last error i see on screen:
> >
> > SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
>
> That isn't an error message. Just a notification that a binfmt_misc
> filesystem was set up and is being labeled based on the entry in
> policy/genfs_contexts. So the hang may have nothing to do with SELinux.
>
> --
> Stephen Smalley
> National Security Agency
>
>

From sds at tycho.nsa.gov Mon Mar 28 16:39:33 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 28 Mar 2005 11:39:33 -0500
Subject: Desktop apps interoperability
In-Reply-To: <20050328182020.A29887@lemuria.org>
References: <1111987652.1514.97.camel@cobra.ivg2.net> <20050328132653.F27857@lemuria.org> <1112012129.1514.187.camel@cobra.ivg2.net> <20050328151126.B28232@lemuria.org> <1112017584.1514.239.camel@cobra.ivg2.net> <20050328160935.B28563@lemuria.org> <1112022358.5811.47.camel@cobra.ivg2.net> <1112022750.2914.65.camel@moss-spartans.epoch.ncsc.mil> <20050328174753.D29441@lemuria.org> <1112025866.2914.88.camel@moss-spartans.epoch.ncsc.mil> <20050328182020.A29887@lemuria.org>
Message-ID: <1112027973.2914.98.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-03-28 at 18:20 +0200, Tom wrote:
> I think you are right. I did forget about programs launching other
> programs. On the other hand, doesn't that give us another option within
> SELinux? Can't we make mplayer-launched-by-firefox run in a different
> domain than mplayer-run-by-user? In that domain, it would have access
> to the downloaded files, but not to the remainder of the user data.

Yes, that would make sense to me.

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Mon Mar 28 18:23:39 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 28 Mar 2005 13:23:39 -0500
Subject: Desktop apps interoperability
In-Reply-To: <20050328182714.GG3430@lkcl.net>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <20050328100449.GC3430@lkcl.net> <1112016992.2914.19.camel@moss-spartans.epoch.ncsc.mil> <20050328182714.GG3430@lkcl.net>
Message-ID: <1112034219.2914.117.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-03-28 at 19:27 +0100, Luke Kenneth Casson Leighton wrote:
> ... question: in what ways do you ensure that a security-aware
> compromised program is only allowed to create certain filetypes?

In the same manner as with a security-unaware program; the domain must be allowed create permission to the file type via an allow rule.

-- 
Stephen Smalley
National Security Agency

From lkcl at lkcl.net Mon Mar 28 18:27:14 2005
From: lkcl at lkcl.net (Luke Kenneth Casson Leighton)
Date: Mon, 28 Mar 2005 19:27:14 +0100
Subject: Desktop apps interoperability
In-Reply-To: <1112016992.2914.19.camel@moss-spartans.epoch.ncsc.mil>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <20050328100449.GC3430@lkcl.net> <1112016992.2914.19.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20050328182714.GG3430@lkcl.net>

On Mon, Mar 28, 2005 at 08:36:32AM -0500, Stephen Smalley wrote:
> On Mon, 2005-03-28 at 11:04 +0100, Luke Kenneth Casson Leighton wrote:
> > On Sun, Mar 27, 2005 at 11:57:35PM -0500, Ivan Gyurdiev wrote:
> >
> > > There can't be more than one file_type_auto_trans on the same folder
> > > type (right?).
> >
> > bizarrely, no.
> >
> > i believe this issue was raised some months ago, with the
> > "alternative file context" thing.
> >
> > if file_type_auto_trans also took an executable [domain] as an
> > additional argument, i believe you stand a chance of achieving
> > what you seek.
>
> file_type_auto_trans() is based on the domain of the creating process,
> the type of the parent directory, and optionally the class of the new
> file.

brain-lapse. of course it is. duh.

> [description of how to make programs security-aware]

so the issue ivan describes _can_ be solved.

... question: in what ways do you ensure that a security-aware compromised program is only allowed to create certain filetypes? is it to do with using compute_av()?

l.

From sds at tycho.nsa.gov Mon Mar 28 19:46:06 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 28 Mar 2005 14:46:06 -0500
Subject: Desktop apps interoperability
In-Reply-To: <20050328195450.GH3430@lkcl.net>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <20050328100449.GC3430@lkcl.net> <1112016992.2914.19.camel@moss-spartans.epoch.ncsc.mil> <20050328182714.GG3430@lkcl.net> <1112034219.2914.117.camel@moss-spartans.epoch.ncsc.mil> <20050328195450.GH3430@lkcl.net>
Message-ID: <1112039166.2914.131.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-03-28 at 20:54 +0100, Luke Kenneth Casson Leighton wrote:
> ... there's nothing special needed? ...
>
> oh - yes, i get it. create filetype.
> nothing to do with file_type_auto_trans itself.

file_type_auto_trans() is a macro that expands to file_type_trans() and a type_transition rule specifying the default type for the new files. file_type_trans() is a macro that expands to the set of allow rules needed for the domain to create the file (including appropriate permissions to the parent directory as well as to the file). The allow rules are always needed for such a file creation to occur. The type_transition rule specifies a default in the absence of anything specified by the program via setfscreatecon(3). The ability to use setfscreatecon(3) does require that the domain have one additional permission, setfscreate, but the permission checks governing the actual file creation are the same.

This is a general principle in SELinux; the same set of permission checks are applied for operations regardless of whether the type was application-specified or a default value, so that you can always determine what is permissible via the allow rules. The same is true of exec transitions for processes. The set of permission checks doesn't change; only the types involved change.

-- 
Stephen Smalley
National Security Agency

From lkcl at lkcl.net Mon Mar 28 19:54:50 2005
From: lkcl at lkcl.net (Luke Kenneth Casson Leighton)
Date: Mon, 28 Mar 2005 20:54:50 +0100
Subject: Desktop apps interoperability
In-Reply-To: <1112034219.2914.117.camel@moss-spartans.epoch.ncsc.mil>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <20050328100449.GC3430@lkcl.net> <1112016992.2914.19.camel@moss-spartans.epoch.ncsc.mil> <20050328182714.GG3430@lkcl.net> <1112034219.2914.117.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20050328195450.GH3430@lkcl.net>

On Mon, Mar 28, 2005 at 01:23:39PM -0500, Stephen Smalley wrote:
> On Mon, 2005-03-28 at 19:27 +0100, Luke Kenneth Casson Leighton wrote:
> > ... question: in what ways do you ensure that a security-aware
> > compromised program is only allowed to create certain filetypes?
>
> In the same manner as with a security-unaware program; the domain must
> be allowed create permission to the file type via an allow rule.

... there's nothing special needed? ...

oh - yes, i get it. create filetype.
nothing to do with file_type_auto_trans itself.

l.

From rogelio.serrano at gmail.com Mon Mar 28 10:17:14 2005
From: rogelio.serrano at gmail.com (Rogelio Serrano)
Date: Mon, 28 Mar 2005 18:17:14 +0800
Subject: Desktop apps interoperability
In-Reply-To: <20050328100140.GB3430@lkcl.net>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328100140.GB3430@lkcl.net>
Message-ID:

On Mon, 28 Mar 2005 11:01:40 +0100, Luke Kenneth Casson Leighton wrote:
> On Mon, Mar 28, 2005 at 12:27:31AM -0500, Ivan Gyurdiev wrote:
>
> > Now Windows' approach of having "My Documents" and the like is starting
> > to make a lot of sense (even though I absolutely hate those names).
>
> and the concept of a registry, too.
>
> unix has a lot of legacy headaches to answer for that make its
> useability as a desktop system a pain in the neck.
>
> perhaps this is one that's worthwhile raising with the linux
> standards base people?
>
> if it doesn't present a solution "now" it might at least get one into
> the pipeline and start to make a difference in five to ten years time.
>
> l.
>

NextStep and Mac OS X solved this problem very elegantly. IMHO.

-- 
Blood is thicker than water... and much tastier
    John Davidorff Pell

From tom at lemuria.org Mon Mar 28 11:26:54 2005
From: tom at lemuria.org (Tom)
Date: Mon, 28 Mar 2005 13:26:54 +0200
Subject: Desktop apps interoperability
In-Reply-To: <1111987652.1514.97.camel@cobra.ivg2.net>; from ivg2@cornell.edu on Mon, Mar 28, 2005 at 12:27:31AM -0500
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net>
Message-ID: <20050328132653.F27857@lemuria.org>

On Mon, Mar 28, 2005 at 12:27:31AM -0500, Ivan Gyurdiev wrote:
> Part of the problem seems to be the way Linux apps treat /home, as the
> place for everything.

It doesn't. It treats $HOME as the only place that the user has permission to store his stuff. On a well-configured system, that assumption is correct.

> Why are both app. settings and user data stored
> in /home as the default location.

Because otherwise the user couldn't add or edit them.

> Now Windows' approach of having "My Documents" and the like is starting
> to make a lot of sense (even though I absolutely hate those names).

The Linux approach, however, allows much more flexibility. If you want applications to share data, there are several ways to accomplish that goal. Here's just a quick idea:

* add $HOME/Downloads as a directory
* give it its own type, maybe ROLE_downloads_t
* give mozilla permissions to write there, with file_type_auto_trans
* give mplayer permissions to the resulting files

voila, mplayer can now play stuff downloaded from the web, without opening up the big hole of giving it permissions to all mozilla files.

Another solution, for a more paranoid environment would be adding a virus/malware scanner domain that can read mozilla's files and write them out again (after checking and/or cleaning) as a regular ROLE_home_t file. This would ensure that any files fully accessible in the home directory have been scanned.

The point is - I may or may not want mplayer to play random stuff from the web with potentially dangerous content. If you want to, evaluate your security requirements and institute the appropriate solution.

-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt
     Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5

From tom at lemuria.org Mon Mar 28 13:11:26 2005
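A policy fragment added here as an example (it is not code from any poster in this thread or from the SELinux project) that spells out Tom's Downloads-directory steps above in the macro style of the 2005 example policy, and shows where Stephen's earlier point applies: file_type_auto_trans() is allow rules plus a type_transition default, and setfscreatecon(3) goes through the same create checks. It assumes mozilla_t, mplayer_t, user_t and user_home_t exist as in the strict policy of that era, that the attributes file_type, sysadmfile, home_dir_type and home_type are defined there, and that r_dir_perms, r_file_perms, create_dir_perms and create_file_perms are the usual permission-set macros; user_downloads_dir_t and user_downloads_t are names chosen for this example (Tom's ROLE_downloads_t instantiated for the user role), and other_app_t is a hypothetical second domain.

```sepolicy
# Added example: a per-user Downloads directory with its own types.
# Assumed to exist (2005 example policy): mozilla_t, mplayer_t, user_t,
# user_home_t, the attributes file_type/sysadmfile/home_dir_type/home_type
# and the perms macros used below.  user_downloads_dir_t and
# user_downloads_t are names chosen for this example.

# One type for the directory, a different one for files created inside it,
# so read access to downloads never implies access to the rest of $HOME.
type user_downloads_dir_t, file_type, sysadmfile, home_dir_type;
type user_downloads_t, file_type, sysadmfile, home_type;

# Label the directory on disk.  This line belongs in a file_contexts file,
# not in the .te, and is shown here only for completeness:
#   HOME_DIR/Downloads(/.*)?    system_u:object_r:user_downloads_dir_t

# Files the browser creates under Downloads default to user_downloads_t.
# The macro expands to file_type_trans() (the allow rules mozilla_t needs on
# user_downloads_dir_t:dir and on user_downloads_t:file) plus
#   type_transition mozilla_t user_downloads_dir_t:file user_downloads_t;
# The type_transition only picks the default label; the allow rules are what
# is actually checked when the file is created.
file_type_auto_trans(mozilla_t, user_downloads_dir_t, user_downloads_t, file)

# The player gets read-only access to downloaded data and no rule at all for
# user_home_t: a malformed download that subverts mplayer is confined to the
# Downloads directory instead of reaching mail, keys and settings.
allow mplayer_t user_downloads_dir_t:dir r_dir_perms;
allow mplayer_t user_downloads_t:file r_file_perms;

# The user's own domain manages the directory and performs the "explicit
# transfer" the thread discusses: relabeling a file the user has looked at
# to user_home_t.  Both directions of the relabel must be allowed.
# Caveat from the thread: relabeling in place does not revoke access from a
# process that already holds the file open, so copy into a fresh file when
# that matters.
allow user_t user_downloads_dir_t:dir create_dir_perms;
allow user_t user_downloads_t:file create_file_perms;
allow user_t user_downloads_t:file relabelfrom;
allow user_t user_home_t:file relabelto;

# A second auto-transition on the SAME directory type is fine as long as the
# creating domain differs (other_app_t is hypothetical):
#   file_type_auto_trans(other_app_t, user_downloads_dir_t, user_downloads_t, file)
# Two different default types for the same domain and directory type would
# conflict.  A program that needs more than one type in one directory must
# choose it itself with setfscreatecon(3), which additionally requires
#   allow mozilla_t self:process setfscreate;
# and still passes exactly the create checks above, so it cannot request a
# type it has no allow rule for.
```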
From: tom at lemuria.org (Tom)
Date: Mon, 28 Mar 2005 15:11:26 +0200
Subject: Desktop apps interoperability
In-Reply-To: <1112012129.1514.187.camel@cobra.ivg2.net>; from ivg2@cornell.edu on Mon, Mar 28, 2005 at 07:15:29AM -0500
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328132653.F27857@lemuria.org> <1112012129.1514.187.camel@cobra.ivg2.net>
Message-ID: <20050328151126.B28232@lemuria.org>

> > It doesn't. It treats $HOME as the only place that the user has
> > permission to store his stuff. On a well-configured system, that
> > assumption is correct.
>
> Ah, but that's not true. The user is actively encouraged to store stuff
> in $HOME, and not elsewhere, because:

Because there are many reasons for that. The most important ones in my book are:

* other locations might be mounted read-only
* /home may be a remote (e.g. NFS) mount
* various standards define what /usr or /var are for, and storing user-specific data is not on that list
* security - separation between system and user data

That last one is the one that we don't want to break, on a SECURITY ENHANCED Linux system least of all. All your reasons except for #1 are really just consequences of the fact that /home is where Unix users store their stuff.

> 6) From a SELinux viewpoint, why does the user domain *need* access
> to /home's setting part at all? Those are files created w/out direct
> user interaction. They could be made accessible to individual
> application domains, without user_t selinux access.

These are files that are totally created with user interaction. Just because Joe Dummy doesn't vi his .muttrc doesn't mean that I don't. It also saves us the headache of writing a policy for each and every file that stores something in $HOME - which means pretty much everything that has an options or settings dialog.

> Anyway, more to the point:
>
> 7) I can't call file_type_auto_trans twice on the same folder.

That is why I suggested a new folder for that specific purpose. I only need one file_type_auto_trans there, namely when I store the stuff. If I recall correctly, I had written a mozilla policy with such a change a year or so ago.

> A) In the future if all desktop apps are restricted, this folder will
> have to become something more generic that doesn't have anything to do
> with downloads.

Are you insane? Generic folders are the bane of anything even resembling security. Being _specific_ is what SELinux is all about. That's what the ENHANCED means, if you strip away all the bullshit bingo words. MAC and RBAC are just the means used.

Downloads, especially, deserve to be treated differently, as they are data from untrusted sources.

> It would become the equivalent of a new /home where you
> keep your files. Are there any plans to restrict desktop apps ?

Define "restrict". "Do their intended operation" - no, I don't think there are any plans to prevent that. "Mess at will with anything else in $HOME" - why yes, absolutely. If my movie player has any reason for reading my mail preferences, I really want to know it.

> B) Whatever is decided upon needs to work out of the box. It needs to be
> the default way things work, as opposed to me having to jump through
> hoops to make SElinux work. Otherwise the average user will just disable
> any protection and not look back.

There will be hoops. Just like putting on the safety belt when getting into your car is one. I'm sure everyone involved in SELinux development wants to avoid unnecessary hoops. But some will be necessary, just like a firewall, two virus scanners and a yearly reinstall are necessary on today's windos systems.

> This email was titled "Desktop apps interoperability". It implies that
> we're talking about the average desktop, as opposed to a paranoid
> environment. The average person does not know (or care) for evaluating
> security requirements and dealing with selinux. He/she wants
> transparency, but there's still value in using selinux.

The average person also doesn't want their home machine turned into a spammer zombie. At the current growth rate, the average person will soon be faced with a few hard choices. I mean, you can't seriously buy Windows XP anymore, because you'll be infected with at least one malware before the download of SP2 is finished. The only option is OEM versions that already have at least SP2 applied.

> If you choose to download the content in question, and choose to run
> mplayer on it, then it seems to me that it should work without messing
> with security contexts.

Ah, but maybe you don't want mplayer to access everything you downloaded?

In the long term, an explicit transfer (a nice GUI tool would make it almost painless for the user. In fact, on a drag-and-drop desktop you could probably add it to the drag&drop process) seems to be the better solution.

-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt
     Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5

From tom at lemuria.org Mon Mar 28 14:09:36 2005
From: tom at lemuria.org (Tom)
Date: Mon, 28 Mar 2005 16:09:36 +0200
Subject: Desktop apps interoperability
In-Reply-To: <1112017584.1514.239.camel@cobra.ivg2.net>; from ivg2@cornell.edu on Mon, Mar 28, 2005 at 08:46:24AM -0500
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328132653.F27857@lemuria.org> <1112012129.1514.187.camel@cobra.ivg2.net> <20050328151126.B28232@lemuria.org> <1112017584.1514.239.camel@cobra.ivg2.net>
Message-ID: <20050328160935.B28563@lemuria.org>

On Mon, Mar 28, 2005 at 08:46:24AM -0500, Ivan Gyurdiev wrote:
> I was suggesting that content should be kept in a sub-folder of /home,
> not that it should be kept somewhere else. I'm sorry for the
> misunderstanding. I am suggesting that this folder(s) should be
> standardized somehow. I am saying that settings should be kept separate.

ah! What you want is /home/tom/.etc/ ?

> > Generic folders are the bane of anything even resembling security.
> > Being _specific_ is what SELinux is all about. That's what the ENHANCED
> > means, if you strip away all the bullshit bingo words. MAC and RBAC are
> > just the means used.
>
> ... that's a valid point, but how do you suggest interoperability should
> be addressed? When I say "generic" I don't mean that it should be used
> for everything under the Sun. I mean something that makes sense.

I posted my vision below - an explicit transfer. True, you can still trick the user, but it stops any automated exploits.

> > Downloads, especially, deserve to be treated differently, as they are
> > data from untrusted sources.
>
> ... all the more reason to put them in their own folder location.

As I suggested. :)

> > > It would become the equivalent of a new /home where you
> > > keep your files. Are there any plans to restrict desktop apps ?
> >
> > Define "restrict".
>
> I mean make them run in their own domain with minimum privilege
> required to operate, as opposed to running in user_t. I do not
> mean that they should be unable to perform their intended operation.

Then yes, I do believe many programs should be restricted. Anything with outside contact (web browser, mail reader, etc.) most definitely.

> Say I rip a bunch of songs with sound-juicer. Now I want to share them
> with gift (p2p app). I can't make that work out of the box without
> changing the context, because gift can't read user_t files. If the songs
> went into a common "content"-style folder, I could make that readable by
> gift, mplayer, and whatever needs it, and make them stay away from
> user_t.

I'm still opposed to a generic "content" directory. However, what about a generic "share" directory with proper auto_trans rules? Anything I explicitly move there is readable by anything that knows what read() is.

> I don't think so. The hoops are unnecessary, and the problem can be
> solved nicely to fit all people's needs. What you're telling me is that
> I shouldn't bother with SElinux anymore - my main motivation for
> playing with this technology at all is that it's applicable to my home
> machine - not some ultrasecure server in a basement. I want something
> usable that can improve security at the same time.

SELinux is incredibly flexible. It can be configured totally insecure, if you want. :)

> > The average person also doesn't want their home machine turned into a
> > spammer zombie. At the current growth rate, the average person will
> > soon be faced with a few hard choices. I mean, you can't seriously buy
> > Windows XP anymore, because you'll be infected with at least one malware
> > before the download of SP2 is finished. The only option is OEM versions
> > that already have at least SP2 applied.
>
> What's the point that you're trying to make?
> If you're implying that security is more important than usability, then
> I'm not convinced.

I'm implying that jumping through hoops for security reasons is becoming generally accepted. Most dummy users know that they need a virus scanner. They have no idea what it is, except that it somehow protects them from viruses. In fact, most dummy users I've talked to don't know the difference between a firewall and a virus scanner. However, they are quite willing to put up with whatever inconvenience the virus scanner is putting on them, because the point that it's necessary has been hammered home.

Why should Linux be any different? "Ok, aunt Ellie, this is a Linux system. It doesn't need a virus scanner like your windos system did, but [add whatever we finally agree on as the user-friendly-and-still-safe method]"

> That's a tradeoff I'm inclined to accept - especially since mplayer can
> stream stuff off the net itself.

Not if you don't want. That's the beauty of SELinux - I don't care how many kitchen sinks they've built into their software, on _my_ system it does what I allow it to do and nothing else.

> > In the long term, an explicit transfer (a nice GUI tool would make it
> > almost painless for the user. In fact, on a drag-and-drop desktop you
> > could probably add it to the drag&drop process) seems to be the better
> > solution.
>
> How exactly will that work - some details?

Aunt Ellie downloads a movie. It goes into the Download folder (or really anywhere, it doesn't matter much). She drags the movie icon to the movie player and lets it drop. Movie plays.

Behind the scenes, the file is relabeled or moved into another directory where mplayer can access it.

Why is this more secure? Because it requires the intervention of a "trusted 3rd party" (the desktop environment) so you can not force bad data on my mplayer by compromising Firefox. You can not, for example, create movie-player-popup ads.

-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt
     Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5

From tom at lemuria.org Mon Mar 28 15:41:00 2005
From: tom at lemuria.org (Tom) Date: Mon, 28 Mar 2005 17:41:00 +0200 Subject: Desktop apps interoperability In-Reply-To: <1112022358.5811.47.camel@cobra.ivg2.net>; from ivg2@cornell.edu on Mon, Mar 28, 2005 at 10:05:58AM -0500 References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328132653.F27857@lemuria.org> <1112012129.1514.187.camel@cobra.ivg2.net> <20050328151126.B28232@lemuria.org> <1112017584.1514.239.camel@cobra.ivg2.net> <20050328160935.B28563@lemuria.org> <1112022358.5811.47.camel@cobra.ivg2.net> Message-ID: <20050328174059.C29441@lemuria.org> On Mon, Mar 28, 2005 at 10:05:58AM -0500, Ivan Gyurdiev wrote: > > ah! What you want is /home/tom/.etc/ ? > > Something like that - yes. Ok, that's a good idea. > > Behind the scenes, the file is relabeled or moved into another > > directory where mplayer can access it. > > How does this relate to the SElinux work to secure the X server? Not at all. X doesn't come in here. There's no reason why I can't do something similar in non-X environments. > Should the desktop environment be trusted? Everything is trusted - to a degree. Can I trust my desktop environment to relabel one filetype to one other filetype? For a military system the answer would be no, but for a desktop system I think that's a risk we can take. > .. so what you're saying is that nautilus (running as user_t, which has > read access to the file in question, as well as appropriate relabel > access), should determine its mime type, or use the DND target app, and > associate a context with that, which the mime handler can play, then > relabel file to that context (can't copy - what if it's huge?).... and > do this for every mime handler I attempt to open it with? You could do priviledge seperation and have a relabeling demon running in the background. There's a dozen ways to do it. I really don't care much about which exactly is used. 
The point I'm adamant about is two-fold: a) no generic directories accessible by anyone and their dog - b) explicit transfers through user interaction are a good idea. Not everything should be transparent. Firefox's "hey, you downloaded this .exe from the 'net, you sure you really wanna run it?" is a _good_ idea.

From tom at lemuria.org Mon Mar 28 15:47:54 2005
From: tom at lemuria.org (Tom)
Date: Mon, 28 Mar 2005 17:47:54 +0200
Subject: Desktop apps interoperability
In-Reply-To: <1112022750.2914.65.camel@moss-spartans.epoch.ncsc.mil>; from sds@tycho.nsa.gov on Mon, Mar 28, 2005 at 10:12:30AM -0500
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328132653.F27857@lemuria.org> <1112012129.1514.187.camel@cobra.ivg2.net> <20050328151126.B28232@lemuria.org> <1112017584.1514.239.camel@cobra.ivg2.net> <20050328160935.B28563@lemuria.org> <1112022358.5811.47.camel@cobra.ivg2.net> <1112022750.2914.65.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20050328174753.D29441@lemuria.org>

On Mon, Mar 28, 2005 at 10:12:30AM -0500, Stephen Smalley wrote:
> Seems fairly pointless to perform such a relabeling if the context
> determination is based entirely on untrusted input from the same source
> as the data itself and the user isn't involved to any greater degree
> than selecting the file in the first place.

Not so sure about the pointlessness here. The point is that it makes it more difficult to leverage exploits. Maybe I can break into Firefox, but with that in place I can't jump from there to mplayer by forcing it to play something I know will break it. Lots and lots of system compromises I know about took more than one exploit and more than one program needed to be broken.

Nevertheless, an explicit "good file" filter is certainly added value. It doesn't have to be a full-blown virus scanner - on a proper SELinux system I would expect any unexpected behaviour in mplayer to be contained. Nevertheless, the filter should at least check whether the data in question is what it claims to be. No need to port the nightmare of .doc files that really are .exe or whatever to Linux.
From tom at lemuria.org Mon Mar 28 16:20:20 2005
From: tom at lemuria.org (Tom)
Date: Mon, 28 Mar 2005 18:20:20 +0200
Subject: Desktop apps interoperability
In-Reply-To: <1112025866.2914.88.camel@moss-spartans.epoch.ncsc.mil>; from sds@tycho.nsa.gov on Mon, Mar 28, 2005 at 11:04:26AM -0500
References: <1111987652.1514.97.camel@cobra.ivg2.net> <20050328132653.F27857@lemuria.org> <1112012129.1514.187.camel@cobra.ivg2.net> <20050328151126.B28232@lemuria.org> <1112017584.1514.239.camel@cobra.ivg2.net> <20050328160935.B28563@lemuria.org> <1112022358.5811.47.camel@cobra.ivg2.net> <1112022750.2914.65.camel@moss-spartans.epoch.ncsc.mil> <20050328174753.D29441@lemuria.org> <1112025866.2914.88.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20050328182020.A29887@lemuria.org>

On Mon, Mar 28, 2005 at 11:04:26AM -0500, Stephen Smalley wrote:
> I'm not sure I understand your intent. There are two scenarios:
> 1) mplayer directly launched by firefox. As the attacker already has
[...]
> 2) mplayer launched by something other than firefox, e.g. user shell,
[...]
> user of the downloaded file. Naturally, what you really want there is a
> trusted path mechanism.

Hmm. I think you are right. I did forget about programs launching other programs.

On the other hand, doesn't that give us another option within SELinux? Can't we make mplayer-launched-by-firefox run in a different domain than mplayer-run-by-user? In that domain, it would have access to the downloaded files, but not to the remainder of the user data.

From casey at schaufler-ca.com Mon Mar 28 16:51:09 2005
From: casey at schaufler-ca.com (Casey Schaufler)
Date: Mon, 28 Mar 2005 08:51:09 -0800 (PST)
Subject: Desktop apps interoperability
In-Reply-To: 6667
Message-ID: <20050328165109.60425.qmail@web31603.mail.mud.yahoo.com>

--- Tom wrote:
> On Mon, Mar 28, 2005 at 12:27:31AM -0500, Ivan Gyurdiev wrote:
> > Part of the problem seems to be the way Linux apps treat /home, as the
> > place for everything.
>
> It doesn't. It treats $HOME as the only place that the user has
> permission to store his stuff. On a well-configured system, that
> assumption is correct.

Windows and MacOS are designed as single user systems. Unix and Linux are designed as multiuser systems. Configuring a Windows system for multiple concurrent users is quite painful. Configuring unix for a single user seems unnecessarily difficult.

Interestingly, when we did the B1/LSPP versions of unix the home directory model helped reduce the problem of user sensitivity restrictions by isolating the part of the directory hierarchy that had to be customized for the user.

Casey Schaufler
casey at schaufler-ca.com

From lfarkas at bppiac.hu Tue Mar 29 12:52:28 2005
From: lfarkas at bppiac.hu (Farkas Levente)
Date: Tue, 29 Mar 2005 14:52:28 +0200
Subject: selinux with gosa
Message-ID: <42494F8C.5030300@bppiac.hu>

hi,
has anyone tried to use gosa with selinux? since gosa tries to write into the /var/spool/gosa directory which has var_spool_t type and by default it can write into this directory. what is the preferred way to enable write for gosa into this directory? should i simply change /var/spool/gosa to httpd_sys_script_rw_t? it's working but i don't know what is the right solution.
another question: how can i add this attrib to the gosa rpm for /var/spool/gosa?
yours.

--
Levente "Si vis pacem para bellum!"

From dwalsh at redhat.com Tue Mar 29 12:56:55 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 29 Mar 2005 07:56:55 -0500
Subject: selinux with gosa
In-Reply-To: <42494F8C.5030300@bppiac.hu>
References: <42494F8C.5030300@bppiac.hu>
Message-ID: <42495097.6010100@redhat.com>

Farkas Levente wrote:
> hi,
> has anyone tried to use gosa with selinux?
> since gosa tries to write into the /var/spool/gosa directory which has
> var_spool_t type and by default it can write into this directory. what
> is the preferred way to enable write for gosa into this directory?
> should i simply change /var/spool/gosa to httpd_sys_script_rw_t? it's
> working but i don't know what is the right solution.
> another question: how can i add this attrib to the gosa rpm for
> /var/spool/gosa?
> yours.
>
Yes that is a good solution.

chcon -R -t httpd_sys_script_rw_t /var/spool/gosa

If you are using rawhide you can just add

/var/spool/gosa(/.*)? system_u:object_r:httpd_sys_script_rw_t

to /etc/selinux/targeted/contexts/files/file_contexts.local

And then RPM will pick it up on install. We have not backported this to FC3/RHEL4 yet.

Dan

From lfarkas at bppiac.hu Tue Mar 29 13:13:24 2005
From: lfarkas at bppiac.hu (Farkas Levente)
Date: Tue, 29 Mar 2005 15:13:24 +0200
Subject: selinux with gosa
In-Reply-To: <42495097.6010100@redhat.com>
References: <42494F8C.5030300@bppiac.hu> <42495097.6010100@redhat.com>
Message-ID: <42495474.4090600@bppiac.hu>

Daniel J Walsh wrote:
> Farkas Levente wrote:
>
>> hi,
>> has anyone tried to use gosa with selinux?
>> since gosa tries to write into the /var/spool/gosa directory which has
>> var_spool_t type and by default it can write into this directory. what
>> is the preferred way to enable write for gosa into this directory?
>> should i simply change /var/spool/gosa to httpd_sys_script_rw_t? it's
>> working but i don't know what is the right solution.
>> another question: how can i add this attrib to the gosa rpm for
>> /var/spool/gosa?
>> yours.
>>
> Yes that is a good solution.
>
> chcon -R -t httpd_sys_script_rw_t /var/spool/gosa
>
> If you are using rawhide you can just add
>
> /var/spool/gosa(/.*)? system_u:object_r:httpd_sys_script_rw_t
> to /etc/selinux/targeted/contexts/files/file_contexts.local
>
> And then RPM will pick it up on install. We have not backported this
> to FC3/RHEL4 yet.

and how can i add this attrib to the rpm? in the rpm there is an empty /var/spool/gosa directory. should i do a

chcon -R -t httpd_sys_script_rw_t /var/spool/gosa

during the rpm build section and the rpm automatically will include the attribs? or what is the preferred way to include file attribs in the rpm packages?
thanks in advance.
yours.

--
Levente "Si vis pacem para bellum!"

From matousu at volny.cz Tue Mar 29 13:08:35 2005
From: matousu at volny.cz (matousu at volny.cz)
Date: Tue, 29 Mar 2005 15:08:35 +0200 (CEST)
Subject: different md5sums for files on /dev/cdrom
Message-ID: <0b0fb5941ed99a7e61bcd3e890f542d8@www3.mail.volny.cz>

Hi,

I have encountered a strange problem while reading my files from CDROM. I am still troubleshooting this, so I appreciate any help or notice on the problem I am describing below.

HW: ASUS Pundit-R with Intel Prescott, Seagate ST3200822AS as hdc and
hda: HL-DT-STDVDRRW GWA-4161B, ATAPI CD/DVD-ROM drive
hda: ATAPI 40X DVD-ROM DVD-R CD-R/RW drive, 2048kB Cache, UDMA(33)

SW:
# uname -a
Linux pundit 2.6.10-1.741_FC3smp #1 SMP Thu Jan 13 16:53:16 EST 2005 i686 i686 i386 GNU/Linux
- W2k installed on another partition.

PROBLEM:
I have cdrom A with a file, let's say the file is named file.cdrom-fc3, when mounted on fc3 linux.
On fc3 linux hdc6 I have a file, let's say file.w2k-to-fc3, which I have previously read from cdrom A in Windows 2k and saved on shared vfat and transferred to hdc6 after my fc3 linux boot. There is nothing wrong with this file.
I have another linux on another machine, a dell latitude with RH9 and kernel 2.4.20. Let's say the file on cdrom A becomes file.rh9 when I mount the cdrom in this linuxbox.

So now we have three files, all of them should have the same md5sum, as the files are based on the same source, and here they are:

0fed8b1345de558c18c5c9fa164b192a file.w2k-to-fc3 ---> OK
a1a4a1174be8579bee5c83caa5f696aa file.cdrom-fc3 !!!!! BAD
0fed8b1345de558c18c5c9fa164b192a file.rh9 ---> OK

So, the fc3 kernel driver handling the cdrom badly affects the files. This is valid for any cdrom and any file. The main effect is that mpeg or jpeg files are not or are badly readable in fc3. For instance mplayer gives messages like

[msmpeg4 @ 0x84e4bc8]Error at MB: 644
[msmpeg4 @ 0x84e4bc8]concealing 2147483647 errors.

with artefacts during the playback. But the side effect within the app is not important now.
I have disabled selinux and the behavior of jpeg files is better now, I can read most of them, but still not OK, as visible also from md5sums.

I can say the cdrom drive is OK because it works well in w2k. Also the file on cdrom is OK and healthy. It works in other OSes.

So I am suspecting these systems:
o kernel driver
o cdrom drive hdparameters - I am using default fc3 settings
o some other part of kernel sitting over devices, like selinux ?

I really need to solve this so I appreciate _ANY_ info. At least, if i write to the wrong list, send me the email of people who are able to help find the reason for this problem, and advise a solution.

Thanks in advance,
Petr

From sds at tycho.nsa.gov Tue Mar 29 13:54:17 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 29 Mar 2005 08:54:17 -0500
Subject: Desktop apps interoperability
In-Reply-To: <20050329113321.GC24833@vnl.com>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328100140.GB3430@lkcl.net> <20050329113321.GC24833@vnl.com>
Message-ID: <1112104457.4339.21.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-03-29 at 12:33 +0100, Dale Amon wrote:
> I will run screaming if someone imports the registry
> concept into Unix.

Better start running then. gconf is already being used as a registry, and there is a linux registry aka elektra project as well.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Tue Mar 29 14:07:59 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 29 Mar 2005 09:07:59 -0500
Subject: selinux with gosa
In-Reply-To: <42495474.4090600@bppiac.hu>
References: <42494F8C.5030300@bppiac.hu> <42495097.6010100@redhat.com> <42495474.4090600@bppiac.hu>
Message-ID: <4249613F.30206@redhat.com>

Farkas Levente wrote:
> Daniel J Walsh wrote:
>
>> Farkas Levente wrote:
>>
>>> hi,
>>> has anyone tried to use gosa with selinux?
>>> since gosa tries to write into the /var/spool/gosa directory which has
>>> var_spool_t type and by default it can write into this directory.
>>> what is the preferred way to enable write for gosa into this
>>> directory? should i simply change /var/spool/gosa to
>>> httpd_sys_script_rw_t? it's working but i don't know what is the
>>> right solution.
>>> another question: how can i add this attrib to the gosa rpm for
>>> /var/spool/gosa?
>>> yours.
>>>
>> Yes that is a good solution.
>>
>> chcon -R -t httpd_sys_script_rw_t /var/spool/gosa
>>
>> If you are using rawhide you can just add
>>
>> /var/spool/gosa(/.*)? system_u:object_r:httpd_sys_script_rw_t
>> to /etc/selinux/targeted/contexts/files/file_contexts.local
>>
>> And then RPM will pick it up on install. We have not backported
>> this to FC3/RHEL4 yet.
>
>
> and how can i add this attrib to the rpm? in the rpm there is an empty
> /var/spool/gosa directory. should i do a
> chcon -R -t httpd_sys_script_rw_t /var/spool/gosa
> during the rpm build section and the rpm automatically will include the
> attribs? or what is the preferred way to include file attribs in the
> rpm packages?
> thanks in advance.
> yours.
>
Currently there is none. You could do it in a post install script, something like

[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && chcon -t httpd_sys_script_rw_t /var/spool/gosa

Or you could ask the guy doing the policy for Fedora to add a line to default policy to do this automagically. Oh right that is me. :^)

I will add this line to policy and submit it for upstream acceptance.
Dan

From walters at redhat.com Tue Mar 29 15:39:58 2005
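Dan's file_contexts.local line above is an ordinary file_contexts entry: a path regex, an optional file-type field, and a context. As an added example (not code from the thread or from libselinux), here is a small Python resolver that parses such a fragment and reports which entry a restorecon-style relabel would apply to a path; the /var/spool/gosa entry is Dan's, the other sample entries are constructed approximations of the targeted policy, and the "longest literal prefix wins, later entry wins ties" rule is this example's simplification of how libselinux orders entries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in file_contexts format. The /var/spool/gosa entry is the
# one Dan suggests in the thread; the remaining entries are illustrative
# approximations of the targeted policy, not copied from it.
SAMPLE_FILE_CONTEXTS = """\
# regex               [file type]  context (or <<none>> = leave label alone)
/.*                                system_u:object_r:default_t
/etc(/.*)?                         system_u:object_r:etc_t
/home                       -d     system_u:object_r:home_root_t
/home/[^/]+/.+                     system_u:object_r:user_home_t
/var/spool(/.*)?                   system_u:object_r:var_spool_t
/var/spool/gosa(/.*)?              system_u:object_r:httpd_sys_script_rw_t
/var/spool/gosa/\\.lock             <<none>>
"""

# Characters that start regex syntax; everything before the first one is the
# literal prefix this example uses for "most specific entry wins".
_META = set(".[(*?+^$|\\{")


@dataclass
class Spec:
    pattern: str            # path regex as written in the file
    ftype: Optional[str]    # "-d" directory, "--" regular file, ... or None = any
    context: Optional[str]  # None encodes <<none>>
    order: int              # line position; later entries win ties

    def __post_init__(self) -> None:
        # file_contexts regexes are implicitly anchored at both ends
        self.regex = re.compile("^" + self.pattern + "$")

    @property
    def fixed_prefix(self) -> str:
        out = []
        for ch in self.pattern:
            if ch in _META:
                break
            out.append(ch)
        return "".join(out)


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse the 2- or 3-field lines of a file_contexts(.local) fragment."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            pattern, ftype, context = fields
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
        ctx = None if context == "<<none>>" else context
        specs.append(Spec(pattern, ftype, ctx, lineno))
    return specs


def resolve(specs: List[Spec], path: str, ftype: str = "--") -> Optional[str]:
    """Context a restorecon-style relabel would assign to `path`.

    Resolution rule of this example (an assumption, simplified from libselinux):
    among entries whose regex and file type match, the longest literal prefix
    wins, and a later entry beats an earlier one on ties, which is what lets a
    file_contexts.local line override the stock /var/spool entry.
    Returns None when the winning entry is <<none>>.
    """
    best: Optional[Spec] = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if not spec.regex.match(path):
            continue
        if best is None or (len(spec.fixed_prefix), spec.order) > (
            len(best.fixed_prefix), best.order
        ):
            best = spec
    if best is None:
        raise LookupError(f"no file_contexts entry matches {path}")
    return best.context


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for p, t in [("/var/spool/gosa", "-d"), ("/var/spool/gosa/queue/job1", "--"),
                 ("/var/spool/mail/root", "--"), ("/var/spool/gosa/.lock", "--")]:
        print(f"{p:30} {t}  ->  {resolve(specs, p, t)}")
```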
From: walters at redhat.com (Colin Walters)
Date: Tue, 29 Mar 2005 10:39:58 -0500
Subject: Desktop apps interoperability
In-Reply-To: <1112104457.4339.21.camel@moss-spartans.epoch.ncsc.mil>
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328100140.GB3430@lkcl.net> <20050329113321.GC24833@vnl.com> <1112104457.4339.21.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1112110798.3741.24.camel@nexus.verbum.private>

On Tue, 2005-03-29 at 08:54 -0500, Stephen Smalley wrote:
> On Tue, 2005-03-29 at 12:33 +0100, Dale Amon wrote:
> > I will run screaming if someone imports the registry
> > concept into Unix.
>
> Better start running then. gconf is already being used as a registry,
> and there is a linux registry aka elektra project as well.

People very often confuse "the registry concept" with a specific implementation which they may have had a bad experience with in the past or have heard rumors of other people having a bad experience with.

Having some sort of sane mechanism for locating, managing, and monitoring preferences is pretty critical to writing desktop applications. For example, one thing that GConf provides is notification of preference changes. This is a fundamental basis for a lot of how GNOME's "instant-apply" feature works, e.g. if you change the theme all apps automatically update. Doing this kind of thing with "text files" or whatever is going to be hackish at best.

To bring this discussion somewhat back on topic, Luke is right in that in order to write a strong SELinux policy for desktop applications, we really need to have fine-grained separation between user data (i.e. OpenOffice documents), user preferences, highly sensitive data such as GPG keys, and random other junk that apps dump in $HOME like error logs.
Also relating to the registry: Once we finish D-BUS, the plan is to make GConf be a userspace object manager; for example, to allow Mozilla the ability to read but not write the "http proxy" GConf key, or to disallow it from reading the WEP keys that NetworkManager currently stores there (which is wrong, but...). Having fine-grained labeling on preference keys is much nicer than granting user_mozilla_t access to user_home_t, which grants kind of unconstrained read access to everything, and is better than trying to maintain a text file per key in some hypothetical "text file registry" just so that we can have individual labels on them.

From amon at vnl.com Tue Mar 29 11:33:21 2005
From: amon at vnl.com (Dale Amon)
Date: Tue, 29 Mar 2005 12:33:21 +0100
Subject: Desktop apps interoperability
In-Reply-To:
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328100140.GB3430@lkcl.net>
Message-ID: <20050329113321.GC24833@vnl.com>

On Mon, Mar 28, 2005 at 06:17:14PM +0800, Rogelio Serrano wrote:
> On Mon, 28 Mar 2005 11:01:40 +0100, Luke Kenneth Casson Leighton
> wrote:
> > On Mon, Mar 28, 2005 at 12:27:31AM -0500, Ivan Gyurdiev wrote:
> >
> > > Now Windows' approach of having "My Documents" and the like is starting
> > > to make a lot of sense (even though I absolutely hate those names).
> >
> > and the concept of a registry, too.
> >
> > unix has a lot of legacy headaches to answer for that make its
> > usability as a desktop system a pain in the neck.
> >
> > perhaps this is one that's worthwhile raising with the linux
> > standards base people?
> >
> > if it doesn't present a solution "now" it might at least get one into
> > the pipeline and start to make a difference in five to ten years time.
> >
> > l.
> >
>
> NextStep and Mac OS X solved this problem very elegantly. IMHO.

I will run screaming if someone imports the registry concept into Unix. You'll need full AI to get it right.

I managed a moderate size university network of NeXT's. The admin interface seems nice at first... but it sucks you in and then you find the problems with upgrades of software; the problem that if you pulled the plug on UFS open files got corrupted... and guess what? The netinfo files were almost always open!

Keep it ASCII; keep it in separate files. By all means try to get application and daemon writers to standardize on their parsing. Not that you ever will.

And as to My Documents? Yech. Every user has their own private idea of what setups should exist. Users are users and have their own little worlds; Root is Root and never the twain shall meet.
Except perhaps with proper selinux controls...

Now I do wish there were a dotfile directory in each home directory and everyone put the dotfiles in it when they are created... but if wishes were fishes I'd have a lifetime supply of fish'n'chips.

--
Dale Amon
amon at islandone.org

From mike at navi.cx Tue Mar 29 18:17:35 2005
From: mike at navi.cx (Mike Hearn)
Date: Tue, 29 Mar 2005 19:17:35 +0100
Subject: Desktop apps interoperability
References: <1111985855.1514.70.camel@cobra.ivg2.net> <1111986213.1514.77.camel@cobra.ivg2.net> <1111987652.1514.97.camel@cobra.ivg2.net> <20050328100140.GB3430@lkcl.net> <20050329113321.GC24833@vnl.com> <1112104457.4339.21.camel@moss-spartans.epoch.ncsc.mil> <1112110798.3741.24.camel@nexus.verbum.private>
Message-ID:

On Tue, 29 Mar 2005 10:39:58 -0500, Colin Walters wrote:
> Also relating to the registry: Once we finish D-BUS, the plan is to make
> GConf be a userspace object manager

You mean making GConf an "AVC" so you can label keys with SELinux contexts? Or do you mean something separate to SELinux? SELinux GConf integration would totally rule, I hope that's what you mean :)

thanks -mike

From ivg2 at cornell.edu Wed Mar 30 05:01:06 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Wed, 30 Mar 2005 00:01:06 -0500
Subject: Desktop apps interoperability
In-Reply-To: <1112027973.2914.98.camel@moss-spartans.epoch.ncsc.mil>
References: <1111987652.1514.97.camel@cobra.ivg2.net> <20050328132653.F27857@lemuria.org> <1112012129.1514.187.camel@cobra.ivg2.net> <20050328151126.B28232@lemuria.org> <1112017584.1514.239.camel@cobra.ivg2.net> <20050328160935.B28563@lemuria.org> <1112022358.5811.47.camel@cobra.ivg2.net> <1112022750.2914.65.camel@moss-spartans.epoch.ncsc.mil> <20050328174753.D29441@lemuria.org> <1112025866.2914.88.camel@moss-spartans.epoch.ncsc.mil> <20050328182020.A29887@lemuria.org> <1112027973.2914.98.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1112158866.1536.29.camel@cobra.ivg2.net>

How about

New Directory Structure (added to /skel, or whatever)

~/content              - ROLE_content_t
~/content/desktop      - ???
~/content/downloads    - ROLE_untrusted_content_t
~/content/media        - ROLE_media_content_t
~/content/documents    - ROLE_documents_content_t
~/content/mail         - ROLE_mail_content_t
~/content/export_web   - ROLE_httpd_user_content_t
~/content/export_samba - ROLE_samba_share_t
~/content/export_p2p   - ROLE_p2p_share_t

Desktop apps will be restricted to only access the appropriate one. "Downloading" apps will be restricted to download to untrusted_content_t.

Now...how to move things to/from ~/content/downloads in a nice user-friendly way? What context for desktop? What role will the desktop play?

--
Ivan Gyurdiev
Cornell University

From ocschwar at MIT.EDU Wed Mar 30 05:56:48 2005
From: ocschwar at MIT.EDU (Omri Schwarz)
Date: Wed, 30 Mar 2005 00:56:48 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
Message-ID: <200503300556.j2U5umcQ021662@bart-savagewood.mit.edu>

Hi, everyone.

Until two days ago, when I ran up2date, I had a machine running FC3 with SELinux targeted, user homedirs coming in over NFS, Apache running and segregated into httpd_t land, and so on and so forth.

I ran up2date. And it all went to hell.

The upgrade to selinux-policy-targeted-1.17.30-2.90 prevented console logins, use of sudo, and startups from messagebus and httpd. It allowed, however, for SSH logins, and use of 'su'.

Right now I have a machine that is using selinux-policy-targeted-1.17.30-2.90.noarch.rpm, and I suffer from the same errors:

# /usr/sbin/getenforce
getenforce: getenforce() failed

]# /usr/sbin/getsebool -a
getsebool: booleans.c:48: security_get_boolean_names: Assertion `selinux_mnt' failed.
Aborted

# cat /selinux/enforce
1

# cd /selinux/booleans
# ls
allow_ypbind             mysqld_disable_trans        squid_disable_trans
dhcpd_disable_trans      named_disable_trans         syslogd_disable_trans
httpd_disable_trans      named_write_master_zones    use_nfs_home_dirs
httpd_enable_cgi         nscd_disable_trans          use_samba_home_dirs
httpd_enable_homedirs    ntpd_disable_trans          use_syslogng
httpd_ssi_exec           portmap_disable_trans       winbind_disable_trans
httpd_tty_comm           postgresql_disable_trans    ypbind_disable_trans
httpd_unified            snmpd_disable_trans

# cat *
1 10 00 01 11 11 10 01 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

]# cat policyvers
18

Now, for the many multifarious weirdnesses that have sprung up on me:

I cannot log in to the console.
TTY logins fail silently and X logins leave this in the syslog:

Mar 29 18:43:42 HOST gdm(pam_unix)[5945]: session opened for user root by (uid=0)
Mar 29 18:43:42 HOST gdm[5135]: gdm_cleanup_children: child 5945 crashed of signal 6
Mar 29 18:43:42 HOST gdm[5135]: gdm_cleanup_children: Slave crashed, killing its children

Clearly something is denied a resource by selinux, causing a crash that ends the login session.

I cannot sudo:

% sudo su root
Password:
root:system_r:unconfined_t is not a valid context

Doing a sudo leaves this in /var/log/secure:

Mar 30 00:47:29 HOST sudo: omri : TTY=pts/1 ; PWD=/nfs/newline/h1/omri ; USER=root ; COMMAND=/bin/su root

And this in /var/log/messages:

Mar 30 00:47:29 HOST sudo(pam_unix)[6028]: authentication failure; logname=omri uid=0 euid=0 tty=pts/1 ruser= rhost= user=omri
Mar 30 00:47:29 HOST sudo[6028]: pam_krb5[6028]: authentication succeeds for 'omri' (omri at SPACE.MIT.EDU)

I can SSH in, but this gets left in the logs:

Mar 30 00:43:48 HOST sshd[5941]: error: Failed to set exec security context omri:system_r:unconfined_t for omri. Continuing in permissive mode

I can su just fine, which is what lets me play around with these things.

The portmapper has its own difficulties:

Mar 30 00:55:15 HOST kernel: audit(1112162115.873:0): avc: denied { search } for pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377 scontext=root:system_r:portmap_t tcontext=system_u:object_r:home_root_t tclass=dir

Obviously, it's the console logins that I want to solve first and foremost. Any help would be most appreciated.

From jeremy at ardley.org Wed Mar 30 09:55:36 2005
From: jeremy at ardley.org (Jeremy Ardley)
Date: Wed, 30 Mar 2005 17:55:36 +0800
Subject: httpd controls ?
Message-ID: <424A7798.8030504@ardley.org>

Hi,

I am experimenting with cgi-bin perl scripts to set specific user's passwords. The scripts correctly generate passwords when run from the bash prompt but silently do nothing when invoked on the web page.

I assume this is a selinux issue and would like some pointers.

1. Is letting a cgi script change passwords a good idea?
2. If it is safe, how do I persuade selinux to let it happen?

Thanks
Jeremy

From ivg2 at cornell.edu Wed Mar 30 11:49:13 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Wed, 30 Mar 2005 06:49:13 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: <200503300556.j2U5umcQ021662@bart-savagewood.mit.edu>
References: <200503300556.j2U5umcQ021662@bart-savagewood.mit.edu>
Message-ID: <1112183353.5951.6.camel@cobra.ivg2.net>

> I cannot sudo:
>
> % sudo su root
> Password:
> root:system_r:unconfined_t is not a valid context

Is this in single mode by any chance... the system_r role should be sysadm_r. In fact, single mode STILL does not login properly in rawhide (see bugzilla).

The httpd problem might be execmem related or something. The way to debug everything is for you to /usr/sbin/setenforce 0, or boot with enforcing=0, and then look what the denials are.

--
Ivan Gyurdiev
Cornell University

From sds at tycho.nsa.gov Wed Mar 30 12:53:00 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 30 Mar 2005 07:53:00 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: <1112183353.5951.6.camel@cobra.ivg2.net>
References: <200503300556.j2U5umcQ021662@bart-savagewood.mit.edu> <1112183353.5951.6.camel@cobra.ivg2.net>
Message-ID: <1112187180.8012.8.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-03-30 at 06:49 -0500, Ivan Gyurdiev wrote:
> > I cannot sudo:
> >
> > % sudo su root
> > Password:
> > root:system_r:unconfined_t is not a valid context
>
> Is this in single mode by any chance... the system_r role should
> be sysadm_r. In fact, single mode STILL does not login properly
> in rawhide (see bugzilla).

No, for targeted policy, system_r is correct. Targeted policy effectively has only one user identity and role (although the others are still defined for compatibility purposes), and only uses domains to isolate particular domains. There are no real user roles and domains under targeted policy.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Mar 30 13:36:55 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 30 Mar 2005 08:36:55 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: <200503300556.j2U5umcQ021662@bart-savagewood.mit.edu>
References: <200503300556.j2U5umcQ021662@bart-savagewood.mit.edu>
Message-ID: <1112189815.8012.28.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-03-30 at 00:56 -0500, Omri Schwarz wrote:
> Right now I have a machine that is using selinux-policy-targeted-1.17.30-2.90.n
> oarch.rpm, and I suffer from the same errors:
>
> # /usr/sbin/getenforce
> getenforce: getenforce() failed
>
> ]# /usr/sbin/getsebool -a
> getsebool: booleans.c:48: security_get_boolean_names: Assertion `selinux_mnt'
> failed.
> Aborted
>
> # cat /selinux/enforce
> 1

What does 'id' show? What is in your /etc/selinux/config file?

> Mar 30 00:55:15 HOST kernel: audit(1112162115.873:0): avc: denied { search }
> for pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377
> scontext=root:system_r:portmap_t tcontext=system_u:object_r:home_root_t
> tclass=dir

/etc certainly shouldn't be labeled home_root_t. /sbin/fixfiles restore?

--
Stephen Smalley
National Security Agency

From eparis at redhat.com Wed Mar 30 15:11:42 2005
From: eparis at redhat.com (Eric Paris)
Date: Wed, 30 Mar 2005 10:11:42 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: <1112189815.8012.28.camel@moss-spartans.epoch.ncsc.mil>
References: <200503300556.j2U5umcQ021662@bart-savagewood.mit.edu> <1112189815.8012.28.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1112195502.28382.3.camel@marseille.rdu.redhat.com>

If fixfiles doesn't fix that labeling problem on /etc, do you have a user defined whose home directory is in /etc/username? I'm not sure if the genhomedircon that fixed this situation made it into FC3 yet. If you do have a user with a home directory in /etc/username, fix your file_contexts so that /etc is not labeled wrong and try fixfiles again.....

Eric

On Wed, 2005-03-30 at 08:36, Stephen Smalley wrote:
> On Wed, 2005-03-30 at 00:56 -0500, Omri Schwarz wrote:
> > Right now I have a machine that is using selinux-policy-targeted-1.17.30-2.90.n
> > oarch.rpm, and I suffer from the same errors:
> >
> > # /usr/sbin/getenforce
> > getenforce: getenforce() failed
> >
> > ]# /usr/sbin/getsebool -a
> > getsebool: booleans.c:48: security_get_boolean_names: Assertion `selinux_mnt'
> > failed.
> > Aborted
> >
> > # cat /selinux/enforce
> > 1
>
> What does 'id' show? What is in your /etc/selinux/config file?
>
> > Mar 30 00:55:15 HOST kernel: audit(1112162115.873:0): avc: denied { search }
> > for pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377
> > scontext=root:system_r:portmap_t tcontext=system_u:object_r:home_root_t
> > tclass=dir
>
> /etc certainly shouldn't be labeled home_root_t. /sbin/fixfiles restore?

From christofer.c.bell at gmail.com Wed Mar 30 15:32:00 2005
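Stephen's and Eric's reading of the portmap denial above is that it is a labeling bug (a system directory carrying home_root_t, fixed with fixfiles restore and a corrected file_contexts), not a gap in policy. As an added example (not code from the thread), this Python snippet parses avc: denied lines of the shape posted in this thread, summarises them by source type, target type and object class, and separates denials whose target is a home-directory type on a system path (relabel) from ordinary policy denials that need a policy decision; the log lines, the set of home types and the list of system path prefixes are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed syslog lines in the shape of the denials posted in this thread
# (pids, inodes, timestamps and the httpd records are made up for the example).
SAMPLE_LOG = """\
Mar 30 00:55:15 HOST kernel: audit(1112162115.873:0): avc: denied { search } for pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377 scontext=root:system_r:portmap_t tcontext=system_u:object_r:home_root_t tclass=dir
Mar 30 00:55:16 HOST kernel: audit(1112162116.101:0): avc: denied { read } for pid=6190 exe=/usr/sbin/httpd path=/etc/httpd/conf/httpd.conf dev=hda3 ino=229401 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=file
Mar 30 00:55:20 HOST kernel: audit(1112162120.455:0): avc: denied { name_bind } for pid=6190 exe=/usr/sbin/httpd scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Mar 30 00:55:21 HOST sshd[5941]: error: Failed to set exec security context omri:system_r:unconfined_t for omri. Continuing in permissive mode
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumptions of this example: object types that belong under home directories,
# and path prefixes that should never carry such a type.
HOME_TYPES = {"home_root_t", "user_home_t", "user_home_dir_t"}
SYSTEM_ROOTS = ("/etc", "/usr", "/var", "/bin", "/sbin", "/lib", "/dev")
SYSTEM_NAMES = {r.lstrip("/") for r in SYSTEM_ROOTS}  # for bare name= records


@dataclass
class Denial:
    perms: List[str]
    fields: Dict[str, str]

    @property
    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def target(self) -> str:
        return self.fields.get("path") or self.fields.get("name", "?")


def parse_avc(lines) -> List[Denial]:
    """Pull every 'avc: denied' record out of syslog-style lines; ignore the rest."""
    denials = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("kv")))
        if "scontext" not in fields or "tcontext" not in fields:
            continue  # truncated record, nothing to classify
        denials.append(Denial(m.group("perms").split(), fields))
    return denials


def looks_mislabelled(d: Denial) -> bool:
    """A home-directory type on a system path is a labeling bug, not a policy gap."""
    if d.target_type not in HOME_TYPES:
        return False
    path = d.fields.get("path")
    if path is not None:
        return path.startswith(SYSTEM_ROOTS)
    return d.fields.get("name") in SYSTEM_NAMES


def triage(lines) -> Dict[str, List[Denial]]:
    """Split denials into those fixed by relabeling and those needing a policy decision."""
    result: Dict[str, List[Denial]] = {"relabel": [], "policy": []}
    for d in parse_avc(lines):
        result["relabel" if looks_mislabelled(d) else "policy"].append(d)
    return result


def summarize(denials: List[Denial]) -> Counter:
    """Count denials by (source type, target type, class, permissions)."""
    return Counter(
        (d.source_type, d.target_type, d.fields.get("tclass", "?"), " ".join(d.perms))
        for d in denials
    )


if __name__ == "__main__":
    groups = triage(SAMPLE_LOG.splitlines())
    for bucket, advice in (("relabel", "fixfiles restore / restorecon, then check file_contexts"),
                           ("policy", "decide: separate domain, boolean, or an allow rule")):
        print(f"== {bucket}: {advice}")
        for key, n in summarize(groups[bucket]).items():
            print(f"  {n}x {key[0]} -> {key[1]} ({key[2]}: {key[3]})")
```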
From: christofer.c.bell at gmail.com (Christofer C. Bell)
Date: Wed, 30 Mar 2005 09:32:00 -0600
Subject: httpd controls ?
In-Reply-To: <424A7798.8030504@ardley.org>
References: <424A7798.8030504@ardley.org>
Message-ID: <143f0f6c050330073232244b66@mail.gmail.com>

On Wed, 30 Mar 2005 17:55:36 +0800, Jeremy Ardley wrote:
> Hi,
>
> I am experimenting with cgi-bin perl scripts to set specific user's
> passwords. The scripts correctly generate passwords when run from the
> bash prompt but silently do nothing when invoked on the web page.
>
> I assume this is a selinux issue and would like some pointers.

Check /var/log/messages for 'avc: denied' messages. If you don't see any, this is not an SELinux issue. If you do see these messages, then see below.

> 1. Is letting a cgi script change passwords a good idea?

This is more a religious issue than anything else, in my opinion. I wouldn't allow it, personally.

> 2. If it is safe, how do I persuade selinux to let it happen?

Look into use of the audit2allow utility for converting denied messages into rules that allow the behavior that was denied. The short of it is:

# cd /etc/selinux/targeted/src
# audit2allow -d -l -o domains/misc/local.te && make load

Repeat until your script works and then clean up the local.te file's formatting (not necessary). The long of it (and a good read) is the Red Hat Enterprise Linux 4 SELinux Guide (http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/). I'd suggest reading that, specifically section II, before doing what I've suggested here to make sure you have a full understanding of what's going on.

Note that you are peeling back layers of SELinux protection by doing this (by granting permissions rather than denying them). In the worst case, this part of your system (in this case CGI scripts) will have the same basic Linux DAC (discretionary access controls) protection that you've been using since before SELinux was available.
You can't make your system less secure than you would be without SELinux using audit2allow, you can only put yourself in a state where SELinux is effectively disabled.

-- 
Chris

"Build a man a fire and he will be warm for the rest of the night. Set a man on fire and he will be warm for the rest of his life." -- Unknown

From sds at tycho.nsa.gov Wed Mar 30 15:35:22 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 30 Mar 2005 10:35:22 -0500
Subject: httpd controls ?
In-Reply-To: <143f0f6c050330073232244b66@mail.gmail.com>
References: <424A7798.8030504@ardley.org> <143f0f6c050330073232244b66@mail.gmail.com>
Message-ID: <1112196922.8012.37.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-03-30 at 09:32 -0600, Christofer C. Bell wrote:
> Look into use of the audit2allow utility for converting denied messages into rules that allow the behavior that was denied. The short of it is:
>
> # cd /etc/selinux/targeted/src
> # audit2allow -d -l -o domains/misc/local.te && make load
>
> Repeat until your script works and then clean up the local.te file's formatting (not necessary).

The problem with the above sequence is it will directly allow those permissions to the original domain of the script; hence, all CGI scripts would end up having those permissions. Better to define a separate httpd_passwd_t domain modeled after the passwd_t domain in the strict policy and set up a domain transition into this domain only for the script in question.

-- 
Stephen Smalley
National Security Agency

From hongwei at wustl.edu Wed Mar 30 15:47:41 2005
From: hongwei at wustl.edu (Hongwei Li)
Date: Wed, 30 Mar 2005 09:47:41 -0600 (CST)
Subject: httpd controls ?
In-Reply-To: <143f0f6c050330073232244b66@mail.gmail.com>
References: <424A7798.8030504@ardley.org> <143f0f6c050330073232244b66@mail.gmail.com>
Message-ID: <3690.128.252.85.103.1112197661.squirrel@morpheus.wustl.edu>

>> 2. If it is safe, how do I persuade selinux to let it happen?
>
> Look into use of the audit2allow utility for converting denied messages into rules that allow the behavior that was denied. The short of it is:
>
> # cd /etc/selinux/targeted/src
> # audit2allow -d -l -o domains/misc/local.te && make load
>
> Repeat until your script works and then clean up the local.te file's formatting (not necessary). The long of it (and a good read) is the Red Hat Enterprise Linux 4 SELinux Guide (http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/). I'd suggest reading that, specifically section II, before doing what I've suggested here to make sure you have a full understanding of what's going on.
>

I have a question about what you suggested. My system is working normally, but I'd like to know more about audit2allow. My system (fc3, selinux enforced, targeted) does not have src under /etc/selinux/targeted/, which has only:

booleans contexts policy

and I could not find audit2allow, even from the web site you gave above. Could you provide more information about it? Or any links?

Thanks!

Hongwei Li

From christofer.c.bell at gmail.com Wed Mar 30 16:01:33 2005
From: christofer.c.bell at gmail.com (Christofer C. Bell)
Date: Wed, 30 Mar 2005 10:01:33 -0600
Subject: httpd controls ?
In-Reply-To: <3690.128.252.85.103.1112197661.squirrel@morpheus.wustl.edu>
References: <424A7798.8030504@ardley.org> <143f0f6c050330073232244b66@mail.gmail.com> <3690.128.252.85.103.1112197661.squirrel@morpheus.wustl.edu>
Message-ID: <143f0f6c05033008015abc5f8f@mail.gmail.com>

On Wed, 30 Mar 2005 09:47:41 -0600 (CST), Hongwei Li wrote:
>
> I have a question about what you suggested. My system is working normally, but I'd like to know more about audit2allow. My system (fc3, selinux enforced, targeted) does not have src under /etc/selinux/targeted/, which has only: booleans contexts policy
>
> and I could not find audit2allow, even from the web site you gave above.
>
> Could you provide more information about it? Or any links?

You simply need to install the selinux-policy-targeted package. You can do this with the default yum configuration as the package is part of the Core distribution.

[cbell at circe ~]$ rpm -qi selinux-policy-targeted-sources
Name        : selinux-policy-targeted-sources   Relocations: /usr
Version     : 1.17.30                           Vendor: Red Hat, Inc.
Release     : 2.90                              Build Date: Thu 17 Mar 2005 02:57:18 PM CST
Install Date: Fri 25 Mar 2005 05:05:18 AM CST   Build Host: tweety.build.redhat.com
Group       : System Environment/Base           Source RPM: selinux-policy-targeted-1.17.30-2.90.src.rpm
Size        : 462996                            License: GPL
Signature   : DSA/SHA1, Wed 23 Mar 2005 10:39:28 AM CST, Key ID b44269d04f2a6fd2
Packager    : Red Hat, Inc.
Summary     : SELinux example policy configuration source files
Description :
This subpackage includes the source files used to build the policy configuration. Includes policy.conf and the Makefiles, macros and source files for it.

The audit2allow utility should be part of the policycoreutils package.

[cbell at circe ~]$ rpm -qf /usr/bin/audit2allow
policycoreutils-1.18.1-2.10

-- 
Chris

"Build a man a fire and he will be warm for the rest of the night. Set a man on fire and he will be warm for the rest of his life." -- Unknown

From christofer.c.bell at gmail.com Wed Mar 30 16:03:56 2005
From: christofer.c.bell at gmail.com (Christofer C. Bell)
Date: Wed, 30 Mar 2005 10:03:56 -0600
Subject: httpd controls ?
In-Reply-To: <1112196922.8012.37.camel@moss-spartans.epoch.ncsc.mil>
References: <424A7798.8030504@ardley.org> <143f0f6c050330073232244b66@mail.gmail.com> <1112196922.8012.37.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <143f0f6c050330080315538a82@mail.gmail.com>

On Wed, 30 Mar 2005 10:35:22 -0500, Stephen Smalley wrote:
> On Wed, 2005-03-30 at 09:32 -0600, Christofer C. Bell wrote:
> > Look into use of the audit2allow utility for converting denied messages into rules that allow the behavior that was denied. The short of it is:
> >
> > # cd /etc/selinux/targeted/src
> > # audit2allow -d -l -o domains/misc/local.te && make load
> >
> > Repeat until your script works and then clean up the local.te file's formatting (not necessary).
>
> The problem with the above sequence is it will directly allow those permissions to the original domain of the script; hence, all CGI scripts would end up having those permissions. Better to define a separate httpd_passwd_t domain modeled after the passwd_t domain in the strict policy and set up a domain transition into this domain only for the script in question.

That's a very good point and really bears spelling out. How would one go about creating the new domain and then implementing the proper transition for just one set of CGI scripts? I ask because I (was) running Open WebMail and ran into the case where I needed to effectively disable SELinux controls over all CGI scripts to allow OWM to run. I would have preferred the case where these controls were removed *only* for the relevant scripts, allowing the remaining scripts to keep the protections afforded by the default policy.

-- 
Chris

"Build a man a fire and he will be warm for the rest of the night. Set a man on fire and he will be warm for the rest of his life." -- Unknown

From sds at tycho.nsa.gov Wed Mar 30 15:58:19 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 30 Mar 2005 10:58:19 -0500
Subject: httpd controls ?
In-Reply-To: <3690.128.252.85.103.1112197661.squirrel@morpheus.wustl.edu>
References: <424A7798.8030504@ardley.org> <143f0f6c050330073232244b66@mail.gmail.com> <3690.128.252.85.103.1112197661.squirrel@morpheus.wustl.edu>
Message-ID: <1112198299.8012.44.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-03-30 at 09:47 -0600, Hongwei Li wrote:
> I have a question about what you suggested. My system is working normally, but I'd like to know more about audit2allow. My system (fc3, selinux enforced, targeted) does not have src under /etc/selinux/targeted/, which has only: booleans contexts policy
>
> and I could not find audit2allow, even from the web site you gave above.
>
> Could you provide more information about it? Or any links?

Policy sources aren't installed by default, as you don't need them unless you are customizing policy beyond the level of boolean settings. To install the sources, do:

yum install selinux-policy-targeted-sources

audit2allow is part of policycoreutils and is located in /usr/bin. audit2allow --help will display the usage. A man page was added to the upstream package in version 1.22, but that wouldn't be in FC3.

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Mar 30 16:07:18 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 30 Mar 2005 11:07:18 -0500
Subject: httpd controls ?
In-Reply-To: <143f0f6c050330080315538a82@mail.gmail.com>
References: <424A7798.8030504@ardley.org> <143f0f6c050330073232244b66@mail.gmail.com> <1112196922.8012.37.camel@moss-spartans.epoch.ncsc.mil> <143f0f6c050330080315538a82@mail.gmail.com>
Message-ID: <1112198838.8012.54.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-03-30 at 10:03 -0600, Christofer C. Bell wrote:
> That's a very good point and really bears spelling out. How would one go about creating the new domain and then implementing the proper transition for just one set of CGI scripts? I ask because I (was) running Open WebMail and ran into the case where I needed to effectively disable SELinux controls over all CGI scripts to allow OWM to run. I would have preferred the case where these controls were removed *only* for the relevant scripts, allowing the remaining scripts to keep the protections afforded by the default policy.

Easiest way to create a domain presently is to copy an existing one and edit it, using your favorite filter to replace all occurrences of the old prefix with a new one. By introducing a separate _exec_t type for the new domain (e.g. httpd_passwd_exec_t) and assigning that type to the particular CGI script in question (manually with chcon or via restorecon after updating your file_contexts), you only affect that particular script.
Possible resources:

- The RHEL4 SELinux Guide, http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
- Understanding and Customizing the Apache HTTP SELinux Policy, http://fedora.redhat.com/docs/selinux-apache-fc3/
- Sourceforge SELinux HOWTOs, http://sourceforge.net/docman/?group_id=21266
- SELinux: NSA's Open Source Security Enhanced Linux by Bill McCarty, http://www.oreilly.com/catalog/selinux/
- Tresys Technology Policy Writing Course Slides, http://www.tresys.com/selinux/selinux-course-outline.html
- Configuring the SELinux Policy, http://www.nsa.gov/selinux/papers/policy2-abs.cfm

-- 
Stephen Smalley
National Security Agency

From ocschwar at MIT.EDU Wed Mar 30 16:25:47 2005
From: ocschwar at MIT.EDU (Omri Schwarz)
Date: Wed, 30 Mar 2005 11:25:47 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
Message-ID: <200503301625.j2UGPlDB015477@all-night-tool.mit.edu>

(Sorry if I break the threading, but my subscription has not kicked in.)

Stephen Smalley says:
On Wed, 2005-03-30 at 00:56 -0500, Omri Schwarz wrote:
>> Right now I have a machine that is using selinux-policy-targeted-1.17.30-2.90.noarch.rpm, and I suffer from the same errors:
>
>> # /usr/sbin/getenforce
>> getenforce: getenforce() failed
>
>> ]# /usr/sbin/getsebool -a
>> getsebool: booleans.c:48: security_get_boolean_names: Assertion `selinux_mnt' failed.
>> Aborted
>
>> # cat /selinux/enforce
>> 1

>What does 'id' show? What is in your /etc/selinux/config file?

% more /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=Enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

% id
uid=10204(omri) gid=101(cdrecording) groups=0(root),48(apache),101(cdrecording) context=user_u:system_r:unconfined_t

>> Mar 30 00:55:15 HOST kernel: audit(1112162115.873:0): avc: denied { search } for pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377 scontext=root:system_r:portmap_t tcontext=system_u:object_r:home_root_t tclass=dir

>/etc certainly shouldn't be labeled home_root_t. /sbin/fixfiles restore?

Done.

Afterwards:

% ls -lZ /
drwxr-xr-x  root root system_u:object_r:bin_t          bin
drwxr-xr-x  root root system_u:object_r:boot_t         boot
drwxr-xr-x  root root system_u:object_r:device_t       dev
drwxr-xr-x  root root system_u:object_r:home_root_t    etc
drwxr-xr-x  root root system_u:object_r:home_root_t    home
drwxr-xr-x  root root system_u:object_r:root_t         initrd
drwxr-xr-x  root root system_u:object_r:lib_t          lib
drwx------  root root system_u:object_r:lost_found_t   lost+found
drwxr-xr-x  root root system_u:object_r:mnt_t          media
drwxr-xr-x  root root system_u:object_r:default_t      misc
drwxr-xr-x  root root system_u:object_r:mnt_t          mnt
drwxr-xr-x  root root                                  nfs
drwxr-xr-x  root root system_u:object_r:usr_t          opt
dr-xr-xr-x  root root                                  proc
drwxr-x---  root root root:object_r:user_home_dir_t    root
drwxr-xr-x  root root system_u:object_r:sbin_t         sbin
drwxr-xr-x  root root                                  selinux
drwxr-xr-x  root root system_u:object_r:default_t      srv
drwxr-xr-x  root root                                  sys
drwxr-xr-x  root root system_u:object_r:default_t      tftpboot
drwxrwxrwt  root root system_u:object_r:tmp_t          tmp
drwxr-xr-x  root root system_u:object_r:usr_t          usr
drwxr-xr-x  root root system_u:object_r:var_t          var

From sds at tycho.nsa.gov Wed Mar 30 16:34:48 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 30 Mar 2005 11:34:48 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: <200503301625.j2UGPlDB015477@all-night-tool.mit.edu>
References: <200503301625.j2UGPlDB015477@all-night-tool.mit.edu>
Message-ID: <1112200488.8012.64.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-03-30 at 11:25 -0500, Omri Schwarz wrote:
> drwxr-xr-x  root root system_u:object_r:home_root_t    etc

Still wrong. I take it that you have locally customized your policy sources? Combined with the old genhomedircon and the fact that certain users like news have home directories under /etc in /etc/passwd, this could be the problem.

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Mar 30 16:39:08 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 30 Mar 2005 11:39:08 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: <1112200488.8012.64.camel@moss-spartans.epoch.ncsc.mil>
References: <200503301625.j2UGPlDB015477@all-night-tool.mit.edu> <1112200488.8012.64.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1112200748.8012.67.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-03-30 at 11:34 -0500, Stephen Smalley wrote:
> On Wed, 2005-03-30 at 11:25 -0500, Omri Schwarz wrote:
> > drwxr-xr-x  root root system_u:object_r:home_root_t    etc
>
> Still wrong. I take it that you have locally customized your policy sources? Combined with the old genhomedircon and the fact that certain users like news have home directories under /etc in /etc/passwd, this could be the problem.

Actually, though, that should be covered by the existing tests of uid >= UID_MIN and the check of the shell, I would think. Do you have any real users (uid >= 500) in /etc/passwd with a home directory in /etc and a shell other than nologin or false?

-- 
Stephen Smalley
National Security Agency

From selinux at gmail.com Wed Mar 30 16:50:30 2005
From: selinux at gmail.com (Tom London)
Date: Wed, 30 Mar 2005 08:50:30 -0800
Subject: vmware/vmnet:
Message-ID: <4c4ba1530503300850699d8e65@mail.gmail.com>

Running targeted/enforcing, latest rawhide.

Notice the following AVC generated by VMware init sequence:

Mar 30 06:33:35 localhost kernel: audit(1112193215.505:0): avc: denied { search } for pid=3690 exe=/sbin/ifconfig name=net dev=sysfs ino=225 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:sysfs_t tclass=dir
Mar 30 06:33:35 localhost kernel: vmnet8: failed sysfs registration (-13)

This seems to imply:

allow ifconfig_t sysfs_t:dir search;

ifconfig.te has

domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)

So, should ifconfig_t be allowed the same access to sysfs_t as initrc_t, such as

r_dir_file(ifconfig_t, sysfs_t)

thanks,
tom

-- 
Tom London

From ocschwar at MIT.EDU Wed Mar 30 16:53:04 2005
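The rule Tom derives by hand above is exactly the translation that the audit2allow step recommended earlier in the httpd thread performs. The following C program is an added example (not audit2allow itself, and not code from this list): it pulls the permission set, scontext, tcontext and tclass out of an 'avc: denied' record and emits the matching allow rule. The sample lines are constructed from the denials quoted in this thread; contexts are assumed to have no MLS field, as in these FC3-era logs. Stephen's caveat still applies: the rule grants the permission to the whole source domain, not just the one program that triggered the denial.

```c
/* avc2allow.c: constructed example of the simplest audit2allow transformation.
 * One "avc: denied { perms } ... scontext=S tcontext=T tclass=C" line becomes
 * "allow <type of S> <type of T>:C { perms };". */
#include <stdio.h>
#include <string.h>

/* Copy the whitespace-delimited value following `key` (e.g. "tclass=") into
 * `out`.  Returns 0 on success, -1 if the key is absent or the value too long. */
static int field(const char *line, const char *key, char *out, size_t outlen)
{
    const char *p = strstr(line, key);
    if (!p) return -1;
    p += strlen(key);
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Extract the type from a user:role:type context (assumes no MLS suffix). */
static int context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p = strrchr(ctx, ':');
    if (!p || p[1] == '\0') return -1;
    if (strlen(p + 1) >= outlen) return -1;
    strcpy(out, p + 1);
    return 0;
}

/* Turn one AVC denial into an allow rule written to `rule`.
 * Returns 0 on success, -1 if the line is not a denial or is malformed. */
int avc_to_allow(const char *line, char *rule, size_t rulelen)
{
    static const char marker[] = "avc: denied { ";
    const char *d = strstr(line, marker);
    if (!d) return -1;
    d += sizeof marker - 1;
    const char *end = strstr(d, " }");
    if (!end) return -1;

    char perms[128];
    size_t n = (size_t)(end - d);
    if (n == 0 || n >= sizeof perms) return -1;
    memcpy(perms, d, n);
    perms[n] = '\0';

    char sctx[128], tctx[128], tclass[64], stype[64], ttype[64];
    if (field(line, "scontext=", sctx, sizeof sctx) ||
        field(line, "tcontext=", tctx, sizeof tctx) ||
        field(line, "tclass=", tclass, sizeof tclass))
        return -1;
    if (context_type(sctx, stype, sizeof stype) ||
        context_type(tctx, ttype, sizeof ttype))
        return -1;

    int w = snprintf(rule, rulelen, "allow %s %s:%s { %s };",
                     stype, ttype, tclass, perms);
    return (w < 0 || (size_t)w >= rulelen) ? -1 : 0;
}

/* Constructed sample input: the two denials quoted in this thread plus one
 * non-AVC kernel line that must be skipped. */
static const char *const SAMPLE_LOG[] = {
    "Mar 30 06:33:35 localhost kernel: audit(1112193215.505:0): avc: denied { search } "
    "for pid=3690 exe=/sbin/ifconfig name=net dev=sysfs ino=225 "
    "scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:sysfs_t tclass=dir",
    "Mar 30 06:33:35 localhost kernel: vmnet8: failed sysfs registration (-13)",
    "Mar 30 00:55:15 HOST kernel: audit(1112162115.873:0): avc: denied { search } "
    "for pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377 "
    "scontext=root:system_r:portmap_t tcontext=system_u:object_r:home_root_t tclass=dir",
    NULL
};

int main(void)
{
    char rule[256];
    for (const char *const *l = SAMPLE_LOG; *l; l++) {
        if (avc_to_allow(*l, rule, sizeof rule) == 0)
            printf("%s\n", rule);
    }
    return 0;
}
```

Note that the second sample yields `allow portmap_t home_root_t:dir { search };`, which is the wrong fix for that thread's problem: the denial came from a mislabeled /etc, so relabeling, not a new rule, is the answer.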
From: ocschwar at MIT.EDU (Omri Schwarz)
Date: Wed, 30 Mar 2005 11:53:04 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: Your message of "Wed, 30 Mar 2005 11:34:48 EST." <1112200488.8012.64.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200503301653.j2UGr4Wn018725@all-night-tool.mit.edu>

> On Wed, 2005-03-30 at 11:25 -0500, Omri Schwarz wrote:
> > drwxr-xr-x  root root system_u:object_r:home_root_t    etc
>
> Still wrong. I take it that you have locally customized your policy sources? Combined with the old genhomedircon and the fact that certain

Negative. At the very minimum, I have not intentionally customized the policy sources, although I wonder whether the Redhat Package Manager has in effect done that for me.

> users like news have home directories under /etc in /etc/passwd, this could be the problem.

# grep etc /etc/passwd
news:x:9:13:news:/etc/news:
ntp:x:38:38::/etc/ntp:/sbin/nologin
privoxy:x:73:73::/etc/privoxy:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin

None of these accounts have an inherent need for a homedir, unless I am mistaken.

As you can see, no real users with home directories in /etc/, but this system does get directory service from a legacy NIS server that lives in Solaris land and cares nothing for such conventions as real accounts starting at 500.

I've just wiped the news account (no need for it), changed homedirs for the remaining three, and am running fixfiles restore.

# /sbin/fixfiles restore
/usr/sbin/setfiles: conflicting specifications for /etc/services and /var/spool/postfix/etc/services, using system_u:object_r:etc_t.
(dum dee dum).

Update to follow come next reboot.

From ocschwar at MIT.EDU Wed Mar 30 17:05:39 2005
From: ocschwar at MIT.EDU (Omri Schwarz)
Date: Wed, 30 Mar 2005 12:05:39 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: Your message of "Wed, 30 Mar 2005 11:39:08 EST." <1112200748.8012.67.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200503301705.j2UH5dMA020247@all-night-tool.mit.edu>

> On Wed, 2005-03-30 at 11:34 -0500, Stephen Smalley wrote:
> > On Wed, 2005-03-30 at 11:25 -0500, Omri Schwarz wrote:
> > > drwxr-xr-x  root root system_u:object_r:home_root_t    etc
> >
> > Still wrong. I take it that you have locally customized your policy sources? Combined with the old genhomedircon and the fact that certain users like news have home directories under /etc in /etc/passwd, this could be the problem.
>
> Actually, though, that should be covered by the existing tests of uid >= UID_MIN and the check of the shell, I would think. Do you have any real users (uid >= 500) in /etc/passwd with a home directory in /etc and a shell other than nologin or false?
>

The accounts were all redirected. Nevertheless:

drwxr-xr-x  root root system_u:object_r:home_root_t    etc
drwxr-x---  root root root:object_r:user_home_dir_t    root

From dwalsh at redhat.com Wed Mar 30 17:05:07 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 30 Mar 2005 12:05:07 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: <200503301653.j2UGr4Wn018725@all-night-tool.mit.edu>
References: <200503301653.j2UGr4Wn018725@all-night-tool.mit.edu>
Message-ID: <424ADC43.6000904@redhat.com>

Omri Schwarz wrote:
>>On Wed, 2005-03-30 at 11:25 -0500, Omri Schwarz wrote:
>>
>>>drwxr-xr-x  root root system_u:object_r:home_root_t    etc
>>>
>>Still wrong. I take it that you have locally customized your policy sources? Combined with the old genhomedircon and the fact that certain
>>
>
>Negative. At the very minimum, I have not intentionally customized the policy sources, although I wonder whether the Redhat Package Manager has in effect done that for me.
>
>>users like news have home directories under /etc in /etc/passwd, this could be the problem.
>>
>
># grep etc /etc/passwd
>news:x:9:13:news:/etc/news:
>ntp:x:38:38::/etc/ntp:/sbin/nologin
>privoxy:x:73:73::/etc/privoxy:/sbin/nologin
>xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
>
>None of these accounts have an inherent need for a homedir, unless I am mistaken.
>
>As you can see, no real users with home directories in /etc/, but this system does get directory service from a legacy NIS server that lives in Solaris land and cares nothing for such conventions as real accounts starting at 500.
>
>I've just wiped the news account (no need for it), changed homedirs for the remaining three, and am running fixfiles restore.
>
># /sbin/fixfiles restore
>/usr/sbin/setfiles: conflicting specifications for /etc/services and /var/spool/postfix/etc/services, using system_u:object_r:etc_t.
>(dum dee dum).
>
>Update to follow come next reboot.
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

For now hand edit your /etc/selinux/targeted/contexts/files/file_contexts file and remove the records about /etc and home_roots. And then

restorecon -R -v /etc

What is UID_MIN set to in /etc/login.defs?

Dan

-- 

From sds at tycho.nsa.gov Wed Mar 30 17:05:57 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 30 Mar 2005 12:05:57 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: <200503301705.j2UH5dMA020247@all-night-tool.mit.edu>
References: <200503301705.j2UH5dMA020247@all-night-tool.mit.edu>
Message-ID: <1112202357.8012.75.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-03-30 at 12:05 -0500, Omri Schwarz wrote:
> The accounts were all redirected.
> Nevertheless:
>
> drwxr-xr-x  root root system_u:object_r:home_root_t    etc

grep -n home_root_t /etc/selinux/targeted/contexts/files/file_contexts
rpm -V selinux-policy-targeted-sources
rpm -V selinux-policy-targeted

-- 
Stephen Smalley
National Security Agency

From ocschwar at MIT.EDU Wed Mar 30 17:15:54 2005
From: ocschwar at MIT.EDU (Omri Schwarz)
Date: Wed, 30 Mar 2005 12:15:54 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: Your message of "Wed, 30 Mar 2005 12:05:07 EST." <424ADC43.6000904@redhat.com>
Message-ID: <200503301715.j2UHFsoq021604@all-night-tool.mit.edu>

> Omri Schwarz wrote:
>
> >>On Wed, 2005-03-30 at 11:25 -0500, Omri Schwarz wrote:
> >>
> ># /sbin/fixfiles restore
> >/usr/sbin/setfiles: conflicting specifications for /etc/services and /var/spool/postfix/etc/services, using system_u:object_r:etc_t.
> >(dum dee dum).
> >
> >Update to follow come next reboot.
> >
> For now hand edit your /etc/selinux/targeted/contexts/files/file_contexts file and remove the records about /etc and home_roots.
> And then restorecon -R -v /etc
>

That worked. There were three lines in the homedir area asking for this. There were also lines for every NFS share available to this host, marking the shares as system_u:object_r:home_root_t. These shares are mounted by way of autofs. Should I add something to the auto.master file to make for an appropriate context?

> What is UID_MIN set to in /etc/login.defs?

500. Is there any reason besides useradd and selinux to care about this setting?

Many thanks!

From sds at tycho.nsa.gov Wed Mar 30 17:10:26 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 30 Mar 2005 12:10:26 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: <200503301715.j2UHFsoq021604@all-night-tool.mit.edu>
References: <200503301715.j2UHFsoq021604@all-night-tool.mit.edu>
Message-ID: <1112202626.8012.77.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-03-30 at 12:15 -0500, Omri Schwarz wrote:
> There were also lines for every NFS share available to this host, marking the shares as system_u:object_r:home_root_t. These shares are mounted by way of autofs. Should I add something to the auto.master file to make for an appropriate context?

No, they'll just be ignored anyway, as NFS doesn't support file security labels yet.

-- 
Stephen Smalley
National Security Agency

From ocschwar at MIT.EDU Wed Mar 30 17:20:05 2005
From: ocschwar at MIT.EDU (Omri Schwarz)
Date: Wed, 30 Mar 2005 12:20:05 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: Your message of "Wed, 30 Mar 2005 12:05:57 EST." <1112202357.8012.75.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200503301720.j2UHK52k022000@all-night-tool.mit.edu>

> On Wed, 2005-03-30 at 12:05 -0500, Omri Schwarz wrote:
> > The accounts were all redirected.
> > Nevertheless:
> >
> > drwxr-xr-x  root root system_u:object_r:home_root_t    etc
>
> grep -n home_root_t /etc/selinux/targeted/contexts/files/file_contexts
> rpm -V selinux-policy-targeted-sources
> rpm -V selinux-policy-targeted
>

# rpm -V selinux-policy-targeted
WARNING: Multiple same specifications for /usr/local/lost\+found(/.*)?.
WARNING: Multiple same specifications for /usr/local/\.journal.
S.5....TC c /etc/selinux/targeted/contexts/files/file_contexts
..5....T.  c /etc/selinux/targeted/policy/policy.18

Both have a cdate of today, the former since I followed the prescription to hand edit file_contexts, and the latter, not so sure. I did go into .../src/policy and do a make clean and make load (as per the FC3 SELinux FAQ, to see if I could increase the verbosity of the logging).

From sds at tycho.nsa.gov Wed Mar 30 17:50:27 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 30 Mar 2005 12:50:27 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: <200503301720.j2UHK52k022000@all-night-tool.mit.edu>
References: <200503301720.j2UHK52k022000@all-night-tool.mit.edu>
Message-ID: <1112205027.8012.104.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-03-30 at 12:20 -0500, Omri Schwarz wrote:
> # rpm -V selinux-policy-targeted
> WARNING: Multiple same specifications for /usr/local/lost\+found(/.*)?.
> WARNING: Multiple same specifications for /usr/local/\.journal.
> S.5....TC c /etc/selinux/targeted/contexts/files/file_contexts
> ..5....T.  c /etc/selinux/targeted/policy/policy.18
>
> Both have a cdate of today, the former since I followed the prescription to hand edit file_contexts, and the latter, not so sure.
> I did go into .../src/policy and do a make clean and make load (as per the FC3 SELinux FAQ, to see if I could increase the verbosity of the logging).

Yes, those files would be regenerated by the make load in the policy source directory (or even by installing the policy source package, I think, as that automatically does a build). Based on your description, I assume that genhomedircon is picking up entries from the NIS passwd map that have uids >= 500 and shells other than /sbin/nologin or /bin/false and that have home directories under /etc. So the same problem will recur every time you rebuild/update policy, I assume, as it will keep generating these bogus entries in the new file_contexts file.

-- 
Stephen Smalley
National Security Agency

From tim at birdsnest.maths.tcd.ie Wed Mar 30 12:53:05 2005
From: tim at birdsnest.maths.tcd.ie (Timothy Murphy)
Date: Wed, 30 Mar 2005 13:53:05 +0100
Subject: Selinux under FC-4 ?
Message-ID:

Will I be able to turn off selinux under FC-4?

Life is hard enough without inventing problems ...

-- 
Timothy Murphy
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

From ocschwar at MIT.EDU Wed Mar 30 18:08:09 2005
From: ocschwar at MIT.EDU (Omri Schwarz)
Date: Wed, 30 Mar 2005 13:08:09 -0500
Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
In-Reply-To: Your message of "Wed, 30 Mar 2005 11:25:47 EST." <200503301625.j2UGPlDB015477@all-night-tool.mit.edu>
Message-ID: <200503301808.j2UI89Vb028053@all-night-tool.mit.edu>

Mea maxima culpa, gentlemen.

The source of many of the errors was LibSafePlus, a library recently released and published in Usenix, and which I had been testing. I would have to look more closely at the getsebool source code to see why specifically it would cause that binary to fail. But it caused many to do so. (LibSafePlus by default adds itself to ld.so.preload.)

That solved the sudo and X login problems. I'm curious enough to wonder why I got the specific error messages I got with this library, so I will investigate further at a later date.

That leaves the issue of accounts in the NIS directory. There is one that does indeed have an /etc/ home, and I will need to look out for that because I can see that it will continue to cause /etc/ to be mis-contexed, but I suspect this problem will be relatively cosmetic.

Many thanks!

From sds at tycho.nsa.gov Wed Mar 30 18:00:11 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 30 Mar 2005 13:00:11 -0500
Subject: Selinux under FC-4 ?
In-Reply-To:
References:
Message-ID: <1112205611.8012.115.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-03-30 at 13:53 +0100, Timothy Murphy wrote:
> Will I be able to turn off selinux under FC-4?
>
> Life is hard enough without inventing problems ...

You should always be able to turn it off during the install or subsequently using system-config-securitylevel. No plans to change that AFAIK. But I'm not sure what you mean by the latter statement.

-- 
Stephen Smalley
National Security Agency

From walters at redhat.com Wed Mar 30 18:56:31 2005
From: walters at redhat.com (Colin Walters)
Date: Wed, 30 Mar 2005 13:56:31 -0500
Subject: httpd controls ?
In-Reply-To: <143f0f6c050330080315538a82@mail.gmail.com>
References: <424A7798.8030504@ardley.org> <143f0f6c050330073232244b66@mail.gmail.com> <1112196922.8012.37.camel@moss-spartans.epoch.ncsc.mil> <143f0f6c050330080315538a82@mail.gmail.com>
Message-ID: <1112208991.4373.22.camel@nexus.verbum.private>

On Wed, 2005-03-30 at 10:03 -0600, Christofer C. Bell wrote:
> That's a very good point and really bears spelling out. How would one go about creating the new domain and then implementing the proper transition for just one set of CGI scripts? I ask because I (was) running Open WebMail and ran into the case where I needed to effectively disable SELinux controls over all CGI scripts to allow OWM to run. I would have preferred the case where these controls were removed *only* for the relevant scripts, allowing the remaining scripts to keep the protections afforded by the default policy.

Dan has written a new domain "httpd_unconfined_t" and corresponding httpd_unconfined_script_exec_t which I believe is in the latest rawhide. You can then mark specific CGI scripts such as ones that change user passwords like so:

chcon -t httpd_unconfined_script_exec_t /path/to/my/passwd.cgi

Then the script will be unconfined when executed by httpd.

Note that in general this is fairly dangerous if the script is actually written in a language like Python, since a malicious httpd_t process could set a number of environment variables like PYTHONPATH before executing the script which could easily lead to a compromise of the unconfined script. I can't think of a good solution for this other than writing your own little C program. Probably we need a specialized interpreter, e.g. /bin/envexec which would take a list of environment variables to preserve, and you could write a little script like:

#!/bin/envexec /var/www/cgi-bin/myscript.cgi

Then you make that file executable and make its type be httpd_unconfined_script_exec_t.

Maybe someone can think of a better way to create wrappers for cleaning the environment without actually writing a new little C program.

From ocschwar at MIT.EDU Tue Mar 29 23:50:39 2005
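A constructed sketch of the /bin/envexec interpreter Colin describes, added here as an example; it is not an existing Fedora program or code from this list. The allow-list of CGI variables and the pinned PATH are assumptions. When the kernel runs a wrapper whose first line is `#!/bin/envexec /var/www/cgi-bin/myscript.cgi`, this program receives the real script as argv[1] and the wrapper's own path as argv[2]; it discards everything in the environment except the allow-listed variables and then executes the real script, so values such as PYTHONPATH, LD_PRELOAD or BASH_ENV set by the confined httpd_t process never reach the unconfined script.

```c
/* envexec.c: constructed example of an environment-scrubbing exec wrapper
 * for CGI scripts labelled httpd_unconfined_script_exec_t. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Variables a CGI script legitimately needs from the web server.
 * Assumed list; extend per site, but never add interpreter-influencing
 * names such as PYTHONPATH, PERL5LIB, LD_PRELOAD or BASH_ENV. */
static const char *const KEEP[] = {
    "GATEWAY_INTERFACE", "REQUEST_METHOD", "QUERY_STRING", "CONTENT_TYPE",
    "CONTENT_LENGTH", "REMOTE_ADDR", "SCRIPT_NAME", "SERVER_NAME",
    "SERVER_PORT", "HTTP_COOKIE", NULL
};

/* Return 1 if the NAME=VALUE entry `kv` names a variable in `keep`. */
static int name_allowed(const char *kv, const char *const *keep)
{
    const char *eq = strchr(kv, '=');
    if (!eq) return 0;                      /* malformed entry: drop it */
    size_t n = (size_t)(eq - kv);
    for (; *keep; keep++)
        if (strlen(*keep) == n && memcmp(*keep, kv, n) == 0)
            return 1;
    return 0;
}

/* Copy the allowed entries of `in` into `out` (capacity `cap` including the
 * terminating NULL), preserving order.  Returns the number kept, or -1 if
 * `out` is too small. */
int filter_env(char *const *in, const char *const *keep, char **out, size_t cap)
{
    size_t n = 0;
    for (; *in; in++) {
        if (!name_allowed(*in, keep)) continue;
        if (n + 1 >= cap) return -1;
        out[n++] = *in;
    }
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: envexec TARGET [WRAPPER]\n");
        return 2;
    }
    char *clean[64];
    /* Leave one slot for the pinned PATH added below. */
    int n = filter_env(environ, KEEP, clean, sizeof clean / sizeof clean[0] - 1);
    if (n < 0) {
        fprintf(stderr, "envexec: environment too large\n");
        return 1;
    }
    /* Never trust the caller's PATH; pin it to a fixed value. */
    clean[n++] = "PATH=/bin:/usr/bin";
    clean[n] = NULL;

    /* argv[1] is the real script named on the wrapper's #! line; argv[2],
     * the wrapper path the kernel appends, is intentionally dropped. */
    char *nargv[] = { argv[1], NULL };
    execve(argv[1], nargv, clean);
    perror("envexec: execve");
    return 127;
}
```

Because the target path is fixed in the wrapper file rather than taken from the request, relabelling only the wrapper is enough; the real script keeps its default label and is only ever reached through this scrubbed exec.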
From: ocschwar at MIT.EDU (Omri Schwarz)
Date: Tue, 29 Mar 2005 18:50:39 -0500
Subject: selinux-policy-targeted-1.17.30-2.90 troubles. (FC3)
Message-ID: <200503292350.j2TNodRm010664@mint-square.mit.edu>

A machine installed as FC3 got its update from up2date yesterday and now will no longer allow logins on the console, nor the X console, and will no longer allow the sudoers to sudo.

Touching /.autorelabel and rebooting has not fixed the problem.

The sudo problem only leaves this message to the console:

root:system_r:unconfined_t is not a valid context

And this in the logs:

Mar 29 18:19:55 HOST sudo: omri : TTY=pts/0 ; PWD=/nfs/newline/h1/omri ; USER=root ; COMMAND=/bin/su root

The attempt to log to the X console leaves this in the logs:

Mar 29 18:36:22 HOST gdm-binary[5538]: pam_krb5[5538]: authentication succeeds for 'omri' (omri at KRB5REALM)
Mar 29 18:36:22 HOST gdm(pam_unix)[5538]: session opened for user omri by (uid=0)
Mar 29 18:36:22 HOST gdm[5135]: gdm_cleanup_children: child 5538 crashed of signal 6
Mar 29 18:36:22 HOST gdm[5135]: gdm_cleanup_children: Slave crashed, killing its children

Logging in as root leaves what might be slightly more useful:

Mar 29 18:43:56 HOST gdm(pam_unix)[6206]: session opened for user root by (uid=0)
Mar 29 18:43:56 HOST dbus-daemon-1: avc: could not determine enforcing mode

Meanwhile, I can SSH in and su to root without a problem.

I am very much an SELinux newbie, and was hoping to learn about this system by installing the targeted policy and seeing it in action, but here I am mystified. None of the messages are enough for me to figure out what needs chcon'ing.

So I would be much obliged for any help you could offer.

From tim at birdsnest.maths.tcd.ie Thu Mar 31 01:15:51 2005
From: tim at birdsnest.maths.tcd.ie (Timothy Murphy)
Date: Thu, 31 Mar 2005 02:15:51 +0100
Subject: Selinux under FC-4 ?
References: <1112205611.8012.115.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

Stephen Smalley wrote:

>> Will I be able to turn off selinux under FC-4 ?
>>
>> Life is hard enough without inventing problems ...
>
> You should always be able to turn it off during the install or
> subsequently using system-config-securitylevel. No plans to change that
> AFAIK. But I'm not sure what you mean by the latter statement.

While selinux is probably important for big systems, I don't think it offers much for a home user like myself. It's possible, I suppose, that someone might get through my firewall (shorewall) but it doesn't seem very likely, as I don't run any services visible from outside.

On the other hand, when I very gently tested the water with selinux it had a number of unforeseen consequences, and it was clear that I would have to study the matter if I were to run the selinux service.

--
Timothy Murphy
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

From walters at redhat.com Thu Mar 31 02:39:49 2005
From: walters at redhat.com (Colin Walters)
Date: Wed, 30 Mar 2005 21:39:49 -0500
Subject: Selinux under FC-4 ?
In-Reply-To:
References: <1112205611.8012.115.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1112236789.3797.2.camel@nexus.verbum.private>

On Thu, 2005-03-31 at 02:15 +0100, Timothy Murphy wrote:
> Stephen Smalley wrote:
>
> >> Will I be able to turn off selinux under FC-4 ?
> >>
> >> Life is hard enough without inventing problems ...
> >
> > You should always be able to turn it off during the install or
> > subsequently using system-config-securitylevel. No plans to change that
> > AFAIK. But I'm not sure what you mean by the latter statement.
>
> While selinux is probably important for big systems,
> I don't think it offers much for a home user like myself.
> It's possible, I suppose, that someone might get through my firewall
> (shorewall) but it doesn't seem very likely,
> as I don't run any services visible from outside.

The real threat for your kind of system has always really been flaws in programs like firefox, movie players, image loaders, etc., not network daemons. While it's true that in Fedora right now the targeted SELinux policy does not confine those programs, in the future it will. Disabling it now will also disable the protection we will add in the future.

For a home user system you're not likely running Apache HTTPD, so I don't see why you have trouble with the current policy anyways.

From dwalsh at redhat.com Thu Mar 31 03:22:10 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 30 Mar 2005 22:22:10 -0500
Subject: selinux-policy-targeted-1.17.30-2.90 troubles. (FC3)
In-Reply-To: <200503292350.j2TNodRm010664@mint-square.mit.edu>
References: <200503292350.j2TNodRm010664@mint-square.mit.edu>
Message-ID: <424B6CE2.3010703@redhat.com>

Omri Schwarz wrote:
> A machine installed as FC3 got its update from up2date yesterday
> and now will no longer allow logins on the console, nor the X console,
> and will no longer allow the sudoers to sudo.
>
> Touching /.autorelabel and rebooting has not fixed the problem.
>
> The sudo problem only leaves this message to the console:
>
> root:system_r:unconfined_t is not a valid context
>
> And this in the logs:
>
> Mar 29 18:19:55 HOST sudo: omri : TTY=pts/0 ; PWD=/nfs/newline/h1/omri ;
> USER=root ; COMMAND=/bin/su root
>
> The attempt to log to the X console leaves this in the logs:
>
> Mar 29 18:36:22 HOST gdm-binary[5538]: pam_krb5[5538]: authentication succeeds
> for 'omri' (omri at KRB5REALM)
> Mar 29 18:36:22 HOST gdm(pam_unix)[5538]: session opened for user omri by
> (uid=0)
> Mar 29 18:36:22 HOST gdm[5135]: gdm_cleanup_children: child 5538 crashed of
> signal 6
> Mar 29 18:36:22 HOST gdm[5135]: gdm_cleanup_children: Slave crashed, killing
> its children
>
> Logging in as root leaves what might be slightly more useful:
>
> Mar 29 18:43:56 HOST gdm(pam_unix)[6206]: session opened for user root by
> (uid=0)
> Mar 29 18:43:56 HOST dbus-daemon-1: avc: could not determine enforcing mode
>
> Meanwhile, I can SSH in and su to root without a problem.
>
> I am very much an SELinux newbie, and was hoping to learn about this system by
> installing the targeted policy and seeing it in action, but here I am
> mystified.
> None of the messages are enough for me to figure out what needs chcon'ing.
>
> So I would be much obliged for any help you could offer.

I am not sure this is an SELinux problem. Did you try to boot with enforcing=0 on the command line?

Dan

--

From dwalsh at redhat.com Thu Mar 31 03:25:30 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 30 Mar 2005 22:25:30 -0500
Subject: vmware/vmnet:
In-Reply-To: <4c4ba1530503300850699d8e65@mail.gmail.com>
References: <4c4ba1530503300850699d8e65@mail.gmail.com>
Message-ID: <424B6DAA.9000302@redhat.com>

Tom London wrote:
> Running targeted/enforcing, latest rawhide.
>
> Notice the following AVC generated by VMware init sequence:
> Mar 30 06:33:35 localhost kernel: audit(1112193215.505:0): avc:
> denied { search } for pid=3690 exe=/sbin/ifconfig name=net dev=sysfs
> ino=225 scontext=user_u:system_r:ifconfig_t
> tcontext=system_u:object_r:sysfs_t tclass=dir
> Mar 30 06:33:35 localhost kernel: vmnet8: failed sysfs registration (-13)
>
> This seems to imply:
> allow ifconfig_t sysfs_t:dir search;
>
> ifconfig.te has
> domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
>
> So, should ifconfig_t be allowed the same access to sysfs_t as initrc_t, such as
> r_dir_file(ifconfig_t, sysfs_t)
>
> thanks,
> tom

Not sure that it needs this. Have you tried to allow it and seen if it gets more AVC messages? Or attempted to setenforce 0 to see if it asks for others.

Dan

--

From Valdis.Kletnieks at vt.edu Thu Mar 31 04:42:58 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 30 Mar 2005 23:42:58 -0500
Subject: Odd boolean in /etc/selinux/strict/booleans?
Message-ID: <200503310442.j2V4gxTe013625@turing-police.cc.vt.edu>

selinux-policy-strict-1.23.5-2 off Fedora devel tree today...

[/etc/selinux]3 grep -ri disable_games .
Binary file ./strict/policy/policy.19 matches
Binary file ./strict/policy/policy.18 matches
./strict/src/policy/domains/program/games.te:bool disable_games_trans false;
./strict/src/policy/macros/program/games_domain.te:if (! disable_games_trans) {
./strict/src/policy/policy.conf:if (! disable_games_trans) {
./strict/src/policy/policy.conf:if (! disable_games_trans) {
./strict/src/policy/policy.conf:if (! disable_games_trans) {
./strict/src/policy/policy.conf:bool disable_games_trans false;
Binary file ./strict/src/policy/policy.19 matches
./strict/booleans:disable_games=0

How come it's disable_games in strict/booleans, but disable_games_trans in the policy?

From ivg2 at cornell.edu Thu Mar 31 12:23:01 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Thu, 31 Mar 2005 07:23:01 -0500
Subject: Odd boolean in /etc/selinux/strict/booleans?
In-Reply-To: <200503310442.j2V4gxTe013625@turing-police.cc.vt.edu>
References: <200503310442.j2V4gxTe013625@turing-police.cc.vt.edu>
Message-ID: <1112271782.12133.16.camel@cobra.ivg2.net>

> How come it's disable_games in strict/booleans, but disable_games_trans in the
> policy?

disable_games_trans is correct, the file's probably out of date.

How come some of those booleans are set to 0 by default - doesn't that match the selinux policy? Is the booleans file supposed to override the src defaults? If so, shouldn't there be only 1s in that file (since the src defaults are all 0)?

Also, the securitylevel app marks things "Changed" every time I toggle them. It seems like it would be better if it marked things back to "Unchanged" when I toggled them back, to prevent it from writing out every random thing I toggle into booleans.local, whether or not I change it back to where it was.

Also, my old booleans file went to booleans.rpmsave. Does that mean that my booleans will be reset upon reboot? If so, should the %post script do something about that to address upgrade path from FC3->FC4?

--
Ivan Gyurdiev
Cornell University

From ivg2 at cornell.edu Thu Mar 31 12:28:30 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Thu, 31 Mar 2005 07:28:30 -0500
Subject: Odd boolean in /etc/selinux/strict/booleans?
In-Reply-To: <1112271782.12133.16.camel@cobra.ivg2.net>
References: <200503310442.j2V4gxTe013625@turing-police.cc.vt.edu> <1112271782.12133.16.camel@cobra.ivg2.net>
Message-ID: <1112272110.12133.18.camel@cobra.ivg2.net>

On Thu, 2005-03-31 at 07:23 -0500, Ivan Gyurdiev wrote:
> > How come it's disable_games in strict/booleans, but disable_games_trans in the
> > policy?
>
> disable_games_trans is correct, the file's probably out of date.
>
> How come some of those booleans are set to 0 by default - doesn't
> that match the selinux policy? Is the booleans file supposed to
> override the src defaults? If so, shouldn't there be only 1s in that
> file (since the src defaults are all 0)?
>
> Also, the securitylevel app marks things "Changed" every time I toggle
> them. It seems like it would be better if it marked things back to
> "Unchanged" when I toggled them back, to prevent it from writing out
> every random thing I toggle into booleans.local, whether or not I change
> it back to where it was.
>
> Also, my old booleans file went to booleans.rpmsave. Does that mean that
> my booleans will be reset upon reboot? If so, should the %post script do
> something about that to address upgrade path from FC3->FC4?

Also, should the post script remove nonexistent booleans from booleans.local upon upgrade?

--
Ivan Gyurdiev
Cornell University

From sds at tycho.nsa.gov Thu Mar 31 12:39:39 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 31 Mar 2005 07:39:39 -0500
Subject: Selinux under FC-4 ?
In-Reply-To:
References: <1112205611.8012.115.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1112272779.11216.19.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2005-03-31 at 02:15 +0100, Timothy Murphy wrote:
> While selinux is probably important for big systems,
> I don't think it offers much for a home user like myself.

Desktop users are vulnerable to exploitation by malicious code and malicious data-driven attacks.

http://www.nsa.gov/selinux/papers/inevitability/
http://www.selinux-symposium.org/2005/presentations/session3/3-1-walters.pdf

> It's possible, I suppose, that someone might get through my firewall
> (shorewall) but it doesn't seem very likely,
> as I don't run any services visible from outside.

Do you run any client software that talks to the network (browser, irc, whatever)? If so, it has the potential to be exploited. Or download any code and run it? Or play any downloaded music? Or view any downloaded documents? All of this opens you up to potential exploitation of flaws in the programs you use or active maliciousness in any code you run.

> On the other hand, when I very gently tested the water with selinux
> it had a number of unforeseen consequences,
> and it was clear that I would have to study the matter
> if I were to run the selinux service.

Yes, there is a learning curve, and it is a paradigm change for security. Nonetheless, necessary if you want to solve fundamental security problems.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Thu Mar 31 13:09:38 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 31 Mar 2005 08:09:38 -0500
Subject: Odd boolean in /etc/selinux/strict/booleans?
In-Reply-To: <1112271782.12133.16.camel@cobra.ivg2.net>
References: <200503310442.j2V4gxTe013625@turing-police.cc.vt.edu> <1112271782.12133.16.camel@cobra.ivg2.net>
Message-ID: <424BF692.5050105@redhat.com>

Ivan Gyurdiev wrote:
>> How come it's disable_games in strict/booleans, but disable_games_trans in the
>> policy?
>
> disable_games_trans is correct, the file's probably out of date.
>
> How come some of those booleans are set to 0 by default - doesn't
> that match the selinux policy? Is the booleans file supposed to
> override the src defaults? If so, shouldn't there be only 1s in that
> file (since the src defaults are all 0)?
>
> Also, the securitylevel app marks things "Changed" every time I toggle
> them. It seems like it would be better if it marked things back to
> "Unchanged" when I toggled them back, to prevent it from writing out
> every random thing I toggle into booleans.local, whether or not I change
> it back to where it was.
>
> Also, my old booleans file went to booleans.rpmsave. Does that mean that
> my booleans will be reset upon reboot? If so, should the %post script do
> something about that to address upgrade path from FC3->FC4?

Bad name in the installed file. It used to be disable_games. We might want to add a boolean back in to prevent users from running games at all. But we would need to remove exec_type from the attribute.

Dan

--

From dwalsh at redhat.com Thu Mar 31 13:11:28 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 31 Mar 2005 08:11:28 -0500
Subject: Odd boolean in /etc/selinux/strict/booleans?
In-Reply-To: <1112272110.12133.18.camel@cobra.ivg2.net>
References: <200503310442.j2V4gxTe013625@turing-police.cc.vt.edu> <1112271782.12133.16.camel@cobra.ivg2.net> <1112272110.12133.18.camel@cobra.ivg2.net>
Message-ID: <424BF700.8000605@redhat.com>

Ivan Gyurdiev wrote:
> On Thu, 2005-03-31 at 07:23 -0500, Ivan Gyurdiev wrote:
>>> How come it's disable_games in strict/booleans, but disable_games_trans in the
>>> policy?
>>
>> disable_games_trans is correct, the file's probably out of date.
>>
>> How come some of those booleans are set to 0 by default - doesn't
>> that match the selinux policy? Is the booleans file supposed to
>> override the src defaults? If so, shouldn't there be only 1s in that
>> file (since the src defaults are all 0)?
>>
>> Also, the securitylevel app marks things "Changed" every time I toggle
>> them. It seems like it would be better if it marked things back to
>> "Unchanged" when I toggled them back, to prevent it from writing out
>> every random thing I toggle into booleans.local, whether or not I change
>> it back to where it was.
>>
>> Also, my old booleans file went to booleans.rpmsave. Does that mean that
>> my booleans will be reset upon reboot? If so, should the %post script do
>> something about that to address upgrade path from FC3->FC4?
>
> Also, should the post script remove nonexistent booleans from
> booleans.local upon upgrade?

We could make the setsebool smarter to handle this. But currently all post is doing is looking for an rpmsave file since booleans will now be replaced, and renaming it to local iff local did not already exist. setsebool now will only modify the specified boolean in the booleans.local file.

Dan

--

From tim at birdsnest.maths.tcd.ie Thu Mar 31 14:31:06 2005
From: tim at birdsnest.maths.tcd.ie (Timothy Murphy)
Date: Thu, 31 Mar 2005 15:31:06 +0100
Subject: Selinux under FC-4 ?
References: <1112205611.8012.115.camel@moss-spartans.epoch.ncsc.mil> <1112236789.3797.2.camel@nexus.verbum.private>
Message-ID:

Colin Walters wrote:

> For a home user system you're not likely running Apache HTTPD, so I
> don't see why you have trouble with the current policy anyways.

Actually I am running httpd on my desktop (for internal use). IIRC, that was where some at least of my selinux problems appeared.

However, I'm happy enough for selinux to be there, as long as I can turn it off. One day, when I have lots of time to spare I'll study it ...

--
Timothy Murphy
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

From Valdis.Kletnieks at vt.edu Thu Mar 31 15:08:04 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 31 Mar 2005 10:08:04 -0500
Subject: using tmpfs for /tmp and selinux
In-Reply-To: Your message of "Mon, 28 Mar 2005 09:01:19 EST." <1112018479.2914.31.camel@moss-spartans.epoch.ncsc.mil>
References: <42415CF0.6010102@feuerpokemon.de> <1111583217.21107.9.camel@moss-spartans.epoch.ncsc.mil> <42426FAD.40109@feuerpokemon.de> <1111670247.12486.5.camel@moss-spartans.epoch.ncsc.mil> <4244130C.8030304@feuerpokemon.de> <1111759184.15280.47.camel@moss-spartans.epoch.ncsc.mil> <20050325175603.GB15370@nostromo.devel.redhat.com> <1111774130.15280.153.camel@moss-spartans.epoch.ncsc.mil> <424526CE.1020802@feuerpokemon.de> <1112018479.2914.31.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200503311508.j2VF85w6013515@turing-police.cc.vt.edu>

On Mon, 28 Mar 2005 09:01:19 EST, Stephen Smalley said:
> On Sat, 2005-03-26 at 10:09 +0100, dragoran wrote:
> > it still does not work with the restorecon /tmp line and the policy
> > changes....
> > same avcs...
>
> Hmmm...Dan reported it working for him with just those two changes.
> That was on a FC4/devel system with strict policy, but I'd expect it to
> work fine under FC3 and targeted policy too. Are you sure that you
> added 'allow tmpfile tmpfs_t:filesystem associate;' to your policy and
> rebuilt it and installed it? What are the specific avcs that you see?

Just a confirmation - this is a 'works for me' on a Fedora -devel system synced up to yesterday's tree - the policy change was in the RPM already, had to make the one-line hack to add the restorecon to rc.sysinit.

Am running fine with /tmp on a tmpfs - so now /tmp gets auto-cleaned at each reboot (it's a laptop, so that's a fairly frequent occurrence - somehow, "suspend" just doesn't do it for me).

Now if I were really paranoid, I'd enable encrypted swap... :)
From ivg2 at cornell.edu Thu Mar 31 15:26:42 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Thu, 31 Mar 2005 10:26:42 -0500
Subject: Odd boolean in /etc/selinux/strict/booleans?
In-Reply-To: <424BF700.8000605@redhat.com>
References: <200503310442.j2V4gxTe013625@turing-police.cc.vt.edu> <1112271782.12133.16.camel@cobra.ivg2.net> <1112272110.12133.18.camel@cobra.ivg2.net> <424BF700.8000605@redhat.com>
Message-ID: <1112282802.12770.3.camel@cobra.ivg2.net>

> We could make the setsebool smarter to handle this. But currently all
> post is doing is looking for an rpmsave file since booleans will now be
> replaced,
> and renaming it to local iff local did not already exist.

No, it's looking for an rpmorig file, which is why it doesn't work. Isn't rpmorig created when it wasn't in the rpm database to begin with?

--
Ivan Gyurdiev
Cornell University

From lfarkas at bppiac.hu Thu Mar 31 15:35:46 2005
From: lfarkas at bppiac.hu (Farkas Levente)
Date: Thu, 31 Mar 2005 17:35:46 +0200
Subject: nscd with selinux with ssl
Message-ID: <424C18D2.1080300@bppiac.hu>

hi,
i try to use nscd with ldap and tls. in this case you should define a cacert, cert and key file for nss. but afaik there is no default place to put these files and there is no default policy to allow nscd to read any kind of pem file(s). it'd be useful to define a standard place for these cert files and allow nscd to read these files.
yours.

--
Levente "Si vis pacem para bellum!"

From dwalsh at redhat.com Thu Mar 31 15:35:15 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 31 Mar 2005 10:35:15 -0500
Subject: nscd with selinux with ssl
In-Reply-To: <424C18D2.1080300@bppiac.hu>
References: <424C18D2.1080300@bppiac.hu>
Message-ID: <424C18B3.3010201@redhat.com>

Farkas Levente wrote:
> hi,
> i try to use nscd with ldap and tls. in this case you should define a
> cacert, cert and key file for nss. but afaik there is no default place
> to put these files and there is no default policy to allow nscd to read
> any kind of pem file(s). it'd be useful to define a standard place for
> these cert files and allow nscd to read these files.
> yours.
>

/usr/share/ssl/certs??

Although I still think this stuff belongs in /etc but I don't make the rules.

--

From lfarkas at bppiac.hu Thu Mar 31 15:59:37 2005
From: lfarkas at bppiac.hu (Farkas Levente)
Date: Thu, 31 Mar 2005 17:59:37 +0200
Subject: senlinux configuration, are you sure it's the right way?
Message-ID: <424C1E69.6030308@bppiac.hu>

hi,
after i have played a few days with selinux, apache and other daemons and programs the whole selinux configuration seems to me a bit confusing. if i found any kind of problem with the "default" selinux setup which is not a big thing since most systems are different and there are lots of programs which are not included in the core distro. i have to report it and the next update will include it. my question: why does selinux include the default policies? why does selinux-policy-* contain the right access rights for all included daemons, programs? wouldn't it be much better if all packages included their own policy and in the rpm postinstall session reload/add/modify the new policies. this is something similar to the libs. i only install those libs which are needed for me and at the postinstall session run an ldconfig. i wouldn't like to install all libs! why should i install policies for eg. apache when i don't run apache? why should i update selinux-policy-* just because there was a bug in the apache part of the policy when i don't run apache? the current case is something like one big monolithic policy configuration which most of the time is not suitable for anyone (anyone who runs anything else than the default needs to modify it or run any webscript or). of course my main problem is not with apache policies but rather with the whole system and way of configuration of selinux. wouldn't there be an easier and modularized way to use selinux and configure it for the needed things. probably there is need for some core policy but all other policy can be modularized. or did i miss something?
just my 2c.
yours.

--
Levente "Si vis pacem para bellum!"

From ivg2 at cornell.edu Thu Mar 31 16:07:51 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Thu, 31 Mar 2005 11:07:51 -0500
Subject: Odd boolean in /etc/selinux/strict/booleans?
In-Reply-To: <424BF692.5050105@redhat.com>
References: <200503310442.j2V4gxTe013625@turing-police.cc.vt.edu> <1112271782.12133.16.camel@cobra.ivg2.net> <424BF692.5050105@redhat.com>
Message-ID: <1112285271.12817.2.camel@cobra.ivg2.net>

> Bad name in the installed file. It used to be disable_games. We might
> want to add a
> boolean back in to prevent users from running games at all. But we
> would need to remove
> exec_type from the attribute.

Prevent users from running games? Why do we want to do that? What's wrong with the current approach to doing this...namely..don't install any games, and then the users won't be running them.

--
Ivan Gyurdiev
Cornell University

From dwalsh at redhat.com Thu Mar 31 16:02:04 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 31 Mar 2005 11:02:04 -0500
Subject: senlinux configuration, are you sure it's the right way?
In-Reply-To: <424C1E69.6030308@bppiac.hu>
References: <424C1E69.6030308@bppiac.hu>
Message-ID: <424C1EFC.8080506@redhat.com>

Farkas Levente wrote:
> hi,
> after i have played a few days with selinux, apache and other
> daemons and programs the whole selinux configuration seems to me a bit
> confusing. if i found any kind of problem with the "default" selinux
> setup which is not a big thing since most systems are different and
> there are lots of programs which are not included in the core distro.
> i have to report it and the next update will include it. my question:
> why does selinux include the default policies? why does selinux-policy-*
> contain the right access rights for all included daemons, programs?
> wouldn't it be much better if all packages included their own policy and
> in the rpm postinstall session reload/add/modify the new policies.
> this is something similar to the libs. i only install those libs
> which are needed for me and at the postinstall session run an ldconfig. i
> wouldn't like to install all libs! why should i install policies for
> eg. apache when i don't run apache? why should i update
> selinux-policy-* just because there was a bug in the apache part of
> the policy when i don't run apache? the current case is something like one
> big monolithic policy configuration which most of the time is not suitable
> for anyone (anyone who runs anything else than the default needs to
> modify it or run any webscript or). of course my main problem is not with
> apache policies but rather with the whole system and way of configuration
> of selinux. wouldn't there be an easier and modularized way to use selinux
> and configure it for the needed things. probably there is need for some
> core policy but all other policy can be modularized. or did i miss
> something?
> just my 2c.
> yours.
>

Yes this is something we are working on. Currently there are lots of interdependencies in policy that make separating them out difficult.

Currently the only way to add or remove a policy, is via source code. So if I want to remove apache policy, I need to install the policy sources and mv apache.te file out of the programs directory. Then recompile and reload the policy.

Tresys corporation is working on loadable modules that may be able to solve this problem. We are working towards the point where you would have an apache policy file that would get loaded and unloaded depending on whether you are running apache, and then the policy file could be supplied with the binaries.

This is new technology and we are working to improve it.

Dan

--

From lfarkas at bppiac.hu Thu Mar 31 16:07:19 2005
From: lfarkas at bppiac.hu (Farkas Levente)
Date: Thu, 31 Mar 2005 18:07:19 +0200
Subject: nscd with selinux with ssl
In-Reply-To: <424C18B3.3010201@redhat.com>
References: <424C18D2.1080300@bppiac.hu> <424C18B3.3010201@redhat.com>
Message-ID: <424C2037.3080006@bppiac.hu>

Daniel J Walsh wrote:
> Farkas Levente wrote:
>
>> hi,
>> i try to use nscd with ldap and tls. in this case you should define a
>> cacert, cert and key file for nss. but afaik there is no default place
>> to put these files and there is no default policy to allow nscd to read
>> any kind of pem file(s). it'd be useful to define a standard place for
>> these cert files and allow nscd to read these files.
>> yours.
>>
> /usr/share/ssl/certs??
>
> Although I still think this stuff belongs in /etc but I don't make the
> rules.

the first thing i always do after a fresh install:
----------------------------
mv /usr/share/ssl /etc
cd /usr/share
ln -s /etc/ssl
----------------------------
:-) so i definitely agree with you. i don't know who makes this rule, but it'd be _very_ useful to convince him, that config files should be somewhere under /etc/ (but that's another story).

and my current pem files are under /etc/ssl/,
----------------------------
# ls -aZ /etc/ssl/certs/cacert.pem
-rw-r--r--  root     root     root:object_r:usr_t              /etc/ssl/certs/cacert.pem
----------------------------
and in my messages:
----------------------------
Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file
----------------------------
that's why i ask for it:-)
yours.

--
Levente "Si vis pacem para bellum!"

From dwalsh at redhat.com Thu Mar 31 16:09:15 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 31 Mar 2005 11:09:15 -0500
Subject: Odd boolean in /etc/selinux/strict/booleans?
In-Reply-To: <1112285271.12817.2.camel@cobra.ivg2.net>
References: <200503310442.j2V4gxTe013625@turing-police.cc.vt.edu> <1112271782.12133.16.camel@cobra.ivg2.net> <424BF692.5050105@redhat.com> <1112285271.12817.2.camel@cobra.ivg2.net>
Message-ID: <424C20AB.5020006@redhat.com>

Ivan Gyurdiev wrote:
>> Bad name in the installed file. It used to be disable_games. We might
>> want to add a
>> boolean back in to prevent users from running games at all. But we
>> would need to remove
>> exec_type from the attribute.
>
> Prevent users from running games? Why do we want to do that?
> What's wrong with the current approach to doing this...namely..don't
> install any games, and then the users won't be running them.

I am thinking of the situation where you might want users in a certain role to be allowed to play games and others not, on a shared machine. A more interesting example would be to disallow sysadm from running games, mozilla ... Basically a user accidentally runs mozilla or a game while newroled to sysadm. Might be nice to have that error out. Ordinarily a transition happens but still it would be nice to prevent this.

Dan

--

From sds at tycho.nsa.gov Thu Mar 31 16:06:27 2005
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 31 Mar 2005 11:06:27 -0500 Subject: senlinux configuration, are you sure it's the right way? In-Reply-To: <424C1E69.6030308@bppiac.hu> References: <424C1E69.6030308@bppiac.hu> Message-ID: <1112285187.11216.111.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2005-03-31 at 17:59 +0200, Farkas Levente wrote: > my question why > selinux include the default policies? why selinux-policy-* contains the > right acces rights for all included deamons, programs? wouldn't it be > much better to all package include it's own policy and in the rpm > postinstall session reload/add/modify the new policies. That idea has been considered in the past, but it has some issues, e.g. - The current policy doesn't provide a real module abstraction, and lacks a strong dependency model and a way to easily handle variations in the base policy when inserting a new policy "module". That is being addressed by recent work by Tresys Technology to create a real module abstraction for policy; that work should be upstreamed in the near future. - While some aspects of the policy are highly localized (e.g. least privilege requirements on a particular application), other aspects require a global view of the policy (e.g. information flow constraints to ensure confidentiality and integrity guarantees). Hence, it is difficult to truly modularize policy in the same manner as packages. - Policy is intended to organize the system into security equivalence classes, i.e. not every package should have its own policy, and multiple packages should share the same policy. Hence, you need a layer of indirection between the policies and the packages. - Policy should be defined by the security administrator, not by the application writer. 
The application writer can help by providing information about what resources an application needs in order to function, but ultimately the decision about how to allow the application to interact with the base system should be made by the security admin, sometimes even denying access to the application, which may reduce its available functionality or force it to alternative code paths.

--
Stephen Smalley
National Security Agency

From walters at redhat.com Thu Mar 31 16:16:35 2005
From: walters at redhat.com (Colin Walters)
Date: Thu, 31 Mar 2005 11:16:35 -0500
Subject: Selinux under FC-4 ?
In-Reply-To:
References: <1112205611.8012.115.camel@moss-spartans.epoch.ncsc.mil> <1112236789.3797.2.camel@nexus.verbum.private>
Message-ID: <1112285795.6265.9.camel@nexus.verbum.private>

On Thu, 2005-03-31 at 15:31 +0100, Timothy Murphy wrote:
> Colin Walters wrote:
>
> > For a home user system you're not likely running Apache HTTPD, so I don't see why you have trouble with the current policy anyways.
>
> Actually I am running httpd on my desktop (for internal use). IIRC, that was where some at least of my selinux problems appeared.

Ok. You can turn enforcement off just for Apache, you know:

http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c-securitylevel

This is far preferable to disabling it entirely.

> However, I'm happy enough for selinux to be there, as long as I can turn it off.

Please don't do that; reporting bugs instead (and perhaps disabling enforcement for specific services as an interim measure) will help us solve problems and benefit everyone.

From dwalsh at redhat.com Thu Mar 31 16:13:17 2005
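A worked check for the per-service switch Colin points at. This is an added example, not code from the thread or from the Fedora tools: on FC3/RHEL4 targeted policy, system-config-securitylevel's "disable SELinux protection for <service>" flips a `<service>_disable_trans` boolean, and with that boolean on the daemon never transitions into its confined domain, so SELinux no longer restricts it at all. The script lists such services from `getsebool -a` style output so an "interim measure" does not quietly become permanent. The `getsebool` output below is a constructed sample (the boolean names and states are made up for the example), and it accepts both the older `active`/`inactive` and the newer `on`/`off` wording.

```shell
#!/bin/sh
# Added example: audit which targeted-policy services have their domain
# transition switched off via a <service>_disable_trans boolean. Such a
# daemon runs unconfined, i.e. SELinux is effectively disabled for it.

# Constructed sample of `getsebool -a` output (names/states made up for the
# example). Old policycoreutils printed "active"/"inactive", newer "on"/"off".
SAMPLE_GETSEBOOL='allow_ypbind --> active
httpd_disable_trans --> active
httpd_enable_cgi --> active
named_disable_trans --> inactive
nscd_disable_trans --> on
squid_disable_trans --> off'

# unconfined_services: read "name --> state" lines on stdin and print the
# service part of every *_disable_trans boolean that is switched on.
unconfined_services() {
    awk '$2 == "-->" && $1 ~ /_disable_trans$/ && ($3 == "active" || $3 == "on") {
             sub(/_disable_trans$/, "", $1); print $1 }'
}

# check_transitions TEXT: return 1 and print a warning per unconfined
# service, with the setsebool command that re-enables its transition
# (-P makes the change persistent across reboots); return 0 otherwise.
check_transitions() {
    found=$(printf '%s\n' "$1" | unconfined_services)
    if [ -z "$found" ]; then
        echo "ok: every *_disable_trans boolean is off"
        return 0
    fi
    for svc in $found; do
        printf 'WARNING: %s runs unconfined; re-enable with: setsebool -P %s_disable_trans 0\n' "$svc" "$svc"
    done
    return 1
}

# Demo on the sample. On a live box:  getsebool -a | unconfined_services
check_transitions "$SAMPLE_GETSEBOOL" || :
```

The nonzero return from `check_transitions` is deliberate so the function can gate a post-install or nightly check; `setsebool` without `-P` only changes the running policy and the switch comes back on reboot.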
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 31 Mar 2005 11:13:17 -0500
Subject: nscd with selinux with ssl
In-Reply-To: <424C2037.3080006@bppiac.hu>
References: <424C18D2.1080300@bppiac.hu> <424C18B3.3010201@redhat.com> <424C2037.3080006@bppiac.hu>
Message-ID: <424C219D.4070206@redhat.com>

Farkas Levente wrote:
> Daniel J Walsh wrote:
>> Farkas Levente wrote:
>>> hi,
>>> i try to use nscd with ldap and tls. in this case you should define a cacert, cert and key file for nss. but afaik there is no default place to put these files and there is no default policy to allow nscd to read any kind of pem file(s). it'd be useful to define a standard place for these cert files and allow nscd to read these files.
>>> yours.
>>>
>> /usr/share/ssl/certs??
>>
>> Although I still think this stuff belongs in /etc but I don't make the rules.
>
> the first thing i always do after a fresh install:
> ----------------------------
> mv /usr/share/ssl /etc
> cd /usr/share
> ln -s /etc/ssl
> ----------------------------
> :-) so i definitely agree with you. i don't know who makes this rule, but it'd be _very_ useful to convince him that config files should have to be under somewhere /etc/ (but that's another story).
> and my current pem files are under /etc/ssl/,
> ----------------------------
> # ls -aZ /etc/ssl/certs/cacert.pem
> -rw-r--r-- root root root:object_r:usr_t /etc/ssl/certs/cacert.pem
> ----------------------------
> and in my messages:
> ----------------------------
> Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file
> ----------------------------
> that's why i ask for it:-)
> yours.
>
I believe FC3 policy selinux-policy-targeted-1.17.30-2.90 has nscd.te allowing it to read usr_t.

Rawhide has added a type of cert_t, so you could execute

chcon -t cert_t /etc/ssl/certs/cacert.pem

--
From lfarkas at bppiac.hu Thu Mar 31 16:19:38 2005
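A worked version of the triage Dan's answer implies, as an added example that is not code from the thread: pull the fields out of an `avc: denied` record, summarise who was denied what on which type, and turn a file-label denial into the `chcon -t` command, together with the `file_contexts` entry that is needed for the label to survive a full relabel (a relabel, as triggered by `/.autorelabel`, resets every file to what `file_contexts` says, so `chcon` on its own is not persistent). The two records are constructed copies of Levente's denial: the first has only `name=`/`dev=`/`ino=` as in his log, the second is a hypothetical record with a `path=` field of the kind some kernels emit. The `/path/to/` placeholder in the output is exactly that, a placeholder for the admin to resolve.

```shell
#!/bin/sh
# Added example, not code from the thread: parse an "avc: denied" kernel
# message and derive the relabel commands for a file-label denial.

# Constructed samples. SAMPLE_AVC mirrors the record posted in the thread
# (name=/dev=/ino= only); SAMPLE_AVC_PATH is a hypothetical variant that
# also carries path=.
SAMPLE_AVC='Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file'
SAMPLE_AVC_PATH='Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { read } for pid=14271 exe=/usr/sbin/nscd path=/etc/ssl/certs/cacert.pem dev=md0 ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file'

# avc_field LINE KEY: value of the " KEY=value" token, empty if absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"
}

# avc_perms LINE: the permissions between the braces, e.g. "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# ctx_type CONTEXT: the type field of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "source_type -> target_type (class) denied perms".
avc_summary() {
    printf '%s -> %s (%s) denied %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# relabel_advice LINE NEWTYPE: the chcon command for the denied object.
# Records with only name=/dev=/ino= need the object located first, so a
# find hint and a /path/to placeholder are printed for the admin.
relabel_advice() {
    path=$(avc_field "$1" path)
    if [ -n "$path" ]; then
        printf 'chcon -t %s %s\n' "$2" "$path"
    else
        name=$(avc_field "$1" name)
        printf '# locate it first: find / -xdev -inum %s -name %s   (dev=%s)\n' \
            "$(avc_field "$1" ino)" "$name" "$(avc_field "$1" dev)"
        printf 'chcon -t %s /path/to/%s\n' "$2" "$name"
    fi
}

# fcontext_line DIR TYPE: a file_contexts entry covering DIR and everything
# below it. This, not chcon, is what a full relabel (fixfiles relabel,
# /.autorelabel, restorecon) puts back.
fcontext_line() {
    printf '%s(/.*)?  system_u:object_r:%s\n' "$1" "$2"
}

# Demo on the samples. On a live box: grep 'avc: denied' /var/log/messages
# and feed each line to avc_summary / relabel_advice.
for rec in "$SAMPLE_AVC" "$SAMPLE_AVC_PATH"; do
    avc_summary "$rec"
    relabel_advice "$rec" cert_t
done
fcontext_line /etc/ssl/certs cert_t
```

After `chcon`, confirm with `ls -Z` that the type is the one the policy grants nscd_t access to; a denial that persists after the relabel means the running policy has no rule for that type and the fix is a policy update, not a label change.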
From: lfarkas at bppiac.hu (Farkas Levente)
Date: Thu, 31 Mar 2005 18:19:38 +0200
Subject: senlinux configuration, are you sure it's the right way?
In-Reply-To: <424C1EFC.8080506@redhat.com>
References: <424C1E69.6030308@bppiac.hu> <424C1EFC.8080506@redhat.com>
Message-ID: <424C231A.8060800@bppiac.hu>

Daniel J Walsh wrote:
> Farkas Levente wrote:
>> hi,
>> after having played a few days with selinux, apache and other daemons and programs the whole selinux configuration seems to me a bit confusing. if i find any kind of problem with the "default" selinux setup, which is not a big thing since most systems are different and there are lots of programs which are not included in the core distro, i have to report it and the next update will include it. my question: why does selinux include the default policies? why does selinux-policy-* contain the right access rights for all included daemons, programs? wouldn't it be much better if every package included its own policy and in the rpm postinstall session reloaded/added/modified the new policies? this is something similar to the libs. i only install those libs which are needed for me and at the postinstall session run an ldconfig. i wouldn't like to install all libs! why should i install policies for eg. apache when i don't run apache? why should i update selinux-policy-* just because there was a bug in the apache part of the policy when i don't run apache? the current case is one big monolithic policy configuration which most of the time is not suitable for anyone (anyone who runs anything other than the default needs to modify it or run any webscript or). of course my main problem is not with apache policies but rather with the whole system and way of configuration of selinux. wouldn't there be an easier and modularized way to use selinux and configure it for the needed thing? probably there is need for some core policy but all other policies can be modularized. or did i miss something?
>> just my 2c.
>> yours.
>>
> Yes this is something we are working on. Currently there are lots of interdependencies in policy that make separating them out difficult. Currently the only way to add or remove a policy is via source code. So if I want to remove apache policy, I need to install the policy sources and mv apache.te file out of the programs directory. Then recompile and reload the policy.
> Tresys corporation is working on loadable modules that may be able to solve this problem. We are working towards the point where you would have an apache policy file that would get loaded and unloaded depending on whether you are running apache, and then the policy file could be supplied with the binaries.

but until this happens wouldn't it still be better to always install policy sources too, have binaries install their own policy source under /etc/selinux/*/src/policy/ and postinstall run a make reload? even if it's not the best way imho it's still better than the current one. and the policy source is not really a big overhead.
anyway my main problem is not with the overhead of apache's policy if i don't use apache, but rather that currently there is no proper way to install/add any package/program/daemon which is not in the core distro and requires some policy changes. since it's obvious that you wouldn't like to include and maintain policy for foobar when it's not in the distro (and not even in extras). but if each package installs its own policy then there can be a common and working way to do so. what if there were an apache-policy...rpm? then if i don't use selinux i shouldn't have to install apache-policy even if i install apache.

> This is new technology and we are working to improve it.

yes, i know that. so i wouldn't like to blame you, since i used to get the quickest response from you:-) i only try to suggest some improvement to the current system.

--
Levente "Si vis pacem para bellum!"
From dwalsh at redhat.com Thu Mar 31 16:22:58 2005 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 31 Mar 2005 11:22:58 -0500 Subject: senlinux configuration, are you sure it's the right way? In-Reply-To: <424C231A.8060800@bppiac.hu> References: <424C1E69.6030308@bppiac.hu> <424C1EFC.8080506@redhat.com> <424C231A.8060800@bppiac.hu> Message-ID: <424C23E2.5000808@redhat.com> Farkas Levente wrote: > Daniel J Walsh wrote: > >> Farkas Levente wrote: >> >>> hi, >>> after i having played a few days with selinux, apache and other >>> daemons and programs the whole selinux configuration seems to me a >>> bit confusing. if i found any kind of problem with the "default" >>> selinux setup which is not big thing since most systems are >>> different and there are a lots of program which are not included in >>> the core distro. i have to report it and the next update will >>> include it. my question why selinux include the default policies? >>> why selinux-policy-* contains the right acces rights for all >>> included deamons, programs? wouldn't it be much better to all >>> package include it's own policy and in the rpm postinstall session >>> reload/add/modify the new policies. this is something similar to the >>> libs. i only install only those lib which needed for me and at the >>> postinstall session run an ldconfig. i wouldn't like to install all >>> libs! why should i install policies for eg. apache when i don't run >>> apache? why should i update selinux-policy-* just because there was >>> a bug in the apache part of the policy when i don't run apache? the >>> current case is something one big monolitic policy configuration >>> which most of the time not suitable for anyone (anyone who run >>> anything else then the default need to modify it or run any >>> webscript or). of course my main problem not with apache policies >>> rather then the whole system and way of configuration of selinux. >>> wouldn't be any easier and modularized way to use selinux and >>> configure it for the needed thing. 
probably there is need for some >>> core policy but all others policy can be modularized. or do i missed >>> something? >>> just my 2c. >>> yours. >>> >> Yes this is something we are working on. Currenly there are lots of >> interdendancies in policy that make separating them out difficult. >> Currently the only way to add or remove a policy, is via source >> code. So if I want to remove apache policy, I need to install the >> policy sources and mv apache.te file out of the programs directory. >> Then recompile and reload the policy. >> Tresys corporation is working on loadable modules that may be able to >> solve this problem. We are working towards the point where you >> would have an apache policy file that would get loaded and unloaded >> depending on whether you are running apache, and then the policy file >> could be supplied with the binaries. > > > but until this happend wouldn't it be still better to always install > policy sources too, binaries install it's own policy source under > /etc/selinux/*/src/policy/ and postinstall run a make reload? > even it's not the best why imho it's still better then the current > one. and the ploicy source not realy a big overhead. > anyway my main problem not with the overhead of apache's policy if i > don't use policy rather then currently there is no proper way to > install/add any package/program/daemon which is not in the core distro > and required some policy changes. since it's obvious that you wouldn't > like to include and maintain policy for foobar when it's not in the > distro (and not even in extras). but if each package install it's own > policy the there can a common and working way to do so. what's if > there can be apache-policy...rpm then if i don't use selinux then i > shouldn't have to install apache-policy even if i install apache. > >> This is new technology and we are working to improve it. > > > yes, i know that. 
> so i wouldn't like to blame you, since i used to get the quickest response from you:-) i only try to suggest some improvement to the current system.
>
Also from Red Hat's perspective having policy sources installed gives us major headaches for support. If users start moving files into/out of unused directories, things are going to start breaking. We don't want some support call because someone decided to try out the latest wizbang policy, and it broke their ABC Application. Also policy sources require a full build environment to work. Make, M4, checkpolicy ... On a minimal install machine this is a big overhead.

--
From lfarkas at bppiac.hu Thu Mar 31 16:27:00 2005
From: lfarkas at bppiac.hu (Farkas Levente) Date: Thu, 31 Mar 2005 18:27:00 +0200 Subject: nscd with selinux with ssl In-Reply-To: <424C219D.4070206@redhat.com> References: <424C18D2.1080300@bppiac.hu> <424C18B3.3010201@redhat.com> <424C2037.3080006@bppiac.hu> <424C219D.4070206@redhat.com> Message-ID: <424C24D4.9080109@bppiac.hu> Daniel J Walsh wrote: > Farkas Levente wrote: > >> Daniel J Walsh wrote: >> >>> Farkas Levente wrote: >>> >>>> hi, >>>> i try to use nscd with ldap and tls. in this case you should define >>>> a cacert, cert and key file for nss. but afaik there is no default >>>> palce to put these file and there is no default policy to allow nscd >>>> to read any kind of pem file(s). it'd be useful to define a standard >>>> place for these cert files and allow nscd to read these files. >>>> yours. >>>> >>> /usr/share/ssl/certs?? >>> >>> Although I still think this stuff belongs in /etc but I don't make >>> the rules. >> >> >> >> the first thing i always do aftera fresh install: >> ---------------------------- >> mv /usr/share/ssl /etc >> cd /usr/share >> ln -s /etc/ssl >> ---------------------------- >> :-) so i definitely agree with you. i don't know make this rule, but >> it'd be _very_ useful to convince him, that config files should have >> to be under somewhere /etc/ (but that's another story). >> and my current pem files are under /etc/ssl/, >> ---------------------------- >> # ls -aZ /etc/ssl/certs/cacert.pem >> -rw-r--r-- root root root:object_r:usr_t >> /etc/ssl/certs/cacert.pem >> ---------------------------- >> and in my messages: >> ---------------------------- >> Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { >> read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 >> ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t >> tclass=file >> ---------------------------- >> that's why i ask for it:-) >> yours. 
>>
> I believe FC3 policy selinux-policy-targeted-1.17.30-2.90 has nscd.te allowing it to read usr_t.
>
> Rawhide has added a type of cert_t, so you could execute
>
> chcon -t cert_t /etc/ssl/certs/cacert.pem

the truth is that this is a rhel 4 (but there is no redhat-selinux list:-) and afaik on it the latest update is selinux-policy-targeted-1.17.30-2.52.1, so i'd rather wait for an official update (from you:-) and not run nscd until this happens...
thanks anyway.

--
Levente "Si vis pacem para bellum!"
From dwalsh at redhat.com Thu Mar 31 16:25:20 2005
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 31 Mar 2005 11:25:20 -0500 Subject: nscd with selinux with ssl In-Reply-To: <424C24D4.9080109@bppiac.hu> References: <424C18D2.1080300@bppiac.hu> <424C18B3.3010201@redhat.com> <424C2037.3080006@bppiac.hu> <424C219D.4070206@redhat.com> <424C24D4.9080109@bppiac.hu> Message-ID: <424C2470.4050506@redhat.com> Farkas Levente wrote: > Daniel J Walsh wrote: > >> Farkas Levente wrote: >> >>> Daniel J Walsh wrote: >>> >>>> Farkas Levente wrote: >>>> >>>>> hi, >>>>> i try to use nscd with ldap and tls. in this case you should >>>>> define a cacert, cert and key file for nss. but afaik there is no >>>>> default palce to put these file and there is no default policy to >>>>> allow nscd to read any kind of pem file(s). it'd be useful to >>>>> define a standard place for these cert files and allow nscd to >>>>> read these files. >>>>> yours. >>>>> >>>> /usr/share/ssl/certs?? >>>> >>>> Although I still think this stuff belongs in /etc but I don't make >>>> the rules. >>> >>> >>> >>> >>> the first thing i always do aftera fresh install: >>> ---------------------------- >>> mv /usr/share/ssl /etc >>> cd /usr/share >>> ln -s /etc/ssl >>> ---------------------------- >>> :-) so i definitely agree with you. i don't know make this rule, but >>> it'd be _very_ useful to convince him, that config files should have >>> to be under somewhere /etc/ (but that's another story). 
>>> and my current pem files are under /etc/ssl/, >>> ---------------------------- >>> # ls -aZ /etc/ssl/certs/cacert.pem >>> -rw-r--r-- root root root:object_r:usr_t >>> /etc/ssl/certs/cacert.pem >>> ---------------------------- >>> and in my messages: >>> ---------------------------- >>> Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { >>> read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 >>> ino=2291612 scontext=root:system_r:nscd_t >>> tcontext=root:object_r:usr_t tclass=file >>> ---------------------------- >>> that's why i ask for it:-) >>> yours. >>> >> I believe FC3 policy selinux-policy-targeted-1.17.30-2.90, has >> nscd.te allow to read usr_t >> >> Rawhide has added a type of cert_t, so you could execute >> >> chcon -t cert_t /etc/ssl/certs/cacert.pem > > > the truth is that this is a rhel 4 (but there is not redhat-selinux > list:-) and afaik on it the latest update is > selinux-policy-targeted-1.17.30-2.52.1 so i rather wait for a official > update (from you:-) and not run nscd until this happend... > thanks anyway. > Ok you can get the semi-official one from (It is being tested for U1 now.) ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted, policycoreutils} Dan -- From lfarkas at bppiac.hu Thu Mar 31 16:32:39 2005 
From: lfarkas at bppiac.hu (Farkas Levente)
Date: Thu, 31 Mar 2005 18:32:39 +0200
Subject: senlinux configuration, are you sure it's the right way?
In-Reply-To: <1112285187.11216.111.camel@moss-spartans.epoch.ncsc.mil>
References: <424C1E69.6030308@bppiac.hu> <1112285187.11216.111.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <424C2627.8040200@bppiac.hu>

Stephen Smalley wrote:
> On Thu, 2005-03-31 at 17:59 +0200, Farkas Levente wrote:
>
>>my question why selinux include the default policies? why selinux-policy-* contains the right access rights for all included daemons, programs? wouldn't it be much better to all package include its own policy and in the rpm postinstall session reload/add/modify the new policies.
>
> That idea has been considered in the past, but it has some issues, e.g.
> - The current policy doesn't provide a real module abstraction, and lacks a strong dependency model and a way to easily handle variations in the base policy when inserting a new policy "module". That is being addressed by recent work by Tresys Technology to create a real module abstraction for policy; that work should be upstreamed in the near future.
> - While some aspects of the policy are highly localized (e.g. least privilege requirements on a particular application), other aspects require a global view of the policy (e.g. information flow constraints to ensure confidentiality and integrity guarantees). Hence, it is difficult to truly modularize policy in the same manner as packages.

the security administrator who creates the xxx-policy packages should have this "global view", but he can still create different packages for different applications' policy. and as i said there can be one (or some) global policy packages too.

> - Policy is intended to organize the system into security equivalence classes, i.e. not every package should have its own policy, and multiple packages should share the same policy. Hence, you need a layer of indirection between the policies and the packages.

more packages can depend on one policy, as more packages can depend on one lib.

> - Policy should be defined by the security administrator, not by the application writer. The application writer can help by providing information about what resources an application needs in order to function, but ultimately the decision about how to allow the application to interact with the base system should be made by the security admin, sometimes even denying access to the application that may reduce its available functionality or force it to alternative code paths.

ok. but the current situation is the same: there is one security administrator (called Dan:) who defines the policy, and probably he can do the apache-policy package (and the local hacker admins can modify it). i don't assume the apache developer should have to do this.

--
Levente "Si vis pacem para bellum!"
From lfarkas at bppiac.hu Thu Mar 31 16:33:09 2005
From: lfarkas at bppiac.hu (Farkas Levente) Date: Thu, 31 Mar 2005 18:33:09 +0200 Subject: nscd with selinux with ssl In-Reply-To: <424C2470.4050506@redhat.com> References: <424C18D2.1080300@bppiac.hu> <424C18B3.3010201@redhat.com> <424C2037.3080006@bppiac.hu> <424C219D.4070206@redhat.com> <424C24D4.9080109@bppiac.hu> <424C2470.4050506@redhat.com> Message-ID: <424C2645.5080503@bppiac.hu> Daniel J Walsh wrote: > Farkas Levente wrote: > >> Daniel J Walsh wrote: >> >>> Farkas Levente wrote: >>> >>>> Daniel J Walsh wrote: >>>> >>>>> Farkas Levente wrote: >>>>> >>>>>> hi, >>>>>> i try to use nscd with ldap and tls. in this case you should >>>>>> define a cacert, cert and key file for nss. but afaik there is no >>>>>> default palce to put these file and there is no default policy to >>>>>> allow nscd to read any kind of pem file(s). it'd be useful to >>>>>> define a standard place for these cert files and allow nscd to >>>>>> read these files. >>>>>> yours. >>>>>> >>>>> /usr/share/ssl/certs?? >>>>> >>>>> Although I still think this stuff belongs in /etc but I don't make >>>>> the rules. >>>> >>>> >>>> >>>> >>>> >>>> the first thing i always do aftera fresh install: >>>> ---------------------------- >>>> mv /usr/share/ssl /etc >>>> cd /usr/share >>>> ln -s /etc/ssl >>>> ---------------------------- >>>> :-) so i definitely agree with you. i don't know make this rule, but >>>> it'd be _very_ useful to convince him, that config files should have >>>> to be under somewhere /etc/ (but that's another story). 
>>>> and my current pem files are under /etc/ssl/, >>>> ---------------------------- >>>> # ls -aZ /etc/ssl/certs/cacert.pem >>>> -rw-r--r-- root root root:object_r:usr_t >>>> /etc/ssl/certs/cacert.pem >>>> ---------------------------- >>>> and in my messages: >>>> ---------------------------- >>>> Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { >>>> read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 >>>> ino=2291612 scontext=root:system_r:nscd_t >>>> tcontext=root:object_r:usr_t tclass=file >>>> ---------------------------- >>>> that's why i ask for it:-) >>>> yours. >>>> >>> I believe FC3 policy selinux-policy-targeted-1.17.30-2.90, has >>> nscd.te allow to read usr_t >>> >>> Rawhide has added a type of cert_t, so you could execute >>> >>> chcon -t cert_t /etc/ssl/certs/cacert.pem >> >> >> >> the truth is that this is a rhel 4 (but there is not redhat-selinux >> list:-) and afaik on it the latest update is >> selinux-policy-targeted-1.17.30-2.52.1 so i rather wait for a official >> update (from you:-) and not run nscd until this happend... >> thanks anyway. >> > Ok you can get the semi-official one from (It is being tested for U1 now.) > ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted, > policycoreutils} thanks:-) -- Levente "Si vis pacem para bellum!" From lfarkas at bppiac.hu Thu Mar 31 16:39:12 2005 
From: lfarkas at bppiac.hu (Farkas Levente)
Date: Thu, 31 Mar 2005 18:39:12 +0200
Subject: senlinux configuration, are you sure it's the right way?
In-Reply-To: <424C23E2.5000808@redhat.com>
References: <424C1E69.6030308@bppiac.hu> <424C1EFC.8080506@redhat.com> <424C231A.8060800@bppiac.hu> <424C23E2.5000808@redhat.com>
Message-ID: <424C27B0.6070106@bppiac.hu>

Daniel J Walsh wrote:
> Also from Red Hat's perspective having policy sources installed gives us major headaches for support. If users start moving files into/out of unused directories, things are going to start breaking. We don't want some support call because someone decided to try out the latest wizbang policy, and it broke their ABC

this can happen now with the /etc/selinux directory too...

> Application. Also policy sources require a full build environment to work.
> Make, M4, checkpolicy ... On a minimal install machine this is a big overhead.

i see, that's a bigger problem:-(((
so the only solution is that the package creator should have this environment and he has to include binary application-specific policy in the binary rpm. which currently can't be added/loaded into the system (could it?). so we have to wait for tresys:-(((

--
Levente "Si vis pacem para bellum!"
From ivg2 at cornell.edu Thu Mar 31 17:11:40 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev) Date: Thu, 31 Mar 2005 12:11:40 -0500 Subject: Odd boolean in /etc/selinux/strict/booleans? In-Reply-To: <424C20AB.5020006@redhat.com> References: <200503310442.j2V4gxTe013625@turing-police.cc.vt.edu> <1112271782.12133.16.camel@cobra.ivg2.net> <424BF692.5050105@redhat.com> <1112285271.12817.2.camel@cobra.ivg2.net> <424C20AB.5020006@redhat.com> Message-ID: <1112289101.12948.7.camel@cobra.ivg2.net> On Thu, 2005-03-31 at 11:09 -0500, Daniel J Walsh wrote: > Ivan Gyurdiev wrote: > > >>Bad name in the installed file. It used to be disable_games. We might > >>want to add a > >>boolean back in to prevent users from running games at all. But we > >>would need to remove > >>exec_type from the attribute. > >> > >> > > > >Prevent users from running games? Why do we want to do that? > >What's wrong with the current approach to doing this...namely..don't > >install any games, and then the users won't be running them. > > > > > > > I am thinking of the situation where you might want to users in a > certain role allowed to play games and others not, on a shared > machine. A more interesting example would be to disallow sysadm from > running games, mozilla ... > > Basically a user accidently runs mozilla or a game while newroled to > sysadm. Might be nice to have that error out. > Ordinarily a transition happens but still It would be nice to prevent this. I actually see SElinux as suited for the *opposite* phenomenon. Particularly, while on a legacy machine running mozilla and company as root would not be a very bright idea, on a SElinux-constrained machine it shouldn't be so bad (it's confined, how much damage can it do?). -- Ivan Gyurdiev Cornell University From Hariharan.Vadivelu at honeywell.com Thu Mar 31 17:32:35 2005 
From: Hariharan.Vadivelu at honeywell.com (Hariharan, Vadivelu (IE10)) Date: Thu, 31 Mar 2005 10:32:35 -0700 Subject: upgrade from redhat9 Message-ID: <77ED2BF75D59D1439F90412CC5B109741BB81F01@ie10-sahara.hiso.honeywell.com> Hi , Is there any simple way of upgrading to Fedora from redhat 9. I already have redhat9 installed on my m/c ------------------ Hari Haran 9886484326 26588360 ext: 3134 ------------------ From dwalsh at redhat.com Thu Mar 31 18:03:23 2005 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 31 Mar 2005 13:03:23 -0500
Subject: Odd boolean in /etc/selinux/strict/booleans?
In-Reply-To: <1112289101.12948.7.camel@cobra.ivg2.net>
References: <200503310442.j2V4gxTe013625@turing-police.cc.vt.edu> <1112271782.12133.16.camel@cobra.ivg2.net> <424BF692.5050105@redhat.com> <1112285271.12817.2.camel@cobra.ivg2.net> <424C20AB.5020006@redhat.com> <1112289101.12948.7.camel@cobra.ivg2.net>
Message-ID: <424C3B6B.7010002@redhat.com>

Ivan Gyurdiev wrote:
>On Thu, 2005-03-31 at 11:09 -0500, Daniel J Walsh wrote:
>>Ivan Gyurdiev wrote:
>>>>Bad name in the installed file. It used to be disable_games. We might want to add a boolean back in to prevent users from running games at all. But we would need to remove exec_type from the attribute.
>>>>
>>>Prevent users from running games? Why do we want to do that? What's wrong with the current approach to doing this...namely..don't install any games, and then the users won't be running them.
>>>
>>I am thinking of the situation where you might want users in a certain role to be allowed to play games and others not, on a shared machine. A more interesting example would be to disallow sysadm from running games, mozilla ...
>>
>>Basically a user accidentally runs mozilla or a game while newroled to sysadm. Might be nice to have that error out.
>>Ordinarily a transition happens, but still it would be nice to prevent this.
>>
>I actually see SElinux as suited for the *opposite* phenomenon. Particularly, while on a legacy machine running mozilla and company as root would not be a very bright idea, on a SElinux-constrained machine it shouldn't be so bad (it's confined, how much damage can it do?).
>
Well actually the more I think about this, this is the job of roles. But the problem here is not disable-trans as no exec. I think we need to maybe stop marking certain defined domains as exec_type, to prevent all users from being able to execute the application without a transition. I think lots of users have had the experience of accidentally running something as root when they did not want to. Even in your example, if I disable-trans for games and then accidentally run some game as sysadm, bad things can happen.

Dan

--
From dwalsh at redhat.com Thu Mar 31 18:04:55 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 31 Mar 2005 13:04:55 -0500
Subject: senlinux configuration, are you sure it's the right way?
In-Reply-To: <424C27B0.6070106@bppiac.hu>
References: <424C1E69.6030308@bppiac.hu> <424C1EFC.8080506@redhat.com> <424C231A.8060800@bppiac.hu> <424C23E2.5000808@redhat.com> <424C27B0.6070106@bppiac.hu>
Message-ID: <424C3BC7.1090200@redhat.com>

Farkas Levente wrote:
> Daniel J Walsh wrote:
>> Also from Red Hat's perspective having policy sources installed gives us major headaches for support. If users start moving files into/out of unused directories, things are going to start breaking. We don't want some support call because someone decided to try out the latest wizbang policy, and it broke their ABC
>
> this can happen now with the /etc/selinux directory too...
>
>> Application. Also policy sources require a full build environment to work.
>> Make, M4, checkpolicy ... On a minimal install machine this is a big overhead.
>
> i see, that's a bigger problem:-(((
> so the only solution is that the package creator should have this environment and he has to include binary application-specific policy in the binary rpm. which currently can't be added/loaded into the system (could it?). so we have to wait for tresys:-(((
>
The only solution now would be to require policy-sources to be installed and then add their policy to it.

Dan

--
From ivg2 at cornell.edu Thu Mar 31 18:40:03 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Thu, 31 Mar 2005 13:40:03 -0500
Subject: Odd boolean in /etc/selinux/strict/booleans?
In-Reply-To: <424C3B6B.7010002@redhat.com>
References: <200503310442.j2V4gxTe013625@turing-police.cc.vt.edu> <1112271782.12133.16.camel@cobra.ivg2.net> <424BF692.5050105@redhat.com> <1112285271.12817.2.camel@cobra.ivg2.net> <424C20AB.5020006@redhat.com> <1112289101.12948.7.camel@cobra.ivg2.net> <424C3B6B.7010002@redhat.com>
Message-ID: <1112294403.12948.60.camel@cobra.ivg2.net>

> I think we need to maybe stop marking certain defined domains as exec_type. To prevent all users from being able to execute the application without a transition.

If you want to prevent all users from being able to execute the app w/out a transition, then set disable_trans to false, and that should suffice, shouldn't it?

> Even in your example I disable-trans for games and then accidentally run some game as sysadm, bad things can happen.

So what you really want is to always transition for sysadm, regardless of what disable_trans is set to.

    if (! disable_games_trans) {
        domain_auto_trans($1_t, games_exec_t, $1_games_t)
    }
    ifelse($1, sysadm, `
        domain_auto_trans(sysadm_t, games_exec_t, sysadm_games_t)
    ')

--
Ivan Gyurdiev
Cornell University
From dwalsh at redhat.com Thu Mar 31 18:41:38 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 31 Mar 2005 13:41:38 -0500
Subject: Odd boolean in /etc/selinux/strict/booleans?
In-Reply-To: <1112294403.12948.60.camel@cobra.ivg2.net>
References: <200503310442.j2V4gxTe013625@turing-police.cc.vt.edu> <1112271782.12133.16.camel@cobra.ivg2.net> <424BF692.5050105@redhat.com> <1112285271.12817.2.camel@cobra.ivg2.net> <424C20AB.5020006@redhat.com> <1112289101.12948.7.camel@cobra.ivg2.net> <424C3B6B.7010002@redhat.com> <1112294403.12948.60.camel@cobra.ivg2.net>
Message-ID: <424C4462.1040101@redhat.com>

Ivan Gyurdiev wrote:
>> I think we need to maybe stop marking certain defined
>> domains as exec_type. To prevent all users from being able to execute
>> the application without a transition.
>
> If you want to prevent all users from being able to execute the app
> w/out a transition, then disable_trans to false, and that should
> suffice, shouldn't it?
>
>> Even in your example I disable-trans for games and then accidentally
>> run some game as sysadm, bad things can happen.
>
> So what you really want is to always transition for sysadm,
> regardless of what disable_trans is set to.
>
> if (! disable_games_trans) {
>     domain_auto_trans($1_t, games_exec_t, $1_games_t)
> }
> ifelse($1, sysadm, `
>     domain_auto_trans(sysadm_t, games_exec_t, sysadm_games_t)
> ')
>
No that is only an example. I am thinking more about the attribute exec_type. Every exec_t we are currently defining as exec_type, which allows all users (user_t, staff_t, sysadm_t) to execute the app. If we want the app to be only executable by certain users and to require a trans, we need to eliminate the exec_type attribute on the exec_t.

One of the things that has been discussed with MLS is the idea of a secadm for manipulating policy versus a sysadm for doing everything else. The argument in the past was that you could not properly isolate the two so that a hostile user in one domain could not gain access to the other domain.
What I am thinking is not how to prevent the hostile user but to prevent the accidental usage by a non hostile user. So if we defined sysadm_r as not being able to execute checkpolicy, load_policy and secadm_r not able to execute anything but checkpolicy, load_policy, we could at least force people to become cognizant of the role they are in. So if I am in secadm_r and I accidentally try to run mozilla, it will give me an error.

Dan
--

From linux_4ever at yahoo.com Thu Mar 31 20:26:43 2005
From: linux_4ever at yahoo.com (Steve G)
Date: Thu, 31 Mar 2005 12:26:43 -0800 (PST)
Subject: upgrade from redhat9
In-Reply-To: 6667
Message-ID: <20050331202644.73451.qmail@web51503.mail.yahoo.com>

> Is there any simple way of upgrading to Fedora from redhat 9.
> I already have redhat9 installed on my m/c

I did this recently (RH9->FC3). It almost worked. I can say a few things that will help you.

First, make sure your machine boots to init 3 first. When you do the upgrade, tell it to let you pick the packages. Make sure policycoreutils and targeted policy are selected. On a normal upgrade they weren't picked up by dependencies. Look around for the other SE Linux tools and make sure they are selected. Also make sure yum is selected.

The first time it boots, it should try to relabel the filesystem. If not, you'll need to boot to single user mode and touch /.autorelabel.

Then there's gnome... It didn't pick up everything that it needed. I had to manually install several packages and configure the panels by hand. I still don't have the same icons for web browser that a clean install does. Maybe upgrading to FC4 will resync the missing pieces for me.

In short it was an adventure. But you can get it almost working.

-Steve Grubb

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From dmitry.torokhov at gmail.com Thu Mar 31 22:39:34 2005
From: dmitry.torokhov at gmail.com (Dmitry Torokhov)
Date: Thu, 31 Mar 2005 17:39:34 -0500
Subject: Problems with firmware loader and selinux
Message-ID:

Ahem, with the proper subject this time around...

Hi,

Apologies if this is not the proper mailing list...

I have a FC3 with day-before-yesterday pull from Linus and selinux-policy-targeted installed from rawhide. Everything seems to be working fine except for my wireless card (prism54), which can't get its firmware loaded. It looks like the selinux policy prevents the firmware loader from creating a "firmware" class device. I get an avc denied search message for process /sbin/ip (which is ifconfig_t) and tcontext is sysfs_t. It looks like the rights are inherited from the "ip" markings, whereas I would say that the firmware loader should operate in a completely different context.

Anyone have any pointers?

Thank you in advance,
Dmitry

P.S. I would appreciate if you CC me as I am not subscribed to the list.
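The two ideas Dan Walsh raises in the "Odd boolean" thread above (drop the exec_type attribute so that execute permission only comes from a transition rule, and split a secadm_r role that can run nothing but the policy tools from a sysadm_r that cannot run them) put into policy form. This is an added sketch written for this page, not code from the thread and not the Fedora policy of the time; it follows the example-policy .te/m4 style of Ivan's snippet. The games_exec_t, $1_games_t and sysadm_games_t types and the disable_games_trans boolean come from the discussion; games_user_domain, secadm_t, secadm_r, checkpolicy_exec_t and load_policy_exec_t are names assumed here, and the statement that the per-user macro grants can_exec($1_t, exec_type) is an assumption about how that policy handed out execute rights.

```selinux
# Added illustration for this page; not from the thread or from the
# shipped policy. Example-policy (2005) .te/m4 syntax. Names marked
# "assumed" do not come from the discussion.

# 1. Why exec_type lets every user domain run the program.
# Assumption about the example policy: the per-user domain macro carries
# a rule of the form  can_exec($1_t, exec_type)  so any file type that
# lists exec_type is runnable from user_t, staff_t and sysadm_t in the
# caller's own domain, i.e. with no transition:
#
#   type games_exec_t, file_type, sysadmfile, exec_type;   # before
#
# Dropping the attribute leaves the transition rule as the only source
# of execute permission on the file:
type games_exec_t, file_type, sysadmfile;                  # after

# 2. Boolean-gated transition for the ordinary user roles
#    (Ivan's snippet, wrapped in an assumed macro games_user_domain).
bool disable_games_trans false;

define(`games_user_domain', `
type $1_games_t, domain;
role $1_r types $1_games_t;
# type/role declarations stay outside the conditional; only rules go in
if (! disable_games_trans) {
domain_auto_trans($1_t, games_exec_t, $1_games_t)
}
')
games_user_domain(user)
games_user_domain(staff)

# 3. sysadm always transitions, regardless of the boolean.
type sysadm_games_t, domain;
role sysadm_r types sysadm_games_t;
domain_auto_trans(sysadm_t, games_exec_t, sysadm_games_t)

# 4. secadm_r versus sysadm_r as a guard against accidental use.
#    checkpolicy_exec_t / load_policy_exec_t deliberately carry no
#    exec_type, so the blanket user rule from step 1 never matches them.
type secadm_t, domain;                                     # assumed
role secadm_r types secadm_t;                              # assumed
type checkpolicy_exec_t, file_type, sysadmfile;            # assumed
type load_policy_exec_t, file_type, sysadmfile;            # assumed

# Only secadm_t may execute the policy tools. sysadm_t gets no rule for
# these types, so typing checkpolicy while in sysadm_r is denied.
can_exec(secadm_t, { checkpolicy_exec_t load_policy_exec_t })

# secadm_t is given no execute rule on exec_type at all, so running an
# ordinary application such as mozilla from secadm_r is denied too,
# which is the "it will give me an error" behaviour Dan describes.
```

Two checks worth doing after loading such a policy: the binaries must actually be labeled with the new types in file_contexts (a game left labeled bin_t is still executable by everyone through the generic bin_t rules, so removing exec_type from games_exec_t changes nothing for it), and getsebool disable_games_trans shows which branch of the conditional is live. With the attribute gone and the boolean set, a user_r attempt to run the game fails with an execute denial on games_exec_t instead of silently running it as user_t.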