On 21/05/13 15:00, Miroslav Grepl wrote:
On 05/21/2013 03:47 PM, Tristan Santore wrote:
Dear All,
For the last few days Dominick and I have been trying to write a
policy for Zoneminder, as the current policy does not seem to be working.
I will append what we gathered up so far below, however before I do,
there seems to be an inherent problem with apache and sudo/su/pam,
which seems to work in permissive mode, but as soon as I enable
enforcing, b00m, I get these.
May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify password for [apache]
May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "apache"
May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify password for [apache]
May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "apache"
In permissive mode all is fine:
May 21 14:32:03 hq su: pam_unix(su:session): session opened for user apache by (uid=0)
May 21 14:32:03 hq su: pam_unix(su:session): session closed for user apache
May 21 14:32:03 hq su: pam_unix(su:session): session opened for user apache by (uid=0)
May 21 14:32:03 hq su: pam_unix(su:session): session closed for user apache
May 21 14:32:03 hq su: pam_unix(su:session): session opened for user apache by (uid=0)
type=USER_CMD msg=audit(1369143877.597:513): pid=2196 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='cwd="/usr/share/zoneminder/www" cmd="true" terminal=? res=failed'
type=USER_AUTH msg=audit(1369143877.611:514): pid=2197 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
type=USER_AUTH msg=audit(1369143877.625:515): pid=2199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1369143877.642:516): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="zoneminder" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Any insights would be most appreciated, as I would really like to see
a policy for zoneminder that works, not only for myself, but so that
we can have it in the Fedora stock policy.
Thank you for all your help, especially Dominick Grift's.
Regards,
Tristan
And the policy we have so far:
policy_module(myzonem, 1.0.0)
gen_require(` type zoneminder_t; ')
domain_read_all_domains_state(zoneminder_t)
logging_send_audit_msgs(zoneminder_t)
sudo_exec(zoneminder_t)
su_exec(zoneminder_t)
allow zoneminder_t self:process setrlimit;
allow zoneminder_t self:capability { setuid setgid sys_resource };
gen_require(` type httpd_zoneminder_script_exec_t; ')
can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
gen_require(` type zoneminder_var_lib_t; ')
manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
dbus_system_bus_client(zoneminder_t)
selinux_compute_access_vector(zoneminder_t)
allow zoneminder_t self:process setsched;
allow zoneminder_t self:key write;
auth_rw_lastlog(zoneminder_t)
systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
auth_domtrans_chk_passwd(zoneminder_t)
systemd_dbus_chat_logind(zoneminder_t)
gen_require(` type chkpwd_t; ')
allow zoneminder_t chkpwd_t:process { rlimitinh noatsecure siginh };
auth_read_shadow(zoneminder_t)
auth_domtrans_upd_passwd(zoneminder_t)
#gen_require(` type systemd_logind_t; ')
#permissive systemd_logind_t;
gen_require(` type unconfined_t; role system_r; type zoneminder_exec_t; role unconfined_r; ')
domtrans_pattern(unconfined_t, zoneminder_exec_t, zoneminder_t)
role_transition unconfined_r zoneminder_exec_t:file system_r;
domain_entry_file(zoneminder_t, httpd_zoneminder_script_exec_t)
domtrans_pattern(unconfined_t, httpd_zoneminder_script_exec_t, zoneminder_t)
gen_require(` type httpd_t; ')
gen_require(` type httpd_zoneminder_script_t; type zoneminder_tmpfs_t; ')
init_read_utmp(httpd_t)
read_files_pattern(httpd_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
manage_dirs_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
manage_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
allow httpd_t zoneminder_var_lib_t:dir list_dir_perms;
init_daemon_domain(zoneminder_t, httpd_zoneminder_script_exec_t)
require {
	type chkpwd_t;
	type httpd_t;
	type httpd_zoneminder_script_t;
	type sshd_t;
	class process { siginh noatsecure rlimitinh };
	class unix_stream_socket { read write };
}
#============= httpd_t ==============
allow httpd_t httpd_zoneminder_script_t:process { siginh noatsecure rlimitinh };
#============= httpd_zoneminder_script_t ==============
allow httpd_zoneminder_script_t httpd_t:unix_stream_socket { read write };
require {
	type passwd_t;
}
allow passwd_t chkpwd_t:process { noatsecure siginh rlimitinh };
allow httpd_zoneminder_script_t httpd_t:unix_stream_socket { read write };
allow httpd_t httpd_zoneminder_script_t:process { noatsecure siginh rlimitinh };
After a quick review, I see that this policy is probably coming to be unconfined. For example, it runs su/sudo directly.
Could you open a new bug?
Thank you.
Regards,
Miroslav
Miroslav,
Thanks to Dan, we found out what was lacking. Policy complete; see the Bugzillas below for the fix and for the PAM bug concerning pam_rootok.
The fix was:
allow zoneminder_t self:passwd rootok;
Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=965723
https://bugzilla.redhat.com/show_bug.cgi?id=965714
Big thank you to Dominick for help with the policy write-up and debugging, and also to Dan for the PAM pam_rootok issue, where it does not log to auditd.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
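The failure mode in this thread is worth being able to spot from logs alone: pam_rootok asks the SELinux policy for the `rootok` permission on the `passwd` class before letting root su without a password, and when that permission is missing the stack falls through to pam_succeed_if/pam_unix, so a system account with no password fails "normally" while no AVC names the real cause (the PAM bug Tristan filed is that pam_rootok does not log that denial to auditd). The script below is an added example, not code from the thread or from the zoneminder policy. It parses audit records of the shape quoted above into key/value fields (including the nested msg='...' payload), flags root-initiated su/sudo authentication failures coming from a confined domain, pairs them with the "requirement uid >= 1000 not met" syslog symptom, and prints the sesearch query and the allow rule from Tristan's fix. The sample audit and syslog text is constructed from the records in the thread; the fifth audit record (an unconfined_t success) and the SU_LIKE path set are my own assumptions added so the filter has something to skip.

```python
import re

# Constructed sample, modelled on the records quoted in the thread. Records 513-516 are
# the enforcing-mode records from the mail; 517 is an added control (unconfined_t, success).
SAMPLE_AUDIT = """\
type=USER_CMD msg=audit(1369143877.597:513): pid=2196 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='cwd="/usr/share/zoneminder/www" cmd="true" terminal=? res=failed'
type=USER_AUTH msg=audit(1369143877.611:514): pid=2197 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
type=USER_AUTH msg=audit(1369143877.625:515): pid=2199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1369143877.642:516): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="zoneminder" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=USER_AUTH msg=audit(1369143900.000:517): pid=2300 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
"""

# Constructed syslog excerpt, copied from the enforcing-mode lines in the thread.
SAMPLE_SYSLOG = """\
May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify password for [apache]
May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "apache"
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# key=value tokens: a single-quoted string, a double-quoted string, or a bare word.
TOKEN = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
SUCCEED_IF = re.compile(r'pam_succeed_if\(su:auth\): requirement "[^"]+" not met by user "(?P<user>[^"]+)"')
SU_LIKE = {"/usr/bin/su", "/bin/su", "/usr/bin/sudo", "/bin/sudo"}  # assumption: paths worth flagging
UNCONFINED = {"unconfined_t"}


def parse_fields(text):
    """Turn 'k=v k="v" k=\\'v\\'' into a dict, stripping the quotes."""
    return {k: v.strip("'\"") for k, v in TOKEN.findall(text)}


def parse_record(line):
    """Parse one audit record; fields of the nested msg='...' payload are merged in."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    outer = parse_fields(m.group(4))
    inner = parse_fields(outer.pop("msg", ""))
    rec.update(outer)
    rec.update(inner)
    return rec


def parse_audit(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def domain_of(subj):
    """system_u:system_r:zoneminder_t:s0 -> zoneminder_t"""
    parts = subj.split(":")
    return parts[2] if len(parts) > 2 else subj


def find_suspected_rootok_denials(records):
    """USER_AUTH failures for su/sudo run as root (uid=0) from a confined domain.
    Root should pass pam_rootok without a password; a failure here with no AVC is the
    signature of the passwd:rootok permission being denied silently."""
    hits = []
    for r in records:
        if r.get("type") != "USER_AUTH" or r.get("op") != "PAM:authentication":
            continue
        if r.get("res") != "failed" or r.get("uid") != "0":
            continue
        if r.get("exe") not in SU_LIKE:
            continue
        domain = domain_of(r.get("subj", ""))
        if domain in UNCONFINED:
            continue
        hits.append({"serial": r["serial"], "domain": domain,
                     "acct": r.get("acct"), "exe": r["exe"]})
    return hits


def password_fallthrough_users(syslog_text):
    """Accounts for which su's auth stack reached pam_succeed_if, i.e. pam_rootok did
    not short-circuit it; combined with a uid=0 caller this confirms the picture."""
    return sorted({m.group("user") for m in SUCCEED_IF.finditer(syslog_text)})


def suggested_checks(domain):
    """sesearch (setools) query to confirm the gap, and the rule from the thread's fix.
    Flags: -A allow rules, -s source type, -c object class, -p permission."""
    return {"query": f"sesearch -A -s {domain} -c passwd -p rootok",
            "rule": f"allow {domain} self:passwd rootok;"}


if __name__ == "__main__":
    for h in find_suspected_rootok_denials(parse_audit(SAMPLE_AUDIT)):
        print(f"serial {h['serial']}: {h['exe']} as root in {h['domain']} failed to authenticate {h['acct']}")
        checks = suggested_checks(h["domain"])
        print("  confirm with:", checks["query"])
        print("  fix:         ", checks["rule"])
    print("accounts that fell through to password auth:", password_fallthrough_users(SAMPLE_SYSLOG))
```

Run against a real log, feed `ausearch -m USER_AUTH --raw` output to `parse_audit` and the su lines of `/var/log/secure` to `password_fallthrough_users`; if the sesearch query returns no rule for the flagged domain, the missing `self:passwd rootok` permission is the likely cause even though `ausearch -m AVC` shows nothing.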