Stuck in init_t
by Sciola, Dario
Classification: UNCLASSIFIED
Hi,
I've got a small application that I'm trying to get running as a service
on an FC8 SELinux box. I've got an entry in my inittab file to kick
start the app, but all my attempts at writing an appropriate policy
leave that app running in the init_t domain.
The inittab file entry is:
cds:2345:respawn:/usr/bin/CDSserver -l -p 2732
ps -efZ (observing this as a 'root' user) gives:
system_u:system_r:init_t:s0 root 2663 1 0 10:01 ? 00:00:00
/usr/bin/CDSserver -l -p 2732
My .te file contains:
policy_module(cdsserver,1.0.3)
########################################
#
# Declarations
#
########################################
# Type declarations
###################
# the target domain:
type cds_t;
# Entrypoint for exec
type cds_exec_t;
# domain type
#domain_type(cds_t)
# Mark cds_t as a domain and cds_exec_t as an entrypoint
init_daemon_domain(cds_t, cds_exec_t)
domain_entry_file(cds_t, cds_exec_t)
allow cds_t self:process execmem;
...
My .fc file contains:
/usr/bin/CDSserver -- gen_context(system_u:object_r:cds_exec_t,s0)
My .if file contains:
interface(`cds_domtrans',`
gen_require(`
type cds_t, cds_exec_t;
')
domain_auto_trans($1,cds_exec_t,cds_t)
allow $1 cds_t:fd use;
allow cds_t $1:fd use;
allow cds_t $1:fifo_file rw_file_perms;
allow cds_t $1:process sigchld;
')
I've also tried putting init_t as $1 in the domain_auto_trans()
Why isn't the process transitioning to cds_t? I've looked at a lot of
sites and examples and can't seem to figure out my problem. The policy
is the targeted FC8 policy. Module compiles and loads (semodule) fine.
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted
Any ideas?
Dario Sciola
15 years, 11 months
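Added example, not code from Dario's post: a small Python checker that cross-checks the pieces the post describes (the init_daemon_domain() entrypoint in the .te file, the .fc mapping, the binary's on-disk label, and the ps -efZ context) and reports which link in the chain is missing. The ls -Z line is constructed; bin_t there is an assumption standing in for the /usr/bin default label a file keeps until restorecon applies the module's .fc entry.

```python
"""Diagnose why a daemon started from inittab runs in init_t instead of its
own domain, by cross-checking the policy module, the file context and the
live labels. Added example; sample lines are constructed from the post."""
import re

TE_FILE = """policy_module(cdsserver,1.0.3)
type cds_t;
type cds_exec_t;
init_daemon_domain(cds_t, cds_exec_t)
"""
FC_FILE = "/usr/bin/CDSserver -- gen_context(system_u:object_r:cds_exec_t,s0)\n"
# 'ls -Z' line for the binary (constructed; bin_t is assumed as the /usr/bin
# default you see when the .fc entry was never applied with restorecon).
LS_Z = "-rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/bin/CDSserver"
# 'ps -efZ' line as quoted in the post.
PS_Z = ("system_u:system_r:init_t:s0 root 2663 1 0 10:01 ? 00:00:00 "
        "/usr/bin/CDSserver -l -p 2732")

def parse_te(text):
    """{exec_type: domain} for every init_daemon_domain(domain, exec_type)."""
    return {e: d for d, e in re.findall(r"init_daemon_domain\((\w+),\s*(\w+)\)", text)}

def parse_fc(text):
    """{path: type} for literal-path gen_context() entries."""
    return dict(re.findall(r"^(\S+)\s+\S+\s+gen_context\(\w+:\w+:(\w+)", text, re.M))

def type_of(ctx):
    """Third field of user:role:type[:level]."""
    return ctx.split(":")[2]

def diagnose(te=TE_FILE, fc=FC_FILE, ls_line=LS_Z, ps_line=PS_Z):
    """Return (status, advice) for the process on ps_line."""
    fields = ps_line.split(None, 8)          # LABEL UID PID PPID C STIME TTY TIME CMD
    proc_type, binary = type_of(fields[0]), fields[8].split()[0]
    file_type = next(type_of(f) for f in ls_line.split() if ":object_r:" in f)
    want_exec = parse_fc(fc).get(binary)
    if want_exec is None:
        return "no-fc", f"no .fc entry for {binary}; add one and run restorecon"
    want_dom = parse_te(te).get(want_exec)
    if want_dom is None:
        return "no-transition", f"{want_exec} is not an init_daemon_domain() entrypoint"
    if file_type != want_exec:
        return "unlabeled", (f"{binary} is {file_type}, policy expects {want_exec}: "
                             f"run 'restorecon -v {binary}' then respawn the daemon")
    if proc_type != want_dom:
        return "stale", (f"label is right but process is still {proc_type}: "
                         "it was exec'd before the fix; respawn it (telinit q / kill)")
    return "ok", f"{binary} runs in {want_dom}"

if __name__ == "__main__":
    print(*diagnose())
```

A domain transition only happens at exec time, so after relabelling the binary the respawned process is the one to check, not the one already running.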
RE: Samba shares...
by Dan Thurman
Stephen Smalley
|Daniel B. Thurman wrote:
|> |You can certainly generate a local policy module that gives
|> |access to fusefs_t, but it would be better if we could get
|> |the context mount option to work.
|>
|> I will try anything you suggest. Let me know if you can
|> resolve this issue, otherwise let me know (in detail) how
|> to write a policy as a last resort?
|
|To generate local policy for this issue, you'd do something like this:
|
|$ su -
|# ausearch -m AVC | grep fuse | audit2allow -M myfuse
|# semodule -i myfuse.pp
|
|Then the fuse-related denials should be allowed.
Uh, almost. It still will not allow me to chmod or chgrp
the mounted filesystem which means that I cannot write to
the shared NTFS filesystem without assigning the proper
permissions. I have set samba properties to allow writes
but apparently this problem resides with fuse again. Grr.
What can I do to allow samba shared writes?
Thanks!
Dan
15 years, 11 months
FW: SELinux, apache/php and qmail's sendmail
by D. Hilbig
Can someone please help me with this?
-----Original Message-----
From: D. Hilbig [mailto:selinux@hilbig.name]
Sent: Thursday, May 08, 2008 10:14 AM
To: 'fedora-selinux-list(a)redhat.com'
Subject: SELinux, apache/php and qmail's sendmail
I use qmail instead of sendmail on RHEL v5 and I could use some advice on
setting contexts for qmail's sendmail so that apache/php can use it.
Below are the files and directories involved with qmail's sendmail (and
delivery to queue)
allow apache/php to invoke qmail's sendmail program:
/var/qmail/bin/sendmail
allow qmail's sendmail to invoke qmail-inject program:
/var/qmail/bin/qmail-inject
allow qmail-inject to list the contents of the config files directory:
/var/qmail/control
allow qmail-inject to read the config files it uses:
/var/qmail/control/defaultdomain
/var/qmail/control/deaulthost
/var/qmail/control/idhost
/var/qmail/control/plusdomain
/var/qmail/control/me
allow qmail-inject to invoke qmail-queue program:
/var/qmail/bin/qmail-queue
allow qmail-queue to read the config file used by the 'taps' patch:
/var/qmail/control/taps
allow qmail-queue to put a message into the queue:
(create, edit, delete and link files)
/var/qmail/queue/pid (and subdirectories)
/var/qmail/queue/mess (and subdirectories)
/var/qmail/queue/intd (and subdirectories)
/var/qmail/queue/todo (and subdirectories)
For testing I specified the context "httpd_sys_content_t" but I know that it
isn't the desired context. What context(s) should I specify for the
aforementioned programs, directories and configuration files?
Are there any other things I should do or consider besides setting the
context(s)?
Your guidance is greatly appreciated.
15 years, 11 months
RE: Samba shares...
by Dan Thurman
Stephen Smalley wrote:
|On Tue, 2008-05-13 at 10:27 -0700, Daniel B. Thurman wrote:
|> Daniel B. Thurman wrote:
|> |Stephen Smalley
|> ||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
|> ||> Stephen Smalley wrote:
|> ||> >> Daniel B. Thurman wrote:
|> ||> >> I am not sure what is going on. I am unable to get
|> ||> >> samba shares to work for an NTFS filesystem. I do
|> ||> >> have several shares working for ext3 filesystems.
|> ||> >>
|> ||> >> Here is what I did:
|> ||> >>
|> ||> >> 1) Create an empty directory: /AV
|> ||> >> 2) chcon -t samba_share_t /AV
|> ||> >> 3) chmod 775 !$
|> ||> >> 4) chgrp avusers !$
|> ||> >> 5) Add to fstab
|> ||> >> /dev/sda1 /AV ntfs defaults 1 2
|> | [snipped!]
|> ||
|> ||It is just another mount option, so you can just do something like:
|> ||/dev/sda1 /AV ntfs
|> |defaults,context=system_u:object_r:samba_share_t 1 2
|> |
|> |Yes, I thought so. I tried that and the context does not
|> |change. Any ideas?
|>
|> Mounting an NTFS filesystem even with context options,
|> the context always remains as fusefs_t. I am allowed
|> to change the context on the directory before the mount,
|> but not after the mount. After mounting, I am not allowed
|> to chcon the mounted FS as it says that the Operation is
|> not allowed.
|
|Can you confirm that if you umount /AV and then mount it with the
|context= option that it really doesn't work for you? You do have to
|umount it though if you previously mounted it w/o the context option to
|make the option take effect.
Yes, I can confirm that adding context= to the option line
in /etc/fstab does not seem to do anything, i.e. the context
does not change and remains fusefs_t. I tried several times,
and even tried the fscontext= as well, neither seems to work.
I was forced to reboot sometimes since I was not at times
able to unmount the /AV filesystem, it sometimes reports
that the /AV filesystem was 'busy'. This seems to happen
if I mount/unmount several times then it says 'busy',
preventing me from unmounting. Hmm.
|I'm not sure why a context mount option wouldn't work for fuse - Eric?
|
|fuse itself won't let you chcon (setxattr) the files unless the
|filesystem supports setxattr, which is why you get Operation not
|supported there.
|
|> I even tried: setsebool -P samba_export_all_rw=1 and that
|> does not work, either.
|>
|> If I setenforce 0, I can share the NTFS filesystem, but I
|> really do not want to do this. Can someone please give me
|> a workaround?
|
|You can certainly generate a local policy module that gives access to
|fusefs_t, but it would be better if we could get the context mount
|option to work.
I will try anything you suggest. Let me know if you can
resolve this issue, otherwise let me know (in detail) how
to write a policy as a last resort?
Thanks much!
Dan
15 years, 12 months
RE: Samba shares...
by Dan Thurman
Daniel B. Thurman wrote:
|Daniel J Walsh
[ snip! ]
||This looks like a bug.
|Seems so. Also, I tried disabling the fuse service
|and rebooted and for some reason, the fusefs still
|runs? It still mounts /media files even when this
|service is so-called disabled? I went back to look
|to see if the service was running (it wasn't) and
|even tried ps -ef| grep fuse (finding no match), so
|why is fuse filesystem still running? Is that a major
|bug or is it that the fuse service has no relation to
|the fusefs?
|
|Well, can I have a policy work around or will it fail
|anyway due to fuse?
|
|BTW: I am running Fedora F8.
Oh man....
This is what I did:
1) Disable the fuse service permanently
2) Unmount all fuse filesystems (as root)
3) rmmod fuse
4) lsmod| grep fuse (make sure fuse module is NOT loaded)
5) mount /dev/sda1 /AV -t ntfs -o context=system_u:object_r:samba_share_t
6) lsmod|grep fuse (module is reloaded!)
7) ls -ldZ /AV shows fusefs_t context.
So it looks like there is no possible way to get rid of
the fuse filesystem module, mount seems to force a fuse
filesystem regardless of attempts NOT to do so! Grrr....
Well, please let me know what to do at this point. Seems
I have to wait or to setenforce 0 for now until this fix
for F8 appears upstream?
Thanks for all your time guys!
Dan
15 years, 12 months
RE: Samba shares...
by Dan Thurman
Daniel J Walsh
|Daniel B. Thurman wrote:
|> Stephen Smalley wrote:
|> |On Tue, 2008-05-13 at 10:27 -0700, Daniel B. Thurman wrote:
|> |> Daniel B. Thurman wrote:
|> |> |Stephen Smalley
|> |> ||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
|> |> ||> Stephen Smalley wrote:
|> |> ||> >> Daniel B. Thurman wrote:
|> |> ||> >> I am not sure what is going on. I am unable to get
|> |> ||> >> samba shares to work for an NTFS filesystem. I do
|> |> ||> >> have several shares working for ext3 filesystems.
|> |> ||> >>
|> |> ||> >> Here is what I did:
|> |> ||> >>
|> |> ||> >> 1) Create an empty directory: /AV
|> |> ||> >> 2) chcon -t samba_share_t /AV
|> |> ||> >> 3) chmod 775 !$
|> |> ||> >> 4) chgrp avusers !$
|> |> ||> >> 5) Add to fstab
|> |> ||> >> /dev/sda1 /AV ntfs defaults 1 2
|> |> | [snipped!]
|> |> ||
|> |> ||It is just another mount option, so you can just do something like:
|> |> ||/dev/sda1 /AV ntfs
|> |> |defaults,context=system_u:object_r:samba_share_t 1 2
|> |> |
|> |> |Yes, I thought so. I tried that and the context does not
|> |> |change. Any ideas?
|> |>
|> |> Mounting an NTFS filesystem even with context options,
|> |> the context always remains as fusefs_t. I am allowed
|> |> to change the context on the directory before the mount,
|> |> but not after the mount. After mounting, I am not allowed
|> |> to chcon the mounted FS as it says that the Operation is
|> |> not allowed.
|> |
|> |Can you confirm that if you umount /AV and then mount it with the
|> |context= option that it really doesn't work for you? You do have to
|> |umount it though if you previously mounted it w/o the context option to
|> |make the option take effect.
|>
|> Yes, I can confirm that adding context= to the option line
|> in /etc/fstab does not seem to do anything, i.e. the context
|> does not change and remains fusefs_t. I tried several times,
|> and even tried the fscontext= as well, neither seems to work.
|>
|> I was forced to reboot sometimes since I was not at times
|> able to unmount the /AV filesystem, it sometimes reports
|> that the /AV filesystem was 'busy'. This seems to happen
|> if I mount/unmount several times then it says 'busy',
|> preventing me from unmounting. Hmm.
|>
|> |I'm not sure why a context mount option wouldn't work for fuse - Eric?
|> |
|> |fuse itself won't let you chcon (setxattr) the files unless the
|> |filesystem supports setxattr, which is why you get Operation not
|> |supported there.
|> |
|> |> I even tried: setsebool -P samba_export_all_rw=1 and that
|> |> does not work, either.
|> |>
|> |> If I setenforce 0, I can share the NTFS filesystem, but I
|> |> really do not want to do this. Can someone please give me
|> |> a workaround?
|> |
|> |You can certainly generate a local policy module that gives access to
|> |fusefs_t, but it would be better if we could get the context mount
|> |option to work.
|>
|> I will try anything you suggest. Let me know if you can
|> resolve this issue, otherwise let me know (in detail) how
|> to write a policy as a last resort?
|>
|> Thanks much!
|> Dan
|This looks like a bug.
Seems so. Also, I tried disabling the fuse service
and rebooted and for some reason, the fusefs still
runs? It still mounts /media files even when this
service is so-called disabled? I went back to look
to see if the service was running (it wasn't) and
even tried ps -ef| grep fuse (finding no match), so
why is fuse filesystem still running? Is that a major
bug or is it that the fuse service has no relation to
the fusefs?
Well, can I have a policy work around or will it fail
anyway due to fuse?
BTW: I am running Fedora F8.
Thanks!
Dan
15 years, 12 months
NFSv4 and SELinux
by Hervé WERNER
Hi.
I've just installed Fedora 9 today in order to test NFSv4 through SELinux.
I know that sending context across the wire is still in progress, but
could I find some patch to test? Is there anything I could test to make it
work?
I also would like to make the context mount option work with NFSv4. The
mount command doesn't give any error at mounting but when I list the
context of the NFSv4 mount point I get "system_u:object_r:nfs_t". Is there
any way to set context for the mounted points?
Any help would be appreciated.
15 years, 12 months
RE: Samba shares...
by Dan Thurman
Daniel B. Thurman wrote:
|Stephen Smalley
||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
||> Stephen Smalley wrote:
||> >> Daniel B. Thurman wrote:
||> >> I am not sure what is going on. I am unable to get
||> >> samba shares to work for an NTFS filesystem. I do
||> >> have several shares working for ext3 filesystems.
||> >>
||> >> Here is what I did:
||> >>
||> >> 1) Create an empty directory: /AV
||> >> 2) chcon -t samba_share_t /AV
||> >> 3) chmod 775 !$
||> >> 4) chgrp avusers !$
||> >> 5) Add to fstab
||> >> /dev/sda1 /AV ntfs defaults 1 2
| [snipped!]
||
||It is just another mount option, so you can just do something like:
||/dev/sda1 /AV ntfs
|defaults,context=system_u:object_r:samba_share_t 1 2
|
|Yes, I thought so. I tried that and the context does not
|change. Any ideas?
Mounting an NTFS filesystem even with context options,
the context always remains as fusefs_t. I am allowed
to change the context on the directory before the mount,
but not after the mount. After mounting, I am not allowed
to chcon the mounted FS as it says that the Operation is
not allowed.
I even tried: setsebool -P samba_export_all_rw=1 and that
does not work, either.
If I setenforce 0, I can share the NTFS filesystem, but I
really do not want to do this. Can someone please give me
a workaround?
Thanks-
Dan
15 years, 12 months
RE: Samba shares...
by Dan Thurman
Stephen Smalley
|On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
|> Stephen Smalley wrote:
|> >> Daniel B. Thurman wrote:
|> >> I am not sure what is going on. I am unable to get
|> >> samba shares to work for an NTFS filesystem. I do
|> >> have several shares working for ext3 filesystems.
|> >>
|> >> Here is what I did:
|> >>
|> >> 1) Create an empty directory: /AV
|> >> 2) chcon -t samba_share_t /AV
|> >> 3) chmod 775 !$
|> >> 4) chgrp avusers !$
|> >> 5) Add to fstab
|> >> /dev/sda1 /AV ntfs defaults 1 2
[snipped!]
|
|It is just another mount option, so you can just do something like:
|/dev/sda1 /AV ntfs defaults,context=system_u:object_r:samba_share_t 1 2
Yes, I thought so. I tried that and the context does not
change. Any ideas?
Thanks!
Dan
15 years, 12 months