Fwd: constraining an app in targeted policy
by Benjamin Youngdahl
Oops, forgot to CC the list in case anyone was curious on the specifics of
the resolution.
---------- Forwarded message ----------
From: Benjamin Youngdahl <ben.youngdahl(a)gmail.com>
Date: Dec 20, 2005 1:23 PM
Subject: Re: constraining an app in targeted policy
To: Daniel J Walsh <dwalsh(a)redhat.com>
Here you go -- was in a previous post but not the follow up that had the
".fc".
The problem was solved by a reboot. Stephen has helped me see that it may
have been caused by an unload that I did of the module. I thought (and am
still pretty sure) that I relabeled the files after the unload/reinstall of
the module, because I saw they had their context reset, but I may have
botched that step.
It's all working now, and I greatly appreciate the assistance of everyone.
Have great holidays; I know I will, writing policy modules :)
Ben
-----
policy_module(bentest,1.0.4)

########################################
#
# Declarations
#
# Private type declarations: bentest_t is the process domain,
# bentest_exec_t the label of the program that enters it.
type bentest_t;
type bentest_exec_t;

# unconfined_t and system_r are declared by other modules, so they
# must be required before this module can name them.
gen_require(`
	type unconfined_t;
	role system_r;
')

domain_type(bentest_t)
domain_entry_file(bentest_t,bentest_exec_t)
role system_r types bentest_t;

# Executing a bentest_exec_t file from unconfined_t transitions to bentest_t.
domain_auto_trans(unconfined_t,bentest_exec_t,bentest_t)
RE: Non-root console login issue! (was: Problem with VNC and SELinux:FC4)
by Dan Thurman
>From: fedora-list-bounces(a)redhat.com
>[mailto:fedora-list-bounces@redhat.com] On Behalf Of Daniel B. Thurman
>Sent: Saturday, December 17, 2005 2:30 PM
>To: For users of Fedora Core releases
>Cc: Fedora SELinux support list for users & developers.
>Subject: Non-root console login issue! (was: Problem with VNC and
>SELinux:FC4)
>
>
>>From: fedora-list-bounces(a)redhat.com
>>[mailto:fedora-list-bounces@redhat.com] On Behalf Of Daniel B. Thurman
>>Sent: Friday, December 16, 2005 6:11 PM
>>To: For users of Fedora Core releases (E-mail)
>>Cc: Fedora SELinux support list for users & developers.
>>Subject: Problem with VNC and SELinux: FC4
>>
>>
>>
>>Folks,
>>
>>With the new SELinux updates, it appears that root,
>>other than normal users, can log in to Fedora via VNC
>>Server? My VNC Server is set up such that I am using
>>xinetd for VNC Server requests.
>>
>>Another problem I noticed is that when I log into my
>>Fedora system via VNC as root user, and open an xterm
>>window and run a su - <normal-user>, I get back a
>>SELinux message:
>>
>>================================================
>># su - dan
>>Your default context is: user_u:system_r:kernel_t.
>>
>>Do you want to want to choose a different one? [n]
>>================================================
>>
>>It is *possible* that this problem came up when
>>I had to make a copy of my filesystem to another
>>hard-disk for the purpose of creating a /boot
>>partition (my bad) and copied/restored the filesystem
>>back over to the main drive. I don't think I made
>>any copy/restore mistakes as I know the fs permissions
>>are correct but I cannot speak for filesystem journaling
>>or whatever that keeps track of the SELinux attributes.
>>
>>In any case, what can I do to resolve my VNC and/or su
>>issue knowing that SELinux has something to do with it?
>>
>>Thanks!
>>Dan Thurman
>>
>
>Problem is not related to SELinux and not really related
>to VNC. It turns out that I cannot log into the console
>as a non-root user and I get a message saying:
>
>=======================================================
>Your session lasted less than 10 seconds. If you have not
>logged out yourself, this could mean that there is some
>installation problem or that you may be out of diskspace.
>Try logging in with one of the failsafe sessions to see if
>you can fix this problem.
>
>[] View details (~/.xsession-errors file)
>=======================================================
>
>The problem here is that the .xsession-errors file does
>not exist. I also note from /var/log/message file:
>
>=======================================================
>Dec 17 12:45:31 linux gdm(pam_unix)[16480]: session opened for
>user dant by (uid=0)
>Dec 17 12:45:32 linux gdm(pam_unix)[16480]: session closed for
>user dant
>Dec 17 12:45:32 linux dbus: avc: 0 AV entries and 0/512
>buckets used, longest chain length 0
>=======================================================
>
>And from /var/log/audit/audit.log
>=======================================================
>type=USER_AUTH msg=audit(1134858412.155:3929): user pid=3397
>uid=0 auid=4294967295 msg='PAM authentication: user=dant
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
>result=Success)'
>type=USER_ACCT msg=audit(1134858412.159:3930): user pid=3397
>uid=0 auid=4294967295 msg='PAM accounting: user=dant
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
>result=Success)'
>type=CRED_ACQ msg=audit(1134858412.247:3931): user pid=3397
>uid=0 auid=4294967295 msg='PAM setcred: user=dant
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
>result=Success)'
>type=USER_START msg=audit(1134858412.307:3932): user pid=3397
>uid=0 auid=4294967295 msg='PAM session open: user=dant
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
>result=Success)'
>=======================================================
>
>File:
># ls -l /usr/bin/gdm-binary
>-rwxr-xr-x 1 root root 251668 May 23 2005 /usr/bin/gdm-binary
>
>HALLLLLP! Please :-)
>
>Dan
>
Sorry - had to add this tidbit... it seems that SELinux may be
involved, or maybe my file journaling is messed up after a "restore"?
I tried to create a new user account to see if by doing this
I would get a correct security context and be able to log
into the console, but WHOA!!! What is going on here!?!?!?
=======================================================
[root@linux ~]# useradd dant2
useradd: cannot rewrite password file
[root@linux ~]#
=======================================================
File: /var/log/audit/audit.log:
94967295 msg='useradd: op=adding home directory acct=dant2 res=success'
type=AVC msg=audit(1134859204.879:4004): avc: denied { create } for pid=19177 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
type=SYSCALL msg=audit(1134859204.879:4004): arch=40000003 syscall=39 success=no exit=-13 a0=bfd81470 a1=1ed a2=98fd2ef a3=ffffffff items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
type=CWD msg=audit(1134859204.879:4004): cwd="/root"
type=PATH msg=audit(1134859204.879:4004): item=0 name="/home/dant2/.kde" flags=10 inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
type=AVC msg=audit(1134859204.883:4005): avc: denied { create } for pid=19177 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
type=SYSCALL msg=audit(1134859204.883:4005): arch=40000003 syscall=5 success=no exit=-13 a0=bfd817e4 a1=8241 a2=1b6 a3=98f6f38 items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
type=CWD msg=audit(1134859204.883:4005): cwd="/root"
type=PATH msg=audit(1134859204.883:4005): item=0 name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_CHAUTHTOK msg=audit(1134859204.883:4006): user pid=19177 uid=0 auid=4294967295 msg='useradd: op=adding user acct=dant2 res=failed'
=======================================================
Dan
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.1/206 - Release Date: 12/16/2005
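The audit.log excerpt above is the kind of record worth parsing before reaching for audit2allow: both denials have a source context of kernel_t, which means the process never left the initial kernel domain (the domain transition that init performs after loading the policy did not happen, typically because the policy was not loaded at boot or /sbin/init lost its label), and the second one targets file_t, the type of a file carrying no label at all. Neither is fixed by an allow rule; both point at a relabel, which is what eventually resolved this thread. The following parser is an added example, not code from this list or from any SELinux tool; it reproduces the posted records as its sample input and flags those two conditions.

```python
import re
from collections import Counter

# Sample input: the /var/log/audit/audit.log excerpt from the message above
# (the failing useradd), reproduced here so the parser can run offline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1134859204.879:4004): avc: denied { create } for pid=19177 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
type=SYSCALL msg=audit(1134859204.879:4004): arch=40000003 syscall=39 success=no exit=-13 a0=bfd81470 a1=1ed a2=98fd2ef a3=ffffffff items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
type=CWD msg=audit(1134859204.879:4004): cwd="/root"
type=AVC msg=audit(1134859204.883:4005): avc: denied { create } for pid=19177 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
type=USER_CHAUTHTOK msg=audit(1134859204.883:4006): user pid=19177 uid=0 auid=4294967295 msg='useradd: op=adding user acct=dant2 res=failed'
"""

# One AVC record: "avc: denied { perm perm } for key=value ..."
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): "
    r"avc: +(?P<verdict>denied|granted) +\{ (?P<perms>[^}]+) \} for (?P<rest>.*)$"
)
# key=value pairs after "for"; values are either double-quoted or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types that mean "this object carries no usable label" rather than "wrong rule"
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def type_of(context):
    """Return the type (third field) of a user:role:type[:range] context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(text):
    """Extract AVC records from raw audit.log text; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        rec = {
            "serial": int(m.group("serial")),
            "verdict": m.group("verdict"),
            "perms": m.group("perms").split(),
            "comm": fields.get("comm"),
            "name": fields.get("name"),
            "tclass": fields.get("tclass"),
            "scontext": fields.get("scontext", ""),
            "tcontext": fields.get("tcontext", ""),
        }
        rec["stype"] = type_of(rec["scontext"])
        rec["ttype"] = type_of(rec["tcontext"])
        records.append(rec)
    return records


def summarize(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r["verdict"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["stype"], r["ttype"], r["tclass"], perm)] += 1
    return counts


def diagnose(records):
    """Return (code, explanation) findings for denials that a relabel, not an allow rule, fixes."""
    findings = []
    kernel_cmds = sorted({r["comm"] for r in records if r["stype"] == "kernel_t" and r["comm"]})
    if kernel_cmds:
        findings.append(("kernel_t_source",
            "processes still running in kernel_t (%s): the transition out of the "
            "initial kernel domain never happened, typically because the policy was "
            "not loaded at boot or /sbin/init is not labeled init_exec_t; relabel and "
            "reboot before touching policy" % ", ".join(kernel_cmds)))
    unlabeled = sorted({r["name"] for r in records if r["ttype"] in UNLABELED_TYPES and r["name"]})
    if unlabeled:
        findings.append(("unlabeled_target",
            "objects without a usable label (%s): the filesystem needs a relabel "
            "(fixfiles relabel or restorecon), not a policy change" % ", ".join(unlabeled)))
    return findings


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT_LOG)
    for key, n in summarize(recs).items():
        print("%dx  %s -> %s  %s:%s" % ((n,) + key))
    for code, text in diagnose(recs):
        print("[%s] %s" % (code, text))
```

Running it on a live log is `python avc_triage.py < /var/log/audit/audit.log` after swapping the sample for `sys.stdin.read()`; the summary keys are the same (source, target, class, permission) tuples audit2allow groups on, so anything not flagged by `diagnose` is a candidate for a genuine policy question.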
constraining an app in targeted policy
by Benjamin Youngdahl
I have a question on locking down an application under the targeted policy.
The policy module I've tried is below. I can see that the process has the
appropriate type in "ps -Z":
root:system_r:bentest_t:SystemLow-SystemHigh 13127 pts/1 00:00:00 bentest
But it still appears to have all the power of "unconfined_t". I did a
"restorecon -RF", and the files are appropriately labeled.
Is it possible for an app to confine "unconfined_t", or should I be
switching over to the replacement for the strict policy? (I think it is
just called "mls" at this point, which is a confusing name considering that
targeted itself is an "mls" it seems.)
If I do need to switch to "selinux-policy-mls", is that policy ready for
prime time?
Apologies in advance if I'm way off base in my understanding.
Thanks!
Ben
-------------
policy_module(bentest,1.0.4)

########################################
#
# Declarations
#
# Private type declarations: bentest_t is the process domain,
# bentest_exec_t the label of the program that enters it.
type bentest_t;
type bentest_exec_t;

# unconfined_t and system_r are declared by other modules, so they
# must be required before this module can name them.
gen_require(`
	type unconfined_t;
	role system_r;
')

domain_type(bentest_t)
domain_entry_file(bentest_t,bentest_exec_t)
role system_r types bentest_t;

# Executing a bentest_exec_t file from unconfined_t transitions to bentest_t.
domain_auto_trans(unconfined_t,bentest_exec_t,bentest_t)
problem solved
by Benjamin Youngdahl
Stephen, I tracked the problem down to human error on my part. Thanks for
the insights. ;)
RE: constraining an app in targeted policy
by Steve Brueckner
Stephen Smalley wrote:
> On Mon, 2005-12-19 at 23:16 -0600, Benjamin Youngdahl wrote:
>> I have a question on locking down an application under the targeted
>> policy.
>>
>> The policy module I've tried is below. I can see that the process
>> has the appropriate type in "ps -Z".:
>>
>> root:system_r:bentest_t:SystemLow-SystemHigh 13127 pts/1 00:00:00
>> bentest
>>
>> But it still appears to have all the power of "unconfined_t". I did
>> a "restorecon -RF", and the files are appropriately labeled.
>
> What makes you say it has all the power of unconfined_t?
>
Remove the allows from your .te file and see how much power it has.
Or maybe there are some macros in there giving the domain permissions.
Also, make sure you're not running in permissive mode.
Stephen Brueckner, ATC-NY
SELinux and Cacti (and other webapps)
by Aurelien Bompard
Hi all,
We're trying to package cacti for Fedora Extras:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175748
and we're running into an SELinux problem. Cacti is a web frontend to
RRDTool, an improved version of MRTG (which you might know).
There is a script, run by cron, which creates the statistics databases and
puts them in /var/lib/cacti. The log goes into /var/log/cacti. Then, the web
interface lets the user see these statistics.
The problem is that SELinux won't let httpd access /var/lib/cacti:
type=AVC msg=audit(1134978797.695:45154): avc: denied { read } for
pid=2605 comm="rrdtool" name="localhost_proc_7.rrd" dev=sda2 ino=981003
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_lib_t tclass=file
Httpd can't access /var/log/cacti either.
What should we do to make that work with SELinux? Do we have to run chcon
in the %post scriptlet (that sounds like an ugly hack)? Should we move
everything to /var/www?
Thanks for your help
Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard(a)jabber.fr
Programmer: A biological system designed to convert coffee and pizza
into code.
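The AVC above says why chcon in %post is the wrong tool: the denied file is labeled var_lib_t only because /var/lib/cacti matches the generic /var/lib(/.*)? entry in file_contexts, and any relabel (restorecon, fixfiles, a policy update) would put that label straight back. The durable fix is a file-context entry for the directory, so that restorecon itself produces a type httpd_sys_script_t may use. The matcher below is an added example, not code from the Cacti package or from libselinux; it parses a constructed .fc fragment and resolves paths the way matchpathcon does (anchored regexes, optional object-type column, last matching entry wins). Which type cacti's data should carry is an assumption here (httpd_sys_script_rw_t, a type of the targeted policy of that era); the thread does not settle it.

```python
import re
from collections import namedtuple

# Constructed file-context fragment. The /var/lib and /var/log entries stand in
# for the generic ones the distribution policy already ships; the cacti entries
# are the kind a policy module for the package would add. The target type
# (httpd_sys_script_rw_t) is an assumption, not something the thread settles.
FC_FRAGMENT = """
/var/lib(/.*)?            gen_context(system_u:object_r:var_lib_t,s0)
/var/log(/.*)?            gen_context(system_u:object_r:var_log_t,s0)
/var/lib/cacti(/.*)?      gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
/var/log/cacti(/.*)?      gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
"""

FcSpec = namedtuple("FcSpec", "pattern regex ftype context")

# regex, optional object-type column (--, -d, -l, ...), context or <<none>>
FC_LINE_RE = re.compile(r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-a-z])\s+)?(?P<context>\S+)$")
GEN_CONTEXT_RE = re.compile(r"^gen_context\((?P<ctx>[^,)]+)(?:,(?P<mls>[^)]+))?\)$")
FTYPE_CODES = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
               "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}


def parse_fc(text):
    """Parse .fc lines into specs; gen_context() is expanded to a plain context."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE_RE.match(line)
        if not m:
            raise ValueError("bad file_contexts line: %r" % line)
        ctx = m.group("context")
        g = GEN_CONTEXT_RE.match(ctx)
        if g:
            ctx = g.group("ctx") + (":" + g.group("mls").strip() if g.group("mls") else "")
        pattern = m.group("regex")
        specs.append(FcSpec(pattern, re.compile("^" + pattern + "$"), m.group("ftype"), ctx))
    return specs


def match_path(specs, path, ftype="file"):
    """Context restorecon would apply to path, or None if no entry applies.

    Mirrors libselinux: entries are anchored regexes, an entry with an object-type
    column applies only to objects of that type, "<<none>>" means leave the file
    alone, and the last matching entry in the list wins (the shipped
    file_contexts is sorted so the most specific entries come last).
    """
    for spec in reversed(specs):
        if spec.ftype and FTYPE_CODES.get(spec.ftype) != ftype:
            continue
        if spec.regex.match(path):
            return None if spec.context == "<<none>>" else spec.context
    return None


def relabel_plan(specs, current):
    """For (path, current context, ftype) triples, list what a relabel would change."""
    plan = []
    for path, ctx, ftype in current:
        target = match_path(specs, path, ftype)
        if target is not None and target.split(":")[2] != ctx.split(":")[2]:
            plan.append((path, ctx.split(":")[2], target.split(":")[2]))
    return plan


if __name__ == "__main__":
    specs = parse_fc(FC_FRAGMENT)
    # the file from the AVC record above, with the label the denial reported
    now = [("/var/lib/cacti/localhost_proc_7.rrd", "system_u:object_r:var_lib_t", "file"),
           ("/var/log/cacti", "system_u:object_r:var_log_t", "dir")]
    for path, old, new in relabel_plan(specs, now):
        print("%s: %s -> %s" % (path, old, new))
```

The point of `relabel_plan` is the packaging check: if the label restorecon would choose differs from the one the package needs, the fix belongs in file_contexts (a policy module's .fc, or the distribution policy), never in a chcon that the next relabel undoes.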
Odd mount behavior mounting hfsplus
by Derek Poon
Hi,
I'd like to report an odd behavior that I traced to SELinux. To mount
my Mac OS X partition automatically, I have the following line in
my /etc/fstab:
/dev/hda3 /Macintosh\040HD hfsplus ro 0 0
If I execute mount '/Macintosh HD' as root, this works fine.
However, this mount fails during the boot process.
If I execute
(A) /etc/rc.d/init.d/netfs start
as root, I get an error:
mount: cannot mount block device /dev/hda3 read-only [FAILED]
Running (A) under strace, I see
mount("/dev/hda3", "/Macintosh HD", "hfsplus", MS_RDONLY|MS_POSIXACL|
MS_ACTIVE|MS_NOUSER|0xec0000, 0x10037f58) = -1 EACCES (Permission
denied)
However, the following commands both succeed:
(B) /bin/bash /etc/rc.d/init.d/netfs start
(C) setenforce 0 ; /etc/rc.d/init.d/netfs start
Obviously, (C) proves that SELinux is the culprit. The question is,
under SELinux, why should (B) work while (A) fails? Since the netfs
script has #!/bin/bash as the shebang line, shouldn't (A) and (B) be
equivalent?
My setup is FC4 on a Mac mini with all updates applied:
selinux-policy-targeted-1.27.1-2.16.ppc.rpm
libselinux-1.23.10-2.ppc.rpm
util-linux-2.12p-9.12.ppc.rpm
initscripts-2.6.14-1.1653_FC4.ppc.rpm
kernel-2.6.14-1.1653_FC4.ppc.rpm
(I realize that /etc/rc.d/init.d/rc.sysinit contains the same mount
command as /etc/rc.d/init.d/netfs, but netfs is more convenient to test
than rc.sysinit.)
Derek
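What separates (A) from (B) is which file is exec'd. Running the script directly execs the file labeled initrc_exec_t, and the targeted policy's type_transition for unconfined_t on that type moves the process into initrc_t (the same domain rc.sysinit runs in at boot, which is why the boot-time mount fails the same way); running `/bin/bash script` execs bash, labeled shell_exec_t, for which there is no transition, so the process stays in unconfined_t and the script is just an argument. The mount is then checked against initrc_t rather than unconfined_t, and `setenforce 0` in (C) only stops the denial from being enforced. The model below is an added example, not code from this thread or from the policy; it walks through the checks the kernel applies on exec (execute on the file, transition to the new domain, entrypoint for it), which are also exactly the rules the `domain_auto_trans` line in the "constraining an app in targeted policy" thread generates. The type names are the real ones, the rule sets are a constructed excerpt, and MOUNT_ALLOWED simply encodes the outcome Derek reports (the exact permission initrc_t lacks is not in the thread).

```python
# Constructed, reduced model of how the targeted policy decides the domain of
# a new program image, and of the mount outcome observed in the thread. Type
# names are real; the rule sets are a hand-picked excerpt, not a policy dump.

# allow <domain> <file type>:file execute;
EXECUTE = {
    ("unconfined_t", "shell_exec_t"),
    ("unconfined_t", "initrc_exec_t"),
    ("initrc_t", "shell_exec_t"),
}
# type_transition <domain> <file type>:process <new domain>;
TYPE_TRANSITION = {("unconfined_t", "initrc_exec_t"): "initrc_t"}
# allow <domain> <new domain>:process transition;
PROCESS_TRANSITION = {("unconfined_t", "initrc_t")}
# allow <new domain> <file type>:file entrypoint;
ENTRYPOINT = {("initrc_t", "initrc_exec_t")}
# assumption encoding the observed outcome: only the unconfined domain may do this mount
MOUNT_ALLOWED = {"unconfined_t"}


class Denied(PermissionError):
    pass


def domain_after_exec(caller, file_type):
    """Domain a process ends up in after exec'ing a file of the given type.

    The caller needs execute on the file; if a type_transition names a new
    domain, the caller needs transition to it and the new domain needs
    entrypoint on the file; with no transition rule the process keeps its
    domain. domain_auto_trans() in a .te file emits exactly these rules.
    """
    if (caller, file_type) not in EXECUTE:
        raise Denied("%s may not execute %s" % (caller, file_type))
    new = TYPE_TRANSITION.get((caller, file_type))
    if new is None:
        return caller
    if (caller, new) not in PROCESS_TRANSITION:
        raise Denied("%s may not transition to %s" % (caller, new))
    if (new, file_type) not in ENTRYPOINT:
        raise Denied("%s is not an entry point for %s" % (file_type, new))
    return new


def try_mount(domain, enforcing=True):
    """Outcome of the mount(2) call from the given domain."""
    if domain in MOUNT_ALLOWED:
        return "mounted"
    if enforcing:
        return "EACCES"
    return "mounted (denial logged, permissive mode)"


def run_netfs(how, enforcing=True):
    """Start in unconfined_t (a root shell) and run the netfs script.

    how="direct"   : exec the script itself, the file labeled initrc_exec_t   (A)
    how="via_bash" : exec /bin/bash (shell_exec_t); the script is an argument (B)
    enforcing=False models setenforce 0                                        (C)
    """
    if how == "direct":
        domain = domain_after_exec("unconfined_t", "initrc_exec_t")
    elif how == "via_bash":
        domain = domain_after_exec("unconfined_t", "shell_exec_t")
    else:
        raise ValueError(how)
    return domain, try_mount(domain, enforcing)


if __name__ == "__main__":
    for label, args in (("(A)", ("direct",)), ("(B)", ("via_bash",)), ("(C)", ("direct", False))):
        print(label, run_netfs(*args))
```

On a real system the same question is answered by `ls -Z /etc/rc.d/init.d/netfs` (expect initrc_exec_t) and by the scontext in the AVC record for the failed mount, which identifies the domain the rule has to be written for.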
RE: Problem with VNC and SELinux: FC4
by Dan Thurman
>From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
>Sent: Monday, December 19, 2005 5:33 AM
>To: Daniel B. Thurman
>Cc: For users of Fedora Core releases (E-mail); Fedora SELinux support
>list for users & developers.
>Subject: Re: Problem with VNC and SELinux: FC4
>
>
>On Fri, 2005-12-16 at 18:11 -0800, Daniel B. Thurman wrote:
>> With the new SELinux updates, it appears that root,
>> other than normal users, can log in to Fedora via VNC
>> Server? My VNC Server is set up such that I am using
>> xinetd for VNC Server requests.
>>
>> Another problem I noticed is that when I log into my
>> Fedora system via VNC as root user, and open an xterm
>> window and run a su - <normal-user>, I get back a
>> SELinux message:
>>
>> ================================================
>> # su - dan
>> Your default context is: user_u:system_r:kernel_t.
>>
>> Do you want to want to choose a different one? [n]
>> ================================================
>>
>> It is *possible* that this problem came up when
>> I had to make a copy of my filesystem to another
>> hard-disk for the purpose of creating a /boot
>> partition (my bad) and copied/restored the filesystem
>> back over to the main drive. I don't think I made
>> any copy/restore mistakes as I know the fs permissions
>> are correct but I cannot speak for filesystem journaling
>> or whatever that keeps track of the SELinux attributes.
>>
>> In any case, what can I do to resolve my VNC and/or su
>> issue knowing that SELinux has something to do with it?
>
>/usr/sbin/sestatus -v | grep -v active shows what?
>
[
There are several threads to this issue - so I will be
trying to update these threads to let others know of my
progress.
At this time, my system is running, I am able to login as
non-root user into the gnome console, I am able to create
and delete new users. It appears that SELinux is now working
well, but I have yet to catch up on the manual SELinux disables for
Kerberos and FrontPage, because these were reset to defaults.
So far, so good. Everything appears to look good; however, I am
not certain I have solved all the 'yum update' #prelink#
issues. Please read on for details if you want. I have
provided you with the SELinux status you requested, in case there
are other possible issues with SELinux, since I am no expert
on this subject :-)
]
Please note that it took me several tries using fixfiles to
reset (restore, and relabel) before all of the permission
denied messages stopped being displayed.
Previously, I had done the restore command, but while in SELinux
and single-user mode (SELinux was not disabled), where the
restore had permission denied on perhaps fewer than 200 files
from X11 fonts and other places throughout.
I believe I may have gotten some SELinux attribute recovery
by doing selinux=0 and single-user mode and running fixfiles
and using the -F, such as: /sbin/fixfiles -F -R -a -F relabel
and then reboot. I had thought that running the command would
have executed immediately, but it did not actually take effect until
a reboot - which was odd to me - but perhaps this is normal? The manual
says nothing about this behavior. The fixfiles with the restore
command ran immediately in place - and this was while I was in
single-user mode with SELinux in effect at the time.
When I did a yum update, but before running the above fixfiles relabel
command, I noticed that there were a lot of #prelink# messages where KDE
and GNOME were being updated/installed, and it was basically saying
something like these prelinks (post-installation?) were failing due
to SELinux permission denials (logged in audit.log) on the post-installation
processes. It also could have been bad timing on my part for thinking
that 'yum update' would somehow restore my problems when I had no idea
where to begin.
When I tried to log into the GNOME console as a non-root user,
I did not actually click the checkbox at the time, but doing so
revealed to me that there was a problem executing the file:
/usr/lib/libgnomeui-2.so
Delving into this further, I saw the "#prelink#" files and noted
that the file permissions were 0600! So, I changed the permissions
for this library as:
# chmod 755 /usr/lib/libgnomeui-2.so.0.1000.0.#prelink#.Hotj6j
I have not yet tried to locate all of the other #prelink# files at
this time. But for now, I can log into GNOME as a non-root user!
I am providing the status per your request, in case there may
be other issues that I am not aware of. Thanks for responding
to my issue!
# /usr/sbin/sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 20
Policy from config file: targeted
Policy booleans:
NetworkManager_disable_trans inactive
allow_execmem active
allow_execmod active
allow_execstack active
allow_ftpd_anon_write inactive
allow_gssd_read_tmp active
allow_httpd_anon_write inactive
allow_httpd_sys_script_anon_write inactive
allow_ifconfig_sys_module inactive
allow_kerberos active
allow_postgresql_use_pam inactive
allow_rsync_anon_write inactive
allow_saslauthd_read_shadow inactive
allow_smbd_anon_write inactive
allow_write_xshm inactive
allow_ypbind inactive
apmd_disable_trans inactive
arpwatch_disable_trans inactive
auditd_disable_trans inactive
bluetooth_disable_trans inactive
canna_disable_trans inactive
cardmgr_disable_trans inactive
comsat_disable_trans inactive
cupsd_config_disable_trans inactive
cupsd_disable_trans inactive
cupsd_lpd_disable_trans inactive
cvs_disable_trans inactive
cyrus_disable_trans inactive
dbskkd_disable_trans inactive
dhcpc_disable_trans inactive
dhcpd_disable_trans inactive
dovecot_disable_trans inactive
fingerd_disable_trans inactive
ftp_home_dir active
ftpd_disable_trans inactive
ftpd_is_daemon active
getty_disable_trans inactive
gssd_disable_trans inactive
hald_disable_trans inactive
hotplug_disable_trans inactive
howl_disable_trans inactive
hplip_disable_trans inactive
httpd_builtin_scripting active
httpd_can_network_connect inactive
httpd_disable_trans active
httpd_enable_cgi active
httpd_enable_ftp_server inactive
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_suexec_disable_trans inactive
httpd_tty_comm inactive
httpd_unified active
inetd_child_disable_trans inactive
inetd_disable_trans inactive
innd_disable_trans inactive
kadmind_disable_trans active
klogd_disable_trans inactive
krb5kdc_disable_trans active
ktalkd_disable_trans inactive
lpd_disable_trans inactive
mysqld_disable_trans inactive
named_disable_trans inactive
named_write_master_zones inactive
nfs_export_all_ro active
nfs_export_all_rw active
nfsd_disable_trans inactive
nmbd_disable_trans active
nscd_disable_trans inactive
ntpd_disable_trans inactive
pegasus_disable_trans inactive
portmap_disable_trans inactive
postfix_disable_trans inactive
postgresql_disable_trans inactive
pppd_can_insmod inactive
pppd_disable_trans inactive
pppd_for_user inactive
pptp_disable_trans inactive
privoxy_disable_trans inactive
ptal_disable_trans inactive
radiusd_disable_trans inactive
radvd_disable_trans inactive
read_default_t active
rlogind_disable_trans inactive
rpcd_disable_trans inactive
rsync_disable_trans inactive
samba_enable_home_dirs inactive
saslauthd_disable_trans inactive
secure_mode_insmod inactive
secure_mode_policyload inactive
slapd_disable_trans inactive
smbd_disable_trans active
snmpd_disable_trans inactive
spamd_disable_trans inactive
squid_connect_any inactive
squid_disable_trans inactive
stunnel_disable_trans inactive
stunnel_is_daemon inactive
syslogd_disable_trans inactive
system_dbusd_disable_trans inactive
telnetd_disable_trans inactive
tftpd_disable_trans inactive
udev_disable_trans inactive
use_nfs_home_dirs inactive
use_samba_home_dirs inactive
uucpd_disable_trans inactive
winbind_disable_trans active
ypbind_disable_trans inactive
ypserv_disable_trans inactive
zebra_disable_trans inactive
Process contexts:
Current context: root:system_r:unconfined_t
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:unconfined_t
File contexts:
Controlling term: root:object_r:devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/sbin/mingetty system_u:object_r:getty_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.1/206 - Release Date: 12/16/2005
Problem with VNC and SELinux: FC4
by Dan Thurman
Folks,
With the new SELinux updates, it appears that root,
other than normal users, can log in to Fedora via VNC
Server? My VNC Server is set up such that I am using
xinetd for VNC Server requests.
Another problem I noticed is that when I log into my
Fedora system via VNC as root user, and open an xterm
window and run a su - <normal-user>, I get back a
SELinux message:
================================================
# su - dan
Your default context is: user_u:system_r:kernel_t.
Do you want to want to choose a different one? [n]
================================================
It is *possible* that this problem came up when
I had to make a copy of my filesystem to another
hard-disk for the purpose of creating a /boot
partition (my bad) and copied/restored the filesystem
back over to the main drive. I don't think I made
any copy/restore mistakes as I know the fs permissions
are correct but I cannot speak for filesystem journaling
or whatever that keeps track of the SELinux attributes.
In any case, what can I do to resolve my VNC and/or su
issue knowing that SELinux has something to do with it?
Thanks!
Dan Thurman
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.1/204 - Release Date: 12/15/2005
SELinux in Fedora
by symphony
I'm a beginner in SELinux.
Could somebody point me to a tutorial for installation and configuration?
I'm having difficulties, after enabling it during the installation,
in finding, creating and compiling the policy, because the folder does not
exist.
Thanks
Pierre