Initial context for init
by Philip Seeley
Hi all,
Quick question is:
In the targeted policy should init run SystemHigh as it does in the mls
policy?
The background:
We're setting up a targeted system where we confine all users and remove
the unconfined policy module, but we also enable polyinstantiation of /tmp
and /var/tmp.
If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we
have a context of:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
And therefore /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp
Which is really:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil
The real /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
Now if we use run_init to update an RPM that contains a post install
script, rpm can't create the temporary script file:
# run_init bash -c 'rpm -i --force /root/libselinux-2.0.94-7.el6.x86_64.rpm'
Authenticating phil.
Password:
error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission denied
error: Couldn't create temporary file for %post (libselinux-2.0.94-7.el6.x86_64): Permission denied
Note: you need to use run_init as the rpm might restart a service, e.g. the
sssd rpm.
We've traced this to the /etc/selinux/targeted/contexts/initrc_context file
which contains:
system_u:system_r:initrc_t:s0
So we transition to initrc_t and then to rpm_t without any categories, but
because the polyinstantiated /var/tmp directory has c0.c1023 we get denied.
Normally in targeted init runs unconfined, but we've removed this.
type=AVC msg=audit(1467342325.016:716): avc: denied { read } for pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil" dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir
It works if we change initrc_context to:
system_u:system_r:initrc_t:s0-s0:c0.c1023
We don't see the issue under mls because the default initrc_context is:
system_u:system_r:initrc_t:s0-s15:c0.c1023
We've traced this back through the selinux-policy src RPM and to the
upstream refpolicy and see that config/appconfig-mcs/initrc_context is:
system_u:system_r:initrc_t:s0
whereas config/appconfig-mls/initrc_context is:
system_u:system_r:initrc_t:s0-mls_systemhigh
So under mls init's context is SystemHigh, but under mcs/targeted it
doesn't have any categories.
So the long question is should config/appconfig-mcs/initrc_context really
be:
system_u:system_r:initrc_t:mcs_systemhigh
as it seems odd that the more secure mls policy would run init at
SystemHigh but targeted doesn't.
Thanks
Phil Seeley
4 years, 8 months
Re: Controlling execution of Java JAR files with SELinux RBAC
by Philip Seeley
Hi Bill,
My understanding was that the "user" range was the possible range and the
"login" range was what was allowed for a user.
I think this is actually wrong, as in CentOS6/RHEL6 you seem to be
restricted to the context you login with and get a "process.transition"
denial if a user_t tries to change their context, e.g. with runcon:
[jack@centos6 ~]$ runcon -l s0:c1 bash
runcon: bash: Permission denied
This doesn't seem to be the case for later versions, specifically Fedora 25
that I've tried with. In this case you seem to need different SELinux
users:
[root@laptop ~]# semanage user -a -R user_r -r s0:c0 jack_u
[root@laptop ~]# semanage user -a -R user_r -r s0:c1 mary_u
[root@laptop ~]# semanage login -a -s jack_u -r s0:c0 jack
[root@laptop ~]# semanage login -a -s mary_u -r s0:c1 mary
Then you can't change the context due to it being invalid:
[jack@centos6 ~]$ id
uid=500(jack) gid=500(jack) groups=500(jack)
context=jack_u:user_r:user_t:s0:c0
[jack@centos6 ~]$ runcon -l s0:c1 bash
runcon: invalid context: jack_u:user_r:user_t:s0:c1: Invalid argument
This latter approach worked for me on all versions of the OS and I would
say is the more correct approach.
Hope that helps.
Phil
From: Bill D <littus(a)icloud.com>
To: Philip Seeley <pseeley(a)au1.ibm.com>
Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
Date: 31/05/2017 09:50
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
Hello Phil:
Thank you for the information and the explanation of the "+" option--it
makes sense.
I have one concern... Notice that initially user_u's MCS settings is s0
which I believe it is the lowest category.
But in order to set up new categories for constraining access to JAR files,
we must change user_u's MCS settings to s0-s0:c0.c1023 with the following
command:
# semanage user -m -r s0-s0:c0.c1023 user_u
Doesn't it mean that we are elevating user_u's category privileges?
Is it possible to attain the desired effect without having to elevate
user_u's category privileges?
Thank you & Best Regards,
Bill
On 05/29/2017 08:27 PM, Philip Seeley wrote:
Hi Bill,
Good news.
The "+" will add to any existing categories already given to the
login, which in your initial case was SystemLow-SystemHigh, so had no
effect. If it was initially SystemLow then it would have done the
desired thing.
For platforms newer than CentOS6/RHEL6, then you can make the user_t
domain MCS constrained with:
[root@laptop ~]# cat mcsconstrainedusers.te
policy_module(mcsconstrainedusers, 1.0.0)

gen_require(`
        type user_t;
')

mcs_constrained(user_t);
Compiling this under Fedora 25 gave a bunch of warnings, but the
module installed OK and gave the desired effect. I've not had time to
look into the warnings, sorry.
[root@laptop ~]# make -f /usr/share/selinux/devel/Makefile
/usr/share/selinux/devel/include/contrib/container.if:14: Error: duplicate definition of container_runtime_domtrans(). Original definition on 14.
/usr/share/selinux/devel/include/contrib/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
<snip>...
/usr/share/selinux/devel/include/contrib/container.if:589: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 589.
/usr/share/selinux/devel/include/contrib/container.if:603: Error: duplicate definition of container_spc_read_state(). Original definition on 603.
Compiling targeted mcsconstrainedusers module
/usr/bin/checkmodule: loading policy configuration from tmp/mcsconstrainedusers.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/mcsconstrainedusers.mod
Creating targeted mcsconstrainedusers.pp policy package
rm tmp/mcsconstrainedusers.mod tmp/mcsconstrainedusers.mod.fc
[root@laptop ~]# semodule -i mcsconstrainedusers.pp
[root@laptop ~]#
Cheers
Phil
From: Bill Durant <littus(a)icloud.com>
To: Philip Seeley <pseeley(a)au1.ibm.com>
Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
Date: 30/05/2017 07:01
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
Hello Phil:
Setting the categories instead of adding them with the "+" worked!
So it sounds like the chcat "+" option is not working as expected on
CentOS 6.9. Do you concur?
Thank you for your help Phil.
The following series of steps show that it now works as expected:
# uname -a
Linux es300h 2.6.32-696.1.1.el6.x86_64 #1 SMP Tue Apr 11 17:13:24 UTC
2017 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/redhat-release
CentOS release 6.9 (Final)
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       s0         s0                             git_shell_r
green_u         user       s0         s0                             green_r
guest_u         user       s0         s0                             guest_r
red_u           user       s0         s0                             red_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
# semanage user -m -r s0-s0:c0.c1023 user_u
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       s0         s0                             git_shell_r
green_u         user       s0         s0                             green_r
guest_u         user       s0         s0                             guest_r
red_u           user       s0         s0                             red_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0-s0:c0.c1023                 user_r
xguest_u        user       s0         s0                             xguest_r
# cat /etc/selinux/targeted/setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
# service mcstrans restart
Stopping mcstransd: [ OK ]
Starting mcstransd: [ OK ]
# chcat -L
s0:c0 NetworkAdministrator
s0:c1 Operator
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
# useradd foo
# useradd bar
# passwd foo
Changing password for user foo.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# passwd bar
Changing password for user bar.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a foo
# semanage login -a bar
# chcat -l -- c0 foo
# chcat -l -- c1 bar
# semanage login -l

Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         SystemLow-SystemHigh
bar                  user_u               SystemLow-Operator
foo                  user_u               SystemLow-NetworkAdministrator
root                 unconfined_u         SystemLow-SystemHigh
system_u             system_u             SystemLow-SystemHigh
# chcat -L -l foo bar
foo: NetworkAdministrator
bar: Operator
# chcat -- +NetworkAdministrator /usr/local/soup/bin/foo.jar
# ls -Z /usr/local/soup/bin/foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/foo.jar
Now as the Linux user, foo, it works as expected:
$ whoami
foo
$ id -Z
user_u:user_r:user_t:SystemLow-NetworkAdministrator
$ java -jar /usr/local/soup/bin/foo.jar
Hello from the foo application
Now as the Linux user, bar, it also works as expected:
$ whoami
bar
$ id -Z
user_u:user_r:user_t:SystemLow-Operator
$ java -jar /usr/local/soup/bin/foo.jar
Error: Unable to access jarfile /usr/local/soup/bin/foo.jar
Regards,
Bill
On 05/28/2017 05:22 PM, Philip Seeley wrote:
Hi Bill,
I saw in a previous post that you were using CentOS 6.9
so this should work for you. It looks like the login
configuration is not quite right as both users are
showing SystemLow-SystemHigh when they logon.
Check the login config shows they only have the
categories they need, i.e. jack has c0 and mary has c1.
If they're not correct try setting the categories rather
than adding to them with a "+":
[root@centos6 ~]# chcat -l -- c0 jack
[root@centos6 ~]# chcat -l -- c1 mary
[root@centos6 ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         s0-s0:c0.c1023
jack                 user_u               s0-s0:c0
mary                 user_u               s0-s0:c1
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
Then with:
# ll -Z /usr/local/bin/
-rw-r--r--. root root unconfined_u:object_r:bin_t:s0:c0 jack
-rw-r--r--. root root unconfined_u:object_r:bin_t:s0:c1 mary
[root@centos6 ~]# cat /etc/system-release
CentOS release 6.9 (Final)
as jack:
[jack@centos6 ~]$ id
uid=500(jack) gid=500(jack) groups=500(jack)
context=user_u:user_r:user_t:s0-s0:c0
[jack@centos6 ~]$ cat /usr/local/bin/jack
Hi
[jack@centos6 ~]$ cat /usr/local/bin/mary
cat: /usr/local/bin/mary: Permission denied
and as mary:
[mary@centos6 ~]$ id
uid=501(mary) gid=501(mary) groups=501(mary)
context=user_u:user_r:user_t:s0-s0:c1
[mary@centos6 ~]$ cat /usr/local/bin/jack
cat: /usr/local/bin/jack: Permission denied
[mary@centos6 ~]$ cat /usr/local/bin/mary
Hi
Cheers
Phil
From: Bill D <littus(a)icloud.com>
To: Philip Seeley <pseeley(a)au1.ibm.com>
Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
Date: 26/05/2017 05:19
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
Hello Phil:
Thank you for the response. Your suggested fix resolved the error.
However, I am unable to get the desired effect.
I am not able to prevent a Linux user from running/accessing a Java JAR file using SELinux categories.
I would appreciate any other hints to make this work.
Following are the details of what I did:
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow                      user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r
# semanage user -m -r s0-s0:c0.c1023 user_u
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow-SystemHigh           user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r
# cat setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
# service mcstrans restart
Stopping mcstransd: [ OK ]
Starting mcstransd: [ OK ]
# chcat -L
s0:c0 NetworkAdministrator
s0:c1 Operator
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
# useradd foo
# useradd bar
# passwd foo
Changing password for user foo.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# passwd bar
Changing password for user bar.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a foo
# semanage login -a bar
# chcat -l -- +NetworkAdministrator foo
# chcat -l -- +Operator bar
# chcat -L -l bar foo
bar: s0:c0.c1023,c1 <===== why is it not just s0:c1?
foo: s0:c0.c1023,c0 <===== why is it not just s0:c0?
# chcat -- +NetworkAdministrator /usr/local/soup/bin/Foo.jar
# ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
Now Login as the 'foo' Linux user and notice that it can run Foo.jar as expected
$ whoami
foo
$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh
$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo
Now login as the 'bar' Linux user and notice that it can also run Foo.jar which is NOT expected
$ whoami
bar
$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh
$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo
Why is Linux user 'bar' able to run/access Foo.jar when its category doesn't match Foo.jar's category?
Following is how to create the Foo.jar file:
$ cat Foo.java
public class Foo {
    public static void main(String[] args) {
        System.out.println("Hello Foo");
    }
}
$ cat manifest.txt
Main-Class:
$ javac Foo.java
$ jar cvfe Foo.jar Foo Foo.class
added manifest
adding: Foo.class(in = 409) (out= 282)(deflated 31%)
Best Regards,
Bill
On 05/24/2017 04:39 PM, Philip Seeley wrote:
Hi Bill,
I think this was my mistake in transcribing. The user_u line after the "semanage user -m" command should be:
user_u          user       SystemLow  SystemLow-SystemHigh           user_r
So the command should have been:
semanage user -m -r s0-s0:c0.c1023 user_u
Or even:
semanage user -m -r SystemLow-SystemHigh user_u
Apologies for that.
Phil
From: Bill D <littus(a)icloud.com>
To: Philip Seeley <pseeley(a)au1.ibm.com>
Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
Date: 25/05/2017 02:28
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
Hello Phil,
I have tried your suggestion of extending the user_u definition without success:
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow                      user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r
# semanage user -m -r s0:c0.c1023 user_u
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemHigh                     user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r
# useradd kate
# passwd kate
Changing password for user kate.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a kate
libsemanage.validate_handler: MLS range s0 for Unix user regularuser exceeds allowed range s0:c0.c1023 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [regularuser -> (user_u, s0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
I would greatly appreciate any other hints to make this work.
Regards,
Bill
On 5/23/2017 8:42 PM, Philip Seeley wrote:
Hi Bill,
This is probably because the default RHEL6 configuration
does not include any categories in the user_u SELinux user's
range:
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
You probably have to extend the user definition to include
the categories you're using. As an example, this gives all
categories:
# semanage user -m -r s0:c0.c1023 user_u
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0:c0.c1023                    user_r
Hope that helps.
Phil
From: Bill Durant <littus(a)icloud.com>
To: Philip Seeley <pseeley(a)au1.ibm.com>
Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
Date: 24/05/2017 12:34
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
Hello Phil:
Thank you for the suggestion. I have tried the steps from
the URL that you provided without success.
I get an error when I try to assign Linux user mary to an
SELinux login as follows:
# cat /etc/redhat-release
CentOS release 6.9 (Final)
;;; Add "s0:c0=NetworkAdministrator" and "s0:c1=Operator" to /etc/selinux/targeted/setrans.conf
# cat /etc/selinux/targeted/setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
# service mcstrans start
# chcat -L
s0:c0 NetworkAdministrator
s0:c1 Operator
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
# useradd mary
# passwd mary
Changing password for user mary.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a mary
# chcat -l -- +NetworkAdministrator mary
libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user mary exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [mary -> (user_u, s0-s0:c0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
I would appreciate any hints on how to resolve that error.
Thanks!
Bill
On 05/23/2017 05:49 PM, Philip Seeley wrote:
Hi Bill,
Have you thought about using
categories?
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstar...
Cheers
Phil
From: Bill D <littus(a)icloud.com>
To: selinux(a)lists.fedoraproject.org
Cc: littus(a)icloud.com
Date: 24/05/2017 09:52
Subject: Controlling execution of Java JAR files with SELinux RBAC
Greetings:
I have been trying to figure out how to control the execution of Java JAR files with SELinux RBAC.
I have two Linux users named joe and mary and two Java JAR files named jack.jar and mary.jar.
Here is how jack executes jack.jar: java -jar jack.jar
Here is how mary executes mary.jar: java -jar mary.jar
I would like SELinux RBAC to prevent jack from executing mary.jar and prevent mary from executing jack.jar.
How to configure SELinux RBAC to make that happen?
I have tried various approaches without success. I have also tried the steps in http://forums.fedoraforum.org/archive/index.php/t-222938.html without success.
I would greatly appreciate any hints.
Regards,
Bill
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
6 years, 10 months
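Both threads above come down to the same piece of MCS arithmetic: Phil's rpm_t process at s0 cannot read a polyinstantiated /var/tmp labelled s0-s0:c0.c1023, Bill's user bar at SystemLow-SystemHigh can read a JAR labelled s0:c0, libsemanage rejects a login range that falls outside its SELinux user's range, and chcat's "+" unions new categories into whatever the login already holds. The Python below is an added example written for this page, not code from either poster, from refpolicy or from libselinux. It re-implements level and range parsing plus the dominance rule, and it deliberately simplifies: the file check is modelled only as "subject's high level dominates the object's high level" (the mcsreadall and unconfined exemptions in the real constraint are left out), and category sets are normalised, so the "s0:c0.c1023,c1" string chcat printed in the thread comes out as the equivalent "s0:c0.c1023". The contexts and ranges in the demo are the ones quoted on the page.

```python
"""Model of the SELinux MCS checks seen in the thread (added example,
not libselinux code).  Only the dominance rule is implemented."""
import re

MAX_CAT = 1023


def parse_level(level):
    """Parse one level such as 's0', 's0:c0' or 's0:c0.c1023,c5' into
    (sensitivity, frozenset of category numbers)."""
    sens_part, _, cat_part = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens_part)
    if not m:
        raise ValueError(f"bad sensitivity in {level!r}")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        m2 = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not m2:
            raise ValueError(f"bad category in {level!r}")
        lo, hi = int(m2.group(1)), int(m2.group(2) or m2.group(1))
        if not 0 <= lo <= hi <= MAX_CAT:
            raise ValueError(f"bad category range in {level!r}")
        cats.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(cats)


def parse_range(mls):
    """'s0-s0:c0.c1023' -> (low, high); a lone level means low == high."""
    low, _, high = mls.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def format_level(level):
    """Inverse of parse_level; consecutive categories collapse to 'cN.cM'."""
    sens, cats = level
    ordered, runs, i = sorted(cats), [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        runs.append(f"c{ordered[i]}" if i == j else f"c{ordered[i]}.c{ordered[j]}")
        i = j + 1
    return f"s{sens}" + (":" + ",".join(runs) if runs else "")


def format_range(rng):
    low, high = rng
    return format_level(low) if low == high else f"{format_level(low)}-{format_level(high)}"


def dominates(a, b):
    """MLS dominance: a is at least as sensitive and holds a superset of b's categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def range_of(context):
    """The MLS/MCS field of 'user:role:type:range'; the range itself may contain ':'."""
    return context.split(":", 3)[3]


def mcs_file_access_allowed(scontext, tcontext):
    """Simplified refpolicy MCS file constraint: the subject's high level must
    dominate the object's high level.  Exemptions (mcsreadall, unconfined
    domains) are not modelled."""
    _, subj_high = parse_range(range_of(scontext))
    _, obj_high = parse_range(range_of(tcontext))
    return dominates(subj_high, obj_high)


def login_range_valid(login_range, user_range):
    """What libsemanage checks when a login is mapped to an SELinux user:
    the login's range must lie inside the SELinux user's range."""
    login_low, login_high = parse_range(login_range)
    user_low, user_high = parse_range(user_range)
    return dominates(login_low, user_low) and dominates(user_high, login_high)


def chcat_login(current_range, cats, add=True):
    """Model of chcat -l: '+cN' unions cats into the existing high level,
    a bare 'cN' replaces it.  Returns the normalised new range."""
    low, (sens, old_cats) = parse_range(current_range)
    new_cats = (old_cats | frozenset(cats)) if add else frozenset(cats)
    return format_range((low, (sens, new_cats)))


if __name__ == "__main__":
    # Contexts below are the ones quoted in the thread.
    cases = [
        ("rpm_t at s0 vs polyinstantiated /var/tmp",
         mcs_file_access_allowed("system_u:system_r:rpm_t:s0",
                                 "system_u:object_r:tmp_t:s0-s0:c0.c1023")),
        ("rpm_t with the changed initrc_context",
         mcs_file_access_allowed("system_u:system_r:rpm_t:s0-s0:c0.c1023",
                                 "system_u:object_r:tmp_t:s0-s0:c0.c1023")),
        ("bar at SystemLow-SystemHigh vs Foo.jar at s0:c0",
         mcs_file_access_allowed("user_u:user_r:user_t:s0-s0:c0.c1023",
                                 "system_u:object_r:bin_t:s0:c0")),
        ("bar at s0-s0:c1 vs Foo.jar at s0:c0",
         mcs_file_access_allowed("user_u:user_r:user_t:s0-s0:c1",
                                 "system_u:object_r:bin_t:s0:c0")),
        ("login mary s0-s0:c0 under user_u range s0", login_range_valid("s0-s0:c0", "s0")),
        ("login kate s0 under user_u range s0:c0.c1023", login_range_valid("s0", "s0:c0.c1023")),
    ]
    for label, result in cases:
        print(f"{label}: {'allowed' if result else 'denied'}")
    print("chcat + on SystemLow-SystemHigh:", chcat_login("s0-s0:c0.c1023", [0]))
    print("chcat set c1 on s0:", chcat_login("s0", [1], add=False))
```

Running the file prints one line per case; the first, third and last two login cases reproduce the denials and the libsemanage rejections seen in the thread, and the chcat "+" line shows why adding a category to a SystemLow-SystemHigh login changes nothing, which is exactly why setting the categories instead of adding them was the fix.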
Controlling execution of Java JAR files with SELinux RBAC
by Bill D
Greetings:
I have been trying to figure out how to control the execution of Java
JAR files with SELinux RBAC.
I have two Linux users named joe and mary and two Java JAR files named
jack.jar and mary.jar.
Here is how jack executes jack.jar: java -jar jack.jar
Here is how mary executes mary.jar: java -jar mary.jar
I would like SELinux RBAC to prevent jack from executing mary.jar and
prevent mary from executing jack.jar.
How to configure SELinux RBAC to make that happen?
I have tried various approaches without success. I have also tried the
steps in http://forums.fedoraforum.org/archive/index.php/t-222938.html
without success.
I would greatly appreciate any hints.
Regards,
Bill
6 years, 10 months
Re: Controlling execution of Java JAR files with SELinux RBAC
by Bill D
Hello Phil:
Thank you for the response. Your suggested fix resolved the error.
However, I am unable to get the desired effect.
I am not able to prevent a Linux user from running/accessing a Java JAR
file using SELinux categories.
I would appreciate any other hints to make this work.
Following are the details of what I did:
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow                      user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r
# semanage user -m -r s0-s0:c0.c1023 user_u
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow-SystemHigh           user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r
# cat setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
# service mcstrans restart
Stopping mcstransd: [ OK ]
Starting mcstransd: [ OK ]
# chcat -L
s0:c0 NetworkAdministrator
s0:c1 Operator
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
# useradd foo
# useradd bar
# passwd foo
Changing password for user foo.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# passwd bar
Changing password for user bar.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a foo
# semanage login -a bar
# chcat -l -- +NetworkAdministrator foo
# chcat -l -- +Operator bar
# chcat -L -l bar foo
bar: s0:c0.c1023,c1 <===== why is it not just s0:c1?
foo: s0:c0.c1023,c0 <===== why is it not just s0:c0?
# chcat -- +NetworkAdministrator /usr/local/soup/bin/Foo.jar
# ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
Now Login as the 'foo' Linux user and notice that it can run Foo.jar as expected
$ whoami
foo
$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh
$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo
Now login as the 'bar' Linux user and notice that it can also run Foo.jar which is NOT expected
$ whoami
bar
$ id -Z
user_u:user_r:user_t:SystemLow-SystemHigh
$ ls -Z /usr/local/soup/bin/Foo.jar
-rwxr-xr-x. admin admin system_u:object_r:bin_t:NetworkAdministrator /usr/local/soup/bin/Foo.jar
$ java -jar /usr/local/soup/bin/Foo.jar
Hello Foo
Why is Linux user 'bar' able to run/access Foo.jar when its category doesn't match Foo.jar's category?
Following is how to create the Foo.jar file:
$ cat Foo.java
public class Foo {
    public static void main(String[] args) {
        System.out.println("Hello Foo");
    }
}
$ cat manifest.txt
Main-Class:
$ javac Foo.java
$ jar cvfe Foo.jar Foo Foo.class
added manifest
adding: Foo.class(in = 409) (out= 282)(deflated 31%)
Best Regards,
Bill
On 05/24/2017 04:39 PM, Philip Seeley wrote:
>
> Hi Bill,
>
> I think this was my mistake in transcribing. The user_u line after the
> "semanage user -m" command should be:
>
> user_u          user       SystemLow  SystemLow-SystemHigh           user_r
>
> So the command should have been:
>
> semanage user -m -r s0-s0:c0.c1023 user_u
>
> Or even:
>
> semanage user -m -r SystemLow-SystemHigh user_u
>
> Apologies for that.
>
> Phil
>
>
> From: Bill D <littus(a)icloud.com>
> To: Philip Seeley <pseeley(a)au1.ibm.com>
> Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
> Date: 25/05/2017 02:28
> Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
>
> ------------------------------------------------------------------------
>
>
>
> Hello Phil,
>
> I have tried your suggestion of extending the user_u definition
> without success:
>
> # semanage user -l
>
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
>
> git_shell_u     user       SystemLow  SystemLow                      git_shell_r
> guest_u         user       SystemLow  SystemLow                      guest_r
> root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
> system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> user_u          user       SystemLow  SystemLow                      user_r
> xguest_u        user       SystemLow  SystemLow                      xguest_r
>
> # semanage user -m -r s0:c0.c1023 user_u
>
> # semanage user -l
>
>                 Labeling   MLS/         MLS/
> SELinux User    Prefix     MCS Level    MCS Range              SELinux Roles
>
> git_shell_u     user       SystemLow    SystemLow              git_shell_r
> guest_u         user       SystemLow    SystemLow              guest_r
> root            user       SystemLow    SystemLow-SystemHigh   staff_r sysadm_r system_r unconfined_r
> staff_u         user       SystemLow    SystemLow-SystemHigh   staff_r sysadm_r system_r unconfined_r
> sysadm_u        user       SystemLow    SystemLow-SystemHigh   sysadm_r
> system_u        user       SystemLow    SystemLow-SystemHigh   system_r unconfined_r
> unconfined_u    user       SystemLow    SystemLow-SystemHigh   system_r unconfined_r
> user_u          user       SystemLow    SystemHigh             user_r
> xguest_u        user       SystemLow    SystemLow              xguest_r
>
> # useradd kate
>
> # passwd kate
> Changing password for user kate.
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
>
> # semanage login -a kate
> libsemanage.validate_handler: MLS range s0 for Unix user regularuser
> exceeds allowed range s0:c0.c1023 for SELinux user user_u (No such
> file or directory).
> libsemanage.validate_handler: seuser mapping [regularuser -> (user_u,
> s0)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No
> such file or directory).
> /usr/sbin/semanage: Could not commit semanage transaction
>
> I would greatly appreciate any other hints to make this work.
>
> Regards,
>
> Bill
>
> On 5/23/2017 8:42 PM, Philip Seeley wrote:
>
> Hi Bill,
>
> This is probably because the default RHEL6 configuration does
> not include any categories in the user_u SELinux user's range:
>
> # semanage user -l
>
>                 Labeling   MLS/         MLS/
> SELinux User    Prefix     MCS Level    MCS Range              SELinux Roles
>
> guest_u         user       s0           s0                     guest_r
> root            user       s0           s0-s0:c0.c1023         staff_r sysadm_r system_r unconfined_r
> staff_u         user       s0           s0-s0:c0.c1023         staff_r sysadm_r system_r unconfined_r
> sysadm_u        user       s0           s0-s0:c0.c1023         sysadm_r
> system_u        user       s0           s0-s0:c0.c1023         system_r unconfined_r
> unconfined_u    user       s0           s0-s0:c0.c1023         system_r unconfined_r
> user_u          user       s0           s0                     user_r
>
> You probably have to extend the user definition to include the
> categories you're using. As an example, this gives all categories:
>
> # semanage user -m -r s0:c0.c1023 user_u
>
> # semanage user -l
>
>                 Labeling   MLS/         MLS/
> SELinux User    Prefix     MCS Level    MCS Range              SELinux Roles
>
> guest_u         user       s0           s0                     guest_r
> root            user       s0           s0-s0:c0.c1023         staff_r sysadm_r system_r unconfined_r
> staff_u         user       s0           s0-s0:c0.c1023         staff_r sysadm_r system_r unconfined_r
> sysadm_u        user       s0           s0-s0:c0.c1023         sysadm_r
> system_u        user       s0           s0-s0:c0.c1023         system_r unconfined_r
> unconfined_u    user       s0           s0-s0:c0.c1023         system_r unconfined_r
> user_u          user       s0           s0:c0.c1023            user_r
>
> Hope that helps.
>
> Phil
>
>
>
> From: Bill Durant <littus(a)icloud.com>
> To: Philip Seeley <pseeley(a)au1.ibm.com>
> Cc: littus(a)icloud.com, selinux(a)lists.fedoraproject.org
> Date: 24/05/2017 12:34
> Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
> ------------------------------------------------------------------------
>
>
>
> Hello Phil:
>
> Thank you for the suggestion. I have tried the steps from the
> URL that you provided without success.
>
> I get an error when I try to assign Linux user mary to an
> SELinux login as follows:
>
> # cat /etc/redhat-release
> CentOS release 6.9 (Final)
>
> ;;; Add "s0:c0=NetworkAdministrator" and "s0:c1=Operator" to
> /etc/selinux/targeted/setrans.conf
>
> # cat /etc/selinux/targeted/setrans.conf
> #
> # Multi-Category Security translation table for SELinux
> #
> # Uncomment the following to disable translation libary
> # disable=1
> #
> # Objects can be categorized with 0-1023 categories defined by
> the admin.
> # Objects can be in more than one category at a time.
> # Categories are stored in the system as c0-c1023. Users can
> use this
> # table to translate the categories into a more meaningful output.
> # Examples:
> # s0:c0=CompanyConfidential
> # s0:c1=PatientRecord
> # s0:c2=Unclassified
> # s0:c3=TopSecret
> # s0:c1,c3=CompanyConfidentialRedHat
> s0:c0=NetworkAdministrator
> s0:c1=Operator
> s0=SystemLow
> s0-s0:c0.c1023=SystemLow-SystemHigh
> s0:c0.c1023=SystemHigh
>
> # service mcstrans start
>
> # chcat -L
> s0:c0 NetworkAdministrator
> s0:c1 Operator
> s0 SystemLow
> s0-s0:c0.c1023 SystemLow-SystemHigh
> s0:c0.c1023 SystemHigh
>
>
> # useradd mary
> # passwd mary
> Changing password for user mary.
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
>
> # semanage login -a mary
>
> # chcat -l -- +NetworkAdministrator mary
> libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user
> mary exceeds allowed range s0 for SELinux user user_u (No such
> file or directory).
> libsemanage.validate_handler: seuser mapping [mary -> (user_u,
> s0-s0:c0)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over
> records (No such file or directory).
> /usr/sbin/semanage: Could not commit semanage transaction
>
> I would appreciate any hints on how to resolve that error.
>
> Thanks!
>
> Bill
>
>
> On 05/23/2017 05:49 PM, Philip Seeley wrote:
>
> Hi Bill,
>
> Have you thought about using categories?
>
> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getst...
>
> Cheers
>
> Phil
>
>
> From: Bill D <littus(a)icloud.com>
> To: selinux(a)lists.fedoraproject.org
> Cc: littus(a)icloud.com
> Date: 24/05/2017 09:52
> Subject: Controlling execution of Java JAR files with SELinux RBAC
> ------------------------------------------------------------------------
>
>
>
> Greetings:
>
> I have been trying to figure out how to
> control the execution of Java
> JAR files with SELinux RBAC.
>
> I have two Linux users named joe and mary and
> two Java JAR files named
> jack.jar and mary.jar.
>
> Here is how jack executes jack.jar: java -jar
> jack.jar
>
> Here is how mary executes mary.jar: java -jar
> mary.jar
>
> I would like SELinux RBAC to prevent jack from
> executing mary.jar and
> prevent mary from executing jack.jar.
>
> How to configure SELinux RBAC to make that happen?
>
> I have tried various approaches without
> success. I have also tried the
> steps in
> http://forums.fedoraforum.org/archive/index.php/t-222938.html
> without success.
>
> I would greatly appreciate any hints.
>
> Regards,
>
> Bill
>
>
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
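The behaviour Bill reports (a user_u login whose range is SystemLow-SystemHigh can read a file labelled NetworkAdministrator) and the two libsemanage "exceeds allowed range" errors quoted further down the thread are both MCS level arithmetic. The following Python is an added example, not code from the thread or from any SELinux tool: it expands raw MCS levels (s0, s0:c0, s0-s0:c0.c1023; the setrans.conf names such as SystemHigh must be mapped back to raw levels first) into category sets, applies the reference-policy MCS constraint on file read, under which the subject's high level must dominate the object's level, and applies the containment check libsemanage makes when a login mapping's range is validated against its SELinux user's range. Function names and sample levels are my own; NetworkAdministrator is s0:c0 as in the setrans.conf quoted above.

```python
"""
Added example (not code from the list): expand SELinux MCS levels into
category sets, check dominance, and apply the two checks behind the
behaviour discussed in this thread: the MCS file-read constraint and the
login-range validation done by libsemanage.  Works on raw levels only
(s0, s0:c0, s0-s0:c0.c1023), not on setrans.conf names.
"""
import re

MAX_CATEGORY = 1023  # shipped policies define categories c0..c1023


def parse_level(level):
    """'s0:c0.c2,c5' -> ('s0', frozenset({0, 1, 2, 5})); 's0' -> ('s0', frozenset())."""
    sens, _, cats = level.partition(':')
    if not re.fullmatch(r's\d+', sens):
        raise ValueError(f'bad sensitivity in level {level!r}')
    catset = set()
    parts = cats.split(',') if cats else []
    for part in parts:
        m = re.fullmatch(r'c(\d+)(?:\.c(\d+))?', part)
        if not m:
            raise ValueError(f'bad category spec {part!r} in {level!r}')
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or hi > MAX_CATEGORY:
            raise ValueError(f'bad category range {part!r} in {level!r}')
        catset.update(range(lo, hi + 1))
    return sens, frozenset(catset)


def dominates(a, b):
    """a dom b: a's sensitivity is >= b's and a's categories are a superset of b's."""
    (sa, ca), (sb, cb) = a, b
    return int(sa[1:]) >= int(sb[1:]) and ca >= cb


def parse_range(rng):
    """'s0-s0:c0.c1023' -> (low, high).  A single level is both its own low and
    high, which is why 's0:c0.c1023' is a much narrower range than 's0-s0:c0.c1023'."""
    low, _, high = rng.partition('-')
    low_l = parse_level(low)
    high_l = parse_level(high) if high else low_l
    if not dominates(high_l, low_l):
        raise ValueError(f'high level does not dominate low level in {rng!r}')
    return low_l, high_l


def mcs_read_allowed(subject_range, object_level):
    """Reference-policy MCS constraint on file read: the subject's high level
    (h1) must dominate the object's level (l2)."""
    _, high = parse_range(subject_range)
    return dominates(high, parse_level(object_level))


def login_range_valid(user_range, login_range):
    """libsemanage accepts a login mapping only if its range lies inside the
    SELinux user's range: the login's low level dominates the user's low level
    and the user's high level dominates the login's high level.  Otherwise
    semanage reports 'MLS range ... exceeds allowed range ...'."""
    user_low, user_high = parse_range(user_range)
    login_low, login_high = parse_range(login_range)
    return dominates(login_low, user_low) and dominates(user_high, login_high)


if __name__ == '__main__':
    # user_u with the range s0-s0:c0.c1023 spans every category, so a file at
    # s0:c0 (NetworkAdministrator in the quoted setrans.conf) is readable.
    print(mcs_read_allowed('s0-s0:c0.c1023', 's0:c0'))
    # the stock user_u range s0 carries no categories at all
    print(mcs_read_allowed('s0', 's0:c0'))
    # 'semanage user -m -r s0:c0.c1023 user_u' leaves the default login level
    # s0 outside the user's range; 's0-s0:c0.c1023' contains it
    print(login_range_valid('s0:c0.c1023', 's0'))
    print(login_range_valid('s0-s0:c0.c1023', 's0'))
```

The last two calls reproduce the two semanage failures in the thread: with the user range set to the single level s0:c0.c1023 the login's default level s0 does not dominate the user's low level, and with the user range left at s0 a login range of s0-s0:c0 exceeds the user's high level. Only the hyphenated form s0-s0:c0.c1023 accepts both.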
RHEL7 screen issue
by Steve Huston
I'm having some issues with using 'screen' on RHEL7-based systems. It
seems that things like utmp/wtmp writing do not work, which I haven't
looked into yet (which makes 'deflogin' fail), but the one that was
more easily tracked down is things like log files.
$ id
uid=9318(huston) ... context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
$ ls -lZ `which screen`
-rwxr-sr-x. root screen system_u:object_r:screen_exec_t:s0 /usr/bin/screen*
# ps -efZ | grep -i screen
staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 huston 14296 1 0 Mar02
? 00:06:00 SCREEN
staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023 huston 3432606 3432605
0 10:51 pts/0 00:00:00 screen -raAx
# ls -lZ /home/huston/screenlog.16
-rw-rw-r--. huston huston staff_u:object_r:user_home_dir_t:s0
/home/huston/screenlog.16
This file could only be written after I set permissive mode (or add a
selinux policy that lets allow user_screen_t user_home_dir_t:file {
append create getattr open }; and staff_screen_t user_home_dir_t:file
{ append create getattr open }; which of course works great to create
the file, but then I cannot read it).
Looking through serefpolicy-contrib-3.13.1/screen.te (from
selinux-policy-3.13.1-102.el7_3.16.src.rpm) I see three lines:
userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
Which works for relabeling those files so that screen can read them,
but what I don't see is something that is telling the system that
screen should be creating files as user_home_dir_t, which seems to be
the problem. I would assume they should also be screen_home_t, so
that screen can reopen the files for appending if the logfile is
reopened, but I know not how to do that.
Any insight would be appreciated - I'm guessing there's something
missing in the reference policy, but I'm not opposed to adding
something to fix it locally until the change makes its way through the
proper channels.
--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
Princeton University | ICBM Address: 40.346344 -74.652242
345 Lewis Library |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
Re: upss.. reason="memory violation" sig=11 => segfault htcondor
by Gary Tierney
CC'ing to list. Replied directly to sender by accident.
On Tue, May 23, 2017 at 01:45:12PM +0100, Gary Tierney wrote:
> Try running `semodule -DB`. Looks like something might be dontaudited. After
> running that command reproduce your error and check the audit log using Lukas'
> ausearch command.
>
> On Tue, May 23, 2017 at 12:54:43PM +0100, lejeczek wrote:
> >
> >
> > On 23/05/17 12:07, Lukas Vrabec wrote:
> > > On 05/23/2017 12:56 PM, lejeczek wrote:
> > > > hi fellas
> > > >
> > > > I don't want to disable se, I cannot find booleans, there is no
> > > > domain
> > > > for htcondor I think.
> > > > How do I let my htcondor through?
> > > > with se:
> > > >
> > > > condor_submit[29217]: segfault at 0 ip (null) sp
> > > > 00007ffd7dfa61c8
> > > >
> > > > type=ANOM_ABEND msg=audit(1495536871.977:1484): auid=2501 uid=1177
> > > > gid=513 ses=63
> > > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1532
> > > > comm="condor_submit" reason="memory violation" sig=11
> > > >
> > > > disable se and works.
> > > >
> > > > many thanks.
> > > > L.
> > > > _______________________________________________
> > > > selinux mailing list -- selinux(a)lists.fedoraproject.org
> > > > To unsubscribe send an email to
> > > > selinux-leave(a)lists.fedoraproject.org
> > >
> > > Hi,
> > >
> > > Could you reproduce the scenario and then attach output of:
> > > # ausearch -m AVC,USER_AVC -ts recent
> > >
> > >
> > > Thanks,
> > > Lukas.
> > >
> > hi,
> > ausearch as above finds nothing, with only "recent" all the grep condor
> > finds is that one line.
> > Should I include a few more lines before that condor one?
> > _______________________________________________
> > selinux mailing list -- selinux(a)lists.fedoraproject.org
> > To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
>
> --
> Gary Tierney
>
> GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
> https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
--
Gary Tierney
GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
guest_u with limited guest_exec_content
by Lakshmipathi.G
Hi,
I need some advice/suggestions on the setup below. We created 'guest_u'
accounts with shell access.
Now we would like to allow:
1) Only selected guest_u users have "guest_exec_content->on"
permission (e.g. user1 and user3 have exec permission, but user2 doesn't).
2) Users in (1) are allowed to execute a specific binary (~/abc.bin)
but not all (e.g. user1 and user3 can execute only ~/abc.bin but can't
execute other binary files).
Is that possible to achieve? Any suggestion on how to create such a setup? Thanks.
----
Cheers,
Lakshmipathi.G
http://www.giis.co.in http://www.webminal.org
upss.. reason="memory violation" sig=11 => segfault htcondor
by lejeczek
hi fellas
I don't want to disable se; I cannot find booleans, and there is
no domain for htcondor, I think.
How do I let my htcondor through?
with se:
condor_submit[29217]: segfault at 0 ip (null) sp
00007ffd7dfa61c8
type=ANOM_ABEND msg=audit(1495536871.977:1484): auid=2501
uid=1177 gid=513 ses=63
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
pid=1532 comm="condor_submit" reason="memory violation" sig=11
disable se and it works.
many thanks.
L.
Is this an error that should be BZ'd?
by Ed Greshko
I was having some problems with getting a setting to stick under network
manager. I wanted to eliminate a silent selinux AVC. So I issued a
semodule -DB. This is on F25, BTW.
But now I'm continuously getting the following....
SELinux is preventing systemd from 'read, write' accesses on the
unix_stream_socket unix_stream_socket.
***** Plugin catchall (100. confidence) suggests
**************************
If you believe that systemd should be allowed read write access on the
unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:system_r:kernel_t:s0-s0:c0.c1023
Target Objects unix_stream_socket [ unix_stream_socket ]
Source systemd
Source Path systemd
Port <Unknown>
Host meimei.greshko.com
Source RPM Packages
Target RPM Packages
Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name meimei.greshko.com
Platform Linux meimei.greshko.com
4.10.8-200.fc25.x86_64 #1
SMP Fri Mar 31 13:20:22 UTC 2017 x86_64 x86_64
Alert Count 2
First Seen 2017-04-11 13:59:41 CST
Last Seen 2017-04-11 13:59:41 CST
Local ID a9f3060f-290b-4777-bf8f-28d0313ca9f1
Raw Audit Messages
type=AVC msg=audit(1491890381.516:407): avc: denied { read write }
for pid=1 comm="systemd" path="socket:[65875]" dev="sockfs" ino=65875
scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023
tclass=unix_stream_socket permissive=0
Hash: systemd,init_t,kernel_t,unix_stream_socket,read,write
Should I follow the recommendation of generating a local policy? Should
this be BZ'd?
--
Fedora Users List - The place to go to get others to do the work for you
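Both this report and the htcondor thread above turn on reading raw audit records correctly: an AVC record names the source type, target type, class and permissions a local module would have to allow, while an ANOM_ABEND record is a crash report that by itself says nothing about SELinux, which is why the reply there asks for `ausearch -m AVC,USER_AVC` output. The following Python is an added example, not part of any message on the list: it parses the two records quoted in these threads (re-joined onto one line each, as they are stored in audit.log) into fields and derives the allow rule that audit2allow would generate from an AVC denial, so the rule can be read before a module is built from it. The sample records are the ones quoted above; the function names are my own.

```python
"""
Added example (not code from the list): parse raw Linux audit records of
the two kinds quoted in these threads, AVC denials and ANOM_ABEND crash
records, into fields, and derive the allow rule that audit2allow would
emit for an AVC denial so it can be reviewed before being installed.
"""
import re

# Sample records quoted in the threads above, re-joined onto one line each
# (audit.log stores one record per line; the mail archive wrapped them).
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1491890381.516:407): avc: denied { read write } '
    'for pid=1 comm="systemd" path="socket:[65875]" dev="sockfs" ino=65875 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket permissive=0',
    'type=ANOM_ABEND msg=audit(1495536871.977:1484): auid=2501 uid=1177 '
    'gid=513 ses=63 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'pid=1532 comm="condor_submit" reason="memory violation" sig=11',
]

HEADER_RE = re.compile(r'type=(\w+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+(.*)$')
# key=value pairs: the value is either a double-quoted string (which may
# contain spaces, e.g. reason="memory violation") or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line):
    """Return a dict with 'type', 'time', 'serial' and every key=value field;
    AVC records additionally get 'decision' and the permission list 'perms'."""
    line = ' '.join(line.split())  # undo any line wrapping from a mail client
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f'not an audit record: {line!r}')
    rec = {'type': m.group(1), 'time': float(m.group(2)),
           'serial': int(m.group(3))}
    body = m.group(4)
    if rec['type'] == 'AVC':
        am = AVC_RE.match(body)
        if not am:
            raise ValueError(f'malformed AVC record: {line!r}')
        rec['decision'] = am.group(1)
        rec['perms'] = am.group(2).split()
        body = am.group(3)
    for key, value in FIELD_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx):
    """'system_u:system_r:init_t:s0' -> 'init_t' (the third field of a context)."""
    return ctx.split(':')[2]


def allow_rule(rec):
    """The allow rule audit2allow would generate for an AVC denial, or None for
    anything else (an ANOM_ABEND is a crash, not a denial, so no rule)."""
    if rec.get('type') != 'AVC' or rec.get('decision') != 'denied':
        return None
    perms = ' '.join(sorted(rec['perms']))
    return (f"allow {context_type(rec['scontext'])} "
            f"{context_type(rec['tcontext'])}:{rec['tclass']} "
            f"{{ {perms} }};")


def is_enforced_denial(rec):
    """True when the access was actually blocked: permissive=1 records are
    logged but not enforced."""
    return (rec.get('type') == 'AVC' and rec.get('decision') == 'denied'
            and rec.get('permissive', '0') == '0')


if __name__ == '__main__':
    for raw in SAMPLE_RECORDS:
        rec = parse_audit_record(raw)
        print(rec['type'], rec.get('comm'), allow_rule(rec))
```

For the systemd record the derived rule is `allow init_t kernel_t:unix_stream_socket { read write };`, which is what the catchall plugin's audit2allow command would put into my-systemd.pp. Since the denial only started appearing after `semodule -DB`, which rebuilds the policy with its dontaudit rules disabled, it is an access the shipped policy deliberately silences rather than one that was being enforced before; `semodule -B` restores the dontaudit rules, and a bug report is the right place to question whether the dontaudit is appropriate.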