playing with unconfined domains and users on Fedora 16

Hi,

After reading Dan's blog post about upping the security with SELinux I
thought I'd give it another try. So I did the following on my netbook,
which is a Fedora 16 XFCE spin:

(I'm playing in Permissive mode right now ;-)

	semodule -d unconfined

This was relatively painless after a reboot (only NetworkManager
seems to have problems (re)starting sendmail, but I did not want to use
that anyway).

So I went further:
# semanage login -m -s staff_u root
# semanage login -m -s staff_u __default__
# semanage user -d unconfined_u
# semanage user -m -R "staff_r system_r sysadm_r" staff_u

I did not remove the unconfined user for the moment.

The following happens, which I guess is a bug in gpg-agent's policy?

Output of audit2allow:
	#============= gpg_agent_t ==============
	#!!!! The source type 'gpg_agent_t' can write to a 'dir' of the following types:
	# tmp_t, gpg_agent_tmp_t, gpg_secret_t

	allow gpg_agent_t cache_home_t:dir { write add_name };
	#!!!! The source type 'gpg_agent_t' can write to a 'file' of the following types:
	# gpg_agent_tmp_t, gpg_secret_t

	allow gpg_agent_t cache_home_t:file { write create open getattr };
	allow gpg_agent_t gpg_secret_t:sock_file { write create };

which would probably render gpg-agent useless...

Then I'm getting onto shaky ground. If I understand correctly, I have to
have sudo rules to get administrative work done. This is my sudoers
rule, which seems to work:

	klaus   ALL = TYPE=unconfined_t ROLE=system_r ALL

But I get the following avcs:
	#============= staff_sudo_t ==============
	allow staff_sudo_t unconfined_t:process transition;

	#============= staff_t ==============
	allow staff_t etc_t:file entrypoint;
	allow staff_t xauth_exec_t:file entrypoint;

I did not try this in enforcing mode.
Any recommendations?
The full AVC log is in the attachment.

Thanks,
Klaus

-- 
------------------------------------------------------------------------
 Klaus Lichtenwalder, Dipl. Inform.,  http://www.lichtenwalder.name
 PGP Key fingerprint: FEDE 1D2A EE70 FB60 9CA2  669D 2F59 3F34 6E81 5A89
----
time->Thu Feb  2 14:01:40 2012
type=SYSCALL msg=audit(1328187700.889:51): arch=40000003 syscall=11 success=yes exit=0 a0=a055398 a1=a04ff88 a2=a05b2b0 a3=a04ff88 items=0 ppid=1002 pid=1003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="PreLogin" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328187700.889:51): avc:  denied  { entrypoint } for  pid=1003 comm="lxdm-binary" path="/etc/lxdm/PreLogin" dev=sda3 ino=393588 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Thu Feb  2 14:01:40 2012
type=SYSCALL msg=audit(1328187700.930:52): arch=40000003 syscall=11 success=yes exit=0 a0=a05b85d a1=a057a38 a2=a05b2b0 a3=bfe1ff76 items=0 ppid=1 pid=1007 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328187700.930:52): avc:  denied  { entrypoint } for  pid=1007 comm="lxdm-binary" path="/usr/bin/xauth" dev=sda3 ino=61761 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
----
time->Thu Feb  2 14:01:45 2012
type=SYSCALL msg=audit(1328187705.676:54): arch=40000003 syscall=5 success=yes exit=3 a0=bf869ab2 a1=8241 a2=1b6 a3=0 items=0 ppid=1002 pid=1172 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="gpg-agent" exe="/usr/bin/gpg-agent" subj=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328187705.676:54): avc:  denied  { write open } for  pid=1172 comm="gpg-agent" name="gpg-agent-info" dev=sda2 ino=2098378 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:cache_home_t:s0 tclass=file
type=AVC msg=audit(1328187705.676:54): avc:  denied  { create } for  pid=1172 comm="gpg-agent" name="gpg-agent-info" scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:cache_home_t:s0 tclass=file
type=AVC msg=audit(1328187705.676:54): avc:  denied  { add_name } for  pid=1172 comm="gpg-agent" name="gpg-agent-info" scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
type=AVC msg=audit(1328187705.676:54): avc:  denied  { write } for  pid=1172 comm="gpg-agent" name=".cache" dev=sda2 ino=2097189 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
----
time->Thu Feb  2 14:01:45 2012
type=SYSCALL msg=audit(1328187705.684:55): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bf868970 a2=4f221ff4 a3=8b33b50 items=0 ppid=1002 pid=1172 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="gpg-agent" exe="/usr/bin/gpg-agent" subj=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328187705.684:55): avc:  denied  { getattr } for  pid=1172 comm="gpg-agent" path="/home/klaus/.cache/gpg-agent-info" dev=sda2 ino=2098378 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:cache_home_t:s0 tclass=file
----
time->Thu Feb  2 14:01:45 2012
type=SYSCALL msg=audit(1328187705.675:53): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bf868a50 a2=41594ff4 a3=20 items=0 ppid=1002 pid=1172 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="gpg-agent" exe="/usr/bin/gpg-agent" subj=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328187705.675:53): avc:  denied  { create } for  pid=1172 comm="gpg-agent" name="S.gpg-agent" scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_secret_t:s0 tclass=sock_file
----
time->Thu Feb  2 14:02:13 2012
type=SYSCALL msg=audit(1328187733.740:62): arch=40000003 syscall=11 success=yes exit=0 a0=70db77 a1=2130e408 a2=2130e9c8 a3=21309e08 items=0 ppid=1581 pid=1585 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="sesh" exe="/usr/libexec/sesh" subj=staff_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328187733.740:62): avc:  denied  { transition } for  pid=1585 comm="sudo" path="/usr/libexec/sesh" dev=sda3 ino=66403 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
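To see at a glance which confined domains are hitting which target types in a log like the one attached above (the same grouping audit2allow does, without writing a policy module), here is an added example that is not part of the post: a small parser that reduces raw `type=AVC` records to per-source-type "allow" summaries. The sample records are copied from the attached log; the regex and the grouping are my own and assume the standard `scontext=user:role:type:range` layout.

```python
import re
from collections import defaultdict

# Four AVC records copied from the log attached to the post above; any
# "ausearch -m avc" output has the same shape.
SAMPLE_AVCS = """\
type=AVC msg=audit(1328187705.676:54): avc:  denied  { write open } for  pid=1172 comm="gpg-agent" name="gpg-agent-info" dev=sda2 ino=2098378 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:cache_home_t:s0 tclass=file
type=AVC msg=audit(1328187705.676:54): avc:  denied  { create } for  pid=1172 comm="gpg-agent" name="gpg-agent-info" scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:cache_home_t:s0 tclass=file
type=AVC msg=audit(1328187705.676:54): avc:  denied  { write } for  pid=1172 comm="gpg-agent" name=".cache" dev=sda2 ino=2097189 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
type=AVC msg=audit(1328187733.740:62): avc:  denied  { transition } for  pid=1585 comm="sudo" path="/usr/libexec/sesh" dev=sda3 ino=66403 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, set_of_perms), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scontext').split(':')[2]  # user:role:type:range -> type
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def summarize(text):
    """Group denials by source type, then by (target type, object class)."""
    rules = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue  # SYSCALL, time-> and "----" separator lines are skipped
        stype, ttype, tclass, perms = parsed
        rules[stype][(ttype, tclass)] |= perms
    return rules

def render(rules):
    """Print the grouping in the audit2allow-like layout used in the post."""
    out = []
    for stype in sorted(rules):
        out.append(f"#============= {stype} ==============")
        for (ttype, tclass), perms in sorted(rules[stype].items()):
            out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(summarize(SAMPLE_AVCS)))
```

Feed it `ausearch -m avc -ts recent` output to review a whole session; a target type that a domain is not expected to touch (here gpg_agent_t writing cache_home_t) points at a labelling or policy question rather than at a rule to blindly allow.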


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
