Re: policy for mgetty fax receive and new_fax

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Dec 29, 2009 at 12:27:56PM +0100, Klaus Lichtenwalder wrote:
> Am Dienstag, den 29.12.2009, 12:16 +0100 schrieb Dominick Grift:
> > On Tue, Dec 29, 2009 at 10:17:36AM +0100, Klaus Lichtenwalder wrote:
> > > Hi,
> > > 
> > > just tried receiving a fax with mgetty (and notifying me via email with
> > > the attached fax)
> > > Watching all denials flowing by (permissive mode,
> > > selinux-policy-targeted-3.6.32-59.fc12.noarch) I'm wondering whether
> > > someone already started preparing a policy or whether I should try to
> > > start it on myself? Anyone knows? Google does not find much of value
> > 
> > Can you show us the AVC denials?
> 
> Sure, no problem. One thing, as a first step I put new_fax into bin_t,
> as this was a suggestion from sealert output. 
> I do think this probably does not belong to the getty policy, as mgetty,
> receiving a fax, does far more than standard getty, imho.

Whoops i forgot some policy:

echo "policy_module(mygetty, 1.0.0)" > mygetty.te;
echo "optional_policy(\`" >> mygetty.te;
echo "gen_require(\`" >> mygetty.te;
echo "type getty_t;" >> mygetty.te;
echo "')" >> mygetty.te;
echo "corecmd_exec_bin(getty_t)" >> mygetty.te;
echo "corecmd_exec_shell(getty_t)" >> mygetty.te;
echo "kernel_read_system_state(getty_t)" >> mygetty.te;
echo "')" >> mygetty.te;

make -f /usr/share/selinux/devel/Makefile mygetty.pp
sudo semodule -i mygetty.pp

As for system_mail_t:

echo "policy_module(mymail, 1.0.0)" > mymail.te;
echo "optional_policy(\`" >> mymail.te;
echo "gen_require(\`" >> mymail.te;
echo "type system_mail_t;" >> mymail.te;
echo "')" >> mymail.te;
echo "term_use_unallocated_ttys(system_mail_t)" >> mymail.te;
echo "')" >> mymail.te;

make -f /usr/share/selinux/devel/Makefile mymail.pp
sudo semodule -i mymail.pp

That should help. 
 


> 
> Klaus
> -- 
> ------------------------------------------------------------------------ 
>  Klaus Lichtenwalder, Dipl. Inform.,  http://lklaus.homelinux.org/Klaus/
>  PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B  9C62 DB6D 1258 0E9B B6D1
> 

> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.657:57496): arch=c000003e syscall=59 success=yes exit=0 a0=3273d3ace3 a1=7fffef415d60 a2=7fffef418a30 a3=7f0863d089d0 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.657:57496): avc:  denied  { execute_no_trans } for  pid=1283 comm="mgetty" path="/bin/bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> type=AVC msg=audit(1262016758.657:57496): avc:  denied  { read open } for  pid=1283 comm="mgetty" name="bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> type=AVC msg=audit(1262016758.657:57496): avc:  denied  { execute } for  pid=1283 comm="mgetty" name="bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.659:57497): arch=c000003e syscall=2 success=yes exit=3 a0=3273d3c1f2 a1=0 a2=1b6 a3=2 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.659:57497): avc:  denied  { open } for  pid=1283 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1262016758.659:57497): avc:  denied  { read } for  pid=1283 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.661:57498): arch=c000003e syscall=5 success=yes exit=128 a0=3 a1=7fff05edb290 a2=7fff05edb290 a3=2 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.661:57498): avc:  denied  { getattr } for  pid=1283 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.662:57499): arch=c000003e syscall=4 success=yes exit=128 a0=1090ab0 a1=7fff05edd2e0 a2=7fff05edd2e0 a3=8 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.662:57499): avc:  denied  { getattr } for  pid=1283 comm="sh" path="/bin/bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.664:57500): arch=c000003e syscall=59 success=yes exit=0 a0=1093a10 a1=1093b30 a2=1092b20 a3=18 items=0 ppid=1283 pid=1286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0 key=(null)
> type=AVC msg=audit(1262016758.664:57500): avc:  denied  { read write } for  pid=1286 comm="sendmail" name="ttyS0" dev=tmpfs ino=2217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.806:57501): arch=c000003e syscall=2 success=yes exit=0 a0=3273d3c1f2 a1=0 a2=1b6 a3=2 items=0 ppid=1288 pid=1289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.806:57501): avc:  denied  { open } for  pid=1289 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1262016758.806:57501): avc:  denied  { read } for  pid=1289 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.807:57502): arch=c000003e syscall=5 success=yes exit=128 a0=0 a1=7fff44b52830 a2=7fff44b52830 a3=2 items=0 ppid=1288 pid=1289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.807:57502): avc:  denied  { getattr } for  pid=1289 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.809:57503): arch=c000003e syscall=59 success=yes exit=0 a0=eb55b0 a1=eb5480 a2=eb3e50 a3=30 items=0 ppid=1289 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.809:57503): avc:  denied  { execute_no_trans } for  pid=1291 comm="sh" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> type=AVC msg=audit(1262016758.809:57503): avc:  denied  { read open } for  pid=1291 comm="sh" name="new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> type=AVC msg=audit(1262016758.809:57503): avc:  denied  { execute } for  pid=1291 comm="sh" name="new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.817:57504): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fffcdc622a0 a3=2 items=0 ppid=1289 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.817:57504): avc:  denied  { ioctl } for  pid=1291 comm="new_fax" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.817:57505): arch=c000003e syscall=5 success=yes exit=0 a0=ff a1=7fffcdc62370 a2=7fffcdc62370 a3=0 items=0 ppid=1289 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.817:57505): avc:  denied  { getattr } for  pid=1291 comm="new_fax" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file




> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Attachment: pgpxq0DvO0uH8.pgp
Description: PGP signature

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux