Re: AVC Denials on UDEV
by Chris Richards
On 12/01/2009 09:47 AM, Dominick Grift wrote:
> On 12/01/2009 03:44 PM, Chris Richards wrote:
>> First, my apologies if I'm in the wrong place or this has been asked
>> before (I'm sure it has, but I haven't turned up anything with Google).
>>
>> I'm running a Gentoo system. This is a fresh build, so not everything
>> is installed yet. Basically, I've got the stage 3 tarball, the Selinux
>> stuff, syslog-ng and vixie-cron, and that's about it.
>>
>> When I boot my system, I'm getting the following messages in my kernel
>> log:
>> * Mounting /dev
>> /etc/init.d/udev-mount: line 63: /dev/null: Permission denied
>> /etc/init.d/udev: line 69: /dev/null: Permission denied
>> * Starting udevd
>> * Populating /dev with existing devices through uevents ...
>> # Waiting for uevents to be processed ...
>> error sending message: Permission denied
>> error sending message: Permission denied
>> udevadm[601]: errorsending message: Permission denied
>>
>> Nov 29 23:55:30 aoaforums kernel: type=1400 audit(1259538915.208:3):
>> avc: denied { read } for pid=1 comm="init" name="ld.so.cache" dev=sda3
>> ino=737384 scontext=system_u:system_r:init_t
>> tcontext=system_u:object_r:file_t tclass=file
>> Nov 29 23:55:30 aoaforums kernel: type=1400 audit(1259538915.215:4):
>> avc: denied { getattr } for pid=1 comm="init" path="/etc/ld.so.cache"
>> dev=sda3 ino=737384 scontext=system_u:system_r:init_t
>> tcontext=system_u:object_r:file_t tclass=file
> looks like the file is mislabeled. what does matchpathcon
> /etc/ld.so.cache say?
>
> make sure that your file system labeling is correct.
>
I've relabeled like 15 times with rlpkg -a -r. LOL
matchpathcon /etc/ld.so.cache
/etc/ld.so.cache system_u:object_r:ld_so_cache_t
ls -Z /etc/ld.so.cache
root:object_r:ld_so_cache_t
Based on the above, I did
chcon -u system_u /etc/ld.so.cache
That seems to have resolved the issues that were plaguing me there.
>> The pattern of denials above repeats for a number of comm= types,
>> including consoletype, dmesg, hwclock, hostname, ifconfig
>>
>> Nov 29 23:55:30 aoaforums kernel: type=1400 audit(1259538915.221:5):
>> avc: denied { read } for pid=1 comm="init" name="urandom" dev=sda3
>> ino=140683 scontext=system_u:system_r:init_t
>> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
>>
>> As above, I get a number of denials on different comm= types.
>>
>>
>> I'm also seeing a buttload of these in my avc.log:
>> Dec 1 13:48:41 aoaforums kernel: type=1400
>> audit(1259675321.237:1614490880): avc: denied { read } for pid=477
>> comm="udevd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=9
>> scontext=system_u:system_r:udev_t
>> tcontext=system_u:object_r:anon_inodefs_t tclass=file
>> This one in particular is bad: my log is full to overflowing with this
>> one, and when I'm in enforcing mode udevd is pulling 100% cpu.
> If the types in this interaction are correct, run the AVC denial through
> audit2why. If audit2why says "missing TE rule", then consider adding
> policy to allow it using audit2allow and semodule.
>
That's exactly what it says.
When I do the following:
# grep udev /var/log/avc.log > local
# audit2allow -m local > local.te
# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 8) to local.mod
# semodule_package -o local.pp -m local.mod
# semodule -i ./local.pp
Everything goes fine up to the semodule -i command, and then I get:
libsepol.link_modules: Tried to link in an MLS module with a non-MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Based on all the weird problems and heartburn I've had, I'm really
starting to wonder if ANYONE in recent history has gotten a strict
Selinux profile running in enforcing mode on hardened-gentoo according
to the instructions in the Gentoo Selinux Handbook. Getting even to
this point has been frustrating beyond belief.
And before I give anyone the wrong impression, I really do appreciate
the hard work that has gone into this; I'm just suffering from a steep
learning curve, and documentation that I not only don't understand, but
doesn't seem to correspond to my system when I DO understand it.
>> Finally, a related question:
>> Gentoo is currently running what is labeled as
>> "selinux-base-policy-20080525".
> That policy is old. See if you can implement some newer policy.
>
That's default gentoo-hardened policy. V2 policy horridly breaks a
hardened gentoo system at this stage from what I understand (as in, it
won't even boot).
>> This seems to bear little resemblance to the policy and tools that I see
>> discussed here:
>> http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted
>>
>> In particular, a lot of the booleans don't exist. As near as I can
>> tell, this is pretty much the policy that was used in RHEL 4. However,
>> I can find precious little in the way of documentation on the older
>> policy setup. Can anyone provide any guidance on resources to look at
>> for this? Referring me to the current base policy and tools really
>> doesn't help me in understanding what my system is doing.....
>>
>> Many thanks in advance for any guidance you can offer.
> Overall it is good to appreciate that SELinux is a framework and that
> policy is configuration. The framework allows you to define policy.
>
> The process of adding policy is always ongoing. In my view no policy
> will ever be perfect. There are simply too many variables.
>
> Learn how to implement policy, make security decisions and solve
> interaction problems.
>
> There are a few things to consider:
>
> 1. are the types in an interaction the expected types. (mislabeled
> objects?)
> 2. is there some tunable policy available to allow an interaction that
> is currently denied? (audit2why)
> 3. is a denial caused by misconfiguration of one of the parties in an
> interaction? (check config of app)
> 4. is a denial signalling an intrusion. (break in?)
> 5. is a denial signalling a bug in one of the parties in an
> interaction? (bug in app)
> 6. is it a bug in selinux-policy? (are rules to allow it missing?)
>
Thanks for your response and help.
Later,
Chris
Virtual http hosting and selinux
by David Highley
A common virtual web hosting set up would be a web root directory
location with the following sub directories:
ftp
logs
pages
pages/cgi-bin
Under ftp you would have all that is needed for a chroot ftp sandbox.
Since each virtual host would be a different user and/or company, how
does one change the sebool httpd_unified to off and get it all to work
with SELinux?
Re: Fedora 12 and unconfined_u sshdfilter
by David Highley
"Daniel J Walsh wrote:"
>
> On 12/03/2009 12:33 AM, David Highley wrote:
> > I'm trying to get sshdfilter, a Perl wrapper around sshd, to work in
> > Fedora 12. The script needs to be able to call iptables to drop in new
> > rejection rules for detected hacking connections. I used "semanage fcontext
> > -a -t sshd_exec_t" which gave it the same context as sshd. I have not
> > been able to change the unconfined_u to system_u:
> > ls -Z /usr/sbin/sshdfilter unconfined_u:object_r:sshd_exec_t:s0
> >
> > I was getting avc errors so I created an allow policy:
> > module mysshdfilter 1.0;
> >
> > require {
> > type iptables_exec_t;
> > type iptables_t;
> > type sshd_t;
> > class file execute;
> > class fifo_file read;
> > }
> >
> > #============= iptables_t ==============
> > allow iptables_t self:fifo_file read;
> >
> > #============= sshd_t ==============
> > allow sshd_t iptables_exec_t:file execute;
> >
> >
> > Now I'm getting:
> > time->Wed Dec 2 21:07:04 2009
> > type=USER_ROLE_CHANGE msg=audit(1259816824.474:201): user pid=3664 uid=0
> > auid=0 ses=12 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=?: exe= "/usr/sbin/sshd" hostname=? addr=? terminal=? res=failed'
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> >
> You probably want
>
> iptables_domtrans(sshd_t)
I tried adding this statement to the file, but checkmodule gave a syntax
error. I tried searching through the selinux files but did not find an
example of how to use the above statement.
>
> The ROLE_CHANGE is not an SELinux error, it is just an audit message.
>
> I will add the fifo_file rule to iptables policy
>
> Fixed in selinux-policy-3.6.32-54.fc12
>
> If you want to get real crazy you could write policy for
> /usr/sbin/sshdfilter
>
>
> policy_module(sshdfilter, 1.0)
>
> ssh_server_template(sshdfilter)
> iptables_domtrans(sshdfilter_t)
>
>
>
--
Regards,
David Highley
Highley Recommended, Inc. Phone: (206) 669-0081
2927 SW 339th Street WEB: http://www.highley-recommended.com
Federal Way, WA 98023-7732
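Two posts in this digest are the two ends of the same job: Chris's build chain above (audit2allow -m, checkmodule -M, semodule_package, semodule -i, ending in "Tried to link in an MLS module with a non-MLS base"), and the mysshdfilter module David posted that allows sshd_t to execute iptables_exec_t directly, where Dan's answer is iptables_domtrans(sshd_t). The script below is an added example written for this page; it is not audit2allow and not code from either poster. It parses kernel AVC lines of the form quoted in the thread, groups them the way audit2allow does, renders a .te module, and adds the checks from Dominick's list that audit2allow will not do for you: a denial whose target is file_t (a mislabeled object) becomes a relabel note rather than an allow rule, an execute denial on an *_exec_t type becomes a domain-transition note rather than a bare allow that would keep iptables running in sshd_t, and the checkmodule -M flag is chosen from whether the contexts carry an MLS/MCS range. The log lines are constructed from the ones in the thread; the pids, inodes and the iptables_t fifo_file line are made up, and the "<name>_domtrans" interface name is derived from the refpolicy naming convention, so confirm the interface exists in your policy before using it.

```python
"""Turn kernel AVC denial lines into a .te module, with the review checks a
bare audit2allow run does not give you. Added example for this thread; it is
not audit2allow and not code from the thread. The log lines below are
constructed from the ones quoted in the thread (pids, inodes and the
iptables_t fifo_file line are made up)."""
import re
from collections import defaultdict

# Chris's Gentoo box: contexts carry no MLS range (user:role:type only).
GENTOO_LOG = """\
Nov 29 23:55:30 aoaforums kernel: type=1400 audit(1259538915.208:3): avc: denied { read } for pid=1 comm="init" name="ld.so.cache" dev=sda3 ino=737384 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file
Nov 29 23:55:30 aoaforums kernel: type=1400 audit(1259538915.215:4): avc: denied { getattr } for pid=1 comm="init" path="/etc/ld.so.cache" dev=sda3 ino=737384 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file
Nov 29 23:55:30 aoaforums kernel: type=1400 audit(1259538915.221:5): avc: denied { read } for pid=1 comm="init" name="urandom" dev=sda3 ino=140683 scontext=system_u:system_r:init_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Dec 1 13:48:41 aoaforums kernel: type=1400 audit(1259675321.237:1614490880): avc: denied { read } for pid=477 comm="udevd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=9 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:anon_inodefs_t tclass=file
Dec 1 13:48:41 aoaforums kernel: type=1400 audit(1259675321.238:1614490881): avc: denied { read } for pid=477 comm="udevd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=9 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:anon_inodefs_t tclass=file
"""
# David's Fedora 12 box: MCS ranges (:s0-s0:c0.c1023) on every context.
FEDORA_LOG = """\
Dec 2 21:06:58 fred kernel: type=1400 audit(1259816818.100:198): avc: denied { execute } for pid=3660 comm="sshdfilter" name="iptables" dev=sda1 ino=4321 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Dec 2 21:06:59 fred kernel: type=1400 audit(1259816819.100:199): avc: denied { read } for pid=3661 comm="iptables" path="pipe:[12345]" dev=pipefs ino=12345 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")
# Target types that mean "relabel the object", never "allow access to it".
MISLABELED = {"file_t", "unlabeled_t", "default_t"}


def parse_avc(text):
    """One (source_type, target_type, tclass, perm, is_mls) tuple per denied permission."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        scon, tcon = m["scon"].split(":"), m["tcon"].split(":")
        for perm in m["perms"].split():          # "{ read write }" -> two tuples
            out.append((scon[2], tcon[2], m["tclass"], perm, len(scon) > 3))
    return out


def analyze(denials):
    """Group perms by (source, target, class); divert the two cases that must not
    become plain allow rules into review notes instead."""
    rules, notes = defaultdict(set), []
    for stype, ttype, tclass, perm, _ in denials:
        if ttype in MISLABELED:
            notes.append(f"{stype} {perm} on {ttype}:{tclass}: object is mislabeled, "
                         f"relabel it (restorecon / rlpkg) instead of allowing {ttype}")
        elif perm == "execute" and ttype.endswith("_exec_t"):
            # refpolicy convention: foo_exec_t is entered via foo_domtrans(); verify it exists.
            domain = ttype[: -len("_exec_t")]
            notes.append(f"{stype} executes {ttype}: use {domain}_domtrans({stype}) so the "
                         f"child runs in its own domain, not a bare allow that keeps it in {stype}")
        else:
            rules[(stype, ttype, tclass)].add(perm)
    return rules, notes


def to_te(name, rules, version="1.0"):
    """Render a loadable module in the syntax audit2allow -m emits."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        lines.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


def checkmodule_cmd(name, denials):
    """-M builds an MLS module, which only links against an MLS/MCS base. Contexts
    without a range (Chris's) mean a non-MLS base, so -M must be left out or
    semodule fails with 'Tried to link in an MLS module with a non-MLS base'."""
    mls = any(d[4] for d in denials)
    return f"checkmodule {'-M ' if mls else ''}-m -o {name}.mod {name}.te"


if __name__ == "__main__":
    for name, log in (("local", GENTOO_LOG), ("mysshdfilter", FEDORA_LOG)):
        denials = parse_avc(log)
        rules, notes = analyze(denials)
        print(to_te(name, rules))
        for note in notes:
            print("# REVIEW:", note)
        print("#", checkmodule_cmd(name, denials), "\n")
```

Run it and the Gentoo set yields a two-rule module plus two relabel notes for ld.so.cache and a checkmodule line without -M; the Fedora set yields only the iptables_t self:fifo_file rule, with the execute denial turned into the iptables_domtrans(sshd_t) note. That note is the reason David's checkmodule run failed: iptables_domtrans() is an m4 interface from the reference policy, so it only works inside a policy_module() source built with the refpolicy devel Makefile (on Fedora, make -f /usr/share/selinux/devel/Makefile), not in a raw module fed straight to checkmodule.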
SELinux won't let dovecot connect to postgresql
by Roland Roberts
I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
installed. I have a small user database set up for email authentication.
The issue I'm having is that when I am in enforcing mode, dovecot can't
connect to the database. Turning off enforcing mode lets it work. I'm
having trouble diagnosing where the denial is taking place as I don't
see any avc messages in /var/log/messages that relate to dovecot. The
only messages I'm getting are in /var/log/maillog from dovecot like this:
Nov 28 22:23:11 fred dovecot: auth(default): pgsql: Connect failed to
maildb: could not connect to server: Permission denied
Nov 28 22:23:11 fred dovecot: auth(default): #011Is the server running
on host "fred.flinstone.org" and accepting
Nov 28 22:23:11 fred dovecot: auth(default): #011TCP/IP connections on
port 5432?
The answer to the question is "yes", it is running and accepting
connections. Whether or not enforcing mode is on, when logged in, I can
connect to the database via
$ psql -h fred.flinstone.org maildb
I *think* this is a result of updating on Nov 18. I have not changed
the default selinux mode since the host was set up back in September.
At that point, I set it to enforcing mode after working out a few
issues. On Nov 18, a lot of things were updated, but among them were
Nov 18 10:00:02 Updated: kernel-firmware-2.6.30.9-96.fc11.noarch
Nov 18 10:00:15 Updated: kernel-headers-2.6.30.9-96.fc11.x86_64
Nov 18 10:00:28 Installed: kernel-devel-2.6.30.9-96.fc11.x86_64
Nov 18 10:01:30 Installed: kernel-2.6.30.9-96.fc11.x86_64
Nov 18 10:02:01 Updated: selinux-policy-3.6.12-86.fc11.noarch
Nov 18 10:02:46 Updated: selinux-policy-targeted-3.6.12-86.fc11.noarch
Today, I did another update, hoping it would cure the problem and got
these revisions
Nov 28 10:57:33 Updated: selinux-policy-3.6.12-88.fc11.noarch
Nov 28 10:57:47 Updated: selinux-policy-targeted-3.6.12-88.fc11.noarch
but the behavior is unchanged, I still have to turn off enforcing mode.
Any clues on what I need to do to get this to work? Or where to look
for clues since, as I mentioned, I can't even find log entries that
would clue me in.
roland
--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland(a)rlenter.com 6818 Madeline Court
roland(a)astrofoto.org Brooklyn, NY 11220
Fedora 12 and unconfined_u sshdfilter
by David Highley
I'm trying to get sshdfilter, a Perl wrapper around sshd, to work in
Fedora 12. The script needs to be able to call iptables to drop in new
rejection rules for detected hacking connections. I used "semanage fcontext
-a -t sshd_exec_t" which gave it the same context as sshd. I have not
been able to change the unconfined_u to system_u:
ls -Z /usr/sbin/sshdfilter unconfined_u:object_r:sshd_exec_t:s0
I was getting avc errors so I created an allow policy:
module mysshdfilter 1.0;
require {
type iptables_exec_t;
type iptables_t;
type sshd_t;
class file execute;
class fifo_file read;
}
#============= iptables_t ==============
allow iptables_t self:fifo_file read;
#============= sshd_t ==============
allow sshd_t iptables_exec_t:file execute;
Now I'm getting:
time->Wed Dec 2 21:07:04 2009
type=USER_ROLE_CHANGE msg=audit(1259816824.474:201): user pid=3664 uid=0
auid=0 ses=12 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=?: exe= "/usr/sbin/sshd" hostname=? addr=? terminal=? res=failed'
Is this an selinux system?
by Moray Henderson
I'm trying to solve a problem on an old EL4 box.
/etc/sysconfig/selinux says:
SELINUX=enforcing
SELINUXTYPE=targeted
sestatus says:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 18
Policy from config file:targeted
seinfo and sesearch say:
Default policy search failed: This is not an selinux system.
It clearly is an SELinux system - I see SELinux initializing during
boot, it has an /selinux file system, files and processes have contexts,
I get avc errors when I violate policy.
What could be confusing seinfo and sesearch?
# ls -lZ /etc/selinux/targeted/policy
-rw-r--r-- root root system_u:object_r:policy_config_t
policy.18
# rpm -qf /usr/bin/seinfo /usr/sbin/sestatus
setools-1.5.1-5
policycoreutils-1.18.1-4.7
# rpm -V setools policycoreutils
#
Moray.
"To err is human. To purr, feline."
libcgroup policy (concept)
by Dominick Grift
Attached policy targets some libcgroup stuff. The policy is largely
untested (I do have it running on a few servers here, but I get some AVC
denials that I am not quite sure what to do with).
AVC Denials on UDEV
by Chris Richards
First, my apologies if I'm in the wrong place or this has been asked
before (I'm sure it has, but I haven't turned up anything with Google).
I'm running a Gentoo system. This is a fresh build, so not everything
is installed yet. Basically, I've got the stage 3 tarball, the Selinux
stuff, syslog-ng and vixie-cron, and that's about it.
When I boot my system, I'm getting the following messages in my kernel log:
* Mounting /dev
/etc/init.d/udev-mount: line 63: /dev/null: Permission denied
/etc/init.d/udev: line 69: /dev/null: Permission denied
* Starting udevd
* Populating /dev with existing devices through uevents ...
# Waiting for uevents to be processed ...
error sending message: Permission denied
error sending message: Permission denied
udevadm[601]: errorsending message: Permission denied
Nov 29 23:55:30 aoaforums kernel: type=1400 audit(1259538915.208:3):
avc: denied { read } for pid=1 comm="init" name="ld.so.cache" dev=sda3
ino=737384 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:file_t tclass=file
Nov 29 23:55:30 aoaforums kernel: type=1400 audit(1259538915.215:4):
avc: denied { getattr } for pid=1 comm="init" path="/etc/ld.so.cache"
dev=sda3 ino=737384 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:file_t tclass=file
The pattern of denials above repeats for a number of comm= types,
including consoletype, dmesg, hwclock, hostname, ifconfig
Nov 29 23:55:30 aoaforums kernel: type=1400 audit(1259538915.221:5):
avc: denied { read } for pid=1 comm="init" name="urandom" dev=sda3
ino=140683 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
As above, I get a number of denials on different comm= types.
I'm also seeing a buttload of these in my avc.log:
Dec 1 13:48:41 aoaforums kernel: type=1400
audit(1259675321.237:1614490880): avc: denied { read } for pid=477
comm="udevd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=9
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:anon_inodefs_t tclass=file
This one in particular is bad: my log is full to overflowing with this
one, and when I'm in enforcing mode udevd is pulling 100% cpu.
Finally, a related question:
Gentoo is currently running what is labeled as
"selinux-base-policy-20080525".
This seems to bear little resemblance to the policy and tools that I see
discussed here: http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted
In particular, a lot of the booleans don't exist. As near as I can
tell, this is pretty much the policy that was used in RHEL 4. However,
I can find precious little in the way of documentation on the older
policy setup. Can anyone provide any guidance on resources to look at
for this? Referring me to the current base policy and tools really
doesn't help me in understanding what my system is doing.....
Many thanks in advance for any guidance you can offer.
Later,
Chris