audit2allow broken?
Hongwei Li
hongwei at wustl.edu
Wed May 9 21:05:07 UTC 2007
> On Wed, 2007-05-09 at 14:29 -0500, Hongwei Li wrote:
>> > On Wed, 2007-05-09 at 13:47 -0500, Hongwei Li wrote:
>> >> Hi,
>> >>
>> >> I have a fc6 linux box: kernel-2.6.20-1.2944.fc6,
>> >> selinux-policy-2.4.6-62.fc6
>> >> and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6.
...
>> >
>> > The implication is that there were no avc denials
>> > in /var/log/audit/audit.log, and thus the generated module was empty.
>> > Possibly your audit logs were automatically rotated?
>> >
>> > You should really be using the -a option btw, e.g.
>> > audit2allow -a -M local
>> > That will pull all messages from audit, including older audit logs I
>> > believe.
>> >
>> > --
>> > Stephen Smalley
>> > National Security Agency
>> >
>>
...
>>
>> However, it fails when I run:
>> # semodule -i local.pp
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t shadow_t:file { read };
>> libsepol.check_assertions: 1 assertion violations occured
>> libsemanage.semanage_expand_sandbox: Expand module failed
>>
>> Actually, this has been an old problem since fc5 linux (not in fc4 or earlier)
>> -- once set enforced, password cannot be changed from squirrelmail (web site),
>> modules with "shadow..." cannot be added. Is there any way to change it? The
>> reason is simple: my squirrelmail users need to change their password from
>> within squirrelmail (web site) and I want to set selinux enforced.
>>
>> BTW, I have policycoreutils-1.34.1-7.fc6 and targeted policy.
>
> Ideally you wouldn't be running that plugin directly in httpd_t.
>
> The assertions aka neverallow rules can be overridden, but they are
> there as a warning to you that you are trying to allow something that is
> unsafe, in this case allowing your httpd processes to directly access
> your shadow file. It would be better if that plugin ran in a separate
> process in its own domain.
>
> To allow it anyway, you can use the refpolicy interface to allow
> such access, which will also add the type to the right attribute to
> satisfy the assertion/neverallow rule. In this case, that would mean
> adding:
> auth_rw_shadow(httpd_t)
> to your local.te file and then running:
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i local.pp
>
> --
> Stephen Smalley
> National Security Agency
Thank you for help! However, I got an error when doing it.
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted localb module
/usr/bin/checkmodule: loading policy configuration from tmp/localb.tmp
localb.te:6:ERROR 'syntax error' at token '' on line 78455:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/localb.mod] Error 1
My local.te is:
module local 1.0;
require {
type portmap_t;
type home_root_t;
type system_mail_t;
type nfsd_t;
type crond_t;
type httpd_t;
type restorecon_t;
type shadow_t;
class dir { search getattr };
class file read;
class fifo_file read;
}
auth_rw_shadow(httpd_t);
#============= httpd_t ==============
allow httpd_t shadow_t:file read;
#============= nfsd_t ==============
allow nfsd_t crond_t:fifo_file read;
#============= portmap_t ==============
allow portmap_t crond_t:fifo_file read;
#============= restorecon_t ==============
allow restorecon_t crond_t:fifo_file read;
#============= system_mail_t ==============
allow system_mail_t home_root_t:dir { search getattr };
allow system_mail_t httpd_t:file read;
What is the "syntax error"? Did I add the line
auth_rw_shadow(httpd_t);
incorrectly?
I have selinux-policy-devel.noarch 0:2.4.6-62.fc6 installed.
Thanks!
Hongwei
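As an added example (not from this thread, and not audit2allow's own code), the script below does the grouping that audit2allow -a does on AVC records and then flags any resulting rule that would trip the shadow_t neverallow semodule reported, naming the interface call from the reply instead of the raw allow. The audit records are constructed, and the attribute names can_read_shadow_passwords / can_write_shadow_passwords are assumed to be what the refpolicy neverallow checks and what auth_rw_shadow() sets.

```python
import re
from collections import defaultdict

# Constructed audit records (not from the thread); the httpd_t denials match the post's rule.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1178744700.101:201): avc:  denied  { read } for  pid=2201 comm="httpd" name="shadow" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1178744700.102:202): avc:  denied  { getattr } for  pid=2201 comm="httpd" name="shadow" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1178744701.003:203): avc:  denied  { search getattr } for  pid=1900 comm="sendmail" name="home" dev=dm-0 ino=2 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1178744701.003:203): arch=40000003 syscall=5 success=no exit=-13 pid=1900 comm="sendmail"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

# Assumed, not stated in the thread: the shadow_t neverallow is keyed on these
# attributes, and the auth_rw_shadow() interface is what adds a domain to them.
SHADOW_NEVERALLOW = {"read": "can_read_shadow_passwords", "write": "can_write_shadow_passwords"}

def parse_avc(log_text):
    """Group denials as audit2allow does: {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:                                      # SYSCALL etc. carry no denial
            stype = m.group("scon").split(":")[2]  # user:role:type[:range]
            ttype = m.group("tcon").split(":")[2]
            rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)

def render_allow(rules):
    """Rules in audit2allow's output form, sorted so the result is stable."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {s} {t}:{c} {p};")
    return out

def shadow_violations(rules):
    """Rules that, as a raw allow, would trip the neverallow semodule reported:
    (domain, attributes it lacks, interface call to put in local.te instead)."""
    found = []
    for (s, t, c), perms in sorted(rules.items()):
        attrs = sorted({SHADOW_NEVERALLOW[p] for p in perms if p in SHADOW_NEVERALLOW})
        if (t, c) == ("shadow_t", "file") and attrs:
            found.append((s, attrs, f"auth_rw_shadow({s})"))
    return found
```

Run it over a real /var/log/audit/audit.log to see which audit2allow rules need an interface call rather than a bare allow before semodule -i rejects the module.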