From gtwilliams at gmail.com  Wed Apr  4 00:10:22 2007
From: gtwilliams at gmail.com (Garry T. Williams)
Date: Tue, 3 Apr 2007 20:10:22 -0400
Subject: cups-lpd: Unable to reserve port: Permission denied
Message-ID: <200704032010.22763.gtwilliams@gmail.com>

I recently noted that print jobs from my FC6 machine sent to my remote lpd print server take over five minutes to actually be spooled to the print server. When I strace the cups process that connects to the remote lpd, I see repeated attempts to bind() to port numbers below 1024. Each attempt fails with EACCES even though the process is running as root. After each failure, the lpd client waits for one second, then decrements the port number and tries again. This sequence repeats until port number 631 is tried. That succeeds and the client calls connect() and the print job is sent to the remote printer.

My theory (based on suggestions from the fedora-user mailing list) is that there is a new selinux policy that restricts the cupsd process and its children to only be able to bind to port 631. If this is true, I believe it is incorrect.

I think that there are some older lpd servers that insist on validating clients based on their source port numbers, refusing to allow connections from clients using ports over 1024. This behavior will probably be judged silly (at best) these days, but there seems to be a need to support it even today. Consequently, the default behavior of cups-lpd seems to insist on a low port number before calling connect().

I got around the problem by specifying a printer URI that suppresses that behavior. (That wasn't obvious to me -- I got there from a suggestion from David Hull, replying to my question on the fedora-user list.) But the cups developers think this is OK behavior for their client when it needs to talk to some servers.

I think the new policy is wrong. Regardless, why don't I see avc log messages on this?

-- 
Garry T. Williams --- +1 678 656-4579

From mra at hp.com  Thu Apr  5 23:01:19 2007
From: mra at hp.com (Matt Anderson)
Date: Thu, 05 Apr 2007 19:01:19 -0400
Subject: cups-lpd: Unable to reserve port: Permission denied
In-Reply-To: <200704032010.22763.gtwilliams@gmail.com>
References: <200704032010.22763.gtwilliams@gmail.com>
Message-ID: <46157FBF.8080703@hp.com>

Garry T. Williams wrote:
> I recently noted that print jobs from my FC6 machine sent to my remote lpd print server take over five minutes to actually be spooled to the print server. When I strace the cups process that connects to the remote lpd, I see repeated attempts to bind() to port numbers below 1024. Each attempt fails with EACCES even though the process is running as root. After each failure, the lpd client waits for one second, then decrements the port number and tries again. This sequence repeats until port number 631 is tried. That succeeds and the client calls connect() and the print job is sent to the remote printer.
>
> I think the new policy is wrong. Regardless, why don't I see avc log messages on this?

It seems to me that the AVCs are lost because they are dontaudited. If you put in place the enableaudit.pp policy file then you'd probably see them.

cupsd should only be able to bind to port 631, but your clients should be able to use high ports to connect to the remote server. From what you've said it sounds like the printer you are lpr'ing to is a locally defined print spool that cupsd is supposed to then queue up and send to remote printers. If that is the case then why not configure the queue so that lpr sends jobs directly to the remote queue? Or am I missing something?

-matt

From gtwilliams at gmail.com  Fri Apr  6 00:30:57 2007
From: gtwilliams at gmail.com (Garry T. Williams)
Date: Thu, 5 Apr 2007 20:30:57 -0400
Subject: cups-lpd: Unable to reserve port: Permission denied
In-Reply-To: <46157FBF.8080703@hp.com>
References: <200704032010.22763.gtwilliams@gmail.com> <46157FBF.8080703@hp.com>
Message-ID: <200704052030.58077.gtwilliams@gmail.com>

On Thursday 05 April 2007 19:01:19 Matt Anderson wrote:
> Garry T. Williams wrote:
> > I think the new policy is wrong. Regardless, why don't I see avc log messages on this?
>
> It seems to me that the AVCs are lost because they are dontaudited. If you put in place the enableaudit.pp policy file then you'd probably see them.

Thanks for the pointer. This will save debug time. :-)

> cupsd should only be able to bind to port 631, but your clients should be able to use high ports to connect to the remote server. From what you've said it sounds like the printer you are lpr'ing to is a locally defined print spool that cupsd is supposed to then queue up and send to remote printers. If that is the case then why not configure the queue so that lpr sends jobs directly to the remote queue? Or am I missing something?

I simply defined a remote lpd printer to cups and then printed to it from an application like a2ps or firefox. This causes my local cupsd process to fork a client to connect to the remote lpd. In general, TCP clients don't need to bind to a specific port. In general, TCP clients don't even call bind(). But...

Because of historical conventions (as I understand it), some lpd *servers* refuse to allow connections from clients coming from source ports above 1024. Yes, it's silly, but the cups folks claim that there are such servers that cups needs to support. Because of this, the default behavior for cups-lpd running in *client* mode is to bind to a low-numbered port before connecting to the server. The new selinux policy forbids this. As a matter of fact, the cups-lpd running as a client *can't* bind to the permitted port 631, if the cups server has already done so.

(I don't run cupsd on anything but localhost on this machine, so the bind eventually succeeded when cups-lpd finally counted down to 631 retrying bind() along the way.)

If you accept that it is legitimate for cups-lpd to insist on a low-numbered port that is not 631, then the current policy is flawed. The client mode will never call listen(), so it doesn't become a server. It just wants a low source port when it connects to another server.

-- 
Garry T. Williams --- +1 678 656-4579

From dwalsh at redhat.com  Fri Apr  6 12:26:54 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 06 Apr 2007 08:26:54 -0400
Subject: cups-lpd: Unable to reserve port: Permission denied
In-Reply-To: <200704052030.58077.gtwilliams@gmail.com>
References: <200704032010.22763.gtwilliams@gmail.com> <46157FBF.8080703@hp.com> <200704052030.58077.gtwilliams@gmail.com>
Message-ID: <46163C8E.6030100@redhat.com>

Garry T. Williams wrote:
> If you accept that it is legitimate for cups-lpd to insist on a low-numbered port that is not 631, then the current policy is flawed. The client mode will never call listen(), so it doesn't become a server. It just wants a low source port when it connects to another server.

I have added the ability for cups to bind to any port 600-1023.

selinux-policy-2.5.11-5.fc7

From olivares14031 at yahoo.com  Tue Apr 10 13:23:25 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 10 Apr 2007 06:23:25 -0700 (PDT)
Subject: denied avcs Rawhide how to troubleshoot
Message-ID: <20070410132326.13820.qmail@web52610.mail.re2.yahoo.com>

Dear list,

I am running rawhide and I get these denied avcs

[olivares at localhost ~]$ cat /etc/fedora-release
Fedora release 6.92 (Rawhide)
[olivares at localhost ~]$

There is a tool semanage, but I do not know how to use it. Is there any reference to this new tool? How do I fix this using chcon -? or other tools to troubleshoot this.

audit(1176209974.281:4): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1440" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:5): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1680" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:6): avc: denied { create } for pid=991 comm="cIreate_floppy_d" name="fd0u1722" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:7): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1743" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:8): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1760" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:9): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1920" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:10): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1840" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:11): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1600" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:12): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u360" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:13): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u720" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:14): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u820" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:15): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u830" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:16): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1040" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:17): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1120" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
audit(1176209974.281:18): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u800" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file

Thanks,

Antonio
From sds at tycho.nsa.gov  Tue Apr 10 13:41:22 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 10 Apr 2007 09:41:22 -0400
Subject: denied avcs Rawhide how to troubleshoot
In-Reply-To: <20070410132326.13820.qmail@web52610.mail.re2.yahoo.com>
References: <20070410132326.13820.qmail@web52610.mail.re2.yahoo.com>
Message-ID: <1176212482.15415.159.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-04-10 at 06:23 -0700, Antonio Olivares wrote:
> Dear list,
>
> I am running rawhide and I get these denied avcs
>
> [olivares at localhost ~]$ cat /etc/fedora-release
> Fedora release 6.92 (Rawhide)
> [olivares at localhost ~]$
>
> There is a tool semanage, but I do not know how to use it. Is there any reference to this new tool?
> How do I fix this using chcon -? or other tools to troubleshoot this.
>
> audit(1176209974.281:4): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1440" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file

In this case, it appears that udev is creating a device node without properly setting its security context. I can confirm the same behavior on a rawhide system here. /sbin/restorecon -nv /dev/fd0u1440 reports that it has default_t but should have removable_device_t according to policy. Possibly a bug in the latest version of udev?
-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com  Tue Apr 10 17:46:29 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 10 Apr 2007 13:46:29 -0400
Subject: denied avcs Rawhide how to troubleshoot
In-Reply-To: <20070410132326.13820.qmail@web52610.mail.re2.yahoo.com>
References: <20070410132326.13820.qmail@web52610.mail.re2.yahoo.com>
Message-ID: <461BCD75.2030400@redhat.com>

Antonio Olivares wrote:
> Dear list,
>
> I am running rawhide and I get these denied avcs
>
> [olivares at localhost ~]$ cat /etc/fedora-release
> Fedora release 6.92 (Rawhide)
> [olivares at localhost ~]$
>
> There is a tool semanage, but I do not know how to use it. Is there any reference to this new tool?
> How do I fix this using chcon -? or other tools to troubleshoot this.
>
> audit(1176209974.281:4): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1440" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
>
> Thanks,
>
> Antonio

Please submit this as a udev bug.

From olivares14031 at yahoo.com  Wed Apr 11 00:59:47 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 10 Apr 2007 17:59:47 -0700 (PDT)
Subject: denied avcs Rawhide how to troubleshoot
Message-ID: <20070411005947.98458.qmail@web52605.mail.re2.yahoo.com>

----- Original Message ----
From: Daniel J Walsh
To: Antonio Olivares
Cc: fedora-selinux-list at redhat.com
Sent: Tuesday, April 10, 2007 12:46:29 PM
Subject: Re: denied avcs Rawhide how to troubleshoot

Please submit this as a udev bug.

Done!

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235953

Regards,

Antonio
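A way to turn denials like the ones in this thread into the summary an admin reads before choosing between relabelling and a policy module, as an added example that is not code from the list or from Fedora's tools: it parses both the bare dmesg form quoted above and the type=AVC auditd form that appears in the ping and lvm reports later in this archive, groups denials by source type, target type and object class, renders the rule audit2allow would produce for each group, and flags targets carrying the fallback type default_t, which is what Stephen's restorecon check found here. The sample lines are copied from this archive; the triage hints are the example's own.

```python
"""Summarise SELinux AVC denials from dmesg or auditd output.

Added example for this thread, not code from the list or from Fedora's tools.
Handles both the bare dmesg form ("audit(...): avc: denied {...}") and the
auditd form ("type=AVC msg=audit(...): avc:  denied  { ... }").
"""
import re
from collections import defaultdict

_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types an object gets when no labelling rule matched it.  A denial against one
# of these usually means the object is mislabelled (what restorecon -nv reported
# in the udev case above), not that policy needs a new allow rule.
FALLBACK_TYPES = {"default_t", "unlabeled_t"}


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = frozenset(m.group("perms").split())
    # A security context is user:role:type[:range]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines):
    """Merge denials into {(source type, target type, class): set of permissions}."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(groups)


def allow_rule(key, perms):
    """Render the te rule audit2allow(1) would generate for one group."""
    stype, ttype, tclass = key
    body = " ".join(sorted(perms))
    if len(perms) > 1:
        body = "{ %s }" % body
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, body)


def triage(key):
    """One-line hint on whether a group looks like a labelling bug or a policy gap."""
    _, ttype, _ = key
    if ttype in FALLBACK_TYPES:
        return ("target has fallback type %s: check the object's label with "
                "'restorecon -nv <path>' before adding policy" % ttype)
    return "no fallback type involved: review as a policy gap or program misbehaviour"


# Sample input: denials quoted from this archive plus one unrelated SYSCALL
# record, which the parser must ignore.
SAMPLE_LOG = [
    'audit(1176209974.281:4): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1440" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file',
    'audit(1176209974.281:5): avc: denied { create } for pid=991 comm="create_floppy_d" name="fd0u1680" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=blk_file',
    'type=SYSCALL msg=audit(1176300990.257:65255): arch=40000003 syscall=5 success=no exit=-13 a0=bf91d6e0 a1=0 a2=1b6 a3=8816018 items=0 ppid=18973 pid=18974 auid=4294967295 uid=507 gid=507 euid=0 suid=0 fsuid=0 egid=507 sgid=507 fsgid=507 tty=(none) comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)',
    'type=AVC msg=audit(1176300990.257:65256): avc: denied { search } for pid=18974 comm="ping" name="locale" dev=dm-0 ino=3113039 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir',
    'type=AVC msg=audit(1176630582.797:103): avc: denied { write } for pid=6201 comm="lvm" name="vgs1" dev=tmpfs ino=33551 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file',
]


def report(lines):
    """Return the report lines: one rule and one triage hint per group."""
    out = []
    for key, perms in sorted(summarize(lines).items()):
        out.append(allow_rule(key, perms))
        out.append("  # " + triage(key))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```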
From joe at nall.com  Wed Apr 11 15:55:34 2007
From: joe at nall.com (Joe Nall)
Date: Wed, 11 Apr 2007 10:55:34 -0500
Subject: Many to one translations in setrans.conf
Message-ID:

We have been using /etc/selinux/mls/setrans.conf files that use multiple equivalent translations to support common aliases. For example:

s2:c1.c225,c227.c253=CONFIDENTIAL//REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO FU
s2:c1.c225,c227.c253=CONFIDENTIAL//REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO BAR

This has the effect of mapping all of these labels to a common context. This context maps back to the first translation (CONFIDENTIAL//REL FU).

'semanage translation -a -T ...' has different behavior. When a translation is added, it rewrites the file using the last (C O N F I D E N T I A L RELEASABLE TO BAR) translation and deletes the other translations. It also moves all of the comments to the top, moving them away from the translation they are documenting.

Should we be using this many to one behavior to support aliases? Is it broken in other ways that we have not discovered yet?

joe

From dwalsh at redhat.com  Wed Apr 11 16:02:11 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 11 Apr 2007 12:02:11 -0400
Subject: Many to one translations in setrans.conf
In-Reply-To:
References:
Message-ID: <461D0683.5040902@redhat.com>

Joe Nall wrote:
> We have been using /etc/selinux/mls/setrans.conf files that use multiple equivalent translations to support common aliases.
>
> This has the effect of mapping all of these labels to a common context. This context maps back to the first translation (CONFIDENTIAL//REL FU).
>
> 'semanage translation -a -T ...' has different behavior. When a translation is added, it rewrites the file using the last (C O N F I D E N T I A L RELEASABLE TO BAR) translation and deletes the other translations. It also moves all of the comments to the top, moving them away from the translation they are documenting.
>
> Should we be using this many to one behavior to support aliases? Is it broken in other ways that we have not discovered yet?

No, I think this is fine, but the tool is probably broken.
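An added example, not code from the thread or from mcstrans, that checks a setrans.conf for exactly the many-to-one pattern Joe describes: it parses raw levels by the rules Dan Walsh spells out later in this archive (a bare s0 is s0-s0, and c1.c5 expands to c1,c2,c3,c4,c5), normalises each range so that differently written but equivalent category lists collapse to one key, and reports which translation a context maps back to (the first one in the file) and which are aliases. The comment handling and the skipping of lines whose left side is not a level are assumptions; the sample file is constructed from the lines in this thread plus one marked extra alias.

```python
"""Normalise MLS ranges as written in setrans.conf and find many-to-one translations.

Added example, not code from the thread or from mcstrans.  Encodes the rules
Dan Walsh states later in this archive: a bare "s0" means "s0-s0", and
"c1.c5" is shorthand for "c1,c2,c3,c4,c5".
"""
import re

_LEVEL_RE = re.compile(r"^s(\d+)(?::(c\d+(?:[.,]c\d+)*))?$")


def expand_categories(spec):
    """'c1.c225,c227.c253' -> frozenset of category numbers ('.' is an inclusive range)."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = (int(c[1:]) for c in part.split("."))
            if lo > hi:
                raise ValueError("descending category range: %s" % part)
            cats.update(range(lo, hi + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(text):
    """'s2:c1.c225,c227.c253' -> (sensitivity, categories)."""
    m = _LEVEL_RE.match(text.strip())
    if m is None:
        raise ValueError("bad level: %r" % text)
    return int(m.group(1)), expand_categories(m.group(2) or "")


def parse_range(text):
    """'s0' -> (low, high) with low == high; 's0-s0:c0.c1023' -> (low, high).

    The high level must dominate the low one: same or higher sensitivity and a
    superset of its categories."""
    low, _, high = text.strip().partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if hi[0] < lo[0] or not lo[1] <= hi[1]:
        raise ValueError("high level does not dominate low level: %r" % text)
    return lo, hi


def is_valid_range(text):
    """True if text is a well-formed raw range, False otherwise."""
    try:
        parse_range(text)
    except ValueError:
        return False
    return True


def parse_setrans(text):
    """Yield (normalised range, translation) for every raw=translation line, in file order.

    Assumption: '#' starts a comment, and lines whose left side is not a level
    (for example a Domain= directive) are skipped rather than rejected."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        lhs, rhs = (s.strip() for s in line.split("=", 1))
        if not lhs.startswith("s"):
            continue
        yield parse_range(lhs), rhs


def translations(text):
    """Map each normalised range to its translations in file order."""
    table = {}
    for rng, trans in parse_setrans(text):
        table.setdefault(rng, []).append(trans)
    return table


def aliases(text):
    """Ranges with more than one translation.  The first entry is what a context
    translates back to (as Joe observed); the rest are aliases accepted on input."""
    return {rng: t for rng, t in translations(text).items() if len(t) > 1}


# Constructed sample: Joe Nall's six aliases, the two lines from Ivan Makale's
# question, and one extra alias whose categories are spelled differently but
# denote the same set (c227,c228.c253 == c227.c253).
SAMPLE_SETRANS = """\
# constructed sample setrans.conf fragment
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
s2:c1.c225,c227.c253=CONFIDENTIAL//REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO FU
s2:c1.c225,c227.c253=CONFIDENTIAL//REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO BAR
s2:c1.c225,c227,c228.c253=CONFIDENTIAL//REL FU BAR   # constructed: same set, written differently
"""

if __name__ == "__main__":
    for rng, names in aliases(SAMPLE_SETRANS).items():
        print("%d translations share one range; canonical: %s" % (len(names), names[0]))
```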
From jouni at viikarit.com  Wed Apr 11 17:53:54 2007
From: jouni at viikarit.com (Jouni Viikari)
Date: Wed, 11 Apr 2007 20:53:54 +0300
Subject: Latest selinux update & ping
Message-ID: <1176314035.12433.11.camel@pappa.viikarit.com>

Hi,

After the latest selinux updates I get a lot of these messages at my log:

SELinux is preventing /bin/ping (ping_t) "search" to locale (locale_t)

or audit log:

denied { search } for pid=16255 comm="ping" name="locale" dev=dm-0 ino=3113039 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir

type=SYSCALL msg=audit(1176300990.257:65255): arch=40000003 syscall=5 success=no exit=-13 a0=bf91d6e0 a1=0 a2=1b6 a3=8816018 items=0 ppid=18973 pid=18974 auid=4294967295 uid=507 gid=507 euid=0 suid=0 fsuid=0 egid=507 sgid=507 fsgid=507 tty=(none) comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1176300990.257:65256): avc: denied { search } for pid=18974 comm="ping" name="locale" dev=dm-0 ino=3113039 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir

The last line repeats itself many times.

The pings are run by Big Brother which as one task pings my network to see all is up.

Is this a local problem here, selinux problem or ping problem?
-Jouni

From sds at tycho.nsa.gov  Wed Apr 11 18:02:37 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 11 Apr 2007 14:02:37 -0400
Subject: Latest selinux update & ping
In-Reply-To: <1176314035.12433.11.camel@pappa.viikarit.com>
References: <1176314035.12433.11.camel@pappa.viikarit.com>
Message-ID: <1176314557.3986.10.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2007-04-11 at 20:53 +0300, Jouni Viikari wrote:
> Hi,
>
> After the latest selinux updates I get a lot of these messages at my log:
>
> SELinux is preventing /bin/ping (ping_t) "search" to locale (locale_t)
>
> or audit log:
>
> type=AVC msg=audit(1176300990.257:65256): avc: denied { search } for pid=18974 comm="ping" name="locale" dev=dm-0 ino=3113039 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir
>
> The last line repeats itself many times.
>
> The pings are run by Big Brother which as one task pings my network to see all is up.
>
> Is this a local problem here, selinux problem or ping problem?

I'd say it is a selinux policy problem (should allow ping to read locale data). You can work around it by creating a local policy module with audit2allow and installing it via semodule until it is fixed in the policy. Not sure why it would only show up after an update.
-- 
Stephen Smalley
National Security Agency

From elihusmails at gmail.com  Wed Apr 11 18:18:49 2007
From: elihusmails at gmail.com (Mark Webb)
Date: Wed, 11 Apr 2007 14:18:49 -0400
Subject: X server won't start using MLS policy
Message-ID: <9f066ee90704111118v2dd681ednc4d4929aeb9fec1c@mail.gmail.com>

I have followed the instructions at http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto on how to install the MLS policy. I have it working under Fedora Core 6, but when I boot to runlevel 5, I get an error saying that the X server cannot be started.

Does anyone know how to fix this problem?

Thanks
-- 
..Cheers
Mark

From txtoth at gmail.com  Wed Apr 11 18:48:31 2007
From: txtoth at gmail.com (Ted X Toth)
Date: Wed, 11 Apr 2007 13:48:31 -0500
Subject: X server won't start using MLS policy
In-Reply-To: <9f066ee90704111118v2dd681ednc4d4929aeb9fec1c@mail.gmail.com>
References: <9f066ee90704111118v2dd681ednc4d4929aeb9fec1c@mail.gmail.com>
Message-ID: <461D2D7F.1000907@gmail.com>

Mark Webb wrote:
> I have followed the instructions at http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto on how to install the MLS policy. I have it working under Fedora Core 6, but when I boot to runlevel 5, I get an error saying that the X server cannot be started.
>
> Does anyone know how to fix this problem?
>
> Thanks
> -- 
> ..Cheers
> Mark

What is the actual error? Have you looked in /var/log/Xorg.0.log?
Ted

From ivan.makale at ngi.it  Sat Apr 14 15:10:07 2007
From: ivan.makale at ngi.it (Ivan Makale)
Date: Sat, 14 Apr 2007 17:10:07 +0200
Subject: setrans.conf
Message-ID: <4620EECF.5030505@ngi.it>

I'm studying SELinux and I'd like to find a clear explanation of the syntax used in the setrans.conf file. Has anybody a web resource to suggest?

So to give an example,

s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

Is '-' indicating a range between sensitivity levels and the '.' a range between categories? What's the difference between "s0" only and "s0-s0"? And so on...

Thank you,
Ivan Makale

From dblistsub-fedora at yahoo.it  Mon Apr 16 11:08:37 2007
From: dblistsub-fedora at yahoo.it (Davide Bolcioni)
Date: Mon, 16 Apr 2007 13:08:37 +0200
Subject: Targeted policy does not allow lvm output redirection ?
Message-ID: <200704161308.38014.dblistsub-fedora@yahoo.it>

Greetings,

I tried the following:

lvm vgs -o vg_name,vg_extent_size --units=k | cat > /tmp/vgs2
lvm vgs -o vg_name,vg_extent_size --units=k > /tmp/vgs1

and obtained

-rw-r--r-- 1 root root  0 Apr 15 11:49 /tmp/vgs1
-rw-r--r-- 1 root root 28 Apr 15 11:49 /tmp/vgs2

but as you can see in the attached /var/log/audit.d/audit.log fragment, writing from an executable running in the lvm_t context to an object labeled with the tmp_t context is not allowed by the targeted policy.

My setup:

libselinux-1.33.4-2.fc6
selinux-policy-targeted-2.4.6-49.fc6
selinux-policy-2.4.6-49.fc6

Should I open a Bugzilla for this?

Thank you for your consideration,
Davide Bolcioni

-- 
There is no place like /home.
-------------- next part --------------
type=USER_ACCT msg=audit(1171320301.650:41): user pid=6201 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=news : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1171320301.651:42): login pid=6201 uid=0 old auid=4294967295 new auid=9
type=USER_START msg=audit(1171320301.656:43): user pid=6201 uid=0 auid=9 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=news : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1171320301.656:44): user pid=6201 uid=0 auid=9 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=news : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=AVC msg=audit(1176630582.797:103): avc: denied { write } for pid=6201 comm="lvm" name="vgs1" dev=tmpfs ino=33551 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1176630582.797:103): arch=c000003e syscall=59 success=yes exit=0 a0=8eaa80 a1=8d61b0 a2=8f4300 a3=6d items=0 ppid=5575 pid=6201 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="lvm" exe="/sbin/lvm.static" subj=user_u:system_r:lvm_t:s0 key=(null)
type=AVC msg=audit(1176630585.345:104): avc: denied { write } for pid=6201 comm="lvm" name=".cache" dev=dm-1 ino=1933743 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:lvm_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1176630585.345:104): arch=c000003e syscall=2 success=no exit=-13 a0=89da10 a1=42 a2=1ff a3=1 items=0 ppid=5575 pid=6201 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="lvm" exe="/usr/sbin/lvm" subj=user_u:system_r:lvm_t:s0 key=(null)

From dwalsh at redhat.com Mon Apr 16 17:49:10 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 16 Apr 2007 13:49:10 -0400
Subject: setrans.conf
In-Reply-To: <4620EECF.5030505@ngi.it>
References: <4620EECF.5030505@ngi.it>
Message-ID: <4623B716.3060901@redhat.com>

Ivan Makale wrote:
> I'm studying SELinux and I'd like to find a clear explanation of the
> syntax used in the setrans.conf file. Does anybody have a web resource to
> suggest?
> So to give an example,
>
> s0-s0:c0.c1023=SystemLow-SystemHigh
> s0:c0.c1023=SystemHigh
>
> Is '-' indicating a range between sensitivity levels and '.' a
> range between categories? What's the difference between "s0" only and
> "s0-s0"? And so on...

s0 only implies s0-s0

The first number in a sensitivity level range indicates the default level. For the case of a process, this indicates you can use newrole to transition to any of the levels in the range. For a directory, it would indicate the allowable sensitivity levels that can be placed in a directory.

The . in a category is just a shorthand to indicate the sensitivity level includes all categories from the beginning to the end. So s0:c1.c5 is the same as s0:c1,c2,c3,c4,c5.

> Thank you,
> Ivan Makale

From dwalsh at redhat.com Mon Apr 16 17:52:39 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 16 Apr 2007 13:52:39 -0400
Subject: Targeted policy does not allow lvm output redirection ?
In-Reply-To: <200704161308.38014.dblistsub-fedora@yahoo.it>
References: <200704161308.38014.dblistsub-fedora@yahoo.it>
Message-ID: <4623B7E7.1020108@redhat.com>

Davide Bolcioni wrote:
> Greetings,
> I tried the following:
>
> lvm vgs -o vg_name,vg_extent_size --units=k | cat > /tmp/vgs2
> lvm vgs -o vg_name,vg_extent_size --units=k > /tmp/vgs1
>
> and obtained
>
> -rw-r--r-- 1 root root 0 Apr 15 11:49 /tmp/vgs1
> -rw-r--r-- 1 root root 28 Apr 15 11:49 /tmp/vgs2
>
> but as you can see in the attached /var/log/audit.d/audit.log fragment,
> writing from an executable running in the lvm_t context to an object labeled
> with the tmp_t context is not allowed by the targeted policy.
>
> My setup:
>
> libselinux-1.33.4-2.fc6
> selinux-policy-targeted-2.4.6-49.fc6
> selinux-policy-2.4.6-49.fc6
>
> Should I open a Bugzilla for this ?
>

This is one of the tricky things about selinux. An admin can redirect output from a confined domain to any directory, so writing policy to allow output to all possible file_types is not good security or policy. So this problem is really a difficult problem to solve. Allowing confined domains to write to /tmp just for redirection might not seem unreasonable, but this could be an attack vector from a confined domain against users.

BTW, you have a mislabeled .cache file.

restorecon -v /etc/lvm/.cache

> Thank you for your consideration,
> Davide Bolcioni

From kwizart at gmail.com Tue Apr 17 20:02:10 2007
From: kwizart at gmail.com (kwizart)
Date: Tue, 17 Apr 2007 22:02:10 +0200
Subject: vlc x86 libs requires text relocation.
Message-ID: <462527C2.1020808@gmail.com>

Hello!
I would like to solve the SELinux context issue with vlc x86. It is supposed to serve the same purpose as mplayer does with 32-bit codec DLLs if they are present on the end-user system. This affects vlc for Fedora release 5, 6 and devel, only for x86 (not ppc or x86_64), from https://bugzilla.livna.org/show_bug.cgi?id=1404

----
SELinux is preventing /usr/bin/vlc from loading /usr/lib/vlc/codec/libdmo_plugin.so which requires text relocation.
SELinux is preventing /usr/bin/vlc from loading /usr/lib/vlc/codec/librealaudio_plugin.so which requires text relocation.

I'm not sure if this can be fixed in the vlc package or if it would need to be fixed in the selinux policy package. I'll attach the saved output from setroubleshoot for these denials.

---- libdmo_plugin denial -----

Summary
SELinux is preventing /usr/bin/vlc from loading /usr/lib/vlc/codec/libdmo_plugin.so which requires text relocation.

Detailed Description
The /usr/bin/vlc application attempted to load /usr/lib/vlc/codec/libdmo_plugin.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/vlc/codec/libdmo_plugin.so to use relocation as a workaround, until the library is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
If you trust /usr/lib/vlc/codec/libdmo_plugin.so to run correctly, you can change the file context to textrel_shlib_t.
"chcon -t textrel_shlib_t /usr/lib/vlc/codec/libdmo_plugin.so"
The following command will allow this access:
chcon -t textrel_shlib_t /usr/lib/vlc/codec/libdmo_plugin.so

Additional Information:
Source Context: user_u:system_r:unconfined_t
Target Context: system_u:object_r:lib_t
Target Objects: /usr/lib/vlc/codec/libdmo_plugin.so [ file ]
Affected RPM Packages: vlc-0.8.6a-1.lvn6.1 [application]vlc-0.8.6a-1.lvn6.1 [target]
Policy RPM: selinux-policy-2.4.6-27.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.allow_execmod
Host Name: rusharri-lnx2
Platform: Linux rusharri-lnx2 2.6.19-1.2895.fc6 #1 SMP Wed Jan 10 19:28:18 EST 2007 i686 i686
Alert Count: 1
Line Numbers:

Raw Audit Messages:
avc: denied { execmod } for comm="vlc" dev=dm-0 egid=162433 euid=162433 exe="/usr/bin/vlc" exit=-13 fsgid=162433 fsuid=162433 gid=162433 items=0 name="libdmo_plugin.so" path="/usr/lib/vlc/codec/libdmo_plugin.so" pid=10856 scontext=user_u:system_r:unconfined_t:s0 sgid=162433 subj=user_u:system_r:unconfined_t:s0 suid=162433 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=pts1 uid=162433

-------- librealaudio_plugin denial --------

Summary
SELinux is preventing /usr/bin/vlc from loading /usr/lib/vlc/codec/librealaudio_plugin.so which requires text relocation.

Detailed Description
The /usr/bin/vlc application attempted to load /usr/lib/vlc/codec/librealaudio_plugin.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/vlc/codec/librealaudio_plugin.so to use relocation as a workaround, until the library is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Allowing Access
If you trust /usr/lib/vlc/codec/librealaudio_plugin.so to run correctly, you can change the file context to textrel_shlib_t.
"chcon -t textrel_shlib_t /usr/lib/vlc/codec/librealaudio_plugin.so"
The following command will allow this access:
chcon -t textrel_shlib_t /usr/lib/vlc/codec/librealaudio_plugin.so

Additional Information:
Source Context: user_u:system_r:unconfined_t
Target Context: system_u:object_r:lib_t
Target Objects: /usr/lib/vlc/codec/librealaudio_plugin.so [ file ]
Affected RPM Packages: vlc-0.8.6a-1.lvn6.1 [application]vlc-0.8.6a-1.lvn6.1 [target]
Policy RPM: selinux-policy-2.4.6-27.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.allow_execmod
Host Name: rusharri-lnx2
Platform: Linux rusharri-lnx2 2.6.19-1.2895.fc6 #1 SMP Wed Jan 10 19:28:18 EST 2007 i686 i686
Alert Count: 1
Line Numbers:

Raw Audit Messages:
avc: denied { execmod } for comm="vlc" dev=dm-0 egid=162433 euid=162433 exe="/usr/bin/vlc" exit=-13 fsgid=16243

----------

Thx for your advice:
Nicolas (kwizart)

From spng.yang at gmail.com Wed Apr 18 02:06:40 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Wed, 18 Apr 2007 10:06:40 +0800
Subject: autoreconf fails in setools of revision 4290
In-Reply-To: <200704171226.51102.jmowery@tresys.com>
References: <4624897D.5030205@gmail.com> <200704171226.51102.jmowery@tresys.com>
Message-ID: <46257D30.3070507@gmail.com>

Jeremy A. Mowery wrote:
> On Tuesday 17 April 2007 04:46, you wrote:
>> hi all,
>>
>> i use autoconf-2.61-8.fc7 in fc7 rawhide
>>
>> autoreconf of this version fails in building setools of
>> revision 4290.
>>
>> i also test setools 3.1 tags, it fails with the same errors:
>>
>> ......
>> sediff/Makefile.am:45: notdir $@: non-POSIX variable name
>> sediff/Makefile.am:45: (probably a GNU make extension)
>> sediff/Makefile.am:48: notdir $@: non-POSIX variable name
>> sediff/Makefile.am:48: (probably a GNU make extension)
>> sediff/Makefile.am:51: notdir $@: non-POSIX variable name
>> sediff/Makefile.am:51: (probably a GNU make extension)
>> autoreconf: automake failed with exit status: 1
>>
> We were unable to reproduce this error.
> We are currently building with:
> autoconf (GNU Autoconf) 2.59
> automake (GNU automake) 1.9.6
> GNU Make 3.80
>
> Could you send further information about the build tools you are using?

the build tools i use are:

automake-1.10-5
autoconf-2.61-8.fc7
make-3.81-6.fc7

as i mentioned before, the 3.1 tags in svn also failed with this error, but the 3.1 version of fc7 can be built without any errors:

setools-3.1-3.fc7.src.rpm

by the way, when i use the setools in fc7 rawhide:

setools-3.1-4.fc7.src.rpm

apol had "segmentation fault" errors in analyzing "all base" policy, i.e. all modules in "module.conf" are changed into "base"

the same errors occurred in setools-3.1-3.fc7.src.rpm. but apol from setools-3.1-3.src.rpm can analyze the same base.pp without any errors. i forget where i got this srpm, maybe from the tresys website, but i am sure that it is not from fc repos.

finally, it seems that this problem does not belong to the selinux list, so i CC to the fedora-selinux list. is "setools at tresys.com" the mailing list of setools? if yes, i will send similar problems to this list.

>
> - Jeremy A. Mowery
>> thanks in advance
>>
>> Ken YANG
>

From ahziem1 at mailbolt.com Wed Apr 18 15:19:13 2007
From: ahziem1 at mailbolt.com (Andrew Ziem)
Date: Wed, 18 Apr 2007 09:19:13 -0600
Subject: Denied despite permissive mode?
Message-ID: <462636F1.10903@mailbolt.com>

Hi,

1. Should I be getting denied in permissive mode?
2. How do I get ntpd working? (Also, smartd has the same problem, but they both used to work some months ago.)
[root at z ~]# getsebool -a | grep exec
allow_execheap --> on
allow_execmem --> on
allow_execmod --> on
allow_execstack --> on
allow_java_execstack --> off
httpd_ssi_exec --> on
httpd_suexec_disable_trans --> off
[root at z ~]# getenforce
Permissive
[root at z ~]# /sbin/service ntpd start
Starting ntpd: SELinux denied execmem.
[FAILED]
[root at z ~]# cat /etc/fedora-release
Fedora Core release 5 (Bordeaux)
[root at z ~]# uname -a
Linux z.localdomain 2.6.20-1.2312.fc5 #1 Tue Apr 10 15:09:44 EDT 2007 i686 athlon i386 GNU/Linux

Andrew

From rhallyx at mindspring.com Wed Apr 18 17:46:37 2007
From: rhallyx at mindspring.com (Richard Hally)
Date: Wed, 18 Apr 2007 13:46:37 -0400
Subject: rawhide update errors
Message-ID: <4626597D.70805@mindspring.com>

from today's yum update from rawhide:

Updating : selinux-policy-strict ##################### [ 29/121]
Updating : selinux-policy-mls ##################### [ 30/121]
Updating : selinux-policy-targeted ##################### [ 31/121]
/sbin/fixfiles: line 62: 17611 Done sed -r -e 's,:s0, ,g' $FC
17612 | sort -u
17613 Done(1) | /usr/bin/diff -b ${PREFCTEMPFILE} -
17614 | grep '^[<>]'
17615 | cut -c3-
17616 | grep ^/
17617 | egrep -v '(^/home|^/root|^/tmp|^/dev)'
17618 | sed -r -e 's,[[:blank:]].*,,g' -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' -e 's|([/[:alnum:]])\?|{\1,}|g' -e 's|\?.*|*|g' -e 's|\(.*|*|g' -e 's|\[.*|*|g' -e 's|\.\*.*|*|g' -e 's|\.\+.*|*|g'
17619 | sort -u
17620 | sort -d
17621 | while read pattern; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2> /dev/null; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" | sed 's,\*$,,g' >> ${TEMPFILE} ;; esac; fi; done
17622 Done(1) | while read pattern; do find $pattern !
\( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune -o \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print; done 2> /dev/null
17623 Segmentation fault | ${RESTORECON} $2 -v -f -
Updating : selinux-policy-devel ##################### [ 32/121]
Updating : policycoreutils-gui ##################### [ 33/121]
Updating : libsepol-devel ##################### [ 34/121]

Richard

From dsugar at tresys.com Wed Apr 18 18:51:11 2007
From: dsugar at tresys.com (Dave Sugar)
Date: Wed, 18 Apr 2007 14:51:11 -0400
Subject: ANN: SELinux Policy IDE (SLIDE) version 1.1
Message-ID: <1176922271.3611.28.camel@localhost.localdomain>

Version 1.1 of the SELinux Policy IDE (SLIDE) from Tresys is now available for download from the Tresys Open Source website at http://oss.tresys.com.

SLIDE is an Eclipse plug-in that integrates with the SELinux Reference Policy to provide a development environment for building SELinux policy.

SLIDE features:
* A graphical user interface for policy development, including policy syntax highlighting, context suggestions, and integrated compilation.
* Integration with SELinux Reference Policy, including quick lookup and documentation for interfaces.
* Wizards and easy to use templates to automate common tasks from creating a new SELinux policy to adding an interface into an existing module.
* Integrated remote policy installation and audit log monitoring, to facilitate policy testing.
* Seamless integration with the power of standard Eclipse.

Version 1.1 highlights:
* Disabled interfaces indicated in module editor.
* Improved documentation on the open source web site.
* Updates to SLIDERemote to work with SETools version 3.1.
* Support for new fields in build.conf editor.
* Fixed problems with the Console output.

If you would like to contribute, currently the best help would be to test and provide feedback on the SLIDE plugin and SLIDE Remote.
From adpacifico at users.sourceforge.net Wed Apr 18 20:56:44 2007
From: adpacifico at users.sourceforge.net (Al Pacifico)
Date: Wed, 18 Apr 2007 13:56:44 -0700
Subject: Helper program for a daemon
Message-ID: <5d3cd4150704181356g25831acanb47ccfb9557c1639@mail.gmail.com>

I (a greenhorn with selinux) am writing a policy for a daemon that streams music files over my home network to a music player client (a Slimdevices Squeezebox). My OS is FC5.

The main daemon (/usr/sbin/slimserver) is a perl script that serves the music files and is started with an init script. My questions have to do with a secondary program (/usr/sbin/slimserver-scanner, also a perl script) that scans the music on the server, reading mp3 tags and such, and generates a database of stored music that is stored in a MySQL database. /usr/sbin/slimserver-scanner is invoked by the /usr/sbin/slimserver daemon and might be invoked by the user (although I can't recall ever doing so in several years of owning a Squeezebox).

I've been following the example posted by Dan Walsh in a blog at http://danwalsh.livejournal.com/8707.html?thread=39171 which has been extremely helpful.

My (2) questions:
1. What is the appropriate file context for the scanner program?
system_u:object_r:sbin_t?
system_u:object_r:slimserver_t?
system_u:object_r:slimserver_exec_t?
The generated slimserver.fc file contains:

# slimserver executable will have:
# label: system_u:object_r:slimserver_exec_t
# MLS sensitivity: s0
# MCS categories:

/usr/sbin/slimserver -- gen_context(system_u:object_r:slimserver_exec_t,s0)
/var/run/slimserver.pid gen_context(system_u:object_r:slimserver_var_run_t,s0)
/var/log/slimserver gen_context(system_u:object_r:slimserver_var_log_t,s0)

and the slimserver.if file contains:

interface(`slimserver_domtrans',`
	gen_require(`
		type slimserver_t, slimserver_exec_t;
	')

	domain_auto_trans($1,slimserver_exec_t,slimserver_t)

	allow $1 slimserver_t:fd use;
	allow slimserver_t $1:fd use;
	allow slimserver_t $1:fifo_file rw_file_perms;
	allow slimserver_t $1:process sigchld;
')

2. There is no reason the scanner program needs to be added to the slimserver.fc that was generated by policygentool, is there? The file itself just needs to be labeled appropriately, right? Or does that file play some role in policy compilation in a step that I did not explicitly execute when I invoked 'make -f /usr/share/selinux/devel/Makefile'?

Thanks in advance.
-al
-- 
Al Pacifico
Seattle, WA

From janfrode at tanso.net Wed Apr 18 22:25:07 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Thu, 19 Apr 2007 00:25:07 +0200
Subject: Helper program for a daemon
References: <5d3cd4150704181356g25831acanb47ccfb9557c1639@mail.gmail.com>
Message-ID:

On 2007-04-18, Al Pacifico wrote:
> I (a greenhorn with selinux) am writing a policy for a daemon that streams
> music files over my home network to a music player client (a Slimdevices
> Squeezebox). My OS is FC5.

Cool, I have a Squeezebox too, and slimserver running on Centos5.

>
> I've been following the example posted by Dan Walsh in a blog at
> http://danwalsh.livejournal.com/8707.html?thread=39171 which has been
> extremely helpful.
Have a look at my venture into selinux-land too :-) Chronologically:

http://tanso.net/selinux/
http://tanso.net/selinux/argus/
http://tanso.net/selinux/argus/argus-from-scratch/

> My (2) questions:
> 1. What is the appropriate file context for the scanner program?
> system_u:object_r:sbin_t?
> system_u:object_r:slimserver_t?
> system_u:object_r:slimserver_exec_t?

I believe the scanner is executed from the web-server process (there's a scan-now link, or similar). So, my guess would be that you should make the main slimserver script that's supposed to transition into slimserver_t slimserver_exec_t, while the scanner should be slimserver_t. If you make it sbin_t or bin_t, it will mean that you'll need to give the main slimserver access to execute all files of type (s)bin_t.

It will probably be interesting to see how much it's possible to confine a perl-script like the slimserver. Without looking, I'd assume it'd need to exec lots of bin_t executables..

>
> 2. There is no reason the scanner program needs to be added to the
> slimserver.fc that was generated by policygentool, is there? The file
> itself just needs to
> be labeled appropriately, right?

I think you'll want to add the scanner to slimserver.fc to make sure the labeling gets correct on the next re-label or slimserver upgrade.

-jf

From spng.yang at gmail.com Thu Apr 19 02:16:55 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Thu, 19 Apr 2007 10:16:55 +0800
Subject: autoreconf fails in setools of revision 4290
In-Reply-To: <1176929988.1270.14.camel@localhost.localdomain>
References: <4624897D.5030205@gmail.com> <200704171226.51102.jmowery@tresys.com> <46257D30.3070507@gmail.com> <1176929988.1270.14.camel@localhost.localdomain>
Message-ID: <4626D117.8080302@gmail.com>

J. Tang wrote:
> On Wed, 2007-04-18 at 10:06 +0800, Ken YANG wrote:
>> the build tools i use are:
>>
>> automake-1.10-5
>> autoconf-2.61-8.fc7
>> make-3.81-6.fc7
>
> Hello Ken.
>
> I was able to reproduce your issue on a Rawhide system.
> The reason is
> due to automake. Fedora Core 6 (which is what SETools was tested upon)
> ships with automake 1.9; Rawhide has automake 1.10. This newer version
> of automake now considers GNU make extensions to be fatal errors,
> whereas previous versions of automake ignored them.
>
> Quick Answer: From SVN checkout, do this as the first step:
>
> $ autoreconf -Wno-portability -i
>
>> as i mentioned before, the 3.1 tags in svn also failed with this error
>> but the 3.1 version of fc7 can be built without any errors:
>
> This is because the source RPM contains the distributed, post-automake
> files. That is, it has the result of a 'make dist'.

thanks very much for your guidance.

>
>> apol had "segmentation fault" errors in analyzing "all base" policy,
>> i.e. all modules in "module.conf" are changed into "base"
>
> There is a critical error in libsepol-2.0.2 that prevents SETools from
> opening source policies. Unfortunately, recompiling SETools against
> libsepol-2.0.3 is not sufficient; it also requires a fix that is only in
> the development branch of SETools.
>
>> "setools at tresys.com" is the mailing list of setools? if yes, i will send
>
> Yes.

if i have some setools problems (maybe bugs) in future, where can i send them? i can not find "subscribe" for the setools mailing list, but i find the "Active Tickets" in the setools wiki. actually, i don't know what this means. i find there are bug and feature.

if the setools mailing list is private, i will send problems/bugs to the fedora-selinux mailing list in future, ok?

>

From janfrode at tanso.net Thu Apr 19 07:01:09 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Thu, 19 Apr 2007 09:01:09 +0200
Subject: packaging selinux modules into rpms ?
Message-ID:

I've been building RPMs for syslog-ng and argus, that need to contain selinux-modules to work on enforcing RHEL5. Are there any recommendations for how to package these with RPM?
In http://tanso.net/yum/repodata/repoview/syslog-ng-0-2.0.3-1.el5.html I build the module by checkmodule/semodule_package/semodule -i in the rpm %post, but maybe I should have done this in the source-rpm, and just installed the .pp in the binary-rpm %post ?

-jf

From paul at city-fan.org Thu Apr 19 09:46:28 2007
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 19 Apr 2007 10:46:28 +0100
Subject: packaging selinux modules into rpms ?
In-Reply-To:
References:
Message-ID: <1176975988.4264.5.camel@metropolis.intra.city-fan.org>

On Thu, 2007-04-19 at 09:01 +0200, Jan-Frode Myklebust wrote:
> I've been building RPMs for syslog-ng and argus, that need
> to contain selinux-modules to work on enforcing RHEL5. Are
> there any recommendations for how to package these with RPM?
>
> In http://tanso.net/yum/repodata/repoview/syslog-ng-0-2.0.3-1.el5.html
> I build the module by checkmodule/semodule_package/semodule -i in the
> rpm %post, but maybe I should have done this in the source-rpm, and
> just installed the .pp in the binary-rpm %post ?
>

A few people have contributed selinux module packaging guidelines here:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules

Paul.

From dwalsh at redhat.com Thu Apr 19 13:25:28 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 19 Apr 2007 09:25:28 -0400
Subject: Helper program for a daemon
In-Reply-To: <5d3cd4150704181356g25831acanb47ccfb9557c1639@mail.gmail.com>
References: <5d3cd4150704181356g25831acanb47ccfb9557c1639@mail.gmail.com>
Message-ID: <46276DC8.4020808@redhat.com>

Al Pacifico wrote:
> I (a greenhorn with selinux) am writing a policy for a daemon that
> streams music files over my home network to a music player client (a
> Slimdevices Squeezebox). My OS is FC5.
>
> The main daemon (/usr/sbin/slimserver) is a perl script that serves
> the music files and is started with an init script.
> My questions have
> to do with a secondary program (/usr/sbin/slimserver-scanner, also a
> perl script) that scans the music on the server, reading mp3 tags and
> such, and generates a database of stored music that is stored in a
> MySQL database. /usr/sbin/slimserver-scanner is invoked by the
> /usr/sbin/slimserver daemon and might be invoked by the user (although
> I can't recall ever doing so in several years of owning a Squeezebox).
>
> I've been following the example posted by Dan Walsh in a blog at
> http://danwalsh.livejournal.com/8707.html?thread=39171 which has been
> extremely helpful.
>
> My (2) questions:
> 1. What is the appropriate file context for the scanner program?
> system_u:object_r:sbin_t?
> system_u:object_r:slimserver_t?
> system_u:object_r:slimserver_exec_t?
>

That depends on your security goals. If you want the slimserver-scanner to have the same privs as slimserver you would label it sbin_t and allow slimserver to corecmd_exec_sbin(). If you want to go with least privs, you would create a new policy for slimserver-scanner (slimserver_scanner_t with file context of slimserver_scanner_exec_t) and then add a rule to slimserver_t to domtrans:

slimserver_scanner_domtrans(slimserver_t)

> The generated slimserver.fc file contains:
> # slimserver executable will have:
> # label: system_u:object_r:slimserver_exec_t
> # MLS sensitivity: s0
> # MCS categories:
>
> /usr/sbin/slimserver -- gen_context(system_u:object_r:slimserver_exec_t,s0)
> /var/run/slimserver.pid gen_context(system_u:object_r:slimserver_var_run_t,s0)
> /var/log/slimserver gen_context(system_u:object_r:slimserver_var_log_t,s0)
>
> and the slimserver.if file contains:
> interface(`slimserver_domtrans',`
> 	gen_require(`
> 		type slimserver_t, slimserver_exec_t;
> 	')
>
> 	domain_auto_trans($1,slimserver_exec_t,slimserver_t)
>
> 	allow $1 slimserver_t:fd use;
> 	allow slimserver_t $1:fd use;
> 	allow slimserver_t $1:fifo_file rw_file_perms;
> 	allow slimserver_t $1:process sigchld;
> ')
>
> 2. There is no reason the scanner program needs to be added to the
> slimserver.fc that was generated by policygentool, is there?

Only if you are creating a context for slimserver_scanner_exec_t, otherwise just let it be labeled sbin_t.

> The file itself just needs to be labeled appropriately, right? Or does
> that file play some role in policy compilation in a step that I did
> not explicitly execute when I invoked 'make -f
> /usr/share/selinux/devel/Makefile'?
>
> Thanks in advance.
> -al
> --
> Al Pacifico
> Seattle, WA

From sds at tycho.nsa.gov Thu Apr 19 16:20:45 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 19 Apr 2007 12:20:45 -0400
Subject: Denied despite permissive mode?
In-Reply-To: <462636F1.10903@mailbolt.com>
References: <462636F1.10903@mailbolt.com>
Message-ID: <1176999645.27654.77.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2007-04-18 at 09:19 -0600, Andrew Ziem wrote:
> Hi,
>
> 1. Should I be getting denied in permissive mode?

No.

> 2. How do I get ntpd working? (Also, smartd has the same problem, but
> they both used to work some months ago.)
>
> [root at z ~]# getsebool -a | grep exec
> allow_execheap --> on
> allow_execmem --> on
> allow_execmod --> on
> allow_execstack --> on
> allow_java_execstack --> off
> httpd_ssi_exec --> on
> httpd_suexec_disable_trans --> off
> [root at z ~]# getenforce
> Permissive
> [root at z ~]# /sbin/service ntpd start
> Starting ntpd: SELinux denied execmem.

Hmm...that's interesting. What is generating that message ("SELinux denied execmem")?
A SELinux denial only manifests as an audit message (in /var/log/messages or /var/log/audit/audit.log) and as an error return from the kernel (with errno EACCES, but not distinguished from other potential reasons for permission denied there), so some userland component is displaying that message for you, not SELinux itself. I'd guess that the application or script is getting an error and incorrectly assuming that it was SELinux that was the culprit, as permissive mode shouldn't deny anything.

> [FAILED]
> [root at z ~]# cat /etc/fedora-release
> Fedora Core release 5 (Bordeaux)
> [root at z ~]# uname -a
> Linux z.localdomain 2.6.20-1.2312.fc5 #1 Tue Apr 10 15:09:44 EDT 2007
> i686 athlon i386 GNU/Linux
>
> Andrew

-- 
Stephen Smalley
National Security Agency

From lamont at gurulabs.com Thu Apr 19 17:20:35 2007
From: lamont at gurulabs.com (Lamont Peterson)
Date: Thu, 19 Apr 2007 11:20:35 -0600
Subject: Squid cachemgr.cgi AVC denied
Message-ID: <200704191120.40468.lamont@gurulabs.com>

On RHEL5 and FC6, I'm seeing an AVC denied message when trying to use cachemgr.cgi:

type=AVC msg=audit(1177002702.300:787): avc: denied { search } for pid=18199 comm="cachemgr.cgi" name="squid" dev=hda5 ino=346594 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir

If I'm reading this correctly, the problem is that the policy doesn't allow cachemgr.cgi to get its /etc/squid/cachemgr.conf file because the /etc/squid/ directory (and the cachemgr.conf file) are labeled:

# ll -Zd /etc/squid/
drwxr-xr-x root root system_u:object_r:squid_conf_t /etc/squid/
# ll -Z /etc/squid/cachemgr.conf
-rw-r--r-- root squid system_u:object_r:squid_conf_t /etc/squid/cachemgr.conf

Shall I file a bug for this or is it already known, fixed, work-around-is-available?

-- 
Lamont Peterson
Senior Instructor
Guru Labs, L.C.
[ http://www.GuruLabs.com/ ]
NOTE: All messages from this email address should be digitally signed with my 0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as well as other keyservers that sync with MIT's.

From dwalsh at redhat.com Thu Apr 19 18:06:19 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 19 Apr 2007 14:06:19 -0400
Subject: Squid cachemgr.cgi AVC denied
In-Reply-To: <200704191120.40468.lamont@gurulabs.com>
References: <200704191120.40468.lamont@gurulabs.com>
Message-ID: <4627AF9B.8070902@redhat.com>

Lamont Peterson wrote:
> On RHEL5 and FC6, I'm seeing an AVC denied message when trying to use
> cachemgr.cgi:
>
> type=AVC msg=audit(1177002702.300:787): avc: denied { search } for
> pid=18199 comm="cachemgr.cgi" name="squid" dev=hda5 ino=346594
> scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0
> tclass=dir
>
> If I'm reading this correctly, the problem is that the policy doesn't allow
> cachemgr.cgi to get its /etc/squid/cachemgr.conf file because the /etc/squid/
> directory (and the cachemgr.conf file) are labeled:
>
> # ll -Zd /etc/squid/
> drwxr-xr-x root root system_u:object_r:squid_conf_t /etc/squid/
> # ll -Z /etc/squid/cachemgr.conf
> -rw-r--r-- root squid
> system_u:object_r:squid_conf_t /etc/squid/cachemgr.conf
>
> Shall I file a bug for this or is it already known, fixed,
> work-around-is-available?
>

Please update to the latest selinux-policy. This should work there.
yum -y update selinux-policy

From adpacifico at users.sourceforge.net Thu Apr 19 23:22:11 2007
From: adpacifico at users.sourceforge.net (Al Pacifico)
Date: Thu, 19 Apr 2007 16:22:11 -0700
Subject: Helper program for a daemon
In-Reply-To: <46276DC8.4020808@redhat.com>
References: <5d3cd4150704181356g25831acanb47ccfb9557c1639@mail.gmail.com> <46276DC8.4020808@redhat.com>
Message-ID: <5d3cd4150704191622n41116062h2fff070677f690e6@mail.gmail.com>

On 4/19/07, Daniel J Walsh wrote:
>
> Al Pacifico wrote:
> > I (a greenhorn with selinux) am writing a policy for a daemon that streams music files over my home network to a music player client (a Slimdevices Squeezebox). My OS is FC5.
> >
> > The main daemon (/usr/sbin/slimserver) is a perl script that serves the music files and is started with an init script. My questions have to do with a secondary program (/usr/sbin/slimserver-scanner, also a perl script) that scans the music on the server, reading mp3 tags and such, and generates a database of stored music that is stored in a MySQL database. /usr/sbin/slimserver-scanner is invoked by the /usr/sbin/slimserver daemon and might be invoked by the user (although I can't recall ever doing so in several years of owning a Squeezebox).
> >
> > I've been following the example posted by Dan Walsh in a blog at http://danwalsh.livejournal.com/8707.html?thread=39171 which has been extremely helpful.
> >
> > My (2) questions:
> > 1. What is the appropriate file context for the scanner program?
> > system_u:object_r:sbin_t?
> > system_u:object_r:slimserver_t?
> > system_u:object_r:slimserver_exec_t?
> >
> That depends on your security goals. If you want the slimserver-scanner to have the same privs as slimserver you would label it sbin_t and allow slimserver to corecmd_exec_sbin(). If you want to go with least privs, you would create a new policy for slimserver-scanner (slimserver_scanner_t with file context of slimserver_scanner_exec_t) and then add a rule to slimserver_t to domtrans slimserver_scanner_domtrans(slimserver_t)

After reviewing the source code to:
1) confirm that slimserver-scanner is intended to be run from the command line as well as by the slimserver daemon
2) see if it logs to the slimserver log
3) determine if it might want to use the network
(to which all three answers were 'yes')
...I tried to use policygentool to create a policy for slimserver-scanner. However, I was stymied by an error.

Here is what happened:

[root at joplin slimserver-scanner]# /usr/share/selinux/devel/policygentool slimserver-scanner /usr/sbin/slimserver-scanner

This tool generate three files for policy development, A Type Enforcement (te) file, a File Context (fc), and a Interface File(if). Most of the policy rules will be written in the te file. Use the File Context file to associate file paths with security context. Use the interface rules to allow other protected domains to interact with the newly defined domains.

After generating these files use the /usr/share/selinux/devel/Makefile to compile your policy package. Then use the semodule tool to load it.

# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -l myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

Now you can turn on permissive mode, start your application and avc messages will be generated. You can use audit2allow to help translate the avc messages into policy.

# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log

Return to continue:

If the module uses pidfiles, what is the pidfile called?
If the module uses logfiles, where are they stored? /var/log/slimserver
If the module has var/lib files, where are they stored?
Does the module have a init script? [yN] N
Does the module use the network? [yN] y

[root at joplin slimserver-scanner]# ls
slimserver-scanner.fc slimserver-scanner.if slimserver-scanner.te
[root at joplin slimserver-scanner]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted slimserver-scanner module
/usr/bin/checkmodule: loading policy configuration from tmp/slimserver-scanner.tmp
slimserver-scanner.te:1:ERROR 'syntax error' at token 'slimserver-scanner' on line 59006:
module slimserver-scanner 1.0.0;
#line 1
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/slimserver-scanner.mod] Error 1

I thought I would display the line containing the error and associated context with the following:

[root at joplin slimserver-scanner]# nl tmp/slimserver-scanner.tmp | sed -n '58990,59022p'
50718 ## Execute a domain transition to run slimserver-scanner.
50719 ##
50720 ##
50721 ##
50722 ## Domain allowed to transition.
50723 ##
50724 ##
50725 #
50726
50727 #line 124172
50728 #line 1 "slimserver-scanner.te"
50729 #line 1
50730
50731 #line 1
50732 module slimserver-scanner 1.0.0;
50733 #line 1
50734 #line 1
50735 require {
50736 #line 1
50737 role system_r;
50738 #line 1
50739
50740 #line 1
50741 class security { compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot };
50742 #line 1
50743 class process { fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate };
50744 #line 1
50745 class system { ipc_info syslog_read syslog_mod syslog_console };
50746 #line 1
50747 class capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control };

which does show the line 'module slimserver-scanner 1.0.0;', although the line numbering is inconsistent.

At first, I thought maybe policygentool inspected the context for the /usr/sbin/slimserver-scanner binary and that was the problem. Cursory examination of the source code did not suggest this. Now, I wonder if policygentool is only to be used for daemons. This wasn't stated in any comments. (BTW I'm using the selinux-policy-devel-2.3.7-2.fc5 package.)

Are there any thoughts regarding the nature of the error or suggestions for alternative tools for generating the policy?

-al
--
Al Pacifico
Seattle, WA
From olivares14031 at yahoo.com Thu Apr 19 23:24:14 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 19 Apr 2007 16:24:14 -0700 (PDT)
Subject: SELinux is preventing /usr/sbin/semodule (semanage_t) "getattr" to / (security_t).
Message-ID: <222679.2941.qm@web52606.mail.re2.yahoo.com>

Dear list(s),

currently running Rawhide and setroubleshoot browser fires up with a denial

Summary
SELinux is preventing /usr/sbin/semodule (semanage_t) "getattr" to / (security_t).

Detailed Description
SELinux denied access requested by /usr/sbin/semodule. It is not expected that this access is required by /usr/sbin/semodule and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context: user_u:system_r:semanage_t
Target Context: system_u:object_r:security_t
Target Objects: / [ filesystem ]
Affected RPM Packages: policycoreutils-2.0.2-3.fc7 [application] filesystem-2.4.2-1.fc7 [target]
Policy RPM: selinux-policy-2.5.4-1.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall
Host Name: localhost
Platform: Linux localhost 2.6.20-1.2949.fc7 #1 SMP Mon Feb 26 18:37:35 EST 2007 i686 athlon
Alert Count: 1
First Seen: Wed 04 Apr 2007 06:46:19 AM CDT
Last Seen: Wed 04 Apr 2007 06:46:19 AM CDT
Local ID: 32e2ac76-301c-4f3f-b971-e8b7da4fff73
Line Numbers:

Raw Audit Messages
avc: denied { getattr } for comm="semodule" dev=selinuxfs egid=0 euid=0 exe="/usr/sbin/semodule" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=8883 scontext=user_u:system_r:semanage_t:s0 sgid=0 subj=user_u:system_r:semanage_t:s0 suid=0 tclass=filesystem tcontext=system_u:object_r:security_t:s0 tty=pts1 uid=0

Summary
SELinux is preventing /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).

Detailed Description
SELinux denied access requested by /usr/sbin/useradd. It is not expected that this access is required by /usr/sbin/useradd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for faillog, restorecon -v faillog If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context: user_u:system_r:useradd_t
Target Context: system_u:object_r:var_log_t
Target Objects: faillog [ file ]
Affected RPM Packages: shadow-utils-4.0.18.1-13.fc7 [application]
Policy RPM: selinux-policy-2.5.12-5.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: localhost
Platform: Linux localhost 2.6.20-1.3088.fc7 #1 SMP Wed Apr 18 15:12:44 EDT 2007 i686 athlon
Alert Count: 1
First Seen: Thu 19 Apr 2007 06:19:42 PM CDT
Last Seen: Thu 19 Apr 2007 06:19:42 PM CDT
Local ID: 2eacf14b-bf35-4d12-bb8e-13e35aeaaf6a
Line Numbers:

Raw Audit Messages
avc: denied { read, write } for comm="useradd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/useradd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="faillog" pid=3370 scontext=user_u:system_r:useradd_t:s0 sgid=0 subj=user_u:system_r:useradd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:var_log_t:s0 tty=pts0 uid=0

Thanks for any help/suggestions on this.

Regards,

Antonio

From janfrode at tanso.net Fri Apr 20 07:33:33 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Fri, 20 Apr 2007 09:33:33 +0200
Subject: Helper program for a daemon
References: <5d3cd4150704181356g25831acanb47ccfb9557c1639@mail.gmail.com> <46276DC8.4020808@redhat.com> <5d3cd4150704191622n41116062h2fff070677f690e6@mail.gmail.com>
Message-ID:

On 2007-04-19, Al Pacifico wrote:
> scanner.tmp
> slimserver-scanner.te:1:ERROR 'syntax error' at token 'slimserver-scanner' on line 59006:
> module slimserver-scanner 1.0.0;
> #line 1
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/slimserver-scanner.mod] Error 1
>

AFAIK it doesn't like the '-' in the module name. Try changing it to "slimserverscanner" or "slimserver_scanner".
-jf

From janfrode at tanso.net Fri Apr 20 10:53:39 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Fri, 20 Apr 2007 12:53:39 +0200
Subject: vlc x86 libs requires text relocation.
References: <462527C2.1020808@gmail.com>
Message-ID:

On 2007-04-17, kwizart wrote:
>
> This affect vlc for Fedora release 5, 6 and devel only for x86 (not ppc or x86_64)
>
> from https://bugzilla.livna.org/show_bug.cgi?id=1404
> ----
> SELinux is preventing /usr/bin/vlc from loading /usr/lib/vlc/codec/libdmo_plugin.so which requires text relocation.
>
> SELinux is preventing /usr/bin/vlc from loading /usr/lib/vlc/codec/librealaudio_plugin.so which requires text relocation.
>
> I'm not sure if this can be fixed in the vlc package or if it would need to be fixed in the selinux policy package.

It can be fixed in the vlc package's RPM %post section by running:

# Add new labeling rules for libraries requiring text relocation:
/usr/sbin/semanage fcontext -a -t textrel_shlib_t /usr/lib/vlc/codec/libdmo_plugin.so
/usr/sbin/semanage fcontext -a -t textrel_shlib_t /usr/lib/vlc/codec/librealaudio_plugin.so
# Set correct SELinux security contexts:
restorecon /usr/lib/vlc/codec/libdmo_plugin.so /usr/lib/vlc/codec/librealaudio_plugin.so

The semanage commands will add these rules to /etc/selinux/targeted/contexts/files/file_contexts.local.

-jf

From adpacifico at users.sourceforge.net Fri Apr 20 16:52:18 2007
From: adpacifico at users.sourceforge.net (Al Pacifico)
Date: Fri, 20 Apr 2007 09:52:18 -0700
Subject: Backing out of changes to file contexts specification
Message-ID: <5d3cd4150704200952o6f9ae58nc0dfdf9b9c61b3c4@mail.gmail.com>

This is related to the daemon question I asked earlier.

I created a problem using policygentool by specifying that a log file is written to by two different binaries with different policies. My thread about "Helper program for a daemon" provides some context (no pun intended).

I didn't realize that installing the policy would change the file context specification database (although it makes perfect sense in retrospect). Now, I've inadvertently specified that /var/log/slimserver be labelled under two different contexts in /etc/selinux/targeted/contexts/files/file_contexts and wish to remove the second set of entries.

Output of setfiles -n /etc/selinux/targeted/contexts/files/file_contexts $filename includes several messages of the form:

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/log/slimserver (system_u:object_r:slimserver_scanner_var_log_t and system_u:object_r:slimserver_var_log_t).

My policy module didn't install correctly because of this error, but the file contexts specification is now incorrect. What is the best way to correct this?
1. Just use sed or vi to eliminate the second specification?
2. Remove both installed policies that I wrote (which are the only non-stock policy modules installed on my FC5 box) using semodule and restore /etc/selinux/targeted/contexts/files/file_contexts from the rpm package file?

Keep in mind I'm doing this over ssh to a box with no GUI, so I must use the command line, vi, etc.

-al
--
Al Pacifico
Seattle, WA

From florin at andrei.myip.org Fri Apr 20 17:36:33 2007
From: florin at andrei.myip.org (Florin Andrei)
Date: Fri, 20 Apr 2007 10:36:33 -0700
Subject: MySQL custom datadir location - other daemons too
Message-ID: <4628FA21.6070606@andrei.myip.org>

I'm building a log analysis server that's running a big MySQL database. Logs are imported in the database and then are processed for statistical analysis and stuff like that. The system is running CentOS5 64bit (almost identical to RHEL 5).

I'm keeping the database on a separate RAID array, for obvious reasons. So I mounted that array as /db and then moved the MySQL datadir via /etc/my.cnf:

datadir=/db/mysql
tmpdir=/db/tmp/
basedir=/db

I made sure to move /var/lib/mysql to /db/mysql in such a way as to preserve all the attributes, including SELinux.

But, of course, MySQL fails to run:

type=AVC msg=audit(1177025497.442:254): avc: denied { search } for pid=7453 comm="mysqld" name="/" dev=sdb1 ino=2 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1177025497.442:254): arch=c000003e syscall=87 success=no exit=-13 a0=7fff6ee35150 a1=0 a2=0 a3=3 items=0 ppid=7417 pid=7453 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mysqld" exe="/usr/libexec/mysqld" subj=root:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1177025497.442:255): avc: denied { search } for pid=7453 comm="mysqld" name="/" dev=sdb1 ino=2 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1177025497.442:255): arch=c000003e syscall=2 success=no exit=-13 a0=7fff6ee35350 a1=42 a2=1b6 a3=3 items=0 ppid=7417 pid=7453 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mysqld" exe="/usr/libexec/mysqld" subj=root:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1177025497.442:256): avc: denied { search } for pid=7453 comm="mysqld" name="/" dev=sdb1 ino=2 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

Now, I can definitely customize the policy, I guess the first rule would be like this and I'll keep tweaking it until it works:

allow mysqld_t file_t:dir search;

But this seems like a hack. I mean, moving the datadir to a different location is probably something that MySQL admins do all the time when building big servers (or maybe even not that big). I wish there was a SELinux variable, or a place where I can tell SELinux that the datadir has moved, that XYZ is the new location, and just let me use it (provided that the SELinux attributes are OK within the MySQL datadir per se).

Same thing happens with many servers when moving their default data locations. Examples that I had issues with: Cyrus-IMAPd, Squid.

Sure, one can customize the policy the "normal", step-by-step way, but that doesn't seem the right thing. I'm strictly speaking from the sysadmin's perspective. It just looks like a natural thing to be able to customize SELinux via a simple variable or something, and make it "aware" (sort of) that, hey, I only moved the data dir to a new location, stop panicking about that.

Thanks,

--
Florin Andrei
http://florin.myip.org/

From lamont at gurulabs.com Fri Apr 20 22:57:15 2007
From: lamont at gurulabs.com (Lamont Peterson)
Date: Fri, 20 Apr 2007 16:57:15 -0600
Subject: Squid cachemgr.cgi AVC denied
In-Reply-To: <4627AF9B.8070902@redhat.com>
References: <200704191120.40468.lamont@gurulabs.com> <4627AF9B.8070902@redhat.com>
Message-ID: <200704201657.22175.lamont@gurulabs.com>

On Thursday 19 April 2007 12:06pm, Daniel J Walsh wrote:
> Lamont Peterson wrote:
> > On RHEL5 and FC6, I'm seeing an AVC denied message when trying to use cachemgr.cgi:
> >
> > type=AVC msg=audit(1177002702.300:787): avc: denied { search } for pid=18199 comm="cachemgr.cgi" name="squid" dev=hda5 ino=346594 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir
> >
> > If I'm reading this correctly, the problem is that the policy doesn't allow cachemgr.cgi to get its /etc/squid/cachemgr.conf file because the /etc/squid/ directory (and the cachemgr.conf file) are labeled:
> >
> > # ll -Zd /etc/squid/
> > drwxr-xr-x root root system_u:object_r:squid_conf_t /etc/squid/
> > # ll -Z /etc/squid/cachemgr.conf
> > -rw-r--r-- root squid system_u:object_r:squid_conf_t
> > /etc/squid/cachemgr.conf
> >
> > Shall I file a bug for this or is it already known, fixed, work-around-is-available?
>
> Please update to the latest selinux-policy. This should work there.
>
> yum -y update selinux-policy

That might be well and good for FC6, but I don't see a single SELinux update for RHEL5 on RHN. Is there one coming soon for RHEL5 or should we try installing the FC6 SELinux targeted policy on RHEL5?

--
Lamont Peterson
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
NOTE: All messages from this email address should be digitally signed with my 0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as well as other keyservers that sync with MIT's.

From mykleb at no.ibm.com Fri Apr 20 19:12:24 2007
From: mykleb at no.ibm.com (Jan-Frode Myklebust)
Date: Fri, 20 Apr 2007 21:12:24 +0200
Subject: MySQL custom datadir location - other daemons too
References: <4628FA21.6070606@andrei.myip.org>
Message-ID:

These are the selinux labeling rules for mysql:

# grep mysql /etc/selinux/targeted/contexts/files/file_contexts
/etc/mysql(/.*)? system_u:object_r:mysqld_etc_t:s0
/var/log/mysql.* -- system_u:object_r:mysqld_log_t:s0
/var/lib/mysql(/.*)? system_u:object_r:mysqld_db_t:s0
/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t:s0
/usr/sbin/mysqld(-max)? -- system_u:object_r:mysqld_exec_t:s0
/etc/my\.cnf -- system_u:object_r:mysqld_etc_t:s0
/usr/libexec/mysqld -- system_u:object_r:mysqld_exec_t:s0
/var/lib/mysql/mysql\.sock -s system_u:object_r:mysqld_var_run_t:s0

It seems you're moving /var/lib/mysql to /db/mysql, and the following new labeling rule should set the right labels for the db:

# Add new labeling rule:
/usr/sbin/semanage fcontext -a -t mysqld_db_t "/db/mysql(/.*)?"
# Restore labels based on labeling rules:
restorecon -R /db/mysql

But, I'm quite uncertain on how to map your tmpdir and basedir. What were the original locations of these? Once you find these, it will likely be easy to create similar new labeling rules for these, and your new database location should be OK.

On the other hand.. I would have just mounted the storage array as /var/lib/mysql, run "restorecon -R /var/lib/mysql" and not have needed to change much in either selinux or mysql startup for getting it working.

-jf

From florin at andrei.myip.org Fri Apr 20 23:55:59 2007
From: florin at andrei.myip.org (Florin Andrei)
Date: Fri, 20 Apr 2007 16:55:59 -0700
Subject: MySQL custom datadir location - other daemons too
In-Reply-To:
References: <4628FA21.6070606@andrei.myip.org>
Message-ID: <4629530F.2040100@andrei.myip.org>

(re-sending reply to mailing list, Reply-To is broken for this list)

Jan-Frode Myklebust wrote:
>
> It seems you're moving /var/lib/mysql to /db/mysql

true

I've found that if I mount /db like this, SELinux does not complain anymore:

mount -o defcontext=system_u:object_r:var_t /db

The new problem is, if I put defcontext=... in /etc/fstab, for some reason /db errors out when the system boots up and tries to mount it, so /db ends up not mounted.

> But, I'm quite uncertain on how to map your tmpdir and basedir.

tmpdir=/db/tmp/
basedir=/db

> What were the original locations of these?
tmpdir=/tmp/
basedir=/var/lib

--
Florin Andrei
http://florin.myip.org/

From florin at andrei.myip.org Sat Apr 21 00:26:42 2007
From: florin at andrei.myip.org (Florin Andrei)
Date: Fri, 20 Apr 2007 17:26:42 -0700
Subject: MySQL custom datadir location - other daemons too
In-Reply-To:
References: <4628FA21.6070606@andrei.myip.org>
Message-ID: <46295A42.5030001@andrei.myip.org>

Jan-Frode Myklebust wrote:
>
> It seems you're moving /var/lib/mysql to /db/mysql, and the following new labeling rule should set the right labels for the db:
>
> # Add new labeling rule:
> /usr/sbin/semanage fcontext -a -t mysqld_db_t "/db/mysql(/.*)?"

Which files are modified by this command, and will the changes persist after updates will be released (and applied) for the selinux RPMs?

> But, I'm quite uncertain on how to map your tmpdir and basedir. What

Yeah, I'd like to keep tmpdir (originally on /tmp) together with the datadir, so I'd like to move it, say, to /db/tmp

I guess I should run semanage for /db/tmp as well?

basedir will probably be /db (originally /var/lib) so I'm not sure what to do. I guess I could actually move /var/lib/mysql to /db/lib/mysql and change basedir from /var/lib to /db/lib - this might make it simpler to adapt existing labeling rules to the customized system?

By the way, I figured out the fstab thing. The correct way to do it is:

# grep /db /etc/fstab
LABEL=/db /db ext3 defcontext=system_u:object_r:var_t:s0 1 2

The trailing :s0 appears to be important in this context. But after the system boots up, I can manually do a "mount /db" even if :s0 is not appended and it works.

--
Florin Andrei
http://florin.myip.org/

From ahziem1 at mailbolt.com Sat Apr 21 05:34:45 2007
From: ahziem1 at mailbolt.com (Andrew Ziem)
Date: Fri, 20 Apr 2007 23:34:45 -0600
Subject: Denied despite permissive mode?
In-Reply-To: <1176999645.27654.77.camel@moss-spartans.epoch.ncsc.mil>
References: <462636F1.10903@mailbolt.com> <1176999645.27654.77.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4629A275.6090401@mailbolt.com>

Stephen Smalley wrote:
> On Wed, 2007-04-18 at 09:19 -0600, Andrew Ziem wrote:
>
>> Hi,
>>
>> 1. Should I be getting denied in permissive mode?
>>
>
> No.
>
>
>> 2. How do I get ntpd working? (Also, smartd has the same problem, but they both used to work some months ago.)
>>
>> [root at z ~]# getsebool -a | grep exec
>> allow_execheap --> on
>> allow_execmem --> on
>> allow_execmod --> on
>> allow_execstack --> on
>> allow_java_execstack --> off
>> httpd_ssi_exec --> on
>> httpd_suexec_disable_trans --> off
>> [root at z ~]# getenforce
>> Permissive
>> [root at z ~]# /sbin/service ntpd start
>> Starting ntpd: SELinux denied execmem.
>>
>
> Hmm...that's interesting. What is generating that message ("SELinux denied execmem")? A SELinux denial only manifests as an audit message (in /var/log/messages or /var/log/audit/audit.log) and as an error return from the kernel (with errno EACCES, but not distinguished from other potential reasons for permission denied there), so some userland component is displaying that message for you, not SELinux itself.
>
> I'd guess that the application or script is getting an error and incorrectly assuming that it was SELinux that was the culprit, as permissive mode shouldn't deny anything.
>

Apparently, the binaries were corrupt. The problem was solved by:

rpm -e --nodeps ntp hal-cups-utils; yum -y install ntp hal-cups-utils

(Also affected was cups-config-daemon in hal-cups-utils.)

Anyway, sorry for the noise.
Andrew

From mykleb at no.ibm.com Sat Apr 21 10:09:06 2007
From: mykleb at no.ibm.com (Jan-Frode Myklebust)
Date: Sat, 21 Apr 2007 12:09:06 +0200
Subject: MySQL custom datadir location - other daemons too
References: <4628FA21.6070606@andrei.myip.org> <46295A42.5030001@andrei.myip.org>
Message-ID:

On 2007-04-21, Florin Andrei wrote:
>>
>> # Add new labeling rule:
>> /usr/sbin/semanage fcontext -a -t mysqld_db_t "/db/mysql(/.*)?"
>
> Which files are modified by this command, and will the changes persist after updates will be released (and applied) for the selinux RPMs?

The new rule is added to /etc/selinux/targeted/contexts/files/file_contexts.local and will persist after upgrades of mysql/selinux.

> I guess I should run semanage for /db/tmp as well?

I think you will get away with simply labelling /db/ as mysqld_db_t:

/usr/sbin/semanage fcontext -a -t mysqld_db_t "/db(/.*)?"
restorecon -R /db

>
> # grep /db /etc/fstab
> LABEL=/db /db ext3 defcontext=system_u:object_r:var_t:s0 1 2

That doesn't look right to me.. I think you should label it mysqld_db_t, not var_t. mysqld_db_t should mean only mysql will have access to these files and directories, while var_t is much more open. Lots of apps probably have access to var_t.

But -- you should probably do either mount option, or "semanage fcontext". No need to do both.

-jf

From florin at andrei.myip.org Sun Apr 22 01:48:09 2007
From: florin at andrei.myip.org (Florin Andrei)
Date: Sat, 21 Apr 2007 18:48:09 -0700
Subject: MySQL custom datadir location - other daemons too
In-Reply-To:
References: <4628FA21.6070606@andrei.myip.org> <46295A42.5030001@andrei.myip.org>
Message-ID: <462ABED9.7010307@andrei.myip.org>

Jan-Frode Myklebust wrote:
> On 2007-04-21, Florin Andrei wrote:
>
>> # grep /db /etc/fstab
>> LABEL=/db /db ext3 defcontext=system_u:object_r:var_t:s0 1 2
>
> That doesn't look right to me.. I think you should label it mysqld_db_t, not var_t. mysqld_db_t should mean only mysql will have access to these files and directories, while var_t is much more open. Lots of apps probably have access to var_t.

Well, I was just trying to replicate the situation in /var I thought - the least amount of changes, the least amount of headaches. But I'll try both and see what happens.

> But -- you should probably do either mount option, or "semanage fcontext". No need to do both.

Got it.

--
Florin Andrei
http://florin.myip.org/

From florin at andrei.myip.org Sun Apr 22 20:43:06 2007
From: florin at andrei.myip.org (Florin Andrei)
Date: Sun, 22 Apr 2007 13:43:06 -0700
Subject: MySQL custom datadir location - other daemons too
In-Reply-To:
References: <4628FA21.6070606@andrei.myip.org> <46295A42.5030001@andrei.myip.org>
Message-ID: <462BC8DA.4080708@andrei.myip.org>

Jan-Frode Myklebust wrote:
> On 2007-04-21, Florin Andrei wrote:
>
>> # grep /db /etc/fstab
>> LABEL=/db /db ext3 defcontext=system_u:object_r:var_t:s0 1 2
>
> That doesn't look right to me.. I think you should label it mysqld_db_t, not var_t. mysqld_db_t should mean only mysql will have access to these files and directories, while var_t is much more open. Lots of apps probably have access to var_t.

# grep /db /etc/fstab
LABEL=/db /db ext3 defcontext=system_u:object_r:mysql_db_t:s0 1 2

# tail -n 1 /var/log/messages
Apr 22 13:38:34 reports kernel: SELinux: security_context_to_sid(system_u:object_r:mysql_db_t:s0) failed for (dev sdb1, type ext3) errno=-22

--
Florin Andrei
http://florin.myip.org/

From janfrode at tanso.net Sun Apr 22 21:22:07 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Sun, 22 Apr 2007 23:22:07 +0200
Subject: MySQL custom datadir location - other daemons too
References: <4628FA21.6070606@andrei.myip.org> <46295A42.5030001@andrei.myip.org> <462BC8DA.4080708@andrei.myip.org>
Message-ID:

On 2007-04-22, Florin Andrei wrote:
>>
>
> # grep /db /etc/fstab
> LABEL=/db /db ext3 defcontext=system_u:object_r:mysql_db_t:s0 1 2
>
> # tail -n 1 /var/log/messages
> Apr 22 13:38:34 reports kernel: SELinux: security_context_to_sid(system_u:object_r:mysql_db_t:s0) failed for (dev sdb1, type ext3) errno=-22

What about:

LABEL=/db /db ext3 fcontext=system_u:object_r:mysql_db_t:s0 1 2
or
LABEL=/db /db ext3 fcontext=system_u:object_r:mysql_db_t 1 2

?

-jf

From florin at andrei.myip.org Sun Apr 22 23:21:51 2007
From: florin at andrei.myip.org (Florin Andrei)
Date: Sun, 22 Apr 2007 16:21:51 -0700
Subject: MySQL custom datadir location - other daemons too
In-Reply-To:
References: <4628FA21.6070606@andrei.myip.org> <46295A42.5030001@andrei.myip.org> <462BC8DA.4080708@andrei.myip.org>
Message-ID: <462BEE0F.1090902@andrei.myip.org>

Jan-Frode Myklebust wrote:
>
> What about:
>
> LABEL=/db /db ext3 fcontext=system_u:object_r:mysql_db_t:s0 1 2
> or
> LABEL=/db /db ext3 fcontext=system_u:object_r:mysql_db_t 1 2
>
> ?

You mean "fscontext"?

I can't test it now, as the system is busy swallowing a huge pile of logs, but I think fscontext changed the context of all files underneath the mount point. I don't want that, I just want to change the context at the top and leave the rest of the filesystem unchanged.
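An added example, not code from this thread or from the SELinux tools: a small Python model of file_contexts handling, built from the mysql labeling rules Jan-Frode quoted, the /db datadir move, the fstab context line above, and the "Multiple different specifications" warning from Al's "Backing out of changes" thread. Rule syntax, last-match-wins resolution and the duplicate check follow setfiles/matchpathcon semantics; the helper names are hypothetical, and the context check knows only the types named in the rules it is given, not the loaded policy.

```python
"""Model of SELinux file_contexts handling (added example, see lead-in).
Helper names are hypothetical; semantics follow setfiles/matchpathcon."""
import re
from dataclasses import dataclass, field
from typing import Optional

# File-type flags as written in file_contexts; a missing flag matches any type.
FTYPE_FLAGS = {"--": "file", "-d": "dir", "-s": "sock", "-l": "symlink",
               "-c": "char", "-b": "block", "-p": "pipe"}


@dataclass
class FcSpec:
    regex: str
    ftype: Optional[str]   # None: applies to every object type
    context: str           # user:role:type[:range]
    pattern: re.Pattern = field(init=False)

    def __post_init__(self):
        # setfiles anchors each regex against the whole path.
        self.pattern = re.compile(r"\A(?:" + self.regex + r")\Z")


def parse_file_contexts(text):
    """Parse '<regex> [<ftype>] <context>' lines; blanks and comments are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3 and fields[1] in FTYPE_FLAGS:
            specs.append(FcSpec(fields[0], FTYPE_FLAGS[fields[1]], fields[2]))
        elif len(fields) == 2:
            specs.append(FcSpec(fields[0], None, fields[1]))
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
    return specs


def conflicting_specs(specs):
    """What 'setfiles -n' reports as 'Multiple different specifications':
    one regex and file type mapped to two different contexts."""
    first_seen, conflicts = {}, []
    for s in specs:
        key = (s.regex, s.ftype)
        if key in first_seen and first_seen[key] != s.context:
            conflicts.append((s.regex, first_seen[key], s.context))
        first_seen.setdefault(key, s.context)
    return conflicts


def resolve_context(specs, path, ftype="file"):
    """Context restorecon would apply: the last matching spec wins, and a spec
    with a file-type flag only applies to objects of that type.  None means no
    rule covers the path, so restorecon cannot relabel it (the /db case)."""
    winner = None
    for s in specs:
        if s.ftype in (None, ftype) and s.pattern.match(path):
            winner = s.context
    return winner


def context_is_valid(context, known_types):
    """Coarse stand-in for the kernel's security_context_to_sid(): the string
    must be user:role:type[:range] and the type must exist.  known_types here
    comes only from parsed rules (an assumption); the kernel checks the policy."""
    parts = context.split(":")
    if len(parts) not in (3, 4) or not all(parts):
        return False
    return parts[2] in known_types


# Constructed sample input: the stock mysql rules quoted in the thread.
STOCK_RULES = r"""
/etc/mysql(/.*)?                system_u:object_r:mysqld_etc_t:s0
/var/log/mysql.*            --  system_u:object_r:mysqld_log_t:s0
/var/lib/mysql(/.*)?            system_u:object_r:mysqld_db_t:s0
/var/run/mysqld(/.*)?           system_u:object_r:mysqld_var_run_t:s0
/usr/sbin/mysqld(-max)?     --  system_u:object_r:mysqld_exec_t:s0
/etc/my\.cnf                --  system_u:object_r:mysqld_etc_t:s0
/usr/libexec/mysqld         --  system_u:object_r:mysqld_exec_t:s0
/var/lib/mysql/mysql\.sock  -s  system_u:object_r:mysqld_var_run_t:s0
"""
# What semanage fcontext -a -t mysqld_db_t "/db/mysql(/.*)?" appends to
# file_contexts.local, which is consulted after the stock file.
LOCAL_RULES = "/db/mysql(/.*)?  system_u:object_r:mysqld_db_t:s0\n"
# Two modules labeling one log directory differently (the slimserver case).
DUPLICATE_RULES = """
/var/log/slimserver(/.*)?  system_u:object_r:slimserver_var_log_t:s0
/var/log/slimserver(/.*)?  system_u:object_r:slimserver_scanner_var_log_t:s0
"""

if __name__ == "__main__":
    stock = parse_file_contexts(STOCK_RULES)
    print(resolve_context(stock, "/db/mysql/ibdata1"))  # None until a rule exists
    print(resolve_context(stock + parse_file_contexts(LOCAL_RULES), "/db/mysql", "dir"))
    print(conflicting_specs(parse_file_contexts(DUPLICATE_RULES)))
```

Resolving /db/mysql against the stock rules returns None, which is why an allow rule for file_t is the wrong fix and a new fcontext rule plus restorecon is the right one. The fstab line's mysql_db_t is rejected because no rule names that type (the stock rules use mysqld_db_t), matching the errno=-22 (EINVAL) from security_context_to_sid above.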
--
Florin Andrei
http://florin.myip.org/

From dwalsh at redhat.com Mon Apr 23 15:07:18 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 23 Apr 2007 11:07:18 -0400
Subject: Backing out of changes to file contexts specification
In-Reply-To: <5d3cd4150704200952o6f9ae58nc0dfdf9b9c61b3c4@mail.gmail.com>
References: <5d3cd4150704200952o6f9ae58nc0dfdf9b9c61b3c4@mail.gmail.com>
Message-ID: <462CCBA6.8040607@redhat.com>

Al Pacifico wrote:
> This is related to the daemon question I asked earlier.
>
> I created a problem using policygentool by specifying that a log file is written to by two different binaries with different policies. My thread about "Helper program for a daemon" provides some context (no pun intended).
>
> I didn't realize that installing the policy would change the file context specification database (although it makes perfect sense in retrospect). Now, I've inadvertently specified that /var/log/slimserver be labelled under two different contexts in /etc/selinux/targeted/contexts/files/file_contexts and wish to remove the second set of entries.
>
> Output of setfiles -n /etc/selinux/targeted/contexts/files/file_contexts $filename includes several messages of the form:
>
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/log/slimserver (system_u:object_r:slimserver_scanner_var_log_t and system_u:object_r:slimserver_var_log_t).
>
> My policy module didn't install correctly because of this error, but the file contexts specification is now incorrect. What is the best way to correct this?
> 1. Just use sed or vi to eliminate the second specification?
> 2. Remove both installed policies that I wrote (which are the only non-stock policy modules installed on my FC5 box) using semodule and restore /etc/selinux/targeted/contexts/files/file_contexts from the rpm package file?
>
> Keep in mind I'm doing this over ssh to a box with no GUI, so I must use the command line, vi, etc.

semanage fcontext -d /var/log/slimserver

> -al
> --
> Al Pacifico
> Seattle, WA

From dwalsh at redhat.com Mon Apr 23 15:14:08 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 23 Apr 2007 11:14:08 -0400
Subject: Helper program for a daemon
In-Reply-To: <5d3cd4150704191622n41116062h2fff070677f690e6@mail.gmail.com>
References: <5d3cd4150704181356g25831acanb47ccfb9557c1639@mail.gmail.com> <46276DC8.4020808@redhat.com> <5d3cd4150704191622n41116062h2fff070677f690e6@mail.gmail.com>
Message-ID: <462CCD40.7010103@redhat.com>

Al Pacifico wrote:
>
>
> On 4/19/07, *Daniel J Walsh* wrote:
>
> Al Pacifico wrote:
> > I (a greenhorn with selinux) am writing a policy for a daemon that streams music files over my home network to a music player client (a Slimdevices Squeezebox). My OS is FC5.
> >
> > The main daemon (/usr/sbin/slimserver) is a perl script that serves the music files and is started with an init script. My questions have to do with a secondary program (/usr/sbin/slimserver-scanner, also a perl script) that scans the music on the server, reading mp3 tags and such, and generates a database of stored music that is stored in a MySQL database. /usr/sbin/slimserver-scanner is invoked by the /usr/sbin/slimserver daemon and might be invoked by the user (although I can't recall ever doing so in several years of owning a Squeezebox).
> >
> > I've been following the example posted by Dan Walsh in a blog at http://danwalsh.livejournal.com/8707.html?thread=39171 which has been extremely helpful.
> >
> > My (2) questions:
> > 1. What is the appropriate file context for the scanner program?
> > system_u:object_r:sbin_t?
> > system_u:object_r:slimserver_t?
> > system_u:object_r:slimserver_exec_t?
> >
> That depends on your security goals. If you want the slimserver-scanner to have the same privs as slimserver you would label it sbin_t and allow slimserver to corecmd_exec_sbin(). If you want to go with least privs, you would create a new policy for slimserver-scanner (slimserver_scanner_t with file context of slimserver_scanner_exec_t) and then add a rule to slimserver_t to domtrans slimserver_scanner_domtrans(slimserver_t)
>
>
> After reviewing the source code to:
> 1) confirm that slimserver-scanner is intended to be run from the command line as well as by the slimserver daemon
> 2) see if it logs to the slimserver log
> 3) determine if it might want to use the network
> (to which all three answers were 'yes')
> ...I tried to use policygentool to create a policy for slimserver-scanner. However, I was stymied by an error.
>
> Here is what happened:
> [root at joplin slimserver-scanner]# /usr/share/selinux/devel/policygentool slimserver-scanner /usr/sbin/slimserver-scanner
>
>
> This tool generate three files for policy development, A Type Enforcement (te) file, a File Context (fc), and a Interface File(if). Most of the policy rules will be written in the te file. Use the File Context file to associate file paths with security context. Use the interface rules to allow other protected domains to interact with the newly defined domains.
>
> After generating these files use the /usr/share/selinux/devel/Makefile to compile your policy package. Then use the semodule tool to load it.
>
> # /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -l myapp.pp
> # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
>
> Now you can turn on permissive mode, start your application and avc messages will be generated.
You can use audit2allow to help translate the avc > messages > into policy. > > # setenforce 0 > # service myapp start > # audit2allow -R -i /var/log/audit/audit.log > > Return to continue: > > If the module uses pidfiles, what is the pidfile called? > > If the module uses logfiles, where are they stored? > /var/log/slimserver > If the module has var/lib files, where are they stored? > > Does the module have a init script? [yN] > N > Does the module use the network? [yN] > y > [root at joplin slimserver-scanner]# ls > slimserver-scanner.fc slimserver-scanner.if slimserver-scanner.te > [root at joplin slimserver-scanner]# make -f > /usr/share/selinux/devel/Makefile > Compiling targeted slimserver-scanner module > /usr/bin/checkmodule: loading policy configuration from > tmp/slimserver-scanner.tmp > slimserver-scanner.te:1:ERROR 'syntax error' at token > 'slimserver-scanner' on line 59006: > module slimserver-scanner 1.0.0; > #line 1 > /usr/bin/checkmodule: error(s) encountered while parsing configuration > make: *** [tmp/slimserver-scanner.mod] Error 1 > > I thought I would display the line containing the error and associated > context with the following: > [root at joplin slimserver-scanner]# nl tmp/slimserver-scanner.tmp | sed > -n '58990,59022p' > 50718 ## Execute a domain transition to run slimserver-scanner. > 50719 ## > 50720 ## > 50721 ## > 50722 ## Domain allowed to transition. 
> 50723 ## > 50724 ## > 50725 # > 50726 > 50727 #line 124172 > > 50728 #line 1 "slimserver-scanner.te " > > 50729 #line 1 > 50730 > 50731 #line 1 > 50732 module slimserver-scanner 1.0.0; > 50733 #line 1 > > 50734 #line 1 > 50735 require { > 50736 #line 1 > 50737 role system_r; > 50738 #line 1 > 50739 > 50740 #line 1 > 50741 class security { compute_av compute_create > compute_member check_context load_policy compute_relabel compute_user > setenforce setbool setsecparam setcheckreqprot }; > 50742 #line 1 > 50743 class process { fork transition sigchld sigkill > sigstop signull signal ptrace getsched setsched getsession getpgid > setpgid getcap setcap share getattr setexec setfscreate noatsecure > siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack > execheap setkeycreate }; > 50744 #line 1 > 50745 class system { ipc_info syslog_read syslog_mod > syslog_console }; 50746 #line 1 > 50747 class capability { chown dac_override dac_read_search > fowner fsetid kill setgid setuid setpcap linux_immutable > net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner > sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin > sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease > audit_write audit_control }; > > which does show the line 'module slimserver-scanner 1.0.0;', although > the line numbering is inconsistent. > > At first, I thought maybe policygentool inspected the context for the > /usr/sbin/slimserver-scanner binary and that was the problem. Cursory > examination of the source code did not suggest this. Now, I wonder if > policygentool is only to be used for daemons. This wasn't stated in > any comments. (BTW I'm using the selinux-policy-devel-2.3.7-2.fc5 > package.) > > Are there any thoughts regarding the nature of the error or > suggestions for alternative tools for generating the policy? > -al > Could it be that the compiler does not like the - in the policy name? Could you change it to slimserver_scanner?
> -- > Al Pacifico > Seattle, WA > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From adpacifico at users.sourceforge.net Mon Apr 23 15:20:03 2007 From: adpacifico at users.sourceforge.net (Al Pacifico) Date: Mon, 23 Apr 2007 08:20:03 -0700 Subject: Backing out of changes to file contexts specification In-Reply-To: <462CCBA6.8040607@redhat.com> References: <5d3cd4150704200952o6f9ae58nc0dfdf9b9c61b3c4@mail.gmail.com> <462CCBA6.8040607@redhat.com> Message-ID: <5d3cd4150704230820xb79f7dfk80c6fb2cdffcbbea@mail.gmail.com> On 4/23/07, Daniel J Walsh wrote: > > Al Pacifico wrote: > > This is related to the daemon question I asked earlier. > > > > I created a problem using policygentool by specifying that a log file > > is written to by two different binaries with different policies. My > > thread about "Helper program for a daemon" provides some context (no > > pun intended). > > > > I didn't realize that installing the policy would change the file > > context specification database (although it makes perfect sense in > > retrospect). Now, I've inadvertently specified that > > /var/log/slimserver be labelled under two different contexts in > > /etc/selinux/targeted/contexts/files/file_contexts and wish to remove > > the second set of entries. > > > > Output of setfiles -n > > /etc/selinux/targeted/contexts/files/file_contexts $filename includes > > several messages of the form: > > > > /etc/selinux/targeted/contexts/files/file_contexts: Multiple different > > specifications for /var/log/slimserver > > (system_u:object_r:slimserver_scanner_var_log_t and > > system_u:object_r:slimserver_var_log_t). > > > > My policy module didn't install correctly because of this error, but > > the file contexts specification is now incorrect. What is the best way > > to correct this? > > 1. 
Just use sed or vi to eliminate the second specification? > > 2.Remove both installed policies that I wrote (which are the only > > non-stock policy modules installed on my FC5 box) using semodule and > > restore /etc/selinux/targeted/contexts/files/file_contexts from the > > rpm package file? > > > > Keep in mind I'm doing this over ssh to a box with no GUI, so I must > > use the command line, vi, etc. > semanage fcontext -d /var/log/slimserver If I reboot, does the file /etc/selinux/targeted/contexts/files/file_contexts get automatically rewritten? If so, where does the information that it's filled with come from and what process rewrites it? > -al > > -- > > Al Pacifico > > Seattle, WA > > ------------------------------------------------------------------------ > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > -- Al Pacifico Seattle, WA -------------- next part -------------- An HTML attachment was scrubbed... URL: From dwalsh at redhat.com Mon Apr 23 15:25:40 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 23 Apr 2007 11:25:40 -0400 Subject: Backing out of changes to file contexts specification In-Reply-To: <5d3cd4150704230820xb79f7dfk80c6fb2cdffcbbea@mail.gmail.com> References: <5d3cd4150704200952o6f9ae58nc0dfdf9b9c61b3c4@mail.gmail.com> <462CCBA6.8040607@redhat.com> <5d3cd4150704230820xb79f7dfk80c6fb2cdffcbbea@mail.gmail.com> Message-ID: <462CCFF4.6050504@redhat.com> Al Pacifico wrote: > > On 4/23/07, *Daniel J Walsh* > wrote: > > Al Pacifico wrote: > > This is related to the daemon question I asked earlier. > > > > I created a problem using policygentool by specifying that a log > file > > is written to by two different binaries with different policies. My > > thread about "Helper program for a daemon" provides some context (no > > pun intended). 
> > > > I didn't realize that installing the policy would change the file > > context specification database (although it makes perfect sense in > > retrospect). Now, I've inadvertently specified that > > /var/log/slimserver be labelled under two different contexts in > > /etc/selinux/targeted/contexts/files/file_contexts and wish to > remove > > the second set of entries. > > > > Output of setfiles -n > > /etc/selinux/targeted/contexts/files/file_contexts $filename > includes > > several messages of the form: > > > > /etc/selinux/targeted/contexts/files/file_contexts: Multiple > different > > specifications for /var/log/slimserver > > (system_u:object_r:slimserver_scanner_var_log_t and > > system_u:object_r:slimserver_var_log_t). > > > > My policy module didn't install correctly because of this error, > but > > the file contexts specification is now incorrect. What is the > best way > > to correct this? > > 1. Just use sed or vi to eliminate the second specification? > > 2. Remove both installed policies that I wrote (which are the only > > non-stock policy modules installed on my FC5 box) using semanage and > > restore /etc/selinux/targeted/contexts/files/file_contexts from the > > rpm package file? > > > > Keep in mind I'm doing this over ssh to a box with no GUI, so I > must > > use the command line, vi, etc. > semanage fcontext -d /var/log/slimserver > > > If I reboot, does the file > /etc/selinux/targeted/contexts/files/file_contexts get automatically > rewritten? If so, where does the information that it's filled with > come from and what process rewrites it? > No. The only time these files get modified is by the semanage or semodule command. (rpm installations often execute these commands.
) All the data used to build this file is in /etc/selinux/targeted/modules/active/ > > > -al > > -- > > Al Pacifico > > Seattle, WA > > > ------------------------------------------------------------------------ > > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > > -- > Al Pacifico > Seattle, WA From sds at tycho.nsa.gov Mon Apr 23 15:25:46 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 23 Apr 2007 11:25:46 -0400 Subject: Backing out of changes to file contexts specification In-Reply-To: <5d3cd4150704230820xb79f7dfk80c6fb2cdffcbbea@mail.gmail.com> References: <5d3cd4150704200952o6f9ae58nc0dfdf9b9c61b3c4@mail.gmail.com> <462CCBA6.8040607@redhat.com> <5d3cd4150704230820xb79f7dfk80c6fb2cdffcbbea@mail.gmail.com> Message-ID: <1177341946.24282.46.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2007-04-23 at 08:20 -0700, Al Pacifico wrote: > > If I reboot, does the > file /etc/selinux/targeted/contexts/files/file_contexts get > automatically rewritten? If so, where does the information that it's > filled with come from and what process rewrites it? It doesn't get rewritten at boot, only upon a change made to the policy via semodule or semanage (both of which use libsemanage as their backend). libsemanage manages a private store under /etc/selinux/targeted/modules, applies all changes in a sandbox there first, and then installs to the real locations upon a successful completion of a transaction. 
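As an added editor's example for the "Backing out of changes to file contexts specification" thread (not code from the thread or from the SELinux tools): a small script that finds what setfiles reported, the same regex and file-type pair mapped to two different contexts in a file_contexts file. The file_contexts sample inside it is constructed to reproduce the /var/log/slimserver conflict. Two caveats a practitioner should know: semanage fcontext -d only removes entries from the local customizations (file_contexts.local), so a duplicate that a loaded module contributed is removed by unloading that module with semodule -r; and the script treats an entry with an explicit file-type field (--, -d, ...) and one without as different specifications, and does not handle a regex containing an escaped space.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): find duplicate
# file_contexts specifications, the condition setfiles reports as
# "Multiple different specifications".

# Constructed sample in file_contexts format, reproducing the conflict from
# the thread: /var/log/slimserver is given two different types.
SAMPLE_FILE_CONTEXTS='
/usr/sbin/slimserver              --  system_u:object_r:slimserver_exec_t:s0
/var/run/slimserver\.pid          --  system_u:object_r:slimserver_var_run_t:s0
/var/log/slimserver(/.*)?             system_u:object_r:slimserver_var_log_t:s0
/usr/sbin/slimserver-scanner      --  system_u:object_r:slimserver_scanner_exec_t:s0
/var/log/slimserver(/.*)?             system_u:object_r:slimserver_scanner_var_log_t:s0
/var/log/slimserver(/.*)?             system_u:object_r:slimserver_scanner_var_log_t:s0
'

# write_sample: put the constructed sample into a temp file and print its path.
write_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_FILE_CONTEXTS" > "$tmp"
    echo "$tmp"
}

# find_conflicts FILE: print "different: ..." for each regex/type pair that
# maps to more than one context and "same: ..." for exact repeats.
# Exit status 1 if any conflicting pair was found, 0 otherwise.
# Limitation: a regex containing an escaped space is not handled.
find_conflicts() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        {
            regex = $1
            if (NF >= 3) { ftype = $2; ctx = $3 }     # explicit -- / -d / -l ...
            else         { ftype = "any"; ctx = $2 }  # no file-type field
            key = regex " " ftype
            if ((key, ctx) in seen) {                 # identical repeat
                printf "same: %s (%s)\n", regex, ctx
                next
            }
            seen[key, ctx] = 1
            if (key in first) {                       # same spec, other context
                printf "different: %s (%s and %s)\n", regex, first[key], ctx
                conflicts++
            } else {
                first[key] = ctx
            }
        }
        END { exit (conflicts > 0 ? 1 : 0) }
    ' "$1"
}

# Stand-alone run: report on the sample, then on the live database if present.
f=$(write_sample)
find_conflicts "$f" || echo "conflicts found in $f"
db=/etc/selinux/targeted/contexts/files/file_contexts
if [ -r "$db" ]; then
    find_conflicts "$db" || echo "conflicts found in $db"
fi
```

Run it against the live file_contexts before rebuilding a module; the regex it prints is the argument for semanage fcontext -d (quote it, since it contains shell metacharacters) when the entry is a local customization.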
-- Stephen Smalley National Security Agency From dwalsh at redhat.com Mon Apr 23 15:27:15 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 23 Apr 2007 11:27:15 -0400 Subject: Squid cachemgr.cgi AVC denied In-Reply-To: <200704201657.22175.lamont@gurulabs.com> References: <200704191120.40468.lamont@gurulabs.com> <4627AF9B.8070902@redhat.com> <200704201657.22175.lamont@gurulabs.com> Message-ID: <462CD053.1080707@redhat.com> You will get new policy for RHEL 5 when u1 is released. You can download the current u1 policy at http://people.redhat.com/dwalsh/SELinux/RHEL5/u1/ From thomas at apestaart.org Mon Apr 23 15:58:24 2007 From: thomas at apestaart.org (Thomas Vander Stichele) Date: Mon, 23 Apr 2007 17:58:24 +0200 Subject: labeling files for multiple daemons Message-ID: <1177343904.11905.8.camel@level.fluendo.lan> I have two particular cases I want to make possible: a) have a tree under /home/mirror that can be offered both by httpd and over nfs. How should I label these files? I assume default file contexts are either/or, so maybe I need to create a custom context type and load custom policy to tell httpd and nfs about it? Or is there an easier way? b) Suppose I have /home/file where users can upload files through ftp and webdav, and I again want to export these files over NFS. So, a variant on case a). Any help appreciated, Thomas From mike.clarkson at baesystems.com Mon Apr 23 17:22:11 2007 From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA)) Date: Mon, 23 Apr 2007 10:22:11 -0700 Subject: using runcon -l s1 Message-ID: I am trying to figure out how to get "runcon -l s1" to work while having selinux in enforcing mode. So far, I can only use the runcon command successfully with selinux in permissive mode. Here is the error I get when in enforcing mode: >runcon -l s1 ./SimulatedImport /home/m252/SimulatedImport/output/junk execvp: Permission denied My shell is running as root in the unconfined_t domain.
Here is the output of id -Z: root:system_r:unconfined_t:s0-s15:c0.c255 The executable that I'm trying to run with runcon is "SimulatedImport". This is a very simple program which simply creates a small text file. I have created a domain named "import_t" for this program. I have an SELinux policy that I built as an mls policy off the targeted policy. When I run audit2allow I get the following: audit2allow -i /var/log/audit/audit.log -l -v -r require { class dir search; class file { getattr read }; class process transition; type auditd_log_t; type unconfined_t; role system_r; }; allow unconfined_t auditd_log_t:dir search; #TYPE=AVC MSG=audit(1177347232.381:45684): COMM="audit2allow" NAME="audit" : search #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit" : search allow unconfined_t auditd_log_t:file { getattr read }; #TYPE=AVC MSG=audit(1177347344.098:45699): COMM="audit2allow" NAME="audit.log" : getattr #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit.log" : read allow unconfined_t self:process transition; #TYPE=AVC MSG=audit(1177347223.780:45683): COMM="runcon" NAME="SimulatedImport" : transition Adding "allow unconfined_t self:process transition;" to my "import" module seems to have no effect. Any help would be appreciated. Thanks, Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: From dwalsh at redhat.com Tue Apr 24 12:31:49 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 24 Apr 2007 08:31:49 -0400 Subject: using runcon -l s1 In-Reply-To: References: Message-ID: <462DF8B5.5060301@redhat.com> Clarkson, Mike R (US SSA) wrote: > > I am trying to figure out how to get "runcon -l s1" to work while > having selinux in enforcing mode. So far, I can only use the runcon > command successfully with selinux in permissive mode.
Here is the > error I get when in enforcing mode: > > >runcon -l s1 ./SimulatedImport /home/m252/SimulatedImport/output/junk > > execvp: Permission denied > > My shell is running as root in the unconfined_t domain. Here is the > output of id -Z: > > root:system_r:unconfined_t:s0-s15:c0.c255 > > The executable that I'm trying to run with runcon is > "SimulatedImport". This is a very simple program which simply creates > a small text file. I have created a domain named "import_t" for this > program. > > I have an SELinux policy that I built as an mls policy off the > targeted policy. > > When I run audit2allow I get the following: > > audit2allow -i /var/log/audit/audit.log -l -v -r > > require { > > class dir search; > > class file { getattr read }; > > class process transition; > > type auditd_log_t; > > type unconfined_t; > > role system_r; > > }; > > allow unconfined_t auditd_log_t:dir search; > > #TYPE=AVC MSG=audit(1177347232.381:45684): COMM="audit2allow" > NAME="audit" : search > > #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" > NAME="audit" : search > > allow unconfined_t auditd_log_t:file { getattr read }; > > #TYPE=AVC MSG=audit(1177347344.098:45699): COMM="audit2allow" > NAME="audit.log" : getattr > > #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" > NAME="audit.log" : read > > allow unconfined_t self:process transition; > > #TYPE=AVC MSG=audit(1177347223.780:45683): COMM="runcon" > NAME="SimulatedImport" : transition > > Adding "allow unconfined_t self:process transition;" to my "import" > module seems to have no effect. > I think you are being prevented by a constraint of MLS. As a guess I would suggest trying: mls_process_set_level(unconfined_t) > > > Any help would be appreciated.
> > Thanks, > > Mike > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From adpacifico at users.sourceforge.net Tue Apr 24 15:36:01 2007 From: adpacifico at users.sourceforge.net (Al Pacifico) Date: Tue, 24 Apr 2007 08:36:01 -0700 Subject: Helper program for a daemon In-Reply-To: <46276DC8.4020808@redhat.com> References: <5d3cd4150704181356g25831acanb47ccfb9557c1639@mail.gmail.com> <46276DC8.4020808@redhat.com> Message-ID: <5d3cd4150704240836q7d6627a0qc931aa67461f9082@mail.gmail.com> On 4/19/07, Daniel J Walsh wrote: > > Al Pacifico wrote: > > I (a greenhorn with selinux) am writing a policy for a daemon that > > streams music files over my home network to a music player client (a > > Slimdevices Squeezebox). My OS is FC5. > > > > The main daemon (/usr/sbin/slimserver) is a perl script that serves > > the music files and is started with an init script. My questions have > > to do with a secondary program (/usr/sbin/slimserver-scanner, also a > > perl script) that scans the music on the server, reading mp3 tags and > > such, and generates a database of stored music that is stored in a > > MySQL database. /usr/sbin/slimserver-scanner is invoked by the > > /usr/sbin/slimserver daemon and might be invoked by the user (although > > I can't recall ever doing so in several years of owning a Squeezebox). > > > > I've been following the example posted by Dan Walsh in a blog at > > http://danwalsh.livejournal.com/8707.html?thread=39171 which has been > > extremely helpful. > > > > My (2) questions: > > 1. What is the appropriate file context for the scanner program? > > system_u:object_r:sbin_t? > > system_u:object_r:slimserver_t? > > system_u:object_r:slimserver_exec_t? > > > That depends on your security goals. 
If you want the slimserver-scanner > to have the same privs as slimserver you would label it sbin_t and allow > slimserver to corecmd_exec_sbin(). If you want to go with least privs, > you would create a new policy for slimserver-scanner > (slimserver_scanner_t with file context of slimserver_scanner_exec_t) > and then add a rule to slimserver_t to domtrans > slimserver_scanner_domtrans(slimserver_t) I'm a little confused about this. I want to limit privileges of slimserver and slimserver-scanner to accessing only certain files. If I label slimserver-scanner as 'sbin_t', when a user executes slimserver-scanner, won't he/she have more privileges than slimserver then? > The generated slimserver.fc file contains: > > # slimserver executable will have: > > # label: system_u:object_r:slimserver_exec_t > > # MLS sensitivity: s0 > > # MCS categories: > > > > /usr/sbin/slimserver -- > > gen_context(system_u:object_r:slimserver_exec_t,s0) > > /var/run/slimserver.pid > > gen_context(system_u:object_r:slimserver_var_run_t,s0) > > /var/log/slimserver > > gen_context(system_u:object_r:slimserver_var_log_t,s0) > > > > and the slimserver.if file contains: > > interface(`slimserver_domtrans',` > > gen_require(` > > type slimserver_t, slimserver_exec_t; > > ') > > > > domain_auto_trans($1,slimserver_exec_t,slimserver_t) > > > > allow $1 slimserver_t:fd use; > > allow slimserver_t $1:fd use; > > allow slimserver_t $1:fifo_file rw_file_perms; > > allow slimserver_t $1:process sigchld; > > ') > > > > 2. There is no reason to add the scanner program be added to > > slimserver.fc that was generated by policygentool, is there? > Only if you are creating a context for slimserver_scanner_exec_t, > otherwise just let it be labeled sbin_t. > > The file itself just needs to be labeled appropriately, right? Or does > > that file play some role in policy compilation in a step that I did > > not explicitly executed when I invoked 'make -f > > /usr/share/selinux/devel/Makefile'? 
> > > > Thanks in advance. > > -al > > -- > > Al Pacifico > > Seattle, WA > > ------------------------------------------------------------------------ > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > -- Al Pacifico Seattle, WA -------------- next part -------------- An HTML attachment was scrubbed... URL: From phil at noggle.biz Tue Apr 24 15:31:04 2007 From: phil at noggle.biz (phil) Date: Tue, 24 Apr 2007 11:31:04 -0400 Subject: apache 4.1 & SELinux on FC6 Message-ID: <462E22B8.7030900@noggle.biz> List, I'm performing a bit of an experiment setting up some software on FC6 and confining it in an SELinux domain. In taking a survey of potential obstacles, I've run into something that I'm hoping y'all can provide some guidance on. The application I'm setting up was initially deployed on RHEL4 (SELinux disabled) and thus depends on MySQL (version 4.1). In developing policy I'd really like to use the most up to date modular policy from FC6 (anticipating our transition to RHEL5), but the MySQL packaged in FC6 is 5.0. From my perspective, my options are: (1) try using MySQL 5.0 and hope the application doesn't break (cross your fingers) (2) install MySQL 4.1 (from source / older package) and try to use the FC6 policy for MySQL 5.0 and hope that works. I'm not really sure which is the best choice (though option 1 does seem like higher risk) so I thought I'd ask for some advice. Has anyone used the FC6 MySQL policy with older versions of MySQL? Am I nuts for even trying this? There's another team working to bring this software up to date for deployment on RHEL5 but naturally our efforts are in parallel so I can't benefit from their work just yet (nor can I, or do I want to monkey around in their Java code). 
I could always develop my policy on the older RHEL4 platform and use our standard build but when integration begins that would put me way behind the ball as (from what I understand) the policy in RHEL5 is vastly improved / different, which is why I'm trying to use FC6 in my initial tests. Any help / guidance / insight would be much appreciated. TIA, - Philip From sonie_darabe at yahoo.fr Wed Apr 25 06:50:29 2007 From: sonie_darabe at yahoo.fr (sonie darabe) Date: Wed, 25 Apr 2007 08:50:29 +0200 (CEST) Subject: fedora-selinux-list Digest, Vol 38, Issue 17 In-Reply-To: <20070424160011.AE1517324C@hormel.redhat.com> Message-ID: <538329.21416.qm@web23311.mail.ird.yahoo.com> --> answer in your mail body! fedora-selinux-list-request at redhat.com wrote: Send fedora-selinux-list mailing list submissions to fedora-selinux-list at redhat.com To subscribe or unsubscribe via the World Wide Web, visit https://www.redhat.com/mailman/listinfo/fedora-selinux-list or, via email, send a message with subject or body 'help' to fedora-selinux-list-request at redhat.com You can reach the person managing the list at fedora-selinux-list-owner at redhat.com When replying, please edit your Subject line so it is more specific than "Re: Contents of fedora-selinux-list digest..." Today's Topics: 1. using runcon -l s1 (Clarkson, Mike R (US SSA)) 2. Re: using runcon -l s1 (Daniel J Walsh) 3. Re: Helper program for a daemon (Al Pacifico) ---------------------------------------------------------------------- Message: 1 Date: Mon, 23 Apr 2007 10:22:11 -0700 From: "Clarkson, Mike R \(US SSA\)" Subject: using runcon -l s1 To: Message-ID: Content-Type: text/plain; charset="us-ascii" I am trying to figure out how to get "runcon -l s1" to work while having selinux in enforcing mode. So far, I can only use the runcon command successfully with selinux in permissive mode.
Here is the error I get when in enforcing mode: >runcon -l s1 ./SimulatedImport /home/m252/SimulatedImport/output/junk execvp: Permission denied --> You should know that enforcing mode means SELinux is fully activated, i.e. the policies are enforced, and as a user you have a role, and this role assigns you specific permissions. That's why you get this message: your role doesn't give you access to this permission. This is the principal way SELinux provides protection. My shell is running as root in the unconfined_t domain. Here is the output of id -Z: root:system_r:unconfined_t:s0-s15:c0.c255 --> This context is assigned to root as the default context. You can modify it with newrole. The executable that I'm trying to run with runcon is "SimulatedImport". This is a very simple program which simply creates a small text file. I have created a domain named "import_t" for this program. I have an SELinux policy that I built as an mls policy off the targeted policy. When I run audit2allow I get the following: audit2allow -i /var/log/audit/audit.log -l -v -r require { class dir search; class file { getattr read }; class process transition; type auditd_log_t; type unconfined_t; role system_r; }; allow unconfined_t auditd_log_t:dir search; #TYPE=AVC MSG=audit(1177347232.381:45684): COMM="audit2allow" NAME="audit" : search #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit" : search allow unconfined_t auditd_log_t:file { getattr read }; #TYPE=AVC MSG=audit(1177347344.098:45699): COMM="audit2allow" NAME="audit.log" : getattr #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit.log" : read allow unconfined_t self:process transition; #TYPE=AVC MSG=audit(1177347223.780:45683): COMM="runcon" NAME="SimulatedImport" : transition Adding "allow unconfined_t self:process transition;" to my "import" module seems to have no effect.
-->i think you should use allow for transition from a domain to another so i don't thik that this rule you added is right. Any help would be appreciated. Thanks, Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: https://www.redhat.com/archives/fedora-selinux-list/attachments/20070423/f6255682/attachment.html ------------------------------ Message: 2 Date: Tue, 24 Apr 2007 08:31:49 -0400 From: Daniel J Walsh Subject: Re: using runcon -l s1 To: "Clarkson, Mike R (US SSA)" Cc: fedora-selinux-list at redhat.com Message-ID: <462DF8B5.5060301 at redhat.com> Content-Type: text/plain; charset=windows-1252; format=flowed Clarkson, Mike R (US SSA) wrote: > > I am trying to figure out how to get ?runcon ?l s1? to work while > having selinux in enforcing mode. So far, I can only use the runcon > command successfully with selinux in permissive mode. Here is the > error I get when in enforcing mode: > > >runcon -l s1 ./SimulatedImport /home/m252/SimulatedImport/output/junk > > execvp: Permission denied > > My shell is running as root in the unconfined_t domain. Here is the > output of id ?Z: > > root:system_r:unconfined_t:s0-s15:c0.c255 > > The executable that I?m trying to run with runcon is > ?SimulatedImport?. This is a very simple program which simply creates > a small text file. I have created a domain named ?import_t? for this > program. > > I have an selinux policy that I built as an mls policy off the > targeted policy. 
> > When I run audit2allow I get the following: > > audit2allow -i /var/log/audit/audit.log -l -v -r > > require { > > class dir search; > > class file { getattr read }; > > class process transition; > > type auditd_log_t; > > type unconfined_t; > > role system_r; > > }; > > allow unconfined_t auditd_log_t:dir search; > > #TYPE=AVC MSG=audit(1177347232.381:45684): COMM="audit2allow" > NAME="audit" : search > > #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" > NAME="audit" : search > > allow unconfined_t auditd_log_t:file { getattr read }; > > #TYPE=AVC MSG=audit(1177347344.098:45699): COMM="audit2allow" > NAME="audit.log" : getattr > > #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" > NAME="audit.log" : read > > allow unconfined_t self:process transition; > > #TYPE=AVC MSG=audit(1177347223.780:45683): COMM="runcon" > NAME="SimulatedImport" : transition > > Adding ?allow unconfined_t self:process transition;? to my ?import? > module seems to have no effect. > I think you are being prevented by a constraint of MLS As a guess I would suggest trying: mls_process_set_level(unconfined_t) > > > Any help would be appreciated. > > Thanks, > > Mike > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list ------------------------------ Message: 3 Date: Tue, 24 Apr 2007 08:36:01 -0700 From: "Al Pacifico" Subject: Re: Helper program for a daemon To: fedora-selinux-list at redhat.com Cc: Daniel J Walsh Message-ID: <5d3cd4150704240836q7d6627a0qc931aa67461f9082 at mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1" On 4/19/07, Daniel J Walsh wrote: > > Al Pacifico wrote: > > I (a greenhorn with selinux) am writing a policy for a daemon that > > streams music files over my home network to a music player client (a > > Slimdevices Squeezebox). My OS is FC5. 
> >
> > The main daemon (/usr/sbin/slimserver) is a perl script that serves the music files and is started with an init script. My questions have to do with a secondary program (/usr/sbin/slimserver-scanner, also a perl script) that scans the music on the server, reading mp3 tags and such, and generates a database of stored music that is stored in a MySQL database. /usr/sbin/slimserver-scanner is invoked by the /usr/sbin/slimserver daemon and might be invoked by the user (although I can't recall ever doing so in several years of owning a Squeezebox).
> >
> > I've been following the example posted by Dan Walsh in a blog at http://danwalsh.livejournal.com/8707.html?thread=39171 which has been extremely helpful.
> >
> > My (2) questions:
> > 1. What is the appropriate file context for the scanner program?
> >    system_u:object_r:sbin_t?
> >    system_u:object_r:slimserver_t?
> >    system_u:object_r:slimserver_exec_t?
> >
> That depends on your security goals. If you want the slimserver-scanner to have the same privs as slimserver you would label it sbin_t and allow slimserver to corecmd_exec_sbin(). If you want to go with least privs, you would create a new policy for slimserver-scanner (slimserver_scanner_t with file context of slimserver_scanner_exec_t) and then add a rule to slimserver_t to domtrans slimserver_scanner_domtrans(slimserver_t)

I'm a little confused about this. I want to limit privileges of slimserver and slimserver-scanner to accessing only certain files. If I label slimserver-scanner as 'sbin_t', when a user executes slimserver-scanner, won't he/she have more privileges than slimserver then?
> > The generated slimserver.fc file contains:
> > # slimserver executable will have:
> > # label: system_u:object_r:slimserver_exec_t
> > # MLS sensitivity: s0
> > # MCS categories:
> >
> > /usr/sbin/slimserver  --  gen_context(system_u:object_r:slimserver_exec_t,s0)
> > /var/run/slimserver.pid   gen_context(system_u:object_r:slimserver_var_run_t,s0)
> > /var/log/slimserver       gen_context(system_u:object_r:slimserver_var_log_t,s0)
> >
> > and the slimserver.if file contains:
> > interface(`slimserver_domtrans',`
> >     gen_require(`
> >         type slimserver_t, slimserver_exec_t;
> >     ')
> >
> >     domain_auto_trans($1,slimserver_exec_t,slimserver_t)
> >
> >     allow $1 slimserver_t:fd use;
> >     allow slimserver_t $1:fd use;
> >     allow slimserver_t $1:fifo_file rw_file_perms;
> >     allow slimserver_t $1:process sigchld;
> > ')
> >
> > 2. There is no reason for the scanner program to be added to slimserver.fc that was generated by policygentool, is there?
> Only if you are creating a context for slimserver_scanner_exec_t, otherwise just let it be labeled sbin_t.
> > The file itself just needs to be labeled appropriately, right? Or does that file play some role in policy compilation in a step that I did not explicitly execute when I invoked 'make -f /usr/share/selinux/devel/Makefile'?
> >
> > Thanks in advance.
> > -al
> > --
> > Al Pacifico
> > Seattle, WA

--
Al Pacifico
Seattle, WA
------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

End of fedora-selinux-list Digest, Vol 38, Issue 17
***************************************************

From thomas at apestaart.org Wed Apr 25 13:03:01 2007
From: thomas at apestaart.org (Thomas Vander Stichele)
Date: Wed, 25 Apr 2007 15:03:01 +0200
Subject: bind-chroot selinux problems on log file
Message-ID: <1177506181.28381.25.camel@level.fluendo.lan>

I want to take this particular bug as a way of figuring out how to "fix" bugs and provide patches.

On FC5, with bind-chroot installed, /var/named/chroot/var/log is labeled as
S_Context: system_u:object_r:named_conf_t

This causes audit messages like:
audit(1177506082.955:23904): avc: denied { getattr } for pid=2781 comm="named" name="debug.log" dev=dm-0 ino=2850829 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

and the log files aren't being written to.

When I manually change files:
chcon -R system_u:object_r:var_log_t log/

it works.

Of course, a restorecon resets to named_conf_t.

Is the best way to fix this, straight in the selinux source policy? Or should I create an add-on .te and load it to override?
Thomas

From paul at city-fan.org Wed Apr 25 13:12:02 2007
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 25 Apr 2007 14:12:02 +0100
Subject: bind-chroot selinux problems on log file
In-Reply-To: <1177506181.28381.25.camel@level.fluendo.lan>
References: <1177506181.28381.25.camel@level.fluendo.lan>
Message-ID: <462F53A2.8070003@city-fan.org>

Thomas Vander Stichele wrote:
> I want to take this particular bug as a way of figuring out how to "fix" bugs and provide patches.
>
> On FC5, with bind-chroot installed, /var/named/chroot/var/log is labeled as
> S_Context: system_u:object_r:named_conf_t
>
> This causes audit messages like:
> audit(1177506082.955:23904): avc: denied { getattr } for pid=2781 comm="named" name="debug.log" dev=dm-0 ino=2850829 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
> and the log files aren't being written to.
>
> When I manually change files:
> chcon -R system_u:object_r:var_log_t log/
>
> it works.
>
> Of course, a restorecon resets to named_conf_t.
>
> Is the best way to fix this, straight in the selinux source policy? Or should I create an add-on .te and load it to override?

Or you could do:

# semanage fcontext -a -t var_log_t '/var/named/chroot/var/log(/.*)?'
# restorecon -Rv /var/named/chroot/var/log

That would survive a policy update, relabel etc.

Paul.

From janfrode at tanso.net Wed Apr 25 22:37:41 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Thu, 26 Apr 2007 00:37:41 +0200
Subject: Helper program for a daemon
References: <5d3cd4150704181356g25831acanb47ccfb9557c1639@mail.gmail.com> <46276DC8.4020808@redhat.com> <5d3cd4150704240836q7d6627a0qc931aa67461f9082@mail.gmail.com>
Message-ID:

On 2007-04-24, Al Pacifico wrote:
>> That depends on your security goals. If you want the slimserver-scanner to have the same privs as slimserver you would label it sbin_t and allow slimserver to corecmd_exec_sbin().
>> If you want to go with least privs, you would create a new policy for slimserver-scanner (slimserver_scanner_t with file context of slimserver_scanner_exec_t) and then add a rule to slimserver_t to domtrans slimserver_scanner_domtrans(slimserver_t)
>
> I'm a little confused about this. I want to limit privileges of slimserver and slimserver-scanner to accessing only certain files. If I label slimserver-scanner as 'sbin_t', when a user executes slimserver-scanner, won't he/she have more privileges than slimserver then?

Yes. If you want slimserver-scanner to have less privileges when executed interactively by a user, you'll need to create a new domain for it (i.e. not sbin_t), and transition into this domain when the user execs it.

But, why would you want that? All it's doing is reading the mp3 files, and updating a database. If you limit the scanner's privileges, your users can still step outside of this by "cp /usr/sbin/slimserver-scanner /tmp/slimserver-scanner"..

I would aim at confining the main web-based slimserver, and make sure the slimserver-scanner executed within this process doesn't get more privileges than absolutely necessary.

-jf

From joe at nall.com Thu Apr 26 19:55:54 2007
From: joe at nall.com (Joe Nall)
Date: Thu, 26 Apr 2007 14:55:54 -0500
Subject: service and system-config-services restart daemons in incorrect type under mls policy
Message-ID: <87FA012F-047D-48E9-898C-CCDD98029ED5@nall.com>

I'm running an mls/permissive policy on FC6 and service and system-config-services start daemons in the user's selinux context rather than those in /etc/selinux/mls/contexts/initrc_context. Since our policies use init_daemon_domain to establish domain transitions, they are not transitioning into the correct domain on user initiated (re)starts.

"run_init service restart" - works, but leaves us in a situation where documentation doesn't match experience. What is the right approach to getting the transitions to work properly?
Patch service and friends? Write a more generic transition?

joe

From sds at tycho.nsa.gov Thu Apr 26 20:18:06 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 26 Apr 2007 16:18:06 -0400
Subject: service and system-config-services restart daemons in incorrect type under mls policy
In-Reply-To: <87FA012F-047D-48E9-898C-CCDD98029ED5@nall.com>
References: <87FA012F-047D-48E9-898C-CCDD98029ED5@nall.com>
Message-ID: <1177618686.24282.372.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-04-26 at 14:55 -0500, Joe Nall wrote:
> I'm running an mls/permissive policy on FC6 and service and system-config-services start daemons in the user's selinux context rather than those in /etc/selinux/mls/contexts/initrc_context. Since our policies use init_daemon_domain to establish domain transitions, they are not transitioning into the correct domain on user initiated (re)starts.
>
> "run_init service restart" - works, but leaves us in a situation where documentation doesn't match experience. What is the right approach to getting the transitions to work properly? Patch service and friends? Write a more generic transition?

That should be governed by the DIRECT_INITRC= setting in the refpolicy build.conf (or as overridden on the make command line in the .spec file for building the policy). DIRECT_INITRC=y (as in -targeted) turns on direct role transitions and domain transitions from sysadm_r:sysadm_t to system_r:initrc_t and/or system_r:, although we can't yet automatically transition the user identity field.

If you want the DIRECT_INITRC=n situation, then yes, you need to integrate run_init or similar functionality into the init script and/or service script infrastructure, as they have done in Hardened Gentoo.

--
Stephen Smalley
National Security Agency

From ftaylor at redhat.com Thu Apr 26 22:30:36 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Thu, 26 Apr 2007 16:30:36 -0600
Subject: What is special about /home?
Message-ID: <1177626636.4809.30.camel@localhost.localdomain>

I have a .fc file that contains:
/home/dir(/.*)?    system_u:object_r:tmp_t:s0

When I create the directory, it gets user_home_dir_t and files in the directory get user_home_t. After I load the module, restorecon will not change the permissions on the directory or files. So, what is special about those types? I thought at first that they may be customizable types, but they aren't listed in the file. semanage fcontext doesn't show them either. Any clues?

Thanks,
Forrest

From joe at nall.com Fri Apr 27 01:00:47 2007
From: joe at nall.com (Joe Nall)
Date: Thu, 26 Apr 2007 20:00:47 -0500
Subject: service and system-config-services restart daemons in incorrect type under mls policy
In-Reply-To: <1177618686.24282.372.camel@moss-spartans.epoch.ncsc.mil>
References: <87FA012F-047D-48E9-898C-CCDD98029ED5@nall.com> <1177618686.24282.372.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <542B85FA-8F91-4407-A530-7BD4316A313D@nall.com>

On Apr 26, 2007, at 3:18 PM, Stephen Smalley wrote:
> On Thu, 2007-04-26 at 14:55 -0500, Joe Nall wrote:
>> I'm running an mls/permissive policy on FC6 and service and system-config-services start daemons in the user's selinux context rather than those in /etc/selinux/mls/contexts/initrc_context. Since our policies use init_daemon_domain to establish domain transitions, they are not transitioning into the correct domain on user initiated (re)starts.
>>
>> "run_init service restart" - works, but leaves us in a situation where documentation doesn't match experience. What is the right approach to getting the transitions to work properly? Patch service and friends? Write a more generic transition?
>
> That should be governed by the DIRECT_INITRC= setting in the refpolicy build.conf (or as overridden on the make command line in the .spec file for building the policy). DIRECT_INITRC=y (as in -targeted) turns on direct role transitions and domain transitions from sysadm_r:sysadm_t to system_r:initrc_t and/or system_r:, although we can't yet automatically transition the user identity field.
>
> If you want the DIRECT_INITRC=n situation, then yes, you need to integrate run_init or similar functionality into the init script and/or service script infrastructure, as they have done in Hardened Gentoo.

Why does run_init prompt for a root password rather than perform a role check?

joe

From ftaylor at redhat.com Fri Apr 27 14:39:55 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Fri, 27 Apr 2007 08:39:55 -0600
Subject: What is special about /home?
In-Reply-To: <1177626636.4809.30.camel@localhost.localdomain>
References: <1177626636.4809.30.camel@localhost.localdomain>
Message-ID: <1177684795.4818.0.camel@localhost.localdomain>

On Thu, 2007-04-26 at 16:30 -0600, Forrest Taylor wrote:
> I have a .fc file that contains:
> /home/dir(/.*)?    system_u:object_r:tmp_t:s0
>
> When I create the directory, it gets user_home_dir_t and files in the directory get user_home_t. After I load the module, restorecon will not change the permissions on the directory or files. So, what is special about those types? I thought at first that they may be customizable types, but they aren't listed in the file. semanage fcontext doesn't show them either. Any clues?

I forgot to mention that I am using RHEL 5.0.0.
From sds at tycho.nsa.gov Fri Apr 27 15:08:00 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 27 Apr 2007 11:08:00 -0400
Subject: service and system-config-services restart daemons in incorrect type under mls policy
In-Reply-To: <542B85FA-8F91-4407-A530-7BD4316A313D@nall.com>
References: <87FA012F-047D-48E9-898C-CCDD98029ED5@nall.com> <1177618686.24282.372.camel@moss-spartans.epoch.ncsc.mil> <542B85FA-8F91-4407-A530-7BD4316A313D@nall.com>
Message-ID: <1177686480.3357.14.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-04-26 at 20:00 -0500, Joe Nall wrote:
> On Apr 26, 2007, at 3:18 PM, Stephen Smalley wrote:
>
> > On Thu, 2007-04-26 at 14:55 -0500, Joe Nall wrote:
> >> I'm running an mls/permissive policy on FC6 and service and system-config-services start daemons in the user's selinux context rather than those in /etc/selinux/mls/contexts/initrc_context. Since our policies use init_daemon_domain to establish domain transitions, they are not transitioning into the correct domain on user initiated (re)starts.
> >>
> >> "run_init service restart" - works, but leaves us in a situation where documentation doesn't match experience. What is the right approach to getting the transitions to work properly? Patch service and friends? Write a more generic transition?
> >
> > That should be governed by the DIRECT_INITRC= setting in the refpolicy build.conf (or as overridden on the make command line in the .spec file for building the policy). DIRECT_INITRC=y (as in -targeted) turns on direct role transitions and domain transitions from sysadm_r:sysadm_t to system_r:initrc_t and/or system_r:, although we can't yet automatically transition the user identity field.
> >
> > If you want the DIRECT_INITRC=n situation, then yes, you need to integrate run_init or similar functionality into the init script and/or service script infrastructure, as they have done in Hardened Gentoo.
>
> Why does run_init prompt for a root password rather than perform a role check?

The role authorization is handled transparently by policy - if you weren't in an authorized role/domain, then you couldn't use run_init to transition to system_r:initrc_t anyway. Same as with newrole. The re-authentication stage is purely a (weak) countermeasure against invocation by malicious code without user consent - if we had a trusted path mechanism in Linux, we'd use that instead.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Fri Apr 27 15:17:24 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 27 Apr 2007 11:17:24 -0400
Subject: What is special about /home?
In-Reply-To: <1177684795.4818.0.camel@localhost.localdomain>
References: <1177626636.4809.30.camel@localhost.localdomain> <1177684795.4818.0.camel@localhost.localdomain>
Message-ID: <1177687044.3357.21.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2007-04-27 at 08:39 -0600, Forrest Taylor wrote:
> On Thu, 2007-04-26 at 16:30 -0600, Forrest Taylor wrote:
> > I have a .fc file that contains:
> > /home/dir(/.*)?    system_u:object_r:tmp_t:s0
> >
> > When I create the directory, it gets user_home_dir_t and files in the directory get user_home_t. After I load the module, restorecon will not change the permissions on the directory or files. So, what is special about those types? I thought at first that they may be customizable types, but they aren't listed in the file. semanage fcontext doesn't show them either. Any clues?
>
> I forgot to mention that I am using RHEL 5.0.0.
There is an ordering/precedence among the different kinds of file contexts configurations, with the base file_contexts generated from the module .fc files at the lowest priority, the file_context.homedirs file generated by genhomedircon as the next priority, and the file_contexts.local file as the highest priority.

So a module .fc file can be overridden by the genhomedircon-generated entries or by the local file contexts added via semanage fcontext -a. Sounds like you should be using semanage fcontext -a for this instead of a module.

--
Stephen Smalley
National Security Agency

From ftaylor at redhat.com Fri Apr 27 15:34:49 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Fri, 27 Apr 2007 09:34:49 -0600
Subject: What is special about /home?
In-Reply-To: <1177687044.3357.21.camel@moss-spartans.epoch.ncsc.mil>
References: <1177626636.4809.30.camel@localhost.localdomain> <1177684795.4818.0.camel@localhost.localdomain> <1177687044.3357.21.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1177688089.4818.17.camel@localhost.localdomain>

On Fri, 2007-04-27 at 11:17 -0400, Stephen Smalley wrote:
> On Fri, 2007-04-27 at 08:39 -0600, Forrest Taylor wrote:
> > On Thu, 2007-04-26 at 16:30 -0600, Forrest Taylor wrote:
> > > I have a .fc file that contains:
> > > /home/dir(/.*)?    system_u:object_r:tmp_t:s0
> > >
> > > When I create the directory, it gets user_home_dir_t and files in the directory get user_home_t. After I load the module, restorecon will not change the permissions on the directory or files. So, what is special about those types? I thought at first that they may be customizable types, but they aren't listed in the file. semanage fcontext doesn't show them either. Any clues?
> >
> > I forgot to mention that I am using RHEL 5.0.0.
>
> There is an ordering/precedence among the different kinds of file contexts configurations, with the base file_contexts generated from the module .fc files at the lowest priority, the file_context.homedirs file generated by genhomedircon as the next priority, and the file_contexts.local file as the highest priority.
>
> So a module .fc file can be overridden by the genhomedircon-generated entries or by the local file contexts added via semanage fcontext -a. Sounds like you should be using semanage fcontext -a for this instead of a module.

Yes, yes it does. Thanks for the explanation.

Forrest

From dwalsh at redhat.com Fri Apr 27 17:21:42 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 27 Apr 2007 13:21:42 -0400
Subject: service and system-config-services restart daemons in incorrect type under mls policy
In-Reply-To: <1177686480.3357.14.camel@moss-spartans.epoch.ncsc.mil>
References: <87FA012F-047D-48E9-898C-CCDD98029ED5@nall.com> <1177618686.24282.372.camel@moss-spartans.epoch.ncsc.mil> <542B85FA-8F91-4407-A530-7BD4316A313D@nall.com> <1177686480.3357.14.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <46323126.9030002@redhat.com>

Stephen Smalley wrote:
> On Thu, 2007-04-26 at 20:00 -0500, Joe Nall wrote:
>
>> On Apr 26, 2007, at 3:18 PM, Stephen Smalley wrote:
>>
>>> On Thu, 2007-04-26 at 14:55 -0500, Joe Nall wrote:
>>>
>>>> I'm running an mls/permissive policy on FC6 and service and system-config-services start daemons in the user's selinux context rather than those in /etc/selinux/mls/contexts/initrc_context. Since our policies use init_daemon_domain to establish domain transitions, they are not transitioning into the correct domain on user initiated (re)starts.
>>>>
>>>> "run_init service restart" - works, but leaves us in a situation where documentation doesn't match experience. What is the right approach to getting the transitions to work properly? Patch service and friends? Write a more generic transition?
>>>>
>>> That should be governed by the DIRECT_INITRC= setting in the refpolicy build.conf (or as overridden on the make command line in the .spec file for building the policy). DIRECT_INITRC=y (as in -targeted) turns on direct role transitions and domain transitions from sysadm_r:sysadm_t to system_r:initrc_t and/or system_r:, although we can't yet automatically transition the user identity field.
>>>
>>> If you want the DIRECT_INITRC=n situation, then yes, you need to integrate run_init or similar functionality into the init script and/or service script infrastructure, as they have done in Hardened Gentoo.
>>>
>> Why does run_init prompt for a root password rather than perform a role check?
>>
>
> The role authorization is handled transparently by policy - if you weren't in an authorized role/domain, then you couldn't use run_init to transition to system_r:initrc_t anyway. Same as with newrole. The re-authentication stage is purely a (weak) countermeasure against invocation by malicious code without user consent - if we had a trusted path mechanism in Linux, we'd use that instead.
>
Most people are adding pam_rootok to /etc/pam.d/run_init so that it will work for sysadm_t.
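Stephen Smalley's precedence explanation in the "What is special about /home?" thread and Paul Howarth's semanage fcontext fix for the bind-chroot log directory both come down to the same lookup order, so here is one added example serving both (not code from the list or from libselinux): a small Python model of the lookup, with constructed file_contexts, file_contexts.homedirs and file_contexts.local entries. It assumes the genhomedircon pattern /home/[^/]+ and the /var/named/chroot labeling shown are representative, and that lookup searches the concatenated list from the end so the last matching entry wins.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Object-type flags allowed in the second field of a file_contexts entry
# (see file_contexts(5)); an entry without a flag matches any object type.
FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
              "-b": "block", "-s": "socket", "-p": "fifo"}


@dataclass
class Spec:
    regex: re.Pattern
    ftype: Optional[str]     # None: any object type
    context: Optional[str]   # None: <<none>> (leave unlabeled)
    source: str              # which configuration file the entry came from


def parse_file_contexts(text: str, source: str) -> List[Spec]:
    """Parse one file_contexts-style configuration into Spec objects."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, flag, context = fields
            if flag not in FILE_TYPES:
                raise ValueError(f"{source}: unknown object type flag {flag!r}")
            ftype: Optional[str] = FILE_TYPES[flag]
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError(f"{source}: malformed entry {raw!r}")
        # Every pattern is anchored to the whole path, as libselinux does.
        specs.append(Spec(re.compile("^" + pattern + "$"), ftype,
                          None if context == "<<none>>" else context, source))
    return specs


def load_all(base: str, homedirs: str, local: str) -> List[Spec]:
    """Concatenate the three files in the order they are read: file_contexts,
    then file_contexts.homedirs, then file_contexts.local. Lookup walks the
    combined list from the end, so an entry from a later file takes priority."""
    return (parse_file_contexts(base, "file_contexts")
            + parse_file_contexts(homedirs, "file_contexts.homedirs")
            + parse_file_contexts(local, "file_contexts.local"))


def matches(specs: List[Spec], path: str, ftype: Optional[str] = None) -> List[Spec]:
    """All entries matching path (and object type, when both sides give one),
    ordered lowest priority first."""
    found = []
    for spec in specs:
        if spec.ftype is not None and ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.match(path):
            found.append(spec)
    return found


def lookup(specs: List[Spec], path: str,
           ftype: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (context, source) of the winning entry: the last match wins."""
    found = matches(specs, path, ftype)
    if not found:
        return None, None
    return found[-1].context, found[-1].source


# Constructed sample configuration (assumption, not copied from a real system).
# BASE holds what a module .fc like Forrest's contributes to file_contexts plus
# an approximation of the bind-chroot labeling; HOMEDIRS has the shape
# genhomedircon produces; LOCAL is what Paul's 'semanage fcontext -a' adds.
BASE = """
/var/named/chroot(/.*)?          system_u:object_r:named_conf_t:s0
/home/dir(/.*)?                  system_u:object_r:tmp_t:s0
"""
HOMEDIRS = """
/home/[^/]+      -d   system_u:object_r:user_home_dir_t:s0
/home/[^/]+/.+        system_u:object_r:user_home_t:s0
"""
LOCAL = """
/var/named/chroot/var/log(/.*)?  system_u:object_r:var_log_t:s0
"""
SPECS = load_all(BASE, HOMEDIRS, LOCAL)


def explain(path: str, ftype: str) -> str:
    """Trace every candidate entry for path and name the winner."""
    lines = [f"{path} ({ftype}):"]
    for spec in matches(SPECS, path, ftype):
        lines.append(f"  {spec.source:<22} {spec.regex.pattern:<34} {spec.context}")
    ctx, src = lookup(SPECS, path, ftype)
    lines.append(f"  -> {ctx} (from {src})")
    return "\n".join(lines)


if __name__ == "__main__":
    # The module .fc entry loses to genhomedircon's entries, as Forrest saw,
    # while the semanage fcontext entry beats the base policy, as Paul proposed.
    for p, t in [("/home/dir", "dir"), ("/home/dir/notes.txt", "file"),
                 ("/var/named/chroot/var/log/debug.log", "file"),
                 ("/var/named/chroot/etc/named.conf", "file")]:
        print(explain(p, t))
```

Adding /home/dir(/.*)? to file_contexts.local instead of a module .fc would put it at the end of the list and win against the homedirs entries, which is the ordering behind Stephen's advice.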
From sds at tycho.nsa.gov Fri Apr 27 17:30:38 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 27 Apr 2007 13:30:38 -0400
Subject: service and system-config-services restart daemons in incorrect type under mls policy
In-Reply-To: <46323126.9030002@redhat.com>
References: <87FA012F-047D-48E9-898C-CCDD98029ED5@nall.com> <1177618686.24282.372.camel@moss-spartans.epoch.ncsc.mil> <542B85FA-8F91-4407-A530-7BD4316A313D@nall.com> <1177686480.3357.14.camel@moss-spartans.epoch.ncsc.mil> <46323126.9030002@redhat.com>
Message-ID: <1177695038.3357.77.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2007-04-27 at 13:21 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Thu, 2007-04-26 at 20:00 -0500, Joe Nall wrote:
> >
> >> On Apr 26, 2007, at 3:18 PM, Stephen Smalley wrote:
> >>
> >>> On Thu, 2007-04-26 at 14:55 -0500, Joe Nall wrote:
> >>>
> >>>> I'm running an mls/permissive policy on FC6 and service and system-config-services start daemons in the user's selinux context rather than those in /etc/selinux/mls/contexts/initrc_context. Since our policies use init_daemon_domain to establish domain transitions, they are not transitioning into the correct domain on user initiated (re)starts.
> >>>>
> >>>> "run_init service restart" - works, but leaves us in a situation where documentation doesn't match experience. What is the right approach to getting the transitions to work properly? Patch service and friends? Write a more generic transition?
> >>>>
> >>> That should be governed by the DIRECT_INITRC= setting in the refpolicy build.conf (or as overridden on the make command line in the .spec file for building the policy). DIRECT_INITRC=y (as in -targeted) turns on direct role transitions and domain transitions from sysadm_r:sysadm_t to system_r:initrc_t and/or system_r:, although we can't yet automatically transition the user identity field.
> >>>
> >>> If you want the DIRECT_INITRC=n situation, then yes, you need to integrate run_init or similar functionality into the init script and/or service script infrastructure, as they have done in Hardened Gentoo.
> >>>
> >> Why does run_init prompt for a root password rather than perform a role check?
> >>
> >
> > The role authorization is handled transparently by policy - if you weren't in an authorized role/domain, then you couldn't use run_init to transition to system_r:initrc_t anyway. Same as with newrole. The re-authentication stage is purely a (weak) countermeasure against invocation by malicious code without user consent - if we had a trusted path mechanism in Linux, we'd use that instead.
> >
> Most people are adding pam_rootok to /etc/pam.d/run_init so that it will work for sysadm_t.

Ok, they are certainly free to choose that approach (and it nicely allows for either option with a single run_init binary). As long as they understand the rationale for it.

--
Stephen Smalley
National Security Agency

From mike.clarkson at baesystems.com Sat Apr 28 00:34:55 2007
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Fri, 27 Apr 2007 17:34:55 -0700
Subject: getcon/setcon
Message-ID:

getcon and all of its variants as well as setcon do not seem to be installed on my RHEL5 system. Are these commands part of a separate rpm that I need to install?

From ftaylor at redhat.com Sat Apr 28 02:48:30 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Fri, 27 Apr 2007 20:48:30 -0600
Subject: getcon/setcon
In-Reply-To:
References:
Message-ID: <1177728511.21895.4.camel@papa.taylor.com>

On Fri, 2007-04-27 at 17:34 -0700, Clarkson, Mike R (US SSA) wrote:
> getcon and all of its variants as well as setcon do not seem to be installed on my RHEL5 system. Are these commands part of a separate rpm that I need to install?
libselinux-devel contains the getcon/setcon functions.

Forrest

From sds at tycho.nsa.gov Mon Apr 30 12:06:19 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 30 Apr 2007 08:06:19 -0400
Subject: getcon/setcon
In-Reply-To:
References:
Message-ID: <1177934779.16232.5.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2007-04-27 at 17:34 -0700, Clarkson, Mike R (US SSA) wrote:
> getcon and all of its variants as well as setcon do not seem to be installed on my RHEL5 system. Are these commands part of a separate rpm that I need to install?

They are library functions, not commands, and are part of libselinux. libselinux is always installed (as many system components depend on it), but for development of applications that use it, you'll want to install libselinux-devel. Like many (all?) of the other libraries, the main libselinux package only contains the shared library and some utilities; the libselinux-devel package contains the headers, man pages, and static library. You only need the -devel package for your development, not on your production system.

--
Stephen Smalley
National Security Agency

From rob.myers at gtri.gatech.edu Mon Apr 30 14:47:09 2007
From: rob.myers at gtri.gatech.edu (rob myers)
Date: Mon, 30 Apr 2007 10:47:09 -0400
Subject: portcon in a policy module?
Message-ID: <1177944430.1731.13.camel@rxm-581b.stl.gtri.gatech.edu>

hello-

i tried to assign a port type in a policy module like so:

portcon tcp 1521 system_u:object_r:oracle_port_t:s0;

which fails unless i rebuild as a monolithic policy. should this fail or have i got something wrong?

i have found that using "semanage port -a -t oracle_port_t -p tcp 1521" in the rpm post install script works.

what is the proper way to assign a port in a policy module?

thanks for any clues!

rob.
From ftaylor at redhat.com Mon Apr 30 14:53:28 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Mon, 30 Apr 2007 08:53:28 -0600
Subject: portcon in a policy module?
In-Reply-To: <1177944430.1731.13.camel@rxm-581b.stl.gtri.gatech.edu>
References: <1177944430.1731.13.camel@rxm-581b.stl.gtri.gatech.edu>
Message-ID: <1177944808.4880.0.camel@localhost.localdomain>

On Mon, 2007-04-30 at 10:47 -0400, rob myers wrote:
> hello-
>
> i tried to assign a port type in a policy module like so:
>
> portcon tcp 1521 system_u:object_r:oracle_port_t:s0;
>
> which fails unless i rebuild as a monolithic policy. should this fail or have i got something wrong?

Yes, portcon is only valid in the base module.

>
> i have found that using "semanage port -a -t oracle_port_t -p tcp 1521" in the rpm post install script works.
>
> what is the proper way to assign a port in a policy module?

This is the best way unless you are rebuilding the base module.

Forrest

From sds at tycho.nsa.gov Mon Apr 30 14:53:37 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 30 Apr 2007 10:53:37 -0400
Subject: portcon in a policy module?
In-Reply-To: <1177944430.1731.13.camel@rxm-581b.stl.gtri.gatech.edu>
References: <1177944430.1731.13.camel@rxm-581b.stl.gtri.gatech.edu>
Message-ID: <1177944817.16232.30.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-04-30 at 10:47 -0400, rob myers wrote:
> hello-
>
> i tried to assign a port type in a policy module like so:
>
> portcon tcp 1521 system_u:object_r:oracle_port_t:s0;
>
> which fails unless i rebuild as a monolithic policy. should this fail or have i got something wrong?
>
> i have found that using "semanage port -a -t oracle_port_t -p tcp 1521" in the rpm post install script works.
>
> what is the proper way to assign a port in a policy module?
>
> thanks for any clues!

semanage is the right approach for object contexts - they aren't supported in policy modules (yet), and even if they were, there would be the potential for ordering/overriding issues there.

--
Stephen Smalley
National Security Agency

From mike.clarkson at baesystems.com Mon Apr 30 20:12:22 2007
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Mon, 30 Apr 2007 13:12:22 -0700
Subject: trouble using runcon
Message-ID:

Whenever I use runcon in my script, I get the error "root:system_r:datalabeler_t:s0-s15:c0.c255 is not a valid context", regardless of the user, role, type, and mls level that I specify with the runcon command. In fact, even when I specify the context that I'm already running in with the runcon statement, I get the above error.

So for instance, if I run the script WITHOUT the runcon command, it runs fine with the following security context (verified with a ps -efZ command): root:system_r:datalabeler_t:s0-s15:c0.c255. But if I run the script with a runcon statement that specifies the exact same user, role, type, and mls level I get the error shown above.

My script runs in a domain named datalabeler_t (I don't have the problem when running a similar script in the unconfined_t domain). It kicks off a java process with the following line:

java mls.SimulatedImport.SimulatedDataLabeler $argv[*]

When I add the runcon statement, I get the above error:

runcon -u root -r system_r -t datalabeler_t java mls.SimulatedImport.SimulatedDataLabeler $argv[*]

I am using an selinux policy that I built as an mls policy off the targeted policy.

Ultimately what I'd like to be able to do is to use the runcon statement to specify an mls level, but I need to get past this first.

Any help would be appreciated.

Thanks