Re: [RFC] security: add iptables "security" table for MAC rules
by James Morris
On Tue, 29 Jan 2008, Paul Moore wrote:
> I'm not sure if returning false and failing here is the best thing to do in
> terms of backwards compatibility. I think we need some grace period where we
> print a warning message and still allow the operation; after some period of
> time we can then remove the ability completely and force users to use the
> new "security" table.
Currently, the patch allows the use of the mangle table, so it is
backwards compatible.
--
James Morris
<jmorris(a)namei.org>
16 years, 3 months
[RFC] security: add iptables "security" table for MAC rules
by James Morris
The following patch implements a new "security" table for iptables, so
that MAC (SELinux etc.) networking rules can be managed separately to
standard DAC rules.
This is to help with distro integration of the new secmark-based network
controls, per various previous discussions.
The need for a separate table arises from the fact that existing tools and
usage of iptables will likely clash with centralized MAC policy
management.
The SECMARK and CONNSECMARK targets will still be valid in the mangle
table, to prevent breakage of existing users, although I suspect that
these targets are not in significant use and we could probably make them
valid only in the security table without major issues. (Comments?)
I've set the table priority to just after NF_IP_FILTER, to allow DAC
rules to take effect before MAC rules.
There is also not (yet) any LSM hooking for modifying the MAC rules, as it
will be more invasive, and we have coarse coverage via CAP_NET_ADMIN.
(Comments?)
IPv6 is not done yet as this is just at RFC stage.
Please review and let me know if this looks like a viable approach for
distro integration. If it is, we will then need to run it past the
Netfilter & netdev folk.
---
Add a "security" table to iptables for managing Mandatory Access
Control (MAC) rules. This is intended for use with the SECMARK
and CONNSECMARK targets.
Signed-off-by: James Morris <jmorris(a)namei.org>
---
include/linux/netfilter_ipv4.h | 1 +
net/ipv4/netfilter/Kconfig | 10 ++
net/ipv4/netfilter/Makefile | 1 +
net/ipv4/netfilter/iptable_security.c | 181 +++++++++++++++++++++++++++++++++
net/netfilter/xt_CONNSECMARK.c | 10 ++-
net/netfilter/xt_SECMARK.c | 10 ++-
6 files changed, 207 insertions(+), 6 deletions(-)
create mode 100644 net/ipv4/netfilter/iptable_security.c
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 1a63adf..aec8961 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -60,6 +60,7 @@ enum nf_ip_hook_priorities {
NF_IP_PRI_MANGLE = -150,
NF_IP_PRI_NAT_DST = -100,
NF_IP_PRI_FILTER = 0,
+ NF_IP_PRI_SECURITY = 50,
NF_IP_PRI_NAT_SRC = 100,
NF_IP_PRI_SELINUX_LAST = 225,
NF_IP_PRI_CONNTRACK_HELPER = INT_MAX - 2,
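Review bot: NF_IP_PRI_SECURITY = 50 goes into the enum with no comment, while the rationale (run just after NF_IP_PRI_FILTER so that DAC rules take effect before MAC rules) lives only in the cover letter; a one-line comment on the new entry would keep that ordering requirement in the header, where anyone adding another priority between FILTER and NAT_SRC will actually look.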
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 9aca9c5..84d0d31 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -373,6 +373,16 @@ config IP_NF_RAW
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+# security table for MAC policy
+config IP_NF_SECURITY
+ tristate "Security table"
+ depends on IP_NF_IPTABLES
+ help
+ This option adds a `security' table to iptables, for use
+ with Mandatory Access Control (MAC) policy.
+
+ If unsure, say N.
+
# ARP tables
config IP_NF_ARPTABLES
tristate "ARP tables support"
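Review bot: the help text for IP_NF_SECURITY says only "for use with Mandatory Access Control (MAC) policy"; it should name the SECMARK and CONNSECMARK targets the table exists to host (the commit message does), and it lacks the "If you want to compile it as a module, say M here" sentence that the neighbouring IP_NF_RAW entry carries, so the two tristate options read inconsistently.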
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 7456833..90fcdd6 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -39,6 +39,7 @@ obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
obj-$(CONFIG_NF_NAT) += iptable_nat.o
obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
+obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
# matches
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
new file mode 100644
index 0000000..640f200
--- /dev/null
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -0,0 +1,181 @@
+/*
+ * "security" table
+ *
+ * This is for use by Mandatory Access Control (MAC) security models,
+ * which need to be able to manage security policy in separate context
+ * to DAC.
+ *
+ * Based on iptable_mangle.c
+ *
+ * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
+ * Copyright (C) 2000-2004 Netfilter Core Team <coreteam(a)netfilter.org>
+ * Copyright (C) 2008 Red Hat, Inc., James Morris <jmorris(a)redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netdevice.h>
+#include <linux/skbuff.h>
+#include <net/sock.h>
+#include <net/route.h>
+#include <linux/ip.h>
+#include <net/ip.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("James Morris <jmorris(a)redhat.com>");
+MODULE_DESCRIPTION("iptables security table, for MAC rules");
+
+#define SECURITY_VALID_HOOKS (1 << NF_IP_LOCAL_IN) | \
+ (1 << NF_IP_FORWARD) | \
+ (1 << NF_IP_LOCAL_OUT)
+
+static struct
+{
+ struct ipt_replace repl;
+ struct ipt_standard entries[3];
+ struct ipt_error term;
+} initial_table __initdata = {
+ .repl = {
+ .name = "security",
+ .valid_hooks = SECURITY_VALID_HOOKS,
+ .num_entries = 4,
+ .size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
+ .hook_entry = {
+ [NF_IP_LOCAL_IN] = 0,
+ [NF_IP_FORWARD] = sizeof(struct ipt_standard),
+ [NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
+ },
+ .underflow = {
+ [NF_IP_LOCAL_IN] = 0,
+ [NF_IP_FORWARD] = sizeof(struct ipt_standard),
+ [NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
+ },
+ },
+ .entries = {
+ IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
+ IPT_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
+ IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
+ },
+ .term = IPT_ERROR_INIT, /* ERROR */
+};
+
+static struct xt_table security_mangler = {
+ .name = "security",
+ .valid_hooks = SECURITY_VALID_HOOKS,
+ .lock = RW_LOCK_UNLOCKED,
+ .me = THIS_MODULE,
+ .af = AF_INET,
+};
+
+/* The work comes in here from netfilter.c. */
+static unsigned int
+ipt_route_hook(unsigned int hook,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ return ipt_do_table(skb, hook, in, out, &security_mangler);
+}
+
+static unsigned int
+ipt_local_hook(unsigned int hook,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ unsigned int ret;
+ const struct iphdr *iph;
+ u_int8_t tos;
+ __be32 saddr, daddr;
+ u_int32_t mark;
+
+ /* Somebody is playing with raw sockets. */
+ if (skb->len < sizeof(struct iphdr)
+ || ip_hdrlen(skb) < sizeof(struct iphdr)) {
+ if (net_ratelimit())
+ printk(KERN_INFO "iptable_mangle: ignoring short "
+ "SOCK_RAW packet.\n");
+ return NF_ACCEPT;
+ }
+
+ /* Save things which could affect route */
+ mark = skb->mark;
+ iph = ip_hdr(skb);
+ saddr = iph->saddr;
+ daddr = iph->daddr;
+ tos = iph->tos;
+
+ ret = ipt_do_table(skb, hook, in, out, &security_mangler);
+ /* Reroute for ANY change. */
+ if (ret != NF_DROP && ret != NF_STOLEN && ret != NF_QUEUE) {
+ iph = ip_hdr(skb);
+
+ if (iph->saddr != saddr ||
+ iph->daddr != daddr ||
+ skb->mark != mark ||
+ iph->tos != tos)
+ if (ip_route_me_harder(skb, RTN_UNSPEC))
+ ret = NF_DROP;
+ }
+
+ return ret;
+}
+
+static struct nf_hook_ops ipt_ops[] = {
+ {
+ .hook = ipt_route_hook,
+ .owner = THIS_MODULE,
+ .pf = PF_INET,
+ .hooknum = NF_IP_LOCAL_IN,
+ .priority = NF_IP_PRI_SECURITY,
+ },
+ {
+ .hook = ipt_route_hook,
+ .owner = THIS_MODULE,
+ .pf = PF_INET,
+ .hooknum = NF_IP_FORWARD,
+ .priority = NF_IP_PRI_SECURITY,
+ },
+ {
+ .hook = ipt_local_hook,
+ .owner = THIS_MODULE,
+ .pf = PF_INET,
+ .hooknum = NF_IP_LOCAL_OUT,
+ .priority = NF_IP_PRI_SECURITY,
+ },
+};
+
+static int __init iptable_security_init(void)
+{
+ int ret;
+
+ /* Register table */
+ ret = ipt_register_table(&security_mangler, &initial_table.repl);
+ if (ret < 0)
+ return ret;
+
+ /* Register hooks */
+ ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
+ if (ret < 0)
+ goto cleanup_table;
+
+ return ret;
+
+cleanup_table:
+ ipt_unregister_table(&security_mangler);
+ return ret;
+}
+
+static void __exit iptable_security_fini(void)
+{
+ nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
+ ipt_unregister_table(&security_mangler);
+}
+
+module_init(iptable_security_init);
+module_exit(iptable_security_fini);
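Review bot: the ratelimited printk in ipt_local_hook still reads "iptable_mangle: ignoring short SOCK_RAW packet", a leftover from the file this one is based on; change the prefix to "iptable_security:" so the log line points at the right module. Two smaller points in the same file: SECURITY_VALID_HOOKS expands to an unparenthesised `a | b | c`, so wrap the whole expression in parentheses to keep it safe wherever it is used; and the reroute block in ipt_local_hook (comparing saddr, daddr, tos and skb->mark before and after ipt_do_table) is only needed if a rule in this table can change those fields. The commit message says the table is intended for SECMARK and CONNSECMARK, so either add a comment explaining why a MAC-only table still needs the reroute or drop it and register ipt_route_hook for NF_IP_LOCAL_OUT as well, as the other two hooks do. The name security_mangler also reads oddly for a table that is not meant to mangle anything.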
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index d8feba9..5dd584b 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -8,7 +8,7 @@
* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno(a)marasystems.com>
*
- * (C) 2006 Red Hat, Inc., James Morris <jmorris(a)redhat.com>
+ * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris(a)redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -90,6 +90,12 @@ static bool checkentry(const char *tablename, const void *entry,
{
const struct xt_connsecmark_target_info *info = targinfo;
+ if (strcmp(tablename, "mangle") && strcmp(tablename, "security")) {
+ printk(KERN_INFO PFX "target only valid in the \'mangle\' "
+ "or \'security\' tables, not \'%s\'.\n", tablename);
+ return false;
+ }
+
switch (info->mode) {
case CONNSECMARK_SAVE:
case CONNSECMARK_RESTORE:
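Review bot: the backslash escapes in "\'mangle\'" and "\'security\'" in the new printk are unnecessary in a C string literal; plain 'mangle' reads the same and avoids a checkpatch complaint. The logic itself is right (reject only when tablename matches neither), but since it replaces the `.table = "mangle"` restriction that the later hunks drop, a short comment saying the check moved here because .table can name only one table would spare the next reader the question.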
@@ -122,7 +128,6 @@ static struct xt_target xt_connsecmark_target[] __read_mostly = {
.destroy = destroy,
.target = target,
.targetsize = sizeof(struct xt_connsecmark_target_info),
- .table = "mangle",
.me = THIS_MODULE,
},
{
@@ -132,7 +137,6 @@ static struct xt_target xt_connsecmark_target[] __read_mostly = {
.destroy = destroy,
.target = target,
.targetsize = sizeof(struct xt_connsecmark_target_info),
- .table = "mangle",
.me = THIS_MODULE,
},
};
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 235806e..7c92d87 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -5,7 +5,7 @@
* Based on the nfmark match by:
* (C) 1999-2001 Marc Boucher <marc(a)mbsi.ca>
*
- * (C) 2006 Red Hat, Inc., James Morris <jmorris(a)redhat.com>
+ * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris(a)redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -87,6 +87,12 @@ static bool checkentry(const char *tablename, const void *entry,
{
struct xt_secmark_target_info *info = targinfo;
+ if (strcmp(tablename, "mangle") && strcmp(tablename, "security")) {
+ printk(KERN_INFO PFX "target only valid in the \'mangle\' "
+ "or \'security\' tables, not \'%s\'.\n", tablename);
+ return false;
+ }
+
if (mode && mode != info->mode) {
printk(KERN_INFO PFX "mode already set to %hu cannot mix with "
"rules for mode %hu\n", mode, info->mode);
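Review bot: with the target now accepted in both the mangle and the security table, the module-wide `mode` guard just below the new check (`if (mode && mode != info->mode)`) spans both tables: a SECMARK rule loaded into mangle fixes the mode for every later rule in security as well. That is probably intended, but it deserves a comment, since the cover letter keeps mangle only for backwards compatibility. Same nit as in xt_CONNSECMARK.c: the \' escapes in the printk string are unnecessary.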
@@ -116,7 +122,6 @@ static struct xt_target xt_secmark_target[] __read_mostly = {
.checkentry = checkentry,
.target = target,
.targetsize = sizeof(struct xt_secmark_target_info),
- .table = "mangle",
.me = THIS_MODULE,
},
{
@@ -125,7 +130,6 @@ static struct xt_target xt_secmark_target[] __read_mostly = {
.checkentry = checkentry,
.target = target,
.targetsize = sizeof(struct xt_secmark_target_info),
- .table = "mangle",
.me = THIS_MODULE,
},
};
--
1.5.3.8
--
James Morris
<jmorris(a)namei.org>
16 years, 3 months
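To show what the new table is for, here is an added example of a SECMARK/CONNSECMARK ruleset loaded into the security table; it is not part of the RFC patch or of any project's code. The SELinux packet contexts it uses are assumed names for illustration (a real policy defines its own packet types), and the script only invokes the stock iptables command-line syntax for the SECMARK and CONNSECMARK targets. Because the table registers at NF_IP_PRI_SECURITY, just after the filter table, a packet the DAC rules drop never reaches these rules.

```shell
#!/bin/sh
# Added example (not from the patch or the thread): a small SECMARK/CONNSECMARK
# ruleset for the "security" iptables table. Set IPT=echo for a dry run that
# prints the rules instead of loading them.
set -u

IPT="${IPT:-iptables}"
# Assumed packet contexts for illustration; substitute the ones your policy defines.
HTTP_CTX="${HTTP_CTX:-system_u:object_r:http_server_packet_t:s0}"
SSH_CTX="${SSH_CTX:-system_u:object_r:ssh_server_packet_t:s0}"

# Every rule goes into the security table. The patch registers the table only on
# LOCAL_IN, FORWARD and LOCAL_OUT, so INPUT, FORWARD and OUTPUT are its only chains.
sec_rule() {
    "$IPT" -t security "$@"
}

# Returns 0 when the running kernel exposes the table (registered tables are listed
# in /proc/net/ip_tables_names), non-zero otherwise.
have_security_table() {
    grep -qx security /proc/net/ip_tables_names 2>/dev/null
}

load_security_rules() {
    sec_rule -F INPUT  || return 1
    sec_rule -F OUTPUT || return 1
    # Label new inbound flows by service. The DAC filter table has already run at
    # this point, so only packets it accepted get a MAC label.
    sec_rule -A INPUT -p tcp --dport 80 -m state --state NEW -j SECMARK --selctx "$HTTP_CTX" || return 1
    sec_rule -A INPUT -p tcp --dport 22 -m state --state NEW -j SECMARK --selctx "$SSH_CTX"  || return 1
    # Copy the label onto the conntrack entry once, then restore it on every later
    # packet of the flow in both directions instead of re-classifying each packet.
    sec_rule -A INPUT  -m state --state NEW                 -j CONNSECMARK --save    || return 1
    sec_rule -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore || return 1
    sec_rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore || return 1
}

# Dry-run helper: count the append rules that target the security table, so a
# reviewer can confirm none of them were accidentally written against mangle.
count_security_rules() {
    ( IPT=echo; load_security_rules ) | grep -c -- '^-t security -A '
}

# Usage (as root, on a kernel with the table):
#   have_security_table && load_security_rules
# Dry run on any machine:
#   IPT=echo load_security_rules
```

Run it once with IPT=echo to review the generated rules before loading them; with the real iptables binary the -F lines clear only the security table, so existing filter and mangle rules are untouched.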
Rawhide kernel/etc. breaks sound, system_dbusd_t AVCs
by Tom London
Running today's rawhide, targeted/enforcing.
Booting up after applying today's updates, sound is disabled, and the
following AVCs:
type=AVC msg=audit(1201370968.279:17): avc: denied { execute } for
pid=3936 comm="dbus-daemon-lau" name="console-kit-daemon" dev=dm-0
ino=5490198 scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1201370968.279:17): arch=40000003 syscall=11
success=no exit=-13 a0=9253c30 a1=9253bb0 a2=9253008 a3=de799c items=0
ppid=3935 pid=3936 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="dbus-daemon-lau"
exe="/lib/dbus-1/dbus-daemon-launch-helper"
subj=system_u:system_r:system_dbusd_t:s0 key=(null)
type=AVC msg=audit(1201370973.064:18): avc: denied { execute } for
pid=4149 comm="dbus-daemon-lau" name="console-kit-daemon" dev=dm-0
ino=5490198 scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1201370973.064:18): arch=40000003 syscall=11
success=no exit=-13 a0=9113c30 a1=9113bb0 a2=9113008 a3=de799c items=0
ppid=4148 pid=4149 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="dbus-daemon-lau"
exe="/lib/dbus-1/dbus-daemon-launch-helper"
subj=system_u:system_r:system_dbusd_t:s0 key=(null)
<<< REPEATS >>>
#============= system_dbusd_t ==============
allow system_dbusd_t consolekit_exec_t:file execute;
Rebooting in permissive mode enables sound, but produces a host of
AVCs (/var/log/audit/audit.log attached):
#============= system_dbusd_t ==============
allow system_dbusd_t NetworkManager_t:dir search;
allow system_dbusd_t NetworkManager_t:file { read getattr };
allow system_dbusd_t NetworkManager_t:process ptrace;
allow system_dbusd_t consolekit_exec_t:file { read execute execute_no_trans };
allow system_dbusd_t hald_t:dbus send_msg;
allow system_dbusd_t hald_t:dir search;
allow system_dbusd_t hald_t:file { read getattr };
allow system_dbusd_t hald_t:process ptrace;
allow system_dbusd_t polkit_auth_t:dbus send_msg;
allow system_dbusd_t polkit_auth_t:dir search;
allow system_dbusd_t polkit_auth_t:file { read getattr };
allow system_dbusd_t self:capability { sys_nice sys_ptrace };
allow system_dbusd_t self:fifo_file getattr;
allow system_dbusd_t self:process getsched;
allow system_dbusd_t system_crond_var_lib_t:dir search;
allow system_dbusd_t system_crond_var_lib_t:file read;
allow system_dbusd_t tty_device_t:chr_file { read ioctl };
allow system_dbusd_t unconfined_t:dbus send_msg;
allow system_dbusd_t unconfined_t:dir search;
allow system_dbusd_t unconfined_t:file { read getattr };
allow system_dbusd_t unconfined_t:process ptrace;
allow system_dbusd_t var_log_t:dir search;
allow system_dbusd_t var_log_t:file { read getattr append setattr };
allow system_dbusd_t xdm_t:dbus send_msg;
allow system_dbusd_t xdm_t:dir search;
allow system_dbusd_t xdm_t:file { read getattr };
allow system_dbusd_t xdm_t:process ptrace;
Nothing seems mislabeled in /etc, /*bin, /lib, /usr/*bin, ....
tom
--
Tom London
16 years, 3 months
OLS 2008 SELinux Proposals for review and comments
by David P. Quigley
Hello Everyone,
I have put together a series of proposals for OLS this year which
include a talk on Labeled-NFS, an SELinux BOF, and an SELinux tutorial.
You will find them attached to this email. If you have any
questions, comments, and/or complaints, please feel free to make them.
Dave Quigley
16 years, 3 months
spamass-milter initrc_t issues
by Dan Thurman
I have tried in vain to resolve the spamass-milter issue and selinux. Nothing
I have tried manually worked to resolve this issue. The specific issues
that I had was that selinux was expecting spamass-milter to be of type
initrc_t.
I have simply turned off spamass-milter in my sendmail.mc file until I can get
this issue resolved.
Here are some examples of complaints:
/var/log/maillog:
========================
Jan 26 13:56:47 gold sendmail[2408]: m0QLuhZk002408: from=dant, size=53,
class=0, nrcpts=1, msgid=<200801262156.m0QLuhZk002408(a)gold.cdkkt.com>,
relay=dant@localhost
Jan 26 13:56:47 gold sendmail[2410]: m0QLulQ9002410: Milter (spamassassin):
error connecting to filter: Permission denied
Jan 26 13:56:47 gold sendmail[2410]: m0QLulQ9002410: Milter (spamassassin): to
error state
Jan 26 13:56:47 gold sendmail[2410]: STARTTLS=server,
relay=localhost.localdomain [127.0.0.1], version=TLSv1/SSLv3, verify=NO,
cipher=DHE-RSA-AES256-SHA, bits=256/256
Jan 26 13:56:47 gold sendmail[2408]: STARTTLS=client, relay=[127.0.0.1],
version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jan 26 13:56:50 gold sendmail[2410]: m0QLulQA002410:
from=<dant(a)gold.cdkkt.com>, size=332, class=0, nrcpts=1,
msgid=<200801262156.m0QLuhZk002408(a)gold.cdkkt.com>, proto=ESMTP, daemon=MTA,
relay=localhost.localdomain [127.0.0.1]
Jan 26 13:56:50 gold sendmail[2410]: m0QLulQA002410: Milter add: header:
X-Virus-Scanned: ClamAV 0.92/5562/Sat Jan 26 03:34:23 2008 on gold.cdkkt.com
Jan 26 13:56:50 gold sendmail[2410]: m0QLulQA002410: Milter add: header:
X-Virus-Status: Clean
Jan 26 13:56:50 gold sendmail[2408]: m0QLuhZk002408: to=dbthurman(a)hotmail.com,
ctladdr=dant (500/500), delay=00:00:07, xdelay=00:00:03, mailer=relay,
pri=30053, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent
(m0QLulQA002410 Message accepted for delivery)
Jan 26 13:57:12 gold sendmail[2414]: m0QLulQA002410:
to=<dbthurman(a)hotmail.com>, ctladdr=<dant(a)gold.cdkkt.com> (500/500),
delay=00:00:23, xdelay=00:00:22, mailer=esmtp, pri=120332,
relay=mx3.hotmail.com. [65.54.244.200], dsn=2.0.0, stat=Sent (
<200801262156.m0QLuhZk002408(a)gold.cdkkt.com> Queued mail for delivery)
========================
/var/log/messages:
========================
Jan 26 13:56:53 gold setroubleshoot: #012 SELinux is
preventing /usr/sbin/sendmail.sendmail (sendmail_t) "connectto"
to /var/run/spamass-milter/spamass-milter.sock (initrc_t).#012 For
complete SELinux messages. run sealert -l
a82ae4e6-5276-4fe6-9db0-44af64ea413d
========================
sealert -l a82ae4e6-5276-4fe6-9db0-44af64ea413d
========================
Summary
SELinux is preventing /usr/sbin/sendmail.sendmail (sendmail_t) "connectto"
to /var/run/spamass-milter/spamass-milter.sock (initrc_t).
Detailed Description
SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
expected that this access is required by /usr/sbin/sendmail.sendmail and
this access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context system_u:system_r:sendmail_t:s0
Target Context system_u:system_r:initrc_t:s0
Target Objects /var/run/spamass-milter/spamass-milter.sock [
unix_stream_socket ]
Affected RPM Packages sendmail-8.14.2-1.fc8 [application]
Policy RPM selinux-policy-3.0.8-76.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name gold.cdkkt.com
Platform Linux gold.cdkkt.com 2.6.23.14-107.fc8 #1 SMP
Mon
Jan 14 21:37:30 EST 2008 i686 i686
Alert Count 1
First Seen Sat Jan 26 13:56:47 2008
Last Seen Sat Jan 26 13:56:47 2008
Local ID a82ae4e6-5276-4fe6-9db0-44af64ea413d
Line Numbers
Raw Audit Messages
avc: denied { connectto } for comm=sendmail egid=51 euid=0
exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=0 gid=0 items=0
path=/var/run/spamass-milter/spamass-milter.sock pid=2410
scontext=system_u:system_r:sendmail_t:s0 sgid=51
subj=system_u:system_r:sendmail_t:s0 suid=0 tclass=unix_stream_socket
tcontext=system_u:system_r:initrc_t:s0 tty=(none) uid=0
========================
16 years, 3 months
SELinux is preventing dbus-daemon-lau(/lib/dbus-1/dbus-daemon-launch-helper)
by Antonio Olivares
Dear all,
As of updates to machine rawhide report 20080126, I
get the following warning from setroubleshoot:
Is it related to the previous one, dbus-daemon, or is
it a new one?
Thanks,
Antonio
Summary:
SELinux is preventing
dbus-daemon-lau(/lib/dbus-1/dbus-daemon-launch-helper)
(system_dbusd_t) "execute" to <Unknown>
(consolekit_exec_t).
Detailed Description:
SELinux denied access requested by
dbus-daemon-lau(/lib/dbus-1/dbus-daemon-launch-helper).
It is not expected that
this access is required by
dbus-daemon-lau(/lib/dbus-1/dbus-daemon-launch-helper)
and this access may
signal an intrusion attempt. It is also possible that
the specific version or
configuration of the application is causing it to
require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials.
You could try to restore
the default system file context for <Unknown>,
restorecon -v <Unknown>
If this does not work, there is currently no automatic
way to allow this access.
Instead, you can generate a local policy module to
allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable
SELinux protection altogether. Disabling SELinux
protection is not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context
system_u:system_r:system_dbusd_t
Target Context
system_u:object_r:consolekit_exec_t
Target Objects None [ file ]
Source
dbus-daemon-lau(/lib/dbus-1/dbus-daemon-launch-
helper)
Port <Unknown>
Host localhost
Source RPM Packages
Target RPM Packages
Policy RPM
selinux-policy-3.2.5-19.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost
Platform Linux localhost
2.6.24-2.fc9 #1 SMP Fri Jan 25
13:14:54 EST 2008 i686
athlon
Alert Count 17
First Seen Sat 26 Jan 2008 02:17:08
PM CST
Last Seen Sat 26 Jan 2008 02:18:52
PM CST
Local ID
49f54895-d96b-44a0-8144-e7c4e8b3965f
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1201378732.288:37):
avc: denied { execute } for pid=2640
comm="dbus-daemon-lau" name="console-kit-daemon"
dev=dm-0 ino=32542536
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:consolekit_exec_t:s0
tclass=file
host=localhost type=SYSCALL
msg=audit(1201378732.288:37): arch=40000003 syscall=11
success=no exit=-13 a0=9750020 a1=974fc80 a2=974f008
a3=60099c items=0 ppid=2639 pid=2640 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="dbus-daemon-lau"
exe="/lib/dbus-1/dbus-daemon-launch-helper"
subj=system_u:system_r:system_dbusd_t:s0 key=(null)
16 years, 3 months
AVC denial with bugzilla from epel
by Tony Molloy
Hi,
I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm getting the
following AVC denied message:
Summary
SELinux prevented httpd reading and writing access to http files.
Detailed Description
SELinux prevented httpd reading and writing access to http files.
Ordinarily
httpd is allowed full access to all files labeled with http file context.
This machine has a tightened security policy with the httpd_unified turned
off, This requires explicit labeling of all files. If a file is a cgi
script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
executed. If it is read only content, it needs to be labeled
httpd_TYPE_content_t; if it is writable content, it needs to be labeled
httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
command to change these contexts. Please refer to the man page "man
httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
refers to one of "sys", "user" or "staff" or potentially other script
types.
Allowing Access
Changing the "httpd_unified" boolean to true will allow this access:
"setsebool -P httpd_unified=1"
The following command will allow this access:
setsebool -P httpd_unified=1
Additional Information
Source Context root:system_r:httpd_bugzilla_script_t
Target Context root:object_r:httpd_tmp_t
Target Objects /tmp/.NSPR-AFM-6806-97520c8.0 (deleted) [ file ]
Affected RPM Packages
Policy RPM selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.httpd_unified
Host Name richmond.csis.ul.ie
Platform Linux richmond.csis.ul.ie 2.6.18-53.1.4.el5 #1
SMP
Fri Nov 30 00:45:16 EST 2007 i686 i686
Alert Count 21
Line Numbers
Raw Audit Messages
avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48
exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0
path=2F746D702F2E4E5
350522D41464D2D363830362D393735323063382E30202864656C6574656429 pid=12090
scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
This seems to be a denial to r/w a file in /tmp
I can generate a local policy to allow this access with audit2allow but what
is the correct way to handle this.
Regards,
Tony
16 years, 3 months
Fwd: Re: AVC denial with bugzilla from epel
by Tony Molloy
Don't know why this didn't get through last night ( my time ;-0 )
---------- Forwarded Message ----------
Subject: Re: AVC denial with bugzilla from epel
Date: Thursday 24 January 2008
From: Tony Molloy <tony.molloy(a)ul.ie>
To: fedora-selinux-list(a)redhat.com
On Thursday 24 January 2008 15:28:42 Daniel J Walsh wrote:
> Paul Howarth wrote:
> > Rahul Sundaram wrote:
> >> Tony Molloy wrote:
> >>> Hi,
> >>>
> >>> I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm
> >>> getting the following AVC denied message:
> >>>
> >>> Summary
> >>> SELinux prevented httpd reading and writing access to http files.
> >>>
> >>> Detailed Description
> >>> SELinux prevented httpd reading and writing access to http files.
> >>> Ordinarily
> >>> httpd is allowed full access to all files labeled with http file
> >>> context.
> >>> This machine has a tightened security policy with the
> >>> httpd_unified turned
> >>> off, This requires explicit labeling of all files. If a file is
> >>> a cgi
> >>> script it needs to be labeled with httpd_TYPE_script_exec_t in
> >>> order to be
> >>> executed. If it is read only content, it needs to be labeled
> >>> httpd_TYPE_content_t; if it is writable content, it needs to be
> >>> labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use
> >>> the chcon
> >>> command to change these contexts. Please refer to the man page "man
> >>> httpd_selinux" or
> >>> http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
> >>> refers to one of "sys", "user" or "staff" or potentially other
> >>> script
> >>> types.
> >>>
> >>> Allowing Access
> >>> Changing the "httpd_unified" boolean to true will allow this
> >>> access: "setsebool -P httpd_unified=1"
> >>>
> >>> The following command will allow this access:
> >>> setsebool -P httpd_unified=1
> >>>
> >>> Additional Information Source Context
> >>> root:system_r:httpd_bugzilla_script_t
> >>> Target Context root:object_r:httpd_tmp_t
> >>> Target Objects /tmp/.NSPR-AFM-6806-97520c8.0 (deleted)
> >>> [ file ]
> >>> Affected RPM Packages Policy RPM
> >>> selinux-policy-2.4.6-106.el5_1.3
> >>> Selinux Enabled True
> >>> Policy Type targeted
> >>> MLS Enabled True
> >>> Enforcing Mode Enforcing
> >>> Plugin Name plugins.httpd_unified
> >>> Host Name richmond.csis.ul.ie
> >>> Platform Linux richmond.csis.ul.ie
> >>> 2.6.18-53.1.4.el5 #1 SMP
> >>> Fri Nov 30 00:45:16 EST 2007 i686 i686
> >>> Alert Count 21
> >>> Line Numbers
> >>> Raw Audit Messages avc: denied { read, write } for
> >>> comm="index.cgi" dev=sda6 egid=48 euid=48
> >>> exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0
> >>> path=2F746D702F2E4E5
> >>> 350522D41464D2D363830362D393735323063382E30202864656C6574656429
> >>> pid=12090
> >>> scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
> >>> subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
> >>> tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
> >>>
> >>> This seems to be a denial to r/w a file in /tmp
> >>>
> >>> I can generate a local policy to allow this access with audit2allow
> >>> but what is the correct way to handle this.
> >>
> >> The answer was within the report itself
> >>
> >> # setsebool -P httpd_unified=1
> >
>Who is creating the httpd_tmp_t files? Is this a cgi that should be
>labeled httpd_bugzilla_script_t.
Several perl cgi scripts create tmp files.
>From the above it's index.cgi. The permissions on all these scripts are the
same.
-rwxr-x--- root apache system_u:object_r:httpd_bugzilla_script_exec_t
index.cgi
I created a local policy and bugzilla is working. I also submitted this as
bug 429879 to bugzilla.
Thanks,
Tony
-------------------------------------------------------
16 years, 3 months
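The raw audit message in this thread (and in the original report above) shows the path as a run of hex digits rather than a filename, because the kernel audit code hex-encodes any path that contains a space or other non-printable byte, and the " (deleted)" suffix on an unlinked /tmp file guarantees one. The following added example, which is not code from the thread or from any project, decodes that field with POSIX sh only so the denied object can be read without xxd or perl. The sample audit line inside it is constructed from the hex run posted above, re-joined where the mail client wrapped it.

```shell
#!/bin/sh
# Added example (not from the thread): decode the hex-encoded path= field in a
# raw audit/AVC line. Audit quotes plain paths ("...") and hex-encodes any path
# that contains whitespace or unprintable bytes, which is why the deleted /tmp
# file above shows up as a hex string.

# Print the bytes encoded by a string of hex pairs. Bytes 0x0A would be lost to
# command-substitution newline stripping; audit never emits them unescaped here.
audit_hex_decode() {
    hex=$1
    out=
    while [ "${#hex}" -ge 2 ]; do
        pair=$(printf '%.2s' "$hex")
        hex=${hex#??}
        # printf '%03o' turns 0x2F into 057; printf '\057' then emits '/'.
        out="$out$(printf "\\$(printf '%03o' "0x$pair")")"
    done
    printf '%s' "$out"
}

# Given one raw audit line, print its path= value in readable form: quoted
# values are returned without the quotes, anything else is treated as hex.
# Returns 1 if the line has no path= field.
audit_path() {
    line=$1
    case $line in
        *path=*) ;;
        *) return 1 ;;
    esac
    val=${line#*path=}
    val=${val%% *}
    case $val in
        \"*\")
            val=${val#\"}
            val=${val%\"}
            printf '%s' "$val"
            ;;
        *)
            audit_hex_decode "$val"
            ;;
    esac
}

# Constructed sample: the hex run from the AVC message in this thread, re-joined
# where the mail client wrapped it across two lines.
THREAD_HEX=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429
SAMPLE_AVC="avc: denied { read, write } for comm=\"index.cgi\" dev=sda6 path=$THREAD_HEX pid=12090 tclass=file"

# Usage:
#   audit_path "$SAMPLE_AVC"; echo
```

The decoded value matches the Target Objects line in the setroubleshoot summary, which confirms that the denial is against a per-process scratch file the CGI created in /tmp, not against any Bugzilla content; that is why relabelling the scripts alone does not make it go away.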
Re: [RFC] change policy loading to initramfs
by Bill Nottingham
Peter Jones (pjones(a)redhat.com) said:
> This is what I get for coding during budget meetings.
Here's an updated patch (tested) that incorporates your changes.
At the moment, while load_policy -i would work, I'm not sure it's best
for Fedora right now as it would require pulling chroot into the initrd,
and handling return code checking in nash's not-quite-a-shell environment.
It's actually simpler to just call the policy load directly.
Bill
16 years, 3 months
Re: [RFC] change policy loading to initramfs
by Bill Nottingham
Peter Jones (pjones(a)redhat.com) said:
> int loadPolicyCommand(char *cmd, char *end)
> {
> int enforce = 0;
> int rootfd;
>
> rootfd = open("/", O_DIRECTORY|O_RDONLY);
> if (rootfd < 0) {
> eprintf("loadpolicy: could not open directory: %m\n");
> exit(1);
> }
> if (chroot("/sysroot") != 0) {
> eprintf("loadpolicy: chroot failed: %m\n");
> exit(1);
> }
> if (selinux_init_policy(&enforce) != 0) {
> eprintf("Unable to load SELinux policy (%m). Halting now.\n");
> exit(1);
> }
selinux_init_load_policy is what handles enforcing=0/selinux=0 on the
commandline - you only want to halt if you get back that it failed
and you're in enforcing mode. (Similarly, not sure if chdir/chroot
should be fatal errors.)
Bill
16 years, 3 months