[sandbox] modifying the Xephyr window title (patch)
by Christoph A.
Hi,
If most of your windows are sandboxed applications, your bar looks like:
[Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..]
and it is hard to find a specific application.
example of a current Xephyr title:
Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox
with the modification in the attached patch titles will look like:
/usr/bin/firefox (sandbox_web_t)
and it should be easier to find a specific application.
In addition to the type I would find it handy to also include the
DISPLAY in the title (needed when using xsel for copy'n paste).
The second patch only adds '-nolisten tcp' to Xephyr, but if there are
use cases where one needs Xephyr to open a listener this patch will
break thinks.
regards,
Christoph A.
btw: secon's manpage doesn't contain the '-l' option.
11 years, 10 months
How to change the default context for files in the home directory
by Göran Uddeborg
I'm trying to set up F17 SELinux to accept the Swedish electronic
identity system called "BankID". I had it working under F16 with only
a few file context specifications for its libraries. (They need
textrel_shlib_t). But it seems like the policy has been tightened up
a bit in F17, which made some more tunings necessary. And I fail on
one of them.
This thing runs as a browser plugin, which starts a program, and
creates a few files in the user's home directory. My question is how
to define the context for these files. BankID creates a file called
".personal-<username>" and a directory tree ".personal/...". I added
a file context like this with semanage:
/home/[^/]*/\.personal.* all files system_u:object_r:mozilla_home_t:s0
After relabeling things in the .personal tree gets the mozilla_home_t,
but the file .personal-<username> directly in the home directory
doesn't. If it exists, it gets the right context when I do
restorecon. But it is created and removed each time the plugin is
run, and the next time the file is created, it gets user_home_dir_t.
Which the plugin in the mozilla_plugin_t context isn't allowed to
access, of course.
What am I doing wrong?
11 years, 12 months
Bootup avc, "systemd-tmpfile" important?
by Frank Murphy
Box was set to "fixfiles onboot"
Saw this avc:
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
[ 8.566136] type=1400 audit(1335687882.859:7): avc: denied {
relabelfrom } for pid=489 comm="systemd-tmpfile" name="lp2"
dev="devtmpfs" ino=11419
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 8.588374] type=1400 audit(1335687882.881:8): avc: denied {
relabelto } for pid=489 comm="systemd-tmpfile" name="lp2"
dev="devtmpfs" ino=11419
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
selinux-policy-targeted-3.10.0-118.fc17.noarch
--
Regards,
Frank Murphy
UTF_8 Encoded
Friend of fedoraproject.org
11 years, 12 months
several denials that don't get noticed by seatrouble shoot alerts
by Antonio Olivares
Dear folks,
I have some denials that don't appear in sea alert tool:
[ 26.964346] SELinux: initialized (dev sda5, type ext4), uses xattr
[ 37.206747] EXT4-fs (dm-2): mounted filesystem with ordered data mode. Opts: (null)
[ 37.211983] SELinux: initialized (dev dm-2, type ext4), uses xattr
[ 37.608076] type=1400 audit(1335642984.005:4): avc: denied { relabelfrom } for pid=607 comm="systemd-tmpfile" name="lp0" dev="devtmpfs" ino=12221 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 37.620822] type=1400 audit(1335642984.017:5): avc: denied { relabelfrom } for pid=607 comm="systemd-tmpfile" name="lp1" dev="devtmpfs" ino=12223 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 37.635066] type=1400 audit(1335642984.031:6): avc: denied { relabelfrom } for pid=607 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=12224 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 37.650084] type=1400 audit(1335642984.046:7): avc: denied { relabelfrom } for pid=607 comm="systemd-tmpfile" name="lp3" dev="devtmpfs" ino=12225 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Also I have a gut feeling that this in some way is contributing to the system not shutting down and hanging, having oneself to resort to "pressing and holding power button to make sure system is shutdown".
How do I take care of these?
Thanks and sorry for the noise.
Regards,
Antonio
11 years, 12 months
Runtime flexibility of SELInux
by Tim Sheppard
Hi,
I am looking to use SELinux to secure a process that is made up of a
number of discrete, sequential stages. One stage communicates to the
next by writing results to a file and then an external process modifies
the SELinux context of the file to allow the next stage to read the file
and so on until the final stage is reached and the processing stops.
The problem I have is that the number of stages is variable and can
change with each invocation of the process, i.e. when I create the
process I know the number of stages that will be required in it, but the
number of stages could change with each invocation. I think therefore,
that I need a means of creating new contexts on the fly and assigning
them to the processes. Is it possible with SELinux to create a new
security context (domain for the output file, and user/role for the
stage process) on the fly and execute a process within that context such
that it could poll a directory for input files and, if it is permitted
to read the file perform its operation?
Many Thanks,
Tim Sheppard
This email and any attachments to it may be confidential and are
intended solely for the use of the individual to whom it is addressed.
If you are not the intended recipient of this email, you must neither
take any action based upon its contents, nor copy or show it to anyone.
Please contact the sender if you believe you have received this email in
error. QinetiQ may monitor email traffic data and also the content of
email for the purposes of security. QinetiQ Limited (Registered in
England & Wales: Company Number: 3796233) Registered office: Cody Technology
Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com.
12 years
Re: https://bugzilla.redhat.com/show_bug.cgi?id=812100
by Antonio Olivares
> > Running restorecon on /etc/ld.so.cache
> > will fix the
> > label, as the setroubleshoot tells you. Does the file
> become
> > mislabeled again?
>
> Will try it later tonight and see what happens.
>
Nothing good happens seatroubleshooter appears with same sealert :(
This is definitely a bug
I tried to send this message but the lxde panel crashed, then I lost connection :(, sending now later after seveal hours :(
Best Regards,
Antonio
12 years
https://bugzilla.redhat.com/show_bug.cgi?id=812100
by Antonio Olivares
Dear folks,
The title has been reported as NOT A BUG, but it is annoying :(
without doing anything but logging in, the setroubleshooter kicks in and displays the message. I have tried numerous times to report it, but it came back empty. Then I click enough times and see that it is there, but it is NOT A BUG :(, I don't agree but can't do shite.
--- Running report_Bugzilla ---
Logging into Bugzilla at https://bugzilla.redhat.com
Checking for duplicates
Bug is already reported: 812100
Logging out
Status: CLOSED NOTABUG https://bugzilla.redhat.com/show_bug.cgi?id=812100
--- Running report_Bugzilla ---
This problem was already reported to Bugzilla (see 'https://bugzilla.redhat.com/show_bug.cgi?id=812100'). Do you still want to create a new bug? NO
SELinux is preventing dmesg from 'read' accesses on the file /etc/ld.so.cache.
***** Plugin restorecon (94.8 confidence) suggests *************************
If you want to fix the label.
/etc/ld.so.cache default label should be ld_so_cache_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/ld.so.cache
***** Plugin catchall_labels (5.21 confidence) suggests ********************
If you want to allow dmesg to have read access on the ld.so.cache file
Then you need to change the label on /etc/ld.so.cache
Do
# semanage fcontext -a -t FILE_TYPE '/etc/ld.so.cache'
where FILE_TYPE is one of the following: cpu_online_t, afs_cache_t, abrt_helper_exec_t, textrel_shlib_t, rpm_script_tmp_t, user_cron_spool_t, puppet_tmp_t, ld_so_cache_t, abrt_var_run_t, udev_var_run_t, sysctl_kernel_t, abrt_var_run_t, sysctl_crypto_t, locale_t, dmesg_t, proc_t, sysfs_t, dmesg_exec_t, abrt_t, lib_t, ld_so_t.
Then execute:
restorecon -v '/etc/ld.so.cache'
***** Plugin catchall (1.44 confidence) suggests ***************************
If you believe that dmesg should be allowed read access on the ld.so.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dmesg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:dmesg_t:s0
Target Context unconfined_u:object_r:etc_t:s0
Target Objects /etc/ld.so.cache [ file ]
Source dmesg
Source Path dmesg
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages glibc-2.15-32.fc17.i686
Policy RPM selinux-policy-3.10.0-116.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux acer-aspire-1 3.3.2-1.fc17.i686 #1 SMP Fri
Apr 13 21:06:40 UTC 2012 i686 i686
Alert Count 1
First Seen Thu 19 Apr 2012 09:30:20 PM CDT
Last Seen Thu 19 Apr 2012 09:30:20 PM CDT
Local ID db50d35a-1a8c-4e53-a4ae-98765dcb81db
Raw Audit Messages
type=AVC msg=audit(1334889020.147:6): avc: denied { read } for pid=633 comm="dmesg" name="ld.so.cache" dev="dm-1" ino=54745 scontext=system_u:system_r:dmesg_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
Hash: dmesg,dmesg_t,etc_t,file,read
audit2allowunable to open /sys/fs/selinux/policy: Permission denied
audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied
What do I do, please advice. I am getting annoyed, frustrated and I would hate to kill off selinux, because I actually like it, but the NOT A BUG does bother me. I have had the past three or four days dealing with this, and now I am finally doing something about it :(
Thanks for listening.
Regards,
Antonio
12 years
force audit log rotation?
by Dr. Michael J. Chudobiak
Hi all,
How do I force an audit.log rotation in a systemd world (F16)?
"service auditd rotate" no longer works, of course.
- Mike
12 years
RE: runcon Invalid argument
by Moray Henderson
(sorry - my reply didn't get copied to the list)
> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
> Sent: 13 April 2012 17:52
> >
> > I can do this:
> >
> > [root@kojihub ~]# setenforce 0 [root@kojihub ~]# runcon
> > unconfined_u:system_r:httpd_t:s0 bash [root@kojihub ~]# setenforce 1
> > [root@kojihub ~]# id uid=0(root) gid=0(root)
> > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> > context=unconfined_u:system_r:httpd_t:s0
(those lines should not have joined - 2 spaces at the beginning of each line are supposed to prevent an email client "helpfully" removing line breaks)
> > However, I think I have a problem. My nfs server has to have SELinux
> > disabled for other reasons, so I can't set nfs_export_all_rw there.
> It has
> > to be on the nfs server, doesn't it? Even if I set everything in the
> tree
> > I'm exporting to public_content_rw_t on the server and unmount and
> remount
> > the client filesystem everything still comes out as nfs_t. Is that
> because
> > it's not getting the proper information from the nfs server?
> >
> > Other than leaving my Koji server in permissive mode or using
> > httpd_disable_trans=1 (if that works on CentOS 6), is there a way to
> make
> > this work? If not, I'll have to rearrange some disk space.
> >
> >
> > Moray. “To err is human; to purr, feline.”
> >
> >
> >
> >
> The remove client does not have to have SELinux enabled or not. Lets
> step back
> to the beginning, what problem are you trying to solve?
>
> SELinux is enforced at the client side, so it treats all files as
> nfs_t. If
> you are trying to share content on an NFS Server using apache, you have
> to
> turn on a couple of booleans depending on the OS you are running
> SELinux on.
My apache server is on the nfs client machine. That machine does not have enough disk space, so I was hoping to have it write to a filesystem mounted from another machine. The machine that I was trying to use as the nfs server has lots of disk space, but has to have SELinux disabled.
Moray.
“To err is human; to purr, feline.”
12 years
runcon Invalid argument
by Moray Henderson (ICT)
I'm trying to debug an httpd-nfs-selinux issue, and it would be _really_
useful to be able to execute commands in context httpd_t while trying out
combinations of the nfs_export_all_rw Boolean and public_content_rw_t type.
If I can do
[root@kojihub ~]# runcon unconfined_u:unconfined_r:unconfined_t:s0 bash
[root@kojihub ~]# exit
why can't I do
[root@kojihub ~]# runcon unconfined_u:unconfined_r:httpd_t:s0 bash
runcon: invalid context: unconfined_u:unconfined_r:httpd_t:s0: Invalid
argument
The actual issue is that I've set up a new koji hub with /mnt/koji on an nfs
mount; with SELinux in permissive mode I get
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr
system_u:object_r:nfs_t:s0 denied 494
2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir search
system_u:object_r:nfs_t:s0 denied 493
3. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir write
system_u:object_r:nfs_t:s0 denied 495
4. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir
add_name system_u:object_r:nfs_t:s0 denied 495
5. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir create
unconfined_u:object_r:nfs_t:s0 denied 495
6. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file create
unconfined_u:object_r:nfs_t:s0 denied 496
7. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file open
system_u:object_r:nfs_t:s0 denied 496
Moray.
"To err is human; to purr, feline."
OM International Limited - Unit B Clifford Court, Cooper Way - Carlisle CA3 0JG - United Kingdom
Charity reg no: 1112655 - Company reg no: 5649412 (England and Wales)
12 years
