Not possible to specify smtp password for setroubleshootd?
by Matt Kinni
Hello, I run a Fedora 35 server and would like setroubleshootd to send email alerts for avc denials, but I'm having trouble configuring this due to the apparent lack of support for configuring an smtp password.
The out of the box setroubleshoot.conf sets
> smtp_host = localhost
> smtp_port = 25
> from_address = SELinux_Troubleshoot
, but there is no config parameter for smtp password.
For this to actually work on a machine acting as an MTA (I have postfix running locally), the mail server would have to be configured to allow unauthenticated port 25 connections to masquerade as any local system user, which no decent postfix setup would allow.
I am not a python programmer, but in my reading of https://pagure.io/setroubleshoot/blob/main/f/framework/src/setroubleshoot..., it doesn't appear there is any built in way to support authenticated email sending despite the underlying smtplib being able to do it.
I would suggest either a) adding password support for smtplib, or/and b) adding an option to send mail using the sendmail binary, which allows postfix to recognize the running user without any password needed.
Has anyone else run into problems deploying the setroubleshootd email alerts in practice? email_alert.py appears simple enough to hack in password support, but I feel a security oriented project like selinux shouldn't require an insecure mail setup in order to send its alerts.
Any tips are welcome,
Thanks,
Matt
1 week, 1 day
get rid of setenforce
by Henry Zhang
Hi folks,
setenforce allows users to swap selinux mode between enforcing and
permissive.
If I want my selinux to stay in enforcing mode forever so that nobody is
able to interfere with my selinux.
What should I do?
Thanks.
---henry
1 week, 1 day
Help with test failures
by Orion Poplawski
We have the following PR for zabbix SELinux policy:
https://src.fedoraproject.org/rpms/zabbix/pull-request/10
and we're getting some test failures, but I can't really interpret them.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Unsound/dangerous policy practices
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'semodule -lfull | grep zabbix'
:: [ 21:15:26 ] :: [ PASS ] :: Command 'semodule -lfull | grep zabbix'
(Expected 0, got 0)
:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'semodule -X 200 --cil -E zabbix'
:: [ 21:15:26 ] :: [ PASS ] :: Command 'semodule -X 200 --cil -E zabbix'
(Expected 0, got 0)
:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'python3 test.py zabbix.cil
policy/zabbix.te'
/var/str/DSP_test/test.py:64: SyntaxWarning: invalid escape sequence '\('
out = subprocess.run(['grep', '-E', '[A-Za-z_]+\(.*\)', te_source_file],
capture_output=True, text=True)
:: [ 21:15:27 ] :: [ FAIL ] :: Command 'python3 test.py zabbix.cil
policy/zabbix.te' (Expected 0, got 4)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 1s
:: Assertions: 2 good, 1 bad
:: RESULT: FAIL (Unsound/dangerous policy practices)
This seems like it might be a python error in the test.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SELint static analysis
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 21:15:27 ] :: [ BEGIN ] :: Running 'selint -s -r -d E-005 -d W-004 -d
W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc
policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny'
:: [ 21:15:27 ] :: [ PASS ] :: Command 'selint -s -r -d E-005 -d W-004 -d
W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc
policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny' (Expected 0, got 0)
:: [ 21:15:27 ] :: [ BEGIN ] :: Running 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny''
:: [ 21:15:27 ] :: [ FAIL ] :: Command 'grep -v 'F-002'
'/tmp/tmp.DVGZL996ny'' (Expected 1, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 0s
:: Assertions: 1 good, 1 bad
:: RESULT: FAIL (SELint static analysis)
No idea about this.
In the installability teest:
BAD install: zabbix-1:6.0.30-1.fc41.x86_64 (selinux AVCs)
----
type=AVC msg=audit(05/28/2024 21:15:28.247:957) : avc: denied { map_read
map_write } for pid=4601 comm=selinux-autorel
scontext=system_u:system_r:selinux_autorelabel_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.254:958) : avc: denied { map_read
map_write } for pid=4605 comm=systemd-fstab-g
scontext=system_u:system_r:systemd_fstab_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.261:959) : avc: denied { map_read
map_write } for pid=4609 comm=systemd-gpt-aut
scontext=system_u:system_r:systemd_gpt_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.273:960) : avc: denied { map_read
map_write } for pid=4613 comm=systemd-rc-loca
scontext=system_u:system_r:systemd_rc_local_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.281:961) : avc: denied { read } for
pid=4615 comm=systemd-ssh-gen name=vsock dev="devtmpfs" ino=388
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.284:962) : avc: denied { map_read
map_write } for pid=4619 comm=systemd-sysv-ge
scontext=system_u:system_r:systemd_sysv_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
and more, but these seem unrelated to the zabbix package.
--
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
1 week, 4 days
certmonger post-save scripts & certmonger_unconfined_t domain
by Sam Morris
Certmonger allows for the configuration of a post-save command to be run after it has obtained new certificates. This can be used to copy the key & certificates out of wherever certmonger is allowed to put them, and save them elsewhere with a particular owner/group, combine the certificate & chain into a single file as required by some software, etc.
The problem comes with SELinux which prevents my post-save scripts from being able to do all of that. I thought the solution was to give the scripts the context of certmonger_unconfined_exec_t, which would cause a transition to the certmonger_unconfined_t domain which is as its name suggests unconfined; but I can't get this to work.
I'm trying to use runcon to simulate certmonger executing a fake script:
# cat /tmp/fakescript
#!/bin/bash
set -eu
id -Z
# /tmp/fakescript
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# ls -Z /tmp/fakescript
unconfined_u:object_r:certmonger_unconfined_exec_t:s0 /tmp/fakescript
# runcon system_u:system_r:certmonger_t:s0 /tmp/fakescript
runcon: ‘/tmp/fakescript’: Permission denied
Here is the avc denial:
----
type=PROCTITLE msg=audit(27/04/21 16:16:47.156:153492) : proctitle=runcon system_u:system_r:certmonger_t:s0 /tmp/fakescript
type=SYSCALL msg=audit(27/04/21 16:16:47.156:153492) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffd8aa768ab a1=0x7ffd8aa75888 a2=0x7ffd8aa75898 a3=0x0 items=0 ppid=177795 pid=177796 auid=sam.admin uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=103 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(27/04/21 16:16:47.156:153492) : avc: denied { entrypoint } for pid=177796 comm=runcon path=/tmp/fakescript dev="dm-0" ino=33563064 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:certmonger_unconfined_exec_t:s0 tclass=file permissive=0
Even though:
# sepolicy transition -s certmonger_t -t certmonger_unconfined_t
certmonger_t @ certmonger_unconfined_exec_t --> certmonger_unconfined_t
Diving in a little deeper, I can see that certmonger can execute the file:
# sesearch -s certmonger_t -t certmonger_unconfined_exec_t -c file -p execute -A
allow certmonger_t certmonger_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read };
... and that the file type is an entrypoint for the certmonger_unconfined_t domain:
# sesearch -s certmonger_unconfined_t -t certmonger_unconfined_exec_t -c file -p entrypoint -A
allow certmonger_unconfined_t certmonger_unconfined_exec_t:file { entrypoint execute getattr ioctl lock map open read };
... and that transition is permitted from certmonger_t:
# sesearch -s certmonger_t -t certmonger_unconfined_t -c process -p transition -A
allow certmonger_t certmonger_unconfined_t:process transition;
Which leaves me scratching my head, unsure why it doesn't work in practice...
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
1 week, 5 days
Proper way to handle errors from python restorecon binding?
by Brian J. Murrell
It's not clear to me in which ways the restorecon() python binding can return an error/failure?
Can it raise an exception or does it always simply report errors in it's return code? I.e. I need to do:
rc = selinux.restorecon(path)
if rc != 0:
[error handling]
And/or do I need a try/except block around restorecon() as something it calls could raise an exception?
I have seen reference to code that calls it as such:
try:
selinux.restorecon(path)
except selinux.SELinuxError:
[error handling]
1 month, 1 week
