audit2allow broken?

Stephen Smalley sds at tycho.nsa.gov
Wed May 9 20:11:34 UTC 2007


On Wed, 2007-05-09 at 14:29 -0500, Hongwei Li wrote:
> > On Wed, 2007-05-09 at 13:47 -0500, Hongwei Li wrote:
> >> Hi,
> >>
> >> I have a fc6 linux box: kernel-2.6.20-1.2944.fc6,
> >> selinux-policy-2.4.6-62.fc6
> >> and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6.
> >> The system works and I was trying to add some settings to the selinux policy
> >> by running audit2allow. It was okay before noon:
> >>
> >> # audit2allow -M local < /var/log/audit/audit.log
> >> # semodule -i local.pp
> >>
> >> The new modules were added and it works. However, later, I can't do it again,
> >> but always get an error:
> >>
> >> # audit2allow -M local < /var/log/audit/audit.log
> >> compilation failed:
> >> (unknown source)::ERROR 'syntax error' at token '' on line 6:
> >>
> >> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> >> /usr/bin/checkmodule:  loading policy configuration from local.te
> >>
> >> and the file local.te has only one line:
> >>
> >> module local 1.0;
> >>
> >> not like before.  Can somebody tell what is wrong? "on line 6" of what file?
> >> I reboot the system, still the same.
> >
> > What version of policycoreutils?
> >
> > The implication is that there were no avc denials
> > in /var/log/audit/audit.log, and thus the generated module was empty.
> > Possibly your audit logs were automatically rotated?
> >
> > You should really be using the -a option btw, e.g.
> > 	audit2allow -a -M local
> > That will pull all messages from audit, including older audit logs I
> > believe.
> >
> > --
> > Stephen Smalley
> > National Security Agency
> >
> 
> Yes, you are right -- there were no avc denials in the audit.log. Now, I set
> enforced and try a squirrelmail plugin change_passwd, it creates some avc
> denials, and then it works:
> 
> # audit2allow -a -M local
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
> 
> semodule -i local.pp
> 
> However, it fails when I run:
> # semodule -i local.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t
> shadow_t:file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> 
> Actually, this has been an old problem since fc5 linux (not in fc4 or earlier)
> -- once set enforced, the password cannot be changed from squirrelmail (web site),
> and modules with "shadow..." cannot be added. Is there any way to change it?  The
> reason is simple: my squirrelmail users need to change their password from
> within squirrelmail (web site) and I want to set selinux enforced.
> 
> BTW, I have policycoreutils-1.34.1-7.fc6 and targeted policy.

Ideally you wouldn't be running that plugin directly in httpd_t.

The assertions aka neverallow rules can be overridden, but they are
there as a warning to you that you are trying to allow something that is
unsafe, in this case allowing your httpd processes to directly access
your shadow file.  It would be better if that plugin ran in a separate
process in its own domain.

To allow it anyway, you can use the refpolicy interface to allow
such access, which will also add the type to the right attribute to
satisfy the assertion/neverallow rule.  In this case, that would mean
adding:
	auth_rw_shadow(httpd_t)
to your local.te file and then running:
# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp

-- 
Stephen Smalley
National Security Agency
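Added example, not from the thread and not part of policycoreutils or audit2allow: a small Python script that applies both pieces of advice above before a module is built. It refuses to write a module when the audit log carries no AVC denials (the situation behind the empty "module local 1.0;" file and the checkmodule syntax error in the first reply), and when a denial targets shadow_t it emits the refpolicy interface call auth_rw_shadow(httpd_t) from the second reply instead of a raw "allow httpd_t shadow_t:file" rule, so the resulting local.te does not trip the assertion. The audit records are constructed, the shadow_t-to-auth_rw_shadow mapping is an assumption limited to the case in this thread, and the generated local.te is assumed to be built with make -f /usr/share/selinux/devel/Makefile as the reply describes, because checkmodule on its own does not expand refpolicy interfaces.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log records (not taken from the
# thread): two denials of httpd_t on the shadow file, one on ordinary web
# content, plus a SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1178734567.123:456): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1178734567.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="shadow" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1178734567.456:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" name="shadow" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1178734568.001:458): avc:  denied  { write } for  pid=1234 comm="httpd" name="data" dev=sda2 ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types whose raw allow rules trip a neverallow, and the refpolicy
# interface the reply names as the way to grant that access instead.
# Assumption: only the shadow_t case from the thread is mapped here.
INTERFACE_FOR_TARGET = {"shadow_t": "auth_rw_shadow"}


def type_of(context):
    """user:role:type[:mls] -> type"""
    return context.split(":")[2]


def parse_denials(log_text):
    """Collect AVC denials as {(source_type, target_type, class): {perms}}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def has_avc_denials(log_text):
    """The check the first reply implies: an empty log means an empty module."""
    return bool(parse_denials(log_text))


def generate_te(log_text, module_name="local", version="1.0"):
    """Render a .te module, substituting the interface for shadow_t access."""
    denials = parse_denials(log_text)
    if not denials:
        raise ValueError("no AVC denials found; refusing to write an empty module")
    required_types, required_classes = set(), defaultdict(set)
    interface_calls, allow_rules = [], []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        iface = INTERFACE_FOR_TARGET.get(tgt)
        if iface:
            # The interface declares shadow_t itself via gen_require, so only
            # the calling domain goes into our require block.
            interface_calls.append(f"{iface}({src})")
            required_types.add(src)
            continue
        required_types.update((src, tgt))
        required_classes[tclass].update(perms)
        allow_rules.append(
            f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(required_types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(required_classes.items())]
    out += ["}", ""]
    out += interface_calls + allow_rules
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python gen_local_te.py /var/log/audit/audit.log > local.te
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    sys.stdout.write(generate_te(text))
```

Run it with the audit log path as its only argument (or with no argument to see the output for the constructed sample) and redirect stdout to local.te, then build and install as the reply describes. The warning in the reply still applies: the interface call satisfies the assertion, but httpd_t is then allowed to read the shadow file, and the better fix remains running the plugin in its own domain.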
