Re: SELinux and gitosis (FC11)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 07/07/2009 05:59 AM, Jonathan Stott wrote:

On Mon, 06 Jul 2009 08:12:26 -0400
Daniel J Walsh<dwalsh@xxxxxxxxxx>  wrote:


On 07/04/2009 07:41 AM, Jonathan Stott wrote:

Hi

# rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.6.12-62.fc11.noarch
selinux-policy-targeted-3.6.12-62.fc11.noarch

(previously it was 3.6.12-53)

And gitosis-serve is labelled gitosis_exec_t

Even after upgrading the selinux policy versions, it still seems to
hang in the same manner though.

Regards,
Jon

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Are you seeing any avc messages in /var/log/audit/audit.log?

ps -eZ | grep gitosis

Does this show apps running under the correct domain?



It's hard to tell whether it's running under the correct context (gitosis-serve seems to very quickly shell out to whatever git command is called and I'm not sure how to trigger ps at the correct time).  However it definitely has the correct context on the executable (which is the only copy of gitosis-serve on the system), and I've relabeled the file system just to be sure.

However, I still seem to get the same AVC denial:

-----------------------------------------------------------------------------
Summary:

SELinux is preventing bash (guest_t) "write" sshd_t.

Detailed Description:

SELinux denied access requested by bash. It is not expected that this access is
required by bash and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                guest_u:guest_r:guest_t:s0
Target Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Objects                pipe [ fifo_file ]
Source                        bash
Source Path                   /bin/bash
Port<Unknown>
Host                          hzhangpg02.ph.man.ac.uk
Source RPM Packages           bash-4.0-6.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hzhangpg02.ph.man.ac.uk
Platform                      Linux hzhangpg02.ph.man.ac.uk
                               2.6.29.5-191.fc11.x86_64 #1 SMP Tue Jun 16
                               23:23:21 EDT 2009 x86_64 x86_64
Alert Count                   31
First Seen                    Tue 30 Jun 2009 16:48:17 BST
Last Seen                     Tue 07 Jul 2009 10:51:13 BST
Local ID                      1cf6580e-12c8-48fb-bbb8-c06c3e55109d
Line Numbers

Raw Audit Messages

node=hzhangpg02.ph.man.ac.uk type=AVC msg=audit(1246960273.947:80): avc:  denied  { write } for  pid=3472 comm="bash" path="pipe:[51971]" dev=pipefs ino=51971 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fifo_file

node=hzhangpg02.ph.man.ac.uk type=AVC msg=audit(1246960273.947:80): avc:  denied  { write } for  pid=3472 comm="bash" path="pipe:[51972]" dev=pipefs ino=51972 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fifo_file

node=hzhangpg02.ph.man.ac.uk type=SYSCALL msg=audit(1246960273.947:80): arch=c000003e syscall=59 success=yes exit=0 a0=7f5e932395d0 a1=7ffff16ddc90 a2=7f5e932314c0 a3=7ffff16dd940 items=0 ppid=3471 pid=3472 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=5 comm="bash" exe="/bin/bash" subj=guest_u:guest_r:guest_t:s0 key=(null)

--------------------------------------------------------------------

Piping the raw audit messages into audit2allow and installing the module doesn't seem to remove them, though.

Regards,
Jon
So you intended on using the guest_t user? What does the te file created by audit2allow look like?
I think the problem here is the guest_t user is running at s0 and trying to write to a fifo_file at s0-s0:c0.c1023
If you take the above audit messages and run them through audit2why, what does the tool say? 

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux