arch=c00000b7 syscall=35
by Henry Zhang
Hi folks,
I want to analyze audit.log and see
arch=c00000b7 syscall=35
Where can I find what c00000b7 and 35 mean, respectively, for an arm64 device?
Thanks.
---henry
10 months, 3 weeks
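How the two fields decode, as an added example that is not part of Henry's post: the arch= value is the kernel's AUDIT_ARCH_* constant (the ELF e_machine number in the low 16 bits, plus flag bits for 64-bit and little-endian), and syscall= is a number in that architecture's own table, so 35 is unlinkat on aarch64 but nanosleep on x86_64. The constants below follow the kernel uapi headers; the embedded syscall tables are deliberately partial excerpts, and the log lines are constructed.

```python
"""Decode arch= and syscall= from Linux audit SYSCALL records.

Added example, not code from the original post. Constants follow the kernel
uapi headers (linux/audit.h, linux/elf-em.h); the syscall tables are partial
excerpts of asm-generic/unistd.h (aarch64) and syscall_64.tbl (x86_64).
"""
import re

# AUDIT_ARCH_* = EM_<machine> | flag bits (include/uapi/linux/audit.h).
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000

# ELF e_machine values (include/uapi/linux/elf-em.h), partial.
EM_NAMES = {3: "i386", 40: "arm", 62: "x86_64", 183: "aarch64", 243: "riscv"}

# Partial syscall tables; every architecture numbers syscalls independently.
SYSCALLS = {
    "aarch64": {33: "mknodat", 34: "mkdirat", 35: "unlinkat", 36: "symlinkat",
                37: "linkat", 56: "openat", 57: "close", 63: "read",
                64: "write", 221: "execve"},
    "x86_64": {0: "read", 1: "write", 2: "open", 3: "close", 35: "nanosleep",
               59: "execve", 87: "unlink", 257: "openat", 263: "unlinkat"},
}


def decode_arch(arch_hex):
    """'c00000b7' -> machine name, word size and endianness."""
    value = int(arch_hex, 16)
    machine = value & 0xFFFF          # low 16 bits: ELF e_machine
    return {
        "machine": EM_NAMES.get(machine, "EM_%d" % machine),
        "bits": 64 if value & AUDIT_ARCH_64BIT else 32,
        "endian": "little" if value & AUDIT_ARCH_LE else "big",
    }


def syscall_name(arch_hex, nr):
    """Look the number up in the table for the record's architecture."""
    machine = decode_arch(arch_hex)["machine"]
    return SYSCALLS.get(machine, {}).get(int(nr), "syscall_%d" % int(nr))


RECORD_RE = re.compile(r"\barch=([0-9a-fA-F]+)\b.*?\bsyscall=(\d+)\b")


def decode_records(lines):
    """Return (arch info, number, name) for every record carrying arch=."""
    decoded = []
    for line in lines:
        m = RECORD_RE.search(line)
        if m:
            arch_hex, nr = m.group(1), int(m.group(2))
            decoded.append((decode_arch(arch_hex), nr, syscall_name(arch_hex, nr)))
    return decoded


# Constructed sample records (not the poster's audit.log). Both carry
# syscall=35, but the arch field makes them different syscalls.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.100:41): arch=c00000b7 syscall=35 '
    'success=no exit=-13 items=1 pid=2345 comm="rm" exe="/usr/bin/rm" '
    'subj=system_u:system_r:init_t:s0 key=(null)',
    'type=SYSCALL msg=audit(1700000000.200:42): arch=c000003e syscall=35 '
    'success=yes exit=0 items=0 pid=2346 comm="sleep" exe="/usr/bin/sleep"',
    'type=AVC msg=audit(1700000000.300:43): avc:  denied  { read } for pid=1',
]

if __name__ == "__main__":
    for arch, nr, name in decode_records(SAMPLE_LOG):
        print("%(machine)s %(bits)d-bit %(endian)s-endian" % arch,
              "syscall %d = %s" % (nr, name))
```

On a machine with audit-userspace installed the same lookup is `ausyscall aarch64 35` (or `ausyscall --dump` for the whole table), and `ausearch -i` interprets the arch and syscall fields in place when printing records.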
Files created with the wrong context
by Dridi Boukelmoune
Greetings,
I have a custom policy that has a label for a directory and all its
contents, except for one specific sub-directory that uses a more
specific type. When a file is created in that sub-directory, it gets
the general label instead of the specific one.
It looks wrong, and at least restorecon seems to agree because it will
happily relabel the offending file, meeting my expectations. I must be
doing something wrong, probably missing something, but I have no idea
what.
Or could it be a bug? The kernel module could be evaluating rules in a
different order, hence the discrepancy at file creation time. In my
policy, file contexts are sorted from least to most specific.
Anyway, I can't share that, so I made a minimal reproducer:
https://github.com/dridi/selinux-lostlabel
Any help appreciated, I tried really hard to understand what is going
on, to no avail. The only similar search result was wrong labels in
home directories showing up in several places, but I couldn't find my
nugget there.
I initially sent an email and it's not showing up in the archive, so
instead I subscribed to the list and started a new thread using the
Hyperkitty interface. Apologies in advance if you receive it twice.
Thanks,
Dridi
11 months
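Where a new file's label actually comes from, as an added model that is not the poster's reproducer and does not diagnose it: the kernel never reads file_contexts when an inode is created. A new file or directory gets the type of its parent directory unless a type_transition rule for (creating domain, parent type, class, optionally the filename) says otherwise; file_contexts entries are consulted only by relabeling tools such as restorecon and setfiles, which is why the two can disagree. The Python below models those two rules; the types app_t, app_data_t and app_secret_t, the paths, and the "subdirectory created at runtime" scenario are assumptions for the illustration.

```python
"""Model of creation-time labeling versus relabeling (added example).

Two rules are modeled, not real SELinux calls:
  * creation: type_transition for (domain, parent type, class[, name])
    if one exists, otherwise inherit the parent directory's type;
  * restorecon: the last matching file_contexts entry wins, with entries
    ordered from least to most specific as in the refpolicy convention.
Type names and paths are assumptions for the illustration.
"""
import re

# Assumed file_contexts: a general type for the tree, a specific one for
# one subdirectory (the later, more specific entry overrides the earlier).
FILE_CONTEXTS = [
    (r"/srv/app(/.*)?", "app_data_t"),
    (r"/srv/app/secret(/.*)?", "app_secret_t"),
]


def restorecon_type(path):
    """Type a relabel would assign: last matching file_contexts entry."""
    chosen = None
    for pattern, ftype in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            chosen = ftype
    return chosen


class Filesystem:
    """Tracks the type of every path, assigning labels as the kernel would."""

    def __init__(self, type_transitions=()):
        self.types = {}
        # (source domain, parent type, class, filename or None) -> new type
        self.type_transitions = dict(type_transitions)

    def mkdir_labeled(self, path, ftype):
        """A directory that was packaged or relabeled with its proper type."""
        self.types[path] = ftype

    def create(self, domain, path, cls):
        """Creation: named transition, then unnamed, else inherit parent."""
        parent, name = path.rsplit("/", 1)
        parent_type = self.types[parent]
        for key in ((domain, parent_type, cls, name),
                    (domain, parent_type, cls, None)):
            if key in self.type_transitions:
                self.types[path] = self.type_transitions[key]
                return self.types[path]
        self.types[path] = parent_type
        return parent_type

    def restorecon(self, path):
        """Relabel from file_contexts (keeps the type if nothing matches)."""
        self.types[path] = restorecon_type(path) or self.types[path]
        return self.types[path]


def scenario(subdir_prelabeled, with_transition):
    """Return (type at creation, type after restorecon) for a new file."""
    transitions = {}
    if with_transition:
        # Equivalent policy statement (refpolicy macro):
        #   filetrans_pattern(app_t, app_data_t, app_secret_t, dir, "secret")
        transitions[("app_t", "app_data_t", "dir", "secret")] = "app_secret_t"
    fs = Filesystem(transitions)
    fs.mkdir_labeled("/srv/app", "app_data_t")
    if subdir_prelabeled:
        fs.mkdir_labeled("/srv/app/secret", "app_secret_t")
    else:
        fs.create("app_t", "/srv/app/secret", "dir")   # made at runtime
    created = fs.create("app_t", "/srv/app/secret/key.pem", "file")
    relabeled = fs.restorecon("/srv/app/secret/key.pem")
    return created, relabeled


if __name__ == "__main__":
    for prelabeled, transition in ((False, False), (True, False), (False, True)):
        print("subdir prelabeled=%-5s type_transition=%-5s -> created as %s, "
              "restorecon gives %s" % ((prelabeled, transition) + scenario(prelabeled, transition)))
```

The first case reproduces the symptom in the post (created with the general type, relabeled by restorecon to the specific one); the other two show the two ways to make creation agree with file_contexts: have the subdirectory itself carry the specific type before files are created in it, or add a type_transition (filetrans_pattern in refpolicy, typetransition in CIL) so the kernel picks the specific type at creation.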
Re: Relocating mysql
by Gionatan Danti
On 2023-05-19 18:56 Casper wrote:
> With audit2allow, you can read from the "auditd" logs, then try to
> generate the .te file, then compile it into a Module Policy.
>
> If you know how to write a Type Enforcement[1] (.te) file, you will have
> to compile it manually into a loadable Module Policy file. This step
> is done automatically by audit2allow.
>
> """
> Module (or Non-base) Policy - These are optional policy source files
> that when compiled, can be dynamically loaded or unloaded within the
> policy store. By convention these files are named after the module or
> application they represent, with the compiled binary having a '.pp'
> extension. These files are compiled using the checkmodule command.
> """
>
> CIL modules can be used with semodule because they are compiled by
> semodule directly, at install time.[2]
>
> [1] https://selinuxproject.org/page/NB_TE
> [2] https://selinuxproject.org/page/PolicyLanguage
Thank you so much.
Regards.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8
11 months
Relocating mysql
by Gionatan Danti
Hi all,
I have a question about mysql relocation.
I already created an equivalency rule such that "semanage fcontext --list
-C" returns the following:
SELinux Local fcontext Equivalence
/mnt/lv_data/var/lib/mysql = /var/lib/mysql
Then I created a symlink in /var/lib:
system_u:object_r:mysqld_db_t:s0 26 May 17 14:39 mysql ->
/mnt/lv_data/var/lib/mysql
However, httpd/php can not connect to the database. The following
message is logged in audit.log:
type=AVC msg=audit(1684352064.936:232): avc: denied { read } for
pid=8558 comm="httpd" name="mysql" dev="sda4" ino=147925
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0
My understanding is that httpd can not read the symlink. I expected to
find a boolean to allow this kind of access, to no avail.
So my question is: can I allow httpd symlink access without manually
modifying the actual policy (i.e. using audit2allow and the like)?
Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8
11 months
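The step Casper's quoted reply describes (turn AVC denials into a .te, then compile that into a loadable .pp) applied to the AVC line from the original question above, as an added example that is neither audit2allow's own code nor anything posted in the thread. The module name httpd_mysql_lnk is an assumption; the first sample record is the denial Gionatan posted, the second is constructed to show permissions for the same type pair being merged into one allow rule.

```python
"""Turn AVC denial records into a policy module source (.te).

Added example of what audit2allow automates; not audit2allow itself and
not from the thread. Module name and the second sample line are assumptions.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type (third colon-separated field)."""
    return ctx.split(":")[2]


def collect_denials(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules


def generate_te(module_name, rules, version="1.0"):
    """Emit module/require/allow sections in the layout audit2allow uses."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    lines = ["module %s %s;" % (module_name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ["}", ""]
    last_src = None
    for (src, tgt, cls), perms in sorted(rules.items()):
        if src != last_src:                     # one header per source domain
            lines.append("#============= %s ==============" % src)
            last_src = src
        lines.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return "\n".join(lines) + "\n"


# First record: the denial posted in the thread. Second: constructed, to
# show a second permission on the same (source, target, class) merging.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1684352064.936:232): avc: denied { read } for '
    'pid=8558 comm="httpd" name="mysql" dev="sda4" ino=147925 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0',
    'type=AVC msg=audit(1684352070.001:233): avc: denied { getattr } for '
    'pid=8558 comm="httpd" name="mysql" dev="sda4" ino=147925 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0',
]

if __name__ == "__main__":
    print(generate_te("httpd_mysql_lnk", collect_denials(SAMPLE_AUDIT)), end="")
```

The generated file compiles and loads with the commands the quoted reply refers to: `checkmodule -M -m -o httpd_mysql_lnk.mod httpd_mysql_lnk.te`, then `semodule_package -o httpd_mysql_lnk.pp -m httpd_mysql_lnk.mod`, then `semodule -i httpd_mysql_lnk.pp`; the real tool does all of that from the log in one step with `ausearch -m AVC -ts recent | audit2allow -M httpd_mysql_lnk`. Two caveats for this particular case: the rule grants httpd_t read on every mysqld_db_t symlink, not just this one, and the way to avoid a local module entirely is to not use a symlink at all, bind-mounting the relocated directory onto /var/lib/mysql so the existing equivalence rule keeps the labels matching and the stock policy applies unchanged.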