I've made the dontaudit changes you suggested, and everything seems to
still work. However, I'm still having problems with
apache - I use too many PHP functions which do various things such as
executing external programs, opening sockets, connecting to postgres,
etc. that generate avc denied errors. I tried, thus, to remove apache.te
from domains/program, just to find out that mailman depended on it - it
gives me an error about mailman_cgi_exec_t (which, indeed, is only
defined if apache.te is defined, but it appears in the mailman.fc file
without an ifdef) - adding an ifdef made it all work perfectly. I wonder
if there's a way to use selinux with apache without limiting php functions.
Rodrigo
Daniel J Walsh wrote:
Rodrigo Damazio wrote:
Hello. I started playing with SELinux on FC2, and recently
moved to FC3, and I must say it's much better now, with the targeted
policy. Congrats on this.
I still had to change a few things in my policies, though.
Following is a collection of the avc errors justifying my changes.
I'm not experienced with SElinux yet, so I may be doing something
wrong...please let me know if these changes are correct or not. Also,
the unlink allow for httpd_t is because, for some reason, when I try
to remove a file from within PHP, it uses httpd_t instead of
httpd_sys_script_t. I would also like a rule (which I'm not sure how
to write) to allow PHP programs to execute external programs, since I
have a script which receives an uploaded file, does a lot of
processing with it through external programs, and stores it in the
database - when I run that, it gives me avc execute errors trying to
run bash and the other utilities.
Apache:
Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc:
denied { connectto } for pid=2522 exe=/usr/sbin/httpd
path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t
tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket
NTPd:
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc:
denied { create } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc:
denied { bind } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc:
denied { getattr } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.747:0): avc:
denied { write } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc:
denied { net_admin } for pid=2293 exe=/usr/sbin/ntpd capability=12
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=capability
Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc:
denied { nlmsg_read } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.752:0): avc:
denied { read } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
DHCPd:
Nov 12 23:37:25 fireball kernel: audit(1100309845.314:0): avc:
denied { create } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.317:0): avc:
denied { bind } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.320:0): avc:
denied { getattr } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.323:0): avc:
denied { write } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.325:0): avc:
denied { net_admin } for pid=10002 exe=/usr/sbin/dhcpd
capability=12 scontext=root:system_r:dhcpd_t
tcontext=root:system_r:dhcpd_t tclass=capability
Nov 12 23:37:25 fireball kernel: audit(1100309845.326:0): avc:
denied { nlmsg_read } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.327:0): avc:
denied { read } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc:
denied { unlink } for pid=10008 exe=/usr/sbin/dhcpd
name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t
tcontext=system_u:object_r:file_t tclass=file
named:
Nov 12 23:41:25 fireball kernel: audit(1100310085.797:0): avc:
denied { create } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.798:0): avc:
denied { bind } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.799:0): avc:
denied { getattr } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.803:0): avc:
denied { write } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.806:0): avc:
denied { nlmsg_read } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.809:0): avc:
denied { read } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Thanks,
Rodrigo
------------------------------------------------------------------------
diff -ru src.orig/policy/domains/program/apache.te
src/policy/domains/program/apache.te
--- src.orig/policy/domains/program/apache.te 2004-11-01
19:36:22.000000000 -0200
+++ src/policy/domains/program/apache.te 2004-11-12
23:54:36.127952796 -0200
@@ -285,6 +285,8 @@
# Allow httpd to work with postgresql
#
allow httpd_t tmp_t:sock_file rw_file_perms;
+allow httpd_t tmp_t:unix_stream_socket rw_file_perms;
+allow httpd_t unconfined_t:unix_stream_socket rw_file_perms;
') dnl targeted policy
This would allow httpd to talk to any unix_stream_socket (XWindows for
example.) I am going to try to add postgresql.te (As we have with
mysql.te) to targeted policy to see if it fixes this
and does not cause other problems.
#
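Review bot: the two added `+allow httpd_t ...:unix_stream_socket rw_file_perms;` lines use a file permission set on a socket class, while the denial quoted above asks for the socket permission `connectto`; and the second line, by naming `unconfined_t`, lets httpd connect to the stream sockets of every unconfined process, not only the postgres listener at `/tmp/.s.PGSQL.5432`. Suggest replacing both with a single `connectto` rule against a type dedicated to the postgres socket once the postgresql.te mentioned in the inline comment exists, so that the grant is bounded to the one service httpd actually needs.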
diff -ru src.orig/policy/domains/program/dhcpd.te
src/policy/domains/program/dhcpd.te
--- src.orig/policy/domains/program/dhcpd.te 2004-11-01
19:36:22.000000000 -0200
+++ src/policy/domains/program/dhcpd.te 2004-11-12
23:38:18.000000000 -0200
@@ -33,13 +33,14 @@
can_ypbind(dhcpd_t)
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
+allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
Added, but have never seen this before.
allow dhcpd_t var_lib_t:dir search;
allow dhcpd_t devtty_t:chr_file { read write };
# Use capabilities
-allow dhcpd_t dhcpd_t:capability { net_raw net_bind_service };
+allow dhcpd_t dhcpd_t:capability { net_raw net_admin
net_bind_service };
net_admin is a strong capability. It allows you to bring up and down
network interfaces, iptable rules. Do you have any idea what it is
trying to do that would cause this? Could you try to
dontaudit it and see what happens.
dontaudit dhcpd_t self:capability net_admin;
# Allow access to the dhcpd file types
type dhcp_state_t, file_type, sysadmfile;
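Review bot: the `net_admin` addition on the `+allow dhcpd_t dhcpd_t:capability { net_raw net_admin net_bind_service };` line should not be in the allow set; the inline suggestion of `dontaudit dhcpd_t self:capability net_admin;` keeps the existing grant unchanged and silences the log entry until the trigger is known. The `+allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;` line is the right shape for the create/bind/getattr/read/nlmsg_read denials, but the log also shows a `write` denial on that class, so confirm that the macro expands to include `write` (it does where it is built on create_socket_perms) rather than assuming it. Separately, the `unlink` denial on `name=dhcpd.leases~` with `tcontext=system_u:object_r:file_t` is not addressed by this hunk; `file_t` is the label of an unlabelled file, and the fix there is relabelling the lease directory, not granting `dhcpd_t` unlink on `file_t`.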
diff -ru src.orig/policy/domains/program/named.te
src/policy/domains/program/named.te
--- src.orig/policy/domains/program/named.te 2004-11-01
19:36:22.000000000 -0200
+++ src/policy/domains/program/named.te 2004-11-12
23:42:38.000000000 -0200
@@ -60,6 +60,7 @@
# Bind to the named port.
allow named_t dns_port_t:udp_socket name_bind;
allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
+allow named_t self:netlink_route_socket r_netlink_socket_perms;
Added, but again have not seen this.
bool named_write_master_zones false;
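Review bot: the `+allow named_t self:netlink_route_socket r_netlink_socket_perms;` line is the same read-only route-socket grant added for dhcpd and ntpd in this patch, and named's log, unlike the other two, shows no accompanying `net_admin` denial, which supports the reading that route lookups alone are what these daemons want at startup. Since three domains now carry the identical line, consider a shared macro so that the permission set is maintained in one place; if the rule is kept per-domain, it belongs with the other `self` socket rules of named_t rather than between the port binding rules and the `bool` declaration.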
diff -ru src.orig/policy/domains/program/ntpd.te
src/policy/domains/program/ntpd.te
--- src.orig/policy/domains/program/ntpd.te 2004-11-01
19:36:22.000000000 -0200
+++ src/policy/domains/program/ntpd.te 2004-11-12
23:33:18.000000000 -0200
@@ -22,7 +22,7 @@
# for SSP
allow ntpd_t urandom_device_t:chr_file read;
-allow ntpd_t self:capability { setgid setuid sys_time
net_bind_service ipc_lock sys_chroot };
+allow ntpd_t self:capability { setgid setuid sys_time
net_bind_service ipc_lock sys_chroot net_admin };
This should definitely not be allowed. I can't see why ntpd would
want to modify your network environment.
allow ntpd_t self:process { setcap setsched };
# ntpdate wants sys_nice
dontaudit ntpd_t self:capability { fsetid sys_nice };
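Review bot: the `+allow ntpd_t self:capability { ... sys_chroot net_admin };` change should be dropped, as the inline comment says; the file already has `dontaudit ntpd_t self:capability { fsetid sys_nice };` two context lines below, so `net_admin` can be added to that dontaudit set instead of the allow set, which removes the log noise without granting the capability. Note also that the original `-allow` line is wrapped across two lines in this mail, so check the patch applies cleanly from the archive rather than from the quoted text.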
@@ -39,6 +39,7 @@
allow ntpd_t ntp_port_t:udp_socket name_bind;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
+allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
Same as previous comments about netlink_sockets.
# so the start script can change firewall entries
allow initrc_t net_conf_t:file { getattr read ioctl };
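Review bot: the `+allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;` line is consistent with the seven ntpd denials quoted above, all of which fall within the same startup sequence (audit timestamps 1100209909.743 to .752) as the `net_admin` denial; after the `net_admin` grant is removed from the earlier hunk, re-test ntpd with only this rule in place to confirm that read access to the route socket is what it needs and that no new denial appears.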
diff -ru src.orig/policy/macros/program/apache_macros.te
src/policy/macros/program/apache_macros.te
--- src.orig/policy/macros/program/apache_macros.te 2004-11-01
19:36:22.000000000 -0200
+++ src/policy/macros/program/apache_macros.te 2004-11-12
23:01:49.000000000 -0200
@@ -106,6 +106,7 @@
############################################################################
r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
+allow httpd_t { httpd_$1_script_rw_t }:{ file dir lnk_file } {
unlink };
ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
if (httpd_enable_cgi) && (httpd_unified) {
The update policy has the following which would cover this case.
r_dir_file(httpd_t, httpd_sys_script_ro_t)
create_dir_file(httpd_t, httpd_sys_script_rw_t)
ra_dir_file(httpd_t, httpd_sys_script_ra_t)
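Review bot: the `+allow httpd_t { httpd_$1_script_rw_t }:{ file dir lnk_file } { unlink };` line is added unconditionally inside the macro, so every script type instantiated through it gains an httpd_t unlink grant regardless of the `httpd_enable_cgi` and `httpd_unified` booleans tested on the next context line; the update policy's `create_dir_file(httpd_t, httpd_sys_script_rw_t)` quoted in the inline comment covers this case in the intended place. The reason the denial is on `httpd_t` rather than `httpd_sys_script_t` is that mod_php executes inside the httpd process, so no domain transition happens; the unlink therefore has to be granted to `httpd_t`, and a scoped rule like the one in the update policy is preferable to a per-macro grant on all three object classes.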
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
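The approach taken throughout this thread, turning each avc denial into the narrowest matching rule and holding back strong capabilities such as net_admin with a dontaudit until the trigger is understood, can be mechanised. The following is an added example written for this page, not code from the thread, from Fedora, or from audit2allow (which is the real tool for this job); it parses kernel avc denial lines in the format quoted above, merges permissions per source type, target type and class, and emits candidate rules, marking capability grants from a constructed STRONG_CAPS set as dontaudit-for-review instead of allow. The sample log text is constructed for the example from denials quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: four denial lines copied from the thread above, rejoined
# onto single lines as the kernel originally emitted them.
SAMPLE_LOG = """\
Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc: denied { net_admin } for pid=2293 exe=/usr/sbin/ntpd capability=12 scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=capability
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc: denied { create } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { bind } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc: denied { connectto } for pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket
"""

# Matches the permission set, source context, target context and class of a
# denial; the optional fields between them (pid, exe, path, capability) are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed for this example: capabilities whose grant should be questioned
# rather than copied from the log into an allow rule.
STRONG_CAPS = {"net_admin", "sys_admin", "dac_override", "sys_module", "sys_ptrace"}


def parse_avc(line):
    """Return the fields of one avc denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        # A context is user:role:type; the type is what policy rules name.
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def summarize(log_text):
    """Merge all denials into {(source type, target type, class): permissions}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return rules


def to_policy(rules):
    """Render merged denials as policy lines, holding strong capabilities back."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        # Policy uses 'self' when a domain acts on its own type.
        target = "self" if stype == ttype else ttype
        perm_str = " ".join(sorted(perms))
        if tclass == "capability" and perms & STRONG_CAPS:
            out.append(f"dontaudit {stype} {target}:{tclass} {{ {perm_str} }};  # review before allowing")
        else:
            out.append(f"allow {stype} {target}:{tclass} {{ {perm_str} }};")
    return out


if __name__ == "__main__":
    for rule in to_policy(summarize(SAMPLE_LOG)):
        print(rule)
```

Run against a real /var/log/messages the output is a starting point, not a finished policy: a rule such as the httpd_t to unconfined_t one still needs the narrowing discussed in the thread, and an unlabelled target type like file_t is a relabelling problem rather than an allow rule.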