VASD policy
by Vadym Chepkov
Hi,
I noticed just one vasd-related entry has found its way into the SELinux policy:
# grep vasd ./serefpolicy-3.7.19/policy/modules/system/authlogin.fc
/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
vasd is part of Quest Auth Services and I wonder if somebody already has a
policy defined for it or I have to start from scratch. Quest suggested disabling
SELinux, of course.
Thanks,
Vadym
10 years, 2 months
issue on deleting a SELinux customized user
by Leonidas Da Silva Barbosa
I was trying to delete a user with seobject.seluserRecords.delete,
but I realized that once a SELinux user created with the
seobject.seluserRecords.add method has been deleted, when I try to use
.add again to create another one I get the following
error message:
libsemanage.validate_handler: selinux user se_auditadm_u does not exist (No
such file or directory).
libsemanage.validate_handler: seuser mapping [se_auditadm_u -> (se_auditadm_u,
s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such
file or directory).
The only way I found to fix it was deleting the lines related to
the deleted user in:
/etc/selinux/targeted/modules/active/seusers and seusers.final.
I'm wondering if I'm doing something wrong or if there is a better way to do
that.
Thanks in advance.
Leonidas.
10 years, 5 months
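An added example, not part of the thread: a small Python check over the seusers file format (one login:seuser:mls-range mapping per line) that finds login mappings pointing at a SELinux user that no longer exists, which is the state libsemanage is complaining about above, and that produces the same repair the post describes doing by hand. The sample file and the set of defined SELinux users are constructed; on a real system the user list comes from semanage user -l (seobject.seluserRecords().get_all() from Python).

```python
"""Consistency check for seusers-style login mappings.

libsemanage refuses to commit when a login mapping names a SELinux user
that no longer exists; this finds such mappings from the files alone."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# One mapping per line: login:seuser[:mls-range]; '#' starts a comment.
_LINE = re.compile(r"^(?P<login>[^:\s]+):(?P<seuser>[^:\s]+)(?::(?P<range>\S*))?$")


@dataclass(frozen=True)
class LoginMapping:
    login: str
    seuser: str
    mls_range: str


def parse_seusers(text: str) -> List[LoginMapping]:
    """Parse the contents of a seusers / seusers.final file."""
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"malformed seusers line: {raw!r}")
        mappings.append(LoginMapping(m["login"], m["seuser"], m["range"] or ""))
    return mappings


def dangling_mappings(mappings: Iterable[LoginMapping],
                      selinux_users: Set[str]) -> List[LoginMapping]:
    """Mappings whose target SELinux user is not defined in the policy store."""
    return [m for m in mappings if m.seuser not in selinux_users]


def prune_seusers(text: str, selinux_users: Set[str]) -> str:
    """Return the file contents with dangling mappings dropped; comments and
    the order of the remaining lines are preserved."""
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            m = _LINE.match(line)
            if m is not None and m["seuser"] not in selinux_users:
                continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample: the se_auditadm_u login mapping survived the deletion
# of the se_auditadm_u SELinux user, which is the state the post describes.
SAMPLE_SEUSERS = """\
system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
se_auditadm_u:se_auditadm_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
"""

# Constructed stand-in for the output of `semanage user -l` after the deletion.
SAMPLE_SELINUX_USERS = {"system_u", "unconfined_u", "root", "user_u", "staff_u", "sysadm_u"}


if __name__ == "__main__":
    for m in dangling_mappings(parse_seusers(SAMPLE_SEUSERS), SAMPLE_SELINUX_USERS):
        print(f"dangling: login {m.login} -> missing SELinux user {m.seuser}")
    print(prune_seusers(SAMPLE_SEUSERS, SAMPLE_SELINUX_USERS), end="")
```

Editing seusers and seusers.final directly bypasses libsemanage's validation, which is exactly why the check above is worth running before and after doing so; the cleaner order of operations is to remove the login mapping first and the SELinux user second.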
what do we do with user_home_t, and what more could we do with it?
by Matthew Miller
There is some concern on the devel mailing list about user-writable
directories in the default $PATH -- initially discussion about ~/.local/bin
as a hidden file, but now also out to ~/bin as well. I notice that these are
home_bin_t. What does this do with the current policy, and what more could
we do? (Particularly, a compromised application shouldn't be able to put
binaries there, but a shell script or something like `pip install` probably
_should_ be able to.)
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>
10 years, 5 months
Labeling "lost_found_t" to the usb pen drive
by Shintaro Fujiwara
Hi, I have a question on lost_found_t.
When I plug in my USB pen drive and issue this command,
# mkfs -t ext4 /dev/sdb
after successfully making the file system on the USB device, Fedora auto-detects
the USB device and I find a lost+found directory in the device labeled
file_t.
I can use the pen drive all right, but wouldn't it be good to label lost+found
lost_found_t?
I made a local policy to label it, but I could not, although I could
install the module itself and restorecon the directory.
restorecon said,
[root@localhost ~]# restorecon -rv /run/media
restorecon: Warning no default label for /run/media/fujiwara
restorecon: Warning no default label for
/run/media/fujiwara/64d4a696-14af-46fb-bcd1-1762f1f688bd
restorecon: Warning no default label for
/run/media/fujiwara/64d4a696-14af-46fb-bcd1-1762f1f688bd/lost+found
Why is labeling the lost+found directory on the USB pen drive not permitted
by default?
Thanks in advance.
10 years, 5 months
filtering outgoing packets with SELinux and iptables
by Konstantin Ryabitsev
Hi, all:
Most of the selinux+iptables guides out there talk about using
iptables to label incoming packets, which would then be either allowed
or denied by the domain of the application.
I want to do it the other way around. Let's say I have a shared web
hosting site where every client's application is running inside its
own SELinux domain (e.g. httpd_myapp_script_t). I would like to be
able to only allow httpd_myapp_script_t to connect to 192.168.1.1 port
443, but not any other IP address. This is actually quite common -- an
application may need to make a REST call to some site, but it really
has no business talking to any other hosts on the net.
I can use the standard approach to allow httpd_myapp_script_t to connect
to httpd_port_t, but this will allow it to talk to any host at all.
How would I write a policy that would label packets going out of
httpd_myapp_script_t (e.g. httpd_myapp_packet_t) and then use OUTPUT
rules to only allow such packets to go out to 192.168.1.1:443?
Has anyone done anything like that?
Best,
--
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec
10 years, 5 months
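An added example, mine rather than anything from the thread, modelling the SECMARK approach to the question above. The thing to keep in mind is that iptables cannot match on the sending domain: SECMARK gives every packet it matches a packet type, and it is the policy that decides whether a domain may send (and, for replies carried back by CONNSECMARK, receive) packets of that type. So the recipe is: a catch-all SECMARK rule in the mangle OUTPUT chain that gives every new outbound packet a type the script domain is not allowed to send, a later and more specific SECMARK rule that overrides it for 192.168.1.1:443 with a type the script domain may send, CONNSECMARK --save/--restore so the reply packets carry the same label, and a module granting httpd_myapp_script_t only the second type. The catch-all is needed because Fedora's httpd script domains already get send/recv on unlabeled_t, so merely adding a new allowed type would not take anything away. The packet type names, the module text (which assumes the refpolicy corenet_packet() interface) and the ruleset are constructed; the simulation follows xt_SECMARK/xt_CONNSECMARK semantics (SECMARK is non-terminating, the last hit wins, CONNSECMARK --save records the mark once per connection and --restore only fills an unlabelled packet).

```python
"""Model of restricting a confined domain's outbound traffic with SECMARK:
netfilter assigns a packet type, policy decides who may send/recv it."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNLABELED = "system_u:object_r:unlabeled_t:s0"
# Two hypothetical packet types declared by the module below.
REST_PKT = "system_u:object_r:myapp_rest_packet_t:s0"
OTHER_PKT = "system_u:object_r:myapp_other_packet_t:s0"

POLICY_TE = """
policy_module(myapp_net, 1.0)
gen_require(`
        attribute domain;
        type httpd_myapp_script_t;
')
type myapp_rest_packet_t;
corenet_packet(myapp_rest_packet_t)
type myapp_other_packet_t;
corenet_packet(myapp_other_packet_t)
# the script domain may only use packets labelled for the REST endpoint
allow httpd_myapp_script_t myapp_rest_packet_t:packet { send recv };
# every other domain keeps working on the catch-all type
allow { domain -httpd_myapp_script_t } myapp_other_packet_t:packet { send recv };
"""


@dataclass(frozen=True)
class Rule:
    """One mangle-table rule; a None field matches anything."""
    chain: str
    ctstate: Optional[frozenset] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    secmark: Optional[str] = None       # -j SECMARK --selctx <ctx>
    connsecmark: Optional[str] = None   # -j CONNSECMARK --save | --restore


NEW, EST = frozenset({"NEW"}), frozenset({"ESTABLISHED", "RELATED"})

# Same order as these commands (SECMARK is non-terminating; the last hit wins):
#   iptables -t mangle -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
#   iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
#   iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -j SECMARK --selctx system_u:object_r:myapp_other_packet_t:s0
#   iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -p tcp -d 192.168.1.1 --dport 443 \
#            -j SECMARK --selctx system_u:object_r:myapp_rest_packet_t:s0
#   iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -j CONNSECMARK --save
RULES: List[Rule] = [
    Rule("INPUT", EST, connsecmark="restore"),
    Rule("OUTPUT", EST, connsecmark="restore"),
    Rule("OUTPUT", NEW, secmark=OTHER_PKT),
    Rule("OUTPUT", NEW, dst="192.168.1.1", dport=443, secmark=REST_PKT),
    Rule("OUTPUT", NEW, connsecmark="save"),
]


@dataclass
class Conn:
    """What conntrack remembers about a flow."""
    secmark: Optional[str] = None


def label_packet(rules, chain, ctstate, dst, dport, conn) -> str:
    """Walk one chain the way xt_SECMARK / xt_CONNSECMARK would."""
    secmark = None
    for r in rules:
        if r.chain != chain or (r.ctstate and ctstate not in r.ctstate):
            continue
        if (r.dst is not None and r.dst != dst) or (r.dport is not None and r.dport != dport):
            continue
        if r.secmark is not None:
            secmark = r.secmark                     # overwrite: last SECMARK wins
        elif r.connsecmark == "save" and secmark and conn.secmark is None:
            conn.secmark = secmark                  # saved once per connection
        elif r.connsecmark == "restore" and secmark is None:
            secmark = conn.secmark                  # only fills an unlabelled packet
    return secmark or UNLABELED


def policy_allows(domain: str, secmark: str) -> bool:
    """The allow rules of POLICY_TE, plus the unlabeled_t access Fedora's
    httpd script domains already hold (corenet_all_recvfrom_unlabeled)."""
    ptype = secmark.split(":")[2]
    if ptype == "myapp_rest_packet_t":
        return domain == "httpd_myapp_script_t"
    if ptype == "myapp_other_packet_t":
        return domain != "httpd_myapp_script_t"
    return ptype == "unlabeled_t"


def connect(domain: str, dst: str, dport: int, rules=RULES) -> Tuple[bool, bool]:
    """One TCP flow: first packet out (NEW), reply in (ESTABLISHED).
    Returns whether policy grants packet { send } and packet { recv }."""
    conn = Conn()
    out = label_packet(rules, "OUTPUT", "NEW", dst, dport, conn)
    reply = label_packet(rules, "INPUT", "ESTABLISHED", None, None, conn)
    return policy_allows(domain, out), policy_allows(domain, reply)


if __name__ == "__main__":
    print("script -> 192.168.1.1:443", connect("httpd_myapp_script_t", "192.168.1.1", 443))
    print("script -> 10.0.0.5:443   ", connect("httpd_myapp_script_t", "10.0.0.5", 443))
    print("sshd   -> 10.0.0.5:22    ", connect("sshd_t", "10.0.0.5", 22))
```

Two caveats a practitioner would want: the catch-all rule relabels every domain's outbound traffic, which is why the module grants the catch-all type to { domain -httpd_myapp_script_t } and why you can narrow the blast radius with -m owner --uid-owner apache on that rule; and if the specific rule is placed before the catch-all, the REST packets end up with the catch-all type and the script domain is cut off entirely, which is the ordering mistake the simulation's last check in the test reproduces.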
A quick avc question - identifying source file
by mark
The sealert tells me that a file named index.cgi is running avc on
sysfs_t. Is there any tool that would get me the *full* path of index.cgi,
as there are several of them, for several websites (including bugzilla)?
CentOS 6.4.
mark
10 years, 5 months
semanage, how do I hate thee...
by mark
Now that the US gov't is back, and so am I....
I'm trying to fix a server that was rebooted, and obviously a bunch of
stuff had the wrong context for some reason (I didn't set it up...)
However:
semanage fcontext -a -t httpd_sys_script_t
"/<pathtowebsite>/<website>/cgi-bin/(.*)?"
/usr/sbin/semanage: Type httpd_sys_script_t is invalid, must be a file or
device type
The same when I try
semanage fcontext -a -t httpd_sys_script_t
"/<pathtowebsite>/<website>/cgi-bin/(.*)?.cgi"
There are subdirectories, and other stuff, and I really want to change the
context only on what I want. However, that error message is utterly and
completely useless and meaningless.
So: what do I need to do to fix the contexts?
mark
10 years, 5 months
Cannot get rid of a user_home_dir_t label
by Juan Orti Alcaine
Hello,
I'm creating a package for bitcoin, and I must have messed up the file
contexts, because the directory /var/lib/bitcoin is always labeled as
'user_home_dir_t'.
Previously, I had a regular user 'bitcoin' with a homedir in
/home/bitcoin, but I removed it and its homedir some days ago. Now it's
a system user:
# grep bitcoin /etc/passwd
bitcoin:x:988:983:Bitcoin wallet server:/var/lib/bitcoin:/sbin/nologin
# grep bitcoin /etc/group
bitcoin:x:983:
bitcoin.fc:
/var/lib/bitcoin(/.*)?
gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
# ls -laZ /var/lib/bitcoin/
drwxr-x---. bitcoin bitcoin user_u:object_r:user_home_dir_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
# chcon -u system_u -t object_r -t bitcoin_var_lib_t /var/lib/bitcoin/
# restorecon -F -r -v /var/lib/bitcoin
restorecon reset /var/lib/bitcoin context
system_u:object_r:bitcoin_var_lib_t:s0->user_u:object_r:user_home_dir_t:s0
# semanage fcontext -l | grep bitcoin
/etc/bitcoin(/.*)? all files
system_u:object_r:bitcoin_conf_t:s0
/usr/bin/bitcoind regular file
system_u:object_r:bitcoin_exec_t:s0
/var/lib/bitcoin(/.*)? all files
system_u:object_r:bitcoin_var_lib_t:s0
How are the homedirs contexts managed? I can't figure a way to get it
labeled correctly. Any hint?
Thank you.
--
Juan Orti
GPG Key: DEEBD08B - https://www.miceliux.com/~juan/pubkey.asc
Blog: https://apuntesderoot.wordpress.com/
10 years, 5 months
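An added example that is not from either thread, covering both this post and the lost+found one above: a simplified Python model of how libselinux picks a default label for a path from file_contexts-style entries. It reproduces the two symptoms seen above. First, restorecon prints "no default label" both when no entry matches and when the matching entry is the literal <<none>>, which is what the entries for mounted removable media use. Second, libselinux loads file_contexts, then file_contexts.homedirs, then file_contexts.local, and a later matching entry wins; file_contexts.homedirs is generated by genhomedircon from the login mappings, so an account that is (or was, until the store is rebuilt) mapped by semanage login with /var/lib/bitcoin as its home directory yields a user_u:object_r:user_home_dir_t entry for that path that outranks the module's own /var/lib/bitcoin(/.*)? entry. All entries below are constructed; the /run/media lines in particular are written to reproduce the warning quoted above and are not the distribution's real ones.

```python
"""Simplified model of libselinux's file_contexts lookup, enough to show
why restorecon warns "no default label" for some paths and why a
file_contexts.homedirs entry outranks a module's own entry."""
import re
from typing import List, NamedTuple, Optional, Tuple


class Spec(NamedTuple):
    regex: "re.Pattern"
    ftype: Optional[str]     # None = any object type
    context: str             # a context or the literal <<none>>
    source: str              # which file the entry came from


# Optional second field of a file_contexts line.
_FTYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
           "-b": "blk", "-s": "sock", "-p": "fifo"}


def parse_file_contexts(text: str, source: str) -> List[Spec]:
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in _FTYPES:
            regex, ftype, context = fields[0], _FTYPES[fields[1]], fields[2]
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # libselinux anchors every pattern at both ends
        specs.append(Spec(re.compile("^" + regex + "$"), ftype, context, source))
    return specs


def load(file_contexts: str, homedirs: str = "", local: str = "") -> List[Spec]:
    """Concatenate in the order libselinux loads them; later entries win."""
    return (parse_file_contexts(file_contexts, "file_contexts")
            + parse_file_contexts(homedirs, "file_contexts.homedirs")
            + parse_file_contexts(local, "file_contexts.local"))


def lookup(specs: List[Spec], path: str, kind: str = "file") -> Tuple[str, str]:
    """Return (context, source) for a path, or raise LookupError in the two
    cases restorecon reports as 'no default label': no match, or <<none>>."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != kind:
            continue
        if spec.regex.match(path):
            if spec.context == "<<none>>":
                raise LookupError(f"{path}: matched <<none>> in {spec.source}")
            return spec.context, spec.source
    raise LookupError(f"{path}: no entry matches")


# Constructed entries, not a distribution's real file_contexts.
FILE_CONTEXTS = """
/.*                        system_u:object_r:default_t:s0
/var(/.*)?                 system_u:object_r:var_t:s0
/var/lib(/.*)?             system_u:object_r:var_lib_t:s0
/var/lib/bitcoin(/.*)?     system_u:object_r:bitcoin_var_lib_t:s0
/run/media          -d     system_u:object_r:mnt_t:s0
/run/media/.*              <<none>>
"""

# What genhomedircon writes while a login 'bitcoin' is mapped to user_u with
# /var/lib/bitcoin as its home directory (constructed to match the post).
HOMEDIRS_WITH_BITCOIN_LOGIN = """
/home/[^/]+         -d     unconfined_u:object_r:user_home_dir_t:s0
/var/lib/bitcoin    -d     user_u:object_r:user_home_dir_t:s0
/var/lib/bitcoin/.+        user_u:object_r:user_home_t:s0
"""

# ... and after that login mapping is removed and the file regenerated.
HOMEDIRS_AFTER_REMOVAL = """
/home/[^/]+         -d     unconfined_u:object_r:user_home_dir_t:s0
"""


if __name__ == "__main__":
    for homedirs in (HOMEDIRS_WITH_BITCOIN_LOGIN, HOMEDIRS_AFTER_REMOVAL):
        print("/var/lib/bitcoin ->", lookup(load(FILE_CONTEXTS, homedirs), "/var/lib/bitcoin", "dir"))
    specs = load(FILE_CONTEXTS)
    for p in ("/run/media", "/run/media/fujiwara", "/run/media/fujiwara/x/lost+found"):
        try:
            print(p, "->", lookup(specs, p, "dir"))
        except LookupError as e:
            print("no default label:", e)
```

On a live system, matchpathcon -V /var/lib/bitcoin reports which entry is in effect and whether the on-disk label matches it, and semanage login -l shows whether a login mapping for that account still exists; semanage fcontext -l only lists the policy and local entries, which is why the homedirs entry does not show up in the grep above.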
allow_domain_fd_use
by Tim.Einmahl@kba.de
Hi,
I would like to know how much risk there is in
setting allow_domain_fd_use to 1?
I am not totally sure about the security impact. Would that allow a process in one
domain to read files and sockets that have been opened by another domain?
Usually, I disable it, but from time to time I get error messages like:
type=AVC msg=audit(1381801383.801:31585): avc: denied { use } for pid=25761 comm="mail" path="/dev/null" dev=devtmpfs ino=3656 scontext=system_u:system_r:logrotate_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fd
type=SYSCALL msg=audit(1381801383.801:31585): arch=x86_64 syscall=execve success=yes exit=0 a0=229fcd0 a1=229fd50 a2=229df90 a3=7fffb994eef0 items=0 ppid=25741 pid=25761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1677 comm=mail exe=/bin/mailx subj=system_u:system_r:logrotate_mail_t:s0-s0:c0.c1023 key=(null)
On a hypervisor, I have to allow it, otherwise I get millions of messages like
type=SYSCALL msg=audit(1381823069.947:3240474): arch=c000003e syscall=0 success=no exit=-13 a0=17 a1=7f9045c99ae4 a2=11000 a3=7fffa277af30 items=0 ppid=1 pid=9616 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe=2F7573722F6C6962657865632F71656D752D6B766D202864656C6574656429 subj=system_u:system_r:svirt_t:s0:c559,c791 key=(null)
type=AVC msg=audit(1381823069.947:3240474): avc: denied { use } for pid=9616 comm="qemu-kvm" path="/dev/net/tun" dev=devtmpfs ino=9274 scontext=system_u:system_r:svirt_t:s0:c559,c791 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fd
Regards
Tim
10 years, 5 months
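An added example, not from the threads, that serves both this post and the "identifying source file" question above: a Python parser for raw audit records that groups AVC, SYSCALL and CWD records by their audit(timestamp:serial) event id, decodes the hex-encoded fields auditd emits when a value contains a space (the exe= in the qemu SYSCALL record above decodes to a path ending in "(deleted)", meaning the binary was replaced on disk while the process kept running), and then reads off the two things asked for. For the full path behind an AVC, exe= in the event's SYSCALL record names the executable; for a CGI script that is the interpreter, and comm is only the script's basename, so the CWD record of the same event (Apache runs a CGI with the working directory set to the script's own directory) is what distinguishes the several index.cgi copies; ausearch -i -a SERIAL prints these records together. For an fd { use } denial, scontext is the domain holding an inherited descriptor and tcontext the domain that created it; allow_domain_fd_use grants that use to every domain, but it does not waive the checks on the file itself, which are still made against the source domain when it reads or writes through the descriptor. The first four records are copied from the posts; the index.cgi event is constructed.

```python
"""Group raw audit records by event, decode escaped fields, and explain
AVC denials: which program/path is behind them, and for fd { use } which
domain created the descriptor that another domain inherited."""
import errno
import re
from collections import defaultdict
from typing import Dict, List, Tuple

_HEADER = re.compile(r"^type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_AVC = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
# auditd hex-encodes these fields when the value has spaces or non-printables.
_ESCAPED = {"exe", "comm", "path", "name", "cwd", "proctitle"}
_HEX = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def _decode(key: str, value: str) -> str:
    if value.startswith('"'):
        return value[1:-1]
    if key in _ESCAPED and _HEX.match(value):      # unquoted and hex: encoded
        try:
            return bytes.fromhex(value).decode("utf-8")
        except UnicodeDecodeError:
            pass
    return value


def parse_audit(lines) -> Dict[Tuple[str, str], List[dict]]:
    """Group records by (timestamp, serial); all records of one event share it."""
    events = defaultdict(list)
    for line in lines:
        m = _HEADER.match(line.strip().lstrip("- ").strip())
        if m is None:
            continue
        rec = {k: _decode(k, v) for k, v in _FIELD.findall(m["body"])}
        rec["type"] = m["type"]
        avc = _AVC.search(m["body"])
        if avc:
            rec["result"], rec["perms"] = avc["result"], avc["perms"].split()
        events[(m["ts"], m["serial"])].append(rec)
    return dict(events)


def program_behind_avc(events) -> List[dict]:
    """For every AVC record attach exe= from the event's SYSCALL record and
    cwd= from its CWD record; for a script, exe is the interpreter and cwd
    is what tells the copies apart."""
    out = []
    for (_ts, serial), recs in events.items():
        by_type = {r["type"]: r for r in recs}       # one SYSCALL/CWD per event
        sc, cwd = by_type.get("SYSCALL", {}), by_type.get("CWD", {})
        err = None
        if sc.get("success") == "no":
            err = errno.errorcode.get(-int(sc.get("exit", "0")))
        for r in recs:
            if r["type"] == "AVC":
                out.append({"serial": serial, "comm": r.get("comm"),
                            "perms": r.get("perms", []), "tclass": r.get("tclass"),
                            "path": r.get("path") or r.get("name"),
                            "scontext": r.get("scontext"), "tcontext": r.get("tcontext"),
                            "exe": sc.get("exe"), "cwd": cwd.get("cwd"), "errno": err})
    return out


def explain_fd_use(events) -> List[str]:
    """Spell out fd { use } denials: the descriptor was created by the target
    domain and inherited by the source domain."""
    notes = []
    for i in program_behind_avc(events):
        if i["tclass"] == "fd" and "use" in i["perms"]:
            src, tgt = i["scontext"].split(":")[2], i["tcontext"].split(":")[2]
            notes.append(f"{i['comm']} ({i['exe']}) in {src} inherited {i['path']} "
                         f"opened by {tgt}")
    return notes


# First four records copied from the posts above; the index.cgi event
# (serial 4242, its paths and inode) is constructed.
SAMPLE = """\
type=AVC msg=audit(1381801383.801:31585): avc: denied { use } for pid=25761 comm="mail" path="/dev/null" dev=devtmpfs ino=3656 scontext=system_u:system_r:logrotate_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fd
type=SYSCALL msg=audit(1381801383.801:31585): arch=x86_64 syscall=execve success=yes exit=0 a0=229fcd0 a1=229fd50 a2=229df90 a3=7fffb994eef0 items=0 ppid=25741 pid=25761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1677 comm=mail exe=/bin/mailx subj=system_u:system_r:logrotate_mail_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1381823069.947:3240474): arch=c000003e syscall=0 success=no exit=-13 a0=17 a1=7f9045c99ae4 a2=11000 a3=7fffa277af30 items=0 ppid=1 pid=9616 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe=2F7573722F6C6962657865632F71656D752D6B766D202864656C6574656429 subj=system_u:system_r:svirt_t:s0:c559,c791 key=(null)
type=AVC msg=audit(1381823069.947:3240474): avc: denied { use } for pid=9616 comm="qemu-kvm" path="/dev/net/tun" dev=devtmpfs ino=9274 scontext=system_u:system_r:svirt_t:s0:c559,c791 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fd
type=AVC msg=audit(1382000000.100:4242): avc: denied { read } for pid=3110 comm="index.cgi" name="kernel" dev=sysfs ino=1 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1382000000.100:4242): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=3100 pid=3110 comm="index.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=CWD msg=audit(1382000000.100:4242): cwd="/var/www/bugzilla"
"""


if __name__ == "__main__":
    events = parse_audit(SAMPLE.splitlines())
    for info in program_behind_avc(events):
        print(info["serial"], info["comm"], info["perms"], info["tclass"], info["exe"], info["cwd"], info["errno"])
    for note in explain_fd_use(events):
        print(note)
```

The hex check is a fallback for copies like the one above where quoting was lost in transit; auditd itself always quotes a literal value and never quotes an encoded one, which is what ausearch -i relies on.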