Re: Zoneminder and Selinux and the Infinite Story of Doom

[Tristan Santore <tristan.santore@xxxxxxxxxxxxxxxxxxxxx>]

On 21/05/13 15:00, Miroslav Grepl wrote:
> On 05/21/2013 03:47 PM, Tristan Santore wrote:
> > Dear All,
> >
> > For the last few days Dominick and I have been trying to write a
> > policy for Zoneminder, as the current policy does not seem to be working.
> >
> > I will append what we gathered up so far below, however before I do,
> > there seems to be an inherent problem with apache and sudo/su/pam,
> > which seems to work in permissive mode, but as soon as I enable
> > enforcing, b00m, I get these.
> >
> > May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify
> > password for [apache]
> > May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >=
> > 1000" not met by user "apache"
> > May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify
> > password for [apache]
> > May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >=
> > 1000" not met by user "apache"
> >
> > In permissive mode all is fine:
> >
> > May 21 14:32:03 hq su: pam_unix(su:session): session opened for user
> > apache by (uid=0)
> > May 21 14:32:03 hq su: pam_unix(su:session): session closed for user
> > apache
> > May 21 14:32:03 hq su: pam_unix(su:session): session opened for user
> > apache by (uid=0)
> > May 21 14:32:03 hq su: pam_unix(su:session): session closed for user
> > apache
> > May 21 14:32:03 hq su: pam_unix(su:session): session opened for user
> > apache by (uid=0)
> >
> > type=USER_CMD msg=audit(1369143877.597:513): pid=2196 uid=0
> > auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0
> > msg='cwd="/usr/share/zoneminder/www" cmd="true" terminal=? res=failed'
> > type=USER_AUTH msg=audit(1369143877.611:514): pid=2197 uid=0
> > auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0
> > msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=?
> > addr=? terminal=? res=failed'
> > type=USER_AUTH msg=audit(1369143877.625:515): pid=2199 uid=0
> > auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0
> > msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=?
> > addr=? terminal=? res=failed'
> > type=SERVICE_START msg=audit(1369143877.642:516): pid=1 uid=0
> > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
> > comm="zoneminder" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> > terminal=? res=failed'
> >
> >
> > Any insights would be most appreciated, as I would really like to see
> > a policy for zoneminder that works, not only for myself, but so that
> > we can have it in the Fedora stock policy.
> >
> >
> > Thank you for all your help, especially Dominick Grift's.
> >
> > Regards,
> >
> > Tristan
> >
> >
> > And the policy we have so far:
> >
> > policy_module(myzonem, 1.0.0)
> > gen_require(` type zoneminder_t; ')
> > domain_read_all_domains_state(zoneminder_t)
> > logging_send_audit_msgs(zoneminder_t)
> > sudo_exec(zoneminder_t)
> > su_exec(zoneminder_t)
> > allow zoneminder_t self:process setrlimit;
> > allow zoneminder_t self:capability { setuid setgid sys_resource };
> > gen_require(`type httpd_zoneminder_script_exec_t; ')
> > can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
> > gen_require(` type zoneminder_var_lib_t; ')
> > manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t,
> > zoneminder_var_lib_t)
> > dbus_system_bus_client(zoneminder_t)
> > selinux_compute_access_vector(zoneminder_t)
> > allow zoneminder_t self:process setsched;
> >
> >
> > allow zoneminder_t self:key write;
> > auth_rw_lastlog(zoneminder_t)
> > systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
> > auth_domtrans_chk_passwd(zoneminder_t)
> > systemd_dbus_chat_logind(zoneminder_t)
> > gen_require(` type chkpwd_t; ')
> > allow zoneminder_t chkpwd_t:process { rlimitinh noatsecure siginh };
> > auth_read_shadow(zoneminder_t)
> > auth_domtrans_upd_passwd(zoneminder_t)
> > #gen_require(` type  systemd_logind_t; ')
> > #permissive systemd_logind_t;
> > gen_require(` type unconfined_t; role system_r; type
> > zoneminder_exec_t; role unconfined_r; ')
> > domtrans_pattern(unconfined_t, zoneminder_exec_t, zoneminder_t)
> > role_transition unconfined_r zoneminder_exec_t:file system_r;
> > domain_entry_file(zoneminder_t, httpd_zoneminder_script_exec_t)
> > domtrans_pattern(unconfined_t, httpd_zoneminder_script_exec_t,
> > zoneminder_t)
> > gen_require(` type httpd_t; ')
> > gen_require(` type httpd_zoneminder_script_t; type zoneminder_tmpfs_t;')
> > init_read_utmp(httpd_t)
> > read_files_pattern(httpd_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
> > rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t,
> > zoneminder_tmpfs_t)
> > manage_dirs_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t,
> > zoneminder_var_lib_t)
> > manage_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t,
> > zoneminder_var_lib_t)
> > allow httpd_t zoneminder_var_lib_t:dir list_dir_perms;
> > init_daemon_domain(zoneminder_t, httpd_zoneminder_script_exec_t)
> >
> > require {
> >         type chkpwd_t;
> >         type httpd_t;
> >         type httpd_zoneminder_script_t;
> >         type sshd_t;
> >         class process { siginh noatsecure rlimitinh };
> >         class unix_stream_socket { read write };
> > }
> >
> > #============= httpd_t ==============
> > allow httpd_t httpd_zoneminder_script_t:process { siginh noatsecure
> > rlimitinh };
> >
> > #============= httpd_zoneminder_script_t ==============
> > allow httpd_zoneminder_script_t httpd_t:unix_stream_socket { read
> > write };
> >
> > require {
> >         type passwd_t;
> > }
> > allow passwd_t chkpwd_t:process { noatsecure siginh rlimitinh };
> > allow httpd_zoneminder_script_t httpd_t:unix_stream_socket { read
> > write };
> > allow httpd_t httpd_zoneminder_script_t:process { noatsecure siginh
> > rlimitinh };
> After the quick review I see that this policy is coming to be unconfined
> probably. For example, it runs su/sudo directly.
>
> Could you open a new bug?
>
> Thank you.
>
> Regards,
> Miroslav
Miroslav,

Thanks to Dan, we found out what was lacking. Policy complete see below 
bugzilla's for fix and PAM bug, for pam_rootok.
The fix was:
allow zoneminder_t self:passwd rootok;


Bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=965723
https://bugzilla.redhat.com/show_bug.cgi?id=965714

Big thank you to Dominick for help with the policy write up and 
debugging and also for Dan for the PAM pam_rootok issue, where it does 
not log to auditd.

Regards,

Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux