selinux September 2011

selinux@lists.fedoraproject.org

25 participants
23 discussions

execmod access to '/opt/google/chrome/chrome' file
by Antonio Trande 24 Sep '11

24 Sep '11

This problem is appeared with chrome executable: SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome. setroubleshoot suggests to change the label on '/opt/google/chrome/chrome' how textrel_shlib_t type or to allow chrome to have execmod access on the chrome file. But does not happen always (never to me). Could you give more infos about this behavior ? Thanks. -- *Antonio Trande "Fedora Ambassador" **mail*: mailto:sagitter@fedoraproject.org <sagitter(a)fedoraproject.org> *Homepage*: http://www.fedora-os.org *Sip Address* : sip:sagitter AT ekiga.net *Jabber <http://jabber.org/>* :sagitter AT jabber.org *GPG Key: CFE3479C*

3 2

awstats and logrotate
by Vadym Chepkov 23 Sep '11

23 Sep '11

Hi, in RHEL6 policy awstats module has been added and it works rather well except it is not suited for calling awstat from log rotate script. It's a general practice to include awstats call before rotating logs, since awstats usually an hourly job, so there can be log entries between top of the hours and when log rotate job kicks in: /var/log/httpd/*log { missingok notifempty sharedscripts delaycompress prerotate /etc/cron.hourly/awstats > /dev/null 2>/dev/null || true endscript postrotate /sbin/service httpd graceful > /dev/null 2>/dev/null || true endscript } I thought adding domain transition would help it, but I guess I did it wrong: domain_auto_trans(logrotate_t, awstats_exec_t, awstats_t) /etc/cron.hourly/awstats is bin_t, so I assume domain won't change from logrotate_t I still get an AVC though: type=AVC msg=audit(1316320942.646:21684): avc: denied { sigchld } for pid=30083 comm="awstats" scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=process and I am not sure should I allow this or not. Thanks, Vadym

3 2

This avc is a constraint violation! Stuck resolving this via --update on sepolgen generated file
by Michael Atighetchi 23 Sep '11

23 Sep '11

Hi, I am stuck trying to create a selinux policy for the Software Test Automation Framework (STAF) daemon on Fedora 14. From the violations, it seems that STAF wants to send out emails and restart iptables, which is behavior that should be allowed. I've created the inital policy with sepolgen and did run the resulting .sh script with "--update" a number of times, but so far no success in getting a policy that works without generating violations. I have included the resulting te file as an attachment. Any ideas about what could be wrong would be greatly appreciated. The current set of violations are: [root@lime audit]# grep AVC audit.log | grep STAF type=AVC msg=audit(1316772648.834:16749): avc: denied { create } for pid=13504 comm="STAFProc" name="STAF.tmp" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file type=AVC msg=audit(1316772676.905:16750): avc: denied { read } for pid=13541 comm="killall" name="stat" dev=proc ino=5874476 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file type=AVC msg=audit(1316772676.905:16750): avc: denied { open } for pid=13541 comm="killall" name="stat" dev=proc ino=5874476 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file type=AVC msg=audit(1316772676.906:16751): avc: denied { getattr } for pid=13541 comm="killall" path="/proc/1433/stat" dev=proc ino=5874476 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file type=AVC msg=audit(1316772677.136:16755): avc: denied { transition } for pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0 ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process type=AVC msg=audit(1316772677.136:16755): avc: denied { rlimitinh } for pid=13558 comm="iptables" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process type=AVC msg=audit(1316772677.136:16755): avc: denied { siginh } for pid=13558 comm="iptables" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process type=AVC msg=audit(1316772677.136:16755): avc: denied { noatsecure } for pid=13558 comm="iptables" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process -- Michael Atighetchi Senior Scientist Raytheon BBN Technologies 617-873-1679 matighet(a)bbn.com

2 4

Best way to copy local changes between hosts
by Erinn Looney-Triggs 22 Sep '11

22 Sep '11

I am using puppet to manage my system configuration and I am looking for the best way to manage file context changes between multiple hosts. Basically I have some local changes that are held in /etc/selinux/targeted/modules/active/file_contexts.local, is it reasonable just to copy this file to hosts that need to be aware of the changes held therein or is there a better method? This would be implemented on RHEL 5 and 6 systems. Thanks, -Erinn

4 6

SEL & Spamassassin
by Arthur Dent 22 Sep '11

22 Sep '11

Hello All, I have just upgraded (clean install) from F13 to F15 and installed spamassassin via yum. At the same time I also installed the plugins Pyzor, Razor and iXhash. In Permissive mode something in those triggers a strange AVC: SELinux is preventing /bin/systemd-tty-ask-password-agent from read access on the fifo_file 136:0. Here is the detail: Raw Audit Messages type=AVC msg=audit(1307797576.537:29628): avc: denied { read } for pid=10471 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=282609 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file type=AVC msg=audit(1307797576.537:29628): avc: denied { open } for pid=10471 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=282609 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file type=SYSCALL msg=audit(1307797576.537:29628): arch=i386 syscall=open success=yes exit=ESRCH a0=8ca9080 a1=88900 a2=0 a3=bf8fba54 items=0 ppid=10470 pid=10471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null) Hash: systemd-tty-ask,systemd_passwd_agent_t,init_var_run_t,fifo_file,read audit2allow #============= systemd_passwd_agent_t ============== allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open }; audit2allow -R #============= systemd_passwd_agent_t ============== allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open }; The other slightly odd thing is that when I place the system back into Enforcing mode I get no AVCs, but some of the Spamassassin checks (Especially iXhash I think) don't seem to be run, but give no errors. Anyway, the above AVC looked strange and I didn't want to create a local policy module for it until I had checked with the chaps here... Thanks in advance for any advice or suggestions... Mark

4 5

dkim policy in Fedora
by Paul Howarth 13 Sep '11

13 Sep '11

Currently, the SELinux policy for dkim in Fedora (at least for F-15 and Rawhide) is in the milter module, whereas upstream has a separate dkim module. I'm looking at adding support for opendkim (a fork of dkim-milter), which has recently been imported to Fedora, and if I send a patch upstream, it's not going to get pulled into Fedora because Fedora is using a patched milter module rather than upstream's dkim module. Is there any reason for this other than it being a historical thing due to it being in Fedora before upstream? Paul.

3 4

matchpathcon crashing in mock chroot
by Paul Howarth 07 Sep '11

07 Sep '11

I'm running matchpathcon as part of the libssh2 build to set the file context of a test script appropriately such that an instance of an openssh server that's run as part of the test suite transitions correctly to sshd_t. This has worked OK in the past but I'm now finding that on my F-15 builder matchpathcon is crashing when doing: /usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd gdb doesn't seem to be much help: [mockbuild@zion ~]$ /usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd Segmentation fault (core dumped) [mockbuild@zion ~]$ gdb /usr/sbin/matchpathcon GNU gdb (GDB) Fedora (7.3.50.20110722-6.fc16) Copyright (C) 2011 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-redhat-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /usr/sbin/matchpathcon...Reading symbols from /usr/lib/debug/sbin/matchpathcon.debug...done. done. (gdb) run -n /etc/rc.d/init.d/sshd Starting program: /usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd Program received signal SIGSEGV, Segmentation fault. __strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression. ) at /usr/include/bits/string2.h:1179 1179 while (*__s == __sep) (gdb) bt #0 __strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression. ) at /usr/include/bits/string2.h:1179 #1 init (rec=0x602010, opts=0x7ffff7ff3718, n=<optimized out>) at label_file.c:440 #2 0x00007ffff7bc4b3d in selabel_open (backend=0, opts=0x7ffff7ff3718, nopts=5) at label.c:165 #3 0x00007ffff7bc3e16 in matchpathcon_init_prefix_internal (path=0x0, subset=0x0) at matchpathcon.c:321 #4 0x00007ffff7bc40a9 in matchpathcon (path=0x7fffffffe82a "/etc/rc.d/init.d/sshd", mode=0, con=0x7fffffffe418) at matchpathcon.c:406 #5 0x0000000000400fe7 in printmatchpathcon (path=0x7fffffffe82a "/etc/rc.d/init.d/sshd", header=0, mode=<optimized out>) at matchpathcon.c:27 #6 0x0000000000400d41 in main (argc=<optimized out>, argv=<optimized out>) at matchpathcon.c:156 (gdb) I was getting an AVC earlier too, fixed by: allow setfiles_t sysfs_t:filesystem getattr; but fixing that didn't prevent the crash. This is with an F-15 host and Rawhide x86_64 target, libselinux-2.1.5-2.fc17. Any suggestions? Paul.

3 2

Right way to do CGI that does complicated things?
by Robin Lee Powell 07 Sep '11

07 Sep '11

(Background: My SELinux hosts are all F15, fairly base installation, with the unconfined module disabled) I have a host that is for random hackery, and hence is (or at least is allowed to be) less secure than the others. I have a user who made a CGI (running under apache; python, in case that matters) that pulls things from elsewhere on the web and then sends email with the results. This generates a pretty large number of AVC denials, which I suppose is reasonable since that behaviour looks an awful lot like "I just got hijacked and am now being used for spam distribution". One thing I was genuinely surprised by though is that the mail-related denials all came in for httpd_user_script_t , rather than sendmail_t or something, and that no attempt to transition to sendmail_t seems to have occured or been denied or anything, as I'd have expected (it sends mail with /bin/mail ). FWIW, here's the AVCs: http://fpaste.org/ZyHg/ (uses date from the input form only) http://fpaste.org/M9Fq/ (goes out and talks to another website) I've learned a lot about SELinux recently, but it's all been piecemeal, so this is more of a "what's the right thing?" question designed to for me to learn from more than "what's the fastest way to fix this?". So, what's the right way to handle this situation? httpd_user_script_exec_t doesn't do the trick at all (which is probably good since it turns out user_u can set that with chcon, which I didn't expect). Is there some way without installing a module (i.e. with semanage or similar) to indicate to SELinux "Yeah, this script over here? It can talk to the web" (or "send email")? Is there a way to indicate that system-wide without installing a module? (not that I would, just curious) If doing it via module, it's best to create a bobs_script_exec_t and bobs_script_t and do everything for those types, rather than httpd_user_script_exec_t and friends, right? This means that a user making a non-trivial CGI has to come talk to me, which is a tad unfortunate but not horrible. Thanks for all enlightenment here, and please feel free to go the "you're thinking about it wrong" route; I'm really wanting to learn. -Robin -- http://singinst.org/ : Our last, best hope for a fantastic future. Lojban (http://www.lojban.org/) The language in which "this parrot is dead" is "ti poi spitaki cu morsi", but "this sentence is false" is "na nei". My personal page: http://www.digitalkingdom.org/rlp/

4 7

Ordering of file context choices?
by Robin Lee Powell 06 Sep '11

06 Sep '11

I have a custom module installed that is supposed to set file contexts for some stuff in a user's homedir (the CGI application I mentioned in my last email, that I want the user to be able to administer): /etc/selinux/targeted/modules/active/file_contexts.template 1953:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0 2179:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0 /etc/selinux/targeted/modules/active/file_contexts 1883:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0 2101:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0 /etc/selinux/targeted/contexts/files/file_contexts 1883:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0 2101:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0 This doesn't appear to actually *work*; as far as I can tell the contexts for the home directory itself are winning: rlpowell@vrici> ls -lZ ~melbi/bpfk_corpus drwxrwxrwx. melbi melbi user_u:object_r:user_home_t:s0 files/ -rw-r--r--. melbi melbi user_u:object_r:user_home_t:s0 selmaho.txt drwxrwxrwx. melbi melbi user_u:object_r:user_home_t:s0 tmp/ -rw-r--r--. apache apache user_u:object_r:user_home_t:s0 urls.db -rw-rw-rw-. melbi melbi user_u:object_r:user_home_t:s0 urls.not.db (that's after a restorecon) Can I do anything to change that? -Robin -- http://singinst.org/ : Our last, best hope for a fantastic future. Lojban (http://www.lojban.org/) The language in which "this parrot is dead" is "ti poi spitaki cu morsi", but "this sentence is false" is "na nei". My personal page: http://www.digitalkingdom.org/rlp/

2 6

Re: Monitoring and prevention of MBR activity.
by Daniel J Walsh 06 Sep '11

06 Sep '11

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/06/2011 10:15 AM, phil wrote: > Usually Master Boot Record, but Microsoft has semi-equivalents for > their removable storage, IFS Insert File System, drivespace and > DoubleSpace, whereas the MBR is key to the partition settings for a > hard drive, similar protections can be expected to be helpful for > the partition controls for non-spinning systems. > > Using a write protected flash drive for content to prevent it's > alteration can take advantage of spanning. Yet, hardware write > blocking is usually global, but I have some Calluna controllers > that allow tailoring of the blocking and access control via > intercept of the ATA commands. > > But, gosh, that is all at least 10 years old tech. > > ----- Original Message ----- From: "Daniel J Walsh" > <dwalsh(a)redhat.com> To: <selinux(a)lists.fedoraproject.org> Sent: > Tuesday, September 06, 2011 7:04 AM Subject: Re: Monitoring and > prevention of MBR activity. > > > On 09/06/2011 09:51 AM, Robb III, George B. wrote: >>>> Hi All- >>>> >>>> Have an interesting problem in which monitoring and >>>> preventing activity on the MBR would be very useful. >>>> >>>> Has anyone used SELinux for this type of task? >>>> >>>> Thanks for any assistance, >>>> >>>> George >>>> >>>> >>>> -- selinux mailing list selinux(a)lists.fedoraproject.org >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux > > Maybe if I new what MBR stood for? >> -- selinux mailing list selinux(a)lists.fedoraproject.org >> https://admin.fedoraproject.org/mailman/listinfo/selinux > Ok now I recognize it, SELinux can be used to allow/prevent processes from writing to physical disk. For example SELinux can prevent processes including confined administrators that are running as root from writing directly to /dev/sda. The audit subsystem could be used to watch for processes writing to physical disk. (SELinux could also, but auditing does a better job. Now if you have a app/admin user process that needs to have full access to the system but want to make sure he does not modify the MBR you will have a difficult time writing policy for this. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5mLrwACgkQrlYvE4MpobM8OQCgqrv1+CmDMGiAhR7d2tgLLaS8 8ygAn1LCzsCRv2sLdfSY4FMrhJXGcCbI =Rg1a -----END PGP SIGNATURE-----

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux September 2011