Interesting Denials from semodule on Centos 5.2

Vadym Chepkov chepkov at yahoo.com
Sun Feb 1 13:56:16 UTC 2009


root's home has a different context than the rest of the users':

# ls -dZ /root
drwxr-x---  root root system_u:object_r:admin_home_t   /root

I would do something like this:

# nx.te
policy_module(nx, 0.0.1)
type nx_home_t;
userdom_user_home_content(user, nx_home_t)

# nx.fc
HOME_DIR/\.nx(/.*)? gen_context(system_u:object_r:nx_home_t,s0)
/root/\.nx(/.*)?    gen_context(system_u:object_r:nx_home_t,s0)

and work with this domain instead. 
Hopefully it will lead you to a nice policy one day :) 

Sincerely yours,
  Vadym Chepkov


--- On Sun, 2/1/09, Richard Chapman <rchapman at aardvark.com.au> wrote:

> From: Richard Chapman <rchapman at aardvark.com.au>
> Subject: Interesting Denials from semodule on Centos 5.2
> To: fedora-selinux-list at redhat.com
> Cc: "Daniel J Walsh" <dwalsh at redhat.com>
> Date: Sunday, February 1, 2009, 6:37 AM
> Hi
> 
> I have an interesting denial here - and I think I
> understand what is causing it - but I'm not sure of the
> best method of resolving it. I have pasted the denial below.
> 
> What seems to cause it is running the gui
> "System/Administration/Selinux Management" tool -
> while in a gnome x session in an "nx" session.
> I'm not sure how well known it is - but "nx" is
> a very good gui remote terminal (like vnc but much better
> imho) running over ssh. Very fast and accurate and presumably
> secure. I use nx to manage the Centos 5.2 server - rather
> than use a physical terminal.
> Every time I start the gui Selinux Management tool I get
> one of these denials. Note that the /root/.nx directory must
> be a housekeeping directory for nx where it keeps session
> information.
> 
> I have run audit2allow on this denial and it suggests this
> very simple policy
> ---------
> module mynx 1.0;
> 
> require {
>        type semanage_t;
>        type user_home_t;
>        class file append;
> }
> 
> #============= semanage_t ==============
> allow semanage_t user_home_t:file append;
> -------
> 
> Is this a good solution - or is it freeing up the wrong
> thing?
> Does anyone understand why this configuration should cause
> the denial - and can anyone suggest a better solution?
> 
> BTW: I have tried the suggested re-labelling - and it
> didn't help.
> 
> Richard.
> 
> 
> 
> 
> 
> Summary
> SELinux is preventing the semodule from using potentially
> mislabeled files
> (/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session).
> 
> Detailed Description
> [SELinux is in permissive mode, the operation would have
> been denied but was permitted due to permissive mode.]
> 
> SELinux has denied semodule access to potentially
> mislabeled file(s)
> (/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session).
> This means that SELinux will not allow semodule to use these
> files. It is common for users to edit files in their home
> directory or tmp directories and then move (mv) them to
> system directories. The problem is that the files end up
> with the wrong file context which confined applications are
> not allowed to access.
> 
> Allowing Access
> If you want semodule to access this files, you need to
> relabel them using restorecon -v
> '/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session'.
> You might want to relabel the entire directory using
> restorecon -R -v
> '/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9'.
> Additional Information
> 
> Source Context:   	system_u:system_r:semanage_t
> Target Context:   	user_u:object_r:user_home_t
> Target Objects:  
> /root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session
> [ file ]
> Source:   	semodule
> Source Path:   	/usr/sbin/semodule
> Port:   	<Unknown>
> Host:   	C5.aardvark.com.au
> Source RPM Packages:   	policycoreutils-1.33.12-14.el5
> Target RPM Packages:   	
> Policy RPM:   	selinux-policy-2.4.6-203.el5
> Selinux Enabled:   	True
> Policy Type:   	targeted
> MLS Enabled:   	True
> Enforcing Mode:   	Permissive
> Plugin Name:   	home_tmp_bad_labels
> Host Name:   	C5.aardvark.com.au
> Platform:   	Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1
> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count:   	3
> First Seen:   	Sun Feb 1 15:21:40 2009
> Last Seen:   	Sun Feb 1 16:01:16 2009
> Local ID:   	31b6bb16-26ba-419d-8057-7bb9eee9708a
> Line Numbers:   	
> 
> Raw Audit Messages :
> 
> host=C5.aardvark.com.au type=AVC
> msg=audit(1233471676.49:19106): avc: denied { append } for
> pid=25330 comm="semodule"
> path="/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session"
> dev=dm-0 ino=29294826
> scontext=system_u:system_r:semanage_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
> host=C5.aardvark.com.au type=AVC
> msg=audit(1233471676.49:19106): avc: denied { append } for
> pid=25330 comm="semodule"
> path="/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session"
> dev=dm-0 ino=29294826
> scontext=system_u:system_r:semanage_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
> host=C5.aardvark.com.au type=SYSCALL
> msg=audit(1233471676.49:19106): arch=c000003e syscall=59
> success=yes exit=0 a0=16674410 a1=166747b0 a2=16673660 a3=3
> items=0 ppid=25327 pid=25330 auid=102 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1740
> comm="semodule" exe="/usr/sbin/semodule"
> subj=system_u:system_r:semanage_t:s0 key=(null)
> host=C5.aardvark.com.au type=SYSCALL
> msg=audit(1233471676.49:19106): arch=c000003e syscall=59
> success=yes exit=0 a0=16674410 a1=166747b0 a2=16673660 a3=3
> items=0 ppid=25327 pid=25330 auid=102 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1740
> comm="semodule" exe="/usr/sbin/semodule"
> subj=system_u:system_r:semanage_t:s0 key=(null)
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
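The check worth making before accepting the audit2allow output is whether the denied target is labelled the way file_contexts says it should be: `ls -dZ /root` above shows admin_home_t, while the denial's target under /root carries user_home_t. The Python below is an added example for this thread, not code from either poster. It parses the raw AVC record quoted above and matches its path against the two .fc lines of the proposed nx module, plus an assumed `/root(/.*)?` admin_home_t spec standing in for the distribution rule, an assumed HOME_DIR expansion of `/home/<user>`, and a longest-literal-stem rule that approximates how matchpathcon picks the most specific spec. A second AVC record for a correctly labelled file is constructed so both outcomes are visible.

```python
"""Decide whether an AVC denial is a labelling problem or a real policy gap.

Added example for the fedora-selinux-list thread; not the posters' code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the AVC record quoted in the thread, re-joined
# into one line, plus a constructed record for a correctly labelled file.
AVC_LOG = [
    'host=C5.aardvark.com.au type=AVC msg=audit(1233471676.49:19106): '
    'avc: denied { append } for pid=25330 comm="semodule" '
    'path="/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session" '
    'dev=dm-0 ino=29294826 scontext=system_u:system_r:semanage_t:s0 '
    'tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    # constructed: same domain touching a file that already has /root's label
    'host=C5.aardvark.com.au type=AVC msg=audit(1233471700.00:19107): '
    'avc: denied { write } for pid=25331 comm="semodule" path="/root/notes.txt" '
    'dev=dm-0 ino=1 scontext=system_u:system_r:semanage_t:s0 '
    'tcontext=root:object_r:admin_home_t:s0 tclass=file',
]

# .fc specs: the two nx lines from the proposal, plus an ASSUMED /root spec
# standing in for the distribution rule behind the admin_home_t seen above.
FC_SPECS_TEXT = r"""
/root(/.*)?           gen_context(system_u:object_r:admin_home_t,s0)
HOME_DIR/\.nx(/.*)?   gen_context(system_u:object_r:nx_home_t,s0)
/root/\.nx(/.*)?      gen_context(system_u:object_r:nx_home_t,s0)
"""

# ASSUMED HOME_DIR expansion; genhomedircon builds the real list from the
# system's accounts, and /root gets explicit lines in policy instead.
HOME_DIR_PATTERNS = [r"/home/[^/]+"]

_SPEC_RE = re.compile(r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?"
                      r"gen_context\((?P<ctx>[^,]+),(?P<level>[^)]+)\)")
_META = set('.^$*+?()[]{}|\\')
_PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _stem_len(regex: str) -> int:
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(regex):
        if ch in _META:
            return i
    return len(regex)


def parse_fc_specs(text: str, home_dirs=HOME_DIR_PATTERNS) -> List[Tuple[str, str]]:
    """Return (regex, type) pairs, expanding HOME_DIR into each home pattern."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SPEC_RE.match(line)
        if not m:
            raise ValueError("bad fc spec: " + line)
        ftype = m.group("ctx").split(":")[2]          # user:role:type
        regex = m.group("regex")
        regexes = ([regex.replace("HOME_DIR", h) for h in home_dirs]
                   if "HOME_DIR" in regex else [regex])
        specs.extend((r, ftype) for r in regexes)
    return specs


def expected_type(path: str, specs) -> Optional[str]:
    """Type of the most specific matching spec (longest literal stem wins,
    later line wins ties); None when no spec covers the path."""
    best = None
    for regex, ftype in specs:
        if re.fullmatch(regex, path):
            key = _stem_len(regex)
            if best is None or key >= best[0]:
                best = (key, ftype)
    return best[1] if best else None


def parse_avc(record: str) -> Dict[str, object]:
    """Extract the permission set and key=value fields from a raw AVC record."""
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(record)}
    perms = _PERMS_RE.search(record)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


def analyse_denials(records, fc_text=FC_SPECS_TEXT) -> List[Dict[str, object]]:
    """For each denial: is the target mislabeled (relabel it) or is the
    label right, so the missing allow rule is the real question?"""
    specs = parse_fc_specs(fc_text)
    out = []
    for rec in records:
        avc = parse_avc(rec)
        path = avc.get("path")
        current = avc["tcontext"].split(":")[2]
        expected = expected_type(path, specs) if path else None
        mislabeled = expected is not None and expected != current
        out.append({
            "path": path, "perms": avc["perms"],
            "source_type": avc["scontext"].split(":")[2],
            "current_type": current, "expected_type": expected,
            "mislabeled": mislabeled,
            "action": ("restorecon -v '%s'" % path if mislabeled
                       else "label matches policy; review the allow rule"),
        })
    return out


if __name__ == "__main__":
    for r in analyse_denials(AVC_LOG):
        print(r["path"], r["current_type"], "->", r["expected_type"], ":", r["action"])
```

On the real host the same comparison is `matchpathcon <path>` against the tcontext in the AVC, and `restorecon -Rv /root/.nx` applies the result; with the proposed module built and loaded (`make -f /usr/share/selinux/devel/Makefile nx.pp && semodule -i nx.pp`, assuming the selinux-policy-devel package is installed) the expected type for the session file becomes nx_home_t, and the question shifts from user_home_t to what semanage_t should be allowed to do with nx_home_t.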
