From chair at selinux-symposium.org Thu Sep 1 18:59:36 2005 
From: chair at selinux-symposium.org (SELinux Symposium Chair)
Date: Thu, 01 Sep 2005 14:59:36 -0400
Subject: SELinux Symposium - Call for papers reminder
Message-ID: <43174F98.1080902@selinux-symposium.org>

This is a reminder that paper proposals for the Second Security Enhanced Linux Symposium are due on September 19, 2005. For more information or to submit your proposal please visit http://www.selinux-symposium.org/. The full text of the call is included below for reference.

SECOND SECURITY ENHANCED LINUX SYMPOSIUM
(www.selinux-symposium.org)

Call for Papers

The call for papers for the Second Security Enhanced Linux (SELinux) Symposium is now open. The Symposium is scheduled for February 28-March 2, 2006, at the Wyndham Hotel, Baltimore, Maryland, USA. The event is the only one of its kind to examine SELinux and the power of the flexible mandatory access control security it brings to Linux. Last year's inaugural symposium was a tremendous success, providing the SELinux development and user community the opportunity to discuss related research results, development plans, and applications.

Any topics relating to SELinux technology, flexible mandatory access control, and its application to real-world problems are of interest for this symposium. Such topics include:

+ Innovations and advancement in SELinux technology
+ Use and application of SELinux and Type Enforcement
+ SELinux development experiences and tools
+ Use and Configuration of MLS and RBAC in securing systems
+ Updates on the various Linux distributions using SELinux
+ Practical "root"-less system administration policies
+ Case studies and application experience with SELinux
+ Related research and development activities
+ Tools and products supporting/using SELinux
+ Security evaluation and certification issues
+ User and customer concerns and needs
+ Tutorials

No marketing pitches will be accepted. The call for papers is open until September 19, 2005.

For additional information and submittal requirements, see www.selinux-symposium.org.

Technical Committee:

Joshua Brindle, Tresys
Russell Coker, Red Hat
Chad Hanson, TCS
Trent Jaeger, Penn State University
Pete Loscocco, NSA
Karl MacMillan, Tresys
Frank Mayer (Chair), Tresys
James Morris, Red Hat
Doc Shankar, IBM
Stephen Smalley, NSA
Daniel Walsh, Red Hat

From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 01 Sep 2005 17:05:12 -0400
Subject: NeedHelp: Issue on change apache DocumentRoot location on FC3
In-Reply-To: Your message of "Thu, 25 Aug 2005 17:09:31 +0800." <430D8ACB.70009@ncic.ac.cn>
References: <430D8ACB.70009@ncic.ac.cn>
Message-ID: <200509012105.j81L5CXe029473@turing-police.cc.vt.edu>

On Thu, 25 Aug 2005 17:09:31 +0800, KevinKW said:

> How can I solve this problem? Any more information needed, please let me
> know. Thanks very much!

What avc message do you actually get? I'm willing to bet it's something non-obvious, like a borked context on /data itself or similar.
From: gene at czarc.net (Gene Czarcinski)
Date: Fri, 2 Sep 2005 10:40:57 -0400
Subject: MCS
Message-ID: <200509021040.57614.gene@czarc.net>

I have been reviewing/following the MCS discussions on this mailing list, the LSPP mailing list, and the NSA selinux mailing list and it appears (to me) that MCS (Multiple Category System) capability may be sufficiently implemented to do some testing.

While I am more interested in a MLS (Multiple Level System) capability with selinux, MCS is pretty close since it is "simply" MLS (multi-levels, multi-categories) with a single level and multi-categories.

However, I do have some questions --

1. Are most/all of the needed updates available for FC4 or should I plan to use the FC5-development packages?

2. It appears that MCS is only available with targeted policy (not with the strict policy). Are there plans to include it in strict at some future time?

3. To me, a key capability to make either MLS or MCS practical is to implement polyinstantiation of /tmp and /home/ directories so that different levels and/or categories will really have different directories. Has this been implemented? How does it work?

4. How do I enable MCS given that I am now running selinux-targeted in enforcing mode?

Comment: While I understand that Red Hat folks would want to make a system upgrade to MCS NOT require a system relabel, I (personally) do not consider it a big deal to require full relabeling to transition to either MCS or MLS.

5. Is it the goal for MCS to make it fully implemented and an installation/upgrade option for FC5?

6. Any tips on using MCS?

7. Is there anything the developers would especially like tested?

8. IIUC, "newrole -l" will be used to switch level & category on an MLS system and "just" category on an MCS system. Is this correct?

9. IIUC, the implementation supports a large number of levels (currently 10 or s0-s9 but could be larger or smaller) and an even larger number of categories (currently 128 or c0-c127 but could be larger or smaller). Is this correct?

10. While the current implementation has levels specified as s0-s9 and categories as c0-c127, there needs to be some way to relate these "internal" specifications to something more meaningful to real people. For example, for sensitivity levels specifying s0=unclassified, s1=confidential, s2=secret, etc. In a similar manner, categories need something like c0=foo, c1=bar, c2=CompanyPropin, etc. Has anything been done with this in mind? What are the plans for this?

Comment: It sure would be nice to be able to do:

newrole -l unclassified:CompanyPropin

Any comments/info appreciated.

Gene
From: kms at passback.co.uk (Keith Sharp)
Date: Fri, 02 Sep 2005 15:52:09 +0100
Subject: Problems with kerberos and SElinux
Message-ID: <1125672729.16902.13.camel@animal.passback.co.uk>

Hello,

I am running into a problem with krb5kdc and SELinux. Version information:

selinux-policy-targeted-1.25.3-12
kernel-2.6.12-1.1398_FC4
krb5-server-1.4.1-5

I was working with SELinux targeted and enforcing but I was having problems with kadmin so I decided to disable SELinux using /etc/sysconfig/selinux and reboot. This solved my kadmin problem so I decided to re-enable SELinux so that I could capture traces to raise a bug.

When I rebooted with SELinux enabled krb5kdc failed to start and I had the following in /var/log/audit/audit.log:

type=AVC msg=audit(1125672380.961:124865): avc: denied { getattr } for pid=1836 comm="krb5kdc" name="krb5kdc_rcache" dev=dm-0 ino=552323 scontext=root:system_r:krb5kdc_t tcontext=system_u:object_r:file_t tclass=file
type=SYSCALL msg=audit(1125672380.961:124865): arch=40000003 syscall=195 success=no exit=-13 a0=90a3af0 a1=bff5d968 a2=3a4ff4 a3=0 items=1 pid=1836 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc"
type=AVC_PATH msg=audit(1125672380.961:124865): path="/var/tmp/krb5kdc_rcache"
type=CWD msg=audit(1125672380.961:124865): cwd="/"
type=PATH msg=audit(1125672380.961:124865): item=0 name="/var/tmp/krb5kdc_rcache" flags=1 inode=552323 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00

and in the log /var/log/krb5kdc.log:

krb5kdc: Permission denied in replay cache code - while initializing KDC replay cache 'dfl:krb5kdc_rcache'

Is this a known issue, or should I Bugzilla it?

Thanks,

Keith.
From: kms at passback.co.uk (Keith Sharp)
Date: Fri, 02 Sep 2005 16:37:20 +0100
Subject: Problems with kerberos and SElinux
In-Reply-To: <1125672729.16902.13.camel@animal.passback.co.uk>
References: <1125672729.16902.13.camel@animal.passback.co.uk>
Message-ID: <1125675440.16902.17.camel@animal.passback.co.uk>

On Fri, 2005-09-02 at 15:52 +0100, Keith Sharp wrote:
> Hello,
>
> I am running into a problem with krb5kdc and SELinux. Version
> information:
>
> selinux-policy-targeted-1.25.3-12
> kernel-2.6.12-1.1398_FC4
> krb5-server-1.4.1-5
>
> I was working with SELinux targeted and enforcing but I was having
> problems with kadmin so I decided to disable SELinux
> using /etc/sysconfig/selinux and reboot. This solved my kadmin problem
> so I decided to re-enable SELinux so that I could capture traces to
> raise a bug.
>
> When I rebooted with SELinux enabled krb5kdc failed to start and I had
> the following in /var/log/audit/audit.log:
>
> type=AVC msg=audit(1125672380.961:124865): avc: denied { getattr } for pid=1836 comm="krb5kdc" name="krb5kdc_rcache" dev=dm-0 ino=552323 scontext=root:system_r:krb5kdc_t tcontext=system_u:object_r:file_t tclass=file
> type=SYSCALL msg=audit(1125672380.961:124865): arch=40000003 syscall=195 success=no exit=-13 a0=90a3af0 a1=bff5d968 a2=3a4ff4 a3=0 items=1 pid=1836 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc"
> type=AVC_PATH msg=audit(1125672380.961:124865): path="/var/tmp/krb5kdc_rcache"
> type=CWD msg=audit(1125672380.961:124865): cwd="/"
> type=PATH msg=audit(1125672380.961:124865): item=0 name="/var/tmp/krb5kdc_rcache" flags=1 inode=552323 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
>
> and in the log /var/log/krb5kdc.log:
>
> krb5kdc: Permission denied in replay cache code - while initializing KDC
> replay cache 'dfl:krb5kdc_rcache'
>
> Is this a known issue, or should I Bugzilla it?

Looks like the file /var/tmp/krb5kdc_rcache doesn't have a security context:

[root at server ~]# ls -alZ /var/tmp/
drwxrwxrwt root root system_u:object_r:tmp_t .
drwxr-xr-x root root system_u:object_r:var_t ..
-rw------- root root root:object_r:kadmind_tmp_t kadmin_0
-rw------- root root krb5kdc_rcache

How should I go about fixing this?

Thanks,

Keith.

From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 02 Sep 2005 12:07:52 -0400
Subject: Problems with kerberos and SElinux
In-Reply-To: <1125675440.16902.17.camel@animal.passback.co.uk>
References: <1125672729.16902.13.camel@animal.passback.co.uk> <1125675440.16902.17.camel@animal.passback.co.uk>
Message-ID: <1125677272.21817.77.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-02 at 16:37 +0100, Keith Sharp wrote:
> Looks like the file /var/tmp/krb5kdc_rcache doesn't have a security
> context:
>
> [root at server ~]# ls -alZ /var/tmp/
> drwxrwxrwt root root system_u:object_r:tmp_t .
> drwxr-xr-x root root system_u:object_r:var_t ..
> -rw------- root root root:object_r:kadmind_tmp_t kadmin_0
> -rw------- root root krb5kdc_rcache
>
> How should I go about fixing this?

This is a result of previously booting with SELinux disabled; while SELinux is disabled, any files created won't be assigned security contexts. Switching to permissive mode is better than disabling SELinux entirely, and can be done temporarily with /usr/sbin/setenforce 0 without needing to touch /etc/selinux/config or reboot. That continues to label files but allows all accesses and just logs the denials for review in the audit.log.

Assuming that this file is just a temporary cache, I'd suggest removing it (or moving it aside), and then restart the process that created it in the first place with SELinux enabled (but permissive, if necessary).

Possibly fixfiles relabel needs to purge /var/tmp as well as /tmp?

--
Stephen Smalley
National Security Agency
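As an added illustration of the diagnosis above (this is not code from the thread): a small Python parser that groups audit records by their audit serial, pulls the fields out of the AVC message, and flags denials whose target type is file_t, which is what a file created during a boot with SELinux disabled reports as under this policy. The sample records are constructed copies of the lines posted in this archive plus one made-up denial against a properly labeled file.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches the AVC part of both formats seen in this archive:
#   audit.log:  type=AVC msg=audit(...): avc: denied { getattr } for pid=...
#   syslog:     ... kernel: audit(...): avc: granted { setenforce } for pid=...
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs after "for"; values are either "quoted" (comm, name, path) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# The serial inside audit(<timestamp>:<serial>) ties the AVC, SYSCALL and AVC_PATH
# records of one event together.
SERIAL_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")

# What an unlabeled file reports as in this thread's policy (file_t). Later
# reference policies report such files as unlabeled_t instead, so both are checked.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


@dataclass
class AvcRecord:
    verdict: str                      # "denied" or "granted"
    perms: List[str]                  # e.g. ["getattr"]
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def target_type(self) -> Optional[str]:
        """Type component of tcontext (user:role:type[:range])."""
        tctx = self.fields.get("tcontext")
        if not tctx:
            return None
        parts = tctx.split(":")
        return parts[2] if len(parts) >= 3 else None


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return the AVC record in a log line, or None if the line carries none."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value, quoted in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if value.startswith('"') else value
    return AvcRecord(m.group("verdict"), m.group("perms").split(), fields)


def group_events(lines):
    """Group records by serial: {serial: {"avc": [AvcRecord, ...], "path": str|None}}."""
    events = {}
    for line in lines:
        sm = SERIAL_RE.search(line)
        if not sm:
            continue
        ev = events.setdefault(sm.group("serial"), {"avc": [], "path": None})
        rec = parse_avc(line)
        if rec:
            ev["avc"].append(rec)
        if "type=AVC_PATH" in line:
            pm = re.search(r'path="([^"]*)"', line)
            if pm:
                ev["path"] = pm.group(1)
    return events


def unlabeled_denials(lines):
    """(comm, permissions, path) for every denial whose target is an unlabeled file.

    These are the signature of files created while SELinux was disabled; the fix
    is to remove or move the file and let the service recreate it with SELinux
    enabled (permissive is enough), not to relax the policy."""
    hits = []
    for ev in group_events(lines).values():
        for rec in ev["avc"]:
            if rec.verdict == "denied" and rec.target_type in UNLABELED_TYPES:
                hits.append((rec.fields.get("comm"), " ".join(rec.perms),
                             ev["path"] or rec.fields.get("name")))
    return hits


# Constructed sample: the krb5kdc records from this thread, the "granted setenforce"
# syslog line from a later thread, and one made-up denial against a labeled file.
SAMPLE_LOG = [
    'type=AVC msg=audit(1125672380.961:124865): avc: denied { getattr } for pid=1836 '
    'comm="krb5kdc" name="krb5kdc_rcache" dev=dm-0 ino=552323 '
    'scontext=root:system_r:krb5kdc_t tcontext=system_u:object_r:file_t tclass=file',
    'type=AVC_PATH msg=audit(1125672380.961:124865): path="/var/tmp/krb5kdc_rcache"',
    'Sep 2 11:15:45 dumont kernel: audit(1125684945.038:24): avc: granted { setenforce } '
    'for pid=6453 comm="setenforce" scontext=root:system_r:unconfined_t '
    'tcontext=system_u:object_r:security_t tclass=security',
    'type=AVC msg=audit(1125672400.100:124870): avc: denied { write } for pid=1900 '
    'comm="kadmind" name="kadmin_0" dev=dm-0 ino=552330 '
    'scontext=root:system_r:kadmind_t tcontext=root:object_r:kadmind_tmp_t tclass=file',
]

if __name__ == "__main__":
    for comm, perms, path in unlabeled_denials(SAMPLE_LOG):
        print(f"{comm}: denied {{ {perms} }} on unlabeled file {path}")
```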
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 02 Sep 2005 12:20:23 -0400
Subject: MCS
In-Reply-To: <200509021040.57614.gene@czarc.net>
References: <200509021040.57614.gene@czarc.net>
Message-ID: <1125678023.21817.90.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-02 at 10:40 -0400, Gene Czarcinski wrote:
> While I am more interested in a MLS (Multiple Level System) capability with
> selinux, MCS is pretty close since it is "simply" MLS (multi-levels,
> multi-categories) with a single level and multi-categories.

I'll take a stab at answering, although I think that James or Dan will have more precise answers for MCS.

MCS and MLS are actually rather different. IIUC, under MCS, clearance determines current access rather than current level, and objects (files) are only labeled with categories upon explicit request by the process (e.g. the user runs chcon on the file to set a category on it). MCS doesn't try to prevent "write down", so it doesn't try to address the trojan horse problem. MCS is effectively a discretionary model to allow users to mark their data with additional tags that further restrict access. The only mandatory aspect is authorizing users for categories by defining their clearance in policy.

However, MCS and MLS exercise the same code paths and share the same support infrastructure. They just differ in their specific configuration.

> However, I do have some questions --
>
> 1. Are most/all of the needed updates available for FC4 or should I plan to
> use the FC5-development packages?

You'll need the development packages, and some of the MCS-related packages are still only in Dan's own site at present for experimentation AFAIK. See his posting to selinux list.

> 2. It appears that MCS is only available with targeted policy (not with the
> strict policy). Are there plans to include it in strict at some future time?

MCS is based on targeted, as the goal IIUC is for it to replace targeted as the default policy in Fedora. Porting MCS to strict likely wouldn't be hard. Dan also posted links to a MLS (not MCS) policy based on strict available from his site earlier to selinux list. Not clear if he is still maintaining that, although there will ultimately be a MLS policy separate from MCS.

> 3. To me, a key capability to make either MLS or MCS practical is to
> implement polyinstantiation of /tmp and /home/ directories so that
> different levels and/or categories will really have different directories.
> Has this been implemented? How does it work?

Under development - see Janak's postings to selinux and redhat-lspp lists. It is being done in userspace via per-process namespaces and bind mounts. Currently also depends on a kernel patch that isn't upstream yet for unshare(2).

> 4. How do I enable MCS given that I am now running selinux-targeted in
> enforcing mode?

You need to update to rawhide, and then you can install the MCS packages from Dan's site, I believe.

> Comment: While I understand that Red Hat folks would want to make a system
> upgrade to MCS NOT require a system relabel, I (personally) do not consider
> it a big deal to require full relabeling to transition to either MCS or MLS.

But it is critical if they want to make MCS the default in FC5, so that people can upgrade from FC4.

> 5. Is it the goal for MCS to make it fully implemented and an
> installation/upgrade option for FC5?

Fully implemented IIUC.

> 6. Any tips on using MCS?
>
> 7. Is there anything the developers would especially like tested?

I'll leave these to Dan or James.

> 8. IIUC, "newrole -l" will be used to switch level & category on an MLS
> system and "just" category on an MCS system. Is this correct?

I would expect so, although possibly newrole could take an option just for category setting.

> 9. IIUC, the implementation supports a large number of levels (currently 10
> or s0-s9 but could be larger or smaller) and an even larger number of
> categories (currently 128 or c0-c127 but could be larger or smaller). Is
> this correct?

Yes. No fundamental limitations there.

> 10. While the current implementation has levels specified as s0-s9 and
> categories as c0-c127, there needs to be some way to relate these "internal"
> specifications to something more meaningful to real people. For example, for
> sensitivity levels specifying s0=unclassified, s1=confidential, s2=secret,
> etc. In a similar manner, categories need something like c0=foo, c1=bar,
> c2=CompanyPropin, etc. Has anything been done with this in mind? What are
> the plans for this?

Yes, libselinux will now invoke an external translation library for contexts if it is present on the system. Currently available from Dan's site.

--
Stephen Smalley
National Security Agency
From: kms at passback.co.uk (Keith Sharp)
Date: Fri, 02 Sep 2005 17:24:10 +0100
Subject: Problems with kerberos and SElinux
In-Reply-To: <1125677272.21817.77.camel@moss-spartans.epoch.ncsc.mil>
References: <1125672729.16902.13.camel@animal.passback.co.uk> <1125675440.16902.17.camel@animal.passback.co.uk> <1125677272.21817.77.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1125678250.16902.20.camel@animal.passback.co.uk>

On Fri, 2005-09-02 at 12:07 -0400, Stephen Smalley wrote:
> On Fri, 2005-09-02 at 16:37 +0100, Keith Sharp wrote:
> > Looks like the file /var/tmp/krb5kdc_rcache doesn't have a security
> > context:
> >
> > [root at server ~]# ls -alZ /var/tmp/
> > drwxrwxrwt root root system_u:object_r:tmp_t .
> > drwxr-xr-x root root system_u:object_r:var_t ..
> > -rw------- root root root:object_r:kadmind_tmp_t kadmin_0
> > -rw------- root root krb5kdc_rcache
> >
> > How should I go about fixing this?
>
> This is a result of previously booting with SELinux disabled; while
> SELinux is disabled, any files created won't be assigned security
> contexts. Switching to permissive mode is better than disabling SELinux
> entirely, and can be done temporarily with /usr/sbin/setenforce 0
> without needing to touch /etc/selinux/config or reboot. That continues
> to label files but allows all accesses and just logs the denials for
> review in the audit.log.
>
> Assuming that this file is just a temporary cache, I'd suggest removing
> it (or moving it aside), and then restart the process that created it in
> the first place with SELinux enabled (but permissive, if necessary).

Removing the file and re-running "service krb5kdc start" seems to have solved the problem.

Thanks,

Keith.
From: bench at silentmedia.com (Ben)
Date: Fri, 02 Sep 2005 10:37:00 -0700
Subject: Can't use new users?
Message-ID: <43188DBC.3060508@silentmedia.com>

So last night I installed FC3, added Fedora Extras, and did a yum update. Now I can't use any new users. Behold:

[root at dumont ~]# adduser nagios
[root at dumont ~]# su - nagios
Your default context is user_u:system_r:unconfined_t.

Do you want to choose a different one? [n]
could not open session

/var/log/messages has this to say about it:

Sep 2 17:34:21 dumont su[6229]: Warning! Could not relabel /dev/pts/4 with user_u:object_r:devpts_t, not relabeling.Operation not permitted

Something doesn't seem quite right, but I'm not sure what I'm missing. Here are the selinux packages I've got installed:

selinux-policy-targeted-1.17.30-3.16
libselinux-1.19.1-8
libselinux-devel-1.19.1-8
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 02 Sep 2005 13:54:30 -0400
Subject: Can't use new users?
In-Reply-To: <43188DBC.3060508@silentmedia.com>
References: <43188DBC.3060508@silentmedia.com>
Message-ID: <1125683670.21817.134.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-02 at 10:37 -0700, Ben wrote:
> So last night I installed FC3, added Fedora Extras, and did a yum
> update. Now I can't use any new users. Behold:
>
> [root at dumont ~]# adduser nagios
> [root at dumont ~]# su - nagios
> Your default context is user_u:system_r:unconfined_t.
>
> Do you want to choose a different one? [n]
> could not open session
>
> /var/log/messages has this to say about it:
>
> Sep 2 17:34:21 dumont su[6229]: Warning! Could not relabel /dev/pts/4
> with user_u:object_r:devpts_t, not relabeling.Operation not permitted
>
> Something doesn't seem quite right, but I'm not sure what I'm missing.
> Here are the selinux packages I've got installed:
>
> selinux-policy-targeted-1.17.30-3.16
> libselinux-1.19.1-8
> libselinux-devel-1.19.1-8

What is your kernel?

--
Stephen Smalley
National Security Agency
From: bench at silentmedia.com (Ben)
Date: Fri, 02 Sep 2005 10:58:41 -0700
Subject: Can't use new users?
In-Reply-To: <1125683670.21817.134.camel@moss-spartans.epoch.ncsc.mil>
References: <43188DBC.3060508@silentmedia.com> <1125683670.21817.134.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <431892D1.5030409@silentmedia.com>

2.6.12-1.1376_FC3

Stephen Smalley wrote:
>On Fri, 2005-09-02 at 10:37 -0700, Ben wrote:
>
>>So last night I installed FC3, added Fedora Extras, and did a yum
>>update. Now I can't use any new users. Behold:
>>
>>[root at dumont ~]# adduser nagios
>>[root at dumont ~]# su - nagios
>>Your default context is user_u:system_r:unconfined_t.
>>
>>Do you want to choose a different one? [n]
>>could not open session
>>
>>/var/log/messages has this to say about it:
>>
>>Sep 2 17:34:21 dumont su[6229]: Warning! Could not relabel /dev/pts/4
>>with user_u:object_r:devpts_t, not relabeling.Operation not permitted
>>
>>Something doesn't seem quite right, but I'm not sure what I'm missing.
>>Here are the selinux packages I've got installed:
>>
>>selinux-policy-targeted-1.17.30-3.16
>>libselinux-1.19.1-8
>>libselinux-devel-1.19.1-8
>
>What is your kernel?
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 02 Sep 2005 14:10:55 -0400
Subject: Can't use new users?
In-Reply-To: <43188DBC.3060508@silentmedia.com>
References: <43188DBC.3060508@silentmedia.com>
Message-ID: <1125684655.21817.136.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-02 at 10:37 -0700, Ben wrote:
> So last night I installed FC3, added Fedora Extras, and did a yum
> update. Now I can't use any new users. Behold:
>
> [root at dumont ~]# adduser nagios
> [root at dumont ~]# su - nagios
> Your default context is user_u:system_r:unconfined_t.
>
> Do you want to choose a different one? [n]
> could not open session
>
> /var/log/messages has this to say about it:
>
> Sep 2 17:34:21 dumont su[6229]: Warning! Could not relabel /dev/pts/4
> with user_u:object_r:devpts_t, not relabeling.Operation not permitted
>
> Something doesn't seem quite right, but I'm not sure what I'm missing.
> Here are the selinux packages I've got installed:

Hmmm...no avc messages in /var/log/messages prior to the warning?

Is it repeatable after /usr/sbin/setenforce 0?

--
Stephen Smalley
National Security Agency
From: bench at silentmedia.com (Ben)
Date: Fri, 02 Sep 2005 11:18:59 -0700
Subject: Can't use new users?
In-Reply-To: <1125684655.21817.136.camel@moss-spartans.epoch.ncsc.mil>
References: <43188DBC.3060508@silentmedia.com> <1125684655.21817.136.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <43189793.1020803@silentmedia.com>

Huh, setenforce 0 seems to have no effect. I see this when I run it:

Sep 2 11:15:45 dumont kernel: audit(1125684945.038:24): avc: granted { setenforce } for pid=6453 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security

.... but everything remains broken the same way.

Stephen Smalley wrote:
>On Fri, 2005-09-02 at 10:37 -0700, Ben wrote:
>
>>So last night I installed FC3, added Fedora Extras, and did a yum
>>update. Now I can't use any new users. Behold:
>>
>>[root at dumont ~]# adduser nagios
>>[root at dumont ~]# su - nagios
>>Your default context is user_u:system_r:unconfined_t.
>>
>>Do you want to choose a different one? [n]
>>could not open session
>>
>>/var/log/messages has this to say about it:
>>
>>Sep 2 17:34:21 dumont su[6229]: Warning! Could not relabel /dev/pts/4
>>with user_u:object_r:devpts_t, not relabeling.Operation not permitted
>>
>>Something doesn't seem quite right, but I'm not sure what I'm missing.
>>Here are the selinux packages I've got installed:
>
>Hmmm...no avc messages in /var/log/messages prior to the warning?
>
>Is it repeatable after /usr/sbin/setenforce 0?
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 02 Sep 2005 14:29:38 -0400
Subject: Can't use new users?
In-Reply-To: <43189793.1020803@silentmedia.com>
References: <43188DBC.3060508@silentmedia.com> <1125684655.21817.136.camel@moss-spartans.epoch.ncsc.mil> <43189793.1020803@silentmedia.com>
Message-ID: <1125685778.21817.148.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-02 at 11:18 -0700, Ben wrote:
> Huh, setenforce 0 seems to have no effect. I see this when I run it:
>
> Sep 2 11:15:45 dumont kernel: audit(1125684945.038:24): avc: granted
> { setenforce } for pid=6453 comm="setenforce"
> scontext=root:system_r:unconfined_t
> tcontext=system_u:object_r:security_t tclass=security
>
> .... but everything remains broken the same way.

That message just shows you that permission was granted to switch enforcing mode, so /usr/sbin/getenforce should now show that you are now in Permissive mode, i.e. SELinux will only log permissions that would be denied by policy but not actually enforce the denial. If it is still broken, then the SELinux kernel permission checks are unlikely to be the cause.

Not sure it will work on FC3, but try enabling syscall auditing:

/sbin/auditctl -e 1

And then try again.

--
Stephen Smalley
National Security Agency

From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 02 Sep 2005 14:31:21 -0400
Subject: Can't use new users?
In-Reply-To: <43188DBC.3060508@silentmedia.com>
References: <43188DBC.3060508@silentmedia.com>
Message-ID: <1125685881.21817.150.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-02 at 10:37 -0700, Ben wrote:
> So last night I installed FC3, added Fedora Extras, and did a yum
> update. Now I can't use any new users. Behold:

BTW, not that it matters for the purposes of tracking down this issue, but any reason why you are using FC3 rather than FC4?

--
Stephen Smalley
National Security Agency
From: bench at silentmedia.com (Ben)
Date: Fri, 02 Sep 2005 11:43:02 -0700
Subject: Can't use new users?
In-Reply-To: <1125685881.21817.150.camel@moss-spartans.epoch.ncsc.mil>
References: <43188DBC.3060508@silentmedia.com> <1125685881.21817.150.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <43189D36.2070705@silentmedia.com>

Yeah, I'm trying to stay away from the bleeding edge for my file server. :)

Stephen Smalley wrote:
>On Fri, 2005-09-02 at 10:37 -0700, Ben wrote:
>
>>So last night I installed FC3, added Fedora Extras, and did a yum
>>update. Now I can't use any new users. Behold:
>
>BTW, not that it matters for the purposes of tracking down this issue,
>but any reason why you are using FC3 rather than FC4?
From: bench at silentmedia.com (Ben)
Date: Fri, 02 Sep 2005 11:50:12 -0700
Subject: Can't use new users?
In-Reply-To: <1125685778.21817.148.camel@moss-spartans.epoch.ncsc.mil>
References: <43188DBC.3060508@silentmedia.com> <1125684655.21817.136.camel@moss-spartans.epoch.ncsc.mil> <43189793.1020803@silentmedia.com> <1125685778.21817.148.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <43189EE4.7040400@silentmedia.com>

Stephen Smalley wrote:
>That message just shows you that permission was granted to switch
>enforcing mode, so /usr/sbin/getenforce should now show that you are now
>in Permissive mode, i.e. SELinux will only log permissions that would be
>denied by policy but not actually enforce the denial. If it is still
>broken, then the SELinux kernel permission checks are unlikely to be the
>cause.

getenforce does indeed show Permissive after running setenforce 0, so at least that's working as expected. I can see how this seems like it would make it unlikely to be a SELinux problem at this point, but then how come I still see this when trying to su?

Warning! Could not relabel /dev/pts/3 with user_u:object_r:devpts_t, not relabeling.Operation not permitted

Interestingly, if I try to ssh in, instead of su, I get this:

[root at dumont ~]# ssh nagios at localhost
nagios at localhost's password:
Last login: Fri Sep 2 11:40:25 2005 from dumont
-bash: /etc/profile: Permission denied

[root at dumont nagios]# ls -alZ
drwx------ nagios nagios root:object_r:user_home_dir_t .
drwxr-xr-x root root system_u:object_r:home_root_t ..
-rw------- nagios nagios user_u:object_r:user_home_t .bash_history
-rw-r--r-- nagios nagios root:object_r:user_home_t .bash_logout
-rw-r--r-- nagios nagios root:object_r:user_home_t .bash_profile
-rw-r--r-- nagios nagios root:object_r:user_home_t .bashrc
-rw-r--r-- nagios nagios root:object_r:user_home_t .emacs
-rw-r--r-- nagios nagios root:object_r:user_home_t .gtkrc
-rw-r--r-- nagios nagios root:object_r:user_home_t .zshrc

.... so it still seems like SELinux is hurting me, even though it's set to be in permissive mode?

>Not sure it will work on FC3, but try enabling syscall auditing:
> /sbin/auditctl -e 1
>And then try again.

This didn't seem to have any impact I could see...
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 02 Sep 2005 15:05:26 -0400
Subject: Can't use new users?
In-Reply-To: <43189EE4.7040400@silentmedia.com>
References: <43188DBC.3060508@silentmedia.com> <1125684655.21817.136.camel@moss-spartans.epoch.ncsc.mil> <43189793.1020803@silentmedia.com> <1125685778.21817.148.camel@moss-spartans.epoch.ncsc.mil> <43189EE4.7040400@silentmedia.com>
Message-ID: <1125687926.21817.167.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-02 at 11:50 -0700, Ben wrote:
> getenforce does indeed show Permissive after running setenforce 0, so at
> least that's working as expected. I can see how this seems like it would
> make it unlikely to be a SELinux problem at this point, but then how
> come I still see this when trying to su?
>
> Warning! Could not relabel /dev/pts/3 with user_u:object_r:devpts_t,
> not relabeling.Operation not permitted

The implication is that su (via pam_selinux) is hitting a Linux DAC permission denial when attempting to relabel (setxattr) the pty. I do seem to recall an issue where su was changing its fsuid prior to invoking pam_open_session, thereby preventing the pam_selinux module from relabeling the pty if going from root to non-root. Looking at the history of the coreutils-pam.patch in the public Fedora CVS tree, I see:

date: 2004/12/06 15:51:03; author: twaugh; state: Exp; lines: +4 -9
* Mon Dec 6 2004 Tim Waugh 5.2.1-34
- Don't set fs uid until after pam_open_session (bug #77791)..

So an obvious question is whether this fix made its way back into FC3.

> Interestingly, if I try to ssh in, instead of su, I get this:
>
> [root at dumont ~]# ssh nagios at localhost
> nagios at localhost's password:
> Last login: Fri Sep 2 11:40:25 2005 from dumont
> -bash: /etc/profile: Permission denied
>
>
> [root at dumont nagios]# ls -alZ
> drwx------ nagios nagios root:object_r:user_home_dir_t .
> drwxr-xr-x root root system_u:object_r:home_root_t ..
> -rw------- nagios nagios user_u:object_r:user_home_t .bash_history
> -rw-r--r-- nagios nagios root:object_r:user_home_t .bash_logout
> -rw-r--r-- nagios nagios root:object_r:user_home_t .bash_profile
> -rw-r--r-- nagios nagios root:object_r:user_home_t .bashrc
> -rw-r--r-- nagios nagios root:object_r:user_home_t .emacs
> -rw-r--r-- nagios nagios root:object_r:user_home_t .gtkrc
> -rw-r--r-- nagios nagios root:object_r:user_home_t .zshrc
>
> .... so it still seems like SELinux is hurting me, even though it's set
> to be in permissive mode?

If permissive, SELinux shouldn't be denying any system calls. DAC denials are still possible of course.

> >Not sure it will work on FC3, but try enabling syscall auditing:
> > /sbin/auditctl -e 1
> >And then try again.
>
> This didn't seem to have any impact I could see...

Yes, it looks like the auditctl shipped in FC3 is non-functional. Pity.

--
Stephen Smalley
National Security Agency
From: jmorris at namei.org (James Morris) Date: Fri, 2 Sep 2005 16:58:27 -0400 (EDT) Subject: MCS In-Reply-To: <1125678023.21817.90.camel@moss-spartans.epoch.ncsc.mil> References: <200509021040.57614.gene@czarc.net> <1125678023.21817.90.camel@moss-spartans.epoch.ncsc.mil> Message-ID: On Fri, 2 Sep 2005, Stephen Smalley wrote: > > 5. Is it the goal for MCS to make it fully implemented and an > > installation/upgrade option for FC5? > > Fully implemented IIUC. Yes, our hope is to make MCS the default for FC5, and for nobody to notice it's even there unless they start using category labels. It still needs some work. > > 8. IIUC, "newrole -l" will be used to switch level & category on an MLS > > system and "just" category on an MCS system. Is this correct? > > I would expect so, although possibly newrole could take an option just > for category setting. You should not need to change levels under MCS. In fact, a property of MCS is that processes always run at the same level "s0" and the high range clearance is only used for determining access to categories. If this is not enforced by policy yet, it probably should be. I'm planning on documenting MCS in more detail once we have a few more issues sorted out and hopefully ready to enable in rawhide. - James -- James Morris From jmorris at namei.org Fri Sep 2 21:09:09 2005 
From: jmorris at namei.org (James Morris) Date: Fri, 2 Sep 2005 17:09:09 -0400 (EDT) Subject: MCS In-Reply-To: <200509021040.57614.gene@czarc.net> References: <200509021040.57614.gene@czarc.net> Message-ID: On Fri, 2 Sep 2005, Gene Czarcinski wrote: > 6. Any tips on using MCS? The usage scenario is intended to be flexible: 1) Create names for your categories 2) Assign users to categories 3) Let users label their files with the categories as they see fit So, a simple example might be: a) Define c1 to mean "Company_Confidential" b) Configure all users to have access to c1 c) Users add this label to files like "secret_product_plan.pdf" d) httpd, ftpd etc. can't access the file anymore e) When printed, this category label is automatically added to the header and footer of each page or a cover sheet (once labeled printing is completed). It's really up to you how you use it, though. > 7. Is there anything the developers would especially like tested? Just using it at all is helpful at this stage. Let us know if you find any problems. - James -- James Morris From gene at czarc.net Fri Sep 2 21:51:35 2005 
From: gene at czarc.net (Gene Czarcinski) Date: Fri, 2 Sep 2005 17:51:35 -0400 Subject: MCS In-Reply-To: References: <200509021040.57614.gene@czarc.net> Message-ID: <200509021751.36008.gene@czarc.net> On Friday 02 September 2005 17:09, James Morris wrote: > On Fri, 2 Sep 2005, Gene Czarcinski wrote: > > 6. Any tips on using MCS? > > The usage scenario is intended to be flexible: > > 1) Create names for your categories Where is this specified? > 2) Assign users to categories Where is this specified? > 3) Let users label their files with the categories as they see fit > > So, a simple example might be: > a) Define c1 to mean "Company_Confidential" > b) Configure all users to have access to c1 > c) Users add this label to files like "secret_product_plan.pdf" > d) httpd, ftpd etc. can't access the file anymore > e) When printed, this category label is automatically added to the header > and footer of each page or a cover sheet (once labeled printing is > completed). Also, in /etc/sysconfig/selinux, do I need to specify SELINUXTYPE=mcs ? I assume I need to install the packages that are in ftp://people.redhat.com/dwalsh/selinux ... especially those under mcs. BTW, it would be nice if the src.rpm packages were available also (e.g., libsetrans) so that I could look at the code if I have any questions. Also, I assume that polyinstantiation of /tmp and /home is not planned for MCS but intended only for MLS ... correct? I assume this since you did not mention the use of "newrole" with respect to MCS. Gene From bench at silentmedia.com Sat Sep 3 17:15:26 2005
From: bench at silentmedia.com (Ben) Date: Sat, 3 Sep 2005 10:15:26 -0700 Subject: Can't use new users? In-Reply-To: <1125687926.21817.167.camel@moss-spartans.epoch.ncsc.mil> References: <43188DBC.3060508@silentmedia.com> <1125684655.21817.136.camel@moss-spartans.epoch.ncsc.mil> <43189793.1020803@silentmedia.com> <1125685778.21817.148.camel@moss-spartans.epoch.ncsc.mil> <43189EE4.7040400@silentmedia.com> <1125687926.21817.167.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <6E2C511F-369E-46A9-8183-2F4D14BCBBA0@silentmedia.com> I assume not, because I gave up and upgraded to FC4 and the problem went away. Thanks for your help! On Sep 2, 2005, at 12:05 PM, Stephen Smalley wrote: > So an obvious question is whether this fix made its way back into FC3. From bench at silentmedia.com Sun Sep 4 18:10:37 2005 From: bench at silentmedia.com (Ben) Date: Sun, 4 Sep 2005 11:10:37 -0700 Subject: selinux, httpd, and nfs Message-ID: <0BF6CF8B-D93C-4C6A-ABE7-D3DEDCF644FD@silentmedia.com> I'm trying to use NFS to make a bunch of images available for apache. SELinux on the apache server seems to be getting in the way, and this time I think it really is SELinux, because apache can serve the images just fine when I'm not enforcing. When I turn on enforcing, I get permission denied messages. Unfortunately, there are no avc messages being generated, even when I follow the steps listed out here: http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2827008 I suspect the issue might have something to do with there being no SELinux attributes on the files in my image directory.... but without any avc messages, it's hard to tell. Interestingly, even when I am enforcing, I can copy and read the files.... just not with apache. I'm using: 2.6.12-1.1447_FC4 libselinux-devel-1.23.10-2 libselinux-1.23.10-2 selinux-policy-targeted-sources-1.25.4-10 selinux-policy-targeted-1.25.4-10 From iocc at fedora-selinux.lists.flashdance.cx Mon Sep 5 01:26:53 2005
From: iocc at fedora-selinux.lists.flashdance.cx (Peter Magnusson) Date: Mon, 5 Sep 2005 03:26:53 +0200 (CEST) Subject: cant create dirs from vsftpd In-Reply-To: <200508291025.21447.lamont@gurulabs.com> References: <200508220310.j7M3AKPs015070@turing-police.cc.vt.edu> <200508291025.21447.lamont@gurulabs.com> Message-ID: On Mon, 29 Aug 2005, Lamont R. Peterson wrote: >>>> Also, I'm not so sure that I like that I can't see a lot of dirs when I'm >>>> logged in at the ftp. >>> >>> Give specific examples, and why you think FTP should be able to see that >> >> system dirs, like /bin in the root and a few dirs and files in my homedir. >> >>> dir? Most security people would consider this behavior in general a >>> feature rather than a bug - but if there's a *specific* corner case that >>> needs different treatment, we probably can fix it. >> >> I expect to see the same files as when I log in over ssh or sit in front of >> the computer. I don't see why vsftpd should be special in any way so I don't >> see some dirs or files. > > Perhaps, I'm just a little bit confused. Are you wanting your FTP server to > provide access to the entire filesystem space? It seems like that is what > you are asking for and that is not how FTP works. Correct! My non-anonymous vsftpd server under FC3 works exactly like that. But SELinux in FC4 has problems with that. The policy is broken. > FTP like HTTP serves up files only from a subset of the filesystem space. You > wouldn't want your web server providing access to the entire filesystem, > would you? The same is true of FTP. > > Please, if I am misunderstanding what you are trying to accomplish here, feel > free to explain it. Yes, you are. I'm NOT talking about an anonymous ftp server. I log in with my user and I expect to have the same files available as when I log in over ssh or sit in front of the computer. From sds at tycho.nsa.gov Tue Sep 6 14:37:05 2005
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 06 Sep 2005 10:37:05 -0400 Subject: selinux, httpd, and nfs In-Reply-To: <0BF6CF8B-D93C-4C6A-ABE7-D3DEDCF644FD@silentmedia.com> References: <0BF6CF8B-D93C-4C6A-ABE7-D3DEDCF644FD@silentmedia.com> Message-ID: <1126017425.30529.76.camel@moss-spartans.epoch.ncsc.mil> On Sun, 2005-09-04 at 11:10 -0700, Ben wrote: > I'm trying to use NFS to make a bunch of images available for apache. > SELinux on the apache server seems to be getting in the way, and this > time I think it really is SELinux, because apache can serve the > images just fine when I'm not enforcing. When I turn on enforcing, I > get permission denied messages. > > Unfortunately, there are no avc messages being generated, even when I > follow the steps listed out here: > > http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2827008 Just in case you don't know it already, in FC4, audit messages are now directed to a separate audit daemon (auditd) and logged to /var/log/audit/audit.log rather than being handled by klogd/syslogd and going to /var/log/messages. So you need to look in audit.log for any denials. > I suspect the issue might have something to do with there being no > SELinux attributes on the files in my image directory.... but without > any avc messages, it's hard to tell. > > Interestingly, even when I am enforcing, I can copy and read the > files.... just not with apache. Yes, that would make sense, as user sessions are unrestricted by the targeted policy (they are in unconfined_t, e.g. see the output of id -Z). Targeted policy only tries to control specific daemons. This may be affected by one of the policy booleans, e.g. /usr/sbin/getsebool -a | grep httpd and /usr/sbin/getsebool -a | grep nfs. Other resources: man httpd_selinux man nfs_selinux -- Stephen Smalley National Security Agency From ynakam at gwu.edu Tue Sep 6 21:49:49 2005 
From: ynakam at gwu.edu (Yuichi Nakamura) Date: Tue, 06 Sep 2005 17:49:49 -0400 Subject: ANN: SELinux Policy Editor 1.2 Message-ID: <4bpcim$48d7v7@iron2-mx.tops.gwu.edu> Hi. We've released SELinux Policy Editor 1.2.0. For how to download and install, see http://seedit.sourceforge.net/doc/install/INSTALL.html Documents are updated at http://seedit.sourceforge.net/documents.html Major changes from 1.0: (1) Improved implementation to support different distributions. Now supports Fedora Core 4, Turbo Linux 10 Server, Asianux 2.0. (2) Added more sample policy. (3) Improved Simplified Policy Description language. See http://seedit.sourceforge.net/documents.html for the updated simplified policy description language. (4) Developer's policy. For developers, a simplified policy that uses macros is prepared in the seedit-policy-devel package. # Documentation for the developer's policy is not prepared yet. # Be careful when using it. (5) Policy without RBAC. Policy without RBAC (like targeted policy) can be installed when installing from source. For feedback, e-mail seedit-admin at lists.sourceforge.net . --- Yuichi Nakamura Hitachi Software, The George Washington University Japan SELinux Users Group (JSELUG) Japan Open Source Advocacy Organization (JOSAO) SELinux Policy Editor: http://seedit.sourceforge.net/ From dwalsh at redhat.com Wed Sep 7 12:39:22 2005
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 07 Sep 2005 08:39:22 -0400 Subject: MCS In-Reply-To: <1125678023.21817.90.camel@moss-spartans.epoch.ncsc.mil> References: <200509021040.57614.gene@czarc.net> <1125678023.21817.90.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <431EDF7A.4070509@redhat.com> Stephen Smalley wrote: >On Fri, 2005-09-02 at 10:40 -0400, Gene Czarcinski wrote: > > >>While I am more interested in a MLS (Multiple Level System) capability with >>selinux, MCS is pretty close since it is "simply" MLS (multi-levels, >>multi-categories) with a single level and multi-categories. >> >> > >I'll take a stab at answering, although I think that James or Dan will >have more precise answers for MCS. > >MCS and MLS are actually rather different. IIUC, under MCS, clearance >determines current access rather than current level, and objects (files) >are only labeled with categories upon explicit request by the process >(e.g. the user runs chcon on the file to set a category on it). MCS >doesn't try to prevent "write down", so it doesn't try to address the >trojan horse problem. MCS is effectively a discretionary model to allow >users to mark their data with additional tags that further restrict >access. The only mandatory aspect is authorizing users for categories >by defining their clearance in policy. However, MCS and MLS exercise >the same code paths and share the same support infrastructure. They >just differ in their specific configuration. > > > >>However, I do have some questions -- >> >>1. Is most/all of the needed updates available for FC4 or should I plan to >>use the FC5-development packages? >> >> > >You'll need the development packages, and some of the MCS-related >packages are still only in Dan's own site at present for experimentation >AFAIK. See his posting to selinux list. > > Yes that is correct. libsetrans and targeted policy with mcs are on my people page, but everything else is in rawhide. > > >>2. 
It appears that MCS is only available with targeted policy (not with the >>strict policy). Are there plans to include it in strict at some future time? >> >> > >MCS is based on targeted, as the goal IIUC is for it to replace targeted >as the default policy in Fedora. Porting MCS to strict likely wouldn't >be hard. Dan also posted links to a MLS (not MCS) policy based on >strict available from his site earlier to selinux list. Not clear if he >is still maintaining that, although there will ultimately be a MLS >policy separate from MCS. > > We will turn it on in strict policy, also by default. Haven't yet because I have been trying to get it to work in targeted. > > >>3. To me, a key capability to make either MLS or MCS practical is to >>implement polyinstantiation of /tmp and /home/ directories so that >>different levels and/or categories with really have different directories. >>Has this been implemented? How does it work? >> >> > >Under development - see Janak's postings to selinux and redhat-lspp >lists. It is being done in userspace via per-process namespaces and >bind mounts. Currently also depends on a kernel patch that isn't >upstream yet for unshare(2). > > > >>4. How do I enable MCS given that I am now running selinux-targeted in >>enforcing mode? >> >> > >You need to update to rawhide, and then you can install the MCS packages >from Dan's site, I believe. > > > Yes. Although it is currently broken in that users/root are only logging in as "s0" not "s0:c0.c127" or "s0:c0,c2,c17" >>Comment: While I understand that Red Hat folks would want to make a system >>upgrade to MCS NOT require a system relabel, I (personally) do not consider >>it a big deal to require full relabeling to transition to either MCS or MLS. >> >> > >But it is critical if they want to make MCS the default in FC5, so that >people can upgrade from FC4. > > Yes we can not force a relabel. > > >>5. Is it the goal for MCS to make it fully implemented and an >>installation/upgrade option for FC5? 
>> >> > >Fully implemented IIUC. > > > It will not be an option, it will be enabled in both targeted and strict policy. >>6. Any tips on using MCS? >> >> >> Not yet, we are learning as we go. One rule we have now is categories can not have spaces in the translation. Things we are working on: Infrastructure to allow different users to login with different categories. If I want to allow a web site to show "CompanyConfidential" documents what do I need to do? >>7. Is there anything the developers would especially like tested? >> >> > >I'll leave these to Dan or James. > > > Just need people to play with it and figure out where it is broken. >>8. IIUC, "newrole -l" will be used to switch level & category on an MLS >>system and "just" category on an MCS system. Is this correct? >> >> > >I would expect so, although possibly newrole could take an option just >for category setting. > > > We do not intend for people to use newrole in MCS. >>9. IIUC, the implementation supports a large number of levels (currently 10 >>or s0-s9 but could be larger or smaller) and an even larger number of >>categories (currently 128 or c0-c127 but could be larger or smaller). Is >>this correct? >> >> > >Yes. No fundamental limitations there. > > > >>10. While the current implementation has levels specified as s0-s9 and >>categories as c0-c127, there needs to some way to relate these "internal" >>specifications to something more meaningful to real people. For example, for >>sensitivity levels specifying s0=unclassified, s1=confidential, s2=secret, >>etc. In a similar manner, categories need something like c0=foo, c1=bar, >>c2=CompanyPropin, etc. Has anything been done with this in mind? What are >>the plans for this? >> >> > >Yes, libselinux will now invoke an external translation library for >contexts if it is present on the system. Currently available from >Dan's site. > > > -- From dwalsh at redhat.com Wed Sep 7 13:14:44 2005 
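The access rule James describes above (every process stays at s0, and the high end of the process's range decides which categories it can reach), his c1 = Company_Confidential example and Dan's rule that translated category names cannot contain spaces, as an added worked model. This is example code written for this archive; it is not the Fedora policy, not libsetrans and not anything posted in the thread. It assumes the MLS field syntax SELinux uses (s<N> for a sensitivity, c<N> for a category, cA.cB for a run, commas for a list, low-high for a range), treats a context with no MLS field, like the targeted-policy contexts quoted in this digest, as s0, and the user, role and type names in the demo contexts are hypothetical. The real policy states the rule as an mlsconstrain; this only models the category check.

```python
"""Toy model of the MCS category check described in this thread.

Added example: not Fedora policy code, not libsetrans, not from the thread.
Assumes the standard MLS field syntax (s<N>, c<N>, cA.cB, commas, low-high)
and treats a context without an MLS field as s0.
"""
import re

_CAT_RE = re.compile(r"^c(\d+)$")
_SENS_RE = re.compile(r"^s\d+$")


def _cat_num(token):
    m = _CAT_RE.match(token)
    if not m:
        raise ValueError("bad category %r" % token)
    return int(m.group(1))


def parse_categories(spec):
    """'c0.c127' -> {0..127}; 'c0,c2,c17' -> {0, 2, 17}; '' -> set()."""
    cats = set()
    if not spec:
        return cats
    for part in spec.split(","):
        if "." in part:
            lo, hi = (_cat_num(t) for t in part.split(".", 1))
            if lo > hi:
                raise ValueError("inverted category run %r" % part)
            cats.update(range(lo, hi + 1))
        else:
            cats.add(_cat_num(part))
    return cats


def parse_level(level):
    """'s0:c0.c127' -> ('s0', {0..127}); 's0' -> ('s0', set())."""
    sens, _, cats = level.partition(":")
    if not _SENS_RE.match(sens):
        raise ValueError("bad sensitivity %r" % sens)
    return sens, parse_categories(cats)


def parse_context(context):
    """Split 'user:role:type[:low[-high]]' into its parts."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("bad context %r" % context)
    user, role, typ = parts[:3]
    mls = parts[3] if len(parts) == 4 else "s0"   # assumption: no MLS field means s0
    low, _, high = mls.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    return {"user": user, "role": role, "type": typ, "low": lo, "high": hi}


def mcs_allows(process_context, file_context):
    """The rule as James Morris describes it: everything runs at s0, so only
    categories matter, and the high end of the process range (its clearance)
    decides.  Allowed when every category on the file is in that clearance.
    Files carry a single level, so the file's low level is used."""
    _, clearance = parse_context(process_context)["high"]
    _, file_cats = parse_context(file_context)["low"]
    return file_cats <= clearance


def register_names(names):
    """Category number -> human name, the mapping libsetrans supplies from its
    translation config.  Enforces Dan Walsh's rule: no spaces in a name."""
    for num, name in names.items():
        if " " in name:
            raise ValueError("category name %r contains a space" % name)
        if not isinstance(num, int) or num < 0:
            raise ValueError("bad category number %r" % num)
    return dict(names)


def describe(context, names):
    """Render the low level of a context with category names substituted:
    'user_u:object_r:user_home_t:s0:c1' -> 's0:CompanyConfidential'."""
    sens, cats = parse_context(context)["low"]
    if not cats:
        return sens
    return sens + ":" + ",".join(names.get(c, "c%d" % c) for c in sorted(cats))


if __name__ == "__main__":
    # James's scenario: c1 is Company_Confidential, every user is cleared for it,
    # a user puts c1 on the plan (the chcon step Stephen mentions), httpd is not cleared.
    names = register_names({1: "CompanyConfidential"})
    plan = "user_u:object_r:user_home_t:s0:c1"        # hypothetical file context
    user = "user_u:user_r:user_t:s0-s0:c0.c127"       # hypothetical cleared user
    web = "system_u:system_r:httpd_t:s0"              # httpd: no categories
    print(describe(plan, names), "user:", mcs_allows(user, plan), "httpd:", mcs_allows(web, plan))
```

Running the block prints `s0:CompanyConfidential user: True httpd: False`, which is steps b) through d) of James's example: the user can read the plan, httpd cannot. Nothing here prevents "write down" (a cleared user copying the file to an unlabeled one), which is exactly the limitation Stephen points out when he calls MCS effectively discretionary.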
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 07 Sep 2005 09:14:44 -0400 Subject: FYI SELinux talk at MIT, Boston LUG Message-ID: <431EE7C4.4080905@redhat.com> http://www.blu.org/cgi-bin/calendar/2005-sep -- From dwalsh at redhat.com Wed Sep 7 13:20:20 2005 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 07 Sep 2005 09:20:20 -0400 Subject: cant create dirs from vsftpd In-Reply-To: References: <200508220310.j7M3AKPs015070@turing-police.cc.vt.edu> <200508291025.21447.lamont@gurulabs.com> Message-ID: <431EE914.50708@redhat.com> Peter Magnusson wrote: > On Mon, 29 Aug 2005, Lamont R. Peterson wrote: > >>>>> Also, I'm not so sure that I like that I can't see a lot of dirs when I'm >>>>> logged in at the ftp. >>>> >>>> Give specific examples, and why you think FTP should be able to see >>>> that >>> >>> system dirs, like /bin in the root and a few dirs and files in my >>> homedir. >>> >>>> dir? Most security people would consider this behavior in general a >>>> feature rather than a bug - but if there's a *specific* corner case >>>> that >>>> needs different treatment, we probably can fix it. >>> >>> I expect to see the same files as when I log in over ssh or sit in >>> front of >>> the computer. I don't see why vsftpd should be special in any way so >>> I don't >>> see some dirs or files. >> >> Perhaps, I'm just a little bit confused. Are you wanting your FTP >> server to >> provide access to the entire filesystem space? It seems like that is >> what >> you are asking for and that is not how FTP works. > > Correct! > My non-anonymous vsftpd server under FC3 works exactly like that. But > SELinux in FC4 has problems with that. The policy is broken. > Then you can turn off selinux protection on the ftpd server. >> FTP like HTTP serves up files only from a subset of the filesystem >> space. You >> wouldn't want your web server providing access to the entire filesystem, >> would you? The same is true of FTP. >> >> Please, if I am misunderstanding what you are trying to accomplish >> here, feel >> free to explain it. > > Yes, you are. I'm NOT talking about an anonymous ftp server. I log in > with my user and I expect to have the same files available as when I > log in over ssh or sit in front of the computer.
-- From ahziem1 at mailbolt.com Thu Sep 8 00:22:34 2005
From: ahziem1 at mailbolt.com (Andrew Z) Date: Wed, 07 Sep 2005 18:22:34 -0600 Subject: WebDAV Message-ID: <431F844A.1010406@mailbolt.com> Is there a SELinux policy for use with WebDAV? I have the WebDAV working correctly with Apache and Cadaver, but SELinux prevents writing. I have noticed that there are at least two issues. First, SELinux prevents Apache from writing to httpd_sys_content_t. Second, Apache needs to update its locking database. I don't want to allow write access to all httpd_sys_content_t. type=AVC msg=audit(1126138296.843:56): avc: denied { write } for pid=3525 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file type=SYSCALL msg=audit(1126138296.843:56): arch=40000003 syscall=5 success=yes exit=11 a0=8675e00 a1=42 a2=1b6 a3=886a6c0 items=1 pid=3525 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" type=CWD msg=audit(1126138296.843:56): cwd="/" type=PATH msg=audit(1126138296.843:56): item=0 name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07 mode=040700 ouid=48 ogid=48 rdev=00:00 type=AVC msg=audit(1126138520.634:58): avc: denied { write } for pid=3526 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file type=SYSCALL msg=audit(1126138520.634:58): arch=40000003 syscall=5 success=yes exit=11 a0=867dc20 a1=42 a2=1b6 a3=867fbd8 items=1 pid=3526 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" type=CWD msg=audit(1126138520.634:58): cwd="/" type=PATH msg=audit(1126138520.634:58): item=0 name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07 mode=040700 ouid=48 ogid=48 rdev=00:00 Andrew From dwalsh at redhat.com Thu Sep 8 12:10:12 2005 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 08 Sep 2005 08:10:12 -0400 Subject: WebDAV In-Reply-To: <431F844A.1010406@mailbolt.com> References: <431F844A.1010406@mailbolt.com> Message-ID: <43202A24.90604@redhat.com> Andrew Z wrote: > > Is there a SELinux policy for use with WebDAV? I have the WebDAV > working correctly with Apache and Cadaver, but SELinux prevents > writing. I have noticed that there are at least two issues. First, > SELinux prevents Apache from writing to httpd_sys_content_t. Second, > Apache needs to update its locking database. I don't want to allow > write access to all httpd_sys_content_t. > type=AVC msg=audit(1126138296.843:56): avc: denied { write } for > pid=3525 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851 > scontext=system_u:system_r:httpd_t > tcontext=system_u:object_r:var_lib_t tclass=file > type=SYSCALL msg=audit(1126138296.843:56): arch=40000003 syscall=5 > success=yes exit=11 a0=8675e00 a1=42 a2=1b6 a3=886a6c0 items=1 > pid=3525 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 > egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" > type=CWD msg=audit(1126138296.843:56): cwd="/" > type=PATH msg=audit(1126138296.843:56): item=0 > name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07 > mode=040700 ouid=48 ogid=48 rdev=00:00 > > > type=AVC msg=audit(1126138520.634:58): avc: denied { write } for > pid=3526 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851 > scontext=system_u:system_r:httpd_t > tcontext=system_u:object_r:var_lib_t tclass=file > type=SYSCALL msg=audit(1126138520.634:58): arch=40000003 syscall=5 > success=yes exit=11 a0=867dc20 a1=42 a2=1b6 a3=867fbd8 items=1 > pid=3526 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 > egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" > type=CWD msg=audit(1126138520.634:58): cwd="/" > type=PATH msg=audit(1126138520.634:58): item=0 > name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07 > mode=040700 ouid=48 ogid=48 
rdev=00:00 > > > try chcon -R -t httpd_sys_script_rw_t /var/lib/dav > > Andrew -- From ahziem1 at mailbolt.com Thu Sep 8 12:55:35 2005
From: ahziem1 at mailbolt.com (Andrew Z) Date: Thu, 08 Sep 2005 06:55:35 -0600 Subject: WebDAV In-Reply-To: <43202A24.90604@redhat.com> References: <431F844A.1010406@mailbolt.com> <43202A24.90604@redhat.com> Message-ID: <432034C7.2050601@mailbolt.com> Daniel J Walsh wrote: > Andrew Z wrote: > >> >> Is there a SELinux policy for use with WebDAV? I have the WebDAV >> working correctly with Apache and Cadaver, but SELinux prevents >> writing. I have noticed that there are at least two issues. First, >> SELinux prevents Apache from writing to httpd_sys_content_t. Second, >> Apache needs to update its locking database. I don't want to allow >> write access to all httpd_sys_content_t. >> type=AVC msg=audit(1126138296.843:56): avc: denied { write } for >> pid=3525 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851 >> scontext=system_u:system_r:httpd_t >> tcontext=system_u:object_r:var_lib_t tclass=file >> type=SYSCALL msg=audit(1126138296.843:56): arch=40000003 syscall=5 >> success=yes exit=11 a0=8675e00 a1=42 a2=1b6 a3=886a6c0 items=1 >> pid=3525 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 >> egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" >> type=CWD msg=audit(1126138296.843:56): cwd="/" >> type=PATH msg=audit(1126138296.843:56): item=0 >> name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07 >> mode=040700 ouid=48 ogid=48 rdev=00:00 >> >> >> type=AVC msg=audit(1126138520.634:58): avc: denied { write } for >> pid=3526 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851 >> scontext=system_u:system_r:httpd_t >> tcontext=system_u:object_r:var_lib_t tclass=file >> type=SYSCALL msg=audit(1126138520.634:58): arch=40000003 syscall=5 >> success=yes exit=11 a0=867dc20 a1=42 a2=1b6 a3=867fbd8 items=1 >> pid=3526 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 >> egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" >> type=CWD msg=audit(1126138520.634:58): cwd="/" >> type=PATH msg=audit(1126138520.634:58): item=0 >> 
name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07 >> mode=040700 ouid=48 ogid=48 rdev=00:00 >> >> >> > try > chcon -R -t httpd_sys_script_rw_t /var/lib/dav > Daniel, Thank you, that worked nicely. Is there also a type for writable directories that solves the next problem? This is creating and writing a file to bar to a directory /var/www/html/dav: type=AVC msg=audit(1126183941.896:260): avc: denied { write } for pid=20312 comm="httpd" name="dav" dev=hda7 ino=1011845 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir type=AVC msg=audit(1126183941.896:260): avc: denied { add_name } for pid=20312 comm="httpd" name="a" scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir type=AVC msg=audit(1126183941.896:260): avc: denied { create } for pid=20312 comm="httpd" name="a" scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file type=SYSCALL msg=audit(1126183941.896:260): arch=40000003 syscall=5 success=yes exit=14 a0=94dca08 a1=241 a2=1b6 a3=94dce58 items=1 pid=20312 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" type=CWD msg=audit(1126183941.896:260): cwd="/" type=PATH msg=audit(1126183941.896:260): item=0 name="/var/www/html/dav/foo" flags=310 inode=1011845 dev=03:07 mode=040775 ouid=500 ogid=48 rdev=00:00 type=AVC msg=audit(1126183941.896:261): avc: denied { write } for pid=20312 comm="httpd" name="a" dev=hda7 ino=1011998 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file type=SYSCALL msg=audit(1126183941.896:261): arch=40000003 syscall=4 success=yes exit=28 a0=e a1=94ddb40 a2=1c a3=94dce58 items=0 pid=20312 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" type=AVC_PATH msg=audit(1126183941.896:261): path="/var/www/html/dav/foo" Andrew From dwalsh at redhat.com Thu Sep 8 14:55:40 2005 
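Stephen's note earlier in this digest (on FC4 the denials go to /var/log/audit/audit.log, not /var/log/messages) and the records Andrew posted above suggest the check worth doing before reaching for chcon: pull the AVC records out, merge the permissions per subject/object/class, and read the SYSCALL record of the same event. The parser below is an added example, not code from the thread and not part of the audit tools. Its sample input is the set of records posted above (event serials 56 and 260, with the SYSCALL lines trimmed to the fields used); every one of them carries success=yes, which means the kernel logged the denial but let the call through, the behaviour of permissive mode. In enforcing mode the same call fails and the SYSCALL record shows success=no. The epoch seconds inside msg=audit(...) are turned into a readable date as well. Records are grouped by the full (timestamp, serial) stamp, since the serial restarts at boot.

```python
"""Pull SELinux denials out of audit.log and tie each AVC to the SYSCALL and
PATH records of the same event.

Added example: not code from this thread and not part of the audit tools.
SAMPLE_LOG holds the records Andrew posted above (serials 56 and 260), with
the SYSCALL lines trimmed to the fields used here.
"""
import re
from datetime import datetime, timezone

SAMPLE_LOG = """\
type=AVC msg=audit(1126138296.843:56): avc: denied { write } for pid=3525 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
type=SYSCALL msg=audit(1126138296.843:56): arch=40000003 syscall=5 success=yes exit=11 pid=3525 uid=48 comm="httpd" exe="/usr/sbin/httpd"
type=PATH msg=audit(1126138296.843:56): item=0 name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07 mode=040700 ouid=48 ogid=48 rdev=00:00
type=AVC msg=audit(1126183941.896:260): avc: denied { write } for pid=20312 comm="httpd" name="dav" dev=hda7 ino=1011845 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1126183941.896:260): avc: denied { add_name } for pid=20312 comm="httpd" name="a" scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1126183941.896:260): avc: denied { create } for pid=20312 comm="httpd" name="a" scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
type=SYSCALL msg=audit(1126183941.896:260): arch=40000003 syscall=5 success=yes exit=14 pid=20312 uid=48 comm="httpd" exe="/usr/sbin/httpd"
type=PATH msg=audit(1126183941.896:260): item=0 name="/var/www/html/dav/foo" flags=310 inode=1011845 dev=03:07 mode=040775 ouid=500 ogid=48 rdev=00:00
"""

_RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """One audit line -> dict of its fields, or None if it is not a record we use."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    rec = {}
    if m.group("type") == "AVC":
        a = _AVC_RE.match(body)
        if not a:
            return None                  # 'avc: granted' or an unknown shape
        rec["perms"] = set(a.group("perms").split())
        body = a.group("rest")
    rec.update((k, v.strip('"')) for k, v in _KV_RE.findall(body))
    rec["_type"] = m.group("type")
    rec["_ts"] = float(m.group("ts"))
    rec["_serial"] = int(m.group("serial"))
    return rec


def group_events(text):
    """Records sharing the same (timestamp, serial) stamp belong to one event."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault((rec["_ts"], rec["_serial"]), []).append(rec)
    return events


def summarize_denials(text):
    """One summary per (scontext, tcontext, tclass) per event: merged permissions,
    the path from the PATH record, and whether the SYSCALL record still says success."""
    out = []
    for (ts, serial), recs in sorted(group_events(text).items()):
        avcs = [r for r in recs if r["_type"] == "AVC"]
        if not avcs:
            continue
        syscalls = [r for r in recs if r["_type"] == "SYSCALL"]
        paths = [r["name"] for r in recs if r["_type"] == "PATH" and "name" in r]
        success = syscalls[0].get("success") if syscalls else None
        merged = {}
        for a in avcs:
            merged.setdefault((a["scontext"], a["tcontext"], a["tclass"]), set()).update(a["perms"])
        for (scon, tcon, tclass), perms in merged.items():
            out.append({
                "when": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
                "serial": serial, "comm": avcs[0].get("comm"),
                "scontext": scon, "tcontext": tcon, "target_type": tcon.split(":")[2],
                "tclass": tclass, "perms": sorted(perms), "paths": paths,
                "syscall_succeeded": None if success is None else success == "yes",
            })
    return out


def denial_effect(summary):
    """'logged-only' when the call went through anyway (permissive), 'blocked'
    when it failed, 'unknown' when no SYSCALL record was captured."""
    s = summary["syscall_succeeded"]
    return "unknown" if s is None else ("logged-only" if s else "blocked")


if __name__ == "__main__":
    for d in summarize_denials(SAMPLE_LOG):
        print(d["when"], d["comm"], d["scontext"], "->", d["target_type"], d["tclass"],
              d["perms"], d["paths"], denial_effect(d))
```

Run against a live box with `python3 avc_summary.py < /var/log/audit/audit.log` after changing the `__main__` block to read stdin; the summary keyed on target type is what tells you whether a chcon to a different type (Dan's httpd_sys_script_rw_t answer) or a boolean (Stephen's getsebool suggestion) is the right fix, and the denial_effect column tells you whether the denial you are staring at is actually the one breaking the application.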
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 08 Sep 2005 10:55:40 -0400 Subject: WebDAV In-Reply-To: <432034C7.2050601@mailbolt.com> References: <431F844A.1010406@mailbolt.com> <43202A24.90604@redhat.com> <432034C7.2050601@mailbolt.com> Message-ID: <432050EC.9070806@redhat.com> Andrew Z wrote: > > Daniel J Walsh wrote: > >> Andrew Z wrote: >> >>> >>> Is there a SELinux policy for use with WebDAV? I have the WebDAV >>> working correctly with Apache and Cadaver, but SELinux prevents >>> writing. I have noticed that there are at least two issues. First, >>> SELinux prevents Apache from writing to httpd_sys_content_t. >>> Second, Apache needs to update its locking database. I don't want >>> to allow write access to all httpd_sys_content_t. >>> type=AVC msg=audit(1126138296.843:56): avc: denied { write } for >>> pid=3525 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851 >>> scontext=system_u:system_r:httpd_t >>> tcontext=system_u:object_r:var_lib_t tclass=file >>> type=SYSCALL msg=audit(1126138296.843:56): arch=40000003 syscall=5 >>> success=yes exit=11 a0=8675e00 a1=42 a2=1b6 a3=886a6c0 items=1 >>> pid=3525 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 >>> egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" >>> type=CWD msg=audit(1126138296.843:56): cwd="/" >>> type=PATH msg=audit(1126138296.843:56): item=0 >>> name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07 >>> mode=040700 ouid=48 ogid=48 rdev=00:00 >>> >>> >>> type=AVC msg=audit(1126138520.634:58): avc: denied { write } for >>> pid=3526 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851 >>> scontext=system_u:system_r:httpd_t >>> tcontext=system_u:object_r:var_lib_t tclass=file >>> type=SYSCALL msg=audit(1126138520.634:58): arch=40000003 syscall=5 >>> success=yes exit=11 a0=867dc20 a1=42 a2=1b6 a3=867fbd8 items=1 >>> pid=3526 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 >>> egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" >>> type=CWD 
msg=audit(1126138520.634:58): cwd="/" >>> type=PATH msg=audit(1126138520.634:58): item=0 >>> name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07 >>> mode=040700 ouid=48 ogid=48 rdev=00:00 >>> >>> >>> >> try >> chcon -R -t httpd_sys_script_rw_t /var/lib/dav >> > Daniel, > > Thank you, that worked nicely. > Is there also a type for writable directories that solves the next > problem? This is creating and writing a file to bar to a directory > /var/www/html/dav: > > type=AVC msg=audit(1126183941.896:260): avc: denied { write } for > pid=20312 comm="httpd" name="dav" dev=hda7 ino=1011845 > scontext=root:system_r:httpd_t > tcontext=system_u:object_r:httpd_sys_content_t tclass=dir > type=AVC msg=audit(1126183941.896:260): avc: denied { add_name } > for pid=20312 comm="httpd" name="a" scontext=root:system_r:httpd_t > tcontext=system_u:object_r:httpd_sys_content_t tclass=dir > type=AVC msg=audit(1126183941.896:260): avc: denied { create } for > pid=20312 comm="httpd" name="a" scontext=root:system_r:httpd_t > tcontext=root:object_r:httpd_sys_content_t tclass=file > type=SYSCALL msg=audit(1126183941.896:260): arch=40000003 syscall=5 > success=yes exit=14 a0=94dca08 a1=241 a2=1b6 a3=94dce58 items=1 > pid=20312 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 > egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd" > type=CWD msg=audit(1126183941.896:260): cwd="/" > type=PATH msg=audit(1126183941.896:260): item=0 > name="/var/www/html/dav/foo" flags=310 inode=1011845 dev=03:07 > mode=040775 ouid=500 ogid=48 rdev=00:00 > type=AVC msg=audit(1126183941.896:261): avc: denied { write } for > pid=20312 comm="httpd" name="a" dev=hda7 ino=1011998 > scontext=root:system_r:httpd_t > tcontext=root:object_r:httpd_sys_content_t tclass=file > type=SYSCALL msg=audit(1126183941.896:261): arch=40000003 syscall=4 > success=yes exit=28 a0=e a1=94ddb40 a2=1c a3=94dce58 items=0 pid=20312 > auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 > fsgid=48 
comm="httpd" exe="/usr/sbin/httpd" > type=AVC_PATH msg=audit(1126183941.896:261): > path="/var/www/html/dav/foo" > > > > Andrew I would try the same thing. chcon -R -t httpd_sys_script_rw_t /var/www/html/dav -- From paul at city-fan.org Thu Sep 8 14:57:28 2005 From: paul at city-fan.org (Paul Howarth) Date: Thu, 08 Sep 2005 15:57:28 +0100 Subject: selinux-policy-targeted 1.25.4-10 and dovecot In-Reply-To: <431474F3.9030101@city-fan.org> References: <431474F3.9030101@city-fan.org> Message-ID: <43205158.3030803@city-fan.org> Paul Howarth wrote: > I notice in the changelog that a recent change was: > > * Wed Aug 17 2005 Dan Walsh 1.25.4-4 > - Add more access for amanda > - Allow dovecot to create files in mail_spool_t > > Having installed the updated policy this morning, I found I had to add a > local rule: > > allow dovecot_t mail_spool_t:file write; > > This is needed to allow dovecot to delete mail from the mail spool file > (I use dovecot in pop3 mode). I'm surprised this wasn't the default - is > there a good reason why it isn't? > > Cheers, Paul. > > P.S. there is still a problem with pptp - in pppd.fc > > # Fix pptp sockets > /var/run/pptp(/.*)? -- system_u:object_r:pptp_var_run_t > > should read: > > # Fix pptp sockets > /var/run/pptp(/.*)? system_u:object_r:pptp_var_run_t > > because /var/run/pptp is a directory and the items in that directory > should be sockets, not regular files. I guess I should bugzilla these... One bug, or two? Paul. From dwalsh at redhat.com Thu Sep 8 16:59:53 2005 
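Paul's pppd.fc correction above turns on one detail of file_contexts syntax: the optional field between the regex and the context restricts the entry to one inode type, and `--` means regular files only, so with it in place the /var/run/pptp directory and the sockets inside it fall through to whatever entry matches next. The model below is an added example, not setfiles or libselinux code and not from the thread. It assumes the matching rules those tools use (the regex must match the whole path, the type field filters by inode type, and when several entries match the last one in the file wins); the var_run_t catch-all entry and the socket and file names under /var/run/pptp are constructed for the demo, while the two pptp entries are the ones Paul quotes.

```python
"""Model of file_contexts matching, to show what the optional type field does.

Added example: not setfiles/libselinux code and not from the thread.  Assumes
their rules: '<regex> [<type>] <context>' per line, regex matches the whole
path, the type field ('--' regular, '-d' dir, '-s' socket, '-l' symlink,
'-p' fifo, '-b' block, '-c' char) filters by inode type, last match wins.
"""
import re
import stat

_TYPE_FLAGS = {
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-s": stat.S_IFSOCK, "-l": stat.S_IFLNK,
    "-p": stat.S_IFIFO, "-b": stat.S_IFBLK, "-c": stat.S_IFCHR,
}
_SPEC_RE = re.compile(r"^(\S+)\s+(?:(-[-dslpbc])\s+)?(\S+)$")

# The var_run_t catch-all is constructed for the demo; the pptp entry is the one Paul quotes.
BUGGY_FC = """\
/var/run(/.*)?          system_u:object_r:var_run_t
# Fix pptp sockets
/var/run/pptp(/.*)?  --  system_u:object_r:pptp_var_run_t
"""

FIXED_FC = """\
/var/run(/.*)?          system_u:object_r:var_run_t
# Fix pptp sockets
/var/run/pptp(/.*)?     system_u:object_r:pptp_var_run_t
"""

# Constructed stand-in for the pptp run-time tree: directory, one socket, one plain file.
PPTP_TREE = [
    ("/var/run/pptp", stat.S_IFDIR | 0o755),
    ("/var/run/pptp/sock0", stat.S_IFSOCK | 0o600),   # hypothetical socket name
    ("/var/run/pptp/pidfile", stat.S_IFREG | 0o644),  # hypothetical file name
]


def parse_file_contexts(text):
    """file_contexts text -> list of (compiled regex, required S_IFMT or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SPEC_RE.match(line)
        if not m:
            raise ValueError("malformed entry: %r" % line)
        regex, ftype, context = m.groups()
        specs.append((re.compile(regex), _TYPE_FLAGS[ftype] if ftype else None, context))
    return specs


def match_context(specs, path, mode):
    """Context for path (st_mode 'mode'), or None if no entry matches."""
    winner = None
    for regex, ftype, context in specs:
        if ftype is not None and stat.S_IFMT(mode) != ftype:
            continue                     # entry restricted to another inode type
        if regex.fullmatch(path):
            winner = context             # last matching entry wins
    return winner


def label_changes(before, after, entries):
    """(path, old, new) for every entry whose label differs between two spec sets."""
    changes = []
    for path, mode in entries:
        old, new = match_context(before, path, mode), match_context(after, path, mode)
        if old != new:
            changes.append((path, old, new))
    return changes


if __name__ == "__main__":
    buggy, fixed = parse_file_contexts(BUGGY_FC), parse_file_contexts(FIXED_FC)
    for path, old, new in label_changes(buggy, fixed, PPTP_TREE):
        print("%-24s %s -> %s" % (path, old, new))
```

With the `--` entry, only the regular file gets pptp_var_run_t; the directory and the socket stay at the catch-all var_run_t, which is why pptpd cannot use its sockets. Dropping the field relabels both. On a real system the corrected entry only takes effect after `restorecon -Rv /var/run/pptp` (or the next relabel), and with the `--` version still installed that command would relabel just the regular files.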
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 08 Sep 2005 12:59:53 -0400
Subject: selinux-policy-targeted 1.25.4-10 and dovecot
In-Reply-To: <43205158.3030803@city-fan.org>
References: <431474F3.9030101@city-fan.org> <43205158.3030803@city-fan.org>
Message-ID: <43206E09.9030407@redhat.com>

Paul Howarth wrote:
> Paul Howarth wrote:
>
>> I notice in the changelog that a recent change was:
>>
>> * Wed Aug 17 2005 Dan Walsh 1.25.4-4
>> - Add more access for amanda
>> - Allow dovecot to create files in mail_spool_t
>>
>> Having installed the updated policy this morning, I found I had to
>> add a local rule:
>>
>> allow dovecot_t mail_spool_t:file write;
>>
>> This is needed to allow dovecot to delete mail from the mail spool
>> file (I use dovecot in pop3 mode). I'm surprised this wasn't the
>> default - is there a good reason why it isn't?
>>
>> Cheers, Paul.
>>
>> P.S. there is still a problem with pptp - in pppd.fc
>>
>> # Fix pptp sockets
>> /var/run/pptp(/.*)? -- system_u:object_r:pptp_var_run_t
>>
>> should read:
>>
>> # Fix pptp sockets
>> /var/run/pptp(/.*)? system_u:object_r:pptp_var_run_t
>>
>> because /var/run/pptp is a directory and the items in that directory
>> should be sockets, not regular files.
>
>
> I guess I should bugzilla these...
>
> One bug, or two?
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

Try 1.25.4-10.1. I think it fixes all of these.

-- 
From: eric.tanguy at univ-nantes.fr (Eric Tanguy)
Date: Thu, 08 Sep 2005 19:11:31 +0200
Subject: Some errors
Message-ID: <1126199492.2871.7.camel@bureau.maison>

I see a lot of strange messages from audit when my pc stops, I think
this is related to this: in /var/log/audit/audit.log I find these
messages:

type=SELINUX_ERR msg=audit(1126197472.980:4): SELinux: unrecognized netlink message type=1009 for sclass=49
type=SELINUX_ERR msg=audit(1126197473.080:5): SELinux: unrecognized netlink message type=1009 for sclass=49

Is it not possible to add the date and the time to the audit.log lines?

Thanks

-- 
Eric Tanguy | Nantes, France
Key : A4B8368F | Key Server : subkeys.pgp.net
Fedora Core release 4 (Stentz) on athlon, kernel 2.6.12-1.1447_FC4

From: paul at city-fan.org (Paul Howarth)
Date: Thu, 08 Sep 2005 19:06:27 +0100
Subject: Some errors
In-Reply-To: <1126199492.2871.7.camel@bureau.maison>
References: <1126199492.2871.7.camel@bureau.maison>
Message-ID: <43207DA3.6040305@city-fan.org>

Eric Tanguy wrote:
> I see a lot of strange messages from audit when my pc stops, I think
> this is related to this:
> in /var/log/audit/audit.log I find these messages:
> type=SELINUX_ERR msg=audit(1126197472.980:4): SELinux: unrecognized
> netlink message type=1009 for sclass=49
> type=SELINUX_ERR msg=audit(1126197473.080:5): SELinux: unrecognized
> netlink message type=1009 for sclass=49
> Is it not possible to add the date and the time to the audit.log lines?

Try:

# ausearch -a 4

You may find the output of that more useful. See "man ausearch" for more
details.

Paul.
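The httpd/dav denials earlier in this archive and the question above about dates in audit.log are both about reading raw audit records by hand. The following Python is an added example, not code from the thread or from the audit tools: it parses records like the ones quoted above (the constructed sample below is built from them), groups them by audit event id, renders the epoch timestamp as a date (what ausearch does for you), pairs each AVC denial with the PATH record of the same event, and aggregates denials into the allow-rule shape audit2allow would print. All function names are this example's own.

```python
"""Parse raw SELinux audit records like the ones quoted in this thread.

Added example, not part of the mailing-list thread and not the audit tools'
own code. Records are grouped by audit event id (the "timestamp:serial"
inside msg=audit(...)), timestamps are rendered as UTC dates, AVC denials
are paired with the PATH record of the same event, and denials are
aggregated into (source type, target type, class) -> permissions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input: records quoted in the thread, one record per line.
SAMPLE_LOG = """\
type=AVC msg=audit(1126183941.896:260): avc: denied { write } for pid=20312 comm="httpd" name="dav" dev=hda7 ino=1011845 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1126183941.896:260): avc: denied { add_name } for pid=20312 comm="httpd" name="a" scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=SYSCALL msg=audit(1126183941.896:260): arch=40000003 syscall=5 success=yes exit=14 pid=20312 auid=4294967295 uid=48 comm="httpd" exe="/usr/sbin/httpd"
type=PATH msg=audit(1126183941.896:260): item=0 name="/var/www/html/dav/foo" flags=310 inode=1011845 dev=03:07 mode=040775 ouid=500 ogid=48 rdev=00:00
type=AVC msg=audit( 1126301390.416:17): avc: denied { create } for pid=3106 comm="printconf-tui" name="foomatic" scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:var_t tclass=dir
type=SELINUX_ERR msg=audit(1126197472.980:4): SELinux: unrecognized netlink message type=1009 for sclass=49
"""

# Header shared by every record; "\(\s*" tolerates the stray space seen in mail-wrapped copies.
EVENT_RE = re.compile(r'^type=(?P<type>\S+)\s+msg=audit\(\s*(?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return a dict for one audit record, or None if the line is not one."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    rest = m["rest"]
    if rec["type"] == "AVC":
        a = AVC_RE.match(rest)
        if a:
            rec["verdict"] = a["verdict"]
            rec["perms"] = a["perms"].split()
            rest = a["rest"]
    # Remaining key=value pairs; quoted values are unquoted.
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return rec


def group_events(text):
    """Group records by (timestamp, serial), the audit event id."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[(rec["ts"], rec["serial"])].append(rec)
    return dict(events)


def type_of(context):
    """Type field of a security context (works with or without an MLS range)."""
    return context.split(":")[2]


def summarise(events):
    """One human-readable line per AVC or SELINUX_ERR record, with a real date."""
    lines = []
    for (ts, serial), recs in sorted(events.items()):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        paths = [r["fields"]["name"] for r in recs if r["type"] == "PATH" and "name" in r["fields"]]
        for r in recs:
            f = r["fields"]
            if r["type"] == "AVC":
                lines.append(f"{when} #{serial}: {r['verdict']} {{ {' '.join(r['perms'])} }} "
                             f"{type_of(f['scontext'])} -> {type_of(f['tcontext'])}:{f['tclass']} "
                             f"comm={f.get('comm')} path={paths[0] if paths else f.get('name')}")
            elif r["type"] == "SELINUX_ERR":
                lines.append(f"{when} #{serial}: SELINUX_ERR netlink type={f.get('type')} sclass={f.get('sclass')}")
    return lines


def allow_rules(events):
    """Aggregate denials into (source type, target type, class) -> sorted permissions.
    This is the rule audit2allow would print; whether to add it or to relabel the
    target instead (as the httpd/dav thread did with chcon) is still a policy decision."""
    needed = defaultdict(set)
    for recs in events.values():
        for r in recs:
            if r["type"] == "AVC" and r.get("verdict") == "denied":
                f = r["fields"]
                needed[(type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in needed.items()}


def format_allow_rules(events):
    """Render the aggregated denials in policy syntax, one rule per line."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(allow_rules(events).items())]


if __name__ == "__main__":
    ev = group_events(SAMPLE_LOG)
    print("\n".join(summarise(ev)))
    print("\n".join(format_allow_rules(ev)))
```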
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 09 Sep 2005 07:44:51 +0100
Subject: selinux-policy-targeted 1.25.4-10 and dovecot
In-Reply-To: <43206E09.9030407@redhat.com>
References: <431474F3.9030101@city-fan.org> <43205158.3030803@city-fan.org> <43206E09.9030407@redhat.com>
Message-ID: <1126248292.11436.182.camel@laurel.intra.city-fan.org>

On Thu, 2005-09-08 at 12:59 -0400, Daniel J Walsh wrote:
> Paul Howarth wrote:
>
> > Paul Howarth wrote:
> >
> >> I notice in the changelog that a recent change was:
> >>
> >> * Wed Aug 17 2005 Dan Walsh 1.25.4-4
> >> - Add more access for amanda
> >> - Allow dovecot to create files in mail_spool_t
> >>
> >> Having installed the updated policy this morning, I found I had to
> >> add a local rule:
> >>
> >> allow dovecot_t mail_spool_t:file write;
> >>
> >> This is needed to allow dovecot to delete mail from the mail spool
> >> file (I use dovecot in pop3 mode). I'm surprised this wasn't the
> >> default - is there a good reason why it isn't?
> >>
> >> Cheers, Paul.
> >>
> >> P.S. there is still a problem with pptp - in pppd.fc
> >>
> >> # Fix pptp sockets
> >> /var/run/pptp(/.*)? -- system_u:object_r:pptp_var_run_t
> >>
> >> should read:
> >>
> >> # Fix pptp sockets
> >> /var/run/pptp(/.*)? system_u:object_r:pptp_var_run_t
> >>
> >> because /var/run/pptp is a directory and the items in that directory
> >> should be sockets, not regular files.
> >
> >
> > I guess I should bugzilla these...
> >
> > One bug, or two?
> >
> > Paul.
>
> try 1.25.4-10.1 I think it fixes all of these.

Yes it does; thanks.

(it's in updates-testing:
# yum --enablerepo=updates-testing update selinux-policy-targeted-sources)

Paul.

-- 
Paul Howarth
From: malejandra.castillo at gmail.com (Ma. Alejandra Castillo)
Date: Fri, 9 Sep 2005 12:24:18 -0400
Subject: unconfined_t
Message-ID: <25a49afb050909092423c12b73@mail.gmail.com>

Dear all,

I have a question for you. When I execute the command id -Z, for example:

id -Z for the user root I obtain this output
root:system_r:unconfined_t
id -Z for the user mai
user_u:system_r:unconfined_t

and the same happens with all the users that I have created.

Why does it appear as unconfined_t??
How can I change this?

Regards
-- 
Ma. Alejandra Castillo M.

From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 09 Sep 2005 12:26:21 -0400
Subject: unconfined_t
In-Reply-To: <25a49afb050909092423c12b73@mail.gmail.com>
References: <25a49afb050909092423c12b73@mail.gmail.com>
Message-ID: <1126283181.15065.120.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-09 at 12:24 -0400, Ma. Alejandra Castillo wrote:
>
> Dear all,
>
> I have a question for you. When I execute the command id -Z, for
> example:
>
> id -Z for the user root I obtain this output
> root:system_r:unconfined_t
> id -Z for the user mai
> user_u:system_r:unconfined_t
>
> and the same happens with all the users that I have created.
>
> Why does it appear as unconfined_t??
> How can I change this?

By default, Fedora uses a "targeted" policy that only confines specific
daemons and not users. The original policy (called "strict") is also
available as an option, but you have to install it and switch over to it.
See the Fedora SELinux FAQ, http://fedora.redhat.com/docs/selinux-faq-fc3/

-- 
Stephen Smalley
National Security Agency
From: tmerritt at email.arizona.edu (Todd Merritt)
Date: Fri, 09 Sep 2005 09:33:13 -0700
Subject: disable setenforce
Message-ID: <1126283594.20003.17.camel@hive.ccit.arizona.edu>

I can't find where I read this now, could somebody please tell me what I
need to add/remove from the strict policy to disallow running of the
setenforce command (but still allow changing enforcement mode via
rebooting)?

Thanks,
Todd
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 09 Sep 2005 12:41:30 -0400
Subject: disable setenforce
In-Reply-To: <1126283594.20003.17.camel@hive.ccit.arizona.edu>
References: <1126283594.20003.17.camel@hive.ccit.arizona.edu>
Message-ID: <1126284090.15065.126.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-09 at 09:33 -0700, Todd Merritt wrote:
> I can't find where I read this now, could somebody please tell me what I
> need to add/remove from the strict policy to disallow running of the
> setenforce command (but still allow changing enforcement mode via
> rebooting)?

Typically, the can_setenforce() macro defined in macros/core_macros.te is
used in the policy to allow processes to change /selinux/enforce (which is
how setenforce works). It is used in macros/admin_macros.te to allow
administrators to do it, and in domains/program/initrc.te to allow
/etc/rc.d/rc.sysinit to do it for emergency recovery situations. So you
could remove its individual occurrences or change the macro definition to
expand to nothing. You likely also would want to modify the
unconfined_domain definition and update the assertion in assert.te to
check that it isn't granted anywhere else.

Naturally, the problem then becomes dealing with policy updates after
making such a customization, so you might want to consider implementing
this as a policy boolean or tunable and submitting it for inclusion in the
standard policy. That would let you disable it easily without having to
make invasive changes to the policy.

-- 
Stephen Smalley
National Security Agency
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 09 Sep 2005 12:53:44 -0400
Subject: disable setenforce
In-Reply-To: <1126283594.20003.17.camel@hive.ccit.arizona.edu>
References: <1126283594.20003.17.camel@hive.ccit.arizona.edu>
Message-ID: <1126284824.15065.129.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-09 at 09:33 -0700, Todd Merritt wrote:
> I can't find where I read this now, could somebody please tell me what I
> need to add/remove from the strict policy to disallow running of the
> setenforce command (but still allow changing enforcement mode via
> rebooting)?

BTW, if you are going to do that, I assume you also want to remove the
ability to reload policy after the initial load? Although that has
implications for policy updates...

-- 
Stephen Smalley
National Security Agency

From: tmerritt at email.arizona.edu (Todd Merritt)
Date: Fri, 09 Sep 2005 10:18:35 -0700
Subject: disable setenforce
In-Reply-To: <1126284824.15065.129.camel@moss-spartans.epoch.ncsc.mil>
References: <1126283594.20003.17.camel@hive.ccit.arizona.edu> <1126284824.15065.129.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1126286315.21068.4.camel@hive.ccit.arizona.edu>

On Fri, 2005-09-09 at 12:53 -0400, Stephen Smalley wrote:
> On Fri, 2005-09-09 at 09:33 -0700, Todd Merritt wrote:
> > I can't find where I read this now, could somebody please tell me what I
> > need to add/remove from the strict policy to disallow running of the
> > setenforce command (but still allow changing enforcement mode via
> > rebooting)?
>
> BTW, if you are going to do that, I assume you also want to remove the
> ability to reload policy after the initial load? Although that has
> implications for policy updates...
>

I hadn't thought of that. There's no point closing the window and leaving
the door open, but that may be more hoops than I care to jump through for
this application.
From: latten at austin.ibm.com (Joy Latten)
Date: Fri, 09 Sep 2005 16:38:35 -0500
Subject: problem booting a 2.6.13 kernel with selinux enabled
Message-ID: <1126301915.2618.88.camel@faith.austin.ibm.com>

I have installed Fedora Core 4 on my machine with selinux enabled
and have followed the instructions to enable MLS. Both are working.

I have compiled a 2.6.13 kernel from kernel.org with selinux enabled in
my kernel. However, I am unable to boot into my 2.6.13 kernel.
When I disable selinux (selinux=0) or set (enforcing=0) my kernel
boots up ok. When I boot into my 2.6.13 kernel with selinux enabled, the
boot hangs after the SELinux initializations and at the point I believe
udev is supposed to get started.

When I tried booting into my 2.6.13 kernel with "enforcing=0 single"
and did a restorecon /etc/mtab, then did a setenforce 1 to switch to
enforcing mode and exited the single user shell to come up in multi-user
mode, it worked. I am sure I am stepping around something. :-)
(These steps are similar to those in README.mls instructions.) I did get
a bunch of the following messages from "dmesg" though:

audit(1126300655.450:2839259): avc: denied { search } for pid=2199
comm="klogd" name="/" dev=tmpfs ino=1168
scontext=system_u:system_r:klogd_t:s0-s9:c0.c127
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

I do not understand but am very curious to know why I cannot boot
straight into my 2.6.13 kernel? Does 2.6.13 introduce some changes?

A colleague experienced a similar problem. Has anyone else experienced
this problem or can explain to me what is happening?

Thanks!

Joy Latten
From: selinux at gmail.com (Tom London)
Date: Fri, 9 Sep 2005 15:40:22 -0700
Subject: cupsd: minor nit
Message-ID: <4c4ba15305090915403775bf04@mail.gmail.com>

Running targeted/enforcing, latest rawhide.

If I 'remove' a USB printer (via 'rmmod usblp') and then reboot,
printconf-tui tries to create the directory /var/cache/foomatic. This
fails with:

type=AVC msg=audit( 1126301390.416:17): avc: denied { create } for pid=3106 comm="printconf-tui" name="foomatic" scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:var_t tclass=dir
type=SYSCALL msg=audit( 1126301390.416:17): arch=40000003 syscall=39 success=no exit=-13 a0=9aefe10 a1=1ed a2=778468 a3=b7345a2c items=1 pid=3106 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="printconf-tui" exe="/usr/bin/python"
type=CWD msg=audit(1126301390.416:17): cwd="/"
type=PATH msg=audit(1126301390.416:17): item=0 name="/var/cache/foomatic" flags=10 inode=2142136 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00

[This seems 'harmless', since printing appears to work, but ...]

Does this seem correct?

tom

--- /tmp/cups.te 2005-09-09 15:38:31.000000000 -0700 +++ ./cups.te 2005-09-09 14:56:26.000000000 -0700 @@ -240,7 +240,7 @@ rw_dir_create_file(cupsd_config_t, cupsd_etc_t) rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t) file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) -file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file) +file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, { file dir }) allow cupsd_config_t var_t:lnk_file read; can_network_tcp(cupsd_config_t)

-- 
Tom London
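Review bot: the `{ file dir }` widening in the `+file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, { file dir })` line grants more than the quoted denial needs. It lets cupsd_config_t create directories directly under any var_t directory, not only /var/cache/foomatic, and labels a cache directory with the configuration type cupsd_rw_etc_t. Since the report itself calls the failure harmless and printing still works, the narrower fix is for the package to ship /var/cache/foomatic with its own label and leave the transition rule at `file` as it was.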
From: russell at coker.com.au (Russell Coker)
Date: Mon, 12 Sep 2005 16:52:48 +1000
Subject: disable setenforce
In-Reply-To: <1126283594.20003.17.camel@hive.ccit.arizona.edu>
References: <1126283594.20003.17.camel@hive.ccit.arizona.edu>
Message-ID: <200509121652.59242.russell@coker.com.au>

On Saturday 10 September 2005 02:33, Todd Merritt wrote:
> I can't find where I read this now, could somebody please tell me what I
> need to add/remove from the strict policy to disallow running of the
> setenforce command (but still allow changing enforcement mode via
> rebooting)?

I've attached a patch against the latest rawhide policy (which should also
work against the latest FC4 policy).

This patch adds a new boolean named secure_mode_policyload to cover loading
policy, setting boolean states, and setting enforcing mode. It also adds a
new boolean named secure_mode_insmod to control module loading.

NB: Setting secure_mode_policyload to default to 1 at boot time will work,
but that means policy can only be loaded once at boot (should be able to
install new policy and reboot the machine though). Setting
secure_mode_insmod at boot will probably make the boot process fail for all
non-trivial machines; the initial values of booleans are set before modules
for devices such as Ethernet cards. Setting secure_mode_insmod after the
boot process is completed might be a good idea if you have no plans to use
USB or Cardbus/PCMCIA; there have been exploits which relied on the ability
to trick the system into loading modules (e.g. the ptrace exploit).

We could probably do with more work in this area, but the patch I have
attached works reasonably well and adds usefully to the secure_mode
functionality so I believe it's worthy of inclusion.
-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-diff
Size: 1564 bytes
Desc: not available

From: russell at coker.com.au (Russell Coker)
Date: Mon, 12 Sep 2005 18:15:26 +1000
Subject: cupsd: minor nit
In-Reply-To: <4c4ba15305090915403775bf04@mail.gmail.com>
References: <4c4ba15305090915403775bf04@mail.gmail.com>
Message-ID: <200509121815.33821.russell@coker.com.au>

On Saturday 10 September 2005 08:40, Tom London wrote:
> Running targeted/enforcing, latest rawhide.
>
> If I 'remove' a USB printer (via 'rmmod usblp') and then reboot,
> printconf-tui tries to create the directory /var/cache/foomatic. This fails
> with:
>
> [This seems 'harmless', since printing appears to work, but ...]

If there is no functionality lost through not allowing this then I don't
think it's a good idea to allow it.

Why is the directory being created? If the directory in question deserves
to exist then should it be created by the package and therefore have no
need for the printconf-tui program to create it?
From: twaugh at redhat.com (Tim Waugh)
Date: Mon, 12 Sep 2005 09:51:23 +0000
Subject: cupsd: minor nit
In-Reply-To: <200509121815.33821.russell@coker.com.au>
References: <4c4ba15305090915403775bf04@mail.gmail.com> <200509121815.33821.russell@coker.com.au>
Message-ID: <20050912095123.GG7718@redhat.com>

On Mon, Sep 12, 2005 at 06:15:26PM +1000, Russell Coker wrote:
> Why is the directory being created? If the directory in question
> deserves to exist then should it be created by the package and
> therefore have no need for the printconf-tui program to create it?

It is created to cache some information which otherwise is read from
the XML files in /usr/share/foomatic/db. The cache file is to speed
up the process.

Even if the directory exists, the file will need to be created.

Tim.
From: russell at coker.com.au (Russell Coker)
Date: Mon, 12 Sep 2005 20:17:38 +1000
Subject: cupsd: minor nit
In-Reply-To: <20050912095123.GG7718@redhat.com>
References: <4c4ba15305090915403775bf04@mail.gmail.com> <200509121815.33821.russell@coker.com.au> <20050912095123.GG7718@redhat.com>
Message-ID: <200509122017.47231.russell@coker.com.au>

On Monday 12 September 2005 19:51, Tim Waugh wrote:
> On Mon, Sep 12, 2005 at 06:15:26PM +1000, Russell Coker wrote:
> > Why is the directory being created? If the directory in question
> > deserves to exist then should it be created by the package and
> > therefore have no need for the printconf-tui program to create it?
>
> It is created to cache some information which otherwise is read from
> the XML files in /usr/share/foomatic/db. The cache file is to speed
> up the process.
>
> Even if the directory exists, the file will need to be created.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168085

I've submitted the above bugzilla requesting that the package provide this
directory. Tom, please review it and make any comments you consider
appropriate.
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 12 Sep 2005 08:21:56 -0400
Subject: problem booting a 2.6.13 kernel with selinux enabled
In-Reply-To: <1126301915.2618.88.camel@faith.austin.ibm.com>
References: <1126301915.2618.88.camel@faith.austin.ibm.com>
Message-ID: <1126527716.2999.11.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-09 at 16:38 -0500, Joy Latten wrote:
> I have installed Fedora Core 4 on my machine with selinux enabled
> and have followed the instructions to enable MLS. Both are working.
>
> I have compiled a 2.6.13 kernel from kernel.org with selinux enabled in
> my kernel. However, I am unable to boot into my 2.6.13 kernel.
> When I disable selinux (selinux=0) or set (enforcing=0) my kernel
> boots up ok. When I boot into my 2.6.13 kernel with selinux enabled, the
> boot hangs after the SELinux initializations and at the point I believe
> udev is supposed to get started.
>
> When I tried booting into my 2.6.13 kernel with "enforcing=0 single"
> and did a restorecon /etc/mtab, then did a setenforce 1 to switch to
> enforcing mode and exited the single user shell to come up in multi-user
> mode, it worked. I am sure I am stepping around something. :-)
> (These steps are similar to those in README.mls instructions.) I did get
> a bunch of the following messages from "dmesg"
> though:
>
> audit(1126300655.450:2839259): avc: denied { search } for pid=2199
> comm="klogd" name="/" dev=tmpfs ino=1168
> scontext=system_u:system_r:klogd_t:s0-s9:c0.c127
> tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
>
> I do not understand but am very curious to know why I cannot boot
> straight into my 2.6.13 kernel? Does 2.6.13 introduce some changes?
>
> A colleague experienced a similar problem. Has anyone else experienced
> this problem or can explain to me what is happening?

Sounds like you didn't enable the tmpfs security labeling support in
your kernel .config (CONFIG_TMPFS_SECURITY).
That would prevent setting/getting security labels on the tmpfs /dev
managed by udev, and thus /dev would be inaccessible to most processes.

-- 
Stephen Smalley
National Security Agency

From: selinux at gmail.com (Tom London)
Date: Mon, 12 Sep 2005 06:29:17 -0700
Subject: cupsd: minor nit
In-Reply-To: <200509122017.47231.russell@coker.com.au>
References: <4c4ba15305090915403775bf04@mail.gmail.com> <200509121815.33821.russell@coker.com.au> <20050912095123.GG7718@redhat.com> <200509122017.47231.russell@coker.com.au>
Message-ID: <4c4ba15305091206297f4ef5cf@mail.gmail.com>

On 9/12/05, Russell Coker wrote:
>
> On Monday 12 September 2005 19:51, Tim Waugh wrote:
> > On Mon, Sep 12, 2005 at 06:15:26PM +1000, Russell Coker wrote:
> > > Why is the directory being created? If the directory in question
> > > deserves to exist then should it be created by the package and
> > > therefore have no need for the printconf-tui program to create it?
> >
> > It is created to cache some information which otherwise is read from
> > the XML files in /usr/share/foomatic/db. The cache file is to speed
> > up the process.
> >
> > Even if the directory exists, the file will need to be created.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168085
>
> I've submitted the above bugzilla requesting that the package provide this
> directory. Tom, please review it and make any comments you consider
> appropriate.

The fix posted there is much better.

Are there more services like this that we should review for
directory-create in /var and other places? Will polyinstantiation help
clean this up?

tom

-- 
Tom London
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 12 Sep 2005 10:12:47 -0400
Subject: problem booting a 2.6.13 kernel with selinux enabled
In-Reply-To: <1126527716.2999.11.camel@moss-spartans.epoch.ncsc.mil>
References: <1126301915.2618.88.camel@faith.austin.ibm.com> <1126527716.2999.11.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1126534367.2999.83.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-09-12 at 08:21 -0400, Stephen Smalley wrote:
> Sounds like you didn't enable the tmpfs security labeling support in
> your kernel .config (CONFIG_TMPFS_SECURITY). That would prevent
> setting/getting security labels on the tmpfs /dev managed by udev, and
> thus /dev would be inaccessible to most processes.

BTW, 2.6.13-git11 obsoletes this option and the DEVPTS_FS_SECURITY option,
as it includes the generic VFS fallback for security attributes.

-- 
Stephen Smalley
National Security Agency
From: russell at coker.com.au (Russell Coker)
Date: Tue, 13 Sep 2005 00:19:55 +1000
Subject: cupsd: minor nit
In-Reply-To: <4c4ba15305091206297f4ef5cf@mail.gmail.com>
References: <4c4ba15305090915403775bf04@mail.gmail.com> <200509122017.47231.russell@coker.com.au> <4c4ba15305091206297f4ef5cf@mail.gmail.com>
Message-ID: <200509130020.04326.russell@coker.com.au>

On Monday 12 September 2005 23:29, Tom London wrote:
> > > It is created to cache some information which otherwise is read from
> > > the XML files in /usr/share/foomatic/db. The cache file is to speed
> > > up the process.
> > >
> > > Even if the directory exists, the file will need to be created.
> >
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168085
> >
> > I've submitted the above bugzilla requesting that the package provide
> > this directory. Tom, please review it and make any comments you consider
> > appropriate.
>
> The fix posted there is much better.
>
> Are there more services like this that we should review for
> directory-create in /var and other places? Will polyinstantiation help
> clean this up?

There are probably other services with the same issues.

PI will not help at all. The absolute last thing I want to see is multiple
PI versions of /var which will cause all sorts of problems for
communications between daemons (think about /var/log and /var/run, and I'm
sure that some daemons mess with other daemons' files under /var/cache).

I don't believe that there is any need for PI for anything other than files
and directories created by regular users. That means /tmp and a possibility
of home directories for different levels with MLS. I'm sure that someone
will disagree however and I am waiting for email debating this point.
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 12 Sep 2005 11:00:35 -0400
Subject: disable setenforce
In-Reply-To: <200509121652.59242.russell@coker.com.au>
References: <1126283594.20003.17.camel@hive.ccit.arizona.edu> <200509121652.59242.russell@coker.com.au>
Message-ID: <1126537235.2999.88.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-09-12 at 16:52 +1000, Russell Coker wrote:
> I've attached a patch against the latest rawhide policy (which should also
> work against the latest FC4 policy).
>
> This patch adds a new boolean named secure_mode_policyload to cover loading
> policy, setting boolean states, and setting enforcing mode. It also adds a
> new boolean named secure_mode_insmod to control module loading.
>
> NB: Setting secure_mode_policyload to default to 1 at boot time will work,
> but that means policy can only be loaded once at boot (should be able to
> install new policy and reboot the machine though). Setting
> secure_mode_insmod at boot will probably make the boot process fail for all
> non-trivial machines; the initial values of booleans are set before modules
> for devices such as Ethernet cards. Setting secure_mode_insmod after the
> boot process is completed might be a good idea if you have no plans to use
> USB or Cardbus/PCMCIA; there have been exploits which relied on the ability
> to trick the system into loading modules (e.g. the ptrace exploit).

Did you attach the wrong patch? The one you sent doesn't define new
booleans; it just wraps additional rules with the existing secure_mode
boolean.

-- 
Stephen Smalley
National Security Agency
From: selinux at gmail.com (Tom London)
Date: Mon, 12 Sep 2005 08:30:37 -0700
Subject: cupsd: minor nit
In-Reply-To: <200509130020.04326.russell@coker.com.au>
References: <4c4ba15305090915403775bf04@mail.gmail.com> <200509122017.47231.russell@coker.com.au> <4c4ba15305091206297f4ef5cf@mail.gmail.com> <200509130020.04326.russell@coker.com.au>
Message-ID: <4c4ba153050912083024fa5132@mail.gmail.com>

On 9/12/05, Russell Coker wrote:
>
> There are probably other services with the same issues.
>
> PI will not help at all. The absolute last thing I want to see is multiple
> PI versions of /var which will cause all sorts of problems for
> communications between daemons (think about /var/log and /var/run, and I'm
> sure that some daemons mess with other daemons' files under /var/cache).
>
> I don't believe that there is any need for PI for anything other than
> files and directories created by regular users. That means /tmp and a
> possibility of home directories for different levels with MLS. I'm sure
> that someone will disagree however and I am waiting for email debating
> this point.
>

OK, so the rubric here is that daemon-like services need to have their
'major' directory entries in places like /var created and labeled by their
package, not created upon startup. This sounds quite reasonable.

So, the normal 'name space' conflicts will likely be detected during
package install.

Do we need to be concerned with possible 'widening' conflicts on such
directories (e.g., two packages wanting to 'own' the same directory, one
with a 'wider' label)?

tom

-- 
Tom London
From: russell at coker.com.au (Russell Coker)
Date: Tue, 13 Sep 2005 08:26:03 +1000
Subject: cupsd: minor nit
In-Reply-To: <4c4ba153050912083024fa5132@mail.gmail.com>
References: <4c4ba15305090915403775bf04@mail.gmail.com> <200509130020.04326.russell@coker.com.au> <4c4ba153050912083024fa5132@mail.gmail.com>
Message-ID: <200509130826.13919.russell@coker.com.au>

Thread taken from fedora-selinux-list to fedora-devel-list for a wider
audience. The general concept is that a daemon should never create a
directory under /var/cache (or similar non-specific places on the file
system) at run-time. If /var/cache/$DAEMON is needed then the package of
$DAEMON should provide that directory. This prevents the possible problem
of name conflicts and allows more restrictive SE Linux access control
(preventing a compromised daemon from performing a trivial DOS attack on
other daemons).

On Tuesday 13 September 2005 01:30, Tom London wrote:
> OK, so the rubric here is that daemon-like services need to have their
> 'major' directory entries in places like /var created and labeled by their
> package, not created upon startup. This sounds quite reasonable.

Yes, that's my idea.

> So, the normal 'name space' conflicts will likely be detected during
> package install.

One of several benefits of it.

> Do we need to be concerned with possible 'widening' conflicts on such
> directories (e.g., two packages wanting to 'own' the same directory, one
> with a 'wider' label)?

What do you mean "wider"? Do you mean less restrictive permissions? If so
then it certainly would be a problem if two packages desired different
permissions for a single file system object, whether one is a superset of
the other or whether they are disjoint. It is something that we need to be
concerned about, but it will hopefully be rare and we can just fix it when
it occurs.

Detecting and solving such problems is an advantage of my suggestion. When
we have such directories in packages we can easily check for such
conflicts.
At the moment I suspect that such daemon behavior is not uncommon and don't know in what situations it may potentially bite us. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page From selinux at gmail.com Tue Sep 13 14:36:42 2005 
From: selinux at gmail.com (Tom London) Date: Tue, 13 Sep 2005 07:36:42 -0700 Subject: cupsd: minor nit In-Reply-To: <200509130826.13919.russell@coker.com.au> References: <4c4ba15305090915403775bf04@mail.gmail.com> <200509130020.04326.russell@coker.com.au> <4c4ba153050912083024fa5132@mail.gmail.com> <200509130826.13919.russell@coker.com.au> Message-ID: <4c4ba15305091307366c72b1c1@mail.gmail.com> On 9/12/05, Russell Coker wrote: > Thread taken from fedora-selinux-list to fedora-devel-list for a wider > audience. The general concept is that a daemon should never create a > directory under /var/cache (or similar non-specific places on the file > system) at run-time. If /var/cache/$DAEMON is needed then the package of > $DAEMON should provide that directory. This prevents the possible problem of > name conflicts and allows more restrictive SE Linux access control > (preventing a compromised daemon from performing a trivial DOS attack on > other daemons). > > On Tuesday 13 September 2005 01:30, Tom London wrote: > > OK, so the rubric here is that daemon-like services need to have their > > 'major' directory entries in places like /var created and labeled by their > > package, not created upon startup. This sounds quite reasonable. > > Yes, that's my idea. > > > So, the normal 'name space' conflicts will likely be detected during > > package install. > > One of several benefits of it. > > > Do we need to be concerned with possible 'widening' conflicts on such > > directories (e.g., two packages wanting to 'own' the same directory, one > > with a 'wider' label)? > > What do you mean "wider"? Do you mean less restrictive permissions? If so > then it certainly would be a problem if two packages desired different > permissions for a single file system object, whether one is a superset of the > other or whether they are disjoint. It is something that we need to be > concerned about, but it will hopefully be rare and we can just fix it when it > occurs. 
> > Detecting and solving such problems is an advantage of my suggestion. When we > have such directories in packages we can easily check for such conflicts. At > the moment I suspect that such daemon behavior is not uncommon and don't know > in what situations it may potentially bite us. > What I'm concerned about are situations (like, e.g., /usr/lib/mozilla) where two packages (e.g., mozplugger and firefox, on my machine) seem to 'provide' the same directory (at least as reported by 'rpm -qif /usr/lib/mozilla'). In such a case, if 'the first to install' package created the directory with a less restrictive context (or some such), would we have a chance for a problem? Do we need some way to coordinate/check this? tom -- Tom London From selinux at gmail.com Tue Sep 13 17:44:46 2005 From: selinux at gmail.com (Tom London) Date: Tue, 13 Sep 2005 10:44:46 -0700 Subject: Latest rawhide: lots of 'type' errors. No graphical login Message-ID: <4c4ba1530509131044138d2660@mail.gmail.com> Running targeted/enforcing, latest rawhide. Today's updates broke lots. Booting hangs with many messages about 'invalid type' from file-contexts, etc. Anyone seeing this or did I break something? tom -- Tom London From sds at tycho.nsa.gov Tue Sep 13 18:11:13 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 13 Sep 2005 14:11:13 -0400 Subject: Latest rawhide: lots of 'type' errors. No graphical login In-Reply-To: <4c4ba1530509131044138d2660@mail.gmail.com> References: <4c4ba1530509131044138d2660@mail.gmail.com> Message-ID: <1126635073.29303.173.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2005-09-13 at 10:44 -0700, Tom London wrote: > Running targeted/enforcing, latest rawhide. > > Today's updates broke lots. Booting hangs with many messages about > 'invalid type' from file-contexts, etc. > > Anyone seeing this or did I break something? Looks like libselinux is broken. And in such a manner that it is looking in /etc/selinux/targeted regardless of what /etc/selinux/config says; I am getting similar errors on the _targeted_ file_contexts file on a machine that is supposed to be using strict policy after updating just now. Dan? -- Stephen Smalley National Security Agency From selinux at gmail.com Tue Sep 13 18:19:20 2005 
From: selinux at gmail.com (Tom London) Date: Tue, 13 Sep 2005 11:19:20 -0700 Subject: Latest rawhide: lots of 'type' errors. No graphical login In-Reply-To: <1126635073.29303.173.camel@moss-spartans.epoch.ncsc.mil> References: <4c4ba1530509131044138d2660@mail.gmail.com> <1126635073.29303.173.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4c4ba15305091311195ebbcc9e@mail.gmail.com> On 9/13/05, Stephen Smalley wrote: > On Tue, 2005-09-13 at 10:44 -0700, Tom London wrote: > > Running targeted/enforcing, latest rawhide. > > > > Today's updates broke lots. Booting hangs with many messages about > > 'invalid type' from file-contexts, etc. > > > > Anyone seeing this or did I break something? > > Looks like libselinux is broken. And in such a manner that it is > looking in /etc/selinux/targeted regardless of what /etc/selinux/config > says; I am getting similar errors on the _targeted_ file_contexts file > on a machine that is supposed to be using strict policy after updating > just now. Dan? > Will backing out the latest libselinux fix? (the only way I could get 'up and running' was to boot with 'selinux=0'). tom -- Tom London From sds at tycho.nsa.gov Tue Sep 13 18:21:00 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 13 Sep 2005 14:21:00 -0400 Subject: Latest rawhide: lots of 'type' errors. No graphical login In-Reply-To: <1126635073.29303.173.camel@moss-spartans.epoch.ncsc.mil> References: <4c4ba1530509131044138d2660@mail.gmail.com> <1126635073.29303.173.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1126635660.29303.178.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2005-09-13 at 14:11 -0400, Stephen Smalley wrote: > On Tue, 2005-09-13 at 10:44 -0700, Tom London wrote: > > Running targeted/enforcing, latest rawhide. > > > > Today's updates broke lots. Booting hangs with many messages about > > 'invalid type' from file-contexts, etc. > > > > Anyone seeing this or did I break something? > > Looks like libselinux is broken. And in such a manner that it is > looking in /etc/selinux/targeted regardless of what /etc/selinux/config > says; I am getting similar errors on the _targeted_ file_contexts file > on a machine that is supposed to be using strict policy after updating > just now. Dan? Just to confirm, reverting to the upstream libselinux 1.26 (not the patched one in Fedora) makes the system work again for me. Looks like there are two problems, one with respect to getting the policy type and one with respect to context validation (the latter likely related to libsetrans). -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Tue Sep 13 18:23:44 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 13 Sep 2005 14:23:44 -0400 Subject: Latest rawhide: lots of 'type' errors. No graphical login In-Reply-To: <4c4ba15305091311195ebbcc9e@mail.gmail.com> References: <4c4ba1530509131044138d2660@mail.gmail.com> <1126635073.29303.173.camel@moss-spartans.epoch.ncsc.mil> <4c4ba15305091311195ebbcc9e@mail.gmail.com> Message-ID: <1126635824.29303.182.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2005-09-13 at 11:19 -0700, Tom London wrote: > Will backing out the latest libselinux fix? (the only way I could get > 'up and running' was to boot with 'selinux=0'). It should. I booted single-user with enforcing=0 and then installed the upstream libselinux 1.26 from our cvs, and it worked fine. The Fedora CVS tree has a patch that affects getting the policy type (which seems to be broken, as it is always returning targeted even when /etc/selinux/config says strict) and that calls the new libsetrans (which is likely breaking the context validation). -- Stephen Smalley National Security Agency From selinux at gmail.com Tue Sep 13 18:53:10 2005 
From: selinux at gmail.com (Tom London) Date: Tue, 13 Sep 2005 11:53:10 -0700 Subject: Latest rawhide: lots of 'type' errors. No graphical login In-Reply-To: <1126635824.29303.182.camel@moss-spartans.epoch.ncsc.mil> References: <4c4ba1530509131044138d2660@mail.gmail.com> <1126635073.29303.173.camel@moss-spartans.epoch.ncsc.mil> <4c4ba15305091311195ebbcc9e@mail.gmail.com> <1126635824.29303.182.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4c4ba153050913115373bc406a@mail.gmail.com> On 9/13/05, Stephen Smalley wrote: > On Tue, 2005-09-13 at 11:19 -0700, Tom London wrote: > > Will backing out the latest libselinux fix? (the only way I could get > > 'up and running' was to boot with 'selinux=0'). > > It should. I booted single-user with enforcing=0 and then installed the > upstream libselinux 1.26 from our cvs, and it worked fine. The Fedora CVS > tree has a patch that affects getting the policy type (which seems to be > broken, as it is always returning targeted even when /etc/selinux/config > says strict) and that calls the new libsetrans (which is likely breaking > the context validation). > I did 'rpm -Uvh --oldpackage libselinux*-1.25.7-1*' and rebooted. This appears to 'repair' it: all appears healthy. Two comments: 1. During reboot, the system detected the need to relabel 'automagically'. The relabel completed smoothly and the system booted normally. 2. This is the first relabel I have had to do in many, many, many months. Allow me to present well-deserved kudos to the SELinux/FC team. Notably impressed, tom -- Tom London From dwalsh at redhat.com Tue Sep 13 20:10:04 2005 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 13 Sep 2005 16:10:04 -0400 Subject: Latest rawhide: lots of 'type' errors. No graphical login In-Reply-To: <1126635660.29303.178.camel@moss-spartans.epoch.ncsc.mil> References: <4c4ba1530509131044138d2660@mail.gmail.com> <1126635073.29303.173.camel@moss-spartans.epoch.ncsc.mil> <1126635660.29303.178.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4327321C.9080206@redhat.com> Stephen Smalley wrote: >On Tue, 2005-09-13 at 14:11 -0400, Stephen Smalley wrote: > > >>On Tue, 2005-09-13 at 10:44 -0700, Tom London wrote: >> >> >>>Running targeted/enforcing, latest rawhide. >>> >>>Today's updates broke lots. Booting hangs with many messages about >>>'invalid type' from file-contexts, etc. >>> >>>Anyone seeing this or did I break something? >>> >>> >>Looks like libselinux is broken. And in such a manner that it is >>looking in /etc/selinux/targeted regardless of what /etc/selinux/config >>says; I am getting similar errors on the _targeted_ file_contexts file >>on a machine that is supposed to be using strict policy after updating >>just now. Dan? >> >> > >Just to confirm, reverting to the upstream libselinux 1.26 (not the >patched one in Fedora) makes the system work again for me. Looks like >there are two problems, one with respect to getting the policy type and >one with respect to context validation (the latter likely related to >libsetrans). > > > Yes, this is a known problem and the fix will be in tomorrow's rawhide. Waiting for the build machine to complete to update my people page. -- From dwalsh at redhat.com Wed Sep 14 18:21:03 2005 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 14 Sep 2005 14:21:03 -0400 Subject: libselinux should not require libsetrans In-Reply-To: <1126720715.12299.139.camel@moss-spartans.epoch.ncsc.mil> References: <1126720715.12299.139.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <43286A0F.7000409@redhat.com> Stephen Smalley wrote: >Hi, > >In the current Fedora spec file, libselinux has libsetrans as a prereq, >thereby pulling it in on libselinux updates for all users regardless of >policy. However, libsetrans presumes that MCS is enabled and always >appends :s0 to contexts when converting to raw format if they lack it. >This breaks (for example) a system running strict policy, as libselinux >then starts using the MCS-specific libsetrans and it starts >appending :s0 to raw contexts, but the kernel then rejects those >contexts since it does not have an MLS-enabled policy. > >libsetrans is supposed to be optional, with libselinux gracefully >falling back to no translation if it is absent. I can possibly see >making it a dependency of MCS-enabled targeted policy packages, but not >of libselinux. Yes? > > > Yes, for now you can just disable the translation. Edit /etc/mcs.conf and uncomment the disable line. MCS Targeted policy will be available by default in tonight's rawhide. -- From sds at tycho.nsa.gov Wed Sep 14 18:29:06 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 14 Sep 2005 14:29:06 -0400 Subject: libselinux should not require libsetrans In-Reply-To: <43286A0F.7000409@redhat.com> References: <1126720715.12299.139.camel@moss-spartans.epoch.ncsc.mil> <43286A0F.7000409@redhat.com> Message-ID: <1126722546.12299.164.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2005-09-14 at 14:21 -0400, Daniel J Walsh wrote: > Yes, for now you can just disable the translation. Edit /etc/mcs.conf > and uncomment the disable line. MCS Targeted policy will be available by > default in tonight's rawhide. Ok, uncommenting the disable line has restored the system to a working state again. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Wed Sep 14 18:35:16 2005 From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 14 Sep 2005 14:35:16 -0400 Subject: libselinux should not require libsetrans In-Reply-To: <1126722546.12299.164.camel@moss-spartans.epoch.ncsc.mil> References: <1126720715.12299.139.camel@moss-spartans.epoch.ncsc.mil> <43286A0F.7000409@redhat.com> <1126722546.12299.164.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <43286D64.5070109@redhat.com> Stephen Smalley wrote: >On Wed, 2005-09-14 at 14:21 -0400, Daniel J Walsh wrote: > > >>Yes, for now you can just disable the translation. Edit /etc/mcs.conf >>and uncomment the disable line. MCS Targeted policy will be available by >>default in tonight's rawhide. >> >> > >Ok, uncommenting the disable line has restored the system to a working >state again. > > > I am updating the library to disable it if mls is not enabled. -- From sds at tycho.nsa.gov Wed Sep 14 17:58:35 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 14 Sep 2005 13:58:35 -0400 Subject: libselinux should not require libsetrans Message-ID: <1126720715.12299.139.camel@moss-spartans.epoch.ncsc.mil> Hi, In the current Fedora spec file, libselinux has libsetrans as a prereq, thereby pulling it in on libselinux updates for all users regardless of policy. However, libsetrans presumes that MCS is enabled and always appends :s0 to contexts when converting to raw format if they lack it. This breaks (for example) a system running strict policy, as libselinux then starts using the MCS-specific libsetrans and it starts appending :s0 to raw contexts, but the kernel then rejects those contexts since it does not have an MLS-enabled policy. libsetrans is supposed to be optional, with libselinux gracefully falling back to no translation if it is absent. I can possibly see making it a dependency of MCS-enabled targeted policy packages, but not of libselinux. Yes? -- Stephen Smalley National Security Agency From dwalsh at redhat.com Thu Sep 15 02:21:48 2005 
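The failure Stephen describes above, modelled as an added example (this is not libsetrans or libselinux code): a translation layer that presumes MCS and unconditionally appends ":s0" when converting to raw form, beside a version that only engages translation when the kernel reports MLS enabled (the /selinux/mls check mentioned later in the thread) and otherwise passes contexts through untouched. The translation table, the stand-in kernel validator and its list of known types are all constructed for the demonstration.

```python
"""Model of the libsetrans raw-translation problem discussed in this thread.

Added example, not code from libsetrans or libselinux. The translation table,
the MLS flag and the stand-in "kernel" validator are constructed here so the
behaviour can be exercised offline.
"""
from dataclasses import dataclass, field

# Constructed MCS translation table: human-readable category names as an
# MCS setrans configuration would map them onto raw level/category strings.
TRANSLATIONS = {
    "s0": "s0",
    "CompanyConfidential": "s0:c0",
    "PatientRecords": "s0:c1",
}


def _split_context(ctx: str) -> list:
    """Split user:role:type[:level]; the level itself may contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    return parts


@dataclass
class Kernel:
    """Stand-in for the kernel's context validation (constructed).

    A kernel running an MLS/MCS-enabled policy expects exactly one level field
    after user:role:type; a kernel running a non-MLS policy (strict, in the
    thread) rejects any context that carries one.
    """
    mls_enabled: bool
    known_types: set = field(default_factory=lambda: {"user_home_t", "security_t"})

    def validate(self, ctx: str) -> bool:
        parts = _split_context(ctx)
        expected_fields = 4 if self.mls_enabled else 3
        if len(parts) != expected_fields:
            return False
        return parts[2] in self.known_types


def trans_to_raw_buggy(ctx: str) -> str:
    """The behaviour Stephen reports: presume MCS is enabled and always append
    :s0 to a context that lacks a level, whatever policy the kernel runs."""
    parts = _split_context(ctx)
    if len(parts) == 3:
        return ctx + ":s0"
    parts[3] = TRANSLATIONS.get(parts[3], parts[3])
    return ":".join(parts)


def trans_to_raw_fixed(ctx: str, mls_enabled: bool) -> str:
    """Corrected behaviour: translation is only engaged when the kernel has an
    MLS-enabled policy loaded; otherwise the context passes through as-is, which
    is the no-translation fallback libselinux is supposed to have."""
    if not mls_enabled:
        return ctx
    parts = _split_context(ctx)
    if len(parts) == 3:
        return ctx + ":s0"  # default MCS level for a context lacking one
    parts[3] = TRANSLATIONS.get(parts[3], parts[3])
    return ":".join(parts)


def demo(ctx: str, mls_enabled: bool) -> dict:
    """Return whether the kernel accepts the context after each translation."""
    kernel = Kernel(mls_enabled=mls_enabled)
    return {
        "buggy": kernel.validate(trans_to_raw_buggy(ctx)),
        "fixed": kernel.validate(trans_to_raw_fixed(ctx, mls_enabled)),
    }


if __name__ == "__main__":
    # Strict (non-MLS) kernel: the buggy translation yields a context the
    # kernel rejects, the fixed one leaves it valid.
    print("strict:", demo("system_u:object_r:security_t", mls_enabled=False))
    # MCS kernel: both translate the category name and both contexts are valid.
    print("mcs:", demo("user_u:object_r:user_home_t:PatientRecords", mls_enabled=True))
```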
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 14 Sep 2005 22:21:48 -0400 Subject: Introducing Multi-Category Security (MCS) SELinux policy in Rawhide Message-ID: <4328DABC.6040102@redhat.com> Tonight's rawhide updates for selinux-policy-targeted and selinux-policy-strict include MCS. What is MCS? Multi-category Security (MCS) is a discretionary labeling mechanism for SELinux. It allows users to add meaningful security labels to their own files. Only domains with access to these labels will then be able to access the files. Examples of category labels are "Company Confidential", "Intranet Only" and "Patient Records". MCS can only further restrict access to files, after Unix DAC rules and SELinux MAC Type Enforcement rules have been applied. MCS uses much of the Multi-level Security (MLS) technology present in SELinux, but is designed to be simpler and map more readily to general use. The general idea is to provide end users with more control over the security of their own files and help make SELinux more user-oriented. In the future, we expect to make use of category labels in areas such as labeled printing, where the category label is printed on each page. A reboot is required to turn on the MLS/MCS field on policy. The goal was to allow everything to continue working without the reboot. A relabel should not be necessary. Dan -- From selinux at gmail.com Thu Sep 15 15:15:07 2005 
From: selinux at gmail.com (Tom London) Date: Thu, 15 Sep 2005 08:15:07 -0700 Subject: NetworkManager wants security_t:file read... Message-ID: <4c4ba153050915081559ad070b@mail.gmail.com> Running targeted/enforcing, latest rawhide. Get the following from NetworkManager: type=AVC msg=audit(1126796883.544:9): avc: denied { read } for pid=2309 comm="ls" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL msg=audit(1126796883.544:9): arch=40000003 syscall=5 success=no exit=-13 a0=bfac4cf4 a1=8000 a2=0 a3=8000 items=1 pid=2309 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ls" exe="/bin/ls" type=CWD msg=audit(1126796883.544:9): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1126796883.544:9): item=0 name="/selinux/mls" flags=101 inode=12 dev=00:0d mode=0100444 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1126796887.764:10): avc: denied { read } for pid=2578 comm="killall" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL msg=audit(1126796887.764:10): arch=40000003 syscall=5 success=no exit=-13 a0=bfd0c884 a1=8000 a2=0 a3=8000 items=1 pid=2578 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="killall" exe="/usr/bin/killall" type=CWD msg=audit(1126796887.764:10): cwd="/" type=PATH msg=audit(1126796887.764:10): item=0 name="/selinux/mls" flags=101 inode=12 dev=00:0d mode=0100444 ouid=0 ogid=0 rdev=00:00 allow NetworkManager_t security_t:file read; That right? tom -- Tom London From sds at tycho.nsa.gov Thu Sep 15 15:29:48 2005 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 15 Sep 2005 11:29:48 -0400 Subject: NetworkManager wants security_t:file read... In-Reply-To: <4c4ba153050915081559ad070b@mail.gmail.com> References: <4c4ba153050915081559ad070b@mail.gmail.com> Message-ID: <1126798188.10727.101.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2005-09-15 at 08:15 -0700, Tom London wrote: > Running targeted/enforcing, latest rawhide. > > Get the following from NetworkManager: > > type=AVC msg=audit(1126796883.544:9): avc: denied { read } for > pid=2309 comm="ls" name="mls" dev=selinuxfs ino=12 > scontext=system_u:system_r:NetworkManager_t:s0 > tcontext=system_u:object_r:security_t:s0 tclass=file > type=SYSCALL msg=audit(1126796883.544:9): arch=40000003 syscall=5 > success=no exit=-13 a0=bfac4cf4 a1=8000 a2=0 a3=8000 items=1 pid=2309 > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 comm="ls" exe="/bin/ls" > type=CWD msg=audit(1126796883.544:9): cwd="/etc/sysconfig/network-scripts" > type=PATH msg=audit(1126796883.544:9): item=0 name="/selinux/mls" > flags=101 inode=12 dev=00:0d mode=0100444 ouid=0 ogid=0 rdev=00:00 > type=AVC msg=audit(1126796887.764:10): avc: denied { read } for > pid=2578 comm="killall" name="mls" dev=selinuxfs ino=12 > scontext=system_u:system_r:NetworkManager_t:s0 > tcontext=system_u:object_r:security_t:s0 tclass=file > type=SYSCALL msg=audit(1126796887.764:10): arch=40000003 syscall=5 > success=no exit=-13 a0=bfd0c884 a1=8000 a2=0 a3=8000 items=1 pid=2578 > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 comm="killall" exe="/usr/bin/killall" > type=CWD msg=audit(1126796887.764:10): cwd="/" > type=PATH msg=audit(1126796887.764:10): item=0 name="/selinux/mls" > flags=101 inode=12 dev=00:0d mode=0100444 ouid=0 ogid=0 rdev=00:00 > > allow NetworkManager_t security_t:file read; > > That right? 
Should be macro-ized and applied to any domain that needs to get/set a context, as it is really due to libsetrans checking to see whether MLS is enabled during library initialization to decide whether or not to enable context translations. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Thu Sep 15 15:51:49 2005 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 15 Sep 2005 11:51:49 -0400 Subject: NetworkManager wants security_t:file read... In-Reply-To: <1126798188.10727.101.camel@moss-spartans.epoch.ncsc.mil> References: <4c4ba153050915081559ad070b@mail.gmail.com> <1126798188.10727.101.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <43299895.8030503@redhat.com> Stephen Smalley wrote: >On Thu, 2005-09-15 at 08:15 -0700, Tom London wrote: > > >>Running targeted/enforcing, latest rawhide. >> >>Get the following from NetworkManager: >> >>type=AVC msg=audit(1126796883.544:9): avc: denied { read } for >>pid=2309 comm="ls" name="mls" dev=selinuxfs ino=12 >>scontext=system_u:system_r:NetworkManager_t:s0 >>tcontext=system_u:object_r:security_t:s0 tclass=file >>type=SYSCALL msg=audit(1126796883.544:9): arch=40000003 syscall=5 >>success=no exit=-13 a0=bfac4cf4 a1=8000 a2=0 a3=8000 items=1 pid=2309 >>auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 >>fsgid=0 comm="ls" exe="/bin/ls" >>type=CWD msg=audit(1126796883.544:9): cwd="/etc/sysconfig/network-scripts" >>type=PATH msg=audit(1126796883.544:9): item=0 name="/selinux/mls" >>flags=101 inode=12 dev=00:0d mode=0100444 ouid=0 ogid=0 rdev=00:00 >>type=AVC msg=audit(1126796887.764:10): avc: denied { read } for >>pid=2578 comm="killall" name="mls" dev=selinuxfs ino=12 >>scontext=system_u:system_r:NetworkManager_t:s0 >>tcontext=system_u:object_r:security_t:s0 tclass=file >>type=SYSCALL msg=audit(1126796887.764:10): arch=40000003 syscall=5 >>success=no exit=-13 a0=bfd0c884 a1=8000 a2=0 a3=8000 items=1 pid=2578 >>auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 >>fsgid=0 comm="killall" exe="/usr/bin/killall" >>type=CWD msg=audit(1126796887.764:10): cwd="/" >>type=PATH msg=audit(1126796887.764:10): item=0 name="/selinux/mls" >>flags=101 inode=12 dev=00:0d mode=0100444 ouid=0 ogid=0 rdev=00:00 >> >>allow NetworkManager_t security_t:file read; >> >>That right? 
>> >> > >Should be macro-ized and applied to any domain that needs to get/set a >context, as it is really due to libsetrans checking to see whether MLS >is enabled during library initialization to decide whether or not to >enable context translations. > > > dontaudit NetworkManager_t security_t:dir search; Is probably better. -- From malejandra.castillo at gmail.com Thu Sep 15 20:49:23 2005 From: malejandra.castillo at gmail.com (Ma. Alejandra Castillo) Date: Thu, 15 Sep 2005 16:49:23 -0400 Subject: sshd Selinux v/s sshd Selinux disabled ....... Message-ID: <25a49afb050915134960eab5b7@mail.gmail.com> Dear All, A question for you: what are the benefits/advantages of running these specific services: sshd, samba, postgres and vsftpd on an SELinux-enabled system platform, instead of running those services on an SELinux-disabled system platform? Thanks and Rgds. -- Ma. Alejandra Castillo M. From linux_4ever at yahoo.com Thu Sep 15 22:14:59 2005 From: linux_4ever at yahoo.com (Steve G) Date: Thu, 15 Sep 2005 15:14:59 -0700 (PDT) Subject: sshd Selinux v/s sshd Selinux disabled ....... In-Reply-To: <25a49afb050915134960eab5b7@mail.gmail.com> Message-ID: <20050915221459.1051.qmail@web51501.mail.yahoo.com> >what are the benefits/advantages of running these specific services: sshd, samba, postgres and vsftpd >on an SELinux-enabled system platform, These are all network daemons. This means they are subject to possibly malicious traffic. If there is a hole in any of those apps that lets an intruder exploit the app, SE Linux will probably prevent the problem. SE Linux has a basic understanding of the normal syscalls, files and system resources that are used by the app. If it spots abnormal behavior, it can stop it. -Steve From mjs at ces.clemson.edu Thu Sep 15 23:33:43 2005 
From: mjs at ces.clemson.edu (Matthew Saltzman) Date: Thu, 15 Sep 2005 19:33:43 -0400 (EDT) Subject: acpid Message-ID: I have ACPI scripts that are supposed to run when Fn-Fx is pressed (for various values of x). The scripts run fine when invoked from a shell, but they fail when invoked by keypress. For example, /etc/acpi/actions/Fn-F3.sh contains:

#!/bin/sh
if [ -f /var/tmp/acpi-lightoff ]; then
    /usr/sbin/radeontool light on
    /bin/rm /var/tmp/acpi-lightoff
else
    /usr/sbin/radeontool light off
    /bin/touch /var/tmp/acpi-lightoff
fi

When invoked by keypress, I get the following audit messages, and no action is taken (light stays on, no file touched). Should I be doing something different or is there something in selinux-policy-targeted that needs to be fixed? TIA.

type=AVC msg=audit(1126826853.791:2631316): avc: denied { search } for pid=4112 comm="Fn-F3.sh" name="tmp" dev=dm-0 ino=906756 scontext=root:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
type=SYSCALL msg=audit(1126826853.791:2631316): arch=40000003 syscall=195 success=no exit=-13 a0=88fcda0 a1=bfffb488 a2=960ff4 a3=88fce30 items=1 pid=4112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="Fn-F3.sh" exe="/bin/bash"
type=CWD msg=audit(1126826853.791:2631316): cwd="/"
type=PATH msg=audit(1126826853.791:2631316): item=0 name="/var/tmp/acpi-lightoff" flags=1 inode=906756 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1126826853.800:2631748): avc: denied { read } for pid=4114 comm="lspci" name="pci.ids" dev=dm-0 ino=809685 scontext=root:system_r:apmd_t tcontext=system_u:object_r:usr_t tclass=file
type=SYSCALL msg=audit(1126826853.800:2631748): arch=40000003 syscall=5 success=no exit=-13 a0=8054e5c a1=0 a2=fbad8001 a3=0 items=1 pid=4114 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="lspci" exe="/sbin/lspci"
type=CWD msg=audit(1126826853.800:2631748): cwd="/"
type=PATH msg=audit(1126826853.800:2631748): item=0 name="/usr/share/hwdata/pci.ids" flags=101 inode=809685 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1126826853.804:2631869): avc: denied { search } for pid=4115 comm="touch" name="tmp" dev=dm-0 ino=906756 scontext=root:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
type=SYSCALL msg=audit(1126826853.804:2631869): arch=40000003 syscall=5 success=no exit=-13 a0=bfefbf71 a1=8941 a2=1b6 a3=8941 items=1 pid=4115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe="/bin/touch"
type=CWD msg=audit(1126826853.804:2631869): cwd="/"
type=PATH msg=audit(1126826853.804:2631869): item=0 name="/var/tmp/acpi-lightoff" flags=310 inode=906756 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1126826853.804:2631870): avc: denied { search } for pid=4115 comm="touch" name="tmp" dev=dm-0 ino=906756 scontext=root:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
type=SYSCALL msg=audit(1126826853.804:2631870): arch=40000003 syscall=30 success=no exit=-13 a0=bfefbf71 a1=0 a2=804f8bc a3=bfefbf71 items=1 pid=4115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe="/bin/touch"
type=CWD msg=audit(1126826853.804:2631870): cwd="/"
type=PATH msg=audit(1126826853.804:2631870): item=0 name="/var/tmp/acpi-lightoff" flags=1 inode=906756 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00

-- Matthew Saltzman Clemson University Math Sciences mjs AT clemson DOT edu http://www.math.clemson.edu/~mjs From sds at tycho.nsa.gov Fri Sep 16 13:05:28 2005 
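Both the NetworkManager post and the acpid post above reduce AVC records to candidate policy rules by hand. As an added example (not audit2allow or any project's code), here is a small parser that does the same grouping over the AVC lines quoted in those two posts: it collapses denials with the same source type, target type and class into one rule, and, following Stephen's and Dan's exchange about the selinuxfs check, emits a dontaudit candidate rather than an allow for the security_t target. The non-AVC records in the sample log are shortened, and the DONTAUDIT_TARGETS set is an assumption of this example.

```python
"""AVC denial parser that emits candidate policy rules, in the spirit of
audit2allow. Added example, not audit2allow or any project code. The AVC
lines in SAMPLE_LOG are the ones quoted in the NetworkManager and acpid posts;
the accompanying SYSCALL/CWD/PATH records are shortened stand-ins."""
import re
from collections import defaultdict
from dataclasses import dataclass

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: denials against these target types come from
# library initialisation (selinuxfs is labelled security_t, and libsetrans reads
# /selinux/mls at init) rather than from the daemon's own work, so the candidate
# rule is a dontaudit, as Dan suggests, rather than an allow.
DONTAUDIT_TARGETS = {"security_t"}


@dataclass(frozen=True)
class Denial:
    serial: int
    comm: str
    perms: frozenset
    stype: str
    ttype: str
    tclass: str


def _type_of(context: str) -> str:
    """A context is user:role:type[:level]; the type is the third field."""
    return context.split(":")[2]


def parse_avc(log: str) -> list:
    """Return one Denial per type=AVC record; other record types are skipped."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue  # SYSCALL/CWD/PATH records carry no access-vector data
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        denials.append(Denial(
            serial=int(m.group("serial")),
            comm=fields.get("comm", "?"),
            perms=frozenset(m.group("perms").split()),
            stype=_type_of(fields["scontext"]),
            ttype=_type_of(fields["tcontext"]),
            tclass=fields["tclass"],
        ))
    return denials


def group_denials(denials: list) -> dict:
    """Merge denials by (source type, target type, class), collecting the
    permissions requested and the commands that triggered them."""
    grouped = defaultdict(lambda: {"perms": set(), "comms": set()})
    for d in denials:
        g = grouped[(d.stype, d.ttype, d.tclass)]
        g["perms"] |= d.perms
        g["comms"].add(d.comm)
    return grouped


def generate_rules(denials: list) -> list:
    """One candidate rule per group, in policy syntax, sorted for stable output."""
    rules = []
    for (stype, ttype, tclass), g in sorted(group_denials(denials).items()):
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        kind = "dontaudit" if ttype in DONTAUDIT_TARGETS else "allow"
        rules.append(f"{kind} {stype} {ttype}:{tclass} {perm_str};")
    return rules


def commands_for(denials: list) -> dict:
    """Which commands hit each group; useful when deciding whether a rule
    belongs to the daemon or to a helper it execs."""
    return {key: sorted(g["comms"]) for key, g in group_denials(denials).items()}


SAMPLE_LOG = """\
type=AVC msg=audit(1126796883.544:9): avc: denied { read } for pid=2309 comm="ls" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1126796883.544:9): arch=40000003 syscall=5 success=no exit=-13 comm="ls" exe="/bin/ls"
type=PATH msg=audit(1126796883.544:9): item=0 name="/selinux/mls"
type=AVC msg=audit(1126796887.764:10): avc: denied { read } for pid=2578 comm="killall" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1126826853.791:2631316): avc: denied { search } for pid=4112 comm="Fn-F3.sh" name="tmp" dev=dm-0 ino=906756 scontext=root:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
type=CWD msg=audit(1126826853.791:2631316): cwd="/"
type=AVC msg=audit(1126826853.800:2631748): avc: denied { read } for pid=4114 comm="lspci" name="pci.ids" dev=dm-0 ino=809685 scontext=root:system_r:apmd_t tcontext=system_u:object_r:usr_t tclass=file
type=AVC msg=audit(1126826853.804:2631869): avc: denied { search } for pid=4115 comm="touch" name="tmp" dev=dm-0 ino=906756 scontext=root:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
"""

if __name__ == "__main__":
    found = parse_avc(SAMPLE_LOG)
    for rule in generate_rules(found):
        print(rule)
    for key, comms in sorted(commands_for(found).items()):
        print("#", key, "triggered by", ", ".join(comms))
```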
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 16 Sep 2005 09:05:28 -0400 Subject: sshd Selinux v/s sshd Selinux disabled ....... In-Reply-To: <20050915221459.1051.qmail@web51501.mail.yahoo.com> References: <20050915221459.1051.qmail@web51501.mail.yahoo.com> Message-ID: <1126875928.25919.51.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2005-09-15 at 15:14 -0700, Steve G wrote: > >regarding execute these specific services: sshd, samba, postgres and vsftpd over > >a system platform Selinux-enabled, > > These are all network daemons. This means they are subject to possibly malicious > traffic. If there is a hole in any of those apps that lets an intruder exploit > the app, SE Linux will probably prevent the problem. SE Linux has a basic > understanding of what the normal syscalls and files or system resources that are > used by the app. If it spots abnormal behavior, it can stop it. Note however that whether or not SELinux provides any benefit for a particular case depends on the particular policy configuration, the degree to which the application was designed with least privilege in mind (since the policy has to allow it to do what it needs to do for its purpose), and the nature of the attack. For example, under targeted policy, sshd is unconfined, so SELinux/targeted provides no benefit for that case, whereas SELinux/strict may provide some benefit. Further, while SELinux/strict does put restrictions on what sshd can do, it has to allow sshd to do what it needs for its purpose, which includes transitioning to a user shell (although one can limit it to transitioning to non-privileged user shells and require another authenticated step like newrole/su to gain privilege as yet another hurdle). Decomposing sshd in a way that can be leveraged by SELinux (i.e. 
separation into multiple executables for the different stages, and putting each stage into separate domains) or introducing dynamic context transitions into sshd to reinforce the existing privilege separation support would help.

-- 
Stephen Smalley
National Security Agency

From russell at coker.com.au Sat Sep 17 12:35:29 2005
From: russell at coker.com.au (Russell Coker)
Date: Sat, 17 Sep 2005 22:35:29 +1000
Subject: disable setenforce
In-Reply-To: <1126537235.2999.88.camel@moss-spartans.epoch.ncsc.mil>
References: <1126283594.20003.17.camel@hive.ccit.arizona.edu> <200509121652.59242.russell@coker.com.au> <1126537235.2999.88.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200509172235.40550.russell@coker.com.au>

On Tuesday 13 September 2005 01:00, Stephen Smalley wrote:
> > NB Setting secure_mode_policyload to default to 1 at boot time will
> > work, but that means policy can only be loaded once at boot (should be
> > able to install new policy and reboot the machine though). Setting
> > secure_mode_insmod at boot will probably make the boot process fail for
> > all non-trivial machines, the initial values of booleans are set before
> > modules for devices such as Ethernet cards. Setting secure_mode_insmod
> > after the boot process is completed might be a good idea if you have no
> > plans to use USB or Cardbus/PCMCIA, there have been exploits which relied
> > on the ability to trick the system into loading modules (e.g. the ptrace
> > exploit).
>
> Did you attach the wrong patch? The one you sent doesn't define new
> booleans; it just wraps additional rules with the existing secure_mode
> boolean.

I attached the patch, re-worked it, and then forgot to attach the new patch.

The correct patch is attached to this message.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-diff
Size: 3137 bytes
Desc: not available
URL: 

From russell at coker.com.au Sat Sep 17 12:53:05 2005
From: russell at coker.com.au (Russell Coker)
Date: Sat, 17 Sep 2005 22:53:05 +1000
Subject: disable setenforce
In-Reply-To: <200509172235.40550.russell@coker.com.au>
References: <1126283594.20003.17.camel@hive.ccit.arizona.edu> <1126537235.2999.88.camel@moss-spartans.epoch.ncsc.mil> <200509172235.40550.russell@coker.com.au>
Message-ID: <200509172253.16022.russell@coker.com.au>

On Saturday 17 September 2005 22:35, Russell Coker wrote:
> > Did you attach the wrong patch? The one you sent doesn't define new
> > booleans; it just wraps additional rules with the existing secure_mode
> > boolean.
>
> I attached the patch, re-worked it, and then forgot to attach the new
> patch.
>
> The correct patch is attached to this message.

I hate doing this. Just after I sent the previous patch I discovered a minor bug. When building a policy with ypbind.te included the nested booleans break the compile. The attached patch fixes this.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-diff
Size: 3233 bytes
Desc: not available
URL: 

From chair at selinux-symposium.org Mon Sep 19 17:22:21 2005
From: chair at selinux-symposium.org (SELinux Symposium Chair)
Date: Mon, 19 Sep 2005 13:22:21 -0400
Subject: Call for papers deadline extended
Message-ID: <1127150541.9704.5.camel@twoface.columbia.tresys.com>

By popular request, the deadline for paper submissions for the 2006 SELinux Symposium has been extended to October 1, 2005. See the symposium web site (www.selinux-symposium.org) for the call for papers and submission requirements.

Thank you,
SELinux Symposium Chair

From hongwei at wustl.edu Mon Sep 19 20:22:15 2005
From: hongwei at wustl.edu (Hongwei Li)
Date: Mon, 19 Sep 2005 15:22:15 -0500 (CDT)
Subject: selinux and squirrelmail in FC4
Message-ID: <4008.128.252.85.103.1127161335.squirrel@morpheus.wustl.edu>

Hello,

I have a FC4 system, kernel: 2.6.12-1.1447_FC4, selinux targeted, enforced, installed:
selinux-policy-targeted-1.25.4-10.1,
selinux-policy-targeted-sources-1.25.4-10.1
squirrelmail-1.4.4-2

If I setenforce 0, then users can log in squirrelmail and read/send emails w/o problems. If I setenforce 1, then users cannot login sm. The error message is:

Error connecting to IMAP server: localhost.
13 : Permission denied

However, the system log does not show any error message about it. So, if I run the selinux command, I got:

# audit2allow -l -i /var/log/messages -o /etc/selinux/targeted/src/policy/domains/program/apache.te
# make load
make: Nothing to be done for `load'.

BTW, users can still run pine to read/send emails. I tried to set squirrelmail's server setting using sendmail or smtp, but no help.

Can somebody tell me how to solve the problem? Thanks!

Hongwei Li

From paul at city-fan.org Tue Sep 20 07:22:49 2005
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 20 Sep 2005 08:22:49 +0100
Subject: selinux and squirrelmail in FC4
In-Reply-To: <4008.128.252.85.103.1127161335.squirrel@morpheus.wustl.edu>
References: <4008.128.252.85.103.1127161335.squirrel@morpheus.wustl.edu>
Message-ID: <1127200969.8377.130.camel@laurel.intra.city-fan.org>

On Mon, 2005-09-19 at 15:22 -0500, Hongwei Li wrote:
> Hello,
>
> I have a FC4 system, kernel: 2.6.12-1.1447_FC4, selinux targeted, enforced,
> installed: selinux-policy-targeted-1.25.4-10.1,
> selinux-policy-targeted-sources-1.25.4-10.1
> squirrelmail-1.4.4-2
>
> If I setenforce 0, then users can log in squirrelmail and read/send emails w/o
> problems. If I setenforce 1, then users cannot login sm. The error message
> is:
>
> Error connecting to IMAP server: localhost.
> 13 : Permission denied
>
> However, the system log does not show error message about it. So, if I run
> the selinux command, I got:
>
> # audit2allow -l -i /var/log/messages -o
> /etc/selinux/targeted/src/policy/domains/program/apache.te

In FC4 the audit messages are in /var/log/audit/audit.log, not /var/log/messages.

It would be wise to understand what exactly SELinux is preventing rather than blindly appending rules to allow whatever it's trying to do though.

Paul.
-- 
Paul Howarth

From hongwei at wustl.edu Tue Sep 20 13:32:22 2005
From: hongwei at wustl.edu (Hongwei Li)
Date: Tue, 20 Sep 2005 08:32:22 -0500 (CDT)
Subject: selinux and squirrelmail in FC4
In-Reply-To: <4008.128.252.85.103.1127161335.squirrel@morpheus.wustl.edu>
References: <4008.128.252.85.103.1127161335.squirrel@morpheus.wustl.edu>
Message-ID: <2444.128.252.85.103.1127223142.squirrel@morpheus.wustl.edu>

> Hello,
>
> I have a FC4 system, kernel: 2.6.12-1.1447_FC4, selinux targeted, enforced,
> installed: selinux-policy-targeted-1.25.4-10.1,
> selinux-policy-targeted-sources-1.25.4-10.1
> squirrelmail-1.4.4-2
>
> If I setenforce 0, then users can log in squirrelmail and read/send emails w/o
> problems. If I setenforce 1, then users cannot login sm. The error message
> is:
>
> Error connecting to IMAP server: localhost.
> 13 : Permission denied
>
> However, the system log does not show error message about it. So, if I run
> the selinux command, I got:
>
> # audit2allow -l -i /var/log/messages -o
> /etc/selinux/targeted/src/policy/domains/program/apache.te
>

The problem has been fixed by working with audit.log instead of the message log. Post it here in case other people have a similar problem.

Hongwei

From Valdis.Kletnieks at vt.edu Tue Sep 20 20:31:41 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 20 Sep 2005 16:31:41 -0400
Subject: checkpolicy bombing on Fedora devel...
Message-ID: <200509202031.j8KKVfeF025740@turing-police.cc.vt.edu>

Something is causing checkpolicy to segfault. I ended up building it from the .src.rpm so it was compiled with -g and not stripped.

checkpolicy-1.27.1-1, libselinux-1.26-6, updated to -devel tree as of this morning.

gdb then says:

(gdb) run -M -o policy.20 policy.conf
Starting program: /usr/src/redhat/BUILD/checkpolicy-1.27.1/checkpolicy -M -o policy.20 policy.conf
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xffffe000
/usr/src/redhat/BUILD/checkpolicy-1.27.1/checkpolicy: loading policy configuration from policy.conf

Program received signal SIGSEGV, Segmentation fault.
parse_categories (id=0x8bbff28 "s0", levdatum=0x80a75b8, cats=0x80a00bc) at policy_parse.y:3569
3569            range_start = range_end = cdatum->value - 1;
(gdb) where
#0  parse_categories (id=0x8bbff28 "s0", levdatum=0x80a75b8, cats=0x80a00bc) at policy_parse.y:3569
#1  0x0804f340 in parse_security_context (c=0x80a00ac) at policy_parse.y:3850
#2  0x080534f2 in yyparse () at policy_parse.y:3925
#3  0x0804a743 in main (argc=5, argv=0xbfeecd74) at checkpolicy.c:549

This ring any bells? Have I dorked up a file ('users' most likely) during the conversion to MCS in a way that didn't flag a syntax error but causes a crash? Hints, etc accepted..

From dwalsh at redhat.com Tue Sep 20 20:38:18 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 20 Sep 2005 16:38:18 -0400
Subject: checkpolicy bombing on Fedora devel...
In-Reply-To: <200509202031.j8KKVfeF025740@turing-police.cc.vt.edu>
References: <200509202031.j8KKVfeF025740@turing-police.cc.vt.edu>
Message-ID: <4330733A.4040102@redhat.com>

Valdis.Kletnieks at vt.edu wrote:
> Something is causing checkpolicy to segfault. I ended up building
> it from the .src.rpm so it was compiled with -g and not stripped.
>
> checkpolicy-1.27.1-1, libselinux-1.26-6, updated to -devel tree as of this morning.
>
> gdb then says:
>
> (gdb) run -M -o policy.20 policy.conf
> Starting program: /usr/src/redhat/BUILD/checkpolicy-1.27.1/checkpolicy -M -o policy.20 policy.conf
> Reading symbols from shared object read from target memory...done.
> Loaded system supplied DSO at 0xffffe000
> /usr/src/redhat/BUILD/checkpolicy-1.27.1/checkpolicy: loading policy configuration from policy.conf
>
> Program received signal SIGSEGV, Segmentation fault.
> parse_categories (id=0x8bbff28 "s0", levdatum=0x80a75b8, cats=0x80a00bc)
>     at policy_parse.y:3569
> 3569            range_start = range_end = cdatum->value - 1;
> (gdb) where
> #0  parse_categories (id=0x8bbff28 "s0", levdatum=0x80a75b8, cats=0x80a00bc)
>     at policy_parse.y:3569
> #1  0x0804f340 in parse_security_context (c=0x80a00ac) at policy_parse.y:3850
> #2  0x080534f2 in yyparse () at policy_parse.y:3925
> #3  0x0804a743 in main (argc=5, argv=0xbfeecd74) at checkpolicy.c:549
>
> This ring any bells? Have I dorked up a file ('users' most likely) during the
> conversion to MCS in a way that didn't flag a syntax error but causes a crash?
> Hints, etc accepted..
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

libsetrans is borked.

-- 

From sds at tycho.nsa.gov Tue Sep 20 20:41:26 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 20 Sep 2005 16:41:26 -0400
Subject: checkpolicy bombing on Fedora devel...
In-Reply-To: <200509202031.j8KKVfeF025740@turing-police.cc.vt.edu>
References: <200509202031.j8KKVfeF025740@turing-police.cc.vt.edu>
Message-ID: <1127248886.14569.172.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-09-20 at 16:31 -0400, Valdis.Kletnieks at vt.edu wrote:
> Something is causing checkpolicy to segfault. I ended up building
> it from the .src.rpm so it was compiled with -g and not stripped.
>
> checkpolicy-1.27.1-1, libselinux-1.26-6, updated to -devel tree as of this morning.
>
> gdb then says:
>
> (gdb) run -M -o policy.20 policy.conf
> Starting program: /usr/src/redhat/BUILD/checkpolicy-1.27.1/checkpolicy -M -o policy.20 policy.conf
> Reading symbols from shared object read from target memory...done.
> Loaded system supplied DSO at 0xffffe000
> /usr/src/redhat/BUILD/checkpolicy-1.27.1/checkpolicy: loading policy configuration from policy.conf
>
> Program received signal SIGSEGV, Segmentation fault.
> parse_categories (id=0x8bbff28 "s0", levdatum=0x80a75b8, cats=0x80a00bc)
>     at policy_parse.y:3569
> 3569            range_start = range_end = cdatum->value - 1;
> (gdb) where
> #0  parse_categories (id=0x8bbff28 "s0", levdatum=0x80a75b8, cats=0x80a00bc)
>     at policy_parse.y:3569
> #1  0x0804f340 in parse_security_context (c=0x80a00ac) at policy_parse.y:3850
> #2  0x080534f2 in yyparse () at policy_parse.y:3925
> #3  0x0804a743 in main (argc=5, argv=0xbfeecd74) at checkpolicy.c:549
>
> This ring any bells? Have I dorked up a file ('users' most likely) during the
> conversion to MCS in a way that didn't flag a syntax error but causes a crash?
> Hints, etc accepted..

From the info above, you have an id "s0" that is a sensitivity rather than a category, so the hashtab_search fails, but that code path fails to check for such failure and thus crashes rather than reporting it. Try the patch below.
Index: checkpolicy/policy_parse.y =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/checkpolicy/policy_parse.y,v retrieving revision 1.43 diff -u -p -r1.43 policy_parse.y --- checkpolicy/policy_parse.y 16 Sep 2005 17:24:11 -0000 1.43 +++ checkpolicy/policy_parse.y 20 Sep 2005 20:38:34 -0000 @@ -3566,6 +3566,11 @@ parse_categories(char *id, level_datum_t } else { cdatum = (cat_datum_t *)hashtab_search(policydbp->p_cats.table, (hashtab_key_t)id); + if (!cdatum) { + sprintf(errormsg, "unknown category %s", id); + yyerror(errormsg); + return -1; + } range_start = range_end = cdatum->value - 1; } -- Stephen Smalley National Security Agency From Valdis.Kletnieks at vt.edu Tue Sep 20 21:16:25 2005 
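Review bot: the new error path formats a caller-supplied identifier into a fixed buffer with an unbounded `sprintf(errormsg, "unknown category %s", id);`; since `id` is an arbitrary token read from the policy source, an overly long identifier can overrun `errormsg`, so use `snprintf(errormsg, sizeof(errormsg), "unknown category %s", id);` so the diagnostic is truncated instead of corrupting memory on exactly the malformed input this check exists to report.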
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 20 Sep 2005 17:16:25 -0400
Subject: checkpolicy bombing on Fedora devel...
In-Reply-To: Your message of "Tue, 20 Sep 2005 16:41:26 EDT." <1127248886.14569.172.camel@moss-spartans.epoch.ncsc.mil>
References: <200509202031.j8KKVfeF025740@turing-police.cc.vt.edu> <1127248886.14569.172.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200509202116.j8KLGPXR028240@turing-police.cc.vt.edu>

On Tue, 20 Sep 2005 16:41:26 EDT, Stephen Smalley said:
> From the info above, you have an id "s0" that is a sensitivity rather
> than a category, so the hashtab_search fails, but that code path fails
> to check for such failure and thus crashes rather than reporting it.
> Try the patch below.

OK.. No crash, something resembling a useful diagnostic. Probably want to keep the patch....

(gdb) run -M -o policy.20 policy.conf
Starting program: /usr/src/redhat/BUILD/checkpolicy-1.27.1/checkpolicy -M -o policy.20 policy.conf
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xffffe000
/usr/src/redhat/BUILD/checkpolicy-1.27.1/checkpolicy: loading policy configuration from policy.conf
initial_sid_contexts:9:ERROR 'unknown category s0' at token 'sid' on line 428578:
sid security system_u:object_r:security_t:s0:s0
sid kernel system_u:system_r:kernel_t:s0:s0
/usr/src/redhat/BUILD/checkpolicy-1.27.1/checkpolicy: error(s) encountered while parsing configuration

"D'oh!" -- H. Simpson

After fixing initial_sid_contexts by hand, I got:

fs_use:8:ERROR 'unknown category s0' at token ';' on line 428624:
fs_use_xattr ext2 system_u:object_r:fs_t:s0:s0;
# Requires that a security xattr handler exist for the filesystem.

I think I trashed it by running 'make mcsconvert' (possibly twice) trying to deal with the fact that my 'users' file didn't have :s0 type stuff in it....

Ended up doing an 'rpm -e selinux-policy-strict-sources' and then re-installing it, all looks OK now.

From ktl at bornet.net Wed Sep 21 00:04:15 2005
From: ktl at bornet.net (Tomas Larsson)
Date: Wed, 21 Sep 2005 02:04:15 +0200
Subject: Selinux an vsftp
Message-ID: 

I am getting 500 OOPS: failed to open xferlog log file:/var/log/vsftpd.log, so I'm guessing that it's something wrong in the selinux-setup

ls -Z looks like this
-rw-r--r--  root  root  system_u:object_r:var_log_t  vsftpd.log

And in audit log

type=AVC msg=audit(1127260722.483:14084097): avc: denied { append } for pid=622 comm="vsftpd" name="vsftpd.log" dev=dm-0 ino=1143798 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:var_log_t tclass=file

I'm guessing that I've got something wrong, but can't find what to do

With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem

From mjs at ces.clemson.edu Wed Sep 21 11:03:41 2005
From: mjs at ces.clemson.edu (Matthew Saltzman)
Date: Wed, 21 Sep 2005 07:03:41 -0400 (EDT)
Subject: acpid
In-Reply-To: 
References: 
Message-ID: 

On Thu, 15 Sep 2005, Matthew Saltzman wrote:

> I have ACPI scripts that are supposed to run when Fn-Fx is pressed (for
> various values of x). The scripts run fine when invoked from a shell, but
> they fail when invoked by keypress. For example, /etc/acpi/actions/Fn-F3.sh
> contains:
>
> #!/bin/sh
>
> if [ -f /var/tmp/acpi-lightoff ]; then
>     /usr/sbin/radeontool light on
>     /bin/rm /var/tmp/acpi-lightoff
> else
>     /usr/sbin/radeontool light off
>     /bin/touch /var/tmp/acpi-lightoff
> fi
>
> When invoked by keypress, I get the following audit messages, and no action
> is taken (light stays on, no file touched). Should I be doing something
> different or is there something in selinux-policy-targeted that needs to be
> fixed?

I've changed the script so that it reads its status directly rather than checking for the file:

if [ "$(/usr/sbin/radeontool light)" = "The radeon backlight looks on" ]; then
    /usr/sbin/radeontool light off
else
    /usr/sbin/radeontool light on
fi

It still works fine if invoked from the command line and doesn't work if invoked by acpid, unless setenforce 0 is set. How can I fix this, and can it be fixed in selinux-policy-targeted? Thanks.

/var/log/acpi reports:

[Wed Sep 21 04:37:22 2005] received event "ibm/hotkey HKEY 00000080 00001003"
[Wed Sep 21 04:37:22 2005] notifying client 3203[500:500]
[Wed Sep 21 04:37:22 2005] executing action "/etc/acpi/actions/Fn-F3.sh"
[Wed Sep 21 04:37:22 2005] BEGIN HANDLER MESSAGES
Radeon hardware not found in lspci output.
Radeon hardware not found in lspci output.
[Wed Sep 21 04:37:23 2005] END HANDLER MESSAGES
[Wed Sep 21 04:37:23 2005] action exited with status 255
[Wed Sep 21 04:37:23 2005] completed event "ibm/hotkey HKEY 00000080 00001003"

/var/log/audit/audit.log reports:

type=AVC msg=audit(1127291842.986:3152715): avc: denied { read } for pid=7984 comm="lspci" name="pci.ids" dev=dm-0 ino=809685 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:usr_t tclass=file
type=SYSCALL msg=audit(1127291842.986:3152715): arch=40000003 syscall=5 success=no exit=-13 a0=8054e5c a1=0 a2=fbad8001 a3=0 items=1 pid=7984 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="lspci" exe="/sbin/lspci"
type=CWD msg=audit(1127291842.986:3152715): cwd="/"
type=PATH msg=audit(1127291842.986:3152715): item=0 name="/usr/share/hwdata/pci.ids" flags=101 inode=809685 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127291842.997:3153231): avc: denied { read } for pid=7986 comm="lspci" name="pci.ids" dev=dm-0 ino=809685 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:usr_t tclass=file
type=SYSCALL msg=audit(1127291842.997:3153231): arch=40000003 syscall=5 success=no exit=-13 a0=8054e5c a1=0 a2=fbad8001 a3=0 items=1 pid=7986 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="lspci" exe="/sbin/lspci"
type=CWD msg=audit(1127291842.997:3153231): cwd="/"
type=PATH msg=audit(1127291842.997:3153231): item=0 name="/usr/share/hwdata/pci.ids" flags=101 inode=809685 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

From dwalsh at redhat.com Wed Sep 21 12:33:57 2005
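Paul Howarth's advice earlier in this archive is to read the denial records in /var/log/audit/audit.log and understand what SELinux is refusing before appending rules. The following is an added example (not code posted by anyone on this list) that does that reading for records like the ones Matthew quotes above: it joins the AVC, SYSCALL and PATH lines that share one audit event id, renders each denial as source type, target type, object class, permissions, executable and path, and counts the distinct denial patterns. The sample input is the two lspci events above plus the lone vsftpd AVC from Tomas Larsson's earlier post; the function names and output format are this example's own.

```python
"""Summarise SELinux AVC denials from /var/log/audit/audit.log.

Added example for this list archive, not code from any poster. Records that
share one event id (the "timestamp:serial" inside msg=audit(...)) belong to
one denied operation, so AVC, SYSCALL, CWD and PATH lines are grouped by it.
"""
import re
from collections import Counter, defaultdict

# One audit record starts "type=<TYPE> msg=audit(<timestamp>:<serial>): <rest>".
RECORD_RE = re.compile(
    r'type=(?P<type>\w+)\s+msg=audit\((?P<eid>\d+\.\d+:\d+)\):\s*(?P<rest>.*)')
# The AVC body: "avc:  denied  { read write } for pid=... scontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
# key=value pairs; a value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'pid=622 comm="vsftpd" ...' into a dict with the quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def context_type(ctx):
    """Return the type component of a user:role:type[:level] context ('' if absent)."""
    parts = (ctx or '').split(':')
    return parts[2] if len(parts) >= 3 else ''


def parse_record(line):
    """Parse one audit.log line; returns a dict, or None for non-audit lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m.group('type'), 'eid': m.group('eid')}
    rest = m.group('rest')
    if rec['type'] == 'AVC':
        a = AVC_RE.match(rest)
        if not a:
            return None
        rec['result'] = a.group('result')
        rec['perms'] = a.group('perms').split()
        rec.update(parse_fields(a.group('fields')))
    else:
        rec.update(parse_fields(rest))
    return rec


def group_events(lines):
    """Group parsed records by audit event id, keeping file order within an event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec['eid']].append(rec)
    return events


def describe_denials(lines):
    """One readable line per denied AVC, joined with the SYSCALL/PATH records of its event."""
    out = []
    for eid, recs in sorted(group_events(lines).items()):
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), {})
        paths = [r for r in recs if r['type'] == 'PATH']
        for avc in recs:
            if avc['type'] != 'AVC' or avc.get('result') != 'denied':
                continue
            # Prefer the full path from the PATH record; fall back to the AVC's name=.
            path = paths[0].get('name') if paths else avc.get('name')
            out.append(
                f"{eid}: {context_type(avc.get('scontext'))} -> "
                f"{context_type(avc.get('tcontext'))} {avc.get('tclass')} "
                f"{{ {' '.join(avc['perms'])} }} comm={avc.get('comm')} "
                f"exe={syscall.get('exe', '?')} path={path}")
    return out


def summarise(lines):
    """Count (source type, target type, class, permission) over all denials."""
    counts = Counter()
    for recs in group_events(lines).values():
        for r in recs:
            if r['type'] == 'AVC' and r.get('result') == 'denied':
                for perm in r['perms']:
                    counts[(context_type(r.get('scontext')),
                            context_type(r.get('tcontext')),
                            r.get('tclass'), perm)] += 1
    return counts


# Sample input: the records quoted in this archive (the vsftpd append denial
# from Tomas Larsson's post and the two lspci events from Matthew's post).
SAMPLE_LOG = """\
type=AVC msg=audit(1127260722.483:14084097): avc: denied { append } for pid=622 comm="vsftpd" name="vsftpd.log" dev=dm-0 ino=1143798 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:var_log_t tclass=file
type=AVC msg=audit(1127291842.986:3152715): avc: denied { read } for pid=7984 comm="lspci" name="pci.ids" dev=dm-0 ino=809685 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:usr_t tclass=file
type=SYSCALL msg=audit(1127291842.986:3152715): arch=40000003 syscall=5 success=no exit=-13 a0=8054e5c a1=0 a2=fbad8001 a3=0 items=1 pid=7984 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="lspci" exe="/sbin/lspci"
type=CWD msg=audit(1127291842.986:3152715): cwd="/"
type=PATH msg=audit(1127291842.986:3152715): item=0 name="/usr/share/hwdata/pci.ids" flags=101 inode=809685 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127291842.997:3153231): avc: denied { read } for pid=7986 comm="lspci" name="pci.ids" dev=dm-0 ino=809685 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:usr_t tclass=file
type=SYSCALL msg=audit(1127291842.997:3153231): arch=40000003 syscall=5 success=no exit=-13 a0=8054e5c a1=0 a2=fbad8001 a3=0 items=1 pid=7986 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="lspci" exe="/sbin/lspci"
type=CWD msg=audit(1127291842.997:3153231): cwd="/"
type=PATH msg=audit(1127291842.997:3153231): item=0 name="/usr/share/hwdata/pci.ids" flags=101 inode=809685 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

if __name__ == '__main__':
    sample = SAMPLE_LOG.splitlines()
    for line in describe_denials(sample):
        print(line)
    for key, n in summarise(sample).items():
        print(n, *key)
```

The summary is the part worth reading before touching policy: the lspci denials collapse to a single pattern (apmd_t reading a usr_t file twice), which tells you the script's failure is one missing access, not a cascade, and the vsftpd line shows a target type that does not match what the daemon's domain is meant to write to, which points at a labelling problem rather than a missing allow rule. Feed the real file with `describe_denials(open('/var/log/audit/audit.log'))`.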
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 21 Sep 2005 08:33:57 -0400
Subject: Selinux an vsftp
In-Reply-To: 
References: 
Message-ID: <43315335.5090804@redhat.com>

Tomas Larsson wrote:
> I am getting 500 OOPS: failed to open xferlog log file:/var/log/vsftpd.log,
> so I'm guessing that it's something wrong in the selinux-setup
>
> ls -Z looks like this
> -rw-r--r--  root  root  system_u:object_r:var_log_t  vsftpd.log
>
> And in audit log
>
> type=AVC msg=audit(1127260722.483:14084097): avc: denied { append } for
> pid=622 comm="vsftpd" name="vsftpd.log" dev=dm-0 ino=1143798
> scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:var_log_t
> tclass=file
>
> I'm guessing that I've got something wrong, but can't find what to do
>
> With best regards
>
> Tomas Larsson
> Sweden
>
> Verus Amicus Est Tamquam Alter Idem
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Looks like a bug in file context.

chcon -t xferlog_t /var/log/vsftpd.log
should fix it.

I will update policy

-- 

From ktl at bornet.net Wed Sep 21 13:21:30 2005
From: ktl at bornet.net (Tomas Larsson)
Date: Wed, 21 Sep 2005 15:21:30 +0200
Subject: Selinux an vsftp
In-Reply-To: <43315335.5090804@redhat.com>
Message-ID: 

> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> Sent: Wednesday, September 21, 2005 2:34 PM
> To: Tomas Larsson
> Cc: fedora-selinux-list at redhat.com
> Subject: Re: Selinux an vsftp
>
> Tomas Larsson wrote:
> > I am getting 500 OOPS: failed to open xferlog log
> > file:/var/log/vsftpd.log, so I'm guessing that it's something wrong in
> > the selinux-setup
> >
> > ls -Z looks like this
> > -rw-r--r--  root  root  system_u:object_r:var_log_t  vsftpd.log
> >
> > And in audit log
> >
> > type=AVC msg=audit(1127260722.483:14084097): avc: denied { append }
> > for pid=622 comm="vsftpd" name="vsftpd.log" dev=dm-0 ino=1143798
> > scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:var_log_t
> > tclass=file
> >
> > I'm guessing that I've got something wrong, but can't find what to do
> >
> > With best regards
> >
> > Tomas Larsson
> > Sweden
> >
> > Verus Amicus Est Tamquam Alter Idem
> >
> > --
> > fedora-selinux-list mailing list fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> Looks like a bug in file context.
>
> chcon -t xferlog_t /var/log/vsftpd.log
> should fix it.
>
> I will update policy
>
> --

I've got that one sorted, deleted the logfile and restarted vsftpd.

Now got other problems:

Need anonymous ftp, configured ftpd correct (I think).
Created a user "ftpuser" for anonymous ftp in /var
ls -Z looks like this:

drwxrwsrwx  ftpuser  ftpuser  system_u:object_r:ftpd_anon_t  ftp

In ftp I have
drwxrwsrwx  ftpuser  ftpuser  system_u:object_r:ftpd_anon_t  pub

And get 553 errors,

TYPE I
200 Switching to Binary mode.
PORT 192,168,0,2,6,45
200 PORT command successful. Consider using PASV.
STOR 465_v6.pdf
553 Could not create file.
Transfer request completed with status: Failed, 1 SubItem(s) failed

The audit log looks like this

type=AVC msg=audit(1127307868.846:713105): avc: denied { write } for pid=9357 comm="vsftpd" name="ftp" dev=dm-0 ino=1143637 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
type=SYSCALL msg=audit(1127307868.846:713105): arch=40000003 syscall=5 success=no exit=-13 a0=96b08c0 a1=84c1 a2=1b6 a3=84c1 items=1 pid=9357 auid=0 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500 fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1127307868.846:713105): cwd="/"
type=PATH msg=audit(1127307868.846:713105): item=0 name="465_v6.pdf" flags=310 inode=1143637 dev=fd:00 mode=042777 ouid=501 ogid=500 rdev=00:00
type=AVC msg=audit(1127307868.880:713157): avc: denied { getattr } for pid=9357 comm="vsftpd" name="pub" dev=dm-0 ino=1143638 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_rw_t tclass=dir
type=SYSCALL msg=audit(1127307868.880:713157): arch=40000003 syscall=196 success=no exit=-13 a0=96b0aa0 a1=96b0ab0 a2=66cff4 a3=cc1eec items=1 pid=9357 auid=0 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500 fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=AVC_PATH msg=audit(1127307868.880:713157): path="/pub"
type=CWD msg=audit(1127307868.880:713157): cwd="/"
type=PATH msg=audit(1127307868.880:713157): item=0 name="pub" flags=0 inode=1143638 dev=fd:00 mode=042777 ouid=501 ogid=500 rdev=00:00
type=AVC msg=audit(1127308017.113:730070): avc: denied { write } for pid=9357 comm="vsftpd" name="ftp" dev=dm-0 ino=1143637 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
type=SYSCALL msg=audit(1127308017.113:730070): arch=40000003 syscall=5 success=no exit=-13 a0=96b08c0 a1=84c1 a2=1b6 a3=84c1 items=1 pid=9357 auid=0 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500 fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1127308017.113:730070): cwd="/"
type=PATH msg=audit(1127308017.113:730070): item=0 name="465_v6.pdf" flags=310 inode=1143637 dev=fd:00 mode=042777 ouid=501 ogid=500 rdev=00:00

With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem

From dwalsh at redhat.com Wed Sep 21 14:06:15 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 21 Sep 2005 10:06:15 -0400
Subject: Selinux an vsftp
In-Reply-To: 
References: 
Message-ID: <433168D7.2050806@redhat.com>

Tomas Larsson wrote:
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>> Sent: Wednesday, September 21, 2005 2:34 PM
>> To: Tomas Larsson
>> Cc: fedora-selinux-list at redhat.com
>> Subject: Re: Selinux an vsftp
>>
>> Tomas Larsson wrote:
>>> I am getting 500 OOPS: failed to open xferlog log
>>> file:/var/log/vsftpd.log, so I'm guessing that it's something wrong in
>>> the selinux-setup
>>>
>>> ls -Z looks like this
>>> -rw-r--r--  root  root  system_u:object_r:var_log_t  vsftpd.log
>>>
>>> And in audit log
>>>
>>> type=AVC msg=audit(1127260722.483:14084097): avc: denied { append }
>>> for pid=622 comm="vsftpd" name="vsftpd.log" dev=dm-0 ino=1143798
>>> scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:var_log_t
>>> tclass=file
>>>
>>> I'm guessing that I've got something wrong, but can't find what to do
>>>
>>> With best regards
>>>
>>> Tomas Larsson
>>> Sweden
>>>
>>> Verus Amicus Est Tamquam Alter Idem
>>>
>>> --
>>> fedora-selinux-list mailing list fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>> Looks like a bug in file context.
>>
>> chcon -t xferlog_t /var/log/vsftpd.log
>> should fix it.
>>
>> I will update policy
>>
>> --
>
> I've got that one sorted, deleted the logfile and restarted vsftpd.
>
> Now got other problems:
>
> Need anonymous ftp, configured ftpd correct (I think).
> Created a user "ftpuser" for anonymous ftp in /var
> ls -Z looks like this:
>
> drwxrwsrwx  ftpuser  ftpuser  system_u:object_r:ftpd_anon_t  ftp
>
> In ftp I have
> drwxrwsrwx  ftpuser  ftpuser  system_u:object_r:ftpd_anon_t  pub
>

If you are trying to write to the directory you need ftpd_anon_rw_t and boolean allow_ftpd_anon_write=1

> And get 553 errors,
>
> TYPE I
> 200 Switching to Binary mode.
> PORT 192,168,0,2,6,45
> 200 PORT command successful. Consider using PASV.
> STOR 465_v6.pdf
> 553 Could not create file.
> Transfer request completed with status: Failed, 1 SubItem(s) failed
>
> The audit log looks like this
> type=AVC msg=audit(1127307868.846:713105): avc: denied { write } for
> pid=9357 comm="vsftpd" name="ftp" dev=dm-0 ino=1143637
> scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t
> tclass=dir
> type=SYSCALL msg=audit(1127307868.846:713105): arch=40000003 syscall=5
> success=no exit=-13 a0=96b08c0 a1=84c1 a2=1b6 a3=84c1 items=1 pid=9357
> auid=0 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500
> fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
> type=CWD msg=audit(1127307868.846:713105): cwd="/"
> type=PATH msg=audit(1127307868.846:713105): item=0 name="465_v6.pdf"
> flags=310 inode=1143637 dev=fd:00 mode=042777 ouid=501 ogid=500 rdev=00:00
> type=AVC msg=audit(1127307868.880:713157): avc: denied { getattr } for
> pid=9357 comm="vsftpd" name="pub" dev=dm-0 ino=1143638
> scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_rw_t
> tclass=dir
> type=SYSCALL msg=audit(1127307868.880:713157): arch=40000003 syscall=196
> success=no exit=-13 a0=96b0aa0 a1=96b0ab0 a2=66cff4 a3=cc1eec items=1
> pid=9357 auid=0 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500
> sgid=500 fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
> type=AVC_PATH msg=audit(1127307868.880:713157): path="/pub"
> type=CWD msg=audit(1127307868.880:713157): cwd="/"
> type=PATH msg=audit(1127307868.880:713157): item=0 name="pub" flags=0
> inode=1143638 dev=fd:00 mode=042777 ouid=501 ogid=500 rdev=00:00
> type=AVC msg=audit(1127308017.113:730070): avc: denied { write } for
> pid=9357 comm="vsftpd" name="ftp" dev=dm-0 ino=1143637
> scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t
> tclass=dir
> type=SYSCALL msg=audit(1127308017.113:730070): arch=40000003 syscall=5
> success=no exit=-13 a0=96b08c0 a1=84c1 a2=1b6 a3=84c1 items=1 pid=9357
> auid=0 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500
> fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
> type=CWD msg=audit(1127308017.113:730070): cwd="/"
> type=PATH msg=audit(1127308017.113:730070): item=0 name="465_v6.pdf"
> flags=310 inode=1143637 dev=fd:00 mode=042777 ouid=501 ogid=500 rdev=00:00
>
> With best regards
>
> Tomas Larsson
> Sweden
>
> Verus Amicus Est Tamquam Alter Idem
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-- 

From dwalsh at redhat.com Wed Sep 21 19:38:32 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 21 Sep 2005 15:38:32 -0400
Subject: Anyone in the Boston area tonight who want to talk about SELinux...
Message-ID: <4331B6B8.7010305@redhat.com>

http://www.blu.org/cgi-bin/calendar/2005-sep

James Morris and I will be at MIT.

Dan

-- 

From notting at redhat.com Wed Sep 21 20:13:20 2005
From: notting at redhat.com (Bill Nottingham)
Date: Wed, 21 Sep 2005 16:13:20 -0400
Subject: changing of sulogin for SELinux roles?
Message-ID: <20050921201320.GC11126@nostromo.devel.redhat.com>

There's an open bug for changing sulogin to handle multiple accounts with uid 0. Wouldn't it also be useful to change it to check roles as well (for strict policy)?

Bill

From sds at tycho.nsa.gov Wed Sep 21 20:26:23 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 21 Sep 2005 16:26:23 -0400
Subject: changing of sulogin for SELinux roles?
In-Reply-To: <20050921201320.GC11126@nostromo.devel.redhat.com>
References: <20050921201320.GC11126@nostromo.devel.redhat.com>
Message-ID: <1127334383.2550.188.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-09-21 at 16:13 -0400, Bill Nottingham wrote:
> There's an open bug for changing sulogin to handle multiple
> accounts with uid 0. Wouldn't it also be useful to change
> it to check roles as well (for strict policy)?

Can you elaborate a little, or point to the bugzilla entry? It presently just uses the default context for "root" from sulogin's domain, where the default can be altered via the default_contexts configuration. Were you thinking of having it allow the user to select a context if multiple contexts are returned like pam_selinux does?

-- 
Stephen Smalley
National Security Agency

From notting at redhat.com Wed Sep 21 20:32:16 2005
From: notting at redhat.com (Bill Nottingham)
Date: Wed, 21 Sep 2005 16:32:16 -0400
Subject: changing of sulogin for SELinux roles?
In-Reply-To: <1127334383.2550.188.camel@moss-spartans.epoch.ncsc.mil>
References: <20050921201320.GC11126@nostromo.devel.redhat.com> <1127334383.2550.188.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20050921203216.GA11798@nostromo.devel.redhat.com>

Stephen Smalley (sds at tycho.nsa.gov) said:
> On Wed, 2005-09-21 at 16:13 -0400, Bill Nottingham wrote:
> > There's an open bug for changing sulogin to handle multiple
> > accounts with uid 0. Wouldn't it also be useful to change
> > it to check roles as well (for strict policy)?
>
> Can you elaborate a little, or point to the bugzilla entry?

135154/168982. Basically, it currently only authenticates as 'root', while the suggestion was to allow it to authenticate as any user who has uid 0, even if that's not 'root'.

> It presently just uses the default context for "root" from sulogin's
> domain, where the default can be altered via the default_contexts
> configuration. Were you thinking of having it allow the user to select
> a context if multiple contexts are returned like pam_selinux does?

That's one option. What I initially thought was that, if you have multiple users who are sysadm_r (or whatever), that it would allow you to authenticate as any of them.

Bill

From sds at tycho.nsa.gov Wed Sep 21 20:33:43 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 21 Sep 2005 16:33:43 -0400
Subject: changing of sulogin for SELinux roles?
In-Reply-To: <20050921203216.GA11798@nostromo.devel.redhat.com>
References: <20050921201320.GC11126@nostromo.devel.redhat.com> <1127334383.2550.188.camel@moss-spartans.epoch.ncsc.mil> <20050921203216.GA11798@nostromo.devel.redhat.com>
Message-ID: <1127334823.2550.192.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2005-09-21 at 16:32 -0400, Bill Nottingham wrote:
> 135154/168982. Basically, it currently only authenticates
> as 'root', while the suggestion was to allow it to authenticate
> as any user who has uid 0, even if that's not 'root'.

Ok, so the get_ordered_context_list() call would then take the username they chose instead of always being "root", I suppose. They would then need to define that user in policy and authorize them for sysadm_r (or comparable role) to make it work cleanly.

> That's one option. What I initially thought was that, if you
> have multiple users who are sysadm_r (or whatever), that it would
> allow you to authenticate as any of them.

Ah, I see. We don't have a good interface yet to allow sulogin to get such a list of users with a particular role, although the ongoing libsepol/libsemanage work by Ivan should help there.

-- 
Stephen Smalley
National Security Agency

From mjs at ces.clemson.edu Fri Sep 23 20:09:45 2005
From: mjs at ces.clemson.edu (Matthew Saltzman)
Date: Fri, 23 Sep 2005 16:09:45 -0400 (EDT)
Subject: acpid

Can nobody here help with this (and if not, where could I go for assistance)? selinux-policy-targeted-1.27.1-2.1 does not solve the problem.

Thanks.

On Wed, 21 Sep 2005, Matthew Saltzman wrote:

> On Thu, 15 Sep 2005, Matthew Saltzman wrote:
>
>> I have ACPI scripts that are supposed to run when Fn-Fx is pressed (for
>> various values of x). The scripts run fine when invoked from a shell, but
>> they fail when invoked by keypress. For example,
>> /etc/acpi/actions/Fn-F3.sh contains:
>>
>> #!/bin/sh
>>
>> if [ -f /var/tmp/acpi-lightoff ]; then
>>     /usr/sbin/radeontool light on
>>     /bin/rm /var/tmp/acpi-lightoff
>> else
>>     /usr/sbin/radeontool light off
>>     /bin/touch /var/tmp/acpi-lightoff
>> fi
>>
>> When invoked by keypress, I get the following audit messages, and no action
>> is taken (light stays on, no file touched). Should I be doing something
>> different or is there something in selinux-policy-targeted that needs to be
>> fixed?
>
> I've changed the script so that it reads its status directly rather than
> checking for the file:
>
> if [ "$(/usr/sbin/radeontool light)" = "The radeon backlight looks on" ]; then
>     /usr/sbin/radeontool light off
> else
>     /usr/sbin/radeontool light on
> fi
>
> It still works fine if invoked from the command line and doesn't work if
> invoked by acpid, unless setenforce 0 is set. How can I fix this, and can it
> be fixed in selinux-policy-targeted? Thanks.
>
> /var/log/acpi reports:
>
> [Wed Sep 21 04:37:22 2005] received event "ibm/hotkey HKEY 00000080 00001003"
> [Wed Sep 21 04:37:22 2005] notifying client 3203[500:500]
> [Wed Sep 21 04:37:22 2005] executing action "/etc/acpi/actions/Fn-F3.sh"
> [Wed Sep 21 04:37:22 2005] BEGIN HANDLER MESSAGES
> Radeon hardware not found in lspci output.
> Radeon hardware not found in lspci output.
> [Wed Sep 21 04:37:23 2005] END HANDLER MESSAGES
> [Wed Sep 21 04:37:23 2005] action exited with status 255
> [Wed Sep 21 04:37:23 2005] completed event "ibm/hotkey HKEY 00000080 00001003"
>
> /var/log/audit/audit.log reports:
>
> type=AVC msg=audit(1127291842.986:3152715): avc: denied { read } for pid=7984 comm="lspci" name="pci.ids" dev=dm-0 ino=809685 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:usr_t tclass=file
> type=SYSCALL msg=audit(1127291842.986:3152715): arch=40000003 syscall=5 success=no exit=-13 a0=8054e5c a1=0 a2=fbad8001 a3=0 items=1 pid=7984 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="lspci" exe="/sbin/lspci"
> type=CWD msg=audit(1127291842.986:3152715): cwd="/"
> type=PATH msg=audit(1127291842.986:3152715): item=0 name="/usr/share/hwdata/pci.ids" flags=101 inode=809685 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1127291842.997:3153231): avc: denied { read } for pid=7986 comm="lspci" name="pci.ids" dev=dm-0 ino=809685 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:usr_t tclass=file
> type=SYSCALL msg=audit(1127291842.997:3153231): arch=40000003 syscall=5 success=no exit=-13 a0=8054e5c a1=0 a2=fbad8001 a3=0 items=1 pid=7986 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="lspci" exe="/sbin/lspci"
> type=CWD msg=audit(1127291842.997:3153231): cwd="/"
> type=PATH msg=audit(1127291842.997:3153231): item=0 name="/usr/share/hwdata/pci.ids" flags=101 inode=809685 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
>

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

From sds at tycho.nsa.gov Fri Sep 23 20:22:29 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 23 Sep 2005 16:22:29 -0400
Subject: acpid
Message-ID: <1127506949.27851.107.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-23 at 16:09 -0400, Matthew Saltzman wrote:
> Can nobody here help with this (and if not, where could I go for
> assistance)? selinux-policy-targeted-1.27.1-2.1 does not solve the
> problem.

From the audit messages you posted, I would have expected that:
- a new type would have been assigned to /usr/share/hwdata, and apmd_t would have been allowed to read it.
- tmp_domain(apmd_t) would have been added to enable it to create its own temporary files under /tmp without disturbing anyone else's temporary files.

Looking at the latest rawhide targeted policy (1.27.1-5), it looks like the tmp_domain() has been added, it has been directly allowed to read usr_t (which I would have preferred not doing) and it has been made unconfined in targeted policy (which seems overkill). So I would expect your scripts to work just fine with that policy, even though I'd still favor adding a new type for /usr/share/hwdata and not making apmd_t completely unconfined.

-- 
Stephen Smalley
National Security Agency

From mjs at ces.clemson.edu Fri Sep 23 20:48:55 2005
From: mjs at ces.clemson.edu (Matthew Saltzman)
Date: Fri, 23 Sep 2005 16:48:55 -0400 (EDT)
Subject: Problem after installing selinux-policy-targeted-1.27.1-2.1.noarch.rpm

I ran up2date to get selinux-policy-targeted-1.27.1-2.1.noarch.rpm. up2date hung for a very long time at the end of the installation, so finally, I killed it. At that point, I had two versions of selinux-policy-targeted installed. Verifying each showed that all the files were correct for the new version. But just to be safe (oops), I deleted both and tried to reinstall selinux-policy-targeted-1.27.1-2.1.noarch.rpm.

Running up2date now produces:

# up2date
Could not set exec context to root:sysadm_r:rpm_t.

and fails to run. After setenforce 0, I still get the message and up2date runs.

Forcing a reinstall of selinux-policy-targeted-1.27.1-2.1.noarch.rpm has no effect. Rebooting has no effect. Relabeling on reboot has no effect. (Actually, after relabeling, rpm --verify produces

# rpm --verify selinux-policy-targeted
S.5....T. /etc/selinux/targeted/contexts/files/file_contexts.homedirs
)

So far, other things appear to work normally, but up2date does not work.

How can I fix this?

Thanks.

Messages in audit.log are:

type=USER_AUTH msg=audit(1127508331.874:1624469): user pid=3328 uid=0 auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? result=Success)'
type=USER_ACCT msg=audit(1127508331.874:1624478): user pid=3328 uid=0 auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? result=Success)'
type=USER_START msg=audit(1127508331.884:1626823): user pid=3328 uid=0 auid=4294967295 msg='PAM session open: user=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? result=Success)'
type=USER_END msg=audit(1127508331.901:1627077): user pid=3328 uid=0 auid=4294967295 msg='PAM session close: user=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? result=Success)'

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

From ktl at bornet.net Fri Sep 23 21:11:16 2005
From: ktl at bornet.net (Tomas Larsson)
Date: Fri, 23 Sep 2005 23:11:16 +0200
Subject: Selinux is denying webalizer

Selinux is denying webalizer one logfile.

I want webalizer to make a report of vsftpd.log, but selinux is denying webalizer access to the file, what to do?

Webalizer is run as a cronjob as root.

A snip from auth.log

type=PATH msg=audit(1127509217.604:11185427): item=0 name="webalizer.conf" flags=401 inode=32641 dev=fd:00 mode=042777 ouid=0 ogid=0 rdev=00:00
type=CRED_DISP msg=audit(1127509222.415:11193091): user pid=29417 uid=0 auid=0 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=USER_END msg=audit(1127509222.416:11193110): user pid=29417 uid=0 auid=0 msg='PAM session close: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=AVC msg=audit(1127509223.373:11195697): avc: denied { search } for pid=29635 comm="webalizer" name="root" dev=dm-0 ino=32641 scontext=root:system_r:webalizer_t tcontext=root:object_r:user_home_dir_t tclass=dir
type=SYSCALL msg=audit(1127509223.373:11195697): arch=40000003 syscall=33 success=no exit=-13 a0=8060468 a1=0 a2=4a3ff4 a3=80617f0 items=1 pid=29635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="webalizer" exe="/usr/bin/webalizer"
type=CWD msg=audit(1127509223.373:11195697): cwd="/root"
type=PATH msg=audit(1127509223.373:11195697): item=0 name="webalizer.conf" flags=401 inode=32641 dev=fd:00 mode=042777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127509223.410:11195998): avc: denied { search } for pid=29637 comm="webalizer" name="root" dev=dm-0 ino=32641 scontext=root:system_r:webalizer_t tcontext=root:object_r:user_home_dir_t tclass=dir
type=SYSCALL msg=audit(1127509223.410:11195998): arch=40000003 syscall=33 success=no exit=-13 a0=8060468 a1=0 a2=2fcff4 a3=80617f0 items=1 pid=29637 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="webalizer" exe="/usr/bin/webalizer"
type=CWD msg=audit(1127509223.410:11195998): cwd="/root"
type=PATH msg=audit(1127509223.410:11195998): item=0 name="webalizer.conf" flags=401 inode=32641 dev=fd:00 mode=042777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127509223.413:11196024): avc: denied { read } for pid=29637 comm="webalizer" name="vsftpd.log" dev=dm-0 ino=1143800 scontext=root:system_r:webalizer_t tcontext=system_u:object_r:xferlog_t tclass=file
type=SYSCALL msg=audit(1127509223.413:11196024): arch=40000003 syscall=5 success=no exit=-13 a0=8f6ff78 a1=8000 a2=1b6 a3=8f6f060 items=1 pid=29637 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="webalizer" exe="/usr/bin/webalizer"
type=CWD msg=audit(1127509223.413:11196024): cwd="/root"
type=PATH msg=audit(1127509223.413:11196024): item=0 name="/var/log/vsftpd.log" flags=101 inode=1143800 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=CRED_DISP msg=audit(1127509224.298:11197719): user pid=29420 uid=0 auid=0 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=USER_END msg=audit(1127509224.299:11197742): user pid=29420 uid=0 auid=0 msg='PAM session close: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=USER_ACCT msg=audit(1127509261.312:11221084): user pid=29715 uid=0 auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=LOGIN msg=audit(1127509261.314:11221153): login pid=29715 uid=0 old auid=4294967295 new auid=0
type=USER_START msg=audit(1127509261.314:11221159): user pid=29715 uid=0 auid=0 msg='PAM session open: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=CRED_ACQ msg=audit(1127509261.314:11221168): user pid=29715 uid=0 auid=0 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=CRED_DISP msg=audit(1127509261.328:11221481): user pid=29715 uid=0 auid=0 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=USER_END msg=audit(1127509261.329:11221500): user pid=29715 uid=0 auid=0 msg='PAM session close: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'

With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem

From dwalsh at redhat.com Fri Sep 23 21:17:27 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 23 Sep 2005 17:17:27 -0400
Subject: Problem after installing selinux-policy-targeted-1.27.1-2.1.noarch.rpm
Message-ID: <433470E7.4010209@redhat.com>

Matthew Saltzman wrote:
> I ran up2date to get selinux-policy-targeted-1.27.1-2.1.noarch.rpm.
> up2date hung for a very long time at the end of the installation, so
> finally, I killed it. At that point, I had two versions of
> selinux-policy-targeted installed. Verifying each showed that all the
> files were correct for the new version. But just to be safe (oops), I
> deleted both and tried to reinstall
> selinux-policy-targeted-1.27.1-2.1.noarch.rpm.
>
> Running up2date now produces:
>
> # up2date
> Could not set exec context to root:sysadm_r:rpm_t.

I am updating the policy to put this role back in. Will /usr/sbin/up2date work?

>
> and fails to run. After setenforce 0, I still get the message and
> up2date runs.
>
> Forcing a reinstall of selinux-policy-targeted-1.27.1-2.1.noarch.rpm
> has no effect. Rebooting has no effect. Relabeling on reboot has no
> effect.
> (Actually, after relabeling, rpm --verify produces
>
> # rpm --verify selinux-policy-targeted
> S.5....T. /etc/selinux/targeted/contexts/files/file_contexts.homedirs
> )
>
> So far, other things appear to work normally, but up2date does not work.
>
> How can I fix this?
>
> Thanks.
>
> Messages in audit.log are:
>
> type=USER_AUTH msg=audit(1127508331.874:1624469): user pid=3328 uid=0 auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? result=Success)'
> type=USER_ACCT msg=audit(1127508331.874:1624478): user pid=3328 uid=0 auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? result=Success)'
> type=USER_START msg=audit(1127508331.884:1626823): user pid=3328 uid=0 auid=4294967295 msg='PAM session open: user=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? result=Success)'
> type=USER_END msg=audit(1127508331.901:1627077): user pid=3328 uid=0 auid=4294967295 msg='PAM session close: user=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? result=Success)'
>
-- 

From mjs at ces.clemson.edu Fri Sep 23 21:20:13 2005
From: mjs at ces.clemson.edu (Matthew Saltzman)
Date: Fri, 23 Sep 2005 17:20:13 -0400 (EDT)
Subject: Problem after installing selinux-policy-targeted-1.27.1-2.1.noarch.rpm
In-Reply-To: <433470E7.4010209@redhat.com>
References: <433470E7.4010209@redhat.com>

On Fri, 23 Sep 2005, Daniel J Walsh wrote:

> Matthew Saltzman wrote:
>
>> I ran up2date to get selinux-policy-targeted-1.27.1-2.1.noarch.rpm. up2date
>> hung for a very long time at the end of the installation, so finally, I
>> killed it. At that point, I had two versions of selinux-policy-targeted
>> installed. Verifying each showed that all the files were correct for the
>> new version. But just to be safe (oops), I deleted both and tried to
>> reinstall
>> selinux-policy-targeted-1.27.1-2.1.noarch.rpm.
>>
>> Running up2date now produces:
>>
>> # up2date
>> Could not set exec context to root:sysadm_r:rpm_t.
>
> I am updating the policy to put this role back in. Will /usr/sbin/up2date
> work?

Yes, as long as I become root first.

>
>>
>> and fails to run. After setenforce 0, I still get the message and up2date
>> runs.
>>
>> Forcing a reinstall of selinux-policy-targeted-1.27.1-2.1.noarch.rpm has no
>> effect. Rebooting has no effect. Relabeling on reboot has no effect.
>> (Actually, after relabeling, rpm --verify produces
>>
>> # rpm --verify selinux-policy-targeted
>> S.5....T. /etc/selinux/targeted/contexts/files/file_contexts.homedirs
>> )
>>
>> So far, other things appear to work normally, but up2date does not work.
>>
>> How can I fix this?
>>
>> Thanks.
>>
>> Messages in audit.log are:
>>
>> type=USER_AUTH msg=audit(1127508331.874:1624469): user pid=3328 uid=0 auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? result=Success)'
>> type=USER_ACCT msg=audit(1127508331.874:1624478): user pid=3328 uid=0 auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? result=Success)'
>> type=USER_START msg=audit(1127508331.884:1626823): user pid=3328 uid=0 auid=4294967295 msg='PAM session open: user=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? result=Success)'
>> type=USER_END msg=audit(1127508331.901:1627077): user pid=3328 uid=0 auid=4294967295 msg='PAM session close: user=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? result=Success)'
>>
>
>

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

From dwalsh at redhat.com Fri Sep 23 21:23:46 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 23 Sep 2005 17:23:46 -0400
Subject: Selinux is denying webalizer
Message-ID: <43347262.4080400@redhat.com>

Tomas Larsson wrote:
>Selinux is denying webalizer one logfile.
>
>I want webalizer to make a report of vsftpd.log, but selinux is denying
>webalizer access to the file, what to do?
>
>Webalizer is run as a cronjob as root.
>
>A snip from auth.log
>
>type=PATH msg=audit(1127509217.604:11185427): item=0 name="webalizer.conf" flags=401 inode=32641 dev=fd:00 mode=042777 ouid=0 ogid=0 rdev=00:00
>type=CRED_DISP msg=audit(1127509222.415:11193091): user pid=29417 uid=0 auid=0 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
>type=USER_END msg=audit(1127509222.416:11193110): user pid=29417 uid=0 auid=0 msg='PAM session close: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
>type=AVC msg=audit(1127509223.373:11195697): avc: denied { search } for pid=29635 comm="webalizer" name="root" dev=dm-0 ino=32641 scontext=root:system_r:webalizer_t tcontext=root:object_r:user_home_dir_t tclass=dir
>type=SYSCALL msg=audit(1127509223.373:11195697): arch=40000003 syscall=33 success=no exit=-13 a0=8060468 a1=0 a2=4a3ff4 a3=80617f0 items=1 pid=29635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="webalizer" exe="/usr/bin/webalizer"
>type=CWD msg=audit(1127509223.373:11195697): cwd="/root"
>type=PATH msg=audit(1127509223.373:11195697): item=0 name="webalizer.conf" flags=401 inode=32641 dev=fd:00 mode=042777 ouid=0 ogid=0 rdev=00:00
>type=AVC msg=audit(1127509223.410:11195998): avc: denied { search } for pid=29637 comm="webalizer" name="root" dev=dm-0 ino=32641 scontext=root:system_r:webalizer_t tcontext=root:object_r:user_home_dir_t tclass=dir
>type=SYSCALL msg=audit(1127509223.410:11195998): arch=40000003 syscall=33 success=no exit=-13 a0=8060468 a1=0 a2=2fcff4 a3=80617f0 items=1 pid=29637 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="webalizer" exe="/usr/bin/webalizer"
>type=CWD msg=audit(1127509223.410:11195998): cwd="/root"
>type=PATH msg=audit(1127509223.410:11195998): item=0 name="webalizer.conf" flags=401 inode=32641 dev=fd:00 mode=042777 ouid=0 ogid=0 rdev=00:00
>type=AVC msg=audit(1127509223.413:11196024): avc: denied { read } for pid=29637 comm="webalizer" name="vsftpd.log" dev=dm-0 ino=1143800 scontext=root:system_r:webalizer_t tcontext=system_u:object_r:xferlog_t tclass=file
>type=SYSCALL msg=audit(1127509223.413:11196024): arch=40000003 syscall=5 success=no exit=-13 a0=8f6ff78 a1=8000 a2=1b6 a3=8f6f060 items=1 pid=29637 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="webalizer" exe="/usr/bin/webalizer"
>type=CWD msg=audit(1127509223.413:11196024): cwd="/root"
>type=PATH msg=audit(1127509223.413:11196024): item=0 name="/var/log/vsftpd.log" flags=101 inode=1143800 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
>type=CRED_DISP msg=audit(1127509224.298:11197719): user pid=29420 uid=0 auid=0 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
>type=USER_END msg=audit(1127509224.299:11197742): user pid=29420 uid=0 auid=0 msg='PAM session close: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
>type=USER_ACCT msg=audit(1127509261.312:11221084): user pid=29715 uid=0 auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
>type=LOGIN msg=audit(1127509261.314:11221153): login pid=29715 uid=0 old auid=4294967295 new auid=0
>type=USER_START msg=audit(1127509261.314:11221159): user pid=29715 uid=0 auid=0 msg='PAM session open: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
>type=CRED_ACQ msg=audit(1127509261.314:11221168): user pid=29715 uid=0 auid=0 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
>type=CRED_DISP msg=audit(1127509261.328:11221481): user pid=29715 uid=0 auid=0 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
>type=USER_END msg=audit(1127509261.329:11221500): user pid=29715 uid=0 auid=0 msg='PAM session close: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
>
>
>With best regards
>
>Tomas Larsson
>Sweden
>
>Verus Amicus Est Tamquam Alter Idem
>
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
That seems legitimate. I will add to policy.

-- 

From ktl at bornet.net Fri Sep 23 21:40:18 2005
From: ktl at bornet.net (Tomas Larsson)
Date: Fri, 23 Sep 2005 23:40:18 +0200
Subject: Selinux is denying webalizer
In-Reply-To: <43347262.4080400@redhat.com>

With best regards

> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> Sent: Friday, September 23, 2005 11:24 PM
> To: Tomas Larsson
> Cc: fedora-selinux-list at redhat.com
> Subject: Re: Selinux is denying webalizer
>
>
> Tomas Larsson wrote:
>
> >Selinux is denying webalizer one logfile.
> >
> >I want webalizer to make a report of vsftpd.log, but selinux is
> >denying webalizer access to the file, what to do?
> >
> >Webalizer is run as a cronjob as root.
> >
> >A snip from auth.log

A big cut -----------
From the original post

> >With best regards
> >
> >Tomas Larsson
> >Sweden
> >
> >Verus Amicus Est Tamquam Alter Idem
> >
> >
> >--
> >fedora-selinux-list mailing list fedora-selinux-list at redhat.com
> >https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> >
> That seems legitimate. I will add to policy.
>
> --

Yeh, but how do I solve it??

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem

From russell at coker.com.au Sat Sep 24 07:06:33 2005
From: russell at coker.com.au (Russell Coker)
Date: Sat, 24 Sep 2005 17:06:33 +1000
Subject: kickstart install of rawhide with SE Linux MCS policy
Message-ID: <200509241706.42713.russell@coker.com.au>

As you have probably noticed there are kudzu dependencies that make upgrading a machine to rawhide a PITA. As an easy method of installing a MCS machine I've created a kick-start config for it.

Firstly you have to have a kickstart server (have copied all FC4 files to the server and made suitable configuration to the DHCP server or whatever - neither of these lists is appropriate for the details of kick-start configuration so I won't try to explain).

The file ks.cfg refers to "SERV" which should be replaced by the IP address of the NFS and web server used.

The file archive.tgz (attached) needs to be on the web server (modifying ks.cfg to have it use an NFS server instead is easy enough).

The file rpms.tar referenced in the ks.cfg file needs to contain the following packages from rawhide (or newer versions if available).

checkpolicy-1.27.1-1.i386.rpm
glibc-2.3.90-12.i686.rpm
glibc-common-2.3.90-12.i386.rpm
glibc-devel-2.3.90-12.i386.rpm
glibc-headers-2.3.90-12.i386.rpm
hwdata-0.169-1.noarch.rpm
iptables-1.3.2-1.i386.rpm
kernel-2.6.13-1.1567_FC5.i686.rpm
kudzu-1.2.7-1.i386.rpm
libselinux-1.26-6.i386.rpm
libselinux-devel-1.26-6.i386.rpm
libsemanage-1.3.2-1.i386.rpm
libsepol-1.9.4-1.i386.rpm
libsetrans-0.1.7-1.i386.rpm
mkinitrd-4.2.21-1.i386.rpm
module-init-tools-3.2-0.pre7.3.i386.rpm
policycoreutils-1.27.1-1.i386.rpm
procps-3.2.5-7.i386.rpm
selinux-policy-strict-1.27.1-5.noarch.rpm
selinux-policy-strict-sources-1.27.1-5.noarch.rpm
selinux-policy-targeted-1.27.1-4.noarch.rpm
selinux-policy-targeted-sources-1.27.1-4.noarch.rpm
udev-069-3.i386.rpm

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ks.cfg.gz
Type: application/x-gzip
Size: 1064 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: archive.tgz
Type: application/x-tgz
Size: 1757 bytes

From mjs at ces.clemson.edu Sat Sep 24 16:14:58 2005
From: mjs at ces.clemson.edu (Matthew Saltzman)
Date: Sat, 24 Sep 2005 12:14:58 -0400 (EDT)
Subject: acpid
In-Reply-To: <1127506949.27851.107.camel@moss-spartans.epoch.ncsc.mil>
References: <1127506949.27851.107.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 23 Sep 2005, Stephen Smalley wrote:

> On Fri, 2005-09-23 at 16:09 -0400, Matthew Saltzman wrote:
>> Can nobody here help with this (and if not, where could I go for
>> assistance)? selinux-policy-targeted-1.27.1-2.1 does not solve the
>> problem.

It also appears that there is a regression in acpid's ability to write log files. My suspend script writes battery usage stats to /var/log/battery.log. Since the most recent update, access to that file is denied. Several records like this appear in audit.log:

type=AVC msg=audit(1127578352.719:7582708): avc: denied { append } for pid=3860 comm="thinkpad-T4x-su" name="battery.log" dev=dm-0 ino=910036 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:var_log_t tclass=file

>
>> From the audit messages you posted, I would have expected that:
> - a new type would have been assigned to /usr/share/hwdata, and apmd_t
> would have been allowed to read it.
> - tmp_domain(apmd_t) would have been added to enable it to create its
> own temporary files under /tmp without disturbing anyone else's
> temporary files.
>
> Looking at the latest rawhide targeted policy (1.27.1-5), it looks like
> the tmp_domain() has been added, it has been directly allowed to read
> usr_t (which I would have preferred not doing) and it has been made
> unconfined in targeted policy (which seems overkill). So I would expect
> your scripts to work just fine with that policy, even though I'd still
> favor adding a new type for /usr/share/hwdata and not making apmd_t
> completely unconfined.
>

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

From selinux at gmail.com Sat Sep 24 18:30:11 2005
From: selinux at gmail.com (Tom London)
Date: Sat, 24 Sep 2005 11:30:11 -0700
Subject: Mozilla needs to create lock (link) file
Message-ID: <4c4ba153050924113022d512fe@mail.gmail.com>

Running strict enforcing, latest rawhide.

Mozilla wants to create a lock/link file:

type=AVC msg=audit(1127586026.834:4165): avc: denied { create } for pid=3407 comm="firefox-bin" name="lock" scontext=tbl:staff_r:staff_mozilla_t:s0 tcontext=tbl:object_r:staff_untrusted_content_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1127586026.834:4165): arch=40000003 syscall=83 success=yes exit=0 a0=9d800d0 a1=9d7fd68 a2=8067d00 a3=0 items=2 pid=3407 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib/firefox-1.5/firefox-bin"
type=CWD msg=audit(1127586026.834:4165): cwd="/home/tbl"
type=PATH msg=audit(1127586026.834:4165): item=0 name="127.0.0.1:+3407" flags=101
type=PATH msg=audit(1127586026.834:4165): item=1 name="/home/tbl/.mozilla/firefox/yz68q13i.default/lock" flags=10 inode=2786580 dev=03:02 mode=040700 ouid=500 ogid=500 rdev=00:00

allow staff_mozilla_t staff_untrusted_content_t:lnk_file create;

Not sure which macro needs to be fiddled.....

tom
-- 
Tom London

From ivg2 at cornell.edu Sat Sep 24 19:16:08 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Sat, 24 Sep 2005 15:16:08 -0400
Subject: Mozilla needs to create lock (link) file
In-Reply-To: <4c4ba153050924113022d512fe@mail.gmail.com>
References: <4c4ba153050924113022d512fe@mail.gmail.com>
Message-ID: <4335A5F8.9060001@cornell.edu>

Tom London wrote:
>Running strict enforcing, latest rawhide.
>
>Mozilla wants to create a lock/link file:
>type=AVC msg=audit(1127586026.834:4165): avc: denied { create } for pid=3407 comm="firefox-bin" name="lock" scontext=tbl:staff_r:staff_mozilla_t:s0 tcontext=tbl:object_r:staff_untrusted_content_t:s0 tclass=lnk_file
>type=SYSCALL msg=audit(1127586026.834:4165): arch=40000003 syscall=83 success=yes exit=0 a0=9d800d0 a1=9d7fd68 a2=8067d00 a3=0 items=2 pid=3407 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib/firefox-1.5/firefox-bin"
>type=CWD msg=audit(1127586026.834:4165): cwd="/home/tbl"
>type=PATH msg=audit(1127586026.834:4165): item=0 name="127.0.0.1:+3407" flags=101
>type=PATH msg=audit(1127586026.834:4165): item=1 name="/home/tbl/.mozilla/firefox/yz68q13i.default/lock" flags=10 inode=2786580 dev=03:02 mode=040700 ouid=500 ogid=500 rdev=00:00
>
>allow staff_mozilla_t staff_untrusted_content_t:lnk_file create;
>
>
>
What's the type of /home/tbl/.mozilla? It should be staff_mozilla_home_t (as well as the type of anything down to the lock level). There's a profile script that's supposed to relabel it otherwise.

From selinux at gmail.com Sat Sep 24 21:27:19 2005
From: selinux at gmail.com (Tom London)
Date: Sat, 24 Sep 2005 14:27:19 -0700
Subject: Mozilla needs to create lock (link) file
In-Reply-To: <4335A5F8.9060001@cornell.edu>
References: <4c4ba153050924113022d512fe@mail.gmail.com> <4335A5F8.9060001@cornell.edu>
Message-ID: <4c4ba15305092414273880f8f7@mail.gmail.com>

On 9/24/05, Ivan Gyurdiev wrote:
> Tom London wrote:
>
> >Running strict enforcing, latest rawhide.
> >
> >Mozilla wants to create a lock/link file:
> >type=AVC msg=audit(1127586026.834:4165): avc: denied { create } for pid=3407 comm="firefox-bin" name="lock" scontext=tbl:staff_r:staff_mozilla_t:s0 tcontext=tbl:object_r:staff_untrusted_content_t:s0 tclass=lnk_file
> >type=SYSCALL msg=audit(1127586026.834:4165): arch=40000003 syscall=83 success=yes exit=0 a0=9d800d0 a1=9d7fd68 a2=8067d00 a3=0 items=2 pid=3407 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib/firefox-1.5/firefox-bin"
> >type=CWD msg=audit(1127586026.834:4165): cwd="/home/tbl"
> >type=PATH msg=audit(1127586026.834:4165): item=0 name="127.0.0.1:+3407" flags=101
> >type=PATH msg=audit(1127586026.834:4165): item=1 name="/home/tbl/.mozilla/firefox/yz68q13i.default/lock" flags=10 inode=2786580 dev=03:02 mode=040700 ouid=500 ogid=500 rdev=00:00
> >
> >allow staff_mozilla_t staff_untrusted_content_t:lnk_file create;
> >
> >
> >
> What's the type of /home/tbl/.mozilla? It should be staff_mozilla_home_t
> (as well as the type of anything down to the lock level). There's a
> profile script
> that's supposed to relabel it otherwise.
>

Nope.

[tbl at fedora firefox]$ ls -ldZ /home/tbl/.mozilla
drwx------ tbl tbl tbl:object_r:staff_untrusted_content_t /home/tbl/.mozilla
[tbl at fedora firefox]$ ls -ldZ /home/tbl/.mozilla/firefox
drwx------ tbl tbl tbl:object_r:staff_untrusted_content_t /home/tbl/.mozilla/firefox
[tbl at fedora firefox]$ ls -ldZ /home/tbl/.mozilla/firefox/*default
drwx------ tbl tbl tbl:object_r:staff_untrusted_content_t /home/tbl/.mozilla/firefox/yz68q13i.default
[tbl at fedora firefox]$

'restorecon -v -R /home/tbl' returns with no output.

Which script?

tom
-- 
Tom London

From rhally at mindspring.com Sat Sep 24 23:39:18 2005
From: rhally at mindspring.com (Richard Hally) Date: Sat, 24 Sep 2005 19:39:18 -0400 Subject: Mozilla needs to create lock (link) file In-Reply-To: <4c4ba15305092414273880f8f7@mail.gmail.com> References: <4c4ba153050924113022d512fe@mail.gmail.com> <4335A5F8.9060001@cornell.edu> <4c4ba15305092414273880f8f7@mail.gmail.com> Message-ID: <4335E3A6.2030208@mindspring.com> Tom London wrote: > On 9/24/05, Ivan Gyurdiev wrote: > >>Tom London wrote: >> >> >>>Running strict enforcing, latest rawhide. >>> >>>Mozilla wants to create a lock/link file: >>>type=AVC msg=audit(1127586026.834:4165): avc: denied { create } for >>>pid=3407 comm="firefox-bin" name="lock" >>>scontext=tbl:staff_r:staff_mozilla_t:s0 >>>tcontext=tbl:object_r:staff_untrusted_content_t:s0 tclass=lnk_file >>>type=SYSCALL msg=audit(1127586026.834:4165): arch=40000003 syscall=83 >>>success=yes exit=0 a0=9d800d0 a1=9d7fd68 a2=8067d00 a3=0 items=2 >>>pid=3407 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 >>>egid=500 sgid=500 fsgid=500 comm="firefox-bin" >>>exe="/usr/lib/firefox-1.5/firefox-bin" >>>type=CWD msg=audit(1127586026.834:4165): cwd="/home/tbl" >>>type=PATH msg=audit(1127586026.834:4165): item=0 >>>name="127.0.0.1:+3407" flags=101 >>>type=PATH msg=audit(1127586026.834:4165): item=1 >>>name="/home/tbl/.mozilla/firefox/yz68q13i.default/lock" flags=10 >>>inode=2786580 dev=03:02 mode=040700 ouid=500 ogid=500 rdev=00:00 >>> >>>allow staff_mozilla_t staff_untrusted_content_t:lnk_file create; >>> >>> >>> >> >>What's the type of /home/tbl/.mozilla? It should be staff_mozilla_home_t >>(as well as the type of anything down to the lock level). There's a >>profile script >>that's supposed to relabel it otherwise. >> > > Nope. 
>
> [tbl at fedora firefox]$ ls -ldZ /home/tbl/.mozilla
> drwx------  tbl tbl tbl:object_r:staff_untrusted_content_t /home/tbl/.mozilla
> [tbl at fedora firefox]$ ls -ldZ /home/tbl/.mozilla/firefox
> drwx------  tbl tbl tbl:object_r:staff_untrusted_content_t /home/tbl/.mozilla/firefox
> [tbl at fedora firefox]$ ls -ldZ /home/tbl/.mozilla/firefox/*default
> drwx------  tbl tbl tbl:object_r:staff_untrusted_content_t /home/tbl/.mozilla/firefox/yz68q13i.default
> [tbl at fedora firefox]$
>
> 'restorecon -v -R /home/tbl' returns with no output.
>
> Which script?
>
> tom
> --
> Tom London
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

I'm also running rawhide with the strict policy and most of the time firefox will not start. I say most of the time because if I reboot with autorelabel FF will start ok, but then if I reboot again without the autorelabel FF will NOT start. (fixfiles relabel does not clear the problem.) There is an AVC denied for { execmon } comm="firefox-bin" name="libxpcom_core.so" scontext=richard:staff_r:staff_mozilla_t:s0-s0:c0.c127 tcontext=system_u:object_r:shlib_t:s0 tclass=file

However, sestatus shows allow_{execmem,execmod,execstack} active!

??
Richard Hally

From matt.baluyos.lists at gmail.com Sun Sep 25 00:07:18 2005
From: matt.baluyos.lists at gmail.com (Matt Arnilo S. Baluyos (Mailing Lists))
Date: Sun, 25 Sep 2005 08:07:18 +0800
Subject: "avc denied" on mounted ISO image for HTTP install
Message-ID:

Hello everyone,

I'm trying to do a network installation via HTTP install. To save space on my HTTP server, I mounted my ISO images into a publicly-accessible directory under my DocumentRoot.

mount -o loop /backup/iso/centos-4.1/CentOS-4.1-i386-bin1of4.iso /var/www/html/centos-4.1/disc1
mount -o loop /backup/iso/centos-4.1/CentOS-4.1-i386-bin2of4.iso /var/www/html/centos-4.1/disc2
mount -o loop /backup/iso/centos-4.1/CentOS-4.1-i386-bin3of4.iso /var/www/html/centos-4.1/disc3
mount -o loop /backup/iso/centos-4.1/CentOS-4.1-i386-bin4of4.iso /var/www/html/centos-4.1/disc4

Trying to test the installation on a client machine, I get a "403 Forbidden" error whenever I browse http://server/centos-4.1/disc1

So I checked my /var/log/messages and I found these SELinux error logs:

Sep 25 07:47:46 localhost kernel: audit(1127605666.816:0): avc: denied { getattr } for pid=2638 comm=httpd path=/var/www/html/centos-4.1/disc1 dev=loop0 ino=1856 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:iso9660_t tclass=dir

Any ideas on how to solve this? I am admittedly a SELinux newbie.

Best regards,
Matt

--
Stand before it and there is no beginning.
Follow it and there is no end.
Stay with the ancient Tao,
Move with the present.

From i.pilcher at comcast.net Sun Sep 25 13:46:42 2005
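The denial Matt pasted is in the kernel/syslog form; later posts in this archive carry the same kind of record in audit.log form and, for hald, as dbus USER_AVC lines. The script below is an added example written for this page, not code from any poster or from the SELinux tools: it parses all three forms, collapses repeated denials into one candidate allow rule per (source type, target type, object class), which is what audit2allow does at its simplest, and tags each rule with a triage verdict. The GENFS_TYPES set and the verdict labels are the example's own assumptions; the sample log is constructed from lines that appear in this thread.

```python
import re
from collections import defaultdict

# Constructed sample input: denial records copied from posts in this thread,
# covering the three formats seen here: a kernel/syslog line, audit.log
# records (with a non-AVC SYSCALL record mixed in), and a dbus USER_AVC.
SAMPLE_LOG = """\
Sep 25 07:47:46 localhost kernel: audit(1127605666.816:0): avc: denied { getattr } for pid=2638 comm=httpd path=/var/www/html/centos-4.1/disc1 dev=loop0 ino=1856 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:iso9660_t tclass=dir
type=AVC msg=audit(1127679357.877:29): avc: denied { search } for pid=4929 comm="postalias" name="audit" dev=dm-0 ino=1721482 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:auditd_log_t tclass=dir
type=SYSCALL msg=audit(1127679357.877:29): arch=40000003 syscall=195 success=no exit=-13 comm="postalias" exe="/usr/sbin/postalias"
type=AVC msg=audit(1127679357.878:30): avc: denied { search } for pid=4929 comm="postalias" name="audit" dev=dm-0 ino=1721482 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:auditd_log_t tclass=dir
type=AVC msg=audit(1127679358.558:32): avc: denied { name_bind } for pid=4975 comm="master" src=10025 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:amavisd_send_port_t tclass=tcp_socket
Sep 26 06:37:56 localhost dbus: Can't send to audit system: USER_AVC pid=2499 uid=81 loginuid=-1 message=avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.Hal.Manager member=DeviceAdded dest=org.freedesktop.DBus spid=2517 tpid=4585 scontext=system_u:system_r:hald_t tcontext=system_u:system_r:cupsd_config_t tclass=dbus
"""

# The common core of every format: "avc: denied { perm ... } for key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: target types the kernel assigns to a whole
# filesystem (genfs labels). A denial against one of these usually means the
# mount needs a label (mount -o fscontext=... / context=...), not a new rule.
GENFS_TYPES = {"iso9660_t", "nfs_t", "cifs_t", "dosfs_t"}


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one log line; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,
    }


def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def allow_rule(key, perms):
    """Render the candidate TE rule in the form audit2allow prints."""
    source, target, tclass = key
    body = " ".join(sorted(perms))
    if len(perms) > 1:
        body = "{ " + body + " }"
    return f"allow {source} {target}:{tclass} {body};"


def triage(key, perms):
    """Classify a denial: relabel the object, check a port label, or write policy."""
    _, target, tclass = key
    if target in GENFS_TYPES:
        return "relabel"   # e.g. mount -o fscontext=... for a loop-mounted ISO
    if tclass.endswith("_socket") and "name_bind" in perms:
        return "port"      # the port is already labelled for another service
    return "policy"


def report(log_text):
    """Return one (rule, verdict) pair per distinct denial, sorted for stable output."""
    rules = summarize(log_text)
    return [(allow_rule(k, p), triage(k, p)) for k, p in sorted(rules.items())]


if __name__ == "__main__":
    for rule, verdict in report(SAMPLE_LOG):
        print(f"{verdict:8s} {rule}")
```

The triage column exists for Matt's case: a target type such as iso9660_t is assigned by the kernel to the whole mounted filesystem, so the candidate rule `allow httpd_t iso9660_t:dir getattr;` would let httpd read every ISO mounted anywhere on the machine, whereas giving the mount an httpd-readable label keeps the grant scoped to that one mount point.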
From: i.pilcher at comcast.net (Ian Pilcher)
Date: Sun, 25 Sep 2005 08:46:42 -0500
Subject: "avc denied" on mounted ISO image for HTTP install
In-Reply-To:
References:
Message-ID:

Matt Arnilo S. Baluyos (Mailing Lists) wrote:
>
> Sep 25 07:47:46 localhost kernel: audit(1127605666.816:0): avc: denied { getattr } for pid=2638 comm=httpd path=/var/www/html/centos-4.1/disc1 dev=loop0 ino=1856 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:iso9660_t tclass=dir
>

mount -o ro,loop,fscontext=system_u:object_r:httpd_sys_content_t ...

--
========================================================================
Ian Pilcher                                        i.pilcher at comcast.net
========================================================================

From selinux at gmail.com Sun Sep 25 17:40:22 2005
From: selinux at gmail.com (Tom London)
Date: Sun, 25 Sep 2005 10:40:22 -0700
Subject: Mozilla needs to create lock (link) file
In-Reply-To: <4335E3A6.2030208@mindspring.com>
References: <4c4ba153050924113022d512fe@mail.gmail.com> <4335A5F8.9060001@cornell.edu> <4c4ba15305092414273880f8f7@mail.gmail.com> <4335E3A6.2030208@mindspring.com>
Message-ID: <4c4ba1530509251040213969@mail.gmail.com>

On 9/24/05, Richard Hally wrote:
> I'm also running rawhide with the strict policy and most of the time firefox will not start. I say most of the time because if I reboot with autorelabel FF will start ok, but then if I reboot again without the autorelabel FF will NOT start. (fixfiles relabel does not clear the problem.) There is an AVC denied for { execmon } comm="firefox-bin" name="libxpcom_core.so" scontext=richard:staff_r:staff_mozilla_t:s0-s0:c0.c127 tcontext=system_u:object_r:shlib_t:s0 tclass=file
>
> However, sestatus shows allow_{execmem,execmod,execstack} active!
>
> ??
> Richard Hally
>

I believe 'allow_execmod' only enables for texrel_shlib_t.

tom
--
Tom London

From rirving at antient.org Sun Sep 25 18:37:59 2005
From: rirving at antient.org (Richard Irving)
Date: Sun, 25 Sep 2005 13:37:59 -0500
Subject: Latest update has a few holes HEADS UP
In-Reply-To: <4c4ba1530509251040213969@mail.gmail.com>
References: <4c4ba153050924113022d512fe@mail.gmail.com> <4335A5F8.9060001@cornell.edu> <4c4ba15305092414273880f8f7@mail.gmail.com> <4335E3A6.2030208@mindspring.com> <4c4ba1530509251040213969@mail.gmail.com>
Message-ID: <4336EE87.3000208@antient.org>

FC4 latest update for target sources has a few holes...

After applying:

selinux-policy-targeted-sources-1.27.1-2.1
selinux-policy-targeted-1.27.1-2.1

The system could no longer run up2date, emitting error:

Could not set exec context to root:sysadm_r:rpm_t.

An addition to rpm.te of:

role system_r types rpm_t;

and a remake didn't seem to catch the change in rpm.te, as it didn't show the files compiled into the version as the remake ran... ????

Adding the same line to unconfined.te alerted the selinux equivalent to .deps, and all files were recompiled, and the new policy loaded.

It is now in the policy.conf file, but near the beginning. However, still no go....

"Could not set exec context to root:sysadm_r:rpm_t."

the same error.

Finally, adding the line -directly- near the end of policy.conf worked. (line 126,102 near the samba section)

It is a cheap workaround, but it re-enables system user root to run up2date.

I wonder what it is colliding with?

YMMV, and always willing to listen to suggestions.

From rirving at antient.org Sun Sep 25 18:45:10 2005
From: rirving at antient.org (Richard Irving)
Date: Sun, 25 Sep 2005 13:45:10 -0500
Subject: Latest update has a few holes HEADS UP
In-Reply-To: <4336EE87.3000208@antient.org>
References: <4c4ba153050924113022d512fe@mail.gmail.com> <4335A5F8.9060001@cornell.edu> <4c4ba15305092414273880f8f7@mail.gmail.com> <4335E3A6.2030208@mindspring.com> <4c4ba1530509251040213969@mail.gmail.com> <4336EE87.3000208@antient.org>
Message-ID: <4336F036.9010009@antient.org>

Richard Irving wrote:
> FC4 latest update for target sources has a few holes...
>
An additional note: targeted, FC4, X86_64.
> After applying:
> selinux-policy-targeted-sources-1.27.1-2.1
> selinux-policy-targeted-1.27.1-2.1
>
> The system could no longer run up2date.
> emitting error:
>
> Could not set exec context to root:sysadm_r:rpm_t.
>
> An addition to rpm.te of:
>
> role system_r types rpm_t;
>
> And a remake didn't seem to catch the change in rpm.te, as it didn't show the files compiled into the version as the remake ran... ????
>
> Adding the same line to unconfined.te alerted the selinux equivalent to .deps, and all files were recompiled, and the new policy loaded.
>
> It is now in the policy.conf file, but near the beginning.
> However, still no go....
>
> "Could not set exec context to root:sysadm_r:rpm_t."
> the same error.
>
> Finally, adding the line -directly- near the end of policy.conf worked.
> (line 126,102 near the samba section)
>
> It is a cheap workaround, but it re-enables system user root to run up2date.
>
> I wonder what it is colliding with?
>
> YMMV, and always willing to listen to suggestions.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From fedora at grifent.com Sun Sep 25 20:37:17 2005
From: fedora at grifent.com (John Griffiths)
Date: Sun, 25 Sep 2005 16:37:17 -0400
Subject: Postfix email program
Message-ID: <43370A7D.2020208@grifent.com>

We use the Postfix email system and not sendmail.

When selinux is in permissive mode, postfix will start. When selinux is enforcing with selinux-policy-targeted-1.27.1-2.1, it does not start.

These are the entries to audit.log when trying to start postfix with selinux enforcing.

type=AVC msg=audit(1127679357.877:29): avc: denied { search } for pid=4929 comm="postalias" name="audit" dev=dm-0 ino=1721482 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:auditd_log_t tclass=dir
type=SYSCALL msg=audit(1127679357.877:29): arch=40000003 syscall=195 success=no exit=-13 a0=9498cc0 a1=bfbdd26c a2=496ff4 a3=64 items=1 pid=4929 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1127679357.877:29): cwd="/var/log/audit"
type=PATH msg=audit(1127679357.877:29): item=0 name="DB_CONFIG" flags=1 inode=1721482 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127679357.878:30): avc: denied { search } for pid=4929 comm="postalias" name="audit" dev=dm-0 ino=1721482 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:auditd_log_t tclass=dir
type=SYSCALL msg=audit(1127679357.878:30): arch=40000003 syscall=5 success=no exit=-13 a0=9498cc0 a1=8000 a2=1b6 a3=9498ce8 items=1 pid=4929 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1127679357.878:30): cwd="/var/log/audit"
type=PATH msg=audit(1127679357.878:30): item=0 name="DB_CONFIG" flags=101 inode=1721482 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127679357.878:31): avc: denied { search } for pid=4929 comm="postalias" name="audit" dev=dm-0 ino=1721482 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:auditd_log_t tclass=dir
type=SYSCALL msg=audit(1127679357.878:31): arch=40000003 syscall=195 success=no exit=-13 a0=9498f08 a1=bfbdd2fc a2=496ff4 a3=64 items=1 pid=4929 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1127679357.878:31): cwd="/var/log/audit"
type=PATH msg=audit(1127679357.878:31): item=0 name="__db.002" flags=1 inode=1721482 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127679358.558:32): avc: denied { name_bind } for pid=4975 comm="master" src=10025 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:amavisd_send_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1127679358.558:32): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfe36550 a2=8065228 a3=bfe365c4 items=0 pid=4975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="master" exe="/usr/libexec/postfix/master"
type=SOCKADDR msg=audit(1127679358.558:32): saddr=020027297F0000010000000000000000
type=SOCKETCALL msg=audit(1127679358.558:32): nargs=3 a0=50 a1=923c3b8 a2=10

I still do not know enough about selinux to know if I can relabel something or if this needs a new policy.

Thanks in advance for all help.

John

From aaznar at zitralia.com Mon Sep 26 10:31:51 2005
From: aaznar at zitralia.com (Armando Aznar)
Date: Mon, 26 Sep 2005 12:31:51 +0200
Subject: Problems creating a user
Message-ID: <1127730711.3477.1.camel@localhost.localdomain>

Hello, I want to do various security tests with selinux.

I have enabled the targeted policy, so all the users run with the user "user_u" (then all the users have all the permissions in SELinux).

How could I create a user who runs with the user "system_u" so this user doesn't have all the permissions?

Thanxx in advance

From selinux at gmail.com Mon Sep 26 13:51:25 2005
From: selinux at gmail.com (Tom London)
Date: Mon, 26 Sep 2005 06:51:25 -0700
Subject: Inserting USB printer: hald_t cupsd_config_t:dbus
Message-ID: <4c4ba15305092606516f64f1b2@mail.gmail.com>

Running targeted/enforcing, latest rawhide.

Inserting a USB printer produces the following AVCs in /var/log/messages (not audit.log):

Sep 26 06:37:55 localhost kernel: usb 2-1: new full speed USB device using uhci_hcd and address 5
Sep 26 06:37:55 localhost kernel: drivers/usb/class/usblp.c: usblp0: USB Bidirectional printer dev 5 if 0 alt 1 proto 2 vid 0x03F0 pid 0x1E11
Sep 26 06:37:56 localhost dbus: Can't send to audit system: USER_AVC pid=2499 uid=81 loginuid=-1 message=avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.Hal.Manager member=DeviceRemoved dest=org.freedesktop.DBus spid=2517 tpid=4585 scontext=system_u:system_r:hald_t tcontext=system_u:system_r:cupsd_config_t tclass=dbus
Sep 26 06:37:56 localhost dbus: Can't send to audit system: USER_AVC pid=2499 uid=81 loginuid=-1 message=avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.Hal.Manager member=DeviceRemoved dest=org.freedesktop.DBus spid=2517 tpid=4585 scontext=system_u:system_r:hald_t tcontext=system_u:system_r:cupsd_config_t tclass=dbus
Sep 26 06:37:56 localhost dbus: Can't send to audit system: USER_AVC pid=2499 uid=81 loginuid=-1 message=avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.Hal.Manager member=DeviceRemoved dest=org.freedesktop.DBus spid=2517 tpid=4585 scontext=system_u:system_r:hald_t tcontext=system_u:system_r:cupsd_config_t tclass=dbus
Sep 26 06:37:56 localhost dbus: Can't send to audit system: USER_AVC pid=2499 uid=81 loginuid=-1 message=avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.Hal.Manager member=DeviceAdded dest=org.freedesktop.DBus spid=2517 tpid=4585 scontext=system_u:system_r:hald_t tcontext=system_u:system_r:cupsd_config_t tclass=dbus
Sep 26 06:37:56 localhost dbus: Can't send to audit system: USER_AVC pid=2499 uid=81 loginuid=-1 message=avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.Hal.Manager member=DeviceAdded dest=org.freedesktop.DBus spid=2517 tpid=4585 scontext=system_u:system_r:hald_t tcontext=system_u:system_r:cupsd_config_t tclass=dbus

This patch make sense?

tom

--- cups.te.save	2005-09-26 06:47:18.000000000 -0700
+++ cups.te	2005-09-26 06:47:44.000000000 -0700
@@ -263,7 +263,7 @@
 ifdef(`dbusd.te', `
 allow cupsd_t hald_t:dbus send_msg;
 allow cupsd_config_t hald_t:dbus send_msg;
-allow hald_t cupsd_t:dbus send_msg;
+allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
 ')dnl end if dbusd.te
 
 allow hald_t cupsd_config_t:process signal;

--
Tom London

From selinux at gmail.com Mon Sep 26 14:46:46 2005
From: selinux at gmail.com (Tom London)
Date: Mon, 26 Sep 2005 07:46:46 -0700
Subject: hald_t needs access to hwdata_t ?
Message-ID: <4c4ba15305092607465accd19@mail.gmail.com>

Running targeted/enforcing, rawhide.

Does the following make sense?

tom

--- hald.te.save	2005-09-26 07:35:02.000000000 -0700
+++ hald.te	2005-09-26 07:35:34.000000000 -0700
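Review bot: the replacement rule `allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;` grants exactly what the logged USER_AVCs lack (scontext hald_t, tcontext cupsd_config_t, tclass dbus, permission send_msg) and mirrors the reciprocal `allow cupsd_config_t hald_t:dbus send_msg;` two lines above it, so the scope is right and nothing wider than the denial is opened; the rule stays inside the `ifdef(`dbusd.te'` block, so it is conditional on the same module the existing rules already depend on. One documentation point: a short comment above the rule naming the org.freedesktop.Hal.Manager DeviceAdded/DeviceRemoved signals that trigger it would save the next reader from re-deriving why hald needs to message the cups config daemon rather than only cupsd itself.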
@@ -79,6 +79,7 @@
 tmp_domain(hald)
 allow hald_t mnt_t:dir search;
 r_dir_file(hald_t, proc_net_t)
+r_dir_file(hald_t, hwdata_t)
 
 # For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
 ifdef(`apmd.te', `

Here are the AVCs:

type=AVC msg=audit(1127744849.852:7): avc: denied { search } for pid=2462 comm="hald" name="hwdata" dev=dm-0 ino=130882 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=dir
type=SYSCALL msg=audit(1127744849.852:7): arch=40000003 syscall=5 success=no exit=-13 a0=8077d98 a1=8000 a2=1b6 a3=9759c88 items=1 pid=2462 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hald" exe="/usr/sbin/hald"
type=CWD msg=audit(1127744849.852:7): cwd="/"
type=PATH msg=audit(1127744849.852:7): item=0 name="/usr/share/hwdata/pci.ids" flags=101 inode=130882 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127744849.852:8): avc: denied { search } for pid=2462 comm="hald" name="hwdata" dev=dm-0 ino=130882 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=dir
type=SYSCALL msg=audit(1127744849.852:8): arch=40000003 syscall=5 success=no exit=-13 a0=8077db8 a1=8000 a2=1b6 a3=9759c88 items=1 pid=2462 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hald" exe="/usr/sbin/hald"
type=CWD msg=audit(1127744849.852:8): cwd="/"
type=PATH msg=audit(1127744849.852:8): item=0 name="/usr/share/hwdata/usb.ids" flags=101 inode=130882 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00

--
Tom London

From mickey at mickeyhill.com Mon Sep 26 16:19:23 2005
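Review bot: `r_dir_file(hald_t, hwdata_t)` is the right granularity here, as opposed to a bare `allow hald_t hwdata_t:dir search;` lifted from the AVC. The audit records only show the directory search on /usr/share/hwdata because enforcement stops at the first denial, and the PATH records show hald is on its way to opening pci.ids and usb.ids (syscall=5 is open), so a search-only rule would simply produce the next round of read denials on the files. Placing it next to `r_dir_file(hald_t, proc_net_t)` keeps the read-only grants together; a trailing comment naming pci.ids/usb.ids as the reason would stop the rule from being mistaken for broad /usr/share access later.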
From: mickey at mickeyhill.com (Mickey Hill)
Date: Mon, 26 Sep 2005 11:19:23 -0500
Subject: AWStats
Message-ID: <1127751563.4995.8.camel@host124.murray.rudolphtire.com>

Hi all,

I have installed awstats (an httpd log file analyzer) from Extras and am having some SELinux issues. I've gotten the same results on FC4 and Rawhide, using current packages and unchanged config files. Below are the steps I went through to get it working. Could someone more knowledgeable provide some feedback on this, or point me in the right direction? Is there a better or more correct way to do this? Is this something that could or should be added to the policy?

/usr/share/awstats/wwwroot/cgi-bin/awstats.pl is run as a CGI script by httpd, but is denied.

# ls -Z /usr/share/awstats/wwwroot/cgi-bin/
-rwxr-xr-x  root     root     system_u:object_r:usr_t          awredir.pl
-rwxr-xr-x  root     root     system_u:object_r:usr_t          awstats.pl

Changing the type gets the script running:

# chcon -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin/*
# ls -Z /usr/share/awstats/wwwroot/cgi-bin/
-rwxr-xr-x  root     root     system_u:object_r:httpd_sys_script_exec_t awredir.pl
-rwxr-xr-x  root     root     system_u:object_r:httpd_sys_script_exec_t awstats.pl

However, the script reports an error.

Error: AWStats database directory defined in config file by 'DirData' parameter (/var/lib/awstats) does not exist or is not writable.

# ls -Z /var/lib
...
drwxr-xr-x  root     root     system_u:object_r:var_lib_t      awstats
...

Changing the type allows the script to run:

# chcon -t httpd_sys_script_rw_t /var/lib/awstats
# ls -Z /var/lib
...
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_script_rw_t awstats
...

Any thoughts?

Thanks,
--
Mickey Hill

From Valdis.Kletnieks at vt.edu Mon Sep 26 17:05:15 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Mon, 26 Sep 2005 13:05:15 -0400
Subject: Problems creating a user
In-Reply-To: Your message of "Mon, 26 Sep 2005 12:31:51 +0200." <1127730711.3477.1.camel@localhost.localdomain>
References: <1127730711.3477.1.camel@localhost.localdomain>
Message-ID: <200509261705.j8QH5FBt008584@turing-police.cc.vt.edu>

On Mon, 26 Sep 2005 12:31:51 +0200, Armando Aznar said:
> I have enabled the targeted policy, so all the users run with the user "user_u" (then all the users have all the permissions in SELinux).
> How could I create a user who runs with the user "system_u" so this user doesn't have all the permissions?

This is probably doomed to failure, because the targeted policy cuts a *lot* of corners because it's not making any realistic attempt to protect legitimate system users/types from each other. You really need to start with the 'strict' policy - that has support for separating users.

(Basically, in the 'targeted' policy, so many things will treat 'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being equivalent that you're not going to get anywhere useful....)

From ivg2 at cornell.edu Mon Sep 26 17:28:26 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Mon, 26 Sep 2005 13:28:26 -0400
Subject: Problems creating a user
In-Reply-To: <200509261705.j8QH5FBt008584@turing-police.cc.vt.edu>
References: <1127730711.3477.1.camel@localhost.localdomain> <200509261705.j8QH5FBt008584@turing-police.cc.vt.edu>
Message-ID: <43382FBA.4050008@cornell.edu>

>This is probably doomed to failure, because the targeted policy cuts a *lot* of corners because it's not making any realistic attempt to protect legitimate system users/types from each other. You really need to start with the 'strict' policy - that has support for separating users.
>

It does not... it has support for separating types of users from other types of users... and the boundaries between the types are pretty much set in stone at this time - you can't easily change what roles can do - there's staff_r, sysadm_r, secadm_r, user_r, system_r, and that's it.

I wish RBAC would be more flexible... but it isn't (at least not yet). DAC groups would probably be better for what you're trying to accomplish.

>(Basically, in the 'targeted' policy, so many things will treat 'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being equivalent that you're not going to get anywhere useful....)
>

They're equivalent in strict policy as well. The user field of the SELinux context is not really used at this time.

From sds at tycho.nsa.gov Mon Sep 26 17:19:51 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 26 Sep 2005 13:19:51 -0400
Subject: Problems creating a user
In-Reply-To: <200509261705.j8QH5FBt008584@turing-police.cc.vt.edu>
References: <1127730711.3477.1.camel@localhost.localdomain> <200509261705.j8QH5FBt008584@turing-police.cc.vt.edu>
Message-ID: <1127755191.19016.123.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-09-26 at 13:05 -0400, Valdis.Kletnieks at vt.edu wrote:
> On Mon, 26 Sep 2005 12:31:51 +0200, Armando Aznar said:
> > I have enabled the targeted policy, so all the users run with the user "user_u" (then all the users have all the permissions in SELinux).
> >
> > How could I create a user who runs with the user "system_u" so this user doesn't have all the permissions?
>
> This is probably doomed to failure, because the targeted policy cuts a *lot* of corners because it's not making any realistic attempt to protect legitimate system users/types from each other. You really need to start with the 'strict' policy - that has support for separating users.
>
> (Basically, in the 'targeted' policy, so many things will treat 'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being equivalent that you're not going to get anywhere useful....)

Just to affirm this point: Targeted policy is not suitable for user separation. Convert to strict policy if you want user separation.

(Side bar: The only reason targeted policy even has multiple user identities and roles defined is for context compatibility with strict policy. If the policy language had a notion of user and role aliases to parallel the type alias construct, the users and roles would all just be aliased together for targeted policy.)

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Mon Sep 26 17:25:14 2005
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 26 Sep 2005 13:25:14 -0400
Subject: Problems creating a user
In-Reply-To: <43382FBA.4050008@cornell.edu>
References: <1127730711.3477.1.camel@localhost.localdomain> <200509261705.j8QH5FBt008584@turing-police.cc.vt.edu> <43382FBA.4050008@cornell.edu>
Message-ID: <1127755514.19016.129.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2005-09-26 at 13:28 -0400, Ivan Gyurdiev wrote:
> It does not... it has support for separating types of users from other types of users...

That is user separation, just not per-Linux user separation.

> ...and the boundaries between the types are pretty much set in stone at this time - you can't easily change what roles can do - there's staff_r, sysadm_r, secadm_r, user_r, system_r, and that's it.

...unless you modify policy sources.

> I wish RBAC would be more flexible...but it isn't (at least not yet).
> DAC groups would probably be better for what you're trying to accomplish.

Depends on what he wants to accomplish. DAC cannot truly isolate users in any mandatory sense.

> >(Basically, in the 'targeted' policy, so many things will treat 'user_u:object_r:unconfined_t' and 'system_u:object_r:unconfined_t' as being equivalent that you're not going to get anywhere useful....)
> >
>
> They're equivalent in strict policy as well. The user field of the SELinux context is not really used at this time.

The particular example might not be good, but the user identity does come into play in strict policy in bounding the set of roles (and thus the set of domains).

--
Stephen Smalley
National Security Agency

From ivg2 at cornell.edu Mon Sep 26 18:06:17 2005
From: ivg2 at cornell.edu (Ivan Gyurdiev)
Date: Mon, 26 Sep 2005 14:06:17 -0400
Subject: Problems creating a user
In-Reply-To: <1127755514.19016.129.camel@moss-spartans.epoch.ncsc.mil>
References: <1127730711.3477.1.camel@localhost.localdomain> <200509261705.j8QH5FBt008584@turing-police.cc.vt.edu> <43382FBA.4050008@cornell.edu> <1127755514.19016.129.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <43383899.4070303@cornell.edu>

>>...and the boundaries between the types are pretty much set in stone at this time - you can't easily change what roles can do - there's staff_r, sysadm_r, secadm_r, user_r, system_r, and that's it.
>>
>
>...unless you modify policy sources.
>

You're right. The problem isn't that RBAC isn't flexible - it's _too_ flexible. I think it would be confusing to admins to write policy. Maybe if we could create some sort of friendly app with the most-common macros an admin could want to use, and their descriptions... I guess we're moving in the right direction with those management apis... hmm

From dwalsh at redhat.com Mon Sep 26 19:51:59 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 26 Sep 2005 15:51:59 -0400
Subject: acpid
In-Reply-To: <1127506949.27851.107.camel@moss-spartans.epoch.ncsc.mil>
References: <1127506949.27851.107.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4338515F.9050202@redhat.com>

Stephen Smalley wrote:
>On Fri, 2005-09-23 at 16:09 -0400, Matthew Saltzman wrote:
>
>>Can nobody here help with this (and if not, where could I go for assistance)? selinux-policy-targeted-1.27.1-2.1 does not solve the problem.
>>
>
>From the audit messages you posted, I would have expected that:
>- a new type would have been assigned to /usr/share/hwdata, and apmd_t would have been allowed to read it.
>

I am making this change.

>- tmp_domain(apmd_t) would have been added to enable it to create its own temporary files under /tmp without disturbing anyone else's temporary files.
>
>Looking at the latest rawhide targeted policy (1.27.1-5), it looks like the tmp_domain() has been added, it has been directly allowed to read usr_t (which I would have preferred not doing) and it has been made unconfined in targeted policy (which seems overkill). So I would expect your scripts to work just fine with that policy, even though I'd still favor adding a new type for /usr/share/hwdata and not making apmd_t completely unconfined.
>

The problem is there are no standard scripts for this yet. Trying to lock down acpid is a moving target at this time, until the distros settle on a standard way of doing this. So until then it is better to run unconfined. If in the FC5 timeframe a standard develops in Fedora, I will make the policy work and remove the unconfined_domain.

--

From dwalsh at redhat.com Mon Sep 26 19:54:43 2005
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 26 Sep 2005 15:54:43 -0400
Subject: Latest update has a few holes HEADS UP
In-Reply-To: <4336F036.9010009@antient.org>
References: <4c4ba153050924113022d512fe@mail.gmail.com> <4335A5F8.9060001@cornell.edu> <4c4ba15305092414273880f8f7@mail.gmail.com> <4335E3A6.2030208@mindspring.com> <4c4ba1530509251040213969@mail.gmail.com> <4336EE87.3000208@antient.org> <4336F036.9010009@antient.org>
Message-ID: <43385203.3070300@redhat.com>

Richard Irving wrote:
> Richard Irving wrote:
>
>> FC4 latest update for target sources has a few holes...
>>
> An additional note: targeted, FC4, X86_64.
>
>> After applying:
>> selinux-policy-targeted-sources-1.27.1-2.1
>> selinux-policy-targeted-1.27.1-2.1
>>
>> The system could no longer run up2date.
>> emitting error:
>>
>> Could not set exec context to root:sysadm_r:rpm_t.
>>
>> An addition to rpm.te of:
>>
>> role system_r types rpm_t;
>>
>> And a remake didn't seem to catch the change in rpm.te, as it didn't show the files compiled into the version as the remake ran... ????
>>
>> Adding the same line to unconfined.te alerted the selinux equivalent to .deps, and all files were recompiled, and the new policy loaded.
>>
>> It is now in the policy.conf file, but near the beginning.
>> However, still no go....
>>
>> "Could not set exec context to root:sysadm_r:rpm_t."
>> the same error.
>>
>> Finally, adding the line -directly- near the end of policy.conf worked.
>> (line 126,102 near the samba section)
>>
>> It is a cheap workaround, but it re-enables system user root to run up2date.
>>
>> I wonder what it is colliding with?
>>
>> YMMV, and always willing to listen to suggestions.
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

2.2 puts the sysadm_r back in. It is not needed in targeted for Rawhide.

--

From mjs at ces.clemson.edu Mon Sep 26 20:44:23 2005
From: mjs at ces.clemson.edu (Matthew Saltzman)
Date: Mon, 26 Sep 2005 16:44:23 -0400 (EDT)
Subject: acpid
In-Reply-To: <4338515F.9050202@redhat.com>
References: <1127506949.27851.107.camel@moss-spartans.epoch.ncsc.mil> <4338515F.9050202@redhat.com>
Message-ID:

Should this have been fixed in selinux-policy-targeted-1.27.1-2.2, or is that still behind the Rawhide one? This works from console but not from Fn-F3.

Thanks.

script:

#!/bin/sh
if [ "$(/usr/sbin/radeontool light)" = "The radeon backlight looks on" ]; then
    /usr/sbin/radeontool light off
else
    /usr/sbin/radeontool light on
fi

acpid.log:
---------
[Mon Sep 26 16:37:59 2005] received event "ibm/hotkey HKEY 00000080 00001003"
[Mon Sep 26 16:37:59 2005] notifying client 3001[500:500]
[Mon Sep 26 16:37:59 2005] executing action "/etc/acpi/actions/Fn-F3.sh"
[Mon Sep 26 16:37:59 2005] BEGIN HANDLER MESSAGES
can't open /dev/mem
Are you root?
can't open /dev/mem
Are you root?
[Mon Sep 26 16:37:59 2005] END HANDLER MESSAGES
[Mon Sep 26 16:37:59 2005] action exited with status 255
[Mon Sep 26 16:37:59 2005] completed event "ibm/hotkey HKEY 00000080 00001003"

audit.log:
---------
type=AVC msg=audit(1127767197.001:907558): avc: denied { read write } for pid=6106 comm="radeontool" name="mem" dev=tmpfs ino=901 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
type=SYSCALL msg=audit(1127767197.001:907558): arch=40000003 syscall=5 success=no exit=-13 a0=8049c06 a1=2 a2=bfca76e8 a3=bfca72f8 items=1 pid=6106 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="radeontool" exe="/usr/sbin/radeontool"
type=CWD msg=audit(1127767197.001:907558): cwd="/"
type=PATH msg=audit(1127767197.001:907558): item=0 name="/dev/mem" flags=101 inode=901 dev=00:0d mode=020640 ouid=0 ogid=9 rdev=01:01
type=AVC msg=audit(1127767197.066:908249): avc: denied { read write } for pid=6108 comm="radeontool" name="mem" dev=tmpfs ino=901 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
type=SYSCALL msg=audit(1127767197.066:908249): arch=40000003 syscall=5 success=no exit=-13 a0=8049c06 a1=2 a2=bf952a78 a3=bf952688 items=1 pid=6108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="radeontool" exe="/usr/sbin/radeontool"
type=CWD msg=audit(1127767197.066:908249): cwd="/"
type=PATH msg=audit(1127767197.066:908249): item=0 name="/dev/mem" flags=101 inode=901 dev=00:0d mode=020640 ouid=0 ogid=9 rdev=01:01

On Mon, 26 Sep 2005, Daniel J Walsh wrote:

> Stephen Smalley wrote:
>
>> On Fri, 2005-09-23 at 16:09 -0400, Matthew Saltzman wrote:
>>
>>> Can nobody here help with this (and if not, where could I go for assistance)? selinux-policy-targeted-1.27.1-2.1 does not solve the problem.
>>>
>>
>> From the audit messages you posted, I would have expected that:
>> - a new type would have been assigned to /usr/share/hwdata, and apmd_t would have been allowed to read it.
>>
> I am making this change.
>
>> - tmp_domain(apmd_t) would have been added to enable it to create its own temporary files under /tmp without disturbing anyone else's temporary files.
>>
>> Looking at the latest rawhide targeted policy (1.27.1-5), it looks like the tmp_domain() has been added, it has been directly allowed to read usr_t (which I would have preferred not doing) and it has been made unconfined in targeted policy (which seems overkill). So I would expect your scripts to work just fine with that policy, even though I'd still favor adding a new type for /usr/share/hwdata and not making apmd_t completely unconfined.
>>
> The problem is there are no standard scripts for this yet. Trying to lock down acpid is a moving target at this time, until the distros settle on a standard way of doing this. So until then it is better to run unconfined. If in the FC5 timeframe a standard develops in Fedora, I will make the policy work and remove the unconfined_domain.
>

--
Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

From rirving at antient.org Mon Sep 26 21:34:38 2005
From: rirving at antient.org (Richard Irving)
Date: Mon, 26 Sep 2005 16:34:38 -0500
Subject: Latest update has a few holes HEADS UP
In-Reply-To: <43385203.3070300@redhat.com>
References: <4c4ba153050924113022d512fe@mail.gmail.com> <4335A5F8.9060001@cornell.edu> <4c4ba15305092414273880f8f7@mail.gmail.com> <4335E3A6.2030208@mindspring.com> <4c4ba1530509251040213969@mail.gmail.com> <4336EE87.3000208@antient.org> <4336F036.9010009@antient.org> <43385203.3070300@redhat.com>
Message-ID: <4338696E.9040004@antient.org>

Daniel J Walsh wrote:
> Richard Irving wrote:
>
>>>
>>> Could not set exec context to root:sysadm_r:rpm_t.
>>>
>>> An addition to rpm.te of:
>>>
>>> role system_r types rpm_t;
>>

s/system_r/sysadm_r/

Paste typo, I *hate* those, phugh! :-)

> 2.2 puts the sysadm_r back in. It is not needed in targeted for Rawhide.

I finally dropped it into an unrelated package that compiles in near the end, setfiles.te; I will be able to remove it..

So, until the next percussive event... Thanks, and C'ya. 8-)

From pedro.esteba at gmail.com Tue Sep 27 09:09:33 2005
From: pedro.esteba at gmail.com (pedro esteban) Date: Tue, 27 Sep 2005 11:09:33 +0200 Subject: Simulating a hacker attack Message-ID: <81e69eb105092702092bf61038@mail.gmail.com>

Hi, I'm having problems with the auditing of denial messages with the targeted policy. I'm using runcon with a shell script to simulate what would happen if a hacker was successful in hacking the web server, so I execute the following command:

runcon -u system_u -r system_r -t httpd_t /bin/bash

I can only get this to work in permissive mode, because if I execute it in enforcing mode I get an error (execvp: Permission denied). When I execute the command in permissive mode and I'm running in the new "httpd-shell", I execute 'id -Z' and get this: "system_u:system_r:httpd_t", so I think I'm running in the correct web server security context. The problem is that I don't receive any error message in /var/log/messages when I try to do not-allowed operations (like deleting a file under /etc). (I have enabled all auditing with make enableaudit; make load under policy src.)

Thanks in advance

From dwalsh at redhat.com Tue Sep 27 12:48:58 2005
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 27 Sep 2005 08:48:58 -0400 Subject: Simulating a hacker attack In-Reply-To: <81e69eb105092702092bf61038@mail.gmail.com> References: <81e69eb105092702092bf61038@mail.gmail.com> Message-ID: <43393FBA.3020306@redhat.com>

Ok here is how I have simulated what you are trying to do.

cp /bin/sh /var/www/httpdsh
chcon -t httpd_exec_t /var/www/httpdsh

Add the following lines to /etc/selinux/targeted/src/policy/domains/misc/local.te

domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)
allow httpd_t devpts_t:chr_file rw_file_perms;

cd /etc/selinux/targeted/src/policy/
make load
setsebool httpd_tty_comm=1

Then run /var/www/httpdsh as root.

/var/www/httpdsh
httpdsh: /root/.bashrc: Permission denied
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:httpd_t:s0-s0:c0.c127
# cat /etc/shadow
cat: /etc/shadow: Permission denied
# cat /var/log/messages
cat: /var/log/messages: Permission denied

--

From andy at warmcat.com Tue Sep 27 13:19:54 2005
From: andy at warmcat.com (Andy Green) Date: Tue, 27 Sep 2005 14:19:54 +0100 Subject: FC4 last updates kill postfix+postgrey Message-ID: <433946FA.70301@warmcat.com>

Hi Folks - Using FC4 postfix with 'postgrey', a greylisting service that communicates via a unix socket:

# ll -Z /var/spool/postfix/postgrey/socket
srw-rw-rw- postgrey nobody root:object_r:postfix_spool_t /var/spool/postfix/postgrey/socket

After recent updates:

Sep 27 09:25:17 Updated: audit-libs.i386 1.0.4-1.fc4
Sep 27 09:25:31 Updated: audit.x86_64 1.0.4-1.fc4
Sep 27 09:25:34 Updated: selinux-policy-targeted.noarch 1.27.1-2.2
Sep 27 09:25:35 Updated: audit-libs.x86_64 1.0.4-1.fc4

and a reboot, the socket is not available for postfix to open:

Sep 27 14:08:56 siamese postfix/smtpd[13486]: warning: connect to /var/spool/postfix/postgrey/socket: Permission denied
Sep 27 14:08:56 siamese postfix/smtpd[13486]: warning: problem talking to server /var/spool/postfix/postgrey/socket: Permission denied

Mail is then getting kicked because of this with, eg:

Sep 27 14:08:57 siamese postfix/smtpd[13486]: NOQUEUE: reject: RCPT from hormel.redhat.com[209.132.177.30]: 450 Server configuration problem; from= to= proto=ESMTP helo=

However there are no avc complaints in /var/log/messages. Turning off enforcing (of the targeted mode this is) in system-config-securitylevel enables mail to work, therefore I deduce it is to do with selinux despite the lack of complaints. The socket is live alright as it appears (twice?) on:

# lsof -n | grep postgrey\/socket
postgrey 12989 postgrey 5u unix 0xffff81007995d800 77801 /var/spool/postfix/postgrey/socket
postgrey 12989 postgrey 9u unix 0xffff810005ed3800 92050 /var/spool/postfix/postgrey/socket

Any advice?

-Andy

From pedro.esteba at gmail.com Tue Sep 27 13:31:27 2005
From: pedro.esteba at gmail.com (pedro esteban) Date: Tue, 27 Sep 2005 15:31:27 +0200 Subject: Simulating a hacker attack In-Reply-To: <43393FBA.3020306@redhat.com> References: <81e69eb105092702092bf61038@mail.gmail.com> <43393FBA.3020306@redhat.com> Message-ID: <81e69eb105092706316d1357f0@mail.gmail.com>

> Ok here is how I have simulated what you are trying to do.
>
> cp /bin/sh /var/www/httpdsh
> chcon -t httpd_exec_t /var/www/httpdsh
>
> Add the following lines to
> /etc/selinux/targeted/src/policy/domains/misc/local.te
>
> domain_auto_trans(unconfined_t,httpd_exec_t, httpd_t)
> allow httpd_t devpts_t:chr_file rw_file_perms;
>
> cd /etc/selinux/targeted/src/policy/
> make load
> setsebool httpd_tty_comm=1
>
> Then run
> /var/www/httpdsh
> as root.
>
> /var/www/httpdsh
> httpdsh: /root/.bashrc: Permission denied
> # id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=root:system_r:httpd_t:s0-s0:c0.c127
> # cat /etc/shadow
> cat: /etc/shadow: Permission denied
> # cat /var/log/messages
> cat: /var/log/messages: Permission denied

OK, finally I have got it to work! Thanks. But I still have a problem: when I do a non-allowed operation I cannot see the avc denied message in /var/log/messages. I have tried to solve it by compiling with the option "make enableaudit" and also by doing the operation in permissive mode, but it still doesn't work.

From andy at warmcat.com Tue Sep 27 13:37:16 2005
From: andy at warmcat.com (Andy Green) Date: Tue, 27 Sep 2005 14:37:16 +0100 Subject: FC4 last updates kill postfix+postgrey In-Reply-To: <433946FA.70301@warmcat.com> References: <433946FA.70301@warmcat.com> Message-ID: <43394B0C.6020802@warmcat.com>

Andy Green wrote:
> Sep 27 14:08:56 siamese postfix/smtpd[13486]: warning: connect to
> /var/spool/postfix/postgrey/socket: Permission denied
...
> However there are no avc complaints in /var/log/messages. Turning off

I discover /var/log/audit/audit.log ... much neater once you know about it :-) This is the AVC message:

type=AVC msg=audit(1127827818.253:472): avc: denied { connectto } for pid=13783 comm="smtpd" name="socket" scontext=root:system_r:postfix_smtpd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
type=SYSCALL msg=audit(1127827818.253:472): arch=c000003e syscall=42 success=yes exit=0 a0=14 a1=7fffffa59ec0 a2=6e a3=7fffffa59ec2 items=1 pid=13783 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 comm="smtpd" exe="/usr/libexec/postfix/smtpd"
type=AVC_PATH msg=audit(1127827818.253:472): path="/var/spool/postfix/postgrey/socket"
type=SOCKADDR msg=audit(1127827818.253:472): saddr=01002F7661722F73706F6F6C2F706F73746669782F706F7374677265792F736F636B65740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=PATH msg=audit(1127827818.253:472): item=0 flags=1 inode=3342296 dev=fd:00 mode=0140666 ouid=95 ogid=99 rdev=00:00

-Andy

From eparis at redhat.com Tue Sep 27 13:55:36 2005
From: eparis at redhat.com (Eric Paris) Date: Tue, 27 Sep 2005 09:55:36 -0400 Subject: Simulating a hacker attack In-Reply-To: <81e69eb105092706316d1357f0@mail.gmail.com> References: <81e69eb105092702092bf61038@mail.gmail.com> <43393FBA.3020306@redhat.com> <81e69eb105092706316d1357f0@mail.gmail.com> Message-ID: <1127829336.4560.5.camel@localhost.localdomain>

Are you using a system with auditd? Check /var/log/audit/audit.log

-Eric

On Tue, 2005-09-27 at 15:31 +0200, pedro esteban wrote:
> > Ok here is how I have simulated what you are trying to do.
> >
> > cp /bin/sh /var/www/httpdsh
> > chcon -t httpd_exec_t /var/www/httpdsh
> >
> > Add the following lines to
> > /etc/selinux/targeted/src/policy/domains/misc/local.te
> >
> > domain_auto_trans(unconfined_t,httpd_exec_t, httpd_t)
> > allow httpd_t devpts_t:chr_file rw_file_perms;
> >
> > cd /etc/selinux/targeted/src/policy/
> > make load
> > setsebool httpd_tty_comm=1
> >
> > Then run
> > /var/www/httpdsh
> > as root.
> >
> > /var/www/httpdsh
> > httpdsh: /root/.bashrc: Permission denied
> > # id
> > uid=0(root) gid=0(root)
> > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> > context=root:system_r:httpd_t:s0-s0:c0.c127
> > # cat /etc/shadow
> > cat: /etc/shadow: Permission denied
> > # cat /var/log/messages
> > cat: /var/log/messages: Permission denied
>
> ok, finally I have obtained it works! thanks
> But still I have a problem, when i do a non-allowed operation i can
> not see the avc dennied message in the /var/log/messeges. i have
> tried to solve it compiling with the option "make enableaudit" and
> also doing the operation in permissive mode, but still doesnt work.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Tue Sep 27 14:35:00 2005
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 27 Sep 2005 10:35:00 -0400 Subject: FC4 last updates kill postfix+postgrey In-Reply-To: <43394B0C.6020802@warmcat.com> References: <433946FA.70301@warmcat.com> <43394B0C.6020802@warmcat.com> Message-ID: <43395894.8040303@redhat.com>

Andy Green wrote:
>Andy Green wrote:
>
>>Sep 27 14:08:56 siamese postfix/smtpd[13486]: warning: connect to
>>/var/spool/postfix/postgrey/socket: Permission denied
>...
>>However there are no avc complaints in /var/log/messages. Turning off
>
>I discover /var/log/audit/audit.log ... much neater once you know about
>it :-) This is the AVC message:
>
>type=AVC msg=audit(1127827818.253:472): avc: denied { connectto } for pid=13783 comm="smtpd" name="socket" scontext=root:system_r:postfix_smtpd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
>type=SYSCALL msg=audit(1127827818.253:472): arch=c000003e syscall=42 success=yes exit=0 a0=14 a1=7fffffa59ec0 a2=6e a3=7fffffa59ec2 items=1 pid=13783 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 comm="smtpd" exe="/usr/libexec/postfix/smtpd"
>type=AVC_PATH msg=audit(1127827818.253:472): path="/var/spool/postfix/postgrey/socket"
>type=SOCKADDR msg=audit(1127827818.253:472): saddr=01002F7661722F73706F6F6C2F706F73746669782F706F7374677265792F736F636B65740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>type=PATH msg=audit(1127827818.253:472): item=0 flags=1 inode=3342296 dev=fd:00 mode=0140666 ouid=95 ogid=99 rdev=00:00

If you install selinux-policy-targeted-sources and add this line to /etc/selinux/policy/src/targeted/domains/misc/local.te

allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;

And do a

make -c /etc/selinux/targeted/src/policy load

Does that fix your problem?
>-Andy
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--

From andy at warmcat.com Tue Sep 27 15:58:40 2005
From: andy at warmcat.com (Andy Green) Date: Tue, 27 Sep 2005 16:58:40 +0100 Subject: FC4 last updates kill postfix+postgrey In-Reply-To: <43395894.8040303@redhat.com> References: <433946FA.70301@warmcat.com> <43394B0C.6020802@warmcat.com> <43395894.8040303@redhat.com> Message-ID: <43396C30.8090001@warmcat.com>

Daniel J Walsh wrote:
> If you install selinux-policy-targeted-sources and add this line to
> /etc/selinux/policy/src/targeted/domains/misc/local.te
>
> allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
>
> And do a
>
> make -c /etc/selinux/targeted/src/policy load
>
> Does that fix your problem?

In short... no. I used this path:

/etc/selinux/targeted/src/policy/domains/misc/local.te

and make -C, but on completion nothing was changed. I rebooted (with a gratuitous relabel thrown in) and still it was broken. Was there another obvious step I should have taken after the make -C ... load?

-Andy

From dwalsh at redhat.com Tue Sep 27 16:58:16 2005
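The audit record Andy posted earlier in this thread and the allow rule Dan derived from it are the two ends of the same translation, which audit2allow automates. What follows is an added example written for this page, not code from the thread and not the audit2allow or setools sources: it recognises an AVC denial in both the auditd form (type=AVC msg=audit(...)) and the older syslog form (kernel: audit(...)) that appears later in this archive, merges denials into one allow rule per source type, target type and object class, and decodes the SOCKADDR record's saddr= field, which is the raw struct sockaddr in hex, so the socket path that was being connected to shows up next to the rule. The records of one event share the audit(seconds:serial) key, which is how the two are paired. The sample records are copied from this thread (the NUL padding of the saddr shortened); the function names, the little-endian assumption for sa_family and the SAMPLE_AUDIT constant are the example's own. Treat a generated rule as a starting point to review rather than something to load blindly: elsewhere in this thread the better fix turns out to be a boolean (samba home directories) or a new type (apmd_t and /usr/share/hwdata), not a direct allow.

```python
"""Minimal audit2allow-style reading of SELinux audit records (added example)."""
import re
from collections import defaultdict

AF_UNIX = 1

# Sample records copied from the thread: apmd_t on /dev/mem (auditd form),
# postfix smtpd connecting to the postgrey socket (with its SOCKADDR record,
# NUL padding shortened), and sendmail's name_connect in the older syslog form.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1127767197.001:907558): avc: denied { read write } for pid=6106 comm="radeontool" name="mem" dev=tmpfs ino=901 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
type=SYSCALL msg=audit(1127767197.001:907558): arch=40000003 syscall=5 success=no exit=-13 a0=8049c06 a1=2 a2=bfca76e8 a3=bfca72f8 items=1 pid=6106 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="radeontool" exe="/usr/sbin/radeontool"
type=AVC msg=audit(1127767197.066:908249): avc: denied { read write } for pid=6108 comm="radeontool" name="mem" dev=tmpfs ino=901 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
type=AVC msg=audit(1127827818.253:472): avc: denied { connectto } for pid=13783 comm="smtpd" name="socket" scontext=root:system_r:postfix_smtpd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
type=SOCKADDR msg=audit(1127827818.253:472): saddr=01002F7661722F73706F6F6C2F706F73746669782F706F7374677265792F736F636B65740000
Sep 27 12:43:34 apache02 kernel: audit(1127839414.326:11): avc: denied { name_connect } for pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
"""

# audit(<seconds>.<millis>:<serial>) ties the records of one event together;
# the AVC regex accepts the record with or without the type= prefix.
AVC_RE = re.compile(r'audit\((?P<key>\d+\.\d+:\d+)\):\s+avc:\s+denied\s+\{\s*'
                    r'(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KEY_RE = re.compile(r'audit\((?P<key>\d+\.\d+:\d+)\)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """'pid=6106 comm="radeontool" ...' -> {'pid': '6106', 'comm': 'radeontool', ...}"""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """user:role:type[:range] -> type; the third field for plain and MLS contexts alike."""
    return ctx.split(':')[2]


def decode_saddr(hexstr):
    """Decode the saddr= hex blob, a struct sockaddr as the kernel saw it.

    Returns (family, path) for AF_UNIX and (family, None) otherwise.  sa_family
    is a 16-bit host-order field (little-endian assumed here); sun_path is
    NUL-terminated and padded to the structure size.
    """
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[:2], 'little')
    if family != AF_UNIX:
        return family, None
    return family, raw[2:].split(b'\0', 1)[0].decode('utf-8', 'replace')


def parse_denial(line):
    """Return the pieces of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = parse_fields(m.group('rest'))
    return {'key': m.group('key'), 'comm': f.get('comm'),
            'perms': set(m.group('perms').split()),
            'stype': context_type(f['scontext']),
            'ttype': context_type(f['tcontext']), 'tclass': f['tclass']}


def format_rule(stype, ttype, tclass, perms):
    """Render an allow rule in the .te syntax used in local.te."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {stype} {ttype}:{tclass} {body};'


def allow_rules(audit_text):
    """Merge every denial into one rule per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        d = parse_denial(line)
        if d:
            merged[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return [format_rule(*key, perms) for key, perms in sorted(merged.items())]


def denials_with_sockets(audit_text):
    """Pair each denial with the decoded socket path from the same event, if any."""
    paths = {}
    for line in audit_text.splitlines():
        if line.startswith('type=SOCKADDR'):
            paths[KEY_RE.search(line).group('key')] = decode_saddr(parse_fields(line)['saddr'])[1]
    result = []
    for line in audit_text.splitlines():
        d = parse_denial(line)
        if d:
            result.append({'comm': d['comm'], 'path': paths.get(d['key']),
                           'rule': format_rule(d['stype'], d['ttype'], d['tclass'], d['perms'])})
    return result


if __name__ == '__main__':
    for d in denials_with_sockets(SAMPLE_AUDIT):
        print(d['comm'], d['path'] or '-', d['rule'])
    print('\n'.join(allow_rules(SAMPLE_AUDIT)))
```

Run against the sample it prints the postgrey socket path beside the smtpd denial and three merged rules, the middle one identical to the line Dan suggested for local.te. Feeding it a real /var/log/audit/audit.log works the same way; the point of decoding SOCKADDR is that the denial alone names only the socket's type (initrc_t here), while the path tells you which service created it and therefore whether a boolean or a relabel, rather than an allow rule, is the right fix.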
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 27 Sep 2005 12:58:16 -0400 Subject: FC4 last updates kill postfix+postgrey In-Reply-To: <43396C30.8090001@warmcat.com> References: <433946FA.70301@warmcat.com> <43394B0C.6020802@warmcat.com> <43395894.8040303@redhat.com> <43396C30.8090001@warmcat.com> Message-ID: <43397A28.8000503@redhat.com>

Andy Green wrote:
>Daniel J Walsh wrote:
>
>>If you install selinux-policy-targeted-sources and add this line to
>>/etc/selinux/policy/src/targeted/domains/misc/local.te
>>
>>allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
>>
>>And do a
>>
>>make -c /etc/selinux/targeted/src/policy load
>>
>>Does that fix your problem?
>
>In short... no. I used this path:
>
>/etc/selinux/targeted/src/policy/domains/misc/local.te
>
>and make -C, but on completion nothing was changed. I rebooted (with a
>gratuitous relabel thrown in) and still it was broken. Was there
>another obvious step I should have taken after the make -C ... load?
>
>-Andy

No. But are you seeing any AVC messages? Try to run with setenforce 0, and see what AVC messages are generated. No need to relabel or reboot.

Dan

--

From aastaneh at cmax2.com Tue Sep 27 17:18:36 2005
From: aastaneh at cmax2.com (Amin Astaneh) Date: Tue, 27 Sep 2005 13:18:36 -0400 Subject: apache denied access to sendmail Message-ID: <20050927131836.00006bee.aastaneh@cmax2.com>

Hello- System: Fedora Core 3, current

I am using a trouble ticketing system written in PHP (phpSupport) which uses sendmail by calling a perl script provided by the package. Every time phpSupport passes a mail request to sendmail, this audit appears:

Sep 27 12:43:34 apache02 kernel: audit(1127839414.326:11): avc: denied { name_connect } for pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket

In /var/log/maillog, sendmail logs this for the email transaction:

Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: from=apache, size=505, class=0, nrcpts=1, msgid=<200509271643.j8RGhYfY003948 at apache02.qwik.net>, relay=apache at localhost
Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: to=aastaneh at cmax2.com, ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30505, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Permission denied

I have already submitted a bug report https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168874 and this problem was fixed in FC4... with no real note of fixing it for FC3. I have already done a touch /.autorelabel and rebooted, but to no avail. The only fix is to take the results of audit2allow and recompile policy (which worked on my development box). I am a little wary of building policy from policy-sources on a production machine in order to insert dontaudit rules to stop this denial. Is it possible to build policy on a development server (with the exact same architecture) and transplant it into the production machine? If so, what procedure must I follow? Are there any other solutions?

Amin Astaneh

From sds at tycho.nsa.gov Tue Sep 27 17:24:09 2005
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 27 Sep 2005 13:24:09 -0400 Subject: 2.6.14-rc2-git6 vs FC3 In-Reply-To: <43396CDC.3070700@freemail.hu> References: <43396CDC.3070700@freemail.hu> Message-ID: <1127841849.21671.28.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2005-09-27 at 18:01 +0200, Zoltan Boszormenyi wrote:
> Tony Nelson wrote:
> > At 1:08 PM +0200 9/27/05, Zoltan Boszormenyi wrote:
> >
> >>Hi,
> >>
> >>I have an FC3/x86-64 system and I wanted to try
> >>the latest-greatest mainstream test kernel.
> >>The compilation went OK but it didn't boot successfully,
> >>which seems to be an FC3 bug. The last lines on the
> >>console are:
> >>
> >>-------------------------------------------------
> >>Switching to new root
> >>Enforcing mode requested but no policy loaded. Halting now.
> >>Kernel panic - not syncing: Attempted to kill init!
> >>-------------------------------------------------
> >>
> >>At that point, the initrd userspace already started up
> >>and loaded the required modules, e.g. ext3, SATA drivers, etc.
> >>
> >>Is FC3 (or its mkinitrd) that old to be incompatible with
> >>the latest kernel? At this moment I cannot upgrade to FC4
> >>to confirm this.
> >
> > That's SELinux. Note that the name SELinux doesn't appear in SELinux error
> > messages; this may be the Security Mindset at work. The key words in the
> > error message are "enforcing mode" and "policy". Turn off SELinux'
> > enforcing mode. If you run any servers you will want to be behind some
> > other firewall and pay attention to the machine's firewall.
>
> Yes, thank you. I know it's SELinux, I already switched off
> enforcing mode, but I cannot reboot to try it at the moment.
> My machine is the only computer in the house, so I am a bit
> uneasy about switching it off.
>
> BTW, I am running 2.6.13-rc1-mm1 (kernel-2.6.11-1.14_FC3 is installed)
> and setting enforcing mode on boot works with these kernel versions.
/sbin/init tries to load the current policy version (for the binary policy format, not the package version) supported by the kernel (based on reading /selinux/policyvers), and then tries the next oldest version if that doesn't exist. I think the issue here is that the policy version has changed twice from what shipped in FC3, and /sbin/init doesn't keep trying older policy versions if the current one and its predecessor don't exist. The kernel itself will always accept older binary policy versions, so it would take the policy if /sbin/init loaded it. Naturally, there could be permission denials due to new permissions being introduced in the newer kernel that weren't allowed by the older policy, but you should at least be able to boot the system. /sbin/init should likely keep trying older versions down to the oldest supported version in the 2.6 series. It would then ultimately load the policy that you have in FC3, which would likely work modulo new permission check denials. cc'd fedora-selinux-list, as that is the best place to ask questions re SELinux. -- Stephen Smalley National Security Agency From aastaneh at cmax2.com Tue Sep 27 18:34:32 2005 
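Stephen's description above is a small search: read the newest binary policy format the running kernel accepts from /selinux/policyvers, then look for policy files counting down from that version, where /sbin/init gives up after the second try and the proposed fix keeps counting down to the oldest format the kernel still accepts. The following is an added example written for this page, not the init or libselinux code, that implements both searches side by side so the failure mode (a kernel two formats ahead of the only policy file on disk) can be reproduced offline. It assumes the usual file naming /etc/selinux/<type>/policy/policy.<N>, which the thread does not spell out; the version numbers in the sample are made up, and the function names are the example's own.

```python
"""Policy-file selection as /sbin/init does it, beside the proposed fallback (added example)."""
import os
import re

# Assumed layout: /etc/selinux/<type>/policy/policy.<N>, one file per binary format.
POLICY_NAME = re.compile(r'^policy\.(\d+)$')


def versions_from_names(names):
    """Collect the <N> of every policy.<N> entry in a directory listing."""
    found = set()
    for name in names:
        m = POLICY_NAME.match(name)
        if m:
            found.add(int(m.group(1)))
    return found


def list_policy_versions(policy_dir):
    """Same, for a real directory such as /etc/selinux/targeted/policy."""
    return versions_from_names(os.listdir(policy_dir))


def kernel_policyvers(path='/selinux/policyvers'):
    """Newest binary policy format the running kernel accepts, or None when not available."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def choose_policy(kernel_vers, available, oldest_supported, max_steps=None):
    """Newest policy.<N> with N <= kernel_vers that exists on disk, or None.

    max_steps=2 models what the thread says /sbin/init does: try the kernel's
    version, then its predecessor, then give up.  max_steps=None keeps
    counting down to oldest_supported, which is the proposed fix; the kernel
    accepts any older format, so any hit is loadable.  Files newer than the
    kernel's version are never chosen, since the kernel could not parse them.
    """
    candidates = range(kernel_vers, oldest_supported - 1, -1)
    if max_steps is not None:
        candidates = candidates[:max_steps]
    for vers in candidates:
        if vers in available:
            return vers
    return None


def explain(kernel_vers, available, oldest_supported):
    """Run both searches on one situation; returns (init_pick, fallback_pick)."""
    init_pick = choose_policy(kernel_vers, available, oldest_supported, max_steps=2)
    fallback_pick = choose_policy(kernel_vers, available, oldest_supported)
    return init_pick, fallback_pick


if __name__ == '__main__':
    # Made-up situation in the spirit of the thread: the kernel has moved two
    # formats ahead of the only policy file the installed distribution ships.
    on_disk = versions_from_names(['policy.18', 'policy.conf'])
    print(explain(kernel_vers=20, available=on_disk, oldest_supported=15))
    # -> (None, 18): init halts with "no policy loaded", the fallback would load policy.18
```

The remaining caveat is the one Stephen gives: a policy loaded this way predates the newer kernel's permission checks, so expect some denials until the policy is rebuilt, but the machine boots.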
From: aastaneh at cmax2.com (Amin Astaneh) Date: Tue, 27 Sep 2005 14:34:32 -0400 Subject: apache denied access to sendmail Message-ID: <20050927143432.000016d0.aastaneh@cmax2.com>

Hello- And the plot thickens as well.. Evidently the email denied by SELinux eventually gets out on the network anyway through sendmail. The denial only defers the mail, so around ten minutes later the mail is sent again, successfully this time, due to sendmail making its own request. Here are the logs, grepping for the same set of timestamps and mail ids:

/var/log/messages

Sep 27 12:43:34 apache02 kernel: audit(1127839414.325:10): avc: denied { name_connect } for pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
Sep 27 12:43:34 apache02 kernel: audit(1127839414.326:11): avc: denied { name_connect } for pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket

/var/log/maillog

Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: from=apache, size=505, class=0, nrcpts=1, msgid=<200509271643.j8RGhYfY003948 at apache02.qwik.net>, relay=apache at localhost
Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: to=aastaneh at cmax2.com, ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30505, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Permission denied
Sep 27 12:52:04 apache02 sendmail[3953]: j8RGq3n2003953: from=, size=702, class=0, nrcpts=1, msgid=<200509271643.j8RGhYfY003948 at apache02.qwik.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Sep 27 12:52:04 apache02 sm-msp-queue[3952]: j8RGhYfY003948: to=aastaneh at cmax2.com, ctladdr=apache (48/48), delay=00:08:30, xdelay=00:00:01, mailer=relay, pri=120505, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j8RGq3n2003953 Message accepted for delivery)

-Amin Astaneh

From andy at warmcat.com Tue Sep 27 18:58:01 2005
From: andy at warmcat.com (Andy Green) Date: Tue, 27 Sep 2005 19:58:01 +0100 Subject: FC4 last updates kill postfix+postgrey In-Reply-To: <43397A28.8000503@redhat.com> References: <433946FA.70301@warmcat.com> <43394B0C.6020802@warmcat.com> <43395894.8040303@redhat.com> <43396C30.8090001@warmcat.com> <43397A28.8000503@redhat.com> Message-ID: <43399639.3000100@warmcat.com>

Daniel J Walsh wrote:
> No. But are you seeing any AVC messages? Try to run with setenforce 0,
> and see what AVC messages are generated.
> No need to relabel or reboot.

I saw a notification of a new version of the targeted policy in the testing repo fly by, so I downloaded it and updated to it.

* Tue Sep 27 2005 Dan Walsh 1.27.1-2.3
- Fixes for postfix, amanda, bluetooth
- Merge in changes from Rawhide.

In the meanwhile my x86_64 postalias (a postfix utility) started segfaulting for no apparent reason (with or without selinux, and after reloading it from the rpm), since this is in the /etc/init.d/ script for postfix this killed postfix as a whole. strace did not show any funny business nor did -v -v. I removed the x86_64 postfix package and replaced it with the x86 postfix package. That worked fine without altering any config except returning the /etc/postfix/main.cf back to my original one. No idea what that was about.

At the end of all this I can go back to enforcing without errors or avc messages, so I guess that is 'fixed' by the new policy rpm and/or the local.te line. Thanks for the help and sorry for the unclear nature of the resolution.

-Andy

From ktl at bornet.net Tue Sep 27 20:15:27 2005
From: ktl at bornet.net (Tomas Larsson) Date: Tue, 27 Sep 2005 22:15:27 +0200 Subject: Yum SELINUX Updates. Message-ID:

I have seen that there have been several updates of the selinux policy. Do I need to do anything to make it valid, like reboot, relabel or something similar?

Another "stupid" question: all posts from the list originate from fedora-selinux-list-bounces at redhat.com. I would assume that it means that the mails are bouncing in my mailbox, but I am not aware that this should be the case, and my ISP is telling me that everything is working OK.

With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem

From netdxr at gmail.com Tue Sep 27 20:44:35 2005
From: netdxr at gmail.com (Tom Lisjac) Date: Tue, 27 Sep 2005 14:44:35 -0600 Subject: Selinux breaks samba with no AVC's... Message-ID: <863ff4520509271344478e4844@mail.gmail.com>

I'm trying to make samba shares available on a new FC4 server I've just built that's running selinux-policy-targeted-1.27.1-2.1. I relabelled after the update the other day, ran permissive until everything worked, added the following to local.te and recompiled the policy sources:

allow smbd_t home_root_t:dir { getattr search };
allow smbd_t httpd_sys_content_t:dir { getattr read remove_name search write };
allow smbd_t httpd_sys_content_t:file { getattr lock read unlink };
allow smbd_t samba_net_tmp_t:file { getattr read write };
allow smbd_t user_home_dir_t:dir { getattr read };
allow smbd_t user_home_t:dir getattr;
allow smbd_t user_home_t:file getattr;

When I switched to enforcing, I couldn't connect... and there were no new AVC's. Switching back to permissive worked.

I've never seen this behavior before. In the past when enforcing, there has always been an AVC to explain a denial of service. This time there wasn't. Turning off selinux fixes the problem so there must be a relationship.

Disabling selinux seems to be my only alternative... but I'd rather not. Any suggestions would be appreciated.

-Tom

From dwalsh at redhat.com Tue Sep 27 21:02:31 2005
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 27 Sep 2005 17:02:31 -0400 Subject: Selinux breaks samba with no AVC's... In-Reply-To: <863ff4520509271344478e4844@mail.gmail.com> References: <863ff4520509271344478e4844@mail.gmail.com> Message-ID: <4339B367.3010108@redhat.com>

Tom Lisjac wrote:
>I'm trying to make samba shares available on a new FC4 server I've
>just built that's running selinux-policy-targeted-1.27.1-2.1. I
>relabelled after the update the other day, ran permissive until
>everything worked, added the following to local.te and recompiled the
>policy sources:
>
>allow smbd_t home_root_t:dir { getattr search };
>allow smbd_t httpd_sys_content_t:dir { getattr read remove_name search write };
>allow smbd_t httpd_sys_content_t:file { getattr lock read unlink };
>allow smbd_t samba_net_tmp_t:file { getattr read write };
>allow smbd_t user_home_dir_t:dir { getattr read };
>allow smbd_t user_home_t:dir getattr;
>allow smbd_t user_home_t:file getattr;
>
>When I switched to enforcing, I couldn't connect... and there were no
>new AVC's. Switching back to permissive worked.
>
>I've never seen this behavior before. In the past when enforcing,
>there has always been an AVC to explain a denial of service. This time
>there wasn't. Turning off selinux fixes the problem so there must be a
>relationship.
>
>Disabling selinux seems to be my only alternative... but I'd rather
>not. Any suggestions would be appreciated.
>
>-Tom
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Try out the booleans

setsebool -P samba_enable_home_dirs=1

# getsebool -a | grep samba
samba_enable_home_dirs --> inactive
use_samba_home_dirs --> inactive
# getsebool -a | grep smb
allow_smbd_anon_write --> inactive
smbd_disable_trans --> inactive

--

From dwalsh at redhat.com Tue Sep 27 21:03:42 2005
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 27 Sep 2005 17:03:42 -0400 Subject: Yum SELINUX Updates. In-Reply-To: References: Message-ID: <4339B3AE.8040108@redhat.com>

Tomas Larsson wrote:
>I have seen that there have been several updates of selinux policy.
>Do I need to do anything to make it valid, like reboot, relabel or something
>similar.
>
Should happen automatically. No relabel, reboot required.

>Another "stupid" question, all posts from the list originates from
>fedora-selinux-list-bounces at redhat.com, I would assume that it means that
>the mails are bouncing in my mailbox, but I am not aware that should be the
>case, and my isp is telling me that everything is working OK.
>
I thought this would mean you were not subscribed to the list. But since you got this one through not sure what it means.

>With best regards
>
>Tomas Larsson
>Sweden
>
>Verus Amicus Est Tamquam Alter Idem
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--

From ktl at bornet.net Tue Sep 27 21:21:26 2005
From: ktl at bornet.net (Tomas Larsson) Date: Tue, 27 Sep 2005 23:21:26 +0200 Subject: Yum SELINUX Updates. In-Reply-To: <4339B3AE.8040108@redhat.com> Message-ID:

> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> Sent: Tuesday, September 27, 2005 11:04 PM
> To: Tomas Larsson
> Cc: fedora-selinux-list at redhat.com
> Subject: Re: Yum SELINUX Updates.
>
> Tomas Larsson wrote:
>
> >I have seen that there have been several updates of selinux
> policy. Do
> >I need to do anything to make it valid, like reboot, relabel or
> >something similar.
> >
> Should happen automatically. No relabel, reboot required.

OK, is there anywhere I can find what is updated, since I still have a problem with webalizer being denied access to vsftpd.log as a cron job?

> >Another "stupid" question, all posts from the list originates from
> >fedora-selinux-list-bounces at redhat.com, I would assume that it means
> >that the mails are bouncing in my mailbox, but I am not aware that
> >should be the case, and my isp is telling me that everything
> is working
> >OK.
> >
> I thought this would mean you were not subscribed to the list. But
> since you got this one through not sure what it means.
>
> >With best regards
> >
> >Tomas Larsson
> >Sweden
> >
> >Verus Amicus Est Tamquam Alter Idem
> >
> >--
> >fedora-selinux-list mailing list fedora-selinux-list at redhat.com
> >https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> --

With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem

From andy at warmcat.com Tue Sep 27 21:20:02 2005
From: andy at warmcat.com (Andy Green) Date: Tue, 27 Sep 2005 22:20:02 +0100 Subject: bounce email address (was Yum SELINUX Updates.) In-Reply-To: <4339B3AE.8040108@redhat.com> References: <4339B3AE.8040108@redhat.com> Message-ID: <4339B782.7000303@warmcat.com>

Daniel J Walsh wrote:
>> Another "stupid" question, all posts from the list originates from
>> fedora-selinux-list-bounces at redhat.com, I would assume that it means that
>> the mails are bouncing in my mailbox, but I am not aware that should
>> be the
>> case, and my isp is telling me that everything is working OK.
> I thought this would mean you were not subscribed to the list. But
> since you got this one through not sure what it means.

It's just a way all the Redhat lists detect and deal with nonfunctional email MTA at the subscribers. After enough bounces are collected by that return email address your subscription is put on hold. This is to stop monster mailqueues having to be dealt with by Redhat constantly retrying dead addresses for every mail, etc. All Redhat mails come from a similar address all the time, it doesn't reflect any problems.

-Andy

From netdxr at gmail.com Tue Sep 27 21:40:17 2005
From: netdxr at gmail.com (Tom Lisjac) Date: Tue, 27 Sep 2005 15:40:17 -0600 Subject: Selinux breaks samba with no AVC's... In-Reply-To: <4339B367.3010108@redhat.com> References: <863ff4520509271344478e4844@mail.gmail.com> <4339B367.3010108@redhat.com> Message-ID: <863ff452050927144012e7ef9b@mail.gmail.com>

On 9/27/05, Daniel J Walsh wrote:
> Tom Lisjac wrote:
>
> >I'm trying to make samba shares available on a new FC4 server...
> >When I switched to enforcing, I couldn't connect... and there were no
> >new AVC's. Switching back to permissive worked.
> Try out the booleans
>
> setsebool -P samba_enable_home_dirs=1
>
> # getsebool -a | grep samba
> samba_enable_home_dirs --> inactive
> use_samba_home_dirs --> inactive
> # getsebool -a | grep smb
> allow_smbd_anon_write --> inactive
> smbd_disable_trans --> inactive

That fixed it! Setting samba_enable_home_dirs and use_samba_home_dirs to active restored access and allowed me to remove all but one of the lines I added to local.te.

I've been relabelling the public_html directories as user_u:object_r:httpd_user_content_t so Apache won't complain... but I can't see this directory in the mounted samba shares. Audit2allow returns the following:

allow smbd_t httpd_sys_content_t:dir getattr;

Is my labelling for public_html correct... or is there another switch I can throw to allow samba to read and write to this directory?

-Tom

From Valdis.Kletnieks at vt.edu Wed Sep 28 01:18:51 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 27 Sep 2005 21:18:51 -0400
Subject: Yum SELINUX Updates.
In-Reply-To: Your message of "Tue, 27 Sep 2005 22:15:27 +0200."
Message-ID: <200509280118.j8S1Iqeq004259@turing-police.cc.vt.edu>

On Tue, 27 Sep 2005 22:15:27 +0200, Tomas Larsson said:
> Another "stupid" question, all posts from the list originates from
> fedora-selinux-list-bounces at redhat.com, I would assume that it means that
> the mails are bouncing in my mailbox

No, what that *really* means is "*if* the mail *does* bounce in your mailbox, your ISP should send the bounce to fedora-selinux-list-bounces at redhat.com". That address then (in this case) gets fed into software that figures out that your mailbox is dead and you should be unsubscribed...

From: pedro.esteba at gmail.com (pedro esteban)
Date: Wed, 28 Sep 2005 16:46:18 +0200
Subject: Simulating a hacker attack
Message-ID: <81e69eb1050928074648375e61@mail.gmail.com>

> Ok here is how I have simulated what you are trying to do.
>
> cp /bin/sh /var/www/httpdsh
> chcon -t httpd_exec_t /var/www/httpdsh
>
> Add the following lines to
> /etc/selinux/targeted/src/policy/domains/misc/local.te
>
> domain_auto_trans(unconfined_t,httpd_exec_t, httpd_t)
> allow httpd_t devpts_t:chr_file rw_file_perms;
>
> cd /etc/selinux/targeted/src/policy/
> make load
> setsebool httpd_tty_comm=1
>
> Then run
> /var/www/httpdsh
> as root.
>
> /var/www/httpdsh
> httpdsh: /root/.bashrc: Permission denied
> # id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:httpd_t:s0-s0:c0.c127
> # cat /etc/shadow
> cat: /etc/shadow: Permission denied
> # cat /var/log/messages
> cat: /var/log/messages: Permission denied

Ok, thx for the lines. It works fine when I'm in X mode (xterm), but when I change to console mode (tty1) and execute /var/www/httpdsh it does not work. It's like I don't execute the program. I don't get to the httpd bash. I don't receive any message in the console. I don't receive any message in /var/log/message. I don't receive any message in /var/log/audit/audit.log. It's like it had not done anything.

What happened?

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 28 Sep 2005 11:10:25 -0400
Subject: Selinux breaks samba with no AVC's...
In-Reply-To: <863ff452050927144012e7ef9b@mail.gmail.com>
References: <863ff4520509271344478e4844@mail.gmail.com> <4339B367.3010108@redhat.com> <863ff452050927144012e7ef9b@mail.gmail.com>
Message-ID: <433AB261.9010401@redhat.com>

Tom Lisjac wrote:
>On 9/27/05, Daniel J Walsh wrote:
>>Tom Lisjac wrote:
>>>I'm trying to make samba shares available on a new FC4 server...
>>>When I switched to enforcing, I couldn't connect... and there were no
>>>new AVC's. Switching back to permissive worked.
>>Try out the booleans
>>
>>setsebool -P samba_enable_home_dirs=1
>>
>># getsebool -a | grep samba
>>samba_enable_home_dirs --> inactive
>>use_samba_home_dirs --> inactive
>># getsebool -a | grep smb
>>allow_smbd_anon_write --> inactive
>>smbd_disable_trans --> inactive
>
>That fixed it! Setting samba_enable_home_dirs and use_samba_home_dirs
>to active restored access and allowed me to remove all but one of the
>lines I added to local.te.
>
>I've been relabelling the public_html directories as
>user_u:object_r:httpd_user_content_t so Apache won't complain... but I
>can't see this directory in the mounted samba shares. Audit2allow
>returns the following:
>
>allow smbd_t httpd_sys_content_t:dir getattr;
>
>Is my labelling for public_html correct... or is there another switch
>I can throw to allow samba to read and write to this directory?
>
>-Tom

Try chcon -t public_content_rw_t public_html.
(or ftpd_anon_rw_t if public_content_rw_t does not exist)

Then setsebool -P allow_smbd_anon_write=1

That should allow http to read and samba to write. (Also

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 28 Sep 2005 11:18:33 -0400
Subject: Simulating a hacker attack
In-Reply-To: <81e69eb1050928074648375e61@mail.gmail.com>
References: <81e69eb1050928074648375e61@mail.gmail.com>
Message-ID: <433AB449.5030109@redhat.com>

pedro esteban wrote:
>>Ok here is how I have simulated what you are trying to do.
>>
>>cp /bin/sh /var/www/httpdsh
>>chcon -t httpd_exec_t /var/www/httpdsh
>>
>>Add the following lines to
>>/etc/selinux/targeted/src/policy/domains/misc/local.te
>>
>>domain_auto_trans(unconfined_t,httpd_exec_t, httpd_t)
>>allow httpd_t devpts_t:chr_file rw_file_perms;
>>
>>cd /etc/selinux/targeted/src/policy/
>>make load
>>setsebool httpd_tty_comm=1
>>
>>Then run
>>/var/www/httpdsh
>>as root.
>>
>>/var/www/httpdsh
>>httpdsh: /root/.bashrc: Permission denied
>># id
>>uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:httpd_t:s0-s0:c0.c127
>># cat /etc/shadow
>>cat: /etc/shadow: Permission denied
>># cat /var/log/messages
>>cat: /var/log/messages: Permission denied
>
>Ok, thx for the lines. It works fine when im in Xmode (xterm), but
>when i change to console mode (tty1) if i execute /var/www/httpdsh it
>doesnot work. Its like if i dont execute the program. I dont get to
>the httpd bash. I dont receive any message in the console. I dont
>receive any message in /var/log/message. I dont receive any message in
>/var/log/audit/audit.log. Its like if it had not done anything
>
>What happen?

You need to add getattr and ioctl to your tty. I am adding it to Policy.

You could add

allow httpd_t tty_device_t:chr_file { getattr ioctl };

to local.te

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 28 Sep 2005 11:20:21 -0400
Subject: Yum SELINUX Updates.
Message-ID: <433AB4B5.5040405@redhat.com>

Tomas Larsson wrote:
>>-----Original Message-----
>>From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>>Sent: Tuesday, September 27, 2005 11:04 PM
>>To: Tomas Larsson
>>Cc: fedora-selinux-list at redhat.com
>>Subject: Re: Yum SELINUX Updates.
>>
>>Tomas Larsson wrote:
>>>I have seen that there have been several updates of selinux
>>>policy. Do I need to do anything to make it valid, like reboot, relabel or
>>>something similar.
>>
>>Should happen automatically. No relabel, reboot required.
>
>OK, anywhere where I can find what is updated, since I still have problem
>with webalizer is denied to access vsftpd.log as a crond job.
>
>>>Another "stupid" question, all posts from the list originates from
>>>fedora-selinux-list-bounces at redhat.com, I would assume that it means
>>>that the mails are bouncing in my mailbox, but I am not aware that
>>>should be the case, and my isp is telling me that everything is working
>>>OK.
>>
>>I thought this would mean you were not subscribed to the list. But
>>since you got this one through not sure what it means.

Basically the fix should allow webalizer policy to read xferlog_t. What AVC messages are you seeing when this fails?

Dan

>With best regards
>
>Tomas Larsson
>Sweden
>
>Verus Amicus Est Tamquam Alter Idem

From: filter at stevenstromer.com (Steven Stromer)
Date: Wed, 28 Sep 2005 09:47:47 -0400
Subject: AWStats and SELinux Permissions

Ever change a configuration setting, and forget what it originally was? I need help. If anyone is running AWStats with SELinux on Fedora, can you let me know the SELinux permissions (ls -Z) on the directory /etc/awstats, and on the .conf files contained in this directory? In getting AWStats working I changed these settings from their defaults, and don't know SELinux well enough yet to know what the default settings likely were.

Thanks!
Steven Stromer

From: mickey at mickeyhill.com (Mickey Hill)
Date: Wed, 28 Sep 2005 14:21:44 -0500
Subject: AWStats and SELinux Permissions
Message-ID: <1127935304.4332.14.camel@host124.murray.rudolphtire.com>

On Wed, 2005-09-28 at 09:47 -0400, Steven Stromer wrote:
> Ever change a configuration setting, and forget what it originally was?
> I need help. If anyone is running AWStats with SELinux on Fedora, can
> you let me know the SELinux permissions (ls -Z) on the directory
> /etc/awstats, and on the .conf files contained in this directory? In
> getting AWStats working I changed these settings from their defaults,
> and don't know SELinux well enough yet to know what the default settings
> likely were.

$ ls -Z /etc
...
drwxr-xr-x  root root system_u:object_r:etc_t awstats
...
$ ls -Z /etc/awstats
-rw-r--r--  root root system_u:object_r:etc_t awstats.localhost.localdomain.conf
-rw-r--r--  root root system_u:object_r:etc_t awstats.model.conf
-rw-r--r--  root root root:object_r:etc_t awstats.www.example.com.conf

Also see http://www.redhat.com/archives/fedora-selinux-list/2005-September/msg00118.html

No responses yet. I'd appreciate it if you would share how you got your installation working.

--
Mickey Hill

From: filter at stevenstromer.com (Steven Stromer)
Date: Wed, 28 Sep 2005 16:30:18 -0400
Subject: AWStats
In-Reply-To: <1127751563.4995.8.camel@host124.murray.rudolphtire.com>
References: <1127751563.4995.8.camel@host124.murray.rudolphtire.com>

Dear Mickey,

I noticed your post right before going to lunch. I was planning on responding when I got back, but you beat me to the punch! Thanks for your response.

I believe that you are 90% of the way to your destination...

> # ls -Z /usr/share/awstats/wwwroot/cgi-bin/
> -rwxr-xr-x root root system_u:object_r:usr_t awredir.pl
> -rwxr-xr-x root root system_u:object_r:usr_t awstats.pl
>
> Changing the type gets the script running:
>
> # chcon -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin/*
> # ls -Z /usr/share/awstats/wwwroot/cgi-bin/
> -rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t awredir.pl
> -rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t awstats.pl

This is correct, so far.

> However, the script reports an error.
>
> Error: AWStats database directory defined in config file by 'DirData'
> parameter (/var/lib/awstats) does not exist or is not writable.
>
> # ls -Z /var/lib
> ...
> drwxr-xr-x root root system_u:object_r:var_lib_t awstats
> ...
>
> Changing the type allows the script to run:
>
> # chcon -t httpd_sys_script_rw_t /var/lib/awstats
> # ls -Z /var/lib
> ...
> drwxr-xr-x root root system_u:object_r:httpd_sys_script_rw_t awstats
> ...

You have changed the policy on the /var/lib/awstats folder, but not on its contents, as you successfully did on the files in the cgi-bin, above. In the case of the cgi-bin, it seems you achieved this with a wildcard (*). Just chcon the contents (the actual AWStats databases) in /var/lib/awstats, and you'll be good to go.
You can do this one file at a time, or by using a wildcard (*) as you did above, or, best of all, recursively through the directory for all time, with:

chcon -R -h -t httpd_sys_script_ra_t /var/lib/awstats

This will make the existing contents of the directory, and any new databases added to the directory in the future (db's for new virtual hosts, for instance) properly permissioned, so long as future files added to the directory are created properly. (You might note that I recommended chcon'ing your awstats database folder _ra_t, and not _rw_t, as you had done originally. This just removes the right of awstats.pl to ever erase one of the databases.)

This should get your web reporting working. However, it does not resolve the final issue, which I am still working out. There exists an option in the web reporting pages called 'Update Now'. It allows you to update reports from the web server's logs without performing the log parsing from the command line. You must change the directive 'AllowToUpdateStatsFromBrowser' from 0 to 1 in your awstats .conf file to activate this practical feature. However, I have found that the web-based update process needs access to the system's httpd access_log file (usually in /var/log/httpd). I have changed permissions on this file to httpd_sys_script_ra_t, but it was not sufficient to make the update feature work. Hopefully, someone will be able to help here. I'll post if I get the answer.

Finally, I noticed that the changes to policy would not take until I closed the browser window in which I was trying to access AWStats, and reloaded it in a new window.

Hope this helps,
Steven Stromer

From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 28 Sep 2005 16:57:48 -0400
Subject: Simulating a hacker attack
In-Reply-To: Your message of "Wed, 28 Sep 2005 11:18:33 EDT." <433AB449.5030109@redhat.com>
References: <81e69eb1050928074648375e61@mail.gmail.com> <433AB449.5030109@redhat.com>
Message-ID: <200509282057.j8SKvm20012800@turing-police.cc.vt.edu>

On Wed, 28 Sep 2005 11:18:33 EDT, Daniel J Walsh said:
> You need to add getattr and ioctl to your tty. I am adding it to Policy.
>
> You could add
>
> allow httpd_t tty_device_t:chr_file { getattr ioctl };
>
> to local.te

Umm... you're not adding it to the shipping policy, are you? Is there any *real* usage (as opposed to simulating a hack-in) that httpd_t needs those two added?

From: kevinverma at gmail.com (Kevin Verma)
Date: Thu, 29 Sep 2005 00:46:21 +0300
Subject: sharing an object with two subjects, with multiple types ?

Hi,

Is it possible to share a data repository with two categories of subjects? For example, I hit a bump for sharing a data repository among both httpd and samba (on FC4).

Thanks for reading,

From: netdxr at gmail.com (Tom Lisjac)
Date: Wed, 28 Sep 2005 20:20:50 -0600
Subject: Selinux breaks samba with no AVC's...
In-Reply-To: <433AB261.9010401@redhat.com>
References: <863ff4520509271344478e4844@mail.gmail.com> <4339B367.3010108@redhat.com> <863ff452050927144012e7ef9b@mail.gmail.com> <433AB261.9010401@redhat.com>
Message-ID: <863ff45205092819201803df81@mail.gmail.com>

On 9/28/05, Daniel J Walsh wrote:
> Tom Lisjac wrote:
> >On 9/27/05, Daniel J Walsh wrote:
> >>Tom Lisjac wrote:
> >>>I'm trying to make samba shares available on a new FC4 server...
> >>>When I switched to enforcing, I couldn't connect... and there were no
> >>>new AVC's. Switching back to permissive worked.
> >I've been relabelling the public_html directories as
> >user_u:object_r:httpd_user_content_t so Apache won't complain... but I
> >can't see this directory in the mounted samba shares. Audit2allow
> >returns the following:
> >
> >allow smbd_t httpd_sys_content_t:dir getattr;
> >
> >Is my labelling for public_html correct... or is there another switch
> >I can throw to allow samba to read and write to this directory?
>
> Try chcon -t public_content_rw_t public_html.
> (or ftpd_anon_rw_t if public_content_rw_t does not exist)
>
> Then setsebool -P allow_smbd_anon_write=1
>
> That should allow http to read and samba to write.

That fixed Samba so I could see public_html from the shares... but Apache complained when trying to serve content:

allow httpd_t ftpd_anon_rw_t:dir getattr;

I got everything working for both Samba and Apache by turning on the samba_enable_home_dirs boolean, per your suggestion, and adding the following to local.te:

allow smbd_t httpd_sys_content_t:dir { add_name create getattr read remove_name rename rmdir search write };
allow smbd_t httpd_sys_content_t:file { create getattr lock read setattr unlink write };

I was hoping to make it work without the policy sources, but I can live with this. Incidentally, audit2allow didn't add the curly braces to the first line.
Compilation failed until I put them in.

Thanks for your help... much appreciated!

-Tom

From: gauret at free.fr (Aurelien Bompard)
Date: Thu, 29 Sep 2005 07:16:27 +0200
Subject: AWStats
References: <1127751563.4995.8.camel@host124.murray.rudolphtire.com>

Hi,

I'm packaging Awstats for Extras, but I'm rather unfamiliar with SELinux. Is there something I could add to my package to make these contexts the default ?

Thanks
Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in: we're computer professionals. We cause accidents." -- Nathaniel Borenstein

From: pedro.esteba at gmail.com (pedro esteban)
Date: Thu, 29 Sep 2005 09:31:44 +0200
Subject: Simulating a hacker attack
Message-ID: <81e69eb105092900317ce9ac52@mail.gmail.com>

>>Ok, thx for the lines. It works fine when im in Xmode (xterm), but
>>when i change to console mode (tty1) if i execute /var/www/httpdsh it
>>doesnot work. Its like if i dont execute the program. I dont get to
>>the httpd bash. I dont receive any message in the console. I dont
>>receive any message in /var/log/message. I dont receive any message in
>>/var/log/audit/audit.log. Its like if it had not done anything
>>
>>What happen?
>
> You need to add getattr and ioctl to your tty. I am adding it to Policy.
>
> You could add
>
> allow httpd_t tty_device_t:chr_file { getattr ioctl };
>
> to local.te

Thx again for your answer :), but it doesn't work. I think something is broken because, like I said in my previous message, I don't receive any message from the system. When I execute /var/www/httpdsh in X mode (for example xterm) it works fine, but if I execute it in console mode (for example tty1) it's like I don't execute absolutely NOTHING. Nothing in console, nothing in /var/log/messages, nothing in /var/log/audit/audit.log, nothing in /var/log/* and after the execute I'm not in the new shell. It's very strange.

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 29 Sep 2005 08:36:42 -0400
Subject: sharing an object with two subjects, with multiple types ?
Message-ID: <433BDFDA.3050207@redhat.com>

Kevin Verma wrote:
>Hi,
>
>Is it possible to share a data repository with two categories of
>subjects. For example, I hit a bump for sharing a data repository
>among both httpd and samba (on FC4).
>
>Thanks for reading,

public_content_t and public_content_rw_t (Used to be ftpd_anon_t and ftpd_anon_rw_t).

If you need a particular domain to write to a shared directory/file you need to set the appropriate boolean

allow_DOMAIN_anon_write

So to allow samba to write to public_content_rw_t, you would set the boolean

setsebool -P allow_smb_anon_write=1

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 29 Sep 2005 08:44:35 -0400
Subject: Simulating a hacker attack
In-Reply-To: <200509282057.j8SKvm20012800@turing-police.cc.vt.edu>
References: <81e69eb1050928074648375e61@mail.gmail.com> <433AB449.5030109@redhat.com> <200509282057.j8SKvm20012800@turing-police.cc.vt.edu>
Message-ID: <433BE1B3.60605@redhat.com>

Valdis.Kletnieks at vt.edu wrote:
>On Wed, 28 Sep 2005 11:18:33 EDT, Daniel J Walsh said:
>>You need to add getattr and ioctl to your tty. I am adding it to Policy.
>>
>>You could add
>>
>>allow httpd_t tty_device_t:chr_file { getattr ioctl };
>>
>>to local.te
>
>Umm... you're not adding it to the shipping policy, are you? Is there any
>*real* usage (as opposed to simulating a hack-in) that httpd_t needs those
>two added?

These are only used when httpd_tty_comm is set. It is off by default. httpd_tty_comm is only required if you are using public keys that require a password to unlock. So when apache starts it prompts the admin for a password to unlock its certificates.

From: kevinverma at gmail.com (Kevin Verma)
Date: Thu, 29 Sep 2005 17:56:05 +0300
Subject: sharing an object with two subjects, with multiple types ?
In-Reply-To: <433BDFDA.3050207@redhat.com>
References: <433BDFDA.3050207@redhat.com>

But I want to have a read-only access to this public repository. How to ?

On 9/29/05, Daniel J Walsh wrote:
> Kevin Verma wrote:
> >Hi,
> >
> >Is it possible to share a data repository with two categories of
> >subjects. For example, I hit a bump for sharing a data repository
> >among both httpd and samba (on FC4).
> >
> >Thanks for reading,
>
> public_content_t and public_content_rw_t (Used to be ftpd_anon_t and
> ftpd_anon_rw_t).
>
> If you need a particular domain to write to a shared directory/file you
> need to set the appropriate boolean
> allow_DOMAIN_anon_write
>
> So to allow samba to write to public_content_rw_t, you would set the boolean
>
> setsebool -P allow_smb_anon_write=1

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 29 Sep 2005 15:35:56 -0400
Subject: sharing an object with two subjects, with multiple types ?
References: <433BDFDA.3050207@redhat.com>
Message-ID: <433C421C.7000109@redhat.com>

Kevin Verma wrote:
>But I want to have a read-only access to this public repository. How to ?
>On 9/29/05, Daniel J Walsh wrote:
>>Kevin Verma wrote:
>>>Hi,
>>>
>>>Is it possible to share a data repository with two categories of
>>>subjects. For example, I hit a bump for sharing a data repository
>>>among both httpd and samba (on FC4).
>>>
>>>Thanks for reading,
>>
>>public_content_t and public_content_rw_t (Used to be ftpd_anon_t and
>>ftpd_anon_rw_t).
>>
>>If you need a particular domain to write to a shared directory/file you
>>need to set the appropriate boolean
>>allow_DOMAIN_anon_write
>>
>>So to allow samba to write to public_content_rw_t, you would set the boolean
>>
>>setsebool -P allow_smb_anon_write=1

If you don't set the boolean, that domain will not have access. There is a bug in current policy where if you don't set the boolean for a domain, it does not get read access to the public_content_rw_t directory.

From: gmaxwell at gmail.com (Gregory Maxwell)
Date: Thu, 29 Sep 2005 23:31:41 -0400
Subject: Selinux in FC4 is blocking SCTP

type=AVC msg=audit(1128050967.120:12221195): avc: denied { name_bind } for pid=10749 comm="sctp_test" src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=socket
type=SYSCALL msg=audit(1128050967.120:12221195): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc003f0 a2=2 a3=1 items=0 pid=10749 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sctp_test" exe="/usr/bin/sctp_test"
type=AVC msg=audit(1128050975.796:12243576): avc: denied { name_bind } for pid=10752 comm="sctp_test" src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=socket
type=AVC msg=audit(1128050975.796:12243576): avc: denied { 0x400000 } for pid=10752 comm="sctp_test" saddr=192.168.16.64 src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:node_t tclass=socket
type=SYSCALL msg=audit(1128050975.796:12243576): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfd283d0 a2=2 a3=1 items=0 pid=10752 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sctp_test" exe="/usr/bin/sctp_test"

From: jmorris at namei.org (James Morris)
Date: Fri, 30 Sep 2005 00:32:49 -0400 (EDT)
Subject: Selinux in FC4 is blocking SCTP

On Thu, 29 Sep 2005, Gregory Maxwell wrote:
> type=AVC msg=audit(1128050967.120:12221195): avc: denied { name_bind
> } for pid=10749 comm="sctp_test" src=1234
> scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t
> tclass=socket

SELinux has no protocol-level support for SCTP yet, so the SCTP socket is being classified by SELinux as a generic socket, but still being checked by the protocol-level bind() permissions.

Other parts of the code make assumptions about IP & IPv6 sockets, classifying them as either TCP, UDP or 'RAW' (which is a catch-all for IP protocols notably including ICMP).

We could add a policy entry for unconfined_t to allow name_bind for the socket class, but we'd also hit problems where it defaults to a 'raw' socket.

We can't simply classify SCTP as 'raw', as it has some different semantics, such as multiple local and remote addresses, which we need to investigate and develop proper controls for.

We probably need to rethink the way IP sockets default to 'raw', as new IP protocols are sometimes developed (DCCP has just been implemented) and we don't know that the 'raw' IP controls are always appropriate.

- James
--
James Morris

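Two things in this thread are easier to see with a small tool than from the raw records: Tom's remark that audit2allow emitted a multi-permission rule without the braces the policy compiler needs, and Gregory's denial above where the permission prints as a raw bitmask (0x400000) because, as James explains, the SCTP socket landed in the generic socket class, which has no name for that bit. The following is an added example (not code from the list, from audit2allow, or from the SELinux project) that parses AVC records the way a minimal audit2allow would, always braces the permission set, and reports denials it cannot turn into a rule. The sample log is constructed: the sctp_test records are the ones Gregory posted, the two smbd records are made up to match the smbd_t/httpd_sys_content_t denial Tom reported.

```python
import re
from collections import defaultdict

# Constructed sample log. The sctp_test records are copied from Gregory's
# message; the two smbd records are made up for this example and mirror the
# denial Tom's audit2allow run turned into
# "allow smbd_t httpd_sys_content_t:dir getattr;".
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1128050967.120:12221195): avc: denied { name_bind } for pid=10749 comm="sctp_test" src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=socket
type=SYSCALL msg=audit(1128050967.120:12221195): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc003f0 a2=2 a3=1 items=0 pid=10749 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sctp_test" exe="/usr/bin/sctp_test"
type=AVC msg=audit(1128050975.796:12243576): avc: denied { 0x400000 } for pid=10752 comm="sctp_test" saddr=192.168.16.64 src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:node_t tclass=socket
type=AVC msg=audit(1128051000.000:12243600): avc: denied { getattr } for pid=2211 comm="smbd" name="public_html" dev=hda2 ino=131073 scontext=system_u:system_r:smbd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1128051001.000:12243601): avc: denied { read search } for pid=2211 comm="smbd" name="public_html" dev=hda2 ino=131073 scontext=system_u:system_r:smbd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir
"""

# One AVC denial: the braced permission list, then the source and target
# contexts and the object class. SYSCALL records do not match and are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Third field of user:role:type[:range] is the type the policy rule needs."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, [perms]) for each AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        yield (context_type(m.group("scontext")), context_type(m.group("tcontext")),
               m.group("tclass"), m.group("perms").split())


def build_allow_rules(log_text):
    """Merge denials into one allow rule per (source, target, class) triple.

    Returns (rules, unnamed). Permissions are always written inside braces,
    which the policy compiler accepts for one permission and requires for
    several. A permission that prints as a hex bitmask has no name in the
    object class SELinux assigned, so no rule can grant it; those denials are
    returned separately for a human to look at (here: the wrong socket class).
    """
    perms_by_key = defaultdict(set)
    unnamed = []
    for src, tgt, cls, perms in parse_avc_denials(log_text):
        for perm in perms:
            if perm.startswith("0x"):
                unnamed.append((src, tgt, cls, perm))
            else:
                perms_by_key[(src, tgt, cls)].add(perm)
    rules = [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(perms_by_key.items())
    ]
    return rules, unnamed


if __name__ == "__main__":
    rules, unnamed = build_allow_rules(SAMPLE_AUDIT_LOG)
    print("\n".join(rules))
    for src, tgt, cls, perm in unnamed:
        print("# cannot express: %s -> %s:%s %s (unnamed permission bit)" % (src, tgt, cls, perm))
```

The generated rules are a starting point for review, not a fix: the smbd_t rule is exactly the kind of allow Tom had to hand-write, whereas for the SCTP case the right response was to fix the socket classification rather than grant name_bind on the generic class. If a denial you expect never shows up at all, remember pedro's finding later in this thread that dontaudit rules suppress the record until the policy is rebuilt with them disabled.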
From: gmaxwell at gmail.com (Gregory Maxwell)
Date: Fri, 30 Sep 2005 00:41:56 -0400
Subject: Selinux in FC4 is blocking SCTP

On 9/30/05, James Morris wrote:
> > type=AVC msg=audit(1128050967.120:12221195): avc: denied { name_bind
> > } for pid=10749 comm="sctp_test" src=1234
> > scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t
> > tclass=socket
>
> SELinux has no protocol-level support for SCTP yet, so the SCTP socket is
> being classified by SELInux as a generic socket, but still being checked
> by the protocol-level bind() permissions.
>
> Other parts of the code make assumptions about IP & IPv6 sockets,
> classifying them as either TCP, UDP or 'RAW' (which is a
> catch-all for IP protocols notably including ICMP).

Ah, makes sense.

> We could add a policy entry for unconfined_t to allow name_bind for the
> socket class, but we'd also hit problems where it defaults to a 'raw'
> socket.
>
> We can't simply classify SCTP as 'raw', as it has some different
> semantics, such as multiple local and remote addresses, which we need to
> investigate and develop proper controls for.
>
> We proably need to rethink the way IP sockets default to 'raw', as new IP
> protocols are sometimes developed (DCCP has just been implemented) and we
> don't know that the 'raw' IP controls always appropriate.

In many cases the use of new protocols is so special use that it wouldn't hurt to give apps raw until better support is added. For example, a routing daemon speaking OSPF. SCTP obviously will need full support, since it will eventually be used as a general purpose transport in many applications and may eventually supplant TCP and UDP in some places.

It would be nice if SELinux could step up to controlling the ability to control all address bindings (i.e. application X can only form connections on the secure network), but since they can be added and removed on an active connection that might be interesting.
Is there currently the ability to control IPSec behavior from SELinux (i.e. application X can only use TCP across an encrypted link)? If so, that might provide some guidance in how to make some of the extra SCTP knobs look..

From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 30 Sep 2005 00:16:32 -0400
Subject: Simulating a hacker attack
In-Reply-To: Your message of "Thu, 29 Sep 2005 08:44:35 EDT." <433BE1B3.60605@redhat.com>
References: <81e69eb1050928074648375e61@mail.gmail.com> <433AB449.5030109@redhat.com> <200509282057.j8SKvm20012800@turing-police.cc.vt.edu> <433BE1B3.60605@redhat.com>
Message-ID: <200509300416.j8U4GXiU008310@turing-police.cc.vt.edu>

On Thu, 29 Sep 2005 08:44:35 EDT, Daniel J Walsh said:
> These are only used when httpd_tty_comm is set, It is off by default.
> httpd_tty_comm is only required if you
> are using public keys that require a password to unlock. So when apache
> starts it prompts the admin for a password
> to unlock its certificates.

Oh, OK.. that's a good reason to add it. :) I got the impression it got added to get Pedro's stuff working, and my first thought was "This was what SELinux was designed to *stop*" :)

(Actually, the amount of difficulty that Pedro is having is a very good sign - it means that we did things right. :)

From: pedro.esteba at gmail.com (pedro esteban)
Date: Fri, 30 Sep 2005 08:39:18 +0200
Subject: Simulating a hacker attack
Message-ID: <81e69eb10509292339v3595954ct@mail.gmail.com>

> >>Ok here is how I have simulated what you are trying to do.
> >>
> >>cp /bin/sh /var/www/httpdsh
> >>chcon -t httpd_exec_t /var/www/httpdsh
> >>
> >>Add the following lines to
> >>/etc/selinux/targeted/src/policy/domains/misc/local.te
> >>
> >>domain_auto_trans(unconfined_t,httpd_exec_t, httpd_t)
> >>allow httpd_t devpts_t:chr_file rw_file_perms;
> >>
> >>cd /etc/selinux/targeted/src/policy/
> >>make load
> >>setsebool httpd_tty_comm=1
> >>
> >>Then run
> >>/var/www/httpdsh
> >>as root.
> >>
> >>/var/www/httpdsh
> >>httpdsh: /root/.bashrc: Permission denied
> >># id
> >>uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:httpd_t:s0-s0:c0.c127
> >># cat /etc/shadow
> >>cat: /etc/shadow: Permission denied
> >># cat /var/log/messages
> >>cat: /var/log/messages: Permission denied
> >
> >Ok, thx for the lines. It works fine when im in Xmode (xterm), but
> >when i change to console mode (tty1) if i execute /var/www/httpdsh it
> >doesnot work. Its like if i dont execute the program. I dont get to
> >the httpd bash. I dont receive any message in the console. I dont
> >receive any message in /var/log/message. I dont receive any message in
> >/var/log/audit/audit.log. Its like if it had not done anything
> >
> >What happen?
>
> You need to add getattr and ioctl to your tty. I am adding it to Policy.
>
> You could add
>
> allow httpd_t tty_device_t:chr_file { getattr ioctl };
>
> to local.te

Ok, I have solved the problem. I did not receive messages because I have dontaudit rules in policy.conf. I solved this problem compiling with "make enableaudit". (I thought that I had done it before, sorry)

Then I added these lines to policy and now I cant execute in console.
allow httpd_t tty_device_t:chr_file { getattr ioctl }; #As Daniel J Walsh said
allow httpd_t tty_device_t:chr_file { read write };

From jmorris at namei.org Fri Sep 30 06:49:02 2005
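Two things in the exchange above are routine SELinux policy work: denials hidden by dontaudit rules (the reason Pedro saw nothing until he rebuilt with "make enableaudit"), and turning the denials that do appear into candidate allow rules (what Dan did for the tty). The following is an added example, not code from this thread or from the SELinux tools: a small offline version of the audit2allow idea that parses AVC denial lines and groups them by source type, target type and class. The log lines are constructed; the rawip_socket line copies the denial James posts later in the thread, and the chr_file lines model the tty denials Pedro would have seen with auditing enabled. Field layout follows the 2.6-era "avc: denied { perms } for ... scontext= tcontext= tclass=" record.

```python
"""Group AVC denial messages into the allow rules they would need.

Added example, not from the thread or from the SELinux tools; a stripped-down
offline version of what audit2allow does, so the rule a denial implies can be
reviewed before anyone decides whether to grant it or fix the program instead.
Denials suppressed by dontaudit rules never reach the log at all, so an empty
result does not mean that nothing was denied.
"""
import re
from collections import defaultdict

# The kernel's AVC record: "avc: denied { perms } for <fields> scontext=... tcontext=... tclass=...".
# Fields between "for" and "scontext=" are key=value pairs (pid, comm, path, dev, ino, src, ...).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample log: the rawip_socket line is the denial quoted in this thread,
# the two chr_file lines model the tty denials behind the getattr/ioctl/read/write fix.
SAMPLE_LOG = [
    'type=AVC msg=audit(1128060000.101:17): avc: denied { getattr ioctl } for pid=2100 comm="httpdsh" '
    'path="/dev/tty1" dev=tmpfs ino=1160 scontext=root:system_r:httpd_t:s0-s0:c0.c127 '
    'tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1128060000.102:18): avc: denied { read write } for pid=2100 comm="httpdsh" '
    'path="/dev/tty1" dev=tmpfs ino=1160 scontext=root:system_r:httpd_t:s0-s0:c0.c127 '
    'tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file',
    'avc: denied { name_bind } for pid=16484 comm="lt-sctp_test" src=3339 '
    'scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=rawip_socket',
    'type=SYSCALL msg=audit(1128060000.102:18): arch=40000003 syscall=5 success=no exit=-13',
]


def context_type(ctx):
    """Return the type from a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one log line; return a dict for an AVC denial, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # comm= values are quoted; a comm containing whitespace would need a real tokenizer.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm", "").strip('"'),
        "pid": fields.get("pid"),
    }


def allow_rules(lines):
    """Merge denials with the same (source type, target type, class) into one allow rule."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [
        "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))
        for (stype, ttype, tclass), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The output is a diagnosis, not something to load as-is: a denial such as httpd_t reading /etc/shadow in Dan's test is the confinement doing its job, and the right response is to leave it denied. Only denials that block a legitimate, understood access (the tty getattr/ioctl here, or rawip_socket for an unconfined domain) should become rules, and even then in the narrowest form the grouping shows.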
From: jmorris at namei.org (James Morris)
Date: Fri, 30 Sep 2005 02:49:02 -0400 (EDT)
Subject: Selinux in FC4 is blocking SCTP [PATCH RFC]

On Fri, 30 Sep 2005, James Morris wrote:

> We can't simply classify SCTP as 'raw', as it has some different
> semantics, such as multiple local and remote addresses, which we need to
> investigate and develop proper controls for.

Actually, this does look like a viable short term solution until full SCTP support is available. In the case of the extended IP level bind(2) checks, we just check the first/default IP address being bound, which is better than nothing. (We could do a special detection of SCTP in there and avoid this check, but for what gain?)

Please review the following patch.

It changes the SELinux IP socket classification logic, which is currently broken (well, out of date), so that an IPPROTO_IP protocol value passed to socket(2) classifies the socket as TCP or UDP. Currently, a SOCK_STREAM with a protocol of IPPROTO_ARBITRARY will default to SECCLASS_TCP_SOCKET. With this patch, it will instead default to SECCLASS_RAWIP_SOCKET, the generic IP socket class.

The patch also drops the check for SOCK_RAW and converts it into a default, so that socket types like SOCK_DCCP and SOCK_SEQPACKET are classified as SECCLASS_RAWIP_SOCKET (instead of generic sockets).

This now causes all SCTP sockets to be classified as SECCLASS_RAWIP_SOCKET.

This patch also unifies the way IP socket classes are determined in selinux_socket_bind(), so we use the already calculated value instead of trying to recalculate it (which can lead to inconsistencies).

To get SCTP working now in targeted policy, permissions for the rawip_socket class need to be added to unconfined_domain:

avc: denied { name_bind } for pid=16484 comm="lt-sctp_test" src=3339 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=rawip_socket

(that should be it, I think).

Comments?
--- security/selinux/hooks.c | 30 ++++++++++++++++++++++++------ 1 files changed, 24 insertions(+), 6 deletions(-) diff -X dontdiff -purN linux-2.6.14-rc2.s1/security/selinux/hooks.c linux-2.6.14-rc2.t/security/selinux/hooks.c --- linux-2.6.14-rc2.s1/security/selinux/hooks.c 2005-09-24 10:08:25.000000000 -0400 +++ linux-2.6.14-rc2.t/security/selinux/hooks.c 2005-09-30 02:24:44.000000000 -0400 @@ -630,6 +630,16 @@ static inline u16 inode_mode_to_security return SECCLASS_FILE; } +static inline int default_protocol_stream(int protocol) +{ + return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); +} + +static inline int default_protocol_dgram(int protocol) +{ + return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); +} + static inline u16 socket_type_to_security_class(int family, int type, int protocol) { switch (family) { @@ -646,10 +656,16 @@ static inline u16 socket_type_to_securit case PF_INET6: switch (type) { case SOCK_STREAM: - return SECCLASS_TCP_SOCKET; + if (default_protocol_stream(protocol)) + return SECCLASS_TCP_SOCKET; + else + return SECCLASS_RAWIP_SOCKET; case SOCK_DGRAM: - return SECCLASS_UDP_SOCKET; - case SOCK_RAW: + if (default_protocol_dgram(protocol)) + return SECCLASS_UDP_SOCKET; + else + return SECCLASS_RAWIP_SOCKET; + default: return SECCLASS_RAWIP_SOCKET; } break; @@ -2970,6 +2986,8 @@ static int selinux_socket_bind(struct so /* * If PF_INET or PF_INET6, check name_bind permission for the port. + * Multiple address binding for SCTP is not supported yet: we just + * check the first address now. */ family = sock->sk->sk_family; if (family == PF_INET || family == PF_INET6) { @@ -3014,12 +3032,12 @@ static int selinux_socket_bind(struct so goto out; } - switch(sk->sk_protocol) { - case IPPROTO_TCP: + switch(isec->sclass) { + case SECCLASS_TCP_SOCKET: node_perm = TCP_SOCKET__NODE_BIND; break; - case IPPROTO_UDP: + case SECCLASS_UDP_SOCKET: node_perm = UDP_SOCKET__NODE_BIND; break; From jmorris at namei.org Fri Sep 30 06:51:31 2005 
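Review bot: in the `@@ -646,10 +656,16 @@` hunk the new `default:` arm means every path through the inner `switch (type)` for PF_INET/PF_INET6 now returns, so the `break;` that follows that switch is unreachable; drop it (or leave a comment on it) so the dead statement does not draw a compiler warning later. The changelog should also spell out the policy-visible effect of this hunk: a SOCK_STREAM or SOCK_DGRAM socket opened with any protocol other than IPPROTO_IP/IPPROTO_TCP/IPPROTO_UDP moves from tcp_socket/udp_socket to rawip_socket, so confined domains that hold only the former will start seeing rawip_socket denials, as the unconfined_t AVC in the description already shows.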
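Review bot: the comment added to `selinux_socket_bind()` in the `@@ -2970,6 +2986,8 @@` hunk says only that the first address is checked; it should state plainly that addresses added to an SCTP association after bind(2), which this thread notes can be added and removed while the connection is active, do not pass through this hook at all, so the name_bind/node_bind checks cover the initial address only. Without that, a policy author reading the comment may assume the later additions are checked somewhere nearby.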
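Review bot: in the `@@ -3014,12 +3032,12 @@` hunk keying the switch on `isec->sclass` is the right fix for the inconsistency described, but the visible arms handle only SECCLASS_TCP_SOCKET and SECCLASS_UDP_SOCKET; with the classification change SCTP and every other protocol now arrive here as SECCLASS_RAWIP_SOCKET, so please confirm the default arm just below the hunk assigns `node_perm = RAWIP_SOCKET__NODE_BIND` rather than leaving node_perm unset. A one-line note that `isec` is the socket inode's security struct computed earlier in the function would also help readers of this hunk in isolation.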
From: jmorris at namei.org (James Morris)
Date: Fri, 30 Sep 2005 02:51:31 -0400 (EDT)
Subject: Selinux in FC4 is blocking SCTP

On Fri, 30 Sep 2005, Gregory Maxwell wrote:

> > We probably need to rethink the way IP sockets default to 'raw', as new IP
> > protocols are sometimes developed (DCCP has just been implemented) and we
> > don't know that the 'raw' IP controls are always appropriate.
>
> In many cases the use of new protocols is so special use that it
> wouldn't hurt to give apps raw until better support is added. For
> example, a routing daemon speaking OSPF.

Agreed. All of the checks for 'raw' sockets are at the IP level, so hopefully nothing will break.

> SCTP obviously will need full support, since it will eventually be
> used as a general purpose transport in many applications and may
> eventually supplant TCP and UDP in some places. It would be nice if
> SElinux could step up to controlling the ability to control all
> address bindings (i.e. application X can only form connections on the
> secure network), but since they can be added and removed on an active
> connection that might be interesting.
>
> Is there currently the ability to control IPSec behavior from SElinux
> (i.e. application X can only use TCP across an encrypted link), if so
> that might provide some guidance in how to make some of the extra sctp
> knobs look..

There's some work heading upstream integrating SELinux and IPSec, check the recent netdev archives.

- James

--
James Morris

From jmorris at namei.org Fri Sep 30 15:38:32 2005
From: jmorris at namei.org (James Morris)
Date: Fri, 30 Sep 2005 11:38:32 -0400 (EDT)
Subject: Selinux in FC4 is blocking SCTP [PATCH RFC]
In-Reply-To: <1128093218.12459.154.camel@moss-spartans.epoch.ncsc.mil>
References: <1128093218.12459.154.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 30 Sep 2005, Stephen Smalley wrote:

> Looks good.
>
> Signed-off-by: Stephen Smalley

Andrew is away for a couple of weeks, so I guess we submit this to Linus as a bugfix.

- James

--
James Morris

From sds at epoch.ncsc.mil Fri Sep 30 15:13:38 2005
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 30 Sep 2005 11:13:38 -0400
Subject: Selinux in FC4 is blocking SCTP [PATCH RFC]
Message-ID: <1128093218.12459.154.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-30 at 02:49 -0400, James Morris wrote:
> Please review the following patch.
>
> It changes the SELinux IP socket classification logic, which is currently
> broken (well, out of date), so that an IPPROTO_IP protocol value passed to
> socket(2) classifies the socket as TCP or UDP. Currently, a SOCK_STREAM
> with a protocol of IPPROTO_ARBITRARY will default to SECCLASS_TCP_SOCKET.
> With this patch, it will instead default to SECCLASS_RAWIP_SOCKET, the
> generic IP socket class.
>
> The patch also drops the check for SOCK_RAW and converts it into a
> default, so that socket types like SOCK_DCCP and SOCK_SEQPACKET are
> classified as SECCLASS_RAWIP_SOCKET (instead of generic sockets).
>
> This now causes all SCTP sockets to be classified as
> SECCLASS_RAWIP_SOCKET.
>
> This patch also unifies the way IP socket classes are determined in
> selinux_socket_bind(), so we use the already calculated value instead of
> trying to recalculate it (which can lead to inconsistencies).
>
> To get SCTP working now in targeted policy, permissions for the
> rawip_socket class need to be added to unconfined_domain:
>
> avc: denied { name_bind } for pid=16484 comm="lt-sctp_test" src=3339
> scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t
> tclass=rawip_socket
>
> (that should be it, I think).
>
> Comments?
>
> ---
>
> security/selinux/hooks.c | 30 ++++++++++++++++++++++++------
> 1 files changed, 24 insertions(+), 6 deletions(-)

Looks good.
Signed-off-by: Stephen Smalley

--
Stephen Smalley
National Security Agency

From sds at epoch.ncsc.mil Fri Sep 30 16:58:17 2005
From: sds at epoch.ncsc.mil (Stephen Smalley)
Date: Fri, 30 Sep 2005 12:58:17 -0400
Subject: Selinux in FC4 is blocking SCTP [PATCH RFC]
References: <1128093218.12459.154.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1128099497.12459.159.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2005-09-30 at 11:38 -0400, James Morris wrote:
> On Fri, 30 Sep 2005, Stephen Smalley wrote:
>
> > Looks good.
> >
> > Signed-off-by: Stephen Smalley
>
> Andrew is away for a couple of weeks, so I guess we submit this to Linus
> as a bugfix.

Ok, sounds fine. If he isn't willing to take it into 2.6.14, then I suppose we can work around it in policy in the interim (at least for unconfined_t, where we can just use '*' as the permission list to allow even the undefined permissions for the generic socket class).

--
Stephen Smalley
National Security Agency