selinux December 2021

selinux@lists.fedoraproject.org

2 participants
4 discussions

SELinux is preventing systemd-tmpfile from using the sys_resource capability.
by Manfred Lotz 23 Apr '25

23 Apr '25

Hi there, Running Fedora 31 and SELinux still in permissive mode I got SELinux is preventing systemd-tmpfile from using the sys_resource capability. ***** Plugin sys_resource (91.4 confidence) suggests ********************** If you do not want processes to require capabilities to use up all the system resources on your syste> Then you need to diagnose why your system is running out of system resources and fix the problem. According to /usr/include/linux/capability.h, sys_resource is required to: /* Override resource limits. Set resource limits. */ /* Override quota limits. */ /* Override reserved space on ext2 filesystem */ /* Modify data journaling mode on ext3 filesystem (uses journaling resources) */ /* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */ /* Override size restrictions on IPC message queues */ /* Allow more than 64hz interrupts from the real-time clock */ /* Override max number of consoles on console allocation */ /* Override max number of keymaps */ Do fix the cause of the SYS_RESOURCE on your system. ***** Plugin catchall (9.59 confidence) suggests ************************** If you believe that systemd-tmpfile should have the sys_resource capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd-tmpfile' --raw | audit2allow -M my-systemdtmpfile # semodule -X 300 -i my-systemdtmpfile.pp I also see type=AVC msg=audit(1569414241.452:321): avc: denied { sys_resource } for pid=17409 comm="systemd-tmpfile" capability=24 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1 type=AVC msg=audit(1569414241.452:322): avc: denied { setrlimit } for pid=17409 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1 I have to admit I don't know how to judge this. Before I do anything here I like to understand. -- Manfred

3 3

certmonger post-save scripts & certmonger_unconfined_t domain
by Sam Morris 06 Jun '24

06 Jun '24

Certmonger allows for the configuration of a post-save command to be run after it has obtained new certificates. This can be used to copy the key & certificates out of wherever certmonger is allowed to put them, and save them elsewhere with a particular owner/group, combine the certificate & chain into a single file as required by some software, etc. The problem comes with SELinux which prevents my post-save scripts from being able to do all of that. I thought the solution was to give the scripts the context of certmonger_unconfined_exec_t, which would cause a transition to the certmonger_unconfined_t domain which is as its name suggests unconfined; but I can't get this to work. I'm trying to use runcon to simulate certmonger executing a fake script: # cat /tmp/fakescript #!/bin/bash set -eu id -Z # /tmp/fakescript unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 # ls -Z /tmp/fakescript unconfined_u:object_r:certmonger_unconfined_exec_t:s0 /tmp/fakescript # runcon system_u:system_r:certmonger_t:s0 /tmp/fakescript runcon: ‘/tmp/fakescript’: Permission denied Here is the avc denial: ---- type=PROCTITLE msg=audit(27/04/21 16:16:47.156:153492) : proctitle=runcon system_u:system_r:certmonger_t:s0 /tmp/fakescript type=SYSCALL msg=audit(27/04/21 16:16:47.156:153492) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffd8aa768ab a1=0x7ffd8aa75888 a2=0x7ffd8aa75898 a3=0x0 items=0 ppid=177795 pid=177796 auid=sam.admin uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=103 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(27/04/21 16:16:47.156:153492) : avc: denied { entrypoint } for pid=177796 comm=runcon path=/tmp/fakescript dev="dm-0" ino=33563064 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:certmonger_unconfined_exec_t:s0 tclass=file permissive=0 Even though: # sepolicy transition -s certmonger_t -t certmonger_unconfined_t certmonger_t @ certmonger_unconfined_exec_t --> certmonger_unconfined_t Diving in a little deeper, I can see that certmonger can execute the file: # sesearch -s certmonger_t -t certmonger_unconfined_exec_t -c file -p execute -A allow certmonger_t certmonger_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read }; ... and that the file type is an entrypoint for the certmonger_unconfined_t domain: # sesearch -s certmonger_unconfined_t -t certmonger_unconfined_exec_t -c file -p entrypoint -A allow certmonger_unconfined_t certmonger_unconfined_exec_t:file { entrypoint execute getattr ioctl lock map open read }; ... and that transition is permitted from certmonger_t: # sesearch -s certmonger_t -t certmonger_unconfined_t -c process -p transition -A allow certmonger_t certmonger_unconfined_t:process transition; Which leaves me scratching my head, unsure why it doesn't work in practice... -- Sam Morris <https://robots.org.uk/> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

2 4

Re: Patch "selinux: fix race condition when computing ocontext SIDs" has been added to the 5.4-stable tree
by Ondrej Mosnacek 15 Dec '21

15 Dec '21

Hi Greg, On Wed, Dec 15, 2021 at 2:35 PM <gregkh(a)linuxfoundation.org> wrote: > This is a note to let you know that I've just added the patch titled > > selinux: fix race condition when computing ocontext SIDs > > to the 5.4-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > selinux-fix-race-condition-when-computing-ocontext-sids.patch > and it can be found in the queue-5.4 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Somehow this notification (and a couple of previous ones) has been sent to selinux(a)lists.fedoraproject.org instead of selinux(a)vger.kernel.org, which is the right list for SElinux kernel development. It's not a big deal, but you might want to check what went wrong and fix it up :) -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.

1 0

【寐】香港之杭州文过饰非,黄晓玲之黄页过犹不及
by yx279667 yx279667 11 Dec '21

11 Dec '21

香港之杭州黄晓玲之黄页 --》点击后面地址进入看午@夜大片: http://heqabd998.aa345.cc/#fedoraproject1211 --》点击后面地址进入看午@夜视频: http://heqabd998.aa345.cc/#fedoraproject1211 香港之杭州黄晓玲之黄页长大的路上，她牵着我的手，让我懂得了什么叫宽容。曾几何时，贪玩任性的我迟迟归来，她用温柔的双手抚摸着我的头说，饭热好了，吃吧。曾几何时，我手捧不理想的成绩单站在她面前，她说，没关系，下次努力，你永远是我的骄傲。她的眼中闪现出一丝光彩，我知道，那是宽容。长大的路上，她牵着我的手，让我懂得了什么叫慈爱。曾记得，每次下雨，她总是第一个给我送伞，她说，我也没事，闲着也是闲着。曾记得，每次高烧，她总是细心地照料我，她说，以后可要注意点，多穿点衣服。她挥动手臂拭着额上的汗珠，我知道，那是慈爱。她，我的母亲。母亲啊，您温柔的双手牵我走过高山，趟过河流，一路走来，一路吟唱。小时候，突然迷上了自行车，我缠着您学。您微笑着，仔细地向我传授方法。我歪歪扭扭地蹬几下，摔倒了。您又微笑着说，好孩子，自己爬起来。我站起来，接着骑，又摔倒，您还是鼓励着我。我烦了，您依旧微笑着鼓励我。慢慢地，我学会了，我欢喜地笑着，您欣慰地笑着……母亲啊，女儿没有用高山、大海来形容您，女儿觉得，您给我的，是真实的、确切的、触摸得到的爱与关怀，而不是遥远的、空洞的、模糊的一个概念。您执着地守护着我，就像蓝天执着地守护着白云，大海执着地守护着鱼儿。母亲啊，你在女儿心中是那不可磨灭的印记，是那不可丢弃的生命。岁月的河流缓缓淌过，成长的脚印深深留下。蓦然回首，长大的路上，她牵着我的手…她的脊背总是柔软的，并不宽阔，却给人一种安全感。无数次，我在她的脊背上拨弄着她的头发，牵扯着她的衣领，重复着一首又一首她教给我的童谣。【寐】香港之杭州文过饰非,黄晓玲之黄页过犹不及“千里黄云白日曛，北风吹雁雪纷纷。”弥漫的迷云遮蔽住太阳的光辉，鸟群在北风的吼叫中向南方飞去。风一起，浑身都冰凉了。香港之杭州黄晓玲之黄页

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux December 2021