* general selinux questions
From: antoine @ 2005-06-09  1:50 UTC (permalink / raw)
  To: SELinux

Hi,
apologies if this is not the correct mailing list for these questions.
Also, I am fairly new to selinux.

The setup in question: Gentoo64 system (2004.1), running on an Opteron
box, custom 2.6.11.11 kernel with selinux in permissive mode.

1) I've labelled some of my cron scripts with a specific type to allow
them to do things like ping, then I added:
	domain_auto_trans(system_crond_t, mycron_exec_t, mycron_t)
so that these scripts run in mycron_t domain, then
	domain_auto_trans(mycron_t, ping_exec_t, ping_t)
so that a script in mycron_t can run ping_t (I omitted the rest)

It stopped complaining about so many things (mainly network) but I still
get these messages:
audit(1118170810.570:0): avc:  denied  { read } for  pid=27056
exe=/bin/ping path=pipe:[477173] dev=pipefs ino=477173
scontext=system_u:system_r:ping_t tcontext=system_u:system_r:crond_t
tclass=fifo_file
audit(1118170810.570:0): avc:  denied  { write } for  pid=27056
exe=/bin/ping path=pipe:[477174] dev=pipefs ino=477174
scontext=system_u:system_r:ping_t tcontext=system_u:system_r:crond_t
tclass=fifo_file
audit(1118174404.518:0): avc:  denied  { read } for  pid=29150
exe=/bin/ping path=pipe:[482483] dev=pipefs ino=482483
scontext=system_u:system_r:ping_t tcontext=system_u:system_r:crond_t
tclass=fifo_file
audit(1118174404.518:0): avc:  denied  { append } for  pid=29150
exe=/bin/ping path=/tmp/tmp.j5fwDc dev=tmpfs ino=484140
scontext=system_u:system_r:ping_t tcontext=system_u:object_r:tmpfs_t
tclass=file
audit(1118174404.518:0): avc:  denied  { write } for  pid=29150
exe=/bin/ping path=pipe:[482484] dev=pipefs ino=482484
scontext=system_u:system_r:ping_t tcontext=system_u:system_r:crond_t
tclass=fifo_file
audit(1118174404.519:0): avc:  denied  { getattr } for  pid=29150
exe=/bin/ping path=/tmp/tmp.j5fwDc dev=tmpfs ino=484140
scontext=system_u:system_r:ping_t tcontext=system_u:object_r:tmpfs_t
tclass=file
audit(1118174404.519:0): avc:  denied  { ioctl } for  pid=29150
exe=/bin/ping path=/tmp/tmp.j5fwDc dev=tmpfs ino=484140
scontext=system_u:system_r:ping_t tcontext=system_u:object_r:tmpfs_t
tclass=file

The ping used is:
ping -w 10 -W 10 -i 1 -c 2 -I $IFACE $IP

Which could be allowed by this:
allow ping_t crond_t:fifo_file { read write };
allow ping_t tmpfs_t:file { append getattr ioctl };
But why would I need to change the definition for crond_t? If anything
it should be for mycron_t? Also, why does ping_t need to use /tmp if it
is not in the default policy file?


2) Is there any online documentation on what all the macros do?
It would be a lot easier to be able to take the output from audit2allow
and know which parts map to which macro (can_network, uses_shlib, etc)
I'd prefer using google to look it up than vi ./macros/*
The closest pointer I found is on this page:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0053.html
but it is still largely a manual process. I understand that being
macros, a full text search cannot guarantee accuracy, but for most cases
it would do the (painful) work for me. Can't we generate documentation
with typical examples automatically? Or write command line tools (or
scripts) for performing these operations?

3) A lot of my current services are chrooted, labelling files in the
chroot seems to be a little bit difficult: I would like to re-use the
same label used outside the chroot (ie: etc_t for chroot/(.*)/etc(/.*)*)
but when I do, setfiles complains: "Operation not permitted". (-d tells
you what you would have expected it to do, but not what went wrong) - I
want to find which rule makes this illegal.

4) If I run ssh on a non-standard port, I need to tweak net_contexts,
what is the preferred place for keeping these settings? Generally
speaking, how do you maintain local customisations of the core policies?

5) If one of my scripts needs to restart a service (like apache), what do
I need to do to make it run without authentication? (run_init requires
authentication - do I just allow a transition to initrc_t? I haven't
tested this yet)

6) Can someone explain in layman's terms what needs to be fixed to get
rid of warnings like:
"security:  context system_u:system_r:[domain_t] is invalid"
What is missing from my policy for [domain_t]? Assuming [domain_t] can
be entered from initrc_t or sysadm_t for example, and that I have
domain_auto_trans(initrc_t, [domain_bin_t], [domain_t]) +same for sysadm

Thanks
Antoine


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
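The denials quoted above, run through an added example that is not code from the thread or from audit2allow: a small Python re-implementation of the grouping audit2allow performs, which also flags denials whose target carries a process domain (role system_r rather than object_r), the sign of an inherited descriptor such as crond's pipe.

```python
"""Group SELinux AVC denials into candidate allow rules.

Added example, not code from the thread or from audit2allow: a minimal
re-implementation of the grouping audit2allow performs, so each generated
rule can be traced back to the (source domain, target type, class) triple
that produced it.  The sample below is the set of denials quoted above,
joined back onto one line each (the kernel emits them that way).
"""
import re

SAMPLE_AVC = """\
audit(1118170810.570:0): avc:  denied  { read } for  pid=27056 exe=/bin/ping path=pipe:[477173] dev=pipefs ino=477173 scontext=system_u:system_r:ping_t tcontext=system_u:system_r:crond_t tclass=fifo_file
audit(1118170810.570:0): avc:  denied  { write } for  pid=27056 exe=/bin/ping path=pipe:[477174] dev=pipefs ino=477174 scontext=system_u:system_r:ping_t tcontext=system_u:system_r:crond_t tclass=fifo_file
audit(1118174404.518:0): avc:  denied  { read } for  pid=29150 exe=/bin/ping path=pipe:[482483] dev=pipefs ino=482483 scontext=system_u:system_r:ping_t tcontext=system_u:system_r:crond_t tclass=fifo_file
audit(1118174404.518:0): avc:  denied  { append } for  pid=29150 exe=/bin/ping path=/tmp/tmp.j5fwDc dev=tmpfs ino=484140 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:tmpfs_t tclass=file
audit(1118174404.518:0): avc:  denied  { write } for  pid=29150 exe=/bin/ping path=pipe:[482484] dev=pipefs ino=482484 scontext=system_u:system_r:ping_t tcontext=system_u:system_r:crond_t tclass=fifo_file
audit(1118174404.519:0): avc:  denied  { getattr } for  pid=29150 exe=/bin/ping path=/tmp/tmp.j5fwDc dev=tmpfs ino=484140 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:tmpfs_t tclass=file
audit(1118174404.519:0): avc:  denied  { ioctl } for  pid=29150 exe=/bin/ping path=/tmp/tmp.j5fwDc dev=tmpfs ino=484140 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:tmpfs_t tclass=file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)


def parse_avc(line):
    """Return a dict for one AVC message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    try:
        # user:role:type (an MLS range, if present, is ignored here)
        _suser, _srole, stype = fields["scontext"].split(":")[:3]
        _tuser, trole, ttype = fields["tcontext"].split(":")[:3]
        tclass = fields["tclass"]
    except (KeyError, ValueError):
        return None
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "sdomain": stype,
        "trole": trole,
        "ttype": ttype,
        "tclass": tclass,
        "exe": fields.get("exe"),
        "path": fields.get("path"),
    }


def denials_to_rules(text):
    """Collapse denials into one allow rule per (source, target, class),
    keeping first-seen order so the output is stable."""
    grouped = {}
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None or d["result"] != "denied":
            continue
        perms = grouped.setdefault((d["sdomain"], d["ttype"], d["tclass"]), [])
        for p in d["perms"]:
            if p not in perms:
                perms.append(p)
    rules = []
    for (src, tgt, cls), perms in grouped.items():
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def inherited_descriptor_denials(text):
    """Denials whose target is labelled with a process domain (role other
    than object_r).  Such an object, e.g. a pipe, was created by another
    process and inherited, so an allow rule would open a direct channel
    between the two domains; interposing in the script may be preferable."""
    hits = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d and d["result"] == "denied" and d["trole"] != "object_r":
            hits.append((d["exe"], d["path"], d["ttype"]))
    return hits


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AVC):
        print(rule)
    for exe, path, ttype in inherited_descriptor_denials(SAMPLE_AVC):
        print(f"# {exe} uses {path} labelled {ttype}: inherited from another domain")
```

The two rules it prints are exactly the two lines proposed above; the second function is the extra signal that the fifo_file target is a process domain, not a file type.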


* Re: general selinux questions
From: antoine @ 2005-06-09 12:25 UTC (permalink / raw)
  To: SELinux

Some more questions:
7) What can I do to logrotate.te to make it rotate my mysql logfiles but
have the correct label on the new /var/log/mysql/mysql.log file. As it
is now it comes up as var_log_t rather than mysql_var_log_t

8) How can I allow daemons to write to /dev/log?
allow psad_t devlog_t:sock_file write;
Is not allowed...

9) One of my scripts needs to kill a few processes by name (if they
exist) so it does something like 'ps -ef | grep "someLongUniqueString in
processName"' but that triggers all sorts of violations. Is there a
better way?

Thanks
Antoine






* Re: general selinux questions
From: Stephen Smalley @ 2005-06-09 18:26 UTC (permalink / raw)
  To: antoine; +Cc: SELinux

On Thu, 2005-06-09 at 02:50 +0100, antoine wrote:
> Which could be allowed by this:
> allow ping_t crond_t:fifo_file { read write };
> allow ping_t tmpfs_t:file { append getattr ioctl };
> But why would I need to change the definition for crond_t? If anything
> it should be for mycron_t? Also, why does ping_t need to use /tmp if it
> is not in the default policy file?

I'd guess that the pipe (fifo_file) is originally created by crond (thus
labeled with its type) to capture output of the cron job, then inherited
by your mycron script, and then inherited by ping as its stdout.  The
domain_auto_trans() macro allows for such inheritance and use by the
child domain from the parent domain, but in this case since you are
going through multiple such transitions, you have to explicitly allow
the channel (or interpose on it in your own script so that it is no
longer a direct channel between ping and crond).

I'm not sure what is happening with respect to the /tmp file.  The
example policy defines a crond_tmp_t for /tmp files created by crond
itself and a system_crond_tmp_t for tmp files created by system cron
jobs.  They certainly shouldn't be tmpfs_t.

In Fedora, using tmpfs for /tmp has been addressed by putting a
restorecon /tmp into rc.sysinit and adding an allow tmpfile
tmpfs_t:filesystem associate; rule to the policy.  

> 2) Is there any online documentation on what all the macros do?
> It would be a lot easier to be able to take the output from audit2allow
> and know which parts map to which macro (can_network, uses_shlib, etc)
> I'd prefer using google to look it up than vi ./macros/*
> The closest pointer I found is on this page:
> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0053.html
> but it is still largely a manual process. I understand that being
> macros, a full text search cannot guarantee accuracy, but for most cases
> it would do the (painful) work for me. Can't we generate documentation
> with typical examples automatically? Or write a command line tools (or
> scripts) for performing these operations?

Some resources are linked from 
http://selinux.sourceforge.net/resources.php3
polgen may be helpful, but seeks to generate policy from strace output
rather than audit messages, see http://www.mitre.org/tech/selinux/.
There is also ongoing work on a policy development framework with some
higher level abstractions and on a reference policy with a more
well-defined interface.

> 3) A lot of my current services are chrooted, labelling files in the
> chroot seems to be a little bit difficult: I would like to re-use the
> same label used outside the chroot (ie: etc_t for chroot/(.*)/etc(/.*)*)
> but when I do, setfiles complains: "Operation not permitted". (-d tells
> you what you would have expected it to do, but not what went wrong) - I
> want to find which rule makes this illegal.

I'm not sure what you mean.  setfiles -r will let you specify an
alternate root path if you just want to apply the same types under the
chroot, but it may be smarter to use different types so that you can
completely prohibit access to the base system types by the daemon's
domain in your policy.  What is the actual output of setfiles?
Operation not permitted usually means that the kernel returned an errno
of EPERM on some system call, e.g. setfiles' domain lacked fowner
capability and you tried relabeling a file with another uid.

> 4) If I run ssh on a non-standard port, I need to tweak net_contexts,
> what is the preferred place for keeping these settings? Generally
> speaking, how do you maintain local customisations of the core policies?

No good answer yet.  There is presently support for local customization
of boolean settings, file contexts, and users (at least in Fedora)
without needing to touch policy sources.  For tweaks to .te rules, a
common convention is to create domains/misc/local.te or
domains/misc/custom.te.  The loadable module support that is in the
process of being upstreamed will allow for well-defined policy modules
with explicitly declared dependencies so you can define your own module
without disturbing the base one provided by your distributor, but I
think that support still only addresses the RBAC and TE rules, not
things like network contexts.  The MLS work will require the ability to
do site customization of netif contexts, so we'll likely have to add
similar support to libsepol for local customizations there as we have
already done for booleans and users.  That works by loading in the
binary policy file into memory, loading in the local customization
config files, mutating the in-memory policy image accordingly, and then
loading the resulting policy image into the kernel.

> 5) If one of my script needs to restart a service (like apache) what do
> I need to do to make it run without authentication. (run_init requires
> authentication - do I just allow a transition to initrc_t? I haven't
> tested this yet)

Fedora has a direct_sysadm_daemon tunable that enables automatic domain
transitions from sysadm_t to the daemon domains and automatic role
transitions from sysadm_r to system_r and authorizes root for system_r
(since there is no way to automatically transition user identities to
system_u; we originally expected all user identity transitions to be
explicit upon some action like authentication).

> 6) Can someone explain in layman's terms what needs to be fixed to get
> rid of warnings like:
> "security:  context system_u:system_r:[domain_t] is invalid"
> What is missing from my policy for [domain_t]? Assuming [domain_t] can
> be entered from initrc_t or sysadm_t for example, and that I have
> domain_auto_trans(initrc_t, [domain_bin_t], [domain_t]) +same for sysadm

The role has to be authorized for the domain, e.g.
	role system_r types domain_t;
Likewise, the user has to be authorized for the role, but that likely
isn't your issue.

-- 
Stephen Smalley
National Security Agency



* Re: general selinux questions
From: Stephen Smalley @ 2005-06-09 18:36 UTC (permalink / raw)
  To: antoine; +Cc: SELinux

On Thu, 2005-06-09 at 13:25 +0100, antoine wrote:
> Some more questions:
> 7) What can I do to logrotate.te to make it rotate my mysql logfiles but
> have the correct label on the new /var/log/mysql/mysql.log file. As it
> is now it comes up as var_log_t rather than mysql_var_log_t

Does type mysql_var_log_t have the logfile attribute?  If so, then
logrotate.te should be allowing logrotate the necessary permissions to
re-create the file with that type.  Of course, your logrotate program
has to be modified to preserve types on log files; the one in Fedora
should have such modifications.

> 8) How can I allow daemons to write to /dev/log?
> allow psad_t devlog_t:sock_file write;
> Is not allowed...

Add the 'privlog' attribute to the domain for the daemon.

> 9) One of my scripts needs to kill a few processes by name (if they
> exist) so it does something like 'ps -ef | grep "someLongUniqueString in
> processName"' but that triggers all sorts of violations. Is there a
> better way?

I'm not sure why you wouldn't use killall, but I don't think that will
help with the denials anyway.  Notice that the existing policy often
dontaudit's such attempts to avoid generating noise, e.g.
	dontaudit foo_t domain:dir search;
Note that if you are in enforcing mode, then it will stop trying after
the search failure, so you won't get the subsequent denials on the
attempts to read files under the directory.  So don't assume that you
need to add more dontaudit rules just because of the output while in
permissive mode.

-- 
Stephen Smalley
National Security Agency



* Re: general selinux questions
From: Jayendren Anand Maduray @ 2005-06-10  8:11 UTC (permalink / raw)
  To: SELinux

Hi!
I am looking to start coding in SELinux.
What are the prerequisites and what media should I look into?

God bless.

-- 
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator

Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa

Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94

Alternate email address: jayendren@mweb.co.za



* Re: general selinux questions
From: Stephen Smalley @ 2005-06-10 14:18 UTC (permalink / raw)
  To: antoine; +Cc: SELinux

On Fri, 2005-06-10 at 15:21 +0100, antoine wrote:
> I am using this one from Gentoo 2004.1 (which has selinux support):
> syslog-ng-1.6.7  -hardened +selinux -static +tcpd
> (latest from amd64 stable), which is supposed to have the same mods.

Is logrotate part of syslog-ng on Gentoo?  It is a separate package in
Fedora.  

> logrotate.te contains:
> 
> # Set a context other than the default one for newly created files.
> can_setfscreate(logrotate_t)
> # Change ownership on log files.
> allow logrotate_t self:capability { chown dac_override dac_read_search
> kill fsetid fowner sys_resource sys_nice };

What about: 
allow logrotate_t logfile:dir rw_dir_perms;
allow logrotate_t logfile:file create_file_perms; 

> So I guess that my next question is: how do I figure out what is going
> wrong?

You can always force a manual run of logrotate and trace/debug it in the
usual manner.  Might want to ask on the gentoo lists as well since it
may be specific to it.

-- 
Stephen Smalley
National Security Agency



* Re: general selinux questions
From: antoine @ 2005-06-10 14:21 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

On Thu, 2005-06-09 at 14:36 -0400, Stephen Smalley wrote:
> On Thu, 2005-06-09 at 13:25 +0100, antoine wrote:
> > Some more questions:
> > 7) What can I do to logrotate.te to make it rotate my mysql logfiles but
> > have the correct label on the new /var/log/mysql/mysql.log file. As it
> > is now it comes up as var_log_t rather than mysql_var_log_t
> 
> Does type mysql_var_log_t have the logfile attribute?
It is created using 'log_domain(mysqld)':
#grep mysqld_log_t policy.conf
type mysqld_log_t, file_type, sysadmfile, logfile;
allow mysqld_t mysqld_log_t:file { create ioctl read getattr lock write
setattr append link unlink rename };
type_transition mysqld_t var_log_t:file mysqld_log_t;
allow initrc_t mysqld_log_t:file { write append setattr ioctl };

So I'm not sure why it does not behave, here is the syslog-ng.d/mysql:

/var/log/mysql/mysql.err /var/log/mysql/mysql.log /var/log/mysql/mysqld.err {
monthly
create 660 mysql mysql
notifempty
size 5M
sharedscripts
missingok
postrotate
/bin/kill -HUP `cat /var/run/mysqld/mysqld.pid`
endscript
}


>   If so, then
> logrotate.te should be allowing logrotate the necessary permissions to
> re-create the file with that type.  Of course, your logrotate program
> has to be modified to preserve types on log files; the one in Fedora
> should have such modifications.
I am using this one from Gentoo 2004.1 (which has selinux support):
syslog-ng-1.6.7  -hardened +selinux -static +tcpd
(latest from amd64 stable), which is supposed to have the same mods.
logrotate.te contains:

# Set a context other than the default one for newly created files.
can_setfscreate(logrotate_t)
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search
kill fsetid fowner sys_resource sys_nice };

So I guess that my next question is: how do I figure out what is going
wrong?

> > 8) How can I allow daemons to write to /dev/log?
> > allow psad_t devlog_t:sock_file write;
> > Is not allowed...
> 
> Add the 'privlog' attribute to the domain for the daemon.
Ah, thanks.

> > 9) One of my scripts needs to kill a few processes by name (if they
> > exist) so it does something like 'ps -ef | grep "someLongUniqueString in
> > processName"' but that triggers all sorts of violations. Is there a
> > better way?
> 
> I'm not sure why you wouldn't use killall, but I don't think that will
> help with the denials anyway.
I probably could (just that the long grep restricts more than what
killall allows - it feels safer)
>   Notice that the existing policy often
> dontaudit's such attempts to avoid generating noise, e.g.
> 	dontaudit foo_t domain:dir search;
> Note that if you are in enforcing mode, then it will stop trying after
> the search failure, so you won't get the subsequent denials on the
> attempts to read files under the directory.  So don't assume that you
> need to add more dontaudit rules just because of the output while in
> permissive mode.
Good, I hadn't thought of that.

Many thanks
Antoine
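An added example (not code from the thread or from checkpolicy) modelling the two policy checks discussed in this part of the thread: the role-for-type and user-for-role authorization behind the "context ... is invalid" warning of question 6, and the type_transition rule from the grep output above, which shows why a log file re-created by logrotate_t rather than mysqld_t lands in var_log_t unless logrotate sets an explicit create context (can_setfscreate). The policy fragment is constructed for the example; the mysqld_log_t lines follow the grep output, while the mycron_t and logrotate_t declarations and the role/user statements are assumed.

```python
"""Tiny model of two SELinux policy checks.

Added example, not code from the thread or from checkpolicy.  It parses a
handful of statements in the syntax shown in the thread (type, role, user,
type_transition) and answers:
  1. why "context system_u:system_r:domain_t is invalid" appears, i.e.
     which of the user->role or role->type authorizations is missing;
  2. which type a newly created file gets, depending on the creating
     domain and on whether the program set a create context.
The policy fragment is constructed; the mysqld_log_t statements mirror the
grep output above, the rest (mycron_t, logrotate_t, role/user lines) is
assumed for the example.
"""
import re

SAMPLE_POLICY = """
type var_log_t, file_type, sysadmfile, logfile;
type mysqld_log_t, file_type, sysadmfile, logfile;
type mysqld_t, domain;
type logrotate_t, domain;
type mycron_t, domain;
role system_r types { mysqld_t logrotate_t };
user system_u roles { system_r };
type_transition mysqld_t var_log_t:file mysqld_log_t;
"""


class Policy:
    """Holds just enough of a policy to evaluate contexts and creations."""

    def __init__(self, text):
        self.types = {}        # type name -> set of attributes
        self.role_types = {}   # role -> set of types it may run
        self.user_roles = {}   # user -> set of roles it may take
        self.transitions = {}  # (domain, parent type, class) -> new type
        for stmt in text.split(";"):
            stmt = " ".join(stmt.split())  # collapse newlines/whitespace
            if stmt:
                self._parse(stmt)

    @staticmethod
    def _names(s):
        return set(s.strip("{} ").split())

    def _parse(self, stmt):
        m = re.match(r"type (\w+)(?:, (.*))?$", stmt)
        if m:
            attrs = m.group(2).split(",") if m.group(2) else []
            self.types[m.group(1)] = {a.strip() for a in attrs}
            return
        m = re.match(r"role (\w+) types (.+)$", stmt)
        if m:
            self.role_types.setdefault(m.group(1), set()).update(self._names(m.group(2)))
            return
        m = re.match(r"user (\w+) roles (.+)$", stmt)
        if m:
            self.user_roles.setdefault(m.group(1), set()).update(self._names(m.group(2)))
            return
        m = re.match(r"type_transition (\w+) (\w+):(\w+) (\w+)$", stmt)
        if m:
            self.transitions[(m.group(1), m.group(2), m.group(3))] = m.group(4)
            return
        raise ValueError("unsupported statement: " + stmt)

    def context_problems(self, context):
        """Reasons a user:role:type context is invalid (empty list if valid).
        object_r is treated as implicitly authorized, as the kernel does."""
        user, role, typ = context.split(":")[:3]
        problems = []
        if typ not in self.types:
            problems.append(f"type {typ} is not declared")
        elif role != "object_r" and typ not in self.role_types.get(role, set()):
            problems.append(f"role {role} is not authorized for type {typ} "
                            f"(needs: role {role} types {typ};)")
        if role != "object_r" and role not in self.user_roles.get(user, set()):
            problems.append(f"user {user} is not authorized for role {role}")
        return problems

    def created_type(self, domain, parent_type, cls="file", create_context=None):
        """Type of a new object: an explicit create context (setfscreatecon)
        wins, then a matching type_transition, else the parent's type."""
        if create_context is not None:
            return create_context
        return self.transitions.get((domain, parent_type, cls), parent_type)


if __name__ == "__main__":
    pol = Policy(SAMPLE_POLICY)
    for ctx in ("system_u:system_r:mysqld_t", "system_u:system_r:mycron_t"):
        print(ctx, "->", pol.context_problems(ctx) or "valid")
    print("mysqld_t creates in var_log_t:", pol.created_type("mysqld_t", "var_log_t"))
    print("logrotate_t creates in var_log_t:", pol.created_type("logrotate_t", "var_log_t"))
    print("logrotate_t with create context:",
          pol.created_type("logrotate_t", "var_log_t", create_context="mysqld_log_t"))
```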



* Re: general selinux questions
From: Stephen Smalley @ 2005-06-10 14:50 UTC (permalink / raw)
  To: antoine; +Cc: SELinux, Jim Carter, Daniel J Walsh

On Fri, 2005-06-10 at 15:55 +0100, antoine wrote:
> Not sure about the can_exec though? Why would you ever want to execute a
> logfile?

Good question.  I know that at one point, logrotate was generating
temporary script files and executing them, but they should have their
own type, and it looks like even that has been removed from the Fedora
logrotate (by a -noTMPDIR patch).   I'd drop it and see if anything
breaks.

You may also want to check how the Gentoo logrotate compares with the
one in the Fedora CVS tree; looks like there are several patches in the
Fedora package, including one related to SELinux.

-- 
Stephen Smalley
National Security Agency



* Re: general selinux questions
  2005-06-10 14:18       ` Stephen Smalley
@ 2005-06-10 14:55         ` antoine
  2005-06-10 14:50           ` Stephen Smalley
  0 siblings, 1 reply; 23+ messages in thread
From: antoine @ 2005-06-10 14:55 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

On Fri, 2005-06-10 at 10:18 -0400, Stephen Smalley wrote:
> On Fri, 2005-06-10 at 15:21 +0100, antoine wrote:
> > I am using this one from Gentoo 2004.1 (which has selinux support):
> > syslog-ng-1.6.7  -hardened +selinux -static +tcpd
> > (latest from amd64 stable) Which is supposed to have the same mods.
> 
> Is logrotate part of syslog-ng on Gentoo?  It is a separate package in
> Fedora.  
Nope, sorry, it's just me copying the wrong thing... I meant:
app-admin/logrotate	3.7.1-r1
sec-policy/selinux-logrotate	20050408

> 
> > logrotate.te contains:
> > 
> > # Set a context other than the default one for newly created files.
> > can_setfscreate(logrotate_t)
> > # Change ownership on log files.
> > allow logrotate_t self:capability { chown dac_override dac_read_search
> > kill fsetid fowner sys_resource sys_nice };
> 
> What about: 
> allow logrotate_t logfile:dir rw_dir_perms;
> allow logrotate_t logfile:file create_file_perms; 

It is all there, I found:

# grep logfile ./domains/program/logrotate.te
allow logrotate_t logfile:dir rw_dir_perms;
allow logrotate_t logfile:lnk_file read;
allow logrotate_t logfile:file create_file_perms;
can_exec(logrotate_t,logfile)

Not sure about the can_exec though? Why would you ever want to execute a
logfile?
> 
> > So I guess that my next question is: how do I figure out what is going
> > wrong?
> 
> You can always force a manual run of logrotate and trace/debug it in the
> usual manner.  Might want to ask on the gentoo lists as well since it
> may be specific to it.
Will do.

Thanks
Antoine



* Re: general selinux questions
  2005-06-10 20:00   ` antoine
@ 2005-06-10 19:54     ` Stephen Smalley
  2005-06-10 19:59       ` Stephen Smalley
  2005-06-14 17:24       ` antoine
  0 siblings, 2 replies; 23+ messages in thread
From: Stephen Smalley @ 2005-06-10 19:54 UTC (permalink / raw)
  To: antoine; +Cc: SELinux

On Fri, 2005-06-10 at 21:00 +0100, antoine wrote:
> That makes sense.
> I thought a simple bash redirect would work:
> ping [whatever] >& tempfile
> But it still complained about the fifo... So I worked around it by
> executing ping within the mycron domain and giving that domain the
> privileges needed.

Likely needed to redirect stdin too.

> I use Gentoo, it does the same thing:
> # grep tmpfs_t policy.conf
> type tmpfs_t, file_type, sysadmfile, fs_type;
> allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
> (..)

Yes, but does it restorecon /tmp or use a context mount to get it into
tmp_t rather than tmpfs_t?

> I was trying a mixed approach: not using -r and making the root of the
> chroot not root_t but specific to the domain. So I had sprinkled some
> (/chroot/[service]) in the .fc files.

Yes, that should work; named.fc in the Fedora policy is similar:
/var/named/chroot(/.*)?         system_u:object_r:named_conf_t
/var/named/chroot/dev/null   -c system_u:object_r:null_device_t
/var/named/chroot/dev/random -c system_u:object_r:random_device_t
/var/named/chroot/dev/zero -c   system_u:object_r:zero_device_t
/var/named/chroot/etc(/.*)?     system_u:object_r:named_conf_t
/var/named/chroot/etc/rndc.key  -- system_u:object_r:dnssec_t
/var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t
/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t
/var/named/chroot/var/named(/.*)?       system_u:object_r:named_zone_t
/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t
/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t
/var/named/chroot/var/named/named\.ca   --      system_u:object_r:named_conf_t

> It's ok now, except I've had to move a directory out of the way: I can't
> delete it, even as root in non-enforcing mode... trace included at the
> bottom of this email. In the process I noticed that the code tries to
> access '/etc/selinux' which does not exist on Gentoo systems: the
> settings are in /etc/security/selinux, and there is no file named config
> in there anyway... 
> To remove these files I guess I'll have to reboot onto another disk (or
> cdrom), fsck, mount it and remove it from there...

Are you sure you are in permissive mode (getenforce)?  If so, then
SELinux shouldn't be in your way at all.  /chroot is a local fs?
Fedora migrated to /etc/selinux and reorganized the layout in FC3, but
libselinux knows to fall back to the old locations
under /etc/security/selinux if it cannot find /etc/selinux, so that
shouldn't be a problem.

> Any snippets of code I could re-use on Gentoo?
> I looked at a FC3 system for direct_sysadm, but couldn't find it.

macros/global_macros.te.  Critical rules are:
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
role_transition sysadm_r $1_exec_t system_r;
where $1 is each daemon domain.
That's for direct execution of the daemons.
For just running init scripts, you would only need:
domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
role_transition sysadm_r initrc_exec_t system_r;

-- 
Stephen Smalley
National Security Agency



* Re: general selinux questions
  2005-06-10 19:54     ` Stephen Smalley
@ 2005-06-10 19:59       ` Stephen Smalley
  2005-06-14 17:24       ` antoine
  1 sibling, 0 replies; 23+ messages in thread
From: Stephen Smalley @ 2005-06-10 19:59 UTC (permalink / raw)
  To: antoine; +Cc: SELinux

On Fri, 2005-06-10 at 15:54 -0400, Stephen Smalley wrote:
> macros/global_macros.te.  Critical rules are:
> domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
> role_transition sysadm_r $1_exec_t system_r;
> where $1 is each daemon domain.
> That's for direct execution of the daemons.
> For just running init scripts, you would only need:
> domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
> role_transition sysadm_r initrc_exec_t system_r;

Note btw that you then need to authorize the user who does this for
system_r as well, as there is no way to automatically transition the
user identity to system_u.

-- 
Stephen Smalley
National Security Agency



* Re: general selinux questions
  2005-06-09 18:26 ` Stephen Smalley
@ 2005-06-10 20:00   ` antoine
  2005-06-10 19:54     ` Stephen Smalley
  0 siblings, 1 reply; 23+ messages in thread
From: antoine @ 2005-06-10 20:00 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

> I'd guess that the pipe (fifo_file) is originally created by crond (thus
> labeled with its type) to capture output of the cron job, then inherited
> by your mycron script, and then inherited by ping as its stdout.  The
> domain_auto_trans() macro allows for such inheritance and use by the
> child domain from the parent domain, but in this case since you are
> going through multiple such transitions, you have to explicitly allow
> the channel (or interpose on it in your own script so that it is no
> longer a direct channel between ping and crond).
That makes sense.
I thought a simple bash redirect would work:
ping [whatever] >& tempfile
But it still complained about the fifo... So I worked around it by
executing ping within the mycron domain and giving that domain the
privileges needed.

> I'm not sure what is happening with respect to the /tmp file.  The
> example policy defines a crond_tmp_t for /tmp files created by crond
> itself and a system_crond_tmp_t for tmp files created by system cron
> jobs.  They certainly shouldn't be tmpfs_t.
> 
> In Fedora, using tmpfs for /tmp has been addressed by putting a
> restorecon /tmp into rc.sysinit and adding an allow tmpfile
> tmpfs_t:filesystem associate; rule to the policy.  
I use Gentoo, it does the same thing:
# grep tmpfs_t policy.conf
type tmpfs_t, file_type, sysadmfile, fs_type;
allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
(..)

2) [..] Thanks for the pointers.

> > 3) A lot of my current services are chrooted, labelling files in the
> > chroot seems to be a little bit difficult: I would like to re-use the
> > same label used outside the chroot (ie: etc_t for chroot/(.*)/etc(/.*)*)
> > but when I do, setfiles complains: "Operation not permitted". (-d tells
> > you what you would have expected it to do, but not what went wrong) - I
> > want to find which rule makes this illegal.
> 
> I'm not sure what you mean.  setfiles -r will let you specify an
> alternate root path if you just want to apply the same types under the
> chroot, but it may be smarter to use different types so that you can
> completely prohibit access to the base system types by the daemon's
> domain in your policy.  What is the actual output of setfiles?
I was trying a mixed approach: not using -r and making the root of the
chroot not root_t but specific to the domain. So I had sprinkled some
(/chroot/[service]) in the .fc files.
It's ok now, except I've had to move a directory out of the way: I can't
delete it, even as root in non-enforcing mode... trace included at the
bottom of this email. In the process I noticed that the code tries to
access '/etc/selinux' which does not exist on Gentoo systems: the
settings are in /etc/security/selinux, and there is no file named config
in there anyway... 
To remove these files I guess I'll have to reboot onto another disk (or
cdrom), fsck, mount it and remove it from there...


4) [...]
MLS sounds good, I would quite like the ability to tweak things like
network permissions for the uml virtual machines which are currently set
at the bridge and iptables level.

> > 5) If one of my script needs to restart a service (like apache) what do
> > I need to do to make it run without authentication. (run_init requires
> > authentication - do I just allow a transition to initrc_t? I haven't
> > tested this yet)
> 
> Fedora has a direct_sysadm_daemon tunable that enables automatic domain
> transitions from sysadm_t to the daemon domains and automatic role
> transitions from sysadm_r to system_r and authorizes root for system_r
> (since there is no way to automatically transition user identities to
> system_u; we originally expected all user identity transitions to be
> explicit upon some action like authentication).
Any snippets of code I could re-use on Gentoo?
I looked at a FC3 system for direct_sysadm, but couldn't find it.

> > 6) Can someone explain in layman's terms what needs to be fixed to get
> > rid of warnings like:
> > "security:  context system_u:system_r:[domain_t] is invalid"
> > What is missing from my policy for [domain_t]? Assuming [domain_t] can
> > be entered from initrc_t or sysadm_t for example, and that I have
> > domain_auto_trans(initrc_t, [domain_bin_t], [domain_t]) +same for sysadm
> 
> The role has to be authorized for the domain, e.g.
> 	role system_r types domain_t;
> Likewise, the user has to be authorized for the role, but that likely
> isn't your issue.
Ok, that makes sense, that solved a lot of problems.


Thanks a lot, sorry about flooding the ML lately...
Antoine



# strace rm -fr /chroot/dns.old/etc/bind
execve("/usr/bin/rm", ["rm", "-fr", "/chroot/dns.old/etc/bind"], [/* 31 vars */]) = 0
uname({sys="Linux", node="anaconda", ...}) = 0
brk(0)                                  = 0x509000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaac0000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=30135, ...}) = 0
mmap(NULL, 30135, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2aaaaaac1000
close(3)                                = 0
open("/lib/libselinux.so.1", O_RDONLY)  = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 .\0\0\0"..., 640) = 640
fstat(3, {st_mode=S_IFREG|0755, st_size=67928, ...}) = 0
mmap(NULL, 1115688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc1000
mprotect(0x2aaaaabd0000, 1054248, PROT_NONE) = 0
mmap(0x2aaaaacc1000, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x2aaaaacc1000
mmap(0x2aaaaacd1000, 1576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2aaaaacd1000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\316"..., 640) = 640
lseek(3, 624, SEEK_SET)                 = 624
read(3, "\4\0\0\0\20\0\0\0\1\0\0\0GNU\0\0\0\0\0\2\0\0\0\4\0\0\0"..., 32) = 32
fstat(3, {st_mode=S_IFREG|0755, st_size=1270528, ...}) = 0
mmap(NULL, 2250248, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaacd2000
mprotect(0x2aaaaadee000, 1086984, PROT_NONE) = 0
mmap(0x2aaaaaed2000, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x100000) = 0x2aaaaaed2000
mmap(0x2aaaaaef3000, 17928, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaef3000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaef8000
mprotect(0x2aaaaaeed000, 12288, PROT_READ) = 0
munmap(0x2aaaaaac1000, 30135)           = 0
access("/etc/selinux/", F_OK)           = -1 ENOENT (No such file or directory)
brk(0)                                  = 0x509000
brk(0x52a000)                           = 0x52a000
open("/proc/mounts", O_RDONLY)          = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaac1000
read(3, "rootfs / rootfs rw 0 0\n/dev/root"..., 1024) = 473
close(3)                                = 0
munmap(0x2aaaaaac1000, 4096)            = 0
open("/dev/urandom", O_RDONLY)          = 3
read(3, "\31\304\362Ac*\366\23", 8)     = 8
close(3)                                = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
unlink("/chroot/dns.old/etc/bind")      = -1 EACCES (Permission denied)
write(2, "rm: ", 4rm: )                     = 4
write(2, "cannot remove `/chroot/dns.old/e"..., 40cannot remove `/chroot/dns.old/etc/bind') = 40
write(2, ": Permission denied", 19: Permission denied)     = 19
write(2, "\n", 1
)                       = 1
exit_group(1)                           = ?





* Re: general selinux questions
  2005-06-10 19:54     ` Stephen Smalley
  2005-06-10 19:59       ` Stephen Smalley
@ 2005-06-14 17:24       ` antoine
  2005-06-14 17:37         ` Colin Walters
  1 sibling, 1 reply; 23+ messages in thread
From: antoine @ 2005-06-14 17:24 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

> > ping [whatever] >& tempfile
(...) 
> Likely needed to redirect stdin too.
DOH. I'll try that.


[Note]:
Just about anything (i.e. ssh login) seems to require:
'allow sysadm_t devpts_t:chr_file getattr;'
(I've put it in admin.te for now)


I've only got 2 problems left I *really* cannot figure out:
1)
audit(1118762231.596:0): avc:  denied  { transition } for  pid=28871
exe=/usr/lib/postfix/master path=/usr/lib/postfix/pipe dev=md3
ino=670776 scontext=system_u:system_r:postfix_master_t
tcontext=system_u:object_r:postfix_pipe_t tclass=process
So I've added this to postfix.te (from audit2allow):
allow postfix_master_t postfix_pipe_t:process transition;
But it has no effect and the same audit message keeps coming up!
I have absolutely no idea where to go from here...

Here are some related rules:
domain_auto_trans(postfix_master_t, postfix_pipe_exec_t, postfix_pipe_t)
I tried adding these:
role_transition system_r postfix_pipe_exec_t object_r;
allow postfix_master_t postfix_pipe_t:process transition;
role object_r types postfix_pipe_t;

-rwxr-xr-x  root     root
system_u:object_r:postfix_master_exec_t /usr/lib/postfix/master
-rwxr-xr-x  root     root
system_u:object_r:postfix_pipe_exec_t /usr/lib/postfix/pipe

2)
All similar to the one above (any code that calls sendmail):
audit(1118761207.922:0): avc:  denied  { transition } for  pid=28648
exe=/bin/bash path=/usr/sbin/sendmail dev=md3 ino=783481
scontext=system_u:system_r:myscript_exec_t
tcontext=system_u:object_r:sysadm_mail_t tclass=process

I tried the same rules as above with no effect...


> > I use Gentoo, it does the same thing:
> > # grep tmpfs_t policy.conf
> > type tmpfs_t, file_type, sysadmfile, fs_type;
> > allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
> > (..)
> 
> Yes, but does it restorecon /tmp or use a context mount to get it into
> tmp_t rather than tmpfs_t?
When/where? You've lost me...

> Are you sure you are in permissive mode (getenforce)?  If so, then
> SELinux shouldn't be in your way at all.  /chroot is a local fs?
Yes, /chroot is just a sub-directory of /
# getenforce
Permissive

> Fedora migrated to /etc/selinux and reorganized the layout in FC3, but
> libselinux knows to fall back to the old locations
> under /etc/security/selinux if it cannot find /etc/selinux, so that
> shouldn't be a problem.
Gentoo has /etc/security/selinux but no 'config' file in there.

Is there an equivalent to run_init for cron scripts? (one of my cron
scripts is misbehaving and I want to trace it in exactly the same env)


Thanks
Antoine



* Re: general selinux questions
  2005-06-14 17:24       ` antoine
@ 2005-06-14 17:37         ` Colin Walters
  2005-06-14 19:50           ` antoine
  2005-06-22 19:54           ` antoine
  0 siblings, 2 replies; 23+ messages in thread
From: Colin Walters @ 2005-06-14 17:37 UTC (permalink / raw)
  To: antoine; +Cc: Stephen Smalley, SELinux

On Tue, 2005-06-14 at 18:24 +0100, antoine wrote:
> > > ping [whatever] >& tempfile
> (...) 
> > Likely needed to redirect stdin too.
> DOH. I'll try that.
> 
> 
> [Note]:
> Just about anything (ie: ssh login) seems to require:
> 'allow sysadm_t devpts_t:chr_file getattr;'
> (I've put it in admin.te for now)

That should be harmless.

> I've only got 2 problems left I *really* cannot figure out:
> 1)
> audit(1118762231.596:0): avc:  denied  { transition } for  pid=28871
> exe=/usr/lib/postfix/master path=/usr/lib/postfix/pipe dev=md3
> ino=670776 scontext=system_u:system_r:postfix_master_t
> tcontext=system_u:object_r:postfix_pipe_t tclass=process
> So I've added this to postfix.te (from audit2allow):
> allow postfix_master_t postfix_pipe_t:process transition;
> But it has no effect and the same audit message keeps coming up!
> I have absolutely no idea where to go from here...

Tried audit2why?  Could be constraints or RBAC denial.

> Here are some related rules:
> domain_auto_trans(postfix_master_t, postfix_pipe_exec_t, postfix_pipe_t)
> I tried adding these:
> role_transition system_r postfix_pipe_exec_t object_r;
> allow postfix_master_t postfix_pipe_t:process transition;
> role object_r types postfix_pipe_t;

This should be system_r, not object_r, I'm pretty sure.

> 2)
> All similar to the one above (any code that calls sendmail):
> audit(1118761207.922:0): avc:  denied  { transition } for  pid=28648
> exe=/bin/bash path=/usr/sbin/sendmail dev=md3 ino=783481
> scontext=system_u:system_r:myscript_exec_t
> tcontext=system_u:object_r:sysadm_mail_t tclass=process

Similarly, try audit2why.



* Re: general selinux questions
  2005-06-14 17:37         ` Colin Walters
@ 2005-06-14 19:50           ` antoine
  2005-06-22 19:54           ` antoine
  1 sibling, 0 replies; 23+ messages in thread
From: antoine @ 2005-06-14 19:50 UTC (permalink / raw)
  To: Colin Walters; +Cc: SELinux

> This should be system_r, not object_r, I'm pretty sure.
> 
> > 2)
> > All similar to the one above (any code that calls sendmail):
> > audit(1118761207.922:0): avc:  denied  { transition } for  pid=28648
> > exe=/bin/bash path=/usr/sbin/sendmail dev=md3 ino=783481
> > scontext=system_u:system_r:myscript_exec_t
> > tcontext=system_u:object_r:sysadm_mail_t tclass=process
> 
> Similarly, try audit2why.
> 
I almost hosed the live system this is happening on by trying (and
failing) to upgrade to current cvs... Fortunately I still had a console
and access to static versions of ls and cp to restore the libs!
I had tried to build a statically linked version, but it dies - which
has to be expected I guess...
Any other ideas? (or a way to compile it against 1.22)

Antoine



* Re: general selinux questions
  2005-06-14 17:37         ` Colin Walters
  2005-06-14 19:50           ` antoine
@ 2005-06-22 19:54           ` antoine
  2005-06-23 15:33             ` antoine
  1 sibling, 1 reply; 23+ messages in thread
From: antoine @ 2005-06-22 19:54 UTC (permalink / raw)
  To: Colin Walters; +Cc: SELinux

> > audit(1118762231.596:0): avc:  denied  { transition } for  pid=28871
> > exe=/usr/lib/postfix/master path=/usr/lib/postfix/pipe dev=md3
> > ino=670776 scontext=system_u:system_r:postfix_master_t
> > tcontext=system_u:object_r:postfix_pipe_t tclass=process
> > So I've added this to postfix.te (from audit2allow):
> > allow postfix_master_t postfix_pipe_t:process transition;
> > But it has no effect and the same audit message keeps coming up!
> > I have absolutely no idea where to go from here...
> 
> Tried audit2why?  Could be constraints or RBAC denial.
Many thanks, it helped! I thought I had tried it but I needed one of:
role system_r types postfix_pipe_t;
role system_r types postfix_master_t;

Antoine (now in enforcing mode!)



* Re: general selinux questions
  2005-06-22 19:54           ` antoine
@ 2005-06-23 15:33             ` antoine
  2005-06-23 17:04               ` Stephen Smalley
  0 siblings, 1 reply; 23+ messages in thread
From: antoine @ 2005-06-23 15:33 UTC (permalink / raw)
  To: Colin Walters; +Cc: SELinux

> > > I have absolutely no idea where to go from here...
> > 
> > Tried audit2why?  Could be constraints or RBAC denial.

Oh well, I thought it was working but that was before I restarted
postfix. When I do, I get (audit2why):

audit(1119536844.319:0): avc:  denied  { transition } for  pid=11754
exe=/bin/bash path=/usr/sbin/postfix dev=md3 ino=783515
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:postfix_master_t tclass=process
        Was caused by:
                Constraint violation.
                Check policy/constraints.
                Typically, you just need to add a type attribute to the
domain to satisfy the constraint.

But I've got:
domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
role_transition system_r postfix_master_exec_t object_r;
role system_r types postfix_master_t;
(may be redundant but does not help)

system_u:object_r:postfix_master_exec_t /usr/lib/postfix/master
system_u:object_r:postfix_pipe_exec_t /usr/lib/postfix/pipe

Which type attribute could it be?
Any ideas?

Thanks
Antoine



* Re: general selinux questions
  2005-06-23 15:33             ` antoine
@ 2005-06-23 17:04               ` Stephen Smalley
  2005-06-23 17:41                 ` antoine
  0 siblings, 1 reply; 23+ messages in thread
From: Stephen Smalley @ 2005-06-23 17:04 UTC (permalink / raw)
  To: antoine; +Cc: Colin Walters, SELinux

On Thu, 2005-06-23 at 16:33 +0100, antoine wrote:
> Oh well, I thought it was working but that was before I restarted
> postfix. When I do, I get (audit2why):
> 
> audit(1119536844.319:0): avc:  denied  { transition } for  pid=11754
> exe=/bin/bash path=/usr/sbin/postfix dev=md3 ino=783515
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:postfix_master_t tclass=process

object_r should never be on a process, and system_r -> object_r
certainly shouldn't be allowed.  

> But I've got:
> domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
> allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
> role_transition system_r postfix_master_exec_t object_r;

This is wrong.  object_r is only for objects, not processes.

-- 
Stephen Smalley
National Security Agency



* Re: general selinux questions
  2005-06-23 17:04               ` Stephen Smalley
@ 2005-06-23 17:41                 ` antoine
  2005-06-23 17:44                   ` Stephen Smalley
  0 siblings, 1 reply; 23+ messages in thread
From: antoine @ 2005-06-23 17:41 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

> > But I've got:
> > domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
> > allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
> > role_transition system_r postfix_master_exec_t object_r;
> 
> This is wrong.  object_r is only for objects, not processes.
Yes, I figured the last one was not helping. I was just trying random
things, hoping to understand the error message better.
I removed the change, so now I can start postfix again without problems,
but I am back where I started with spamd:

audit(1119545469.251:0): avc:  denied  { transition } for  pid=19693
exe=/usr/bin/spamc path=/usr/sbin/sendmail dev=md3 ino=783481
scontext=system_u:system_r:spamd_t
tcontext=system_u:object_r:postfix_pipe_t tclass=process

Even though I have:
domain_auto_trans(postfix_pipe_t, spamc_exec_t, spamd_t)
domain_auto_trans(spamd_t, sendmail_exec_t, postfix_pipe_t)
(to allow mail to be filtered by spamassassin in/out)
system_u:object_r:spamc_exec_t   /usr/bin/spamc
system_u:object_r:sendmail_exec_t /usr/sbin/sendmail

Audit2why tells me I should add a type attribute, but I really cannot
figure out *which one* that could be, and to which domain:

audit(1119545469.251:0): avc:  denied  { transition } for  pid=19693
exe=/usr/bin/spamc path=/usr/sbin/sendmail dev=md3 ino=783481
scontext=system_u:system_r:spamd_t
tcontext=system_u:object_r:postfix_pipe_t tclass=process
        Was caused by:
                Constraint violation.
                Check policy/constraints.
                Typically, you just need to add a type attribute to the
domain to satisfy the constraint.

I've been stuck on this one little nagging denial for over a week now...

Thanks
Antoine



* Re: general selinux questions
  2005-06-23 17:41                 ` antoine
@ 2005-06-23 17:44                   ` Stephen Smalley
  2005-06-23 17:55                     ` Stephen Smalley
  0 siblings, 1 reply; 23+ messages in thread
From: Stephen Smalley @ 2005-06-23 17:44 UTC (permalink / raw)
  To: antoine; +Cc: SELinux

On Thu, 2005-06-23 at 18:41 +0100, antoine wrote:
> I removed the change, so now I can start postfix again without problems,
> but I am back where I started with spamd:
> 
> audit(1119545469.251:0): avc:  denied  { transition } for  pid=19693
> exe=/usr/bin/spamc path=/usr/sbin/sendmail dev=md3 ino=783481
> scontext=system_u:system_r:spamd_t
> tcontext=system_u:object_r:postfix_pipe_t tclass=process

Again, object_r in process context.

-- 
Stephen Smalley
National Security Agency



* Re: general selinux questions
  2005-06-23 17:44                   ` Stephen Smalley
@ 2005-06-23 17:55                     ` Stephen Smalley
  2005-06-23 22:50                       ` antoine
  0 siblings, 1 reply; 23+ messages in thread
From: Stephen Smalley @ 2005-06-23 17:55 UTC (permalink / raw)
  To: antoine; +Cc: SELinux

On Thu, 2005-06-23 at 13:44 -0400, Stephen Smalley wrote:
> On Thu, 2005-06-23 at 18:41 +0100, antoine wrote:
> > I removed the change, so now I can start postfix again without problems,
> > but I am back where I started with spamd:
> > 
> > audit(1119545469.251:0): avc:  denied  { transition } for  pid=19693
> > exe=/usr/bin/spamc path=/usr/sbin/sendmail dev=md3 ino=783481
> > scontext=system_u:system_r:spamd_t
> > tcontext=system_u:object_r:postfix_pipe_t tclass=process
> 
> Again, object_r in process context.

And note that this would violate both a constraint (role change in
violation of the constraint on r1 != r2) and a role allow restriction.
But audit2why just reports the first cause.

-- 
Stephen Smalley
National Security Agency


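The denials quoted across this thread, run through a small triage script: added here as an example, not code from the thread, from Gentoo or from the SELinux project. It parses the audit lines above (re-joined onto one line each, plus one constructed variant of the spamc denial with system_r as the target role) and applies the rules of thumb the replies give: object_r in a process context means a stray role_transition, a cross-role transition fails both a role allow and the r1 != r2 constraint while audit2why reports only the first, and a fifo_file labelled with a process domain is a descriptor inherited through more than one domain transition. The tag names and hint wording are assumptions of mine, not audit2why output.

```python
"""Triage helper for AVC denials of the kinds discussed in this thread.

Added example: not code from the thread, from Gentoo or from the SELinux
project.  The classification rules paraphrase the replies in the thread.
"""
import re
from dataclasses import dataclass

# Sample input: the audit lines quoted in the thread, re-joined onto one
# line each (email wrapping removed).  The last line is a constructed
# variant of the spamc denial with system_r as the target role.
SAMPLE_AVC = """\
audit(1118170810.570:0): avc:  denied  { read } for  pid=27056 exe=/bin/ping path=pipe:[477173] dev=pipefs ino=477173 scontext=system_u:system_r:ping_t tcontext=system_u:system_r:crond_t tclass=fifo_file
audit(1118174404.518:0): avc:  denied  { append } for  pid=29150 exe=/bin/ping path=/tmp/tmp.j5fwDc dev=tmpfs ino=484140 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:tmpfs_t tclass=file
audit(1118762231.596:0): avc:  denied  { transition } for  pid=28871 exe=/usr/lib/postfix/master path=/usr/lib/postfix/pipe dev=md3 ino=670776 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:postfix_pipe_t tclass=process
audit(1119536844.319:0): avc:  denied  { transition } for  pid=11754 exe=/bin/bash path=/usr/sbin/postfix dev=md3 ino=783515 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:postfix_master_t tclass=process
audit(1119545469.251:0): avc:  denied  { transition } for  pid=19693 exe=/usr/bin/spamc path=/usr/sbin/sendmail dev=md3 ino=783481 scontext=system_u:system_r:spamd_t tcontext=system_u:system_r:postfix_pipe_t tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Context:
    """user:role:type of a security context (an MLS field, if any, is ignored)."""
    user: str
    role: str
    type_: str

    @classmethod
    def parse(cls, text):
        parts = text.split(":")
        if len(parts) < 3:
            raise ValueError(f"not a security context: {text!r}")
        return cls(parts[0], parts[1], parts[2])


@dataclass(frozen=True)
class Denial:
    pid: str
    perms: frozenset
    scontext: Context
    tcontext: Context
    tclass: str


def parse_avc(line):
    """Return a Denial for an 'avc: denied' line, or None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return Denial(
        pid=fields.get("pid", "?"),
        perms=frozenset(m.group("perms").split()),
        scontext=Context.parse(fields["scontext"]),
        tcontext=Context.parse(fields["tcontext"]),
        tclass=fields["tclass"],
    )


# Hints paraphrased from the replies in this thread; the wording is mine.
HINTS = {
    "object_r-on-process": "target role is object_r: a role_transition for this "
        "entrypoint sends the new process to object_r, which is only for objects",
    "role-change": "source and target roles differ: needs a role allow AND must pass "
        "the r1 != r2 constraint; audit2why reports only the first cause",
    "same-role-transition": "check 'role <role> types <new_type>;' and the "
        "'allow <src> <new_type>:process transition;' rule, then run audit2why",
    "inherited-descriptor": "object carries a process context: a descriptor (e.g. "
        "crond's output pipe) inherited across more than one domain transition; "
        "redirect stdin/stdout/stderr in the intermediate script or allow the channel",
    "type-enforcement": "ordinary TE denial; in permissive mode it may be a follow-on "
        "that enforcing mode would never reach (see the dontaudit discussion)",
}


def diagnose(d):
    """Map one denial to a tag in HINTS."""
    if d.tclass == "process" and "transition" in d.perms:
        if d.tcontext.role == "object_r":
            return "object_r-on-process"
        if d.scontext.role != d.tcontext.role:
            return "role-change"
        return "same-role-transition"
    if d.tcontext.role != "object_r":
        return "inherited-descriptor"
    return "type-enforcement"


def triage(text):
    """Return [(pid, tag)] for every AVC line in text, skipping non-AVC lines."""
    out = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None:
            out.append((d.pid, diagnose(d)))
    return out


if __name__ == "__main__":
    for pid, tag in triage(SAMPLE_AVC):
        print(f"pid={pid}: {tag}: {HINTS[tag]}")
```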

* Re: general selinux questions
  2005-06-23 17:55                     ` Stephen Smalley
@ 2005-06-23 22:50                       ` antoine
  2005-06-24 12:13                         ` Stephen Smalley
  0 siblings, 1 reply; 23+ messages in thread
From: antoine @ 2005-06-23 22:50 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

On Thu, 2005-06-23 at 13:55 -0400, Stephen Smalley wrote:
> On Thu, 2005-06-23 at 13:44 -0400, Stephen Smalley wrote:
> > On Thu, 2005-06-23 at 18:41 +0100, antoine wrote:
> > > I removed the change, so now I can start postfix again without problems,
> > > but I am back where I started with spamd:
> > > 
> > > audit(1119545469.251:0): avc:  denied  { transition } for  pid=19693
> > > exe=/usr/bin/spamc path=/usr/sbin/sendmail dev=md3 ino=783481
> > > scontext=system_u:system_r:spamd_t
> > > tcontext=system_u:object_r:postfix_pipe_t tclass=process
> > 
> > Again, object_r in process context.

Thanks, I found it. In another .te file I was allowing sysadm_r to
become object_r... I guess this took precedence over running sendmail as
system_u:system_r:postfix_pipe_t.
Can this (somewhat dumb error I'll admit) be prevented with a neverallow
type of check?

Thanks
Antoine



* Re: general selinux questions
  2005-06-23 22:50                       ` antoine
@ 2005-06-24 12:13                         ` Stephen Smalley
  0 siblings, 0 replies; 23+ messages in thread
From: Stephen Smalley @ 2005-06-24 12:13 UTC (permalink / raw)
  To: antoine; +Cc: SELinux

On Thu, 2005-06-23 at 23:50 +0100, antoine wrote:
> Thanks, I found it. In another .te file I was allowing sysadm_r to
> become object_r... I guess this took precedence over running sendmail as
> system_u:system_r:postfix_pipe_t
> Can this (somewhat dumb error I'll admit) be prevented with a neverallow
> type of check?

Not presently; neverallow is currently only for TE allow rules.  We
could certainly introduce a neverroleallow for role allow rules into
checkpolicy and put a neverroleallow * object_r; rule into the policy.

-- 
Stephen Smalley
National Security Agency
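
Until a neverroleallow exists in checkpolicy, the mistake described above (a role allow rule or role_transition that lands a process in object_r) can be caught by a lint over the raw .te sources before the policy is built. The following is an added example, not code from the thread or from the reference policy; the .te fragment it scans is constructed for illustration, and the rule grammar it assumes is the plain `allow role role;` and `role_transition role type role;` forms.

```python
import re

# Constructed .te sample: line 2 is the kind of role allow rule the thread
# describes, line 3 a role_transition into object_r, the rest are harmless.
SAMPLE_TE = """\
allow sysadm_r system_r;
allow sysadm_r object_r;
role_transition system_r postfix_pipe_exec_t object_r;
role_transition sysadm_r initrc_exec_t system_r;
allow spamd_t postfix_pipe_t:process transition;
"""

# A role allow rule is "allow <roles> <roles>;" with exactly two operands and
# no "type:class perms" tail, which is what distinguishes it from a TE allow
# rule such as line 5 above. Operands may be brace-delimited sets.
ROLE_ALLOW_RE = re.compile(r'^\s*allow\s+(\{[^}]*\}|[^\s:]+)\s+(\{[^}]*\}|[^\s:]+)\s*;\s*$')
# role_transition <source_role> <type> <new_role>;
ROLE_TRANS_RE = re.compile(r'^\s*role_transition\s+(\S+)\s+(\S+)\s+(\S+)\s*;\s*$')


def _roles(operand):
    """Expand a single role or a brace-delimited role set into a list."""
    return operand.strip('{}').split()


def forbidden_role_targets(te_text, forbidden='object_r'):
    """Return (line_number, rule) for every role rule whose resulting role
    is `forbidden`, i.e. what a "neverroleallow * object_r;" would reject."""
    hits = []
    for lineno, line in enumerate(te_text.splitlines(), 1):
        m = ROLE_ALLOW_RE.match(line)
        if m and forbidden in _roles(m.group(2)):
            hits.append((lineno, line.strip()))
            continue
        m = ROLE_TRANS_RE.match(line)
        if m and m.group(3) == forbidden:
            hits.append((lineno, line.strip()))
    return hits


if __name__ == '__main__':
    for lineno, rule in forbidden_role_targets(SAMPLE_TE):
        print(f'line {lineno}: process role would become object_r: {rule}')
```

Run it over the concatenated .te files (after m4 expansion if the policy uses macros) as a pre-build check; any hit is a rule that would let a process take the object role and trip exactly the constraint and role-allow failure seen in the audit message.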


