From psilva at certisign.com.br Mon Jul 2 14:17:17 2007
From: psilva at certisign.com.br (Pedro Silva)
Date: Mon, 02 Jul 2007 11:17:17 -0300
Subject: Bugzilla's AVC: denied
Message-ID: <468908ED.2030209@certisign.com.br>

An HTML attachment was scrubbed. Non-text attachments scrubbed: Certisign (image/jpeg, 5484 bytes); smime.p7s (application/x-pkcs7-signature, 5793 bytes, S/MIME cryptographic signature).

From drago01 at gmail.com Mon Jul 2 16:17:39 2007
From: drago01 at gmail.com (dragoran)
Date: Mon, 02 Jul 2007 18:17:39 +0200
Subject: httpd can't send mails
Message-ID: <46892523.3040601@gmail.com>

I tried to send mails using a PHP script that calls mail(), but when I do it I get this AVC:

audit(1183392777.651:14): avc: denied { read } for pid=25048 comm="sendmail" name="[79366]" dev=eventpollfs ino=79366 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file

The boolean "httpd_can_sendmail" is enabled (true). I restarted the httpd and sendmail services after doing so... but still no success.
Any ideas?

From sundaram at fedoraproject.org Mon Jul 2 17:00:58 2007
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Mon, 02 Jul 2007 22:30:58 +0530
Subject: Proactive SELinux fixes from automatic collection of logs
In-Reply-To: <1183126637.801.41.camel@junko.usersys.redhat.com>
References: <46845B49.2080906@fedoraproject.org> <1183126637.801.41.camel@junko.usersys.redhat.com>
Message-ID: <46892F4A.50608@fedoraproject.org>

John Dennis wrote:
> On Fri, 2007-06-29 at 06:37 +0530, Rahul Sundaram wrote:
>> Hi
>>
>> There are many instances where SELinux policy causes AVC denials while
>> running programs. Some of these are policy issues, some actual bugs in
>> the program or security issues, and others where the denial is rather
>> harmless and can be ignored for all practical purposes.
>>
>> It is sometimes tedious to go and file a bug report methodically on
>> all these denials in the hope that we uncover and fix real policy issues.
>> What would be better is for users to run in some opt-in program that
>> automatically sends either the audit or messages log or both to a central
>> server, and the SELinux developers proactively fix policy issues without
>> the overhead of users filing bug reports.
>>
>> I would gladly run such a program and I would guess that many users would
>> find this a much better and easier way to report issues. We could even
>> tie this to a GUI and first boot in the installer. Kind of a smolt
>> (http://smolt.fedoraproject.org/stats) for SELinux if you will. Comments?
>
> We already have something much like you're suggesting. A while ago it
> was recognized that diagnosing and addressing SELinux AVC denials was a
> significant problem. We designed and built a tool to help with that,
> it's called setroubleshoot.

This requires a GUI, right? My idea would work on any Fedora system.

> 1) Not all AVC denials are bugs. In fact many are due to correct
> operations the sys admin must explicitly enable via a policy boolean.

This is in fact one of my reasons for favoring a more automated collection of AVC denials. Some of the systems don't have any GUI and I don't report bugs unless it prevents programs from working correctly. Maybe there are policy improvements to be made but it is not worth the trouble on many occasions to go and file bug reports for every AVC denial.

> 2) The information contained in an AVC denial is security sensitive. It
> would be a huge security hole to automatically transmit any of this
> information in the form of a bug report or other notification channel.

Encrypt it before transmission and scrub the data before revealing anything. Also this concern is already somewhat offset by the effort described below.

> 3) Automatic collection of user generated reports was an extra
> development effort which also requires a central service. Implementing
> the feature and resources to then manage this central service was deemed
> out of scope, especially taking into consideration points 1 and 2 above.

Since there is an effort now to create infrastructure that allows people to upload logs and get analysis, it wouldn't be too much additional effort. Smolt also already has similar infrastructure in place, which would be a good example to learn from.

Rahul

From bruno at wolff.to Mon Jul 2 17:23:17 2007
From: bruno at wolff.to (Bruno Wolff III)
Date: Mon, 2 Jul 2007 12:23:17 -0500
Subject: httpd can't send mails
In-Reply-To: <46892523.3040601@gmail.com>
References: <46892523.3040601@gmail.com>
Message-ID: <20070702172317.GA17739@wolff.to>

On Mon, Jul 02, 2007 at 18:17:39 +0200, dragoran wrote:
> I tried to send mails using a PHP script that calls mail(), but when I
> do it I get this AVC:
> audit(1183392777.651:14): avc: denied { read } for pid=25048
> comm="sendmail" name="[79366]" dev=eventpollfs ino=79366
> scontext=user_u:system_r:system_mail_t:s0
> tcontext=user_u:system_r:httpd_t:s0 tclass=file
> The boolean "httpd_can_sendmail" is enabled (true).
> I restarted the httpd and sendmail services after doing so... but still
> no success.
> Any ideas?

man httpd_selinux is a good place to start.

From jdennis at redhat.com Mon Jul 2 17:48:31 2007
From: jdennis at redhat.com (John Dennis)
Date: Mon, 02 Jul 2007 13:48:31 -0400
Subject: Proactive SELinux fixes from automatic collection of logs
In-Reply-To: <46892F4A.50608@fedoraproject.org>
References: <46845B49.2080906@fedoraproject.org> <1183126637.801.41.camel@junko.usersys.redhat.com> <46892F4A.50608@fedoraproject.org>
Message-ID: <1183398511.8532.35.camel@finch.boston.redhat.com>

On Mon, 2007-07-02 at 22:30 +0530, Rahul Sundaram wrote:
> John Dennis wrote:
> > We already have something much like you're suggesting. A while ago it
> > was recognized that diagnosing and addressing SELinux AVC denials was a
> > significant problem. We designed and built a tool to help with that,
> > it's called setroubleshoot.
>
> This requires a GUI, right? My idea would work on any Fedora system.

No, a GUI is not required; setroubleshoot-server can be installed on a headless machine. In this configuration the alerts setroubleshoot generates can be sent via email, or one can use sealert in either the GUI or the command line mode to connect to the remote node and view the analysis, or one can ssh into the machine and use the command line mode of sealert. That means at the moment there are 3 different ways you can get setroubleshoot analysis from a machine without an installed GUI.

There are probably more favorable ways of gathering the data from setroubleshoot when managing a collection of nodes. We do have a requirement to better support general auditing from a collection of nodes. Work is proceeding on that front and the plans are to have setroubleshoot be a component in 'aggregate auditing'.

> > 1) Not all AVC denials are bugs. In fact many are due to correct
> > operations the sys admin must explicitly enable via a policy boolean.
>
> This is in fact one of my reasons for favoring a more automated
> collection of AVC denials. Some of the systems don't have any GUI and I
> don't report bugs unless it prevents programs from working correctly.
> Maybe there are policy improvements to be made but it is not worth the
> trouble on many occasions to go and file bug reports for every AVC denial.

Just one problem here: who is going to be responsible for triaging every AVC denial on every installed Fedora system to figure out if it's user error, noise, or a genuine issue? The sheer volume would be overwhelming. One need only consider how long many genuine bugs languish in bugzilla due to inattention, and one has to question just what forwarding all AVC denials is going to accomplish in practical terms. Putting an intelligent human in between the denial event and a bug report gains enormous efficiency, right?

> > 2) The information contained in an AVC denial is security sensitive. It
> > would be a huge security hole to automatically transmit any of this
> > information in the form of a bug report or other notification channel.
>
> Encrypt it before transmission and scrub the data before revealing
> anything. Also this concern is already somewhat offset by the effort
> described below.

Automatically sending security information to a remote third party is not going to be accepted by most users and certainly could not be enabled by default. If automatic transmission is not enabled by default, then what is gained over an administrator of the system being automatically notified of a denial by setroubleshoot and letting them evaluate if this particular AVC denial needs to be elevated to a bug report?

> > 3) Automatic collection of user generated reports was an extra
> > development effort which also requires a central service. Implementing
> > the feature and resources to then manage this central service was deemed
> > out of scope, especially taking into consideration points 1 and 2 above.
>
> Since there is an effort now to create infrastructure that allows people
> to upload logs and get analysis it wouldn't be too much additional
> effort. Smolt also already has similar infrastructure in place which
> would be a good example to learn from.

I will take a look at smolt to see what it offers and what its model is. Perhaps there are things in smolt we could benefit from.

--
John Dennis

From dwalsh at redhat.com Mon Jul 2 18:14:42 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 02 Jul 2007 14:14:42 -0400
Subject: Bugzilla's AVC: denied
In-Reply-To: <468908ED.2030209@certisign.com.br>
References: <468908ED.2030209@certisign.com.br>
Message-ID: <46894092.40206@redhat.com>

Pedro Silva wrote:
> I'm using Bugzilla from the Fedora repository in an F7 system.
> These are the AVC: denied I got so far.
>
> type=AVC msg=audit(1182965584.648:92): avc: denied { read } for pid=3437 comm="index.cgi" name="resolv.conf" dev=dm-0 ino=1211246 scontext=root:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file

Any idea why Bugzilla is reading resolv.conf? Is it trying to translate a UID?

> type=AVC msg=audit(1182965584.648:93): avc: denied { create } for pid=3437 comm="index.cgi" scontext=root:system_r:httpd_bugzilla_script_t:s0 tcontext=root:system_r:httpd_bugzilla_script_t:s0 tclass=udp_socket

Why is it trying to create a UDP socket?

> type=AVC msg=audit(1183036604.813:648): avc: denied { read write } for pid=16313 comm="sendmail" name="[335348]" dev=sockfs ino=335348 scontext=root:system_r:system_mail_t:s0 tcontext=root:system_r:httpd_bugzilla_script_t:s0 tclass=unix_stream_socket

This looks potentially like a leaked file descriptor? Or is sendmail reading and writing to a unix_stream_socket created by the Bugzilla CGI? Could you run this in permissive mode to gather all of the AVC messages?

> This last one is the only one that keeps happening after the initial
> configuration.
>
> Bugzilla seems to work just fine; no mail notification seems to be lost.
>
> The mailer in this system is Postfix.
>
> I think Bugzilla is trying to create a file in /var/lib/bugzilla/data
> without success.
>
> --
>
> CERTISIGN **Pedro Silva**
> Especialista de Desenvolvimento
> (21) 4501 1026
>
> Certisign Certificadora Digital
> certisign.com.br
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Mon Jul 2 18:18:10 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 02 Jul 2007 14:18:10 -0400
Subject: httpd can't send mails
In-Reply-To: <20070702172317.GA17739@wolff.to>
References: <46892523.3040601@gmail.com> <20070702172317.GA17739@wolff.to>
Message-ID: <46894162.5030500@redhat.com>

Bruno Wolff III wrote:
> On Mon, Jul 02, 2007 at 18:17:39 +0200, dragoran wrote:
>
>> I tried to send mails using a PHP script that calls mail(), but when I
>> do it I get this AVC:
>> audit(1183392777.651:14): avc: denied { read } for pid=25048
>> comm="sendmail" name="[79366]" dev=eventpollfs ino=79366
>> scontext=user_u:system_r:system_mail_t:s0
>> tcontext=user_u:system_r:httpd_t:s0 tclass=file
>> The boolean "httpd_can_sendmail" is enabled (true).
>> I restarted the httpd and sendmail services after doing so... but still
>> no success.
>> Any ideas?
>>

If you use

    # grep http /var/log/audit/audit.log | audit2allow -M myhttp
    # semodule -i myhttp.pp

does the mail work?

> man httpd_selinux
> is a good place to start.

From smooge at gmail.com Mon Jul 2 18:30:11 2007
From: smooge at gmail.com (Stephen John Smoogen)
Date: Mon, 2 Jul 2007 12:30:11 -0600
Subject: Proactive SELinux fixes from automatic collection of logs
In-Reply-To: <1183398511.8532.35.camel@finch.boston.redhat.com>
References: <46845B49.2080906@fedoraproject.org> <1183126637.801.41.camel@junko.usersys.redhat.com> <46892F4A.50608@fedoraproject.org> <1183398511.8532.35.camel@finch.boston.redhat.com>
Message-ID: <80d7e4090707021130v3640ca5bob1caef9f641a966a@mail.gmail.com>

On 7/2/07, John Dennis wrote:
> On Mon, 2007-07-02 at 22:30 +0530, Rahul Sundaram wrote:
> > > 2) The information contained in an AVC denial is security sensitive. It
> > > would be a huge security hole to automatically transmit any of this
> > > information in the form of a bug report or other notification channel.
> >
> > Encrypt it before transmission and scrub the data before revealing
> > anything. Also this concern is already somewhat offset by the effort
> > described below.
>
> Automatically sending security information to a remote third party is
> not going to be accepted by most users and certainly could not be
> enabled by default. If automatic transmission is not enabled by default
> then what is gained over an administrator of the system being
> automatically notified of a denial by setroubleshoot and letting them
> evaluate if this particular AVC denial needs to be elevated to a bug
> report?
>

Also scrubbing the data can be very hard, since the information that could be sensitive is more than user name/IP address. While there might be some statistical information that could be picked up (hmmm, 4000 users have problems with /xen installations... maybe we should see if there is a problem with the policy and what people think they are doing).

Another issue I could see is that if someone opted into the program, and Fedora 'witnesses' a break-in (or some other criminal act) via an SELinux report... what are the reporting requirements (depending on the nation that the servers are in and where the client is)?

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

From drago01 at gmail.com Mon Jul 2 18:32:33 2007
From: drago01 at gmail.com (dragoran)
Date: Mon, 02 Jul 2007 20:32:33 +0200
Subject: httpd can't send mails
In-Reply-To: <46894162.5030500@redhat.com>
References: <46892523.3040601@gmail.com> <20070702172317.GA17739@wolff.to> <46894162.5030500@redhat.com>
Message-ID: <468944C1.9090606@gmail.com>

Daniel J Walsh wrote:
> Bruno Wolff III wrote:
>> On Mon, Jul 02, 2007 at 18:17:39 +0200, dragoran wrote:
>>
>>> I tried to send mails using a PHP script that calls mail(), but when
>>> I do it I get this AVC:
>>> audit(1183392777.651:14): avc: denied { read } for pid=25048
>>> comm="sendmail" name="[79366]" dev=eventpollfs ino=79366
>>> scontext=user_u:system_r:system_mail_t:s0
>>> tcontext=user_u:system_r:httpd_t:s0 tclass=file
>>> The boolean "httpd_can_sendmail" is enabled (true).
>>> I restarted the httpd and sendmail services after doing so... but
>>> still no success.
>>> Any ideas?
>>>
> If you use
>
> # grep http /var/log/audit/audit.log | audit2allow -M myhttp
> # semodule -i myhttp.pp
>
> Does the mail work?

The mail was another issue (the server was not accepting mails from my IP) (first I tried with setenforce 0 and it was the same)... but still, what does this AVC mean? Is it a bug in the policy?

From shin216 at xf7.so-net.ne.jp Mon Jul 2 18:47:59 2007
From: shin216 at xf7.so-net.ne.jp (Shintaro Fujiwara)
Date: Tue, 03 Jul 2007 03:47:59 +0900
Subject: httpd can't send mails
Message-ID: <1183402079.2659.14.camel@mama.intrajp-yokosuka.co.jp>

> I tried to send mails using a PHP script that calls mail(), but when I
> do it I get this AVC:
> audit(1183392777.651:14): avc: denied { read } for pid=25048
> comm="sendmail" name="[79366]" dev=eventpollfs ino=79366
> scontext=user_u:system_r:system_mail_t:s0
> tcontext=user_u:system_r:httpd_t:s0 tclass=file
> The boolean "httpd_can_sendmail" is enabled (true).
> I restarted the httpd and sendmail services after doing so... but still
> no success.
> Any ideas?

Hi,

Why don't you edit the policy and update it? Maybe you can do it by editing a few files and typing several commands.

If you are using postfix, here's what I did. I made an interface for postfix.

########################################
## <summary>
##	for xoops sending mail from postfix.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to send mails.
##	</summary>
## </param>
#
interface(`xoops_send_mail_by_postfix',`
	gen_require(`
		type bin_t;
		type smtp_port_t;
		type sendmail_exec_t;
	')

	allow $1 bin_t:dir search;
	allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
	allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
')

1. I downloaded the source of refpolicy.
2. I copied the postfix ones and the apache ones to /usr/share/selinux/devel.
3. I edited the first line of postfix.te so that the version number becomes larger than the original one.
4. I added the above interface to postfix.if.
5. I added xoops_send_mail_by_postfix(httpd_t) to apache.te and also edited the first line like postfix.
6. # make clean
7. # make
8. # semodule -u postfix.pp
9. # semodule -u apache.pp

From drago01 at gmail.com Mon Jul 2 20:25:55 2007
From: drago01 at gmail.com (dragoran)
Date: Mon, 02 Jul 2007 22:25:55 +0200
Subject: httpd can't send mails
In-Reply-To: <1183402079.2659.14.camel@mama.intrajp-yokosuka.co.jp>
References: <1183402079.2659.14.camel@mama.intrajp-yokosuka.co.jp>
Message-ID: <46895F53.2090902@gmail.com>

Shintaro Fujiwara wrote:
>> I tried to send mails using a PHP script that calls mail(), but when I
>> do it I get this AVC:
>> audit(1183392777.651:14): avc: denied { read } for pid=25048
>> comm="sendmail" name="[79366]" dev=eventpollfs ino=79366
>> scontext=user_u:system_r:system_mail_t:s0
>> tcontext=user_u:system_r:httpd_t:s0 tclass=file
>> The boolean "httpd_can_sendmail" is enabled (true).
>> I restarted the httpd and sendmail services after doing so... but still
>> no success.
>> Any ideas?
>>
>
> Hi,
>
> Why don't you edit the policy and update it?
> Maybe you can do it by editing a few files and
> typing several commands.
>
> If you are using postfix, here's what I did.
> I made an interface for postfix.
>
> ########################################
> ## <summary>
> ##	for xoops sending mail from postfix.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed to send mails.
> ##	</summary>
> ## </param>
> #
> interface(`xoops_send_mail_by_postfix',`
> 	gen_require(`
> 		type bin_t;
> 		type smtp_port_t;
> 		type sendmail_exec_t;
> 	')
>
> 	allow $1 bin_t:dir search;
> 	allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
> 	allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
> ')
>
> 1. I downloaded the source of refpolicy.
> 2. I copied the postfix ones and the apache ones to /usr/share/selinux/devel.
> 3. I edited the first line of postfix.te so that the version number becomes
> larger than the original one.
> 4. I added the above interface to postfix.if.
> 5. I added xoops_send_mail_by_postfix(httpd_t) to apache.te and also
> edited the first line like postfix.
> 6. # make clean
> 7. # make
> 8. # semodule -u postfix.pp
> 9. # semodule -u apache.pp
>

Did this fix this kind of AVCs for you?
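The eventpollfs denial quoted in the post above, together with the Bugzilla denials earlier in this thread, is exactly the kind of record an administrator has to read before deciding whether the rule audit2allow prints is the right fix. What follows is an added example (my own code, not from the list posts, from audit2allow or from any Fedora/SELinux tool) that parses AVC records and separates three cases: a process acting on itself (scontext equal to tcontext, as in the execmem and udp_socket create denials), ordinary access to a labelled object (target role object_r, as with net_conf_t), and the leaked-descriptor pattern Dan Walsh raises, where the target context is another process domain but the object class is a file or socket, which normally means the child inherited an open fd across the domain transition (a name="[NNN]" with dev=eventpollfs or sockfs is an anonymous inode, not a path). The sample lines are the ones posted in this thread, re-joined where the archive wrapped them; the classification heuristic and the dontaudit suggestion for leaks are my own reading of the discussion, not the policy team's rules.

```python
"""Triage SELinux AVC denials: parse the record, decide what kind of
access it represents, and give the audit2allow-style rule next to the
one I would actually consider for that kind.

Added example for the fedora-selinux-list thread "httpd can't send
mails"; it is not code from the list or from the SELinux tool chain.
The FD_CLASSES heuristic is mine.
"""
import re
from dataclasses import dataclass

# "avc: denied { read write } for pid=... comm=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values are quoted (comm="sendmail") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes reached through an open file descriptor.  A denial in
# one of these whose *target* is another process domain (role is not
# object_r) means the descriptor was inherited, not opened by the child.
FD_CLASSES = {"file", "fd", "fifo_file", "unix_stream_socket",
              "unix_dgram_socket", "tcp_socket", "udp_socket"}


@dataclass
class Avc:
    perms: list
    scontext: str
    tcontext: str
    tclass: str
    fields: dict      # every key=value pair after "for", unquoted


def parse_avc(line):
    """Return an Avc for an 'avc: denied' record, None for anything else
    (SYSCALL records, granted AVCs, unrelated audit lines)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        return Avc(m.group("perms").split(), fields["scontext"],
                   fields["tcontext"], fields["tclass"], fields)
    except KeyError:
        return None      # truncated record: do not guess


def ctx_role(ctx):
    return ctx.split(":")[1]     # user:role:type[:range]


def ctx_type(ctx):
    return ctx.split(":")[2]


def classify(avc):
    """'self': process acting on its own objects (execmem, creating a
    socket); 'fd_leak': fd-backed class whose target is another process
    domain; 'object': ordinary access to a labelled object."""
    if avc.scontext == avc.tcontext:
        return "self"
    if avc.tclass in FD_CLASSES and ctx_role(avc.tcontext) != "object_r":
        return "fd_leak"
    return "object"


def suggest_rule(avc):
    """The rule audit2allow would emit, except that a leaked descriptor
    gets a dontaudit: letting sendmail read httpd's epoll fd or socket
    is broader than the application needs, and the durable fix is
    close-on-exec in the parent."""
    kind = classify(avc)
    src = ctx_type(avc.scontext)
    tgt = "self" if kind == "self" else ctx_type(avc.tcontext)
    perms = (avc.perms[0] if len(avc.perms) == 1
             else "{ " + " ".join(avc.perms) + " }")
    verb = "dontaudit" if kind == "fd_leak" else "allow"
    return f"{verb} {src} {tgt}:{avc.tclass} {perms};"


def triage(lines):
    """(kind, suggested rule) for every AVC denial in the input."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            out.append((classify(avc), suggest_rule(avc)))
    return out


# Records quoted in this thread, re-joined where the archive wrapped them.
SAMPLE_LOG = [
    'audit(1183392777.651:14): avc: denied { read } for pid=25048 comm="sendmail" name="[79366]" dev=eventpollfs ino=79366 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file',
    'type=AVC msg=audit(1182965584.648:92): avc: denied { read } for pid=3437 comm="index.cgi" name="resolv.conf" dev=dm-0 ino=1211246 scontext=root:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file',
    'type=AVC msg=audit(1182965584.648:93): avc: denied { create } for pid=3437 comm="index.cgi" scontext=root:system_r:httpd_bugzilla_script_t:s0 tcontext=root:system_r:httpd_bugzilla_script_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1183036604.813:648): avc: denied { read write } for pid=16313 comm="sendmail" name="[335348]" dev=sockfs ino=335348 scontext=root:system_r:system_mail_t:s0 tcontext=root:system_r:httpd_bugzilla_script_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1183407589.500:113): avc: denied { execmem } for pid=11095 comm="ld-linux.so.2" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1183407589.500:113): arch=40000003 syscall=192 success=no exit=-13 comm="ld-linux.so.2" exe="/lib/ld-2.6.so"',
]

if __name__ == "__main__":
    for kind, rule in triage(SAMPLE_LOG):
        print(f"{kind:8} {rule}")
```

Feed it `grep avc /var/log/audit/audit.log` instead of SAMPLE_LOG and the "object" rows are the ones worth checking against `getsebool -a` and `man httpd_selinux` before writing a module; the "fd_leak" rows are the ones where `audit2allow -M` would quietly over-grant.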
From dwalsh at redhat.com Mon Jul 2 20:31:42 2007 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 02 Jul 2007 16:31:42 -0400
Subject: httpd can't send mails
In-Reply-To: <46895F53.2090902@gmail.com>
References: <1183402079.2659.14.camel@mama.intrajp-yokosuka.co.jp> <46895F53.2090902@gmail.com>
Message-ID: <468960AE.4020509@redhat.com>

dragoran wrote:
> Shintaro Fujiwara wrote:
>>> I tried to send mails using a PHP script that calls mail(), but when I
>>> do it I get this AVC:
>>> audit(1183392777.651:14): avc: denied { read } for pid=25048
>>> comm="sendmail" name="[79366]" dev=eventpollfs ino=79366
>>> scontext=user_u:system_r:system_mail_t:s0
>>> tcontext=user_u:system_r:httpd_t:s0 tclass=file
>>> The boolean "httpd_can_sendmail" is enabled (true).
>>> I restarted the httpd and sendmail services after doing so... but still
>>> no success.
>>> Any ideas?
>>>
>>
>> Hi,
>>
>> Why don't you edit the policy and update it?
>> Maybe you can do it by editing a few files and
>> typing several commands.
>>
>> If you are using postfix, here's what I did.
>> I made an interface for postfix.
>>
>> ########################################
>> ## <summary>
>> ##	for xoops sending mail from postfix.
>> ## </summary>
>> ## <param name="domain">
>> ##	<summary>
>> ##	Domain allowed to send mails.
>> ##	</summary>
>> ## </param>
>> #
>> interface(`xoops_send_mail_by_postfix',`
>> 	gen_require(`
>> 		type bin_t;
>> 		type smtp_port_t;
>> 		type sendmail_exec_t;
>> 	')
>>
>> 	allow $1 bin_t:dir search;
>> 	allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
>> 	allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
>> ')
>>
>> 1. I downloaded the source of refpolicy.
>> 2. I copied the postfix ones and the apache ones to /usr/share/selinux/devel.
>> 3. I edited the first line of postfix.te so that the version number becomes
>> larger than the original one.
>> 4. I added the above interface to postfix.if.
>> 5. I added xoops_send_mail_by_postfix(httpd_t) to apache.te and also
>> edited the first line like postfix.
>> 6. # make clean
>> 7. # make
>> 8. # semodule -u postfix.pp
>> 9. # semodule -u apache.pp
>>
> Did this fix this kind of AVCs for you?

What platform and what version of policy? Current policy looks like it has these rules.

From selinux at gmail.com Mon Jul 2 20:35:38 2007
From: selinux at gmail.com (Tom London)
Date: Mon, 2 Jul 2007 13:35:38 -0700
Subject: ldd fails for executables requiring execstack/execmem!? ld-linux.so.2 misbehaves?
Message-ID: <4c4ba1530707021335u342c2486sed4d48ad43c19826@mail.gmail.com>

I'm running the latest Rawhide, selinux-policy-3.0.1-4.fc8 targeted/enforcing.

The 'ldd' command (/usr/bin/ldd) fails for me when I target it at executables requiring execstack or execmem. For example, here is what happens when I try 'ldd' against /usr/bin/skype:

[root at localhost ~]# getenforce
Enforcing
[root at localhost ~]# ldd /usr/bin/skype
        not a dynamic executable
[root at localhost ~]# setenforce 0
[root at localhost ~]# ldd /usr/bin/skype
        linux-gate.so.1 =>  (0x00110000)
        libasound.so.2 => /lib/libasound.so.2 (0x46f1f000)
        librt.so.1 => /lib/librt.so.1 (0x469c3000)
        <<<<<>>>>
        libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x4625c000)
        libcap.so.1 => /lib/libcap.so.1 (0x46b1d000)
        libexpat.so.0 => /lib/libexpat.so.0 (0x46348000)
[root at localhost ~]#

Here is a typical AVC generated by the above:

type=AVC msg=audit(1183407589.500:113): avc: denied { execmem } for pid=11095 comm="ld-linux.so.2" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1183407589.500:113): arch=40000003 syscall=192 success=no exit=-13 a0=8048000 a1=aa8000 a2=7 a3=812 items=0 ppid=11094 pid=11095 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.6.so" subj=system_u:system_r:unconfined_t:s0 key=(null)

Interestingly, setting 'allow_execstack' to one via 'setsebool allow_execstack=1' eliminates the AVC and makes the 'ldd' command succeed:

[root at localhost ~]# setsebool allow_execstack=1
[root at localhost ~]# getenforce
Enforcing
[root at localhost ~]# ldd /usr/bin/skype
        linux-gate.so.1 =>  (0x00110000)
        libasound.so.2 => /lib/libasound.so.2 (0x46f1f000)
        librt.so.1 => /lib/librt.so.1 (0x469c3000)
        <<<<>>>

Of course, this happens with other files as well (e.g., vmware, ....).

The problem appears to hit ld-linux.so.2 badly.... Preloading libraries that require execstack/execmem (and text relocation?) generates AVCs and fails. This causes particular problems with the scripts that start vmware.

'setroubleshoot' suggests setting /lib/ld-linux.so.2 to 'unconfined_execmem_exec_t', but that seems just wrong.

Can someone shed some light on what is happening here? Path to enlightenment?

thanks,

tom
--
Tom London

From shin216 at xf7.so-net.ne.jp Mon Jul 2 22:00:36 2007
From: shin216 at xf7.so-net.ne.jp (Shintaro Fujiwara)
Date: Tue, 03 Jul 2007 07:00:36 +0900
Subject: httpd can't send mails
In-Reply-To: <468960AE.4020509@redhat.com>
References: <1183402079.2659.14.camel@mama.intrajp-yokosuka.co.jp> <46895F53.2090902@gmail.com> <468960AE.4020509@redhat.com>
Message-ID: <1183413636.2659.30.camel@mama.intrajp-yokosuka.co.jp>

> dragoran wrote:
> > Shintaro Fujiwara wrote:
> >>> I tried to send mails using a PHP script that calls mail(), but when I
> >>> do it I get this AVC:
> >>> audit(1183392777.651:14): avc: denied { read } for pid=25048
> >>> comm="sendmail" name="[79366]" dev=eventpollfs ino=79366
> >>> scontext=user_u:system_r:system_mail_t:s0
> >>> tcontext=user_u:system_r:httpd_t:s0 tclass=file
> >>> The boolean "httpd_can_sendmail" is enabled (true).
> >>> I restarted the httpd and sendmail services after doing so... but still
> >>> no success.
> >>> Any ideas?
> >>>
> >>
> >> Hi,
> >>
> >> Why don't you edit the policy and update it?
> >> Maybe you can do it by editing a few files and
> >> typing several commands.
> >>
> >> If you are using postfix, here's what I did.
> >> I made an interface for postfix.
> >>
> >> ########################################
> >> ## <summary>
> >> ##	for xoops sending mail from postfix.
> >> ## </summary>
> >> ## <param name="domain">
> >> ##	<summary>
> >> ##	Domain allowed to send mails.
> >> ##	</summary>
> >> ## </param>
> >> #
> >> interface(`xoops_send_mail_by_postfix',`
> >> 	gen_require(`
> >> 		type bin_t;
> >> 		type smtp_port_t;
> >> 		type sendmail_exec_t;
> >> 	')
> >>
> >> 	allow $1 bin_t:dir search;
> >> 	allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
> >> 	allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
> >> ')
> >>
> >> 1. I downloaded the source of refpolicy.
> >> 2. I copied the postfix ones and the apache ones to /usr/share/selinux/devel.
> >> 3. I edited the first line of postfix.te so that the version number becomes
> >> larger than the original one.
> >> 4. I added the above interface to postfix.if.
> >> 5. I added xoops_send_mail_by_postfix(httpd_t) to apache.te and also
> >> edited the first line like postfix.
> >> 6. # make clean
> >> 7. # make
> >> 8. # semodule -u postfix.pp
> >> 9. # semodule -u apache.pp
> >>
> > Did this fix this kind of AVCs for you?
> What platform and what version of policy? Current policy looks like it
> has these rules.

Oh, I'm now using selinux-policy-strict-2.4.6-13.fc6 on an FC6 server. I'm now converting my own policies to F7. You are right. You guys made much progress on that. I will check if I can send mail from a PHP script, without any errors, on F7. I'm always relying on Dan's page, of course. Thanks!

Hey, we're having an SELinux meeting in Japan tomorrow.

Hi, dragoran,

Oh, system_mail_t... That is not my case but I think it's close. Why don't you relabel your mail agent's exec file to bin_t?

From dac at tresys.com Tue Jul 3 13:10:56 2007
From: dac at tresys.com (David Caplan)
Date: Tue, 3 Jul 2007 09:10:56 -0400
Subject: httpd can't send mails
In-Reply-To: <1183402079.2659.14.camel@mama.intrajp-yokosuka.co.jp>
Message-ID: <6FE441CD9F0C0C479F2D88F959B01588D01F63@exchange.columbia.tresys.com>

Hi,

> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-
> bounces at redhat.com] On Behalf Of Shintaro Fujiwara
> Sent: Monday, July 02, 2007 2:48 PM
> To: fedora-selinux-list
> Subject: Re: httpd can't send mails
>
>
> If you are using postfix, here's what I did.
> I made an interface for postfix.
>
> ########################################
> ## <summary>
> ##	for xoops sending mail from postfix.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed to send mails.
> ##	</summary>
> ## </param>
> #
> interface(`xoops_send_mail_by_postfix',`
> 	gen_require(`
> 		type bin_t;
> 		type smtp_port_t;
> 		type sendmail_exec_t;
> 	')
>
> 	allow $1 bin_t:dir search;
> 	allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
> 	allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
> ')
>

If you have the full reference policy source you should use defined interfaces instead of breaking encapsulation of the types. For example, you can rewrite your interface without any requires as:

interface(`xoops_send_mail_by_postfix',`
	corecmd_search_bin($1)

	corenet_tcp_connect_smtp_port($1)
	corenet_tcp_sendrecv_smtp_port($1)

	mta_exec($1)
')

David

From shin216 at xf7.so-net.ne.jp Tue Jul 3 23:16:47 2007
From: shin216 at xf7.so-net.ne.jp (Shintaro Fujiwara)
Date: Wed, 04 Jul 2007 08:16:47 +0900
Subject: httpd can't send mails
In-Reply-To: <6FE441CD9F0C0C479F2D88F959B01588D01F63@exchange.columbia.tresys.com>
References: <6FE441CD9F0C0C479F2D88F959B01588D01F63@exchange.columbia.tresys.com>
Message-ID: <1183504607.2672.9.camel@mama.intrajp-yokosuka.co.jp>

> Hi,
>
> > -----Original Message-----
> > From: fedora-selinux-list-bounces at redhat.com
> [mailto:fedora-selinux-list-
> > bounces at redhat.com] On Behalf Of Shintaro Fujiwara
> > Sent: Monday, July 02, 2007 2:48 PM
> > To: fedora-selinux-list
> > Subject: Re: httpd can't send mails
> >
> >
> > If you are using postfix, here's what I did.
> > I made an interface for postfix.
> >
> > ########################################
> > ## <summary>
> > ##	for xoops sending mail from postfix.
> > ## </summary>
> > ## <param name="domain">
> > ##	<summary>
> > ##	Domain allowed to send mails.
> > ##	</summary>
> > ## </param>
> > #
> > interface(`xoops_send_mail_by_postfix',`
> > 	gen_require(`
> > 		type bin_t;
> > 		type smtp_port_t;
> > 		type sendmail_exec_t;
> > 	')
> >
> > 	allow $1 bin_t:dir search;
> > 	allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
> > 	allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
> > ')
> >
>
> If you have the full reference policy source you should use defined
> interfaces instead of breaking encapsulation of the types. For example,
> you can rewrite your interface without any requires as:
>
> interface(`xoops_send_mail_by_postfix',`
> 	corecmd_search_bin($1)
>
> 	corenet_tcp_connect_smtp_port($1)
> 	corenet_tcp_sendrecv_smtp_port($1)
>
> 	mta_exec($1)
> ')
>
> David

Thanks! That's what I'm aiming at in the near future.

As a matter of fact, I printed every interface and felt at a loss because of its thickness. On what page or in what software can I find those defined interfaces? SLIDE?

I once wrote such a piece of software named segatex... Why is audit2allow just echoing raw access vectors and not interfaces? I think if audit2allow had such an option, it would be more convenient and rewarding. Maybe I should rewrite my own program ...segatex... by this summer, though. Or are there other projects doing the same thing? Karl's project?

http://sourceforge.net/projects/segatex/
http://intrajp.no-ip.com my homepage
Officer, System-Information, Signal School, JGSDF

From psilva at certisign.com.br Wed Jul 4 13:31:36 2007
From: psilva at certisign.com.br (Pedro Silva)
Date: Wed, 04 Jul 2007 10:31:36 -0300
Subject: Bugzilla's AVC: denied
In-Reply-To: <46894092.40206@redhat.com>
References: <468908ED.2030209@certisign.com.br> <46894092.40206@redhat.com>
Message-ID: <468BA138.1090208@certisign.com.br>

From dac at tresys.com Wed Jul 4 14:35:50 2007
From: dac at tresys.com (David Caplan)
Date: Wed, 4 Jul 2007 10:35:50 -0400
Subject: refpolicy interfaces (was RE: httpd can't send mails)
In-Reply-To: <1183504607.2672.9.camel@mama.intrajp-yokosuka.co.jp>
Message-ID: <6FE441CD9F0C0C479F2D88F959B01588D02010@exchange.columbia.tresys.com>
> From: Shintaro Fujiwara [mailto:shin216 at xf7.so-net.ne.jp] [text cut] > > As a matter of fact, I printed every interfaces and felt at a loss, > because of its thickness. > Yes, not a good idea. :) > In what page or Software can I find those defined interfaces ? > SLIDE ? > SLIDE has multiple features that can help you find interfaces. Its default configuration brings up an Interfaces window on the right side. The interfaces are grouped by layer (e.g., kernel, services, apps, etc.) and then by module. If you left click on an interface name, SLIDE shows you the policy source for the interface in the Declaration tabbed window at the bottom. You do need to understand the convention used for interface names and have a general idea of where an interface might be found. SLIDE gives you interface completion in the module editing window when you type . The completion pop-up shows initial matches in module names up until the first underscore, '_'. For example, if I type "core" and hit , SLIDE will show me the possible completions are "corecommands" and "corenetworks", and it will show me a summary comment for each one. If I pick "corecommands" SLIDE completes the first part of the interface, "corecmd_", and then it will show all of the interfaces that start with "corecmd_" and short descriptions of each one. I select which interface I want, let's say "corecmd_bin_domtrans", and SLIDE pastes the full name in with "()" and shows a hint about what arguments are required for the interface (in this case it shows, "domain, target_domain"). You can also press between the parentheses to see the parameter popup again. The descriptions are only as complete as the authors made them. The general format of interfaces and syntax conventions can be found on the Reference Policy pages, , and I'm sure Chris PeBenito would welcome any Reference Policy patches that expand the interface documentation. SLIDE, has plenty of documentation and we would welcome any suggestions. 
> I once wrote such a software named segatex... > > Why audit2allow is just echoing raw access vectors and not interfaces ? It is a simple tool designed to make it easy for people whose main objective is to get their application working. It is useful in providing a quick summary of the denials in the logs, but if you're trying to develop a strict policy you should not simply accept the output of audit2allow as your policy. > I think if audit2allow has such an option, it would be more convenient > and rewarding. > I believe that is Karl's objective with Madison/sepolgen. Matching an appropriate interface is not an easy problem. Even if you have a tool that can suggest the appropriate interface you still need to consider if the access is really required (quite often applications ask for access they don't really need) and, if so, if you should allow the access or fix the application. > Maybe I should rewrite my own program ...segatex...by this > summer,though. > Or are there other project doing the same thing? > Karl's project? > > http://sourceforge.net/projects/segatex/ > > http://intrajp.no-ip.com my homepage > > > Officer,System-Information,Signal School, JGSDF > > > From shin216 at xf7.so-net.ne.jp Wed Jul 4 15:39:37 2007 From: shin216 at xf7.so-net.ne.jp (Shintaro Fujiwara) Date: Thu, 05 Jul 2007 00:39:37 +0900 Subject: refpolicy interfaces (was RE: httpd can't send mails) In-Reply-To: <6FE441CD9F0C0C479F2D88F959B01588D02010@exchange.columbia.tresys.com> References: <6FE441CD9F0C0C479F2D88F959B01588D02010@exchange.columbia.tresys.com> Message-ID: <1183563577.2671.19.camel@mama.intrajp-yokosuka.co.jp> 
> > From: Shintaro Fujiwara [mailto:shin216 at xf7.so-net.ne.jp] > [text cut] > > > > As a matter of fact, I printed every interfaces and felt at a loss, > > because of its thickness. > > > > Yes, not a good idea. :) Everybody laughed at me, but I was so serious. > > In what page or Software can I find those defined interfaces ? > > SLIDE ? > > > > SLIDE has multiple features that can help you find interfaces. Its > default configuration brings up an Interfaces window on the right side. > The interfaces are grouped by layer (e.g., kernel, services, apps, etc.) > and then by module. If you left click on an interface name, SLIDE shows > you the policy source for the interface in the Declaration tabbed window > at the bottom. You do need to understand the convention used for > interface names and have a general idea of where an interface might be > found. > > SLIDE gives you interface completion in the module editing window when > you type . The completion pop-up shows initial matches in > module names up until the first underscore, '_'. For example, if I type > "core" and hit , SLIDE will show me the possible > completions are "corecommands" and "corenetworks", and it will show me a > summary comment for each one. If I pick "corecommands" SLIDE completes > the first part of the interface, "corecmd_", and then it will show all > of the interfaces that start with "corecmd_" and short descriptions of > each one. I select which interface I want, let's say > "corecmd_bin_domtrans", and SLIDE pastes the full name in with "()" and > shows a hint about what arguments are required for the interface (in > this case it shows, "domain, target_domain"). You can also press > between the parentheses to see the parameter popup > again. > > The descriptions are only as complete as the authors made them. 
The > general format of interfaces and syntax conventions can be found on the > Reference Policy pages, , and > I'm sure Chris PeBenito would welcome any Reference Policy patches that > expand the interface documentation. SLIDE, > has plenty of documentation and > we would welcome any suggestions. > Thanks for your lecture. I think I can work on SLIDE and could find out what I really need. > > I once wrote such a software named segatex... > > > > Why audit2allow is just echoing raw access vectors and not interfaces > ? > > It is a simple tool designed to make it easy for people whose main > objective is to get their application working. It is useful in providing > a quick summary of the denials in the logs, but if you're trying to > develop a strict policy you should not simply accept the output of > audit2allow as your policy. > > > I think if audit2allow has such an option, it would be more convenient > > and rewarding. > > > > I believe that is Karl's objective with Madison/sepolgen. Matching an > appropriate interface is not an easy problem. > > Even if you have a tool that can suggest the appropriate interface you > still need to consider if the access is really required (quite often > applications ask for access they don't really need) and, if so, if you > should allow the access or fix the application. You're totally right. We should reconsider what we echoed by audit2allow even if we could work our own modules on our machines. Surely, interfaces would provide more privileges than what is really needed... I rethought that httpd_t can execute bin_t would not be a good solution... I can co-operate any time on you guys work and want to make a small bounce on computer security. I recognized that what I want and you guys want is the same... Thanks ! We're waiting you guys come to our country and talk on your beliefs. 
################################################## member, Secure-OS Users Group, JP Officer, System-Information, Signal School, JGSDF ################################################## > > Maybe I should rewrite my own program ...segatex...by this > > summer,though. > > Or are there other project doing the same thing? > > Karl's project? > > > > http://sourceforge.net/projects/segatex/ > > > > http://intrajp.no-ip.com my homepage > > > > > > Officer,System-Information,Signal School, JGSDF > > > > > > From sds at tycho.nsa.gov Thu Jul 5 12:29:26 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 05 Jul 2007 08:29:26 -0400 Subject: httpd can't send mails In-Reply-To: <1183504607.2672.9.camel@mama.intrajp-yokosuka.co.jp> References: <6FE441CD9F0C0C479F2D88F959B01588D01F63@exchange.columbia.tresys.com> <1183504607.2672.9.camel@mama.intrajp-yokosuka.co.jp> Message-ID: <1183638566.12218.331.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-07-04 at 08:16 +0900, Shintaro Fujiwara wrote: > > Hi, > > > > > -----Original Message----- 
> > > From: fedora-selinux-list-bounces at redhat.com > > [mailto:fedora-selinux-list- > > > bounces at redhat.com] On Behalf Of Shintaro Fujiwara > > > Sent: Monday, July 02, 2007 2:48 PM > > > To: fedora-selinux-list > > > Subject: Re: httpd can't send mails > > > > > > > > > If you using postfix, here's what I did. > > > I made interface for postfix. > > > > > > ######################################## > > > ## > > > ## for xoops sending mail from postfix. > > > ## > > > ## > > > ## Domain allowed to sending mails. > > > ## > > > # > > > > > > interface(`xoops_send_mail_by_postfix',` > > > gen_require(` > > > type bin_t; > > > type smtp_port_t; > > > type sendmail_exec_t; > > > ') > > > allow $1 bin_t:dir search; > > > allow $1 smtp_port_t:tcp_socket { name_connect send_msg > > > recv_msg }; > > > allow $1 sendmail_exec_t:file { execute execute_no_trans > > getattr > > > read }; > > > ') > > > > > > > If you have the full reference policy source you should use defined > > interfaces instead of breaking encapsulation of the types. For example, > > you can rewrite your interface without any requires as: > > > > interface(`xoops_send_mail_by_postfix',` > > > > corecmd_search_bin($1) > > > > corenet_tcp_connect_smtp_port($1) > > corenet_tcp_sendrecv_smtp_port($1) > > > > mta_exec($1) > > ') > > > > David > > Thanks ! > > That's what I'm aiming at in near future. > > As a matter of fact, I printed every interfaces and felt at a loss, > because of its thickness. > > In what page or Software can I find those defined interfaces ? > SLIDE ? > > I once wrote such a software named segatex... > > Why audit2allow is just echoing raw access vectors and not interfaces ? > I think if audit2allow has such an option, it would be more convenient > and rewarding. audit2allow -R will attempt to match interfaces, albeit imperfectly. -- Stephen Smalley National Security Agency From shin216 at xf7.so-net.ne.jp Thu Jul 5 13:46:30 2007 
From: shin216 at xf7.so-net.ne.jp (Shintaro Fujiwara) Date: Thu, 05 Jul 2007 22:46:30 +0900 Subject: httpd can't send mails In-Reply-To: <1183638566.12218.331.camel@moss-spartans.epoch.ncsc.mil> References: <6FE441CD9F0C0C479F2D88F959B01588D01F63@exchange.columbia.tresys.com> <1183504607.2672.9.camel@mama.intrajp-yokosuka.co.jp> <1183638566.12218.331.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1183643190.2658.19.camel@mama.intrajp-yokosuka.co.jp> > On Wed, 2007-07-04 at 08:16 +0900, Shintaro Fujiwara wrote: > > > Hi, > > > > > > > -----Original Message----- 
> > > > From: fedora-selinux-list-bounces at redhat.com > > > [mailto:fedora-selinux-list- > > > > bounces at redhat.com] On Behalf Of Shintaro Fujiwara > > > > Sent: Monday, July 02, 2007 2:48 PM > > > > To: fedora-selinux-list > > > > Subject: Re: httpd can't send mails > > > > > > > > > > > > If you using postfix, here's what I did. > > > > I made interface for postfix. > > > > > > > > ######################################## > > > > ## > > > > ## for xoops sending mail from postfix. > > > > ## > > > > ## > > > > ## Domain allowed to sending mails. > > > > ## > > > > # > > > > > > > > interface(`xoops_send_mail_by_postfix',` > > > > gen_require(` > > > > type bin_t; > > > > type smtp_port_t; > > > > type sendmail_exec_t; > > > > ') > > > > allow $1 bin_t:dir search; > > > > allow $1 smtp_port_t:tcp_socket { name_connect send_msg > > > > recv_msg }; > > > > allow $1 sendmail_exec_t:file { execute execute_no_trans > > > getattr > > > > read }; > > > > ') > > > > > > > > > > If you have the full reference policy source you should use defined > > > interfaces instead of breaking encapsulation of the types. For example, > > > you can rewrite your interface without any requires as: > > > > > > interface(`xoops_send_mail_by_postfix',` > > > > > > corecmd_search_bin($1) > > > > > > corenet_tcp_connect_smtp_port($1) > > > corenet_tcp_sendrecv_smtp_port($1) > > > > > > mta_exec($1) > > > ') > > > > > > David > > > > Thanks ! > > > > That's what I'm aiming at in near future. > > > > As a matter of fact, I printed every interfaces and felt at a loss, > > because of its thickness. > > > > In what page or Software can I find those defined interfaces ? > > SLIDE ? > > > > I once wrote such a software named segatex... > > > > Why audit2allow is just echoing raw access vectors and not interfaces ? > > I think if audit2allow has such an option, it would be more convenient > > and rewarding. > > audit2allow -R will attempt to match interfaces, albeit imperfectly. 
>
Thanks for letting me know.

I found new refpolicy using many interfaces.
As a means of generating interfaces from raw denied messages, I worked on one .if file as a test to break up interfaces.
By this process, I think I can match audit.log to interfaces.
Although incomplete, it looks like this...
I will break up till I get access vectors.

...
...
interface(`acct_domtrans',`
    gen_require(`
        #type acct_t, acct_exec_t;
        type acct_t, acct_exec_t, bin_t;
    ')

    #corecmd_search_bin($1)
    #search_dirs_pattern($1,bin_t,bin_t)
    allow $1 bin_t:dir search_dir_perms;
    allow $1 bin_t:dir search_dir_perms;

    #domtrans_pattern($1,acct_exec_t,acct_t)
    #domain_auto_transition_pattern($1,$2,$3)
    #domain_transition_pattern($1,$2,$3)
    #allow $1 $2:file { getattr read execute };
    allow $1 acct_exec_t:file { getattr read execute };
    #allow $1 $3:process transition;
    allow $1 acct_t:process transition;
    #dontaudit $1 $3:process { noatsecure siginh rlimitinh };
    dontaudit $1 acct_t:process { noatsecure siginh rlimitinh };
    #type_transition $1 $2:process $3;
    type_transition $1 acct_exec_t:process acct_t;

    #allow $3 $1:fd use;
    allow acct_t $1:fd use;
    #allow $3 $1:fifo_file rw_file_perms;
    allow acct_t $1:fifo_file rw_file_perms;
    #allow $3 $1:process sigchld;
    allow acct_t $1:process sigchld;
')
...
...

From sds at tycho.nsa.gov Thu Jul 5 14:20:37 2007
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 05 Jul 2007 10:20:37 -0400 Subject: httpd can't send mails In-Reply-To: <1183643190.2658.19.camel@mama.intrajp-yokosuka.co.jp> References: <6FE441CD9F0C0C479F2D88F959B01588D01F63@exchange.columbia.tresys.com> <1183504607.2672.9.camel@mama.intrajp-yokosuka.co.jp> <1183638566.12218.331.camel@moss-spartans.epoch.ncsc.mil> <1183643190.2658.19.camel@mama.intrajp-yokosuka.co.jp> Message-ID: <1183645237.12218.338.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2007-07-05 at 22:46 +0900, Shintaro Fujiwara wrote: > > On Wed, 2007-07-04 at 08:16 +0900, Shintaro Fujiwara wrote: > > > > Hi, > > > > > > > > > -----Original Message----- 
> > > > > From: fedora-selinux-list-bounces at redhat.com > > > > [mailto:fedora-selinux-list- > > > > > bounces at redhat.com] On Behalf Of Shintaro Fujiwara > > > > > Sent: Monday, July 02, 2007 2:48 PM > > > > > To: fedora-selinux-list > > > > > Subject: Re: httpd can't send mails > > > > > > > > > > > > > > > If you using postfix, here's what I did. > > > > > I made interface for postfix. > > > > > > > > > > ######################################## > > > > > ## > > > > > ## for xoops sending mail from postfix. > > > > > ## > > > > > ## > > > > > ## Domain allowed to sending mails. > > > > > ## > > > > > # > > > > > > > > > > interface(`xoops_send_mail_by_postfix',` > > > > > gen_require(` > > > > > type bin_t; > > > > > type smtp_port_t; > > > > > type sendmail_exec_t; > > > > > ') > > > > > allow $1 bin_t:dir search; > > > > > allow $1 smtp_port_t:tcp_socket { name_connect send_msg > > > > > recv_msg }; > > > > > allow $1 sendmail_exec_t:file { execute execute_no_trans > > > > getattr > > > > > read }; > > > > > ') > > > > > > > > > > > > > If you have the full reference policy source you should use defined > > > > interfaces instead of breaking encapsulation of the types. For example, > > > > you can rewrite your interface without any requires as: > > > > > > > > interface(`xoops_send_mail_by_postfix',` > > > > > > > > corecmd_search_bin($1) > > > > > > > > corenet_tcp_connect_smtp_port($1) > > > > corenet_tcp_sendrecv_smtp_port($1) > > > > > > > > mta_exec($1) > > > > ') > > > > > > > > David > > > > > > Thanks ! > > > > > > That's what I'm aiming at in near future. > > > > > > As a matter of fact, I printed every interfaces and felt at a loss, > > > because of its thickness. > > > > > > In what page or Software can I find those defined interfaces ? > > > SLIDE ? > > > > > > I once wrote such a software named segatex... > > > > > > Why audit2allow is just echoing raw access vectors and not interfaces ? 
> > > I think if audit2allow has such an option, it would be more convenient > > > and rewarding. > > > > audit2allow -R will attempt to match interfaces, albeit imperfectly. > > > > Thanks for letting me know. > I found new refpolicy using many interfaces. > As a means of generating interfaces from raw denied messages, > I worked on one .if file a test to break up interfaces. > By this process, I think I can match audit.log to interfaces. > Although incomplete, it looks like this... > I will break up till I get access vectors. Not sure what you are trying to do, but just look at sepolgen to see how it is matching audit messages to interfaces. You can re-use that support. -- Stephen Smalley National Security Agency From shin216 at xf7.so-net.ne.jp Thu Jul 5 15:01:43 2007 From: shin216 at xf7.so-net.ne.jp (Shintaro Fujiwara) Date: Fri, 06 Jul 2007 00:01:43 +0900 Subject: httpd can't send mails In-Reply-To: <1183645237.12218.338.camel@moss-spartans.epoch.ncsc.mil> References: <6FE441CD9F0C0C479F2D88F959B01588D01F63@exchange.columbia.tresys.com> <1183504607.2672.9.camel@mama.intrajp-yokosuka.co.jp> <1183638566.12218.331.camel@moss-spartans.epoch.ncsc.mil> <1183643190.2658.19.camel@mama.intrajp-yokosuka.co.jp> <1183645237.12218.338.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1183647703.2658.30.camel@mama.intrajp-yokosuka.co.jp> > On Thu, 2007-07-05 at 22:46 +0900, Shintaro Fujiwara wrote: > > > On Wed, 2007-07-04 at 08:16 +0900, Shintaro Fujiwara wrote: > > > > > Hi, > > > > > > > > > > > -----Original Message----- 
> > > > > > From: fedora-selinux-list-bounces at redhat.com > > > > > [mailto:fedora-selinux-list- > > > > > > bounces at redhat.com] On Behalf Of Shintaro Fujiwara > > > > > > Sent: Monday, July 02, 2007 2:48 PM > > > > > > To: fedora-selinux-list > > > > > > Subject: Re: httpd can't send mails > > > > > > > > > > > > > > > > > > If you using postfix, here's what I did. > > > > > > I made interface for postfix. > > > > > > > > > > > > ######################################## > > > > > > ## > > > > > > ## for xoops sending mail from postfix. > > > > > > ## > > > > > > ## > > > > > > ## Domain allowed to sending mails. > > > > > > ## > > > > > > # > > > > > > > > > > > > interface(`xoops_send_mail_by_postfix',` > > > > > > gen_require(` > > > > > > type bin_t; > > > > > > type smtp_port_t; > > > > > > type sendmail_exec_t; > > > > > > ') > > > > > > allow $1 bin_t:dir search; > > > > > > allow $1 smtp_port_t:tcp_socket { name_connect send_msg > > > > > > recv_msg }; > > > > > > allow $1 sendmail_exec_t:file { execute execute_no_trans > > > > > getattr > > > > > > read }; > > > > > > ') > > > > > > > > > > > > > > > > If you have the full reference policy source you should use defined > > > > > interfaces instead of breaking encapsulation of the types. For example, > > > > > you can rewrite your interface without any requires as: > > > > > > > > > > interface(`xoops_send_mail_by_postfix',` > > > > > > > > > > corecmd_search_bin($1) > > > > > > > > > > corenet_tcp_connect_smtp_port($1) > > > > > corenet_tcp_sendrecv_smtp_port($1) > > > > > > > > > > mta_exec($1) > > > > > ') > > > > > > > > > > David > > > > > > > > Thanks ! > > > > > > > > That's what I'm aiming at in near future. > > > > > > > > As a matter of fact, I printed every interfaces and felt at a loss, > > > > because of its thickness. > > > > > > > > In what page or Software can I find those defined interfaces ? > > > > SLIDE ? > > > > > > > > I once wrote such a software named segatex... 
> > > > > > > > Why audit2allow is just echoing raw access vectors and not interfaces ? > > > > I think if audit2allow has such an option, it would be more convenient > > > > and rewarding. > > > > > > audit2allow -R will attempt to match interfaces, albeit imperfectly. > > > > > > > Thanks for letting me know. > > I found new refpolicy using many interfaces. > > As a means of generating interfaces from raw denied messages, > > I worked on one .if file a test to break up interfaces. > > By this process, I think I can match audit.log to interfaces. > > Although incomplete, it looks like this... > > I will break up till I get access vectors. > > Not sure what you are trying to do, but just look at sepolgen to see how > it is matching audit messages to interfaces. You can re-use that > support. Thanks ! I will make use of every way I can take. SLIDE or sepolgen would by nice, but I want to play on my project for a while. Just looking at those "support" or "modules" directories can make one understand SELinux better and I'm really having fun. From dwalsh at redhat.com Fri Jul 6 17:05:27 2007 
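The exchange above (Shintaro expanding .if files down to raw access vectors so that audit.log entries can be matched back to interfaces, and Stephen pointing at sepolgen, which does that matching for audit2allow -R) is the core idea in a few dozen lines. The script below is an added example, not code from the thread, sepolgen or refpolicy: it parses AVC denials in both spellings that appear in this thread, expands a small table of interfaces into (target type, class, permissions) rules, and for each denial either names the interface calls whose expansions cover it or falls back to the raw allow rule audit2allow would print. The first three sample records are the thread's own (Pedro's audit.log and Ken's vmnet denial, trimmed); the last two records and the whole interface table are constructed, and the table is only an approximation of the correspondence David drew between Shintaro's raw rules and the refpolicy calls, not the real interface bodies.

```python
import re
from dataclasses import dataclass

# Constructed sample input: first three records copied from this thread (the
# vmnet line trimmed to the fields that matter), the last two constructed so
# that the interface table below has something to match.
SAMPLE_LOG = """\
type=AVC msg=audit(1183544590.817:4170): avc: denied { read write } for pid=23730 comm="sendmail" name="[517705]" dev=sockfs ino=517705 scontext=root:system_r:system_mail_t:s0 tcontext=root:system_r:httpd_bugzilla_script_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1183544591.317:4171): avc: denied { getattr } for pid=23731 comm="postdrop" name="[517696]" dev=pipefs ino=517696 scontext=root:system_r:postfix_postdrop_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=fifo_file
avc: denied { read, write } for comm="vmnet-bridge" exe="/usr/bin/vmnet-bridge" name="vmnet0" path="/dev/vmnet0" scontext=system_u:system_r:vmware_host_t:s0 tclass=chr_file tcontext=system_u:object_r:device_t:s0
avc: denied { search } for pid=4242 comm="httpd" name="bin" dev=dm-0 ino=4711 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
avc: denied { name_connect send_msg recv_msg } for pid=4243 comm="sendmail" scontext=user_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
"""

# Stand-in for Shintaro's broken-up .if files: each interface maps to the raw
# rules it grants its $1 argument, as (target type, object class, perms).
# Constructed approximation of the refpolicy calls David named; the real
# interfaces carry more rules and their own gen_require blocks.
INTERFACES = {
    "corecmd_search_bin": [("bin_t", "dir", {"search"})],
    "corenet_tcp_connect_smtp_port": [("smtp_port_t", "tcp_socket", {"name_connect"})],
    "corenet_tcp_sendrecv_smtp_port": [("smtp_port_t", "tcp_socket", {"send_msg", "recv_msg"})],
    "mta_exec": [("sendmail_exec_t", "file", {"execute", "execute_no_trans", "getattr", "read"})],
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}")
FIELD_RES = {f: re.compile(rf"\b{f}=(\S+)") for f in ("scontext", "tcontext", "tclass")}


@dataclass(frozen=True)
class Denial:
    source: str      # source type, taken from scontext
    target: str      # target type, taken from tcontext
    tclass: str
    perms: frozenset


def type_of(context: str) -> str:
    # A context is user:role:type[:mls]; the type is always the third field.
    return context.split(":")[2]


def parse_avc(line: str):
    """Parse one AVC denial; returns None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for name, rx in FIELD_RES.items():
        fm = rx.search(line)
        if fm is None:
            return None
        fields[name] = fm.group(1)
    # Both "{ read write }" (audit) and "{ read, write }" (syslog) spellings occur.
    perms = frozenset(p for p in re.split(r"[,\s]+", m.group("perms").strip()) if p)
    return Denial(type_of(fields["scontext"]), type_of(fields["tcontext"]),
                  fields["tclass"], perms)


def parse_log(text: str):
    return [d for d in map(parse_avc, text.splitlines()) if d is not None]


def suggest(denial: Denial, interfaces=INTERFACES):
    """Interface calls whose combined expansion covers the denial, or, when the
    table has nothing covering it, the raw allow rule audit2allow would print."""
    calls, granted = [], set()
    for name, rules in interfaces.items():
        for target, tclass, perms in rules:
            if target == denial.target and tclass == denial.tclass and perms & denial.perms:
                call = f"{name}({denial.source})"
                if call not in calls:
                    calls.append(call)
                granted |= perms
    if calls and denial.perms <= granted:
        return calls
    return [f"allow {denial.source} {denial.target}:{denial.tclass} "
            f"{{ {' '.join(sorted(denial.perms))} }};"]


if __name__ == "__main__":
    for d in parse_log(SAMPLE_LOG):
        print(f"{d.source} -> {d.target}:{d.tclass} {sorted(d.perms)}")
        for line in suggest(d):
            print("   ", line)
```

Two of the five records resolve to interface calls and three fall through to raw rules, which is the same split audit2allow -R produces when its interface table has no match. As David notes earlier in the thread, a matched interface is a starting point, not a decision: the unmatched unix_stream_socket and fifo_file denials here are the ones Dan later chose to dontaudit rather than allow.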
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 06 Jul 2007 13:05:27 -0400
Subject: Bugzilla's AVC: denied
In-Reply-To: <468BA138.1090208@certisign.com.br>
References: <468908ED.2030209@certisign.com.br> <46894092.40206@redhat.com> <468BA138.1090208@certisign.com.br>
Message-ID: <468E7657.30400@redhat.com>

Pedro Silva wrote:
> Daniel J Walsh wrote:
>
>>> type=AVC msg=audit(1183036604.813:648): avc: denied { read write } for pid=16313 comm="sendmail" name="[335348]" dev=sockfs ino=335348 scontext=root:system_r:system_mail_t:s0 tcontext=root:system_r:httpd_bugzilla_script_t:s0 tclass=unix_stream_socket
>>
>> This looks potentially like a leaked file descriptor? Or is sendmail reading and writing to a unix_stream_socket created by the bugzilla cgi?
>>
>> Could you run this in permissive mode to gather all of the avc messages.
>
> I haven't reproduced the other AVC messages yet, but the above happens when Bugzilla is sending mail after a bug changed.
> This is what audit.log gives in permissive mode.
>
> type=AVC msg=audit(1183544590.817:4170): avc: denied { read write } for pid=23730 comm="sendmail" name="[517705]" dev=sockfs ino=517705 scontext=root:system_r:system_mail_t:s0 tcontext=root:system_r:httpd_bugzilla_script_t:s0 tclass=unix_stream_socket
>
> type=SYSCALL msg=audit(1183544590.817:4170): arch=40000003 syscall=11 success=yes exit=0 a0=a179ab0 a1=a179a38 a2=916f240 a3=915c008 items=0 ppid=23727 pid=23730 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=root:system_r:system_mail_t:s0 key=(null)
>
> type=AVC_PATH msg=audit(1183544590.817:4170): path="socket:[517705]"
>
> type=AVC msg=audit(1183544591.317:4171): avc: denied { getattr } for pid=23731 comm="postdrop" name="[517696]" dev=pipefs ino=517696 scontext=root:system_r:postfix_postdrop_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=fifo_file
>
> type=SYSCALL msg=audit(1183544591.317:4171): arch=40000003 syscall=197 success=yes exit=0 a0=2 a1=bfa66af0 a2=840ff4 a3=3 items=0 ppid=23730 pid=23731 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) comm="postdrop" exe="/usr/sbin/postdrop" subj=root:system_r:postfix_postdrop_t:s0 key=(null)
>
> type=AVC_PATH msg=audit(1183544591.317:4171): path="pipe:[517696]"

Ok I will dontaudit in the next release "2.6.4-27"

>
> --
>
> CERTISIGN **Pedro Silva**
> Development Specialist
> (21) 4501 1026
>
> Certisign Certificadora Digital
> certisign.com.br
>

From spng.yang at gmail.com Tue Jul 10 07:51:05 2007
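Dan's first guess above is a descriptor leaked from the bugzilla cgi into the sendmail it execs: sendmail then holds a socket it never created, and every read or write on it is checked as system_mail_t against httpd_bugzilla_script_t. The script below is an added illustration, not code from Bugzilla or from the thread, of what that leak looks like from the program's side and how FD_CLOEXEC stops it. The socket pair standing in for the cgi's unix_stream_socket and the child probe are constructed; Python marks new descriptors non-inheritable by default, so the example first makes them inheritable to reproduce what a plain socket() call gives a C program.

```python
import fcntl
import os
import socket
import subprocess
import sys


def survives_exec(fd: int) -> bool:
    """True when fd lacks FD_CLOEXEC, i.e. a program exec'd by this process
    inherits it and its own domain is checked against the object."""
    return not (fcntl.fcntl(fd, fcntl.F_GETFD) & fcntl.FD_CLOEXEC)


def leaked_fds(fds):
    """The descriptors in fds that would leak across an exec."""
    return [fd for fd in fds if survives_exec(fd)]


def fix_leaks(fds):
    """Set FD_CLOEXEC on every leaking descriptor; returns what still leaks."""
    for fd in fds:
        if survives_exec(fd):
            flags = fcntl.fcntl(fd, fcntl.F_GETFD)
            fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)
    return leaked_fds(fds)


def make_leaky_pair():
    """Constructed stand-in for the cgi's socket: a socketpair made inheritable
    the way a C program's socket() descriptors are by default."""
    a, b = socket.socketpair()
    for fd in (a.fileno(), b.fileno()):
        os.set_inheritable(fd, True)   # clears FD_CLOEXEC
    return a, b


def child_sees(fd: int) -> bool:
    """Exec a child without closing anything (close_fds=False mimics a plain
    fork+exec) and report whether the descriptor is still open there."""
    probe = f"import os; os.fstat({fd})"   # raises OSError (exit 1) if closed
    r = subprocess.run([sys.executable, "-c", probe], close_fds=False,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def demo():
    """Show the socket leaking into a child, then not leaking once fixed."""
    a, b = make_leaky_pair()
    fds = [a.fileno(), b.fileno()]
    before = (leaked_fds(fds), child_sees(fds[0]))
    after = (fix_leaks(fds), child_sees(fds[0]))
    a.close()
    b.close()
    return before, after


if __name__ == "__main__":
    (leaked, seen), (still_leaked, still_seen) = demo()
    print("before fix: leaking", leaked, "child can fstat it:", seen)
    print("after fix:  leaking", still_leaked, "child can fstat it:", still_seen)
```

The two Dan-style outcomes map onto this: if the cgi had set FD_CLOEXEC (or used SOCK_CLOEXEC at creation), sendmail would never see the socket and there would be no denial to dontaudit; if sendmail is meant to talk over that socket, the policy needs an allow rule, and dontaudit would only hide the failure.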
From: spng.yang at gmail.com (Ken YANG)
Date: Tue, 10 Jul 2007 15:51:05 +0800
Subject: vmware and eclipse avc denied in selinux-policy-targeted-3.0.2-3.fc8.noarch
Message-ID: <46933A69.7000005@gmail.com>

hi,

I am in f8 rawhide with selinux-policy-targeted-3.0.2-3.fc8.noarch.

There are some avc denied about vmware and eclipse:

1 vmware config

After I update to selinux-policy-targeted-3.0.2-3.fc8.noarch, I find my vmware must be re-configured every time I run it.

But when I run vmware-config.pl, some avc denied messages occurred:

avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin" dev=00:10 egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0 inode=230929 item=0 items=1 mode=020600 name="vmnet0" obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0" pid=22164 rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0 subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

......

Other avc errors are similar; it seemed that /dev/vmnet* are mislabeled, they were all labeled device_t, not vmware_device_t.

IIRC, I installed and configured vmware 6 well, before the merge of targeted and strict policy, i.e.

We have a problem: when all the cache is used, it goes straight to swap which terminates our program. Has anyone seen this? Also, is there a way to configure the cache size for the kernel?

Thank you,
Laura

From selinux at gmail.com Tue Jul 10 14:03:30 2007
From: selinux at gmail.com (Tom London) Date: Tue, 10 Jul 2007 07:03:30 -0700 Subject: vmware and eclipse avc denied in selinux-policy-targeted-3.0.2-3.fc8.noarch In-Reply-To: <46933A69.7000005@gmail.com> References: <46933A69.7000005@gmail.com> Message-ID: <4c4ba1530707100703k5d25120cw7312ca09d5ab1515@mail.gmail.com> On 7/10/07, Ken YANG wrote: > > hi, > > i am in f8 rawhide with selinux-policy-targeted-3.0.2-3.fc8.noarch > > there are some avc denied about vmware and eclipse: > > 1 vmware config > > after i update to selinux-policy-targeted-3.0.2-3.fc8.noarch, > i find my vmware must be re-configed every time i run it. > > but when i run vmware-config.pl, some avc denied messages occured: > > avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin" dev=00:10 > egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0 > inode=230929 item=0 items=1 mode=020600 name="vmnet0" > obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0" pid=22164 > rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0 > subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file > tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0 > > ...... > > other avc errors are similar, it seemed that /dev/vmnet* are mislabeled, > they were all labeled device_t, not vmware_device_t. > > IIRC, i installed and configured vmware 6 well, before the merge of > targeted and strict policy, i.e. > i had compared the vmware* between these two versions policy, i had > not find any changes which will result to these errors. > > i also find the /dev in my system is tmpfs, so the file on this fs > should be labeled using fs_use_trans. > > I want to add type_transition rules to verify my guess, but i don't know > the type of /usr/bin/vmware-config.pl, which is "bin_t" now in my system > > > is there something i missed? > I have VMWare 6.0 running in Rawhide. 
I believe it is with 'stock' labeling, but I made the following change to /usr/lib/vmware/net-services.sh to correct the labeling. I'm not sure if there is a better way (e.g., in udev): [root at localhost vmware]# diff -u net-services.sh.old net-services.sh --- net-services.sh.old 2007-05-01 21:54:30.000000000 -0700 +++ net-services.sh 2007-07-10 06:55:11.000000000 -0700 @@ -616,6 +616,11 @@ if [ ! -e "$vDevice" ]; then mknod -m 600 "$vDevice" c 119 "$vHubNr" fi + retval=$? + if [ "`isSELinuxEnabled`" = 'yes' ]; then + restorecon "$vDevice" + fi + return $retval } # Create a virtual host ethernet interface and connect it to a virtual In addition to the above, there seems to be an issue with vmware's use of the 'ldd' command (e.g., see: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246762). Setting 'allow_execmem' or 'allow_execstack' via 'setsebool' seems to work around this issue for me. tom -- Tom London From jmorris at namei.org Tue Jul 10 18:20:21 2007 From: jmorris at namei.org (James Morris) Date: Tue, 10 Jul 2007 14:20:21 -0400 (EDT) Subject: Kernal caching In-Reply-To: <22272.3939.qm@web30909.mail.mud.yahoo.com> References: <22272.3939.qm@web30909.mail.mud.yahoo.com> Message-ID: On Tue, 10 Jul 2007, Laura Crawley wrote: > We have a problem: when all the cache is used, it goes > straight to swap which terminates our program. Has > anyone seen this? Also, is there a way to configure > the cache size for the kernel? Are you talking about the SELinux access vector cache? -- James Morris From spng.yang at gmail.com Wed Jul 11 08:15:06 2007 
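Review bot: the status saved by `retval=$?` in the hunk is not quite what the trailing `return $retval` suggests. After an `if ... fi` with no else branch, `$?` is the `mknod` status only when the node was just created; when `$vDevice` already existed it is 0, and the exit status of the `restorecon "$vDevice"` that follows is dropped, so a failed relabel still returns success to the caller and the device stays device_t without any indication. Suggest `restorecon "$vDevice" || retval=$?` so a relabel failure propagates. Running restorecon even for a pre-existing node is fine, since it also repairs a node created before the policy update. `isSELinuxEnabled` is not visible in the hunk, so the change assumes net-services.sh already defines it.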
From: spng.yang at gmail.com (Ken YANG) Date: Wed, 11 Jul 2007 16:15:06 +0800 Subject: vmware and eclipse avc denied in selinux-policy-targeted-3.0.2-3.fc8.noarch In-Reply-To: <4c4ba1530707100703k5d25120cw7312ca09d5ab1515@mail.gmail.com> References: <46933A69.7000005@gmail.com> <4c4ba1530707100703k5d25120cw7312ca09d5ab1515@mail.gmail.com> Message-ID: <4694918A.7030306@gmail.com> Tom London wrote: > On 7/10/07, Ken YANG wrote: >> >> hi, >> >> i am in f8 rawhide with selinux-policy-targeted-3.0.2-3.fc8.noarch >> >> there are some avc denied about vmware and eclipse: >> >> 1 vmware config >> >> after i update to selinux-policy-targeted-3.0.2-3.fc8.noarch, >> i find my vmware must be re-configed every time i run it. >> >> but when i run vmware-config.pl, some avc denied messages occured: >> >> avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin" >> dev=00:10 >> egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0 >> inode=230929 item=0 items=1 mode=020600 name="vmnet0" >> obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0" >> pid=22164 >> rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0 >> subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file >> tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0 >> >> ...... >> >> other avc errors are similar, it seemed that /dev/vmnet* are mislabeled, >> they were all labeled device_t, not vmware_device_t. >> >> IIRC, i installed and configured vmware 6 well, before the merge of >> targeted and strict policy, i.e. > >> i had compared the vmware* between these two versions policy, i had >> not find any changes which will result to these errors. >> >> i also find the /dev in my system is tmpfs, so the file on this fs >> should be labeled using fs_use_trans. >> >> I want to add type_transition rules to verify my guess, but i don't know >> the type of /usr/bin/vmware-config.pl, which is "bin_t" now in my system >> >> >> is there something i missed? 
>>
> I have VMWare 6.0 running in Rawhide.
>
> I believe it is with 'stock' labeling, but I made the following change to /usr/lib/vmware/net-services.sh to correct the labeling. I'm not sure if there is a better way (e.g., in udev):
>
> [root at localhost vmware]# diff -u net-services.sh.old net-services.sh > --- net-services.sh.old 2007-05-01 21:54:30.000000000 -0700 > +++ net-services.sh 2007-07-10 06:55:11.000000000 -0700 > @@ -616,6 +616,11 @@ > if [ ! -e "$vDevice" ]; then > mknod -m 600 "$vDevice" c 119 "$vHubNr" > fi > + retval=$? > + if [ "`isSELinuxEnabled`" = 'yes' ]; then > + restorecon "$vDevice" > + fi > + return $retval > } > > # Create a virtual host ethernet interface and connect it to a virtual
>

thanks, tom

"file_context" has the right label for /dev/vmnet*, so we can use restorecon to fix this error.

I think this is a vmware bug, which does not use the SELinux API.

But I wonder why vmware worked well in selinux-policy-targeted-2.6.5-2.fc8 and fails in the new 3.0 policy (merged)?

I am learning the differences between the 2.6.5 and 3.0 policy, hoping to find some hints.

> In addition to the above, there seems to be an issue with vmware's use of the 'ldd' command (e.g., see: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246762).
>
> Setting 'allow_execmem' or 'allow_execstack' via 'setsebool' seems to work around this issue for me.

Yes, to run vmware, "allow_execstack=1" is enough:

-(yangshao at Nerazzurri:pts/1)----------------------------------------(/workbench/rpmbuild/SRPMS)-(24/24)-
-(:16:11:$)-> getsebool -a|grep allow_exec
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> on

BTW, I have posted to this bug; you should receive a mail notification about this bug.

> tom

From emanuele at nettirrena.it Wed Jul 11 17:33:31 2007
From: emanuele at nettirrena.it (Emanuele Maiarelli)
Date: Wed, 11 Jul 2007 19:33:31 +0200 (CEST)
Subject: rpmverify vs selinux problem
Message-ID: <1345.192.168.1.103.1184175211.squirrel@mail.nettirrena.it>

I'm running rpmverify and it returns the following output:

rpmverify -a|grep bin

........C /usr/share/locale/en_GB/LC_MESSAGES/kgreet_winbind.mo
........C /usr/share/locale/fi/LC_MESSAGES/kabcformat_binary.mo
........C /usr/share/locale/fi/LC_MESSAGES/kbinaryclock.mo
........C /usr/share/locale/fi/LC_MESSAGES/kgreet_winbind.mo
........C /usr/share/locale/ja/LC_MESSAGES/kabcformat_binary.mo
........C /usr/share/locale/ja/LC_MESSAGES/kbinaryclock.mo
........C /usr/share/locale/ja/LC_MESSAGES/kgreet_winbind.mo
........C /usr/share/locale/sk/LC_MESSAGES/kabcformat_binary.mo
........C /usr/share/locale/sk/LC_MESSAGES/kbinaryclock.mo
........C /usr/share/locale/sk/LC_MESSAGES/kgreet_winbind.mo
........C /usr/bin/firefox
........C /usr/lib/firefox-1.0.7/components/libinspector.so
........C /usr/lib/firefox-1.0.7/firefox-bin
........C /usr/lib/firefox-1.0.7/libgtkxtbin.so
........C /usr/lib/firefox-1.0.7/res/html/gopher-binary.gif
........C /usr/bin/viewfax
........C /usr/sbin/openldap/back_sql-2.2.so.7
........C /usr/sbin/openldap/back_sql-2.2.so.7.0.22
........C /usr/sbin/openldap/back_sql.la
........C /usr/bin/amstex
........C /usr/bin/bamstex
........C /usr/bin/bplain
........C /usr/bin/lambda

It means "C selinux Context differs".

Considering the /etc/sysconfig/selinux:

------------ /etc/sysconfig/selinux ------------
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
------------------------------------------------

Can this be caused by the SELINUXTYPE=targeted?

I've tried 'touch /.autorelabel' and reboot, 'fixfiles -Ra> restore', 'fixfiles relabel', but this doesn't solve the problem. Any hints?

Thanks in advance.

PS: I have already posted the problem on fedora-security-list (https://www.redhat.com/archives/fedora-security-list/2007-July/thread.html thread 'rpmverify output'); they helped me and finally suggested to post it on fedora-selinux-list :)

From sds at tycho.nsa.gov Wed Jul 11 17:54:11 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 11 Jul 2007 13:54:11 -0400
Subject: rpmverify vs selinux problem
In-Reply-To: <1345.192.168.1.103.1184175211.squirrel@mail.nettirrena.it>
References: <1345.192.168.1.103.1184175211.squirrel@mail.nettirrena.it>
Message-ID: <1184176451.3392.153.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2007-07-11 at 19:33 +0200, Emanuele Maiarelli wrote:
> I'm running rpmverify and it returns the following output:
>
> rpmverify -a|grep bin
>
> ........C /usr/share/locale/en_GB/LC_MESSAGES/kgreet_winbind.mo
> ........C /usr/share/locale/fi/LC_MESSAGES/kabcformat_binary.mo
> ........C /usr/share/locale/fi/LC_MESSAGES/kbinaryclock.mo
> ........C /usr/share/locale/fi/LC_MESSAGES/kgreet_winbind.mo
> ........C /usr/share/locale/ja/LC_MESSAGES/kabcformat_binary.mo
> ........C /usr/share/locale/ja/LC_MESSAGES/kbinaryclock.mo
> ........C /usr/share/locale/ja/LC_MESSAGES/kgreet_winbind.mo
> ........C /usr/share/locale/sk/LC_MESSAGES/kabcformat_binary.mo
> ........C /usr/share/locale/sk/LC_MESSAGES/kbinaryclock.mo
> ........C /usr/share/locale/sk/LC_MESSAGES/kgreet_winbind.mo
> ........C /usr/bin/firefox
> ........C /usr/lib/firefox-1.0.7/components/libinspector.so
> ........C /usr/lib/firefox-1.0.7/firefox-bin
> ........C /usr/lib/firefox-1.0.7/libgtkxtbin.so
> ........C /usr/lib/firefox-1.0.7/res/html/gopher-binary.gif
> ........C /usr/bin/viewfax
> ........C /usr/sbin/openldap/back_sql-2.2.so.7
> ........C /usr/sbin/openldap/back_sql-2.2.so.7.0.22
> ........C /usr/sbin/openldap/back_sql.la
> ........C /usr/bin/amstex
> ........C /usr/bin/bamstex
> ........C /usr/bin/bplain
> ........C /usr/bin/lambda

restorecon -Fv /usr/bin/lambda (or any other file in your list above).

--
Stephen Smalley
National Security Agency

From lshoujun at yahoo.com Thu Jul 12 08:21:35 2007
From: lshoujun at yahoo.com (Louis Lam)
Date: Thu, 12 Jul 2007 09:21:35 +0100 (BST)
Subject: Containing vmware player 2.0.0 with SELINUX
Message-ID: <928657.6553.qm@web34814.mail.mud.yahoo.com>

Hi all,

At this point I'm still trying to use SELINUX to "contain" vmware player, making it run in targeted mode.

I'm still rather new to this but through the help of Ken, I've been able to manipulate modules and get it to "affect" the vmware player, but at this point my vmware player is still "broken".

Would anyone be able to share their configuration (.te, .fc, .if) files if you've managed to get it to work with vmware player or vmware-workstation 6? Currently I'm working with Fedora 7 but intend to port it back to RHEL 5.

I've downloaded the latest reference policy from oss and examined the vmware relevant files. From examining the vmware.fc and "/etc/selinux/targeted/modules/active/file_context", it seems like the vmware.fc file could have been written for an older/different version of vmware where the vmnet devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer 2/workstation 6. Which version was it written for?

I went on to modify the vmware.fc file and managed to compile and load the vmware.pp module. But currently this affected the vmware services at startup, e.g. vmnet-dhcpd. For vmware, when something fails to start, it would ask me to run vmware-config.pl again when I restart it. Doing this would recreate the /dev/vmnet* files over again, but they will not have the right context, defaulting to "device_t" instead of "vmware_device_t" that I have modified. The lines in my vmware.fc look like this:

/dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)

I was thinking that if the script has created a new /dev/vmnet file it would automatically use the vmware_device_t context, but it didn't. Did I miss out anything?

What do the two "--" on the line mean? Are they significant?

Sorry about the long post, any help or advice? Thanks.

Louis

Send instant messages to your online friends http://uk.messenger.yahoo.com

From dwalsh at redhat.com Thu Jul 12 12:46:10 2007
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 12 Jul 2007 08:46:10 -0400 Subject: vmware and eclipse avc denied in selinux-policy-targeted-3.0.2-3.fc8.noarch In-Reply-To: <46933A69.7000005@gmail.com> References: <46933A69.7000005@gmail.com> Message-ID: <46962292.5030505@redhat.com> Ken YANG wrote: > hi, > > i am in f8 rawhide with selinux-policy-targeted-3.0.2-3.fc8.noarch > > there are some avc denied about vmware and eclipse: > > 1 vmware config > > after i update to selinux-policy-targeted-3.0.2-3.fc8.noarch, > i find my vmware must be re-configed every time i run it. > > but when i run vmware-config.pl, some avc denied messages occured: > > avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin" dev=00:10 > egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0 > inode=230929 item=0 items=1 mode=020600 name="vmnet0" > obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0" pid=22164 > rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0 > subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file > tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0 > > ...... > > other avc errors are similar, it seemed that /dev/vmnet* are mislabeled, > they were all labeled device_t, not vmware_device_t. > > IIRC, i installed and configured vmware 6 well, before the merge of > targeted and strict policy, i.e. > i had compared the vmware* between these two versions policy, i had > not find any changes which will result to these errors. > > i also find the /dev in my system is tmpfs, so the file on this fs > should be labeled using fs_use_trans. > > I want to add type_transition rules to verify my guess, but i don't know > the type of /usr/bin/vmware-config.pl, which is "bin_t" now in my system > > > is there something i missed? > > Who is creating the device? I don't believe this device is being created by udev, so it is getting the parent directories label. 
(device_t)

If the device is getting created in an init script you should add a restorecon after the mknod.

> 2 Eclipse avc error
>
> when I launch eclipse (SLIDE), I get an avc error:
>
> avc: denied { unix_read, unix_write } for comm="X" egid=0 euid=0 exe="/usr/bin/Xorg" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2880 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=shm tcontext=system_u:system_r:java_t:s0 tty=tty7 uid=0
>

This might affect performance. I will contact one of our X Gurus to check.

> I think this should be added in policy as "dontaudit", because it seems that it doesn't influence my use of eclipse
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From dwalsh at redhat.com Thu Jul 12 12:51:31 2007
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 12 Jul 2007 08:51:31 -0400 Subject: vmware and eclipse avc denied in selinux-policy-targeted-3.0.2-3.fc8.noarch In-Reply-To: <4694918A.7030306@gmail.com> References: <46933A69.7000005@gmail.com> <4c4ba1530707100703k5d25120cw7312ca09d5ab1515@mail.gmail.com> <4694918A.7030306@gmail.com> Message-ID: <469623D3.1040703@redhat.com> Ken YANG wrote: > Tom London wrote: > >> On 7/10/07, Ken YANG wrote: >> >>> hi, >>> >>> i am in f8 rawhide with selinux-policy-targeted-3.0.2-3.fc8.noarch >>> >>> there are some avc denied about vmware and eclipse: >>> >>> 1 vmware config >>> >>> after i update to selinux-policy-targeted-3.0.2-3.fc8.noarch, >>> i find my vmware must be re-configed every time i run it. >>> >>> but when i run vmware-config.pl, some avc denied messages occured: >>> >>> avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin" >>> dev=00:10 >>> egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0 >>> inode=230929 item=0 items=1 mode=020600 name="vmnet0" >>> obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0" >>> pid=22164 >>> rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0 >>> subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file >>> tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0 >>> >>> ...... >>> >>> other avc errors are similar, it seemed that /dev/vmnet* are mislabeled, >>> they were all labeled device_t, not vmware_device_t. >>> >>> IIRC, i installed and configured vmware 6 well, before the merge of >>> targeted and strict policy, i.e. >> >>> i had compared the vmware* between these two versions policy, i had >>> not find any changes which will result to these errors. >>> >>> i also find the /dev in my system is tmpfs, so the file on this fs >>> should be labeled using fs_use_trans. 
>>> >>> I want to add type_transition rules to verify my guess, but i don't know >>> the type of /usr/bin/vmware-config.pl, which is "bin_t" now in my system >>> >>> >>> is there something i missed? >>> >>> >> I have VMWare 6.0 running in Rawhide. >> >> I believe it is with 'stock' labeling, but I made the following change >> to /usr/lib/vmware/net-services.sh to correct the labeling. I'm not >> sure if there is a better way (e.g., in udev): >> >> [root at localhost vmware]# diff -u net-services.sh.old net-services.sh >> --- net-services.sh.old 2007-05-01 21:54:30.000000000 -0700 >> +++ net-services.sh 2007-07-10 06:55:11.000000000 -0700 
>> @@ -616,6 +616,11 @@ >> if [ ! -e "$vDevice" ]; then >> mknod -m 600 "$vDevice" c 119 "$vHubNr" >> fi >> + retval=$? >> + if [ "`isSELinuxEnabled`" = 'yes' ]; then >> + restorecon "$vDevice" >> + fi >> + return $retval >> } >> >> # Create a virtual host ethernet interface and connect it to a virtual
>>
>>
>
> thanks, tom
>
> "file_context" has the right label for /dev/vmnet*, so we can use restorecon to fix this error.
>
> I think this is a vmware bug, which does not use the SELinux API.
>
> But I wonder why vmware worked well in selinux-policy-targeted-2.6.5-2.fc8 and fails in the new 3.0 policy (merged)?
>
> I am learning the differences between the 2.6.5 and 3.0 policy, hoping to find some hints.
>

We were not using vmware policy in fc7. So it ran unconfined. Now we are attempting to confine it.

>
>> In addition to the above, there seems to be an issue with vmware's use of the 'ldd' command (e.g., see: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246762).
>>
>> Setting 'allow_execmem' or 'allow_execstack' via 'setsebool' seems to work around this issue for me.
>>
>
> Yes, to run vmware, "allow_execstack=1" is enough:
>
> -(yangshao at Nerazzurri:pts/1)----------------------------------------(/workbench/rpmbuild/SRPMS)-(24/24)-
> -(:16:11:$)-> getsebool -a|grep allow_exec
> allow_execheap --> off
> allow_execmem --> off
> allow_execmod --> off
> allow_execstack --> on
>
> BTW, I have posted to this bug; you should receive a mail notification about this bug.
>
>
>> tom
>>

From dwalsh at redhat.com Thu Jul 12 13:00:56 2007
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 12 Jul 2007 09:00:56 -0400 Subject: Containing vmware player 2.0.0 with SELINUX In-Reply-To: <928657.6553.qm@web34814.mail.mud.yahoo.com> References: <928657.6553.qm@web34814.mail.mud.yahoo.com> Message-ID: <46962608.4050603@redhat.com> Louis Lam wrote: > Hi all, > > At this point i'm still trying to use SELINUX to "contain" vmware player, making it run in > targeted mode. > > I'm still rather new to this but through the help of Ken, i've been able to manipulate modules and > get it to "affect" the vmware player but at this point my vmware player is still "broken". > > Would anyone be able to share their configurations (.te,.fc,.if) file if you've managed to get it > to work with vmware player or vmware-workstation 6 ? CUrrently i'm working with Fedora 7 but > intend to port it back to RHEL 5. > > I've downloaded the latest reference policy from oss and examined the vmware relevant files. From > examining the vmware.fc and "/etc/selinux/targeted/modules/active/file_context", seems like the > vmware.fc file could have been written for an older/different version of vmware where the vmnet > devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer 2/workstation 6. Which > version was it written for? > > There is vmware policy that we are starting to use in Rawhide (fc8) > I went on to modify the vmware.fc file and managed to compile and load the vmware.pp module. But > currently this affected the vmware services at startup, e.g. vmnet-dhcpd. For vmware, when > something fails to start, it would ask me to rum vmware-config.pl again when i restart it. Doing > this would recreate the /dev/vmnet* files over again but it will not have the right context, > defaulting to "device_t" instead of "vmware_device_t" that i have modified. 
> The lines in my vmware.fc look like this:
>
> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>
> I was thinking that if the script has created a new /dev/vmnet file it would automatically use the vmware_device_t context, but it didn't. Did I miss out anything?
>

The problem here is the script is running as initrc_t, which has no rules when creating devices in directories labeled device_t (/dev). So it uses the default and labels the devices the same as the directory. Usually when we have this situation, we just run restorecon /dev/XYZ after the creation, for example:

mknod /dev/XYZ
chmod 666 /dev/XYZ
restorecon /dev/XYZ

> What do the two "--" on the line mean? Are they significant?
>

The -- indicates that this matches only files.

-d directories
-s sock_file
-l link file
-c char_file
...

The second character matches the first character of the ls -l line:

ls -l /dev/ttyS0
crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0

If you have no option specified it would match any file type.

/dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)

would match only "regular files" with these labels. So you would be better off with -c (or -b if they are block devices).

> Sorry about the long post, any help or advice? Thanks.
>
> Louis
>

From selinux at gmail.com Thu Jul 12 13:53:38 2007
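To make Dan's point about the file-type flag concrete, here is an added example (not code from this thread, from libselinux or from the reference policy) that models how file_contexts entries are matched against a path and a file type. It assumes the documented rule that the last matching entry wins; its sample entries are constructed, with Louis's `--` lines beside a `-c` variant of the kind Dan recommends.

```python
"""Model of file_contexts matching, added as an illustration (assumption:
the last matching entry in the file wins; sample entries are constructed)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Second character of the file-type flag -> first character of an `ls -l` line.
# '--' regular file, '-c' char device, '-b' block device, '-d' directory,
# '-l' symlink, '-s' socket, '-p' fifo.  No flag at all matches any type.
FLAG_TO_LS_CHAR = {"-": "-", "c": "c", "b": "b", "d": "d",
                   "l": "l", "s": "s", "p": "p"}

GEN_CONTEXT_RE = re.compile(r"gen_context\(([^,]+),(s\d+)\)")


@dataclass
class Spec:
    regex: "re.Pattern"
    ls_char: Optional[str]   # None means "any file type"
    context: str             # e.g. system_u:object_r:vmware_device_t:s0


def parse_spec(line: str) -> Optional[Spec]:
    """Parse one '<regex> [<flag>] <context>' line; None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) == 2:
        path_re, flag, ctx = parts[0], None, parts[1]
    elif len(parts) == 3:
        path_re, flag, ctx = parts
    else:
        raise ValueError(f"malformed spec: {line!r}")
    m = GEN_CONTEXT_RE.fullmatch(ctx)
    if m:  # unwrap the gen_context() macro used in .fc source files
        ctx = f"{m.group(1)}:{m.group(2)}"
    ls_char = None
    if flag is not None:
        if len(flag) != 2 or flag[0] != "-" or flag[1] not in FLAG_TO_LS_CHAR:
            raise ValueError(f"bad file type flag {flag!r} in {line!r}")
        ls_char = FLAG_TO_LS_CHAR[flag[1]]
    # file_contexts regexes are matched against the whole path.
    return Spec(re.compile("^(" + path_re + ")$"), ls_char, ctx)


def load_specs(text: str) -> List[Spec]:
    return [s for s in (parse_spec(l) for l in text.splitlines()) if s]


def match_context(specs: List[Spec], path: str, ls_char: str) -> Optional[str]:
    """Context of the last entry matching both path and file type, or None
    when nothing matches (a new node in /dev then simply inherits the
    directory's label, device_t, which is the symptom in the thread)."""
    for spec in reversed(specs):
        if spec.regex.match(path) and spec.ls_char in (None, ls_char):
            return spec.context
    return None


# Constructed sample input: the '--' entries from the question beside a
# single '-c' entry covering every vmnet character device.
SAMPLE_FC = """
/dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
"""
FIXED_FC = """
/dev/vmnet[0-9]+ -c gen_context(system_u:object_r:vmware_device_t,s0)
"""

if __name__ == "__main__":
    for label, text in (("'--' entries", SAMPLE_FC), ("'-c' entry", FIXED_FC)):
        specs = load_specs(text)
        for kind, ch in (("char device", "c"), ("regular file", "-")):
            print(f"{label}: {kind} /dev/vmnet0 -> "
                  f"{match_context(specs, '/dev/vmnet0', ch)}")
```

Run it and the `--` entries label a hypothetical regular file called /dev/vmnet0 but return None for the real character device, while the `-c` entry does the opposite.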
From: selinux at gmail.com (Tom London)
Date: Thu, 12 Jul 2007 06:53:38 -0700
Subject: update of selinux-policy-targeted: failed?
Message-ID: <4c4ba1530707120653i75bf1fa2o1a29b448957dae9e@mail.gmail.com>

yum failure with today's rawhide:

Updating : selinux-policy-targeted ##################### [ 31/126]
libsepol.permission_copy_callback: Module evolution depends on permission flow_out in class packet, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

tom
--
Tom London

From dwalsh at redhat.com Thu Jul 12 14:44:13 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 12 Jul 2007 10:44:13 -0400
Subject: update of selinux-policy-targeted: failed?
In-Reply-To: <4c4ba1530707120653i75bf1fa2o1a29b448957dae9e@mail.gmail.com>
References: <4c4ba1530707120653i75bf1fa2o1a29b448957dae9e@mail.gmail.com>
Message-ID: <46963E3D.5090906@redhat.com>

Tom London wrote:
> yum failure with today's rawhide:
>
> Updating : selinux-policy-targeted ##################### [ 31/126]
> libsepol.permission_copy_callback: Module evolution depends on permission flow_out in class packet, not satisfied
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> tom

Yes, I will put them back in tonight. I tried to remove them since they are unused, but any policy modules built with the policy_module(XYZ,) macro will require them. Hopefully we can fix this when the policy compile generation tools are rewritten, i.e. have the compiler figure out the requires versus a human or gen_require macro specifying them.

From spng.yang at gmail.com Fri Jul 13 06:56:37 2007
From: spng.yang at gmail.com (Ken YANG) Date: Fri, 13 Jul 2007 14:56:37 +0800 Subject: Containing vmware player 2.0.0 with SELINUX In-Reply-To: <46962608.4050603@redhat.com> References: <928657.6553.qm@web34814.mail.mud.yahoo.com> <46962608.4050603@redhat.com> Message-ID: <46972225.8020003@gmail.com> Daniel J Walsh wrote: > Louis Lam wrote: >> Hi all, >> >> At this point i'm still trying to use SELINUX to "contain" vmware >> player, making it run in >> targeted mode. >> >> I'm still rather new to this but through the help of Ken, i've been >> able to manipulate modules and >> get it to "affect" the vmware player but at this point my vmware >> player is still "broken". >> Would anyone be able to share their configurations (.te,.fc,.if) file >> if you've managed to get it >> to work with vmware player or vmware-workstation 6 ? CUrrently i'm >> working with Fedora 7 but >> intend to port it back to RHEL 5. >> >> I've downloaded the latest reference policy from oss and examined the >> vmware relevant files. From >> examining the vmware.fc and >> "/etc/selinux/targeted/modules/active/file_context", seems like the >> vmware.fc file could have been written for an older/different version >> of vmware where the vmnet >> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer >> 2/workstation 6. Which >> version was it written for? >> >> > There is vmware policy that we are starting to use in Rawhide (fc8) >> I went on to modify the vmware.fc file and managed to compile and load >> the vmware.pp module. But >> currently this affected the vmware services at startup, e.g. >> vmnet-dhcpd. For vmware, when >> something fails to start, it would ask me to rum vmware-config.pl >> again when i restart it. Doing >> this would recreate the /dev/vmnet* files over again but it will not >> have the right context, >> defaulting to "device_t" instead of "vmware_device_t" that i have >> modified. 
>> The lines in my vmware.fc look like this:
>>
>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>
>> I was thinking that if the script has created a new /dev/vmnet file it would automatically use the vmware_device_t context, but it didn't. Did I miss out anything?
>>
> The problem here is the script is running as initrc_t, which has no rules when creating devices in directories labeled device_t (/dev). So it uses the default and labels the devices the same as the directory. Usually when we have this situation, we just run restorecon /dev/XYZ after the creation, for example:
>
> mknod /dev/XYZ
> chmod 666 /dev/XYZ
> restorecon /dev/XYZ

As Tom said, it seems that it's "$vmdb_answer_LIBDIR"/net-services.sh which creates such devices:

http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2

I notice "/dev" is tmpfs:

-(:14:45:$)-> cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
/dev /dev tmpfs rw 0 0
......

I want to add rules in policy:

type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;

Additionally, I don't know what the type of net-services.sh is; now it is:

... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh

Is this method appropriate?

>> What do the two "--" on the line mean? Are they significant?
>>
> The -- indicates that this matches only files.
>
> -d directories
> -s sock_file
> -l link file
> -c char_file
> ...
>
> The second character matches the first character of the ls -l line:
>
> ls -l /dev/ttyS0
> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
>
> If you have no option specified it would match any file type.
>
> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>
> would match only "regular files" with these labels. So you would be better off with -c (or -b if they are block devices).
>
>> Sorry about the long post, any help or advice? Thanks.
>>
>> Louis
>>

From dwalsh at redhat.com Fri Jul 13 11:17:12 2007
From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 13 Jul 2007 07:17:12 -0400 Subject: Containing vmware player 2.0.0 with SELINUX In-Reply-To: <46972225.8020003@gmail.com> References: <928657.6553.qm@web34814.mail.mud.yahoo.com> <46962608.4050603@redhat.com> <46972225.8020003@gmail.com> Message-ID: <46975F38.6000709@redhat.com> Ken YANG wrote: > Daniel J Walsh wrote: > >> Louis Lam wrote: >> >>> Hi all, >>> >>> At this point i'm still trying to use SELINUX to "contain" vmware >>> player, making it run in >>> targeted mode. >>> >>> I'm still rather new to this but through the help of Ken, i've been >>> able to manipulate modules and >>> get it to "affect" the vmware player but at this point my vmware >>> player is still "broken". >>> Would anyone be able to share their configurations (.te,.fc,.if) file >>> if you've managed to get it >>> to work with vmware player or vmware-workstation 6 ? CUrrently i'm >>> working with Fedora 7 but >>> intend to port it back to RHEL 5. >>> >>> I've downloaded the latest reference policy from oss and examined the >>> vmware relevant files. From >>> examining the vmware.fc and >>> "/etc/selinux/targeted/modules/active/file_context", seems like the >>> vmware.fc file could have been written for an older/different version >>> of vmware where the vmnet >>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer >>> 2/workstation 6. Which >>> version was it written for? >>> >>> >>> >> There is vmware policy that we are starting to use in Rawhide (fc8) >> >>> I went on to modify the vmware.fc file and managed to compile and load >>> the vmware.pp module. But >>> currently this affected the vmware services at startup, e.g. >>> vmnet-dhcpd. For vmware, when >>> something fails to start, it would ask me to rum vmware-config.pl >>> again when i restart it. 
Doing >>> this would recreate the /dev/vmnet* files over again but it will not >>> have the right context, >>> defaulting to "device_t" instead of "vmware_device_t" that i have >>> modified. The line in my >>> vmware.fc looks like this: >>> >>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0) >>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0) >>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0) >>> >>> I was thinking that if the script has created a new /dev/vmnet file it >>> would automatically use the >>> vmware_device_t context but it didn't. Did i miss out anything? >>> >>> >> The problem here is the script is running as initrc_t which has no rules >> when creating devices in directories labeled device_t (/dev) So it uses >> the default and labels the devices the same as the directory. Usually >> when we have this situation, we just run restorecon /dev/XYZ after the >> creation, >> for example >> >> mknod /dev/XYZ >> chmod 666 /dev/XYZ >> restorecon /dev/XYZ >> > > as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh > who create such devices: > > http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2 > > > i notice "/dev" is tmpfs: > > -(:14:45:$)-> cat /proc/mounts > rootfs / rootfs rw 0 0 > /dev/root / ext3 rw,data=ordered 0 0 > /dev /dev tmpfs rw 0 0 > ...... > > i want to add rules in policy: > > type_transition "vmware type" tmpfs_t : chr_file vmware_device_t; > > additionally i don't know what type of the net-services.sh, now it is: > > ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh > > > is this method appropriate? > > > > > >>> What is the two "--" on the line mean? are they significant? >>> >>> >> The -- indicates that this matches only files. >> >> -d directories >> -s sock_file >> -l link file >> -c char_file >> ... 
>>
>> The second character matches the first character of the ls -l line:
>>
>> ls -l /dev/ttyS0
>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
>>
>> If you have no option specified it would match any file type.
>>
>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>
>> would match only "regular files" with these labels. So you would be better off with -c (or -b if they are block devices).
>>
>>> Sorry about the long post, any help or advice? Thanks.
>>>
>>> Louis
>>>
>

One approach to this would be to label the /etc/init.d/vmware script vmware_initrc_exec_t and then set up the proper transitions. This is something we are considering for RBAC. For example, we want to allow webadm_t to be able to only restart/execute the httpd script. Currently we have to allow him to execute any initrc script, although we can prevent him from starting other confined domains. A cleaner solution might be to label the script differently and set up another domain for the script to transition to.

From wart at kobold.org Sun Jul 15 03:58:23 2007
From: wart at kobold.org (Wart)
Date: Sat, 14 Jul 2007 20:58:23 -0700
Subject: AVC Denied Dhcp and Iptables.
In-Reply-To: <466D894D.20508@redhat.com>
References: <112c19290706062318i6e39f009mba1bebe366097d2f@mail.gmail.com> <466D894D.20508@redhat.com>
Message-ID: <46999B5F.60704@kobold.org>

Daniel J Walsh wrote:
> piotreek wrote:
>> Hi guys, I found some strange messages in my logs. It seems that selinux is blocking dhcp and iptables.
>> I found a similar post on the group about DHCP but my messages are different. I am using FC7; the latest policy update didn't resolve the problem.
>> P.S. I am using firestarter as my firewall.
> I believe you will need to write custom policy to make this work. You can simply add these rules using audit2allow.
>
> # grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc
>
> # semodule -i mydhcpc.pp
>
> Having dhcpc allowed to turn on/off firewall rules is of debatable security risk.

I'm noticing similar behavior with dhcp and ntp. It seems that for some reason the dhcp client is trying to play with ntp (probably because I define the ntp server in the dhcp server config) and failing:

type=AVC msg=audit(1184457984.239:75): avc: denied { remove_name } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.239:75): avc: denied { unlink } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.253:76): avc: denied { add_name } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.253:76): avc: denied { create } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.254:77): avc: denied { write } for pid=6377 comm="touch" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

I can easily write a custom policy to allow this, but it feels like a common enough configuration (ntp server configured by dhcp) that there should be a global policy (or boolean?) to allow this to work.

--Mike

From lshoujun at yahoo.com Mon Jul 16 06:38:06 2007
From: lshoujun at yahoo.com (Louis Lam)
Date: Mon, 16 Jul 2007 07:38:06 +0100 (BST)
Subject: Containing vmware player 2.0.0 with SELINUX
In-Reply-To: <46975F38.6000709@redhat.com>
Message-ID: <41001.75295.qm@web34801.mail.mud.yahoo.com>

Hi All,

I managed to get the vmware host services, e.g. vmnet-bridge, vmnet-dhcpd
etc., to be running in the vmware_host_t domain. I did it by modifying
net-services.sh as described in an earlier post.

Next I tried to get vmplayer (I'm using vmware player 2.0.0 but it is
similar for vmware ws 6) to run in the vmware_t domain. First I tried to
chcon /usr/bin/vmplayer to system_u:object_r:vmware_exec_t. But it turns
out that /usr/bin/vmplayer is a script that would in turn execute
/usr/lib/vmware/bin/vmplayer. I have chcon'd /usr/lib/vmware/bin/vmplayer
to system_u:object_r:vmware_exec_t but it still runs in unconfined_t when
I launch it. It seems like the domain transition didn't take place.
Please help.

1. What should be the context for the /usr/bin/vmplayer script? Does it
affect the transition of the actual executable /usr/lib/vmware/bin/vmplayer?

2. For those who could get vmware workstation 6 to run, how did you get
it to run in the vmware_t domain?

Thanks,
Louis

--- Daniel J Walsh wrote:

> Ken YANG wrote:
>> Daniel J Walsh wrote:
>>> Louis Lam wrote:
>>>> Hi all,
>>>>
>>>> At this point I'm still trying to use SELINUX to "contain" vmware
>>>> player, making it run in targeted mode.
>>>>
>>>> I'm still rather new to this but through the help of Ken, I've been
>>>> able to manipulate modules and get it to "affect" the vmware player
>>>> but at this point my vmware player is still "broken".
>>>> Would anyone be able to share their configuration (.te, .fc, .if) files
>>>> if you've managed to get it to work with vmware player or
>>>> vmware-workstation 6? Currently I'm working with Fedora 7 but
>>>> intend to port it back to RHEL 5.
>>>>
>>>> I've downloaded the latest reference policy from oss and examined the
>>>> vmware relevant files. From examining the vmware.fc and
>>>> "/etc/selinux/targeted/modules/active/file_context", it seems like the
>>>> vmware.fc file could have been written for an older/different version
>>>> of vmware where the vmnet devices are at /dev/vmnet.* instead of the
>>>> /dev/vmnet* found in vmplayer 2/workstation 6. Which version was it
>>>> written for?
>>>>
>>> There is vmware policy that we are starting to use in Rawhide (fc8)
>>>
>>>> I went on to modify the vmware.fc file and managed to compile and load
>>>> the vmware.pp module. But currently this affected the vmware services
>>>> at startup, e.g. vmnet-dhcpd. For vmware, when something fails to
>>>> start, it would ask me to run vmware-config.pl again when I restart it.
>>>> Doing this would recreate the /dev/vmnet* files over again but they will
>>>> not have the right context, defaulting to "device_t" instead of the
>>>> "vmware_device_t" that I have modified. The lines in my vmware.fc look
>>>> like this:
>>>>
>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>
>>>> I was thinking that if the script has created a new /dev/vmnet file it
>>>> would automatically use the vmware_device_t context but it didn't. Did
>>>> I miss out anything?
>>>>
>>> The problem here is the script is running as initrc_t which has no rules
>>> when creating devices in directories labeled device_t (/dev). So it uses
>>> the default and labels the devices the same as the directory. Usually
>>> when we have this situation, we just run restorecon /dev/XYZ after the
>>> creation, for example
>>>
>>> mknod /dev/XYZ
>>> chmod 666 /dev/XYZ
>>> restorecon /dev/XYZ
>>>
>> As Tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh
>> that creates such devices:
>>
>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2
>>
>> I notice "/dev" is tmpfs:
>>
>> -(:14:45:$)-> cat /proc/mounts
>> rootfs / rootfs rw 0 0
>> /dev/root / ext3 rw,data=ordered 0 0
>> /dev /dev tmpfs rw 0 0
>> ......
>>
>> I want to add rules in policy:
>>
>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
>>
>> Additionally I don't know what the type of net-services.sh should be; now it is:
>>
>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh
>>
>> Is this method appropriate?
>>
>>>> What do the two "--" on the line mean? Are they significant?
>>>>
>>> The -- indicates that this matches only files.
>>>
>>> -d directories
>>> -s sock_file
>>> -l link file
>>> -c char_file
>>> ...
>>>
>>> Second character matches the first character of the ls -l line
>>>
>>> ls -l /dev/ttyS0
>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
>>>
>>> If you have no option specified it would match any file type.
>>>
>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>
>>> Would match only "Regular files" with these labels. So you would be
>>> better off with -c (or -b if they are block devices).
>>>
>>>> Sorry about the long post, any help or advice? Thanks.
>>>>
>>>> Louis
>>>> Send instant messages to your online friends
>>>> http://uk.messenger.yahoo.com
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
>
> One approach to this would be to label the /etc/init.d/vmware script
> vmware_initrc_exec_t and then setup the proper transitions.
>
> This is something we are considering for RBAC. For example we want to
> allow the webadm_t to be able to only restart/execute the httpd
> script. Currently we have to allow him to execute any initrc script,
> although we can prevent him from starting other confined domains.
> A cleaner solution might be to label the script differently and setup
> another domain for the script to transition to.

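The file_contexts type specifier that Dan explains in the quoted thread, worked through in code. This is an added example, not part of the thread or of the reference policy: a small Python matcher that parses file_contexts-style entries (including the gen_context(...) form used in the quoted vmware.fc), checks the `--`/`-c`/`-d`/... specifier against a file's st_mode, and applies last-match-wins over a specificity-sorted list the way libselinux does. The sample entries reuse Louis's three vmware lines plus a constructed catch-all /dev/.* entry, and the `-c` variant is Dan's suggested fix.

```python
import re
import stat

# file_contexts type specifiers (Dan's list above) and the st_mode test each requires.
# No specifier means the entry matches any file type.
_TYPE_CHECKS = {
    "--": stat.S_ISREG,   # regular file
    "-d": stat.S_ISDIR,   # directory
    "-c": stat.S_ISCHR,   # character device
    "-b": stat.S_ISBLK,   # block device
    "-s": stat.S_ISSOCK,  # socket
    "-l": stat.S_ISLNK,   # symlink
    "-p": stat.S_ISFIFO,  # named pipe
}

_ENTRY_RE = re.compile(r"^(\S+)\s+(?:(-[-dcbslp])\s+)?(\S+)$")
_GEN_CONTEXT_RE = re.compile(r"^gen_context\(([^,]+),([^)]+)\)$")


def parse_fc(text):
    """Parse file_contexts-style lines into (compiled regex, type specifier, context).

    Accepts both the installed form (bare context) and the policy-source form
    (gen_context(ctx,level) macro, as in the quoted vmware.fc). A context of
    <<none>> means "do not relabel" and is kept as None.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparseable file_contexts line: {raw!r}")
        pattern, ftype, ctx = m.groups()
        gm = _GEN_CONTEXT_RE.match(ctx)
        if gm:
            ctx = f"{gm.group(1)}:{gm.group(2)}"
        elif ctx == "<<none>>":
            ctx = None
        # file_contexts regexes are anchored at both ends.
        entries.append((re.compile(pattern + "$"), ftype, ctx))
    return entries


def match_context(entries, path, mode):
    """Return the context `path` would be labelled with given its st_mode, or None.

    Entries are assumed to be ordered least-specific first, as an installed,
    sorted file_contexts is; like libselinux, the last matching entry wins, and
    an entry whose type specifier disagrees with `mode` is skipped entirely.
    """
    chosen = None
    for regex, ftype, ctx in entries:
        if regex.match(path) is None:
            continue
        if ftype is not None and not _TYPE_CHECKS[ftype](mode):
            continue
        chosen = ctx
    return chosen


# Constructed sample: a catch-all /dev entry (device_t) followed by the three
# vmware.fc lines quoted above, exactly as Louis wrote them.
PAGE_FC = """\
/dev/.*                        gen_context(system_u:object_r:device_t,s0)
/dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
"""
# The same entries with Dan's suggested fix: -c so they match character devices.
FIXED_FC = PAGE_FC.replace(" -- ", " -c ")

CHR_DEVICE = stat.S_IFCHR | 0o660   # what a freshly created /dev/vmnetN looks like
REGULAR_FILE = stat.S_IFREG | 0o644


def label_for(fc_text, path, mode):
    """Parse `fc_text` and return the label one path would receive."""
    return match_context(parse_fc(fc_text), path, mode)


if __name__ == "__main__":
    for name, fc in (("as posted (--)", PAGE_FC), ("with -c", FIXED_FC)):
        print(name, "/dev/vmnet0 ->", label_for(fc, "/dev/vmnet0", CHR_DEVICE))
```

With the `--` entries a character device /dev/vmnet0 falls through to the /dev/.* default and comes out as device_t, which is exactly the mislabel Louis saw; with `-c` it gets vmware_device_t.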
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 16 Jul 2007 09:27:00 -0400
Subject: AVC Denied Dhcp and Iptables.
In-Reply-To: <46999B5F.60704@kobold.org>
References: <112c19290706062318i6e39f009mba1bebe366097d2f@mail.gmail.com> <466D894D.20508@redhat.com> <46999B5F.60704@kobold.org>
Message-ID: <469B7224.4030204@redhat.com>

Wart wrote:
> Daniel J Walsh wrote:
>> piotreek wrote:
>>> Hi guys, I found some strange messages in my logs. It seems that
>>> selinux is blocking dhcp and iptables.
>>> I found a similar post on the group about DHCP but my messages are
>>> different. I am using FC7; the latest policy update didn't resolve the
>>> problem.
>>> P.S. I am using Firestarter as my firewall.
>> I believe you will need to write custom policy to make this work.
>> You can simply add these rules using audit2allow.
>>
>> # grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc
>>
>> # semodule -i mydhcpc.pp
>>
>> Having dhcpc allowed to turn on/off firewall rules is of debatable
>> security risk.
>
> I'm noticing similar behavior with dhcp and ntp. It seems that for
> some reason the dhcp client is trying to play with ntp (probably
> because I define the ntp server in the dhcp server config) and failing:
>
> type=AVC msg=audit(1184457984.239:75): avc: denied { remove_name }
> for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> type=AVC msg=audit(1184457984.239:75): avc: denied { unlink } for
> pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1184457984.253:76): avc: denied { add_name } for
> pid=6377 comm="touch" name="ntpd"
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> type=AVC msg=audit(1184457984.253:76): avc: denied { create } for
> pid=6377 comm="touch" name="ntpd"
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1184457984.254:77): avc: denied { write } for
> pid=6377 comm="touch" name="ntpd" dev=sdc1 ino=1632966
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
>
> I can easily write a custom policy to allow this, but it feels like a
> common enough configuration (ntp server configured by dhcp) that there
> should be a global policy (or boolean?) to allow this to work.
>
> --Mike
>
Did it work in enforcing mode? Currently the policy says to dontaudit
search of the locks directory, which should have prevented these avc
messages in enforcing mode. If it works in enforcing mode, these avc's
can be ignored.

From: selinux at gmail.com (Tom London)
Date: Mon, 16 Jul 2007 07:48:47 -0700
Subject: mindterm (java_t) AVCs
Message-ID: <4c4ba1530707160748h6d8127a0m1117a14165d34501@mail.gmail.com>

Running latest rawhide, targeted enforcing:

Running 'java -jar mindterm.jar' with mindterm-3.1.2 produced AVC.

Putting in permissive mode and running, I get these:

type=AVC msg=audit(1184596927.029:42): avc: denied { unix_read } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=AVC msg=audit(1184596927.029:42): avc: denied { read } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596927.029:42): arch=40000003 syscall=117 success=yes exit=0 a0=15 a1=110017 a2=1000 a3=bfd97ef8 items=0 ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg" subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1184596927.029:43): avc: denied { getattr associate } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596927.029:43): arch=40000003 syscall=117 success=yes exit=0 a0=18 a1=110017 a2=102 a3=0 items=0 ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg" subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1184596928.029:44): avc: denied { unix_write } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=AVC msg=audit(1184596928.029:44): avc: denied { write } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596928.029:44): arch=40000003 syscall=117 success=yes exit=0 a0=15 a1=118017 a2=0 a3=bfd97ef8 items=0 ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg" subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)

or

allow xdm_xserver_t java_t:shm { write unix_read getattr unix_write associate read };

BTW, the app appears to run in enforcing mode, even with the AVC. Here is the only enforcing AVC:

type=AVC msg=audit(1184596881.529:40): avc: denied { unix_read } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596881.529:40): arch=40000003 syscall=117 success=no exit=-13 a0=15 a1=108017 a2=1000 a3=bfd97ef8 items=0 ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg" subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)

tom
--
Tom London

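The AVC/SYSCALL records in Tom's message and Dan's "did it work in enforcing mode?" question, worked through in code. As an added example (not from the thread, and not audit2allow's own code), the Python below parses AVC and SYSCALL records, pairs them by audit event id so that a denial followed by `success=no` (the call really failed, as in the one enforcing AVC above) can be told apart from one followed by `success=yes` (logged only, as in the permissive run), and collapses the denials into audit2allow-style `allow` rules like the ones posted later in this list. The sample records are taken from this thread, with one rpcbind_t record constructed to exercise the `self` target.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL pairs quoted in this thread (xdm_xserver_t -> java_t shm,
# dhcpc_t -> var_lock_t), plus one rpcbind_t record made up to exercise the "self" case.
SAMPLE_LOG = """\
type=AVC msg=audit(1184596881.529:40): avc: denied { unix_read } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596881.529:40): arch=40000003 syscall=117 success=no exit=-13 a0=15 a1=108017 a2=1000 a3=bfd97ef8 items=0 ppid=3206 pid=3208 comm="X" exe="/usr/bin/Xorg"
type=AVC msg=audit(1184596927.029:43): avc: denied { getattr associate } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
type=SYSCALL msg=audit(1184596927.029:43): arch=40000003 syscall=117 success=yes exit=0 a0=18 a1=110017 a2=102 a3=0 items=0 ppid=3206 pid=3208 comm="X" exe="/usr/bin/Xorg"
type=AVC msg=audit(1184457984.239:75): avc: denied { unlink } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184800000.000:90): avc: denied { listen } for pid=2207 comm="rpcbind" scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<id>[\d.]+:\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<id>[\d.]+:\d+)\):.*?success=(?P<success>yes|no) exit=(?P<exit>-?\d+)"
)


def type_of(context):
    """Third colon-separated field of a security context is the type (e.g. java_t)."""
    return context.split(":")[2]


def parse_audit(text):
    """Return (denials, syscalls).

    denials: list of dicts with id, perms, stype, ttype, tclass.
    syscalls: event id -> (succeeded: bool, exit code) from the matching SYSCALL record.
    """
    denials, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "id": m["id"],
                "perms": m["perms"].split(),
                "stype": type_of(m["scontext"]),
                "ttype": type_of(m["tcontext"]),
                "tclass": m["tclass"],
            })
            continue
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m["id"]] = (m["success"] == "yes", int(m["exit"]))
    return denials, syscalls


def allow_rules(denials):
    """Merge denials into audit2allow-style rules, one per (source type, target type, class).

    A single permission is written bare; several are braced. When source and
    target types are the same the target is written as `self`, as audit2allow does.
    """
    perms = defaultdict(set)
    for d in denials:
        perms[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        target = "self" if stype == ttype else ttype
        plist = sorted(ps)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return rules


def classify(denials, syscalls):
    """Label each denial by what the paired SYSCALL record says happened.

    "blocked":    the syscall failed (success=no), so the denial was enforced.
    "permissive": the syscall succeeded despite the denial being logged, which is
                  what a permissive-mode run (or a non-fatal check) looks like.
    "unknown":    no SYSCALL record with the same event id was captured.
    """
    verdicts = {}
    for d in denials:
        rec = syscalls.get(d["id"])
        if rec is None:
            verdicts[d["id"]] = "unknown"
        elif rec[0]:
            verdicts[d["id"]] = "permissive"
        else:
            verdicts[d["id"]] = "blocked"
    return verdicts


if __name__ == "__main__":
    denials, syscalls = parse_audit(SAMPLE_LOG)
    for rule in allow_rules(denials):
        print(rule)
    for event_id, verdict in classify(denials, syscalls).items():
        print(event_id, verdict)
```

Only the "blocked" events are candidates for a policy change; as Dan notes, a denial that appears in permissive mode but does not break anything in enforcing mode can be left alone (or is covered by a dontaudit).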
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 16 Jul 2007 13:24:00 -0400
Subject: Containing vmware player 2.0.0 with SELINUX
In-Reply-To: <41001.75295.qm@web34801.mail.mud.yahoo.com>
References: <41001.75295.qm@web34801.mail.mud.yahoo.com>
Message-ID: <469BA9B0.5040706@redhat.com>

Louis Lam wrote:
> Hi All,
>
> I managed to get the vmware host services, e.g. vmnet-bridge, vmnet-dhcpd
> etc., to be running in the vmware_host_t domain. I did it by modifying
> net-services.sh as described in an earlier post.
>
> Next I tried to get vmplayer (I'm using vmware player 2.0.0 but it is
> similar for vmware ws 6) to run in the vmware_t domain. First I tried to
> chcon /usr/bin/vmplayer to system_u:object_r:vmware_exec_t. But it turns
> out that /usr/bin/vmplayer is a script that would in turn execute
> /usr/lib/vmware/bin/vmplayer. I have chcon'd /usr/lib/vmware/bin/vmplayer
> to system_u:object_r:vmware_exec_t but it still runs in unconfined_t when
> I launch it. It seems like the domain transition didn't take place.
> Please help.
>
> 1. What should be the context for the /usr/bin/vmplayer script? Does it
> affect the transition of the actual executable /usr/lib/vmware/bin/vmplayer?
>
> 2. For those who could get vmware workstation 6 to run, how did you get
> it to run in the vmware_t domain?
>
There is currently no transition from unconfined_t to vmware_t. So the
only way to get the transition to happen is through the initrc script.
You could label the vmplayer script initrc_exec_t and the transitions
should happen properly.

> Thanks,
> Louis
>
> --- Daniel J Walsh wrote:
>
>> Ken YANG wrote:
>>> Daniel J Walsh wrote:
>>>> Louis Lam wrote:
>>>>> Hi all,
>>>>>
>>>>> At this point I'm still trying to use SELINUX to "contain" vmware
>>>>> player, making it run in targeted mode.
>>>>>
>>>>> I'm still rather new to this but through the help of Ken, I've been
>>>>> able to manipulate modules and get it to "affect" the vmware player
>>>>> but at this point my vmware player is still "broken".
>>>>> Would anyone be able to share their configuration (.te, .fc, .if) files
>>>>> if you've managed to get it to work with vmware player or
>>>>> vmware-workstation 6? Currently I'm working with Fedora 7 but
>>>>> intend to port it back to RHEL 5.
>>>>>
>>>>> I've downloaded the latest reference policy from oss and examined the
>>>>> vmware relevant files. From examining the vmware.fc and
>>>>> "/etc/selinux/targeted/modules/active/file_context", it seems like the
>>>>> vmware.fc file could have been written for an older/different version
>>>>> of vmware where the vmnet devices are at /dev/vmnet.* instead of the
>>>>> /dev/vmnet* found in vmplayer 2/workstation 6. Which version was it
>>>>> written for?
>>>>>
>>>> There is vmware policy that we are starting to use in Rawhide (fc8)
>>>>
>>>>> I went on to modify the vmware.fc file and managed to compile and load
>>>>> the vmware.pp module. But currently this affected the vmware services
>>>>> at startup, e.g. vmnet-dhcpd. For vmware, when something fails to
>>>>> start, it would ask me to run vmware-config.pl again when I restart it.
>>>>> Doing this would recreate the /dev/vmnet* files over again but they will
>>>>> not have the right context, defaulting to "device_t" instead of the
>>>>> "vmware_device_t" that I have modified. The lines in my vmware.fc look
>>>>> like this:
>>>>>
>>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>>
>>>>> I was thinking that if the script has created a new /dev/vmnet file it
>>>>> would automatically use the vmware_device_t context but it didn't. Did
>>>>> I miss out anything?
>>>>>
>>>> The problem here is the script is running as initrc_t which has no rules
>>>> when creating devices in directories labeled device_t (/dev). So it uses
>>>> the default and labels the devices the same as the directory. Usually
>>>> when we have this situation, we just run restorecon /dev/XYZ after the
>>>> creation, for example
>>>>
>>>> mknod /dev/XYZ
>>>> chmod 666 /dev/XYZ
>>>> restorecon /dev/XYZ
>>>>
>>> As Tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh
>>> that creates such devices:
>>>
>>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2
>>>
>>> I notice "/dev" is tmpfs:
>>>
>>> -(:14:45:$)-> cat /proc/mounts
>>> rootfs / rootfs rw 0 0
>>> /dev/root / ext3 rw,data=ordered 0 0
>>> /dev /dev tmpfs rw 0 0
>>> ......
>>>
>>> I want to add rules in policy:
>>>
>>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
>>>
>>> Additionally I don't know what the type of net-services.sh should be; now it is:
>>>
>>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh
>>>
>>> Is this method appropriate?
>>>
>>>>> What do the two "--" on the line mean? Are they significant?
>>>>>
>>>> The -- indicates that this matches only files.
>>>>
>>>> -d directories
>>>> -s sock_file
>>>> -l link file
>>>> -c char_file
>>>> ...
>>>>
>>>> Second character matches the first character of the ls -l line
>>>>
>>>> ls -l /dev/ttyS0
>>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
>>>>
>>>> If you have no option specified it would match any file type.
>>>>
>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>
>>>> Would match only "Regular files" with these labels. So you would be
>>>> better off with -c (or -b if they are block devices).
>>>>
>>>>> Sorry about the long post, any help or advice? Thanks.
>>>>>
>>>>> Louis
>>>>>
>>>>
>>>
>> One approach to this would be to label the /etc/init.d/vmware script
>> vmware_initrc_exec_t and then setup the proper transitions.
>>
>> This is something we are considering for RBAC. For example we want to
>> allow the webadm_t to be able to only restart/execute the httpd
>> script. Currently we have to allow him to execute any initrc script,
>> although we can prevent him from starting other confined domains.
>> A cleaner solution might be to label the script differently and setup
>> another domain for the script to transition to.
>>
>

From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 17 Jul 2007 12:11:12 -0700 (PDT)
Subject: does selinux policy have an avc denied for "zedeyen fate"?
Message-ID: <186354.46251.qm@web52607.mail.re2.yahoo.com>

"zedeyen fate"
Subject: I HAVE DECIDED TO CONTACT YOU
Date: Tue, 17 Jul 2007 17:51:28 +0000

Seriously, did anyone else also get this mail on fedora-selinux-list at redhat.com? He apparently addressed it to the list, as it is the third address in the To: section. This person loves yahoo, but also likes fedora-selinux-list.

Regards,

Antonio

From: ftaylor at redhat.com (Forrest Taylor)
Date: Wed, 18 Jul 2007 11:00:18 -0600
Subject: Text console not setting category
Message-ID: <1184778019.5187.18.camel@localhost.localdomain>

I have a user that has a category different than the default. When I log in to the GUI or via ssh, the category is set. However, when I log in to the text console, the category is not set. Is this a bug in login or do I have unreasonable expectations?

# semanage translation -l
s0:c1 admin1

# semanage login -l
student user_u admin1

Through ssh/GUI:
$ id -Z
user_u:system_r:unconfined_t:admin1

Through text console:
$ id -Z
system_u:system_r:unconfined_t:SystemLow-SystemHigh

Now that I write this, I notice that the user and role have changed as well. I also notice this in the audit log:

type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'

This is running on RHEL 5.0.0 targeted policy. Any clues?

Thanks,

Forrest

From: selinux at gmail.com (Tom London)
Date: Thu, 19 Jul 2007 07:03:30 -0700
Subject: Issues after today's Rawhide update...
Message-ID: <4c4ba1530707190703r995e352wf815a8406950d78@mail.gmail.com>

After today's update (targeted/enforcing), I get a bunch of AVCs. audit.log file attached.

tom

[root at localhost ~]# audit2allow -i log

#============= NetworkManager_t ==============
allow NetworkManager_t device_t:sock_file write;

#============= auditd_t ==============
allow auditd_t device_t:sock_file write;

#============= avahi_t ==============
allow avahi_t device_t:sock_file write;

#============= crond_t ==============
allow crond_t device_t:sock_file write;

#============= cupsd_t ==============
allow cupsd_t unlabeled_t:file ioctl;

#============= dhcpc_t ==============
allow dhcpc_t device_t:sock_file write;

#============= entropyd_t ==============
allow entropyd_t device_t:sock_file write;

#============= fsdaemon_t ==============
allow fsdaemon_t device_t:sock_file write;

#============= gpm_t ==============
allow gpm_t device_t:sock_file write;

#============= ntpd_t ==============
allow ntpd_t device_t:sock_file write;

#============= rpcbind_t ==============
allow rpcbind_t self:capability sys_tty_config;
allow rpcbind_t self:udp_socket listen;

#============= sendmail_t ==============
allow sendmail_t device_t:sock_file write;

#============= setroubleshootd_t ==============
allow setroubleshootd_t device_t:sock_file write;

#============= sshd_t ==============
allow sshd_t device_t:sock_file write;

#============= system_chkpwd_t ==============
allow system_chkpwd_t device_t:sock_file write;

#============= system_dbusd_t ==============
allow system_dbusd_t device_t:sock_file write;

#============= xdm_t ==============
allow xdm_t device_t:sock_file write;

--
Tom London

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 19 Jul 2007 10:26:49 -0400
Subject: Text console not setting category
In-Reply-To: <1184778019.5187.18.camel@localhost.localdomain>
References: <1184778019.5187.18.camel@localhost.localdomain>
Message-ID: <469F74A9.2020602@redhat.com>

Forrest Taylor wrote:
> I have a user that has a category different than the default. When I
> log in to the GUI or via ssh, the category is set. However, when I
> log in to the text console, the category is not set. Is this a bug in
> login or do I have unreasonable expectations?
>
> # semanage translation -l
> s0:c1 admin1
>
> # semanage login -l
> student user_u admin1
>
> Through ssh/GUI:
> $ id -Z
> user_u:system_r:unconfined_t:admin1
>
> Through text console:
> $ id -Z
> system_u:system_r:unconfined_t:SystemLow-SystemHigh
>
> Now that I write this, I notice that the user and role have changed as
> well. I also notice this in the audit log:
>
> type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517
> uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-
> context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
> res=success)'
>
> This is running on RHEL 5.0.0 targeted policy. Any clues?
>
> Thanks,
>
> Forrest
>
This looks like a bug. But a lot of fixes were added for 5.1 for MLS
policy and this might have been one of them, since this is pretty
fundamental to mls. A prerelease of the mls packages is available at
http://people.redhat.com/sgrubb/files/lspp/

From: selinux at gmail.com (Tom London)
Date: Thu, 19 Jul 2007 07:29:53 -0700
Subject: syslog is now rsyslog.....
Message-ID: <4c4ba1530707190729k6e1c29bbg28b187932ed20f3f@mail.gmail.com>

Believe some changes (e.g., /etc/rsyslog.conf, /sbin/rsyslogd, ...) are in order?

[root at localhost ~]# ps agxZ | grep syslog
system_u:system_r:initrc_t      2511 ?        Ssl    0:00 rsyslogd -m 0
system_u:system_r:unconfined_t  4154 pts/0    S+     0:00 grep syslog
[root at localhost ~]#

tom
--
Tom London

From: selinux at gmail.com (Tom London)
Date: Thu, 19 Jul 2007 07:43:30 -0700
Subject: Issues after today's Rawhide update...
In-Reply-To: <4c4ba1530707190703r995e352wf815a8406950d78@mail.gmail.com>
References: <4c4ba1530707190703r995e352wf815a8406950d78@mail.gmail.com>
Message-ID: <4c4ba1530707190743q31cb0a5eida7f744702d299ae@mail.gmail.com>

On 7/19/07, Tom London wrote:
> After today's update (targeted/enforcing), I get a bunch of AVCs.
> audit.log file attached.
>
> tom
>
> [root at localhost ~]# audit2allow -i log
>
> #============= NetworkManager_t ==============
> allow NetworkManager_t device_t:sock_file write;
>
> #============= auditd_t ==============
> allow auditd_t device_t:sock_file write;
>
> #============= avahi_t ==============
> allow avahi_t device_t:sock_file write;
>
> #============= crond_t ==============
> allow crond_t device_t:sock_file write;
>
> #============= cupsd_t ==============
> allow cupsd_t unlabeled_t:file ioctl;
>
> #============= dhcpc_t ==============
> allow dhcpc_t device_t:sock_file write;
>
> #============= entropyd_t ==============
> allow entropyd_t device_t:sock_file write;
>
> #============= fsdaemon_t ==============
> allow fsdaemon_t device_t:sock_file write;
>
> #============= gpm_t ==============
> allow gpm_t device_t:sock_file write;
>
> #============= ntpd_t ==============
> allow ntpd_t device_t:sock_file write;
>
> #============= rpcbind_t ==============
> allow rpcbind_t self:capability sys_tty_config;
> allow rpcbind_t self:udp_socket listen;
>
> #============= sendmail_t ==============
> allow sendmail_t device_t:sock_file write;
>
> #============= setroubleshootd_t ==============
> allow setroubleshootd_t device_t:sock_file write;
>
> #============= sshd_t ==============
> allow sshd_t device_t:sock_file write;
>
> #============= system_chkpwd_t ==============
> allow system_chkpwd_t device_t:sock_file write;
>
> #============= system_dbusd_t ==============
> allow system_dbusd_t device_t:sock_file write;
>
> #============= xdm_t ==============
> allow xdm_t device_t:sock_file write;
>
> --
> Tom London
>
Fixing the labels for /sbin/rsyslogd, /sbin/rklogd, etc. appears to fix this...

Sorry for being 'quick on the trigger'.

tom
--
Tom London

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 19 Jul 2007 11:06:56 -0400
Subject: Issues after today's Rawhide update...
In-Reply-To: <4c4ba1530707190703r995e352wf815a8406950d78@mail.gmail.com>
References: <4c4ba1530707190703r995e352wf815a8406950d78@mail.gmail.com>
Message-ID: <469F7E10.7060501@redhat.com>

Tom London wrote:
> After today's update (targeted/enforcing), I get a bunch of AVCs.
> audit.log file attached.
>
> tom
>
> [root at localhost ~]# audit2allow -i log
>
> #============= NetworkManager_t ==============
> allow NetworkManager_t device_t:sock_file write;
>
> #============= auditd_t ==============
> allow auditd_t device_t:sock_file write;
>
> #============= avahi_t ==============
> allow avahi_t device_t:sock_file write;
>
> #============= crond_t ==============
> allow crond_t device_t:sock_file write;
>
> #============= cupsd_t ==============
> allow cupsd_t unlabeled_t:file ioctl;
>
> #============= dhcpc_t ==============
> allow dhcpc_t device_t:sock_file write;
>
> #============= entropyd_t ==============
> allow entropyd_t device_t:sock_file write;
>
> #============= fsdaemon_t ==============
> allow fsdaemon_t device_t:sock_file write;
>
> #============= gpm_t ==============
> allow gpm_t device_t:sock_file write;
>
> #============= ntpd_t ==============
> allow ntpd_t device_t:sock_file write;
>
> #============= rpcbind_t ==============
> allow rpcbind_t self:capability sys_tty_config;
> allow rpcbind_t self:udp_socket listen;
>
> #============= sendmail_t ==============
> allow sendmail_t device_t:sock_file write;
>
> #============= setroubleshootd_t ==============
> allow setroubleshootd_t device_t:sock_file write;
>
> #============= sshd_t ==============
> allow sshd_t device_t:sock_file write;
>
> #============= system_chkpwd_t ==============
> allow system_chkpwd_t device_t:sock_file write;
>
> #============= system_dbusd_t ==============
> allow system_dbusd_t device_t:sock_file write;
>
> #============= xdm_t ==============
> allow xdm_t device_t:sock_file write;
>
Does /dev/log have the wrong label on it?

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 19 Jul 2007 11:13:27 -0400
Subject: syslog is now rsyslog.....
In-Reply-To: <4c4ba1530707190729k6e1c29bbg28b187932ed20f3f@mail.gmail.com>
References: <4c4ba1530707190729k6e1c29bbg28b187932ed20f3f@mail.gmail.com>
Message-ID: <469F7F97.2090900@redhat.com>

Tom London wrote:
> Believe some changes (e.g., /etc/rsyslog.conf, /sbin/rsyslogd, ...) are
> in order?
>
> [root at localhost ~]# ps agxZ | grep syslog
> system_u:system_r:initrc_t      2511 ?        Ssl    0:00 rsyslogd -m 0
> system_u:system_r:unconfined_t  4154 pts/0    S+     0:00 grep syslog
> [root at localhost ~]#
>
> tom
>
If you change its context to syslogd_exec_t does everything work right?

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 19 Jul 2007 11:27:57 -0400
Subject: Issues after today's Rawhide update...
In-Reply-To: <4c4ba1530707190743q31cb0a5eida7f744702d299ae@mail.gmail.com>
References: <4c4ba1530707190703r995e352wf815a8406950d78@mail.gmail.com> <4c4ba1530707190743q31cb0a5eida7f744702d299ae@mail.gmail.com>
Message-ID: <469F82FD.4010201@redhat.com>

Tom London wrote:
> On 7/19/07, Tom London wrote:
>> After today's update (targeted/enforcing), I get a bunch of AVCs.
>> audit.log file attached.
>>
>> tom
>>
>> [root@localhost ~]# audit2allow -i log
>>
>> #============= NetworkManager_t ==============
>> allow NetworkManager_t device_t:sock_file write;
>>
>> #============= auditd_t ==============
>> allow auditd_t device_t:sock_file write;
>>
>> #============= avahi_t ==============
>> allow avahi_t device_t:sock_file write;
>>
>> #============= crond_t ==============
>> allow crond_t device_t:sock_file write;
>>
>> #============= cupsd_t ==============
>> allow cupsd_t unlabeled_t:file ioctl;
>>
>> #============= dhcpc_t ==============
>> allow dhcpc_t device_t:sock_file write;
>>
>> #============= entropyd_t ==============
>> allow entropyd_t device_t:sock_file write;
>>
>> #============= fsdaemon_t ==============
>> allow fsdaemon_t device_t:sock_file write;
>>
>> #============= gpm_t ==============
>> allow gpm_t device_t:sock_file write;
>>
>> #============= ntpd_t ==============
>> allow ntpd_t device_t:sock_file write;
>>
>> #============= rpcbind_t ==============
>> allow rpcbind_t self:capability sys_tty_config;
>> allow rpcbind_t self:udp_socket listen;
>>
>> #============= sendmail_t ==============
>> allow sendmail_t device_t:sock_file write;
>>
>> #============= setroubleshootd_t ==============
>> allow setroubleshootd_t device_t:sock_file write;
>>
>> #============= sshd_t ==============
>> allow sshd_t device_t:sock_file write;
>>
>> #============= system_chkpwd_t ==============
>> allow system_chkpwd_t device_t:sock_file write;
>>
>> #============= system_dbusd_t ==============
>> allow system_dbusd_t device_t:sock_file write;
>>
>> #============= xdm_t ==============
>> allow xdm_t device_t:sock_file write;
>>
>> --
>> Tom London
>>
> Fixing the labels for /sbin/rsyslogd, /sbin/rklogd, etc. appears to
> fix this...
>
> Sorry for being 'quick on the trigger'.
>
> tom

Ok, tonight's policy will have the correct context on these. I need to crack some skulls together...

From selinux at gmail.com Thu Jul 19 15:54:18 2007
From: selinux at gmail.com (Tom London)
Date: Thu, 19 Jul 2007 08:54:18 -0700
Subject: daemons running as initrc_t
Message-ID: <4c4ba1530707190854w56827359he9e3e4af3acd9b2e@mail.gmail.com>

[root@localhost ~]# ps agxZ | grep initrc_t
system_u:system_r:initrc_t 2818 ? S 0:00 nasd -b -local
system_u:system_r:initrc_t 3174 ? Ss 0:00 NetworkManagerDispatcher --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
system_u:system_r:unconfined_t 3802 pts/0 S+ 0:00 grep initrc_t
[root@localhost ~]#

So, nasd and Network run in initrc_t.

Should nasd have its own domain (e.g., nasd_exec_t -> nasd_t)?

What about NetworkManagerDispatcher (e.g., also NetworkManager_exec_t, other?)?

tom
--
Tom London

From dwalsh at redhat.com Thu Jul 19 16:10:31 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 19 Jul 2007 12:10:31 -0400
Subject: daemons running as initrc_t
In-Reply-To: <4c4ba1530707190854w56827359he9e3e4af3acd9b2e@mail.gmail.com>
References: <4c4ba1530707190854w56827359he9e3e4af3acd9b2e@mail.gmail.com>
Message-ID: <469F8CF7.4050903@redhat.com>

Tom London wrote:
> [root@localhost ~]# ps agxZ | grep initrc_t
> system_u:system_r:initrc_t 2818 ? S 0:00 nasd -b -local
> system_u:system_r:initrc_t 3174 ? Ss 0:00 NetworkManagerDispatcher --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
> system_u:system_r:unconfined_t 3802 pts/0 S+ 0:00 grep initrc_t
> [root@localhost ~]#
>
> So, nasd and Network run in initrc_t.
>
> Should nasd have its own domain (e.g., nasd_exec_t -> nasd_t)?

Yes. Anyone out there looking to get their feet wet in writing policy, this is probably a good one to start on.

Try out system-config-selinux, go to the modules tab and select new. Comments welcome. I plan on writing up a tutorial on this soon.

> What about NetworkManagerDispatcher (e.g., also NetworkManager_exec_t,
> other?)?

This really needs a different interface also. And the scripts need to be labeled. One problem with this is that these scripts could do anything, so a policy for this dispatcher would need to be able to transition to lots of domains. Maybe add an interface to it so that, like apache, it can run scripts in different contexts.

But we would have to ship a NetworkManager_unconfined_script_exec_t for the default.

> tom

From ftaylor at redhat.com Thu Jul 19 20:26:36 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Thu, 19 Jul 2007 14:26:36 -0600
Subject: Text console not setting category
In-Reply-To: <469F74A9.2020602@redhat.com>
References: <1184778019.5187.18.camel@localhost.localdomain> <469F74A9.2020602@redhat.com>
Message-ID: <1184876796.5179.18.camel@localhost.localdomain>

On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
> Forrest Taylor wrote:
> > I have a user that has a category different than the default. When I
> > log in to the GUI or via ssh, the category is set. However, when I
> > login to the text console, the category is not set. Is this a bug in
> > login or do I have unreasonable expectations?
> >
> > # semanage translation -l
> > s0:c1 admin1
> >
> > # semanage login -l
> > student user_u admin1
> >
> > Through ssh/GUI:
> > $ id -Z
> > user_u:system_r:unconfined_t:admin1
> >
> > Through text console:
> > $ id -Z
> > system_u:system_r:unconfined_t:SystemLow-SystemHigh
> >
> > Now that I write this, I notice that the user and role have changed as
> > well. I also notice this in the audit log:
> >
> > type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
> >
> > This is running on RHEL 5.0.0 targeted policy. Any clues?
> >
> > Thanks,
> >
> > Forrest
> >
> This looks like a bug.
>
> But a lot of fixes were added for 5.1 for MLS policy and this might have
> been one of them. Since this is pretty fundamental to mls.
>
> A prerelease of the mls packages is available at
>
> http://people.redhat.com/sgrubb/files/lspp/

Yes, that fixed the problem. I pointed yum to Steve's repo and installed all the updates. Now I get this context:

user_u:system_r:unconfined_t::admin1

Interesting that it has :: before admin1. I assume that this tells us that admin1 is defined as both a security level and a category. Although this doesn't hold true for root:

root:system_r:unconfined_t:-SystemHigh

Why does root have -SystemHigh (why the dash)? Turning off mcstrans shows that it is s0-s0:c0.c1023, so how is that translated to -SystemHigh, and why doesn't it have :: ?

Thanks,

Forrest

From dwalsh at redhat.com Thu Jul 19 20:30:59 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 19 Jul 2007 16:30:59 -0400
Subject: Text console not setting category
In-Reply-To: <1184876796.5179.18.camel@localhost.localdomain>
References: <1184778019.5187.18.camel@localhost.localdomain> <469F74A9.2020602@redhat.com> <1184876796.5179.18.camel@localhost.localdomain>
Message-ID: <469FCA03.3090407@redhat.com>

Forrest Taylor wrote:
> On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
>
>> Forrest Taylor wrote:
>>
>>> I have a user that has a category different than the default. When I
>>> log in to the GUI or via ssh, the category is set. However, when I
>>> login to the text console, the category is not set. Is this a bug in
>>> login or do I have unreasonable expectations?
>>>
>>> # semanage translation -l
>>> s0:c1 admin1
>>>
>>> # semanage login -l
>>> student user_u admin1
>>>
>>> Through ssh/GUI:
>>> $ id -Z
>>> user_u:system_r:unconfined_t:admin1
>>>
>>> Through text console:
>>> $ id -Z
>>> system_u:system_r:unconfined_t:SystemLow-SystemHigh
>>>
>>> Now that I write this, I notice that the user and role have changed as
>>> well. I also notice this in the audit log:
>>>
>>> type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
>>>
>>> This is running on RHEL 5.0.0 targeted policy. Any clues?
>>>
>>> Thanks,
>>>
>>> Forrest
>>>
>> This looks like a bug.
>>
>> But a lot of fixes were added for 5.1 for MLS policy and this might have
>> been one of them. Since this is pretty fundamental to mls.
>>
>> A prerelease of the mls packages is available at
>>
>> http://people.redhat.com/sgrubb/files/lspp/
>>
>
> Yes, that fixed the problem. I pointed yum to Steve's repo and
> installed all the updates. Now I get this context:
>
> user_u:system_r:unconfined_t::admin1
>
> Interesting that it has :: before admin1. I assume that this tells us
> that admin1 is defined as both a security level and a category.
> Although this doesn't hold true for root:
>
> root:system_r:unconfined_t:-SystemHigh
>
> Why does root have -SystemHigh (why the dash)? Turning off mcstrans
> shows that it is s0-s0:c0.c1023, so how is that translated to
> -SystemHigh, and why doesn't it have :: ?
>
> Thanks,
>
> Forrest

This looks like a translation problem. You have s0 -> "". So this is really

s0:admin1
s0-SystemHigh

From ftaylor at redhat.com Thu Jul 19 21:04:13 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Thu, 19 Jul 2007 15:04:13 -0600
Subject: Text console not setting category
In-Reply-To: <469FCA03.3090407@redhat.com>
References: <1184778019.5187.18.camel@localhost.localdomain> <469F74A9.2020602@redhat.com> <1184876796.5179.18.camel@localhost.localdomain> <469FCA03.3090407@redhat.com>
Message-ID: <1184879053.5179.23.camel@localhost.localdomain>

On Thu, 2007-07-19 at 16:30 -0400, Daniel J Walsh wrote:
> Forrest Taylor wrote:
> > On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
> >
> >> Forrest Taylor wrote:
> >>
> >>> I have a user that has a category different than the default. When I
> >>> log in to the GUI or via ssh, the category is set. However, when I
> >>> login to the text console, the category is not set. Is this a bug in
> >>> login or do I have unreasonable expectations?
> >>>
> >>> # semanage translation -l
> >>> s0:c1 admin1
> >>>
> >>> # semanage login -l
> >>> student user_u admin1
> >>>
> >>> Through ssh/GUI:
> >>> $ id -Z
> >>> user_u:system_r:unconfined_t:admin1
> >>>
> >>> Through text console:
> >>> $ id -Z
> >>> system_u:system_r:unconfined_t:SystemLow-SystemHigh
> >>>
> >>> Now that I write this, I notice that the user and role have changed as
> >>> well. I also notice this in the audit log:
> >>>
> >>> type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
> >>>
> >>> This is running on RHEL 5.0.0 targeted policy. Any clues?
> >>>
> >>> Thanks,
> >>>
> >>> Forrest
> >>>
> >> This looks like a bug.
> >>
> >> But a lot of fixes were added for 5.1 for MLS policy and this might have
> >> been one of them. Since this is pretty fundamental to mls.
> >>
> >> A prerelease of the mls packages is available at
> >>
> >> http://people.redhat.com/sgrubb/files/lspp/
> >>
> >
> > Yes, that fixed the problem. I pointed yum to Steve's repo and
> > installed all the updates. Now I get this context:
> >
> > user_u:system_r:unconfined_t::admin1
> >
> > Interesting that it has :: before admin1. I assume that this tells us
> > that admin1 is defined as both a security level and a category.
> > Although this doesn't hold true for root:
> >
> > root:system_r:unconfined_t:-SystemHigh
> >
> > Why does root have -SystemHigh (why the dash)? Turning off mcstrans
> > shows that it is s0-s0:c0.c1023, so how is that translated to
> > -SystemHigh, and why doesn't it have :: ?
> >
> > Thanks,
> >
> > Forrest
> >
> This looks like a translation problem. You have s0 -> "". So this is really
>
> s0:admin1
> s0-SystemHigh

True. BTW, why isn't s0 defined by default? Shouldn't it be SystemLow?

Forrest

From spng.yang at gmail.com Fri Jul 20 01:57:40 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Fri, 20 Jul 2007 09:57:40 +0800
Subject: mindterm (java_t) AVCs
In-Reply-To: <4c4ba1530707160748h6d8127a0m1117a14165d34501@mail.gmail.com>
References: <4c4ba1530707160748h6d8127a0m1117a14165d34501@mail.gmail.com>
Message-ID: <46A01694.8020702@gmail.com>

Tom London wrote:
> Running latest rawhide, targeted enforcing:
>
> Running 'java -jar mindterm.jar' with mindterm-3.1.2 produced AVC.
>
> Putting in permissive mode and running, I get these:
>
> type=AVC msg=audit(1184596927.029:42): avc: denied { unix_read } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
> type=AVC msg=audit(1184596927.029:42): avc: denied { read } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
> type=SYSCALL msg=audit(1184596927.029:42): arch=40000003 syscall=117 success=yes exit=0 a0=15 a1=110017 a2=1000 a3=bfd97ef8 items=0 ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg" subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1184596927.029:43): avc: denied { getattr associate } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
> type=SYSCALL msg=audit(1184596927.029:43): arch=40000003 syscall=117 success=yes exit=0 a0=18 a1=110017 a2=102 a3=0 items=0 ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg" subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1184596928.029:44): avc: denied { unix_write } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
> type=AVC msg=audit(1184596928.029:44): avc: denied { write } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
> type=SYSCALL msg=audit(1184596928.029:44): arch=40000003 syscall=117 success=yes exit=0 a0=15 a1=118017 a2=0 a3=bfd97ef8 items=0 ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg" subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
>
> or
>
> allow xdm_xserver_t java_t:shm { write unix_read getattr unix_write associate read };
>
> BTW, the app appears to run in enforcing mode, even with the AVC.
> Here is the only enforcing AVC:
>
> type=AVC msg=audit(1184596881.529:40): avc: denied { unix_read } for pid=3208 comm="X" key=0 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:java_t:s0 tclass=shm
> type=SYSCALL msg=audit(1184596881.529:40): arch=40000003 syscall=117 success=no exit=-13 a0=15 a1=108017 a2=1000 a3=bfd97ef8 items=0 ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg" subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)

Hi Tom,

I encountered a similar problem running eclipse, but it seemed that it's not a big issue and is just about performance; you can ignore it. See details in:

http://marc.info/?l=fedora-selinux-list&m=118424437816871&w=2

> tom

From spng.yang at gmail.com Fri Jul 20 02:58:37 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Fri, 20 Jul 2007 10:58:37 +0800
Subject: syslog is now rsyslog.....
In-Reply-To: <469F7F97.2090900@redhat.com>
References: <4c4ba1530707190729k6e1c29bbg28b187932ed20f3f@mail.gmail.com> <469F7F97.2090900@redhat.com>
Message-ID: <46A024DD.6060506@gmail.com>

Daniel J Walsh wrote:
> Tom London wrote:
>> Believe some changes (e.g., /etc/rsyslog.conf, /sbin/rsyslogd,...) are
>> in order?
>>
>> [root@localhost ~]# ps agxZ | grep syslog
>> system_u:system_r:initrc_t 2511 ? Ssl 0:00 rsyslogd -m 0
>> system_u:system_r:unconfined_t 4154 pts/0 S+ 0:00 grep syslog
>> [root@localhost ~]#
>>
>> tom
> If you change its context to syslogd_exec_t does everything work right?

To me, it seemed everything is right after changing to syslogd_exec_t:

-(:10:53:$)-> ps axZ | grep syslog
system_u:system_r:syslogd_t 3553 ? Ssl 0:00 rsyslogd -m 0
system_u:system_r:syslogd_t 3557 ? Ss 0:00 rklogd -x

And after I plugged in a flash disk, dmesg also worked well:

-(:10:51:$)-> dmesg | tail
sdc: Mode Sense: 03 00 00 00
sdc: assuming drive cache: write through
SCSI device sdc: 258048 512-byte hdwr sectors (132 MB)
sdc: Write Protect is off
sdc: Mode Sense: 03 00 00 00
sdc: assuming drive cache: write through
 sdc: sdc1
sd 4:0:0:0: Attached scsi removable disk sdc
sd 4:0:0:0: Attached scsi generic sg2 type 0
SELinux: initialized (dev sdc1, type vfat), uses genfs_contexts

Can all this info verify "everything work right"? If yes, I want to modify the policy according to this.

From spng.yang at gmail.com Fri Jul 20 05:45:09 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Fri, 20 Jul 2007 13:45:09 +0800
Subject: daemons running as initrc_t
In-Reply-To: <469F8CF7.4050903@redhat.com>
References: <4c4ba1530707190854w56827359he9e3e4af3acd9b2e@mail.gmail.com> <469F8CF7.4050903@redhat.com>
Message-ID: <46A04BE5.4020307@gmail.com>

Daniel J Walsh wrote:
> Tom London wrote:
>> [root@localhost ~]# ps agxZ | grep initrc_t
>> system_u:system_r:initrc_t 2818 ? S 0:00 nasd -b -local
>> system_u:system_r:initrc_t 3174 ? Ss 0:00 NetworkManagerDispatcher --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
>> system_u:system_r:unconfined_t 3802 pts/0 S+ 0:00 grep initrc_t
>> [root@localhost ~]#
>>
>> So, nasd and Network run in initrc_t.
>>
>> Should nasd have its own domain (e.g., nasd_exec_t -> nasd_t)?
> Yes anyone out there looking to get their feet wet in writing policy,
> this is probably a good one to start on.

I don't know whether Tom has worked on this. If not, I will try, but I am not familiar with the network audio system :-)

> Try out system-config-selinux, go to modules tab and select new.
> Comments welcome. I plan on writing up a
> tutorial on this, soon.
>>
>> What about NetworkManagerDispatcher (e.g., also NetworkManager_exec_t,
>> other?)?
>>
> This really needs a different interface also. And the scripts need to
> be labeled. One problem with this is
> these scripts could do anything so writing a policy to do this
> dispatcher would need to be able to transition
> to lots of domains. Maybe add an interface to it so, it like apache can
> run scripts in different contexts.
>
> But we would have to ship an NetworkManager_unconfined_script_exec_t,
> for the default.
>> tom

From selinux at gmail.com Fri Jul 20 13:51:27 2007
From: selinux at gmail.com (Tom London)
Date: Fri, 20 Jul 2007 06:51:27 -0700
Subject: syslog is now rsyslog.....
In-Reply-To: <46A024DD.6060506@gmail.com>
References: <4c4ba1530707190729k6e1c29bbg28b187932ed20f3f@mail.gmail.com> <469F7F97.2090900@redhat.com> <46A024DD.6060506@gmail.com>
Message-ID: <4c4ba1530707200651i475509bn3af150300cd52d3c@mail.gmail.com>

On 7/19/07, Ken YANG wrote:
> Daniel J Walsh wrote:
> > Tom London wrote:
> >> Believe some changes (e.g., /etc/rsyslog.conf, /sbin/rsyslogd,...) are
> >> in order?
> >>
> >> [root@localhost ~]# ps agxZ | grep syslog
> >> system_u:system_r:initrc_t 2511 ? Ssl 0:00 rsyslogd -m 0
> >> system_u:system_r:unconfined_t 4154 pts/0 S+ 0:00 grep syslog
> >> [root@localhost ~]#
> >>
> >> tom
> > If you change its context to syslogd_exec_t does everything work right?
>
> to me, it seemed everything is right, after changing to syslogd_exec_t
>
> -(:10:53:$)-> ps axZ | grep syslog
> system_u:system_r:syslogd_t 3553 ? Ssl 0:00 rsyslogd -m 0
> system_u:system_r:syslogd_t 3557 ? Ss 0:00 rklogd -x
>
> and after i plugged in flash disk, dmesg also worked well:
>
> -(:10:51:$)-> dmesg | tail
> sdc: Mode Sense: 03 00 00 00
> sdc: assuming drive cache: write through
> SCSI device sdc: 258048 512-byte hdwr sectors (132 MB)
> sdc: Write Protect is off
> sdc: Mode Sense: 03 00 00 00
> sdc: assuming drive cache: write through
>  sdc: sdc1
> sd 4:0:0:0: Attached scsi removable disk sdc
> sd 4:0:0:0: Attached scsi generic sg2 type 0
> SELinux: initialized (dev sdc1, type vfat), uses genfs_contexts
>
> can all these infos verify "everything work right"? if yes, i want
> to modify policy according to these.
>

Ken,

Believe this is not exactly right. I believe /sbin/rklogd should have a type of 'klogd_exec_t', not 'syslog_exec_t'.

I believe Dan has already fixed this in selinux-policy-3.0.3-2.fc8.

tom
--
Tom London

From selinux at gmail.com Fri Jul 20 13:52:58 2007
From: selinux at gmail.com (Tom London)
Date: Fri, 20 Jul 2007 06:52:58 -0700
Subject: daemons running as initrc_t
In-Reply-To: <46A04BE5.4020307@gmail.com>
References: <4c4ba1530707190854w56827359he9e3e4af3acd9b2e@mail.gmail.com> <469F8CF7.4050903@redhat.com> <46A04BE5.4020307@gmail.com>
Message-ID: <4c4ba1530707200652p6a842998q51de21eab2d6728d@mail.gmail.com>

On 7/19/07, Ken YANG wrote:
> Daniel J Walsh wrote:
> > Tom London wrote:
> >> [root@localhost ~]# ps agxZ | grep initrc_t
> >> system_u:system_r:initrc_t 2818 ? S 0:00 nasd -b -local
> >> system_u:system_r:initrc_t 3174 ? Ss 0:00 NetworkManagerDispatcher --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
> >> system_u:system_r:unconfined_t 3802 pts/0 S+ 0:00 grep initrc_t
> >> [root@localhost ~]#
> >>
> >> So, nasd and Network run in initrc_t.
> >>
> >> Should nasd have its own domain (e.g., nasd_exec_t -> nasd_t)?
> > Yes anyone out there looking to get their feet wet in writing policy,
> > this is probably a good one to start on.
>
> i don't know whether tom has worked on this. if not, i will try, but
> i am not familiar with network audio system :-)
>

I won't be able to get to this until late weekend, so if you can, please start!

tom
--
Tom London

From selinux at gmail.com Fri Jul 20 13:56:38 2007
From: selinux at gmail.com (Tom London)
Date: Fri, 20 Jul 2007 06:56:38 -0700
Subject: Messages from update to selinux-policy-3.0.3-2.fc8
Message-ID: <4c4ba1530707200656j30362240oea10b14c1b97cadc@mail.gmail.com>

[root@localhost Downloads]# rpm -Uvh selinux*
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 33%]
   2:selinux-policy-devel   ########################################### [ 67%]
   3:selinux-policy-targeted########################################### [100%]
libsemanage.semanage_commit_sandbox: Error while renaming /etc/selinux/targeted/modules/active to /etc/selinux/targeted/modules/previous.
/usr/sbin/semanage: Could not add SELinux user guest_u
libsemanage.semanage_commit_sandbox: Error while renaming /etc/selinux/targeted/modules/active to /etc/selinux/targeted/modules/previous.
/usr/sbin/semanage: Could not add SELinux user xguest_u
[root@localhost Downloads]#

Got this AVC:

type=AVC msg=audit(1184939434.913:47): avc: denied { rename } for pid=5453 comm="semanage" name="active" dev=dm-0 ino=11076264 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1184939434.913:47): arch=40000003 syscall=38 success=no exit=-13 a0=85a0d40 a1=85a0d70 a2=1975c4 a3=bf9eec98 items=0 ppid=5443 pid=5453 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="semanage" exe="/usr/bin/python" subj=system_u:system_r:semanage_t:s0 key=(null)
type=USER_ROLE_CHANGE msg=audit(1184939434.913:48): user pid=5453 uid=0 auid=500 subj=system_u:system_r:semanage_t:s0 msg='op=add SELinux user record acct="xguest_u" old-seuser=? old-role=? old-range=? new-seuser=xguest_u new-role=xguest_r new-range=s0 exe=/usr/sbin/semanage (hostname=?, addr=?, terminal=pts/0 res=failed)'

[similar one for 'guest_u']

tom
--
Tom London

From selinux at gmail.com Fri Jul 20 14:04:08 2007
From: selinux at gmail.com (Tom London)
Date: Fri, 20 Jul 2007 07:04:08 -0700
Subject: cups AVC...
Message-ID: <4c4ba1530707200704w63088ea1mcd4c4cafab305569@mail.gmail.com>

Seem to be getting this one from cups. Haven't seen 'anon_inodefs' before....

Printing to HP5MP seems to work however....

tom

type=AVC msg=audit(1184938825.408:32): avc: denied { ioctl } for pid=5296 comm="cupsd" name="[eventpoll]" dev=anon_inodefs ino=385 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1184938825.408:32): arch=40000003 syscall=54 success=no exit=-13 a0=1 a1=5401 a2=bfda72ac a3=bfda73cc items=0 ppid=5295 pid=5296 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1184938825.408:32): path="anon_inode:[eventpoll]"
type=LABEL_LEVEL_CHANGE msg=audit(1184938825.408:33): user pid=5296 uid=0 auid=500 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=HP5MP uri=hp:/par/HP_LaserJet_5MP?device=/dev/parport0 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'

--
Tom London

From dwalsh at redhat.com Fri Jul 20 14:07:07 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 20 Jul 2007 10:07:07 -0400
Subject: Text console not setting category
In-Reply-To: <1184879053.5179.23.camel@localhost.localdomain>
References: <1184778019.5187.18.camel@localhost.localdomain> <469F74A9.2020602@redhat.com> <1184876796.5179.18.camel@localhost.localdomain> <469FCA03.3090407@redhat.com> <1184879053.5179.23.camel@localhost.localdomain>
Message-ID: <46A0C18B.2080002@redhat.com>

Forrest Taylor wrote:
> On Thu, 2007-07-19 at 16:30 -0400, Daniel J Walsh wrote:
>
>> Forrest Taylor wrote:
>>
>>> On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
>>>
>>>> Forrest Taylor wrote:
>>>>
>>>>> I have a user that has a category different than the default. When I
>>>>> log in to the GUI or via ssh, the category is set. However, when I
>>>>> login to the text console, the category is not set. Is this a bug in
>>>>> login or do I have unreasonable expectations?
>>>>>
>>>>> # semanage translation -l
>>>>> s0:c1 admin1
>>>>>
>>>>> # semanage login -l
>>>>> student user_u admin1
>>>>>
>>>>> Through ssh/GUI:
>>>>> $ id -Z
>>>>> user_u:system_r:unconfined_t:admin1
>>>>>
>>>>> Through text console:
>>>>> $ id -Z
>>>>> system_u:system_r:unconfined_t:SystemLow-SystemHigh
>>>>>
>>>>> Now that I write this, I notice that the user and role have changed as
>>>>> well. I also notice this in the audit log:
>>>>>
>>>>> type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
>>>>>
>>>>> This is running on RHEL 5.0.0 targeted policy. Any clues?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Forrest
>>>>>
>>>> This looks like a bug.
>>>>
>>>> But a lot of fixes were added for 5.1 for MLS policy and this might have
>>>> been one of them. Since this is pretty fundamental to mls.
>>>>
>>>> A prerelease of the mls packages is available at
>>>>
>>>> http://people.redhat.com/sgrubb/files/lspp/
>>>>
>>> Yes, that fixed the problem. I pointed yum to Steve's repo and
>>> installed all the updates. Now I get this context:
>>>
>>> user_u:system_r:unconfined_t::admin1
>>>
>>> Interesting that it has :: before admin1. I assume that this tells us
>>> that admin1 is defined as both a security level and a category.
>>> Although this doesn't hold true for root:
>>>
>>> root:system_r:unconfined_t:-SystemHigh
>>>
>>> Why does root have -SystemHigh (why the dash)? Turning off mcstrans
>>> shows that it is s0-s0:c0.c1023, so how is that translated to
>>> -SystemHigh, and why doesn't it have :: ?
>>>
>>> Thanks,
>>>
>>> Forrest
>>>
>> This looks like a translation problem. You have s0 -> "". So this is really
>>
>> s0:admin1
>> s0-SystemHigh
>>
>
> True. BTW, why isn't s0 defined by default? Shouldn't it be SystemLow?
>
> Forrest

Just saving terminal space. Since 99.99% of the people in the world do not use MCS/MLS, we decided to translate s0 == "" and save terminal/screen real estate.

From twaugh at redhat.com Fri Jul 20 14:10:51 2007
From: twaugh at redhat.com (Tim Waugh)
Date: Fri, 20 Jul 2007 15:10:51 +0100
Subject: cups AVC...
In-Reply-To: <4c4ba1530707200704w63088ea1mcd4c4cafab305569@mail.gmail.com>
References: <4c4ba1530707200704w63088ea1mcd4c4cafab305569@mail.gmail.com>
Message-ID: <1184940651.4860.4.camel@cyberelk.elk>

On Fri, 2007-07-20 at 07:04 -0700, Tom London wrote:
> Seem to be getting this one from cups. Haven't seen 'anon_inodefs' before....
>
> Printing to HP5MP seems to work however....
>
> tom
>
> type=AVC msg=audit(1184938825.408:32): avc: denied { ioctl } for pid=5296 comm="cupsd" name="[eventpoll]" dev=anon_inodefs ino=385 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
> type=SYSCALL msg=audit(1184938825.408:32): arch=40000003 syscall=54 success=no exit=-13 a0=1 a1=5401 a2=bfda72ac a3=bfda73cc items=0 ppid=5295 pid=5296 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
> type=AVC_PATH msg=audit(1184938825.408:32): path="anon_inode:[eventpoll]"

Yes, this seems to have started happening since it started to link against avahi-compat-libdns_sd. I don't know quite why -- the policy should say it can talk to avahi.

Tim.

From dwalsh at redhat.com Fri Jul 20 14:18:48 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 20 Jul 2007 10:18:48 -0400
Subject: Messages from update to selinux-policy-3.0.3-2.fc8
In-Reply-To: <4c4ba1530707200656j30362240oea10b14c1b97cadc@mail.gmail.com>
References: <4c4ba1530707200656j30362240oea10b14c1b97cadc@mail.gmail.com>
Message-ID: <46A0C448.7080804@redhat.com>

Tom London wrote:
> [root at localhost Downloads]# rpm -Uvh selinux*
> Preparing...                ########################################### [100%]
>    1:selinux-policy         ########################################### [ 33%]
>    2:selinux-policy-devel   ########################################### [ 67%]
>    3:selinux-policy-targeted########################################### [100%]
> libsemanage.semanage_commit_sandbox: Error while renaming
> /etc/selinux/targeted/modules/active to
> /etc/selinux/targeted/modules/previous.
> /usr/sbin/semanage: Could not add SELinux user guest_u
> libsemanage.semanage_commit_sandbox: Error while renaming
> /etc/selinux/targeted/modules/active to
> /etc/selinux/targeted/modules/previous.
> /usr/sbin/semanage: Could not add SELinux user xguest_u
> [root at localhost Downloads]#
>
> Got this AVC:
>
> type=AVC msg=audit(1184939434.913:47): avc: denied { rename } for
> pid=5453 comm="semanage" name="active" dev=dm-0 ino=11076264
> scontext=system_u:system_r:semanage_t:s0
> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=SYSCALL msg=audit(1184939434.913:47): arch=40000003 syscall=38
> success=no exit=-13 a0=85a0d40 a1=85a0d70 a2=1975c4 a3=bf9eec98
> items=0 ppid=5443 pid=5453 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts0 comm="semanage" exe="/usr/bin/python"
> subj=system_u:system_r:semanage_t:s0 key=(null)
> type=USER_ROLE_CHANGE msg=audit(1184939434.913:48): user pid=5453
> uid=0 auid=500 subj=system_u:system_r:semanage_t:s0 msg='op=add
> SELinux user record acct="xguest_u" old-seuser=? old-role=?
> old-range=?
> new-seuser=xguest_u new-role=xguest_r new-range=s0
> exe=/usr/sbin/semanage (hostname=?, addr=?, terminal=pts/0
> res=failed)'
>
> [similar one for 'guest_u']
>
> tom
>
This looks like the labeling on /etc/selinux/targeted got screwed up.

restorecon -R -v /etc/selinux

From dwalsh at redhat.com Fri Jul 20 14:20:49 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 20 Jul 2007 10:20:49 -0400
Subject: cups AVC...
In-Reply-To: <4c4ba1530707200704w63088ea1mcd4c4cafab305569@mail.gmail.com>
References: <4c4ba1530707200704w63088ea1mcd4c4cafab305569@mail.gmail.com>
Message-ID: <46A0C4C1.7070700@redhat.com>

Tom London wrote:
> Seem to be getting this one from cups. Haven't seen 'anon_inodefs'
> before....
>
> Printing to HP5MP seems to work however....
>
> tom
>
> type=AVC msg=audit(1184938825.408:32): avc: denied { ioctl } for
> pid=5296 comm="cupsd" name="[eventpoll]" dev=anon_inodefs ino=385
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
> type=SYSCALL msg=audit(1184938825.408:32): arch=40000003 syscall=54
> success=no exit=-13 a0=1 a1=5401 a2=bfda72ac a3=bfda73cc items=0
> ppid=5295 pid=5296 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd"
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
> type=AVC_PATH msg=audit(1184938825.408:32):
> path="anon_inode:[eventpoll]"
> type=LABEL_LEVEL_CHANGE msg=audit(1184938825.408:33): user pid=5296
> uid=0 auid=500 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> msg='printer=HP5MP uri=hp:/par/HP_LaserJet_5MP?device=/dev/parport0
> banners=none,none range=unknown: exe="/usr/sbin/cupsd"
> (hostname=localhost.localdomain, addr=127.0.0.1, terminal=?
> res=success)'
>
This looks like a kernel problem. Forwarded to the correct people.

From selinux at gmail.com Fri Jul 20 14:22:09 2007
From: selinux at gmail.com (Tom London)
Date: Fri, 20 Jul 2007 07:22:09 -0700
Subject: gconf AVCs....
Message-ID: <4c4ba1530707200722l27951768y6b803436cc9c29da@mail.gmail.com>

Login spawns these:

type=USER_LOGIN msg=audit(1184940747.700:30): user pid=3063 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=:0 res=success)'
type=AVC msg=audit(1184940749.700:31): avc: denied { associate } for pid=3234 comm="gconfd-2" name=".testing.writeability" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1184940749.700:31): arch=40000003 syscall=5 success=no exit=-13 a0=811ef20 a1=41 a2=1c0 a3=811ef20 items=0 ppid=1 pid=3234 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1184940756.200:32): avc: denied { associate } for pid=3234 comm="gconfd-2" name=".testing.writeability" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1184940756.200:32): arch=40000003 syscall=5 success=no exit=-13 a0=8345d90 a1=41 a2=1c0 a3=8345d90 items=0 ppid=1 pid=3234 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1184940779.699:33): avc: denied { associate } for pid=3234 comm="gconfd-2" name="saved_state.tmp" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1184940779.699:33): arch=40000003 syscall=5 success=no exit=-13 a0=834c8a0 a1=241 a2=1c0 a3=811d230 items=0 ppid=1 pid=3234 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2"
exe="/usr/libexec/gconfd-2" subj=system_u:system_r:unconfined_t:s0 key=(null)

tom
--
Tom London

From selinux at gmail.com Fri Jul 20 14:30:01 2007
From: selinux at gmail.com (Tom London)
Date: Fri, 20 Jul 2007 07:30:01 -0700
Subject: gconf AVCs....
In-Reply-To: <4c4ba1530707200722l27951768y6b803436cc9c29da@mail.gmail.com>
References: <4c4ba1530707200722l27951768y6b803436cc9c29da@mail.gmail.com>
Message-ID: <4c4ba1530707200730g67764b6cqab284f0727e7f54@mail.gmail.com>

A bit more info:

Appear to get this each time a new window is to be created:

type=AVC msg=audit(1184941619.962:41): avc: denied { associate } for pid=3234 comm="gconfd-2" name="saved_state.tmp" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1184941619.962:41): arch=40000003 syscall=5 success=no exit=-13 a0=834c8a0 a1=241 a2=1c0 a3=811d230 items=0 ppid=1 pid=3234 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=system_u:system_r:unconfined_t:s0 key=(null)

From dwalsh at redhat.com Fri Jul 20 15:19:00 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 20 Jul 2007 11:19:00 -0400
Subject: mindterm (java_t) AVCs
In-Reply-To: <46A01694.8020702@gmail.com>
References: <4c4ba1530707160748h6d8127a0m1117a14165d34501@mail.gmail.com> <46A01694.8020702@gmail.com>
Message-ID: <46A0D264.5020202@redhat.com>

Ken YANG wrote:
> Tom London wrote:
>
>> Running latest rawhide, targeted enforcing:
>>
>> Running 'java -jar mindterm.jar' with mindterm-3.1.2 produced AVC.
>>
>> Putting in permissive mode and running, I get these:
>>
>> type=AVC msg=audit(1184596927.029:42): avc: denied { unix_read } for
>> pid=3208 comm="X" key=0
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:java_t:s0 tclass=shm
>> type=AVC msg=audit(1184596927.029:42): avc: denied { read } for
>> pid=3208 comm="X" key=0
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:java_t:s0 tclass=shm
>> type=SYSCALL msg=audit(1184596927.029:42): arch=40000003 syscall=117
>> success=yes exit=0 a0=15 a1=110017 a2=1000 a3=bfd97ef8 items=0
>> ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
>> subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
>> type=AVC msg=audit(1184596927.029:43): avc: denied { getattr
>> associate } for pid=3208 comm="X" key=0
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:java_t:s0 tclass=shm
>> type=SYSCALL msg=audit(1184596927.029:43): arch=40000003 syscall=117
>> success=yes exit=0 a0=18 a1=110017 a2=102 a3=0 items=0 ppid=3206
>> pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
>> subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
>> type=AVC msg=audit(1184596928.029:44): avc: denied { unix_write }
>> for pid=3208 comm="X" key=0
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:java_t:s0 tclass=shm
>> type=AVC msg=audit(1184596928.029:44): avc: denied { write } for
>> pid=3208 comm="X" key=0
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:java_t:s0 tclass=shm
>> type=SYSCALL msg=audit(1184596928.029:44): arch=40000003 syscall=117
>> success=yes exit=0 a0=15 a1=118017 a2=0 a3=bfd97ef8 items=0 ppid=3206
>> pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
>> subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
>>
>> or
>>
>> allow xdm_xserver_t java_t:shm { write unix_read getattr unix_write
>> associate read };
>>
>>
>> BTW, the app appears to run in enforcing mode, even with the AVC.
>> Here is the only enforcing AVC:
>>
>> type=AVC msg=audit(1184596881.529:40): avc: denied { unix_read } for
>> pid=3208 comm="X" key=0
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:java_t:s0 tclass=shm
>> type=SYSCALL msg=audit(1184596881.529:40): arch=40000003 syscall=117
>> success=no exit=-13 a0=15 a1=108017 a2=1000 a3=bfd97ef8 items=0
>> ppid=3206 pid=3208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=tty7 comm="X" exe="/usr/bin/Xorg"
>> subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
>>
>
> hi tom, i encounter similar problem in running eclipse, but it seemed
> that it's not a big question and is just about performance, you can
> ignore it, see details in:
>
> http://marc.info/?l=fedora-selinux-list&m=118424437816871&w=2
>
>
>
>> tom
>>
>
Should be fixed in selinux-policy-3.0.3-2

From dwalsh at redhat.com Fri Jul 20 15:21:29 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 20 Jul 2007 11:21:29 -0400
Subject: gconf AVCs....
In-Reply-To: <4c4ba1530707200730g67764b6cqab284f0727e7f54@mail.gmail.com>
References: <4c4ba1530707200722l27951768y6b803436cc9c29da@mail.gmail.com> <4c4ba1530707200730g67764b6cqab284f0727e7f54@mail.gmail.com>
Message-ID: <46A0D2F9.30601@redhat.com>

Tom London wrote:
> A bit more info:
>
> Appear to get this each time a new window is to be created:
>
> type=AVC msg=audit(1184941619.962:41): avc: denied { associate } for
> pid=3234 comm="gconfd-2" name="saved_state.tmp"
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> type=SYSCALL msg=audit(1184941619.962:41): arch=40000003 syscall=5
> success=no exit=-13 a0=834c8a0 a1=241 a2=1c0 a3=811d230 items=0 ppid=1
> pid=3234 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 tty=(none) comm="gconfd-2"
> exe="/usr/libexec/gconfd-2" subj=system_u:system_r:unconfined_t:s0
> key=(null)
>
Problem is that gconf_t has been eliminated from policy so you have a
process running as unlabeled_t.

If you log out, make sure gconfd-2 is killed. Log back in, it should work.

From selinux at gmail.com Fri Jul 20 16:37:43 2007
From: selinux at gmail.com (Tom London)
Date: Fri, 20 Jul 2007 09:37:43 -0700
Subject: gconf AVCs....
In-Reply-To: <46A0D2F9.30601@redhat.com>
References: <4c4ba1530707200722l27951768y6b803436cc9c29da@mail.gmail.com> <4c4ba1530707200730g67764b6cqab284f0727e7f54@mail.gmail.com> <46A0D2F9.30601@redhat.com>
Message-ID: <4c4ba1530707200937j3e58bfa6tf2e0ca239e07953a@mail.gmail.com>

On 7/20/07, Daniel J Walsh wrote:
> Tom London wrote:
> > A bit more info:
> >
> > Appear to get this each time a new window is to be created:
> >
> > type=AVC msg=audit(1184941619.962:41): avc: denied { associate } for
> > pid=3234 comm="gconfd-2" name="saved_state.tmp"
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> > type=SYSCALL msg=audit(1184941619.962:41): arch=40000003 syscall=5
> > success=no exit=-13 a0=834c8a0 a1=241 a2=1c0 a3=811d230 items=0 ppid=1
> > pid=3234 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> > sgid=500 fsgid=500 tty=(none) comm="gconfd-2"
> > exe="/usr/libexec/gconfd-2" subj=system_u:system_r:unconfined_t:s0
> > key=(null)
> >
> Problem is that gconf_t has been eliminated from policy so you have a
> process running as unlabeled_t.
>
> If you log out, make sure gconfd-2 is killed. Log back in, it should work.
>
>
I just rebooted, logged in again, and am still getting these. 'ps agxZ' shows:

[root at localhost ~]# ps agxZ | grep gconf
system_u:system_r:unconfined_t  3342 ?        S      0:00 /usr/libexec/gconfd-2 6
system_u:system_r:unconfined_t  3359 ?
S      0:02 compiz --replace gconf
system_u:system_r:unconfined_t  3855 pts/0    S+     0:00 grep gconf
[root at localhost ~]#

Last AVC:

type=AVC msg=audit(1184949297.290:45): avc: denied { associate } for pid=3342 comm="gconfd-2" name="saved_state.tmp" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1184949297.290:45): arch=40000003 syscall=5 success=no exit=-13 a0=821f8c0 a1=241 a2=1c0 a3=81a9230 items=0 ppid=1 pid=3342 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=system_u:system_r:unconfined_t:s0 key=(null)

Did I mess something up?

tom
--
Tom London

From selinux at gmail.com Fri Jul 20 16:52:07 2007
From: selinux at gmail.com (Tom London)
Date: Fri, 20 Jul 2007 09:52:07 -0700
Subject: gconf AVCs....
In-Reply-To: <4c4ba1530707200937j3e58bfa6tf2e0ca239e07953a@mail.gmail.com>
References: <4c4ba1530707200722l27951768y6b803436cc9c29da@mail.gmail.com> <4c4ba1530707200730g67764b6cqab284f0727e7f54@mail.gmail.com> <46A0D2F9.30601@redhat.com> <4c4ba1530707200937j3e58bfa6tf2e0ca239e07953a@mail.gmail.com>
Message-ID: <4c4ba1530707200952y612b7eb9mad1ff00ad20850a3@mail.gmail.com>

On 7/20/07, Tom London wrote:
> On 7/20/07, Daniel J Walsh wrote:
> > Tom London wrote:
> > > A bit more info:
> > >
> > > Appear to get this each time a new window is to be created:
> > >
> > > type=AVC msg=audit(1184941619.962:41): avc: denied { associate } for
> > > pid=3234 comm="gconfd-2" name="saved_state.tmp"
> > > scontext=system_u:object_r:unlabeled_t:s0
> > > tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> > > type=SYSCALL msg=audit(1184941619.962:41): arch=40000003 syscall=5
> > > success=no exit=-13 a0=834c8a0 a1=241 a2=1c0 a3=811d230 items=0 ppid=1
> > > pid=3234 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> > > sgid=500 fsgid=500 tty=(none) comm="gconfd-2"
> > > exe="/usr/libexec/gconfd-2" subj=system_u:system_r:unconfined_t:s0
> > > key=(null)
> > >
> > Problem is that gconf_t has been eliminated from policy so you have a
> > process running as unlabeled_t.
> >
> > If you log out, make sure gconfd-2 is killed. Log back in, it should work.
> >
> >
> I just rebooted, logged in again, and am still getting these. 'ps agxZ' shows:
>
> [root at localhost ~]# ps agxZ | grep gconf
> system_u:system_r:unconfined_t  3342 ?        S      0:00 /usr/libexec/gconfd-2 6
> system_u:system_r:unconfined_t  3359 ?
> S      0:02 compiz --replace gconf
> system_u:system_r:unconfined_t  3855 pts/0    S+     0:00 grep gconf
> [root at localhost ~]#
>
> Last AVC:
>
> type=AVC msg=audit(1184949297.290:45): avc: denied { associate } for
> pid=3342 comm="gconfd-2" name="saved_state.tmp"
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> type=SYSCALL msg=audit(1184949297.290:45): arch=40000003 syscall=5
> success=no exit=-13 a0=821f8c0 a1=241 a2=1c0 a3=81a9230 items=0 ppid=1
> pid=3342 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 tty=(none) comm="gconfd-2"
> exe="/usr/libexec/gconfd-2" subj=system_u:system_r:unconfined_t:s0
> key=(null)
>
> Did I mess something up?
>
OK, I think I have this fixed (thanks for the 'hint'):

Looks like ~/.gconf* needed to be relabeled. I relabeled home directory
and these seem to have gone away.

tom
--
Tom London

From ftaylor at redhat.com Fri Jul 20 18:16:09 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Fri, 20 Jul 2007 12:16:09 -0600
Subject: Text console not setting category
In-Reply-To: <46A0C18B.2080002@redhat.com>
References: <1184778019.5187.18.camel@localhost.localdomain> <469F74A9.2020602@redhat.com> <1184876796.5179.18.camel@localhost.localdomain> <469FCA03.3090407@redhat.com> <1184879053.5179.23.camel@localhost.localdomain> <46A0C18B.2080002@redhat.com>
Message-ID: <1184955369.5979.17.camel@localhost.localdomain>

On Fri, 2007-07-20 at 10:07 -0400, Daniel J Walsh wrote:
> Forrest Taylor wrote:
> > On Thu, 2007-07-19 at 16:30 -0400, Daniel J Walsh wrote:
> >
> >> Forrest Taylor wrote:
> >>
> >>> On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
> >>>
> >>>
> >>>> Forrest Taylor wrote:
> >>>>
> >>>>
> >>>>> I have a user that has a category different than the default. When I
> >>>>> log in to the GUI or via ssh, the category is set. However, when I
> >>>>> login to the text console, the category is not set. Is this a bug in
> >>>>> login or do I have unreasonable expectations?
> >>>>>
> >>>>> # semanage translation -l
> >>>>> s0:c1 admin1
> >>>>>
> >>>>> # semanage login -l
> >>>>> student user_u admin1
> >>>>>
> >>>>> Through ssh/GUI:
> >>>>> $ id -Z
> >>>>> user_u:system_r:unconfined_t:admin1
> >>>>>
> >>>>> Through text console:
> >>>>> $ id -Z
> >>>>> system_u:system_r:unconfined_t:SystemLow-SystemHigh
> >>>>>
> >>>>> Now that I write this, I notice that the user and role have changed as
> >>>>> well. I also notice this in the audit log:
> >>>>>
> >>>>> type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517
> >>>>> uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> >>>>> msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-
> >>>>> context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
> >>>>> res=success)'
> >>>>>
> >>>>> This is running on RHEL 5.0.0 targeted policy. Any clues?
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Forrest
> >>>>>
> >>>>> ------------------------------------------------------------------------
> >>>>>
> >>>>>
> >>>> This looks like a bug.
> >>>>
> >>>>
> >>>> But a lot of fixes were added for 5.1 for MLS policy and this might have
> >>>> been one of them. Since this is pretty fundamental to mls.
> >>>>
> >>>> A prerelease of the mls packages is available at
> >>>>
> >>>> http://people.redhat.com/sgrubb/files/lspp/
> >>>>
> >>>>
> >>> Yes, that fixed the problem. I pointed yum to Steve's repo and
> >>> installed all the updates. Now I get this context:
> >>>
> >>> user_u:system_r:unconfined_t::admin1
> >>>
> >>> Interesting that it has :: before admin1. I assume that this tells us
> >>> that admin1 is defined as both a security level and a category.
> >>> Although this doesn't hold true for root:
> >>>
> >>> root:system_r:unconfined_t:-SystemHigh
> >>>
> >>> Why does root have -SystemHigh (why the dash)? Turning off mcstrans
> >>> shows that it is s0-s0:c0.c1023, so how is that translated to -
> >>> SystemHigh, and why doesn't it have :: ?
> >>>
> >>> Thanks,
> >>>
> >>> Forrest
> >>>
> >>>
> >> This looks like a translation problem. You have s0->"" So this is really
> >>
> >> s0:admin1
> >> s0-SystemHigh
> >>
> >
> > True. BTW, why isn't s0 defined by default? Shouldn't it be SystemLow?
> >
> > Forrest
> >
> Just saving terminal space. Since 99.99 % of the people in the world do
> not use MCS/MLS. We decided to translate
> s0 == "" and save terminal/screen real estate.

Makes sense (I love efficiency), and it is easy enough to define yourself.

Forrest
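The translation Dan describes in this thread (s0 mapped to "" to save screen space, which is why the contexts above come out as "-SystemHigh" and "::admin1") can be modelled in a few lines. The following is an added example written for this thread, not mcstrans's own code: SETRANS mirrors the entries the thread mentions, SETRANS_WITH_LOW adds the SystemLow entry Forrest asked about, and the component-wise fallback in translate_level together with the SETRANS_BROKEN table that exercises it is an assumption about how the "::admin1" output arose, not something the thread states about the translator's internals.

```python
"""Model how a setrans table turns a raw MCS/MLS range into a readable one.

Added example for this thread, not mcstrans's own code.  SETRANS mirrors
the entries discussed on the list; the component-wise fallback in
translate_level and the SETRANS_BROKEN table are this example's own
assumption about how the '::admin1' symptom arose.
"""

# Table as on the thread's system: s0 deliberately translates to "".
SETRANS = {
    "s0": "",
    "s0:c1": "admin1",
    "s0:c0.c1023": "SystemHigh",
}

# Same table with s0 defined, as Forrest suggested.
SETRANS_WITH_LOW = dict(SETRANS, s0="SystemLow")

# Only the category half of the admin1 entry is present (constructed);
# this reproduces the '::admin1' output quoted above.
SETRANS_BROKEN = {"s0": "", "c1": "admin1", "s0:c0.c1023": "SystemHigh"}


def translate_level(level, table):
    """Translate one level such as 's0' or 's0:c1'.

    A whole-level entry wins.  Otherwise (assumption) the sensitivity and
    the category set are looked up separately and re-joined with ':', so an
    empty s0 plus a translated category yields ':admin1'.
    """
    if level in table:
        return table[level]
    sens, sep, cats = level.partition(":")
    out = table.get(sens, sens)
    if sep:
        out += ":" + table.get(cats, cats)
    return out


def translate_range(raw_range, table):
    """Translate 'low' or 'low-high'; each half is translated on its own,
    which is how 's0-s0:c0.c1023' becomes '-SystemHigh' when s0 is ''."""
    low, dash, high = raw_range.partition("-")
    out = translate_level(low, table)
    if dash:
        out += "-" + translate_level(high, table)
    return out


def translate_context(ctx, table=SETRANS):
    """Translate the range field of user:role:type:range.

    A range that translates to "" is dropped together with its ':' so the
    result matches what ps -Z printed on the thread's system
    ('system_u:system_r:unconfined_t', no trailing colon).
    """
    parts = ctx.split(":", 3)
    if len(parts) < 4:          # no range field at all: nothing to translate
        return ctx
    user, role, type_, raw_range = parts
    translated = translate_range(raw_range, table)
    out = [user, role, type_]
    if translated:
        out.append(translated)
    return ":".join(out)


if __name__ == "__main__":
    for ctx in ("user_u:system_r:unconfined_t:s0:c1",
                "root:system_r:unconfined_t:s0-s0:c0.c1023",
                "system_u:system_r:unconfined_t:s0"):
        print(f"{ctx:45} -> {translate_context(ctx)}")
        print(f"{'':45}    {translate_context(ctx, SETRANS_WITH_LOW)}")
```

With the thread's table, root's raw range s0-s0:c0.c1023 comes out as "-SystemHigh" because the low half translates to nothing; the same call with SETRANS_WITH_LOW gives "SystemLow-SystemHigh", which is what defining s0 yourself in the setrans table buys you.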
From marcio.barbado at gmail.com Fri Jul 20 19:52:12 2007
From: marcio.barbado at gmail.com (M.B.Jr.)
Date: Fri, 20 Jul 2007 16:52:12 -0300
Subject: EnCase
Message-ID: <2df3b0cb0707201252y426fdd91mc1be9074535260cb@mail.gmail.com>

Dear list,
is there any documentation regarding SE Linux and the forensic solution
named EnCase Enterprise?

Thank you in advance,

--
Marcio Barbado, Jr.

From dwalsh at redhat.com Fri Jul 20 19:53:26 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 20 Jul 2007 15:53:26 -0400
Subject: gconf AVCs....
In-Reply-To: <4c4ba1530707200937j3e58bfa6tf2e0ca239e07953a@mail.gmail.com>
References: <4c4ba1530707200722l27951768y6b803436cc9c29da@mail.gmail.com> <4c4ba1530707200730g67764b6cqab284f0727e7f54@mail.gmail.com> <46A0D2F9.30601@redhat.com> <4c4ba1530707200937j3e58bfa6tf2e0ca239e07953a@mail.gmail.com>
Message-ID: <46A112B6.6030101@redhat.com>

Tom London wrote:
> On 7/20/07, Daniel J Walsh wrote:
>> Tom London wrote:
>> > A bit more info:
>> >
>> > Appear to get this each time a new window is to be created:
>> >
>> > type=AVC msg=audit(1184941619.962:41): avc: denied { associate } for
>> > pid=3234 comm="gconfd-2" name="saved_state.tmp"
>> > scontext=system_u:object_r:unlabeled_t:s0
>> > tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>> > type=SYSCALL msg=audit(1184941619.962:41): arch=40000003 syscall=5
>> > success=no exit=-13 a0=834c8a0 a1=241 a2=1c0 a3=811d230 items=0 ppid=1
>> > pid=3234 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
>> > sgid=500 fsgid=500 tty=(none) comm="gconfd-2"
>> > exe="/usr/libexec/gconfd-2" subj=system_u:system_r:unconfined_t:s0
>> > key=(null)
>> >
>> Problem is that gconf_t has been eliminated from policy so you have a
>> process running as unlabeled_t.
>>
>> If you log out, make sure gconfd-2 is killed. Log back in, it should
>> work.
>>
>>
> I just rebooted, logged in again, and am still getting these. 'ps
> agxZ' shows:
>
> [root at localhost ~]# ps agxZ | grep gconf
> system_u:system_r:unconfined_t  3342 ?        S      0:00 /usr/libexec/gconfd-2 6
> system_u:system_r:unconfined_t  3359 ?
> S      0:02 compiz --replace gconf
> system_u:system_r:unconfined_t  3855 pts/0    S+     0:00 grep gconf
> [root at localhost ~]#
>
> Last AVC:
>
> type=AVC msg=audit(1184949297.290:45): avc: denied { associate } for
> pid=3342 comm="gconfd-2" name="saved_state.tmp"
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> type=SYSCALL msg=audit(1184949297.290:45): arch=40000003 syscall=5
> success=no exit=-13 a0=821f8c0 a1=241 a2=1c0 a3=81a9230 items=0 ppid=1
> pid=3342 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 tty=(none) comm="gconfd-2"
> exe="/usr/libexec/gconfd-2" subj=system_u:system_r:unconfined_t:s0
> key=(null)
>
> Did I mess something up?
>
> tom
> --
> Tom London

restorecon -R -v /home

From linux_4ever at yahoo.com Sat Jul 21 13:25:42 2007
From: linux_4ever at yahoo.com (Steve G)
Date: Sat, 21 Jul 2007 06:25:42 -0700 (PDT)
Subject: Today's rawhide update
Message-ID: <20070721132542.7338.qmail@web51502.mail.re2.yahoo.com>

Hi,

FYI, got this updating today:

Cleanup : setools ####################### [14/22]
Cleanup : selinux-policy-targeted ####################### [15/22]
libsemanage.semanage_commit_sandbox: Error while renaming
/etc/selinux/targeted/modules/active to /etc/selinux/targeted/modules/previous.
/usr/sbin/semanage: Could not add SELinux user guest_u
libsemanage.semanage_commit_sandbox: Error while renaming
/etc/selinux/targeted/modules/active to /etc/selinux/targeted/modules/previous.
/usr/sbin/semanage: Could not add SELinux user xguest_u
Cleanup : policycoreutils ####################### [16/22]

-Steve

From dotancohen at gmail.com Sat Jul 21 13:57:10 2007
From: dotancohen at gmail.com (Dotan Cohen)
Date: Sat, 21 Jul 2007 16:57:10 +0300
Subject: Today's rawhide update
In-Reply-To: <20070721132542.7338.qmail@web51502.mail.re2.yahoo.com>
References: <20070721132542.7338.qmail@web51502.mail.re2.yahoo.com>
Message-ID: <880dece00707210657w77ca6570oe119762d56945008@mail.gmail.com>

On 21/07/07, Steve G wrote:
> Hi,
>
> FYI, got this updating today:
>
> Cleanup : setools ####################### [14/22]
> Cleanup : selinux-policy-targeted ####################### [15/22]
> libsemanage.semanage_commit_sandbox: Error while renaming
> /etc/selinux/targeted/modules/active to /etc/selinux/targeted/modules/previous.
> /usr/sbin/semanage: Could not add SELinux user guest_u
> libsemanage.semanage_commit_sandbox: Error while renaming
> /etc/selinux/targeted/modules/active to /etc/selinux/targeted/modules/previous.
> /usr/sbin/semanage: Could not add SELinux user xguest_u
> Cleanup : policycoreutils ####################### [16/22]
>
>
> -Steve
>

Steve, why is this alarming? I'm almost certain that I've seen this
before on my own system. Should I be concerned as well?

Dotan Cohen

http://lyricslist.com/
http://what-is-what.com/

From linux_4ever at yahoo.com Sat Jul 21 15:23:53 2007
From: linux_4ever at yahoo.com (Steve G)
Date: Sat, 21 Jul 2007 08:23:53 -0700 (PDT)
Subject: Today's rawhide update
In-Reply-To: <880dece00707210657w77ca6570oe119762d56945008@mail.gmail.com>
Message-ID: <160233.66244.qm@web51501.mail.re2.yahoo.com>

>> libsemanage.semanage_commit_sandbox: Error while renaming
>> /etc/selinux/targeted/modules/active to /etc/selinux/targeted/modules/previous.
>> /usr/sbin/semanage: Could not add SELinux user guest_u
>> libsemanage.semanage_commit_sandbox: Error while renaming
>> /etc/selinux/targeted/modules/active to /etc/selinux/targeted/modules/previous.
>> /usr/sbin/semanage: Could not add SELinux user xguest_u
>> Cleanup : policycoreutils ####################### [16/22]
>
>
>Steve, why is this alarming?

Cause it sounds like a user type was not successfully added to the on-disk
policy. Running "semanage user -l" shows that neither guest_u or xguest_u exist.

> I'm almost certain that I've seen this before on my own system. Should I be
> concerned as well?

I think this indicates a problem with libsemanage or selinux policy. And by the
terseness of the error messages, I wonder if there's enough information to
diagnose *why* this failed. An errno might be useful here.

-Steve

From selinux at gmail.com Sat Jul 21 17:52:26 2007
From: selinux at gmail.com (Tom London)
Date: Sat, 21 Jul 2007 10:52:26 -0700
Subject: insmod_t wants sys_nice ....
Message-ID: <4c4ba1530707211052q4c12fdb1gc383e3866608bd4f@mail.gmail.com>

After installing this morning's Rawhide, including
selinux-policy-targeted-3.0.3-3.fc8, selinux-policy-3.0.3-3.fc8 and
selinux-policy-devel-3.0.3-3.fc8, I get lots of

Jul 21 10:39:01 localhost kernel: audit(1185039533.420:74): avc: denied { sys_nice } for pid=1796 comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=capability
Jul 21 10:39:01 localhost kernel: audit(1185039533.920:75): avc: denied { sys_nice } for pid=1829 comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=capability

in /var/log/messages, and similar

type=AVC msg=audit(1185039594.415:93): avc: denied { sys_nice } for pid=3157 comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1185039594.415:93): arch=40000003 syscall=128 success=yes exit=0 a0=b7f13008 a1=180f4 a2=a0166f8 a3=a0166f8 items=0 ppid=3133 pid=3157 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=(null)

in /var/log/audit/audit.log

tom
--
Tom London

From dwalsh at redhat.com Mon Jul 23 13:23:16 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 23 Jul 2007 09:23:16 -0400
Subject: Today's rawhide update
In-Reply-To: <160233.66244.qm@web51501.mail.re2.yahoo.com>
References: <160233.66244.qm@web51501.mail.re2.yahoo.com>
Message-ID: <46A4ABC4.5020900@redhat.com>

Steve G wrote:
>>> libsemanage.semanage_commit_sandbox: Error while renaming
>>> /etc/selinux/targeted/modules/active to
>>>
> /etc/selinux/targeted/modules/previous.
>
>>> /usr/sbin/semanage: Could not add SELinux user guest_u
>>> libsemanage.semanage_commit_sandbox: Error while renaming
>>> /etc/selinux/targeted/modules/active to
>>>
> /etc/selinux/targeted/modules/previous.
>
>>> /usr/sbin/semanage: Could not add SELinux user xguest_u
>>> Cleanup : policycoreutils ####################### [16/22]
>>>
>> Steve, why is this alarming?
>>
>
> Cause it sounds like a user type was not successfully added to the on-disk
> policy. Running "semanage user -l" shows that neither guest_u or xguest_u exist.
>
>
>> I'm almost certain that I've seen this before on my own system. Should I be
>> concerned as well?
>>
>
> I think this indicates a problem with libsemanage or selinux policy. And by the
> terseness of the error messages, I wonder if there's enough information to
> diagnose *why* this failed. An errno might be useful here.
>
> -Steve
>
The problem here is that a transition has failed and /etc/selinux/targeted
has a mislabeled problem.

restorecon -R -v /etc/selinux/targeted

should clean it up.
Not sure what caused it, although I have a theory that a transition on
setsebool did not happen properly so the files got mislabeled, during an
rpm install.

restorecon -R -v /etc/selinux/targeted

should clean up the mislabeled directory

# semanage user -a -P guest -R guest_r guest_u
# semanage user -a -P xguest -R xguest_r xguest_u

Execute these commands to create the two new user types.

From justin.conover at gmail.com Mon Jul 23 14:09:03 2007
From: justin.conover at gmail.com (Justin Conover)
Date: Mon, 23 Jul 2007 09:09:03 -0500
Subject: Debian testing +selinux
Message-ID:

I'm not sure if there is a regular selinux mailing list or not, I mainly use Fedora but thought someone here might be able to help.

I'm playing with selinux on Debian Testing and decided to try and write a policy by following the fc5 faq
http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385

Here is what I have done:

comatose:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        refpolicy-targeted

comatose:~# audit2allow -m local -l -i /var/log/audit/audit.log > local.te
comatose:~# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to local.mod
comatose:~# semodule_package -o local.pp -m local.mod
comatose:~# semodule -i local.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow hald_t memory_device_t:chr_file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
comatose:~# cat local.te

module local 1.0;

require {
	type unconfined_t;
	type lib_t;
	type xserver_log_t;
	type mount_t;
	type var_run_t;
	type syslogd_t;
	type etc_runtime_t;
	type initrc_t;
	type xdm_t;
	type udev_t;
	type device_t;
	type hald_t;
	type xdm_xserver_t;
	type memory_device_t;
	type insmod_t;
	type dhcpc_t;
	type var_t;
	type etc_t;
	type security_t;
	class fifo_file write;
	class process { execstack execmem signal };
	class unix_stream_socket { read write };
	class chr_file read;
	class fd use;
	class file { write rename getattr append read create unlink execute_no_trans };
	class filesystem getattr;
	class dir { write remove_name create add_name rmdir };
}

#============= dhcpc_t ==============
allow dhcpc_t etc_runtime_t:file unlink;

#============= hald_t ==============
allow hald_t memory_device_t:chr_file read;
allow hald_t var_t:file { read getattr };

#============= insmod_t ==============
allow insmod_t xdm_t:fd use;
allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
allow insmod_t xserver_log_t:file write;

#============= mount_t ==============
allow mount_t security_t:filesystem getattr;

#============= syslogd_t ==============
allow syslogd_t device_t:fifo_file write;

#============= udev_t ==============
allow udev_t etc_t:dir { write remove_name add_name };
allow udev_t etc_t:file { write rename create unlink append };
allow udev_t initrc_t:process signal;
allow udev_t lib_t:file execute_no_trans;
allow udev_t var_run_t:dir { create rmdir };

#============= unconfined_t ==============
allow unconfined_t self:process { execstack execmem };

From sds at tycho.nsa.gov Mon Jul 23 14:14:22 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 23 Jul 2007 10:14:22 -0400
Subject: Debian testing +selinux
Message-ID: <1185200062.1998.9.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-07-23 at 09:09 -0500, Justin Conover wrote:
> I'm not sure if there is a regular selinux mailing list or not, I
> mainly use Fedora but thought someone here might be able to help.

http://www.nsa.gov/selinux/info/list.cfm

> I'm playing with selinux on Debian Testing and decided to try and
> write a policy by following the fc5 faq
>
> http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385
>
> Here is what I have done:
>
> comatose:~# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 21
> Policy from config file:        refpolicy-targeted
>
> comatose:~# audit2allow -m local -l -i /var/log/audit/audit.log > local.te
> comatose:~# checkmodule -M -m -o local.mod local.te
> checkmodule: loading policy configuration from local.te
> checkmodule: policy configuration loaded
> checkmodule: writing binary representation (version 6) to local.mod
> comatose:~# semodule_package -o local.pp -m local.mod
> comatose:~# semodule -i local.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> hald_t memory_device_t:chr_file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>
> comatose:~# cat local.te
>
> module local 1.0;
>
> require {
>         type unconfined_t;
>         type lib_t;
>         type xserver_log_t;
>         type mount_t;
>         type var_run_t;
>         type syslogd_t;
>         type etc_runtime_t;
>         type initrc_t;
>         type xdm_t;
>         type udev_t;
>         type device_t;
>         type hald_t;
>         type xdm_xserver_t;
>         type memory_device_t;
>         type insmod_t;
>         type dhcpc_t;
>         type var_t;
>         type etc_t;
>         type security_t;
>         class fifo_file write;
>         class process { execstack execmem signal };
>         class unix_stream_socket { read write };
>         class chr_file read;
>         class fd use;
>         class file { write rename getattr append read create unlink
> execute_no_trans };
>         class filesystem getattr;
>         class dir { write remove_name create add_name rmdir };
> }
>
> #============= dhcpc_t ==============
> allow dhcpc_t etc_runtime_t:file unlink;
>
> #============= hald_t ==============
> allow hald_t memory_device_t:chr_file read;

The above rule violates a neverallow statement in your base policy to catch dangerous rules (like access to /dev/mem or /dev/kmem, as in this case). Options:

- remove the rule entirely,
- replace "allow" with "dontaudit" to silence the audit message without allowing it,
- use the appropriate refpolicy interface to allow it in a way that marks hald_t with a typeattribute authorized for such access.
> allow hald_t var_t:file { read getattr };
>
> #============= insmod_t ==============
> allow insmod_t xdm_t:fd use;
> allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
> allow insmod_t xserver_log_t:file write;
>
> #============= mount_t ==============
> allow mount_t security_t:filesystem getattr;
>
> #============= syslogd_t ==============
> allow syslogd_t device_t:fifo_file write;
>
> #============= udev_t ==============
> allow udev_t etc_t:dir { write remove_name add_name };
> allow udev_t etc_t:file { write rename create unlink append };
> allow udev_t initrc_t:process signal;
> allow udev_t lib_t:file execute_no_trans;
> allow udev_t var_run_t:dir { create rmdir };
>
> #============= unconfined_t ==============
> allow unconfined_t self:process { execstack execmem };

--
Stephen Smalley
National Security Agency

From justin.conover at gmail.com Mon Jul 23 14:41:36 2007
From: justin.conover at gmail.com (Justin Conover)
Date: Mon, 23 Jul 2007 09:41:36 -0500
Subject: Debian testing +selinux
In-Reply-To: <1185200864.1998.17.camel@moss-spartans.epoch.ncsc.mil>
References: <1185200062.1998.9.camel@moss-spartans.epoch.ncsc.mil> <1185200864.1998.17.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

On 7/23/07, Stephen Smalley wrote:
>
> On Mon, 2007-07-23 at 09:23 -0500, Justin Conover wrote:
> >
> > On 7/23/07, Stephen Smalley wrote:
> >         On Mon, 2007-07-23 at 09:09 -0500, Justin Conover wrote:
> >         > I'm not sure if there is a regular selinux mailing list or not, I
> >         > mainly use Fedora but thought someone here might be able to help.
> >
> >         http://www.nsa.gov/selinux/info/list.cfm
> >
> > Thank you, I saw that list but it said "SELinux Developers mailing
> > list" and I'm not a developer so I thought that excluded me :)
>
> Nope.
>
> > So if I remove the rule entirely, does that mean take it out of
> > local.te? The parts talking about hald.
>
> Only one that is relevant to this assertion is the one between hald_t
> and memory_device_t.
>
> --
> Stephen Smalley
> National Security Agency

Ok, I have removed the hald_t memory_device part:

comatose:~# grep hald local.te
type hald_t;
#============= hald_t ==============
#allow hald_t memory_device_t:chr_file read;
allow hald_t var_t:file { read getattr };
comatose:~# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to local.mod
comatose:~# semodule_package -o local.pp -m local.mod
comatose:~# semodule -i local.pp
comatose:~#

Another question, does doing this audit2allow method sort of mean "I have no idea what I'm doing, so allow it all", or is that why it caught the hald_t memory portion and said NO, don't do this!
From sds at tycho.nsa.gov Mon Jul 23 18:13:45 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 23 Jul 2007 14:13:45 -0400
Subject: Debian testing +selinux
References: <1185200062.1998.9.camel@moss-spartans.epoch.ncsc.mil> <1185200864.1998.17.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1185214425.3389.15.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-07-23 at 09:41 -0500, Justin Conover wrote:
> Another question, does doing this audit2allow method sort of mean "I
> have no idea what I'm doing, so allow it all", or is that why it
> caught the hald_t memory portion and said NO, don't do this!

As per the audit2allow man page, you should think through the rules generated by audit2allow, not just blindly take them.

The neverallow statements aka assertions in the base policy will catch certain kinds of dangerous access or malformed rules, but are certainly not exhaustive.

Mapping the low-level allow rules to higher level abstractions is something you get from using reference policy, if you use the reference policy interfaces. You might try running audit2allow with the -R option to try to have it generate calls to reference policy interfaces. What version of audit2allow are you using?

You may want to try SLIDE for policy writing, as it makes it much easier to search reference policy interfaces, access the inline documentation, etc.

--
Stephen Smalley
National Security Agency

From spng.yang at gmail.com Tue Jul 24 02:17:48 2007
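The audit2allow-to-semodule path discussed in this thread, as an added example that is not part of the list archive and not the real audit2allow or libsepol: a toy script that collapses AVC denials into allow rules in the local.te layout Justin posted, runs a neverallow table over them the way libsepol's assertion check did, and rewrites a violating rule as dontaudit (the second of Smalley's three options). The sample AVC lines and the one-entry NEVERALLOW table are constructed for the example; the real base policy's assertions are far larger.

```python
"""Toy version of the audit2allow -> checkmodule/semodule path from the thread.
Added example, not the real audit2allow or libsepol.  It turns AVC denials into
allow rules laid out like the local.te posted on the list, runs a (constructed)
neverallow table over them the way libsepol's assertion check does, and
rewrites a violating rule as dontaudit so the denial is silenced, not granted."""
import re
from collections import defaultdict

# Constructed AVC records in the format shown on the list; hald reading the
# memory device is the case that tripped the assertion in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1185200000.101:21): avc:  denied  { read } for  pid=2211 comm="hald" name="mem" dev=tmpfs ino=1234 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
type=AVC msg=audit(1185200000.102:22): avc:  denied  { read } for  pid=2211 comm="hald" name="cache" dev=sda1 ino=4567 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1185200000.103:23): avc:  denied  { getattr } for  pid=2211 comm="hald" name="cache" dev=sda1 ino=4567 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1185200000.104:24): avc:  denied  { unlink } for  pid=1987 comm="dhclient-script" name="resolv.conf" dev=sda1 ino=8910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1185200000.105:25): avc:  denied  { write } for  pid=1201 comm="syslogd" name="xconsole" dev=tmpfs ino=1112 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
"""

# Constructed stand-in for the base policy's neverallow statements:
# (source type or "*" for any, target type, object class, permissions).
NEVERALLOW = [
    ("*", "memory_device_t", "chr_file", {"read", "write", "append"}),
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+)\S*\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)


def parse_avcs(log_text):
    """Collapse denials into {(source type, target type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)


def fmt_perms(perms):
    """One permission bare, several in braces, as checkmodule expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def check_assertions(rules, neverallow=NEVERALLOW):
    """Return (stype, ttype, tclass, offending perms) for every rule that a
    neverallow entry forbids; an empty list means the module would link."""
    violations = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        for n_src, n_tgt, n_cls, n_perms in neverallow:
            if n_src in ("*", stype) and (n_tgt, n_cls) == (ttype, tclass):
                hit = perms & n_perms
                if hit:
                    violations.append((stype, ttype, tclass, frozenset(hit)))
    return violations


def render_module(rules, violations=(), name="local", version="1.0"):
    """Emit a .te in the layout audit2allow -m produces.  Rules listed in
    violations become dontaudit: the audit message goes away, access does not."""
    bad = {(s, t, c) for s, t, c, _ in violations}
    types, classes = set(), defaultdict(set)
    for (s, t, c), perms in rules.items():
        types.update((s, t))
        classes[c].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for src in sorted({k[0] for k in rules}):
        out.append(f"#============= {src} ==============")
        for key in sorted(k for k in rules if k[0] == src):
            kw = "dontaudit" if key in bad else "allow"
            out.append(f"{kw} {key[0]} {key[1]}:{key[2]} {fmt_perms(rules[key])};")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    rules = parse_avcs(SAMPLE_AUDIT_LOG)
    viol = check_assertions(rules)
    for s, t, c, p in viol:
        print(f"assertion violated by allow {s} {t}:{c} {fmt_perms(p)};")
    print(render_module(rules, viol))
```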
From: spng.yang at gmail.com (Ken YANG)
Date: Tue, 24 Jul 2007 10:17:48 +0800
Subject: Debian testing +selinux
In-Reply-To: <1185214425.3389.15.camel@moss-spartans.epoch.ncsc.mil>
References: <1185200062.1998.9.camel@moss-spartans.epoch.ncsc.mil> <1185200864.1998.17.camel@moss-spartans.epoch.ncsc.mil> <1185214425.3389.15.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <46A5614C.1030601@gmail.com>

Stephen Smalley wrote:
> On Mon, 2007-07-23 at 09:41 -0500, Justin Conover wrote:
>> Another question, does doing this audit2allow method sort of mean "I
>> have no idea what I'm doing, so allow it all", or is that why it
>> caught the hald_t memory portion and said NO, don't do this!
>
> As per the audit2allow man page, you should think through the rules
> generated by audit2allow, not just blindly take them.
>
> The neverallow statements aka assertions in the base policy will catch
> certain kinds of dangerous access or malformed rules, but are certainly
> not exhaustive.

From your words, can I take it that a violated assertion, such as:

assertion on line 0 violated by allow ......

can only be introduced by "neverallow" rules? Are there any other rules that will cause this kind of error?

> Mapping the low-level allow rules to higher level abstractions is
> something you get from using reference policy, if you use the reference
> policy interfaces. You might try running audit2allow with the -R option
> to try to have it generate calls to reference policy interfaces. What
> version of audit2allow are you using?
>
> You may want to try SLIDE for policy writing, as it makes it much easier
> to search reference policy interfaces, access the inline documentation,
> etc.

From hal_bg at yahoo.com Tue Jul 24 09:18:59 2007
From: hal_bg at yahoo.com (Hal)
Date: Tue, 24 Jul 2007 02:18:59 -0700 (PDT)
Subject: user home - disable execution
Message-ID: <748686.80742.qm@web32209.mail.mud.yahoo.com>

Hi all

I am new to selinux and I want to use it to achieve 3 main goals:
1. disable execution of any executables located in users' home dir trees.
2. prevent users from seeing what other users exist on the system.
3. prevent users from seeing who is logged in and what processes are running.

Does anybody have any policy modules doing something similar? I need a starting point. A clue, whatever to point me in the right direction.
I have been reading "SELinux by Example" and "SELinux: NSA's Open Source Security Enhanced Linux" but both books seem quite out of date. All I have learned is how to write useless rules, because I do not know how to make a module, how to use a module to override the default policy, etc.

Thanks in advance!

Hal

From sds at tycho.nsa.gov Tue Jul 24 12:11:30 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 24 Jul 2007 08:11:30 -0400
Subject: Debian testing +selinux
In-Reply-To: <46A5614C.1030601@gmail.com>
References: <1185200062.1998.9.camel@moss-spartans.epoch.ncsc.mil> <1185200864.1998.17.camel@moss-spartans.epoch.ncsc.mil> <1185214425.3389.15.camel@moss-spartans.epoch.ncsc.mil> <46A5614C.1030601@gmail.com>
Message-ID: <1185279090.16598.7.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-07-24 at 10:17 +0800, Ken YANG wrote:
> Stephen Smalley wrote:
> > On Mon, 2007-07-23 at 09:41 -0500, Justin Conover wrote:
> >> Another question, does doing this audit2allow method sort of mean "I
> >> have no idea what I'm doing, so allow it all", or is that why it
> >> caught the hald_t memory portion and said NO, don't do this!
> >
> > As per the audit2allow man page, you should think through the rules
> > generated by audit2allow, not just blindly take them.
> >
> > The neverallow statements aka assertions in the base policy will catch
> > certain kinds of dangerous access or malformed rules, but are certainly
> > not exhaustive.
>
> From your words, can I take it that a violated assertion, such as:
>
> assertion on line 0 violated by allow ......
>
> can only be introduced by "neverallow" rules? Are there any other rules
> that will cause this kind of error?

Only neverallow rules cause those messages to occur. The "assertion on line 0" part is a holdover from when this was all done at the time policy was compiled from source (versus precompiled loadable modules).

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Tue Jul 24 20:44:43 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 24 Jul 2007 16:44:43 -0400
Subject: user home - disable execution
In-Reply-To: <748686.80742.qm@web32209.mail.mud.yahoo.com>
References: <748686.80742.qm@web32209.mail.mud.yahoo.com>
Message-ID: <46A664BB.1020505@redhat.com>

Hal wrote:
> Hi all
>
> I am new to selinux and I want to use it to achieve 3 main goals:
> 1. disable execution of any executables located in users' home dir trees.
> 2. prevent users from seeing what other users exist on the system.
> 3. prevent users from seeing who is logged in and what processes are running.
>
> Does anybody have any policy modules doing something similar? I
> need a starting point. A clue, whatever to point me in the right direction.
> I have been reading "SELinux by Example" and "SELinux: NSA's Open Source
> Security Enhanced Linux" but both books seem quite out of date. All I have
> learned is how to write useless rules, because I do not know how to make a
> module, how to use a module to override the default policy, etc.
>
> Thanks in advance!
>
> Hal

I have just rebuilt rawhide policy and by default guest/xguest users will give you exactly what you request.

selinux-policy-3.0.3-6

From hal_bg at yahoo.com Tue Jul 24 21:11:03 2007
From: hal_bg at yahoo.com (Hal)
Date: Tue, 24 Jul 2007 14:11:03 -0700 (PDT)
Subject: user home - disable execution
In-Reply-To: <46A664BB.1020505@redhat.com>
Message-ID: <254146.28320.qm@web32210.mail.mud.yahoo.com>

> I have just rebuilt rawhide policy and by default guest/xguest users
> will give you exactly what you request.
>
> selinux-policy-3.0.3-6

10x!
But how to apply this to ~500 users?

From hal_bg at yahoo.com Wed Jul 25 06:35:56 2007
From: hal_bg at yahoo.com (Hal)
Date: Tue, 24 Jul 2007 23:35:56 -0700 (PDT)
Subject: user home - disable execution - selinux-policy-3.0.3-6
In-Reply-To: <46A664BB.1020505@redhat.com>
Message-ID: <724737.21651.qm@web32205.mail.mud.yahoo.com>

Sorry, but I can not find selinux-policy-3.0.3-6 anywhere. Would you give me a link?

Hal

--- Daniel J Walsh wrote:
> Hal wrote:
> > Hi all
> >
> > I am new to selinux and I want to use it to achieve 3 main goals:
> > 1. disable execution of any executables located in users' home dir trees.
> > 2. prevent users from seeing what other users exist on the system.
> > 3. prevent users from seeing who is logged in and what processes are running.
> >
> > Does anybody have any policy modules doing something similar? I
> > need a starting point. A clue, whatever to point me in the right direction.
> > I have been reading "SELinux by Example" and "SELinux: NSA's Open Source
> > Security Enhanced Linux" but both books seem quite out of date. All I have
> > learned is how to write useless rules, because I do not know how to make a
> > module, how to use a module to override the default policy, etc.
> >
> > Thanks in advance!
> >
> > Hal
>
> I have just rebuilt rawhide policy and by default guest/xguest users
> will give you exactly what you request.
>
> selinux-policy-3.0.3-6
From lshoujun at yahoo.com Wed Jul 25 07:47:27 2007
From: lshoujun at yahoo.com (Louis Lam)
Date: Wed, 25 Jul 2007 00:47:27 -0700 (PDT)
Subject: Containing vmware player 2.0.0 with SELINUX
Message-ID: <563435.59905.qm@web34815.mail.mud.yahoo.com>

Hi All,

Still on the topic of the transition from a file labeled vmware_exec_t to vmware_t. Under the vmware.if file, there is a:

domain_entry_file($1_vmware_t, vmware_exec_t)
role $3 types $1_vmware_t

Is this a rule that allows files marked with vmware_exec_t to transition to vmware_t? What do the $1, $2, $3 represent? Pardon my ignorance on this but I see these $1, $2 things appear in a lot of places, which confuses me. Can anyone point me to a place to learn more about the substitutions?

For the transition to take place I'd probably need to add something like this:

domain_auto_trans(initrc_t, vmware_exec_t, vmware_t)

That is following the suggestion below by Daniel to make the /usr/bin/vmplayer script initrc_exec_t. But I'm not too sure where to place this statement, in vmware.te? I tried that but get a compilation error

vmware.te:13:ERROR: 'unknown type vmware_t' at token ';'

I thought vmware_t has been defined in vmware.if?

Thanks in Advance,
Best Regards,
Louis

----- Original Message ----
From: Daniel J Walsh
To: Louis Lam
Cc: Ken YANG ; fedora-selinux-list at redhat.com
Sent: Monday, July 16, 2007 1:24:00 PM
Subject: Re: Containing vmware player 2.0.0 with SELINUX

Louis Lam wrote:
> Hi All,
>
> I managed to get the vmware host services e.g. vmnet-bridge, vmnet-dhcpd etc... to be running in
> vmware_host_t domain. I did it by modifying the net-services.sh as described in an earlier post.
>
> Next I tried to get vmplayer (I'm using vmware player 2.0.0 but it is similar for vmware ws 6) to
> run in vmware_t domain. First I tried to chcon /usr/bin/vmplayer to
> system_u:object_r:vmware_exec_t. But it turns out that /usr/bin/vmplayer is a script that would in
> turn execute /usr/lib/vmware/bin/vmplayer. I have chcon /usr/lib/vmware/bin/vmplayer to
> system_u:object_r:vmware_exec_t but still it runs in unconfined_t when I launched it. It seems like
> the domain transition didn't take place. Please help.
>
> 1. What should be the context for the /usr/bin/vmplayer script? Does it affect the transition of
> the actual executable /usr/lib/vmware/bin/vmplayer?
>
> 2. For those who could get vmware workstation 6 to run, how did you get it to run in vmware_t
> domain?

There is currently no transition from unconfined_t to vmware_t. So the only way to get the transition to happen is through the initrc script. You could label the vmplayer script initrc_exec_t and the transitions should happen properly.

> Thanks,
> Louis
>
> --- Daniel J Walsh wrote:
>
>> Ken YANG wrote:
>>> Daniel J Walsh wrote:
>>>> Louis Lam wrote:
>>>>> Hi all,
>>>>>
>>>>> At this point I'm still trying to use SELINUX to "contain" vmware
>>>>> player, making it run in targeted mode.
>>>>>
>>>>> I'm still rather new to this but through the help of Ken, I've been
>>>>> able to manipulate modules and get it to "affect" the vmware player
>>>>> but at this point my vmware player is still "broken".
>>>>> Would anyone be able to share their configuration (.te, .fc, .if) files
>>>>> if you've managed to get it to work with vmware player or vmware-workstation 6?
>>>>> Currently I'm working with Fedora 7 but intend to port it back to RHEL 5.
>>>>>
>>>>> I've downloaded the latest reference policy from oss and examined the
>>>>> vmware relevant files. From examining the vmware.fc and
>>>>> "/etc/selinux/targeted/modules/active/file_context", it seems like the
>>>>> vmware.fc file could have been written for an older/different version
>>>>> of vmware where the vmnet devices are at /dev/vmnet.* instead of /dev/vmnet*
>>>>> found in vmplayer 2/workstation 6. Which version was it written for?
>>>>
>>>> There is vmware policy that we are starting to use in Rawhide (fc8)
>>>>
>>>>> I went on to modify the vmware.fc file and managed to compile and load
>>>>> the vmware.pp module. But currently this affected the vmware services at
>>>>> startup, e.g. vmnet-dhcpd. For vmware, when something fails to start, it
>>>>> would ask me to run vmware-config.pl again when I restart it. Doing
>>>>> this would recreate the /dev/vmnet* files over again but they will not
>>>>> have the right context, defaulting to "device_t" instead of the
>>>>> "vmware_device_t" that I have modified. The lines in my vmware.fc look like this:
>>>>>
>>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>>
>>>>> I was thinking that if the script has created a new /dev/vmnet file it
>>>>> would automatically use the vmware_device_t context but it didn't. Did I miss anything?
>>>> The problem here is the script is running as initrc_t which has no rules
>>>> when creating devices in directories labeled device_t (/dev). So it uses
>>>> the default and labels the devices the same as the directory. Usually
>>>> when we have this situation, we just run restorecon /dev/XYZ after the
>>>> creation, for example
>>>>
>>>> mknod /dev/XYZ
>>>> chmod 666 /dev/XYZ
>>>> restorecon /dev/XYZ
>>>>
>>> As Tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh
>>> which creates such devices:
>>>
>>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2
>>>
>>> I notice "/dev" is tmpfs:
>>>
>>> -(:14:45:$)-> cat /proc/mounts
>>> rootfs / rootfs rw 0 0
>>> /dev/root / ext3 rw,data=ordered 0 0
>>> /dev /dev tmpfs rw 0 0
>>> ......
>>>
>>> I want to add rules in policy:
>>>
>>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
>>>
>>> Additionally I don't know what the type of net-services.sh should be; now it is:
>>>
>>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh
>>>
>>> Is this method appropriate?
>>>
>>>>> What do the two "--" on the line mean? Are they significant?
>>>>
>>>> The -- indicates that this matches only files.
>>>>
>>>> -d directories
>>>> -s sock_file
>>>> -l link file
>>>> -c char_file
>>>> ...
>>>>
>>>> Second character matches the first character of the ls -l line
>>>>
>>>> ls -l /dev/ttyS0
>>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
>>>>
>>>> If you have no option specified it would match any file type.
>>>>
>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>
>>>> would match only "Regular files" with these labels. So you would be
>>>> better off with -c (or -b if they are block devices).
>>>>> Sorry about the long post, any help or advice? Thanks.
>>>>>
>>>>> Louis
>>>>
>> One approach to this would be to label the /etc/init.d/vmware script
>> vmware_initrc_exec_t and then setup the proper transitions.
>>
>> This is something we are considering for RBAC. For example we want to
>> allow the webadm_t to be able to only restart/execute the httpd
>> script. Currently we have to allow him to execute any initrc script,
>> although we can prevent him from starting other confined domains.
>> A cleaner solution might be to label the script differently and setup
>> another domain for the script to transition to.

From spng.yang at gmail.com Wed Jul 25 08:42:22 2007
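Walsh's explanation of the file-type flag in .fc lines, as an added example that is not part of the thread and not refpolicy or libselinux code: a small matcher that applies his rule (no flag matches any file type; "--", "-c", "-d" and so on restrict the line to the type shown in the first column of ls -l) over a constructed vmware.fc fragment, and shows why the "--" on /dev/vmnet0 leaves a character device labeled device_t by the generic /dev/.* line. The fragment, and the last-matching-line-wins ordering that matchpathcon applies, are assumptions of this example rather than the project's own file.

```python
"""File-context flag matching as described on the list.  Added example, not
code from refpolicy or libselinux.  The vmware.fc fragment is constructed; the
'--' on /dev/vmnet0 reproduces the mistake pointed out in the thread."""
import re
import stat
from collections import namedtuple

# Constructed fc fragment.  The generic /dev/.* line comes first because, as
# this example assumes matchpathcon behaves, the last matching line wins, so
# specific lines placed later override it.
SAMPLE_FC = """\
/dev/.*                        gen_context(system_u:object_r:device_t,s0)
/dev/vmnet0               --   gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet1               -c   gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet8                    gen_context(system_u:object_r:vmware_device_t,s0)
/usr/lib/vmware/bin/vmplayer   --   gen_context(system_u:object_r:vmware_exec_t,s0)
"""

FcSpec = namedtuple("FcSpec", "regex flag setype")


def parse_fc(text):
    """Each line is: path-regex [flag] context; the flag column is optional."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        flag = parts[1] if len(parts) == 3 else None
        setype = re.search(r":object_r:(\w+)", parts[-1]).group(1)
        # file_contexts regexes are anchored at both ends
        specs.append(FcSpec(re.compile("^" + parts[0] + "$"), flag, setype))
    return specs


def ls_type_char(mode):
    """First column of `ls -l`: the character the flag's second letter must match."""
    if stat.S_ISDIR(mode):
        return "d"
    if stat.S_ISCHR(mode):
        return "c"
    if stat.S_ISBLK(mode):
        return "b"
    if stat.S_ISLNK(mode):
        return "l"
    if stat.S_ISSOCK(mode):
        return "s"
    if stat.S_ISFIFO(mode):
        return "p"
    return "-"


def match_fc(specs, path, mode):
    """Type the table assigns to path given its st_mode, or None if no line
    matches.  A line with no flag matches any file type; a flagged line only
    its own type.  Among matching lines the last one in the file wins."""
    want = ls_type_char(mode)
    winner = None
    for spec in specs:
        if spec.regex.match(path) and (spec.flag is None or spec.flag[1] == want):
            winner = spec.setype
    return winner


def flag_mismatches(specs, observed):
    """Lint: lines whose regex matches an observed path but whose flag rules
    out the path's real type, so the line can never apply to that file."""
    found = []
    for path, mode in observed:
        want = ls_type_char(mode)
        for spec in specs:
            if spec.regex.match(path) and spec.flag and spec.flag[1] != want:
                found.append((spec.regex.pattern, spec.flag, path, want))
    return found


if __name__ == "__main__":
    specs = parse_fc(SAMPLE_FC)
    devices = [(f"/dev/vmnet{n}", stat.S_IFCHR | 0o660) for n in (0, 1, 8)]
    for path, mode in devices:
        print(f"{path}: {match_fc(specs, path, mode)}")
    for pattern, flag, path, want in flag_mismatches(specs, devices):
        print(f"{pattern} {flag} never matches {path} (ls -l shows '{want}')")
```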
From: spng.yang at gmail.com (Ken YANG)
Date: Wed, 25 Jul 2007 16:42:22 +0800
Subject: user home - disable execution - selinux-policy-3.0.3-6
In-Reply-To: <724737.21651.qm@web32205.mail.mud.yahoo.com>
References: <724737.21651.qm@web32205.mail.mud.yahoo.com>
Message-ID: <46A70CEE.8040707@gmail.com>

Hal wrote:
> Sorry, but I can not find selinux-policy-3.0.3-6 anywhere. Would you give me a
> link?

http://koji.fedoraproject.org/koji/buildinfo?buildID=11831

and it will be in rawhide soon

> Hal
>
> --- Daniel J Walsh wrote:
>
>> Hal wrote:
>>> Hi all
>>>
>>> I am new to selinux and I want to use it to achieve 3 main goals:
>>> 1. disable execution of any executables located in users' home dir trees.
>>> 2. prevent users from seeing what other users exist on the system.
>>> 3. prevent users from seeing who is logged in and what processes are running.
>>>
>>> Does anybody have any policy modules doing something similar? I
>>> need a starting point. A clue, whatever to point me in the right direction.
>>> I have been reading "SELinux by Example" and "SELinux: NSA's Open Source
>>> Security Enhanced Linux" but both books seem quite out of date. All I have
>>> learned is how to write useless rules, because I do not know how to make a
>>> module, how to use a module to override the default policy, etc.
>>>
>>> Thanks in advance!
>>>
>>> Hal
>>
>> I have just rebuilt rawhide policy and by default guest/xguest users
>> will give you exactly what you request.
>>
>> selinux-policy-3.0.3-6
From dwalsh at redhat.com Wed Jul 25 12:46:33 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 25 Jul 2007 08:46:33 -0400
Subject: user home - disable execution
In-Reply-To: <254146.28320.qm@web32210.mail.mud.yahoo.com>
References: <254146.28320.qm@web32210.mail.mud.yahoo.com>
Message-ID: <46A74629.2080806@redhat.com>

Hal wrote:
>> I have just rebuilt rawhide policy and by default guest/xguest users
>> will give you exactly what you request.
>>
>> selinux-policy-3.0.3-6
>
> 10x!
> But how to apply this to ~500 users?

All on the same machine?

semanage login -m -s guest_u __default__

Should setup the machine to default all users to the guest user account.

From dwalsh at redhat.com Wed Jul 25 12:51:51 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 25 Jul 2007 08:51:51 -0400
Subject: user home - disable execution - selinux-policy-3.0.3-6
In-Reply-To: <724737.21651.qm@web32205.mail.mud.yahoo.com>
References: <724737.21651.qm@web32205.mail.mud.yahoo.com>
Message-ID: <46A74767.3010000@redhat.com>

Hal wrote:
> Sorry, but I can not find selinux-policy-3.0.3-6 anywhere. Would you give me a
> link?
>
> Hal
>
> --- Daniel J Walsh wrote:
>
>> Hal wrote:
>>> Hi all
>>>
>>> I am new to selinux and I want to use it to achieve 3 main goals:
>>> 1. disable execution of any executables located in users' home dir trees.
>>> 2. prevent users from seeing what other users exist on the system.
>>> 3. prevent users from seeing who is logged in and what processes are running.
>>>
>>> Does anybody have any policy modules doing something similar? I
>>> need a starting point. A clue, whatever to point me in the right direction.
>>> I have been reading "SELinux by Example" and "SELinux: NSA's Open Source
>>> Security Enhanced Linux" but both books seem quite out of date. All I have
>>> learned is how to write useless rules, because I do not know how to make a
>>> module, how to use a module to override the default policy, etc.
>>>
>>> Thanks in advance!
>>>
>>> Hal
>>
>> I have just rebuilt rawhide policy and by default guest/xguest users
>> will give you exactly what you request.
>>
>> selinux-policy-3.0.3-6
> Check out fitting gifts for grads at Yahoo! Search > http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&cs=bz > It should be in today's rawhide. You can also grab it at http://people.redhat.com/dwalsh/SELinux/Fedora From hal_bg at yahoo.com Wed Jul 25 16:53:38 2007 From: hal_bg at yahoo.com (Hal) Date: Wed, 25 Jul 2007 09:53:38 -0700 (PDT) Subject: user home - disable execution - load/unload policy In-Reply-To: <46A74629.2080806@redhat.com> Message-ID: <807513.91457.qm@web32212.mail.mud.yahoo.com> 10x a lot! The last question: How do I unload the original policy and load this one on fc6? Is it possible at all? --- Daniel J Walsh wrote: > Hal wrote: > >>> > >>> > >> I have just rebuilt rawhide policy and by default guest/xguest users > >> will give you exactly what you request. > >> > >> selinux-policy-3.0.3-6 > >> > >>> > >>> > > > > 10x! > > but How to apply this to ~500 users? > > > > > All on the same machine? > > semanage login -m -s guest_u __default__ > > Should setup the machine to default all users to the guest user account. > > > > > > > ____________________________________________________________________________________Ready > for the edge of your seat? > > Check out tonight's top picks on Yahoo! TV. > > http://tv.yahoo.com/ > > > > ____________________________________________________________________________________ Be a better Heartthrob. Get better relationship answers from someone who knows. Yahoo! Answers - Check it out. http://answers.yahoo.com/dir/?link=list&sid=396545433 From dwalsh at redhat.com Wed Jul 25 17:10:01 2007 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 25 Jul 2007 13:10:01 -0400
Subject: user home - disable execution - load/unload policy
In-Reply-To: <807513.91457.qm@web32212.mail.mud.yahoo.com>
References: <807513.91457.qm@web32212.mail.mud.yahoo.com>
Message-ID: <46A783E9.7010502@redhat.com>

Hal wrote:
> 10x a lot!
> The last question:
> How do I unload the original policy and load this one on fc6?
> Is it possible at all?
>
>
This policy is highly experimental, and should at this time only be used on
Rawhide boxes. The selinux policy rpm will replace the old one, but it
probably requires lots of other packages to update the system.

> --- Daniel J Walsh wrote:
>
>> Hal wrote:
>>
>>>>> I have just rebuilt rawhide policy and by default guest/xguest users
>>>>> will give you exactly what you request.
>>>>>
>>>>> selinux-policy-3.0.3-6
>>>>>
>>> 10x!
>>> but How to apply this to ~500 users?
>>>
>> All on the same machine?
>>
>> semanage login -m -s guest_u __default__
>>
>> Should setup the machine to default all users to the guest user account.
>>
>>> ____________________________________________________________________________________
>>> Ready for the edge of your seat?
>>> Check out tonight's top picks on Yahoo! TV.
>>> http://tv.yahoo.com/
>>>
>
> ____________________________________________________________________________________
> Be a better Heartthrob. Get better relationship answers from someone who knows. Yahoo! Answers - Check it out.
> http://answers.yahoo.com/dir/?link=list&sid=396545433
>

From dwalsh at redhat.com Wed Jul 25 19:12:56 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 25 Jul 2007 15:12:56 -0400
Subject: Containing vmware player 2.0.0 with SELINUX
In-Reply-To: <563435.59905.qm@web34815.mail.mud.yahoo.com>
References: <563435.59905.qm@web34815.mail.mud.yahoo.com>
Message-ID: <46A7A0B8.9010202@redhat.com>

Louis Lam wrote:
> Hi All,
>
> Still on the topic of transition between a file vmware_exec_t to vmware_t.
>
> Under the vmware.if file, there is a:
>
> domain_entry_file($1_vmware_t, vmware_exec_t)
> role $3 types $1_vmware_t
>
> Is this a rule that allows files marked with vmware_exec_t to transit
> to vmware_t? What do the $1, $2, $3 represent? Pardon my ignorance on
> this but I see these $1, $2 things appear in a lot of places which
> confuse me. Can anyone point me to a place to learn more about the
> substitutions?
>
This just says that files labeled vmware_exec_t can be used as entrypoints
into $1_vmware_t, where $1 is a user type: "user", "staff", "guest", "xguest".
The next line specifies which roles can reach the specified domain.
No transition rules have been defined.

> For the transition to take place I'd probably need to add something
> like this:
>
> domain_auto_trans(initrc_t, vmware_exec_t, vmware_t)
>
Yes, this allows it to reach this particular domain. But to reach the user
domains defined above:

domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)

or

domain_auto_trans(user_t, vmware_exec_t, user_vmware_t)

> That is following the suggestion below by Daniel to make the
> /usr/bin/vmplayer script initrc_exec_t.
>
> But not too sure where to place this statement, in vmware.te?
>
> I tried that but get a compilation error
>
> vmware.te:13:ERROR: 'unknown type vmware_t' at token ';'
>
Yes, I was mistaken. That is not the way the policy is written. (I guess I
should read before I speak.) If you want to get vmware to transition from
unconfined_t you will have to write the transition rules from unconfined_t
to unconfined_vmware_t.
> I thought vmware_t has been defined in vmware.if?
>
> Thanks in Advance,
> Best Regards,
> Louis
>
> ----- Original Message ----
> From: Daniel J Walsh
> To: Louis Lam
> Cc: Ken YANG ; fedora-selinux-list at redhat.com
> Sent: Monday, July 16, 2007 1:24:00 PM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Louis Lam wrote:
> > Hi All,
> >
> > I managed to get the vmware host services e.g. vmnet-bridge,
> > vmnet-dhcpd etc... to be running in vmware_host_t domain. I did it by
> > modifying the net-services.sh as described in an earlier post.
> >
> > Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it
> > is similar for vmware ws 6) to run in vmware_t domain. First i tried to
> > chcon /usr/bin/vmplayer to system_u:object_r:vmware_exec_t. But it
> > turns out that /usr/bin/vmplayer is a script that would in turn
> > execute /usr/lib/vmware/bin/vmplayer. I have chcon
> > /usr/lib/vmware/bin/vmplayer to system_u:object_r:vmware_exec_t but
> > still it runs in unconfined_t when i launched it. It seems like the
> > domain transition didn't take place. Please help.
> >
> > 1. What should be the context for the /usr/bin/vmplayer script? Does
> > it affect the transition of the actual executable
> > /usr/lib/vmware/bin/vmplayer?
> >
> > 2. For those who could get vmware workstation 6 to run, how did you
> > get it to run in vmware_t domain?
> >
> There is currently no transition from unconfined_t to vmware_t. So the
> only way to get the transition to happen is through the initrc script.
> You could label the vmplayer script initrc_exec_t and the transitions
> should happen properly.
>
> > Thanks,
> >
> > Louis
> >
> > --- Daniel J Walsh wrote:
> >
> >> Ken YANG wrote:
> >>
> >>> Daniel J Walsh wrote:
> >>>
> >>>> Louis Lam wrote:
> >>>>
> >>>>> Hi all,
> >>>>>
> >>>>> At this point i'm still trying to use SELINUX to "contain" vmware
> >>>>> player, making it run in targeted mode.
> >>>>>
> >>>>> I'm still rather new to this but through the help of Ken, i've been
> >>>>> able to manipulate modules and get it to "affect" the vmware player
> >>>>> but at this point my vmware player is still "broken".
> >>>>> Would anyone be able to share their configurations (.te,.fc,.if)
> >>>>> file if you've managed to get it to work with vmware player or
> >>>>> vmware-workstation 6? Currently i'm working with Fedora 7 but
> >>>>> intend to port it back to RHEL 5.
> >>>>>
> >>>>> I've downloaded the latest reference policy from oss and examined
> >>>>> the vmware relevant files. From examining the vmware.fc and
> >>>>> "/etc/selinux/targeted/modules/active/file_context", seems like the
> >>>>> vmware.fc file could have been written for an older/different
> >>>>> version of vmware where the vmnet devices are at /dev/vmnet.*
> >>>>> instead of /dev/vmnet* found in vmplayer 2/workstation 6. Which
> >>>>> version was it written for?
> >>>>>
> >>>> There is vmware policy that we are starting to use in Rawhide (fc8)
> >>>>
> >>>>> I went on to modify the vmware.fc file and managed to compile and
> >>>>> load the vmware.pp module. But currently this affected the vmware
> >>>>> services at startup, e.g. vmnet-dhcpd. For vmware, when something
> >>>>> fails to start, it would ask me to run vmware-config.pl again when
> >>>>> i restart it. Doing this would recreate the /dev/vmnet* files over
> >>>>> again but it will not have the right context, defaulting to
> >>>>> "device_t" instead of "vmware_device_t" that i have modified.
> >>>>> The line in my vmware.fc looks like this:
> >>>>>
> >>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>>
> >>>>> I was thinking that if the script has created a new /dev/vmnet
> >>>>> file it would automatically use the vmware_device_t context but it
> >>>>> didn't. Did i miss out anything?
> >>>>>
> >>>> The problem here is the script is running as initrc_t which has no
> >>>> rules when creating devices in directories labeled device_t (/dev).
> >>>> So it uses the default and labels the devices the same as the
> >>>> directory. Usually when we have this situation, we just run
> >>>> restorecon /dev/XYZ after the creation, for example
> >>>>
> >>>> mknod /dev/XYZ
> >>>> chmod 666 /dev/XYZ
> >>>> restorecon /dev/XYZ
> >>>>
> >>> as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh
> >>> who creates such devices:
> >>>
> >>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2
> >>>
> >>> i notice "/dev" is tmpfs:
> >>>
> >>> -(:14:45:$)-> cat /proc/mounts
> >>> rootfs / rootfs rw 0 0
> >>> /dev/root / ext3 rw,data=ordered 0 0
> >>> /dev /dev tmpfs rw 0 0
> >>> ......
> >>>
> >>> i want to add rules in policy:
> >>>
> >>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
> >>>
> >>> additionally i don't know what type of the net-services.sh, now it is:
> >>>
> >>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh
> >>>
> >>> is this method appropriate?
> >>>
> >>>>> What do the two "--" on the line mean? are they significant?
> >>>>>
> >>>> The -- indicates that this matches only files.
> >>>>
> >>>> -d directories
> >>>> -s sock_file
> >>>> -l link file
> >>>> -c char_file
> >>>> ...
> >>>>
> >>>> Second character matches the first character of the ls -l line
> >>>>
> >>>> ls -l /dev/ttyS0
> >>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
> >>>>
> >>>> If you have no option specified it would match any file type.
> >>>>
> >>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>
> >>>> Would match only "Regular files" with these labels. So you would be
> >>>> better off with -c (or -b if they are block devices).
> >>>>
> >>>>> Sorry about the long post, any help or advice? Thanks.
> >>>>>
> >>>>> Louis
> >>>>>
> >>>>> --
> >>>>> fedora-selinux-list mailing list
> >>>>> fedora-selinux-list at redhat.com
> >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>>>>
> >>>> --
> >>>> fedora-selinux-list mailing list
> >>>> fedora-selinux-list at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>>>
> >>>
> >> One approach to this would be to label the /etc/init.d/vmware script
> >> vmware_initrc_exec_t and then setup the proper transitions.
> >>
> >> This is something we are considering for RBAC. For example we want to
> >> allow the webadm_t to be able to only restart/execute the httpd
> >> script. Currently we have to allow him to execute any initrc script,
> >> although we can prevent him from starting other confined domains.
> >> A cleaner solution might be to label the script differently and setup
> >> another domain for the script to transition to.
> >>
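The `--` versus `-c` distinction in Dan's quoted reply is easy to get wrong, and it only shows up later when restorecon leaves a freshly created device at device_t. The script below is an added example, not code from refpolicy, libselinux or the thread: it resolves a path and file type against file_contexts-style entries the way Dan describes (the optional second field restricts an entry to one file type, an entry with no field matches any type, the regular expression is anchored to the whole path, and the last matching entry wins, which is why the specific vmnet entries follow the generic /dev one). The entries are constructed for the example with gen_context() already expanded; `FC_AS_POSTED` carries the vmnet entries with `--` as in the thread and `FC_CORRECTED` the same entries with `-c`.

```python
"""Resolve a path against file_contexts-style entries.

Added example for the thread above; not libselinux's matcher and not
refpolicy code. Demonstrates why the posted "--" entries leave a
character device at device_t while "-c" entries label it.
"""
import re
from typing import List, Optional, Tuple

# Constructed fragments (gen_context() expanded). The generic /dev entry
# comes first, so anything the specific entries do not match falls back
# to device_t, exactly as Dan describes for devices created in /dev.
FC_AS_POSTED = """\
/dev/.*                          system_u:object_r:device_t:s0
/dev/vmnet[0-9]+            --   system_u:object_r:vmware_device_t:s0
/usr/lib/vmware/bin/vmplayer --  system_u:object_r:vmware_exec_t:s0
"""
FC_CORRECTED = """\
/dev/.*                          system_u:object_r:device_t:s0
/dev/vmnet[0-9]+            -c   system_u:object_r:vmware_device_t:s0
/usr/lib/vmware/bin/vmplayer --  system_u:object_r:vmware_exec_t:s0
"""

# First character of an `ls -l` line -> file-type field in file_contexts.
FC_TYPE_FIELDS = {"-": "--", "d": "-d", "c": "-c", "b": "-b",
                  "s": "-s", "l": "-l", "p": "-p"}

Entry = Tuple[re.Pattern, Optional[str], str]   # (anchored regex, type field or None, context)


def parse_file_contexts(text: str) -> List[Entry]:
    """Parse 'regex [typefield] context' lines; blank lines and # comments are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, context = parts
            if ftype not in FC_TYPE_FIELDS.values():
                raise ValueError(f"unknown file type field in {line!r}")
        elif len(parts) == 2:
            regex, context = parts
            ftype = None                       # no field: matches any file type
        else:
            raise ValueError(f"malformed entry: {line!r}")
        # file_contexts regexes are implicitly anchored to the whole path
        entries.append((re.compile(f"^(?:{regex})$"), ftype, context))
    return entries


def lookup(path: str, file_type: str, entries: List[Entry]) -> Optional[str]:
    """Context for `path`, where file_type is the first character of `ls -l`.

    Every entry is tried in file order and the last match wins; None means
    nothing matched (a real relabel would then leave the file alone).
    """
    wanted = FC_TYPE_FIELDS[file_type]
    result: Optional[str] = None
    for regex, ftype, context in entries:
        if regex.match(path) and ftype in (None, wanted):
            result = context
    return result


if __name__ == "__main__":
    posted, fixed = parse_file_contexts(FC_AS_POSTED), parse_file_contexts(FC_CORRECTED)
    print("char device, as posted :", lookup("/dev/vmnet8", "c", posted))
    print("char device, corrected :", lookup("/dev/vmnet8", "c", fixed))
```

With the entries as posted, a character device /dev/vmnet8 resolves to device_t because only the generic /dev entry matches; the same path as a regular file would get vmware_device_t, which is the mismatch Dan points out. The `-c` version labels the device as intended. A real restorecon additionally takes the type from lstat(2), so a symlink in /dev is matched as `-l`, not as the type of its target.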
From: linux_4ever at yahoo.com (Steve G)
Date: Wed, 25 Jul 2007 19:27:23 -0700 (PDT)
Subject: Today's rawhide update
In-Reply-To: <46A4ABC4.5020900@redhat.com>
Message-ID: <446825.39808.qm@web51501.mail.re2.yahoo.com>

Hi,

Updated again...messages are slightly different but it still fails.

-Steve

  Cleanup    : selinux-policy-targeted   ####################### [39/40]
libsemanage.semanage_commit_sandbox: Could not remove previous backup /etc/selinux/targeted/modules/previous.
Could not change policy booleans
libsemanage.semanage_commit_sandbox: Could not remove previous backup /etc/selinux/targeted/modules/previous.
/usr/sbin/semanage: Could not add SELinux user guest_u
libsemanage.semanage_commit_sandbox: Could not remove previous backup /etc/selinux/targeted/modules/previous.
/usr/sbin/semanage: Could not add SELinux user xguest_u
libsemanage.semanage_commit_sandbox: Could not remove previous backup /etc/selinux/targeted/modules/previous.
Could not change policy booleans
  Cleanup    : selinux-policy            ####################### [40/40]

From kaigai at ak.jp.nec.com Thu Jul 26 08:57:26 2007
From: kaigai at ak.jp.nec.com (KaiGai Kohei)
Date: Thu, 26 Jul 2007 17:57:26 +0900
Subject: Guideline for RPM packages
In-Reply-To: <46681ED6.1010408@kaigai.gr.jp>
References: <46681714.3030009@kaigai.gr.jp> <1181227502.11979.24.camel@moss-spartans.epoch.ncsc.mil> <46681ED6.1010408@kaigai.gr.jp>
Message-ID: <46A861F6.10709@ak.jp.nec.com>

>>> If I remember correctly, someone posted a guideline to make
>>> a RPM package which contains binary security policy, several
>>> weeks ago.
>>>
>>> If you know the URL, would you tell me the location?
>> There is a draft guide at:
>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>
> Thanks, so much!

I have a comment for the Policy Module Packaging Guideline.

The document says every *.pp file should be installed for any sort of policy
(targeted, strict, mls) in the %post section.
However, it can cause a problem when some of the policies are not installed yet.

When we try to install an application including a policy package on a system
which has only the targeted policy, installation of the *.pp files for strict/mls
will fail, needless to say.
If we want to install selinux-policy-strict or -mls later, the orphan *.pp files
are not linked automatically because "/usr/bin/semodule -i" is not invoked.
It causes a simple problem, but one that is a bit difficult to find out.

I have an idea that uses "%triggerin" to invoke "/usr/bin/semodule -i" to link
orphan *.pp files on installation of selinux-policy-* packages later, as follows:

----------------
%triggerin -- selinux-policy-targeted
# rpm passes two counts to a trigger: $1 for the package that carries the
# trigger, $2 for the selinux-policy-* package that fired it; $2 -eq 1 means
# that policy package is being installed, not upgraded ($0 is not a count)
if [ $2 -eq 1 ]; then
  /usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/mymodule.pp &> /dev/null || :
fi
%triggerin -- selinux-policy-strict
if [ $2 -eq 1 ]; then
  /usr/sbin/semodule -s strict -i %{_datadir}/selinux/strict/mymodule.pp &> /dev/null || :
fi
%triggerin -- selinux-policy-mls
if [ $2 -eq 1 ]; then
  /usr/sbin/semodule -s mls -i %{_datadir}/selinux/mls/mymodule.pp &> /dev/null || :
fi
----------------

If the application is installed on a system which already has selinux-policy-strict,
"%triggerin -- selinux-policy-strict" will be invoked just when the application is
installed, so there is no degrading.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei

From kaigai at kaigai.gr.jp Thu Jul 26 16:25:04 2007
From: kaigai at kaigai.gr.jp (KaiGai Kohei)
Date: Fri, 27 Jul 2007 01:25:04 +0900
Subject: SE-PostgreSQL for Fedora (Re: Guideline for RPM packages)
In-Reply-To: <46A861F6.10709@ak.jp.nec.com>
References: <46681714.3030009@kaigai.gr.jp> <1181227502.11979.24.camel@moss-spartans.epoch.ncsc.mil> <46681ED6.1010408@kaigai.gr.jp> <46A861F6.10709@ak.jp.nec.com>
Message-ID: <46A8CAE0.7030809@kaigai.gr.jp>

By the way, I'm seeking sponsors who can review the SE-PostgreSQL package.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522

If you can volunteer for the reviewing process, please contact me.

Thanks,

>>>> If I remember correctly, someone posted a guideline to make
>>>> a RPM package which contains binary security policy, several
>>>> weeks ago.
>>>>
>>>> If you know the URL, would you tell me the location?
>>> There is a draft guide at:
>>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>> Thanks, so much!
>
> I have a comment for the Policy Module Packaging Guideline.
>
> The document says every *.pp file should be installed for any sort of policy
> (targeted, strict, mls) in the %post section.
> However, it can cause a problem when some of the policies are not installed yet.
>
> When we try to install an application including a policy package on a system
> which has only the targeted policy, installation of the *.pp files for strict/mls
> will fail, needless to say.
> If we want to install selinux-policy-strict or -mls later, the orphan *.pp files
> are not linked automatically because "/usr/bin/semodule -i" is not invoked.
> It causes a simple problem, but one that is a bit difficult to find out.
>
> I have an idea that uses "%triggerin" to invoke "/usr/bin/semodule -i" to link
> orphan *.pp files on installation of selinux-policy-* packages later, as follows:
>
> ----------------
> %triggerin -- selinux-policy-targeted
> if [ $0 -eq 1 ]; then
>     /usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/mymodule.pp &> /dev/null || :
> fi
> %triggerin -- selinux-policy-strict
> if [ $0 -eq 1 ]; then
>     /usr/sbin/semodule -s strict -i %{_datadir}/selinux/strict/mymodule.pp &> /dev/null || :
> fi
> %triggerin -- selinux-policy-mls
> if [ $0 -eq 1 ]; then
>     /usr/sbin/semodule -s mls -i %{_datadir}/selinux/mls/mymodule.pp &> /dev/null || :
> fi
> ----------------
>
> If the application is installed on a system which already has selinux-policy-strict,
> "%triggerin -- selinux-policy-strict" will be invoked just when the application is
> installed, so there is no degrading.
>
> Thanks,

--
KaiGai Kohei

From sundaram at fedoraproject.org Thu Jul 26 06:58:59 2007
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Thu, 26 Jul 2007 12:28:59 +0530
Subject: Powertop and SE Alert
Message-ID: <46A84633.50203@fedoraproject.org>

Hi

I get this advice when running powertop

---
Disable the SE-Alert software by removing the 'setroubleshoot-server' rpm
SE-Alert alerts you about SELinux policy violations, but also has a bug
that wakes it up 10 times per second.
---

Is this fixed or do I need to file a bug report?

Rahul

From notting at redhat.com Thu Jul 26 19:01:50 2007
From: notting at redhat.com (Bill Nottingham)
Date: Thu, 26 Jul 2007 15:01:50 -0400
Subject: Powertop and SE Alert
In-Reply-To: <46A84633.50203@fedoraproject.org>
References: <46A84633.50203@fedoraproject.org>
Message-ID: <20070726190150.GH31755@nostromo.devel.redhat.com>

Rahul Sundaram (sundaram at fedoraproject.org) said:
> Is this fixed or do I need to file a bug report?

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239893

Bill

From selinux at gmail.com Thu Jul 26 21:40:24 2007
From: selinux at gmail.com (Tom London)
Date: Thu, 26 Jul 2007 14:40:24 -0700
Subject: insmod_t wants setsched
Message-ID: <4c4ba1530707261440u180cf6feh3b8ee007e2447936@mail.gmail.com>

Get these during boot and shutdown....

type=AVC msg=audit(1185485644.365:96): avc: denied { setsched } for pid=3339 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process
type=SYSCALL msg=audit(1185485644.365:96): arch=40000003 syscall=128 success=yes exit=0 a0=b7f18008 a1=1818c a2=9211708 a3=9211708 items=0 ppid=3315 pid=3339 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=(null)

--
Tom London

From piotreek23 at gmail.com Fri Jul 27 05:32:56 2007
From: piotreek23 at gmail.com (piotreek)
Date: Fri, 27 Jul 2007 07:32:56 +0200
Subject: NTFS-3G strange AVC Denied.
Message-ID: <112c19290707262232w7e2866clc635b5d20a834fcd@mail.gmail.com>

audit(1185512975.221:4): avc: denied { search } for pid=1361 comm="mount.ntfs-3g" name="media" dev=sdb1 ino=65409 scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Jul 27 07:09:46 merkury kernel: audit(1185512975.221:5): avc: denied { search } for pid=1369 comm="mount.ntfs-3g" name="media" dev=sdb1 ino=65409 scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Jul 27 07:09:46 merkury kernel: Adding 2192864k swap on /dev/sdb2. Priority:-1 extents:1 across:2192864k

Hi Guys, after update to ntfs-3g-1.710-1.fc7 I cannot mount my NTFS partitions and get these AVC denied messages.

Greetings,
Peter

From drago01 at gmail.com Fri Jul 27 08:53:03 2007
From: drago01 at gmail.com (dragoran)
Date: Fri, 27 Jul 2007 10:53:03 +0200
Subject: NTFS-3G strange AVC Denied.
In-Reply-To: <112c19290707262232w7e2866clc635b5d20a834fcd@mail.gmail.com>
References: <112c19290707262232w7e2866clc635b5d20a834fcd@mail.gmail.com>
Message-ID: <46A9B26F.90704@gmail.com>

piotreek wrote:
> audit(1185512975.221:4): avc: denied { search } for pid=1361
> comm="mount.ntfs-3g" name="media" dev=sdb1 ino=65409
> scontext=system_u:system_r:mount_ntfs_t:s0
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Jul 27 07:09:46 merkury kernel: audit(1185512975.221:5): avc: denied
> { search } for pid=1369 comm="mount.ntfs-3g" name="media" dev=sdb1
> ino=65409 scontext=system_u:system_r:mount_ntfs_t:s0
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> Jul 27 07:09:46 merkury kernel: Adding 2192864k swap on /dev/sdb2.
> Priority:-1 extents:1 across:2192864k
>
> Hi Guys, after update to ntfs-3g-1.710-1.fc7 I cannot mount my NTFS
> partitions and get these AVC denied messages.
> Greetings, Peter
>
See: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249695
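The two reports above carry the same information in different wrappers: Tom's lines come from audit.log (`type=AVC msg=audit(...)`), Peter's from syslog (`kernel: audit(...)`). The script below is an added example, not audit2allow and not code from the thread. It parses both shapes, pulls the type out of each context (the third colon-separated field, so an MLS range such as `s0-s0:c0.c1023` does not confuse it), merges denials per (source, target, class) and renders the allow rule that would silence each. The sample lines are the denials quoted in this thread, copied inline so the script runs without an audit log; the swap message is included to show non-AVC lines being ignored.

```python
"""Turn raw AVC denials into the allow rule they literally ask for.

Added example for the thread above; not audit2allow and not code from
the list. Handles both the audit.log and the syslog message shapes.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# The denials quoted in this thread (Tom London's insmod_t report and
# piotreek's mount.ntfs-3g report), plus one non-AVC kernel line.
SAMPLE_LINES = [
    'type=AVC msg=audit(1185485644.365:96): avc: denied { setsched } for pid=3339 '
    'comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=process',
    'audit(1185512975.221:4): avc: denied { search } for pid=1361 comm="mount.ntfs-3g" '
    'name="media" dev=sdb1 ino=65409 scontext=system_u:system_r:mount_ntfs_t:s0 '
    'tcontext=system_u:object_r:mnt_t:s0 tclass=dir',
    'Jul 27 07:09:46 merkury kernel: audit(1185512975.221:5): avc: denied { search } '
    'for pid=1369 comm="mount.ntfs-3g" name="media" dev=sdb1 ino=65409 '
    'scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir',
    'Jul 27 07:09:46 merkury kernel: Adding 2192864k swap on /dev/sdb2.',
]

# Matches the part of an AVC record that is common to both shapes.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

Denial = Tuple[str, str, str, FrozenSet[str]]   # (source type, target type, class, perms)


def context_type(context: str) -> str:
    """user:role:type[:range] -> type; the MLS range may itself contain colons."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Extract (src_type, tgt_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (context_type(m["scontext"]), context_type(m["tcontext"]),
            m["tclass"], frozenset(m["perms"].split()))


def suggest_rules(lines: List[str]) -> List[str]:
    """Merge denials per (source, target, class) and render one allow rule each."""
    merged: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            src, tgt, cls, perms = parsed
            merged[(src, tgt, cls)].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LINES):
        print(rule)
```

The two mount.ntfs-3g denials collapse into a single `allow mount_ntfs_t mnt_t:dir search;`. Whether a generated rule belongs in policy is a separate judgement: as the earlier discussion on this list notes, a denial can equally point at a mislabelled file, a boolean the admin has to enable, or a real bug, and the rule only says what was refused.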
From: lshoujun at yahoo.com (Louis Lam)
Date: Fri, 27 Jul 2007 02:05:05 -0700 (PDT)
Subject: Containing vmware player 2.0.0 with SELINUX
Message-ID: <976045.34827.qm@web34813.mail.mud.yahoo.com>

Thanks Daniel for the information, hi everyone

I've tried to make the following changes:

1. Defined the vmware_t type in vmware.te:

type vmware_t;

I need to do this since I'm trying to let the vmware user program run under the
vmware_t domain but this is not defined. In terms of overall code compliance is
it correct to define it here? Or should it be in vmware.if?

2. Created a domain transition so that the vmware user programs, e.g. the
/usr/lib/vmplayer script and /usr/lib/vmware/bin/vmplayer, that are labelled
system_u:object_r:vmware_exec_t will transit to system_u:object_r:vmware_t
when executed. I put it also in vmware.te:

domain_entry_file($1_t, vmware_exec_t, $1_vmware_t)

but on making the vmware.pp module I get this warning and error:

'syntax error' at token '1' on line 81143:
#line 13
allow $1_t vmware_exec_t: file entrypoint;

Not very sure what this means and how it should be corrected.

Thanks in advance,
Louis

----- Original Message ----
From: Daniel J Walsh To: Louis Lam Cc: Ken YANG ; fedora-selinux-list at redhat.com Sent: Wednesday, July 25, 2007 3:12:56 PM Subject: Re: Containing vmware player 2.0.0 with SELINUX Louis Lam wrote: > Hi All, > > Still on the topic of transition between a file vmware_exec_t to vmware_t. > > Under the vmware.if file, there is a: > > domain_entry_file($1_vmware_t, vmware_exec_t) > role $3 types $1_vmware_t > > Is this a rule that allows files marked with vmware_exec_t to transit > to vmware_t? What does the $1,$2,$3 represent? Pardon my ignorance on > this but i see these $1, $2 things appear in a lot of places which > confuse me. Can anyone point me to a place to learn more about the > substitutions? > This just says that files labeled vmware_exec_t can be used as entrypoints into the $1_vmware_t, where $1 is a user type. "user", "staff", "guest", "xguest". The next line specifies which roles can reach the specified domain. No transition rules have been defined. > For the transition to take place I'd probably need to add something > like this: > > domain_auto_trans(initrc_t, vmware_exec_t, vmware_t) > Yes this allows it to reach this particular domain. But to reach the user domains defined above. domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t) or domain_auto_trans(user_t, vmware_exec_t, user_vmware_t) > That is following the suggestion below by Daniel to make the > /usr/bin/vmplayer script initrc_exec_t. > > But not too sure where to place this statement, in vmware.te? > > I tried that but get a compilation error > > vmware.te:13:ERROR: 'unknown type vmware_t' at token ';' > Yes I was mistaken. That is not the way the policy is written. ( I guess I should read before I speak.) If you want to get vmware to transition from unconfined_t you will have to write the transition rules from uncofined_t to unconfined_vmware_t. > I thought vmware_t has been defined in vmware.if? > > Thanks in Advance, > Best Regards, > Louis > > ----- Original Message ---- 
> From: Daniel J Walsh > To: Louis Lam > Cc: Ken YANG ; fedora-selinux-list at redhat.com > Sent: Monday, July 16, 2007 1:24:00 PM > Subject: Re: Containing vmware player 2.0.0 with SELINUX > > Louis Lam wrote: > > Hi All, > > > > I managed to get the vmware host services e.g. vmnet-bridge, > vmnet-dhcpd etc... to be running in > > vmware_host_t domain. I did it by modifying the net-services.sh as > described in an earlier post. > > > > Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it > is similar for vmware ws 6) to > > run in vmware_t domain. First i tried to chcon /usr/bin/vmplayer to > > system_u:object_r:vmware_exec_t. But it turns out that > /usr/bin/vmplayer is a script that would in > > turn execute /usr/lib/vmware/bin/vmplayer. I have chcon > /usr/lib/vmware/bin/vmplayer to > > system_u:object_r:vmware_exec_t but still it runs in unconfined_t > when i launched it. I seems like > > the domain transition didn't take place. Please help. > > > > 1. What should be the context for the /usr/bin/vmplayer script? Does > it affect the transition of > > the actual executable /usr/lib/vmware/bin/vmplayer? > > > > 2. For those who could get vmware workstation 6 to run how did you > get it to run in vmware_t > > domain? > > > > > There is currently no transition from unconfined_t to vmware_t. So the > only way to get > the transition to happen is through the initrc script. You could label > the vmplayer script > initrc_exec_t and the transitions should happen properly. > > THanks, > > Louis > > > > --- Daniel J Walsh wrote: > > > > > >> Ken YANG wrote: > >> > >>> Daniel J Walsh wrote: > >>> > >>> > >>>> Louis Lam wrote: > >>>> > >>>> > >>>>> Hi all, > >>>>> > >>>>> At this point i'm still trying to use SELINUX to "contain" vmware > >>>>> player, making it run in > >>>>> targeted mode. 
> >>>>> > >>>>> I'm still rather new to this but through the help of Ken, i've been > >>>>> able to manipulate modules and > >>>>> get it to "affect" the vmware player but at this point my vmware > >>>>> player is still "broken". > >>>>> Would anyone be able to share their configurations (.te,.fc,.if) > file > >>>>> if you've managed to get it > >>>>> to work with vmware player or vmware-workstation 6 ? CUrrently i'm > >>>>> working with Fedora 7 but > >>>>> intend to port it back to RHEL 5. > >>>>> > >>>>> I've downloaded the latest reference policy from oss and > examined the > >>>>> vmware relevant files. From > >>>>> examining the vmware.fc and > >>>>> "/etc/selinux/targeted/modules/active/file_context", seems like the > >>>>> vmware.fc file could have been written for an older/different > version > >>>>> of vmware where the vmnet > >>>>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer > >>>>> 2/workstation 6. Which > >>>>> version was it written for? > >>>>> > >>>>> > >>>>> > >>>>> > >>>> There is vmware policy that we are starting to use in Rawhide (fc8) > >>>> > >>>> > >>>>> I went on to modify the vmware.fc file and managed to compile > and load > >>>>> the vmware.pp module. But > >>>>> currently this affected the vmware services at startup, e.g. > >>>>> vmnet-dhcpd. For vmware, when > >>>>> something fails to start, it would ask me to rum vmware-config.pl > >>>>> again when i restart it. Doing > >>>>> this would recreate the /dev/vmnet* files over again but it will not > >>>>> have the right context, > >>>>> defaulting to "device_t" instead of "vmware_device_t" that i have > >>>>> modified. 
The line in my > >>>>> vmware.fc looks like this: > >>>>> > >>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>>> > >>>>> I was thinking that if the script has created a new /dev/vmnet > file it > >>>>> would automatically use the > >>>>> vmware_device_t context but it didn't. Did i miss out anything? > >>>>> > >>>>> > >>>>> > >>>> The problem here is the script is running as initrc_t which has > no rules > >>>> when creating devices in directories labeled device_t (/dev) So > it uses > >>>> the default and labels the devices the same as the > directory. Usually > >>>> when we have this situation, we just run restorecon /dev/XYZ > after the > >>>> creation, > >>>> for example > >>>> > >>>> mknod /dev/XYZ > >>>> chmod 666 /dev/XYZ > >>>> restorecon /dev/XYZ > >>>> > >>>> > >>> as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh > >>> who create such devices: > >>> > >>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2 > > >>> > >>> > >>> i notice "/dev" is tmpfs: > >>> > >>> -(:14:45:$)-> cat /proc/mounts > >>> rootfs / rootfs rw 0 0 > >>> /dev/root / ext3 rw,data=ordered 0 0 > >>> /dev /dev tmpfs rw 0 0 > >>> ...... > >>> > >>> i want to add rules in policy: > >>> > >>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t; > >>> > >>> additionally i don't know what type of the net-services.sh, now it is: > >>> > >>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh > >>> > >>> > >>> is this method appropriate? > >>> > >>> > >>> > >>> > >>> > >>> > >>>>> What is the two "--" on the line mean? are they significant? > >>>>> > >>>>> > >>>>> > >>>> The -- indicates that this matches only files. > >>>> > >>>> -d directories > >>>> -s sock_file > >>>> -l link file > >>>> -c char_file > >>>> ... 
> >>>> > >>>> Second character matches the first character of the ls -l line > >>>> > >>>> ls -l /dev/ttyS0 > >>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0 > >>>> > >>>> If you have no option specified it would match any file type. > >>>> > >>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0) > >>>> > >>>> > >>>> Would match only "Regular files" with this labels. So you would be > >>>> better off with -c (or -b if they are block devices). > >>>> > >>>> > >>>>> Sorry about the long post, any help or advice? Thanks. > >>>>> > >>>>> Louis > >>>>> Send instant messages to your online friends > >>>>> http://uk.messenger.yahoo.com > >>>>> -- > >>>>> fedora-selinux-list mailing list > >>>>> fedora-selinux-list at redhat.com > >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >>>>> > >>>>> > >>>>> > >>>> -- > >>>> fedora-selinux-list mailing list > >>>> fedora-selinux-list at redhat.com > >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >>>> > >>>> > >>>> > >>> > >>> > >> One approach to this would be to label the /etc/init.d/vmware script > >> vmware_initrc_exec_t and then setup the proper transitions. > >> > >> This is something we are considering for RBAC. For example we want to > >> allow the webadm_t to be able to only restart/execute the httpd > >> script. Currently we have to allow him to execute any initrc script, > >> although we can prevent him from starting other confined domains. > >> A cleaner solution might be to label the script differently and setup > >> another domain for the script to transition to. 
> >>
>
> Send instant messages to your online friends
> http://uk.messenger.yahoo.com

Send instant messages to your online friends http://uk.messenger.yahoo.com

From lshoujun at yahoo.com Fri Jul 27 09:15:07 2007
From: lshoujun at yahoo.com (Louis Lam)
Date: Fri, 27 Jul 2007 02:15:07 -0700 (PDT)
Subject: Containing vmware player 2.0.0 with SELINUX
Message-ID: <977034.19161.qm@web34809.mail.mud.yahoo.com>

My mistakes, apologies for the confusion, under part 2, I was trying to do domain_auto_trans instead of domain_entry_file, so...

2. Created a domain transition so that the vmware user programs e.g. /usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are labelled system_u:object_r:vmware_exec_t will transit to system_u:object_r:vmware_t when executed. I put it also in vmware.te:

domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)

but on making the vmware.pp module I get this warning and error:

'syntax error' at token '1' on line 81143:
#line 13
allow $1_t vmware_exec_t: file {getattr read execute};

Thanks in advance,
Louis

----- Original Message ----
From: Louis Lam
To: Daniel J Walsh
Cc: fedora-selinux-list at redhat.com
Sent: Friday, July 27, 2007 5:05:05 AM
Subject: Re: Containing vmware player 2.0.0 with SELINUX

Thanks Daniel for the information, hi everyone

I've tried to make the following changes:

1. Defined the vmware_t type in vmware.te:
type vmware_t;

I need to do this since I'm trying to let the vmware user program run under the vmware_t domain but this is not defined. In terms of overall code compliance is it correct to define it here? or should it be in the vmware.if?

2. Created a domain transition so that the vmware user programs e.g. /usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are labelled system_u:object_r:vmware_exec_t will transit to system_u:object_r:vmware_t when executed. I put it also in vmware.te:

domain_entry_file($1_t, vmware_exec_t, $1_vmware_t)

but on making the vmware.pp module I get this warning and error:

'syntax error' at token '1' on line 81143:
#line 13
allow $1_t vmware_exec_t: file entrypoint;

Not very sure what this means and how it should be corrected.

Thanks in advance,
Louis

----- Original Message ----
From: Daniel J Walsh
To: Louis Lam
Cc: Ken YANG ; fedora-selinux-list at redhat.com
Sent: Wednesday, July 25, 2007 3:12:56 PM
Subject: Re: Containing vmware player 2.0.0 with SELINUX

Louis Lam wrote:
> Hi All,
>
> Still on the topic of transition between a file vmware_exec_t to vmware_t.
>
> Under the vmware.if file, there is a:
>
> domain_entry_file($1_vmware_t, vmware_exec_t)
> role $3 types $1_vmware_t
>
> Is this a rule that allows files marked with vmware_exec_t to transit
> to vmware_t? What do the $1,$2,$3 represent? Pardon my ignorance on
> this but i see these $1, $2 things appear in a lot of places which
> confuse me. Can anyone point me to a place to learn more about the
> substitutions?
>
This just says that files labeled vmware_exec_t can be used as entrypoints into $1_vmware_t, where $1 is a user type: "user", "staff", "guest", "xguest". The next line specifies which roles can reach the specified domain. No transition rules have been defined.

> For the transition to take place I'd probably need to add something
> like this:
>
> domain_auto_trans(initrc_t, vmware_exec_t, vmware_t)
>
Yes, this allows it to reach this particular domain. But to reach the user domains defined above:

domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)

or

domain_auto_trans(user_t, vmware_exec_t, user_vmware_t)

> That is following the suggestion below by Daniel to make the
> /usr/bin/vmplayer script initrc_exec_t.
>
> But not too sure where to place this statement, in vmware.te?
>
> I tried that but get a compilation error
>
> vmware.te:13:ERROR: 'unknown type vmware_t' at token ';'
>
Yes, I was mistaken. That is not the way the policy is written. (I guess I should read before I speak.) If you want to get vmware to transition from unconfined_t you will have to write the transition rules from unconfined_t to unconfined_vmware_t.

> I thought vmware_t has been defined in vmware.if?
>
> Thanks in Advance,
> Best Regards,
> Louis
>
> ----- Original Message ----
> From: Daniel J Walsh
> To: Louis Lam
> Cc: Ken YANG ; fedora-selinux-list at redhat.com
> Sent: Monday, July 16, 2007 1:24:00 PM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Louis Lam wrote:
> > Hi All,
> >
> > I managed to get the vmware host services e.g. vmnet-bridge,
> > vmnet-dhcpd etc... to be running in vmware_host_t domain. I did it by
> > modifying the net-services.sh as described in an earlier post.
> >
> > Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it
> > is similar for vmware ws 6) to run in vmware_t domain. First i tried
> > to chcon /usr/bin/vmplayer to system_u:object_r:vmware_exec_t. But it
> > turns out that /usr/bin/vmplayer is a script that would in turn
> > execute /usr/lib/vmware/bin/vmplayer. I have chcon
> > /usr/lib/vmware/bin/vmplayer to system_u:object_r:vmware_exec_t but
> > still it runs in unconfined_t when i launched it. It seems like the
> > domain transition didn't take place. Please help.
> >
> > 1. What should be the context for the /usr/bin/vmplayer script? Does
> > it affect the transition of the actual executable
> > /usr/lib/vmware/bin/vmplayer?
> >
> > 2. For those who could get vmware workstation 6 to run, how did you
> > get it to run in vmware_t domain?
> >
> There is currently no transition from unconfined_t to vmware_t. So the
> only way to get the transition to happen is through the initrc script.
> You could label the vmplayer script initrc_exec_t and the transitions
> should happen properly.
>
> > Thanks,
> > Louis
> >
> > --- Daniel J Walsh wrote:
> >
> >> Ken YANG wrote:
> >>
> >>> Daniel J Walsh wrote:
> >>>
> >>>> Louis Lam wrote:
> >>>>
> >>>>> Hi all,
> >>>>>
> >>>>> At this point i'm still trying to use SELINUX to "contain" vmware
> >>>>> player, making it run in targeted mode.
> >>>>>
> >>>>> I'm still rather new to this but through the help of Ken, i've been
> >>>>> able to manipulate modules and get it to "affect" the vmware player,
> >>>>> but at this point my vmware player is still "broken".
> >>>>> Would anyone be able to share their configuration files (.te,.fc,.if)
> >>>>> if you've managed to get it to work with vmware player or
> >>>>> vmware-workstation 6 ? Currently i'm working with Fedora 7 but
> >>>>> intend to port it back to RHEL 5.
> >>>>>
> >>>>> I've downloaded the latest reference policy from oss and examined the
> >>>>> vmware relevant files. From examining the vmware.fc and
> >>>>> "/etc/selinux/targeted/modules/active/file_context", it seems like the
> >>>>> vmware.fc file could have been written for an older/different version
> >>>>> of vmware where the vmnet devices are at /dev/vmnet.* instead of the
> >>>>> /dev/vmnet* found in vmplayer 2/workstation 6. Which version was it
> >>>>> written for?
> >>>>>
> >>>> There is vmware policy that we are starting to use in Rawhide (fc8)
> >>>>
> >>>>> I went on to modify the vmware.fc file and managed to compile and load
> >>>>> the vmware.pp module. But currently this affected the vmware services
> >>>>> at startup, e.g. vmnet-dhcpd. For vmware, when something fails to
> >>>>> start, it would ask me to run vmware-config.pl again when i restart
> >>>>> it. Doing this would recreate the /dev/vmnet* files over again but it
> >>>>> will not have the right context, defaulting to "device_t" instead of
> >>>>> the "vmware_device_t" that i have modified.
> >>
>
> Send instant messages to your online friends
> http://uk.messenger.yahoo.com

Send instant messages to your online friends http://uk.messenger.yahoo.com

From amarkelov at pluscom.ru Fri Jul 27 13:58:24 2007
From: amarkelov at pluscom.ru (Markelov Andrey)
Date: Fri, 27 Jul 2007 17:58:24 +0400
Subject: Novice problem with apol/ policy.conf
Message-ID:

Hello,

I am a novice in SELinux. For policy analysis I compiled policy.conf from selinux-policy-2.4.6-30.el5.src.rpm on RHEL5.

When I tried to open policy.21 with apol (GUI version 3.0, libapol version 3.0.0) it was ok. But when I opened policy.conf I received the following error: The selected file does not appear to be a valid SELinux Policy. Error opening policy: Input/output error. And in the console:

tmp/rolemap.conf:624:ERROR 'syntax error' at token 'ntfs-3g' on line 1563798:
genfscon ntfs-3g / system_u:object_r:dosfs_t
genfscon msdos / system_u:object_r:dosfs_t

What is the possible reason?

____
Andrey Markelov
Plus Communications
Phone: +7(495)777-0-111 ext.533

From selinux at gmail.com Fri Jul 27 14:20:17 2007
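The `--` versus `-c` file-type specifier that Daniel explains in the quoted vmware thread above, worked through as an added example (not code posted to the list): a minimal file_contexts matcher that shows why a `--` entry never applies to the /dev/vmnet character devices while `-c` does. The `/dev/.*` catch-all entry and the "later entry wins" precedence are constructed here to mirror file_contexts(5) behaviour, not taken from the thread.

```python
"""Added example, not code from the fedora-selinux-list thread: a small
matcher for SELinux file_contexts entries that shows what the file-type
specifier (the "--", "-c", "-b", ... field) does. The spec lines are
constructed, modelled on the vmware.fc lines quoted in the thread."""
import re
import stat

# The specifier's second character is the first column of `ls -l`; each
# maps to the corresponding st_mode test. No specifier means any type.
TYPE_TESTS = {
    "-": stat.S_ISREG,   # regular file
    "d": stat.S_ISDIR,   # directory
    "c": stat.S_ISCHR,   # character device
    "b": stat.S_ISBLK,   # block device
    "l": stat.S_ISLNK,   # symbolic link
    "s": stat.S_ISSOCK,  # socket
    "p": stat.S_ISFIFO,  # named pipe
}

SPEC_RE = re.compile(r"^(\S+)\s+(?:(-[-dcblsp])\s+)?(\S+)$")
GEN_CONTEXT_RE = re.compile(r"^gen_context\(([^,]+),([^)]+)\)$")


def plain_context(ctx):
    """Unwrap the .fc source form gen_context(ctx,mls) into the
    user:role:type:level form found in the compiled file_contexts."""
    m = GEN_CONTEXT_RE.match(ctx)
    return "%s:%s" % (m.group(1), m.group(2)) if m else ctx


def parse_spec(line):
    """Parse one file_contexts line into (compiled path regex,
    type letter or None, context); returns None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = SPEC_RE.match(line)
    if not m:
        raise ValueError("malformed file_contexts line: %r" % line)
    path_re, ftype, ctx = m.groups()
    # file_contexts regexes are anchored at both ends.
    return re.compile(path_re + "$"), (ftype[1] if ftype else None), plain_context(ctx)


def match_context(specs, path, mode):
    """Return the context a restorecon-style lookup would assign to
    `path` whose st_mode is `mode`, or None if nothing matches.
    Later entries take precedence (assumed, as in file_contexts(5))."""
    result = None
    for path_re, letter, ctx in specs:
        if not path_re.match(path):
            continue
        if letter is not None and not TYPE_TESTS[letter](mode):
            continue
        result = ctx
    return result


def label_for(lines, path, mode):
    """Convenience wrapper: parse spec lines, then look up one path."""
    specs = [s for s in (parse_spec(l) for l in lines) if s]
    return match_context(specs, path, mode)


# Constructed spec lines: a /dev catch-all labelled device_t, then the
# vmnet entry first as written in the thread ("--", regular files only)
# and then with the "-c" Daniel recommends for character devices.
AS_WRITTEN = [
    "/dev/.*      gen_context(system_u:object_r:device_t,s0)",
    "/dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)",
]
CORRECTED = [
    "/dev/.*      gen_context(system_u:object_r:device_t,s0)",
    "/dev/vmnet0  -c gen_context(system_u:object_r:vmware_device_t,s0)",
]

# st_mode of /dev/vmnet0 as the vmware scripts create it (crw-------)
# and of a regular file with the same name, for comparison.
VMNET_CHR = stat.S_IFCHR | 0o600
VMNET_REG = stat.S_IFREG | 0o600

if __name__ == "__main__":
    for name, lines in (("as written", AS_WRITTEN), ("with -c", CORRECTED)):
        print(name, "char device:", label_for(lines, "/dev/vmnet0", VMNET_CHR))
        print(name, "regular file:", label_for(lines, "/dev/vmnet0", VMNET_REG))
```

With the `--` entry the character device falls through to the generic device_t label, which is exactly the "defaulting to device_t" symptom Louis reported after restorecon; only the `-c` entry relabels it vmware_device_t.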
From: selinux at gmail.com (Tom London)
Date: Fri, 27 Jul 2007 07:20:17 -0700
Subject: loadkeys.... I see red.... (minor)
Message-ID: <4c4ba1530707270720q4374f836x2d26ec6abb4221df@mail.gmail.com>

Running latest Rawhide, targeted/enforcing.

On boot, I get a failure message from rc.sysinit when loading the keymap.

System->Administration->Keyboard produces AVCs, so I suspect the bootup failure is related.

Appears that loadkeys will try to search the current working directory for the keymap file if its argument is not an 'absolute path'. So, s-c-keyboard will try to search /home and /home/. Not sure which directory loadkeys runs in during rc.sysinit.

I've thought of the following options:

1. Change rc.sysinit to include the full path in the call to loadkeys. That will probably turn the RED message on boot to GREEN. But, s-c-keyboard will still produce AVCs. [Seems to 'work', however.]
2. Change loadkeys to only look at /lib/kbd. I'm guessing this is not likely, nor correct.
3. Allow loadkeys_t to search home_dir_t and home_root_t or DONTAUDIT.
4. Other? Combination?

tom
--
Tom London

From notting at redhat.com Fri Jul 27 14:25:49 2007
From: notting at redhat.com (Bill Nottingham)
Date: Fri, 27 Jul 2007 10:25:49 -0400
Subject: loadkeys.... I see red.... (minor)
In-Reply-To: <4c4ba1530707270720q4374f836x2d26ec6abb4221df@mail.gmail.com>
References: <4c4ba1530707270720q4374f836x2d26ec6abb4221df@mail.gmail.com>
Message-ID: <20070727142549.GA27466@nostromo.devel.redhat.com>

Tom London (selinux at gmail.com) said:
> 1. Change rc.sysinit to include full path in call to loadkeys. That
> will probably turn RED message on boot to GREEN. But, s-c-keyboard
> will still produce AVCs. [Seems to 'work', however.]

Since the maps are spread out over various subdirectories of /lib/kbd, I don't think this is really practical (also, it requires rewriting config files.)

Bill

From dwalsh at redhat.com Fri Jul 27 15:48:39 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 27 Jul 2007 11:48:39 -0400
Subject: insmod_t wants setsched
In-Reply-To: <4c4ba1530707261440u180cf6feh3b8ee007e2447936@mail.gmail.com>
References: <4c4ba1530707261440u180cf6feh3b8ee007e2447936@mail.gmail.com>
Message-ID: <46AA13D7.7090408@redhat.com>

Tom London wrote:
> Get these during boot and shutdown....
>
> type=AVC msg=audit(1185485644.365:96): avc: denied { setsched } for
> pid=3339 comm="modprobe"
> scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:kernel_t:s0 tclass=process
> type=SYSCALL msg=audit(1185485644.365:96): arch=40000003 syscall=128
> success=yes exit=0 a0=b7f18008 a1=1818c a2=9211708 a3=9211708 items=0
> ppid=3315 pid=3339 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="modprobe" exe="/sbin/modprobe"
> subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=(null)
>
Fixed in rawhide.

From dwalsh at redhat.com Fri Jul 27 16:39:32 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 27 Jul 2007 12:39:32 -0400
Subject: loadkeys.... I see red.... (minor)
In-Reply-To: <20070727142549.GA27466@nostromo.devel.redhat.com>
References: <4c4ba1530707270720q4374f836x2d26ec6abb4221df@mail.gmail.com> <20070727142549.GA27466@nostromo.devel.redhat.com>
Message-ID: <46AA1FC4.50402@redhat.com>

Bill Nottingham wrote:
> Tom London (selinux at gmail.com) said:
>> 1. Change rc.sysinit to include full path in call to loadkeys. That
>> will probably turn RED message on boot to GREEN. But, s-c-keyboard
>> will still produce AVCs. [Seems to 'work', however.]
>
> Since the maps are spread out over various subdirectories of /lib/kbd,
> I don't think this is really practical (also, requires rewriting config
> files.)
>
> Bill
>
I believe the problem on boot was caused by loadkeys not being able to talk to generic labeled ttys. I have changed that in rawhide policy and the failure has disappeared.

From selinux at gmail.com Fri Jul 27 17:31:27 2007
From: selinux at gmail.com (Tom London)
Date: Fri, 27 Jul 2007 10:31:27 -0700
Subject: loadkeys.... I see red.... (minor)
In-Reply-To: <46AA1FC4.50402@redhat.com>
References: <4c4ba1530707270720q4374f836x2d26ec6abb4221df@mail.gmail.com> <20070727142549.GA27466@nostromo.devel.redhat.com> <46AA1FC4.50402@redhat.com>
Message-ID: <4c4ba1530707271031v5c03e734ma8757eccc2f98743@mail.gmail.com>

On 7/27/07, Daniel J Walsh wrote:
> Bill Nottingham wrote:
> > Tom London (selinux at gmail.com) said:
> >> 1. Change rc.sysinit to include full path in call to loadkeys. That
> >> will probably turn RED message on boot to GREEN. But, s-c-keyboard
> >> will still produce AVCs. [Seems to 'work', however.]
> >
> > Since the maps are spread out over various subdirectories of /lib/kbd,
> > I don't think this is really practical (also, requires rewriting config
> > files.)
> >
> > Bill
> >
> I believe the problem on boot was caused by loadkeys not being able to
> talk to generic labeled ttys. I have changed that in rawhide policy and
> the failure has disappeared.
>
Figured I would get it wrong.... ;)

--
Tom London

From eparis at redhat.com Fri Jul 27 17:44:12 2007
From: eparis at redhat.com (Eric Paris)
Date: Fri, 27 Jul 2007 13:44:12 -0400
Subject: Novice problem with apol/ policy.conf
In-Reply-To:
References:
Message-ID: <1185558252.3669.2.camel@dhcp231-215.rdu.redhat.com>

On Fri, 2007-07-27 at 17:58 +0400, Markelov Andrey wrote:
> Hello,
> I am novice in SELinux. For policy analysis I compiled policy.conf from selinux-policy-2.4.6-30.el5.src.rpm on RHEL5.
> When I tried to open policy.21 with apol (GUI version 3.0
> libapol version 3.0.0) it was ok. But when i opened policy.conf i received the following error: The selected file does not appear to be a valid SELinux Policy. Error opening policy: Input/output error. And in console
> tmp/rolemap.conf:624:ERROR 'syntax error' at token 'ntfs-3g' on line 1563798:
> genfscon ntfs-3g / system_u:object_r:dosfs_t
>
> genfscon msdos / system_u:object_r:dosfs_t
>
> What is the possible reason?

I'd bet on an apol bug, but I don't know. The addition of a '-' in ntfs-3g caused a number of headaches. I'm adding the upstream list to the cc and hopefully one of the people who work on apol will know right offhand.

-Eric

From cpebenito at tresys.com Fri Jul 27 19:02:35 2007
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Fri, 27 Jul 2007 19:02:35 +0000
Subject: Novice problem with apol/ policy.conf
In-Reply-To: <1185558252.3669.2.camel@dhcp231-215.rdu.redhat.com>
References: <1185558252.3669.2.camel@dhcp231-215.rdu.redhat.com>
Message-ID: <1185562955.24951.52.camel@gorn>

On Fri, 2007-07-27 at 13:44 -0400, Eric Paris wrote:
> On Fri, 2007-07-27 at 17:58 +0400, Markelov Andrey wrote:
> > Hello,
> > I am novice in SELinux. For policy analysis I compiled policy.conf from selinux-policy-2.4.6-30.el5.src.rpm on RHEL5.
> > When I tried to open policy.21 with apol (GUI version 3.0
> > libapol version 3.0.0) it was ok. But when i opened policy.conf i received the following error: The selected file does not appear to be a valid SELinux Policy. Error opening policy: Input/output error. And in console
> > tmp/rolemap.conf:624:ERROR 'syntax error' at token 'ntfs-3g' on line 1563798:
> > genfscon ntfs-3g / system_u:object_r:dosfs_t
> >
> > genfscon msdos / system_u:object_r:dosfs_t
> >
> > What is the possible reason?
>
> I'd bet on an apol bug, but I don't know. The addition of a '-' in
> ntfs-3g caused a number of headaches. I'm adding the upstream list to
> the cc and hopefully one of the people who work on apol will know right
> offhand.

Just like the checkpolicy/checkmodule parser, the setools parser had to be updated, and this happened in setools 3.0.1.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From spng.yang at gmail.com Sat Jul 28 08:33:09 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Sat, 28 Jul 2007 16:33:09 +0800
Subject: [RFC] policy about nas sound server
Message-ID: <46AAFF45.1090909@gmail.com>

hi all,

i wrote a module for Network Audio System (NAS) in fedora rawhide.

firstly, i thought there was no policy for nas, so i wrote it from scratch, but after finishing, i found there is a soundserver module in policy, so i ported my nas policy into this module.

i am not familiar with nas, so i just made some tests for the new soundserver policy, especially some tools in the nas package, including: audemo, audial, auinfo, aupanel, auplay......

IMHO, it seems to work well, and there were not any errors about nas in the audit messages.

-(:16:13:$)-> rpm -q nas
nas-1.9-2.fc7.i386
-(yangshao at Nerazzurri:pts/2)--------------------------------------(~/workBench/selinux/soundserver)-(5/5)-
-(:16:13:$)-> ps axZ|grep nas
system_u:system_r:soundd_t 2322 ? S 0:00 nasd -b -local
system_u:system_r:unconfined_t 4329 pts/2 S+ 0:00 egrep --color -r --exclude=*.svn* nas
-(yangshao at Nerazzurri:pts/2)--------------------------------------(~/workBench/selinux/soundserver)-(5/5)-
-(:16:13:$)-> rpm -q selinux-policy-targeted
selinux-policy-targeted-3.0.4-1.fc8.noarch

please review this patch.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: soundserver-3.0.4.patch
Type: text/x-patch
Size: 4535 bytes
Desc: not available
URL:

From spng.yang at gmail.com Sat Jul 28 09:28:25 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Sat, 28 Jul 2007 17:28:25 +0800
Subject: Containing vmware player 2.0.0 with SELINUX
In-Reply-To: <977034.19161.qm@web34809.mail.mud.yahoo.com>
References: <977034.19161.qm@web34809.mail.mud.yahoo.com>
Message-ID: <46AB0C39.9090902@gmail.com>

Louis Lam wrote:
> My mistakes, apologies for the confusion, under part 2, I was trying to do domain_auto_trans instead of domain_entry_file, so...
>
> 2. Created a domain transition so that the vmware user programs e.g.
> /usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are
> labelled system_u:object_r:vmware_exec_t will transit to
> system_u:object_r:vmware_t when executed. I put it also in vmware.te:
>
> domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
>
> but on making the vmware.pp module I get this warning and error:
>
> 'syntax error' at token '1' on line 81143:
> #line 13
> allow $1_t vmware_exec_t: file {getattr read execute};

this rule is generated by domain_auto_trans, so i think the syntax error should be caused by other rules.

you may check other rules in your policy.

> Thanks in advance,
> Louis
>
> ----- Original Message ----
> From: Louis Lam
> To: Daniel J Walsh
> Cc: fedora-selinux-list at redhat.com
> Sent: Friday, July 27, 2007 5:05:05 AM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Thanks Daniel for the information, hi everyone
>
> I've tried to make the following changes:
>
> 1. Defined the vmware_t type in vmware.te:
> type vmware_t;
>
> I need to do this since I'm trying to let the vmware user program run under vmware_t domain but this is not defined. In terms of overall code compliance is it correct to define here? or should be at the vmware.if?

the type definition should be in vmware.te

From selinux at gmail.com Sat Jul 28 23:32:35 2007
From: selinux at gmail.com (Tom London)
Date: Sat, 28 Jul 2007 16:32:35 -0700
Subject: crond wants 'entrypoint' for updpwd_exec_t
Message-ID: <4c4ba1530707281632p7b73d467x9cfb2f065133fa51@mail.gmail.com>

Rawhide, targeted/enforcing.

Seeing the below. Sort of remember something similar (May 30 according to gmail) that seemed to be resolved by pam:
http://www.redhat.com/archives/fedora-selinux-list/2007-May/msg00095.html

This similar?

tom

type=AVC msg=audit(1185663661.818:55): avc: denied { entrypoint } for pid=8356 comm="crond" path="/sbin/unix_update" dev=dm-0 ino=11338066 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1185663661.818:55): arch=40000003 syscall=11 success=no exit=-13 a0=2c2918 a1=bffa858c a2=2c4408 a3=400 items=0 ppid=8355 pid=8356 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)

--
Tom London

From janfrode at tanso.net Sun Jul 29 16:20:10 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Sun, 29 Jul 2007 18:20:10 +0200
Subject: remote logging and sealert
Message-ID:

We run a centralized syslog server, and separate all syslogged avc messages into a separate log file. Is it possible to have setroubleshooter/sealert use this log file?

-jf

From amarkelov at pluscom.ru Mon Jul 30 07:51:26 2007
From: amarkelov at pluscom.ru (Andrey Markelov)
Date: Mon, 30 Jul 2007 11:51:26 +0400
Subject: Novice problem with apol/ policy.conf
In-Reply-To: <1185562955.24951.52.camel@gorn>
References: <1185558252.3669.2.camel@dhcp231-215.rdu.redhat.com> <1185562955.24951.52.camel@gorn>
Message-ID: <20070730115126.5c79b7c1.amarkelov@pluscom.ru>

Thanks for the clarifications! I was confused that on a fully updated RHEL system apol can't open the default policy. At first I looked at bugzilla and did not see any bug reports.

--
Andrey Markelov,
Plus Communications
Phone: +7(495)777-0-111 ext.533

On Fri, 27 Jul 2007 19:02:35 +0000
"Christopher J. PeBenito" wrote:

> On Fri, 2007-07-27 at 13:44 -0400, Eric Paris wrote:
> > On Fri, 2007-07-27 at 17:58 +0400, Markelov Andrey wrote:
> > > Hello,
> > > I am novice in SELinux. For policy analysis I compiled policy.conf from selinux-policy-2.4.6-30.el5.src.rpm on RHEL5.
> > > When I tried to open policy.21 with apol (GUI version 3.0
> > > libapol version 3.0.0) it was ok. But when i opened policy.conf i received the following error: The selected file does not appear to be a valid SELinux Policy. Error opening policy: Input/output error. And in console
> > > tmp/rolemap.conf:624:ERROR 'syntax error' at token 'ntfs-3g' on line 1563798:
> > > genfscon ntfs-3g / system_u:object_r:dosfs_t
> > >
> > > genfscon msdos / system_u:object_r:dosfs_t
> > >
> > > What is the possible reason?
> >
> > I'd bet on an apol bug, but I don't know. The addition of a '-' in
> > ntfs-3g caused a number of headaches. I'm adding the upstream list to
> > the cc and hopefully one of the people who work on apol will know right
> > offhand.
>
> Just like the checkpolicy/checkmodule parser, the setools parser had to
> be updated, and this happened in setools 3.0.1.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>

From lshoujun at yahoo.com Mon Jul 30 09:11:14 2007
From: lshoujun at yahoo.com (Louis Lam)
Date: Mon, 30 Jul 2007 02:11:14 -0700 (PDT)
Subject: Containing vmware player 2.0.0 with SELINUX
Message-ID: <895701.27672.qm@web34805.mail.mud.yahoo.com>

Hi,

I think i'm having a policy compilation problem here.

I've moved the domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t) statement to vmware.if. I was following the domain_auto_trans rules for other apps such as mozilla. The syntax error problem went away.

But the problem is that the domain transition didn't take place. My vmplayer is still running in the unconfined state.

I'm doing compilation of the vmware.pp module using make -f /usr/share/selinux/devel/Makefile. I've tried to purposely introduce errors into vmware.if to see if the compilation is effective:

e.g. domain_auto_trans($2, $2, $1_t, vmware_exec_t, $1_vmware_t)

But the make process didn't detect any errors and the compilation still went on. I did a diff between the vmware.pp at /etc/selinux/targeted/modules/active/modules/vmware.pp and the development directory (where I do all my compilation), but there are no differences.

Does it mean that if the vmware.if file is modified it will not affect the make?

How do you ensure that the changes in vmware.if are effective? (well at least cause some compilation errors?)

Thanks,
Louis

----- Original Message ----
From: Ken YANG
To: Louis Lam
Cc: Daniel J Walsh ; fedora-selinux-list at redhat.com
Sent: Saturday, July 28, 2007 5:28:25 PM
Subject: Re: Containing vmware player 2.0.0 with SELINUX

Louis Lam wrote:
> My mistakes, apologies for the confusion, under part 2, I was trying to do domain_auto_trans instead of domain_entry_file, so...
>
> 2. Created a domain transition so that the vmware user programs e.g.
> /usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are
> labelled system_u:object_r:vmware_exec_t will transit to
> system_u:object_r:vmware_t when executed. I put it also in vmware.te:
>
> domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
>
> but on making the vmware.pp module I get this warning and error:
>
> 'syntax error' at token '1' on line 81143:
> #line 13
> allow $1_t vmware_exec_t: file {getattr read execute};

this rule is generated by domain_auto_trans, so i think the syntax error should be caused by other rules.

you may check other rules in your policy.

> Thanks in advance,
> Louis
>
> ----- Original Message ----
> From: Louis Lam
> To: Daniel J Walsh
> Cc: fedora-selinux-list at redhat.com
> Sent: Friday, July 27, 2007 5:05:05 AM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Thanks Daniel for the information, hi everyone
>
> I've tried to make the following changes:
>
> 1. Defined the vmware_t type in vmware.te:
> type vmware_t;
>
> I need to do this since I'm trying to let the vmware user program run under vmware_t domain but this is not defined. In terms of overall code compliance is it correct to define here? or should be at the vmware.if?

the type definition should be in vmware.te

Send instant messages to your online friends http://uk.messenger.yahoo.com

From sathish.raman at tcs.com Mon Jul 30 09:55:07 2007
From: sathish.raman at tcs.com (Sathish Raman)
Date: Mon, 30 Jul 2007 15:25:07 +0530
Subject: Help requried on SELinux
Message-ID:

Hi all,

I am a beginner in SELinux. Please let me know if any documents are available for basic administration, writing policies and how to edit targeted policies.

thanks & regards,
Sathish Kumar

=====-----=====-----=====
Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

From spng.yang at gmail.com Mon Jul 30 10:40:41 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Mon, 30 Jul 2007 18:40:41 +0800
Subject: Help requried on SELinux
In-Reply-To:
References:
Message-ID: <46ADC029.4000502@gmail.com>

Sathish Raman wrote:
> Hi all,
>
> I am beginner in SELinux. Please let me know if any documents available
> for basic administration, writing policies and how to edit targeted
> policies.

administration related:

http://fedoraproject.org/wiki/SELinux

because fedora is the best distribution regarding selinux support

policy related:

http://oss.tresys.com/projects/refpolicy

BTW, there are so many docs about selinux, you can use google

> thanks & regards,
> Sathish Kumar

From spng.yang at gmail.com Mon Jul 30 10:53:17 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Mon, 30 Jul 2007 18:53:17 +0800
Subject: Containing vmware player 2.0.0 with SELINUX
In-Reply-To: <895701.27672.qm@web34805.mail.mud.yahoo.com>
References: <895701.27672.qm@web34805.mail.mud.yahoo.com>
Message-ID: <46ADC31D.5020506@gmail.com>

Louis Lam wrote:
> Hi,
>
> I think I'm having a policy compilation problem here.
>
> I've moved the domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t) statement to vmware.if. I was following the domain_auto_trans rules for other apps such as mozilla. The syntax error problem went away.
>
> But the problem is that the domain transition didn't take place. My vmplayer is still running in the unconfined state.
>
> I'm compiling the vmware.pp module using make -f /usr/share/selinux/devel/Makefile. I've tried to purposely introduce errors into vmware.if to see if the compilation is effective:
>
> e.g. domain_auto_trans($2, $2, $1_t, vmware_exec_t, $1_vmware_t)
>
> But the make process didn't detect any errors and the compilation still went on. I did a diff between the vmware.pp at /etc/selinux/targeted/modules/active/modules/vmware.pp and the development directory (where I do all my compilation), but there are no differences.
>
> Does it mean that if the vmware.if file is modified it will not affect the make?

As I infer (I'm not sure):

The interface will not be checked unless someone invokes it, because if there are no invocations, the parameters cannot be determined.

When you build the vmware module, you will not use your own interface in your own module, so the build process will not detect the error.

> How do you ensure that the changes at vmware.if are effective? (well, at least cause some compilation errors?)
>
> Thanks,
> Louis
>
> ----- Original Message ----
> From: Ken YANG
> To: Louis Lam
> Cc: Daniel J Walsh ; fedora-selinux-list at redhat.com
> Sent: Saturday, July 28, 2007 5:28:25 PM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Louis Lam wrote:
>> My mistakes, apologies for the confusion, under part 2, I was trying to do domain_auto_trans instead of domain_entry_file, so...
>>
>> 2. Created a domain transition so that the vmware user programs, e.g.
>> the /usr/lib/vmplayer script and /usr/lib/vmware/bin/vmplayer, that are
>> labelled system_u:object_r:vmware_exec_t will transition to
>> system_u:object_r:vmware_t when executed. I put it also in vmware.te:
>>
>> domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
>>
>> but on making the vmware.pp module I get this warning and error:
>>
>> 'syntax error' at token '1' on line 81143:
>> #line 13
>> allow $1_t vmware_exec_t: file {getattr read execute};
>
> This rule is generated by domain_auto_trans, so I think the
> syntax error should be caused by other rules.
>
> You may check other rules in your policy.
>
>> Thanks in advance,
>> Louis
>>
>> ----- Original Message ----
>> From: Louis Lam
>> To: Daniel J Walsh
>> Cc: fedora-selinux-list at redhat.com
>> Sent: Friday, July 27, 2007 5:05:05 AM
>> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>>
>> Thanks Daniel for the information, hi everyone
>>
>> I've tried to make the following changes:
>>
>> 1. Defined the vmware_t type in vmware.te:
>> type vmware_t;
>>
>> I need to do this since I'm trying to let the vmware user program run under the vmware_t domain, but this is not defined. In terms of overall code compliance, is it correct to define it here? Or should it be in vmware.if?
>
> Type definitions should be in vmware.te
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 30 Jul 2007 16:16:13 +0100
Subject: Guideline for RPM packages
In-Reply-To: <46A861F6.10709@ak.jp.nec.com>
References: <46681714.3030009@kaigai.gr.jp> <1181227502.11979.24.camel@moss-spartans.epoch.ncsc.mil> <46681ED6.1010408@kaigai.gr.jp> <46A861F6.10709@ak.jp.nec.com>
Message-ID: <46AE00BD.80900@city-fan.org>

KaiGai Kohei wrote:
>>>> If I remember correctly, someone posted a guideline to make
>>>> an RPM package which contains binary security policy, several
>>>> weeks ago.
>>>>
>>>> If you know the URL, would you tell me the location?
>>> There is a draft guide at:
>>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>> Thanks, so much!
>
> I have a comment for the Policy Module Packaging Guideline.
>
> The document says every *.pp file should be installed for every sort of policy
> (targeted, strict, mls) in the %post section.
> However, it can cause a problem when some of the policies are not installed yet.
>
> When we try to install an application including a policy package on a system
> which has only the targeted policy, installation of the *.pp files for strict/mls will
> fail, needless to say.
> If we want to install selinux-policy-strict or -mls later, the orphan *.pp files
> are not linked automatically because "/usr/bin/semodule -i" is not invoked.
> It will cause a simple problem, but one a bit difficult to find out.
>
> I have an idea that uses "%triggerin" to invoke "/usr/bin/semodule -i" to link
> orphan *.pp files on installation of selinux-policy-* packages later, as follows:
>
> ----------------
> %triggerin -- selinux-policy-targeted
> if [ $1 -eq 1 ]; then
> /usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/mymodule.pp &> /dev/null || :
> fi
> %triggerin -- selinux-policy-strict
> if [ $1 -eq 1 ]; then
> /usr/sbin/semodule -s strict -i %{_datadir}/selinux/strict/mymodule.pp &> /dev/null || :
> fi
> %triggerin -- selinux-policy-mls
> if [ $1 -eq 1 ]; then
> /usr/sbin/semodule -s mls -i %{_datadir}/selinux/mls/mymodule.pp &> /dev/null || :
> fi
> ----------------
>
> If the application is installed on a system which already has selinux-policy-strict,
> "%triggerin -- selinux-policy-strict" will be invoked just when the application is
> installed, so there is no degrading.

Looks sane to me, though it would be nice if there was some way of expressing this once rather than duplicating it for each policy type. Can't think of any way of doing that though.

Paul.
From: kaigai at kaigai.gr.jp (KaiGai Kohei)
Date: Tue, 31 Jul 2007 00:47:01 +0900
Subject: Guideline for RPM packages
In-Reply-To: <46AE00BD.80900@city-fan.org>
References: <46681714.3030009@kaigai.gr.jp> <1181227502.11979.24.camel@moss-spartans.epoch.ncsc.mil> <46681ED6.1010408@kaigai.gr.jp> <46A861F6.10709@ak.jp.nec.com> <46AE00BD.80900@city-fan.org>
Message-ID: <46AE07F5.1090101@kaigai.gr.jp>

Paul Howarth wrote:
> KaiGai Kohei wrote:
>>>>> If I remember correctly, someone posted a guideline to make
>>>>> an RPM package which contains binary security policy, several
>>>>> weeks ago.
>>>>>
>>>>> If you know the URL, would you tell me the location?
>>>> There is a draft guide at:
>>>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>>> Thanks, so much!
>> I have a comment for the Policy Module Packaging Guideline.
>>
>> The document says every *.pp file should be installed for every sort of policy
>> (targeted, strict, mls) in the %post section.
>> However, it can cause a problem when some of the policies are not installed yet.
>>
>> When we try to install an application including a policy package on a system
>> which has only the targeted policy, installation of the *.pp files for strict/mls will
>> fail, needless to say.
>> If we want to install selinux-policy-strict or -mls later, the orphan *.pp files
>> are not linked automatically because "/usr/bin/semodule -i" is not invoked.
>> It will cause a simple problem, but one a bit difficult to find out.
>>
>> I have an idea that uses "%triggerin" to invoke "/usr/bin/semodule -i" to link
>> orphan *.pp files on installation of selinux-policy-* packages later, as follows:
>>
>> ----------------
>> %triggerin -- selinux-policy-targeted
>> if [ $1 -eq 1 ]; then
>> /usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/mymodule.pp &> /dev/null || :
>> fi
>> %triggerin -- selinux-policy-strict
>> if [ $1 -eq 1 ]; then
>> /usr/sbin/semodule -s strict -i %{_datadir}/selinux/strict/mymodule.pp &> /dev/null || :
>> fi
>> %triggerin -- selinux-policy-mls
>> if [ $1 -eq 1 ]; then
>> /usr/sbin/semodule -s mls -i %{_datadir}/selinux/mls/mymodule.pp &> /dev/null || :
>> fi
>> ----------------
>>
>> If the application is installed on a system which already has selinux-policy-strict,
>> "%triggerin -- selinux-policy-strict" will be invoked just when the application is
>> installed, so there is no degrading.
>
> Looks sane to me, though it would be nice if there was some way of
> expressing this once rather than duplicating it for each policy type.
> Can't think of any way of doing that though.

I tried to find a way to describe it once without duplication, but I could not get a good idea.
If we could describe them like "%triggerin -- selinux-policy-*", it would be better.

Please tell me if anyone knows a more appropriate way to describe it.

Thanks,
-- 
KaiGai Kohei
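An added example, not code from any message in this thread and not from the Fedora packaging draft it discusses: one shell function that loads a module into every policy store that actually exists, so the same logic can back %post and the %triggerin scriptlets instead of being copied once per policy type. It assumes the package ships %{_datadir}/selinux/<type>/<module>.pp for each type and treats a store as present when /etc/selinux/<type> exists; the SELINUX_ROOT and SEMODULE overrides and the "type:status" output lines are conveniences of this example, not part of any real tool.

```shell
#!/bin/sh
# Added example (not from the thread): install a policy module into each
# SELinux store that is present, skipping the ones that are not installed
# yet.  A later %triggerin on the selinux-policy-* package can call the
# same function to pick up the module that was skipped.
#
# Assumptions (constructed for this example): the .pp files live under
#   $DATADIR/selinux/<type>/<module>.pp   for type in targeted strict mls
# and a store is "present" when $SELINUX_ROOT/<type> exists.  Both roots
# are overridable so the logic can be exercised without root privileges.

SELINUX_ROOT="${SELINUX_ROOT:-/etc/selinux}"
SEMODULE="${SEMODULE:-/usr/sbin/semodule}"
POLICY_TYPES="targeted strict mls"

# install_policy_module MODULE DATADIR
#   Prints one "type:status" line per policy type and returns 0 when at
#   least one store was loaded, 1 when none was (callers append "|| :" so
#   the rpm transaction never fails because of SELinux).
install_policy_module() {
    module=$1
    datadir=$2
    loaded=0
    for ptype in $POLICY_TYPES; do
        pp="$datadir/selinux/$ptype/$module.pp"
        if [ ! -d "$SELINUX_ROOT/$ptype" ]; then
            echo "$ptype:no-store"       # policy not installed yet: the
            continue                     # trigger will pick it up later
        fi
        if [ ! -f "$pp" ]; then
            echo "$ptype:no-module"      # package ships nothing for it
            continue
        fi
        if "$SEMODULE" -s "$ptype" -i "$pp" >/dev/null 2>&1; then
            echo "$ptype:loaded"
            loaded=1
        else
            echo "$ptype:failed"         # reported, not fatal
        fi
    done
    [ "$loaded" -eq 1 ]
}

# Spec usage (assumed layout): ship this file as a helper script in the
# package and call it from %post and from a single trigger line; rpm
# accepts a comma-separated package list in a trigger, and $1 in a
# scriptlet is the number of instances of this package remaining, so 1
# means a fresh install rather than an upgrade in progress:
#
#   %post
#   %{_libexecdir}/mypkg/selinux-install.sh mymodule %{_datadir} || :
#
#   %triggerin -- selinux-policy-targeted, selinux-policy-strict, selinux-policy-mls
#   if [ "$1" -eq 1 ]; then
#       %{_libexecdir}/mypkg/selinux-install.sh mymodule %{_datadir} || :
#   fi

# Stand-alone usage: sh selinux-install.sh MODULE DATADIR
if [ $# -eq 2 ]; then
    install_policy_module "$1" "$2"
fi
```

The store-exists check is what removes the need for one trigger per policy type: the function is harmless to run whenever any selinux-policy-* package arrives, because it only touches the stores that are there.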
From: lshoujun at yahoo.com (Louis Lam)
Date: Tue, 31 Jul 2007 00:28:48 -0700 (PDT)
Subject: Containing vmware player 2.0.0 with SELINUX
Message-ID: <492233.23695.qm@web34813.mail.mud.yahoo.com>

Hi,

Thanks for the reply.

My conclusion is that I'm not sure where to place the domain_auto_trans() statement. If I can't place it in the vmware.if file (since it will not be read during module compilation), where can I put this statement? All I need to do now is to make the vmware executable run in its own domain, e.g. vmware_t. But it seems more difficult than I thought.

Can you point me to resources on how to develop modules? Can someone help me with this problem?

Thanks & Regards,
Louis
From: spng.yang at gmail.com (Ken YANG)
Date: Tue, 31 Jul 2007 18:00:20 +0800
Subject: Containing vmware player 2.0.0 with SELINUX
In-Reply-To: <492233.23695.qm@web34813.mail.mud.yahoo.com>
References: <492233.23695.qm@web34813.mail.mud.yahoo.com>
Message-ID: <46AF0834.7080909@gmail.com>

Louis Lam wrote:
> Hi,
>
> Thanks for the reply.
>
> My conclusion is that I'm not sure where to place the domain_auto_trans() statement. If I can't place it in the vmware.if file (since it will not be read during module compilation), where can I put this statement? All I need to do now is to make the vmware executable run in its own domain, e.g. vmware_t. But it seems more difficult than I thought.

If you want the vmware program to run in its own domain, all necessary rules should be in the te file, e.g.

domain_auto_trans(vmware_t, vmware_host_exec_t, vmware_host_t)

(just an example)

Similarly, domain_auto_trans can also be used in the if file, especially in per_role_template. All of these depend on your purpose.

To make vmware run with selinux-policy > 3.0, the easiest way is to follow what Tom suggested, i.e. modify net-service.sh to restore the label after creating the device node.

But if you want to make the policy contain vmware, you must resolve the "device node label" problem. IMHO, you should use fs_use_trans to set the label automatically:
http://marc.info/?l=selinux&m=118481693028190&w=2

For now I have no time to do this, so I have not solved the problems I encountered.

> Can you point me to resources on how to develop modules? Can someone help me with this problem?

"Beginning is the most difficult one, but A Good Beginning is half the battle" :-)

After you finish the beginning, you will find it's not difficult. The book <> is a good guide for developing modules, but I think the best guide to developing policy is the policy source.

> Thanks & Regards,
> Louis
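An added example, not code from any message in this thread and not refpolicy's or Fedora's own vmware module: a script that scaffolds a minimal vmware policy module with the rules placed where the replies above say they belong (types and the transition rule in vmware.te, the $1-parameterised form only inside an interface in vmware.if), builds it with the devel Makefile from the thread, and checks the placement mistake that produced the "syntax error at token '1'". It assumes a targeted policy in which the user's shell runs as unconfined_t, the refpolicy macros domain_type, domain_entry_file and domain_auto_trans, and the two vmplayer paths quoted in the thread; the interface name vmware_domtrans is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread, not refpolicy's vmware module):
# scaffold vmware.{te,if,fc} for a vmware_t domain, check rule placement,
# and build with the selinux-policy-devel Makefile when it is present.
# Assumptions: targeted policy (invoking domain is unconfined_t), refpolicy
# macros, the binary paths from the thread; vmware_domtrans is a made-up
# interface name.

# write_vmware_policy DIR  -- create DIR/vmware.te, vmware.if, vmware.fc
write_vmware_policy() {
    dir=$1
    mkdir -p "$dir"

    cat > "$dir/vmware.te" <<'EOF'
policy_module(vmware, 1.0.0)

# Type declarations belong in the .te file, not the .if file.
type vmware_t;
type vmware_exec_t;
domain_type(vmware_t)
domain_entry_file(vmware_t, vmware_exec_t)

# The transition rule belongs here too, with concrete types.  A form like
# the thread's $N_t only expands inside an interface or template; left in
# a .te file it reaches the compiler verbatim and fails at token '1'.
gen_require(`
	type unconfined_t;
')
domain_auto_trans(unconfined_t, vmware_exec_t, vmware_t)

# Rules vmware_t needs beyond this are found by running it permissive
# and reading the resulting AVC denials, then adding only those.
EOF

    cat > "$dir/vmware.if" <<'EOF'
## <summary>Run VMware Player in the vmware_t domain (example module).</summary>

########################################
## <summary>Execute vmplayer with a transition to vmware_t.</summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
interface(`vmware_domtrans',`
	gen_require(`
		type vmware_t, vmware_exec_t;
	')
	domain_auto_trans($1, vmware_exec_t, vmware_t)
')
EOF

    cat > "$dir/vmware.fc" <<'EOF'
/usr/lib/vmplayer		--	gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/bin/vmplayer	--	gen_context(system_u:object_r:vmware_exec_t,s0)
EOF
}

# placement_ok DIR -- the check the thread was missing: no m4 parameter
# may appear in the .te, and the .if reaches the types only through $1.
placement_ok() {
    dir=$1
    ! grep -q '\$[0-9]' "$dir/vmware.te" &&
    grep -q 'domain_auto_trans(\$1, vmware_exec_t, vmware_t)' "$dir/vmware.if"
}

# build_vmware_policy DIR -- compile, load and relabel (needs root).
# Returns 2 when the devel Makefile from the thread is not installed.
build_vmware_policy() {
    dir=$1
    mk=/usr/share/selinux/devel/Makefile
    [ -f "$mk" ] || return 2
    (cd "$dir" && make -f "$mk" vmware.pp) || return 1
    semodule -i "$dir/vmware.pp" || return 1
    restorecon -v /usr/lib/vmplayer /usr/lib/vmware/bin/vmplayer
}

# Stand-alone usage: sh vmware-scaffold.sh ./vmware-policy
if [ -n "${1:-}" ]; then
    write_vmware_policy "$1" && placement_ok "$1" && build_vmware_policy "$1"
fi
```

After `semodule -i` and `restorecon`, `ls -Z /usr/lib/vmware/bin/vmplayer` should show vmware_exec_t, and a vmplayer started from an unconfined_t shell should appear as vmware_t in `ps -eZ`; if it still shows unconfined_t, the file label (not the rule) is the first thing to check.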