From nicolas.mailhot at laposte.net Fri Sep 1 11:20:46 2006
From: nicolas.mailhot at laposte.net (Nicolas Mailhot)
Date: Fri, 1 Sep 2006 13:20:46 +0200 (CEST)
Subject: suggest an icon for selinux (e.g. setroubleshoot)
In-Reply-To: <36794.192.54.193.51.1157015038.squirrel@rousalka.dyndns.org>
References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5BC53.26511.218358@knute.frazmtn.com> <44F62542.5010705@antient.org> <36794.192.54.193.51.1157015038.squirrel@rousalka.dyndns.org>
Message-ID: <7557.192.54.193.51.1157109646.squirrel@rousalka.dyndns.org>

Since everyone here seems concerned about NSA/Big brother references, how about a comics-like mousetrap squeezing a bad guy (complete with mask/scarf/black fedora/whatever)?

-- 
Nicolas Mailhot

From andy at warmcat.com Fri Sep 1 11:55:12 2006
From: andy at warmcat.com (Andy Green)
Date: Fri, 01 Sep 2006 12:55:12 +0100
Subject: suggest an icon for selinux (e.g. setroubleshoot)
In-Reply-To: <7557.192.54.193.51.1157109646.squirrel@rousalka.dyndns.org>
References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5BC53.26511.218358@knute.frazmtn.com> <44F62542.5010705@antient.org> <36794.192.54.193.51.1157015038.squirrel@rousalka.dyndns.org> <7557.192.54.193.51.1157109646.squirrel@rousalka.dyndns.org>
Message-ID: <44F81FA0.4090907@warmcat.com>

Nicolas Mailhot wrote:
> Since everyone here seems concerned about NSA/Big brother references, how
> about a comics-like mousetrap squeezing a bad guy (complete with
> mask/scarf/black fedora/whatever)?

Why not a condom? Stylized along these lines:

http://www.linkcondom.com/condom.gif

Everybody understands it stops bad things happening and it tries not to get too much in the way...

-Andy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4492 bytes
Desc: S/MIME Cryptographic Signature

From jdennis at redhat.com Fri Sep 1 13:55:20 2006
From: jdennis at redhat.com (John Dennis)
Date: Fri, 01 Sep 2006 09:55:20 -0400
Subject: suggest an icon for selinux (e.g. setroubleshoot)
In-Reply-To: <1156946658.18802.33.camel@finch.boston.redhat.com>
References: <1156946658.18802.33.camel@finch.boston.redhat.com>
Message-ID: <1157118920.2535.21.camel@localhost.localdomain>

Thank you everyone for your wonderful suggestions, it's been a treat to read through and consider. I tried to condense and summarize the thread with some editorial prerogative with the hope of narrowing things down so we can get a few images to review. If you have artistic skills and would like to submit a contribution that would be wonderful. We'll also take a couple of ideas to our graphic artist Diana Fong and see what she comes up with.

Some of the suggestions, at least for me, did not intuitively invoke an association with protection (e.g. the bota flask). Other suggestions seemed too generic, leaving one wondering without ambiguity what the image was trying to tell me, e.g. watching eyes, keys in locks, shields, etc. While some of these images do in fact invoke the notion of protection they've also become quite overloaded, e.g. is this the icon for my virus protection? my key ring? my authentication logon? etc. It has to somehow be distinctively unique so the user does not confuse it with something else. More to the point we also want to train people to associate the image with SELinux exclusively, I don't think we can do that with something like a key in a lock. Finally we should bear in mind the audience will be international.
Let's do a straw poll vote:

A) Star fish inscribed in a circle (pentagon)
B) Golden key inscribed in a pentagon
C) Mousetrap
D) Gecko in a trench coat with the collar turned up
E) Crossed swords

Here is some of the contextual background:

Richard Irving:

  how about a star fish, inside an unbroken circle? starfish inside a pentagon instead of an unbroken circle, just different enough from the original to be unique. It would then symbolize "isolation and containment".... aligning the star's legs to the corners of the pentagon, isolating each 5th of the pentagon from the other.

  there is the idea of a simple old fashioned "Flask" ... The flask (Bota) has an outline that conforms with many of the PHI curves, such as the nautilus, that trademark the Unix philosophy... (debian logo, the snail shell.... etc.) So does the pentacle, obviously. The bota flask, with the alternating black and white pentacle, on the side with the Key superimposed over the pentacle... gives one an excuse to make the key "Golden", as well.... (this is rather simple) I also like the black and white alternating pentacle on the edge of the seal, it is a distinctive symbol.

  The Golden key about to be inserted into a lock, the keyhole is located in the center of an alternating pentacle, perhaps in the interior pentagon. With a golden or red capital "I", as the keyhole.... but the lock outline, describing the symbol PHI, using the I (the keyhole) as the center I of the phi symbol. (The outline of the lock forming the oblong O around the I)

  A subtle derivative might be a Gecko in a London Fog, with the collar turned up....

  PPS: The crossed swords have my vote, if you don't like the starfish.

Marc Schwartz:

  A gold key, the shape of which is consistent with the key in the NSA logo being held onto by the eagle. Superimposed over the key is a red exclamation point or perhaps a red "I" information bubble icon.

Nicolas Mailhot:

  I propose a Horus eye since selinux checks the system against forbidden accesses.
  How about a comics-like mousetrap squeezing a bad guy (complete with mask/scarf/black fedora/whatever)?

James Morris:

  What about something with a honeycomb structure, to suggest the compartmented nature of an SELinux system?

Dan Walsh:

  Another suggestion would be a shield, think Middle Ages.

-- 
John Dennis

From jdennis at redhat.com Fri Sep 1 14:03:53 2006
From: jdennis at redhat.com (John Dennis)
Date: Fri, 01 Sep 2006 10:03:53 -0400
Subject: suggest an icon for selinux (e.g. setroubleshoot)
In-Reply-To: <1157118920.2535.21.camel@localhost.localdomain>
References: <1156946658.18802.33.camel@finch.boston.redhat.com> <1157118920.2535.21.camel@localhost.localdomain>
Message-ID: <1157119433.2535.30.camel@localhost.localdomain>

On Fri, 2006-09-01 at 09:55 -0400, John Dennis wrote:
> Let's do a straw poll vote:
>
> A) Star fish inscribed in a circle (pentagon)
> B) Golden key inscribed in a pentagon
> C) Mousetrap
> D) Gecko in a trench coat with the collar turned up
> E) Crossed swords

The starfish inscribed in a circle reminds me of the badge worn by sheriffs in westerns, but that might be too cultural and possibly too generic. The mousetrap and gecko are cool, fun, playful and don't have other strong associations, I like them. But my vote probably goes for B, it seems to strike the right balance between existing associations, is uniquely different, maintains dignity, and would be recognizable at small sizes.

-- 
John Dennis

From tonynelson at georgeanelson.com Fri Sep 1 15:43:00 2006
From: tonynelson at georgeanelson.com (Tony Nelson)
Date: Fri, 1 Sep 2006 11:43:00 -0400
Subject: suggest an icon for selinux (e.g.
 setroubleshoot)
In-Reply-To: <1157119433.2535.30.camel@localhost.localdomain>
References: <1156946658.18802.33.camel@finch.boston.redhat.com> <1157118920.2535.21.camel@localhost.localdomain> <1157119433.2535.30.camel@localhost.localdomain>

At 10:03 AM -0400 9/1/06, John Dennis wrote:
>On Fri, 2006-09-01 at 09:55 -0400, John Dennis wrote:
>> Let's do a straw poll vote:
>>
>> A) Star fish inscribed in a circle (pentagon)
>> B) Golden key inscribed in a pentagon
>> C) Mousetrap
>> D) Gecko in a trench coat with the collar turned up
>> E) Crossed swords
>
>The starfish inscribed in a circle reminds me of the badge worn by
>sheriffs in westerns, but that might be too cultural and possibly too
>generic. The mousetrap and gecko are cool, fun, playful and don't have
>other strong associations, I like them. But my vote probably goes for B,
>it seems to strike the right balance between existing associations, is
>uniquely different, maintains dignity, and would be recognizable at
>small sizes.

I expect that pentagons are out, because of the association with the US Department of Defense.

How about an exterior window showing a (view of a room with a) barred interior door? That derives from the SELinux metaphor that even if "they" get in through the windows, the doors to other rooms are still locked. That should be doable as an icon, and recognizable as the same icon when shown as a small icon. It would have lots of right-angles, so even I could draw one.

-- 
____________________________________________________________________
TonyN.:' '

From fedora at grifent.com Fri Sep 1 17:20:52 2006
From: fedora at grifent.com (John Griffiths)
Date: Fri, 01 Sep 2006 13:20:52 -0400
Subject: suggest an icon for selinux (e.g.
 setroubleshoot)
In-Reply-To: <20060901160012.35A2773306@hormel.redhat.com>
References: <20060901160012.35A2773306@hormel.redhat.com>
Message-ID: <44F86BF4.6010308@grifent.com>

> > Let's do a straw poll vote:
> > A) Star fish inscribed in a circle (pentagon)
> > B) Golden key inscribed in a pentagon
> > C) Mousetrap
> > D) Gecko in a trench coat with the collar turned up
> > E) Crossed swords

Gecko might be a problem with GEICO insurance.

John

From selinux at gmail.com Fri Sep 1 20:28:26 2006
From: selinux at gmail.com (Tom London)
Date: Fri, 1 Sep 2006 13:28:26 -0700
Subject: setroubleshootd message.....cool!
Message-ID: <4c4ba1530609011328j79d7ef39xcbbd9ea4ab5d40e2@mail.gmail.com>

During update of today's rawhide, I get this in /var/log/messages (and a nice icon in the tray):

Sep 1 08:18:44 localhost Updated: kexec-tools.i386 1.101-51.fc6
Sep 1 08:19:14 localhost /usr/sbin/setroubleshootd: SELinux is preventing /usr/sbin/lvm (lvm_t) "getattr" to /dev/nvram (unlabeled_t). See audit.log for complete SELinux messages. id = 1fbf1f44-8ff6-4eb2-96dd-cdfe9ea35829
Sep 1 08:19:22 localhost Installed: kernel.i686 2.6.17-1.2608.fc6

Here's the associated AVC:

type=AVC msg=audit(1157123951.753:51): avc: denied { getattr } for pid=7465 comm="lvs" name="nvram" dev=tmpfs ino=3418 scontext=user_u:system_r:lvm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1157123951.753:51): arch=40000003 syscall=195 success=no exit=-13 a0=8611ef8 a1=bfc3281c a2=c4fff4 a3=8611ef8 items=0 ppid=7464 pid=7465 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="lvs" exe="/usr/sbin/lvm" subj=user_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1157123951.753:51): path="/dev/nvram"

On reboot, /dev/nvram seems to be labeled properly.

[tbl at localhost ~]$ ls -lZ /dev/nvram
crw-rw---- root root system_u:object_r:nvram_device_t /dev/nvram
[tbl at localhost ~]$

Anyway, setroubleshoot is neat.....
tom
-- 
Tom London

From dwalsh at redhat.com Fri Sep 1 20:37:33 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 01 Sep 2006 16:37:33 -0400
Subject: setroubleshootd message.....cool!
In-Reply-To: <4c4ba1530609011328j79d7ef39xcbbd9ea4ab5d40e2@mail.gmail.com>
References: <4c4ba1530609011328j79d7ef39xcbbd9ea4ab5d40e2@mail.gmail.com>
Message-ID: <44F89A0D.6060804@redhat.com>

Tom London wrote:
> During update of today's rawhide, I get this in /var/log/messages (and
> a nice icon in the tray):
>
> Sep 1 08:18:44 localhost Updated: kexec-tools.i386 1.101-51.fc6
> Sep 1 08:19:14 localhost /usr/sbin/setroubleshootd: SELinux is
> preventing /usr/sbin/lvm (lvm_t) "getattr" to /dev/nvram
> (unlabeled_t). See audit.log for complete SELinux messages. id =
> 1fbf1f44-8ff6-4eb2-96dd-cdfe9ea35829
> Sep 1 08:19:22 localhost Installed: kernel.i686 2.6.17-1.2608.fc6
>
> Here's the associated AVC:
>
> type=AVC msg=audit(1157123951.753:51): avc: denied { getattr } for
> pid=7465 comm="lvs" name="nvram" dev=tmpfs ino=3418
> scontext=user_u:system_r:lvm_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file
> type=SYSCALL msg=audit(1157123951.753:51): arch=40000003 syscall=195
> success=no exit=-13 a0=8611ef8 a1=bfc3281c a2=c4fff4 a3=8611ef8
> items=0 ppid=7464 pid=7465 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="lvs" exe="/usr/sbin/lvm"
> subj=user_u:system_r:lvm_t:s0 key=(null)
> type=AVC_PATH msg=audit(1157123951.753:51): path="/dev/nvram"
>
> On reboot, /dev/nvram seems to be labeled properly.
> [tbl at localhost ~]$ ls -lZ /dev/nvram
> crw-rw---- root root system_u:object_r:nvram_device_t /dev/nvram
> [tbl at localhost ~]$
>
> Anyway, setroubleshoot is neat.....
>
> tom

We changed the context of /dev/nvram from bios_device_t to nvram_device_t which caused it to become unlabeled_t when bios_device_t disappeared. One of the costs of running rawhide. Anyways we have some nice updates to the tool coming tonight.
The GUI now has printing, popup message seems to work properly. I am really excited about this tool.

From selinux at gmail.com Sat Sep 2 17:20:51 2006
From: selinux at gmail.com (Tom London)
Date: Sat, 2 Sep 2006 10:20:51 -0700
Subject: install of selinux-policy-targeted-2.3.11-1 chokes a bit....
Message-ID: <4c4ba1530609021020v7e602952n852ef30464571bac@mail.gmail.com>

Running rawhide, targeted enforcing.

Yum installing today's packages (including selinux-policy-targeted-2.3.11-1) generates:

  Updating  : selinux-policy-targeted      ##################### [ 40/108]
libsepol.context_from_record: type firstboot_rw_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:firstboot_rw_t:s0 to sid
/etc/selinux/targeted/contexts/files/file_contexts: line 1573 has invalid context system_u:object_r:firstboot_rw_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1.
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!

tom
-- 
Tom London

From borzoi at caltanet.it Sun Sep 3 16:21:42 2006
From: borzoi at caltanet.it (Paolo D.)
Date: Sun, 3 Sep 2006 18:21:42 +0200
Subject: install of selinux-policy-targeted-2.3.11-1 chokes a bit....
In-Reply-To: <20060903160009.65D9E731D9@hormel.redhat.com>
Message-ID: <001701c6cf75$0bbf5690$70c06850@STEFANENKO>

Good evening Tom,
from my experience, I suggest you download the updated libsepol and libsemanage packages from the NSA download site (http://www.nsa.gov/selinux/code/download5.cfm), extract them, and build them in order, with a simple "make install" from the extracted directories. It should function.

Paolo De Nictolis
_______________________
Ing. Paolo De Nictolis
Tel.: +393389511681
E-mail: borzoi at caltanet.it

> Running rawhide, targeted enforcing.
>
> Yum installing today's packages (including selinux-policy-targeted-2.3.11-1) generates:
>
>   Updating  : selinux-policy-targeted      ##################### [ 40/108]
> libsepol.context_from_record: type firstboot_rw_t is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:firstboot_rw_t:s0 to sid
> /etc/selinux/targeted/contexts/files/file_contexts: line 1573 has invalid context system_u:object_r:firstboot_rw_t:s0
> libsemanage.semanage_install_active: setfiles returned error code 1.
> /usr/sbin/load_policy: Can't load policy: Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> semodule: Failed!

From selinux at gmail.com Sun Sep 3 16:35:13 2006
From: selinux at gmail.com (Tom London)
Date: Sun, 3 Sep 2006 09:35:13 -0700
Subject: install of selinux-policy-targeted-2.3.11-1 chokes a bit....
In-Reply-To: <001701c6cf75$0bbf5690$70c06850@STEFANENKO>
References: <20060903160009.65D9E731D9@hormel.redhat.com> <001701c6cf75$0bbf5690$70c06850@STEFANENKO>
Message-ID: <4c4ba1530609030935i2114900bs7db70e98de0fdc99@mail.gmail.com>

On 9/3/06, Paolo D. wrote:
> Good evening Tom,
> from my experience, I suggest you download the updated libsepol and
> libsemanage packages from the NSA download site
> (http://www.nsa.gov/selinux/code/download5.cfm), extract them, and build
> them in order, with a simple "make install" from the extracted directories.
> It should function.
>
> Paolo De Nictolis
>

Paolo,

Thanks for the suggestion. I usually install and test the Fedora Rawhide packages for 'correctness', so my message here is just my way of reporting a minor breakage, and letting others know the issue is known.
This error leaves my system running and functional, so I can wait for Dan's (usually quick) update :-)

tom
-- 
Tom London

From wart at kobold.org Mon Sep 4 21:44:41 2006
From: wart at kobold.org (Wart)
Date: Mon, 04 Sep 2006 14:44:41 -0700
Subject: semanage changes
Message-ID: <44FC9E49.70309@kobold.org>

I'm trying to make modifications to semanage so that it's easier to delete all ports for a given context, i.e.:

# semanage port -d -t crossfire_port_t
# semanage port -d -t crossfire_port_t -d tcp

However, I'm a little confused by the workings of the semanage python modules.

/usr/sbin/semanage makes the following call to delete the ports:

OBJECT = seobject.portRecords()
...
OBJECT.delete(target, proto)

Where 'target' is the port number to delete, and proto is the protocol (tcp or udp). OBJECT is an array of selinux objects on which to operate.

Presumably, either the OBJECT list contains only the selinux objects that match the input context (such as crossfire_port_t), or the delete() method has some magic to filter only the matching contexts. Since I couldn't find any code to support the latter, I suspect the former.

Can someone explain how this OBJECT array gets filtered to only contain matching contexts? It's not obvious how this happens when the OBJECT array is created with seobject.portRecords().

Thanks,

--Mike

From dwalsh at redhat.com Tue Sep 5 13:34:47 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 05 Sep 2006 09:34:47 -0400
Subject: semanage changes
In-Reply-To: <44FC9E49.70309@kobold.org>
References: <44FC9E49.70309@kobold.org>
Message-ID: <44FD7CF7.7000101@redhat.com>

Wart wrote:
> I'm trying to make modifications to semanage so that it's easier to
> delete all ports for a given context, i.e.:
>
> # semanage port -d -t crossfire_port_t
> # semanage port -d -t crossfire_port_t -d tcp
>
> However, I'm a little confused by the workings of the semanage python
> modules.
>
> /usr/sbin/semanage makes the following call to delete the ports:
>
> OBJECT = seobject.portRecords()
> ...
> OBJECT.delete(target, proto)
>
> Where 'target' is the port number to delete, and proto is the protocol
> (tcp or udp). OBJECT is an array of selinux objects on which to operate.
>
> Presumably, either the OBJECT list contains only the selinux objects
> that match the input context (such as crossfire_port_t), or the
> delete() method has some magic to filter only the matching contexts.
> Since I couldn't find any code to support the latter, I suspect the
> former.
>
> Can someone explain how this OBJECT array gets filtered to only
> contain matching contexts? It's not obvious how this happens when the
> OBJECT array is created with seobject.portRecords().
>

I don't think there is any magic. Basically there is only one portnumber/PROTOCOL allowed. So this is the key. Type is not part of the key.

> Thanks,
>
> --Mike
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From selinux at gmail.com Tue Sep 5 16:40:59 2006
From: selinux at gmail.com (Tom London)
Date: Tue, 5 Sep 2006 09:40:59 -0700
Subject: xen avcs....
Message-ID: <4c4ba1530609050940i3978c8e8lfbcf93428d4d3ce5@mail.gmail.com>

Running latest rawhide, targeted/enforcing.

See the following when running xen enabled kernel, xenguest-install, ...
type=AVC msg=audit(1157437064.863:54): avc: denied { search } for pid=3123 comm="python" name="root" dev=dm-0 ino=2883585 scontext=system_u:system_r:xend_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1157437064.863:54): arch=40000003 syscall=33 success=no exit=-13 a0=8ed9a00 a1=4 a2=474c48e4 a3=b711fa4c items=0 ppid=2789 pid=3123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1157437099.990:55): dev=vif7.0 prom=256 old_prom=0 auid=4294967295
type=SYSCALL msg=audit(1157437099.990:55): arch=40000003 syscall=54 success=yes exit=0 a0=3 a1=89a2 a2=bf9ab5e0 a3=1 items=0 ppid=5236 pid=5319 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:udev_t:s0-s0:c0.c255 key=(null)
type=AVC msg=audit(1157437100.910:56): avc: denied { name_bind } for pid=5238 comm="xen-vncfb" src=5900 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1157437100.910:56): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfdc5d00 a2=5 a3=bfdc5d2c items=0 ppid=2792 pid=5238 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xen-vncfb" exe="/usr/lib/xen/bin/xen-vncfb" subj=system_u:system_r:xend_t:s0 key=(null)

Is Xen an interesting case here, or should I defer reporting such....

tom
-- 
Tom London

From dwalsh at redhat.com Tue Sep 5 16:57:59 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 05 Sep 2006 12:57:59 -0400
Subject: xen avcs....
In-Reply-To: <4c4ba1530609050940i3978c8e8lfbcf93428d4d3ce5@mail.gmail.com>
References: <4c4ba1530609050940i3978c8e8lfbcf93428d4d3ce5@mail.gmail.com>
Message-ID: <44FDAC97.7070906@redhat.com>

Tom London wrote:
> Running latest rawhide, targeted/enforcing.
>
> See the following when running xen enabled kernel, xenguest-install, ...
>
> type=AVC msg=audit(1157437064.863:54): avc: denied { search } for pid=3123 comm="python" name="root" dev=dm-0 ino=2883585 scontext=system_u:system_r:xend_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
> type=SYSCALL msg=audit(1157437064.863:54): arch=40000003 syscall=33 success=no exit=-13 a0=8ed9a00 a1=4 a2=474c48e4 a3=b711fa4c items=0 ppid=2789 pid=3123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0 key=(null)
> type=ANOM_PROMISCUOUS msg=audit(1157437099.990:55): dev=vif7.0 prom=256 old_prom=0 auid=4294967295
> type=SYSCALL msg=audit(1157437099.990:55): arch=40000003 syscall=54 success=yes exit=0 a0=3 a1=89a2 a2=bf9ab5e0 a3=1 items=0 ppid=5236 pid=5319 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:udev_t:s0-s0:c0.c255 key=(null)
> type=AVC msg=audit(1157437100.910:56): avc: denied { name_bind } for pid=5238 comm="xen-vncfb" src=5900 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1157437100.910:56): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfdc5d00 a2=5 a3=bfdc5d2c items=0 ppid=2792 pid=5238 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xen-vncfb" exe="/usr/lib/xen/bin/xen-vncfb" subj=system_u:system_r:xend_t:s0 key=(null)
>
> Is Xen an interesting case here, or should I defer reporting such....
>

No, we want all errors, thanks.
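The AVCs Tom quotes here, together with the lvm/nvram one from the setroubleshootd thread above, make a small test set for the triage setroubleshoot is automating. The following is an example added by the editor; it is not code from setroubleshoot, audit2allow or anyone on the list. It parses type=AVC records, joins the AVC_PATH record on the audit serial number, and sorts denials into two bins: a target of unlabeled_t means the object lost its label (the bios_device_t to nvram_device_t case Dan explains), so the fix is a relabel, while everything else becomes a candidate allow rule that a policy writer still has to judge. The triage rule and the restorecon suggestion are the editor's assumptions; the sample records are the ones quoted in the two threads, with one SYSCALL line trimmed to show that non-AVC records are skipped.

```python
import re
from collections import defaultdict

# Sample input: the AVC records quoted in the two threads (lvm on /dev/nvram,
# xend on root's home directory, xen-vncfb on port 5900) plus the AVC_PATH
# record that shares lvm's serial. One SYSCALL line is kept, trimmed, so the
# parser is seen skipping records that are not AVC denials.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1157123951.753:51): avc: denied { getattr } for pid=7465 comm="lvs" name="nvram" dev=tmpfs ino=3418 scontext=user_u:system_r:lvm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1157123951.753:51): arch=40000003 syscall=195 success=no exit=-13 comm="lvs" exe="/usr/sbin/lvm"
type=AVC_PATH msg=audit(1157123951.753:51): path="/dev/nvram"
type=AVC msg=audit(1157437064.863:54): avc: denied { search } for pid=3123 comm="python" name="root" dev=dm-0 ino=2883585 scontext=system_u:system_r:xend_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1157437100.910:56): avc: denied { name_bind } for pid=5238 comm="xen-vncfb" src=5900 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
                    r'avc: +denied +\{ (?P<perms>[^}]+)\} +for +(?P<rest>.*)')
PATH_RE = re.compile(r'type=AVC_PATH msg=audit\([\d.]+:(?P<serial>\d+)\): '
                     r'path="(?P<path>[^"]*)"')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avcs(text):
    """One dict per AVC denial: its key=value fields plus perms, serial, the
    path from a matching AVC_PATH record, and the source/target *type* pulled
    out of the user:role:type:level contexts."""
    records, paths = [], {}
    for line in text.splitlines():
        p = PATH_RE.match(line)
        if p:
            paths[int(p.group('serial'))] = p.group('path')
            continue
        m = AVC_RE.match(line)
        if not m:
            continue                       # SYSCALL and friends are skipped
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        rec['perms'] = m.group('perms').split()
        rec['serial'] = int(m.group('serial'))
        rec['stype'] = rec['scontext'].split(':')[2]
        rec['ttype'] = rec['tcontext'].split(':')[2]
        records.append(rec)
    for rec in records:                    # AVC_PATH joins on the serial number
        rec['path'] = paths.get(rec['serial'])
    return records


def triage(rec):
    """Editor's heuristic, not setroubleshoot's plugin logic: unlabeled_t on
    the target side means the object lost its label, so relabel it; anything
    else is a candidate allow rule (name_bind to an already typed port such as
    vnc_port_t is a policy question, not a labeling one)."""
    if rec['ttype'] == 'unlabeled_t':
        target = rec['path'] or rec.get('name', '?')
        return 'relabel', 'restorecon -v %s' % target
    return 'policy', 'allow %s %s:%s { %s };' % (
        rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))


def summarize(text):
    """Group triage results by kind, preserving log order within each kind."""
    out = defaultdict(list)
    for rec in parse_avcs(text):
        kind, action = triage(rec)
        out[kind].append(action)
    return dict(out)


if __name__ == '__main__':
    for kind, actions in summarize(SAMPLE_AUDIT).items():
        print(kind + ':')
        for action in actions:
            print('    ' + action)
```

Run on the sample, the lvm denial comes out as "restorecon -v /dev/nvram" (which is what the reboot in Tom's report effectively did) and the two xend denials come out as allow rules. Unlike audit2allow, the script does not merge permissions across records with the same source, target and class; it is meant to be read per denial.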
From ynakam at hitachisoft.jp Tue Sep 5 23:49:16 2006
From: ynakam at hitachisoft.jp (Yuichi Nakamura)
Date: Wed, 6 Sep 2006 08:49:16 +0900
Subject: audit2allow -l is unusable in FC5
Message-ID: <20060906084916.dcd17d8b.ynakam@hitachisoft.jp>

Hi,

I yum updated today and found audit2allow -l is unusable in FC5. There is no log saying "avc granted load_policy"; instead, there is the audit log "audit(1157498697.581:88): policy loaded auid=4294967295 ".

I am teaching people that audit2allow "-l" is useful and to use -l, so many people are using the -l option. Are you going to prepare a new option for audit2allow, or fix policy (auditallow load_policy again), or fix avc.py?

Yuichi Nakamura

From linux_4ever at yahoo.com Wed Sep 6 00:35:24 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Tue, 5 Sep 2006 17:35:24 -0700 (PDT)
Subject: audit2allow -l is unusable in FC5
In-Reply-To: <20060906084916.dcd17d8b.ynakam@hitachisoft.jp>
Message-ID: <20060906003524.36391.qmail@web51503.mail.yahoo.com>

>There is no log saying "avc granted load_policy",
>instead, there is audit log "audit(1157498697.581:88): policy loaded
>auid=4294967295 ".

Yes this is correct. This is the new way as of kernel 2.6.17. There was some overlap where an audit was in the policy and the kernel, but we only need one message. The audit2allow program should be updated to recognize the above as a load policy event.

-Steve
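What "-l" has to do, as an example added by the editor (not Fedora's audit2allow, not its avc.py, and not Yuichi's patch, which is not shown on this page): find the newest policy load in the log and keep only the AVC denials recorded after it, accepting both the old "avc: granted { load_policy }" AVC and the "policy loaded" record Steve says replaced it in 2.6.17. Records are ordered by the (timestamp, serial) pair in msg=audit(...), which is what ties the lines of one event together. The sample log is constructed; the type=MAC_POLICY_LOAD label on the new marker is an assumption, since the thread quotes only the message text, so the code matches on the text rather than on the type.

```python
import re

# Constructed sample (not from the thread): denials on either side of two
# policy loads, the first in the pre-2.6.17 "granted { load_policy }" form and
# the second in the "policy loaded" form Yuichi quotes. The type= label on the
# second marker is the editor's assumption; matching is done on the text.
SAMPLE_LOG = """\
type=AVC msg=audit(1157498600.100:80): avc: denied { read } for pid=100 comm="a" scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:bar_t:s0 tclass=file
type=AVC msg=audit(1157498610.100:81): avc: granted { load_policy } for pid=101 comm="load_policy" scontext=root:system_r:load_policy_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1157498620.100:82): avc: denied { write } for pid=102 comm="b" scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:bar_t:s0 tclass=file
type=MAC_POLICY_LOAD msg=audit(1157498697.581:88): policy loaded auid=4294967295
type=AVC msg=audit(1157498700.100:89): avc: denied { getattr } for pid=103 comm="c" scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:baz_t:s0 tclass=file
"""

EVENT_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
OLD_LOAD_RE = re.compile(r'avc: +granted +\{ *load_policy *\}')   # policy-side auditallow
NEW_LOAD_RE = re.compile(r'\bpolicy loaded\b')                     # kernel-side, 2.6.17+
DENIED_RE = re.compile(r'avc: +denied\b')


def event_key(line):
    """(timestamp, serial) of an audit record, or None if it has no msg=audit."""
    m = EVENT_RE.search(line)
    return (float(m.group('ts')), int(m.group('serial'))) if m else None


def is_policy_load(line):
    """True for either form of the policy-load marker."""
    return bool(OLD_LOAD_RE.search(line) or NEW_LOAD_RE.search(line))


def last_policy_load(lines):
    """Key of the newest policy load, or None when the log contains none."""
    keys = [k for k in (event_key(l) for l in lines if is_policy_load(l)) if k]
    return max(keys) if keys else None


def denials_since_last_load(text):
    """The -l behaviour: (cut-off key, AVC denial lines newer than it).
    With no load marker at all, every denial is returned, as -l would."""
    lines = text.splitlines()
    cut = last_policy_load(lines)
    picked = []
    for line in lines:
        if not DENIED_RE.search(line):
            continue
        key = event_key(line)
        if cut is None or (key is not None and key > cut):
            picked.append(line)
    return cut, picked


if __name__ == '__main__':
    cut, picked = denials_since_last_load(SAMPLE_LOG)
    print('last policy load:', cut)
    for line in picked:
        print(line)
```

On the sample the cut-off is serial 88 and only the getattr denial (serial 89) survives; the two denials before the loads and the one between them are dropped. The picked lines can be piped straight into audit2allow.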
From ynakam at hitachisoft.jp Wed Sep 6 01:15:11 2006
From: ynakam at hitachisoft.jp (Yuichi Nakamura)
Date: Wed, 6 Sep 2006 10:15:11 +0900
Subject: audit2allow -l is unusable in FC5
In-Reply-To: <20060906003524.36391.qmail@web51503.mail.yahoo.com>
References: <20060906084916.dcd17d8b.ynakam@hitachisoft.jp> <20060906003524.36391.qmail@web51503.mail.yahoo.com>
Message-ID: <20060906101511.d860bf27.ynakam@hitachisoft.jp>

On Tue, 5 Sep 2006 17:35:24 -0700 (PDT)
Steve G wrote:
> >There is no log saying "avc granted load_policy",
> >instead, there is audit log "audit(1157498697.581:88): policy loaded
> >auid=4294967295 ".
> Yes this is correct. This is the new way as of kernel 2.6.17. There was some
> overlap where an audit was in the policy and the kernel, but we only need one
> message. The audit2allow program should be updated to recognize the above as a
> load policy event.

I see, so avc.py should be fixed. I wrote a simple patch.

Yuichi Nakamura

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: avc.py.diff

From selinux at gmail.com Wed Sep 6 14:05:44 2006
From: selinux at gmail.com (Tom London)
Date: Wed, 6 Sep 2006 07:05:44 -0700
Subject: invalid context message from today's updates....
Message-ID: <4c4ba1530609060705n755eb04dr4ce1e2010dbd484c@mail.gmail.com>

Running rawhide, targeted/enforcing.

Got this during today's updates:

  Updating  : fedora-logos                 ########## [39/86]file_contexts: invalid context system_u:object_r:firstboot_rw_t:s0
  Updating  : fedora-logos                 ####################### [39/86]

Fedora-logos got updated after update to selinux-policy-targeted.
This appears in /var/log/messages:

Sep 6 06:58:10 localhost Updated: caching-nameserver.i386 30:9.3.2-40.fc6
Sep 6 06:58:26 localhost kernel: security: 3 users, 6 roles, 1528 types, 158 bools, 1 sens, 256 cats
Sep 6 06:58:26 localhost kernel: security: 58 classes, 45425 rules
Sep 6 06:58:26 localhost kernel: security: invalidating context system_u:object_r:firstboot_rw_t:s0
Sep 6 06:58:26 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Sep 6 06:58:27 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2) : exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)
Sep 6 06:58:29 localhost Updated: selinux-policy-targeted.noarch 2.3.12-1

Timing?

tom
-- 
Tom London

From linux_4ever at yahoo.com Wed Sep 6 16:27:37 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Wed, 6 Sep 2006 09:27:37 -0700 (PDT)
Subject: service start/stop test script
Message-ID: <20060906162737.88061.qmail@web51513.mail.yahoo.com>

Hello,

I just wanted to let everyone know that I'm making a test script available to help policy writers (and everyone doing selinux testing). The script will go through /etc/rc.d/init.d and make a list of services installed. It filters out some that you'd really not want to run (like halt). Then it checks the service to see if it's running. If so, it stops and starts the service. Otherwise it starts then stops the service. After each service cycle, it scans the audit logs to look for avcs. If any are found they are run through audit2allow and output. The script can be found here:

http://people.redhat.com/sgrubb/files/testing/service-avc-test

Feedback and updates are welcome.

-Steve
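The procedure Steve describes, as an example added by the editor (this is not his service-avc-test script, which is only linked above): list the init scripts, skip the dangerous ones, stop/start a running service or start/stop a stopped one, then pull the AVC denials logged during that cycle and render them with audit2allow. The external commands are reached through an injectable runner so the sweep can be exercised offline. Assumptions the message does not state: init scripts live under /etc/rc.d/init.d and answer status/start/stop with the usual exit codes (0 from status means running); the skip list beyond halt is the editor's guess; denials are fetched with ausearch -m avc -ts <HH:MM:SS> and fed to audit2allow on stdin. FakeRunner and the three throw-away scripts built in demo() are constructed stand-ins for the real system.

```python
import os
import subprocess
import tempfile
import time

INITD = '/etc/rc.d/init.d'
# Scripts you never want cycled. The message names halt; the rest are the
# editor's additions.
SKIP = frozenset(('halt', 'reboot', 'killall', 'single', 'functions'))


def run_real(argv, input_text=None):
    """Default runner: execute argv, feed it input_text, return (rc, stdout)."""
    p = subprocess.run(argv, input=input_text, capture_output=True, text=True)
    return p.returncode, p.stdout


def list_services(initd=INITD, skip=SKIP):
    """Executable init scripts minus the skip list, in a stable order."""
    return sorted(n for n in os.listdir(initd)
                  if n not in skip and os.access(os.path.join(initd, n), os.X_OK))


def cycle_service(name, runner=run_real, initd=INITD):
    """stop+start a running service, start+stop a stopped one; return the order used."""
    script = os.path.join(initd, name)
    rc, _ = runner([script, 'status'])
    actions = ['stop', 'start'] if rc == 0 else ['start', 'stop']
    for action in actions:
        runner([script, action])
    return actions


def avcs_since(stamp, runner=run_real):
    """AVC denials logged since `stamp` (HH:MM:SS today), rendered by audit2allow."""
    _, raw = runner(['ausearch', '-m', 'avc', '-ts', stamp])
    denied = [l for l in raw.splitlines() if 'avc:' in l and 'denied' in l]
    if not denied:
        return []
    _, rules = runner(['audit2allow'], '\n'.join(denied) + '\n')
    return [r for r in rules.splitlines() if r.strip()]


def sweep(initd=INITD, runner=run_real, now=lambda: time.strftime('%H:%M:%S')):
    """Cycle every service; map each one to the allow rules its cycle produced."""
    report = {}
    for name in list_services(initd):
        stamp = now()                       # taken before the cycle, used as -ts
        cycle_service(name, runner, initd)
        rules = avcs_since(stamp, runner)
        if rules:
            report[name] = rules
    return report


class FakeRunner:
    """Constructed stand-in so the example runs offline: httpd reports running,
    everything else stopped, and stopping httpd 'logs' one denial. ausearch
    drains the pending denials, which plays the part of the -ts cut-off."""
    def __init__(self):
        self.calls = []
        self.pending = []

    def __call__(self, argv, input_text=None):
        self.calls.append(list(argv))
        cmd, args = os.path.basename(argv[0]), list(argv[1:])
        if cmd == 'ausearch':
            out, self.pending = '\n'.join(self.pending), []
            return (0 if out else 1), out
        if cmd == 'audit2allow':            # canned rendering of whatever it is fed
            n = input_text.count('denied')
            return 0, '\n'.join(['allow httpd_t var_log_t:file { write };'] * n)
        if args == ['status']:
            return (0 if cmd == 'httpd' else 3), ''
        if cmd == 'httpd' and args == ['stop']:
            self.pending.append('type=AVC msg=audit(1.0:1): avc: denied { write } '
                                'for pid=1 comm="httpd" scontext=system_u:system_r:httpd_t:s0 '
                                'tcontext=system_u:object_r:var_log_t:s0 tclass=file')
        return 0, ''


def demo():
    """Build a throw-away init.d with three scripts and sweep it with FakeRunner."""
    initd = tempfile.mkdtemp()
    for name in ('httpd', 'sshd', 'halt'):
        path = os.path.join(initd, name)
        with open(path, 'w') as f:
            f.write('#!/bin/sh\nexit 0\n')
        os.chmod(path, 0o755)
    runner = FakeRunner()
    report = sweep(initd, runner, now=lambda: '00:00:00')
    cycled = [os.path.basename(c[0]) for c in runner.calls if c[1:] == ['status']]
    return report, cycled


if __name__ == '__main__':
    print(demo())
```

demo() cycles httpd and sshd, leaves halt alone, and reports one rule for httpd. To run it against a real box, call sweep() with the defaults as root; it records the time before each cycle so that denials from the previous service are not attributed to the next one.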
From shin216 at xf7.so-net.ne.jp Wed Sep 6 20:55:06 2006
From: shin216 at xf7.so-net.ne.jp (Shintaro Fujiwara)
Date: Thu, 07 Sep 2006 05:55:06 +0900
Subject: service start/stop test script
In-Reply-To: <20060906162737.88061.qmail@web51513.mail.yahoo.com>
References: <20060906162737.88061.qmail@web51513.mail.yahoo.com>
Message-ID: <1157576106.2470.6.camel@mama.intrajp-yokosuka.co.jp>

Hi.

I named your script sgrub for test and made it run. It worked fine and I like it very much. I was interested in your "ausearch", so it hits the point and I think it helps people who write policy. Those scripts are really needed when it is hard for humans to discern which log is related to which program.

On Wed, 2006-09-06 at 09:27 -0700, Steve G wrote:
> Hello,
>
> I just wanted to let everyone know that I'm making a test script available to
> help policy writers (and everyone doing selinux testing). The script will go
> through /etc/rc.d/init.d and make a list of services installed. It filters out
> some that you'd really not want to run (like halt). Then it checks the service to
> see if it's running. If so, it stops and starts the service. Otherwise it starts
> then stops the service. After each service cycle, it scans the audit logs to look
> for avcs. If any are found they are run through audit2allow and output. The
> script can be found here:
>
> http://people.redhat.com/sgrubb/files/testing/service-avc-test
>
> Feedback and updates are welcome.
>
> -Steve
From linux_4ever at yahoo.com Wed Sep 6 23:01:16 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Wed, 6 Sep 2006 16:01:16 -0700 (PDT)
Subject: service start/stop test script
In-Reply-To: <1157576106.2470.6.camel@mama.intrajp-yokosuka.co.jp>
Message-ID: <20060906230116.85685.qmail@web51512.mail.yahoo.com>

>Those scripts are really needed when it is
>hard for humans to discern which log is related to which
>program.

Yes indeed. If anyone has ideas about how to do some simple tests that could result in avcs, please let me know. I have another script in development that will run through the yum update log and isolate the packages recently updated. It then runs fixfiles with the -R option to see if the new rpm's files got labeled correctly during update/install. The more of these tests we can think up, the better SE Linux will get.

-Steve

From lenny at bruzenak.com Wed Sep 6 23:33:42 2006
From: lenny at bruzenak.com (LC Bruzenak)
Date: Wed, 06 Sep 2006 18:33:42 -0500
Subject: x86_64 question
Message-ID: <1157585622.4162.54.camel@fryspc>

Question(s):

Installed FC6T2 from DVD on a 64-bit machine. Selected only the "software development" checkbox option. Left it in "enforcing" mode. Prior to doing anything else, checked to see what was installed.

There are many instances of both the i386 and the x86_64 versions there. I guess that is OK - the 64 bit version will override or it is always installed last?

Is there an easy way to scrub the duplicate .i386 names out of the db so that they will not show up if not actually in use (like the "--justdb" option in the rpm -freshen command)?
# yum list installed | grep libse
libselinux.i386            1.30.19-5      installed
libselinux.x86_64          1.30.19-5      installed
libselinux-devel.x86_64    1.30.19-5      installed
libselinux-devel.i386      1.30.19-5      installed
libselinux-python.x86_64   1.30.19-5      installed
libsemanage.x86_64         1.6.12-2       installed
libsepol.i386              1.12.19-1.1    installed
libsepol.x86_64            1.12.19-1.1    installed

--
LC Bruzenak
lenny at bruzenak.com

From linux_4ever at yahoo.com Wed Sep 6 23:42:02 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Wed, 6 Sep 2006 16:42:02 -0700 (PDT)
Subject: x86_64 question
In-Reply-To: <1157585622.4162.54.camel@fryspc>
Message-ID: <20060906234202.96987.qmail@web51514.mail.yahoo.com>

> There are many instances of both the i386 and the x86_64 versions there.
> I guess that is OK - the 64 bit version will override or it is always
> installed last?

I think that if you have i386, there are some i386 files installed.

> Is there an easy way to scrub the duplicate .i386 names out of the db so
> that they will not show up if not actually in use (like the "--justdb"
> option in the rpm -freshen command)?

I don't think it's a db issue. I think there are actually some files installed. This question might be better answered on the fedora-devel mail list (installer/yum/rpm developers hang out there).

-Steve

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From fdsubs at t-online.hu Thu Sep 7 00:55:47 2006
From: fdsubs at t-online.hu (Daniel Fazekas)
Date: Thu, 7 Sep 2006 02:55:47 +0200
Subject: x86_64 question
In-Reply-To: <1157585622.4162.54.camel@fryspc>
References: <1157585622.4162.54.camel@fryspc>
Message-ID:

On Sep 7, 2006, at 1:33, LC Bruzenak wrote:
> There are many instances of both the i386 and the x86_64 versions
> there.
> I guess that is OK - the 64 bit version will override or it is always
> installed last?

That's all perfectly normal and there's nothing to "override."
On x86_64 systems, both 32-bit and 64-bit versions of all libraries are installed; this isn't limited to SELinux and has been the norm since the very first x86_64 release. This way you can develop and run both 32-bit and 64-bit programs. 32-bit programs will automatically link to the 32-bit copy of the library, and 64-bit programs to the 64-bit libraries.

--
fds

From matt at gillens.us Thu Sep 7 02:37:18 2006
From: matt at gillens.us (Matthew Gillen)
Date: Wed, 06 Sep 2006 22:37:18 -0400
Subject: procmail with nfs home dirs
Message-ID: <44FF85DE.4080304@gillens.us>

Hi,
I'm new to SELinux, and I was having some problems with procmail not working correctly for me with NFS (via NIS-based autofs) home directories on FC5.

There seemed to be a discussion about a similar issue a while back:
http://www.redhat.com/archives/fedora-list/2006-May/msg03265.html
but the solutions there didn't solve my problem.

In any event, I managed to get it working for myself using the following policy module. The 'autofs_t:dir search' part seemed to be needed to find my .procmailrc file, and the rest looks like it is needed to write messages into my maildirs under $HOME/Mail/

If anyone has suggestions on how to improve this I'd be happy to hear them.
Thanks,
Matt

--------------------------------------
module procmailnfs 1.0;

require {
	class dir { getattr search write };
	class file { append getattr read };
	type autofs_t;
	type default_t;
	type procmail_t;
	role system_r;
};

allow procmail_t autofs_t:dir search;
allow procmail_t default_t:dir { getattr search write };
allow procmail_t default_t:file { append getattr read };
--------------------------------------

From stefan at sf-net.com Thu Sep 7 08:11:25 2006
From: stefan at sf-net.com (Stefan)
Date: Thu, 7 Sep 2006 10:11:25 +0200
Subject: problems with latest mls policy
Message-ID: <5FF0BE4B-00DE-4047-B172-D2EE87A0AB9A@sf-net.com>

Hi,

I did an update of the mls policy last night (the version before was 1.5 months old) and now cron can't change its context to logrotate.
Only two modules seem to be installed in /usr/share/selinux/mls: base.pp and enableaudit.pp
If I install the strict policy there are a lot of policy modules installed, even logrotate.pp.
Does anyone have any ideas?

The following packages are installed:
selinux-policy-2.3.7-2.fc5
selinux-policy-mls-2.3.7-2.fc5
selinux-policy-devel-2.3.7-2.fc5

Best regards,
Stefan

PS: Here is a list of all the avc denials:
allow user_crond_t NetworkManager_var_run_t:dir getattr;
allow user_crond_t acct_data_t:dir { getattr search };
allow user_crond_t acct_data_t:file getattr;
allow user_crond_t alsa_etc_rw_t:dir getattr;
allow user_crond_t apmd_log_t:file getattr;
allow user_crond_t auditd_log_t:dir getattr;
allow user_crond_t avahi_var_run_t:dir getattr;
allow user_crond_t bin_t:dir { add_name remove_name write };
allow user_crond_t bin_t:file { create relabelfrom relabelto rename setattr unlink write };
allow user_crond_t binfmt_misc_fs_t:dir getattr;
allow user_crond_t bluetooth_conf_t:dir getattr;
allow user_crond_t boot_t:dir getattr;
allow user_crond_t cert_t:dir { getattr read search };
allow user_crond_t crack_db_t:dir getattr;
allow user_crond_t cron_spool_t:dir { getattr search };
allow user_crond_t cvs_data_t:dir
getattr; allow user_crond_t data_t:dir { getattr read search }; allow user_crond_t dbusd_etc_t:dir { getattr search }; allow user_crond_t default_context_t:dir { getattr read search }; allow user_crond_t default_t:dir getattr; allow user_crond_t devlog_t:sock_file write; allow user_crond_t devpts_t:dir getattr; allow user_crond_t dhcpc_state_t:dir getattr; allow user_crond_t dhcpd_state_t:dir { getattr read search }; allow user_crond_t etc_mail_t:dir getattr; allow user_crond_t etc_runtime_t:dir getattr; allow user_crond_t etc_t:dir { add_name remove_name write }; allow user_crond_t etc_t:file { create rename setattr unlink write }; allow user_crond_t file_context_t:dir { getattr read search }; allow user_crond_t firstboot_rw_t:dir { getattr search }; allow user_crond_t fonts_t:dir getattr; allow user_crond_t home_root_t:dir read; allow user_crond_t httpd_config_t:dir { getattr search }; allow user_crond_t httpd_log_t:dir { getattr read search }; allow user_crond_t httpd_log_t:file { getattr read }; allow user_crond_t httpd_modules_t:dir { getattr read search }; allow user_crond_t httpd_modules_t:file { getattr read }; allow user_crond_t httpd_sys_content_t:dir { getattr read search }; allow user_crond_t httpd_sys_script_exec_t:dir getattr; allow user_crond_t httpd_var_lib_t:dir getattr; allow user_crond_t hwdata_t:dir { getattr search }; allow user_crond_t initrc_tmp_t:dir getattr; allow user_crond_t ipsec_conf_file_t:dir { getattr search }; allow user_crond_t ipsec_exec_t:file { relabelto rename unlink }; allow user_crond_t ipsec_key_file_t:dir getattr; allow user_crond_t ipsec_var_run_t:dir getattr; allow user_crond_t lib_t:dir { add_name remove_name write }; allow user_crond_t lib_t:file { create relabelfrom relabelto rename setattr unlink write }; allow user_crond_t locate_var_lib_t:dir { add_name getattr read remove_name search write }; allow user_crond_t locate_var_lib_t:file { create getattr read rename setattr unlink write }; allow user_crond_t 
logrotate_var_lib_t:file { getattr read write }; allow user_crond_t logwatch_cache_t:dir { add_name create getattr read remove_name rmdir search write }; allow user_crond_t logwatch_cache_t:file { create getattr ioctl read unlink write }; allow user_crond_t lost_found_t:dir getattr; allow user_crond_t lvm_etc_t:dir { getattr search }; allow user_crond_t lvm_lock_t:dir getattr; allow user_crond_t lvm_metadata_t:dir getattr; allow user_crond_t mail_spool_t:dir { getattr read }; allow user_crond_t mail_spool_t:lnk_file read; allow user_crond_t man_t:dir { getattr read search setattr }; allow user_crond_t man_t:file { getattr read setattr write }; allow user_crond_t mdadm_var_run_t:dir getattr; allow user_crond_t mnt_t:dir { getattr search }; allow user_crond_t modules_object_t:dir { getattr read search }; allow user_crond_t mqueue_spool_t:dir getattr; allow user_crond_t mrtg_etc_t:dir getattr; allow user_crond_t mrtg_lock_t:dir getattr; allow user_crond_t mrtg_var_lib_t:dir getattr; allow user_crond_t named_cache_t:dir getattr; allow user_crond_t named_conf_t:dir { getattr read search }; allow user_crond_t named_var_run_t:dir { getattr read search }; allow user_crond_t named_zone_t:dir { getattr read search }; allow user_crond_t net_conf_t:file { getattr read }; allow user_crond_t netif_t:netif { rawip_recv rawip_send }; allow user_crond_t netutils_exec_t:file { relabelto rename unlink }; allow user_crond_t nmbd_t:process signal; allow user_crond_t nmbd_var_run_t:file { getattr read }; allow user_crond_t node_t:node { rawip_recv rawip_send }; allow user_crond_t nscd_var_run_t:dir { getattr search }; allow user_crond_t ntp_drift_t:dir { getattr read search }; allow user_crond_t pam_var_console_t:dir getattr; allow user_crond_t pam_var_run_t:dir getattr; allow user_crond_t policy_config_t:dir { getattr read search }; allow user_crond_t postfix_etc_t:dir { getattr search }; allow user_crond_t postfix_etc_t:file { getattr read }; allow user_crond_t postfix_private_t:dir 
getattr; allow user_crond_t postfix_public_t:dir { getattr search }; allow user_crond_t postfix_public_t:fifo_file { getattr write }; allow user_crond_t postfix_spool_bounce_t:dir getattr; allow user_crond_t postfix_spool_flush_t:dir getattr; allow user_crond_t postfix_spool_maildrop_t:dir { add_name getattr read remove_name search write }; allow user_crond_t postfix_spool_maildrop_t:file { create getattr rename setattr write }; allow user_crond_t postfix_spool_t:dir { getattr read search }; allow user_crond_t pppd_etc_t:dir { getattr search }; allow user_crond_t pppd_var_run_t:dir getattr; allow user_crond_t prelink_log_t:file { append getattr write }; allow user_crond_t print_spool_t:dir getattr; allow user_crond_t radvd_var_run_t:dir getattr; allow user_crond_t rpm_exec_t:file { relabelto rename unlink }; allow user_crond_t rpm_log_t:file { append getattr read write }; allow user_crond_t rpm_var_lib_t:dir { getattr read search write }; allow user_crond_t rpm_var_lib_t:file { getattr lock read write }; allow user_crond_t samba_etc_t:dir getattr; allow user_crond_t samba_log_t:dir { add_name getattr read remove_name search write }; allow user_crond_t samba_log_t:file { create getattr read rename setattr write }; allow user_crond_t samba_var_t:dir { getattr read search }; allow user_crond_t saslauthd_exec_t:file { relabelto rename unlink }; allow user_crond_t saslauthd_var_run_t:dir getattr; allow user_crond_t sbin_t:dir { add_name remove_name write }; allow user_crond_t sbin_t:file { create relabelfrom relabelto rename setattr unlink write }; allow user_crond_t security_t:dir read; allow user_crond_t semanage_store_t:dir { getattr search }; allow user_crond_t sendmail_log_t:dir getattr; allow user_crond_t shlib_t:file { relabelto rename unlink }; allow user_crond_t smbd_t:process signal; allow user_crond_t smbd_var_run_t:file { getattr read }; allow user_crond_t src_t:dir getattr; allow user_crond_t staff_home_dir_t:dir { getattr search }; allow user_crond_t 
staff_home_ssh_t:dir getattr; allow user_crond_t stunnel_etc_t:dir getattr; allow user_crond_t sysadm_home_ssh_t:dir getattr; allow user_crond_t sysadm_home_t:dir { getattr read search }; allow user_crond_t sysctl_fs_t:dir { getattr search }; allow user_crond_t sysfs_t:dir getattr; allow user_crond_t syslogd_t:unix_dgram_socket sendto; allow user_crond_t system_cron_spool_t:dir getattr; allow user_crond_t system_dbusd_var_run_t:dir getattr; allow user_crond_t tdm2_etc_t:dir { getattr search }; allow user_crond_t tmp_t:dir { add_name read remove_name setattr write }; allow user_crond_t tmp_t:file { append create getattr ioctl read unlink write }; allow user_crond_t tmpfs_t:dir getattr; allow user_crond_t self:capability { chown fowner fsetid setgid setuid }; allow user_crond_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow user_crond_t self:process { setfscreate setrlimit }; allow user_crond_t self:tcp_socket { connect create read write }; allow user_crond_t self:udp_socket { create ioctl read write }; allow user_crond_t var_lib_nfs_t:dir { getattr read search }; allow user_crond_t var_lib_t:dir { getattr read search }; allow user_crond_t var_lib_t:file { getattr write }; allow user_crond_t var_lock_t:dir { add_name getattr read remove_name search write }; allow user_crond_t var_lock_t:file { create unlink write }; allow user_crond_t var_log_t:dir read; allow user_crond_t var_log_t:file { getattr read }; allow user_crond_t var_run_t:dir { add_name remove_name write }; allow user_crond_t var_run_t:file { create getattr unlink write }; allow user_crond_t var_spool_t:dir read; allow user_crond_t var_spool_t:file { read setattr write }; allow user_crond_t var_t:dir read; allow user_crond_t var_t:file { setattr write }; allow user_crond_t var_yp_t:dir getattr; allow user_crond_t winbind_var_run_t:dir getattr; allow user_crond_t wtmp_t:file getattr; From paul at city-fan.org Thu Sep 7 09:32:43 2006 From: paul at city-fan.org (Paul Howarth) 
Date: Thu, 07 Sep 2006 10:32:43 +0100
Subject: procmail with nfs home dirs
In-Reply-To: <44FF85DE.4080304@gillens.us>
References: <44FF85DE.4080304@gillens.us>
Message-ID: <44FFE73B.4070706@city-fan.org>

Matthew Gillen wrote:
> Hi,
> I'm new to SELinux, and I was having some problems with procmail not working
> correctly for me with NFS (via NIS-based autofs) home directories on FC5.
>
> There seemed to be a discussion about a similar issue a while back:
> http://www.redhat.com/archives/fedora-list/2006-May/msg03265.html
> but the solutions there didn't solve my problem.
>
> In any event, I managed to get it working for myself using the following
> policy module. The 'autofs_t:dir search' part seemed to be needed to find
> my .procmailrc file, and the rest looks like it is needed to write messages
> into my maildirs under $HOME/Mail/
>
> If anyone has suggestions on how to improve this I'd be happy to hear them.
> Thanks,
> Matt
>
> --------------------------------------
> module procmailnfs 1.0;
>
> require {
> class dir { getattr search write };
> class file { append getattr read };
> type autofs_t;
> type default_t;
> type procmail_t;
> role system_r;
> };
>
> allow procmail_t autofs_t:dir search;
> allow procmail_t default_t:dir { getattr search write };
> allow procmail_t default_t:file { append getattr read };

A couple of things:

1. I'm surprised you're getting default_t as the type; NFS directories here are nfs_t

2. I'd wrap the parts needed for NFS home directories with a conditional based on the state of the use_nfs_home_dirs boolean, as for instance happens in the xserver policy:

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(xdm_t)
	fs_manage_nfs_files(xdm_t)
	fs_manage_nfs_symlinks(xdm_t)
	fs_exec_nfs_files(xdm_t)
')

Paul.
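Matt's module recast in the shape Paul suggests, as an added example (not Matt's module as posted, nor Paul's code): a refpolicy-style module built with the selinux-policy-devel Makefile rather than checkmodule, which is what makes tunable_policy and the fs_* interfaces available. It assumes the home directories really are labelled nfs_t on the client, as Paul expects, and that traversing the autofs mount point is the only rule needed outside the tunable; the default_t rules are dropped on purpose, because default_t on a home directory points at a labeling problem rather than a policy gap.

```selinux
policy_module(procmailnfs, 1.0)

# Added example in the shape Paul suggests; not Matt's module as posted.
gen_require(`
	type procmail_t;
')

# procmail must traverse the autofs mount point (/home) to reach the
# automounted home directory and find ~/.procmailrc. This does not depend
# on the filesystem type behind the mount, so it sits outside the tunable.
fs_search_auto_mountpoints(procmail_t)

# Grant access to NFS-labelled home directories only when the administrator
# has turned the boolean on (setsebool -P use_nfs_home_dirs 1), mirroring
# the xserver policy fragment quoted above.
tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(procmail_t)
	fs_manage_nfs_files(procmail_t)
	fs_manage_nfs_symlinks(procmail_t)
')

# Build and load (the Makefile comes with selinux-policy-devel):
#   make -f /usr/share/selinux/devel/Makefile procmailnfs.pp
#   semodule -i procmailnfs.pp
```

If ls -Z on the home directory still shows default_t rather than nfs_t, none of these rules will match and the labeling needs fixing first.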
From dwalsh at redhat.com Thu Sep 7 19:32:41 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 07 Sep 2006 15:32:41 -0400
Subject: procmail with nfs home dirs
In-Reply-To: <44FF85DE.4080304@gillens.us>
References: <44FF85DE.4080304@gillens.us>
Message-ID: <450073D9.7050009@redhat.com>

Matthew Gillen wrote:
> Hi,
> I'm new to SELinux, and I was having some problems with procmail not working
> correctly for me with NFS (via NIS-based autofs) home directories on FC5.
>
> There seemed to be a discussion about a similar issue a while back:
> http://www.redhat.com/archives/fedora-list/2006-May/msg03265.html
> but the solutions there didn't solve my problem.
>
> In any event, I managed to get it working for myself using the following
> policy module. The 'autofs_t:dir search' part seemed to be needed to find
> my .procmailrc file, and the rest looks like it is needed to write messages
> into my maildirs under $HOME/Mail/
>
> If anyone has suggestions on how to improve this I'd be happy to hear them.
> Thanks,
> Matt
>
> --------------------------------------
> module procmailnfs 1.0;
>
> require {
> class dir { getattr search write };
> class file { append getattr read };
> type autofs_t;
> type default_t;
> type procmail_t;
> role system_r;
> };
>
> allow procmail_t autofs_t:dir search;
> allow procmail_t default_t:dir { getattr search write };
> allow procmail_t default_t:file { append getattr read };
> --------------------------------------
>
>
This looks like a labeling problem. What directory is labeled default_t?
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From matt at gillens.us Thu Sep 7 23:38:08 2006
From: matt at gillens.us (Matthew Gillen)
Date: Thu, 07 Sep 2006 19:38:08 -0400
Subject: procmail with nfs home dirs
In-Reply-To: <450073D9.7050009@redhat.com>
References: <44FF85DE.4080304@gillens.us> <450073D9.7050009@redhat.com>
Message-ID: <4500AD60.7020404@gillens.us>

Daniel J Walsh wrote:
> Matthew Gillen wrote:
>> Hi,
>> I'm new to SELinux, and I was having some problems with procmail not
>> working
>> correctly for me with NFS (via NIS-based autofs) home directories on FC5.
>>
>> There seemed to be a discussion about a similar issue a while back:
>> http://www.redhat.com/archives/fedora-list/2006-May/msg03265.html
>> but the solutions there didn't solve my problem.
>>
>> In any event, I managed to get it working for myself using the following
>> policy module. The 'autofs_t:dir search' part seemed to be needed to
>> find
>> my .procmailrc file, and the rest looks like it is needed to write
>> messages
>> into my maildirs under $HOME/Mail/
>>
>> If anyone has suggestions on how to improve this I'd be happy to hear
>> them.
>> Thanks,
>> Matt
>>
>> --------------------------------------
>> module procmailnfs 1.0;
>>
>> require {
>> class dir { getattr search write };
>> class file { append getattr read };
>> type autofs_t;
>> type default_t;
>> type procmail_t;
>> role system_r;
>> };
>>
>> allow procmail_t autofs_t:dir search;
>> allow procmail_t default_t:dir { getattr search write };
>> allow procmail_t default_t:file { append getattr read };
>> --------------------------------------
>>
>>
> This looks like a labeling problem. What directory is labeled default_t?

I think I need to explain a bit more about my setup. Basically, I've got one machine that's an NIS+NFS server and a mail server. This machine has /export/home set up as one of its nfs shares.
After a '/sbin/restorecon -v -R /export/home', the ls -Z output for /export/home/username is system_u:object_r:default_t.

Here's where it gets interesting. The NFS server will automount from itself for users in NIS. If I log into the NFS server as 'username', and do 'ls -lZd /home/username', the result is 'system_u:object_r:default_t'. However, if I'm on some other machine (that is an NFS client), the 'ls -Z' output for /home/username is 'system_u:object_r:nfs_t'

On both machines, (the NFS server+client and the pure client) the ls -Z output for /home indicates 'system_u:object_r:autofs_t'

So, maybe what's ultimately going on is that there's a bug in setting the context for a locally-served NFS share?

Thanks,
Matt

From paul at city-fan.org Fri Sep 8 07:25:06 2006
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 08 Sep 2006 08:25:06 +0100
Subject: procmail with nfs home dirs
In-Reply-To: <4500AD60.7020404@gillens.us>
References: <44FF85DE.4080304@gillens.us> <450073D9.7050009@redhat.com> <4500AD60.7020404@gillens.us>
Message-ID: <1157700306.16685.30.camel@metropolis.intra.city-fan.org>

On Thu, 2006-09-07 at 19:38 -0400, Matthew Gillen wrote:
> Daniel J Walsh wrote:
> > Matthew Gillen wrote:
> >> Hi,
> >> I'm new to SELinux, and I was having some problems with procmail not
> >> working
> >> correctly for me with NFS (via NIS-based autofs) home directories on FC5.
> >>
> >> There seemed to be a discussion about a similar issue a while back:
> >> http://www.redhat.com/archives/fedora-list/2006-May/msg03265.html
> >> but the solutions there didn't solve my problem.
> >>
> >> In any event, I managed to get it working for myself using the following
> >> policy module. The 'autofs_t:dir search' part seemed to be needed to
> >> find
> >> my .procmailrc file, and the rest looks like it is needed to write
> >> messages
> >> into my maildirs under $HOME/Mail/
> >>
> >> If anyone has suggestions on how to improve this I'd be happy to hear
> >> them.
> >> Thanks,
> >> Matt
> >>
> >> --------------------------------------
> >> module procmailnfs 1.0;
> >>
> >> require {
> >> class dir { getattr search write };
> >> class file { append getattr read };
> >> type autofs_t;
> >> type default_t;
> >> type procmail_t;
> >> role system_r;
> >> };
> >>
> >> allow procmail_t autofs_t:dir search;
> >> allow procmail_t default_t:dir { getattr search write };
> >> allow procmail_t default_t:file { append getattr read };
> >> --------------------------------------
> >>
> >>
> > This looks like a labeling problem. What directory is labeled default_t?
>
> I think I need to explain a bit more about my setup. Basically, I've got
> one machine that's an NIS+NFS server and a mail server. This machine has
> /export/home set up as one of its nfs shares.
> After a '/sbin/restorecon -v -R /export/home', the ls -Z output for
> /export/home/username is system_u:object_r:default_t.
>
> Here's where it gets interesting. The NFS server will automount from itself
> for users in NIS. If I log into the NFS server as 'username', and do 'ls
> -lZd /home/username', the result is 'system_u:object_r:default_t'. However,
> if I'm on some other machine (that is an NFS client), the 'ls -Z' output for
> /home/username is 'system_u:object_r:nfs_t'
>
> On both machines, (the NFS server+client and the pure client) the ls -Z
> output for /home indicates 'system_u:object_r:autofs_t'
>
> So, maybe what's ultimately going on is that there's a bug in setting the
> context for a locally-served NFS share?

I think it's much simpler than that; there is no default context for /export/home (Fedora home directories default to /home rather than /export/home) and that's why restorecon didn't change anything.

Are the home directories in the NIS database listed as being in /home or /export/home?

Paul.
From dwalsh at redhat.com Fri Sep 8 18:11:37 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 08 Sep 2006 14:11:37 -0400
Subject: problems with latest mls policy
In-Reply-To: <5FF0BE4B-00DE-4047-B172-D2EE87A0AB9A@sf-net.com>
References: <5FF0BE4B-00DE-4047-B172-D2EE87A0AB9A@sf-net.com>
Message-ID: <4501B259.2000704@redhat.com>

Stefan wrote:
> Hi,
>
> I did an update of the mls policy last night (the version before was
> 1.5 months old) and now cron can't change its context to logrotate.
> Only two modules seem to be installed in /usr/share/selinux/mls:
> base.pp and enableaudit.pp
These are the only two.
> If I install the strict policy there are a lot of policy modules
> installed even logrotate.pp.
> Someone any ideas?
Strict policy is fully modularized, which is why there are so many. mls is a much smaller subset of packages.
>
> The following packages are installed:
> selinux-policy-2.3.7-2.fc5
> selinux-policy-mls-2.3.7-2.fc5
> selinux-policy-devel-2.3.7-2.fc5
>
> Best regards,
> Stefan
>
> PS: Here is a list of all the avc denials:
> allow user_crond_t NetworkManager_var_run_t:dir getattr;
> allow user_crond_t acct_data_t:dir { getattr search };
> allow user_crond_t acct_data_t:file getattr;
> allow user_crond_t alsa_etc_rw_t:dir getattr;
> allow user_crond_t apmd_log_t:file getattr;
> allow user_crond_t auditd_log_t:dir getattr;
> allow user_crond_t avahi_var_run_t:dir getattr;
> allow user_crond_t bin_t:dir { add_name remove_name write };
> allow user_crond_t bin_t:file { create relabelfrom relabelto rename
> setattr unlink write };
> allow user_crond_t binfmt_misc_fs_t:dir getattr;
> allow user_crond_t bluetooth_conf_t:dir getattr;
> allow user_crond_t boot_t:dir getattr;
> allow user_crond_t cert_t:dir { getattr read search };
> allow user_crond_t crack_db_t:dir getattr;
> allow user_crond_t cron_spool_t:dir { getattr search };
> allow user_crond_t cvs_data_t:dir getattr;
> allow user_crond_t data_t:dir { getattr read search };
> allow
user_crond_t dbusd_etc_t:dir { getattr search }; > allow user_crond_t default_context_t:dir { getattr read search }; > allow user_crond_t default_t:dir getattr; > allow user_crond_t devlog_t:sock_file write; > allow user_crond_t devpts_t:dir getattr; > allow user_crond_t dhcpc_state_t:dir getattr; > allow user_crond_t dhcpd_state_t:dir { getattr read search }; > allow user_crond_t etc_mail_t:dir getattr; > allow user_crond_t etc_runtime_t:dir getattr; > allow user_crond_t etc_t:dir { add_name remove_name write }; > allow user_crond_t etc_t:file { create rename setattr unlink write }; > allow user_crond_t file_context_t:dir { getattr read search }; > allow user_crond_t firstboot_rw_t:dir { getattr search }; > allow user_crond_t fonts_t:dir getattr; > allow user_crond_t home_root_t:dir read; > allow user_crond_t httpd_config_t:dir { getattr search }; > allow user_crond_t httpd_log_t:dir { getattr read search }; > allow user_crond_t httpd_log_t:file { getattr read }; > allow user_crond_t httpd_modules_t:dir { getattr read search }; > allow user_crond_t httpd_modules_t:file { getattr read }; > allow user_crond_t httpd_sys_content_t:dir { getattr read search }; > allow user_crond_t httpd_sys_script_exec_t:dir getattr; > allow user_crond_t httpd_var_lib_t:dir getattr; > allow user_crond_t hwdata_t:dir { getattr search }; > allow user_crond_t initrc_tmp_t:dir getattr; > allow user_crond_t ipsec_conf_file_t:dir { getattr search }; > allow user_crond_t ipsec_exec_t:file { relabelto rename unlink }; > allow user_crond_t ipsec_key_file_t:dir getattr; > allow user_crond_t ipsec_var_run_t:dir getattr; > allow user_crond_t lib_t:dir { add_name remove_name write }; > allow user_crond_t lib_t:file { create relabelfrom relabelto rename > setattr unlink write }; > allow user_crond_t locate_var_lib_t:dir { add_name getattr read > remove_name search write }; > allow user_crond_t locate_var_lib_t:file { create getattr read rename > setattr unlink write }; > allow user_crond_t 
logrotate_var_lib_t:file { getattr read write }; > allow user_crond_t logwatch_cache_t:dir { add_name create getattr read > remove_name rmdir search write }; > allow user_crond_t logwatch_cache_t:file { create getattr ioctl read > unlink write }; > allow user_crond_t lost_found_t:dir getattr; > allow user_crond_t lvm_etc_t:dir { getattr search }; > allow user_crond_t lvm_lock_t:dir getattr; > allow user_crond_t lvm_metadata_t:dir getattr; > allow user_crond_t mail_spool_t:dir { getattr read }; > allow user_crond_t mail_spool_t:lnk_file read; > allow user_crond_t man_t:dir { getattr read search setattr }; > allow user_crond_t man_t:file { getattr read setattr write }; > allow user_crond_t mdadm_var_run_t:dir getattr; > allow user_crond_t mnt_t:dir { getattr search }; > allow user_crond_t modules_object_t:dir { getattr read search }; > allow user_crond_t mqueue_spool_t:dir getattr; > allow user_crond_t mrtg_etc_t:dir getattr; > allow user_crond_t mrtg_lock_t:dir getattr; > allow user_crond_t mrtg_var_lib_t:dir getattr; > allow user_crond_t named_cache_t:dir getattr; > allow user_crond_t named_conf_t:dir { getattr read search }; > allow user_crond_t named_var_run_t:dir { getattr read search }; > allow user_crond_t named_zone_t:dir { getattr read search }; > allow user_crond_t net_conf_t:file { getattr read }; > allow user_crond_t netif_t:netif { rawip_recv rawip_send }; > allow user_crond_t netutils_exec_t:file { relabelto rename unlink }; > allow user_crond_t nmbd_t:process signal; > allow user_crond_t nmbd_var_run_t:file { getattr read }; > allow user_crond_t node_t:node { rawip_recv rawip_send }; > allow user_crond_t nscd_var_run_t:dir { getattr search }; > allow user_crond_t ntp_drift_t:dir { getattr read search }; > allow user_crond_t pam_var_console_t:dir getattr; > allow user_crond_t pam_var_run_t:dir getattr; > allow user_crond_t policy_config_t:dir { getattr read search }; > allow user_crond_t postfix_etc_t:dir { getattr search }; > allow user_crond_t 
postfix_etc_t:file { getattr read }; > allow user_crond_t postfix_private_t:dir getattr; > allow user_crond_t postfix_public_t:dir { getattr search }; > allow user_crond_t postfix_public_t:fifo_file { getattr write }; > allow user_crond_t postfix_spool_bounce_t:dir getattr; > allow user_crond_t postfix_spool_flush_t:dir getattr; > allow user_crond_t postfix_spool_maildrop_t:dir { add_name getattr > read remove_name search write }; > allow user_crond_t postfix_spool_maildrop_t:file { create getattr > rename setattr write }; > allow user_crond_t postfix_spool_t:dir { getattr read search }; > allow user_crond_t pppd_etc_t:dir { getattr search }; > allow user_crond_t pppd_var_run_t:dir getattr; > allow user_crond_t prelink_log_t:file { append getattr write }; > allow user_crond_t print_spool_t:dir getattr; > allow user_crond_t radvd_var_run_t:dir getattr; > allow user_crond_t rpm_exec_t:file { relabelto rename unlink }; > allow user_crond_t rpm_log_t:file { append getattr read write }; > allow user_crond_t rpm_var_lib_t:dir { getattr read search write }; > allow user_crond_t rpm_var_lib_t:file { getattr lock read write }; > allow user_crond_t samba_etc_t:dir getattr; > allow user_crond_t samba_log_t:dir { add_name getattr read remove_name > search write }; > allow user_crond_t samba_log_t:file { create getattr read rename > setattr write }; > allow user_crond_t samba_var_t:dir { getattr read search }; > allow user_crond_t saslauthd_exec_t:file { relabelto rename unlink }; > allow user_crond_t saslauthd_var_run_t:dir getattr; > allow user_crond_t sbin_t:dir { add_name remove_name write }; > allow user_crond_t sbin_t:file { create relabelfrom relabelto rename > setattr unlink write }; > allow user_crond_t security_t:dir read; > allow user_crond_t semanage_store_t:dir { getattr search }; > allow user_crond_t sendmail_log_t:dir getattr; > allow user_crond_t shlib_t:file { relabelto rename unlink }; > allow user_crond_t smbd_t:process signal; > allow user_crond_t 
smbd_var_run_t:file { getattr read }; > allow user_crond_t src_t:dir getattr; > allow user_crond_t staff_home_dir_t:dir { getattr search }; > allow user_crond_t staff_home_ssh_t:dir getattr; > allow user_crond_t stunnel_etc_t:dir getattr; > allow user_crond_t sysadm_home_ssh_t:dir getattr; > allow user_crond_t sysadm_home_t:dir { getattr read search }; > allow user_crond_t sysctl_fs_t:dir { getattr search }; > allow user_crond_t sysfs_t:dir getattr; > allow user_crond_t syslogd_t:unix_dgram_socket sendto; > allow user_crond_t system_cron_spool_t:dir getattr; > allow user_crond_t system_dbusd_var_run_t:dir getattr; > allow user_crond_t tdm2_etc_t:dir { getattr search }; > allow user_crond_t tmp_t:dir { add_name read remove_name setattr write }; > allow user_crond_t tmp_t:file { append create getattr ioctl read > unlink write }; > allow user_crond_t tmpfs_t:dir getattr; > allow user_crond_t self:capability { chown fowner fsetid setgid setuid }; > allow user_crond_t self:netlink_route_socket { bind create getattr > nlmsg_read read write }; > allow user_crond_t self:process { setfscreate setrlimit }; > allow user_crond_t self:tcp_socket { connect create read write }; > allow user_crond_t self:udp_socket { create ioctl read write }; > allow user_crond_t var_lib_nfs_t:dir { getattr read search }; > allow user_crond_t var_lib_t:dir { getattr read search }; > allow user_crond_t var_lib_t:file { getattr write }; > allow user_crond_t var_lock_t:dir { add_name getattr read remove_name > search write }; > allow user_crond_t var_lock_t:file { create unlink write }; > allow user_crond_t var_log_t:dir read; > allow user_crond_t var_log_t:file { getattr read }; > allow user_crond_t var_run_t:dir { add_name remove_name write }; > allow user_crond_t var_run_t:file { create getattr unlink write }; > allow user_crond_t var_spool_t:dir read; > allow user_crond_t var_spool_t:file { read setattr write }; > allow user_crond_t var_t:dir read; > allow user_crond_t var_t:file { setattr write 
};
> allow user_crond_t var_yp_t:dir getattr;
> allow user_crond_t winbind_var_run_t:dir getattr;
> allow user_crond_t wtmp_t:file getattr;
> Please attach your message log.
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Fri Sep 8 18:43:28 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 08 Sep 2006 14:43:28 -0400
Subject: procmail with nfs home dirs
In-Reply-To: <1157700306.16685.30.camel@metropolis.intra.city-fan.org>
References: <44FF85DE.4080304@gillens.us> <450073D9.7050009@redhat.com> <4500AD60.7020404@gillens.us> <1157700306.16685.30.camel@metropolis.intra.city-fan.org>
Message-ID: <4501B9D0.8060609@redhat.com>

Paul Howarth wrote:
> On Thu, 2006-09-07 at 19:38 -0400, Matthew Gillen wrote:
>> Daniel J Walsh wrote:
>>> Matthew Gillen wrote:
>>>> Hi,
>>>> I'm new to SELinux, and I was having some problems with procmail not working correctly for me with NFS (via NIS-based autofs) home directories on FC5.
>>>>
>>>> There seemed to be a discussion about a similar issue a while back:
>>>> http://www.redhat.com/archives/fedora-list/2006-May/msg03265.html
>>>> but the solutions there didn't solve my problem.
>>>>
>>>> In any event, I managed to get it working for myself using the following policy module. The 'autofs_t:dir search' part seemed to be needed to find my .procmailrc file, and the rest looks like it is needed to write messages into my maildirs under $HOME/Mail/
>>>>
>>>> If anyone has suggestions on how to improve this I'd be happy to hear them.
>>>> Thanks,
>>>> Matt
>>>>
>>>> --------------------------------------
>>>> module procmailnfs 1.0;
>>>>
>>>> require {
>>>> class dir { getattr search write };
>>>> class file { append getattr read };
>>>> type autofs_t;
>>>> type default_t;
>>>> type procmail_t;
>>>> role system_r;
>>>> };
>>>>
>>>> allow procmail_t autofs_t:dir search;
>>>> allow procmail_t default_t:dir { getattr search write };
>>>> allow procmail_t default_t:file { append getattr read };
>>>> --------------------------------------
>>>
>>> This looks like a labeling problem. What directory is labeled default_t?
>>
>> I think I need to explain a bit more about my setup. Basically, I've got one machine that's an NIS+NFS server and a mail server. This machine has /export/home set up as one of its nfs shares.
>> After a '/sbin/restorecon -v -R /export/home', the ls -Z output for /export/home/username is system_u:object_r:default_t.
>>
>> Here's where it gets interesting. The NFS server will automount from itself for users in NIS. If I log into the NFS server as 'username', and do 'ls -lZd /home/username', the result is 'system_u:object_r:default_t'. However, if I'm on some other machine (that is an NFS client), the 'ls -Z' output for /home/username is 'system_u:object_r:nfs_t'
>>
>> On both machines, (the NFS server+client and the pure client) the ls -Z output for /home indicates 'system_u:object_r:autofs_t'
>>
>> So, maybe what's ultimately going on is that there's a bug in setting the context for a locally-served NFS share?
>
> I think it's much simpler than that; there is no default context for /export/home (Fedora home directories default to /home rather than /export/home) and that's why restorecon didn't change anything.
>
> Are the home directories in the NIS database listed as being in /home or /export/home?
>
> Paul.

Yes the question is where are the homedirs coming from and what are they labeled?
Are you doing a bind mount on the local machine?

Try
chcon -t home_root_t /export/home

From shishz at hotpop.com Fri Sep 8 23:19:45 2006
From: shishz at hotpop.com (Zing)
Date: Fri, 08 Sep 2006 19:19:45 -0400
Subject: no avc denial for httpd_tty_comm checks ???
Message-ID:

Is it normal for no avc denial to happen if the httpd_tty_comm disallows httpd to grab the tty?

I ask, because I just set up a key for apache on core 5 and httpd_tty_comm will deny apache tty access by default. That's fine, but the first thing I checked was "aureport --failed -a" and it was silent about anything failing... this doesn't seem intuitively correct, but I'm just a selinux beginner.

thanks.

From matt at gillens.us Sat Sep 9 02:11:47 2006
From: matt at gillens.us (Matthew Gillen)
Date: Fri, 08 Sep 2006 22:11:47 -0400
Subject: procmail with nfs home dirs
In-Reply-To: <4501B9D0.8060609@redhat.com>
References: <44FF85DE.4080304@gillens.us> <450073D9.7050009@redhat.com> <4500AD60.7020404@gillens.us> <1157700306.16685.30.camel@metropolis.intra.city-fan.org> <4501B9D0.8060609@redhat.com>
Message-ID: <450222E3.1090605@gillens.us>

Daniel J Walsh wrote:
> Paul Howarth wrote:
>> On Thu, 2006-09-07 at 19:38 -0400, Matthew Gillen wrote:
>>> Daniel J Walsh wrote:
>>>> Matthew Gillen wrote:
>>>>> Hi,
>>>>> I'm new to SELinux, and I was having some problems with procmail not working correctly for me with NFS (via NIS-based autofs) home directories on FC5.
>>>>>
>>>>> There seemed to be a discussion about a similar issue a while back:
>>>>> http://www.redhat.com/archives/fedora-list/2006-May/msg03265.html
>>>>> but the solutions there didn't solve my problem.
>>>>>
>>>>> In any event, I managed to get it working for myself using the following policy module.
>>>>> The 'autofs_t:dir search' part seemed to be needed to find my .procmailrc file, and the rest looks like it is needed to write messages into my maildirs under $HOME/Mail/
>>>>>
>>>>> If anyone has suggestions on how to improve this I'd be happy to hear them.
>>>>> Thanks,
>>>>> Matt
>>>>>
>>>>> --------------------------------------
>>>>> module procmailnfs 1.0;
>>>>>
>>>>> require {
>>>>> class dir { getattr search write };
>>>>> class file { append getattr read };
>>>>> type autofs_t;
>>>>> type default_t;
>>>>> type procmail_t;
>>>>> role system_r;
>>>>> };
>>>>>
>>>>> allow procmail_t autofs_t:dir search;
>>>>> allow procmail_t default_t:dir { getattr search write };
>>>>> allow procmail_t default_t:file { append getattr read };
>>>>> --------------------------------------
>>>>
>>>> This looks like a labeling problem. What directory is labeled default_t?
>>>
>>> I think I need to explain a bit more about my setup. Basically, I've got one machine that's an NIS+NFS server and a mail server. This machine has /export/home set up as one of its nfs shares.
>>> After a '/sbin/restorecon -v -R /export/home', the ls -Z output for /export/home/username is system_u:object_r:default_t.
>>>
>>> Here's where it gets interesting. The NFS server will automount from itself for users in NIS. If I log into the NFS server as 'username', and do 'ls -lZd /home/username', the result is 'system_u:object_r:default_t'. However, if I'm on some other machine (that is an NFS client), the 'ls -Z' output for /home/username is 'system_u:object_r:nfs_t'
>>> On both machines, (the NFS server+client and the pure client) the ls -Z output for /home indicates 'system_u:object_r:autofs_t'
>>>
>>> So, maybe what's ultimately going on is that there's a bug in setting the context for a locally-served NFS share?
>>
>> I think it's much simpler than that; there is no default context for /export/home (Fedora home directories default to /home rather than /export/home) and that's why restorecon didn't change anything.
>>
>> Are the home directories in the NIS database listed as being in /home or /export/home?

'getent passwd' would say that the home dirs are in /home. And /etc/auto.home on the server contains:

# Auto.home
* server:/export/home/&

So, I think the answer to your question is /home.

I did just notice something peculiar though: on the server, the automounted entries (/home/*) don't show up when I run 'df'. On a pure client, 'df' reports all the automounted home dirs:

Filesystem                  Mounted On
server:/export/home/user1 ... /home/user1
server:/export/home/user2 ... /home/user2

> Yes the question is where are the homedirs coming from and what are they labeled? Are you doing a bind mount on the local machine?

I'm not sure what you mean by a 'bind mount'.

> Try
> chcon -t home_root_t /export/home

Ok, I did that, but what should I expect to change (other than the output of 'ls -Zd /export/home')? Should that change the behavior of restorecon for /export/home/*?

Thanks,
Matt

From andrew at sprocks.gotdns.com Sat Sep 9 08:13:02 2006
From: andrew at sprocks.gotdns.com (Andrew Kroeger)
Date: Sat, 09 Sep 2006 03:13:02 -0500
Subject: Preventing homedir relabel of Oracle XE files
Message-ID: <4502778E.7050803@sprocks.gotdns.com>

Greetings:

I just updated to the latest FC5 policy (2.3.7-2), and saw all of the files in my Oracle XE installation get relabeled to user_u:object_r:user_home_t. I was able to get Oracle XE installed and running with SELinux enabled (details available at http://forums.oracle.com/forums/message.jspa?messageID=1344572 -- registration required), and that got hosed by the relabel.

I initially thought something Oracle-specific had been added to the new policy and caused the relabel.
After some searching, I discovered entries in /etc/selinux/targeted/contexts/files/file_contexts.homedirs (which is generated by genhomedircon) that had caused the relabel. Further investigation showed that genhomedircon ignores "system" users (UID < 500), but the Oracle RPM creates the "oracle" user as a non-system user during the install.

Is there any way to provide an exception to the "oracle" user for future policy updates? I was able to get things working again by re-labeling the affected files, but I would like to avoid that step for each policy update that comes out. Also, if specific policies are created for Oracle XE in the future, would those override the homedir policies for the non-system "oracle" user, or would there be potential conflicts that would need to be resolved in that case?

I appreciate any assistance that can be provided in this matter.

Thanks,
Andrew Kroeger

From rhbugs at n-dimensional.de Sat Sep 9 10:20:23 2006
From: rhbugs at n-dimensional.de (Hans Ulrich Niedermann)
Date: Sat, 09 Sep 2006 12:20:23 +0200
Subject: Preventing homedir relabel of Oracle XE files
In-Reply-To: <4502778E.7050803@sprocks.gotdns.com> (Andrew Kroeger's message of "Sat, 09 Sep 2006 03:13:02 -0500")
References: <4502778E.7050803@sprocks.gotdns.com>
Message-ID: <868xkt1guw.fsf@n-dimensional.de>

Andrew Kroeger writes:

> Is there any way to provide an exception to the "oracle" user for future policy updates? I was able to get things working again by re-labeling the affected files, but I would like to avoid that step for each policy update that comes out. Also, if specific policies are created for Oracle XE in the future, would those override the homedir policies for the non-system "oracle" user, or would there be potential conflicts that would need to be resolved in that case?

If you write and install an SELinux Policy Module properly tailored to your needs, the next relabeling will relabel it exactly as you have defined in that policy module.

U.
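The UID rule Andrew describes is easy to check for ahead of a policy update. The following is an added example, not genhomedircon's own code and not something from the thread: it applies the stated rule (accounts with UID below 500 are skipped as system users) to passwd-format entries and flags the non-system accounts whose home tree is outside /home, since those trees are the ones a relabel will turn into user_home_t. The 500 threshold is taken from the post; the passwd entries and the oracle home path are constructed for the example.

```python
"""Predict which accounts genhomedircon will give home-directory contexts.

Added example; not genhomedircon's code. The UID < 500 rule is the one
reported in the thread; the passwd lines below are constructed.
"""

FIRST_NON_SYSTEM_UID = 500  # from the post: genhomedircon ignores UID < 500


def parse_passwd(lines):
    """Yield (name, uid, home) from passwd-format lines; skip anything malformed."""
    for line in lines:
        parts = line.rstrip("\n").split(":")
        if len(parts) != 7:
            continue
        name, _pw, uid, _gid, _gecos, home, _shell = parts
        try:
            yield name, int(uid), home
        except ValueError:
            continue  # non-numeric UID field: not a real passwd entry


def homedir_candidates(lines, uid_min=FIRST_NON_SYSTEM_UID):
    """Accounts that get entries in file_contexts.homedirs by the UID rule."""
    return [(name, home) for name, uid, home in parse_passwd(lines) if uid >= uid_min]


def homes_outside(lines, root="/home"):
    """Non-system accounts whose home is not under `root`: software trees
    owned by such accounts (the Oracle XE case) get relabeled as home dirs."""
    prefix = root.rstrip("/") + "/"
    return [(name, home) for name, home in homedir_candidates(lines)
            if not home.startswith(prefix)]


# Constructed /etc/passwd excerpt: the oracle account has a regular UID
# although it owns an installation tree rather than a user's files.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "apache:x:48:48:Apache:/var/www:/sbin/nologin",
    "andrew:x:500:500:Andrew Kroeger:/home/andrew:/bin/bash",
    "oracle:x:501:501:Oracle XE (constructed path):/usr/lib/oracle/xe:/bin/bash",
    "broken line without enough fields",
]

if __name__ == "__main__":
    for name, home in homes_outside(SAMPLE_PASSWD):
        print("%s: %s will be treated as a home directory on the next relabel" % (name, home))
```

Running it against the real /etc/passwd (or `getent passwd` output, which also covers NIS users as in the procmail thread) lists the accounts for which a tailored policy module with its own file contexts, as Hans suggests, is needed before the next update.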
From linux_4ever at yahoo.com Sat Sep 9 10:57:14 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Sat, 9 Sep 2006 03:57:14 -0700 (PDT)
Subject: no avc denial for httpd_tty_comm checks ???
In-Reply-To:
Message-ID: <20060909105714.8114.qmail@web51502.mail.yahoo.com>

>That's fine, but the first thing I checked was "aureport --failed -a" and it
>was silent about anything failing...

What aureport considers a failure is syscalls that fail. For example, if you have your system in permissive mode, the syscall associated with any avcs would actually succeed. If you take the --failed flag away, do you see the expected avc being reported?

-Steve

From shishz at hotpop.com Sat Sep 9 19:44:12 2006
From: shishz at hotpop.com (Zing)
Date: Sat, 09 Sep 2006 15:44:12 -0400
Subject: no avc denial for httpd_tty_comm checks ???
References: <20060909105714.8114.qmail@web51502.mail.yahoo.com>
Message-ID:

On Sat, 09 Sep 2006 03:57:14 -0700, Steve G wrote:

>>That's fine, but the first thing I checked was "aureport --failed -a"
>>and it was silent about anything failing...
>
> What aureport considers a failure is syscalls that fail. For example, if you have your system in permissive mode, the syscall associated with any avcs would actually succeed. If you take the --failed flag away, do you see the expected avc being reported?

sorry, looks the same.

I double checked i am in enforcing and targeted policy mode and just tried again and still nothing. I can basically "setsebool httpd_tty_comm 0" and get this error in apache ssl_error_log:

[Sat Sep 09 15:34:52 2006] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
[Sat Sep 09 15:34:52 2006] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Sat Sep 09 15:34:52 2006] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Sat Sep 09 15:34:52 2006] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Sat Sep 09 15:34:52 2006] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

and nothing in "aureport -a", then "setsebool httpd_tty_comm 1" and apache will prompt accordingly and startup.

zing

From shishz at hotpop.com Sat Sep 9 20:10:50 2006
From: shishz at hotpop.com (Zing)
Date: Sat, 09 Sep 2006 16:10:50 -0400
Subject: dontaudit! arrr! was Re: no avc denial for httpd_tty_comm checks ???
References: <20060909105714.8114.qmail@web51502.mail.yahoo.com>
Message-ID:

On Sat, 09 Sep 2006 15:44:12 -0400, Zing wrote:

> On Sat, 09 Sep 2006 03:57:14 -0700, Steve G wrote:
>
>>>That's fine, but the first thing I checked was "aureport --failed -a"
>>>and it was silent about anything failing...
>>
>> What aureport considers a failure is syscalls that fail. For example, if you have your system in permissive mode, the syscall associated with any avcs would actually succeed. If you take the --failed flag away, do you see the expected avc being reported?
>
> sorry, looks the same.
>
> I double checked i am in enforcing and targeted policy mode and just tried again and still nothing. I can basically "setsebool httpd_tty_comm 0" and get this error in apache ssl_error_log:

ah ha... i just found out about the dontaudit rule (devious bugger!)...
i can see the avc denial now if I "semodule -b enableaudit.pp":

type=AVC msg=audit(1157831739.873:3618): avc: denied { read write } for pid=19145 comm="httpd" name="1" dev=devpts ino=3 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file

zing

From andreas at bawue.net Sat Sep 9 21:19:16 2006
From: andreas at bawue.net (Andreas Thienemann)
Date: Sat, 9 Sep 2006 23:19:16 +0200 (CEST)
Subject: A bit of packaging help is needed for suphp
Message-ID:

Hi,

I'm currently preparing an update for mod_suphp in FE.
suphp works similar to suexec for the apache httpd, only that it is designed with php scripts in mind.

The execution works similar to suexec: A php-script on the webserver is accessed, for which the mod_suphp module is configured.
The module executes /usr/sbin/suphp, which drops privileges to the user owning the file and executes the php-cgi binary, feeding the generated content back to the server.

I want this to work with the targeted selinux policy. Right now, the httpd error log shows:

[Sat Sep 09 06:05:36 2006] [error] [client 127.0.0.1] (13)Permission denied: couldn't create child process: /usr/sbin/suphp for /home/andreas/public_html/test.php

I tried relabeling the suphp binary with httpd_suexec_exec_t but this doesn't seem to help at all.
Strangely, I'm not seeing anything related in the audit.log.

A helpful user added a preliminary selinux policy to bugzilla for mod_suphp.

It'd be great if someone knowledgeable could take a look at it and comment.

bye,
andreas

From stefan at sf-net.com Sun Sep 10 09:08:58 2006
From: stefan at sf-net.com (Stefan)
Date: Sun, 10 Sep 2006 11:08:58 +0200
Subject: problems with latest mls policy
In-Reply-To: <4501B259.2000704@redhat.com>
References: <5FF0BE4B-00DE-4047-B172-D2EE87A0AB9A@sf-net.com> <4501B259.2000704@redhat.com>
Message-ID:

> Please attach your message log.

Attached. Approximately 400 lines of avc denials. Most of them are from "user_crond_t".
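Two of the threads above come down to reading AVC records: Zing's, where the denial only appears once the dontaudit rules are switched off with enableaudit.pp, and Stefan's, where a 400-line log has to be boiled down to "mostly user_crond_t". The following is an added example for both; it is not code from the list, not audit2allow, and not the attached log. It parses auditd AVC lines, counts denials per source domain, and merges each (source, target, class) into a candidate allow rule of the same shape as Matt's procmailnfs module. The sample records are constructed, except the httpd/devpts denial, which is the one Zing posted. Two caveats follow from the threads themselves: the parser can only see what the policy audits, so a dontaudit rule hides the denial from it as well as from aureport; and a generated rule is a starting point for review, not a fix, since, as Dan points out for default_t, the right answer is often relabeling rather than a new allow.

```python
"""Summarise SELinux AVC denials and draft the allow rules they imply.

Added example (not list code, not audit2allow). Sample records are
constructed except Zing's httpd denial, quoted from the thread.
"""
import re
from collections import defaultdict

# Shape of a kernel AVC record as auditd writes it:
#   avc: denied { perm ... } for pid=N comm="x" ... scontext=u:r:t:l tcontext=u:r:t:l tclass=c
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return source type, target type, class and perms of one denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # SYSCALL, PATH and other record types are not denials
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    # A context is user:role:type[:level]; the type is always the third field,
    # which also copes with MLS ranges such as s0-s15:c0.c1023.
    return {
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
    }


def summarise(lines):
    """Count denials per source domain and merge perms per (source, target, class)."""
    per_domain = defaultdict(int)
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        per_domain[rec["stype"]] += 1
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(per_domain), dict(rules)


def allow_rules(rules):
    """Render merged denials as allow rules for review (candidates, not a fix)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype  # policy spelling for same-domain targets
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        out.append("allow %s %s:%s %s;" % (stype, target, tclass, plist))
    return out


# Constructed sample: a SYSCALL record (ignored), Zing's httpd denial from
# the thread, and two invented user_crond_t denials against wtmp_t.
SAMPLE_RECORDS = [
    "type=SYSCALL msg=audit(1157831739.873:3618): arch=40000003 syscall=5 success=no exit=-13",
    'type=AVC msg=audit(1157831739.873:3618): avc: denied { read write } for pid=19145 '
    'comm="httpd" name="1" dev=devpts ino=3 scontext=user_u:system_r:httpd_t:s0 '
    "tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file",
    'type=AVC msg=audit(1157900001.100:20): avc: denied { getattr } for pid=2311 '
    'comm="crond" name="wtmp" dev=sda2 ino=9471 '
    "scontext=user_u:system_r:user_crond_t:s0-s15:c0.c1023 "
    "tcontext=system_u:object_r:wtmp_t:s0 tclass=file",
    'type=AVC msg=audit(1157900001.200:21): avc: denied { read } for pid=2311 '
    'comm="crond" name="wtmp" dev=sda2 ino=9471 '
    "scontext=user_u:system_r:user_crond_t:s0-s15:c0.c1023 "
    "tcontext=system_u:object_r:wtmp_t:s0 tclass=file",
]

if __name__ == "__main__":
    counts, merged = summarise(SAMPLE_RECORDS)
    for domain, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print("%5d  %s" % (n, domain))
    print("\n".join(allow_rules(merged)))
```

Feeding it /var/log/audit/audit.log (or `ausearch -m avc` output) gives the per-domain count Stefan estimated by hand and a rule list to compare against the policy; for the wtmp_t case the merged rule is `allow user_crond_t wtmp_t:file { getattr read };`, the form the attached log already shows.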
From paul at city-fan.org Sun Sep 10 12:46:08 2006
From: paul at city-fan.org (Paul Howarth)
Date: Sun, 10 Sep 2006 13:46:08 +0100
Subject: A bit of packaging help is needed for suphp
In-Reply-To:
References:
Message-ID: <1157892368.12559.7.camel@metropolis.intra.city-fan.org>

On Sat, 2006-09-09 at 23:19 +0200, Andreas Thienemann wrote:
> Hi,
>
> I'm currently preparing an update for mod_suphp in FE.
> suphp works similar to suexec for the apache httpd, only that it is designed with php scripts in mind.
>
> The execution works similar to suexec: A php-script on the webserver is accessed, for which the mod_suphp module is configured.
> The module executes /usr/sbin/suphp, which drops privileges to the user owning the file and executes the php-cgi binary, feeding the generated content back to the server.
>
> I want this to work with the targeted selinux policy. Right now, the httpd error log shows:
>
> [Sat Sep 09 06:05:36 2006] [error] [client 127.0.0.1] (13)Permission denied: couldn't create child process: /usr/sbin/suphp for /home/andreas/public_html/test.php
>
> I tried relabeling the suphp binary with httpd_suexec_exec_t but this doesn't seem to help at all.
> Strangely, I'm not seeing anything related in the audit.log.
>
> A helpful user added a preliminary selinux policy to bugzilla for mod_suphp.
>
> It'd be great if someone knowledgeable could take a look at it and comment.

It looks to me like it might be better to use apache_content_template for this. That's the approach I used for mod_fcgid:
http://cvs.fedora.redhat.com/viewcvs/devel/mod_fcgid/?root=extras

Paul.
From sentix at gmx.net Mon Sep 11 00:56:50 2006
From: sentix at gmx.net (Stefan "SeNtiX" Scicluna)
Date: Mon, 11 Sep 2006 02:56:50 +0200
Subject: Restrict Users to view own processes
Message-ID: <4504B452.6080400@gmx.net>

Is it possible using SELinux to restrict a user to view only his own processes? Because I need to give access to this machine to other users, and I want them to be able to view only their processes when using "ps aux", "top", "pstree" and other things which show running processes.

From benjamin.tsai at intervideo.com Mon Sep 11 11:08:20 2006
From: benjamin.tsai at intervideo.com (Benjamin Tsai)
Date: Mon, 11 Sep 2006 19:08:20 +0800
Subject: How to apply new policy exactly?
Message-ID: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDA1E@TPE-EVS02.ivi.net>

Dear all:

I've downloaded refpolicy source from tresys's website and tried to install it on my FC5 box.

However, there are some problems that I'm not able to fix so far. According to online documents, I first setenforce 0.

In build.conf I enabled DISTRO=redhat, then make install-src under /etc/selinux/refpolicy

make conf; make policy; make install; make load under /etc/selinux/refpolicy/src/policy

1. While executing make load, it replied that policy file argument policy.20 is no longer supported. The next line showed "continue..."

I was so confused here that it looked like refpolicy is not loaded yet. So how do I feed it a "supported policy file"?

2. Besides, is there any way I can check if the policy is loaded? My guess is sestatus.

3.
If I neglected the "loading-policy-thing" and make relabel directly, then I get

Relabeling filesystem types: ext2 ext3 xfs jfs
/usr/sbin/setfiles /etc/selinux/refpolicy/contexts/files/file_contexts / /boot
/etc/selinux/refpolicy/contexts/files/file_contexts: line 79 has invalid context system_u:object_r:quota_db_t
/etc/selinux/refpolicy/contexts/files/file_contexts: line 121 has invalid context system_u:object_r:svc_svc_t
/etc/selinux/refpolicy/contexts/files/file_contexts: line 139 has invalid context system_u:object_r:ipsec_exec_t
/etc/selinux/refpolicy/contexts/files/file_contexts: line 147 has invalid context system_u:object_r:ipsec_exec_t
/etc/selinux/refpolicy/contexts/files/file_contexts: line 153 has invalid context system_u:object_r:ipsec_exec_t
/etc/selinux/refpolicy/contexts/files/file_contexts: line 189 has invalid context system_u:object_r:ipsec_mgmt_exec_t
/etc/selinux/refpolicy/contexts/files/file_contexts: line 213 has invalid context system_u:object_r:ipsec_mgmt_exec_t
/etc/selinux/refpolicy/contexts/files/file_contexts: line 214 has invalid context system_u:object_r:ipsec_exec_t
/etc/selinux/refpolicy/contexts/files/file_contexts: line 245 has invalid context system_u:object_r:portage_exec_t
Exiting after 10 errors.
make: *** [relabel] Error 1

Though, I believe this error comes after the unmatched running policy.

Please give me some instructions to fix up problems listed above. Thank you guys :-)

Best Regards,
Benjamin Tsai

From cpebenito at tresys.com Mon Sep 11 13:53:37 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Mon, 11 Sep 2006 09:53:37 -0400
Subject: How to apply new policy exactly?
In-Reply-To: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDA1E@TPE-EVS02.ivi.net>
References: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDA1E@TPE-EVS02.ivi.net>
Message-ID: <1157982817.26420.40.camel@sgc>

On Mon, 2006-09-11 at 19:08 +0800, Benjamin Tsai wrote:
> I've downloaded refpolicy source from tresys's website and tried to install it on my FC5 box.
>
> However, there are some problems that I'm not able to fix so far. According to online documents, I first setenforce 0.
>
> In build.conf I enabled DISTRO=redhat, then make install-src under /etc/selinux/refpolicy
>
> make conf; make policy; make install; make load under /etc/selinux/refpolicy/src/policy
>
> 1. While executing make load, it replied that policy file argument policy.20 is no longer supported. The next line showed "continue..."
>
> I was so confused here that it looked like refpolicy is not loaded yet. So how do I feed it a "supported policy file"?

It was not loaded because the load_policy in FC5 looks at your /etc/selinux/config to determine what policy to load. It does not use the command line parameter, which is what the message is saying. The refpolicy makefile provides this parameter for compatibility for older SELinux machines. What happened is that you loaded the policy configured set in /etc/selinux/config.

Second, you are using a monolithic policy build configuration, which is not supported in FC5.

> 2. Besides, is there any way I can check if the policy is loaded? My guess is sestatus.

Yes. The "policy from config file" is the policy that was loaded.

> 3. If I neglected the "loading-policy-thing" and make relabel directly, then I get
>

You were relabeling using the file contexts from your custom refpolicy, but the FC5 policy was loaded, and it turns out that the configurations differ; therefore, there are invalid contexts.
> Relabeling filesystem types: ext2 ext3 xfs jfs
> /usr/sbin/setfiles /etc/selinux/refpolicy/contexts/files/file_contexts / /boot
> /etc/selinux/refpolicy/contexts/files/file_contexts: line 79 has invalid context system_u:object_r:quota_db_t
> /etc/selinux/refpolicy/contexts/files/file_contexts: line 121 has invalid context system_u:object_r:svc_svc_t
> /etc/selinux/refpolicy/contexts/files/file_contexts: line 139 has invalid context system_u:object_r:ipsec_exec_t
> /etc/selinux/refpolicy/contexts/files/file_contexts: line 147 has invalid context system_u:object_r:ipsec_exec_t
> /etc/selinux/refpolicy/contexts/files/file_contexts: line 153 has invalid context system_u:object_r:ipsec_exec_t
> /etc/selinux/refpolicy/contexts/files/file_contexts: line 189 has invalid context system_u:object_r:ipsec_mgmt_exec_t
> /etc/selinux/refpolicy/contexts/files/file_contexts: line 213 has invalid context system_u:object_r:ipsec_mgmt_exec_t
> /etc/selinux/refpolicy/contexts/files/file_contexts: line 214 has invalid context system_u:object_r:ipsec_exec_t
> /etc/selinux/refpolicy/contexts/files/file_contexts: line 245 has invalid context system_u:object_r:portage_exec_t
> Exiting after 10 errors.
> make: *** [relabel] Error 1

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From mra at hp.com Mon Sep 11 14:11:50 2006
From: mra at hp.com (Matt Anderson)
Date: Mon, 11 Sep 2006 10:11:50 -0400
Subject: MCS printing
Message-ID: <45056EA6.2050908@hp.com>

I've been working on adding SELinux labeling support to the CUPS service with the goal of meeting all the requirements of an LSPP evaluation. Even though my goal is a system running the MLS policy I realize that many users will be using targeted policy and could be interested in these features.

Specifically one addition is forced page labels.
On an MLS system it's common to see SystemLow-SystemHigh added to the top and bottom of each printed page, corresponding to the user's level when they sent the job. For a targeted system there is no level, so "(null)" was being added. If the system was configured for compartments however that would be printed, "Reception" or "Lab" could be applied to each page. This is a configurable option, and not enabled by default, but it seems like it could be useful for some MCS users.

My main question is in the case of no compartments would you want a marker saying that there wasn't a compartment, or should the label be left off?

Are there any MCS specific things I should be aware of that I might otherwise overlook coming at this from an MLS direction?

thanks
-matt

From linux_4ever at yahoo.com Mon Sep 11 22:23:28 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Mon, 11 Sep 2006 15:23:28 -0700 (PDT)
Subject: post update label checking script
Message-ID: <20060911222328.14439.qmail@web51505.mail.yahoo.com>

Hi,

I just wanted to let everyone know that I'm making another test script available to help people testing fedora rawhide updates. What this script does is look at your yum logs to see if you've updated the system today. If so it makes the list of rpms and sends that to fixfiles to see if the update has caused any files to be mislabeled. This can happen when post install scriptlets do the wrong thing.

You can find it here:
http://people.redhat.com/sgrubb/files/testing/selinux-check-new-rpms

You can run the script after doing yum update on rawhide. You can also pass the script a date but it must be the same format that the yum logs use. Example, "Sep 03" would be valid in my locale.

There were some bug fixes needed to make the script work and hopefully they will be backported to FC5 sometime soon. Feedback and updates are welcome.

-Steve
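The approach Steve describes is small enough to show in full. What follows is an added example and not his selinux-check-new-rpms script: it reads yum's log, keeps the entries for one day in the "Sep 03" form his post mentions, strips the package names down to what fixfiles -R expects, and builds the `fixfiles -R pkg,... check` command that reports files whose on-disk label no longer matches the file contexts, which is exactly the damage a misbehaving post-install scriptlet leaves behind. The log line layout (`Mon DD HH:MM:SS Updated: name.arch version`) is assumed from yum logs of that period, and the sample log below is constructed; the package versions in it are placeholders except the ones quoted elsewhere in this archive.

```python
"""List packages changed on a day in yum's log and build the fixfiles check.

Added example; not Steve Grubb's script. Log layout is assumed, the
sample log is constructed.
"""
import re
import time

# Assumed yum.log layout: "Sep 11 10:04:37 Updated: bash.i386 3.1-16.1"
LOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d\d) \d\d:\d\d:\d\d "
    r"(?P<action>Installed|Updated|Erased): (?P<pkg>\S+)"
)
# Erased packages leave nothing on disk to relabel, so only these count.
ACTIONS_TO_CHECK = ("Installed", "Updated")


def yum_date(year, month, day):
    """The 'Mon DD' form yum logs use (zero-padded day, e.g. 'Sep 03')."""
    tm = time.strptime("%04d-%02d-%02d" % (year, month, day), "%Y-%m-%d")
    return time.strftime("%b %d", tm)


def today_yum_date():
    """Today, in the same form, for the no-argument case."""
    return time.strftime("%b %d")


def packages_changed_on(log_lines, date):
    """Package names (arch stripped, de-duplicated, in log order) changed on `date`."""
    names = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None or m.group("date") != date or m.group("action") not in ACTIONS_TO_CHECK:
            continue
        name = m.group("pkg").rsplit(".", 1)[0]  # "dhcp.i386" -> "dhcp"
        if name not in names:
            names.append(name)
    return names


def fixfiles_command(packages):
    """argv for `fixfiles -R pkg,pkg,... check`, or None when nothing changed."""
    if not packages:
        return None
    return ["fixfiles", "-R", ",".join(packages), "check"]


# Constructed sample log; versions other than the two quoted in this
# archive are placeholders.
SAMPLE_LOG = [
    "Sep 02 23:58:01 Updated: kernel.i686 2.6.17-1.2157_FC5",
    "Sep 03 08:12:44 Updated: selinux-policy.noarch 2.3.7-2",
    "Sep 03 08:12:45 Updated: selinux-policy-targeted.noarch 2.3.7-2",
    "Sep 03 08:13:02 Installed: dhcp.i386 1.0-1",
    "Sep 03 08:13:02 Erased: oldpkg.i386",
    "Sep 03 09:00:00 Updated: dhcp.i386 1.0-2",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    import sys
    date = sys.argv[1] if len(sys.argv) > 1 else today_yum_date()
    # Real use: replace SAMPLE_LOG with open("/var/log/yum.log") and run
    # the returned argv with subprocess.call().
    print(fixfiles_command(packages_changed_on(SAMPLE_LOG, date)))
```

`fixfiles -R` takes a comma-separated list of rpm package names and checks only the files those packages own, which keeps the run short compared with a full `fixfiles check`; the `check` mode reports mismatches without relabeling, so the output can be reviewed before anything is changed.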
From benjamin.tsai at intervideo.com Tue Sep 12 02:38:24 2006
From: benjamin.tsai at intervideo.com (Benjamin Tsai)
Date: Tue, 12 Sep 2006 10:38:24 +0800
Subject: How to apply new policy exactly?
Message-ID: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDA4F@TPE-EVS02.ivi.net>

Thank you for the clarification. I have reconfigured selinux/config and recompiled policy the way I did it yesterday, but now I got another error like this

/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not copy /etc/selinux/refpolicy/modules/active/policy.kern to /etc/selinux/refpolicy/policy/policy.20.
/usr/sbin/semodule: Failed!

after make load. In fact, I cannot find this file "policy.kern", nor any helpful information on Google.

Please help me out, Thx. :)

Best Regards,
Benjamin Tsai

From cpebenito at tresys.com Tue Sep 12 12:14:47 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Tue, 12 Sep 2006 08:14:47 -0400
Subject: How to apply new policy exactly?
In-Reply-To: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDA4F@TPE-EVS02.ivi.net>
References: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDA4F@TPE-EVS02.ivi.net>
Message-ID: <1158063288.26420.52.camel@sgc>

On Tue, 2006-09-12 at 10:38 +0800, Benjamin Tsai wrote:
> Thank you for the clarification. I have reconfigured selinux/config and recompiled policy the way I did it yesterday, but now I got another error like this
>
> libsemanage.semanage_install_active: Could not copy /etc/selinux/refpolicy/modules/active/policy.kern to /etc/selinux/refpolicy/policy/policy.20.
mkdir -p /etc/selinux/refpolicy/policy

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From sds at tycho.nsa.gov Tue Sep 12 13:01:25 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 12 Sep 2006 09:01:25 -0400
Subject: How to apply new policy exactly?
In-Reply-To: <1158063288.26420.52.camel@sgc>
References: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDA4F@TPE-EVS02.ivi.net> <1158063288.26420.52.camel@sgc>
Message-ID: <1158066085.324.50.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-09-12 at 08:14 -0400, Christopher J. PeBenito wrote:
> On Tue, 2006-09-12 at 10:38 +0800, Benjamin Tsai wrote:
> > Thank you for the clarification. I have reconfigured selinux/config and recompile policy as the way I did it yesterday, but now I got another error like this
> >
> > libsemanage.semanage_install_active: Could not copy /etc/selinux/refpolicy/modules/active/policy.kern to /etc/selinux/refpolicy/policy/policy.20.
>
> mkdir -p /etc/selinux/refpolicy/policy

Also
mkdir -p /etc/selinux/refpolicy/contexts/files

It would be nice if libsemanage did the equivalent automatically if they don't exist.

However, I'm not clear that Benjamin is on the right path here. What is it that you actually want to achieve? Why are you installing upstream refpolicy? And what exact refpolicy are you installing - the 20060307 release or the current svn trunk? And what are the rest of your build.conf options - you only mentioned the DISTRO=redhat one, but Fedora customizes other settings as well, like DIRECT_INITRC=y, and it builds modular (MONOLITHIC=n) policy for FC5 and later. You also likely want the TYPE= to include the -mcs suffix so that your on-disk file contexts are compatible, particularly since some packages are now using semanage with local file contexts.

FC5 already uses refpolicy as its basis for building its targeted and strict policy packages, so I'm not sure what you hope to gain by building directly from the upstream refpolicy.
Last I looked though, strict policy was broken in FC5 because it was modular w/o the newer libsepol/checkpolicy that supported optionals-in-base (take 2). Dan, is that still the case? You either need libsepol >= 1.12.18 and checkpolicy >= 1.30.8 or a strict policy that puts everything into base.

If you are trying to build a strict policy that works on FC5, I think you need a newer policy toolchain (either from upstream svn or the Fedora devel tree). You could try just updating to the devel versions of libsepol, checkpolicy, libselinux, libsemanage, and policycoreutils, and then installing the devel version of selinux-policy-strict. Then you don't need to build upstream refpolicy yourself. Even if you want to build upstream refpolicy yourself, I think you'll need the newer policy toolchain unless you collapse everything into the base module.

--
Stephen Smalley
National Security Agency

From jbrindle at tresys.com Tue Sep 12 13:11:56 2006
From: jbrindle at tresys.com (Joshua Brindle)
Date: Tue, 12 Sep 2006 09:11:56 -0400
Subject: How to apply new policy exactly?
In-Reply-To: <1158066085.324.50.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <6FE441CD9F0C0C479F2D88F959B015883C1862@exchange.columbia.tresys.com>

> From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
>
> On Tue, 2006-09-12 at 08:14 -0400, Christopher J. PeBenito wrote:
> > On Tue, 2006-09-12 at 10:38 +0800, Benjamin Tsai wrote:
> > > Thank you for the clarification. I have reconfigured selinux/config and recompile policy as the way I did it yesterday, but now I got another error like this
> > >
> > > libsemanage.semanage_install_active: Could not copy /etc/selinux/refpolicy/modules/active/policy.kern to /etc/selinux/refpolicy/policy/policy.20.
> >
> > mkdir -p /etc/selinux/refpolicy/policy
>
> Also
> mkdir -p /etc/selinux/refpolicy/contexts/files
>
> It would be nice if libsemanage did the equivalent automatically if they don't exist.
>

It was always assumed that libsemanage would only manage files/directories of the store, not the rest of the policy directory (other files have to be installed there anyway for a functional system). I'd prefer it stay that way but since this has come up time and time again it won't offend me horribly to fix it. If we still want this will someone please file a bug on http://sourceforge.net/tracker/?group_id=21266&atid=121266

From jbrindle at tresys.com Wed Sep 13 18:54:38 2006
From: jbrindle at tresys.com (Joshua Brindle)
Date: Wed, 13 Sep 2006 14:54:38 -0400
Subject: 2007 SELinux Symposium dates and call for papers
In-Reply-To: <6FE441CD9F0C0C479F2D88F959B0158832AA99@exchange.columbia.tresys.com>
References: <6FE441CD9F0C0C479F2D88F959B0158832AA99@exchange.columbia.tresys.com>
Message-ID: <450853EE.5030203@tresys.com>

Joshua Brindle wrote:
> The Security Enhanced Linux (SELinux) Symposium announces that its third
> annual Symposium is scheduled for March 12-16, 2007, at the Wyndham
> Hotel, Baltimore, Maryland, USA. The Symposium also announces the
> opening of its call for papers. The event is the only of its kind to
> examine SELinux and the power of the flexible mandatory access control
> security it brings to Linux. The first two years of this annual event
> were a tremendous success providing the SELinux development and user
> community the opportunity to discuss related research results,
> development plans, and applications.
>
> The call for papers is open until October 9, 2006. Paper requirements
> and topics of interest are available on the Symposium web site at
> www.selinux-symposium.org.
>

This is a reminder that the call for papers for the 2007 SELinux Symposium is closing on October 9th. Anyone who wants to submit a paper or tutorial should go to http://selinux-symposium.org/2007/faq.php for information about the requirements, etc. Help us make the 2007 Symposium as much of a success as the last two by contributing content.

Thanks.
From TobyD at wolke7.net Thu Sep 14 08:05:40 2006
From: TobyD at wolke7.net (Tobias)
Date: Thu, 14 Sep 2006 10:05:40 +0200
Subject: Unable to update/install packages
Message-ID: <20060914080540.268380@gmx.net>

Hi,

I've a little problem with my FC5. All at once I can't install or update any packages. I have not played with SELinux and at all this is a default installation:

kernel-2.6.17-1.2157_FC5
libselinux-1.30.3-4.fc5
selinux-policy-2.3.3-8.fc5
libselinux-python-1.30.3-4.fc5
selinux-policy-targeted-2.3.3-8.fc5

Examples of my problem:

# yum install dhcp
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
[...]
Total download size: 653 k
Is this ok [y/N]: y
[...]
Running Transaction
/etc/selinux/targeted/contexts/files/file_contexts: line 1378 has invalid regex ^/sbin/ftpwho$: Memory exhausted
/etc/selinux/targeted/contexts/files/file_contexts: line 1379 has invalid regex ^/mkreiserfs$: Memory exhausted
/etc/selinux/targeted/contexts/files/file_contexts: line 1380 has invalid regex ^/spool/voice$: Memory exhausted
[...]
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 30 is missing fields, skipping
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 31 is missing fields, skipping
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 32 is missing fields, skipping
Installing: dhcp                   [1/1]warning: /etc/dhcpd.conf created as /etc/dhcpd.conf.rpmnew
Segmentation fault

# yum install binutils
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
[...]
Total download size: 3.4 M
Is this ok [y/N]: y
[...]
Running Transaction
/etc/selinux/targeted/contexts/files/file_contexts: line 1364 has invalid regex ^/dbus-daemon$: Memory exhausted
/etc/selinux/targeted/contexts/files/file_contexts: line 1365 has invalid regex ^/sbin/amdump$: Memory exhausted
/etc/selinux/targeted/contexts/files/file_contexts: line 1366 has invalid regex ^/sbin/amplot$: Memory exhausted
*** glibc detected *** /usr/bin/python: double free or corruption (!prev): 0x097b09a8 ***
[...]

Any idea how to fix this ?

TIA
Tobias

-- 
"Feel free" - 10 GB mailbox, 100 free SMS/month ...
Try GMX TopMail now: http://www.gmx.net/de/go/topmail

From selinux at gmail.com Thu Sep 14 14:29:57 2006
From: selinux at gmail.com (Tom London)
Date: Thu, 14 Sep 2006 07:29:57 -0700
Subject: AVCs with USB scanner and xsane
Message-ID: <4c4ba1530609140729n6fdd3c0bu74a2bb269638c665@mail.gmail.com>

Running Rawhide, targeted/enforcing.

Get these when running xsane on a USB scanner. Seems to occur during 'scanning for devices'

type=AVC msg=audit(1158241690.244:23): avc: denied { dac_override } for pid=3158 comm="hpiod" capability=1 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
type=SYSCALL msg=audit(1158241690.244:23): arch=40000003 syscall=5 success=no exit=-13 a0=b750e71c a1=2 a2=1 a3=b750e71c items=0 ppid=1 pid=3158 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="hpiod" exe="/usr/sbin/hpiod" subj=system_u:system_r:hplip_t:s0 key=(null)
type=AVC msg=audit(1158241690.244:24): avc: denied { dac_override } for pid=3158 comm="hpiod" capability=1 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
type=AVC msg=audit(1158241690.244:24): avc: denied { dac_read_search } for pid=3158 comm="hpiod" capability=2 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
type=SYSCALL msg=audit(1158241690.244:24): arch=40000003 syscall=5 success=no exit=-13 a0=b750e71c a1=0 a2=1 a3=b750e71c items=0 ppid=1 pid=3158 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="hpiod" exe="/usr/sbin/hpiod" subj=system_u:system_r:hplip_t:s0 key=(null)

tom
-- 
Tom London

From redhatdude at bellsouth.net Thu Sep 14 19:53:29 2006
From: redhatdude at bellsouth.net (redhatdude at bellsouth.net)
Date: Thu, 14 Sep 2006 15:53:29 -0400
Subject: ati driver and selinux
Message-ID: 

Hi,
I installed the ati driver and now selinux doesn't let me start kdm. I ran audit2allow on the avc errors and this is what I got:

allow xdm_xserver_t lib_t:file execmod;

So, what am I supposed to do with this now? Please advise.
Thanks,
EJ

From sds at tycho.nsa.gov Thu Sep 14 20:01:16 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 14 Sep 2006 16:01:16 -0400
Subject: ati driver and selinux
In-Reply-To: 
References: 
Message-ID: <1158264076.25629.221.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-09-14 at 15:53 -0400, redhatdude at bellsouth.net wrote:
> Hi,
> I installed the ati driver and now selinux doesn't let me start kdm.
> I ran audit2allow on the avc errors and this is what I got:
>
> allow xdm_xserver_t lib_t:file execmod;
>
> So, what am I supposed to do with this now?

Was there a name= or path= listed in the avc message?
-- 
Stephen Smalley
National Security Agency

From redhatdude at bellsouth.net Thu Sep 14 20:30:44 2006
From: redhatdude at bellsouth.net (redhatdude at bellsouth.net)
Date: Thu, 14 Sep 2006 16:30:44 -0400
Subject: ati driver and selinux
In-Reply-To: <1158264865.25629.226.camel@moss-spartans.epoch.ncsc.mil>
References: <1158264076.25629.221.camel@moss-spartans.epoch.ncsc.mil> <95CED54C-944A-49C5-9E80-9A728DA53660@bellsouth.net> <1158264865.25629.226.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: 

On Sep 14, 2006, at 4:14 PM, Stephen Smalley wrote:

> On Thu, 2006-09-14 at 16:03 -0400, redhatdude at bellsouth.net wrote:
>> These are the errors I got
>>
>> type=AVC msg=audit(1158255182.936:396): avc: denied { execmod }
>> for pid=7074 comm="X" name="fglrx_drv.so" dev=dm-0 ino=2328943
>> scontext=user_u:system_r:xdm_xserver_t:s0
>> tcontext=user_u:object_r:lib_t:s0 tclass=file
>> type=SYSCALL msg=audit(1158255182.936:396): arch=40000003 syscall=125
>> success=no exit=-13 a0=f64000 a1=661000 a2=5 a3=bfeb46d0
>> items=0 pid=7074 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
>> subj=user_u:system_r:xdm_xserver_t:s0
>> type=AVC_PATH msg=audit(1158255182.936:396): path="/usr/lib/xorg/
>> modules/drivers/fglrx_drv.so"
>
> Ok, looks like this one has already been added to upstream policy.
> You should be able to do the following:
>
> # /usr/sbin/semanage fcontext -a -t textrel_shlib_t /usr/lib/xorg/
> modules/drivers/fglrx_drv.so
> # /sbin/restorecon -v /usr/lib/xorg/modules/drivers/fglrx_drv.so
>
> This marks the DSO as requiring text relocations.
>
> -- 
> Stephen Smalley
> National Security Agency
>

Hi Stephen,
Thanks for helping.
Well. I ran those commands in the terminal and the avc errors are gone from the audit.log. However, I lost the display. KDM starts but all I get is a blank screen with or without selinux.
EJ.
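The relabel Stephen gives in the exchange above (mark the DSO textrel_shlib_t with semanage fcontext, then restorecon it) is the right answer only when the denial is execmod on a file labeled lib_t and the audit record carries the path, which is why he asked for name= or path= first. What follows is an added example, not code from this thread or from the SELinux tools: it parses audit records in the format quoted here and in Tom London's hpiod report, groups AVC, SYSCALL and AVC_PATH records by their audit serial, and emits the two commands only for denials that fit that pattern. The sample records are constructed from the ones quoted above; the function names are mine.

```python
"""Parse SELinux audit records (AVC / SYSCALL / AVC_PATH) and, for execmod
denials on a lib_t shared object with a known path, return the two commands
Stephen gives in this thread.  Added example, not code from the thread or
from the SELinux tools; function names are mine."""
import re
from collections import defaultdict

# Constructed sample input, assembled from records quoted in this thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1158255182.936:396): avc: denied { execmod } for pid=7074 comm="X" name="fglrx_drv.so" dev=dm-0 ino=2328943 scontext=user_u:system_r:xdm_xserver_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1158255182.936:396): arch=40000003 syscall=125 success=no exit=-13 a0=f64000 a1=661000 a2=5 a3=bfeb46d0 items=0 pid=7074 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=AVC_PATH msg=audit(1158255182.936:396): path="/usr/lib/xorg/modules/drivers/fglrx_drv.so"
type=AVC msg=audit(1158241690.244:23): avc: denied { dac_override } for pid=3158 comm="hpiod" capability=1 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
type=SYSCALL msg=audit(1158241690.244:23): arch=40000003 syscall=5 success=no exit=-13 a0=b750e71c a1=2 a2=1 a3=b750e71c items=0 ppid=1 pid=3158 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="hpiod" exe="/usr/sbin/hpiod" subj=system_u:system_r:hplip_t:s0 key=(null)
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc: +denied +\{ ([^}]+)\} for (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """key=value pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_audit_log(text):
    """Group records by timestamp:serial.  Each event collects the denied
    permissions of every AVC record with that serial, the key=value fields,
    the exe= from SYSCALL, and the path from AVC_PATH when the kernel emitted one."""
    events = defaultdict(lambda: {"perms": [], "fields": {}, "path": None})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, stamp, serial, rest = m.groups()
        ev = events[f"{stamp}:{serial}"]
        if rtype == "AVC":
            a = AVC_RE.match(rest)
            if a:
                ev["perms"].extend(a.group(1).split())
                ev["fields"].update(parse_fields(a.group(2)))
        elif rtype == "AVC_PATH":
            ev["path"] = parse_fields(rest).get("path")
        elif rtype == "SYSCALL":
            ev["fields"].setdefault("exe", parse_fields(rest).get("exe"))
    return dict(events)


def type_of(context):
    """Type field of a user:role:type[:range] context ('' if malformed)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def suggest_textrel_fix(event):
    """The relabel Stephen suggests, as a list of two commands, when the
    denial is execmod on a lib_t file whose path is known; otherwise None,
    meaning the denial needs policy review rather than a file-context change."""
    f = event["fields"]
    if ("execmod" in event["perms"] and f.get("tclass") == "file"
            and type_of(f.get("tcontext", "")) == "lib_t" and event["path"]):
        return [f"semanage fcontext -a -t textrel_shlib_t {event['path']}",
                f"restorecon -v {event['path']}"]
    return None


def summarize(text):
    """One line per event: source type -> target type:class { perms }: action."""
    lines = []
    for key, ev in sorted(parse_audit_log(text).items()):
        f = ev["fields"]
        fix = suggest_textrel_fix(ev)
        action = " && ".join(fix) if fix else "no file-context fix; review policy"
        lines.append(f"{key} {type_of(f.get('scontext', ''))} -> "
                     f"{type_of(f.get('tcontext', ''))}:{f.get('tclass')} "
                     f"{{ {' '.join(ev['perms'])} }}: {action}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_AUDIT_LOG)))
```

The script only prints the commands; run them as root. Marking a library textrel_shlib_t is the correct fix when the DSO genuinely contains text relocations; where you control the build, compiling the library with -fPIC removes the relocations and is preferable. Any other denial class (the hpiod capability denials, for instance) is not a labeling problem and should go through audit2allow and policy review.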
From redhatdude at bellsouth.net Thu Sep 14 20:48:08 2006 From: redhatdude at bellsouth.net (redhatdude at bellsouth.net) Date: Thu, 14 Sep 2006 16:48:08 -0400 Subject: ati driver and selinux ( SOLVED ) In-Reply-To: References: <1158264076.25629.221.camel@moss-spartans.epoch.ncsc.mil> <95CED54C-944A-49C5-9E80-9A728DA53660@bellsouth.net> <1158264865.25629.226.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <0050C12C-6302-4788-94E4-605EEE7A5BA4@bellsouth.net> On Sep 14, 2006, at 4:30 PM, redhatdude at bellsouth.net wrote: > > On Sep 14, 2006, at 4:14 PM, Stephen Smalley wrote: > >> On Thu, 2006-09-14 at 16:03 -0400, redhatdude at bellsouth.net wrote: >>> These are the errors I got >>> >>> type=AVC msg=audit(1158255182.936:396): avc: denied { execmod } >>> for pid=7074 comm="X" name="fglrx_drv.so" dev=dm-0 ino=2328943 >>> scontext=user_u:system_r:xdm_xserver_t:s0 >>> tcontext=user_u:object_r:lib_t:s0 tclass=file >>> type=SYSCALL msg=audit(1158255182.936:396): arch=40000003 >>> syscall=125 >>> success=no exit=-13 a0=f64000 a1=661000 a2=5 a3=bfeb46d0 >>> items=0 pid=7074 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 >>> egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg" >>> subj=user_u:system_r:xdm_xserver_t:s0 >>> type=AVC_PATH msg=audit(1158255182.936:396): path="/usr/lib/xorg/ >>> modules/drivers/fglrx_drv.so" >> >> Ok, looks like this one has already been added to upstream policy. >> You should be able to do the following: >> >> # /usr/sbin/semanage fcontext -a -t textrel_shlib_t /usr/lib/xorg/ >> modules/drivers/fglrx_drv.so >> # /sbin/restorecon -v /usr/lib/xorg/modules/drives/fglrx_drv.so >> >> This marks the DSO as requiring text relocations. >> >> -- >> Stephen Smalley >> National Security Agency >> > > Hi Stephen, > Thanks for helping. > Well. I ran those commands in the terminal and the avc errors are > gone from the audit.log. However, I lost the display. KDM starts > but all I get is a blank screen with or without selinux. > EJ. 
> > --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Nevermind, I ran the configuration utility for ati ( aticonfig ) and restarted kdm. Now everything works perfectly.
Thanks a lot for the help.

From peter.pun at gmail.com Fri Sep 15 00:20:07 2006
From: peter.pun at gmail.com (Peter Pun)
Date: Thu, 14 Sep 2006 20:20:07 -0400
Subject: please review my firefox policy?
Message-ID: <3e2c91580609141720g5fc3babfv562d3fe2b54752f3@mail.gmail.com>

Hi Everyone,

I created this firefox policy; it is probably allowing too many unnecessary things. If anyone could comment on it, I'd appreciate it. The matter is, someone was able to break out to unconfined and disable a 000 ACL on /bin/su. This is a surf machine, with no listening daemons, postfix is blocked by firewall and unconfigured, not even cups is running. So I think the hole must be through firefox.

------------------------------------------------------------

policy_module(foxpol,1.0.5)

########################################
#
# Declarations
#
require {
	type fonts_t;
	type inotifyfs_t;
	type proc_net_t;
	type proc_t;
	type urandom_device_t;
	type user_home_dir_t;
	type user_home_t;
	type xdm_t;
	type sysctl_kernel_t;
	type sysctl_net_t;
	type sysctl_t;
	type home_root_t;
	type fs_t;
	type autofs_t;
	type unconfined_execmem_t;
};

type foxpol_t;
type foxpol_exec_t;
domain_type(foxpol_t)
init_daemon_domain(foxpol_t, foxpol_exec_t)

# log files
type foxpol_var_log_t;
logging_log_file(foxpol_var_log_t)

# download dir, which firefox has write access to
type foxpol_down_t;

# private_t dir - a labeled dir which fox cannot read, made because
# - fox has read access to home dir
type private_t;

########################################
#
# foxpol local policy
#
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.

# Some common macros (you might be able to remove some)
files_read_etc_files(foxpol_t)
libs_use_ld_so(foxpol_t)
libs_use_shared_libs(foxpol_t)
miscfiles_read_localization(foxpol_t)
## internal communication is often done using fifo and unix sockets.
allow foxpol_t self:fifo_file { read write };
allow foxpol_t self:unix_stream_socket create_stream_socket_perms;

# log files
allow foxpol_t foxpol_var_log_t:file create_file_perms;
allow foxpol_t foxpol_var_log_t:sock_file create_file_perms;
allow foxpol_t foxpol_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(foxpol_t,foxpol_var_log_t,{ sock_file file dir })

## Networking basics (adjust to your needs!)
sysnet_dns_name_resolve(foxpol_t)
corenet_tcp_sendrecv_all_if(foxpol_t)
corenet_tcp_sendrecv_all_nodes(foxpol_t)
corenet_tcp_sendrecv_all_ports(foxpol_t)
corenet_non_ipsec_sendrecv(foxpol_t)
corenet_tcp_connect_http_port(foxpol_t)
#corenet_tcp_connect_all_ports(foxpol_t)
## if it is a network daemon, consider these:
#corenet_tcp_bind_all_ports(foxpol_t)
#corenet_tcp_bind_all_nodes(foxpol_t)
allow foxpol_t self:tcp_socket { listen accept };

# Init script handling
init_use_fds(foxpol_t)
init_use_script_ptys(foxpol_t)
domain_use_interactive_fds(foxpol_t)

# ok copy files to download dir
allow unconfined_t foxpol_down_t:dir { add_name getattr setattr read relabelto remove_name search write rmdir };
allow unconfined_t foxpol_down_t:file { execute create getattr setattr read write append rename link unlink ioctl lock };

# ok unconfined processes to open files in download dir
allow unconfined_execmem_t foxpol_down_t:dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl } ;
allow unconfined_execmem_t foxpol_down_t:file { create getattr setattr read write append rename link unlink ioctl lock };

# ok fox to write to download dir
allow foxpol_t foxpol_down_t:dir { add_name create getattr read search write remove_name };
allow foxpol_t foxpol_down_t:file { create setattr getattr read write rename unlink append };

# ok unconfined process to open files in private dir
allow unconfined_execmem_t private_t:dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl };
allow unconfined_execmem_t private_t:file { create getattr setattr read write append rename link unlink ioctl lock };
allow unconfined_t private_t:dir { create getattr setattr read write link unlink rename search add_name remove_name reparent relabelfrom relabelto rmdir lock ioctl };
allow unconfined_t private_t:file { relabelto create getattr setattr read write append rename link unlink ioctl lock };
allow private_t fs_t:filesystem associate;

# ok fox to create new stuff in .mozilla
allow foxpol_t foxpol_var_log_t:dir create;

#
# audit2allow says it wants all the stuff below, it also wanted exec rights to bin_t which I removed
#
allow foxpol_down_t fs_t:filesystem associate;
allow foxpol_t autofs_t:dir getattr;
allow foxpol_t fonts_t:dir { getattr read search };
allow foxpol_t fonts_t:file { getattr read };
allow foxpol_t foxpol_down_t:dir { add_name create getattr read search write };
allow foxpol_t foxpol_down_t:file { create getattr write };
allow foxpol_t self:fifo_file getattr;
allow foxpol_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow foxpol_t self:process { getsched setsched signal };
allow foxpol_t self:shm { create destroy read unix_read unix_write write };
allow foxpol_t self:unix_dgram_socket create;
allow foxpol_t foxpol_var_log_t:lnk_file { create unlink };
allow foxpol_t home_root_t:dir { getattr read search };
allow foxpol_t inotifyfs_t:dir { getattr read };
allow foxpol_t proc_net_t:dir { read search };
allow foxpol_t proc_net_t:file { getattr read };
allow foxpol_t proc_t:file { getattr read };
allow foxpol_t sysctl_kernel_t:dir search;
allow foxpol_t sysctl_kernel_t:file read;
allow foxpol_t sysctl_net_t:dir search;
allow foxpol_t sysctl_t:dir search;
allow foxpol_t tmp_t:dir { add_name getattr read remove_name search setattr write };
allow foxpol_t tmp_t:file { create getattr lock read unlink write };
allow foxpol_t tmp_t:sock_file { create unlink write };
allow foxpol_t tmpfs_t:file { read write };
# allow foxpol_t unconfined_t:unix_stream_socket connectto;
allow foxpol_t urandom_device_t:chr_file { getattr ioctl read };
allow foxpol_t user_home_dir_t:dir { getattr read search };
allow foxpol_t user_home_t:dir { getattr read search };
allow foxpol_t user_home_t:file { getattr read };
allow foxpol_t usr_t:file { getattr read };
allow foxpol_t usr_t:lnk_file read;
allow foxpol_t xdm_t:unix_stream_socket connectto;

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From dwalsh at redhat.com Fri Sep 15 16:24:06 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 15 Sep 2006 12:24:06 -0400
Subject: MCS printing
In-Reply-To: <45056EA6.2050908@hp.com>
References: <45056EA6.2050908@hp.com>
Message-ID: <450AD3A6.9090103@redhat.com>

Matt Anderson wrote:
> I've been working on adding SELinux labeling support to the CUPS service
> with the goal of meeting all the requirements of an LSPP evaluation.
> Even though my goal is a system running the MLS policy I realize that
> many users will be using targeted policy and could be interested in
> these features.
>
> Specifically one addition is forced page labels. On an MLS system its
> common to see SystemLow-SystemHigh added to the top and bottom of each
> printed page, corresponding to the user's level when they sent the job.
> For a targeted system there is no level, so "(null)" was being added.
> If the system was configured for compartments however that would be
> printed, "Reception" or "Lab" could be applied to each page. This is a
> configurable option, and not enabled by default, but it seems like it
> could be useful for some MCS users. My main question is in the case of
> no compartments would you want a marker saying that there wasn't a
> compartment, or should the label be left off? Is there any MCS specific
> things I should be aware of that I might otherwise overlook coming at
> this from an MLS direction?
>

You should not have a label if there is none. So s0=="".

For MCS we really want the label of the file you are printing, not the level that you are running at. So if I am running

id -Z
user_u:system_r:unconfined_t:s0-PatientRecord,Unclassified

But I print a document labeled PatientRecord, it should print PatientRecord. Not PatientRecord,Unclassified

> thanks
> -matt
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From dwalsh at redhat.com Fri Sep 15 16:28:07 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 15 Sep 2006 12:28:07 -0400
Subject: Preventing homedir relabel of Oracle XE files
In-Reply-To: <4502778E.7050803@sprocks.gotdns.com>
References: <4502778E.7050803@sprocks.gotdns.com>
Message-ID: <450AD497.3040808@redhat.com>

Andrew Kroeger wrote:
> Greetings:
>
> I just updated to the latest FC5 policy (2.3.7-2), and saw all of the
> files in my Oracle XE installation get relabeled to
> user_u:object_r:user_home_t. I was able to get Oracle XE installed
> and running with SELinux enabled (details available at
> http://forums.oracle.com/forums/message.jspa?messageID=1344572 --
> registration required), and that got hosed by the relabel.
>
> I initially thought something Oracle-specific had been added to the
> new policy and caused the relabel. After some searching, I discovered
> entries in /etc/selinux/targeted/contexts/files/file_contexts.homedirs
> (which is generated by genhomedircon) that had caused the relabel.
> Further investigation showed that genhomedircon ignores "system" users
> (UID < 500), but the Oracle RPM creates the "oracle" user as a
> non-system user during the install.

What does the oracle user account look like? Does it have a real login shell? If you change the account to have a shell of /sbin/nologin, the labeling should work correctly.

>
> Is there any way to provide an exception to the "oracle" user for
> future policy updates? I was able to get things working again by
> re-labeling the affected files, but I would like to avoid that step
> for each policy update that comes out. Also, if specific policies are
> created for Oracle XE in the future, would those override the homedir
> policies for the non-system "oracle" user, or would there be potential
> conflicts that would need to be resolved in that case?
>
> I appreciate any assistance that can be provided in this matter.
>
> Thanks,
> Andrew Kroeger
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Fri Sep 15 16:37:50 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 15 Sep 2006 12:37:50 -0400
Subject: please review my firefox policy?
In-Reply-To: <3e2c91580609141720g5fc3babfv562d3fe2b54752f3@mail.gmail.com>
References: <3e2c91580609141720g5fc3babfv562d3fe2b54752f3@mail.gmail.com>
Message-ID: <450AD6DE.3060007@redhat.com>

Peter Pun wrote:
> Hi Everyone,
>
> I created this firefox policy; it is probably allowing too many
> unnecessary things. If anyone could comment on it, I'd appreciate it.
> The matter is, someone was able to break out to unconfined and disable
> a 000 ACL on /bin/su. This is a surf machine, with no listening
> daemons, postfix is blocked by firewall and unconfigured, not even
> cups is running. So I think the hole must be through firefox.
>
>

Did you look at mozilla.te, mozilla.if, and mozilla.fc? These policies already do most of what you want here.
> ------------------------------------------------------------
>
> policy_module(foxpol,1.0.5)
>
> ########################################
> #
> # Declarations
> #
> require {
> 	type fonts_t;
> 	type inotifyfs_t;
> 	type proc_net_t;
> 	type proc_t;
> 	type urandom_device_t;
> 	type user_home_dir_t;
> 	type user_home_t;
> 	type xdm_t;
> 	type sysctl_kernel_t;
> 	type sysctl_net_t;
> 	type sysctl_t;
> 	type home_root_t;
> 	type fs_t;
> 	type autofs_t;
> 	type unconfined_execmem_t;
> };
>

If you use module interfaces you will not need this section.
/usr/share/selinux/devel/include

> type foxpol_t;
> type foxpol_exec_t;
> domain_type(foxpol_t)
> init_daemon_domain(foxpol_t, foxpol_exec_t)
>
> # log files
> type foxpol_var_log_t;
> logging_log_file(foxpol_var_log_t)
>
> # download dir, which firefox has write access to
> type foxpol_down_t;
> files_type(foxpol_down_t)
> # private_t dir - a labeled dir which fox cannot read, made because
> # - fox has read access to home dir
> type private_t;
>
> ########################################
> #
> # foxpol local policy
> #
> # Check in /etc/selinux/refpolicy/include for macros to use instead of
> allow rules.
>
> # Some common macros (you might be able to remove some)
> files_read_etc_files(foxpol_t)
> libs_use_ld_so(foxpol_t)
> libs_use_shared_libs(foxpol_t)
> miscfiles_read_localization(foxpol_t)
> ## internal communication is often done using fifo and unix sockets.
> allow foxpol_t self:fifo_file { read write };
> allow foxpol_t self:unix_stream_socket create_stream_socket_perms;
>
> # log files
> allow foxpol_t foxpol_var_log_t:file create_file_perms;
> allow foxpol_t foxpol_var_log_t:sock_file create_file_perms;
> allow foxpol_t foxpol_var_log_t:dir { rw_dir_perms setattr };
> logging_log_filetrans(foxpol_t,foxpol_var_log_t,{ sock_file file dir })
>
> ## Networking basics (adjust to your needs!)
> sysnet_dns_name_resolve(foxpol_t)
> corenet_tcp_sendrecv_all_if(foxpol_t)
> corenet_tcp_sendrecv_all_nodes(foxpol_t)
> corenet_tcp_sendrecv_all_ports(foxpol_t)
> corenet_non_ipsec_sendrecv(foxpol_t)
> corenet_tcp_connect_http_port(foxpol_t)
> #corenet_tcp_connect_all_ports(foxpol_t)
> ## if it is a network daemon, consider these:
> #corenet_tcp_bind_all_ports(foxpol_t)
> #corenet_tcp_bind_all_nodes(foxpol_t)
> allow foxpol_t self:tcp_socket { listen accept };
>
> # Init script handling
> init_use_fds(foxpol_t)
> init_use_script_ptys(foxpol_t)
> domain_use_interactive_fds(foxpol_t)
>
> # ok copy files to download dir
> allow unconfined_t foxpol_down_t:dir { add_name getattr setattr read
> relabelto remove_name search write rmdir };
> allow unconfined_t foxpol_down_t:file { execute create getattr setattr
> read write append rename link unlink ioctl lock };
>

You should not need these rules unconfined_domains can do anything they want to the system, although you probably want a transition from unconfined_*t to foxpol_t

> # ok unconfined processes to open files in download dir
> allow unconfined_execmem_t foxpol_down_t:dir { create getattr setattr
> read write link unlink rename search add_name remove_name reparent
> rmdir lock ioctl } ;
> allow unconfined_execmem_t foxpol_down_t:file { create getattr setattr
> read write append rename link unlink ioctl lock };
>
> # ok fox to write to download dir
> allow foxpol_t foxpol_down_t:dir { add_name create getattr read search
> write remove_name };
> allow foxpol_t foxpol_down_t:file { create setattr getattr read write
> rename unlink append };
>

Please use define statements like rw_dir_perms and create_file_perms. Makes the policy easier to read.

> # ok unconfined process to open files in private dir
> allow unconfined_execmem_t private_t:dir { create getattr setattr read
> write link unlink rename search add_name remove_name reparent rmdir
> lock ioctl };
> allow unconfined_execmem_t private_t:file { create getattr setattr
> read write append rename link unlink ioctl lock };
> allow unconfined_t private_t:dir { create getattr setattr read write
> link unlink rename search add_name remove_name reparent relabelfrom
> relabelto rmdir lock ioctl };
> allow unconfined_t private_t:file { relabelto create getattr setattr
> read write append rename link unlink ioctl lock };
> allow private_t fs_t:filesystem associate;
>
> # ok fox to create new stuff in .mozilla
> allow foxpol_t foxpol_var_log_t:dir create;
>
>
>
> #
> # audit2allow says it wants all the stuff below, it also wanted exec
> rights to bin_t which I removed
> #

You might want to try audit2allow -R for these and try to use reference policy.

> allow foxpol_down_t fs_t:filesystem associate;
> allow foxpol_t autofs_t:dir getattr;
> allow foxpol_t fonts_t:dir { getattr read search };
> allow foxpol_t fonts_t:file { getattr read };
> allow foxpol_t foxpol_down_t:dir { add_name create getattr read search
> write };
> allow foxpol_t foxpol_down_t:file { create getattr write };
> allow foxpol_t self:fifo_file getattr;
> allow foxpol_t self:netlink_route_socket { bind create getattr
> nlmsg_read read write };
> allow foxpol_t self:process { getsched setsched signal };
> allow foxpol_t self:shm { create destroy read unix_read unix_write
> write };
> allow foxpol_t self:unix_dgram_socket create;
> allow foxpol_t foxpol_var_log_t:lnk_file { create unlink };
> allow foxpol_t home_root_t:dir { getattr read search };
> allow foxpol_t inotifyfs_t:dir { getattr read };
> allow foxpol_t proc_net_t:dir { read search };
> allow foxpol_t proc_net_t:file { getattr read };
> allow foxpol_t proc_t:file { getattr read };
> allow foxpol_t sysctl_kernel_t:dir search;
> allow foxpol_t sysctl_kernel_t:file read;
> allow foxpol_t sysctl_net_t:dir search;
> allow foxpol_t sysctl_t:dir search;
> allow foxpol_t tmp_t:dir { add_name getattr read remove_name search
> setattr write };
> allow foxpol_t tmp_t:file { create getattr lock read unlink write };
> allow foxpol_t tmp_t:sock_file { create unlink write };
> allow foxpol_t tmpfs_t:file { read write };
> # allow foxpol_t unconfined_t:unix_stream_socket connectto;
> allow foxpol_t urandom_device_t:chr_file { getattr ioctl read };
> allow foxpol_t user_home_dir_t:dir { getattr read search };
> allow foxpol_t user_home_t:dir { getattr read search };
> allow foxpol_t user_home_t:file { getattr read };
> allow foxpol_t usr_t:file { getattr read };
> allow foxpol_t usr_t:lnk_file read;
> allow foxpol_t xdm_t:unix_stream_socket connectto;
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From selinux at gmail.com Fri Sep 15 20:10:17 2006
From: selinux at gmail.com (Tom London)
Date: Fri, 15 Sep 2006 13:10:17 -0700
Subject: Typo in /usr/lib/python2.4/site-packages/setroubleshoot/Plugin.py
Message-ID: <4c4ba1530609151310q4353ae68o2f695983f8ccfba8@mail.gmail.com>

Today's rawhide:

2006-09-15 12:58:00,126 [plugin.ERROR] failed to load use_nfs_home_dirs plugin
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/setroubleshoot/util.py", line 312, in load_plugins
    mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir]))
  File "/usr/share/setroubleshoot/plugins/use_nfs_home_dirs.py", line 22, in ?
    from setroubleshoot.Plugin import Plugin
  File "/usr/lib/python2.4/site-packages/setroubleshoot/Plugin.py", line 123
    rpm = get_rpm_nvr_by_file_path(self.path.strip('"')))
                                                        ^
SyntaxError: invalid syntax

Extra ')' at end of line 123.
tom
-- 
Tom London

From selinux at gmail.com Fri Sep 15 20:20:35 2006
From: selinux at gmail.com (Tom London)
Date: Fri, 15 Sep 2006 13:20:35 -0700
Subject: restorecon seg fault on 'no such file'
Message-ID: <4c4ba1530609151320v5549d86ck31713b7273129f0b@mail.gmail.com>

Running latest rawhide, targeted/enforcing.

There is an entry in /etc/rc.sysinit that segfaults on my system (line 678):

# Clean up SELinux labels
if [ -n "$SELINUX_STATE" ]; then
    restorecon /etc/mtab /etc/ld.so.cache /etc/blkid.tab /etc/resolv.conf >/dev/null 2>&1
fi

[root at localhost rc.d]# restorecon /etc/mtab /etc/ld.so.cache /etc/blkid.tab /etc/resolv.conf
Segmentation fault
[root at localhost rc.d]#

The problem is that there is no /etc/blkid.tab. This seems to confuse restorecon (tail of strace):

munmap(0xb7f38000, 4096)                = 0
lstat64("/etc/blkid.tab", 0xbff4c02c)   = -1 ENOENT (No such file or directory)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Process 4031 detached

tom
-- 
Tom London

From notting at redhat.com Fri Sep 15 20:40:28 2006
From: notting at redhat.com (Bill Nottingham)
Date: Fri, 15 Sep 2006 16:40:28 -0400
Subject: restorecon seg fault on 'no such file'
In-Reply-To: <4c4ba1530609151320v5549d86ck31713b7273129f0b@mail.gmail.com>
References: <4c4ba1530609151320v5549d86ck31713b7273129f0b@mail.gmail.com>
Message-ID: <20060915204028.GB7978@nostromo.devel.redhat.com>

Tom London (selinux at gmail.com) said:
> Running latest rawhide, targeted/enforcing.
>
> There is an entry in /etc/rc.sysinit that segfaults on my system (line 678):
> # Clean up SELinux labels
> if [ -n "$SELINUX_STATE" ]; then
> restorecon /etc/mtab /etc/ld.so.cache /etc/blkid.tab
> /etc/resolv.conf >/dev/null 2>&1
> fi

See bug 206579.
Bill From sds at tycho.nsa.gov Fri Sep 15 21:05:10 2006 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 15 Sep 2006 17:05:10 -0400 Subject: restorecon seg fault on 'no such file' In-Reply-To: <20060915204028.GB7978@nostromo.devel.redhat.com> References: <4c4ba1530609151320v5549d86ck31713b7273129f0b@mail.gmail.com> <20060915204028.GB7978@nostromo.devel.redhat.com> Message-ID: <1158354310.18951.188.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2006-09-15 at 16:40 -0400, Bill Nottingham wrote: > Tom London (selinux at gmail.com) said: > > Running latest rawhide, targeted/enforcing. > > > > There is a entry in /etc/rc.sysinit that segfaults on my system (line 678): > > # Clean up SELinux labels > > if [ -n "$SELINUX_STATE" ]; then > > restorecon /etc/mtab /etc/ld.so.cache /etc/blkid.tab > > /etc/resolv.conf >/dev/null 2>&1 > > fi > > See bug 206579. Looks like the bug I pointed out yesterday on selinux list; it was in the policycoreutils-rhat.patch in the Fedora package, not upstream. Dan posted a new patch today that looks like it corrected that along with other issues. -- Stephen Smalley National Security Agency From selinux at gmail.com Sat Sep 16 19:32:38 2006 From: selinux at gmail.com (Tom London) Date: Sat, 16 Sep 2006 12:32:38 -0700 Subject: setrans_t *:dir search ..... Message-ID: <4c4ba1530609161232r53726245v71ea23dedd0ee826@mail.gmail.com> Running latest rawhide, targeted/enforcing. 
mcstransd wants to access the 'processID' directories in /proc, and this is failing, e.g.:

type=AVC msg=audit(1158434177.034:15): avc: denied { search } for pid=1914 comm="mcstransd" name="2348" dev=proc ino=153878530 scontext=system_u:system_r:setrans_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=dir
type=SYSCALL msg=audit(1158434177.034:15): arch=40000003 syscall=5 success=no exit=-13 a0=9828568 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=1914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd" subj=system_u:system_r:setrans_t:s0 key=(null)
type=AVC msg=audit(1158434177.038:16): avc: denied { search } for pid=1914 comm="mcstransd" name="2348" dev=proc ino=153878530 scontext=system_u:system_r:setrans_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=dir
type=SYSCALL msg=audit(1158434177.038:16): arch=40000003 syscall=5 success=no exit=-13 a0=9828678 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=1914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd" subj=system_u:system_r:setrans_t:s0 key=(null)

Seems to be failing for crond_t, cupd_t, udev_t, xdm_t

Also, 'ls -ldZ /proc/2348' fails in enforcing mode now:

[root at localhost proc]# ls -ldZ 2348
ls: 2348: Permission denied
[root at localhost proc]# getenforce
Enforcing
[root at localhost proc]# setenforce 0
[root at localhost proc]#
[root at localhost proc]# ls -ldZ 2348
dr-xr-xr-x root root system_u:system_r:crond_t:SystemLow-SystemHigh 2348
[root at localhost proc]#
[root at localhost proc]# setenforce 1
[root at localhost proc]#

tom
--
Tom London

From selinux at gmail.com Sat Sep 16 19:40:51 2006
From: selinux at gmail.com (Tom London)
Date: Sat, 16 Sep 2006 12:40:51 -0700
Subject: another AVC....
Message-ID: <4c4ba1530609161240we42fa87odedc104546fc0f4c@mail.gmail.com>

running rawhide, targeted/enforcing.
Get this one after the last mcstransd AVC:

type=AVC msg=audit(1158434197.103:120): avc: denied { search } for pid=2617 comm="killall" name="2251" dev=proc ino=147521538 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=dir
type=SYSCALL msg=audit(1158434197.103:120): arch=40000003 syscall=5 success=no exit=-13 a0=87540b0 a1=8000 a2=1b6 a3=87540c8 items=0 ppid=2477 pid=2617 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="killall" exe="/usr/bin/killall" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

tom
--
Tom London

From ruedarod at cse.psu.edu Sun Sep 17 03:12:18 2006
From: ruedarod at cse.psu.edu (Sandra Julieta Rueda Rodriguez)
Date: Sat, 16 Sep 2006 23:12:18 -0400 (EDT)
Subject: FC5 - changing security context to sockets
Message-ID: <50268.66.71.92.111.1158462738.squirrel@66.71.92.111>

Hello,

I am currently working with SELinux FC5 and I want an application to be able to switch security context. The application uses sockets, so they inherit the security context from the application. To allow the application to switch security context (domain) I will add a transition rule in the list of selinux policies.

However, I also want the application to be able to relabel the socket with the new security context. So far I have not found a direct way to do it so I am planning to modify the sys_setsockopt function in the socket file and other functions related to that one. I was wondering if there is a direct way to do it, instead of having to modify the kernel.

Thanks,
Sandra

From benjamin.tsai at intervideo.com Mon Sep 18 10:02:49 2006
From: benjamin.tsai at intervideo.com (Benjamin Tsai)
Date: Mon, 18 Sep 2006 18:02:49 +0800
Subject: How to apply new policy exactly?
In-Reply-To: <1158066085.324.50.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDC76@TPE-EVS02.ivi.net>

My purpose is to customize SELinux policies for my own daemon.
I want to create new user, role, type on my system.
I thought I'll need policy sources to achieve the recompilation, so I start from refpolicy.

On my box the directories you indicated are created automatically, so I think there're other problems.

I've updated policy toolchain:
selinux-policy-2.3.13-5
libselinux-1.30.3-4.fc5
selinux-policy-strict-2.3.13-5
libsepol-1.12.26-1
libsemanage-1.6.16-2
policycoreutils-1.30.29-1
checkpolicy-1.30.9-1.1

My refpolicy/src/policy/build.conf:

TYPE=strict-mcs
NAME=refpolicy
DISTRO=redhat
DIRECT_INITRC=y
MONOLITHIC=n

After the update, I re-compiled refpolicy source and got the following errors

libsepol.mls_read_range_helper: truncated range
libsepol.sepol_module_package_read: invalid module in module package (at section 0)
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/refpolicy/modules/tmp/base.pp.
/usr/sbin/semodule: Failed!
make: *** [load] Error 1

The directory tmp exists, but the file base.pp doesn't.
I need help here. Thank you so much :)

Benjamin

-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
Sent: Tuesday, September 12, 2006 9:01 PM
To: Christopher J. PeBenito
Cc: Daniel J Walsh; Karl MacMillan; Joshua Brindle; Benjamin Tsai; fedora-selinux-list at redhat.com
Subject: RE: How to apply new policy exactly?

On Tue, 2006-09-12 at 08:14 -0400, Christopher J. PeBenito wrote:
> On Tue, 2006-09-12 at 10:38 +0800, Benjamin Tsai wrote:
> > Thank you for the clarification. I have reconfigured selinux/config
> > and recompile policy as the way I did it yesterday, but now I got
> > another error like this
> >
> > libsemanage.semanage_install_active: Could not
> > copy /etc/selinux/refpolicy/modules/active/policy.kern
> > to /etc/selinux/refpolicy/policy/policy.20.
>
> mkdir -p /etc/selinux/refpolicy/policy

Also mkdir -p /etc/selinux/refpolicy/contexts/files

It would be nice if libsemanage did the equivalent automatically if they don't exist.
However, I'm not clear that Benjamin is on the right path here. What is it that you actually want to achieve? Why are you installing upstream refpolicy? And what exact refpolicy are you installing - the 20060307 release or the current svn trunk? And what are the rest of your build.conf options - you only mentioned the DISTRO=redhat one, but Fedora customizes other settings as well, like DIRECT_INITRC=y, and it builds modular (MONOLITHIC=n) policy for FC5 and later. You also likely want the TYPE= to include the -mcs suffix so that your on-disk file contexts are compatible, particularly since some packages are now using semanage with local file contexts.

FC5 already uses refpolicy as its basis for building its targeted and strict policy packages, so I'm not sure what you hope to gain by building directly from the upstream refpolicy. Last I looked though, strict policy was broken in FC5 because it was modular w/o the newer libsepol/checkpolicy that supported optionals-in-base (take 2). Dan, is that still the case? You either need libsepol >= 1.12.18 and checkpolicy >= 1.30.8 or a strict policy that puts everything into base.

If you are trying to build a strict policy that works on FC5, I think you need a newer policy toolchain (either from upstream svn or the Fedora devel tree). You could try just updating to the devel versions of libsepol, checkpolicy, libselinux, libsemanage, and policycoreutils, and then installing the devel version of selinux-policy-strict. Then you don't need to build upstream refpolicy yourself. Even if you want to build upstream refpolicy yourself, I think you'll need the newer policy toolchain unless you collapse everything into the base module.
--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Mon Sep 18 12:30:34 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 18 Sep 2006 08:30:34 -0400
Subject: FC5 - changing security context to sockets
In-Reply-To: <50268.66.71.92.111.1158462738.squirrel@66.71.92.111>
References: <50268.66.71.92.111.1158462738.squirrel@66.71.92.111>
Message-ID: <1158582634.18951.211.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2006-09-16 at 23:12 -0400, Sandra Julieta Rueda Rodriguez wrote:
> Hello,
>
> I am currently working with SELinux FC5 and I want an application to be
> able to switch security context. The application uses sockets, so they
> inherit the security context from the application.
> To allow the application to switch security context (domain) I will add a
> transition rule in the list of selinux policies.
>
> However, I also want the application to be able to relabel the socket with
> the new security context. So far I have not found a direct way to do it so
> I am planning to modify the sys_setsockopt function in the socket file and
> other functions related to that one. I was wondering if there is a direct
> way to do it, instead of having to modify the kernel.

When you say "switch contexts", do you mean setexeccon()+execve(), or setcon()? The former enables proper control over the inheritance of state and initialization of the process in the new context; the latter requires trust in the application to maintain any separation and weakens the binding between the new context and the code.

As far as relabeling sockets is concerned, you could possibly use fsetfilecon(3), which is a wrapper for fsetxattr(3), since the VFS has a fallback for security attributes to the security module. However, relabeling in general is not desirable and should be minimized. The goal is to label objects with the right context upon creation and keep them in that context for their lifetime.
Newer kernels support a way to create a socket in a particular context via /proc/self/attr/sockcreate, and newer libselinux versions provide a function interface for setting this attribute, setsockcreatecon(3). But these would not be present in FC5, only in FC6.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Mon Sep 18 13:09:02 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 18 Sep 2006 09:09:02 -0400
Subject: How to apply new policy exactly?
In-Reply-To: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDC76@TPE-EVS02.ivi.net>
References: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDC76@TPE-EVS02.ivi.net>
Message-ID: <1158584942.18951.234.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2006-09-18 at 18:02 +0800, Benjamin Tsai wrote:
> My purpose is to customize SELinux policies for my own daemon.
> I want to create new user, role, type on my system.
> I thought I'll need policy sources to achieve the recompilation, so I
> start from refpolicy.

Clarification: If you just want to create SELinux policy for your own daemon, then you don't need policy sources anymore. In FC5, policy module support was introduced, so you can create, build, and install your own policy module without needing the base policy sources at all.

Still not clear as to whether you want strict policy or not from your postings. Do you want to confine everything, or just selected processes? Do you need to limit the actions of users, or just daemons? Even if you want strict, I suspect you could just update your toolchain and policy from FC6/devel rather than having to build from source yourself.

> On my box the directories you indicated are created automatically, so I
> think there're other problems.
>
> I've updated policy toolchain:
> selinux-policy-2.3.13-5
> libselinux-1.30.3-4.fc5
> selinux-policy-strict-2.3.13-5
> libsepol-1.12.26-1
> libsemanage-1.6.16-2
> policycoreutils-1.30.29-1
> checkpolicy-1.30.9-1.1

That version of checkpolicy isn't consistent with that libsepol.
Is that what is in FC5? Or some mix of FC5 and devel?

> My refpolicy/src/policy/build.conf:
>
> TYPE=strict-mcs
> NAME=refpolicy
> DISTRO=redhat
> DIRECT_INITRC=y
> MONOLITHIC=n
>
> After the update, I re-compiled refpolicy source and got the following
> errors
>
> libsepol.mls_read_range_helper: truncated range
> libsepol.sepol_module_package_read: invalid module in module package (at
> section 0)
> libsemanage.semanage_load_module: Error while reading from module file
> /etc/selinux/refpolicy/modules/tmp/base.pp.
> /usr/sbin/semodule: Failed!
> make: *** [load] Error 1

--
Stephen Smalley
National Security Agency

From stefan at sf-net.com Mon Sep 18 14:47:01 2006
From: stefan at sf-net.com (Stefan)
Date: Mon, 18 Sep 2006 16:47:01 +0200
Subject: latest vixie-cron update
Message-ID:

Hi,

since the last vixie-cron update the following errors appear in /var/log/cron:

Sep 18 16:01:01 troll crond[12489]: (*system*) NULL security context for user, but SELinux in permissive mode, continuing ()
Sep 18 16:01:01 troll crond[12492]: (root) CMD (run-parts /etc/cron.hourly)

Any ideas?

Best regards,
Stefan

From stefan at sf-net.com Mon Sep 18 14:49:17 2006
From: stefan at sf-net.com (Stefan)
Date: Mon, 18 Sep 2006 16:49:17 +0200
Subject: latest vixie-cron update
In-Reply-To:
References:
Message-ID: <573D2653-3D1E-47D0-BC2A-56D1796D4831@sf-net.com>

Oops, forgot the following info:

vixie-cron-4.1-58.fc5
selinux-policy-2.3.7-2.fc5
selinux-policy-mls-2.3.7-2.fc5
selinux-policy-devel-2.3.7-2.fc5

On 18.09.2006, at 16:47, Stefan wrote:
> Hi,
>
> since the last vixie-cron update the following errors appear in
> /var/log/cron:
>
> Sep 18 16:01:01 troll crond[12489]: (*system*) NULL security
> context for user, but SELinux in permissive mode, continuing ()
> Sep 18 16:01:01 troll crond[12492]: (root) CMD (run-parts /etc/
> cron.hourly)
>
> Any ideas?
>
> Best regards,
> Stefan

From joe at nall.com Mon Sep 18 19:00:55 2006
From: joe at nall.com (Joe Nall)
Date: Mon, 18 Sep 2006 14:00:55 -0500
Subject: FC5 - changing security context to sockets
In-Reply-To: <1158582634.18951.211.camel@moss-spartans.epoch.ncsc.mil>
References: <50268.66.71.92.111.1158462738.squirrel@66.71.92.111> <1158582634.18951.211.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

On Sep 18, 2006, at 7:30 AM, Stephen Smalley wrote:
> As far as relabeling sockets is concerned, you could possibly use
> fsetfilecon(3), which is a wrapper for fsetxattr(3), since the VFS
> has a
> fallback for security attributes to the security module.

Would this work for unix domain but not IP sockets?

> However,
> relabeling in general is not desirable and should be minimized. The
> goal is to label objects with the right context upon creation and keep
> them in that context for their lifetime.

In the CMW programming model I have more experience with, a multilevel daemon would accept() and then set the new socket level to that of the connecting peer so that both socket endpoints were at the same level.

What is the right way to do this?

> Newer kernels support a way to create a socket in a particular context
> via /proc/self/attr/sockcreate, and newer libselinux versions
> provide a
> function interface for setting this attribute, setsockcreatecon
> (3). But
> these would not be present in FC5, only in FC6.
Found in libselinux-1.30.28-1

joe

From sds at tycho.nsa.gov Mon Sep 18 19:25:38 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 18 Sep 2006 15:25:38 -0400
Subject: FC5 - changing security context to sockets
In-Reply-To:
References: <50268.66.71.92.111.1158462738.squirrel@66.71.92.111> <1158582634.18951.211.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1158607538.14194.20.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2006-09-18 at 14:00 -0500, Joe Nall wrote:
> On Sep 18, 2006, at 7:30 AM, Stephen Smalley wrote:
>
> > As far as relabeling sockets is concerned, you could possibly use
> > fsetfilecon(3), which is a wrapper for fsetxattr(3), since the VFS
> > has a
> > fallback for security attributes to the security module.
>
> Would this work for unix domain but not IP sockets?

Depends on your kernel. With existing kernels, it will work on all sockets (because there is only one SID and it is stored in the incore inode associated with the user socket). With kernels with the recent labeled networking patches (back ported to 2.6.18 for fc6/rhel5, queued for 2.6.19), there is a separate SID stored in the struct sock, so further work would be required to synchronize that SID if the SID was allowed to change after creation.

> > However,
> > relabeling in general is not desirable and should be minimized. The
> > goal is to label objects with the right context upon creation and keep
> > them in that context for their lifetime.
>
> In the CMW programming model I have more experience with, a multilevel
> daemon would accept() and then set the new socket level to that of the
> connecting peer so that both socket endpoints were at the same level.
>
> What is the right way to do this?

That is being handled in the kernel automatically in the recent kernels with labeled networking patches. New server socket is assigned the level of the requesting client when it is created, so that it always has the right label.
> > > Newer kernels support a way to create a socket in a particular context
> > > via /proc/self/attr/sockcreate, and newer libselinux versions
> > > provide a
> > > function interface for setting this attribute, setsockcreatecon
> > > (3). But
> > > these would not be present in FC5, only in FC6.
>
> Found in libselinux-1.30.28-1
>
> joe

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Mon Sep 18 20:18:22 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 18 Sep 2006 16:18:22 -0400
Subject: another AVC....
In-Reply-To: <4c4ba1530609161240we42fa87odedc104546fc0f4c@mail.gmail.com>
References: <4c4ba1530609161240we42fa87odedc104546fc0f4c@mail.gmail.com>
Message-ID: <450EFF0E.4080608@redhat.com>

Tom London wrote:
> running rawhide, targeted/enforcing.
>
> Get this one after the last mcstransd AVC:
>
> type=AVC msg=audit(1158434197.103:120): avc: denied { search } for
> pid=2617 comm="killall" name="2251" dev=proc ino=147521538
> scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=dir
> type=SYSCALL msg=audit(1158434197.103:120): arch=40000003 syscall=5
> success=no exit=-13 a0=87540b0 a1=8000 a2=1b6 a3=87540c8 items=0
> ppid=2477 pid=2617 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="killall" exe="/usr/bin/killall"
> subj=system_u:system_r:NetworkManager_t:s0 key=(null)
>
> tom

Fixed in latest policy selinux-policy-2.3.14-3.

From dwalsh at redhat.com Mon Sep 18 20:18:49 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 18 Sep 2006 16:18:49 -0400
Subject: setrans_t *:dir search .....
In-Reply-To: <4c4ba1530609161232r53726245v71ea23dedd0ee826@mail.gmail.com>
References: <4c4ba1530609161232r53726245v71ea23dedd0ee826@mail.gmail.com>
Message-ID: <450EFF29.7040303@redhat.com>

Tom London wrote:
> Running latest rawhide, targeted/enforcing.
>
> mcstransd wants to access the 'processID' directories in /proc, and
> this is failing, e.g.:
>
> type=AVC msg=audit(1158434177.034:15): avc: denied { search } for
> pid=1914 comm="mcstransd" name="2348" dev=proc ino=153878530
> scontext=system_u:system_r:setrans_t:s0
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=dir
> type=SYSCALL msg=audit(1158434177.034:15): arch=40000003 syscall=5
> success=no exit=-13 a0=9828568 a1=8000 a2=0 a3=8000 items=0 ppid=1
> pid=1914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd"
> subj=system_u:system_r:setrans_t:s0 key=(null)
> type=AVC msg=audit(1158434177.038:16): avc: denied { search } for
> pid=1914 comm="mcstransd" name="2348" dev=proc ino=153878530
> scontext=system_u:system_r:setrans_t:s0
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=dir
> type=SYSCALL msg=audit(1158434177.038:16): arch=40000003 syscall=5
> success=no exit=-13 a0=9828678 a1=8000 a2=0 a3=8000 items=0 ppid=1
> pid=1914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd"
> subj=system_u:system_r:setrans_t:s0 key=(null)
>
> Seems to be failing for crond_t, cupd_t, udev_t, xdm_t
>
> Also, 'ls -ldZ /proc/2348' fails in enforcing mode now:
> [root at localhost proc]# ls -ldZ 2348
> ls: 2348: Permission denied
> [root at localhost proc]# getenforce
> Enforcing
> [root at localhost proc]# setenforce 0
> [root at localhost proc]#
> [root at localhost proc]# ls -ldZ 2348
> dr-xr-xr-x root root system_u:system_r:crond_t:SystemLow-SystemHigh 2348
> [root at localhost proc]#
> [root at localhost proc]# setenforce 1
> [root at localhost proc]#
>
>
> tom

Fixed in latest policy. 2.3.14-3

I wonder why these just started showing up. Problem should have been there all along.
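The AVC records Tom posted above are the raw material that audit2allow (used later in this thread) turns into a policy module. The following is an added example, not code from the thread or from the audit2allow tool: a minimal Python equivalent that parses those records (constructed sample input copied from the thread, SYSCALL lines included so the parser has to skip them), merges duplicate denials, and emits one allow rule per (source type, target type, class) with the require block checkmodule needs; the module name is arbitrary.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC/SYSCALL records Tom London posted in this
# thread (whitespace as archived).  SYSCALL records carry no permission and
# are skipped by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1158434177.034:15): avc: denied { search } for pid=1914 comm="mcstransd" name="2348" dev=proc ino=153878530 scontext=system_u:system_r:setrans_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=dir
type=SYSCALL msg=audit(1158434177.034:15): arch=40000003 syscall=5 success=no exit=-13 a0=9828568 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=1914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd" subj=system_u:system_r:setrans_t:s0 key=(null)
type=AVC msg=audit(1158434177.038:16): avc: denied { search } for pid=1914 comm="mcstransd" name="2348" dev=proc ino=153878530 scontext=system_u:system_r:setrans_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=dir
type=AVC msg=audit(1158434197.103:120): avc: denied { search } for pid=2617 comm="killall" name="2251" dev=proc ino=147521538 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=dir
"""

# One AVC record: the permission set inside braces, then source/target
# context and object class.  \s+ tolerates the double spaces real auditd
# writes as well as the single spaces of the archived copy.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Third field of user:role:type[:range] is the type (domain)."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Return a list of (source_type, target_type, tclass, frozenset(perms))."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH, ... records or unrelated lines
        denials.append((
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        ))
    return denials


def fmt_perms(perms):
    """Single permission bare, several in braces, as checkmodule expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_module(name, denials):
    """Merge denials into one allow rule per (source, target, class) and
    wrap them in a loadable-module source file with its require block."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in denials:
        rules[(src, tgt, cls)] |= perms
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\tclass {cls} {fmt_perms(classes[cls])};" for cls in sorted(classes)]
    lines += [f"\ttype {t};" for t in types]
    lines += ["};", ""]
    lines += [f"allow {src} {tgt}:{cls} {fmt_perms(rules[(src, tgt, cls)])};"
              for (src, tgt, cls) in sorted(rules)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_module("setrans_proc", parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

The two identical mcstransd denials collapse into a single rule; each generated rule still deserves a look before it is compiled and loaded, since the tool only reproduces what was denied.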
From benjamin.tsai at intervideo.com Tue Sep 19 02:20:41 2006
From: benjamin.tsai at intervideo.com (Benjamin Tsai)
Date: Tue, 19 Sep 2006 10:20:41 +0800
Subject: How to apply new policy exactly?
In-Reply-To: <1158584942.18951.234.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDCA1@TPE-EVS02.ivi.net>

I want to write policy for my own daemon, instead of a strict policy.
So, I stepped on the wrong road from the beginning?
Though, according to the document "Configuring the SELinux Policy", it indicates a path to policy source.

Well then, what's a correct build path? Are the following steps correct?
write foo.te file, and execute
#checkmodule -M -m foo.te -o foo.mod
Then
#semodule -i foo.mod

Besides, is it then impossible to customize my own base policy package? Or I shall start over and write my own base module word by word?

-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
Sent: Monday, September 18, 2006 9:09 PM
To: Benjamin Tsai
Cc: Christopher J. PeBenito; Daniel J Walsh; Karl MacMillan; Joshua Brindle; fedora-selinux-list at redhat.com
Subject: RE: How to apply new policy exactly?

On Mon, 2006-09-18 at 18:02 +0800, Benjamin Tsai wrote:
> My purpose is to customize SELinux policies for my own daemon.
> I want to create new user, role, type on my system.
> I thought I'll need policy sources to achieve the recompilation, so I
> start from refpolicy.

Clarification: If you just want to create SELinux policy for your own daemon, then you don't need policy sources anymore. In FC5, policy module support was introduced, so you can create, build, and install your own policy module without needing the base policy sources at all.

Still not clear as to whether you want strict policy or not from your postings. Do you want to confine everything, or just selected processes? Do you need to limit the actions of users, or just daemons?
Even if you want strict, I suspect you could just update your toolchain and policy from FC6/devel rather than having to build from source yourself.

> On my box the directories you indicated are created automatically, so I
> think there're other problems.
>
> I've updated policy toolchain:
> selinux-policy-2.3.13-5
> libselinux-1.30.3-4.fc5
> selinux-policy-strict-2.3.13-5
> libsepol-1.12.26-1
> libsemanage-1.6.16-2
> policycoreutils-1.30.29-1
> checkpolicy-1.30.9-1.1

That version of checkpolicy isn't consistent with that libsepol. Is that what is in FC5? Or some mix of FC5 and devel?

> My refpolicy/src/policy/build.conf:
>
> TYPE=strict-mcs
> NAME=refpolicy
> DISTRO=redhat
> DIRECT_INITRC=y
> MONOLITHIC=n
>
> After the update, I re-compiled refpolicy source and got the following
> errors
>
> libsepol.mls_read_range_helper: truncated range
> libsepol.sepol_module_package_read: invalid module in module package (at
> section 0)
> libsemanage.semanage_load_module: Error while reading from module file
> /etc/selinux/refpolicy/modules/tmp/base.pp.
> /usr/sbin/semodule: Failed!
> make: *** [load] Error 1

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Tue Sep 19 12:57:52 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 19 Sep 2006 08:57:52 -0400
Subject: How to apply new policy exactly?
In-Reply-To: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDCA1@TPE-EVS02.ivi.net>
References: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDCA1@TPE-EVS02.ivi.net>
Message-ID: <1158670672.15340.28.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-09-19 at 10:20 +0800, Benjamin Tsai wrote:
> I want to write policy for my own daemon, instead of a strict policy.
> So, I stepped on the wrong road from the beginning?
> Though, according to the document "Configuring the SELinux Policy", it
> indicates a path to policy source.

That's because it was written before modular policy support existed.
Useful links:
Fedora Core 5 SELinux FAQ
http://fedora.redhat.com/docs/selinux-faq-fc5/
Fedora SELinux Wiki
http://fedoraproject.org/wiki/SELinux/

Dan and Joshua, it looks like the links to various Tresys site pages are no longer valid.

> Well then, what's a correct build path? Are the following steps correct?
> write foo.te file, and execute
> #checkmodule -M -m foo.te -o foo.mod
> Then
> #semodule -i foo.mod

semodule acts on a policy module package rather than just a module, which you can create via:
semodule_package -o foo.pp -m foo.mod

If you have file contexts as well, you can bundle them within the package, as in:
semodule_package -o foo.pp -m foo.mod -f foo.fc

But this can all be handled more easily via the sequence described in:
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961577

> Besides, is it then impossible to customize my own base policy package?
> Or I shall start over and write my own base module word by word?

It isn't impossible, but in many cases, it is no longer necessary - you can define your own policy modules and add them, or you can use semanage to customize other local settings, while still being able to just use the Fedora-provided base policy and any updates to it. You can certainly replace the entire policy and just use the refpolicy from oss.tresys.com, but if you don't need to do so, then it is just making more work for yourself.

--
Stephen Smalley
National Security Agency

From giuffsalvo at hotmail.it Tue Sep 19 16:54:25 2006
From: giuffsalvo at hotmail.it (Salvo Giuffrida)
Date: Tue, 19 Sep 2006 18:54:25 +0200
Subject: .pp files
Message-ID:

What is the function of the .pp files in /etc/selinux/targeted/modules/active/modules?
I read a book from O'Reilly (SELinux - NSA's Open Source Security Enhanced Linux) and there's no mention of their function...
Thanks a lot
From paul at city-fan.org Tue Sep 19 16:59:54 2006
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 19 Sep 2006 17:59:54 +0100
Subject: .pp files
In-Reply-To:
References:
Message-ID: <4510220A.6030407@city-fan.org>

Salvo Giuffrida wrote:
> What is the function of the .pp files in
> /etc/selinux/targeted/modules/active/modules?
> I read a book from O'Reilly (SELinux - NSA's Open Source Security
> Enhanced Linux) and there's no mention of their function...
> Thanks a lot

The .pp files are the compiled policy module packages that are loaded using semodule into the running policy.

Paul.

From sundaram at fedoraproject.org Tue Sep 19 17:05:44 2006
From: sundaram at fedoraproject.org (Rahul)
Date: Tue, 19 Sep 2006 22:35:44 +0530
Subject: .pp files
In-Reply-To:
References:
Message-ID: <45102368.9050404@fedoraproject.org>

Salvo Giuffrida wrote:
> What is the function of the .pp files in
> /etc/selinux/targeted/modules/active/modules?
> I read a book from O'Reilly (SELinux - NSA's Open Source Security
> Enhanced Linux) and there's no mention of their function...
> Thanks a lot
>

That book is very outdated now. More updated information is available from http://fedoraproject.org/wiki/SELinux. The "pp" extension stands for policy package files which implement loadable policy modules.

http://fedoraproject.org/wiki/SELinux/FC5Features

Rahul

From giuffsalvo at hotmail.it Tue Sep 19 17:36:02 2006
From: giuffsalvo at hotmail.it (Salvo Giuffrida)
Date: Tue, 19 Sep 2006 19:36:02 +0200
Subject: .pp files
In-Reply-To: <45102368.9050404@fedoraproject.org>
Message-ID:

So, what's now the role of the policy.number file in /etc/..../policy?
Can one still use the "old way" of modifying the source, and recompile into a big binary file?
Another thing, please: What's the "Object manager"?
Thanks

>From: Rahul
>To: Salvo Giuffrida
>CC: fedora-selinux-list at redhat.com
>Subject: Re: .pp files
>Date: Tue, 19 Sep 2006 22:35:44 +0530
>
>Salvo Giuffrida wrote:
>>What is the function of the .pp files in
>>/etc/selinux/targeted/modules/active/modules?
>>I read a book from O'Reilly (SELinux - NSA's Open Source Security Enhanced
>>Linux) and there's no mention of their function...
>>Thanks a lot
>>
>
>That book is very outdated now. More updated information is available from
>http://fedoraproject.org/wiki/SELinux. The "pp" extension stands for policy
>package files which implement loadable policy modules.
>
>http://fedoraproject.org/wiki/SELinux/FC5Features
>
>Rahul

From benjamin.tsai at intervideo.com Wed Sep 20 03:06:03 2006
From: benjamin.tsai at intervideo.com (Benjamin Tsai)
Date: Wed, 20 Sep 2006 11:06:03 +0800
Subject: How to apply new policy exactly?
In-Reply-To: <1158670672.15340.28.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDD0E@TPE-EVS02.ivi.net>

Thank you for the reply, I'm now a bit closer to the right track. :)

To work the build path around, I start with "audit2allow." With my box installed with selinux-policy-strict-2.3.7-2.fc5 and turned selinux mode to "permissive," I run audit2allow as follows:

#audit2allow -m dmesg -d > dmesg.te
#checkmodule -M -m -o dmesg.mod dmesg.te
#semodule_package -o dmesg.pp -m dmesg.mod
#semodule -i dmesg.pp

Then I had the following errors:

/etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /usr/bin/apt-get (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0).
/etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /usr/bin/apt-shell (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0).
I googled out your reply on same errors in 2004 and it says: "You shouldn't enable both rpm.te and dpkg.te in the same policy; they conflict."

Without policy source, how can I disable either rpm.te or dpkg.te? Besides, I tried to mark rules related to rpm in my .te file, but it didn't fix the problem.

Here is a copy of my dmesg.te file:

####################################################################
module dmesg 1.0;

require {
	class blk_file { ioctl read };
	class dbus send_msg;
	class dir { add_name create relabelfrom relabelto remove_name rename reparent rmdir search setattr write };
	class fd use;
	class fifo_file { getattr ioctl write };
	class file { append create execute getattr ioctl lock read relabelfrom relabelto rename setattr unlink write };
	class lnk_file { create read relabelfrom relabelto rename setattr };
	class process { execmem setexec };
	class security load_policy;
	class shm { associate getattr read unix_read unix_write write };
	class sock_file { unlink write };
	class unix_stream_socket connectto;
	type apmd_log_t;
	type auditctl_exec_t;
	type auditd_exec_t;
	type auditd_log_t;
	type etc_t;
	type faillog_t;
	type file_context_t;
	type file_t;
	type fonts_t;
	type hald_t;
	type ice_tmp_t;
	type initrc_exec_t;
	type krb5_conf_t;
	type lastlog_t;
	type lib_t;
	type man_t;
	type nscd_var_run_t;
	type pam_t;
	type policy_config_t;
	type removable_device_t;
	type rpm_log_t;
	type rpm_var_lib_t;
	type sbin_t;
	# type security_t;
	type selinux_config_t;
	type semanage_read_lock_t;
	type semanage_store_t;
	type semanage_trans_lock_t;
	type staff_t;
	type staff_tmpfs_t;
	type system_dbusd_t;
	type system_dbusd_var_run_t;
	type tmp_t;
	type user_home_dir_t;
	type user_home_t;
	type usr_t;
	type var_log_t;
	type var_run_t;
	type var_t;
	type xdm_t;
	type xdm_xserver_t;
	role staff_r;
	role system_r;
};

allow hald_t staff_t:dbus send_msg;
allow pam_t lib_t:file { execute getattr read };
allow pam_t nscd_var_run_t:dir search;
allow pam_t xdm_t:fd use;
allow pam_t xdm_t:fifo_file { getattr ioctl write };
allow staff_t apmd_log_t:file read; allow staff_t auditctl_exec_t:file { relabelto setattr }; allow staff_t auditd_exec_t:file { relabelto setattr }; allow staff_t auditd_log_t:dir { relabelto setattr }; allow staff_t etc_t:dir { add_name remove_name write }; allow staff_t etc_t:file { create relabelfrom relabelto rename setattr write }; allow staff_t etc_t:lnk_file create; allow staff_t faillog_t:file read; allow staff_t file_context_t:dir { add_name remove_name write }; allow staff_t file_context_t:file { create rename setattr unlink write }; allow staff_t file_t:file read; allow staff_t fonts_t:file read; allow staff_t hald_t:dbus send_msg; allow staff_t ice_tmp_t:sock_file write; allow staff_t initrc_exec_t:file { relabelto setattr }; allow staff_t krb5_conf_t:file { read write }; allow staff_t lastlog_t:file read; allow staff_t lib_t:dir { add_name remove_name write }; allow staff_t lib_t:file { create relabelfrom relabelto rename setattr unlink write }; allow staff_t lib_t:lnk_file { create relabelfrom relabelto rename setattr }; allow staff_t man_t:dir { add_name remove_name write }; allow staff_t man_t:file { create relabelfrom relabelto rename setattr write }; allow staff_t policy_config_t:dir { add_name remove_name write }; allow staff_t policy_config_t:file { create read rename unlink write }; allow staff_t removable_device_t:blk_file { ioctl read }; allow staff_t rpm_log_t:file append; allow staff_t rpm_var_lib_t:dir { add_name write }; allow staff_t rpm_var_lib_t:file { create lock read write }; allow staff_t sbin_t:dir { add_name remove_name write }; allow staff_t sbin_t:file { create relabelfrom relabelto rename setattr write }; #allow staff_t security_t:security load_policy; allow staff_t selinux_config_t:dir { add_name create remove_name rename rmdir write }; allow staff_t selinux_config_t:file { create rename unlink write }; allow staff_t semanage_read_lock_t:file { lock read write }; allow staff_t semanage_store_t:dir { remove_name rename rmdir 
write }; allow staff_t semanage_store_t:file { read unlink }; allow staff_t semanage_trans_lock_t:file { lock read write }; allow staff_t self:process { execmem setexec }; allow staff_t system_dbusd_t:unix_stream_socket connectto; allow staff_t system_dbusd_var_run_t:sock_file write; allow staff_t tmp_t:file { execute read write }; allow staff_t tmp_t:sock_file { unlink write }; allow staff_t user_home_dir_t:dir { add_name create rename rmdir write }; allow staff_t user_home_dir_t:file { create ioctl read relabelfrom rename setattr write }; allow staff_t user_home_dir_t:lnk_file { create read }; allow staff_t user_home_t:dir { add_name create remove_name rename reparent rmdir write }; allow staff_t user_home_t:file { create ioctl lock relabelto rename setattr unlink }; allow staff_t user_home_t:lnk_file create; allow staff_t usr_t:dir { add_name create relabelfrom relabelto remove_name setattr write }; allow staff_t usr_t:file { create relabelfrom relabelto rename setattr write }; allow staff_t var_log_t:dir { add_name create relabelfrom write }; allow staff_t var_log_t:file read; allow staff_t var_run_t:dir { add_name remove_name write }; allow staff_t var_run_t:file { create unlink write }; allow staff_t var_t:dir { add_name remove_name write }; allow staff_t var_t:file { create setattr unlink write }; allow staff_t xdm_xserver_t:unix_stream_socket connectto; allow xdm_xserver_t staff_t:fd use; allow xdm_xserver_t staff_t:shm { associate getattr read unix_read unix_write write }; allow xdm_xserver_t staff_tmpfs_t:file { read write }; ################################################################### -----Original Message----- From: Stephen Smalley [mailto:sds at tycho.nsa.gov] Sent: Tuesday, September 19, 2006 8:58 PM To: Benjamin Tsai Cc: Christopher J. PeBenito; Daniel J Walsh; Karl MacMillan; Joshua Brindle; fedora-selinux-list at redhat.com Subject: RE: How to apply new policy exactly? 
On Tue, 2006-09-19 at 10:20 +0800, Benjamin Tsai wrote:
> I want to write policy for my own daemon, instead of a strict policy.
> So, I stepped on the wrong road from the beginning?
> Though, according to the document "Configuring the SELinux Policy", it
> indicates a path to policy source.

That's because it was written before modular policy support existed.

Useful links:
Fedora Core 5 SELinux FAQ
http://fedora.redhat.com/docs/selinux-faq-fc5/
Fedora SELinux Wiki
http://fedoraproject.org/wiki/SELinux/

Dan and Joshua, it looks like the links to various Tresys site pages are no longer valid.

> Well then, what's a correct build path? Are the following steps correct?
> write foo.te file, and execute
> #checkmodule -M -m foo.te -o foo.mod
> Then
> #semodule -i foo.mod

semodule acts on a policy module package rather than just a module, which you can create via:
semodule_package -o foo.pp -m foo.mod

If you have file contexts as well, you can bundle them within the package, as in:
semodule_package -o foo.pp -m foo.mod -f foo.fc

But this can all be handled more easily via the sequence described in:
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961577

> Besides, is it then impossible to customize my own base policy package?
> Or I shall start over and write my own base module word by word?

It isn't impossible, but in many cases, it is no longer necessary - you can define your own policy modules and add them, or you can use semanage to customize other local settings, while still being able to just use the Fedora-provided base policy and any updates to it. You can certainly replace the entire policy and just use the refpolicy from oss.tresys.com, but if you don't need to do so, then it is just making more work for yourself.

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Sep 20 19:04:29 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 20 Sep 2006 15:04:29 -0400
Subject: .pp files
In-Reply-To: 
References: 
Message-ID: <1158779069.15340.141.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-09-19 at 19:36 +0200, Salvo Giuffrida wrote:
> So, what's now the role of the policy.number file in /etc/..../policy? Can
> one still use the "old way" of modifying the source, and recompile into a
> big binary file?

The policy modules are linked together and expanded into a kernel binary policy image, which is then installed to that file for loading into the kernel.

You don't absolutely have to use modular/managed policy, but doing so has definite benefits, and both users and package scriptlets are increasingly taking advantage of semodule and semanage for managing policy in a modular way and customizing certain policy settings, and the dependencies on it are only going to increase in the future as further management infrastructure is created.

BTW, while the O'Reilly book predates the modular policy support (possibly they'll issue an updated edition sometime, I don't know), there is a newer SELinux book that includes discussion of policy modules by people involved in their development, see:
http://selinuxnews.org/wp/index.php/2006/08/09/new-selinux-book-published/
http://mentalrootkit.org/?p=10

> Another thing, please: What's the "Object manager"?

That's a term used in the Flask security architecture, which SELinux implements. See:
http://www.nsa.gov/selinux/papers/flask-abs.cfm

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Sep 20 21:28:19 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 20 Sep 2006 17:28:19 -0400
Subject: How to apply new policy exactly?
In-Reply-To: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDD0E@TPE-EVS02.ivi.net>
References: <8EE726B05F4D0D42AE5F0E2BC03CCF530DDD0E@TPE-EVS02.ivi.net>
Message-ID: <1158787699.15340.247.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-09-20 at 11:06 +0800, Benjamin Tsai wrote:
> Thank you for the reply, I now a bit closer to the right track. :)
>
> To work the build path around, I start with "audit2allow."
> With my box installed with selinux-policy-strict-2.3.7-2.fc5 and turned
> selinux mode to "permissive," I run audit2allow as follows:

Hmmm...I'm confused again. I thought you said that you didn't want strict policy per se, just policy for your own daemon. Did you change your mind? Just want to be clear on your goals.

If you want strict, then the next question is whether that fc5 strict policy package actually works. Dan or Karl? Last I looked, fc5 didn't have a libsepol/checkpolicy combo that included the final optionals-in-base fixes, and thus the modularized strict policy was broken there.

> #audit2allow -m dmesg -d > dmesg.te
> #checkmodule -M -m -o dmesg.mod dmesg.te
> #semodule_package -o dmesg.pp -m dmesg.mod
> #semodule -I dmesg.pp
>
> Then I had the following errors:
>
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different
> specifications for /usr/bin/apt-get (system_u:object_r:rpm_exec_t:s0 and
> system_u:object_r:apt_exec_t:s0).
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different
> specifications for /usr/bin/apt-shell (system_u:object_r:rpm_exec_t:s0
> and system_u:object_r:apt_exec_t:s0).
>
> I googled out your reply on same errors in 2004 and it says:
> "You shouldn't enable both rpm.te and dpkg.te in the same policy; they
> conflict."
>
> Without policy source, how can I disable either rpm.te or dpkg.te?
> Besides, I tried to mark rules related to rpm in my .te file, but it
> didn't fix the problem.

First, those are just warnings, not fatal errors, and they aren't likely relevant to you.
Second, if rpm and dpkg were built modular, then you should just be able to semodule -r them, e.g.
semodule -r dpkg
I don't think you want to disable rpm on a fedora system ;)

Third, your dmesg module has lots of rules that I don't think you really want to allow, so you need to prune out most of it. Looks like you were trying to do privileged operations as a staff_r user rather than first newrole'ing to sysadm_r, and like you didn't restorecon your home directory after setting up your role for staff_r so that it had the right type (staff_home_* instead of user_home_*).

-- 
Stephen Smalley
National Security Agency

From giuffsalvo at hotmail.it Wed Sep 20 22:51:55 2006
From: giuffsalvo at hotmail.it (Salvo Danilo Giuffrida)
Date: Thu, 21 Sep 2006 00:51:55 +0200
Subject: .pp files
In-Reply-To: <1158779069.15340.141.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: 

Thanks a lot for the answer. I have another question, please: Where can I find the list of all the object classes (file, dir, netif, etc...), and the operations associated to each one of them?

Thanks a lot

>From: Stephen Smalley
>To: Salvo Giuffrida
>CC: sundaram at fedoraproject.org, fedora-selinux-list at redhat.com
>Subject: Re: .pp files
>Date: Wed, 20 Sep 2006 15:04:29 -0400
>
>On Tue, 2006-09-19 at 19:36 +0200, Salvo Giuffrida wrote:
> > So, what's now the role of the policy.number file in /etc/..../policy? Can
> > one still use the "old way" of modifying the source, and recompile into a
> > big binary file?
>
>The policy modules are linked together and expanded into a kernel binary
>policy image, which is then installed to that file for loading into the
>kernel.
>
>You don't absolutely have to use modular/managed policy, but doing so
>has definite benefits, and both users and package scriptlets are
>increasingly taking advantage of semodule and semanage for managing
>policy in a modular way and customizing certain policy settings, and the
>dependencies on it are only going to increase in the future as further
>management infrastructure is created.
>
>BTW, while the O'Reilly book predates the modular policy support
>(possibly they'll issue an updated edition sometime, I don't know),
>there is a newer SELinux book that includes discussion of policy modules
>by people involved in their development, see:
>http://selinuxnews.org/wp/index.php/2006/08/09/new-selinux-book-published/
>http://mentalrootkit.org/?p=10
>
> > Another thing, please: What's the "Object manager"?
>
>That's a term used in the Flask security architecture, which SELinux
>implements. See:
>http://www.nsa.gov/selinux/papers/flask-abs.cfm
>
>--
>Stephen Smalley
>National Security Agency
>

From benjamin.tsai at intervideo.com Thu Sep 21 02:26:24 2006
From: benjamin.tsai at intervideo.com (Benjamin Tsai)
Date: Thu, 21 Sep 2006 10:26:24 +0800
Subject: How to apply new policy exactly?
In-Reply-To: <1158787699.15340.247.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <8EE726B05F4D0D42AE5F0E2BC03CCF53186EF2@TPE-EVS02.ivi.net>

sorry I didn't make myself clear ... enough.
Me thought if I want to build and load my own policy successfully, I should "feel" and confirm that the build path works on my box in advance. I shall have a valid .te file, and with that, I can compile/load it without errors and see it working correctly. That's why I start with audit2allow, it's merely a test for me. =)

As for the warning, yes I did see my module installed through semodule -l. However, why is the warning?
It's fc5 in my box, instead of debian, surely I don't have dpkg installed. Besides, I checked with semodule and didn't see dpkg. It's so weird to see a warning of something I don't have.

By the way, thank you so much for clarifying my problems. =)

-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
Sent: Thursday, September 21, 2006 5:28 AM
To: Benjamin Tsai
Cc: Christopher J. PeBenito; Daniel J Walsh; Karl MacMillan; Joshua Brindle; fedora-selinux-list at redhat.com
Subject: RE: How to apply new policy exactly?

On Wed, 2006-09-20 at 11:06 +0800, Benjamin Tsai wrote:
> Thank you for the reply, I now a bit closer to the right track. :)
>
> To work the build path around, I start with "audit2allow."
> With my box installed with selinux-policy-strict-2.3.7-2.fc5 and turned
> selinux mode to "permissive," I run audit2allow as follows:

Hmmm...I'm confused again. I thought you said that you didn't want strict policy per se, just policy for your own daemon. Did you change your mind? Just want to be clear on your goals.

If you want strict, then the next question is whether that fc5 strict policy package actually works. Dan or Karl? Last I looked, fc5 didn't have a libsepol/checkpolicy combo that included the final optionals-in-base fixes, and thus the modularized strict policy was broken there.

> #audit2allow -m dmesg -d > dmesg.te
> #checkmodule -M -m -o dmesg.mod dmesg.te
> #semodule_package -o dmesg.pp -m dmesg.mod
> #semodule -I dmesg.pp
>
> Then I had the following errors:
>
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different
> specifications for /usr/bin/apt-get (system_u:object_r:rpm_exec_t:s0 and
> system_u:object_r:apt_exec_t:s0).
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different
> specifications for /usr/bin/apt-shell (system_u:object_r:rpm_exec_t:s0
> and system_u:object_r:apt_exec_t:s0).
>
> I googled out your reply on same errors in 2004 and it says:
> "You shouldn't enable both rpm.te and dpkg.te in the same policy; they
> conflict."
>
> Without policy source, how can I disable either rpm.te or dpkg.te?
> Besides, I tried to mark rules related to rpm in my .te file, but it
> didn't fix the problem.

First, those are just warnings, not fatal errors, and they aren't likely relevant to you.

Second, if rpm and dpkg were built modular, then you should just be able to semodule -r them, e.g.
semodule -r dpkg
I don't think you want to disable rpm on a fedora system ;)

Third, your dmesg module has lots of rules that I don't think you really want to allow, so you need to prune out most of it. Looks like you were trying to do privileged operations as a staff_r user rather than first newrole'ing to sysadm_r, and like you didn't restorecon your home directory after setting up your role for staff_r so that it had the right type (staff_home_* instead of user_home_*).

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Thu Sep 21 13:39:37 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 21 Sep 2006 09:39:37 -0400
Subject: .pp files
In-Reply-To: 
References: 
Message-ID: <1158845977.7748.5.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-09-21 at 00:51 +0200, Salvo Danilo Giuffrida wrote:
> Thanks a lot for the answer. I have another question, please: Where can I
> find the list of all the object classes (file, dir, netif, etc...), and the
> operations associated to each one of them?
The authors of the SELinux by Example book maintain a list on their site (and include a listing in an appendix of that book), over at:
http://www.tresys.com/selinux/obj_perms_help

Naturally, all such documentation will always be behind the latest changes - the only "authoritative" list is contained in the policy/flask files in the policy source tree, which provide the definitions to the policy and are also used to generate the headers used by the kernel and libselinux.

-- 
Stephen Smalley
National Security Agency

From giuffsalvo at hotmail.it Thu Sep 21 13:07:47 2006
From: giuffsalvo at hotmail.it (Salvo Giuffrida)
Date: Thu, 21 Sep 2006 15:07:47 +0200
Subject: A few questions
Message-ID: 

Good morning, I have some questions regarding aspects of SELinux I don't understand:
- The format of the file default_context in /etc/selinux/strict/contexts: why are there some lines for cron? From what I know, this file is intended to assign a default initial context to logged-in users. So, why there's also cron? Because it starts processes (jobs)?
- What about the "identity" part of the security context? How is filled?
- What makes the access control of SELinux "mandatory"? The fact that normal users can't change the security policy?
- From what I understood, the root user in SELinux is partitioned into a lot of domains, so, even if I program which runs as "sysadm_r:some_domain_t" is compromised, the damage is limited to the domain, right? But, can't the attacker transition to another domain using newrole, and do other damages, and continue on?
- Why in the Fedora there isn't the "staff_r" role?

Thanks a lot for the answers

From cpebenito at tresys.com Thu Sep 21 14:15:06 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Thu, 21 Sep 2006 10:15:06 -0400
Subject: A few questions
In-Reply-To: 
References: 
Message-ID: <1158848106.3920.57.camel@sgc.columbia.tresys.com>

On Thu, 2006-09-21 at 15:07 +0200, Salvo Giuffrida wrote:
> Good morning, I have some questions regarding aspects of SELinux I don't
> understand:
> - The format of the file default_context in /etc/selinux/strict/contexts:
> why are there some lines for cron? From what I know, this file is intended
> to assign a default initial context to logged-in users. So, why there's also
> cron? Because it starts processes (jobs)?

I assume you're referring to /etc/selinux/strict/contexts/default_contexts. There are cron entries so cron knows what are possible role:domain options for running cron jobs. It will pick the first one that can be used for the Linux user's job.

> - What about the "identity" part of the security context? How is filled?

There is a mapping of Linux users to SELinux identities (see `semanage login -l`). Login programs (/bin/login, sshd, gdm, etc.) use this mapping to determine what identity to set.

> - What makes the access control of SELinux "mandatory"? The fact that normal
> users can't change the security policy?

Yes. Policy only is set by the admin.

> - From what I understood, the root user in SELinux is partitioned into a lot
> of domains, so, even if I program which runs as "sysadm_r:some_domain_t" is
> compromised, the damage is limited to the domain, right? But, can't the
> attacker transition to another domain using newrole, and do other damages,
> and continue on?

It is partitioned so that the privileges are separated from the admin user domain (sysadm_t). So, for example, the network admin permissions are limited to domains such as ifconfig_t and iptables_t. Also if these programs were compromised, what it can do is limited, as you mention above. However, these domains can't just transition to any domain; the transition would have to be allowed by policy.
Some_domain_t would need to be allowed to transition to newrole_t to run newrole. Only the user domains are allowed to transition to newrole_t.

> - Why in the Fedora there isn't the "staff_r" role?

There is staff_r in the strict policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From sds at tycho.nsa.gov Thu Sep 21 14:41:46 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 21 Sep 2006 10:41:46 -0400
Subject: How to apply new policy exactly?
In-Reply-To: <8EE726B05F4D0D42AE5F0E2BC03CCF53186EF2@TPE-EVS02.ivi.net>
References: <8EE726B05F4D0D42AE5F0E2BC03CCF53186EF2@TPE-EVS02.ivi.net>
Message-ID: <1158849706.7748.58.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-09-21 at 10:26 +0800, Benjamin Tsai wrote:
> sorry I didn't make myself clear ... enough.
> Me thought if I want to build and load my own policy successfully, I
> should "feel" and confirm that the build path works on my box in
> advance.
> I shall have a valid .te file, and with that, I can compile/load it
> without errors and see it working correctly. That's why I start with
> audit2allow, it's merely a test for me. =)

That's fine, but I'm still not clear - do you want strict policy or not? If your goal was just to write policy for your own daemon, you can do that while staying with targeted policy, and just write a policy module for your daemon.

> As for the warning, yes I did see my module installed through semodule
> -l. However, why is the warning? It's fc5 in my box, instead of debian,
> surely I don't have dpkg installed. Besides, I checked with semodule and
> didn't see dpkg. It's so weird to see a warning of something I don't
> have.

semodule -l doesn't list dpkg? Then I'm confused. I agree it shouldn't be included in the Fedora policy; that was likely just an oversight.
-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Thu Sep 21 14:53:53 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 21 Sep 2006 10:53:53 -0400
Subject: A few questions
In-Reply-To: <1158848106.3920.57.camel@sgc.columbia.tresys.com>
References: <1158848106.3920.57.camel@sgc.columbia.tresys.com>
Message-ID: <1158850433.7748.69.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-09-21 at 10:15 -0400, Christopher J. PeBenito wrote:
> On Thu, 2006-09-21 at 15:07 +0200, Salvo Giuffrida wrote:
> > - What makes the access control of SELinux "mandatory"? The fact that normal
> > users can't change the security policy?
>
> Yes. Policy only is set by the admin.

Mandatory access control implies a bit more than just admin-only policy (otherwise AppArmor would qualify, as would many other things). In particular, we identify three properties for MAC:
- complete mediation (control over all processes and objects),
- complete and accurate basis for security decisions (decisions based on all security relevant information, and accurately reflecting the security properties of the process and object),
- administrator-defined policy.

-- 
Stephen Smalley
National Security Agency

From giuffsalvo at hotmail.it Thu Sep 21 15:01:10 2006
From: giuffsalvo at hotmail.it (Salvo Giuffrida)
Date: Thu, 21 Sep 2006 17:01:10 +0200
Subject: A few questions
In-Reply-To: <1158850433.7748.69.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: 

>From: Stephen Smalley
>To: "Christopher J. PeBenito"
>CC: Salvo Giuffrida , fedora-selinux-list at redhat.com
>Subject: Re: A few questions
>Date: Thu, 21 Sep 2006 10:53:53 -0400
>
>On Thu, 2006-09-21 at 10:15 -0400, Christopher J. PeBenito wrote:
> > On Thu, 2006-09-21 at 15:07 +0200, Salvo Giuffrida wrote:
> > > - What makes the access control of SELinux "mandatory"? The fact that normal
> > > users can't change the security policy?
> >
> > Yes. Policy only is set by the admin.
>
>Mandatory access control implies a bit more than just admin-only policy
>(otherwise AppArmor would qualify, as would many other things). In
>particular, we identify three properties for MAC:
>- complete mediation (control over all processes and objects),

Isn't there complete control also on standard Linux with DAC? What are things not controlled? Virtual filesystems?

>- complete and accurate basis for security decisions (decisions based on
>all security relevant information, and accurately reflecting the
>security properties of the process and object),

Security relevant information, such as? Level of confidentiality, role, and...?

Do you know a repository for Fedora where I can find the source rpms for the targeted and/or the strict policy?

Thanks

>- administrator-defined policy.
>
>--
>Stephen Smalley
>National Security Agency
>

From paul at city-fan.org Thu Sep 21 15:16:16 2006
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 21 Sep 2006 16:16:16 +0100
Subject: A few questions
In-Reply-To: 
References: 
Message-ID: <4512ACC0.8000403@city-fan.org>

Salvo Giuffrida wrote:
> Do you know a repository for Fedora where I can find the source rpms for
> the targeted and/or the strict policy?

The source RPM is the same for all policies.

# yum install yum-utils
$ yumdownloader --source \
    --enablerepo=core-source \
    --enablerepo=updates-source \
    selinux-policy

Paul.
From klaus at atsec.com Thu Sep 21 15:26:43 2006
From: klaus at atsec.com (Klaus Weidner)
Date: Thu, 21 Sep 2006 10:26:43 -0500
Subject: A few questions
In-Reply-To: 
References: <1158850433.7748.69.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20060921152642.GA15103@w-m-p.com>

On Thu, Sep 21, 2006 at 05:01:10PM +0200, Salvo Giuffrida wrote:
> >From: Stephen Smalley
> >Mandatory access control implies a bit more than just admin-only policy
> >(otherwise AppArmor would qualify, as would many other things). In
> >particular, we identify three properties for MAC:
> >- complete mediation (control over all processes and objects),
> Isn't there complete control also on standard Linux with DAC? What are
> things not controlled? Virtual filesystems?

The "Discretionary" in DAC means that a user has the right to give anyone read or write access to his files. MAC doesn't permit that, certain accesses are forbidden by the admin controlled policy no matter what the user wants. This way, MAC offers protections against trojan horses and other malicious code that's running with a user's privileges.

You may want to read the book "Building a Secure Computer System" by Morrie Gasser, which is a bit old but has an excellent introduction to this:
http://nucia.ist.unomaha.edu/library/gasserbook.pdf

> >- complete and accurate basis for security decisions (decisions based on
> >all security relevant information, and accurately reflecting the
> >security properties of the process and object),
> Security relevant information, such as? Level of confidentiality, role,
> and...?

Type (SELinux uses Type Enforcement (TE) in addition to MLS and to support RBAC)

The "accurate" part is a dig at AppArmor which is path based, as opposed to the file labels which are directly associated with objects. Each has advantages and disadvantages, check the LKML "LSM" flamewar for additional background information.
-Klaus

From giuffsalvo at hotmail.it Thu Sep 21 15:27:02 2006
From: giuffsalvo at hotmail.it (Salvo Giuffrida)
Date: Thu, 21 Sep 2006 17:27:02 +0200
Subject: A few questions
In-Reply-To: <1158848106.3920.57.camel@sgc.columbia.tresys.com>
Message-ID: 

>From: "Christopher J. PeBenito"
>To: Salvo Giuffrida
>CC: fedora-selinux-list at redhat.com
>Subject: Re: A few questions
>Date: Thu, 21 Sep 2006 10:15:06 -0400
>
> > - Why in the Fedora there isn't the "staff_r" role?
>
>There is staff_r in the strict policy.

And why there isn't it in the targeted policy? I knew that only staff_r users are allowed to enter sysadm_r, but in the targeted it seems that the system_r is used as the "jump on" role for sysadm_r...

From sds at tycho.nsa.gov Thu Sep 21 15:32:10 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 21 Sep 2006 11:32:10 -0400
Subject: A few questions
In-Reply-To: 
References: 
Message-ID: <1158852730.7748.106.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-09-21 at 17:01 +0200, Salvo Giuffrida wrote:
> Isn't there complete control also on standard Linux with DAC?

No, there are entire object classes left uncontrolled by DAC (e.g. sockets), and there are quite a few operations that are not constrained by DAC.

> Security relevant information, such as? Level of confidentiality, role,
> and...?

Yes, the role and clearance of the user, the function and trustworthiness of the program (and potentially the call chain leading to it), the sensitivity and integrity of the process and the data, etc. This is all fairly well covered in the background and papers on the nsa.gov/selinux site,
http://www.nsa.gov/selinux/info/
http://www.nsa.gov/selinux/info/docs.cfm
Not up to date, but useful in understanding.
-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Thu Sep 21 15:32:34 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 21 Sep 2006 11:32:34 -0400
Subject: A few questions
In-Reply-To: 
References: 
Message-ID: <1158852754.7748.108.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-09-21 at 17:27 +0200, Salvo Giuffrida wrote:
> >From: "Christopher J. PeBenito"
> >To: Salvo Giuffrida
> >CC: fedora-selinux-list at redhat.com
> >Subject: Re: A few questions
> >Date: Thu, 21 Sep 2006 10:15:06 -0400
> >
> > > - Why in the Fedora there isn't the "staff_r" role?
> >
> >There is staff_r in the strict policy.
> And why there isn't it in the targeted policy? I knew that only staff_r
> users are allowed to enter sysadm_r, but in the targeted it seems that the
> system_r is used as the "jump on" role for sysadm_r...

Targeted policy by definition doesn't restrict users, only daemons.

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Thu Sep 21 15:37:51 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 21 Sep 2006 11:37:51 -0400
Subject: A few questions
In-Reply-To: <20060921152642.GA15103@w-m-p.com>
References: <1158850433.7748.69.camel@moss-spartans.epoch.ncsc.mil> <20060921152642.GA15103@w-m-p.com>
Message-ID: <1158853071.7748.113.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-09-21 at 10:26 -0500, Klaus Weidner wrote:
> The "accurate" part is a dig at AppArmor which is path based, as opposed
> to the file labels which are directly associated with objects. Each has
> advantages and disadvantages, check the LKML "LSM" flamewar for
> additional background information.

For security, pathname-based mechanism has only disadvantages.

-- 
Stephen Smalley
National Security Agency

From giuffsalvo at hotmail.it Thu Sep 21 15:41:49 2006
From: giuffsalvo at hotmail.it (Salvo Giuffrida)
Date: Thu, 21 Sep 2006 17:41:49 +0200
Subject: A few questions
In-Reply-To: <4512ACC0.8000403@city-fan.org>
Message-ID: 

Thank you for the tip.
I did it, but the system answers me:

yumdownloader --source --enablerepo=core-source --enablerepo=updates-source selinux-policy
Traceback (most recent call last):
  File "/usr/bin/yumdownloader", line 156, in ?
    main()
  File "/usr/bin/yumdownloader", line 71, in main
    my = initYum()
  File "/usr/bin/yumdownloader", line 34, in initYum
    my.doConfigSetup()
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 108, in doConfigSetup
    self.conf = config.readMainConfig(self.startupconf)
AttributeError: 'YumBase' object has no attribute 'startupconf'

>From: Paul Howarth
>To: Salvo Giuffrida
>CC: sds at tycho.nsa.gov, cpebenito at tresys.com, fedora-selinux-list at redhat.com
>Subject: Re: A few questions
>Date: Thu, 21 Sep 2006 16:16:16 +0100
>
>Salvo Giuffrida wrote:
>>Do you know a repository for Fedora where I can find the source rpms for
>>the targeted and/or the strict policy?
>
>The source RPM is the same for all policies.
>
># yum install yum-utils
>$ yumdownloader --source \
>    --enablerepo=core-source \
>    --enablerepo=updates-source \
>    selinux-policy
>
>Paul.

From giuffsalvo at hotmail.it Fri Sep 22 18:35:24 2006
From: giuffsalvo at hotmail.it (Salvo Giuffrida)
Date: Fri, 22 Sep 2006 20:35:24 +0200
Subject: selinux-policy.src
Message-ID: 

I installed the selinux-policy.src.rpm package, and I have the sources of the reference policy in /usr/src/redhat/SOURCES/refpolicy. What is it? A "base" policy on top of which all the other are developed? Where are the sources of the targeted/strict policy?

Thanks a lot for the answers

From dwalsh at redhat.com Fri Sep 22 20:25:11 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 22 Sep 2006 16:25:11 -0400
Subject: selinux-policy.src
In-Reply-To: 
References: 
Message-ID: <451446A7.4040106@redhat.com>

Salvo Giuffrida wrote:
> I installed the selinux-policy.src.rpm package, and I have the sources
> of the reference policy in /usr/src/redhat/SOURCES/refpolicy. What is
> it? A "base" policy on top of which all the other are developed? Where
> are the sources of the targeted/strict policy?
> Thanks a lot for the answers

They are all the same source. You are just building different Variants out of them. If you take a look at the spec file you will see that it takes three passes over the source to build all three different policy packages. The spec file includes a modules file, booleans file and changes the qualifiers to the make file when it builds.

From shin216 at xf7.so-net.ne.jp Sat Sep 23 09:20:27 2006
From: shin216 at xf7.so-net.ne.jp (Shintaro Fujiwara)
Date: Sat, 23 Sep 2006 18:20:27 +0900
Subject: segatex RPM version released
Message-ID: <1159003227.2612.8.camel@mama.intrajp-yokosuka.co.jp>

Hi.
I'm writing a SELinux tool named segatex.
Mainly for beginners using targeted policy.
I released RPM version a few minutes ago.
You can download from
http://sourceforge.net/projects/segatex/
Thanks.

From vikigoyal at gmail.com Sun Sep 24 08:11:48 2006
From: vikigoyal at gmail.com (Vikram Goyal)
Date: Sun, 24 Sep 2006 13:41:48 +0530
Subject: cupsd accessing afick.log clamd.log freshclam.log
Message-ID: <20060924081148.GA2961@fc5host.fc5domain>

Hello,

I am getting these avc denied messages. I am not sure if these should be incorporated in local policy.
type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for pid=14645 comm="cupsd" name="afick.log" dev=sda12 ino=643989 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_log_t:s0 tclass=file

type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for pid=14645 comm="cupsd" name="clamd.log" dev=sda12 ino=643867 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:clamd_var_log_t:s0 tclass=file

type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for pid=14645 comm="cupsd" name="freshclam.log" dev=sda12 ino=643915 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:var_log_t:s0 tclass=file

audit2allow produces -
allow cupsd_t clamd_var_log_t:file { read write };
allow cupsd_t var_log_t:file { read write };

The installed versions are:
cups-1.2.3-1.6
clamav-0.88.4-21.fc5.at
afick-2.2-2.2.fc5.rf

Thanks!
-- vikram... |||||||| |||||||| ^^'''''^^||root||^^^'''''''^^ // \\ )) //(( \\// \\ // /\\ || \\ || / )) (( \\ -- If in any problem you find yourself doing an immense amount of work, the answer can be obtained by simple inspection. -- ~|~ = Registered Linux User #285795

From twaugh at redhat.com Sun Sep 24 22:33:37 2006 From: twaugh at redhat.com (Tim Waugh) Date: Sun, 24 Sep 2006 23:33:37 +0100 Subject: cupsd accessing afick.log clamd.log freshclam.log In-Reply-To: <20060924081148.GA2961@fc5host.fc5domain> References: <20060924081148.GA2961@fc5host.fc5domain> Message-ID: <1159137217.3813.51.camel@cyberelk.elk>

On Sun, 2006-09-24 at 13:41 +0530, Vikram Goyal wrote:
> I am getting these avc denied messages. I am not sure if these should be
> incorporated in local policy.

cupsd shouldn't be trying to read these at all, let alone write to them. Do you get these avc messages every time you start CUPS?

Tim.

*/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From dwalsh at redhat.com Mon Sep 25 15:02:50 2006 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 25 Sep 2006 11:02:50 -0400 Subject: cupsd accessing afick.log clamd.log freshclam.log In-Reply-To: <20060924081148.GA2961@fc5host.fc5domain> References: <20060924081148.GA2961@fc5host.fc5domain> Message-ID: <4517EF9A.4070002@redhat.com> Vikram Goyal wrote: > Hello, > > I am getting these avc denied messages. I am not sure if these should be > incorporated in local policy. > > type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for > pid=14645 comm="cupsd" name="afick.log" dev=sda12 ino=643989 > scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 > tcontext=system_u:object_r:var_log_t:s0 tclass=file > > type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for > pid=14645 comm="cupsd" name="clamd.log" dev=sda12 ino=643867 > scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 > tcontext=root:object_r:clamd_var_log_t:s0 tclass=file > > type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for > pid=14645 comm="cupsd" name="freshclam.log" dev=sda12 ino=643915 > scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 > tcontext=root:object_r:var_log_t:s0 tclass=file > > > audit2allow produces - > allow cupsd_t clamd_var_log_t:file { read write }; > allow cupsd_t var_log_t:file { read write }; > > These look like leaked file descriptor. Most likely logrotate. Since logrotate probably opens these files for r/w and it restarts cups. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205072 > The installed versions are: > cups-1.2.3-1.6 > clamav-0.88.4-21.fc5.at > afick-2.2-2.2.fc5.rf > > Thanks! 
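The cupsd denials above and the two allow rules audit2allow derived from them are the input and output of the following added Python example. It is not code from this thread, from Fedora, or from the audit2allow tool, but it reproduces the shape of what `audit2allow -M local` writes: a `module` header, a `require` block declaring every type and class the rules reference as an external dependency, and the `allow` rules grouped per source domain. It accepts both the auditd `type=AVC ...` records and the bare kernel `audit(...): avc: denied` form that lands in /var/log/messages when auditd is not running. The three cupsd records are copied from Vikram's post; the rpc.mountd line is constructed for the example. As Dan Walsh's reply says, a matching allow rule is the mechanical answer and not necessarily the right one: a descriptor leaked across a restart is a bug in the restart path, and permitting cupsd_t to write var_log_t would hide it, so the generated module is a starting point for review, not something to load as-is.

```python
"""Turn SELinux AVC denial records into a loadable policy module source.

Added example for the cupsd denials in this thread; not code from the thread
or from audit2allow itself. It reproduces the shape of what
`audit2allow -M local` generates: module header, require block, allow rules.
"""
import re
from collections import defaultdict

# Sample input: the three cupsd records from Vikram Goyal's post, plus one
# constructed line in the kernel printk format that ends up in
# /var/log/messages when auditd is not running (note the double spaces).
SAMPLE_AVCS = """\
type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for pid=14645 comm="cupsd" name="afick.log" dev=sda12 ino=643989 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for pid=14645 comm="cupsd" name="clamd.log" dev=sda12 ino=643867 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:clamd_var_log_t:s0 tclass=file
type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for pid=14645 comm="cupsd" name="freshclam.log" dev=sda12 ino=643915 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:var_log_t:s0 tclass=file
Nov  1 10:50:57 localhost kernel: audit(1162374657.604:110): avc:  denied  { getattr }  for  pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:range] -> the type field (third colon-separated part)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one denial record,
    or None for lines that are not AVC denials (SYSCALL, AVC_PATH, noise)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return (context_type(fields["scontext"]),
                context_type(fields["tcontext"]),
                fields["tclass"],
                set(m.group("perms").split()))
    except (KeyError, IndexError):
        return None


def collect_rules(text):
    """Merge every denial into {(source, target, class): set(perms)}, the same
    folding audit2allow does before printing one allow rule per triple."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def format_perms(perms):
    """'write' for a single permission, '{ read write }' for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def allow_rules(rules):
    """Render sorted allow rules, e.g. 'allow cupsd_t var_log_t:file { read write };'."""
    return ["allow %s %s:%s %s;" % (s, t, c, format_perms(p))
            for (s, t, c), p in sorted(rules.items())]


def module_source(rules, name="local", version="1.0"):
    """Full module source. The require block declares every type and class the
    rules use as an external dependency; without it the module compiler does
    not know that e.g. 'dir' and its 'write' permission come from the base
    policy and fails with "permission write is not defined for class dir"."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, format_perms(p)) for c, p in sorted(classes.items())]
    out += ["}", ""]
    by_source = defaultdict(list)
    for rule in allow_rules(rules):
        by_source[rule.split()[1]].append(rule)
    for stype, lines in sorted(by_source.items()):
        out.append("#============= %s ==============" % stype)
        out.extend(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Review the output before compiling and loading it: a rule can paper
    # over a bug (a descriptor leaked across a daemon restart, for example)
    # that should be fixed instead of allowed.
    print(module_source(collect_rules(SAMPLE_AVCS)))
```

To use it on a live system, replace SAMPLE_AVCS with the output of `ausearch -m avc` (or the lines grepped from /var/log/messages), write the result to local.te, compile it with `checkmodule -M -m` and `semodule_package`, and load the .pp with `semodule -i` once you have decided that every rule in it is one you actually want.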
From giuffsalvo at hotmail.it Mon Sep 25 17:24:13 2006 From: giuffsalvo at hotmail.it (Salvo Giuffrida) Date: Mon, 25 Sep 2006 19:24:13 +0200 Subject: MLS and Biba Message-ID:

Good morning, is it possible to configure the MLS policy, using mlsconstraint, to enforce a Biba integrity model of security (no read down, no write up), instead of the Bell-LaPadula (no read up, no write down)? I'm reading the book "SELinux by example", and there it is written that the MLS facility in the Security Server is not very flexible, and only allows enforcing the rules "no read up, no write down". But, if I'm the one configuring the policy in the file "mls", shouldn't I be able to change the rules to the opposite?
Thanks a lot...

_________________________________________________________________
Block pop-up ads with MSN Toolbar! http://toolbar.msn.it/

From vikigoyal at gmail.com Tue Sep 26 13:12:44 2006 From: vikigoyal at gmail.com (Vikram Goyal) Date: Tue, 26 Sep 2006 18:42:44 +0530 Subject: cupsd accessing afick.log clamd.log freshclam.log In-Reply-To: <4517EF9A.4070002@redhat.com> References: <4517EF9A.4070002@redhat.com> Message-ID: <20060926131244.GB3062@fc5host.fc5domain>

On Mon, Sep 25, 2006 at 11:02:50AM -0400, Daniel J Walsh wrote:
>
>
> These look like leaked file descriptor. Most likely logrotate. Since
> logrotate probably opens these files for r/w and it restarts cups.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205072
> >The installed versions are:
> >cups-1.2.3-1.6
> >clamav-0.88.4-21.fc5.at
> >afick-2.2-2.2.fc5.rf
> >
> >Thanks!
>

Yes, these avc's do not show at startup but afterwards, most probably after cron.daily has gone through its routine, but I'm not sure.

By the way I forgot to post the selinux packs installed. They are:
selinux-policy-targeted-2.3.7-2.fc5
selinux-policy-2.3.7-2.fc5

Thanks!
-- vikram...
|||||||| |||||||| ^^'''''^^||root||^^^'''''''^^ // \\ )) //(( \\// \\ // /\\ || \\ || / )) (( \\ -- A university faculty is 500 egotists with a common parking problem. -- _ ~|~ = Registered Linux User #285795

From selinux at gmail.com Wed Sep 27 13:53:22 2006 From: selinux at gmail.com (Tom London) Date: Wed, 27 Sep 2006 06:53:22 -0700 Subject: allow_domains_use_tty message in today's update Message-ID: <4c4ba1530609270653i12c309d9hdfffc69dc575d360@mail.gmail.com>

Running latest Rawhide, targeted/enforcing.

Get the following message during today's update:

libsepol.sepol_genbools_array: boolean allow_domains_use_tty no longer in policy

tom
-- Tom London

From soxos at gmx.de Wed Sep 27 15:24:19 2006 From: soxos at gmx.de (Andreas Sachs) Date: Wed, 27 Sep 2006 17:24:19 +0200 Subject: How to get unionfs work with SELinux on Fedora 5? Message-ID: <004901c6e249$00e22b30$0b01a8c0@mediacenterpc>

Hello

I'm running Fedora Core 5 Server with unionfs file system to merge some directories and export them through nfs. SELinux is in enforcing mode and the targeted-policy is selected. Unionfs is built with extended attributes support (EXTRACFLAGS=-DUNIONFS_XATTR).

When I try to mount the union from a client I get a permission denied error from the server.
The following is in my /var/log/messages on the server:

Nov 1 10:32:43 localhost kernel: SELinux: initialized (dev unionfs, type unionfs), not configured for labeling
Nov 1 10:32:43 localhost kernel: audit(1162373563.375:109): avc: denied { getattr } for pid=2021 comm="hald" name="/" dev=unionfs ino=744 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Nov 1 10:50:57 localhost kernel: audit(1162374657.604:110): avc: denied { getattr } for pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Nov 1 10:50:57 localhost mountd[1810]: authenticated mount request from 192.168.1.13:1011 for /test (/test)
Nov 1 10:50:57 localhost kernel: audit(1162374657.632:111): avc: denied { getattr } for pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Nov 1 10:50:57 localhost mountd[1810]: can't stat exported dir /test: Permission denied

For Red Hat Enterprise Linux there is a workaround:

1. Install strict/targeted selinux policy sources
2. Open /etc/selinux//src/policy/fs_use
3. Append "fs_use_xattr unionfs system_u:object_r:fs_t;"
4. Compile, install, and reload the selinux policy

How can I adapt the workaround to work on Fedora 5, because there are no policy sources available? How can I define "fs_use_xattr unionfs system_u:object_r:fs_t;" on Fedora Core 5?

Thanks!
Andreas Sachs
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ruedarod at cse.psu.edu Wed Sep 27 15:33:18 2006 From: ruedarod at cse.psu.edu (Sandra Julieta Rueda Rodriguez) Date: Wed, 27 Sep 2006 11:33:18 -0400 (EDT) Subject: question about semodule Message-ID: <49576.130.203.65.72.1159371198.squirrel@130.203.65.72>

Hello,

I was playing with semodule (trying to understand how it works) so I added a module.
Later I also played with refpolicy and monolithic building (again trying to understand how it works).

Now I want to delete the module I loaded before and this is the message I am getting from the system:

# semodule -v -r KnockServer
Attempting to remove module 'KnockServer':
Ok: return value of 0.
Committing changes:
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!

semodule -l works fine (apparently) and one of the items in the list is KnockServer and its version.
Is there any way to know why semodule -r is failing? What argument is invalid?

I have other questions about modules: what is the relationship between the modules and the binary policy file installed at /etc/selinux/(strict|targeted)/policy? Does this file include just base modules? If so, where are the files for non-base modules stored? Is it another binary file?

Thanks in advance,
Sandra

From sds at tycho.nsa.gov Wed Sep 27 15:45:42 2006 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 27 Sep 2006 11:45:42 -0400 Subject: How to get unionfs work with SELinux on Fedora 5? In-Reply-To: <004901c6e249$00e22b30$0b01a8c0@mediacenterpc> References: <004901c6e249$00e22b30$0b01a8c0@mediacenterpc> Message-ID: <1159371942.32075.73.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-09-27 at 17:24 +0200, Andreas Sachs wrote:
> Hello
>
> I'm running Fedora Core 5 Server with unionfs file system to merge
> some directories and export them through nfs. SELinux is in enforcing
> mode and the targeted-policy is selected. Unionfs is built with
> extended attributes support (EXTRACFLAGS=-DUNIONFS_XATTR).
>
> When I try to mount the union from a client I get a permission denied
> error from server.
>
> The following is in my /var/log/messages on the server:
>
> Nov 1 10:32:43 localhost kernel: SELinux: initialized (dev unionfs,
> type unionfs), not configured for labeling
> Nov 1 10:32:43 localhost kernel: audit(1162373563.375:109): avc:
> denied { getattr } for pid=2021 comm="hald" name="/" dev=unionfs
> ino=744 scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
> Nov 1 10:50:57 localhost kernel: audit(1162374657.604:110): avc:
> denied { getattr } for pid=1810 comm="rpc.mountd" name="/"
> dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
> Nov 1 10:50:57 localhost mountd[1810]: authenticated mount request
> from 192.168.1.13:1011 for /test (/test)
> Nov 1 10:50:57 localhost kernel: audit(1162374657.632:111): avc:
> denied { getattr } for pid=1810 comm="rpc.mountd" name="/"
> dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
> Nov 1 10:50:57 localhost mountd[1810]: can't stat exported dir /test:
> Permission denied
>
> For Red Hat Enterprise Linux there is a workaround:
> 1. Install strict/targeted selinux policy sources
> 2. Open /etc/selinux//src/policy/fs_use
> 3. Append "fs_use_xattr unionfs system_u:object_r:fs_t;"
> 4. Compile, install, and reload the selinux policy
>
> How can I adapt the workaround to work on Fedora 5, because there are
> no policy sources available?

Policy sources are still available, but only in the .src.rpm file.

> How can I define "fs_use_xattr unionfs system_u:object_r:fs_t;" on
> Fedora Core 5?

You can build a modified policy that includes that statement, either from the .src.rpm or from the upstream policy. You could also use a context= mount to cause SELinux to treat the unionfs mount as having a particular context rather than calling getxattr on the underlying filesystem.
-- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Wed Sep 27 15:58:54 2006 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 27 Sep 2006 11:58:54 -0400 Subject: question about semodule In-Reply-To: <49576.130.203.65.72.1159371198.squirrel@130.203.65.72> References: <49576.130.203.65.72.1159371198.squirrel@130.203.65.72> Message-ID: <1159372734.2260.1.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2006-09-27 at 11:33 -0400, Sandra Julieta Rueda Rodriguez wrote: > Hello, > > I was playing with semodule (trying to understand how it works) so I added > a module. Later I also played with refpolicy and monolithic building > (again trying to understand how it works). > > Now I want to delete the module I loaded before and this is the message I > am getting from the system: > > # semodule -v -r KnockServer > Attempting to remove module 'KnockServer': > Ok: return value of 0. > Committing changes: > /usr/sbin/load_policy: Can't load policy: Invalid argument > libsemanage.semanage_reload_policy: load_policy returned error code 2. > /usr/sbin/load_policy: Can't load policy: Invalid argument > libsemanage.semanage_reload_policy: load_policy returned error code 2. > semodule: Failed! > > semodule -l works fine (apparently) and one of the items in the list is > KnockServer and its version. > Is there any way to know why semodule -r is failing? What argument is > invalid? This typically means that the kernel rejected the policy, look for messages in /var/log/messages. This can happen e.g. if you load a policy that defines newer classes and permissions and later try to load a policy that lacks those definitions, which would happen if you tried loading a newer upstream policy and are now trying to revert to a stock FC5 policy. 
The kernel has an overly conservative check at present that no class or permission definitions can go away after initial policy load; the actual requirement is just that no class or permission definition on which the kernel relies should go away.

To recover, do something like:

# Remove the module, rebuild policy, but don't try to load it yet.
semodule -n -r KnockServer

Then reboot with the updated policy.

> I have other questions about modules: what is the relationship between the
> modules and the binary policy file installed at
> /etc/selinux/(strict|targeted)/policy? Does this file include just base
> modules? If so, where are the files for non-base modules stored? Is it
> another binary file?

The kernel binary policy file is generated from all of the kernel policy-related data in the policy module store, including all modules (base and non-base), local boolean settings, and network object contexts. This is done by libsemanage, which is used by semodule, semanage, and setsebool to apply changes to the policy.

-- Stephen Smalley National Security Agency

From klaus at atsec.com Wed Sep 27 16:09:37 2006 From: klaus at atsec.com (Klaus Weidner) Date: Wed, 27 Sep 2006 11:09:37 -0500 Subject: MLS and Biba In-Reply-To: References: Message-ID: <20060927160937.GA10207@w-m-p.com>

On Mon, Sep 25, 2006 at 07:24:13PM +0200, Salvo Giuffrida wrote:
> Good morning, is it possible to configure the MLS policy, using
> mlsconstraint, to enforce a Biba integrity model of security (no read down,
> no write up), instead of the Bell-LaPadula (no read up, no write down)? I'm
> reading the book "SELinux by example", and there it is written that the
> MLS facility in the Security Server is not very flexible, and only allows
> enforcing the rules "no read up, no write down". But, if I'm the one
> configuring the policy in the file "mls", shouldn't I be able to change the
> rules to the opposite?
Sure, for example the MCS policy implements "no read up, no write up", have a look at the policy/mcs file in the serefpolicy distribution. If you need more help please try the SELinux mailing list.

I think an interesting extension would be to split up the category bits into MLS, MCS, and MIC (integrity) sets, so that you could use all the models within a single policy. Something like the following maybe (this doesn't work currently)?

mlsconstrain file write (((l1 & mls_cats) dom (l2 & mls_cats)) and
                         ((h1 & mcs_cats) dom (h2 & mcs_cats)) and
                         ((l1 & mic_cats) domby (l2 & mic_cats)));
mlsconstrain file read (((l1 & mls_cats) eq (l2 & mls_cats)) and
                        ((h1 & mcs_cats) dom (h2 & mcs_cats)) and
                        ((l1 & mic_cats) dom (l2 & mic_cats)));

-Klaus

From rirving at antient.org Wed Sep 27 17:32:30 2006 From: rirving at antient.org (Richard Irving) Date: Wed, 27 Sep 2006 13:32:30 -0400 Subject: Two issues Message-ID: <451AB5AE.4090307@antient.org>

Hi,
I am having two issues with FC5 (x86_64) and selinux....

First, it appears the system is having a problem logging AVC's:

===================================================================
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=4) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC avc: 2 AV entries and 2/512 buckets used, longest chain length 1 : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=4) : exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC avc: 0 AV entries and 0/512 buckets used, longest chain length 0 : exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)
================================================================ And second, I was working on a hand edited local.te, as selinux is preventing vsftpd from creating files in users home directories... When running the policy compiler, I get..... ======================================================================== (unknown source)::ERROR 'permission write is not defined for class dir' at token ';' on line 22: allow ftpd_t user_home_dir_t:dir { getattr read search write }; allow ftpd_t user_home_t:dir { getattr read search write }; =============================================================== And it appears "write" is no longer a valid attribute for directories ? What is its replacement ? The AVC is calling it a "write" problem... and audit2allow says the correcting line should be: allow ftpd_t user_home_dir_t:dir write; Am I missing something ? TIA! From sds at tycho.nsa.gov Wed Sep 27 17:51:15 2006 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 27 Sep 2006 13:51:15 -0400 Subject: Two issues In-Reply-To: <451AB5AE.4090307@antient.org> References: <451AB5AE.4090307@antient.org> Message-ID: <1159379475.2260.39.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2006-09-27 at 13:32 -0400, Richard Irving wrote: > Hi, > I am having two issues with FC5 (x86_64) and selinux.... > > First, it appears the system is having a problem logging AVC's: > > =================================================================== > Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC > avc: received policyload notice (seqno=4) : exe="?" (sauid=81, > hostname=?, addr=?, terminal=?) > Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC > avc: 2 AV entries and 2/512 buckets used, longest chain length 1 : > exe="?" (sauid=81, hostname=?, addr=?, terminal=?) > Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC > avc: received policyload notice (seqno=4) : exe="/bin/dbus-daemon" > (sauid=500, hostname=?, addr=?, terminal=?) 
> Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC > avc: 0 AV entries and 0/512 buckets used, longest chain length 0 : > exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?) Not certain about this one, although I recall issues with the session dbus (which runs with the user's identity, not as root) not being able to generate audit messages in the past. Steve? > ================================================================ > > And second, I was working on a hand edited local.te, as selinux is > preventing vsftpd from creating files in users home directories... > When running the policy compiler, I get..... > > ======================================================================== > (unknown source)::ERROR 'permission write is not defined for class dir' > at token ';' on line 22: > allow ftpd_t user_home_dir_t:dir { getattr read search write }; > allow ftpd_t user_home_t:dir { getattr read search write }; > =============================================================== > > And it appears "write" is no longer a valid attribute for directories > ? What is its replacement ? The AVC is calling it a "write" problem... > and audit2allow says the correcting line should be: > > allow ftpd_t user_home_dir_t:dir write; > > Am I missing something ? > > TIA! How was that local.te file generated? In any event, assuming you are trying to build it as a module, it needs to declare any required permissions in its require block, which can either be done explicitly or by using the policy_module() macro. Otherwise, the compiler doesn't know that it is an external dependency. 
-- Stephen Smalley National Security Agency From linux_4ever at yahoo.com Wed Sep 27 20:31:17 2006 From: linux_4ever at yahoo.com (Steve G) Date: Wed, 27 Sep 2006 13:31:17 -0700 (PDT) Subject: Two issues In-Reply-To: <1159379475.2260.39.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <20060927203117.43332.qmail@web51503.mail.yahoo.com> >Not certain about this one, although I recall issues with the session >dbus (which runs with the user's identity, not as root) not being able >to generate audit messages in the past. Steve? Yes, true. This was fixed in rawhide/fc6. Not sure if it'll be backported. In theory, it could be. -Steve __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From selinux at gmail.com Wed Sep 27 20:53:30 2006 From: selinux at gmail.com (Tom London) Date: Wed, 27 Sep 2006 13:53:30 -0700 Subject: AVCs on eject from DVD creator Message-ID: <4c4ba1530609271353y7f95682g17ea7b1c9d3a7bf3@mail.gmail.com> Running latest Rawhide, targeted/permissive. 
Got this after burning a DVD with gnome-DVD-Creator (e.g., Places->DVD Creator), and pressing the "Eject" button (running in Permissive mode):

type=AVC msg=audit(1159390121.634:37): avc: denied { setexec } for pid=4152 comm="userhelper" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process
type=SYSCALL msg=audit(1159390121.634:37): arch=40000003 syscall=4 success=yes exit=34 a0=4 a1=84329d8 a2=22 a3=48de06a9 items=0 ppid=4151 pid=4152 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="userhelper" exe="/usr/sbin/userhelper" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1159390121.634:38): avc: denied { transition } for pid=4152 comm="userhelper" name="eject" dev=dm-0 ino=5481735 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1159390121.634:38): avc: denied { siginh } for pid=4152 comm="eject" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1159390121.634:38): avc: denied { rlimitinh } for pid=4152 comm="eject" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1159390121.634:38): avc: denied { noatsecure } for pid=4152 comm="eject" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1159390121.634:38): arch=40000003 syscall=11 success=yes exit=0 a0=84320e0 a1=bfef3550 a2=8432930 a3=2 items=0 ppid=4151 pid=4152 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="eject" exe="/usr/sbin/eject" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC_PATH msg=audit(1159390121.634:38): path="/usr/sbin/eject"

tom
-- Tom London

From rirving at antient.org Wed Sep 27 22:33:18 2006 From: rirving at antient.org (Richard Irving) Date: Wed, 27 Sep 2006 18:33:18 -0400 Subject: Two issues
In-Reply-To: <20060927203117.43332.qmail@web51503.mail.yahoo.com> References: <20060927203117.43332.qmail@web51503.mail.yahoo.com> Message-ID: <451AFC2E.1050109@antient.org> Well, this is a near virgin install of FC5..... (Actually, it *is* virgin) It is a bit cumbersome to hand audit, and create policy without audit2allow to predigest it... Worse, without the AVC's making it to actual logging, it is a silent death, in terms of knowing *what* has failed, and why... Any known work around ? Carnac, I am not.... TIA! Steve G wrote: >> Not certain about this one, although I recall issues with the session >> dbus (which runs with the user's identity, not as root) not being able >> to generate audit messages in the past. Steve? > > Yes, true. This was fixed in rawhide/fc6. Not sure if it'll be backported. In > theory, it could be. > > -Steve > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com From rirving at antient.org Wed Sep 27 23:11:22 2006 From: rirving at antient.org (Richard Irving) Date: Wed, 27 Sep 2006 19:11:22 -0400 Subject: Two issues In-Reply-To: <1159379475.2260.39.camel@moss-spartans.epoch.ncsc.mil> References: <451AB5AE.4090307@antient.org> <1159379475.2260.39.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <451B051A.4060203@antient.org> >> allow ftpd_t user_home_dir_t:dir write; >> >> Am I missing something ? >> >> TIA! > > How was that local.te file generated? In any event, assuming you are > trying to build it as a module, it needs to declare any required > permissions in its require block, which can either be done explicitly or > by using the policy_module() macro. Otherwise, the compiler doesn't > know that it is an external dependency. That was what I needed ! As you can tell, I am a "newby" to this modular version. A fixfiles ran to help the DBUS issue, "fixed" me all right, the vsftpd daemon is (*was*) kaput. 
(It worked fine *before* the fixfiles) I have created a working policy to resurrect the service. Being as I had not changed anything, besides running "yum update" on a virgin install, I suspect FC5 users are currently one "fixfiles" away from replicating my dilemma.. (I replicated this on another virgin system, as a sanity test.) So, just a FYI, heads up, and a Thank You! PPS: Any suggestions on recovering those DBUS messages, would be *greatly* appreciated... it is kind of hard to audit, without an audit trail. Say, the person who did that work didn't previously work for Diebold, did they ? :-P From selinux at gmail.com Wed Sep 27 23:40:25 2006 From: selinux at gmail.com (Tom London) Date: Wed, 27 Sep 2006 16:40:25 -0700 Subject: cupsd_t/hplip_etc_t AVCs configuring w/ browser interface Message-ID: <4c4ba1530609271640g437a4c09teec0c3f5727bc6ae@mail.gmail.com> Running Rawhide, targeted/enforcing: Get the following when attempting to 'add/modify' cups classes using the browser interface (http://localhost:631). 
I'm guessing it's trying to access /etc/hp:

[tbl at localhost hp]$ ls -lZ /etc/hp
-rw-r--r-- root root system_u:object_r:hplip_etc_t hplip.conf
[tbl at localhost hp]$

type=AVC msg=audit(1159399431.862:77): avc: denied { search } for pid=4914 comm="hp" name="hp" dev=dm-0 ino=11108479 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1159399431.862:77): arch=40000003 syscall=5 success=no exit=-13 a0=804c305 a1=0 a2=1b6 a3=9518008 items=0 ppid=4913 pid=4914 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) comm="hp" exe="/usr/lib/cups/backend/hp" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Putting it in permissive mode and browsing to the 'Administration' page produces:

type=AVC msg=audit(1159400309.010:111): avc: denied { search } for pid=5019 comm="hp" name="hp" dev=dm-0 ino=11108479 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
type=AVC msg=audit(1159400309.010:111): avc: denied { read } for pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1159400309.010:111): arch=40000003 syscall=5 success=yes exit=4 a0=804c305 a1=0 a2=1b6 a3=806a008 items=0 ppid=5018 pid=5019 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) comm="hp" exe="/usr/lib/cups/backend/hp" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1159400309.014:112): avc: denied { getattr } for pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1159400309.014:112): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bf866cd8 a2=49872ff4 a3=806a008 items=0 ppid=5018 pid=5019 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) comm="hp" exe="/usr/lib/cups/backend/hp" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1159400309.014:112): path="/etc/hp/hplip.conf"
type=AVC msg=audit(1159400310.474:113): avc: denied { search } for pid=5039 comm="python" name="hp" dev=dm-0 ino=11108479 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
type=AVC msg=audit(1159400310.474:113): avc: denied { getattr } for pid=5039 comm="python" name="hplip.conf" dev=dm-0 ino=11108480 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1159400310.474:113): arch=40000003 syscall=195 success=yes exit=0 a0=99b4a98 a1=bfb26f88 a2=49872ff4 a3=99601b0 items=0 ppid=5018 pid=5039 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1159400310.474:113): path="/etc/hp/hplip.conf"
type=AVC msg=audit(1159400310.474:114): avc: denied { read } for pid=5039 comm="python" name="hplip.conf" dev=dm-0 ino=11108480 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1159400310.474:114): arch=40000003 syscall=5 success=yes exit=4 a0=99b4a98 a1=8000 a2=1b6 a3=99d2070 items=0 ppid=5018 pid=5039 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

tom
-- Tom London

From ruedarod at cse.psu.edu Thu Sep 28 01:49:43 2006 From: ruedarod at cse.psu.edu (Sandra Julieta Rueda Rodriguez) Date: Wed, 27 Sep 2006 21:49:43 -0400 (EDT) Subject: creating a new user In-Reply-To: <1159372734.2260.1.camel@moss-spartans.epoch.ncsc.mil> References: <49576.130.203.65.72.1159371198.squirrel@130.203.65.72>
	<1159372734.2260.1.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <50286.130.203.65.72.1159408183.squirrel@130.203.65.72>

Hello,

I just executed the given instructions (semodule -n -r) to fix the problem with semodule and now everything is working ok. Thanks.

Now I have a different problem ....

I am trying to create a new user. I added it to the file local.users in the src directory and also to /etc/selinux/strict/users/local.users. I tried first to modify only the one in src but it did not work, so I also modified the other one.

Since I am working based on refpolicy (I already ran make install-src) and the instructions I have found are for previous versions I am not sure if I need to run make policy, and then install. Just to be sure I tried, make policy worked ok, but make install does not work ... I guess I am doing something wrong ... could anybody help me with that?

This is the output of make install:

Validating strict file_contexts.
/usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.20 file_contexts
libsepol.context_from_record: user rueda is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert rueda:staff_r:staff_t to sid
file_contexts: line 2149 has invalid context
make: *** [/etc/selinux/strict/contexts/files/file_contexts] Error 1

rueda is the user I am trying to create by adding it to the local.users file. I am also trying to use it as part of the context for a file.
Thanks in advance,
Sandra

From dwalsh at redhat.com Thu Sep 28 14:30:57 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 28 Sep 2006 10:30:57 -0400
Subject: allow_domains_use_tty message in today's update
In-Reply-To: <4c4ba1530609270653i12c309d9hdfffc69dc575d360@mail.gmail.com>
References: <4c4ba1530609270653i12c309d9hdfffc69dc575d360@mail.gmail.com>
Message-ID: <451BDCA1.4020101@redhat.com>

Tom London wrote:
> Running latest Rawhide, targeted/enforcing.
>
> Get the following message during today's update:
>
> libsepol.sepol_genbools_array: boolean allow_domains_use_tty no longer
> in policy
Renamed to allow_daemons_use_tty
>
> tom

From dwalsh at redhat.com Thu Sep 28 14:35:22 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 28 Sep 2006 10:35:22 -0400
Subject: creating a new user
In-Reply-To: <50286.130.203.65.72.1159408183.squirrel@130.203.65.72>
References: <49576.130.203.65.72.1159371198.squirrel@130.203.65.72>
	<1159372734.2260.1.camel@moss-spartans.epoch.ncsc.mil>
	<50286.130.203.65.72.1159408183.squirrel@130.203.65.72>
Message-ID: <451BDDAA.4080208@redhat.com>

Sandra Julieta Rueda Rodriguez wrote:
> Hello,
>
> I just executed the given instructions (semodule -n -r) to fix the problem
> with semodule and now everything is working ok. Thanks.
>
> Now I have a different problem ....
>
> I am trying to create a new user. I added it to the file local.users in
> the src directory and also to /etc/selinux/strict/users/local.users. I
> tried first to modify only the one in src but it did not work, so I also
> modified the other one.
>
Why not use semanage user -a to add SELinux users, or semanage login -a if you want to map a UID to a SELinux user?
> Since I am working based on refpolicy (I already ran make install-src) and
> the instructions I have found are for previous versions I am not sure if I
> need to run make policy, and then install. Just to be sure I tried, make
> policy worked ok, but make install does not work ...
> I guess I am doing something wrong ... could anybody help me with that?
>
> This is the output of make install:
> Validating strict file_contexts.
> /usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.20
> file_contexts
> libsepol.context_from_record: user rueda is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert rueda:staff_r:staff_t to sid
> file_contexts: line 2149 has invalid context
> make: *** [/etc/selinux/strict/contexts/files/file_contexts] Error 1
>
> rueda is the user I am trying to create by adding it to the local.users
> file. I am also trying to use it as part of the context for a file.
>
> Thanks in advance,
> Sandra
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From dwalsh at redhat.com Thu Sep 28 14:40:39 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 28 Sep 2006 10:40:39 -0400
Subject: Two issues
In-Reply-To: <451AFC2E.1050109@antient.org>
References: <20060927203117.43332.qmail@web51503.mail.yahoo.com>
	<451AFC2E.1050109@antient.org>
Message-ID: <451BDEE7.6090505@redhat.com>

Richard Irving wrote:
> Well, this is a near virgin install of FC5.....
>
Please yum update to get to the latest SELinux tool chain and policy. Lots of bug fixes have gone in. There is a boolean to allow ftp to access users' home directories, which you could set with:

setsebool -P ftp_home_dir=1

> (Actually, it *is* virgin)
>
> It is a bit cumbersome to hand audit, and create policy without
> audit2allow to predigest it...
>
> Worse, without the AVC's making it to actual logging, it is a silent
> death, in terms of knowing *what* has failed, and why...
The dbus avc message is not that important. It is basically saying userspace dbus can not send audit messages. This fix is to stop trying, in userspace.
Regular avc messages should be going to /var/log/messages or /var/log/audit/audit.log
>
> Any known work around ?
>
> Carnac, I am not....
>
>
> TIA!
>
> Steve G wrote:
>>> Not certain about this one, although I recall issues with the session
>>> dbus (which runs with the user's identity, not as root) not being able
>>> to generate audit messages in the past. Steve?
>>
>> Yes, true. This was fixed in rawhide/fc6. Not sure if it'll be
>> backported. In
>> theory, it could be.
>>
>> -Steve
>

From dwalsh at redhat.com Thu Sep 28 14:56:52 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 28 Sep 2006 10:56:52 -0400
Subject: cupsd_t/hplip_etc_t AVCs configuring w/ browser interface
In-Reply-To: <4c4ba1530609271640g437a4c09teec0c3f5727bc6ae@mail.gmail.com>
References: <4c4ba1530609271640g437a4c09teec0c3f5727bc6ae@mail.gmail.com>
Message-ID: <451BE2B4.8000903@redhat.com>

Tom London wrote:
> Running Rawhide, targeted/enforcing:
>
> Get the following when attempting to 'add/modify' cups classes using
> the browser interface (http://localhost:631).
> I'm guessing it's trying
> to access /etc/hp:
>
> [tbl at localhost hp]$ ls -lZ /etc/hp
> -rw-r--r--  root root system_u:object_r:hplip_etc_t    hplip.conf
> [tbl at localhost hp]$
>
> type=AVC msg=audit(1159399431.862:77): avc: denied { search } for
> pid=4914 comm="hp" name="hp" dev=dm-0 ino=11108479
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
> type=SYSCALL msg=audit(1159399431.862:77): arch=40000003 syscall=5
> success=no exit=-13 a0=804c305 a1=0 a2=1b6 a3=9518008 items=0
> ppid=4913 pid=4914 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0
> egid=7 sgid=7 fsgid=7 tty=(none) comm="hp"
> exe="/usr/lib/cups/backend/hp"
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
>
> Putting it in permissive mode and browsing to 'Administration' page
> produces:
>
> type=AVC msg=audit(1159400309.010:111): avc: denied { search } for
> pid=5019 comm="hp" name="hp" dev=dm-0 ino=11108479
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
> type=AVC msg=audit(1159400309.010:111): avc: denied { read } for
> pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1159400309.010:111): arch=40000003 syscall=5
> success=yes exit=4 a0=804c305 a1=0 a2=1b6 a3=806a008 items=0 ppid=5018
> pid=5019 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7
> sgid=7 fsgid=7 tty=(none) comm="hp" exe="/usr/lib/cups/backend/hp"
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1159400309.014:112): avc: denied { getattr } for
> pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1159400309.014:112): arch=40000003 syscall=197
> success=yes exit=0 a0=4 a1=bf866cd8 a2=49872ff4 a3=806a008 items=0
> ppid=5018 pid=5019 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0
> egid=7 sgid=7 fsgid=7 tty=(none) comm="hp"
> exe="/usr/lib/cups/backend/hp"
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
> type=AVC_PATH msg=audit(1159400309.014:112): path="/etc/hp/hplip.conf"
> type=AVC msg=audit(1159400310.474:113): avc: denied { search } for
> pid=5039 comm="python" name="hp" dev=dm-0 ino=11108479
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
> type=AVC msg=audit(1159400310.474:113): avc: denied { getattr } for
> pid=5039 comm="python" name="hplip.conf" dev=dm-0 ino=11108480
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1159400310.474:113): arch=40000003 syscall=195
> success=yes exit=0 a0=99b4a98 a1=bfb26f88 a2=49872ff4 a3=99601b0
> items=0 ppid=5018 pid=5039 auid=4294967295 uid=0 gid=7 euid=0 suid=0
> fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) comm="python"
> exe="/usr/bin/python" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> key=(null)
> type=AVC_PATH msg=audit(1159400310.474:113): path="/etc/hp/hplip.conf"
> type=AVC msg=audit(1159400310.474:114): avc: denied { read } for
> pid=5039 comm="python" name="hplip.conf" dev=dm-0 ino=11108480
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1159400310.474:114): arch=40000003 syscall=5
> success=yes exit=4 a0=99b4a98 a1=8000 a2=1b6 a3=99d2070 items=0
> ppid=5018 pid=5039 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0
> egid=7 sgid=7 fsgid=7 tty=(none) comm="python" exe="/usr/bin/python"
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
>
> tom
Added in selinux-policy-2.3.16-5

From selinux at gmail.com Thu Sep 28 17:36:26 2006
From: selinux at gmail.com (Tom London)
Date: Thu, 28 Sep 2006 10:36:26 -0700
Subject: setroubleshoot messages/TypeError
Message-ID: <4c4ba1530609281036i75175ad9y34895773d6d2224@mail.gmail.com>

Running latest rawhide, targeted/enforcing.

I see this in both /var/log/messages and /var/log/setroubleshoot/setroubleshoot.log:

2006-09-28 10:25:45,359 [plugin.ERROR] failed to retrieve rpm info for [unknown]
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/setroubleshoot/util.py", line 117, in get_rpm_nvr_by_file_path
    mi = ts.dbMatch(rpm.RPMTAG_BASENAMES, path)
TypeError: unknown key type

The following is added in /var/log/messages:

Sep 28 10:25:45 localhost setroubleshoot: SELinux is preventing /usr/bin/vmnet-natd (unconfined_t) "node_bind" to [unknown] (inaddr_any_node_t). See audit.log for complete SELinux messages. id = 9503dabe-b132-4703-b7b5-7f7294aa5034

Here is the AVC from /var/log/audit/audit.log:

type=AVC msg=audit(1159464342.472:22): avc: denied { node_bind } for pid=3523 comm="vmnet-natd" scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1159464342.472:22): arch=40000003 syscall=102 per=400000 success=no exit=-13 a0=2 a1=bfaf24f0 a2=8a98158 a3=7 items=0 ppid=3457 pid=3523 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vmnet-natd" exe="/usr/bin/vmnet-natd" subj=user_u:system_r:unconfined_t:s0 key=(null)

This is an AVC I get when the VMWare modules start up (I did a 'service vmware start' this time). [I leave the policy unmodified to catch this as one of my 'testing' cases.]

tom
-- 
Tom London

From sds at tycho.nsa.gov Thu Sep 28 17:44:30 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 28 Sep 2006 13:44:30 -0400
Subject: creating a new user
In-Reply-To: <50286.130.203.65.72.1159408183.squirrel@130.203.65.72>
References: <49576.130.203.65.72.1159371198.squirrel@130.203.65.72>
	<1159372734.2260.1.camel@moss-spartans.epoch.ncsc.mil>
	<50286.130.203.65.72.1159408183.squirrel@130.203.65.72>
Message-ID: <1159465470.13131.6.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-09-27 at 21:49 -0400, Sandra Julieta Rueda Rodriguez wrote:
> Hello,
>
> I just executed the given instructions (semodule -n -r) to fix the problem
> with semodule and now everything is working ok. Thanks.
>
> Now I have a different problem ....
>
> I am trying to create a new user. I added it to the file local.users in
> the src directory and also to /etc/selinux/strict/users/local.users. I
> tried first to modify only the one in src but it did not work, so I also
> modified the other one.

local.users is deprecated in FC5, and only looked at if SETLOCALDEFS=1 in /etc/selinux/config. In FC5 and later, user manipulation is done via semanage, and makes use of a separate mapping from Linux users to SELinux user identities (the seusers mapping), so that one can add/remove/modify Linux users without modifying kernel policy at all. semanage login manipulates this mapping. semanage user can also be used to manipulate SELinux user identities, but you generally shouldn't need to do that - typically you would just have one SELinux user identity per logical role, and then map Linux users to those SELinux user identities.

> Since I am working based on refpolicy (I already ran make install-src) and
> the instructions I have found are for previous versions I am not sure if I
> need to run make policy, and then install. Just to be sure I tried, make
> policy worked ok, but make install does not work ...

Um, you do know that FC5 policy is also based on refpolicy, right?
And that you should be doing a modular policy build even if you are building from the upstream refpolicy, so that you can continue to use semodule and semanage?

> I guess I am doing something wrong ... could anybody help me with that?
>
> This is the output of make install:
> Validating strict file_contexts.
> /usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.20
> file_contexts
> libsepol.context_from_record: user rueda is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert rueda:staff_r:staff_t to sid
> file_contexts: line 2149 has invalid context
> make: *** [/etc/selinux/strict/contexts/files/file_contexts] Error 1
>
> rueda is the user I am trying to create by adding it to the local.users
> file. I am also trying to use it as part of the context for a file.

-- 
Stephen Smalley
National Security Agency

From selinux at gmail.com Fri Sep 29 18:38:44 2006
From: selinux at gmail.com (Tom London)
Date: Fri, 29 Sep 2006 11:38:44 -0700
Subject: prelink_t AVC
Message-ID: <4c4ba1530609291138x1409ebe2i1815870adaf6587@mail.gmail.com>

Running latest Rawhide, targeted/enforcing.

Got this today:

type=AVC msg=audit(1159549607.591:47): avc: denied { read } for pid=7982 comm="prelink" name="spamc" dev=dm-0 ino=5488531 scontext=system_u:system_r:prelink_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1159549607.591:47): arch=40000003 syscall=5 success=no exit=-13 a0=93651a0 a1=8000 a2=0 a3=0 items=0 ppid=7973 pid=7982 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink" subj=system_u:system_r:prelink_t:s0 key=(null)

tom
-- 
Tom London

From smooge at gmail.com Sat Sep 30 00:08:59 2006
From: smooge at gmail.com (Stephen John Smoogen)
Date: Fri, 29 Sep 2006 18:08:59 -0600
Subject: People running Postfix in FC5 not running Selinux?
Message-ID: <80d7e4090609291708h1fe2a33cx68e67a67053b1cbc@mail.gmail.com>

I installed a system from the original FC5 disks and updated to the latest versions in the yum repos. I changed over to postfix and found that it wasn't working for some reason.. no errors to /var/log/messages or /var/log/secure.. and I completely forgot for a day to look at audit. When my brain turned back on I found that postfix didn't start because it was trying to use a pam entry that I had put pam_tally.so in. Whoops. Fixed that.. but postfix still wouldn't start up. This also showed me that my /etc/services file needed a relabel as I had put in a more verbose one. So I did a complete system relabel in case I missed something else.

postfix was able to start email but could not do a mailq. Doing a mailq showed me things like:

allow postfix_local_t initrc_var_run_t:file { read write };
allow postfix_showq_t initrc_var_run_t:file { read write };

type=AVC msg=audit(1159574724.622:397): avc: denied { read write } for pid=2621 comm="local" name="unix.local" dev=dm-3 ino=163870 scontext=system_u:system_r:postfix_local_t:s0 tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
	Was caused by:
		Missing or disabled TE allow rule.
		Allow rules may exist but be disabled by boolean settings; check boolean settings.
		You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1159574753.636:398): avc: denied { read write } for pid=2625 comm="showq" name="unix.showq" dev=dm-3 ino=163871 scontext=system_u:system_r:postfix_showq_t:s0 tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
	Was caused by:
		Missing or disabled TE allow rule.
		Allow rules may exist but be disabled by boolean settings; check boolean settings.
		You can see the necessary allow rules by running audit2allow with this audit message as input.

Not sure what I should do next. Turning off the selinux

selinux-policy-targeted-2.3.7-2.fc5
selinux-policy-2.3.7-2.fc5

-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

From db-fedora at 3di.it Fri Sep 29 23:16:48 2006
From: db-fedora at 3di.it (Davide Bolcioni)
Date: Sat, 30 Sep 2006 01:16:48 +0200
Subject: Mounting the news spool
Message-ID: <451DA960.5080804@3di.it>

Greetings,
while attempting to set up leafnode I had a problem with mounting its spool, /var/spool/news:

Sep 14 00:36:11 camelot kernel: audit(1158186712.955:375): avc: denied { mounton } for pid=1353 comm="mount" name="news" dev=dm-3 ino=65600 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:news_spool_t:s0 tclass=dir

Using audit2why and then audit2allow I was able to come up with the following .te policy:

module news 1.0;

require {
	class dir mounton;
	type mount_t;
	type news_spool_t;
	role system_r;
};

allow mount_t news_spool_t:dir mounton;

which to my untrained eye looked good. Researching the archives before writing this, however, I came upon the answer for a similar problem:

https://www.redhat.com/archives/fedora-selinux-list/2006-August/msg00096.html

and found out that it would probably have been enough to label the mount point mnt_t (haven't tried it yet). Assuming it works, how should I have found out about it? I tried rpm -qd and found out about the selinux-policy documentation, but nothing showed up for the targeted policy. In this context, isn't audit2allow somewhat ... dangerous? Or was it just a shortcoming in the leafnode RPM, so I should be looking at what INN is doing instead?

Thank you for your consideration,
Davide Bolcioni
-- 
There is no place like /home.

From giuffsalvo at hotmail.it Sat Sep 30 16:12:08 2006
From: giuffsalvo at hotmail.it (Salvo Giuffrida)
Date: Sat, 30 Sep 2006 18:12:08 +0200
Subject: MLS policy and the X server
Message-ID:

Is it "normal" that, with the MLS policy (FC5), the X server doesn't work? Did anyone have problems with it?
Thanks
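Several reports in this month's archive (Tom London's cupsd_t denials, Stephen Smoogen's postfix_local_t denials, Davide Bolcioni's mount_t/news_spool_t denial) come down to the same step: read the AVC record and, as audit2allow does, reduce it to an allow rule. The script below is an added example, not code from any message here and not the audit2allow implementation; it parses the AVC lines quoted above (embedded as constructed sample input, in both the auditd and the syslog shapes), merges permissions per source type, target type and object class, and wraps the result in a module skeleton like Davide's news.te. The rule it prints is only what the log says was denied; as Davide's question points out, whether the right fix is that rule, a relabel such as mnt_t, or a boolean is a separate decision.

```python
import re

# Constructed sample input: AVC records copied from the messages above, in both
# shapes this list sees, auditd's "type=AVC msg=audit(...)" and the syslog
# "kernel: audit(...)" form from Davide's mount_t report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1159574724.622:397): avc: denied { read write } for pid=2621 comm="local" name="unix.local" dev=dm-3 ino=163870 scontext=system_u:system_r:postfix_local_t:s0 tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
Sep 14 00:36:11 camelot kernel: audit(1158186712.955:375): avc: denied { mounton } for pid=1353 comm="mount" name="news" dev=dm-3 ino=65600 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:news_spool_t:s0 tclass=dir
type=AVC msg=audit(1159400309.010:111): avc: denied { search } for pid=5019 comm="hp" name="hp" dev=dm-0 ino=11108479 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
type=AVC msg=audit(1159400309.010:111): avc: denied { read } for pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=AVC msg=audit(1159400309.014:112): avc: denied { getattr } for pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
"""

# "avc: denied { perm ... } for key=value ..." is common to both shapes.
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Type component of a context user:role:type[:mls-range]."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    return parts[2]

def parse_avc(line):
    """Fields of one AVC denial as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
    }

def merge_denials(text):
    """Group denied perms by (source type, target type, class), as audit2allow does."""
    merged = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        perms = merged.setdefault((rec["source"], rec["target"], rec["tclass"]), [])
        for p in rec["perms"]:
            if p not in perms:
                perms.append(p)
    return merged

def perm_set(perms):
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def derive_allow_rules(text):
    # Each rule echoes exactly what the log says was denied. Whether the fix is
    # this rule, a relabel (the mount point as mnt_t, say) or a boolean is a
    # separate judgement, which is the concern raised about audit2allow above.
    return [f"allow {s} {t}:{c} {perm_set(p)};" for (s, t, c), p in merge_denials(text).items()]

def render_module(name, version, text):
    """Module skeleton like the news.te above: a require block for every class
    and type the rules use, then the rules themselves."""
    types, classes = [], {}
    for (src, tgt, cls), perms in merge_denials(text).items():
        for t in (src, tgt):
            if t not in types:
                types.append(t)
        for p in perms:
            if p not in classes.setdefault(cls, []):
                classes[cls].append(p)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\tclass {c} {perm_set(p)};" for c, p in classes.items()]
    lines += [f"\ttype {t};" for t in types]
    lines += ["};", ""] + derive_allow_rules(text)
    return "\n".join(lines)
```

Feeding it Davide's single mounton line reproduces his allow rule and the type/class part of his require block (the role line is not derivable from an AVC record, so it is left out).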