Using SELinux on samba mounted directories
by Michael Kraus
G'day...
Previously under RH9, I had mounted a directory from a windows machine,
which was web-served by apache.
When I tried to do the same under FC3 I found that apache wasn't
recognising the directory, and learnt that this was because of SELinux.
I tried to "chcon -R -t httpd_sys_content_t <directory>" the directory
and found I couldn't. The directory was mounted using smb and an entry
in /etc/fstab.
Is there a way to edit the /etc/fstab file so that the context is set
when the directory is mounted? (I hope this is all making sense, I'm
new to all of this.)
TIA!
Regards,
Michael S. E. Kraus
B. Info. Tech. (CQU), Dip. Business (Computing)
Software Developer
Wild Technology Pty Ltd
_______________________________
ABN 98 091 470 692
Level 4 Tiara, 306/9 Crystal Street, Waterloo NSW 2017, Australia
Telephone 1300-13-9453 | Facsimile 1300-88-9453
http://www.wildtechnology.net
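One way to handle the fstab side of this, as an added example rather than anything from the original post: mount(8) accepts a context= option that stamps a single SELinux context on every file of a filesystem that carries no labels of its own (which is why chcon fails on the smb mount). The helper below rewrites the options field of the matching /etc/fstab line so the share comes up already labelled httpd_sys_content_t. The share name, mount point and credentials file in the sample are constructed; the FC3-era context has no MLS field, so no trailing ":s0" is added.

```python
"""Add an SELinux context= mount option to an smbfs/cifs entry in fstab.

Added example, not code from the original post. It assumes the share is
already listed in /etc/fstab and that mount accepts context= for that
filesystem type (documented in mount(8) for label-less filesystems).
"""

# Constructed sample fstab, modelled on the poster's description.
SAMPLE_FSTAB = """\
# /etc/fstab (constructed sample)
LABEL=/            /                    ext3   defaults                               1 1
//winbox/webshare  /var/www/winshare    smbfs  credentials=/etc/samba/web.cred,ro      0 0
"""

# Context apache's httpd_t domain is allowed to read under the targeted policy.
HTTPD_CONTEXT = "system_u:object_r:httpd_sys_content_t"


def add_context_option(line, mountpoint, context=HTTPD_CONTEXT):
    """Return `line` with context=<context> added to its mount options.

    Comment lines, blank lines and entries for other mount points come
    back unchanged.  An existing context= option is replaced instead of
    duplicated, so running this twice does not corrupt the entry.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line
    fields = stripped.split()
    # fstab needs at least device, mountpoint, fstype and options.
    if len(fields) < 4 or fields[1] != mountpoint:
        return line
    opts = [o for o in fields[3].split(",") if not o.startswith("context=")]
    opts.append(f"context={context}")
    fields[3] = ",".join(opts)
    return "\t".join(fields)


def patch_fstab(text, mountpoint, context=HTTPD_CONTEXT):
    """Apply add_context_option to every line of an fstab file's text."""
    lines = [add_context_option(l, mountpoint, context) for l in text.splitlines()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints the patched sample; on a real box you would write this back to
    # /etc/fstab, remount the share, and confirm with `ls -dZ /var/www/winshare`.
    print(patch_fstab(SAMPLE_FSTAB, "/var/www/winshare"), end="")
```

After remounting, `ls -dZ` on the mount point should show the httpd_sys_content_t type on every entry; because the label comes from the mount option, chcon and restorecon still will not change it, which is the expected behaviour for a label-less filesystem.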
Snare, SELinux, NISPOM
by Browder, Tom
OK, given the current state of things, is anyone satisfying NISPOM
auditing requirements on Linux? If so, what are you using for auditing
(Linux distribution, add-ons, kernel)?
The best I can figure in the short term (right out of the box) is FC 2
and snare 096b with the UT kernel rpms: 2.6.7-1.494.2.2SNARE096b
Any better ideas would be appreciated.
Thanks.
Tom Browder
RE: No Denial
by Browder, Tom
> -----Original Message-----
> From: fedora-selinux-list-bounces(a)redhat.com
> [mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of
> Stephen Smalley
> I suspect that you don't actually want SELinux auditing here,
> as it is just of MAC permission checks, but instead want
> ordinary system call auditing. There is ongoing work to
> enhance the existing Linux audit framework and userspace
> tools toward that end, see the linux-audit mailing list.
I joined, and took a look. With the audit tools, and audit=1, do I need
to keep SELinux turned on?
Thanks.
Tom Browder
RE: No Denial
by Browder, Tom
> -----Original Message-----
> From: fedora-selinux-list-bounces(a)redhat.com
> [mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of
> Stephen Smalley
> I suspect that you don't actually want SELinux auditing here,
> as it is just of MAC permission checks, but instead want
> ordinary system call auditing. There is ongoing work to
> enhance the existing Linux audit framework and userspace
> tools toward that end, see the linux-audit mailing list.
Thanks, Stephen, I'll check it out.
In the meantime, I've turned on enforcement and will see if that at
least is a temporary fix.
A quick test of major programs I use shows no problems.
Tom Browder
RE: No Denial
by Browder, Tom
> -----Original Message-----
> From: fedora-selinux-list-bounces(a)redhat.com
> [mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of
> Stephen Smalley
> Unless your process has uid 0, then the latter command would
> be prevented by ordinary Linux DAC and never reaches the
> SELinux permission checks. Hence, you wouldn't see an audit
> message for it. The former command would be allowed by Linux
> DAC and thus reaches the SELinux checks (and audit).
Thanks, Stephen.
Actually, I did a 'make load', rotated my logs to clear them out, and
then did 'mv /etc/shadow /etc/shadow.save' as a normal user and got a
long denial log message (get_attr).
Tom Browder
RE: No Denial
by Browder, Tom
(It would be nice to be able to choose to get logging of all instances
of denial in permissive mode.)
But the denial is the same whether I do 'ls /etc/shadow' or 'mv
/etc/shadow /etc/shadow.save'. Is there a way to show the different
system calls?
I'm sure there is, but I'm just getting started in the nitty-gritty of
this stuff and a few hints would be appreciated.
Here's my situation: I have a customer who wants to audit specific
commands on specific files and directories, i.e., who's doing what to
whom and when.
Is there an "easy" way to do something like that?
Thanks, and I'll try not to bug you any more.
Tom Browder
No Denial
by Browder, Tom
I'm using the default strict policy for FC 3 SELinux for testing and
learning.
I see denial messages when I do 'ls -l /etc/shadow', but nothing when I
try to do 'mv /etc/shadow /etc/shadow.save'.
Uh, I think I read somewhere that only one of a message type will be
seen in some situations, but I can't find it now. How do I ensure that
every instance of a specific denial is seen?
Thanks.
Tom Browder
RE: No Denial
by Browder, Tom
Sorry, I found it--in the Unofficial SELinux FAQ.
Tom Browder
Why does this get denied?
by Andy Smith
Hi,
Firstly apologies if what I'm about to ask is obvious, I'm kind of
new to selinux and I'm trying to read the relevant docs but I don't
understand something. If what I ask is covered in a document then
I'd appreciate a pointer.
Okay so I just installed apache from RPM on fedora core 3 and when I
try to start it I get the following:
# service httpd start
Starting httpd: Syntax error on line 266 of /etc/httpd/conf/httpd.conf:
DocumentRoot must be a directory
In /var/log/messages:
Dec 20 16:28:32 becks kernel: audit(1103560112.198:0): avc: denied { search } for pid=27331 exe=/usr/sbin/httpd name=/ dev=dm-1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
I am using the targeted policy.
Now, the only thing I have changed is, instead of having my document
root be /var/www/html I've put it in /data/www. I edited
/etc/selinux/targeted/src/policy/file_contexts/program/apache.fc to
reflect the fact that my content is in a different place and did do
a restorecon to relabel things under /data.
What I don't understand is the reference to /. Why is selinux
denying httpd searching /? This is a new install and selinux has
been enabled from the start so / should be labelled correctly.
What am I missing?
Thanks,
Andy
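As an added example (not code from the original post or from the Fedora project), the parser below pulls the FC3-era AVC line above apart into its fields and flags the part that matters for diagnosis: the target type. file_t is the type the kernel reports for an object that carries no SELinux label at all, so the denial is a labelling problem to be fixed with restorecon, not a policy gap to be fixed with an allow rule. Note also that ino=2 is the root directory of an ext2/ext3 filesystem, so name=/ with dev=dm-1 names the root of the filesystem on that device-mapper volume, which need not be the system root. The regex is written to the message format shown in the post; other field names are not assumed.

```python
"""Parse FC3-era kernel AVC denial messages and point at unlabelled targets.

Added example, not from the original post.  Assumes the
"avc: denied { perms } for key=value ..." layout shown in the post.
"""
import re

# Constructed sample: the post's log line re-joined onto one line.
SAMPLE = ("Dec 20 16:28:32 becks kernel: audit(1103560112.198:0): avc: denied "
          "{ search } for pid=27331 exe=/usr/sbin/httpd name=/ dev=dm-1 ino=2 "
          "scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t "
          "tclass=dir")

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Target types that mean "this object has no useful label".  The fix is a
# relabel (restorecon -R on the tree), never an allow rule.
UNLABELLED_TYPES = {"file_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    # Contexts are user:role:type (FC3 had no MLS field); expose the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def diagnose(rec):
    """One-line explanation of what the denial means and where to look."""
    if rec is None:
        return "not an AVC message"
    perms = " ".join(rec["perms"])
    ttype = rec.get("tcontext_type", "?")
    where = f"{rec.get('tclass', '?')} {rec.get('name', '?')} (dev={rec.get('dev', '?')} ino={rec.get('ino', '?')})"
    if ttype in UNLABELLED_TYPES:
        return (f"{rec.get('exe', '?')} ({rec.get('scontext_type', '?')}) denied {perms} on {where}: "
                f"target is labelled {ttype}, i.e. unlabelled; relabel the tree with restorecon "
                f"rather than adding policy")
    return f"{rec.get('scontext_type', '?')} denied {perms} on {where} labelled {ttype}"


if __name__ == "__main__":
    print(diagnose(parse_avc(SAMPLE)))
```

Run over /var/log/messages, the function separates "the policy forbids this" denials (a real type in tcontext) from "nothing has labelled this yet" denials (file_t), which is the first thing to check whenever a new filesystem or directory tree is added outside the paths the file_contexts entries already cover.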
Fedora Targeted List grows on Rawhide.
by Daniel J Walsh
I have added several targets to Targeted Policy as of
selinux-policy-targeted-1.19.14-2.
I am attempting to add most of the network daemons to targeted. In
order to experiment with this new policy file, you will need to
relabel. Or you can just relabel the target you are interested in.
The best way to do this is install the policy and then execute
rpm -q -l TARGETRPM | restorecon -R -f -
Current targets
amanda.te apache.te cups.te dhcpd.te dictd.te dovecot.te fingerd.te
ftpd.te howl.te i18n_input.te inetd.te innd.te kerberos.te ktalkd.te
ldconfig.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te
nscd.te ntpd.te portmap.te postgresql.te privoxy.te radius.te radvd.te
rpcd.te rshd.te rsync.te samba.te slapd.te snmpd.te spamd.te squid.te
stunnel.te syslogd.te tftpd.te winbind.te ypbind.te ypserv.te zebra.te
This is not a commitment for this list in FC4; some could be pulled if
they don't work well :*).
The goal of targeted policy is to protect all network daemons and to
allow userspace to run with normal privs. You still need strict
policy to confine userspace.