(Apologies in advance for the length of this mail. I am a total noob at SELinux so my vocabulary is probably not correct. Hopefully you will be able to understand from context what I am trying to say.)

I have been setting up x11vnc on some of my machines. It looks like there are a hundred different ways of setting it up but I have chosen to follow the spirit of this entry in the Fedora Forum:

http://forums.fedoraforum.org/showpost.php?p=1448696&postcount=2

This works with SELinux permissive but fails completely when enforcing. Even when running permissively there are so many SELinux events in the first few seconds that many are dropped as shown here:

Jan 29 03:44:10 ecafe audispd: queue is full - dropping event

After several hours of scouring the system log, running sealert and creating policies, rinsing and repeating, I think I have generated the command line that will identify all the events which occur during an x11vnc session:

egrep ps\|x11vnc\|tcpd\|mission-control /var/log/audit/audit.log | audit2allow -M mypol

By repetitively running that line, applying the generated policy, then restarting the computer and launching a new vnc session, eventually all the events are able to be recorded without filling the queue.

I will put my questions here together where they are easy to find and will post logs and other data below in case anyone wants to look at them...

1) I have copied the mypol.te file below. Could someone tell me if anything in there opens up a huge security risk?

2) Can I copy the mypol.pp file to another computer and apply the policy directly?

3) If yes, can I also copy it to a computer running Fedora 16 or 17?

4) Is there a simple way to convert a .te file to a .pp file?

5) If I put up this information as a How-To on the forum, is there a preferred way of defining the policy? For example:

   a) publish this line...

      egrep ps\|x11vnc\|tcpd\|mission-control /var/log/audit/audit.log | audit2allow -M mypol

      ...
      and tell them to work from that

   b) Publish the contents of the .te file (assuming there is a neat way to create a .pp file) and say "Trust me"

   c) Put the .pp file somewhere accessible from the internet and say "Trust me even more"

   d) Something else???

6) I have copied one of the outputs from sealert -l GUID below in case it is useful. I have kept copies of all the others. Please let me know if it would be useful to see them. I can supply them with no problem. There are seventeen different outputs.

7) Is there a simpler way of having x11vnc "running as a service" like Windows?

Thanks to anyone who can respond...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

mypol.te (For brevity I have removed several lines saying "#!!!! This avc is allowed in the current policy")

module mypol9 1.0;

require {
	type modemmanager_t;
	type ksmtuned_t;
	type shell_exec_t;
	type initrc_t;
	type fprintd_t;
	type telepathy_mission_control_exec_t;
	type user_devpts_t;
	type dhcpc_t;
	type cupsd_t;
	type inetd_t;
	type fsdaemon_t;
	type keyboardd_t;
	type udev_t;
	type admin_home_t;
	type xserver_t;
	type audisp_t;
	type policykit_t;
	type dnsmasq_t;
	type tcpd_t;
	type virtd_t;
	type bin_t;
	type rpcd_t;
	type crond_t;
	type apmd_t;
	type rtkit_daemon_t;
	type sysctl_kernel_t;
	type NetworkManager_t;
	type colord_t;
	type unconfined_t;
	type unconfined_dbusd_t;
	type rpcbind_t;
	type init_t;
	type auditd_t;
	type devpts_t;
	type syslogd_t;
	type xserver_port_t;
	type tty_device_t;
	type xdm_var_lib_t;
	type setroubleshootd_t;
	type system_dbusd_t;
	type var_log_t;
	type config_home_t;
	type accountsd_t;
	type passwd_file_t;
	type xdm_dbusd_t;
	type avahi_t;
	type proc_t;
	type bluetooth_t;
	type xdm_var_run_t;
	type xdm_tmp_t;
	type abrt_watch_log_t;
	type mcelog_t;
	type iscsid_t;
	type kernel_t;
	type rpm_t;
	type consolekit_t;
	type firewalld_t;
	type chronyd_t;
	type xdm_t;
	type systemd_logind_t;
	type sendmail_t;
	type sshd_t;
	type devicekit_power_t;
	type devicekit_disk_t;
	type tmpfs_t;
	class process setsched;
	class unix_stream_socket connectto;
	class chr_file getattr;
	class shm { write unix_read unix_write read destroy create };
	class capability { sys_ptrace dac_override };
	class tcp_socket name_connect;
	class file { rename execute read create ioctl execute_no_trans write getattr unlink open };
	class netlink_route_socket { bind create setopt nlmsg_read getattr };
	class lnk_file read;
	class udp_socket { create connect getattr };
	class dir { write getattr read remove_name create search add_name };
}

#============= tcpd_t ==============
allow tcpd_t NetworkManager_t:dir { getattr search };
allow tcpd_t NetworkManager_t:file { read open };
allow tcpd_t abrt_watch_log_t:dir { getattr search };
allow tcpd_t abrt_watch_log_t:file { read open };
allow tcpd_t accountsd_t:dir { getattr search };
allow tcpd_t accountsd_t:file { read open };
allow tcpd_t admin_home_t:dir search;
allow tcpd_t admin_home_t:file { read getattr open };
allow tcpd_t apmd_t:dir { getattr search };
allow tcpd_t apmd_t:file { read open };
allow tcpd_t audisp_t:dir { getattr search };
allow tcpd_t audisp_t:file { read open };
allow tcpd_t auditd_t:dir { getattr search };
allow tcpd_t auditd_t:file { read open };
allow tcpd_t avahi_t:dir { getattr search };
allow tcpd_t avahi_t:file { read open };
allow tcpd_t bin_t:file { ioctl execute read open getattr execute_no_trans };
allow tcpd_t bluetooth_t:dir { getattr search };
allow tcpd_t bluetooth_t:file { read open };
allow tcpd_t chronyd_t:dir { getattr search };
allow tcpd_t chronyd_t:file { read open };
allow tcpd_t colord_t:dir { getattr search };
allow tcpd_t colord_t:file { read open };
allow tcpd_t consolekit_t:dir { getattr search };
allow tcpd_t consolekit_t:file { read open };
allow tcpd_t crond_t:dir { getattr search };
allow tcpd_t crond_t:file { read open };
allow tcpd_t cupsd_t:dir { getattr search };
allow tcpd_t cupsd_t:file { read open };
allow tcpd_t devicekit_disk_t:dir { getattr search };
allow tcpd_t devicekit_disk_t:file { read open };
allow tcpd_t devicekit_power_t:dir { getattr search };
allow tcpd_t devicekit_power_t:file { read open };
allow tcpd_t devpts_t:dir { getattr search };
allow tcpd_t dhcpc_t:dir { getattr search };
allow tcpd_t dhcpc_t:file { read open };
allow tcpd_t dnsmasq_t:dir { getattr search };
allow tcpd_t dnsmasq_t:file { read open };
allow tcpd_t firewalld_t:dir { getattr search };
allow tcpd_t firewalld_t:file { read open };
allow tcpd_t fprintd_t:dir { getattr search };
allow tcpd_t fprintd_t:file { read open };
allow tcpd_t fsdaemon_t:dir { getattr search };
allow tcpd_t fsdaemon_t:file { read open };
allow tcpd_t inetd_t:dir { getattr search };
allow tcpd_t inetd_t:file { read open };
allow tcpd_t init_t:dir { getattr search };
allow tcpd_t init_t:file { read open };
allow tcpd_t initrc_t:dir { getattr search };
allow tcpd_t initrc_t:file { read open };
allow tcpd_t iscsid_t:dir { getattr search };
allow tcpd_t iscsid_t:file { read open };
allow tcpd_t kernel_t:dir { getattr search };
allow tcpd_t kernel_t:file { read open };
allow tcpd_t keyboardd_t:dir { getattr search };
allow tcpd_t keyboardd_t:file { read open };
allow tcpd_t ksmtuned_t:dir { getattr search };
allow tcpd_t ksmtuned_t:file { read open };
allow tcpd_t mcelog_t:dir { getattr search };
allow tcpd_t mcelog_t:file { read open };
allow tcpd_t modemmanager_t:dir { getattr search };
allow tcpd_t modemmanager_t:file { read open };
allow tcpd_t passwd_file_t:file { read getattr open };
allow tcpd_t policykit_t:dir { getattr search };
allow tcpd_t policykit_t:file { read open };
allow tcpd_t proc_t:dir read;
allow tcpd_t proc_t:file { read getattr open };
allow tcpd_t rpcbind_t:dir { getattr search };
allow tcpd_t rpcbind_t:file { read open };
allow tcpd_t rpcd_t:dir { getattr search };
allow tcpd_t rpcd_t:file { read open };
allow tcpd_t rpm_t:dir { getattr search };
allow tcpd_t rpm_t:file { read open };
allow tcpd_t rtkit_daemon_t:dir { getattr search };
allow tcpd_t rtkit_daemon_t:file { read open };
allow tcpd_t self:capability { sys_ptrace dac_override };
allow tcpd_t self:netlink_route_socket { bind create setopt nlmsg_read getattr };
allow tcpd_t self:shm { write unix_read unix_write read destroy create };
allow tcpd_t self:udp_socket { create connect getattr };
allow tcpd_t sendmail_t:dir { getattr search };
allow tcpd_t sendmail_t:file { read open };
allow tcpd_t setroubleshootd_t:dir { getattr search };
allow tcpd_t setroubleshootd_t:file { read open };
allow tcpd_t shell_exec_t:file { read execute open };
allow tcpd_t sshd_t:dir { getattr search };
allow tcpd_t sshd_t:file { read open };
allow tcpd_t sysctl_kernel_t:dir search;
allow tcpd_t sysctl_kernel_t:file { read open };
allow tcpd_t syslogd_t:dir { getattr search };
allow tcpd_t syslogd_t:file { read open };
allow tcpd_t system_dbusd_t:dir { getattr search };
allow tcpd_t system_dbusd_t:file { read open };
allow tcpd_t systemd_logind_t:dir { getattr search };
allow tcpd_t systemd_logind_t:file { read open };
allow tcpd_t tmpfs_t:file { read write };
allow tcpd_t tty_device_t:chr_file getattr;
allow tcpd_t udev_t:dir { getattr search };
allow tcpd_t udev_t:file { read open };
allow tcpd_t unconfined_dbusd_t:dir { getattr search };
allow tcpd_t unconfined_dbusd_t:file { read open };
allow tcpd_t unconfined_t:dir { getattr search };
allow tcpd_t unconfined_t:file { read open };
allow tcpd_t unconfined_t:lnk_file read;
allow tcpd_t user_devpts_t:chr_file getattr;
allow tcpd_t var_log_t:dir { write add_name };
allow tcpd_t var_log_t:file { write create open };
allow tcpd_t virtd_t:dir { getattr search };
allow tcpd_t virtd_t:file { read open };
allow tcpd_t xdm_dbusd_t:dir { getattr search };
allow tcpd_t xdm_dbusd_t:file { read open };
allow tcpd_t xdm_t:dir { getattr search };
allow tcpd_t xdm_t:file { read open };
allow tcpd_t xdm_tmp_t:dir search;
allow tcpd_t xdm_var_run_t:dir search;
allow tcpd_t xdm_var_run_t:file { read getattr open };
allow tcpd_t xserver_port_t:tcp_socket name_connect;
allow tcpd_t xserver_t:dir { getattr search };
allow tcpd_t xserver_t:file { read open };
allow tcpd_t xserver_t:unix_stream_socket connectto;

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t config_home_t:file write;
allow xdm_dbusd_t self:process setsched;
allow xdm_dbusd_t telepathy_mission_control_exec_t:file { read open execute_no_trans };
allow xdm_dbusd_t xdm_var_lib_t:dir { write remove_name create add_name };
allow xdm_dbusd_t xdm_var_lib_t:file { rename write getattr read create unlink open };

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/bash.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed execute access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep x11vnc_sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tcpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:shell_exec_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        x11vnc_sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          ecafe.hogwarts.local
Source RPM Packages           bash-4.2.42-1.fc18.i686
Target RPM Packages           bash-4.2.42-1.fc18.i686
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ecafe.hogwarts.local
Platform                      Linux ecafe.hogwarts.local 3.7.4-204.fc18.i686.PAE #1 SMP Wed Jan 23 16:58:41 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-01-29 04:34:05 CET
Last Seen                     2013-01-29 04:34:05 CET
Local ID                      0215ecf1-f067-4475-a2ff-3810697a0c55

Raw Audit Messages
type=AVC msg=audit(1359430445.962:387): avc:  denied  { execute } for  pid=1740 comm="tcpd" name="bash" dev="sda5" ino=2123061 scontext=system_u:system_r:tcpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1359430445.962:387): arch=i386 syscall=execve success=yes exit=0 a0=bfcc93fc a1=bfccb4b4 a2=bfccb4bc a3=bfcc90c0 items=0 ppid=780 pid=1740 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=x11vnc_sh exe=/usr/bin/bash subj=system_u:system_r:tcpd_t:s0-s0:c0.c1023 key=(null)

Hash: x11vnc_sh,tcpd_t,shell_exec_t,file,execute

audit2allow
#============= tcpd_t ==============
allow tcpd_t shell_exec_t:file execute;

audit2allow -R
#============= tcpd_t ==============
allow tcpd_t shell_exec_t:file execute;

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
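As an added illustration for question 1, and not code from the original mail or from the SELinux tools: a short Python script that parses the allow rules of a .te file and flags the ones that widen tcpd_t's reach the most (capabilities such as sys_ptrace and dac_override, execute on shell_exec_t/bin_t, and write access to var_log_t). The embedded sample rules are copied from mypol.te above; the severity labels and the rule categories are my own judgement, not anything SELinux defines.

```python
import re

# Constructed sample: a handful of allow rules copied from the mypol.te quoted in the mail.
SAMPLE_TE = """
allow tcpd_t self:capability { sys_ptrace dac_override };
allow tcpd_t shell_exec_t:file { read execute open };
allow tcpd_t bin_t:file { ioctl execute read open getattr execute_no_trans };
allow tcpd_t var_log_t:dir { write add_name };
allow tcpd_t var_log_t:file { write create open };
allow tcpd_t sshd_t:file { read open };
allow tcpd_t xserver_port_t:tcp_socket name_connect;
allow xdm_dbusd_t self:process setsched;
"""

# Matches "allow <src> <tgt>:<class> <perm>;" or "allow <src> <tgt>:<class> { perm perm };"
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;")

# Categories are my own (hypothetical) review heuristics, not part of the SELinux policy language.
DANGEROUS_CAPS = {"sys_ptrace", "dac_override", "dac_read_search", "sys_admin", "setuid"}
EXEC_TYPES = {"shell_exec_t", "bin_t"}
LOG_WRITE = {"write", "create", "add_name", "unlink", "rename"}

def parse_allow_rules(te_text):
    """Return (source, target, class, {perms}) for every allow rule in the text."""
    rules = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, set(perms.strip("{}").split())))
    return rules

def review_rules(te_text):
    """Return (severity, rule, reason) for the rules that broaden the source domain most."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if cls == "capability" and perms & DANGEROUS_CAPS:
            findings.append(("HIGH", rule, "capability lets the domain bypass DAC or ptrace other processes"))
        elif cls == "file" and tgt in EXEC_TYPES and perms & {"execute", "execute_no_trans"}:
            findings.append(("HIGH", rule, "domain can run shells/binaries without a domain transition"))
        elif tgt == "var_log_t" and perms & LOG_WRITE:
            findings.append(("MEDIUM", rule, "write access to system logs; a dedicated log type is safer"))
    return findings

if __name__ == "__main__":
    for sev, rule, why in review_rules(SAMPLE_TE):
        print(f"{sev:6} {rule}\n       {why}")
```

For question 4, a .te is compiled with checkmodule -M -m -o mypol.mod mypol.te and packaged with semodule_package -o mypol.pp -m mypol.mod, which is what audit2allow -M runs behind the scenes.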