Re: Strict policy on FC6 and F7
by Louis Lam
Hi,
I'm trying to enable the strict policy on fc7 and need to do this too. But I got this error when I tried to compile the module:
[root@localhost local_module_for_login]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:10:ERROR 'unknown class capability used in rule' at token ';' on line 80642:
#line 10
allow local_login_t self:capability audit_write;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
Thanks & Rgds,
Louis
----- Original Message ----
From: shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp>
To: Hal <hal_bg(a)yahoo.com>; fedora-selinux-list(a)redhat.com
Sent: Tuesday, August 7, 2007 5:27:16 PM
Subject: Re: Strict policy on FC6 and F7
On 2007-08-07 (Tue) at 09:48 -0700, Hal wrote:
> Hallo
>
> After a problem with the strict policy in FC6: firefox does not start under
> strict policy. No messages at all. I decided to check if firefox under strict
> policy on F7 works.
> I have installed F7 and enabled strict policy. But from now on I can no longer
> log in when enforcing is on. When I enter username and password I get
> permission denied even for root in GDM. In console I just get a new "username"
> prompt.
>
> I do not understand why firefox does not start in fc6 and
> I cannot log in on F7 under strict policy?
>
> What might be wrong?
Because now you're in enforcing mode, please disable SELinux and log in.
Install devel policy.
#yum install selinux-policy-devel
Please install this module.
#vim local.te
# policy_module() expands to the module statement plus a require block for
# every kernel class and permission, which the logging_* interfaces below
# need (the capability and netlink_audit_socket classes, among others).
# A bare "module local 1.0;" with a hand-written require block must list
# them all, and a missing class gives "unknown class capability used in
# rule" at build time.
policy_module(local, 1.0)

require {
	type local_login_t;
}

logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
#make -f /usr/share/selinux/devel/Makefile local.pp
#semodule -i local.pp
#semodule -l|grep local
Set SELinux enforcing.
Did it work?
> Hal
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
java error after installing reference policy
by Elihu Smails
I followed the instructions for installing the latest reference policy:
http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy
After rebooting, I get the following command when I run SLIDE:
Java HotSpot(TM) Client VM warning: Attempt to allocate stack guard pages
failed.
Error occurred during initialization of VM
Could not reserve enough space for code cache
I then tried just running "java -version", and I get the same error message.
I am running Sun's JDK version 1.6 update 2.
--
..Cheers
Mark
SLIDE error
by Elihu Smails
I have installed the latest version of SLIDE, and downloaded the latest
reference policy (20070629). I open up eclipse and create a new policy
module project. I then point Eclipse to the location where I unpacked the
reference policy (refpolicy-20070629.tar.bz2 ). I then get the following
error:
Rules.modular:152: *** No enabled modules! modules.conf may need to be
generated by using "make conf". Stop.
Can anyone please tell me where I am going wrong?
Thanks.
--
..Cheers
Mark
Problem with domain transition on a nfs_t mount
by David-Alexandre Davidson
On Fedora 7, latest SELinux strict policy.
I have written an SELinux module which goes through a domain transition
when executing a file on an NFS mount (labeled nfs_t).
However, the transition never occurs, and I get a denied
execute_no_trans on nfs_t files.
In order to find the source of the problem I have taken a file with the
exact same context outside of the nfs mount, and the transition works fine.
Here is the related part of my module:
domain_auto_trans(custom_trans_t,nfs_t,i_custom_t);
allow custom_trans_t nfs_t:file rx_file_perms;
allow custom_trans_t nfs_t:dir r_dir_perms;
Here are the details on the nfs share:
file executed:
-rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t
/home/usera/var/bin/testphp.app
result:
type=AVC msg=audit(1186108700.494:230294): avc: denied {
execute_no_trans } for pid=5969 comm="custom-app" name="testphp.app"
dev=0:18 ino=269058250 scontext=system_u:system_r:custom_trans_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file
Running the same program and executing an identical file outside the nfs
share: (I labelled manually to match)
file executed:
-rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t
/testphp.app
result:
transition is made to context i_custom_t , nothing is audited
Any idea what can cause this difference? I don't believe this behavior
is normal. By the way, if I allow execute_no_trans on nfs_t, the
file gets executed just fine but without the expected transition...
Any help would be much appreciated!
--------------------------------------
David-Alexandre Davidson
IHQ Inc.
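One cause that produces exactly this picture (same label, transition fires off the share but not on it) is the share being mounted nosuid: the kernel does not apply the domain transition for an exec from a nosuid mount, so the exec is checked as execute_no_trans instead. The following is an added example, not code from the thread, that looks up a path's mount and reports that option; its mount table is constructed, and the server name and mount options in it are assumed.

```python
# Added example (not from the thread): find the mount that holds a file and report
# whether it is mounted nosuid. On such mounts the kernel keeps the caller's domain
# instead of applying the type_transition, and then checks execute_no_trans, which
# matches the AVC above. The mount table below is constructed; only the path and the
# nfs type come from the post, the server and options are assumed.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,data=ordered 0 0
nfsserver:/export/home /home/usera nfs rw,nosuid,nodev,addr=192.0.2.10 0 0
"""

def parse_mounts(table):
    """Parse a /proc/self/mounts-style table into (mountpoint, fstype, {options})."""
    mounts = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _dev, mountpoint, fstype, options = fields[:4]
        mounts.append((mountpoint, fstype, set(options.split(','))))
    return mounts

def mount_for(path, mounts):
    """Deepest mount whose mountpoint is a prefix of path; on equal depth the later
    entry wins, as a mount stacked on top of another does."""
    best = None
    for mountpoint, fstype, options in mounts:
        prefix = mountpoint.rstrip('/') + '/'
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) >= len(best[0]):
                best = (mountpoint, fstype, options)
    return best

def transition_blocked_by_nosuid(path, table=None):
    """True if path lives on a nosuid mount (domain transitions are skipped there).
    Reads the live /proc/self/mounts when no table is given."""
    if table is None:
        with open('/proc/self/mounts') as f:
            table = f.read()
    found = mount_for(path, parse_mounts(table))
    return found is not None and 'nosuid' in found[2]

if __name__ == '__main__':
    for p in ('/home/usera/var/bin/testphp.app', '/testphp.app'):
        print(p, mount_for(p, parse_mounts(SAMPLE_MOUNTS)),
              'nosuid' if transition_blocked_by_nosuid(p, SAMPLE_MOUNTS) else 'suid ok')
```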
thanks!
by Peter Harmsen
I would like to thank the devs for including a policy for firefox & co P:
--
I have made this letter longer than usual, because I lack the time to
make it short.
MLS/MCS disabled in building a policy module
by KaiGai Kohei
When I built a policy module with the latest selinux-policy-devel (3.0.5-1),
the Makefile didn't enable the MLS/MCS switch.
We had to add the "TYPE=mcs" option to avoid the problem.
----------------
[kaigai@masu policy]$ make NAME=targted -f /usr/share/selinux/devel/Makefile
Compiling targted sepostgresql module
/usr/bin/checkmodule: loading policy configuration from tmp/sepostgresql.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/sepostgresql.mod
Creating targted sepostgresql.pp policy package
rm tmp/sepostgresql.mod.fc tmp/sepostgresql.mod
[kaigai@masu policy]$ su
Password:
[root@masu policy]# /usr/sbin/semodule -i sepostgresql.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
[root@masu policy]#
----------------
I found the following differences between 3.0.4-1 and 3.0.5-1.
----------------
# enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifeq "$(TYPE)" "mls"
M4PARAM += -D enable_mls
CHECKPOLICY += -M
CHECKMODULE += -M
endif
# enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
+ifeq "$(TYPE)" "mcs"
M4PARAM += -D enable_mcs
CHECKPOLICY += -M
CHECKMODULE += -M
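Review bot: the new exact comparison `ifeq "$(TYPE)" "mls"` (and likewise `ifeq "$(TYPE)" "mcs"`) can never match when TYPE is composed as "$(NAME)$(MCSFLAG)", e.g. "targeted-mcs", so both blocks are skipped, `-M` never reaches CHECKMODULE or CHECKPOLICY, and the module is built non-MLS, which is exactly the "Tried to link in a non-MLS module with an MLS base" failure in the semodule run above. Either restore the `findstring -mls` / `findstring -mcs` tests or compare `$(MCSFLAG)` on its own; note that the old suffix test also tolerated the mistyped NAME=targted in the make command above, because the MCS decision never depended on the name part.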
----------------
Because $(TYPE) is set as "$(NAME)${MCSFLAG}" in /usr/share/selinux/devel/Makefile,
the above blocks are skipped, and so MLS/MCS is disabled.
I think the above changes should be reverted.
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
only allow 1 port for listening
by Elihu Smails
I am new to writing policies and have been reading the reference policy
files. I wrote a simple TCP server that listens on a port for connections.
I would like to write a policy that will only allow my program to bind to a
specific port (9999). I looked at the reference policy and see that the
ports that programs are allowed to use are in
policy/modules/kernel/corenetwork.te. My question is, can I specify the
port in my program's type enforcement file so that I can make a module
instead of listing this in the kernel policy? If so, what would the syntax
be?
Thanks in advance.
--
..Cheers
Mark
Can't run OpenVPN from /etc/init.d/openvpn
by Michal Ludvig
Hi all,
I have a fresh install of RHEL5 (x86) with OpenVPN 2.0.9 and its
dependent liblzo2 2.02 from RPMforge.net.
With SELinux disabled everything works nicely. However, with SELinux
enabled in enforcing targeted mode I can't run OpenVPN via
/etc/init.d/openvpn:
~# /etc/init.d/openvpn start
Starting openvpn: /usr/sbin/openvpn: error while loading shared
libraries: liblzo2.so.2: cannot enable executable stack as shared object
requires: Permission denied
[FAILED]
At that time two new records appear in /var/log/audit/audit.log:
type=AVC msg=audit(1186574630.135:162): avc: denied { execstack } for
pid=18563 comm="openvpn" scontext=root:system_r:openvpn_t:s0
tcontext=root:system_r:openvpn_t:s0 tclass=process
type=SYSCALL msg=audit(1186574630.135:162): arch=40000003 syscall=125
success=no exit=-13 a0=bfb66000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=18553 pid=18563 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts2 comm="openvpn" exe="/usr/sbin/openvpn"
subj=root:system_r:openvpn_t:s0 key=(null)
When I pass them to audit2allow I get:
allow openvpn_t self:process execstack;
So I did "audit2allow -M local && semodule -i local.pp" to enable it,
but still no luck. "/etc/init.d/openvpn start" still fails with the
above error about being unable to load liblzo2.so.2.
~# ls -Z /etc/init.d/openvpn /usr/sbin/openvpn /usr/lib/liblzo2.so.2*
system_u:object_r:initrc_exec_t /etc/init.d/openvpn
system_u:object_r:openvpn_exec_t /usr/sbin/openvpn
system_u:object_r:lib_t /usr/lib/liblzo2.so.2.0.0
system_u:object_r:lib_t /usr/lib/liblzo2.so.2 -> liblzo2.so.2.0.0
The interesting thing is that when I manually run /usr/sbin/openvpn it works
fine:
~# /usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/vpn.conf
Thu Aug 9 00:25:24 2007 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO]
[EPOLL] built on Mar 8 2007
[...]
Thu Aug 9 00:25:25 2007 TCPv4_CLIENT link local: [undef]
Thu Aug 9 00:25:25 2007 TCPv4_CLIENT link remote: xxx.xxx.xxx.xxx
Thu Aug 9 00:25:28 2007 Peer Connection Initiated with xxx.xxx.xxx.xxx
What should I do to make it work from /etc/init.d on system boot as well?
Thanks!
Michal
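The loader message names the actual trigger: liblzo2.so.2 is marked (a PT_GNU_STACK program header with the X flag) as needing an executable stack, and ld.so asks the kernel for one when mapping it, which is the execstack the AVC records. The added example below (not from the post) reads that flag straight from an ELF image, so the offending library can be identified and the flag cleared on it (execstack -c) rather than granting openvpn_t execstack; the ELF images it is tested with are constructed stubs.

```python
import struct

# Added example (not from the thread): decide from a shared object's program headers
# whether it demands an executable stack, which is what the loader's "cannot enable
# executable stack as shared object requires" message refers to.
PT_GNU_STACK = 0x6474E551   # program header carrying the stack permission flags
PF_X = 0x1                  # segment flag bit: executable

def gnu_stack_is_executable(elf_bytes):
    """True if the image asks for an executable stack, False if it asks for a
    non-executable one, None if it has no PT_GNU_STACK header at all (older
    toolchains; glibc then treats the object as needing an executable stack)."""
    if elf_bytes[:4] != b'\x7fELF':
        raise ValueError('not an ELF image')
    is64 = elf_bytes[4] == 2
    endian = '<' if elf_bytes[5] == 1 else '>'
    if is64:
        (e_phoff,) = struct.unpack_from(endian + 'Q', elf_bytes, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + 'HH', elf_bytes, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(endian + 'I', elf_bytes, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + 'HH', elf_bytes, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(endian + 'I', elf_bytes, off)
        # p_flags sits right after p_type in Elf64_Phdr but at offset 24 in Elf32_Phdr
        (p_flags,) = struct.unpack_from(endian + 'I', elf_bytes, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None

def build_elf32_stub(stack_flags):
    """Constructed minimal little-endian ELF32 image: header plus one PT_GNU_STACK
    entry with the given flags. Enough for the check above, not a loadable object."""
    ident = b'\x7fELF' + bytes([1, 1, 1]) + bytes(9)        # 32-bit, LSB, ELF version 1
    ehdr = ident + struct.pack('<HHIIIIIHHHHHH', 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack('<IIIIIIII', PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0)
    return ehdr + phdr

def library_needs_execstack(path):
    """Run the check on a real file, e.g. /usr/lib/liblzo2.so.2 from the post."""
    with open(path, 'rb') as f:
        return gnu_stack_is_executable(f.read())
```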
Enabling the strict policy on Fedora 7
by Patrick McNeal
I'm new to SELinux, and have been banging my head against the wall on
how to change from the targeted to the strict policy on my Fedora 7
box. I just figured out how to do it, and thought that it would be a
good thing to have in the archive so others might more easily find a
solution.
1 - Install the strict policy using the package manager. I used
selinux-policy-strict-2.6.4-29.fc.noarch.
2 - Using the SELinux Administration tool, set the "system default
policy type" to "strict".
3 - Set the "system default enforcing mode" to "permissive".
4 - Check "Relabel on next reboot".
5 - Reboot
If you leave enforcing mode set to the default of "enforcing" you'll
get this error on reboot:
/sbin/init: error while loading shared libraries: libsepol.so.1:
failed to map segment from shared object: Permission denied
Kernel panic - not syncing: Attempted to kill init!
Note, you can also make these changes via the command line by
editing /etc/selinux/config, setting up a relabel by
touching /.autorelabel, and rebooting.
Hope that helps someone.
--Patrick
ldconfig_t - still more .... ?
by Tom London
Running selinux-policy-3.0.5-2.fc8, targeted/enforcing.
It says "- Fixes for ldconfig", but I get these during 'yum update'.
'restorecon' of /var/cache/ldconfig doesn't change ....
type=AVC msg=audit(1186493561.393:26): avc: denied { search } for
pid=4210 comm="ldconfig" name="ldconfig" dev=dm-0 ino=67143
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1186493561.393:26): arch=40000003 syscall=5
success=no exit=-13 a0=80c5a92 a1=0 a2=3 a3=0 items=0 ppid=4209
pid=4210 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1186493561.572:27): avc: denied { getattr } for
pid=4210 comm="ldconfig" path="/var/cache/ldconfig" dev=dm-0 ino=67143
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1186493561.572:27): arch=40000003 syscall=195
success=no exit=-13 a0=bfde8600 a1=bfde8658 a2=bfde8613 a3=8fd3080
items=0 ppid=4209 pid=4210 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
Putting in permissive mode adds:
type=SYSCALL msg=audit(1186493569.650:32): arch=40000003 syscall=4
success=yes exit=1 a0=3 a1=bfb7f5d4 a2=1 a3=bfb7f5d4 items=0 ppid=4222
pid=4263 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 comm="setenforce" exe="/usr/sbin/setenforce"
subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1186493600.964:33): avc: denied { search } for
pid=4290 comm="ldconfig" name="ldconfig" dev=dm-0 ino=67143
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1186493600.964:33): arch=40000003 syscall=5
success=yes exit=3 a0=80c5a92 a1=0 a2=3 a3=0 items=0 ppid=4271
pid=4290 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1186493601.234:34): avc: denied { getattr } for
pid=4290 comm="ldconfig" path="/var/cache/ldconfig" dev=dm-0 ino=67143
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1186493601.234:34): arch=40000003 syscall=195
success=yes exit=0 a0=bfd35ad0 a1=bfd35b28 a2=bfd35ae3 a3=8d77940
items=0 ppid=4271 pid=4290 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1186493601.234:35): avc: denied { write } for
pid=4290 comm="ldconfig" name="ldconfig" dev=dm-0 ino=67143
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=AVC msg=audit(1186493601.234:35): avc: denied { add_name } for
pid=4290 comm="ldconfig" name="aux-cache~"
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1186493601.234:35): arch=40000003 syscall=5
success=yes exit=3 a0=8d77940 a1=20241 a2=180 a3=8d77940 items=0
ppid=4271 pid=4290 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1186493601.235:36): avc: denied { remove_name }
for pid=4290 comm="ldconfig" name="aux-cache~" dev=dm-0 ino=66343
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1186493601.235:36): arch=40000003 syscall=38
success=yes exit=0 a0=8d77940 a1=80c5a92 a2=3 a3=8d77940 items=0
ppid=4271 pid=4290 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
tom
--
Tom London
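Reading a burst of records like these by hand is error-prone, so here is an added example (not from the thread) that collapses AVC denials into one allow rule per source, target and class the way audit2allow does; the log in it is constructed from records quoted in this thread and in the OpenVPN thread above, each re-joined onto a single line as auditd writes them.

```python
import re
from collections import defaultdict

# Added example (not from the thread): collapse raw AVC records into allow rules the
# way audit2allow does, so a burst like the ldconfig_t denials above reads as one
# rule per (source, target, class). The sample is constructed from records quoted in
# this thread and in the OpenVPN one, each re-joined onto a single line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1186493561.393:26): avc: denied { search } for pid=4210 comm="ldconfig" name="ldconfig" dev=dm-0 ino=67143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1186493561.393:26): arch=40000003 syscall=5 success=no exit=-13 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1186493601.234:35): avc: denied { write } for pid=4290 comm="ldconfig" name="ldconfig" dev=dm-0 ino=67143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=AVC msg=audit(1186493601.234:35): avc: denied { add_name } for pid=4290 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=AVC msg=audit(1186574630.135:162): avc: denied { execstack } for pid=18563 comm="openvpn" scontext=root:system_r:openvpn_t:s0 tcontext=root:system_r:openvpn_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def context_type(context):
    """user:role:type[:range] -> type"""
    return context.split(':')[2]

def parse_denials(log_text):
    """Return [(source_type, target_type, tclass, frozenset(perms))] for AVC denials."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None or m.group('decision') != 'denied':
            continue
        denials.append((context_type(m.group('scontext')), context_type(m.group('tcontext')),
                        m.group('tclass'), frozenset(m.group('perms').split())))
    return denials

def allow_rules(denials):
    """Merge denials per (source, target, class) into policy allow rules; a target equal
    to the source becomes 'self', as in the execstack rule audit2allow printed above."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = 'self' if src == tgt else tgt
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ %s }' % perm_text
        rules.append('allow %s %s:%s %s;' % (src, target, cls, perm_text))
    return rules
```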