On 06/02/2015 11:50 AM, m.roth@xxxxxxxxx wrote:
> On 06/01/15 16:27, m.roth@xxxxxxxxx wrote:
>> From: "Daniel J Walsh" <dwalsh@xxxxxxxxxx>
>> Cc: "Miroslav Grepl" <mgrepl@xxxxxxxxxx>
>> On 05/29/2015 04:34 PM, m.roth@xxxxxxxxx wrote:
>>> Daniel J Walsh wrote:
>>>> On 05/29/2015 01:03 PM, m.roth@xxxxxxxxx wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> On 05/29/2015 09:20 AM, m.roth@xxxxxxxxx wrote:
>>>>>>> CentOS 7.1. SELinux policy, and targeted, updated two days ago.
>>>>>>>
>>>>>>> May 28 17:02:41 <servername> python: SELinux is preventing
>>>>>>> /usr/bin/bash from execute access on the file
>>>>>>> /usr/bin/bash.#012#012***** <...>
>>>>>>> May 28 17:02:45 <servername> python: SELinux is preventing
>>>>>>> /usr/bin/bash from execute access on the file
>>>>>>> /usr/bin/uname.#012#012***** <...>
>>>>>>> May 28 17:02:45 <servername> python: SELinux is preventing
>>>>>>> /usr/bin/uname from execute_no_trans access on the file
>>>>>>> /usr/bin/uname.#012#012***** <...>
>>>>>>> May 28 17:02:47 <servername> python: SELinux is preventing
>>>>>>> /usr/bin/bash from execute access on the file
>>>>>>> /usr/bin/mailx.#012#012***** <...>
>>> <snip>
>>>>>> What is the avc that you are seeing?
>>>>>>
>>>>>> ausearch -m avc -ts recent
>>>>> Hmmm, that ausearch gives no matches. However, in
>>>>> /var/log/audit/audit.log:
>>>>> type=AVC msg=audit(1432846954.621:112734): avc: denied { execute } for
>>>>> pid=1984 comm="rsync" name="bash" dev="sda3" ino=23075548
>>>>> scontext=system_u:system_r:rsync_t:s0
>>>>> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>>>>> type=AVC msg=audit(1432846954.628:112735): avc: denied { execute } for
>>>>> pid=1987 comm="sh" name="uname" dev="sda3" ino=23071676
>>>>> scontext=system_u:system_r:rsync_t:s0
>>>>> tcontext=system_u:object_r:bin_t:s0
>>>>> tclass=file
>>>>> type=AVC msg=audit(1432846954.629:112737): avc: denied { execute } for
>>>>> pid=1986 comm="sh" name="mailx" dev="sda3" ino=23072424
>>>>> scontext=system_u:system_r:rsync_t:s0
>>>>> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
>>>>>
>>>>> Now, my manager thinks that it's complaining because we have an
>>>>> rsync daemon running, and every time there's an upload, the daemon
>>>>> sends an email to a user.
>>>>>
>>>> Is the rsync set up as a client or server? Does it copy off or copy to?
>>>>
>>> Server. And stuff is copied onto it (it having a nice big RAID). They
>>> *may* copy stuff off - not sure.
>>>
>> I just pushed this to Fedora upstream policy:
>>
>> commit 035cecfb52aff40a60b0bb7651aadc284e0dffb7
>> Author: Dan Walsh <dwalsh@xxxxxxxxxx>
>> Date: Mon Jun 1 08:59:29 2015 -0400
>>
>> rsync server can be setup to send mail
>>
>> You can add the rules locally by compiling and installing this policy.
>> Create myrsync.te to look like the following:
>> # =========================================
>> policy_module(myrsync, 1.0)
>>
>> gen_require(`
>> type rsync_t;
>> ')
>> mta_send_mail(rsync_t)
>> # ==========================================
>>
>> Then execute
>>
>> # make -f /usr/share/selinux/devel/Makefile
>> # semodule -i myrsync.pp
>>
> Ok, count me confused. I created that file, and tried the make, and it
> failed, which is reasonable, since I see there's no Makefile. I have on
> the system:
> rpm -qa | grep selinux
> selinux-policy-3.13.1-23.el7_1.7.noarch
> libselinux-devel-2.2.2-6.el7.x86_64
> libselinux-2.2.2-6.el7.x86_64
> selinux-policy-targeted-3.13.1-23.el7_1.7.noarch
> libselinux-utils-2.2.2-6.el7.x86_64
> libselinux-python-2.2.2-6.el7.x86_64
>
> I've never made a policy_module, just local policies, and (the audit log
> with the AVCs has been rotated):
> grep -i avc /var/log/audit/audit.log.1 | grep sendmail | audit2allow -M mypol
> a2apol
>
> gives me:
> module mypol 1.0;
>
> require {
> type sendmail_exec_t;
> type rsync_t;
> type init_t;
> class process setrlimit;
> class unix_stream_socket getattr;
> class file { execute execute_no_trans };
> }
>
> #============= rsync_t ==============
> allow rsync_t init_t:unix_stream_socket getattr;
> allow rsync_t self:process setrlimit;
> allow rsync_t sendmail_exec_t:file { execute execute_no_trans };
>
> Should I use that, or is there another SELinux package I need to install?
> Also, what's better/the more correct way to do this: the module, or the
> policy_module?
>
> mark
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

yum install selinux-policy-devel

I think will pull in the Makefile, sorry.

It is better to transition to the send_mail domain, since there is a decent chance that you will need to add additional rules; however, if everything works fine with that policy, I am fine with it.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
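As an added example, not code from the thread, from audit2allow or from the selinux-policy project: a small Python reimplementation of the audit2allow step Mark ran. It parses raw AVC records from audit.log, emits an allow-rule module in the same shape as the mypol output quoted above, and flags execute denials on *_exec_t entrypoint types, where, as Dan says, an interface such as mta_send_mail() that transitions to the mail domain is the better fix than a raw allow. The sample input is the three AVC lines quoted in the thread plus one constructed non-AVC record; the interface lookup table (only the sendmail_exec_t entry comes from the thread) and the "*_exec_t target" heuristic are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVCs quoted in the thread (joined onto one line
# each, as audit.log stores them) plus one SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1432846954.621:112734): avc: denied { execute } for pid=1984 comm="rsync" name="bash" dev="sda3" ino=23075548 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1432846954.628:112735): avc: denied { execute } for pid=1987 comm="sh" name="uname" dev="sda3" ino=23071676 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1432846954.629:112737): avc: denied { execute } for pid=1986 comm="sh" name="mailx" dev="sda3" ino=23072424 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1432846954.629:112737): arch=c000003e syscall=59 success=no exit=-13
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def _context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return a record dict for one AVC denial line, or None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group("fields")):
        fields[fm.group(1)] = fm.group(2) if fm.group(2) is not None else fm.group(3)
    try:
        return {
            "perms": frozenset(m.group("perms").split()),
            "stype": _context_type(fields["scontext"]),
            "ttype": _context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "comm": fields.get("comm", "?"),
            "name": fields.get("name", "?"),
        }
    except KeyError:  # truncated record: no usable source/target/class
        return None


def parse_audit_log(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def _perm_list(perms):
    """audit2allow style: one perm bare, several inside braces."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def generate_module(records, name="mypol", version="1.0"):
    """Merge denials into allow rules and render a module in audit2allow's layout."""
    rules, classes, types = defaultdict(set), defaultdict(set), set()
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
        classes[r["tclass"]] |= r["perms"]
        types.update((r["stype"], r["ttype"]))
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {_perm_list(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    by_src = defaultdict(list)
    for (s, t, c), p in sorted(rules.items()):
        by_src[s].append(f"allow {s} {t}:{c} {_perm_list(p)};")
    for s in sorted(by_src):
        out.append(f"#============= {s} ==============")
        out += by_src[s]
    return "\n".join(out) + "\n"


# Assumed lookup table for illustration. Only the sendmail_exec_t entry is taken
# from the thread (Dan's mta_send_mail(rsync_t) fix); extend it from refpolicy.
TRANSITION_INTERFACES = {"sendmail_exec_t": "mta_send_mail"}


def transition_hints(records):
    """Flag execute denials on *_exec_t entrypoints: a raw allow keeps the child in
    the caller's domain, so prefer the interface that transitions it (heuristic)."""
    hints, seen = [], set()
    for r in records:
        key = (r["stype"], r["ttype"])
        if r["tclass"] != "file" or "execute" not in r["perms"] or key in seen:
            continue
        if not r["ttype"].endswith("_exec_t"):
            continue
        seen.add(key)
        iface = TRANSITION_INTERFACES.get(r["ttype"])
        if iface:
            hints.append(f"{r['stype']} executes {r['ttype']} ({r['name']}): "
                         f"use {iface}({r['stype']}) instead of a raw allow")
        else:
            hints.append(f"{r['stype']} executes {r['ttype']} ({r['name']}): "
                         f"check refpolicy for an interface covering this entrypoint")
    return hints


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(generate_module(recs))
    for h in transition_hints(recs):
        print("#", h)
```

Unlike audit2allow, which reads ausearch output and understands the full record set, this only handles type=AVC lines; it is enough to show why Dan prefers the policy_module route: the generated rule lets rsync_t run mailx itself, whereas mta_send_mail(rsync_t) moves the mail client into its own domain so later denials land there rather than widening rsync_t.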