VASD policy
by Vadym Chepkov
Hi,
I noticed just one vasd related entry found its way into SELinux policy:
# grep vasd ./serefpolicy-3.7.19/policy/modules/system/authlogin.fc
/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
vasd is part of Quest Auth Services and I wonder if somebody already has a
policy defined for it or I have to start from scratch. Quest suggested to
disable SELinux, of course.
Thanks,
Vadym
10 years, 2 months
Re: Executables in a home directory
by Dominick Grift
On Mon, 2013-08-05 at 12:47 -0400, m.roth(a)5-cent.us wrote:
> Dominick Grift wrote:
> > On Mon, 2013-08-05 at 11:16 -0400, m.roth(a)5-cent.us wrote:
> >> We've got a service (motion) that has an NFS-mounted home directory. In
> >> that directory is ./bin, and some executables. Is there a boolean to
> >> allow
> >> that to be executed, or do I have to add a policy to allow that on every
> >> system that is running the service?
> >>
> >> Btw, the system it just showed up on is a newly updated FC19.
> >>
> >> mark
> >
> > Show us avc denials please
>
> First, here's getsebool -a | grep -i nfs
>
> cobbler_use_nfs --> off
> ftpd_use_nfs --> off
> git_cgi_use_nfs --> off
> git_system_use_nfs --> off
> httpd_use_nfs --> on
> ksmtuned_use_nfs --> off
> mpd_use_nfs --> off
> nfs_export_all_ro --> on
> nfs_export_all_rw --> on
> nfsd_anon_write --> off
> polipo_use_nfs --> off
> samba_share_nfs --> off
> sanlock_use_nfs --> off
> sge_use_nfs --> off
> use_nfs_home_dirs --> on
> virt_use_nfs --> off
> xen_use_nfs --> off
>
> I've got several - here's three:
>
> type=AVC msg=audit(1375711978.360:34383): avc: denied { read } for
> pid=32095 comm="mplayer" name="2013-08-05" dev="0:38" ino=29229135
> scontext=system_u:system_r:zoneminder_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>
Where exactly is this directory "2013-08-05"?
You might be able to find it with the find command: find / -inum 29229135
But yes you would need to add rules to conditionally allow this in
theory (create a boolean zoneminder_use_nfs)
> This one is even more fun: it doesn't think bash should be allowed to
> execute mplayer (if I've got the sealert and the audit.log entry matched
> up....)
>
> type=AVC msg=audit(1375711977.280:34380): avc: denied { execute } for
> pid=32095 comm="mplayer" path="/usr/bin/mplayer" dev="sda3" ino=793612
> scontext=system_u:system_r:zoneminder_t:s0
> tcontext=system_u:object_r:mplayer_exec_t:s0 tclass=file
>
That one looks strange because it seems that mplayer executes itself. In
theory you can use audit2allow to allow this.
> Is this what you needed?
>
> mark
>
>
10 years, 7 months
Back to FC 19 AVCs
by mark
I did a full relabel of the system.
getsebool reports
use_nfs_home_dirs --> on
The dated subdirectory is in motion's home directory, owned by motion, and
NFS mounted.
And yet I get this from sealert:
SELinux is preventing /usr/bin/mplayer from read access on the directory 2013-08-14.
***** Plugin catchall (100. confidence) suggests
***************************
If you believe that mplayer should be allowed read access on the
2013-08-14 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep mplayer /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:zoneminder_t:s0
Target Context system_u:object_r:nfs_t:s0
Target Objects 2013-08-14 [ dir ]
Source mplayer
Source Path /usr/bin/mplayer
Port <Unknown>
<snip>
Platform Linux argo 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64
Alert Count 62
First Seen 2013-01-02 11:26:28 EST
Last Seen 2013-08-14 14:09:34 EDT
Local ID a01e1306-2704-45c0-813d-9bffa97c7bd1
Raw Audit Messages
type=AVC msg=audit(1376503774.334:31452): avc: denied { read } for
pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148
scontext=system_u:system_r:zoneminder_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1376503774.334:31452): avc: denied { open } for
pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38"
ino=29229148 scontext=system_u:system_r:zoneminder_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat
success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0
items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer
exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)
Hash: mplayer,zoneminder_t,nfs_t,dir,read
10 years, 7 months
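The triage Dominick describes above (locate the object behind the denial, then decide whether a rule should be unconditional or gated behind a new boolean such as zoneminder_use_nfs) and the raw audit messages in mark's follow-up can be worked through with a small script. This is an added example written for this page, not code from the list, from audit2allow or from the Fedora policy: it parses `type=AVC` records, prints the same `Hash:` line sealert does, merges the denials into audit2allow-style allow rules, and drafts a local .te module in which every rule whose target type is nfs_t is wrapped in a tunable_policy() block guarded by the boolean. The sample input is the thread's own three AVC lines re-joined onto single lines; the module name zoneminder_local is an assumption, and the generated .te assumes the refpolicy macros shipped in selinux-policy-devel (built with `make -f /usr/share/selinux/devel/Makefile`).

```python
"""Triage SELinux AVC denials the way the thread does by hand.

Added example for this page; not code from the Fedora SELinux list,
from audit2allow or from the distribution policy.
"""
import re
from collections import OrderedDict

# Constructed sample: the denials quoted in the thread, re-joined onto one
# line each (the list archive wrapped them), plus one non-AVC record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1375711978.360:34383): avc: denied { read } for pid=32095 comm="mplayer" name="2013-08-05" dev="0:38" ino=29229135 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1375711977.280:34380): avc: denied { execute } for pid=32095 comm="mplayer" path="/usr/bin/mplayer" dev="sda3" ino=793612 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:mplayer_exec_t:s0 tclass=file
type=AVC msg=audit(1376503774.334:31452): avc: denied { open } for pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type:level -> type; the MLS range may add more colons."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for a denied AVC record, None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "target": fields.get("path") or fields.get("name") or "",
    }


def parse_audit(text):
    return [a for a in (parse_avc(l) for l in text.splitlines()) if a]


def sealert_hash(avc):
    """The 'Hash:' line sealert prints: comm,source,target,class,perm."""
    return ["%s,%s,%s,%s,%s" % (avc["comm"], avc["stype"], avc["ttype"],
                                avc["tclass"], p) for p in avc["perms"]]


def merge_rules(avcs):
    """Collapse denials into (stype, ttype, tclass) -> set of permissions."""
    rules = OrderedDict()
    for a in avcs:
        rules.setdefault((a["stype"], a["ttype"], a["tclass"]), set()).update(a["perms"])
    return rules


def allow_rule(key, perms):
    """One audit2allow-style allow statement."""
    stype, ttype, tclass = key
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, body)


def draft_module(avcs, name, tunables):
    """Draft a refpolicy-style .te module.  `tunables` maps a target type to
    the boolean that should guard access to it, e.g. {"nfs_t": "zoneminder_use_nfs"}
    (that boolean name is an assumption taken from the thread, not a real one)."""
    rules = merge_rules(avcs)
    types = sorted({t for k in rules for t in k[:2]})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = ["policy_module(%s, 1.0)" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out.append("}")
    for boolean in sorted(set(tunables.values())):
        out += ["", "gen_tunable(%s, false)" % boolean]   # default off, like use_nfs_home_dirs
    unconditional = [allow_rule(k, p) for k, p in rules.items() if k[1] not in tunables]
    if unconditional:
        out += [""] + unconditional
    for ttype, boolean in sorted(tunables.items()):
        guarded = [allow_rule(k, p) for k, p in rules.items() if k[1] == ttype]
        if guarded:
            out += ["", "tunable_policy(`%s',`" % boolean] + ["\t" + r for r in guarded] + ["')"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    avcs = parse_audit(SAMPLE_AUDIT)
    for a in avcs:
        print("Hash: " + "; ".join(sealert_hash(a)) + "  (" + a["target"] + ")")
    print(draft_module(avcs, "zoneminder_local", {"nfs_t": "zoneminder_use_nfs"}))
```

The execute denial on mplayer_exec_t is emitted as a plain allow because it targets a local file, but note what that rule does: without a domain transition, mplayer keeps running as zoneminder_t, so every rule drafted this way widens zoneminder_t itself. Read the generated module before installing it rather than feeding the whole audit log to audit2allow, and keep the boolean defaulting to off so a host that does not keep motion's data on NFS never gains the access.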
Sosreport Fedora 19
by David Highley
Lots of avc for sosreport in Fedora 19.
type=SYSCALL msg=audit(1376177902.497:110): arch=c000003e syscall=16
success=no exit=-65 a0=3 a1=8940 a2=7fff72ed5bf0 a3=7fff72ed59a0 items=0
ppid=3710 pid=3736 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="brctl"
exe="/usr/sbin/brctl" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1376177902.497:110): avc: denied { module_request }
for pid=3736 comm="brctl" kmod="bridge"
scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1376177902.968:111): arch=c000003e syscall=6
success=no exit=-13 a0=7fff425f9af0 a1=1dcd140 a2=1dcd140 a3=fffff800
items=0 ppid=3710 pid=3764 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ls"
exe="/usr/bin/ls" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1376177902.968:111): avc: denied { getattr } for
pid=3764 comm="ls" path="/dev/initctl" dev="devtmpfs" ino=8906
scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1376177902.980:112): arch=c000003e syscall=6
success=no exit=-13 a0=7fff425f9af0 a1=1ddbb30 a2=1ddbb30 a3=fffffff8
items=0 ppid=3710 pid=3764 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ls"
exe="/usr/bin/ls" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1376177902.980:112): avc: denied { getattr } for pid=3764 comm="ls" path="/dev/pts/ptmx" dev="devpts" ino=2
scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1376177903.375:113): arch=c000003e syscall=4
success=no exit=-13 a0=2051cb0 a1=7fff82adf0c0 a2=7fff82adf0c0 a3=0
items=0 ppid=3710 pid=3772 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="df"
exe="/usr/bin/df" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1376177903.375:113): avc: denied { getattr } for
pid=3772 comm="df" path="/sys/fs/pstore" dev="pstore" ino=9238
scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tcontext=system_u:object_r:pstorefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1376177903.408:114): arch=c000003e syscall=4
success=no exit=-13 a0=2052470 a1=7fff82adf0c0 a2=7fff82adf0c0 a3=0
items=0 ppid=3710 pid=3772 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="df"
exe="/usr/bin/df" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1376177903.408:114): avc: denied { getattr } for
pid=3772 comm="df" path="/sys/kernel/config" dev="configfs" ino=15409
scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1376177904.575:115): arch=c000003e syscall=41
success=no exit=-13 a0=10 a1=80803 a2=f a3=d2be50 items=0 ppid=3710
pid=3803 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 ses=4294967295 tty=(none) comm="lsusb" exe="/usr/bin/lsusb"
subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1376177904.575:115): avc: denied { create } for
pid=3803 comm="lsusb"
scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tclass=netlink_kobject_uevent_socket
type=SYSCALL msg=audit(1376177904.650:116): arch=c000003e syscall=41
success=no exit=-13 a0=10 a1=80803 a2=f a3=1697e50 items=0 ppid=3710
pid=3804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 ses=4294967295 tty=(none) comm="lsusb" exe="/usr/bin/lsusb"
subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1376177904.650:116): avc: denied { create } for
pid=3804 comm="lsusb"
scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tclass=netlink_kobject_uevent_socket
type=SYSCALL msg=audit(1376180405.316:271): arch=c000003e syscall=41
success=no exit=-13 a0=2 a1=3 a2=ff a3=7fffde20a870 items=0 ppid=3710
pid=6315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 ses=4294967295 tty=(none) comm="iptables"
exe="/usr/sbin/xtables-multi"
subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1376180405.316:271): avc: denied { create } for
pid=6315 comm="iptables"
scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tclass=rawip_socket
type=SYSCALL msg=audit(1376180405.317:272): arch=c000003e syscall=41
success=no exit=-13 a0=2 a1=3 a2=ff a3=7fffde20a810 items=0 ppid=3710
pid=6315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 ses=4294967295 tty=(none) comm="iptables" exe="/usr/sbin/xtables-multi"
subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1376180405.317:272): avc: denied { create } for
pid=6315 comm="iptables"
scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tclass=rawip_socket
type=SYSCALL msg=audit(1376180405.323:273): arch=c000003e syscall=41
success=no exit=-13 a0=2 a1=3 a2=ff a3=7fffec93d130 items=0 ppid=3710
pid=6316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 ses=4294967295 tty=(none) comm="iptables"
exe="/usr/sbin/xtables-multi"
subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1376180405.323:273): avc: denied { create } for
pid=6316 comm="iptables"
scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tclass=rawip_socket
type=SYSCALL msg=audit(1376180405.323:274): arch=c000003e syscall=41
success=no exit=-13 a0=2 a1=3 a2=ff a3=7fffec93d0d0 items=0 ppid=3710
pid=6316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 ses=4294967295 tty=(none) comm="iptables"
exe="/usr/sbin/xtables-multi"
subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1376180405.323:274): avc: denied { create } for
pid=6316 comm="iptables"
scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
tclass=rawip_socket
type=SYSCALL msg=audit(1376180405.697:281): arch=c000003e syscall=89
success=no exit=-13 a0=7fffa26e89e0 a1=7fffa26e87c0 a2=1d a3=3 items=0
ppid=3710 pid=6324 a
10 years, 7 months
FC19, AVC mailx
by mark
SELinux is preventing /usr/bin/mailx from ioctl access on the unix_stream_socket unix_stream_socket.
***** Plugin catchall (100. confidence) suggests
***************************
If you believe that mailx should be allowed ioctl access on the unix_stream_socket unix_stream_socket by default.
<snip>
Additional Information:
Source Context system_u:system_r:system_mail_t:s0
Target Context system_u:system_r:init_t:s0
Target Objects unix_stream_socket [ unix_stream_socket ]
Source mail
Source Path /usr/bin/mailx
Port <Unknown>
<snip>
Source RPM Packages mailx-12.5-8.fc19.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-69.fc19.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
<snip>
Platform Linux <...> 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64
Alert Count 53
First Seen 2013-07-31 09:17:16 EDT
Last Seen 2013-08-20 09:06:53 EDT
Local ID c515e3ea-2126-47ac-9d89-5295777101e7
Raw Audit Messages
type=AVC msg=audit(1377004013.420:62309): avc: denied { ioctl } for
pid=31047 comm="mail" path="socket:[12915]" dev="sockfs" ino=12915
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1377004013.420:62309): arch=x86_64 syscall=ioctl
success=no exit=ENOTTY a0=1 a1=5401 a2=7fff8006f380 a3=7fff8006f1d0
items=0 ppid=31031 pid=31047 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mail
exe=/usr/bin/mailx subj=system_u:system_r:system_mail_t:s0 key=(null)
Hash: mail,system_mail_t,init_t,unix_stream_socket,ioctl
mark "call me befuddled"
10 years, 7 months
Running Tor Browser Bundle in a sandbox
by fedorauser
Hi!
since F19 my default browser is
'sandbox -X -t sandbox_web_t firefox %u'
which makes me feel a little bit more comfortable when browsing the
web without NoScript enabled.
Now I'd like to also move the Tor Browser Bundle [1] into a sandbox,
has anyone tried to do that yet?
Besides outgoing connections TBB will also try to open two listeners
at 127.0.0.1:9150 and 127.0.0.1:9151.
So far a simple test failed:
cd tor-browser_en-US-3.0-alpha-3
sandbox -X -H . -t sandbox_net_t ./start-tor-browser
Error: Tor Browser exited abnormally. Exit code: 127
Is there another sandbox type (-t) that would be more appropriate for
this?
Does sandbox_net_t allow to open local listeners (9150+9151)?
thanks!
[1] https://archive.torproject.org/tor-package-archive/torbrowser/3.0a3/
10 years, 7 months
Splunk Policy
by Robert Gabriel
Greetz,
So I have cobbled together a basic policy for Splunk residing
in /opt/splunkdashboards/.
I followed Dan's blog to do the basics.
So I've added all the AVC messages to the splunkdashboards.te and restarted
Splunk with run_init...
Now, no more AVC messages but after a few seconds Splunk crashes.
Nothing in the debug log.
There is a crash log, seems to be a different thread each time crashing.
If I use the browser UI to work with Splunk, it does a few tasks then
something about
"Helper process is in an unknown state due to previous failure"
and then bang!
Seems to be thread permissions?
I'm lost, nothing in the log and no more AVC messages, where to from here?
I have tried so hard so far, I don't want to be a coward now and hit "setenforce 0".
I must learn how to do this.
I'm unsure as to mailing list etiquette, do I post all the policy files,
Splunk log etc.?
Please advise.
Any help appreciated, thank you.
10 years, 7 months
sandbox selinux-policy module disabled by default in F19
by Fl@sh
$ sandbox -t sandbox_min_t htop
ERROR: could not find datum for type sandbox_t
/bin/sandbox: Sandbox Policy is currently disabled.
You need to enable the policy by executing the following as
root
# semodule -e sandbox
$ su -c 'semodule -l | grep sand'
sandbox 1.0.0 Disabled
sandboxX 1.0.0
PS: htop used as example there
After updating/reinstalling the selinux-policy-targeted package, this
module is disabled again.
In F17 this module was enabled.
The question is whether this module will now always be disabled by
default, or whether this is a temporary solution?
--
Fl@sh
10 years, 7 months
FC19 - back to mplayer
by mark
I relabelled the system a week or so ago. After googling, I see that
Zoneminder is a motion detector, etc.
0. rpm -qa | grep -i zonemind reports that Zoneminder is not installed.
1. We *do* run both motion, which I presume is *like* zoneminder, and
mplayer.
2. I see that motion is zoneminder_t (not sure why) and mplayer is
mplayer_exec_t
I don't remember any of this in FC17. So:
- should I change the fcontext of mplayer?
- should I add it (Unix-wise) to the motion group? or
- should I just give up and create a local policy?
mark
10 years, 8 months