Re: SE Linux preventing mounting an iso on FC5 through nfs
by Matthew Shapiro
>>> Stephen Smalley <sds(a)tycho.nsa.gov> 01/11/07 3:07 PM >>>
>audit2allow -M local < /var/log/messages
>semodule -i local.pp
Wow that makes life simple. Thanks a lot!
>Did you look at the Fedora SELinux FAQ and wiki pages?
>http://fedora.redhat.com/docs/selinux-faq-fc5/
>http://fedoraproject.org/wiki/SELinux/
Actually I did not know about these (the HOWTOs I found were a policy
HOWTO and a general (focused on Debian) SELinux introduction). These
look like great resources though.
> Are you actually using strict policy? It isn't the default in Fedora.
Ah that explains it. I actually got confused with the versions
(installed the strict src from fc3 by accident, targeted wouldn't
install) and that explains why my last attempt didn't work. I
confirmed and it is set up to use targeted. Though the loadable modules
that I now know about make doing this much easier anyways.
>nfs_t is a file type, not a process domain, and you want to allow
>mount_t to read nfs_t:file, not transition into it.
Gotcha. From the documentation I read it made it seem like the _t
denoted a domain. Guess I have some more reading to do to fully
understand everything that is going on.
Thanks for your help and quick response! It's now working, and I'm
going to do some more research to learn more about SE Linux now that I'm
not fighting with it :)
--Matthew Shapiro
17 years, 3 months
SE Linux preventing mounting an iso on FC5 through nfs
by Matthew Shapiro
Hey all, an SE Linux newbie here. I am trying to learn SE Linux to fix
this one issue we are having on our servers and I was hoping someone
here might be able to give me some insight into the problem and tell me
if I am following the correct line of thinking or not.
We have FC5 systems with an automount point that mounts a directory on
our main server for the cluster. Inside this mountpoint are some
directories, which contain a list of rpms. Each of these rpms is really
just a symlink to another automount point that automounts a certain
Fedora Core iso image which really contains the real rpm. This makes it
really easy to install the rpms without having to scour all four FC5 cds
manually.
The problem is that SE Linux doesn't seem to want us to mount the iso
image automatically from nfs. When I directly use the mount command on
the iso it mounts perfectly fine, but when I try to have the automounter
mount it, it fails with the following error in /var/log/messages:
avc: denied { read } for pid=1709 comm="mount"
name="FC3-i386-disc1.iso" dev=0:17 no=1188825
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file
After reading various SE Linux HOWTO's and pieces of documentation what
it looks like to me (a SE Linux newbie) is that the mount_t domain does
not have access to read files under the nfs_t domain security context.
So after various reading I thought all I would have to do is create a
domain transition from the mount_t domain to the nfs_t domain. I
created the file /etc/selinux/strict/src/policy/domains/misc/mmae.te and
added the following line:
domain_auto_trans(mount_t, mount_exec_t, nfs_t)
Unfortunately, when I did a make load I got the following two errors
assertion on line 226661 violated by allow nfs_t mount_t:process { sigchld };
assertion on line 226508 violated by allow mount_t nfs_t:process { transition };
Line 226661 of policy.conf contains
neverallow ~{ domain unlabeled_t } *:process *;
and line 226508 of policy.conf contains
neverallow domain ~domain:process transition;
Unfortunately, with my limited knowledge in SE Linux I am unsure of what
is wrong with my statement, why it violates those two rules, what those
two rules really mean and even if I am following the correct path. I
also tried to switch mount_t and nfs_t in the domain_auto_trans function
which resulted in the same assertions.
Finally, I decided to take a stab in the dark and try a different
approach without dealing with domains. The only information I could
deduce from those previous error messages was that one of those was not
an actual domain. After looking at various entries in the policy.conf I
commented out the domain transition and instead put in:
allow mount_t nfs_t:file { read };
thinking that this would allow processes in the mount_t security context
to read files in the nfs_t context. I then ran make load, which didn't
give any hassle, looked in the policy.conf to make sure it was listed in
there (which it was), and tried again. It still gave the original
error.
After reading various threads on mailing lists (found through google) I
decided to try giving the main directory a different security context so
it wasn't in the nfs_t domain. So I edited the /etc/auto.misc entry for
the original mountpoint to include context=system_u:object_r:tmp_t,
which failed with the message:
SELinux: security_context_to_sid(system_u:object_r/tmp_t) failed for
(dev 0:17, type nfs) errno=-22
which I am guessing means it doesn't have access to change security
contexts.
I am really stumped as to how to proceed from here. If anyone could
give me any advice I would really appreciate it.
Thanks
--Matthew Shapiro
17 years, 3 months
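The fix Stephen Smalley's reply recommends (audit2allow -M local, then semodule -i local.pp) turns AVC denials like the ones quoted in this thread, in Kirk Lowery's "Post FC6 upgrade" post and in Chuck Anderson's cricket post into a loadable module. As an added example that is neither audit2allow itself nor code from anyone in these threads, here is a minimal Python re-implementation of that step: it parses both AVC formats on this page, groups denied permissions by source type, target type and class, and renders a .te module in which nfs_t appears as a file type in the require block and the rule is a plain allow, not a transition. The sample AVC lines are constructed from the ones quoted, each joined onto a single line.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC lines modelled on the ones quoted in these
# threads (FC5 kernel-log form, FC6 audit.log form), each joined onto one line.
SAMPLE_AVCS = """\
avc: denied { read } for pid=1709 comm="mount" name="FC3-i386-disc1.iso" dev=0:17 ino=1188825 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
audit(1167922464.088:15): avc: denied { setuid } for pid=2154 comm="mount" capability=7 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
audit(1167922464.089:16): avc: denied { setgid } for pid=2154 comm="mount" capability=6 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
type=AVC msg=audit(1168459205.932:49631): avc: denied { read } for pid=5499 comm="grapher.cgi" name="cricket" dev=dm-4 ino=5242884 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
"""

# One regex covers both formats: whatever precedes "avc: denied" is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Type is the third field of user:role:type[:level]; any MLS/MCS suffix is dropped."""
    return context.split(":")[2]


def parse_avcs(text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules


def render_module(name, rules):
    """Render a loadable-module .te: require block, then one allow per key.
    A rule whose source and target type match (mount_t capability) uses 'self'."""
    per_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        per_class[cls].update(perms)
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(per_class.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Same job as: audit2allow -M local < /var/log/messages (then semodule -i local.pp)
    print(render_module("local", parse_avcs(SAMPLE_AVCS)), end="")
```

The emitted .te is what checkmodule and semodule_package consume; the mount_t rule it produces is the allow the original post wrote by hand, minus the transition attempt that tripped the neverallow assertions.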
Problem with label on /
by Adam Huffman
Rather unwisely I followed through some advice from setroubleshootd on
a new FC6 test system without thinking through the implications.
It advised me to run:
chcon -R -t xen_image_t /
because xend was having some trouble with virtual disk files.
This had some interesting consequences, most of which I have been able
to fix via relabelling.
However, there are still errors being reported for various daemons. E.g.
SELinux is preventing /usr/sbin/cupsd (cupsd_t) "search" access to /
(xen_image_t).
Is there any way of fixing this?
Adam
17 years, 3 months
cricket grapher.cgi
by Chuck Anderson
I'm trying to get cricket (cricket.sf.net) to work on FC6 with SELinux
targeted enforcing. I get the following AVC when trying to view the
grapher.cgi from my web browser:
type=AVC msg=audit(1168459205.932:49631): avc: denied { read } for
pid=5499 comm="grapher.cgi" name="cricket" dev=dm-4 ino=5242884
scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1168459205.932:49631): arch=40000003
syscall=195 success=no exit=-13 a0=8e10010 a1=bff4190c a2=42378ff4
a3=8e10010 items=0 ppid=5314 pid=5499 auid=10002 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="grapher.cgi" exe="/usr/bin/perl"
subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
The ino number in the AVC is /var/cricket/cricket.
The application is installed in /var/cricket (from the legacy install)
but if necessary I can move bits and pieces around to accommodate
SELinux standards. I relabeled the entire /var/cricket tree to
httpd_script_exec_t.
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t bin/
lrwxrwxrwx root root user_u:object_r:httpd_sys_script_exec_t cricket -> cricket-1.0.5/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-1.0.5/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config-attic/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-data/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-logs/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t public_html/
Here is my relevant Apache config:
AddHandler cgi-script .cgi
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin root@localhost
DocumentRoot /var/cricket/public_html
ServerName server.host.name
ErrorLog /var/log/httpd/cricket/error_log
CustomLog /var/log/httpd/cricket/access_log common
</VirtualHost>
<Directory "/var/cricket/public_html">
AllowOverride Options FileInfo AuthConfig Limit
Order allow,deny
Allow from all
</Directory>
Has anyone had success running cricket with SELinux?
Thanks.
17 years, 3 months
SELinux Symposium: Head of IBM Linux Development to be Keynote Speaker
by Frank Mayer
All, FYI we just announced Dan Frye, head of Linux development at
IBM, as a keynote speaker at this year's SELinux Symposium. I expect a
second keynote speaker to be announced later this month. Hope to see you
all there. Frank
-=-=-=-=-=-=-=-=-=-=-=-
FOR IMMEDIATE RELEASE
CONTACT: info(a)selinux-symposium.org
Head of IBM Linux Development to be Keynote Speaker at
Third Security Enhanced Linux Symposium
Baltimore, Maryland, January 10, 2007: Daniel Frye, Vice President, IBM
Open Systems Development, will be a keynote speaker for the third annual
Security Enhanced Linux (SELinux) Symposium (www.selinux-symposium.org),
scheduled for March 12-16, 2007 in Baltimore, Maryland.
Dr. Frye is the head of IBM's UNIX development team, principally
responsible for Linux and AIX development. He is additionally
responsible for overseeing IBM's Linux technical strategy, IBM's
participation in the open source Linux development community, and the
IBM Linux Technology Center (LTC). The goal of Dr. Frye's Linux
organization is to help the global open source community make Linux
better, to ensure Enterprise-level Linux support for IBM's hardware,
software, and services brands, and to help expand the reach of Linux
into new markets.
Dr. Frye will present a keynote address entitled "Open and Secure: Linux
Today and Tomorrow." In this address, Dr. Frye will discuss the impact
of SELinux on Linux, and how open software helps in the proliferation of
new security technology.
About the SELinux Symposium
The Security Enhanced Linux (SELinux) Symposium is an annual exchange of
ideas, technology, and research involving SELinux. SELinux is emerging
technology that adds flexible, strong mandatory access control security
to Linux. The third annual symposium is scheduled for March 12-16, 2007
in Baltimore, Maryland, USA. This year's symposium is sponsored by
Hewlett-Packard, IBM, Red Hat, and Tresys Technology. The event brings
together experts from business, government, and academia to share
research, development, and application experiences using SELinux. For
information on registration and sponsorship opportunities, see
www.selinux-symposium.org.
17 years, 3 months
[ANN] Madison policy generation tools
by Karl MacMillan
The first public release of the Madison SELinux policy generation tools
can be found at http://et.redhat.com/madison/. Madison is a new project
to create command line and GUI policy generation tools that:
* Create more readable and secure policy by leveraging the reference
policy development environment.
* Provide administrators with guidance and information to help them
make good security decisions.
This release focuses on the creation of a foundation library (in
python). It only includes a single tool - audit2policy - that is a drop-in
replacement for audit2allow with better reference policy interface
call generation (using the undocumented -R audit2allow flag).
Contributions are very welcome. I'm looking for help with:
* Testing (particularly interface call generation and module
generation)
* Documentation
* Unit test creation
* Code / tool development
See the website for more details on contributing.
To the authors of other policy generation tools: I would like to avoid
duplication of effort where possible. The current release focuses on
areas that other tools have not explored thoroughly. Moving forward I
would like to discuss how we can best work together.
Please send any feedback to the selinux development list.
Thanks - Karl
17 years, 3 months
policy build failure
by Michael Thomas
I just tried rebuilding the policy files for a package that I am working
on (cyphesis), and started getting this syntax error in Rawhide:
% make NAME=strict -f /usr/share/selinux/devel/Makefile
cat: /selinux/mls: No such file or directory
Compiling strict cyphesis module
tmp/all_interfaces.conf:7820:ERROR 'syntax error' at token 'allow' on
line 3871:
allow staff_evolution_alarm_t staff_t:fifo_file { getattr write };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from tmp/cyphesis.tmp
This was done using the latest:
checkpolicy 1.33.1-2.fc7
selinux-policy 2.4.6-21.fc7
selinux-policy-devel 2.4.6-21.fc7
policycoreutils 1.33.6-9.fc7
Any ideas on how to work around this?
--Wart
17 years, 3 months
Re: oracle and selinux
by bastard operater
>From: Steve Grubb <sgrubb(a)redhat.com>
>
>On Saturday 06 January 2007 18:43, Adam Turk wrote:
> > I guess I will try the install with selinux enabled and see what
>happens.
>
>Yes and please tell us if you get any AVCs.
I asked for the update because there was some talk back on April 13, 2004
about Russell Coker working on a selinux policy for oracle.
The install is scheduled for the end of the month. I will put selinux in
enforcing mode and let the list know what happens.
Thanks,
17 years, 4 months
Post FC6 upgrade SELinux problem
by Kirk Lowery
After upgrading from FC5 to FC6, my first clue was that X-Windows
wouldn't come up because it could not find the 'fixed' font. This
meant the xfs server wasn't working. Sure enough, dmesg showed:
audit(1167922474.426:78): avc: denied { read } for pid=2399
comm="xfs" name="fonts.dir" dev=hda5 ino=3260727
scontext=system_u:system_r:xfs_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
Looking through dmesg, I discovered many other "avc: denied" messages:
audit(1167922423.998:4): avc: denied { audit_write } for pid=376
comm="hwclock" capability=29 scontext=system_u:system_r:hwclock_t:s0
tcontext=system_u:system_r:hwclock_t:s0 tclass=capability
audit(1167922427.986:5): avc: denied { getattr } for pid=1369
comm="pam_console_app" name="adsp1" dev=tmpfs ino=5904
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1167922462.739:7): avc: denied { search } for pid=2083
comm="auditd" name="bin" dev=hda5 ino=1042531
scontext=system_u:system_r:auditd_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=dir
audit(1167922463.659:12): avc: denied { write } for pid=2132
comm="dbus-daemon" name=".setrans-unix" dev=hda5 ino=423906
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
audit(1167922464.088:15): avc: denied { setuid } for pid=2154
comm="mount" capability=7 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:mount_t:s0 tclass=capability
audit(1167922464.089:16): avc: denied { setgid } for pid=2154
comm="mount" capability=6 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:mount_t:s0 tclass=capability
audit(1167922464.531:23): avc: denied { search } for pid=2193
comm="automount" name="1" dev=proc ino=65538
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1167922470.796:75): avc: denied { search } for pid=2249
comm="ntpd" name="net" dev=proc ino=-268435432
scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1167922474.229:76): avc: denied { write } for pid=2396
comm="restorecon" name=".setrans-unix" dev=hda5 ino=423906
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
audit(1167922474.426:78): avc: denied { read } for pid=2399
comm="xfs" name="fonts.dir" dev=hda5 ino=3260727
scontext=system_u:system_r:xfs_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
....and many, many more. Clearly, my SELinux policies were seriously
broken during the upgrade. So, how to recover? If I could get
X-Windows up, would the new SELinux GUI be the way to go? Do I need to
reinstall an SELinux package(s)? If so, which one(s)?
Suggestions, pointers much appreciated!
TIA,
Kirk
17 years, 4 months
Process for creating Fedora selinux-policy packages
by Rich Fearn
Hello,
Due to an SELinux bug I reported in August, I've been trying to
understand the selinux-policy packages to see how they're built. I
understand the principle of taking the upstream refpolicy, modifying it
and building the Fedora-specific packages. However, I'm struggling to
see where the refpolicy is coming from.
For example, as I write this, the latest FC6 selinux-policy package
pushed to the repositories is 2.4.6-1. According to the "sources" file
in CVS, this package is built using serefpolicy-2.4.6.tgz. If I get
serefpolicy-2.4.6.tgz from the lookaside repository then the VERSION
file in it says 20061018. However, the contents of serefpolicy-2.4.6.tgz
differ a great deal from the "official" 20061018 version of the
reference policy from Tresys.
I could understand it if the Fedora selinux-policy packages were
directly based on the 20061018 version of the refpolicy from Tresys, but
there seems to be an intermediate stage of development that produces the
serefpolicy-2.x.x.tgz files in the lookaside repository.
My question is: is there a CVS repository somewhere for a "Fedora
reference policy", that is used to build all these serefpolicy files?
Thanks
Richard Fearn
17 years, 4 months