audit2allow broken?

Hongwei Li hongwei at wustl.edu
Wed May 9 21:05:07 UTC 2007


> On Wed, 2007-05-09 at 14:29 -0500, Hongwei Li wrote:
>> > On Wed, 2007-05-09 at 13:47 -0500, Hongwei Li wrote:
>> >> Hi,
>> >>
>> >> I have a fc6 linux box: kernel-2.6.20-1.2944.fc6,
>> >> selinux-policy-2.4.6-62.fc6
>> >> and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6.
...

>> >
>> > The implication is that there were no avc denials
>> > in /var/log/audit/audit.log, and thus the generated module was empty.
>> > Possibly your audit logs were automatically rotated?
>> >
>> > You should really be using the -a option btw, e.g.
>> > 	audit2allow -a -M local
>> > That will pull all messages from audit, including older audit logs I
>> > believe.
>> >
>> > --
>> > Stephen Smalley
>> > National Security Agency
>> >
>>
...
>>
>> However, it fails when I run:
>> # semodule -i local.pp
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t shadow_t:file { read };
>> libsepol.check_assertions: 1 assertion violations occured
>> libsemanage.semanage_expand_sandbox: Expand module failed
>>
>> Actually, this has been an old problem since fc5 linux (not in fc4 or
>> earlier) -- once set enforced, password cannot be changed from squirrelmail
>> (web site), and modules with "shadow..." cannot be added. Is there any way
>> to change it?  The reason is simple: my squirrelmail users need to change
>> their password from within squirrelmail (web site) and I want to set
>> selinux enforced.
>>
>> BTW, I have policycoreutils-1.34.1-7.fc6 and targeted policy.
>
> Ideally you wouldn't be running that plugin directly in httpd_t.
>
> The assertions aka neverallow rules can be overridden, but they are
> there as a warning to you that you are trying to allow something that is
> unsafe, in this case allowing your httpd processes to directly access
> your shadow file.  It would be better if that plugin ran in a separate
> process in its own domain.
>
> To allow it anyway, you can use the refpolicy interface to allow
> such access, which will also add the type to the right attribute to
> satisfy the assertion/neverallow rule.  In this case, that would mean
> adding:
> 	auth_rw_shadow(httpd_t)
> to your local.te file and then running:
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i local.pp
>
> --
> Stephen Smalley
> National Security Agency

Thank you for help! However, I got an error when doing it.
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted localb module
/usr/bin/checkmodule:  loading policy configuration from tmp/localb.tmp
localb.te:6:ERROR 'syntax error' at token '' on line 78455:


/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/localb.mod] Error 1


My local.te is:

module local 1.0;

require {
        type portmap_t;
        type home_root_t;
        type system_mail_t;
        type nfsd_t;
        type crond_t;
        type httpd_t;
        type restorecon_t;
        type shadow_t;
        class dir { search getattr };
        class file read;
        class fifo_file read;
}

auth_rw_shadow(httpd_t);

#============= httpd_t ==============
allow httpd_t shadow_t:file read;

#============= nfsd_t ==============
allow nfsd_t crond_t:fifo_file read;

#============= portmap_t ==============
allow portmap_t crond_t:fifo_file read;

#============= restorecon_t ==============
allow restorecon_t crond_t:fifo_file read;

#============= system_mail_t ==============
allow system_mail_t home_root_t:dir { search getattr };
allow system_mail_t httpd_t:file read;


What is the "syntax error"? Did I add the line
auth2allow auth_rw_shadow(httpd_t);
incorrectly?

I have selinux-policy-devel.noarch 0:2.4.6-62.fc6 installed.

Thanks!

Hongwei
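The module Stephen describes, written out as a complete local.te. This is an added example, not a file from the thread, and it rests on two assumptions: that the compile error came from the trailing `;` after the interface call (refpolicy interfaces are m4 macros and take no semicolon, so the `;` survives expansion and reaches checkmodule as a stray token), and that the file is saved as local.te so the module name matches what the Makefile builds.

```selinux
# local.te -- added example, not the file posted in the thread.
# Assumption: the stray ';' after auth_rw_shadow(httpd_t) is what
# checkmodule reported as a syntax error; interface calls take none.

# policy_module() replaces the hand-written "module local 1.0;" header
# and brings in the kernel object classes and the support macros that
# the interfaces expand to, so the class lines of the old require
# block are no longer needed.
policy_module(local, 1.0)

# Types still referenced by the raw allow rules below. shadow_t is not
# listed: auth_rw_shadow() carries its own gen_require() for it.
gen_require(`
	type portmap_t, home_root_t, system_mail_t, nfsd_t;
	type crond_t, httpd_t, restorecon_t;
')

#============= httpd_t ==============
# The interface grants the shadow_t access and also adds httpd_t to the
# attribute that the neverallow rule exempts, which is what lets
# semodule's assertion check pass. The direct
# "allow httpd_t shadow_t:file read;" from audit2allow is dropped as
# redundant with what the interface grants.
auth_rw_shadow(httpd_t)

#============= nfsd_t ==============
allow nfsd_t crond_t:fifo_file read;

#============= portmap_t ==============
allow portmap_t crond_t:fifo_file read;

#============= restorecon_t ==============
allow restorecon_t crond_t:fifo_file read;

#============= system_mail_t ==============
allow system_mail_t home_root_t:dir { search getattr };
allow system_mail_t httpd_t:file read;
```

Build and load it with the same two commands from the reply above (`make -f /usr/share/selinux/devel/Makefile`, then `semodule -i local.pp`); the point Stephen makes still stands, in that this module deliberately widens httpd_t's reach to the shadow file, and moving the password-change step into its own process and domain would avoid that.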
