apache and setroubleshoot policy oddities
by mark
CentOS 6.4 (probably not the current kernel)
selinux-policy, selinux-policy-targeted 3.7.19-155.el6_3.14
And we're running SiteMinder from CA (and have *zero* control over that,
don't get me started)
unconfined_u:system_r:httpd_t:s0 apache <...> LLAWP
/etc/httpd/conf/WebAgent.conf -APACHE22
apache root unconfined_u:object_r:httpd_log_t:s0 /var/log/httpd/agent.log
So, why would I get AVCs, and running them through audit2allow gives me:
#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;
Why on earth can't something running as httpd_t write to a logfile of
httpd_log_t in /var/log/httpd/?
And then there's this...
#============= setroubleshootd_t ==============
allow setroubleshootd_t httpd_sys_script_t:dir read;
allow setroubleshootd_t httpd_sys_script_t:file getattr;
Shouldn't setroubleshootd have rights?
mark
11 years, 1 month
Looking for links: passenger & selinux
by mark
Gag. I hate passenger...
This is CentOS 6.3
Does someone have a link to info on what selinux passenger context to set
what files to? I see passenger set to lib_t, which I may have done a
while back, but the current policy may be more picky. I've looked at the
passenger_selinux manpage, and it doesn't suggest what they should be. The
version of ruby my users are on is the old 1.8.7 enterprise, *not*
installed from an rpm, so nothing's correct....
mark
11 years, 1 month
setroubleshoot bug returns?
by mark
I just updated a system to the latest 6.3 (no CR), and I'm seeing
setroubleshoot: [avc.ERROR] Plugin Exception catchall_boolean
#012Traceback (most recent call last):#012 File
"/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 191,
in analyze_avc#012 report = plugin.analyze(avc)#012 File
"/usr/share/setroubleshoot/plugins/catchall_boolean.py", line 90, in
analyze#012 man_page = self.check_for_man(b)#012 File
"/usr/share/setroubleshoot/plugins/catchall_boolean.py", line 76, in
check_for_man#012 man_page = name.split("_")[0] +
"_selinux"#012AttributeError: 'tuple' object has no attribute 'split'
which appears to be *exactly* Red Hat Bugzilla – Bug 518232, closed in
rawhide on 2009-08-19.
Has this crept back in?
mark
11 years, 1 month
staff_u unable to run ls in /var on one system
by Erinn Looney-Triggs
I have an odd problem. Users running as staff_u are unable to run ls in
/var on one system only (though I haven't tested all of them).
It is definitely an SELinux thing: setenforce 0, problem goes away,
setenforce 1, problem returns. ausearch -m avc -ts now shows nothing.
restorecon on /var yields nothing and the labels are the same from one
system to the next.
id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Same on both systems (this is set via IPA and SSSD)
So I can't really figure out where the problem lies:
ls -lZd /var
drwxr-xr-x. root root system_u:object_r:var_t:s0 /var
Any ideas?
-Erinn
11 years, 1 month
What's this sys_admin capability
by Tony Molloy
Hi,
I'm seeing messages similar to the following for a number of services
on a recently updated Centos 6.4 system.
I can generate local policies for each service, but is there some
boolean which can affect this sys_admin capability?
Mar 9 12:45:10 youngmunster setroubleshoot: SELinux is preventing
/usr/sbin/nmbd from using the sys_admin capability. For complete
SELinux messages. run sealert -l 5a37dd50-b60c-4a1c-b97d-6d62baeee33a
[root@youngmunster ~]# sealert -l 5a37dd50-b60c-4a1c-b97d-6d62baeee33a
SELinux is preventing /usr/sbin/nmbd from using the sys_admin
capability.
***** Plugin catchall (100. confidence) suggests
***************************
If you believe that nmbd should have the sys_admin capability by
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep nmbd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Thanks,
Tony
11 years, 1 month
Re: setroubleshoot bug returns?
by mark
Trevor Hemsley wrote:
> On 08/03/13 16:44, m.roth(a)5-cent.us wrote:
>> Trevor Hemsley wrote:
>>> On 08/03/13 15:05, m.roth(a)5-cent.us wrote:
>>>> This is CentOS - 6.4 is still in q/a.
>>>
>>> Actually not, you can get access to it now via
>>>
>>> yum --enablerepo=extras install centos-release-cr
>>> yum update
>>>
>>> First one installs the CR repo and it contains all of 6.4 except the
>>> centos-release package that updates /etc/redhat-release
>>>
>> What part of "I have to negotiate with users as to when I can update
>> their production and developments systems to a new release, which can
>> take up to a month or more" was I not clear about?
>>
> Well, a) you didn't say that at all in this thread and b) sorry for
> trying to be helpful. Remind me not to bother next time.
Oh, sorry, I *hate* the way the selinux list is configured, so that it
replies to an *individual*, and cc's the list, and if you don't remember
(I have no other lists I'm on, or have been on in for the decades I've
been online), you can miss that it only went that way.
Other point: thinking about this over lunch, it strikes me that this looks
like a bug in the code, not in a policy, since it explicitly refers to the
file catchall_boolean.py.
mark
11 years, 1 month
[PATCH 1/2] iptables (userspace): add secmark match
by Mr Dash Four
This patch is part of the userspace changes needed for the "secmark" match
in iptables.
Signed-off-by: Mr Dash Four <mr.dash.four(a)googlemail.com>
---
extensions/libxt_secmark.c | 100 ++++++++++++++++++++++++++++++++++
extensions/libxt_secmark.man | 22 ++++++++
include/linux/netfilter/xt_secmark.h | 24 ++++++++
3 files changed, 146 insertions(+)
create mode 100644 extensions/libxt_secmark.c
create mode 100644 extensions/libxt_secmark.man
create mode 100644 include/linux/netfilter/xt_secmark.h
diff --git a/extensions/libxt_secmark.c b/extensions/libxt_secmark.c
new file mode 100644
index 0000000..92ecc6b
--- /dev/null
+++ b/extensions/libxt_secmark.c
@@ -0,0 +1,100 @@
+/*
+ * Shared library add-on to iptables to add secmark match support.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 (or
+ * any later at your option) as published by the Free Software Foundation.
+ */
+#include <stdbool.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <getopt.h>
+#include <xtables.h>
+
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_secmark.h>
+
+#define PFX "secmark match: "
+
+enum {
+ O_SELCTX = 0,
+};
+
+#define s struct xt_secmark_match_info
+static const struct xt_option_entry secmark_opts[] = {
+ {.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND|XTOPT_PUT, XTOPT_POINTER(s, secctx)},
+ XTOPT_TABLEEND,
+};
+#undef s
+
+static void secmark_help(void)
+{
+ printf("secmark match options:\n"
+ " --selctx STRING SELinux security context\n");
+}
+
+static void secmark_parse(struct xt_option_call *cb)
+{
+ struct xt_secmark_match_info *info = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_SELCTX:
+ if (strchr(cb->arg, '\n') != NULL)
+ xtables_error(PARAMETER_PROBLEM, PFX
+ "new lines not allowed in --selctx");
+ info->mode = SECMARK_MODE_SEL;
+ break;
+ }
+}
+
+static void
+secmark_print_selctx(const struct xt_secmark_match_info *info, char *str)
+{
+ switch (info->mode) {
+ case SECMARK_MODE_SEL:
+ printf(" %sselctx %s", str, info->secctx);
+ break;
+
+ default:
+ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+ }
+}
+
+static void secmark_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_secmark_match_info *info =
+ (struct xt_secmark_match_info *)match->data;
+
+ secmark_print_selctx(info, "");
+}
+
+static void secmark_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_secmark_match_info *info =
+ (struct xt_secmark_match_info *)match->data;
+
+ secmark_print_selctx(info, "--");
+}
+
+static struct xtables_match secmark_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "secmark",
+ .version = XTABLES_VERSION,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct xt_secmark_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_match_info)),
+ .help = secmark_help,
+ .print = secmark_print,
+ .save = secmark_save,
+ .x6_parse = secmark_parse,
+ .x6_options = secmark_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&secmark_match);
+}
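Review bot: .userspacesize in the secmark_match definition covers the whole struct xt_secmark_match_info, including secid, which nothing in this file ever sets; if the kernel side resolves secctx to secid at check time (secid is the only field left for it to fill), a rule read back from the kernel will never compare equal to one freshly parsed from the command line, so `iptables -D ... -m secmark --selctx ...` and iptables-restore rule comparison will fail to find the existing rule. With the field order in the header (mode, secid, secctx) the usual `.userspacesize = offsetof(struct xt_secmark_match_info, secid)` would also drop secctx from the comparison, so either move secid to the end of the struct and use offsetof there, or explain in a comment why the full size is intended. Minor: the `numeric` parameter of secmark_print is unused, and the `switch` in secmark_parse has a single case, so a plain `if (cb->entry->id == O_SELCTX)` would read more simply.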
diff --git a/extensions/libxt_secmark.man b/extensions/libxt_secmark.man
new file mode 100644
index 0000000..b38e32c
--- /dev/null
+++ b/extensions/libxt_secmark.man
@@ -0,0 +1,22 @@
+The secmark match is used to match the security mark value
+associated with a packet.
+.PP
+Only one option is available with this match which needs
+to be specified:
+.TP
+\fB\-\-selctx\fP \fIselctx\fP
+This option selects the SELinux security context (\fBselctx\fP) to
+be used for packet matching. This security context needs to have already
+been assigned to a packet by using the \fBSECMARK\fP target.
+.PP
+For this extension to be used, the appropriate SELinux support needs
+to be installed and present in the Linux kernel.
+.PP
+Examples:
+.IP
+iptables \-I INPUT \-p icmp \-\-icmp-type 3 \-m secmark \-\-selctx
+system_u:object_r:dns_packet_t:s0 \-j ACCEPT
+.IP
+iptables \-I OUTPUT \-m secmark \-\-selctx
+system_u:object_r:ssh_packet_t:s0 \-j DROP
+
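Review bot: the man page says the single option "needs to be specified" but does not say whether the match can be negated; the option table in libxt_secmark.c sets only XTOPT_MAND|XTOPT_PUT (no XTOPT_INVERT) and print/save never emit "!", so `! --selctx` is rejected, and that should be documented here (or inversion added in the code and documented as supported). Two formatting nits: the hunk ends with an empty `+` line, leaving a trailing blank line in the .man file, and `\-\-icmp-type` escapes only the leading dashes while `\-\-selctx` and the other options escape every dash; `\-\-icmp\-type` keeps the rendering consistent.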
diff --git a/include/linux/netfilter/xt_secmark.h b/include/linux/netfilter/xt_secmark.h
new file mode 100644
index 0000000..c74a35d
--- /dev/null
+++ b/include/linux/netfilter/xt_secmark.h
@@ -0,0 +1,24 @@
+#ifndef _XT_SECMARK_MATCH_H
+#define _XT_SECMARK_MATCH_H
+
+#include <linux/types.h>
+
+/*
+ * Header file for iptables xt_secmark match
+ *
+ * This is intended for use by various security subsystems (but not
+ * at the same time).
+ *
+ * 'mode' refers to the specific security subsystem which the
+ * packets are being marked for.
+ */
+#define SECMARK_MODE_SEL 0x01 /* SELinux */
+#define SECMARK_SECCTX_MAX 256
+
+struct xt_secmark_match_info {
+ __u8 mode;
+ __u32 secid;
+ char secctx[SECMARK_SECCTX_MAX];
+};
+
+#endif /* _XT_SECMARK_MATCH_H */
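Review bot: the header comment describes packets "being marked for" a security subsystem, which is what a target does; this extension only compares an already assigned mark, so reword it to say that `mode` selects which subsystem's context `secctx` is interpreted under and that `secid` is resolved from `secctx` by the kernel (if that is the design in PATCH 2/2) and is not meaningful to userspace. Stating that `secctx` must be NUL-terminated and therefore holds at most SECMARK_SECCTX_MAX-1 characters would also document the limit the userspace parser relies on. Since this file lives under include/linux/netfilter/ in the iptables tree, it must be byte-for-byte identical to the kernel UAPI header introduced by the kernel patch, so any field reordering needs to happen in both.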
11 years, 2 months
[PATCH 0/2] iptables: add secmark match
by Mr Dash Four
The secmark match is used to match the security mark value
associated with a packet. For this extension to be available, the appropriate
SELinux support needs to be installed and present in the Linux kernel.
Examples:
iptables -I INPUT -p icmp --icmp-type 3 -m secmark --selctx system_u:object_r:dns_packet_t:s0 -j ACCEPT
iptables -I OUTPUT -m secmark --selctx system_u:object_r:ssh_packet_t:s0 -j DROP
Mr Dash Four (2):
iptables (userspace): add secmark match
iptables (kernel): add secmark match
11 years, 2 months