Nicklas Norling wrote:
Hi.
I've got a system updated from old redhat releases to FC2-3 and now 4.
I've just downloaded selinux-policy-targeted and have been able to fix
most of my problems with setsebool etc. while in permissive mode. However
a few more difficult issues still intrigue me and I'd love it if someone
would offer some help.
First:
[root@spock ~]# audit2allow -i /var/log/messages -l
allow dovecot_auth_t selinux_config_t:file { getattr read };
allow httpd_sys_script_t var_t:dir getattr;
allow named_t unconfined_t:fifo_file read;
allow smbd_t selinux_config_t:dir search;
allow smbd_t selinux_config_t:file { getattr read };
allow webalizer_t home_root_t:dir search;
allow webalizer_t user_home_dir_t:dir search;
The dovecot-auth problem seems to occur with every new connection to
dovecot:
Jul 16 14:00:16 spock kernel: audit(1121515216.305:122): avc: denied { read } for pid=21686 comm="dovecot-auth" name="config" dev=hda3 ino=394549 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 16 14:00:16 spock kernel: audit(1121515216.305:123): avc: denied { getattr } for pid=21686 comm="dovecot-auth" name="config" dev=hda3 ino=394549 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:selinux_config_t tclass=file
These would be suppressed by a dontaudit rule if you were running in
enforcing. Always attempt to reproduce AVC messages in enforcing mode,
since these are the ones we will fix. Permissive mode should only be
run temporarily to get around a problem. Targeted policy gives a lot of
"false" avc messages.
The httpd problem appears to be python-related. Not sure which of my
web applications is triggering it (if any). Maybe MoinMoin Wiki, but I
can't seem to trigger it myself; maybe a search spider is triggering it.
Jul 16 02:00:54 spock kernel: audit(1121472054.557:119): avc: denied { getattr } for pid=20378 comm="python" name="var" dev=hda3 ino=163841 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Yes, the question would be which file/dir it is trying to read under /var.
named is denied some fun?
Jul 14 15:39:10 spock named[1771]: exiting
Jul 14 15:39:12 spock kernel: audit(1121348352.535:98): avc: denied { read } for pid=16108 comm="named-checkconf" name="[196624]" dev=pipefs ino=196624 scontext=root:system_r:named_t tcontext=root:system_r:unconfined_t tclass=fifo_file
Jul 14 15:39:12 spock named[16110]: starting BIND 9.3.1 -u named
Is this only happening on a yum update/RPM install?
Samba appears to want to read the selinux config file? Every access to
a home directory triggers this despite the correct sebool being set.
Jul 15 02:43:18 spock kernel: audit(1121388198.077:104): avc: denied { search } for pid=17122 comm="smbd" name="selinux" dev=hda3 ino=394114 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 15 02:43:18 spock kernel: audit(1121388198.077:105): avc: denied { read } for pid=17122 comm="smbd" name="config" dev=hda3 ino=394549 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 15 02:43:18 spock kernel: audit(1121388198.078:106): avc: denied { getattr } for pid=17122 comm="smbd" name="config" dev=hda3 ino=394549 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:selinux_config_t tclass=file
These should be dontaudited. Again run under enforcing mode.
webalizer is being asked to put its resulting webpages into a local
user's web directory in support of per-user usage stats. The user's
webfolder has the correct objects set for httpd security.
Jul 11 04:02:17 spock kernel: audit(1121047337.762:57): avc: denied { search } for pid=3409 comm="webalizer" name="home" dev=hda3 ino=819203 scontext=system_u:system_r:webalizer_t tcontext=system_u:object_r:home_root_t tclass=dir
Jul 11 04:02:17 spock kernel: audit(1121047337.762:58): avc: denied { search } for pid=3409 comm="webalizer" name="joakim" dev=hda3 ino=458781 scontext=system_u:system_r:webalizer_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
You will need to write your own policy for this. Alternatively you
could create a directory under /var/www with the label
httpd_sys_content_t and allow webalizer to write there and allow users
to read it.
In addition to this I have a shared folder with 'public' material,
files that I offer for download/upload. This folder is shared to my
users with ftp as well as samba. Is this even possible to do with
selinux?
Jul 16 15:24:31 spock kernel: audit(1121520271.993:127): avc: denied { search } for pid=21818 comm="smbd" name="/" dev=hdc1 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
Jul 16 15:24:32 spock kernel: audit(1121520272.060:128): avc: denied { getattr } for pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
Jul 16 15:24:32 spock kernel: audit(1121520272.156:129): avc: denied { read } for pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
audit2allow suggests:
allow smbd_t ftpd_anon_t:dir { getattr read search };
You could add this rule to your local.te file. We have discussed this
in the past and maybe a boolean allowing all apps to read "shared data"
would work.
Grateful for any tips, hoping to enforce soon!
/Nicke
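As an added example (not from either poster), a small Python re-implementation of the grouping that audit2allow -l performs on the AVC lines quoted in this thread: it parses the permission set, scontext, tcontext and tclass from each kernel audit line, merges denials that share source type, target type and class, and prints them as allow rules. The sample log is constructed from the messages quoted above.

```python
import re
from collections import defaultdict
# Constructed sample: the AVC lines quoted in the thread, one per line, plus a non-AVC line that is skipped.
SAMPLE_LOG = """\
Jul 16 14:00:16 spock kernel: audit(1121515216.305:122): avc: denied { read } for pid=21686 comm="dovecot-auth" name="config" dev=hda3 ino=394549 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 16 14:00:16 spock kernel: audit(1121515216.305:123): avc: denied { getattr } for pid=21686 comm="dovecot-auth" name="config" dev=hda3 ino=394549 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 15 02:43:18 spock kernel: audit(1121388198.077:104): avc: denied { search } for pid=17122 comm="smbd" name="selinux" dev=hda3 ino=394114 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 16 15:24:31 spock kernel: audit(1121520271.993:127): avc: denied { search } for pid=21818 comm="smbd" name="/" dev=hdc1 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
Jul 16 15:24:32 spock kernel: audit(1121520272.060:128): avc: denied { getattr } for pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
Jul 16 15:24:32 spock kernel: audit(1121520272.156:129): avc: denied { read } for pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
Jul 14 15:39:10 spock named[1771]: exiting
"""

# One AVC record: the denied permission set, then the two security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC line, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]  # user:role:type[:level] -> the type field
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def summarize(log_text):
    """Merge denials that share (source type, target type, class), as audit2allow -l does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def format_rule(key, perms):
    """Render one rule in the 'allow src tgt:class perms;' syntax audit2allow prints."""
    stype, ttype, tclass = key
    plist = sorted(perms)
    perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_str};"

def allow_rules(log_text):
    return sorted(format_rule(k, p) for k, p in summarize(log_text).items())

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

As the reply points out, rules derived from permissive-mode logs include denials that a dontaudit rule hides in enforcing mode (the selinux_config_t ones here), so the output is a list of candidates to review against enforcing-mode AVCs, not rules to load as-is.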
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list