Nagios Web Interface and SELinux
by Ryan Skadberg
I have been trying to get nagios up and running on 2 different
machines. One running FC5 and one running FC6. Nagios itself starts
up fine, but the web interface fails miserably.
When looking at /var/log/messages, I see things like:
Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied
{ execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi"
dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
I noticed in the selinux-policy-targeted Changelog:
* Wed Jul 26 2006 Dan Walsh <dwalsh(a)redhat.com> 2.3.3-13
- Add nagios policy
This may have been for the program itself or maybe the web interface,
but it sure doesn't seem to be working for me.
Both systems are set to:
SELINUX=enforcing
SELINUXTYPE=targeted
SETLOCALDEFS=0
Anyone have any advice on how to fix this?
Thanks!
Skadz
16 years, 7 months
Mail problems...
by melaina@libero.it
Hello!
I have just started playing a bit with SELinux in permissive mode on my system. I have qmail with spamassassin installed; the only AVC denied messages I get (after I relabeled the system and fixed domains on a couple of log files) are the following:
Jan 30 20:23:13 drake kernel: audit(1170210193.998:8): avc: denied { read } for pid=11862 comm="sendmail" name="RsmVLSTr" dev=loop0 ino=20 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:httpd_sys_script_rw_t tclass=file
Jan 30 20:23:13 drake kernel: audit(1170210193.998:9): avc: denied { read write } for pid=11862 comm="sendmail" name="jk-runtime-status" dev=hda5 ino=4982749 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:httpd_log_t tclass=file
Jan 30 20:23:14 drake kernel: audit(1170210194.019:10): avc: denied { ioctl } for pid=11863 comm="qmail-scanner-q" name="error_log" dev=hda5 ino=4984894 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:httpd_log_t tclass=file
Jan 30 20:23:14 drake kernel: audit(1170210194.026:11): avc: denied { read } for pid=11863 comm="sperl5.8.5" name="mounts" dev=proc ino=777453584 scontext=user_u:system_r:system_mail_t tcontext=user_u:system_r:system_mail_t tclass=file
Jan 30 20:23:14 drake kernel: audit(1170210194.026:12): avc: denied { getattr } for pid=11863 comm="sperl5.8.5" name="mounts" dev=proc ino=777453584 scontext=user_u:system_r:system_mail_t tcontext=user_u:system_r:system_mail_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.204:13): avc: denied { append } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.204:14): avc: denied { ioctl } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.205:15): avc: denied { getattr } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.206:16): avc: denied { read } for pid=11863 comm="perl5.8.5" name="qmail-scanner-queue-version.txt" dev=hda5 ino=5130273 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.208:17): avc: denied { write } for pid=11863 comm="perl5.8.5" name="tmp" dev=hda5 ino=5195094 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.208:18): avc: denied { add_name } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.208:19): avc: denied { create } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.409:20): avc: denied { create } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.410:21): avc: denied { ioctl } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.410:22): avc: denied { getattr } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.414:23): avc: denied { write } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.418:24): avc: denied { link } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.419:25): avc: denied { remove_name } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.419:26): avc: denied { unlink } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.424:27): avc: denied { read write } for pid=11864 comm="sh" name="tty" dev=tmpfs ino=1804 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:devtty_t tclass=chr_file
Jan 30 20:23:15 drake kernel: audit(1170210195.431:28): avc: denied { read } for pid=11865 comm="sh" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.434:29): avc: denied { write } for pid=11865 comm="reformime" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.434:30): avc: denied { add_name } for pid=11865 comm="reformime" name="1170210195.11865-0.drake.mydomain.com" scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.739:31): avc: denied { read } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.755:32): avc: denied { read } for pid=11863 comm="perl5.8.5" name="tmp" dev=hda5 ino=4980740 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_t tclass=lnk_file
Jan 30 20:23:15 drake kernel: audit(1170210195.795:33): avc: denied { execute } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.796:34): avc: denied { execute_no_trans } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.796:35): avc: denied { read } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.798:36): avc: denied { search } for pid=11867 comm="find" name="selinux" dev=hda5 ino=557257 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.798:37): avc: denied { read } for pid=11867 comm="find" name="config" dev=hda5 ino=557274 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:selinux_config_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.798:38): avc: denied { getattr } for pid=11867 comm="find" name="config" dev=hda5 ino=557274 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:selinux_config_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.860:39): avc: denied { read } for pid=11871 comm="rm" name="qscan" dev=hda5 ino=5130256 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.860:40): avc: denied { remove_name } for pid=11871 comm="rm" name="1170210195.11865-0.drake.mydomain.com" dev=hda5 ino=5408222 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.861:41): avc: denied { rmdir } for pid=11871 comm="rm" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.873:42): avc: denied { sigchld } for pid=1 comm="init" scontext=user_u:system_r:system_mail_t tcontext=user_u:system_r:unconfined_t tclass=process
Any directions to fix this?
Thanks!
17 years, 2 months
Crossover
by Göran Uddeborg
Crossover installs under /opt/cxoffice by default. The rules for
wine-style programs do not seem to cover that hierarchy, and just
trying to run things gives a lot of denied execmods.
I assume just mirroring the settings for regular wine is fine for
Crossover too:
/opt/cxoffice/lib/wine/.+\.so system_u:object_r:textrel_shlib_t:s0
/opt/cxoffice/bin/wine system_u:object_r:wine_exec_t:s0
I changed the files (only directly with chcon) and it appears to work.
At least so far, we have not used this too much yet.
Does this make sense? Do you want a bugzilla about it?
17 years, 2 months
Selinux is ignoring me
by Ronald
My problem can be viewed here:
http://forums.fedoraforum.org/showthread.php?p=734545#post734545
No one answered on the forums. Can someone help me on the mailinglist?
I'm trying to understand the system, so I can hopefully write a manual
(or HOWTO) for the forums.
Can anybody help me with my problem? And some good links will be
appreciated as well. The ones from google give hits that refer to
non-existing files...
17 years, 2 months
PAM problems
by Anne Wilson
From logwatch:
**Unmatched Entries**
userhelper[20994]: PAM [error: /lib/security/lib/security/pam_permit.so:
cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[20994]: PAM [error: /lib/security/lib/security/pam_rootok.so:
cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[20994]: PAM [error: /lib/security/lib/security/pam_stack.so:
cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[20994]: PAM
[error: /lib/security/lib/security/pam_timestamp.so: cannot open shared
object file: No such file or directory]: 1 Time(s)
userhelper[20994]: PAM [error: /lib/security/lib/security/pam_xauth.so:
cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[20994]: PAM adding faulty
module: /lib/security/lib/security/pam_permit.so: 1 Time(s)
userhelper[20994]: PAM adding faulty
module: /lib/security/lib/security/pam_rootok.so: 1 Time(s)
userhelper[20994]: PAM adding faulty
module: /lib/security/lib/security/pam_stack.so: 1 Time(s)
userhelper[20994]: PAM adding faulty
module: /lib/security/lib/security/pam_timestamp.so: 1 Time(s)
userhelper[20994]: PAM adding faulty
module: /lib/security/lib/security/pam_xauth.so: 1 Time(s)
userhelper[20994]: PAM unable to
dlopen(/lib/security/lib/security/pam_permit.so): 1 Time(s)
userhelper[20994]: PAM unable to
dlopen(/lib/security/lib/security/pam_rootok.so): 1 Time(s)
userhelper[20994]: PAM unable to
dlopen(/lib/security/lib/security/pam_stack.so): 1 Time(s)
userhelper[20994]: PAM unable to
dlopen(/lib/security/lib/security/pam_timestamp.so): 1 Time(s)
userhelper[20994]: PAM unable to
dlopen(/lib/security/lib/security/pam_xauth.so): 1 Time(s)
userhelper[21001]: PAM [error: /lib/security/lib/security/pam_permit.so:
cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[21001]: PAM [error: /lib/security/lib/security/pam_rootok.so:
cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[21001]: PAM [error: /lib/security/lib/security/pam_stack.so:
cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[21001]: PAM
[error: /lib/security/lib/security/pam_timestamp.so: cannot open shared
object file: No such file or directory]: 1 Time(s)
userhelper[21001]: PAM [error: /lib/security/lib/security/pam_xauth.so:
cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[21001]: PAM adding faulty
module: /lib/security/lib/security/pam_permit.so: 1 Time(s)
userhelper[21001]: PAM adding faulty
module: /lib/security/lib/security/pam_rootok.so: 1 Time(s)
userhelper[21001]: PAM adding faulty
module: /lib/security/lib/security/pam_stack.so: 1 Time(s)
userhelper[21001]: PAM adding faulty
module: /lib/security/lib/security/pam_timestamp.so: 1 Time(s)
userhelper[21001]: PAM adding faulty
module: /lib/security/lib/security/pam_xauth.so: 1 Time(s)
userhelper[21001]: PAM unable to
dlopen(/lib/security/lib/security/pam_permit.so): 1 Time(s)
userhelper[21001]: PAM unable to
dlopen(/lib/security/lib/security/pam_rootok.so): 1 Time(s)
userhelper[21001]: PAM unable to
dlopen(/lib/security/lib/security/pam_stack.so): 1 Time(s)
userhelper[21001]: PAM unable to
dlopen(/lib/security/lib/security/pam_timestamp.so): 1 Time(s)
userhelper[21001]: PAM unable to
dlopen(/lib/security/lib/security/pam_xauth.so): 1 Time(s)
What's happening?
Anne
17 years, 3 months
SELinux Policy/Flask Classes from scratch
by bx
Hello,
Let me apologize if this is the wrong place to ask this question, but I
figure that those well versed in SELinux can help me. I have been reading a
ton about SELinux and Flask, and I haven't found anything that answered my
question.
I am working on creating a security policy from scratch and followed the
tutorial the IBM published (
http://www-128.ibm.com/developerworks/linux/library/l-selinux.html). After
taking a look at the bare bones policy.conf file it generated, it got me
thinking- I don't need to have something as granular as SELinux allows me
to be. In fact it would simplify things if I could change the granularity.
How would SELinux be affected if I were to remove some of the class
definitions and took anything that referred to those classes out of my
policy? Would SELinux just not enforce anything on those types of objects,
would SELinux completely disallow all use of those objects or would it just
break SELinux?
Thank you for your time and help,
Rebecca
17 years, 3 months
httpd and tcp_connect
by Michael Thomas
I'm receiving the following avc denial from a game package that's under
review[1]:
Jan 21 10:55:49 localhost kernel: audit(1169405749.338:3): avc: denied
{ name_connect } for pid=2661 comm="httpd" dest=19382
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0
tclass=tcp_socket
The package includes a php-based web application and a python daemon
backend. The php webapp communicates with the python daemon through tcp
sockets.
From the avc denial it appears that this communication fails because
httpd is not allowed to establish tcp connections. This seems like a
valid security restriction, except in this case I do want to allow it.
How can I configure the httpd policy to allow tcp connections, but only
to localhost and only on the python daemon's ports (19380-19383)?
--Wart
[1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219972
17 years, 3 months
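A small AVC-denial parser and triage pass, written here as an added example (not code from any of the posts above), that reads the audit lines quoted in the Nagios, qmail and httpd name_connect posts and groups them by source type, target type and object class. The sample records are copied from those posts; the classification labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: four records copied from the AVC lines quoted in the
# posts above (Nagios, qmail, httpd name_connect), one physical line each.
SAMPLE_LOG = """\
Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.208:17): avc: denied { write } for pid=11863 comm="perl5.8.5" name="tmp" dev=hda5 ino=5195094 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.208:18): avc: denied { add_name } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 21 10:55:49 localhost kernel: audit(1169405749.338:3): avc: denied { name_connect } for pid=2661 comm="httpd" dest=19382 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}
NET_CLASSES = {"tcp_socket", "udp_socket", "rawip_socket"}

def parse_avc(line):
    """Return the key=value fields of one AVC record as a dict, plus
    'perms' as a list; None when the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def type_of(context):
    """'user_u:system_r:httpd_t:s0' -> 'httpd_t' (the trailing MLS field is optional)."""
    return context.split(":")[2]

def triage(log_text):
    """Collapse a dump into (source type, target type, class) -> sorted perms.
    A long burst like the qmail post reduces to a handful of such keys, which
    is the unit a policy writer reasons about."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            groups[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}

def classify(key):
    """Rough first cut for a defender reading the grouped denials."""
    _stype, ttype, tclass = key
    if tclass in NET_CLASSES and ttype == "port_t":
        return "network"     # generic port_t: the destination port carries no specific label
    if tclass in FILE_CLASSES:
        return "file-label"  # first check whether the object's label is what the policy expects (matchpathcon)
    return "other"
```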
script executables
by Michael Thomas
I'm working on selinux protection for a python script daemon that is
started inside of an init.d script. Inside the init.d script the python
daemon is invoked as:
python myscript.py --daemon --pid=... --log=...
I'd like to have this process run under its own domain. The worst thing
I could do is to relabel python with that domain, but that would just be
really bad and sloppy, and not really an option.
Another option that I've gotten to work is to use a wrapper shell script
to invoke the python commands. The init.d script invokes the wrapper
script, which is labeled with the desired domain.
But I was wondering if there was another way to get myscript.py to run
under a specific domain without using an application-specific wrapper.
Something like 'sedomainexec myappd_t python myscript.py --daemon ...'
Is the wrapper script my only option?
--Wart
17 years, 3 months
ANN: SELinux Policy IDE (SLIDE)
by David Sugar
Version 1.0 of the SELinux Policy IDE (SLIDE) from Tresys is now
available for download from the Tresys Open Source website at
http://oss.tresys.com.
SLIDE is an Eclipse plug-in that integrates with the SELinux Reference
Policy to provide a development environment for building SELinux policy.
SLIDE features:
* A graphical user interface for policy development, including policy
syntax highlighting, context suggestions, and integrated compilation.
* Integration with SELinux Reference Policy, including quick lookup and
documentation for interfaces.
* Wizards and easy to use templates to automate common tasks from
creating a new SELinux policy to adding an interface into an existing
module.
* Integrated remote policy installation and audit log monitoring, to
facilitate policy testing.
* Seamless integration with the power of standard Eclipse.
Version 1.0 highlights:
* Integration of online help into the SLIDE plugin.
* Display of distinct icon for disabled modules.
* Improved documentation on the open source web site.
If you would like to contribute, currently the best help would be to
test and provide feedback on the SLIDE plugin and SLIDE Remote.
17 years, 3 months
chcat problem
by pandalists@free.fr
Hi,
I am currently trying to teach myself SELinux on a Fedora FC6 box (VMware),
configured with the strict policy running in permissive mode.
I followed the instructions provided on
http://james-morris.livejournal.com/8228.html to play with MCS functions, but I
get an error when I try to assign a category "Public" to an unprivileged user
"foo" with the chcat command (as root, with sysadm role)
-----------------------------------------------
# chcat -l -- +Public foo
libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user foo exceeds allowed range s0 for SELinux user user_u
libsemanage.validate_handler: seuser mapping [foo -> (user_u, s0-s0:c0)] is invalid
libsemanage.dbase_llist_iterate: could not iterate over records
-----------------------------------------------
Other techniques to achieve the same result (e.g. trying to assign this category
with semanage) lead to the same error.
-----------------------------------------------
# semanage login -l
__default__ user_u s0
foo user_u s0
root root SystemLow-SystemHigh
system_u system_u SystemLow-SystemHigh
# semanage user -l
root sysadm s0 SystemLow-SystemHigh system_r sysadm_r staff_r
staff_u staff s0 SystemLow-SystemHigh sysadm_r staff_r
sysadm_u sysadm s0 SystemLow-SystemHigh sysadm_r
system_u user s0 SystemLow-SystemHigh system_r
user_u user s0 s0 user_r
-----------------------------------------------
My setrans.conf file contains:
s0:c0=Public
s0:c1=Confidential
s0:c2=Secret
s0:c3=TopSecret
Any idea?
Apart from that, setting a category on a non-existing file leads to a
segmentation fault:
# chcat -- +Public doesnotexist.txt
Segmentation fault
Thanks for your help,
Ben
17 years, 3 months
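The check libsemanage is applying in the chcat post above, reimplemented as an added example (not the poster's code and not libsemanage's): a login's MLS range must lie within the range of the SELinux user it maps to, so `+Public` (s0:c0) on a login mapped to `user_u` (range s0) is rejected. The Public..TopSecret translations are the poster's setrans.conf entries; SystemLow/SystemHigh as s0 and s0:c0.c1023 is assumed from the stock mcstrans convention.

```python
# Translations assumed for this example: the first four entries are the
# poster's setrans.conf; SystemLow/SystemHigh follow the stock mcstrans
# convention (s0 and s0:c0.c1023) and are an assumption here.
TRANSLATIONS = {
    "Public": "s0:c0", "Confidential": "s0:c1",
    "Secret": "s0:c2", "TopSecret": "s0:c3",
    "SystemLow": "s0", "SystemHigh": "s0:c0.c1023",
}

def untranslate(rng):
    """Map a human-readable range ('SystemLow-SystemHigh') back to raw levels."""
    return "-".join(TRANSLATIONS.get(part, part) for part in rng.split("-"))

def parse_level(level):
    """'s0:c0,c2.c4' -> (0, {0, 2, 3, 4}); a level without categories -> (s, empty set)."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")       # 'c2.c4' is the inclusive range c2..c4
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(categories)

def parse_range(rng):
    """'s0-s0:c0' -> (low_level, high_level); a bare level is a range of one."""
    low, _, high = untranslate(rng).partition("-")
    lo = parse_level(low)
    return lo, parse_level(high) if high else lo

def dominates(a, b):
    """Level a dominates level b when its sensitivity is not lower and its
    category set is a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def range_within(inner, outer):
    """inner fits in outer when outer.low <= inner.low and inner.high <= outer.high."""
    (ilo, ihi), (olo, ohi) = inner, outer
    return dominates(ilo, olo) and dominates(ohi, ihi)

def validate_logins(logins, seusers):
    """logins: {unix_user: (seuser, range)} as listed by `semanage login -l`;
    seusers: {seuser: range} as listed by `semanage user -l`.
    Returns one error string per mapping whose range escapes its SELinux user."""
    errors = []
    for unix_user, (seuser, rng) in logins.items():
        if not range_within(parse_range(rng), parse_range(seusers[seuser])):
            errors.append(f"MLS range {rng} for Unix user {unix_user} "
                          f"exceeds allowed range {seusers[seuser]} for SELinux user {seuser}")
    return errors

# Constructed from the `semanage user -l` output in the post: only the range column.
SEUSERS = {"root": "SystemLow-SystemHigh", "staff_u": "SystemLow-SystemHigh",
           "sysadm_u": "SystemLow-SystemHigh", "system_u": "SystemLow-SystemHigh",
           "user_u": "s0"}

def check_chcat_public_on_foo():
    """What `chcat -l -- +Public foo` asks for: foo's range becomes s0-s0:c0."""
    return validate_logins({"foo": ("user_u", "s0-s0:c0")}, SEUSERS)
```

The same mapping would pass if foo were mapped to a SELinux user whose range includes c0 (root, staff_u and the other SystemLow-SystemHigh users in the post), which is the constraint the libsemanage message is reporting.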