Re: A few policy changes I had to make

Rodrigo Damazio wrote:

Hello. I started playing with SELinux on FC2, and recently moved to FC3, and I must say it's much better now, with the targeted policy. Congrats on this.
I still had to change a few things in my policies, though. Following is a collection of the AVC errors justifying my changes. I'm not experienced with SELinux yet, so I may be doing something wrong... please let me know if these changes are correct or not. Also, the unlink allow for httpd_t is because, for some reason, when I try to remove a file from within PHP, it uses httpd_t instead of httpd_sys_script_t. I would also like a rule (which I'm not sure how to write) to allow PHP programs to execute external programs, since I have a script which receives an uploaded file, does a lot of processing with it through external programs, and stores it in the database. When I run that, it gives me AVC execute errors trying to run bash and the other utilities.


Apache:
Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc: denied { connectto } for pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket


NTPd:
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc: denied { create } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { bind } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { getattr } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.747:0): avc: denied { write } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc: denied { net_admin } for pid=2293 exe=/usr/sbin/ntpd capability=12 scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=capability
Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc: denied { nlmsg_read } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.752:0): avc: denied { read } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket


DHCPd:
Nov 12 23:37:25 fireball kernel: audit(1100309845.314:0): avc: denied { create } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.317:0): avc: denied { bind } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.320:0): avc: denied { getattr } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.323:0): avc: denied { write } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.325:0): avc: denied { net_admin } for pid=10002 exe=/usr/sbin/dhcpd capability=12 scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=capability
Nov 12 23:37:25 fireball kernel: audit(1100309845.326:0): avc: denied { nlmsg_read } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.327:0): avc: denied { read } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc: denied { unlink } for pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file


named:
Nov 12 23:41:25 fireball kernel: audit(1100310085.797:0): avc: denied { create } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.798:0): avc: denied { bind } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.799:0): avc: denied { getattr } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.803:0): avc: denied { write } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.806:0): avc: denied { nlmsg_read } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.809:0): avc: denied { read } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket


Thanks,
Rodrigo

------------------------------------------------------------------------

diff -ru src.orig/policy/domains/program/apache.te src/policy/domains/program/apache.te
--- src.orig/policy/domains/program/apache.te 2004-11-01 19:36:22.000000000 -0200
+++ src/policy/domains/program/apache.te 2004-11-12 23:54:36.127952796 -0200
@@ -285,6 +285,8 @@
# Allow httpd to work with postgresql
#
allow httpd_t tmp_t:sock_file rw_file_perms;
+allow httpd_t tmp_t:unix_stream_socket rw_file_perms;
+allow httpd_t unconfined_t:unix_stream_socket rw_file_perms;
') dnl targeted policy
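
Review bot: the two added rules grant rw_file_perms, but the denial quoted above is for connectto on a unix_stream_socket, a permission that file-oriented macro does not contain, so the change does not clear the denial while still opening httpd_t to every unconfined_t stream socket. If the goal is the PostgreSQL socket under /tmp, a rule scoped to a dedicated postgresql domain (the way mysql.te handles MySQL) would be far narrower than targeting unconfined_t.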


This would allow httpd to talk to any unix_stream_socket (X Windows, for example). I am going to try to add postgresql.te (as we have with mysql.te) to targeted policy to see if it fixes this and does not cause other problems.



# diff -ru src.orig/policy/domains/program/dhcpd.te src/policy/domains/program/dhcpd.te --- src.orig/policy/domains/program/dhcpd.te 2004-11-01 19:36:22.000000000 -0200 +++ src/policy/domains/program/dhcpd.te 2004-11-12 23:38:18.000000000 -0200 @@ -33,13 +33,14 @@ can_ypbind(dhcpd_t) allow dhcpd_t self:unix_dgram_socket create_socket_perms; allow dhcpd_t self:unix_stream_socket create_socket_perms; +allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;



Added, but have never seen this before.

allow dhcpd_t var_lib_t:dir search;

allow dhcpd_t devtty_t:chr_file { read write };

# Use capabilities
-allow dhcpd_t dhcpd_t:capability { net_raw net_bind_service };
+allow dhcpd_t dhcpd_t:capability { net_raw net_admin net_bind_service };



net_admin is a strong capability. It allows you to bring network interfaces up and down and change iptables rules. Do you have any idea what it is trying to do that would cause this? Could you try to dontaudit it and see what happens:
dontaudit dhcpd_t self:capability net_admin;


# Allow access to the dhcpd file types
type dhcp_state_t, file_type, sysadmfile;
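
Review bot: the net_admin addition in `+allow dhcpd_t dhcpd_t:capability { net_raw net_admin net_bind_service };` goes beyond what the evidence supports; the capability=12 denial is logged between the netlink_route_socket denials, so a `dontaudit dhcpd_t self:capability net_admin;` followed by a check that dhcpd still hands out leases is the right first step before granting it. The unlink denial on dhcpd.leases~ is also left unaddressed, and should stay that way: its target type is file_t, which means the file carries no label, so the fix is to relabel the leases directory with restorecon rather than to allow dhcpd_t to unlink file_t.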
diff -ru src.orig/policy/domains/program/named.te src/policy/domains/program/named.te
--- src.orig/policy/domains/program/named.te	2004-11-01 19:36:22.000000000 -0200
+++ src/policy/domains/program/named.te	2004-11-12 23:42:38.000000000 -0200
@@ -60,6 +60,7 @@
# Bind to the named port.
allow named_t dns_port_t:udp_socket name_bind;
allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
+allow named_t self:netlink_route_socket r_netlink_socket_perms;



Added, but again I have not seen this.

bool named_write_master_zones false;
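
Review bot: a short comment above `+allow named_t self:netlink_route_socket r_netlink_socket_perms;` explaining why named opens a routing socket would help the next reader, since nothing else in named.te mentions netlink. The six denials quoted for named (create, bind, getattr, write, nlmsg_read, read) include no nlmsg_write, so the read-side macro is the correct scope and should not be widened.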

diff -ru src.orig/policy/domains/program/ntpd.te src/policy/domains/program/ntpd.te
--- src.orig/policy/domains/program/ntpd.te	2004-11-01 19:36:22.000000000 -0200
+++ src/policy/domains/program/ntpd.te	2004-11-12 23:33:18.000000000 -0200
@@ -22,7 +22,7 @@
# for SSP
allow ntpd_t urandom_device_t:chr_file read;

-allow ntpd_t self:capability { setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
+allow ntpd_t self:capability { setgid setuid sys_time net_bind_service ipc_lock sys_chroot net_admin };


This should definitely not be allowed. I can't see why ntpd would want to modify your network environment.

allow ntpd_t self:process { setcap setsched };
# ntpdate wants sys_nice
dontaudit ntpd_t self:capability { fsetid sys_nice };
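
Review bot: net_admin should come out of `+allow ntpd_t self:capability { setgid setuid sys_time net_bind_service ipc_lock sys_chroot net_admin };`; a time daemon has no reason to reconfigure interfaces or routes, and the capability=12 denial was logged in the middle of the route-socket denials, so it is most likely a side effect of the same lookup. Adding net_admin to the existing `dontaudit ntpd_t self:capability { fsetid sys_nice };` line and confirming that time sync still works is the safer change.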
@@ -39,6 +39,7 @@
allow ntpd_t ntp_port_t:udp_socket name_bind;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
+allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;



Same as previous comments about netlink sockets.

# so the start script can change firewall entries
allow initrc_t net_conf_t:file { getattr read ioctl };
diff -ru src.orig/policy/macros/program/apache_macros.te src/policy/macros/program/apache_macros.te
--- src.orig/policy/macros/program/apache_macros.te	2004-11-01 19:36:22.000000000 -0200
+++ src/policy/macros/program/apache_macros.te	2004-11-12 23:01:49.000000000 -0200
@@ -106,6 +106,7 @@
############################################################################
r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
+allow httpd_t { httpd_$1_script_rw_t }:{ file dir lnk_file } { unlink };
ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)

if (httpd_enable_cgi) && (httpd_unified) {
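
Review bot: `+allow httpd_t { httpd_$1_script_rw_t }:{ file dir lnk_file } { unlink };` sits in the per-script-type macro yet grants to httpd_t itself, and unlink on its own does not let a process delete a file, which also requires remove_name on the containing directory, so the rule would just move the denial to the dir class. Expressing it as create_dir_file(httpd_t, httpd_$1_script_rw_t) covers both halves in one place. The reason the denial names httpd_t rather than httpd_sys_script_t is that PHP as an Apache module runs inside the httpd process; only CGI scripts transition to the script domain.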




The updated policy has the following, which would cover this case.

r_dir_file(httpd_t, httpd_sys_script_ro_t)
create_dir_file(httpd_t, httpd_sys_script_rw_t)
ra_dir_file(httpd_t, httpd_sys_script_ra_t)
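
As an added, constructed example (not code from this thread or from the Fedora policy), a small Python triage script in the spirit of audit2allow: it groups AVC lines quoted above into candidate allow rules and then applies the objections raised in this reply as checks, flagging strong capabilities such as net_admin for a dontaudit-first test, treating a file_t target as an unlabeled file to relabel rather than allow, and comparing a unix_stream_socket denial against what rw_file_perms actually grants. The expansion of rw_file_perms is assumed from the policy sources of that era.

```python
import re
from collections import defaultdict

# Constructed sample: three of the AVC lines quoted in the thread above.
AVC_LINES = [
    "Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc: denied { connectto } for pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket",
    "Nov 12 23:37:25 fireball kernel: audit(1100309845.325:0): avc: denied { net_admin } for pid=10002 exe=/usr/sbin/dhcpd capability=12 scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=capability",
    "Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc: denied { unlink } for pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file",
]

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\S+:(?P<src>\w+) tcontext=\S+:(?P<tgt>\w+) tclass=(?P<cls>\w+)"
)

# Assumed expansion of the FC3 policy's rw_file_perms macro: a file permission
# set, which is why it cannot satisfy a socket-only permission like connectto.
RW_FILE_PERMS = {"ioctl", "read", "getattr", "lock", "write", "append"}
# Capabilities that should never be allowed just because an AVC asked for them.
STRONG_CAPS = {"net_admin", "sys_admin", "sys_module", "sys_rawio", "dac_override"}


def parse_avc(lines):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            denials[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return denials


def candidate_rules(denials):
    """Render each group as the allow rule audit2allow would propose."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if tgt == src else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def review(denials):
    """Flag the review points from the thread before any candidate rule is accepted."""
    notes = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        if cls == "capability" and perms & STRONG_CAPS:
            notes.append(f"{src}: strong capability {sorted(perms & STRONG_CAPS)}; dontaudit and retest first")
        if tgt == "file_t":
            notes.append(f"{src}: target is unlabeled (file_t); relabel it instead of allowing")
        if cls == "unix_stream_socket" and not perms <= RW_FILE_PERMS:
            notes.append(f"{src}: rw_file_perms would not cover {sorted(perms - RW_FILE_PERMS)}")
    return notes
```

Running `review(parse_avc(AVC_LINES))` on the sample yields one note per line, matching the three objections in the reply above.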

------------------------------------------------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list


