From selinux at gmail.com Sun May 3 20:16:19 2009
From: selinux at gmail.com (selinux at gmail.com)
Date: Sun, 3 May 2009 13:16:19 -0700 (PST)
Subject: Test message #33

33 33 33

-- 
Tom London

From adriangolding at gmail.com Mon May 4 01:19:37 2009
From: adriangolding at gmail.com (fluffie)
Date: Sun, 3 May 2009 18:19:37 -0700 (PDT)
Subject: Boolean or rule for preventing user_u for su or sudo
Message-ID: <23289935.post@talk.nabble.com>

hi,

i created a useruuser account which has SELinux User of "user_u".
and when i log in using that account, i cannot use 'su' or 'sudo'.
in particular, when i try to use 'sudo', there will be a permission denied message.

may i know where is the boolean or rule that specified this restriction?

thank you

-- 
View this message in context: http://www.nabble.com/Boolean-or-rule-for-preventing-user_u-for-su-or-sudo-tp23289935p23289935.html
Sent from the Fedora SELinux List mailing list archive at Nabble.com.

From eparis at redhat.com Mon May 4 15:22:11 2009
From: eparis at redhat.com (Eric Paris)
Date: Mon, 04 May 2009 11:22:11 -0400
Subject: Boolean or rule for preventing user_u for su or sudo
In-Reply-To: <23289935.post@talk.nabble.com>
References: <23289935.post@talk.nabble.com>
Message-ID: <1241450531.16650.46.camel@dhcp231-142.rdu.redhat.com>

On Sun, 2009-05-03 at 18:19 -0700, fluffie wrote:
> hi,
>
> i created a useruuser account which has SELinux User of "user_u".
> and when i log in using that account, i cannot use 'su' or 'sudo'.
> in particular, when i try to use 'sudo', there will be a permission denied
> message.
>
> may i know where is the boolean or rule that specified this restriction?
>
> thank you

That's one of the points of user_u, it can't get to root :)

staff_u can get to sysadm_t (through sudo) which then has most admin privs.
Although I believe dwalsh would suggest staff_u -> unconfined_t via sudo if you want an admin user.
(which would require adding unconfined_r to staff_u I believe)

-Eric

From ewalsh at tycho.nsa.gov Mon May 4 21:25:50 2009
From: ewalsh at tycho.nsa.gov (Eamon Walsh)
Date: Mon, 04 May 2009 17:25:50 -0400
Subject: scp only using SELinux
In-Reply-To: <469635.32561.qm@web36806.mail.mud.yahoo.com>
References: <469635.32561.qm@web36806.mail.mud.yahoo.com>
Message-ID: <49FF5D5E.7080500@tycho.nsa.gov>

Vadym Chepkov wrote:
> Hi,
>
> I wonder if it is possible to achieve "scp only" capability for a user just by using SELinux? Basically I want a user to be able to only upload/download files from his home via scp/sftp and nothing else. Thank you.
>
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

As a first effort you could place the scp and sftp binaries into a separate domain, create a role that can only enter that domain, and place the user in that role. However, if shell access is required (including whatever ssh does at login time) the policy could get more complicated. You could also use the networking controls to only allow outgoing connections on the ports for scp/sftp/ssh. But in general yes SELinux is well-suited to this type of task.

-- 
Eamon Walsh
National Security Agency

From shintaro.fujiwara at gmail.com Tue May 5 04:56:35 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Tue, 5 May 2009 13:56:35 +0900
Subject: How to install SELinux original policy as original RPM

Hello, I don't know how to install SELinux original policy as original RPM.
I edited my spec file but semodule didn't work in BUILDROOT.
Thanks in advance.
-- 
http://intrajp.no-ip.com/ Home Page

From dwalsh at redhat.com Tue May 5 12:37:10 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 05 May 2009 08:37:10 -0400
Subject: How to install SELinux original policy as original RPM
Message-ID: <4A0032F6.1040801@redhat.com>

On 05/05/2009 12:56 AM, Shintaro Fujiwara wrote:
> Hello, I don't know how to install SELinux original policy as original RPM.
> I edited my spec file but semodule didn't work in BUILDROOT.
> Thanks in advance.
>

semodule should be run in the post install, not during the build section. You are adding your policy to the installed policy on the destination machine.

From shintaro.fujiwara at gmail.com Tue May 5 12:52:24 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Tue, 5 May 2009 21:52:24 +0900
Subject: How to install SELinux original policy as original RPM
In-Reply-To: <4A0032F6.1040801@redhat.com>
References: <4A0032F6.1040801@redhat.com>

Thanks, and I will test on my spec file.

2009/5/5 Daniel J Walsh :
> On 05/05/2009 12:56 AM, Shintaro Fujiwara wrote:
>>
>> Hello, I don't know how to install SELinux original policy as original
>> RPM.
>> I edited my spec file but semodule didn't work in BUILDROOT.
>> Thanks in advance.
>>
> semodule should be run in the post install, not during the build section.
> You are adding your policy to the installed policy on the destination
> machine.
>
-- 
http://intrajp.no-ip.com/ Home Page

From shintaro.fujiwara at gmail.com Tue May 5 13:59:37 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Tue, 5 May 2009 22:59:37 +0900
Subject: How to install SELinux original policy as original RPM
In-Reply-To: <4A0032F6.1040801@redhat.com>
References: <4A0032F6.1040801@redhat.com>

Yeah, I wrote,

%post
/usr/sbin/semodule -u /usr/share/segatex/segatex.pp

but, I got

Requires(post): /bin/sh
Requires: /bin/sh libQt3Support.so.4 libQtCore.so.4 libQtGui.so.4 libQtNetwork.so.4 libQtSql.so.4 libc.so.6 libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1) libc.so.6(GLIBC_2.1.3) libc.so.6(GLIBC_2.4) libgcc_s.so.1 libgcc_s.so.1(GCC_3.0) libm.so.6 libpthread.so.0 libselinux.so.1 libstdc++.so.6 libstdc++.so.6(CXXABI_1.3) libstdc++.so.6(GLIBCXX_3.4) libstdc++.so.6(GLIBCXX_3.4.9) rtld(GNU_HASH)

what's this, I guess something's lacking in the above statement?

2009/5/5 Daniel J Walsh :
> On 05/05/2009 12:56 AM, Shintaro Fujiwara wrote:
>>
>> Hello, I don't know how to install SELinux original policy as original
>> RPM.
>> I edited my spec file but semodule didn't work in BUILDROOT.
>> Thanks in advance.
>>
> semodule should be run in the post install, not during the build section.
> You are adding your policy to the installed policy on the destination
> machine.
>
-- 
http://intrajp.no-ip.com/ Home Page

From joliver at john-oliver.net Tue May 5 23:29:32 2009
From: joliver at john-oliver.net (John Oliver)
Date: Tue, 5 May 2009 16:29:32 -0700
Subject: selinux problem I solved months ago
Message-ID: <20090505232932.GA23703@ns.sdsitehosting.net>

I had this problem weeks and weeks ago:

[root at mda-vm1h ~]# service httpd configtest
httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load /etc/httpd/modules/vcapache.so into server: /etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc: Permission denied

I solved it by creating an selinux module and "baking" it into my kickstart. Built many machines, all worked perfectly.

Now, I have three virtual machines I installed with the same kickstart, and I'm getting the same problem.

[root at mda-vm1h ~]# ls -lZ /etc/httpd/modules/vcapache.so
-rwxr-xr-x root root system_u:object_r:httpd_modules_t /etc/httpd/modules/vcapache.so

type=AVC msg=audit(1241564879.792:4671): avc: denied { execheap } for pid=28957 comm="httpd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1241564879.792:4671): arch=40000003 syscall=125 success=no exit=-13 a0=ffa000 a1=1b8000 a2=5 a3=bf8b7eb0 items=0 ppid=28953 pid=28957 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:initrc_t:s0 key=(null)

[root at mda-vm1h ~]# semodule -l
amavis 1.1.0
ccs 1.0.0
clamav 1.1.0
dcc 1.1.0
evolution 1.1.0
iscsid 1.0.0
mozilla 1.1.0
mplayer 1.1.0
nagios 1.1.0
oddjob 1.0.1
pcscd 1.0.0
pyzor 1.1.0
razor 1.1.0
ricci 1.0.0
smartmon 1.1.0
valicert 1.0

There it is, at the end. I removed and reinstalled it with no effect. It's data, so I can't cat it out, but that module worked... unless this is some new, different problem.

Is there more magic sauce that has to be added?
-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************

From sds at tycho.nsa.gov Wed May 6 11:28:40 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 06 May 2009 07:28:40 -0400
Subject: selinux problem I solved months ago
In-Reply-To: <20090505232932.GA23703@ns.sdsitehosting.net>
References: <20090505232932.GA23703@ns.sdsitehosting.net>
Message-ID: <1241609320.27629.5.camel@localhost.localdomain>

On Tue, 2009-05-05 at 16:29 -0700, John Oliver wrote:
> I had this problem weeks and weeks ago:
>
> [root at mda-vm1h ~]# service httpd configtest
> httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax
> error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load
> /etc/httpd/modules/vcapache.so into server:
> /etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc:
> Permission denied
>
> I solved it by creating an selinux module and "baking" it into my
> kickstart. Built many machines, all worked perfectly.
>
> Now, I have three virtual machines I installed with the same kickstart,
> and I'm getting the same problem.
>
> [root at mda-vm1h ~]# ls -lZ /etc/httpd/modules/vcapache.so
> -rwxr-xr-x root root system_u:object_r:httpd_modules_t
> /etc/httpd/modules/vcapache.so
>
> type=AVC msg=audit(1241564879.792:4671): avc: denied { execheap } for
> pid=28957 comm="httpd" scontext=user_u:system_r:initrc_t:s0
> tcontext=user_u:system_r:initrc_t:s0 tclass=process
> type=SYSCALL msg=audit(1241564879.792:4671): arch=40000003 syscall=125
> success=no exit=-13 a0=ffa000 a1=1b8000 a2=5 a3=bf8b7eb0 items=0
> ppid=28953 pid=28957 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts1 comm="httpd" exe="/usr/sbin/httpd"
> subj=user_u:system_r:initrc_t:s0 key=(null)
>
> [root at mda-vm1h ~]# semodule -l
> amavis 1.1.0
> ccs 1.0.0
> clamav 1.1.0
> dcc 1.1.0
> evolution 1.1.0
> iscsid 1.0.0
> mozilla 1.1.0
> mplayer 1.1.0
> nagios 1.1.0
> oddjob 1.0.1
> pcscd 1.0.0
> pyzor 1.1.0
> razor 1.1.0
> ricci 1.0.0
> smartmon 1.1.0
> valicert 1.0
>
> There it is, at the end. I removed and reinstalled it with no effect.
> It's data, so I can't cat it out, but that module worked... unless this
> is some new, different problem.
>
> Is there more magic sauce that has to be added?

The first one looks like it was an execmod denial rather than an execheap denial, offhand. So I suspect this may be a new denial rather than the same old one. If you generate a module for it via audit2allow -M and insert that, does it still recur?

-- 
Stephen Smalley
National Security Agency

From shintaro.fujiwara at gmail.com Wed May 6 12:00:12 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Wed, 6 May 2009 21:00:12 +0900
Subject: How can I set certain domain don't audit for certain time ?

Hi, I try to ps from certain domain and when I do that a lot of denied messages occur.

I set this domain permissive but I want to silence it altogether.

One thing in my mind is to domain_trans to domain same as ps, but my question is to don't audit for certain time like semanage permissive.
After ps, I want to audit everything as hoped.

Thanks in advance.

-- 
http://intrajp.no-ip.com/ Home Page

From dwalsh at redhat.com Wed May 6 12:04:30 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 06 May 2009 08:04:30 -0400
Subject: How can I set certain domain don't audit for certain time ?
Message-ID: <4A017CCE.6000107@redhat.com>

On 05/06/2009 08:00 AM, Shintaro Fujiwara wrote:
> Hi, I try to ps from certain domain and when I do that a lot of denied
> messages occur.
>
> I set this domain permissive but I want to silence it altogether.
>
> One thing in my mind is to domain_trans to domain same as ps, but my
> question is to don't audit for certain time like semanage permissive.
>
> After ps, I want to audit everything as hoped.
>
> Thanks in advance.
>

domain_read_all_domains_state(mytype_t)
or
domain_dontaudit_read_all_domains_state(mytype_t)

From shintaro.fujiwara at gmail.com Wed May 6 12:22:09 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Wed, 6 May 2009 21:22:09 +0900
Subject: How can I set certain domain don't audit for certain time ?
In-Reply-To: <4A017CCE.6000107@redhat.com>
References: <4A017CCE.6000107@redhat.com>

Thank you, sir.

I will make a module, install and remove it.

2009/5/6 Daniel J Walsh :
> On 05/06/2009 08:00 AM, Shintaro Fujiwara wrote:
>>
>> Hi, I try to ps from certain domain and when I do that a lot of denied
>> messages occur.
>>
>> I set this domain permissive but I want to silence it altogether.
>>
>> One thing in my mind is to domain_trans to domain same as ps, but my
>> question is to don't audit for certain time like semanage permissive.
>>
>> After ps, I want to audit everything as hoped.
>>
>> Thanks in advance.
>>
>
> domain_read_all_domains_state(mytype_t)
> or
> domain_dontaudit_read_all_domains_state(mytype_t)
>

-- 
http://intrajp.no-ip.com/ Home Page

From kaigai at ak.jp.nec.com Wed May 6 23:56:44 2009
From: kaigai at ak.jp.nec.com (KaiGai Kohei)
Date: Thu, 07 May 2009 08:56:44 +0900
Subject: How to install SELinux original policy as original RPM
References: <4A0032F6.1040801@redhat.com>
Message-ID: <4A0223BC.5020502@ak.jp.nec.com>

Shintaro Fujiwara wrote:
> Yeah, I wrote,
>
> %post
> /usr/sbin/semodule -u /usr/share/segatex/segatex.pp
>
> but, I got
>
> Requires(post): /bin/sh
> Requires: /bin/sh libQt3Support.so.4 libQtCore.so.4 libQtGui.so.4
> libQtNetwork.so.4 libQtSql.so.4 libc.so.6 libc.so.6(GLIBC_2.0)
> libc.so.6(GLIBC_2.1) libc.so.6(GLIBC_2.1.3) libc.so.6(GLIBC_2.4)
> libgcc_s.so.1 libgcc_s.so.1(GCC_3.0) libm.so.6 libpthread.so.0
> libselinux.so.1 libstdc++.so.6 libstdc++.so.6(CXXABI_1.3)
> libstdc++.so.6(GLIBCXX_3.4) libstdc++.so.6(GLIBCXX_3.4.9)
> rtld(GNU_HASH)
>
> what's this, I guess something's lacking in the above statement?

Do you have the following Requires: definition in the specfile?

Requires: libselinux policycoreutils selinux-policy

BTW, /usr/share/selinux//segatex.pp is a preferable location to store the policy package.

Thanks,

> 2009/5/5 Daniel J Walsh :
>> On 05/05/2009 12:56 AM, Shintaro Fujiwara wrote:
>>> Hello, I don't know how to install SELinux original policy as original
>>> RPM.
>>> I edited my spec file but semodule didn't work in BUILDROOT.
>>> Thanks in advance.
>>>
>> semodule should be run in the post install, not during the build section.
>> You are adding your policy to the installed policy on the destination
>> machine.

-- 
OSS Platform Development Division, NEC
KaiGai Kohei

From goetz.lohmann at gmx.de Thu May 7 22:21:30 2009
From: goetz.lohmann at gmx.de (G.
Lohmann)
Date: Fri, 08 May 2009 00:21:30 +0200
Subject: HowTo create a new domain for a web administration tool
Message-ID: <1241734890.32159.51.camel@localhost.localdomain>

Hi List,

there are a lot of web administration frontends (plesk, confixx, ispconfig, webmin, ..) out there and nearly all of them start with disabling SELinux, which I think is a bad idea. On the other hand it is a bit tricky to get around the various issues. I already started to read for example the "Fedora Core 5 SELinux FAQ" which already solved some issues for me but as well opened a lot of new questions.

There are in general two problems:

1. Installing the web frontend in an SELinux enabled environment

Mostly this is done by extracting a tar archive and then calling a script that starts to copy several files and modify configuration files of several daemons and restarting them. I already figured out that if I modify the domain of the script, I get fewer warnings:

/home/downloads # chcon -R -t bin_t install
/home/downloads # php install.php

a.) I am not sure if the domain 'bin_t' is Ok at all

b.)
I still get a couple of warnings when the script tries to restart the daemons, like

type=AVC msg=audit(1241722547.281:24545): avc: denied { read write } for pid=29460 comm="restorecon" path="socket:[121254]" dev=sockfs ino=121254 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1241722547.281:24545): arch=c000003e syscall=59 success=yes exit=0 a0=1d0a630 a1=1d0a6e0 a2=1cd8e70 a3=8 items=0 ppid=29415 pid=29460 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0 key=(null)
type=AVC msg=audit(1241722547.726:24546): avc: denied { read write } for pid=29463 comm="mysqld_safe" path="socket:[121254]" dev=sockfs ino=121254 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1241722547.726:24546): arch=c000003e syscall=59 success=yes exit=0 a0=1d0a630 a1=1d07070 a2=1cd8e70 a3=0 items=0 ppid=29415 pid=29463 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mysqld_safe" exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)

c.) I already tried to create a policy via

# audit2allow -m local -l -i /var/log/audit/audit.log > local.te

the resulting file already contains several entries like:

...
#============= ftpd_t ==============
allow ftpd_t unconfined_t:unix_stream_socket { read write };

#============= httpd_t ==============
allow httpd_t initrc_exec_t:dir search;
allow httpd_t unconfined_t:unix_stream_socket { read write };

#============= mysqld_safe_t ==============
allow mysqld_safe_t initrc_exec_t:dir { search getattr };
allow mysqld_safe_t unconfined_t:unix_stream_socket { read write };
...
but the 'unconfined_t' sounds like this rule would now be generated for ALL and everybody, but I only want to give these rights to the install script. So I guess I have to create an own domain 'install_t' and then set the domain of the 'install.php' to that domain.

2. Running the web application below the httpd domain

This is the second tricky part. If one gets these tools installed properly one gets several warnings of the application accessing several parts which a common httpd may not be allowed to. Maybe one idea might already be to have a second apache daemon running for the administration frontend that runs under a different extended domain than the default apache ... but already this is not obvious to handle.

What I already was able to barely solve was the following. There is a custom logging tool inside of the 'httpd.conf' using a perl script and looking like:

CustomLog "| /usr/sbin/vlogger -s access.log -t \"%Y%m%d-access.log\" /var/log/webadmin/httpd" combined_webadmin

This produced in the default setup already several errors leading to the log file placed there not being written by apache. A small check with ls already showed me why:

# ls -alZ /var/log
...
drwx------ root root system_u:object_r:httpd_log_t:s0 httpd
drwxr-xr-x root root unconfined_u:object_r:unconfined_t:s0 webadmin
...

changing the user and the type of that folder already solved the problem, so that apache now could write there:

# chcon -R -u system_u webadmin
# chcon -R -t httpd_sys_content_rw_t webadmin
# ls -alZ /var/log
...
drwx------ root root system_u:object_r:httpd_log_t:s0 httpd
drwxr-xr-x root root system_u:object_r:httpd_sys_content_rw_t:s0 webadmin

The follow-up problem now is that 'logrotate' now throws warnings/errors that it is unable to rotate the log in that folder. Unfortunately if I change 'httpd_sys_content_rw_t' to 'httpd_log_t' apache refuses to write to that folder, or better say ...
apache is calling '/usr/sbin/vlogger' in the httpd domain which then is not allowed to write there.

So there are some questions:

a.) how to install those files and folders by the previously mentioned 'install.php' script with the proper rights and

b.) does the issue of the logger mean that I need to create an own domain or can I 'fix' it by just setting a different domain tag to '/usr/sbin/vlogger'?

thx in advance
Goetz

From adriangolding at gmail.com Mon May 11 10:37:42 2009
From: adriangolding at gmail.com (fluffie)
Date: Mon, 11 May 2009 03:37:42 -0700 (PDT)
Subject: What changed that allows xguest to go on AOL?
Message-ID: <23480891.post@talk.nabble.com>

i read the article from : http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ and i recently installed setools to (hopefully) understand more about SELinux.

in the article, it is shown (and i tried) that xguest_t role cannot communicate using AOL. the xguest_t can launch pidgin in /usr/bin/ though. AOL uses the port 5190 and that port has the 'aol_port_t' type. so i created the new policy rule as per the tutorial and now my xguest_t can use pidgin and talk on AOL.

if i were to use 'apol' to understand the changes made by the new policy change, how should i do it? i tried to do a 'domain transition analysis', starting from the xguest_t type and then see how many ways xguest_t can transit to the aol_port_t type, and tried to compare the 'before' and 'after' policy addition. But i could not tell any difference.

so i guess my question is more of how to use 'apol' to obtain meaningful information such as this. i cannot help but feel overwhelmed using apol because there are so many options and so much information coming back at me.

thank you

-- 
View this message in context: http://www.nabble.com/What-changed-that-allows-xguest-to-go-on-AOL--tp23480891p23480891.html
Sent from the Fedora SELinux List mailing list archive at Nabble.com.
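Two of the threads above turn on reading raw AVC records carefully: Stephen's point that John's new httpd denial is execheap rather than the execmod he had already built a module for, and Goetz's worry that the local.te audit2allow produced would hand unconfined_t socket access to every process in ftpd_t, httpd_t and mysqld_safe_t rather than to his install script alone. The Python below is an added example written for this archive; it is not a tool from the list, from audit2allow or from the selinux project. It reimplements only the grouping step audit2allow performs (merge denied permissions per source type, target type and object class, render them as allow rules, group the output by source type) over the exact records quoted in those two threads, and flags the two situations the replies describe. Everything in SAMPLE_LOG is copied from the messages above; the warning heuristics are mine. It never consults the loaded policy, so unlike audit2why it cannot tell you whether a denial is hidden by a dontaudit rule, covered by a boolean, or caused by a constraint.

```python
"""audit2allow-style grouping of AVC denials, with two sanity checks.

Added example for this archive, not a tool from the list. Parses raw audit.log
'type=AVC' records, merges them into allow rules the way audit2allow does, and
warns about (a) executable-memory denials on the process class and (b) rules
whose target is unconfined_t. It does not consult the loaded policy.
"""
import re
from collections import defaultdict

# Sample input: the AVC and SYSCALL records quoted in the two threads above,
# copied verbatim. SYSCALL records carry no denial and must be skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1241564879.792:4671): avc: denied { execheap } for pid=28957 comm="httpd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1241564879.792:4671): arch=40000003 syscall=125 success=no exit=-13 a0=ffa000 a1=1b8000 a2=5 a3=bf8b7eb0 items=0 ppid=28953 pid=28957 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1241722547.281:24545): avc: denied { read write } for pid=29460 comm="restorecon" path="socket:[121254]" dev=sockfs ino=121254 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1241722547.726:24546): avc: denied { read write } for pid=29463 comm="mysqld_safe" path="socket:[121254]" dev=sockfs ino=121254 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\b"
    r".*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Executable-memory permissions on the process class. They are distinct
# permissions (text relocation, executable heap, anonymous executable
# memory, executable stack), so a module that allows one does not cover
# another; that is exactly the execmod-vs-execheap confusion in the thread.
EXEC_PERMS = {"execmem", "execmod", "execheap", "execstack"}


def context_type(ctx):
    """user:role:type[:mls] -> type  (works with or without an MLS field)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (stype, ttype, tclass, perms) for an AVC record, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (context_type(m.group("scon")), context_type(m.group("tcon")),
            m.group("tclass"), frozenset(m.group("perms").split()))


def group_denials(lines):
    """Merge denials into {(stype, ttype, tclass): set(perms)}, as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def format_rule(key, perms):
    """Render one allow rule; a target equal to the source becomes 'self'."""
    stype, ttype, tclass = key
    target = "self" if ttype == stype else ttype
    plist = sorted(perms)
    perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
    return f"allow {stype} {target}:{tclass} {perm_str};"


def warnings_for(key, perms):
    """Heuristic review notes for a rule (my heuristics, not audit2why's)."""
    stype, ttype, tclass = key
    notes = []
    exec_hits = sorted(perms & EXEC_PERMS)
    if tclass == "process" and exec_hits:
        notes.append(
            f"{stype}: '{' '.join(exec_hits)}' is an executable-memory denial; a module "
            "for a different exec* permission will not cover it, and a boolean "
            "(getsebool -a | grep exec) or fixing the library is usually preferable")
    if ttype == "unconfined_t":
        notes.append(
            f"{stype}: target is unconfined_t ({tclass}), typically an fd or socket "
            f"inherited from an unconfined shell; the rule would apply to every {stype} "
            "process, not only the one that triggered the denial")
    return notes


def to_te(rules):
    """Render rules grouped by source type with audit2allow-style headers."""
    out = []
    for stype in sorted({k[0] for k in rules}):
        out.append(f"#============= {stype} ==============")
        for key in sorted(k for k in rules if k[0] == stype):
            for note in warnings_for(key, rules[key]):
                out.append(f"# WARNING: {note}")
            out.append(format_rule(key, rules[key]))
    return "\n".join(out)


if __name__ == "__main__":
    print(to_te(group_denials(SAMPLE_LOG.splitlines())))
```

Run as a script it prints a .te fragment equivalent to the one Goetz posted, with a warning line above each rule that merits a second look. For real use, feed it the output of `ausearch -m avc` instead of SAMPLE_LOG. The unconfined_t warning is the reason the generated rules should not simply be loaded: the inherited socket is the unconfined shell's, and Goetz's instinct to give the installer its own domain is the right fix. Remember too that this script only sees what the kernel audited; Stephen's later advice to rebuild with `semodule -DB` when a denial produces no AVC at all applies before any of this.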
From BGinn at symark.com Mon May 11 16:54:46 2009
From: BGinn at symark.com (Brian Ginn)
Date: Mon, 11 May 2009 09:54:46 -0700
Subject: multiple output file context types?
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D53@dragonfly.symark.com>

I have an application that has two different types of output files that are normally written to /var/log.

1: diagnostic log - should be readable by "normal" system administrators.
2: security data log - should only be readable by security officers.

Is there a different way to declare two different file context types for output files?

My current attempts do not work:

For the diagnostic log, I have created a log file type myapp_log_t, and created a file context:

/var/log/myapp\.log -- gen_context(system_u:object_r:myapp_log_t,s0)

Using the following policy statements, myapp creates a log file, and SELinux takes care of assigning the file context automatically:

logging_log_file(myapp_log_t)
logging_log_filetrans(myapp_t, myapp_log_t, { file dir } )
manage_dirs_pattern(myapp_t, myapp_log_t, myapp_log_t)
manage_files_pattern(myapp_t, myapp_log_t, myapp_log_t)

I wish to have a different type for the data log, however when I try to use logging_log_filetrans for a second log type, semodule complains:

[root at host1 log]# semodule -i /home/brian/src/myapp/myapp.pp
libsepol.expand_terule_helper: conflicting TE rule for (myapp_t, var_log_t:dir): old was myapp_log_t, new is myappsecurity_log_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root at host1 log]#

Thanks,
Brian

From sds at tycho.nsa.gov Mon May 11 17:04:48 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 11 May 2009 13:04:48 -0400
Subject: multiple output file context types?
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D53@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D53@dragonfly.symark.com>
Message-ID: <1242061488.4289.53.camel@localhost.localdomain>

On Mon, 2009-05-11 at 09:54 -0700, Brian Ginn wrote:
> I have an application that has two different types of output files
> that are normally written to /var/log.
>
> 1: diagnostic log - should be readable by "normal" system
> administrators.
>
> 2: security data log - should only be readable by security
> officers.
>
> Is there a different way to declare two different file context types
> for output files?

The kernel policy can only distinguish based on the creating process domain, the parent directory type, and the file class. You can therefore only define one default type assignment in the policy for any such triple. To support multiple output types, you have two choices:

1) Move one of the log files to a different subdirectory, e.g. /var/log/security, and assign that subdirectory a different type, or

2) Modify your application to call setfscreatecon(secctx) with the desired security context prior to creating the security data log file, then call setfscreatecon(NULL) afterward to restore the default labeling behavior on any subsequent file creations.

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Mon May 11 17:54:51 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 11 May 2009 13:54:51 -0400
Subject: multiple output file context types?
In-Reply-To: <1242061488.4289.53.camel@localhost.localdomain>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D53@dragonfly.symark.com> <1242061488.4289.53.camel@localhost.localdomain>
Message-ID: <4A08666B.7030007@redhat.com>

On 05/11/2009 01:04 PM, Stephen Smalley wrote:
> On Mon, 2009-05-11 at 09:54 -0700, Brian Ginn wrote:
>> I have an application that has two different types of output files
>> that are normally written to /var/log.
>>
>> 1: diagnostic log - should be readable by "normal" system
>> administrators.
>>
>> 2: security data log - should only be readable by security
>> officers.
>>
>> Is there a different way to declare two different file context types
>> for output files?
>
> The kernel policy can only distinguish based on the creating process
> domain, the parent directory type, and the file class. You can
> therefore only define one default type assignment in the policy for any
> such triple. To support multiple output types, you have two choices:
> 1) Move one of the log files to a different subdirectory,
> e.g. /var/log/security, and assign that subdirectory a different type,
> or
> 2) Modify your application to call setfscreatecon(secctx) with the
> desired security context prior to creating the security data log file,
> then call setfscreatecon(NULL) afterward to restore the default labeling
> behavior on any subsequent file creations.
>

Or precreate the files in the init script and run restorecon on them, then allow your confined domain to append output to the files.

From BGinn at symark.com Tue May 12 17:14:44 2009
From: BGinn at symark.com (Brian Ginn)
Date: Tue, 12 May 2009 10:14:44 -0700
Subject: roles in targeted mode
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D5F@dragonfly.symark.com>

After some time learning SELinux on Fedora 9, I'm on an RHEL 5.3 box in targeted mode.
The policycoreutils rpm doesn't contain the newrole command. Is newrole even needed in targeted mode?
seinfo -r -x
reports 6 roles and 268 total types
It looks like every role is allowed to run every type except for two types:
httpd_squid_script_t and httpd_prewikka_script_t

Thanks,
Brian

From dwalsh at redhat.com Tue May 12 18:07:35 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 12 May 2009 14:07:35 -0400
Subject: roles in targeted mode
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D5F@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D5F@dragonfly.symark.com>
Message-ID: <4A09BAE7.70201@redhat.com>

On 05/12/2009 01:14 PM, Brian Ginn wrote:
> After some time learning SELinux on Fedora 9, I'm on an RHEL 5.3 box in targeted mode.
> The policycoreutils rpm doesn't contain the newrole command. Is newrole even needed in targeted mode?
>

No, targeted policy in RHEL5 is basically everything in the system_r role. This is changing in Fedora 9 and beyond, where you can have confined user roles along with unconfined user roles.

> seinfo -r -x
> reports 6 roles and 268 total types
> It looks like every role is allowed to run every type except for two types:
> httpd_squid_script_t and httpd_prewikka_script_t
>
> Thanks,
> Brian
>

From shintaro.fujiwara at gmail.com Wed May 13 11:41:57 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Wed, 13 May 2009 20:41:57 +0900
Subject: How can I create shadow_t file ?

Well, I've been writing a policy to add user from certain domain.
I wrote a policy including these interfaces,

auth_domtrans_chk_passwd(segatex_t)
auth_manage_shadow(segatex_t)
auth_rw_shadow(segatex_t)
files_manage_etc_files(segatex_t)

and still I can't add user from certain domain and when I look into log, I have two denied messages,

etc_t file create
shadow_t file create

So I wrote exactly same thing to allow create these but still I can't add user nor delete user.

I feel numb.

-- 
http://intrajp.no-ip.com/ Home Page

From sds at tycho.nsa.gov Wed May 13 12:24:07 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 13 May 2009 08:24:07 -0400
Subject: How can I create shadow_t file ?
Message-ID: <1242217447.9974.11.camel@localhost.localdomain>

On Wed, 2009-05-13 at 20:41 +0900, Shintaro Fujiwara wrote:
> Well, I've been writing a policy to add user from certain domain.
>
> I wrote a policy including these interfaces,
>
> auth_domtrans_chk_passwd(segatex_t)
> auth_manage_shadow(segatex_t)
> auth_rw_shadow(segatex_t)
> files_manage_etc_files(segatex_t)
>
> and still I can't add user from certain domain and when I look into
> log, I have two denied messages,
>
> etc_t file create
> shadow_t file create
>
> So I wrote exactly same thing to allow create these but still I can't
> add user nor delete user.
>
> I feel numb.

What does audit2why report when you feed it these avc denial messages?

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Wed May 13 13:33:35 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 13 May 2009 09:33:35 -0400
Subject: How can I create shadow_t file ?
Message-ID: <4A0ACC2F.9040803@redhat.com>

On 05/13/2009 07:41 AM, Shintaro Fujiwara wrote:
> Well, I've been writing a policy to add user from certain domain.
>
> I wrote a policy including these interfaces,
>
> auth_domtrans_chk_passwd(segatex_t)
> auth_manage_shadow(segatex_t)
> auth_rw_shadow(segatex_t)
> files_manage_etc_files(segatex_t)
>
> and still I can't add user from certain domain and when I look into
> log, I have two denied messages,
>
> etc_t file create
> shadow_t file create
>
> So I wrote exactly same thing to allow create these but still I can't
> add user nor delete user.
>
> I feel numb.
>

You are fighting constraints.

If your tool is relabeling you probably need,
domain_subj_id_change_exemption(segatex_t)
To allow you to change the user component.

audit2allow -w (audit2why) will tell you if you are failing a constraint.

From shintaro.fujiwara at gmail.com Wed May 13 14:01:00 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Wed, 13 May 2009 23:01:00 +0900
Subject: How can I create shadow_t file ?
In-Reply-To: <4A0ACC2F.9040803@redhat.com>
References: <4A0ACC2F.9040803@redhat.com>

Thank you.

I updated my tool's policy including 2 interfaces you guys introduced.

Still I can't add user from my tool and strangely, no AVC messages now even when I set SELinux permissive.
Of course when I set permissive, I can add user.
But, I don't have any denied logs now...

No way out ?

2009/5/13 Daniel J Walsh :
> On 05/13/2009 07:41 AM, Shintaro Fujiwara wrote:
>>
>> Well, I've been writing a policy to add user from certain domain.
>>
>> I wrote a policy including these interfaces,
>>
>> auth_domtrans_chk_passwd(segatex_t)
>> auth_manage_shadow(segatex_t)
>> auth_rw_shadow(segatex_t)
>> files_manage_etc_files(segatex_t)
>>
>> and still I can't add user from certain domain and when I look into
>> log, I have two denied messages,
>>
>> etc_t file create
>> shadow_t file create
>>
>> So I wrote exactly same thing to allow create these but still I can't
>> add user nor delete user.
>>
>> I feel numb.
>>
>>
> You are fighting constraints.
>
> If your tool is relabeling you probably need,
> domain_subj_id_change_exemption(segatex_t)
> To allow you to change the user component.
>
> audit2allow -w (audit2why) will tell you if you are failing a constraint.
>

--
http://intrajp.no-ip.com/ Home Page

From sds at tycho.nsa.gov Wed May 13 13:56:28 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 13 May 2009 09:56:28 -0400
Subject: How can I create shadow_t file ?
In-Reply-To:
References: <4A0ACC2F.9040803@redhat.com>
Message-ID: <1242222988.9974.24.camel@localhost.localdomain>

On Wed, 2009-05-13 at 23:01 +0900, Shintaro Fujiwara wrote:
> Thank you.
>
> I updated my tool's policy including 2 interfaces you guys introduced.
>
> Still I can't add user from my tool and strangely, no AVC messages now
> even I set SELinux permissive.
> Of course when I set permissive, I can add user.
> But, I don't have any denied logs now...
>
> No way out ?

Run "semodule -DB" to strip dontaudit rules and try again.
You'll have to wade through the irrelevant avc messages though.

--
Stephen Smalley
National Security Agency

From shintaro.fujiwara at gmail.com Wed May 13 14:48:58 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Wed, 13 May 2009 23:48:58 +0900
Subject: How can I create shadow_t file ?
In-Reply-To: <1242222988.9974.24.camel@localhost.localdomain>
References: <4A0ACC2F.9040803@redhat.com> <1242222988.9974.24.camel@localhost.localdomain>
Message-ID:

Yeah, I was forgetting the command "audit them all" stuff, thanks for letting me know.

#after i semanage -DB

allow segatex_t security_t:filesystem getattr;
allow segatex_t self:process setfscreate;
allow segatex_t semanage_t:process { siginh rlimitinh noatsecure };

#============= semanage_t ==============
allow semanage_t setfiles_t:process { siginh rlimitinh noatsecure };

#end after i semanage -DB

I finally made it.
Both adding and deleting user.

Maybe I should add button to audit them all thing.
I remember RH original one had it, so.

Thanks !
2009/5/13 Stephen Smalley :
> On Wed, 2009-05-13 at 23:01 +0900, Shintaro Fujiwara wrote:
>> Thank you.
>>
>> I updated my tool's policy including 2 interfaces you guys introduced.
>>
>> Still I can't add user from my tool and strangely, no AVC messages now
>> even I set SELinux permissive.
>> Of course when I set permissive, I can add user.
>> But, I don't have any denied logs now...
>>
>> No way out ?
>
> Run "semodule -DB" to strip dontaudit rules and try again.
> You'll have to wade through the irrelevant avc messages though.
>
> --
> Stephen Smalley
> National Security Agency
>
>

--
http://intrajp.no-ip.com/ Home Page

From shintaro.fujiwara at gmail.com Wed May 13 14:55:26 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Wed, 13 May 2009 23:55:26 +0900
Subject: How can I create shadow_t file ?
In-Reply-To:
References: <4A0ACC2F.9040803@redhat.com> <1242222988.9974.24.camel@localhost.localdomain>
Message-ID:

I typed semodule -DB, my mistake...

If you are kind enough to teach me a way back to normal audit, I am glad to hear.
I forgot , sorry.

semodule -B ?

Thanks.

2009/5/13 Shintaro Fujiwara :
> Yeah, I was forgetting the command "audit them all" stuff, thanks for
> letting me know.
>
> #after i semanage -DB
>
> allow segatex_t security_t:filesystem getattr;
> allow segatex_t self:process setfscreate;
> allow segatex_t semanage_t:process { siginh rlimitinh noatsecure };
>
> #============= semanage_t ==============
> allow semanage_t setfiles_t:process { siginh rlimitinh noatsecure };
>
> #end after i semanage -DB
>
> I finally made it.
> Both adding and deleting user.
>
> Maybe I should add button to audit them all thing.
> I remember RH original one had it, so.
>
> Thanks !
>
> 2009/5/13 Stephen Smalley :
>> On Wed, 2009-05-13 at 23:01 +0900, Shintaro Fujiwara wrote:
>>> Thank you.
>>>
>>> I updated my tool's policy including 2 interfaces you guys introduced.
>>>
>>> Still I can't add user from my tool and strangely, no AVC messages now
>>> even I set SELinux permissive.
>>> Of course when I set permissive, I can add user.
>>> But, I don't have any denied logs now...
>>>
>>> No way out ?
>>
>> Run "semodule -DB" to strip dontaudit rules and try again.
>> You'll have to wade through the irrelevant avc messages though.
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>>
>
>
>
> --
> http://intrajp.no-ip.com/ Home Page
>

--
http://intrajp.no-ip.com/ Home Page

From sds at tycho.nsa.gov Wed May 13 15:21:16 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 13 May 2009 11:21:16 -0400
Subject: How can I create shadow_t file ?
In-Reply-To:
References: <4A0ACC2F.9040803@redhat.com> <1242222988.9974.24.camel@localhost.localdomain>
Message-ID: <1242228076.9974.31.camel@localhost.localdomain>

On Wed, 2009-05-13 at 23:55 +0900, Shintaro Fujiwara wrote:
> I typed semodule -DB, my mistake...
>
> If you are kind enough to teach me a way back to normal audit, I am
> glad to hear.
> I forgot , sorry.
>
> semodule -B ?

Yes.

--
Stephen Smalley
National Security Agency

From BGinn at symark.com Fri May 15 01:01:59 2009
From: BGinn at symark.com (Brian Ginn)
Date: Thu, 14 May 2009 18:01:59 -0700
Subject: multiple output file context types?
In-Reply-To: <1242061488.4289.53.camel@localhost.localdomain>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D53@dragonfly.symark.com> <1242061488.4289.53.camel@localhost.localdomain>
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D65@dragonfly.symark.com>

Thanks for the info!

I chose to use setfscreatecon().
I had it working on Monday. It worked through this afternoon,
Then all the sudden it stopped working.

Audit2why reported:
type=AVC msg=audit(1242347675.070:837): avc: denied { create } for pid=14914 comm="myapp" name="myapp.seclog" scontext=root:system_r:myapp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:myapp_sec_log_t:s0 tclass=file
Was caused by:
Constraint violation.
Check policy/constraints.
Typically, you just need to add a type attribute to the domain to satisfy the constraint.

Audit2allow shows a line that is already in the myapp.te file:
allow myapp_t myapp_sec_log_t:file create;

I finally rebooted - and it works again.

Does SELinux on RHEL5.3 have any known "flakiness" that reboots normally solve?

Thanks,
Brian

-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
Sent: Monday, May 11, 2009 10:05 AM
To: Brian Ginn
Cc: 'fedora-selinux-list at redhat.com'
Subject: Re: multiple output file context types?

On Mon, 2009-05-11 at 09:54 -0700, Brian Ginn wrote:
> I have an application that has two different types of output files
> that are normally written to /var/log.
>
> 1: diagnostic log - should be readable by "normal" system
> administrators.
>
> 2: security data log - should only be readable by security
> officers.
>
>
>
> Is there a different way to declare two different file context types
> for output files?

The kernel policy can only distinguish based on the creating process domain, the parent directory type, and the file class. You can therefore only define one default type assignment in the policy for any such triple. To support multiple output types, you have two choices:

1) Move one of the log files to a different subdirectory, e.g. /var/log/security, and assign that subdirectory a different type, or

2) Modify your application to call setfscreatecon(secctx) with the desired security context prior to creating the security data log file, then call setfscreatecon(NULL) afterward to restore the default labeling behavior on any subsequent file creations.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Fri May 15 11:42:50 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 15 May 2009 07:42:50 -0400
Subject: multiple output file context types?
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D65@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D53@dragonfly.symark.com> <1242061488.4289.53.camel@localhost.localdomain> <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D65@dragonfly.symark.com>
Message-ID: <1242387770.29973.6.camel@localhost.localdomain>

On Thu, 2009-05-14 at 18:01 -0700, Brian Ginn wrote:
> Thanks for the info!
>
> I chose to use setfscreatecon().
> I had it working on Monday. It worked through this afternoon,
> Then all the sudden it stopped working.
>
> Audit2why reported:
> type=AVC msg=audit(1242347675.070:837): avc: denied { create } for pid=14914 comm="myapp" name="myapp.seclog" scontext=root:system_r:myapp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:myapp_sec_log_t:s0 tclass=file
> Was caused by:
> Constraint violation.
> Check policy/constraints.
> Typically, you just need to add a type attribute to the domain to satisfy the constraint.
>
> Audit2allow shows a line that is already in the myapp.te file:
> allow myapp_t myapp_sec_log_t:file create;
>
> I finally rebooted - and it works again.
>
> Does SELinux on RHEL5.3 have any known "flakiness" that reboots normally solve?

It wasn't merely the reboot, but rather the SELinux user identity on the process vs. the file. If you look at the denial, you'll see that your process was running with the "root" identity in the scontext, and the file was labeled with the "system_u" identity in the tcontext. That violates a policy constraint on the ability to create or relabel files with a different SELinux user identity. Unfortunately, if you manually restart a service, it will run with your user identity rather than system_u and thus can sometimes cause this problem. The "run_init" helper program was written to help avoid this as well as other issues, e.g. run_init /etc/init.d/myapp restart. Alternatively, you may wish to add the type attribute to myapp_t that allows it to create files with a different SELinux user identity.
This can be done via:
domain_obj_id_change_exemption(myapp_t)

which simply expands to:
require {
	attribute can_change_object_identity;
}
typeattribute myapp_t can_change_object_identity;

This then satisfies the constraint in policy/constraints:
constrain dir_file_class_set { create relabelto relabelfrom }
	( u1 == u2 or t1 == can_change_object_identity );

which means:
Only allow the { create relabelto relabelfrom } permissions if the user identity of the source context (u1) equals the user identity of the target context (u2) or if the TE type of the source context (t1) is part of the set of types associated with the can_change_object_identity type attribute.

Welcome to a dark corner of SELinux...

--
Stephen Smalley
National Security Agency

From BGinn at symark.com Fri May 15 20:43:37 2009
From: BGinn at symark.com (Brian Ginn)
Date: Fri, 15 May 2009 13:43:37 -0700
Subject: network failures maybe SELinux related?
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D66@dragonfly.symark.com>

I have a client app run by users, and two server apps run from xinetd.
The client connects to server1
Server1 connects to server2
Server2 connects back to the client app

When not confined by SELinux policy. Everything works fine.
I can run several hundred iterations without any failures.
When confined, but run in permissive mode, Everything works fine. - nothing in audit.log

When confined and enforced, it works a few times, then the connection from server1 to server2 fails.
Then, after a rest, it works a few times, then the connection from server1 to server2 fails.
There is nothing in audit.log.
Does anyone have suggestions for constraints or don't audit rules I should look into?

Thanks,
Brian

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From BGinn at symark.com Fri May 15 21:47:50 2009
From: BGinn at symark.com (Brian Ginn)
Date: Fri, 15 May 2009 14:47:50 -0700
Subject: SELinux default contexts and PAM session?
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D68@dragonfly.symark.com>

I have a server app that runs from xinetd.
This server's job is to exec a program.
This app is not yet confined by SELinux policy.

When I use PAM session service, audit.log shows:

type=USER_ROLE_CHANGE msg=audit(1242413723.389:14866): user pid=24149 uid=0 auid=0 subj=system_u:system_r:inetd_t:s0-s0:c0.c1023 msg='pam: default-context=root:system_r:amanda_t:s0-s0:c0.c1023 selected-context=root:system_r:amanda_t:s0-s0:c0.c1023: exe="/usr/sbin/myserverd" (hostname=?, addr=?, terminal=ptmx res=success)'

Somehow, SELinux is deciding that the default context should be ...amanda_t...
How is that decision made?
Can I create a more correct context (that will be recognized as the default context) without confining the server?

Thanks,
Brian

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From BGinn at symark.com Fri May 15 21:48:55 2009
From: BGinn at symark.com (Brian Ginn)
Date: Fri, 15 May 2009 14:48:55 -0700
Subject: network failures maybe SELinux related?
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D66@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D66@dragonfly.symark.com>
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D69@dragonfly.symark.com>

corenet_tcp_bind_all_ports() seems to have solved my problems.

-Brian

From: Brian Ginn
Sent: Friday, May 15, 2009 1:44 PM
To: 'fedora-selinux-list at redhat.com'
Subject: network failures maybe SELinux related?

I have a client app run by users, and two server apps run from xinetd.
The client connects to server1
Server1 connects to server2
Server2 connects back to the client app

When not confined by SELinux policy. Everything works fine.
I can run several hundred iterations without any failures.
When confined, but run in permissive mode, Everything works fine.
- nothing in audit.log

When confined and enforced, it works a few times, then the connection from server1 to server2 fails.
Then, after a rest, it works a few times, then the connection from server1 to server2 fails.
There is nothing in audit.log.
Does anyone have suggestions for constraints or don't audit rules I should look into?

Thanks,
Brian

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From shintaro.fujiwara at gmail.com Fri May 15 23:50:55 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Sat, 16 May 2009 08:50:55 +0900
Subject: How can I know disabling dontaudit or not ?
Message-ID:

Hi, I typed,

#semodule -DB

How should I know if I succeeded disabled dontaudits ?

Thanks.

--
http://intrajp.no-ip.com/ Home Page

From dwalsh at redhat.com Sat May 16 11:49:31 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 16 May 2009 07:49:31 -0400
Subject: network failures maybe SELinux related?
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D69@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D66@dragonfly.symark.com> <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D69@dragonfly.symark.com>
Message-ID: <4A0EA84B.90207@redhat.com>

On 05/15/2009 05:48 PM, Brian Ginn wrote:
> corenet_tcp_bind_all_ports() seems to have solved my problems.
>
On what domain? This will allow that domain to bind to any port, if you know what port you want to listen on, you might be able to add the port using

semanage port -a -t MISTERYDOMAIN_port_t -p tcp PORTNUMBER

>
> -Brian
>
>
> From: Brian Ginn
> Sent: Friday, May 15, 2009 1:44 PM
> To: 'fedora-selinux-list at redhat.com'
> Subject: network failures maybe SELinux related?
>
> I have a client app run by users, and two server apps run from xinetd.
> The client connects to server1
> Server1 connects to server2
> Server2 connects back to the client app
>
> When not confined by SELinux policy. Everything works fine.
> I can run several hundred iterations without any failures.
> When confined, but run in permissive mode, Everything works fine.
> - nothing in audit.log
>
> When confined and enforced, it works a few times, then the connection from server1 to server2 fails.
> Then, after a rest, it works a few times, then the connection from server1 to server2 fails.
> There is nothing in audit.log.
> Does anyone have suggestions for constraints or don't audit rules I should look into?
>
>
> Thanks,
> Brian
>
>
>
>
>
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Sat May 16 11:59:25 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 16 May 2009 07:59:25 -0400
Subject: SELinux default contexts and PAM session?
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D68@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D68@dragonfly.symark.com>
Message-ID: <4A0EAA9D.4000308@redhat.com>

On 05/15/2009 05:47 PM, Brian Ginn wrote:
> I have a server app that runs from xinetd.
>
> This server's job is to exec a program.
>
> This app is not yet confined by SELinux policy.
>
>
>
> When I use PAM session service, audit.log shows:
>
>
>
> type=USER_ROLE_CHANGE msg=audit(1242413723.389:14866): user pid=24149 uid=0 auid=0 subj=system_u:system_r:inetd_t:s0-s0:c0.c1023 msg='pam: default-context=root:system_r:amanda_t:s0-s0:c0.c1023 selected-context=root:system_r:amanda_t:s0-s0:c0.c1023: exe="/usr/sbin/myserverd" (hostname=?, addr=?, terminal=ptmx res=success)'
>
> Somehow, SELinux is deciding that the default context should be ...amanda_t...
> How is that decision made?
> Can I create a more correct context (that will be recognized as the default context) without confining the server?
>
>
>
> Thanks,
> Brian
>
>
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

I have no idea what this is, but is there a pam_selinux somewhere being called in your pam stack? pam_selinux is used for assigning user domains and it is obviously confused.

From dwalsh at redhat.com Sat May 16 12:05:13 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 16 May 2009 08:05:13 -0400
Subject: How can I know disabling dontaudit or not ?
In-Reply-To:
References:
Message-ID: <4A0EABF9.7050906@redhat.com>

On 05/15/2009 07:50 PM, Shintaro Fujiwara wrote:
> Hi, I typed,
>
> #semodule -DB
>
> How should I know if I succeeded disabled dontaudits ?
>
> Thanks.
>
If the command did not display any errors, it succeeded. Also you should start to see a lot more avc messages. Start and stop a couple of services.

From shintaro.fujiwara at gmail.com Sat May 16 12:50:14 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Sat, 16 May 2009 21:50:14 +0900
Subject: How can I know disabling dontaudit or not ?
In-Reply-To: <4A0EABF9.7050906@redhat.com>
References: <4A0EABF9.7050906@redhat.com>
Message-ID:

Thanks.

So, I understand there are no commands checking present state of enabling or disabling dontaudit ?

And especially, disabling dontaudit survives next boot, for an ordinary administrator like me don't know whether or not disabling dontaudit.

If I forget disabling dontaudit and don't know much about SELinux audit, if somebody tell me to do audit2allow and some buggy program running to manage shadow_t, I will foolishly may install a policy to manage shadow_t ?

I think in that case, should be checked the present state of dontaudit disabled or not and giving advice to administrator to type command #semodule -B.
Well, I presently can manage at least making in certain confined area a file labeled shadow_t or whatever the dontaudit will be applied and check if the dontaudit is disabled or not.

I think only ugly way but as an ordinary administrator, I can manage in that way.

Thanks for your advices.

2009/5/16 Daniel J Walsh :
> On 05/15/2009 07:50 PM, Shintaro Fujiwara wrote:
>>
>> Hi, I typed,
>>
>> #semodule -DB
>>
>> How should I know if I succeeded disabled dontaudits ?
>>
>> Thanks.
>>
> If the command did not display any errors, it succeeded. Also you should
> start to see a lot more avc messages. Start and stop a couple of services.
>

--
http://intrajp.no-ip.com/ Home Page

From goeran at uddeborg.se Sun May 17 16:44:20 2009
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Sun, 17 May 2009 18:44:20 +0200
Subject: Why can not user_t link var_lib_t files?
Message-ID: <18960.16100.946561.405182@gargle.gargle.HOWL>

Is there some reason user_t is denied to link a file with type var_lib_t (among others)? Or did it just happen that way? I don't see any security advantage.

(It doesn't matter for the question, but I suspect somebody will ask why I want this. The particular use case where we were hit by this is non-standard. We have a digital TV receiver box that saves recordings via NFS under /var/lib/TV on a server. A user wanted to edit out the commercials from one recording using the m2vmp2cut tool. The tool is most easy to use when the original recording is in the working directory. She could copy the file from /var/lib/TV/... to her home directory, but to save a lot of time and space she tried to make a (hard) link instead. SELinux denied her that. Obviously non-standard, and the regular policy doesn't know anything about these files. And I know various ways to work around it, including adding a module. But I was a bit surprised over the denial. I would have expected user_t to be allowed to do this. Thus my question, is this by design or by mistake?)
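Two denials in this archive look alike in the log but have different causes: the user_t link denial asked about above is an ordinary missing allow rule, while Brian Ginn's myapp_t create denial earlier in the archive was refused by the policy constraint Stephen Smalley quoted (u1 == u2 or t1 == can_change_object_identity) even though a matching allow rule existed. The script below is an added example written for this page, not code from the list or from any poster's tool. It parses AVC records into contexts and re-implements that constraint check in Python, so the two cases can be told apart before anyone reaches for audit2allow. Brian's denial line is the one quoted in the thread; the user_t line is constructed for the example; the membership of dir_file_class_set is hard-coded as an assumption rather than read from policy.

```python
"""Parse SELinux AVC denials and re-check the user-identity constraint.

Added example (not the list's code nor any poster's tool). It re-implements
the constraint quoted from policy/constraints in the thread:

    constrain dir_file_class_set { create relabelto relabelfrom }
        ( u1 == u2 or t1 == can_change_object_identity );

so a reader can see why a denial can occur even when a matching allow
rule (here 'allow myapp_t myapp_sec_log_t:file create;') is in the policy.
"""
import re
from dataclasses import dataclass

# Denial exactly as quoted in the thread (Brian Ginn, myapp_t vs myapp_sec_log_t).
BRIAN_DENIAL = (
    'type=AVC msg=audit(1242347675.070:837): avc: denied { create } for pid=14914 '
    'comm="myapp" name="myapp.seclog" scontext=root:system_r:myapp_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:myapp_sec_log_t:s0 tclass=file'
)
# Constructed sample (not from the thread) of the user_t hard-link case.
USER_LINK_DENIAL = (
    'type=AVC msg=audit(1242581108.000:12): avc: denied { link } for pid=4242 '
    'comm="ln" name="recording.ts" scontext=user_u:user_r:user_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Context:
    """user:role:type[:mls]; the MLS range may itself contain ':'."""
    user: str
    role: str
    type: str
    mls: str = ""

    @classmethod
    def parse(cls, text):
        parts = text.split(":", 3)
        if len(parts) < 3:
            raise ValueError("not a security context: %r" % text)
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    scontext: Context
    tcontext: Context
    tclass: str


def parse_avc(line):
    """Return a Denial for an 'avc: denied' record, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return Denial(frozenset(m["perms"].split()), Context.parse(m["scontext"]),
                  Context.parse(m["tcontext"]), m["tclass"])


# Assumption of this example: the members of refpolicy's dir_file_class_set.
DIR_FILE_CLASS_SET = frozenset(
    {"dir", "file", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"})
CONSTRAINED_PERMS = frozenset({"create", "relabelto", "relabelfrom"})


def explains_denial(d, can_change_object_identity):
    """True if the user-identity constraint alone would produce this denial.

    u1 and t1 come from the source context, u2 from the target context,
    exactly as in the constrain statement. False means the constraint is
    not involved, so the cause is a missing TE allow rule instead.
    """
    if d.tclass not in DIR_FILE_CLASS_SET or not (d.perms & CONSTRAINED_PERMS):
        return False  # the constraint does not cover this class/permission
    u1, t1, u2 = d.scontext.user, d.scontext.type, d.tcontext.user
    return not (u1 == u2 or t1 in can_change_object_identity)


def triage(lines, can_change_object_identity=frozenset()):
    """Classify each record as 'constraint', 'te-rule' or 'not-avc'."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            out.append("not-avc")
        elif explains_denial(d, can_change_object_identity):
            out.append("constraint")
        else:
            out.append("te-rule")
    return out


if __name__ == "__main__":
    samples = [BRIAN_DENIAL, USER_LINK_DENIAL]
    print("before exemption:", triage(samples))
    # domain_obj_id_change_exemption(myapp_t) adds myapp_t to the attribute set.
    print("after exemption: ", triage(samples, frozenset({"myapp_t"})))
```

Run as a script it reports Brian's denial as a constraint violation until myapp_t is in the can_change_object_identity set, and the user_t link denial as a plain allow-rule gap in both cases; audit2why gives the same split, but seeing the u1/u2 comparison spelled out makes the "root vs system_u" explanation in the thread concrete.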
From domg472 at gmail.com Sun May 17 17:25:08 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Sun, 17 May 2009 19:25:08 +0200
Subject: Why can not user_t link var_lib_t files?
In-Reply-To: <18960.16100.946561.405182@gargle.gargle.HOWL>
References: <18960.16100.946561.405182@gargle.gargle.HOWL>
Message-ID: <1242581108.29548.7.camel@notebook2.grift.internal>

On Sun, 2009-05-17 at 18:44 +0200, Göran Uddeborg wrote:
> Is there some reason user_t is denied to link a file with type
> var_lib_t (among others)? Or did it just happen that way? I don't
> see any security advantage.
> Thus my question, is this by design or by mistake?)

I think the policy author could probably give the right answer but i think this is by design. Most stuff in /var is system stuff and not for users. So if a user has nothing to do there then no need to give them access either.

Stuff like /var/spool/mail/ is however accessible.

Like you suggested it is easy to create an extension or a new role/ custom user domain for this functionality.

If you want your users to be unrestricted then map the user to unconfined_u

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From goeran at uddeborg.se Sun May 17 20:26:24 2009
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Sun, 17 May 2009 22:26:24 +0200
Subject: Why can not user_t link var_lib_t files?
In-Reply-To: <1242581108.29548.7.camel@notebook2.grift.internal>
References: <18960.16100.946561.405182@gargle.gargle.HOWL> <1242581108.29548.7.camel@notebook2.grift.internal>
Message-ID: <18960.29424.602377.676548@gargle.gargle.HOWL>

Dominick Grift writes:
> Most stuff in /var is system stuff and not for
> users. So if a user has nothing to do there then no need to give them
> access either.
>
> Stuff like /var/spool/mail/ is however accessible.

Most things in /var are ACCESSIBLE. The same user that could not link the file had no problems copying it.
I was under the impression that user_u was not meant to be overly restricted. It should not be able to do su/sudo and other kinds of system work. But apart from that I thought it was meant to be able to do most things regular users on non-SELinux systems can do.

That was the impression I got from
http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
among other places. But maybe I have misunderstood things.

From dwalsh at redhat.com Mon May 18 12:15:07 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 18 May 2009 08:15:07 -0400
Subject: How can I know disabling dontaudit or not ?
In-Reply-To:
References: <4A0EABF9.7050906@redhat.com>
Message-ID: <4A11514B.2040600@redhat.com>

On 05/16/2009 08:50 AM, Shintaro Fujiwara wrote:
> Thanks.
>
> So, I understand there are no commands checking present state of
> enabling or disabling dontaudit ?
>
Correct. Although you could use sesearch --dontaudit to see there are no dontaudit rules in the policy.

> And especially, disabling dontaudit survives next boot, for an
> ordinary administrator like me don't know whether or not disabling
> dontaudit.

Yes semodule -DB rebuilds the /etc/selinux/targeted/policy/policy.VERSION

file which will stay there until the next time you run semanage or semodule (selinux-policy-targeted update for example)

>
> If I forget disabling dontaudit and don't know much about SELinux
> audit, if somebody tell me to do audit2allow and some buggy program
> running to manage shadow_t, I will foolishly may install a policy to
> manage shadow_t ?
>
Yes but you can always make this mistake.

> I think in that case, should be checked the present state of dontaudit
> disabled or not and giving advice to administrator to type command
> #semodule -B.
>
I don't agree, the only time some one should disable dontaudit rules would be when trying to diagnose an SELinux problem, and leaving SELinux dontaudit rules disabled will be pretty evident in the number of AVC's that will be coming to the machine.

> Well, I presently can manage at least making in certain confined area
> a file labeled shadow_t or whatever the dontaudit will be applied and
> check if the dontaudit is disabled or not.
>
> I think only ugly way but as an ordinary administrator, I can manage
> in that way.
>
> Thanks for your advices.
>
>
>
> 2009/5/16 Daniel J Walsh:
>> On 05/15/2009 07:50 PM, Shintaro Fujiwara wrote:
>>> Hi, I typed,
>>>
>>> #semodule -DB
>>>
>>> How should I know if I succeeded disabled dontaudits ?
>>>
>>> Thanks.
>>>
>> If the command did not display any errors, it succeeded. Also you should
>> start to see a lot more avc messages. Start and stop a couple of services.
>>
>
>
>

From dwalsh at redhat.com Mon May 18 12:19:35 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 18 May 2009 08:19:35 -0400
Subject: Why can not user_t link var_lib_t files?
In-Reply-To: <18960.29424.602377.676548@gargle.gargle.HOWL>
References: <18960.16100.946561.405182@gargle.gargle.HOWL> <1242581108.29548.7.camel@notebook2.grift.internal> <18960.29424.602377.676548@gargle.gargle.HOWL>
Message-ID: <4A115257.3050201@redhat.com>

On 05/17/2009 04:26 PM, Göran Uddeborg wrote:
> Dominick Grift writes:
>> Most stuff in /var is system stuff and not for
>> users. So if a user has nothing to do there then no need to give them
>> access either.
>>
>> Stuff like /var/spool/mail/ is however accessible.
>
> Most things in /var are ACCESSIBLE. The same user that could not link
> the file had no problems copying it.
>
> I was under the impression that user_u was not meant to be overly
> restricted. It should not be able to do su/sudo and other kinds of
> system work.
> But apart from that I thought it was meant to be able to
> do most things regular users on non-SELinux systems can do.
>
> That was the impression I got from
> http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
> among other places. But maybe I have misunderstood things.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Yes user_u is not that restrictive, but the idea is a managed user. I would tend to think of user who does few commands with the shell.

But please attach the avc's you are seeing? The directory in question might need a different label.

From shintaro.fujiwara at gmail.com Mon May 18 12:39:38 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Mon, 18 May 2009 21:39:38 +0900
Subject: How can I know disabling dontaudit or not ?
In-Reply-To: <4A11514B.2040600@redhat.com>
References: <4A0EABF9.7050906@redhat.com> <4A11514B.2040600@redhat.com>
Message-ID:

Thanks for your reply.

Some of my friends already noticed me to type #seinfo or #sesearch both commands I didn't know...

You say it's obvious that an administrator disabling dontaudit.
Well, maybe...

Yes, nobody does #semodule -DB unless he knows SELinux.
Yes, he is diagnosing the machine.

But, when it comes to Enforcing or Permissive, we have #getenforce.

It's pretty good when I don't know whether or not Enforcing, I type that.

I easily forget the present state and thanks to setroubleshootd, they tell me in red string when the system is in permissive.

Other thing is that the contrivance you made, i.e. permissive domain.

Yes, an administrator knows that he set some domain permissive and run the program to get audit log to make a policy.

When I type #semodule -l, I get permissive_mydomain_t in alphabetical manner.
It's quite all-right, but me forgettable easily forgets and makes mistakes, so in my tool, I tried to echo permissive_domain at the top of the #semodule -l.

I admire that you are making many contrivances and I can catch up with, but my belief is that we should at least let an ordinary administrator know when he audit2allowed, he did in system permissive or some domain permissive or disabling audit.

Well, last sentence is the idea that just hit me and never before.

There are a lot of commands and I really appreciate them but above are my beliefs.

2009/5/18 Daniel J Walsh :
> On 05/16/2009 08:50 AM, Shintaro Fujiwara wrote:
>>
>> Thanks.
>>
>> So, I understand there are no commands checking present state of
>> enabling or disabling dontaudit ?
>>
> Correct. Although you could use sesearch --dontaudit to see there are no
> dontaudit rules in the policy.
>
>> And especially, disabling dontaudit survives next boot, for an
>> ordinary administrator like me don't know whether or not disabling
>> dontaudit.
>
> Yes semodule -DB rebuilds the /etc/selinux/targeted/policy/policy.VERSION
>
> file which will stay there until the next time you run semanage or semodule
> (selinux-policy-targeted update for example)
>>
>> If I forget disabling dontaudit and don't know much about SELinux
>> audit, if somebody tell me to do audit2allow and some buggy program
>> running to manage shadow_t, I will foolishly may install a policy to
>> manage shadow_t ?
>>
> Yes but you can always make this mistake.
>>
>> I think in that case, should be checked the present state of dontaudit
>> disabled or not and giving advice to administrator to type command
>> #semodule -B.
>>
> I don't agree, the only time some one should disable dontaudit rules would
> be when trying to diagnose an SELinux problem, and leaving SELinux
> dontaudit rules disabled will be pretty evident in the number of AVC's that
> will be coming to the machine.
>>
>> Well, I presently can manage at least making in certain confined area
>> a file labeled shadow_t or whatever the dontaudit will be applied and
>> check if the dontaudit is disabled or not.
>>
>> I think only ugly way but as an ordinary administrator, I can manage
>> in that way.
>>
>> Thanks for your advices.
>>
>>
>>
>> 2009/5/16 Daniel J Walsh:
>>>
>>> On 05/15/2009 07:50 PM, Shintaro Fujiwara wrote:
>>>>
>>>> Hi, I typed,
>>>>
>>>> #semodule -DB
>>>>
>>>> How should I know if I succeeded disabled dontaudits ?
>>>>
>>>> Thanks.
>>>>
>>> If the command did not display any errors, it succeeded. Also you should
>>> start to see a lot more avc messages. Start and stop a couple of
>>> services.
>>>
>>
>>
>>
>
>

--
http://intrajp.no-ip.com/ Home Page

From sds at tycho.nsa.gov Mon May 18 12:48:08 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 18 May 2009 08:48:08 -0400
Subject: Why can not user_t link var_lib_t files?
In-Reply-To: <18960.16100.946561.405182@gargle.gargle.HOWL>
References: <18960.16100.946561.405182@gargle.gargle.HOWL>
Message-ID: <1242650888.29973.195.camel@localhost.localdomain>

On Sun, 2009-05-17 at 18:44 +0200, Göran Uddeborg wrote:
> Is there some reason user_t is denied to link a file with type
> var_lib_t (among others)? Or did it just happen that way? I don't
> see any security advantage.

In a least privilege scheme, the question is not why should it be denied but rather what legitimate purpose does user_t have in creating hard links to random files under /var/lib. Generally none; in your case, you ought to have a distinct type for those files (and if they are in fact served via NFS, then I don't see why they would be in var_lib_t unless you mounted the NFS filesystem with context=system_u:object_r:var_lib_t).
user_t is supposed to be an unprivileged user account, and creating hard links to files to which you have no create/write permissions is usually a sign of something wrong (hence a wide variety of Linux security patches prohibit link'ing to files you don't own). > (It doesn't matter for the question, but I suspect somebody will ask > why I want this. The particular use case where we were hit by this is > non-standard. We have a digital TV receiver box that saves recordings > via NFS under /var/lib/TV on a server. A user wanted to edit out the > commercials from one recording using the m2vmp2cut tool. The tool is > most easy to use when the original recording is in the working > directory. She could copy the file from /var/lib/TV/... to her home > directory, but to save a lot of time and space she tried to make a > (hard) link instead. SELinux denied her that. Obviously > non-standard, and the regular policy doesn't know anything about these > files. And I know various ways to work around it, including adding a > module. But I was a bit surprised over the denial. I would have > expected user_t to be allowed to do this. Thus my question, is this > by design or by mistake?) > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- Stephen Smalley National Security Agency From dwalsh at redhat.com Mon May 18 13:55:53 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 18 May 2009 09:55:53 -0400 Subject: How can I know disabling dontaudit or not ? In-Reply-To: References: <4A0EABF9.7050906@redhat.com> <4A11514B.2040600@redhat.com> Message-ID: <4A1168E9.3030209@redhat.com> On 05/18/2009 08:39 AM, Shintaro Fujiwara wrote: > Thanks for your reply. > > Some of my friends already noticed me to type #seinfo or #sesearch > both commands I didn't know... > > You say it's obvious that an administrator disabling dontaudit. > Well, maybe... 
> > Yes, nobody does #semodule -DB unless he knows SELinux. > Yes, he is diagnosing the machine. > > But, when it comes to Enforcing or Permissive, we have #getenforce. > > It's pretty good when I don't know whether or not Enforcing, I type that. > > I easily forget the present state and thanks to setroubleshootd, they > tell me in red string when the system is in permissive. > > Other thing is that the contrivance you made, i.e. permissive domain. > > Yes, an administrator knows that he set some domain permissive and run > the program to get audit log to make a policy. > > When I type #semodule -l, I get permissive_mydomain_t in alphabetical manner. > It's quite all-right, but me forgettable easily forgets and makes > mistakes, so in my tool, I tried to echo permissive_domain at the top > of the #semodule -l. > > I admire that you are making many contrivances and I can catch up > with, but my belief is that we should at least let an ordinary > administrator know when he audit2allowed, he did in system permissive > or some domain permissive or disabling audit. > > Well, last sentence is the idea that just hit me and never before. > > There are a lot of commands and I really appreciate them but above is > are my beliefs. > > > > 2009/5/18 Daniel J Walsh: >> On 05/16/2009 08:50 AM, Shintaro Fujiwara wrote: >>> Thanks. >>> >>> So, I understand there are no commands checking present state of >>> enabling or disabling dontaudit ? >>> >> Correct. Although you could use sesearch --dontaudit to see there are no >> dontaudit rules in the policy. >> >>> And especially, disabling dontaudit survives next boot, for an >>> ordinary administrator like me don't know whether or not disabling >>> dontaudit. 
>> Yes semodule -DB rebuilds the /etc/selinux/targeted/policy/policy.VERSION >> >> file which will stay there until the next time you run semanage or semodule >> (selinux-policy-targeted update for example) >>> If I forget disabling dontaudit and don't know much about SELinux >>> audit, if somebody tell me to do audit2allow and some buggy program >>> running to manage shadow_t, I will foolishly may install a policy to >>> manage shadow_t ? >>> >> Yes but you can always make this mistake. >>> I think in that case, should be checked the present state of dontaudit >>> disabled or not and giving advice to administrator to type command >>> #semodue -B. >>> >> I don't agree, the only time some one should disable dontaudit rules would >> be when trying to diagnose and SELinux problem, and the leaving SELinux >> dontaudit rules disabled will be pretty evident in the number of AVC's that >> will be coming to the machine. >>> Well, I presently can manage at least making in certain confined area >>> a file labeled shadow_t or whatever the dontaudit will be applied and >>> check if the dontaudit is disabled or not. >>> >>> I think only ugly way but as an ordinary administrator, I can manage >>> in that way. >>> >>> Thanks for your advices. >>> >>> >>> >>> 2009/5/16 Daniel J Walsh: >>>> On 05/15/2009 07:50 PM, Shintaro Fujiwara wrote: >>>>> Hi, I typed, >>>>> >>>>> #semodule -DB >>>>> >>>>> How should I know if I succeeded disabled dontaudits ? >>>>> >>>>> Thanks. >>>>> >>>> If the command did not display any errors, it succeeded. Also you should >>>> start to see a lot more avc messages. Start and stop a couple of >>>> services. >>>> >>> >>> >> > > > Ok, Please open a bug report on this, and we will consider it for a future version. From BGinn at symark.com Mon May 18 16:37:47 2009 From: BGinn at symark.com (Brian Ginn) Date: Mon, 18 May 2009 09:37:47 -0700 Subject: network failures maybe SELinux related? 
In-Reply-To: <4A0EA84B.90207@redhat.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D66@dragonfly.symark.com> <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D69@dragonfly.symark.com>, <4A0EA84B.90207@redhat.com>
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D429D6@dragonfly.symark.com>

Thanks!

For the listening ports, I've done that.
For the connecting ports, I pick a random port between 1025..65535, call connect() then if the port is in use, increment the port number and try again.

Up until SELinux, "permission denied" has not been a connect() error that I've had to deal with.
I could change it so that "permission denied" also results in incrementing the port number and retrying connect().
... however looking at the results of 'semanage port -l', most of those ports aren't used by the selinux domains they are registered for.

When "hardening" a system, we make sure that various un-needed network services are not installed.
Should we also remove selinux policy (and port registration) for those services?

Thanks,
Brian

________________________________________
From: Daniel J Walsh [dwalsh at redhat.com]
Sent: Saturday, May 16, 2009 4:49 AM
To: Brian Ginn
Cc: 'fedora-selinux-list at redhat.com'
Subject: Re: network failures maybe SELinux related?

On 05/15/2009 05:48 PM, Brian Ginn wrote:
> corenet_tcp_bind_all_ports() seems to have solved my problems.
>
On what domain? This will allow that domain to bind to any port, if you know what port you want to listen on, you might be able to add the port using

semanage port -a -t MISTERYDOMAIN_port_t -p tcp PORTNUMBER

>
> -Brian
>
>
> From: Brian Ginn
> Sent: Friday, May 15, 2009 1:44 PM
> To: 'fedora-selinux-list at redhat.com'
> Subject: network failures maybe SELinux related?
>
> I have a client app run by users, and two server apps run from xinetd.
> The client connects to server1
> Server1 connects to server2
> Server2 connects back to the client app
>
> When not confined by SELinux policy, everything works fine.
> I can run several hundred iterations without any failures. > When confined, but run in permissive mode, Everything works fine. - nothing in audit.log > > When confined and enforced, it works a few times, then the connection from server1 to server2 fails. > Then, after a rest, it works a few times, then the connection from server1 to server2 fails. > There is nothing in audit.log. > Does anyone have suggestions for constraints or don't audit rules I should look into? > > > Thanks, > Brian > > > > > > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From selinux at gmail.com Mon May 18 16:56:20 2009 From: selinux at gmail.com (Tom London) Date: Mon, 18 May 2009 09:56:20 -0700 Subject: btrfs SELinux support ?? Message-ID: <4c4ba1530905180956t26bd322eoa3bce981ba3e9383@mail.gmail.com> Sorry if I missed this, but does current rawhide BTRFS support xattrs/SELinux-labeling/etc.? Thanks, tom -- Tom London From eparis at redhat.com Mon May 18 17:04:55 2009 From: eparis at redhat.com (Eric Paris) Date: Mon, 18 May 2009 13:04:55 -0400 Subject: btrfs SELinux support ?? In-Reply-To: <4c4ba1530905180956t26bd322eoa3bce981ba3e9383@mail.gmail.com> References: <4c4ba1530905180956t26bd322eoa3bce981ba3e9383@mail.gmail.com> Message-ID: <1242666296.5212.38.camel@dhcp231-142.rdu.redhat.com> On Mon, 2009-05-18 at 09:56 -0700, Tom London wrote: > Sorry if I missed this, but does current rawhide BTRFS support > xattrs/SELinux-labeling/etc.? F11 + BTRFS + SELinux should be working just fine, I've been running with btrfs root for a couple months now.... -Eric From sds at tycho.nsa.gov Mon May 18 16:58:58 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 18 May 2009 12:58:58 -0400 Subject: btrfs SELinux support ?? 
In-Reply-To: <4c4ba1530905180956t26bd322eoa3bce981ba3e9383@mail.gmail.com> References: <4c4ba1530905180956t26bd322eoa3bce981ba3e9383@mail.gmail.com> Message-ID: <1242665938.20082.50.camel@localhost.localdomain> On Mon, 2009-05-18 at 09:56 -0700, Tom London wrote: > Sorry if I missed this, but does current rawhide BTRFS support > xattrs/SELinux-labeling/etc.? It should (the kernel support is present in 2.6.29). I haven't tried it myself though. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Mon May 18 17:49:58 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 18 May 2009 13:49:58 -0400 Subject: network failures maybe SELinux related? In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D429D6@dragonfly.symark.com> References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D66@dragonfly.symark.com> <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D69@dragonfly.symark.com>, <4A0EA84B.90207@redhat.com> <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D429D6@dragonfly.symark.com> Message-ID: <4A119FC6.60607@redhat.com> On 05/18/2009 12:37 PM, Brian Ginn wrote: > Thanks! > > For the listining ports, I've done that. > For the connecting ports, I pick a random port between 1025..65535, call connect() then if the port > is in use, increment the port number and try again. > > Up until selinex, "permission denied" has not been a connect() error that I've had to deal with. > I could change it so that "permission denied" also results in incrementing the port number and > retrying connect(). > ... however looking at the results of 'semanage port -l', most of those ports aren't used by the > selinux domains they are registered for. > > When "hardening" a system, we make sure that various un-needed network services are not installed. > Should we also remove selinux policy (and port registration) for those services? 
>
>
> Thanks,
> Brian
>
> ________________________________________
> From: Daniel J Walsh [dwalsh at redhat.com]
> Sent: Saturday, May 16, 2009 4:49 AM
> To: Brian Ginn
> Cc: 'fedora-selinux-list at redhat.com'
> Subject: Re: network failures maybe SELinux related?
>
> On 05/15/2009 05:48 PM, Brian Ginn wrote:
>> corenet_tcp_bind_all_ports() seems to have solved my problems.
>>
> On what domain? This will allow that domain to bind to any port, if you
> know what port you want to listen on, you might be able to add the port
> using
>
> semanage port -a -t MISTERYDOMAIN_port_t -p tcp PORTNUMBER
>> -Brian
>>
>>
>> From: Brian Ginn
>> Sent: Friday, May 15, 2009 1:44 PM
>> To: 'fedora-selinux-list at redhat.com'
>> Subject: network failures maybe SELinux related?
>>
>> I have a client app run by users, and two server apps run from xinetd.
>> The client connects to server1
>> Server1 connects to server2
>> Server2 connects back to the client app
>>
>> When not confined by SELinux policy, everything works fine.
>> I can run several hundred iterations without any failures.
>> When confined, but run in permissive mode, everything works fine - nothing in audit.log
>>
>> When confined and enforced, it works a few times, then the connection from server1 to server2 fails.
>> Then, after a rest, it works a few times, then the connection from server1 to server2 fails.
>> There is nothing in audit.log.
>> Does anyone have suggestions for constraints or dontaudit rules I should look into?
>>
>>
>> Thanks,
>> Brian
>>
>> ------------------------------------------------------------------------
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

corenet_tcp_bind_generic_port(DOMAIN)

Will allow you to bind to the first port_t port, i.e. a port that does not have an SELinux port type defined for it. It will dontaudit attempts to bind to ports with SELinux port types defined.
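Brian's silent failure and Shintaro's question about the dontaudit state come down to the same thing: what the audit log shows depends on the enforcing mode, on any permissive domains, and on whether the dontaudit rules are still loaded, and a bind to a port labeled for another service is exactly the kind of denial those rules hide. The script below is an added example, not code from the thread or from the SELinux tools; it assumes only the output formats of getenforce, semodule -l, sesearch --dontaudit and semanage port -l, and the sample outputs embedded in it are constructed.

```shell
#!/bin/sh
# Added preflight check, not code from the thread or the SELinux tools: report
# the policy state that decides what the audit log (and so audit2allow) shows,
# then list the labeled ports an application's port range overlaps. Command
# names are the ones quoted in the threads; the samples at the bottom are
# constructed in their output format and used when the tools are absent.

# permissive_domains: filter `semodule -l` output (stdin) down to the
# permissive_* modules that `semanage permissive -a DOMAIN` installs.
permissive_domains() {
    awk '$1 ~ /^permissive_/ { print $1 }'
}

# dontaudit_rule_count: count rules in `sesearch --dontaudit` output (stdin).
# After `semodule -DB` the loaded policy has none, so 0 means the dontaudit
# rules are currently disabled and the log carries far more AVCs than usual.
dontaudit_rule_count() {
    grep -cw dontaudit || true
}

# labeled_ports_in_range PROTO LOW HIGH: read `semanage port -l` output (stdin)
# and print "PORTSPEC TYPE" for every labeled port or range that overlaps
# [LOW, HIGH]. A confined domain that is not allowed that type gets EACCES
# on bind()/connect() there, and corenet_tcp_bind_generic_port() dontaudits
# exactly those attempts, which is why no AVC appears.
labeled_ports_in_range() {
    awk -v proto="$1" -v lo="$2" -v hi="$3" '
        NF >= 3 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                spec = $i
                sub(/,$/, "", spec)          # "80," -> "80"
                n = split(spec, r, "-")      # "10080-10083" -> two bounds
                a = r[1] + 0
                b = (n == 2) ? r[2] + 0 : a
                if (b >= lo && a <= hi) printf "%s %s\n", spec, $1
            }
        }'
}

# state_warnings MODE PERMISSIVE_DOMAINS DONTAUDIT_COUNT: print one line per
# condition that changes the meaning of logged AVCs; return 1 if any fired.
# DONTAUDIT_COUNT may be "unknown" when sesearch is not installed.
state_warnings() {
    rc=0
    if [ "$1" != "Enforcing" ]; then
        echo "WARNING: system is $1, logged denials were not enforced"
        rc=1
    fi
    if [ -n "$2" ]; then
        echo "WARNING: permissive domains loaded: $(printf '%s' "$2" | tr '\n' ' ')"
        rc=1
    fi
    if [ "$3" = 0 ]; then
        echo "WARNING: no dontaudit rules loaded (semodule -DB?); run semodule -B first"
        rc=1
    fi
    return $rc
}

# Constructed samples in the format of the real commands.
SAMPLE_SEMODULE_L='permissive_mydomain_t   1.0
samba                   1.2.0'
SAMPLE_SESEARCH='Found 2 semantic av rules:
   dontaudit user_t shadow_t : file { read getattr } ;
   dontaudit user_t etc_t : dir { write } ;'
SAMPLE_SEMANAGE_PORTS='SELinux Port Type              Proto    Port Number

amanda_port_t                  tcp      10080-10083
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514'

# Stand-alone use: PROTO LOW HIGH default to the range Brian's client
# picks from. Real tools when present, otherwise the constructed samples.
proto=${1:-tcp}; lo=${2:-1025}; hi=${3:-65535}
if command -v getenforce >/dev/null 2>&1; then
    if command -v sesearch >/dev/null 2>&1; then
        da=$(sesearch --dontaudit 2>/dev/null | dontaudit_rule_count)
    else
        da=unknown
    fi
    state_warnings "$(getenforce)" "$(semodule -l | permissive_domains)" "$da" || true
    semanage port -l 2>/dev/null | labeled_ports_in_range "$proto" "$lo" "$hi"
else
    state_warnings Permissive "$(printf '%s\n' "$SAMPLE_SEMODULE_L" | permissive_domains)" \
        "$(printf '%s\n' "$SAMPLE_SESEARCH" | dontaudit_rule_count)" || true
    printf '%s\n' "$SAMPLE_SEMANAGE_PORTS" | labeled_ports_in_range "$proto" "$lo" "$hi"
fi
```

Run with the three arguments of the application's own protocol and port range; every line printed is a port where a confined client will get EACCES unless its domain is allowed that port type.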
From dwalsh at redhat.com Mon May 18 17:50:43 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 18 May 2009 13:50:43 -0400 Subject: network failures maybe SELinux related? In-Reply-To: <4A119FC6.60607@redhat.com> References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D66@dragonfly.symark.com> <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5D69@dragonfly.symark.com>, <4A0EA84B.90207@redhat.com> <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D429D6@dragonfly.symark.com> <4A119FC6.60607@redhat.com> Message-ID: <4A119FF3.7000002@redhat.com> On 05/18/2009 01:49 PM, Daniel J Walsh wrote: > On 05/18/2009 12:37 PM, Brian Ginn wrote: >> Thanks! >> >> For the listining ports, I've done that. >> For the connecting ports, I pick a random port between 1025..65535, >> call connect() then if the port >> is in use, increment the port number and try again. >> >> Up until selinex, "permission denied" has not been a connect() error >> that I've had to deal with. >> I could change it so that "permission denied" also results in >> incrementing the port number and >> retrying connect(). >> ... however looking at the results of 'semanage port -l', most of >> those ports aren't used by the >> selinux domains they are registered for. >> >> When "hardening" a system, we make sure that various un-needed network >> services are not installed. >> Should we also remove selinux policy (and port registration) for those >> services? >> >> >> Thanks, >> Brian >> >> ________________________________________ >> From: Daniel J Walsh [dwalsh at redhat.com] >> Sent: Saturday, May 16, 2009 4:49 AM >> To: Brian Ginn >> Cc: 'fedora-selinux-list at redhat.com' >> Subject: Re: network failures maybe SELinux related? >> >> On 05/15/2009 05:48 PM, Brian Ginn wrote: >>> corenet_tcp_bind_all_ports() seems to have solved my problems. >>> >> On what domain? 
This will allow that domain to bind to any port, if you >> know what port you want to listen on, you might be able to add the port >> using >> >> semanage port -a -t MISTERYDOMAIN_port_t -p tcp PORTNUMBER >>> -Brian >>> >>> >>> From: Brian Ginn >>> Sent: Friday, May 15, 2009 1:44 PM >>> To: 'fedora-selinux-list at redhat.com' >>> Subject: network failures maybe SELinux related? >>> >>> I have a client app run by users, and two server apps run from xinetd. >>> The client connects to server1 >>> Server1 connects to server2 >>> Server2 connects back to the client app >>> >>> When not confined by SELinux policy. Everything works fine. >>> I can run several hundred iterations without any failures. >>> When confined, but run in permissive mode, Everything works fine. - >>> nothing in audit.log >>> >>> When confined and enforced, it works a few times, then the connection >>> from server1 to server2 fails. >>> Then, after a rest, it works a few times, then the connection from >>> server1 to server2 fails. >>> There is nothing in audit.log. >>> Does anyone have suggestions for constraints or don't audit rules I >>> should look into? >>> >>> >>> Thanks, >>> Brian >>> >>> >>> >>> >>> >>> >>> >>> ------------------------------------------------------------------------ >>> >>> -- >>> fedora-selinux-list mailing list >>> fedora-selinux-list at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > corenet_tcp_bind_generic_port(DOMAIN) > > Will allow you to bind to the first port_t port, IE a port that is not > have an SELInux port defined for it. It will dontaudit attempts to bind > to ports with SELInux ports defined. 
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

corenet_tcp_connect_generic_port(DOMAIN) for connections

From goeran at uddeborg.se Mon May 18 18:11:08 2009
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Mon, 18 May 2009 20:11:08 +0200
Subject: Why can not user_t link var_lib_t files?
In-Reply-To: <4A115257.3050201@redhat.com>
References: <18960.16100.946561.405182@gargle.gargle.HOWL> <1242581108.29548.7.camel@notebook2.grift.internal> <18960.29424.602377.676548@gargle.gargle.HOWL> <4A115257.3050201@redhat.com>
Message-ID: <18961.42172.709249.529892@gargle.gargle.HOWL>

Daniel J Walsh writes:
> Yes user_u is not that restrictive, but the idea is a managed user. I
> would tend to think of user who does few commands with the shell.

Ok. The typical GUI user would probably not trigger this, I agree.

> But please attach the avc's you are seeing?

I retriggered it, and attach the mail setroubleshoot sent me.

> The directory in question might need a different label.

Yes, I was planning to add some fcontext rule for it. A custom rule for a custom directory.

-------------- next part --------------
An embedded message was scrubbed...
From: unknown sender
Subject: no subject
Date: no date
Size: 17650
URL:

From goeran at uddeborg.se Mon May 18 18:19:45 2009
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Mon, 18 May 2009 20:19:45 +0200
Subject: Why can not user_t link var_lib_t files?
In-Reply-To: <1242650888.29973.195.camel@localhost.localdomain>
References: <18960.16100.946561.405182@gargle.gargle.HOWL> <1242650888.29973.195.camel@localhost.localdomain>
Message-ID: <18961.42689.184760.305704@gargle.gargle.HOWL>

Stephen Smalley writes:
> In a least privilege scheme, the question is not why should it be denied
> but rather what legitimate purpose does user_t have in creating hard
> links to random files under /var/lib.
That is true, but as I said I didn't think user_t was designed following a least privilege scheme. I thought it more was allowed to do most random things, with a few exceptions.

(According to the least privilege scheme, the same user should probably not be allowed to READ random /var/lib files either. Some files and directories, like /var/lib/texmf, should be readable, but they have their own type.)

> (and if they are in fact
> served via NFS, then I don't see why they would be in var_lib_t unless
> you mounted the NFS filesystem with
> context=system_u:object_r:var_lib_t).

Ah, no. These commands were executed on the server where the files are stored. It is the digital-TV box that mounts this directory with NFS. But we are not trying to do the editing on that box.

From sds at tycho.nsa.gov Mon May 18 18:32:14 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 18 May 2009 14:32:14 -0400
Subject: Why can not user_t link var_lib_t files?
In-Reply-To: <18961.42689.184760.305704@gargle.gargle.HOWL>
References: <18960.16100.946561.405182@gargle.gargle.HOWL> <1242650888.29973.195.camel@localhost.localdomain> <18961.42689.184760.305704@gargle.gargle.HOWL>
Message-ID: <1242671534.20082.111.camel@localhost.localdomain>

On Mon, 2009-05-18 at 20:19 +0200, Göran Uddeborg wrote:
> Stephen Smalley writes:
> > In a least privilege scheme, the question is not why should it be denied
> > but rather what legitimate purpose does user_t have in creating hard
> > links to random files under /var/lib.
>
> That is true, but as I said I didn't think user_t was designed
> following a least privilege scheme. I thought it more was allowed to
> do most random things, with a few exceptions.
>
> (According to the least privilege scheme, the same user should
> probably not be allowed to READ random /var/lib files either. Some
> files and directories, like /var/lib/texmf, should be readable, but
> they have their own type.)
Yes, that's true, but the original example policy was predominantly focused on integrity goals and that has largely carried through with a few exceptions, e.g. /etc/shadow.

> > (and if they are in fact
> > served via NFS, then I don't see why they would be in var_lib_t unless
> > you mounted the NFS filesystem with
> > context=system_u:object_r:var_lib_t).
>
> Ah, no. These commands were executed on the server where the files
> are stored. It is the digital-TV box that mounts this directory with
> NFS. But we are not trying to do the editing on that box.

--
Stephen Smalley
National Security Agency

From peljasz at yahoo.co.uk Tue May 19 09:40:06 2009
From: peljasz at yahoo.co.uk (lejeczek)
Date: Tue, 19 May 2009 10:40:06 +0100
Subject: Exception during AVC analysis: global name 'audit_event' is not defined
Message-ID: <4A127E76.8050904@yahoo.co.uk>

dear all regards,
I really don't recall any potential reason nor event that could cause below, but a while ago I started getting it:
(f10; setroubleshoot-server-2.0.12-3.fc10.noarch)

May 19 10:30:05 whale setroubleshoot: [avc.ERROR] Exception during AVC analysis: global name 'audit_event' is not defined#012Traceback (most recent call last):#012 File "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 187, in run#012 self.analyze_avc(avc, report_receiver)#012 File "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 171, in analyze_avc#012 log_stats.info("analyze_avc() audit_event=%s\nstatistics=%s", audit_event, statistics)#012NameError: global name 'audit_event' is not defined

cheers
Pawel

___________________________________________________________
Try the all-new Yahoo! Mail. "The New Version is radically easier to use" -
The Wall Street Journal http://uk.docs.yahoo.com/nowyoucan.html

From dwalsh at redhat.com Tue May 19 14:06:26 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 19 May 2009 10:06:26 -0400
Subject: Exception during AVC analysis: global name 'audit_event' is not defined
In-Reply-To: <4A127E76.8050904@yahoo.co.uk>
References: <4A127E76.8050904@yahoo.co.uk>
Message-ID: <4A12BCE2.6000601@redhat.com>

On 05/19/2009 05:40 AM, lejeczek wrote:
> dear all regards,
> I really don't recall any potential reason nor event that could cause
> below, but a while ago I started getting it:
> (f10; setroubleshoot-server-2.0.12-3.fc10.noarch)
>
> May 19 10:30:05 whale setroubleshoot: [avc.ERROR] Exception during AVC
> analysis: global name 'audit_event' is not defined#012Traceback (most
> recent call last):#012 File
> "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 187,
> in run#012 self.analyze_avc(avc, report_receiver)#012 File
> "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 171,
> in analyze_avc#012 log_stats.info("analyze_avc()
> audit_event=%s\nstatistics=%s", audit_event, statistics)#012NameError:
> global name 'audit_event' is not defined
>
> cheers
> Pawel
>
> ___________________________________________________________ Try the
> all-new Yahoo! Mail. "The New Version is radically easier to use" - The
> Wall Street Journal http://uk.docs.yahoo.com/nowyoucan.html
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Are you fully updated? I think there was a problem in the location of the audit.py file on 64 bit platforms that might be causing this.

yum -y update audit\* setroubleshoot\* policycoreutils\* selinux\*

From goeran at uddeborg.se Tue May 19 16:16:41 2009
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Tue, 19 May 2009 18:16:41 +0200
Subject: Why can not user_t link var_lib_t files?
In-Reply-To: <18961.42172.709249.529892@gargle.gargle.HOWL>
References: <18960.16100.946561.405182@gargle.gargle.HOWL> <1242581108.29548.7.camel@notebook2.grift.internal> <18960.29424.602377.676548@gargle.gargle.HOWL> <4A115257.3050201@redhat.com> <18961.42172.709249.529892@gargle.gargle.HOWL>
Message-ID: <18962.56169.78363.179830@gargle.gargle.HOWL>

Göran Uddeborg writes:
> I retriggered it, and attach the mail setroubleshoot sent me.

It looked weird in my mail client when I got it back. I'm not sure why, and if it's buggy when reading or when writing. Just in case, I reran sealert and include the output below.

Summary:

SELinux is preventing ln (user_t) "link" to ./30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473 (var_lib_t).

Detailed Description:

SELinux denied access requested by ln. It is not expected that this access is required by ln and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473,

restorecon -v './30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                user_u:user_r:user_t
Target Context                system_u:object_r:var_lib_t
Target Objects                ./30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473 [ file ]
Source                        ln
Source Path                   /bin/ln
Port
Host                          mimmi
Source RPM Packages           coreutils-6.12-18.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-58.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     mimmi
Platform                      Linux mimmi 2.6.27.12-170.2.5.fc10.x86_64 #1 SMP Wed Jan 21 01:33:24 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon May 18 20:00:13 2009
Last Seen                     Mon May 18 20:00:13 2009
Local ID                      d6ad3700-432a-4dd7-b574-46275e4d1e24
Line Numbers

Raw Audit Messages

node=mimmi type=AVC msg=audit(1242669613.397:1336): avc: denied { link } for pid=26061 comm="ln" name=30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473 dev=dm-0 ino=3276854 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=mimmi type=SYSCALL msg=audit(1242669613.397:1336): arch=c000003e syscall=86 success=no exit=-13 a0=7fff3f37982a a1=7fff3f3798a4 a2=0 a3=7fff3f378380 items=0 ppid=25807 pid=26061 auid=920 uid=920 gid=924 euid=920 suid=920 fsuid=920 egid=924 sgid=924 fsgid=924 tty=tty2 ses=10 comm="ln" exe="/bin/ln" subj=user_u:user_r:user_t:s0 key=(null)

From jdennis at redhat.com Tue May 19 16:31:37 2009
From: jdennis at redhat.com (John Dennis)
Date: Tue, 19 May 2009 12:31:37 -0400
Subject: Why can not user_t link var_lib_t files?
In-Reply-To: <18962.56169.78363.179830@gargle.gargle.HOWL>
References: <18960.16100.946561.405182@gargle.gargle.HOWL> <1242581108.29548.7.camel@notebook2.grift.internal> <18960.29424.602377.676548@gargle.gargle.HOWL> <4A115257.3050201@redhat.com> <18961.42172.709249.529892@gargle.gargle.HOWL> <18962.56169.78363.179830@gargle.gargle.HOWL>
Message-ID: <4A12DEE9.6080503@redhat.com>

Göran Uddeborg wrote:
> Göran Uddeborg writes:
>> I retriggered it, and attach the mail setroubleshoot sent me.
>
> It looked weird in my mail client when I got it back. I'm not sure
> why, and if it's buggy when reading or when writing. Just in case, I
> reran sealert and include the output below.
>
>
> Summary:
>
> SELinux is preventing ln (user_t) "link" to
> ./30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473
> (var_lib_t).

Sometimes the kernel audit system encodes strings as hex if there are any unusual characters in the string (including a space). setroubleshoot is supposed to automatically turn hex encoded strings back into a string, but it looks like in this instance it didn't. The string is actually:

09-04-12 - SVT1 V\xc3\xa4stnytt - Merlin - Brittiskt fantasydrama_ Del 13 av 13_ V\xc3\xa4nskap_ lojalitet och k.ts

--
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dwalsh at redhat.com Tue May 19 18:10:56 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 19 May 2009 14:10:56 -0400
Subject: Why can not user_t link var_lib_t files?
In-Reply-To: <18962.56169.78363.179830@gargle.gargle.HOWL>
References: <18960.16100.946561.405182@gargle.gargle.HOWL> <1242581108.29548.7.camel@notebook2.grift.internal> <18960.29424.602377.676548@gargle.gargle.HOWL> <4A115257.3050201@redhat.com> <18961.42172.709249.529892@gargle.gargle.HOWL> <18962.56169.78363.179830@gargle.gargle.HOWL>
Message-ID: <4A12F630.90908@redhat.com>

On 05/19/2009 12:16 PM, Göran Uddeborg wrote:
> Göran Uddeborg writes:
>> I retriggered it, and attach the mail setroubleshoot sent me.
>
> It looked weird in my mail client when I got it back. I'm not sure
> why, and if it's buggy when reading or when writing. Just in case, I
> reran sealert and include the output below.
>
>
> Summary:
>
> SELinux is preventing ln (user_t) "link" to
> ./30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473
> (var_lib_t).
>
> Detailed Description:
>
> SELinux denied access requested by ln. It is not expected that this access is
> required by ln and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for
> ./30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473,
>
> restorecon -v
> './30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context user_u:user_r:user_t > Target Context system_u:object_r:var_lib_t > Target Objects ./30392D30342D3132202D20535654312056C3A473746E7974 > 74202D204D65726C696E202D20427269747469736B74206661 > 6E746173796472616D615F2044656C2031332061762031335F > 2056C3A46E736B61705F206C6F6A616C69746574206F636820 > 6B2E7473 [ file ] > Source ln > Source Path /bin/ln > Port > Host mimmi > Source RPM Packages coreutils-6.12-18.fc10 > Target RPM Packages > Policy RPM selinux-policy-3.5.13-58.fc10 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall_file > Host Name mimmi > Platform Linux mimmi 2.6.27.12-170.2.5.fc10.x86_64 #1 SMP > Wed Jan 21 01:33:24 EST 2009 x86_64 x86_64 > Alert Count 1 > First Seen Mon May 18 20:00:13 2009 > Last Seen Mon May 18 20:00:13 2009 > Local ID d6ad3700-432a-4dd7-b574-46275e4d1e24 > Line Numbers > > Raw Audit Messages > > node=mimmi type=AVC msg=audit(1242669613.397:1336): avc: denied { link } for pid=26061 comm="ln" name=30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473 dev=dm-0 ino=3276854 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file > > node=mimmi type=SYSCALL msg=audit(1242669613.397:1336): arch=c000003e syscall=86 success=no exit=-13 a0=7fff3f37982a a1=7fff3f3798a4 a2=0 a3=7fff3f378380 items=0 ppid=25807 pid=26061 auid=920 uid=920 gid=924 euid=920 suid=920 fsuid=920 egid=924 sgid=924 fsgid=924 tty=tty2 ses=10 
comm="ln" exe="/bin/ln" subj=user_u:user_r:user_t:s0 key=(null) > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list What directory is this file in? From goeran at uddeborg.se Tue May 19 18:50:05 2009 From: goeran at uddeborg.se (=?utf-8?Q?G=C3=B6ran?= Uddeborg) Date: Tue, 19 May 2009 20:50:05 +0200 Subject: Why can not user_t link var_lib_t files? In-Reply-To: <4A12F630.90908@redhat.com> References: <18960.16100.946561.405182@gargle.gargle.HOWL> <1242581108.29548.7.camel@notebook2.grift.internal> <18960.29424.602377.676548@gargle.gargle.HOWL> <4A115257.3050201@redhat.com> <18961.42172.709249.529892@gargle.gargle.HOWL> <18962.56169.78363.179830@gargle.gargle.HOWL> <4A12F630.90908@redhat.com> Message-ID: <18962.65373.596352.389122@gargle.gargle.HOWL> Daniel J Walsh writes: > What directory is this file in? /var/lib/TV/movie. From goeran at uddeborg.se Tue May 19 18:52:22 2009 From: goeran at uddeborg.se (=?utf-8?Q?G=C3=B6ran?= Uddeborg) Date: Tue, 19 May 2009 20:52:22 +0200 Subject: Why can not user_t link var_lib_t files? In-Reply-To: <4A12DEE9.6080503@redhat.com> References: <18960.16100.946561.405182@gargle.gargle.HOWL> <1242581108.29548.7.camel@notebook2.grift.internal> <18960.29424.602377.676548@gargle.gargle.HOWL> <4A115257.3050201@redhat.com> <18961.42172.709249.529892@gargle.gargle.HOWL> <18962.56169.78363.179830@gargle.gargle.HOWL> <4A12DEE9.6080503@redhat.com> Message-ID: <18962.65510.63696.658411@gargle.gargle.HOWL> John Dennis writes: > Sometimes the kernel audit system encodes strings as hex if there are > any unusual characters in the string (including a space). It wasn't that I meant. In my mail program the entire attached message just showed up as a base64 encoded blob. But maybe it was just a limitation in the display, I don't know. 
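The raw AVC record in this thread is a good specimen of the hex encoding John Dennis mentions: the file name contains spaces and non-ASCII bytes, so the kernel audit code writes it as an unquoted hex string. The following is an added example, not code from the list or from setroubleshoot, showing how to parse such a record and recover the name, source and target types for triage. The record is the one from the sealert output above; the helper names are my own.

```python
"""Parse a raw SELinux AVC record and decode its hex-encoded name field.

Added example for the thread above, not code from the list or from
setroubleshoot. AVC_RECORD is the raw AVC message from the sealert output
in this thread; the function names are my own.
"""
import re

# The AVC line from the thread, copied verbatim (one record per line).
AVC_RECORD = (
    'node=mimmi type=AVC msg=audit(1242669613.397:1336): avc: denied { link } '
    'for pid=26061 comm="ln" '
    'name=30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473 '
    'dev=dm-0 ino=3276854 scontext=user_u:user_r:user_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file'
)

# Audit fields whose values are strings: the kernel writes them "quoted", or
# hex-encoded without quotes when they contain a space, a quote or a control
# byte. Numeric fields (pid, ino, ...) are never hex-decoded.
STRING_FIELDS = {'name', 'comm', 'exe', 'path', 'cwd', 'key', 'proctitle'}

EVENT_RE = re.compile(r'msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\)')
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_audit_value(raw):
    """Undo audit string encoding: strip quotes, or hex-decode an unquoted value."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        data = bytes.fromhex(raw)
        try:
            return data.decode('utf-8')
        except UnicodeDecodeError:
            return data.decode('latin-1')  # non-UTF-8 file names still round-trip
    return raw


def split_context(ctx):
    """'user:role:type[:range]' -> dict with those keys (range may be absent)."""
    return dict(zip(('user', 'role', 'type', 'range'), ctx.split(':', 3)))


def parse_avc(record):
    """Return decision, permissions, event id and decoded fields of one AVC record."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError('not an AVC record: %r' % record[:60])
    fields = {}
    for key, val in FIELD_RE.findall(m.group('rest')):
        fields[key] = decode_audit_value(val) if key in STRING_FIELDS else val
    ev = EVENT_RE.search(record)
    return {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        # (timestamp, serial): the same pair appears on the matching SYSCALL
        # record, which is how the two lines of one event are correlated.
        'event': (ev.group('time'), ev.group('serial')) if ev else None,
        'fields': fields,
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarize(parsed):
    """One-line human summary: which domain was denied what on which object."""
    f = parsed['fields']
    return '%s %s: %s (%s) -> %s (%s) name=%r' % (
        parsed['decision'], ' '.join(parsed['perms']),
        f.get('comm'), parsed['source']['type'],
        parsed['tclass'], parsed['target']['type'], f.get('name'))


if __name__ == '__main__':
    print(summarize(parse_avc(AVC_RECORD)))
```

Decoding the name shows the denied link target was an ordinary media file under the user's directory tree, which is what makes the var_lib_t label, rather than ln's behaviour, the thing to look at; the next reply in the thread asks exactly that question.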
From dwalsh at redhat.com Wed May 20 13:08:25 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 20 May 2009 09:08:25 -0400
Subject: Why can not user_t link var_lib_t files?
In-Reply-To: <18962.65373.596352.389122@gargle.gargle.HOWL>
References: <18960.16100.946561.405182@gargle.gargle.HOWL> <1242581108.29548.7.camel@notebook2.grift.internal> <18960.29424.602377.676548@gargle.gargle.HOWL> <4A115257.3050201@redhat.com> <18961.42172.709249.529892@gargle.gargle.HOWL> <18962.56169.78363.179830@gargle.gargle.HOWL> <4A12F630.90908@redhat.com> <18962.65373.596352.389122@gargle.gargle.HOWL>
Message-ID: <4A1400C9.2040005@redhat.com>

On 05/19/2009 02:50 PM, Göran Uddeborg wrote:
> Daniel J Walsh writes:
>> What directory is this file in?
>
> /var/lib/TV/movie.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

So this is probably a location users are expected to be able to write to?

If yes you could set the context to user_home_t

# semanage fcontext -a -t user_home_t '/var/lib/TV(/.*)?'
# restorecon -R -v /var/lib/TV

This tells SELinux all your users can use this directory tree.

From peljasz at yahoo.co.uk Wed May 20 15:03:10 2009
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 20 May 2009 16:03:10 +0100
Subject: Exception during AVC analysis: global name 'audit_event' is not defined
In-Reply-To: <4A12BCE2.6000601@redhat.com>
References: <4A127E76.8050904@yahoo.co.uk> <4A12BCE2.6000601@redhat.com>
Message-ID: <4A141BAE.4030206@yahoo.co.uk>

well yes, I was, but I just reinstalled the mentioned rpms and am still
getting errors, am I the only one with this problem?

audit-1.7.12-4.fc10.x86_64
audit-libs-1.7.12-4.fc10.x86_64
audit-libs-devel-1.7.12-4.fc10.x86_64
audit-libs-python-1.7.12-4.fc10.x86_64
policycoreutils-2.0.57-17.fc10.x86_64
policycoreutils-gui-2.0.57-17.fc10.x86_64
selinux-doc-1.26-1.1.noarch
selinux-policy-3.5.13-58.fc10.noarch
selinux-policy-3.5.13-59.fc10.noarch
selinux-policy-doc-3.5.13-58.fc10.noarch
selinux-policy-doc-3.5.13-59.fc10.noarch
selinux-policy-targeted-3.5.13-58.fc10.noarch
selinux-policy-targeted-3.5.13-59.fc10.noarch
setroubleshoot-2.0.12-3.fc10.noarch
setroubleshoot-plugins-2.0.12-1.fc10.noarch
setroubleshoot-server-2.0.12-3.fc10.noarch

Daniel J Walsh wrote:
> On 05/19/2009 05:40 AM, lejeczek wrote:
>> dear all regards,
>> I really don't recall any potential reason nor event that could cause
>> below, but a while ago I started getting it:
>> (f10; setroubleshoot-server-2.0.12-3.fc10.noarch)
>>
>> May 19 10:30:05 whale setroubleshoot: [avc.ERROR] Exception during AVC
>> analysis: global name 'audit_event' is not defined#012Traceback (most
>> recent call last):#012 File
>> "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 187,
>> in run#012 self.analyze_avc(avc, report_receiver)#012 File
>> "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 171,
>> in analyze_avc#012 log_stats.info("analyze_avc()
>> audit_event=%s\nstatistics=%s", audit_event, statistics)#012NameError:
>> global name 'audit_event' is not defined
>>
>> cheers
>> Pawel
>>
>>
>> ___________________________________________________________ Try the
>> all-new Yahoo! Mail. "The New Version is radically easier to use" - The
>> Wall Street Journal http://uk.docs.yahoo.com/nowyoucan.html
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Are you fully updated? I think there was a problem in the location of
> the audit.py file on 64 bit platforms that might be causing this.
>
> yum -y update audit\* setroubleshoot\* policycoreutils\* selinux\*
>

___________________________________________________________
All New Yahoo! Mail - Tired of Vi at gr@! come-ons? Let our SpamGuard protect you. http://uk.docs.yahoo.com/nowyoucan.html

From mcepl at redhat.com Thu May 21 14:26:15 2009
From: mcepl at redhat.com (Matej Cepl)
Date: Thu, 21 May 2009 14:26:15 +0000 (UTC)
Subject: btrfs SELinux support ??
References: <4c4ba1530905180956t26bd322eoa3bce981ba3e9383@mail.gmail.com> <1242666296.5212.38.camel@dhcp231-142.rdu.redhat.com>
Message-ID:

Eric Paris, Mon, 18 May 2009 13:04:55 -0400:
> I've been running with btrfs root for a couple months now....

Wow! (/me just finished cleaning another computer after /var walked away
on me ;-))

From mickeyboa at sbcglobal.net Sat May 23 18:27:16 2009
From: mickeyboa at sbcglobal.net (Jim)
Date: Sat, 23 May 2009 14:27:16 -0400
Subject: Selinux, Fail2ban problems
Message-ID: <4A184004.60401@sbcglobal.net>

FC10/KDE

Has anyone run across this problem while running
fail2ban-0.8.3-18.fc10.noarch ??

There are two Redhat bug reports on this same problem and they seem to
think it's fixed, but it isn't.

Bug # 499674 491444

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: selinux_alert.txt
URL:

From wooky at btconnect.com Sun May 24 10:00:12 2009
From: wooky at btconnect.com (Nigel Rumens)
Date: Sun, 24 May 2009 11:00:12 +0100
Subject: selinux and sctp
Message-ID: <4A191AAC.4000500@btconnect.com>

Hi,

Does selinux understand sctp?
When I run (for example)

sctp_darn -H 0 -P 9876 -l

it results in an avc denial message which tells me the target object is
of type None[rawip_socket]

Also semanage port -l shows only udp and tcp

Machine tested on was F11 (fully updated) - I also tried it on F10 with
the same results

Thanks

wooky

From chepkov at yahoo.com Sun May 24 12:40:13 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Sun, 24 May 2009 05:40:13 -0700 (PDT)
Subject: semodule
Message-ID: <601236.68225.qm@web36807.mail.mud.yahoo.com>

Hello,

I have this AVC denial when I try to load my local policy module:

time->Sun May 24 08:31:57 2009
type=SYSCALL msg=audit(1243168317.542:724332): arch=40000003 syscall=11 success=yes exit=0 a0=1056700 a1=1563f60 a2=0 a3=0 items=0 ppid=17011 pid=17266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="load_policy" exe="/usr/sbin/load_policy" subj=system_u:system_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1243168317.542:724332): avc: denied { read write } for pid=17266 comm="load_policy" name="1" dev=devpts ino=3 scontext=system_u:system_r:load_policy_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_devpts_t:s0 tclass=chr_file

SETroubleshoot suggests setsebool -P allow_daemons_use_tty=1, but I have it on already. What gives? Thank you.

selinux-policy-targeted-3.5.13-59.fc10.noarch

Sincerely yours,
Vadym Chepkov

From goeran at uddeborg.se Sun May 24 19:59:13 2009
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Sun, 24 May 2009 21:59:13 +0200
Subject: Why can not user_t link var_lib_t files?
In-Reply-To: <4A1400C9.2040005@redhat.com>
References: <18960.16100.946561.405182@gargle.gargle.HOWL> <1242581108.29548.7.camel@notebook2.grift.internal> <18960.29424.602377.676548@gargle.gargle.HOWL> <4A115257.3050201@redhat.com> <18961.42172.709249.529892@gargle.gargle.HOWL> <18962.56169.78363.179830@gargle.gargle.HOWL> <4A12F630.90908@redhat.com> <18962.65373.596352.389122@gargle.gargle.HOWL> <4A1400C9.2040005@redhat.com>
Message-ID: <18969.42769.873859.402418@gargle.gargle.HOWL>

Daniel J Walsh writes:
> So this is probably a location users are expected to be able to write to?

Yes.

> If yes you could set the context to user_home_t

Yes, that might be the best type to use.

From dwalsh at redhat.com Tue May 26 11:59:26 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 26 May 2009 07:59:26 -0400
Subject: semodule
In-Reply-To: <601236.68225.qm@web36807.mail.mud.yahoo.com>
References: <601236.68225.qm@web36807.mail.mud.yahoo.com>
Message-ID: <4A1BD99E.5070204@redhat.com>

On 05/24/2009 08:40 AM, Vadym Chepkov wrote:
> Hello,
>
> I have this AVC denial when I try to load my local policy module:
>
> time->Sun May 24 08:31:57 2009
> type=SYSCALL msg=audit(1243168317.542:724332): arch=40000003 syscall=11 success=yes exit=0 a0=1056700 a1=1563f60 a2=0 a3=0 items=0 ppid=17011 pid=17266 auid=4294967295
> uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="load_policy" exe="/usr/sbin/load_policy" subj=system_u:system_r:load_policy_t:s0
> -s0:c0.c1023 key=(null)
> type=AVC msg=audit(1243168317.542:724332): avc: denied { read write } for pid=17266 comm="load_policy" name="1" dev=devpts ino=3 scontext=system_u:system_r:load_pol
> icy_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_devpts_t:s0 tclass=chr_file
>
> SETroubleshoot suggests setsebool -P allow_daemons_use_tty=1, but I have it on already. What gives? Thank you.
>
> selinux-policy-targeted-3.5.13-59.fc10.noarch
>
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Setroubleshoot is mistaken. Are you ssh'ing into a box and then running
load_policy, or are you running ssh remotehost load_policy?

If you ssh into a box and execute id -Z what does it show?

From chepkov at yahoo.com Tue May 26 12:56:57 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Tue, 26 May 2009 05:56:57 -0700 (PDT)
Subject: semodule
Message-ID: <439958.78705.qm@web36801.mail.mud.yahoo.com>

I ssh to the host, sudo to root and issue the semodule -i local.pp command

id -Z
system_u:system_r:unconfined_t:SystemLow-SystemHigh

Sincerely yours,
Vadym Chepkov

--- On Tue, 5/26/09, Daniel J Walsh wrote:

> Setroubleshoot is mistaken. Are you ssh'ing into a box
> and then running
> load_policy, or are you running ssh remotehost load_policy?
>
> If you ssh into a box and execute id -Z what does it show?
>

From dwalsh at redhat.com Tue May 26 13:27:42 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 26 May 2009 09:27:42 -0400
Subject: semodule
In-Reply-To: <439958.78705.qm@web36801.mail.mud.yahoo.com>
References: <439958.78705.qm@web36801.mail.mud.yahoo.com>
Message-ID: <4A1BEE4E.6000501@redhat.com>

On 05/26/2009 08:56 AM, Vadym Chepkov wrote:
> I ssh to the host, sudo to root and issue the semodule -i local.pp command
>
> id -Z
> system_u:system_r:unconfined_t:SystemLow-SystemHigh
>
> Sincerely yours,
> Vadym Chepkov
>
>
> --- On Tue, 5/26/09, Daniel J Walsh wrote:
>
>> Setroubleshoot is mistaken. Are you ssh'ing into a box
>> and then running
>> load_policy, or are you running ssh remotehost load_policy?
>>
>> If you ssh into a box and execute id -Z what does it show?
>>

Ok While you are there please do

ls -lZ `tty`

What OS Version are you using?
From dwalsh at redhat.com Tue May 26 15:32:44 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 26 May 2009 11:32:44 -0400
Subject: Introducing SELinux Sandbox
Message-ID: <4A1C0B9C.2070800@redhat.com>

http://danwalsh.livejournal.com/28545.html

From chepkov at yahoo.com Tue May 26 16:10:42 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Tue, 26 May 2009 09:10:42 -0700 (PDT)
Subject: semodule
Message-ID: <340322.67555.qm@web36804.mail.mud.yahoo.com>

> Ok While you are there please do
>
> ls -lZ `tty`
>

ls -lZ `tty`
crw--w---- vvc tty system_u:object_r:sshd_devpts_t /dev/pts/1

> What OS Version are you using?
>

It's Fedora 10, but it was brought to this level by a series of yum upgrades since Fedora 5. I probably found why I am having this problem.

This is the system that has the issue:

semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

This is Fedora 10 installed from DVD

semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

I guess somewhere along the way login entries were not upgraded properly. I will try to change this first and see if it will solve the problem.

Thank you,
Vadym

From serue at us.ibm.com Tue May 26 16:25:30 2009
From: serue at us.ibm.com (Serge E. Hallyn)
Date: Tue, 26 May 2009 11:25:30 -0500
Subject: Introducing SELinux Sandbox
In-Reply-To: <4A1C0B9C.2070800@redhat.com>
References: <4A1C0B9C.2070800@redhat.com>
Message-ID: <20090526162530.GA12813@us.ibm.com>

Quoting Daniel J Walsh (dwalsh at redhat.com):
> http://danwalsh.livejournal.com/28545.html

I really like this!

-serge

From dwalsh at redhat.com Tue May 26 16:51:59 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 26 May 2009 12:51:59 -0400
Subject: semodule
In-Reply-To: <340322.67555.qm@web36804.mail.mud.yahoo.com>
References: <340322.67555.qm@web36804.mail.mud.yahoo.com>
Message-ID: <4A1C1E2F.5000403@redhat.com>

On 05/26/2009 12:10 PM, Vadym Chepkov wrote:
>
>> Ok While you are there please do
>>
>> ls -lZ `tty`
>>
>
> ls -lZ `tty`
> crw--w---- vvc tty system_u:object_r:sshd_devpts_t /dev/pts/1
>
>> What OS Version are you using?
>>
>
> It's Fedora 10, but it was brought to this level by a series of yum upgrades since Fedora 5. I probably found why I am having this problem.
>
> This is the system that has the issue:
>
> semanage login -l
>
> Login Name                SELinux User              MLS/MCS Range
>
> __default__               user_u                    s0
> root                      root                      s0-s0:c0.c1023
> system_u                  system_u                  s0-s0:c0.c1023
>
> This is Fedora 10 installed from DVD
>
> semanage login -l
>
> Login Name                SELinux User              MLS/MCS Range
>
> __default__               unconfined_u              s0-s0:c0.c1023
> root                      unconfined_u              s0-s0:c0.c1023
> system_u                  system_u                  s0-s0:c0.c1023
>
> I guess somewhere along the way login entries were not upgraded properly. I will try to change this first and see if it will solve the problem.
>
> Thank you,
> Vadym

Yes execute

semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
semanage login -m -s unconfined_u -r s0-s0:c0.c1023 root

You might have to add the unconfined_u user

# semanage user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u

Upgrade from F8-F10 did not work properly.
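The two `semanage login -l` listings in this exchange are a compact illustration of login-mapping drift after an in-place upgrade: the `__default__` and `root` entries on the upgraded box still map to user_u and root with a narrow range, while a clean install maps both to unconfined_u with the full category range. The following is an added example, not a tool from the list or from policycoreutils, that parses such listings, reports which logins differ from a baseline, and produces the `semanage login` commands that Dan gives above. The two listings are embedded verbatim from the thread so the script runs offline; on a live system the same functions would be fed the real command output.

```python
"""Compare `semanage login -l` output against an expected baseline.

Added example for this thread, not a tool from the list or from
policycoreutils. The two listings are the ones posted above (the box
upgraded from Fedora 5 and a clean Fedora 10 install), embedded so the
check runs offline.
"""

UPGRADED_BOX = """\
Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
"""

CLEAN_F10 = """\
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
"""


def parse_login_listing(text):
    """{login: (seuser, mls_range)} from `semanage login -l` output.

    Data rows have exactly three whitespace-separated tokens; the header
    and blank lines do not, so they are skipped without special-casing.
    """
    mappings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            login, seuser, mls_range = parts
            mappings[login] = (seuser, mls_range)
    return mappings


def drift(actual, expected):
    """Logins whose mapping differs from the baseline; None means missing."""
    return {login: (actual.get(login), want)
            for login, want in expected.items()
            if actual.get(login) != want}


def fix_commands(actual, expected):
    """The semanage invocations that bring `actual` in line with `expected`:
    -m modifies an existing mapping, -a adds one that is missing."""
    cmds = []
    for login, (have, (seuser, rng)) in sorted(drift(actual, expected).items()):
        flag = '-m' if have is not None else '-a'
        cmds.append('semanage login %s -s %s -r %s %s' % (flag, seuser, rng, login))
    return cmds


if __name__ == '__main__':
    have = parse_login_listing(UPGRADED_BOX)
    want = parse_login_listing(CLEAN_F10)
    for login, (got, exp) in sorted(drift(have, want).items()):
        print('%-12s have %s want %s' % (login, got, exp))
    print('\n'.join(fix_commands(have, want)))
```

Two caveats from the thread itself: the `semanage user -a ... unconfined_u` step is only needed when the SELinux user does not exist yet, so check `semanage user -l` before adding it; and, as the rest of this thread shows, correcting the mappings does not by itself change the context of shells that sshd spawns, so re-run `id -Z` in a fresh login after the change rather than assuming the fix took. Newer policycoreutils releases print an extra Service column, in which case the three-token rule above needs to become four.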
From chepkov at yahoo.com Tue May 26 17:12:56 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Tue, 26 May 2009 10:12:56 -0700 (PDT)
Subject: semodule
Message-ID: <386095.75233.qm@web36805.mail.mud.yahoo.com>

> Yes execute
>
> semanage login -m -s unconfined_u -r s0-s0:c0.c1023
> __default__
> semanage login -m -s unconfined_u -r s0-s0:c0.c1023 root
>
> You might have to add the unconfined_u user
>
> # semanage user -a -P user -R "unconfined_r system_r" -r
> s0-s0:c0.c1023
> unconfined_u
>
> Upgrade from F8-F10 did not work properly.

Ok

# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              SystemLow-SystemHigh
root                      unconfined_u              SystemLow-SystemHigh
system_u                  system_u                  SystemLow-SystemHigh

# semanage user -l|grep unconfined_u
unconfined_u    user       s0         SystemLow-SystemHigh           system_r unconfined_r

But, when I login, I still have

id -Z
system_u:system_r:unconfined_t:SystemLow-SystemHigh

Do I have to reboot??

From dwalsh at redhat.com Tue May 26 18:05:48 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 26 May 2009 14:05:48 -0400
Subject: semodule
In-Reply-To: <386095.75233.qm@web36805.mail.mud.yahoo.com>
References: <386095.75233.qm@web36805.mail.mud.yahoo.com>
Message-ID: <4A1C2F7C.1070006@redhat.com>

On 05/26/2009 01:12 PM, Vadym Chepkov wrote:
>> Yes execute
>>
>> semanage login -m -s unconfined_u -r s0-s0:c0.c1023
>> __default__
>> semanage login -m -s unconfined_u -r s0-s0:c0.c1023 root
>>
>> You might have to add the unconfined_u user
>>
>> # semanage user -a -P user -R "unconfined_r system_r" -r
>> s0-s0:c0.c1023
>> unconfined_u
>>
>> Upgrade from F8-F10 did not work properly.
>
> Ok
>
> # semanage login -l
>
> Login Name                SELinux User              MLS/MCS Range
>
> __default__               unconfined_u              SystemLow-SystemHigh
> root                      unconfined_u              SystemLow-SystemHigh
> system_u                  system_u                  SystemLow-SystemHigh
>
> # semanage user -l|grep unconfined_u
> unconfined_u    user       s0         SystemLow-SystemHigh           system_r unconfined_r
>
> But, when I login, I still have
>
> id -Z
> system_u:system_r:unconfined_t:SystemLow-SystemHigh
>
> Do I have to reboot??
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

No that is strange.

ps -eZ | grep sshd

From chepkov at yahoo.com Tue May 26 19:41:07 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Tue, 26 May 2009 12:41:07 -0700 (PDT)
Subject: semodule
Message-ID: <4779.83423.qm@web36804.mail.mud.yahoo.com>

I made sure all labels are correct via 'fixfiles check'.

restarted sshd via 'service sshd restart'

$ ps -efZ|grep sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh root 30757 1 0 15:39 ? 00:00:00 /usr/sbin/sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh root 30765 30757 0 15:39 ? 00:00:00 sshd: vvc [priv]
system_u:system_r:sshd_t:SystemLow-SystemHigh vvc 30769 30765 0 15:39 ? 00:00:00 sshd: vvc at pts/0
system_u:system_r:unconfined_t:SystemLow-SystemHigh vvc 30806 30770 0 15:39 pts/0 00:00:00

[vvc at pegasus ~]$ id -Z
system_u:system_r:unconfined_t:SystemLow-SystemHigh

Sincerely yours,
Vadym Chepkov

From dwalsh at redhat.com Tue May 26 19:49:28 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 26 May 2009 15:49:28 -0400
Subject: semodule
In-Reply-To: <4779.83423.qm@web36804.mail.mud.yahoo.com>
References: <4779.83423.qm@web36804.mail.mud.yahoo.com>
Message-ID: <4A1C47C8.7070805@redhat.com>

On 05/26/2009 03:41 PM, Vadym Chepkov wrote:
> I made sure all labels are correct via 'fixfiles check'.
>
> restarted sshd via 'service sshd restart'
>
> $ ps -efZ|grep sshd
> system_u:system_r:sshd_t:SystemLow-SystemHigh root 30757 1 0 15:39 ? 00:00:00 /usr/sbin/sshd
> system_u:system_r:sshd_t:SystemLow-SystemHigh root 30765 30757 0 15:39 ? 00:00:00 sshd: vvc [priv]
> system_u:system_r:sshd_t:SystemLow-SystemHigh vvc 30769 30765 0 15:39 ? 00:00:00 sshd: vvc at pts/0
> system_u:system_r:unconfined_t:SystemLow-SystemHigh vvc 30806 30770 0 15:39 pts/0 00:00:00
>
> [vvc at pegasus ~]$ id -Z
> system_u:system_r:unconfined_t:SystemLow-SystemHigh
>
> Sincerely yours,
> Vadym Chepkov
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Do you have a file in /etc/selinux/targeted/contexts/users/unconfined_u

From chepkov at yahoo.com Tue May 26 19:53:48 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Tue, 26 May 2009 12:53:48 -0700 (PDT)
Subject: semodule
Message-ID: <711353.85363.qm@web36804.mail.mud.yahoo.com>

--- On Tue, 5/26/09, Daniel J Walsh wrote:

> Do you have a file in
> /etc/selinux/targeted/contexts/users/unconfined_u
>

-rw-r--r-- 1 root root 578 2009-05-07 07:30 /etc/selinux/targeted/contexts/users/unconfined_u

From BGinn at symark.com Tue May 26 22:58:50 2009
From: BGinn at symark.com (Brian Ginn)
Date: Tue, 26 May 2009 15:58:50 -0700
Subject: ports under SELinux on RHEL-5.3
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2CC@dragonfly.symark.com>

My app binds to a random port prior to connecting to a well known port.
If the random port is in use (errno == EADDRINUSE) the port number is incremented and a new bind is attempted.

SELinux port labeling was causing errno==EACCES for ports that are under SELinux control.
I found corenet_tcp_bind_all_ports() which fixed the problem - because now, my app is allowed to use those ports.

Dan Walsh suggested corenet_tcp_bind_generic_port() instead - so my app doesn't use the ports managed by SELinux for other apps.
So I changed my code to also increment the port and re-attempt a bind when errno==EACCES.
I find that some non-SELinux controlled ports are also causing EACCES (but only in enforcing mode)... and EACCES is a problem I've never run into before on non-SELinux boxes... so I believe that SELinux is somehow preventing access to the un-controlled ports.

For each of the ports listed below, the PRIOR port has an SELinux type shown by 'semanage port -l', yet these ports also get the EACCES error:

1702
2607
3261
3552
4691
5433
5704
6021
7001
8022
8119
8291
8293
9011
9223
9283
9293
9434
9702
13446
16002

From BGinn at symark.com Tue May 26 23:20:32 2009
From: BGinn at symark.com (Brian Ginn)
Date: Tue, 26 May 2009 16:20:32 -0700
Subject: ports under SELinux on RHEL-5.3
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2CC@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2CC@dragonfly.symark.com>
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2CE@dragonfly.symark.com>

Oops... I was not resetting errno in the loop.

Thanks,
Brian

-----Original Message-----
From: Brian Ginn
Sent: Tuesday, May 26, 2009 3:59 PM
To: 'fedora-selinux-list at redhat.com'
Subject: ports under SELinux on RHEL-5.3

My app binds to a random port prior to connecting to a well known port.
If the random port is in use (errno == EADDRINUSE) the port number is incremented and a new bind is attempted.

SELinux port labeling was causing errno==EACCES for ports that are under SELinux control.
I found corenet_tcp_bind_all_ports() which fixed the problem - because now, my app is allowed to use those ports.

Dan Walsh suggested corenet_tcp_bind_generic_port() instead - so my app doesn't use the ports managed by SELinux for other apps.
So I changed my code to also increment the port and re-attempt a bind when errno==EACCES.

I find that some non-SELinux controlled ports are also causing EACCES (but only in enforcing mode)... and EACCES is a problem I've never run into before on non-SELinux boxes... so I believe that SELinux is somehow preventing access to the un-controlled ports.

For each of the ports listed below, the PRIOR port has an SELinux type shown by 'semanage port -l', yet these ports also get the EACCES error:

1702
2607
3261
3552
4691
5433
5704
6021
7001
8022
8119
8291
8293
9011
9223
9283
9293
9434
9702
13446
16002

From nick at magitekltd.com Wed May 27 23:33:01 2009
From: nick at magitekltd.com (Nickolas Gray)
Date: Wed, 27 May 2009 18:33:01 -0500
Subject: lvconvert does not work in enforcing, no AVC, instead I get SELINUX_ERR
Message-ID: <6EAE5C5F-FD8C-4008-8080-85BCFC419104@magitekltd.com>

I am trying to run the "lvconvert" command in enforcing and cannot
determine how to do it.

I am using the domain type lvm_t and running lvconvert inside a bash
script. The command works in permissive but fails in enforcing,
with the following audit trail.

----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009 10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052 dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00 obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009 10:31:40.907:208246) : cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009 10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9ad16c0 a3=1e items=1 ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7 ses=1 comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.907:208246) : security_validate_transition: denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009 10:31:40.908:208247) : item=0 name=/dev/vg00/snap inode=813108 dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00 obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009 10:31:40.908:208247) : cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009 10:31:40.908:208247) : arch=x86_64 syscall=lsetxattr success=yes exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9acc480 a3=1e items=1 ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7 ses=1 comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.908:208247) : security_validate_transition: denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009 10:31:40.983:208258) : item=0 name=/dev/vg00/root inode=813142 dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00 obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009 10:31:40.983:208258) : cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009 10:31:40.983:208258) : arch=x86_64 syscall=lsetxattr success=yes exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c4556b10 a3=1e items=1 ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7 ses=1 comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.983:208258) : security_validate_transition: denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009 10:31:40.984:208260) : item=0 name=/dev/vg00/snap inode=813145 dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00 obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009 10:31:40.984:208260) : cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009 10:31:40.984:208260) : arch=x86_64 syscall=lsetxattr success=yes exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c455dc90 a3=1e items=1 ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7 ses=1 comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.984:208260) : security_validate_transition: denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----

There are no AVCs associated with the error and I am using the
following policy statements (where jcdx_fsbackup_t is the domain type
of the entire script)

lvm_domtrans(jcdx_fsbackup_t)
mls_file_write_all_levels(lvm_t)
allow lvm_t lvm_control_t:chr_file write;
allow lvm_t lvm_lock_t:dir { write remove_name add_name };
allow lvm_t lvm_metadata_t:dir { write remove_name add_name };

At this point the script is

----------
#!/bin/bash

/sbin/lvconvert -s vg00/root snap
----------

The policy is selinux-policy-3.5.13-57.fc10.

A push in the right direction would be appreciated.

--

"THIS time it really is fixed. I mean, how many times can we get it
wrong? At some point, we just have to run out of bad ideas.."
Linus Torvalds

Nickolas Gray
nick at magitek.ltd

From sds at tycho.nsa.gov Thu May 28 12:38:29 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 28 May 2009 08:38:29 -0400
Subject: lvconvert does not work in enforcing, no AVC, instead I get SELINUX_ERR
In-Reply-To: <6EAE5C5F-FD8C-4008-8080-85BCFC419104@magitekltd.com>
References: <6EAE5C5F-FD8C-4008-8080-85BCFC419104@magitekltd.com>
Message-ID: <1243514309.2752.46.camel@localhost.localdomain>

On Wed, 2009-05-27 at 18:33 -0500, Nickolas Gray wrote:
> I am trying to run the "lvconvert" command in enforcing and cannot
> determine how to do it.
>
> I am using the domain type lvm_t and running lvconvert inside a bash
> script. The command works in permissive but fails in enforcing.
>
> with the following audit trail.
>
> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
> 10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
> 10:31:40.907:208246) : cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
> 10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes
> exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9ad16c0 a3=1e items=1
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
> ses=1 comm=lvconvert exe=/sbin/lvm
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
> 10:31:40.907:208246) : security_validate_transition: denied for
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
> newcontext=system_u:object_r:device_t:s0
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file

You are violating a MLS validatetrans constraint (in policy/mls) that
restricts the ability to relabel a file to a different level unless the
calling domain has the appropriate type attribute. In this case, you
are downgrading the device from s15:c0.c1023 (systemhigh) to s0
(systemlow). If you want lvm to be able to do that, you'd have to give
it mlsfiledowngrade, i.e.

$ cat lvmmls.te
policy_module(lvmmls, 1.0)

require {
	type lvm_t;
}

mls_file_downgrade(lvm_t)

$ make -f /usr/share/selinux/devel/Makefile lvmmls.pp
$ sudo semodule -i lvmmls.pp

> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
> 10:31:40.908:208247) : item=0 name=/dev/vg00/snap inode=813108
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
> 10:31:40.908:208247) : cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
> 10:31:40.908:208247) : arch=x86_64 syscall=lsetxattr success=yes
> exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9acc480 a3=1e items=1
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
> ses=1 comm=lvconvert exe=/sbin/lvm
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
> 10:31:40.908:208247) : security_validate_transition: denied for
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
> newcontext=system_u:object_r:device_t:s0
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
> 10:31:40.983:208258) : item=0 name=/dev/vg00/root inode=813142
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
> 10:31:40.983:208258) : cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
> 10:31:40.983:208258) : arch=x86_64 syscall=lsetxattr success=yes
> exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c4556b10 a3=1e items=1
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
> ses=1 comm=lvconvert exe=/sbin/lvm
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
> 10:31:40.983:208258) : security_validate_transition: denied for
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
> newcontext=system_u:object_r:device_t:s0
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
> 10:31:40.984:208260) : item=0 name=/dev/vg00/snap inode=813145
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
> 10:31:40.984:208260) : cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
> 10:31:40.984:208260) : arch=x86_64 syscall=lsetxattr success=yes
> exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c455dc90 a3=1e items=1
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
> ses=1 comm=lvconvert exe=/sbin/lvm
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
> 10:31:40.984:208260) : security_validate_transition: denied for
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
> newcontext=system_u:object_r:device_t:s0
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
> ----
>
> There are no AVCs associated with the error and I am using the
> following policy statements ( where jcdx_fsbackup_t is the domain type
> of the entire script)
>
> lvm_domtrans(jcdx_fsbackup_t)
> mls_file_write_all_levels(lvm_t)
> allow lvm_t lvm_control_t:chr_file write;
> allow lvm_t lvm_lock_t:dir { write remove_name add_name };
> allow lvm_t lvm_metadata_t:dir { write remove_name add_name };
>
> At this point the script is
>
> ----------
> #!/bin/bash
>
> /sbin/lvconvert -s vg00/root snap
> ----------
>
> The policy is selinux-policy-3.5.13-57.fc10,
>
> A push in the right direction would be appreciated.
>
>
> --
>
> "THIS time it really is fixed. I mean, how many times can we get it
> wrong? At some point, we just have to run out of bad ideas.."
>
> Linus Torvalds
>
>
>
> Nickolas Gray
> nick at magitek.ltd
>
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Stephen Smalley
National Security Agency

From domg472 at gmail.com Thu May 28 12:19:48 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 28 May 2009 14:19:48 +0200
Subject: lvconvert does not work in enforcing, no AVC, instead I get SELINUX_ERR
In-Reply-To: <6EAE5C5F-FD8C-4008-8080-85BCFC419104@magitekltd.com>
References: <6EAE5C5F-FD8C-4008-8080-85BCFC419104@magitekltd.com>
Message-ID: <1243513188.11278.2.camel@notebook2.grift.internal>

On Wed, 2009-05-27 at 18:33 -0500, Nickolas Gray wrote:
> I am trying to run the "lvconvert" command in enforcing and cannot
> determine how to do it.
>
> I am using the domain type lvm_t and running lvconvert inside a bash
> script. The command works in permissive but fails in enforcing.
>
> with the following audit trail.
>
> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
> 10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
> 10:31:40.907:208246) : cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
> 10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes
> exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9ad16c0 a3=1e items=1
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
> ses=1 comm=lvconvert exe=/sbin/lvm
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
> 10:31:40.907:208246) : security_validate_transition: denied for
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
> newcontext=system_u:object_r:device_t:s0
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
> 10:31:40.908:208247) : item=0 name=/dev/vg00/snap inode=813108
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
> 10:31:40.908:208247) : cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
> 10:31:40.908:208247) : arch=x86_64 syscall=lsetxattr success=yes
> exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9acc480 a3=1e items=1
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
> ses=1 comm=lvconvert exe=/sbin/lvm
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
> 10:31:40.908:208247) : security_validate_transition: denied for
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
> newcontext=system_u:object_r:device_t:s0
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
> 10:31:40.983:208258) : item=0 name=/dev/vg00/root inode=813142
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
> 10:31:40.983:208258) : cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
> 10:31:40.983:208258) : arch=x86_64 syscall=lsetxattr success=yes
> exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c4556b10 a3=1e items=1
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
> ses=1 comm=lvconvert exe=/sbin/lvm
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
> 10:31:40.983:208258) : security_validate_transition: denied for
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
> newcontext=system_u:object_r:device_t:s0
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
> 10:31:40.984:208260) : item=0 name=/dev/vg00/snap inode=813145
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
> 10:31:40.984:208260) : cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
> 10:31:40.984:208260) : arch=x86_64 syscall=lsetxattr success=yes
> exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c455dc90 a3=1e items=1
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
> ses=1 comm=lvconvert exe=/sbin/lvm
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
> 10:31:40.984:208260) : security_validate_transition: denied for
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
> newcontext=system_u:object_r:device_t:s0
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
> ----
>
> There are no AVCs associated with the error and I am using the
> following policy statements ( where jcdx_fsbackup_t is the domain type
> of the entire script)
>
> lvm_domtrans(jcdx_fsbackup_t)
> mls_file_write_all_levels(lvm_t)
> allow lvm_t lvm_control_t:chr_file write;
> allow lvm_t lvm_lock_t:dir { write remove_name add_name };
> allow lvm_t lvm_metadata_t:dir { write remove_name add_name };
>
> At this point the script is
>
> ----------
> #!/bin/bash
>
> /sbin/lvconvert -s vg00/root snap
> ----------
>
> The policy is selinux-policy-3.5.13-57.fc10,
>
> A push in the right direction would be appreciated.
>

you need to add a rule that allows lvm_t to inherit the siterep_r role:

role siterep_r types lvm_t;

> --
>
> "THIS time it really is fixed. I mean, how many times can we get it
> wrong? At some point, we just have to run out of bad ideas.."
>
> Linus Torvalds
>
> Nickolas Gray
> nick at magitek.ltd
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From nick at magitekltd.com Thu May 28 16:09:00 2009
From: nick at magitekltd.com (Nickolas Gray)
Date: Thu, 28 May 2009 11:09:00 -0500
Subject: lvconvert does not work in enforcing, no AVC, instead I get SELINUX_ERR
In-Reply-To: <1243513188.11278.2.camel@notebook2.grift.internal>
References: <6EAE5C5F-FD8C-4008-8080-85BCFC419104@magitekltd.com> <1243513188.11278.2.camel@notebook2.grift.internal>
Message-ID: <70595F0C-C6A7-407E-8AB0-B5CEEE915833@magitekltd.com>

Dominick, Stephen

Thanks for the input.
Let me digest this and I may have more questions.

On May 28, 2009, at 7:19 AM, Dominick Grift wrote:

> On Wed, 2009-05-27 at 18:33 -0500, Nickolas Gray wrote:
>> I am trying to run the "lvconvert" command in enforcing and cannot
>> determine how to do it.
>>
>> I am using the domain type lvm_t and running lvconvert inside a bash
>> script. The command works in permissive but fails in enforcing.
>>
>> with the following audit trail.
>>
>> ----
>> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
>> 10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052
>> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
>> obj=siterep_u:object_r:device_t:s15:c0.c1023
>> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
>> 10:31:40.907:208246) : cwd=/home/siterep1
>> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
>> 10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes
>> exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9ad16c0 a3=1e items=1
>> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
>> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
>> ses=1 comm=lvconvert exe=/sbin/lvm
>> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
>> node=develop.local.austin.rr.com type=SELINUX_ERR
>> msg=audit(05/27/2009
>> 10:31:40.907:208246) : security_validate_transition: denied for
>> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
>> newcontext=system_u:object_r:device_t:s0
>> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
>> ----
>> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
>> 10:31:40.908:208247) : item=0 name=/dev/vg00/snap inode=813108
>> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
>> obj=siterep_u:object_r:device_t:s15:c0.c1023
>> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
>> 10:31:40.908:208247) : cwd=/home/siterep1
>> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
>> 10:31:40.908:208247) : arch=x86_64 syscall=lsetxattr success=yes
>> exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9acc480 a3=1e items=1
>> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
>> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
>> ses=1 comm=lvconvert exe=/sbin/lvm
>> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
>> node=develop.local.austin.rr.com type=SELINUX_ERR
>> msg=audit(05/27/2009
>> 10:31:40.908:208247) : security_validate_transition: denied for
>> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
>> newcontext=system_u:object_r:device_t:s0
>> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
>> ----
>> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
>> 10:31:40.983:208258) : item=0 name=/dev/vg00/root inode=813142
>> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
>> obj=siterep_u:object_r:device_t:s15:c0.c1023
>> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
>> 10:31:40.983:208258) : cwd=/home/siterep1
>> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
>> 10:31:40.983:208258) : arch=x86_64 syscall=lsetxattr success=yes
>> exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c4556b10 a3=1e items=1
>> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
>> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
>> ses=1 comm=lvconvert exe=/sbin/lvm
>> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
>> node=develop.local.austin.rr.com type=SELINUX_ERR
>> msg=audit(05/27/2009
>> 10:31:40.983:208258) : security_validate_transition: denied for
>> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
>> newcontext=system_u:object_r:device_t:s0
>> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
>> ----
>> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
>> 10:31:40.984:208260) : item=0 name=/dev/vg00/snap inode=813145
>> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
>> obj=siterep_u:object_r:device_t:s15:c0.c1023
>> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
>> 10:31:40.984:208260) : cwd=/home/siterep1
>> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
>> 10:31:40.984:208260) : arch=x86_64 syscall=lsetxattr success=yes
>> exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c455dc90 a3=1e items=1
>> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
>> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
>> ses=1 comm=lvconvert exe=/sbin/lvm
>> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
>> node=develop.local.austin.rr.com type=SELINUX_ERR
>> msg=audit(05/27/2009
>> 10:31:40.984:208260) : security_validate_transition: denied for
>> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
>> newcontext=system_u:object_r:device_t:s0
>> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
>> ----
>>
>> There are no AVCs associated with the error and I am using the
>> following policy statements ( where jcdx_fsbackup_t is the domain
>> type
>> of the entire script)
>>
>> lvm_domtrans(jcdx_fsbackup_t)
>> mls_file_write_all_levels(lvm_t)
>> allow lvm_t lvm_control_t:chr_file write;
>> allow lvm_t lvm_lock_t:dir { write remove_name add_name };
>> allow lvm_t lvm_metadata_t:dir { write remove_name add_name };
>>
>> At this point the script is
>>
>> ----------
>> #!/bin/bash
>>
>> /sbin/lvconvert -s vg00/root snap
>> ----------
>>
>> The policy is selinux-policy-3.5.13-57.fc10,
>>
>> A push in the right direction would be appreciated.
>>
>
> you need to add a rule that allows lvm_t to inherit the siterep_r
> role:
>
> role siterep_r types lvm_t;
>
>> --
>>
>> "THIS time it really is fixed. I mean, how many times can we get it
>> wrong? At some point, we just have to run out of bad ideas.."
>>
>> Linus Torvalds
>>
>> Nickolas Gray
>> nick at magitek.ltd
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-- 
"THIS time it really is fixed. I mean, how many times can we get it wrong? At some point, we just have to run out of bad ideas.."

Linus Torvalds

Nickolas Gray
nick at magitek.ltd

From jmorris at namei.org Thu May 28 21:54:02 2009
From: jmorris at namei.org (James Morris)
Date: Fri, 29 May 2009 07:54:02 +1000 (EST)
Subject: [ANN] 2009 SELinux Developer Summit Call for Participation
Message-ID:

The call for participation for the 2009 SELinux Developer Summit is now open.

The summit will be held Sunday September 20th in Portland as part of LinuxCon [1]. Note that all attendees must be registered as attendees of LinuxCon.

Primary topics for this year's summit will be extensibility and usability, with a flexible format to include interactive talks and development sessions.

Extensibility topics of interest include (but are not limited to) storage, virtualization, databases, web applications, and the desktop environment.

Usability topics of interest include (but are not limited to) policy development and deployment, system administration, and high-level tools.

Other topics relating to SELinux technology, flexible mandatory access control, and its application to real-world problems are also of interest for this symposium.
Such topics might include:

* Updates on the various Linux distributions using SELinux
* Flexible MAC in other operating systems
* Case studies and application experience with flexible MAC
* User and customer concerns and needs

Forms of participation include:

* Interactive technical presentations (30 minutes each, papers are optional)
* Lightning talks
* Development sessions

Proposals may be sent to the organizing team at:

sel-dev-summit-pc AT selinuxproject.org

In your proposal, please identify the form of participation, the amount of time you expect to need, and a title and abstract describing the topic you wish to cover.

If you wish to attend the summit in any capacity, please subscribe to the mailing list [2] so the organizers can estimate numbers as well as provide you with updated event information. Please also visit the summit wiki page [3] for more details on the event and location.

Important dates:

* CFP ends: 1st July 2009
* Speaker notifications: 15th July 2009
* Publish schedule: 1st August 2009

Note that early bird registration for LinuxCon ends on June 1st, and standard registration ends on August 14th.

URLs:

[1] LinuxCon, http://events.linuxfoundation.org/events/linuxcon
[2] Mailing list, http://selinuxproject.org/mailman/listinfo/selinux-developer-summit-2009
[3] SELinux Developer Summit page, http://selinuxproject.org/page/Developer_Summit_2009

----------------------------------------------------------------------------

From BGinn at symark.com Fri May 29 01:03:32 2009
From: BGinn at symark.com (Brian Ginn)
Date: Thu, 28 May 2009 18:03:32 -0700
Subject: policy to allow myapp to exec chfn
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2D9@dragonfly.symark.com>

I have an app which runs from xinetd in the myapp_t domain:

system_u:system_r:myapp_t

I am attempting to get myapp to exec the chfn program; however it reports:

chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of test5

I have tried these macros from the reference policy:

usermanage_run_chfn(myapp_t,system_r,devpts_t )

type myapp_devpts_t;
type myapp_tty_device_t;
userdom_change_password_template(myapp)
usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })

but things still don't work.

SELinux is not reporting denials in audit.log, presumably because chfn calls security_compute_av() and reports the "denial" itself.

Is there policy I can write that will allow myapp to exec chfn?

Thanks,
Brian

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dwalsh at redhat.com Fri May 29 01:48:37 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 28 May 2009 21:48:37 -0400
Subject: policy to allow myapp to exec chfn
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2D9@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2D9@dragonfly.symark.com>
Message-ID: <4A1F3EF5.7030405@redhat.com>

On 05/28/2009 09:03 PM, Brian Ginn wrote:
> I have an app which runs from xinetd in the myapp_t domain:
>
> system_u:system_r:myapp_t
>
> I am attempting to get myapp to exec the chfn program
>
> however it reports:
>
> chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of test5
>
This means the transition did not happen.
>
> I have tried these macros from the reference policy:
>
> usermanage_run_chfn(myapp_t,system_r,devpts_t )
>
> type myapp_devpts_t;
>
> type myapp_tty_device_t;
>
> userdom_change_password_template(myapp)
>
> usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })
>
> but things still don't work.
>
> SELinux is not reporting denials in audit.log, presumably because
>
> chfn calls security_compute_av() and reports the "denial" itself.
>
> Is there policy I can write that will allow myapp to exec chfn?
>
> Thanks,
> Brian
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

If myapp_t needs to have the ability to change a passwd of another user:

allow myapp_t self:passwd chfn;

chfn and others should report this error as an AVC rather than just an error message so the tools would be able to generate appropriate policy. Report this as a bug and cc me on the bug report.

passwd, chfn, chsh are all accesses required for root programs to change the passwd, finger info or shell of other UIDs.
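Back to the lvconvert thread earlier on this page: the records Nickolas posted are SELINUX_ERR events from security_validate_transition, not AVC denials, so the usual "read the AVC, write the allow rule" loop does not apply and the old and new contexts have to be compared by hand. The Python below is an added example, not code from any of the list posters or from the SELinux project. It re-joins the wrapped ausearch -i style records, parses oldcontext/newcontext/taskcontext, decides by MLS dominance whether the relabel is a downgrade or an upgrade, and names the refpolicy interface to look at (mls_file_downgrade is the one Stephen gave; mls_file_upgrade is assumed here to be its counterpart in refpolicy's mls.if). The sample log embeds event 208246 from the thread plus one constructed record in which the level goes the other way, so both directions are exercised.

```python
"""Classify SELINUX_ERR security_validate_transition records from an audit log.

Added example for the lvconvert thread; not code from the posters or from
the SELinux project.  Assumes the ausearch -i field layout quoted there,
with records wrapped across several lines (re-joined below).
"""
import re

# Constructed sample: event 208246 copied from the thread (wrapped as in the
# mail), followed by a constructed record whose level goes up instead of down.
SAMPLE_LOG = """\
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes
exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9ad16c0 a3=1e items=1
ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
ses=1 comm=lvconvert exe=/sbin/lvm
subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
10:31:40.907:208246) : security_validate_transition: denied for
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
newcontext=system_u:object_r:device_t:s0
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
10:31:41.000:208300) : security_validate_transition: denied for
oldcontext=system_u:object_r:device_t:s0
newcontext=siterep_u:object_r:device_t:s15:c0.c1023
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
"""


def _expand_categories(spec):
    """Expand 'c0.c1023,c5' into the set of category numbers it names."""
    cats = set()
    for item in filter(None, spec.split(',')):
        if '.' in item:                      # cN.cM is an inclusive range
            lo, hi = item.split('.')
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return cats


def parse_level(level):
    """'s15:c0.c1023' -> (15, {0..1023}); 's0' -> (0, set()).
    A range 'low-high' is reduced to its low level."""
    sens, _, cats = level.split('-')[0].partition(':')
    return int(sens[1:]), _expand_categories(cats)


def parse_context(ctx):
    """Split seuser:role:type:level; the level itself may contain colons."""
    user, role, typ, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': typ, 'level': parse_level(level)}


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories include b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def classify_level_change(old, new):
    if old == new:
        return 'unchanged'
    if dominates(old, new):
        return 'downgrade'
    if dominates(new, old):
        return 'upgrade'
    return 'incomparable'


def split_records(text):
    """Re-join wrapped lines: a record starts at a line beginning node= or type=."""
    parts = re.split(r'(?m)^(?=(?:node|type)=)', text)
    return [' '.join(p.split()) for p in parts if p.strip()]


def analyze(text):
    """One finding per SELINUX_ERR validate_transition record; others are skipped."""
    findings = []
    for rec in split_records(text):
        if 'type=SELINUX_ERR' not in rec or 'security_validate_transition' not in rec:
            continue
        fields = dict(re.findall(r'(\w+)=(\S+)', rec))
        event = re.search(r'msg=audit\([^)]*:(\d+)\)', rec)
        old = parse_context(fields['oldcontext'])
        new = parse_context(fields['newcontext'])
        task = parse_context(fields['taskcontext'])
        findings.append({
            'event': event.group(1) if event else None,
            'tclass': fields.get('tclass'),
            'task_type': task['type'],
            'changed': [k for k in ('user', 'role', 'type', 'level') if old[k] != new[k]],
            'level_change': classify_level_change(old['level'], new['level']),
        })
    return findings


def suggestion(finding):
    """Refpolicy MLS interface for the relabel direction (mls_file_upgrade is
    assumed to be the counterpart of the mls_file_downgrade named in the thread)."""
    if finding['level_change'] == 'downgrade':
        return 'mls_file_downgrade(%s)' % finding['task_type']
    if finding['level_change'] == 'upgrade':
        return 'mls_file_upgrade(%s)' % finding['task_type']
    return None  # no level change: some other validatetrans constraint fired


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print('event %s: %s relabels a %s, changed=%s, level %s -> %s' % (
            f['event'], f['task_type'], f['tclass'], ','.join(f['changed']),
            f['level_change'], suggestion(f)))
```

Run against the real log with `ausearch -i -m SELINUX_ERR | python3 thisfile.py` after swapping the sample for stdin; the point of the `changed` list is that both the user and the level differ in the posted records, so a policy fix has to decide which of the two it actually intends to permit.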
From BGinn at symark.com Sat May 30 01:10:29 2009
From: BGinn at symark.com (Brian Ginn)
Date: Fri, 29 May 2009 18:10:29 -0700
Subject: policy to allow myapp to exec chfn
In-Reply-To: <4A1F3EF5.7030405@redhat.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2D9@dragonfly.symark.com> <4A1F3EF5.7030405@redhat.com>
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2E1@dragonfly.symark.com>

Ok, Thanks!

In flask/security_classes I see that class passwd is commented to be # userspace.
In flask/access_vectors I see the chfn permission for class passwd.
...
So maybe next time I get a similar problem, I'll be able to solve it myself.

Is https://bugzilla.redhat.com/ the appropriate place to submit a bug report for chfn ?

-Brian

-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh at redhat.com]
Sent: Thursday, May 28, 2009 6:49 PM
To: Brian Ginn
Cc: 'fedora-selinux-list at redhat.com'
Subject: Re: policy to allow myapp to exec chfn

On 05/28/2009 09:03 PM, Brian Ginn wrote:
> I have an app which runs from xinetd in the myapp_t domain:
>
> system_u:system_r:myapp_t
>
> I am attempting to get myapp to exec the chfn program
>
> however it reports:
>
> chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of test5
>
This means the transition did not happen.
>
> I have tried these macros from the reference policy:
>
> usermanage_run_chfn(myapp_t,system_r,devpts_t )
>
> type myapp_devpts_t;
>
> type myapp_tty_device_t;
>
> userdom_change_password_template(myapp)
>
> usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })
>
> but things still don't work.
>
> SELinux is not reporting denials in audit.log, presumably because
>
> chfn calls security_compute_av() and reports the "denial" itself.
>
> Is there policy I can write that will allow myapp to exec chfn?
>
> Thanks,
> Brian
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

If myapp_t needs to have the ability to change a passwd of another user:

allow myapp_t self:passwd chfn;

chfn and others should report this error as an AVC rather than just an error message so the tools would be able to generate appropriate policy. Report this as a bug and cc me on the bug report.

passwd, chfn, chsh are all accesses required for root programs to change the passwd, finger info or shell of other UIDs.

From nick at magitekltd.com Sat May 30 03:50:37 2009
From: nick at magitekltd.com (Nickolas Gray)
Date: Fri, 29 May 2009 22:50:37 -0500
Subject: Rsyncing every file on the root to another disk
Message-ID: <6A55B6DB-E968-43FE-BF4E-9DF1533A7F19@magitekltd.com>

I have a requirement to rsync ALL files over to a newly mounted partition. the command is "rsync -AaXxH /home/snapshot/* /target/"
I can get this to work in permissive, and with a bit of massaging. I can get an operational system that boots in enforcing on a new disk.

For the life of me I can't determine how I can gain access to copy and write all these files in enforcing.

I have included the simple rules like

files_read_all_files(), but it seems there must be an easier assured way of making sure I don't miss anything. It appears to me that not every file in the system is really labeled with the attribute file_type. Is there something I am missing on how to do this? Suggestions?

Nick

-- 
"THIS time it really is fixed. I mean, how many times can we get it wrong? At some point, we just have to run out of bad ideas.."
Linus Torvalds

Nickolas Gray
nick at magitek.ltd

From joe at nall.com Sat May 30 04:13:21 2009
From: joe at nall.com (Joe Nall)
Date: Fri, 29 May 2009 23:13:21 -0500
Subject: Rsyncing every file on the root to another disk
In-Reply-To: <6A55B6DB-E968-43FE-BF4E-9DF1533A7F19@magitekltd.com>
References: <6A55B6DB-E968-43FE-BF4E-9DF1533A7F19@magitekltd.com>
Message-ID: <628D5D97-8D74-4B99-8DDC-8DB51FA68A81@nall.com>

On May 29, 2009, at 10:50 PM, Nickolas Gray wrote:

> I have a requirement to rsync ALL files over to a newly mounted
> partition. the command is "rsync -AaXxH /home/snapshot/* /target/"
> I can get this to work in permissive, and with a bit of massaging. I
> can get an operational system that boots in enforcing on a new disk.
>
> For the life of me I can't determine how I can gain access to copy
> and write all these files in enforcing.
>
> I have included the simple rules like
>
> files_read_all_files(), but it seems there must be an easier assured
> way of making sure I don't miss anything. It appears to me that not
> everyfile in the system is really labeled with the attribute
> file_type. Is there something I am missing on how to do this?
> Suggestions?

From:

http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/admin/backup.te

...
allow backup_t self:capability dac_override;
...
files_read_all_files(backup_t)
files_read_all_symlinks(backup_t)
files_getattr_all_pipes(backup_t)
files_getattr_all_sockets(backup_t)
...

joe

From nick at magitekltd.com Sat May 30 11:20:33 2009
From: nick at magitekltd.com (Nickolas Gray)
Date: Sat, 30 May 2009 06:20:33 -0500
Subject: Rsyncing every file on the root to another disk
In-Reply-To: <628D5D97-8D74-4B99-8DDC-8DB51FA68A81@nall.com>
References: <6A55B6DB-E968-43FE-BF4E-9DF1533A7F19@magitekltd.com> <628D5D97-8D74-4B99-8DDC-8DB51FA68A81@nall.com>
Message-ID: <1E43BE34-D775-4739-B143-3221B97D09F2@magitekltd.com>

Already have these,

I believe my problems have to do with placing the files on the new disk.
I am getting relabelto, relabelfrom, rename, add_name, remove_name, and setattr in my audit log

On May 29, 2009, at 11:13 PM, Joe Nall wrote:

>
> On May 29, 2009, at 10:50 PM, Nickolas Gray wrote:
>
>> I have a requirement to rsync ALL files over to a newly mounted
>> partition. the command is "rsync -AaXxH /home/snapshot/* /target/"
>> I can get this to work in permissive, and with a bit of massaging.
>> I can get an operational system that boots in enforcing on a new
>> disk.
>>
>> For the life of me I can't determine how I can gain access to copy
>> and write all these files in enforcing.
>>
>> I have included the simple rules like
>>
>> files_read_all_files(), but it seems there must be an easier
>> assured way of making sure I don't miss anything. It appears to me
>> that not everyfile in the system is really labeled with the
>> attribute file_type. Is there something I am missing on how to do
>> this? Suggestions?
>
> From:
>
> http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/admin/backup.te
>
> ...
> allow backup_t self:capability dac_override;
> ...
> files_read_all_files(backup_t)
> files_read_all_symlinks(backup_t)
> files_getattr_all_pipes(backup_t)
> files_getattr_all_sockets(backup_t)
> ...
>
> joe
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-- 
"THIS time it really is fixed. I mean, how many times can we get it wrong? At some point, we just have to run out of bad ideas.."
Linus Torvalds

Nickolas Gray
nick at magitek.ltd

From joe at nall.com Sat May 30 13:51:29 2009
From: joe at nall.com (Joe Nall)
Date: Sat, 30 May 2009 08:51:29 -0500
Subject: Rsyncing every file on the root to another disk
In-Reply-To: <1E43BE34-D775-4739-B143-3221B97D09F2@magitekltd.com>
References: <6A55B6DB-E968-43FE-BF4E-9DF1533A7F19@magitekltd.com> <628D5D97-8D74-4B99-8DDC-8DB51FA68A81@nall.com> <1E43BE34-D775-4739-B143-3221B97D09F2@magitekltd.com>
Message-ID: <5C8B73B7-E1CF-4D95-9ECA-04F269A91DF6@nall.com>

On May 30, 2009, at 6:20 AM, Nickolas Gray wrote:

> Already have these,
>
> I believe my problems have to do with placing the files on the new
> disk. I am getting relabelto, relabelfrom, rename,add_name,
> remove_name, and setattr in my audit log

look at the macros in /usr/share/selinux/devel/kernel/files.if

files_relabel_all_files might help

joe

From chepkov at yahoo.com Sun May 31 13:22:59 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Sun, 31 May 2009 06:22:59 -0700 (PDT)
Subject: semodule
Message-ID: <284393.48035.qm@web36801.mail.mud.yahoo.com>

I am lost. I compared semanage user/login on affected and freshly installed systems - identical. I did relabel several times. both have the same selinux-policy-targeted-3.5.13-59.fc10.noarch installed. on both sshd runs in the same context.

Normal system:

sshd(`system_u:system_r:sshd_t:s0-s0:c0.c1023')
  `-sshd(`system_u:system_r:sshd_t:s0-s0:c0.c1023')
      `-sshd(`system_u:system_r:sshd_t:s0-s0:c0.c1023')
          `-bash(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
              `-pstree(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')

Affected system:

sshd(`system_u:system_r:sshd_t:s0-s0:c0.c1023')
  `-sshd(`system_u:system_r:sshd_t:s0-s0:c0.c1023')
      `-sshd(`system_u:system_r:sshd_t:s0-s0:c0.c1023')
          `-bash(`system_u:system_r:unconfined_t:s0-s0:c0.c1023')
              `-pstree(`system_u:system_r:unconfined_t:s0-s0:c0.c1023')

As you can see, my login shell doesn't become 'unconfined_u'.
So, I decided to experiment and added a new SEuser

#semanage user -a -P user -r s0-s0:c0.c1023 -R "system_r unconfined_r" vvc_u

and assigned this SEuser to my login, to see if it makes a difference

#semanage login --add -s vvc_u -r s0-s0:c0.c1023 vvc

$id -Z
system_u:system_r:unconfined_t:s0-s0:c0.c1023

Totally ignored

Is some PAM entry or whatever is missing?

Sincerely yours,
Vadym Chepkov

--- On Tue, 5/26/09, Vadym Chepkov wrote:

> From: Vadym Chepkov
> Subject: Re: semodule
> To: "Daniel J Walsh"
> Cc: "Fedora SELinux"
> Date: Tuesday, May 26, 2009, 3:53 PM
> --- On Tue, 5/26/09, Daniel J Walsh
> wrote:
> > Do you have a file in
> > /etc/selinux/targeted/contexts/users/unconfined_u
>
> -rw-r--r-- 1 root root 578 2009-05-07 07:30
> /etc/selinux/targeted/contexts/users/unconfined_u
>

From chepkov at yahoo.com Sun May 31 15:36:29 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Sun, 31 May 2009 08:36:29 -0700 (PDT)
Subject: semodule
Message-ID: <465251.41151.qm@web36801.mail.mud.yahoo.com>

I compared /etc/pam.d/sshd of the affected and working system, they are identical. But, I found these entries in /var/log/secure of the system in trouble:

error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

I bet it's a smoking gun, I just have no idea what to do about it.

Sincerely yours,
Vadym Chepkov

From cra at WPI.EDU Sun May 31 18:12:15 2009
From: cra at WPI.EDU (Chuck Anderson)
Date: Sun, 31 May 2009 14:12:15 -0400
Subject: semodule
In-Reply-To: <465251.41151.qm@web36801.mail.mud.yahoo.com>
References: <465251.41151.qm@web36801.mail.mud.yahoo.com>
Message-ID: <20090531181215.GA10296@angus.ind.WPI.EDU>

On Sun, May 31, 2009 at 08:36:29AM -0700, Vadym Chepkov wrote:
>
> I compared /etc/pam.d/sshd of the affected and working system, they are identical. But, I found these entries in /var/log/secure of the system in trouble:

also check /etc/pam.d/system-auth

From chepkov at yahoo.com Sun May 31 21:12:54 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Sun, 31 May 2009 14:12:54 -0700 (PDT)
Subject: semodule
Message-ID: <464159.53393.qm@web36803.mail.mud.yahoo.com>

> also check /etc/pam.d/system-auth

Unexpected, but yes, you were right, when I disabled winbind it worked as expected, but I need winbind enabled. I thought having pam_selinux as a first and last session rule should be sufficient. what's wrong with my config then?

$ cat /etc/pam.d/sshd
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke

$ cat /etc/pam.d/system-auth
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_winbind.so
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     required      pam_winbind.so

password    required      pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_unix.so
session     required      pam_winbind.so

Sincerely yours,
Vadym Chepkov
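The two pam.d files posted above can be checked mechanically against the ordering rules their own comments state, which is the first thing to do before suspecting any single module. The Python below is an added example, not code from the list or from Linux-PAM. It parses pam.d syntax (bracketed control values and include/substack included), flattens the sshd session stack the way PAM would run it, and reports when pam_selinux.so close is not the first session rule or when rules pulled in from an included file would run after pam_selinux.so open. The embedded copies of sshd and system-auth are constructed from the posted text (a real run would read /etc/pam.d); BROKEN_SSHD is a constructed counter-example. The check encodes only those two comment rules and says nothing about the winbind interaction the post asks about.

```python
"""Flatten a PAM service stack and check the pam_selinux ordering rules
stated in the posted sshd file's comments.

Added example; not code from the list or from Linux-PAM.  The pam.d files
below are constructed copies of the posted text.
"""
import re

PAM_FILES = {
    'sshd': """\
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
""",
    'system-auth': """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_winbind.so
auth        required      pam_deny.so
account     sufficient    pam_unix.so
account     required      pam_winbind.so
password    required      pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_unix.so
session     required      pam_winbind.so
""",
}

# Constructed counter-example: open and close swapped, so the generic
# system-auth session rules would run after the context switch.
BROKEN_SSHD = """\
session    required     pam_selinux.so open env_params
session    include      system-auth
session    required     pam_loginuid.so
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
"""

# type, control (a word or a [bracketed] action list), module, optional args
LINE_RE = re.compile(r'^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$')


def parse_pam(text):
    """Return (type, control, module, args) for each rule; comments dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError('unparseable PAM line: %r' % raw)
        typ, control, module, args = m.groups()
        rules.append((typ, control, module, (args or '').split()))
    return rules


def flatten(files, service, typ, depth=0):
    """Expand include/substack for one management group into the flat list of
    rules PAM runs, remembering each rule's file (substack skip semantics are
    not modelled; only ordering matters here)."""
    if depth > 8:
        raise ValueError('include loop in PAM config for %s' % service)
    stack = []
    for rtyp, control, module, args in parse_pam(files[service]):
        if rtyp != typ:
            continue
        if control in ('include', 'substack'):
            stack.extend(flatten(files, module, typ, depth + 1))
        else:
            stack.append({'file': service, 'control': control,
                          'module': module, 'args': args})
    return stack


def check_selinux_ordering(files, service):
    """Return the list of violated rules; empty means both posted rules hold."""
    stack = flatten(files, service, 'session')
    problems = []
    if not (stack and stack[0]['module'] == 'pam_selinux.so'
            and 'close' in stack[0]['args']):
        problems.append('pam_selinux.so close is not the first session rule')
    opens = [i for i, r in enumerate(stack)
             if r['module'] == 'pam_selinux.so' and 'open' in r['args']]
    if len(opens) != 1:
        problems.append('expected exactly one pam_selinux.so open, found %d' % len(opens))
    else:
        # Rules inherited from an included file are the generic system stack,
        # not "sessions to be executed in the user context".
        late = [r['module'] for r in stack[opens[0] + 1:] if r['file'] != service]
        if late:
            problems.append('included rules run after pam_selinux.so open: ' + ', '.join(late))
    return problems


if __name__ == '__main__':
    for name, files in (('posted sshd', PAM_FILES),
                        ('broken sshd', dict(PAM_FILES, sshd=BROKEN_SSHD))):
        print(name, [r['module'] for r in flatten(files, 'sshd', 'session')])
        print('  problems:', check_selinux_ordering(files, 'sshd') or 'none')
```

For the posted files the flattened session stack is close, the five system-auth rules, pam_loginuid, open, pam_keyinit, and no problem is reported; the counter-example trips both checks.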