Re: SElinux Query

Hi,
I understand now.

As I wrote before, macros are basically just a way to specify multiple allow rules at once.
During policy compilation, macros are broken down into those individual allow rules. Therefore the binary policy (which is used to make decisions on allowing/denying access) doesn't know about macros (it contains only individual "allow" rules).

Another thing is that you are looking at AVC denials (messages in audit.log) the wrong way. Since SELinux policy rules can only allow access (this is not entirely true, but for simplicity let's assume it is), you can't really violate them. When you tried to access the webpage after relabeling it, SELinux reported that there is no rule allowing such access (not that there is a rule prohibiting it).

In conclusion, SELinux AVC messages will always contain only specific types (never anything to do with macros).

If we look at an actual AVC message

type=AVC msg=audit(1363289005.532:184): avc:  denied  { read } for  pid=29199 comm="Trace" name="online" dev="sysfs" ino=30 scontext=staff_u:staff_r:googletalk_plugin_t tcontext=system_u:object_r:sysfs_t tclass=file

There will always be a specific target type of the attempted access.
In this case the target context is 
system_u:object_r:sysfs_t
(user:role:type)
And the target type is "sysfs_t" (specified in "base" policy module).

Hope this helps.

Vit Mojzis
SELinux Solutions
Red Hat, Inc.
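The point above (an AVC record always names concrete source and target types, so each denial corresponds to exactly one individual allow rule, never to a macro) can be shown mechanically. The parser below is an added example, not code from this thread or from the selinux-policy project. It takes the AVC line quoted above plus a second, constructed line modelled on the httpd relabel experiment, extracts the permission set and the type field of scontext/tcontext, and prints the minimal allow rule each denial maps to (the same thing audit2allow does). The small module-to-types table at the end is a constructed stand-in for the "module_name:domain_types:resource_types" file mentioned later in the thread; the module names and type lists in it are illustrative assumptions, not extracted from a real policy.

```python
"""Parse SELinux AVC records and map each denial to the concrete allow rule
it corresponds to.  Added example; the second AVC line and MODULE_TYPES are
constructed for illustration."""
import re
from dataclasses import dataclass

# Sample records. The first is the one quoted in the reply above (joined on
# one line); the second is constructed to match the httpd_t -> var_t relabel
# experiment described in the question (pid, inode, timestamp are made up).
SAMPLE_AVC = [
    'type=AVC msg=audit(1363289005.532:184): avc:  denied  { read } for  pid=29199 '
    'comm="Trace" name="online" dev="sysfs" ino=30 '
    'scontext=staff_u:staff_r:googletalk_plugin_t tcontext=system_u:object_r:sysfs_t tclass=file',
    'type=AVC msg=audit(1461670000.123:456): avc:  denied  { getattr open read } for  pid=1234 '
    'comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=4242 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file',
]

# Constructed stand-in for a "module_name:domain_types:resource_types" table.
# Which module defines which type must come from the policy sources; these
# entries are assumptions chosen only so the lookup below has data to hit.
MODULE_TYPES = {
    "base":   ({"kernel_t"}, {"sysfs_t", "var_t"}),
    "apache": ({"httpd_t"}, {"httpd_sys_content_t", "httpd_log_t"}),
}

_DECISION_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*)\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    decision: str          # "denied" or "granted"
    perms: tuple           # permissions inside { ... }
    scontext: str          # full source security context
    tcontext: str          # full target security context
    tclass: str            # object class (file, dir, ...)
    fields: dict           # every key=value pair on the line

    @staticmethod
    def context_type(ctx):
        # A context is user:role:type[:level]; the type is always field 3.
        return ctx.split(":")[2]

    @property
    def source_type(self):
        return self.context_type(self.scontext)

    @property
    def target_type(self):
        return self.context_type(self.tcontext)

    def allow_rule(self):
        """The single allow rule whose absence produced this denial."""
        perms = " ".join(self.perms)
        if len(self.perms) > 1:
            perms = "{ " + perms + " }"
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perms};"


def parse_avc(line):
    m = _DECISION_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: " + line)
    # Strip the quotes audit puts around comm=, name=, path= values.
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError("AVC record missing " + required)
    return AvcRecord(m.group(1), tuple(m.group(2).split()),
                     fields["scontext"], fields["tcontext"], fields["tclass"], fields)


def module_defining(type_name, table=MODULE_TYPES):
    """Return the module that defines type_name, or None if unknown."""
    for module, (domains, resources) in table.items():
        if type_name in domains or type_name in resources:
            return module
    return None


if __name__ == "__main__":
    for line in SAMPLE_AVC:
        rec = parse_avc(line)
        print(rec.allow_rule(), "   # target type defined in:",
              module_defining(rec.target_type))
```

On a live system the same data comes from `ausearch -m AVC -ts recent`, and `audit2allow` produces the same allow rules from it; whether a given allow rule is already present in the loaded policy can be checked with `sesearch -A -s httpd_t -t var_t -c file` from the setools package. Note that none of these tools can report a macro name: once the policy is compiled, the macro is gone and only the expanded type/class/permission triples remain.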



----- Original Message -----
From: "Naina Emmanuel" <nemmanuel1992@xxxxxxxxx>
To: "Vit Mojzis" <vmojzis@xxxxxxxxxx>
Sent: Tuesday, April 26, 2016 1:54:17 PM
Subject: Re: SElinux Query

Sir, my task is to monitor logs (if a violation occurs then I have to track
which te file (module) that violation has occurred in). For this purpose
I created a violation to get logs. I created an apache violation, e.g.
relabeled the files, my web page under /var/www/html, from
httpd_sys_content_t to var_t. In the apache te httpd_sys_content_t is allowed
to access httpd while var_t under /var/www/html is not allowed, so when I
accessed my webpage from the browser it created a violation and went to
/var/log/audit/audit.log, but that was a violation of an allow rule in the te, i.e.
allow httpd_t httpd_sys_content_t:dir list_dir_perms; NOW I want to know, if some
macro (any macro) gets violated, what kind of logs I will get...
Q1: How to create a macro violation to see its logs in
/var/logs/audit/audit.log

Please provide some example/tutorial in which some macro violation has
occurred so that I can monitor the logs... Hope sir you got my problem

Thanks

Engr. Naina Emmanuel
On Apr 22, 2016 2:43 PM, "Naina Emmanuel" <nemmanuel1992@xxxxxxxxx> wrote:

> Good afternoon!
> I have a problem dealing with the logs. Please tell me how we can violate a
> macro/s (used in a module, for example apache)
> and how to see their logs...
>
> I have a task to monitor logs (violations) as an MS project, so please help
> in this regard.
>
> thanks in advance
>
> *Engr. Naina Emmanuel*
> *Linux Essential Certified (LEPDC)*
> *Cisco Certified Network Associate (CCNA)*
>
> *Computer Engineering Department, UET Taxila*
>
> *Information Security, CS Department, CIIT Islamabad*
>
> On Thu, Apr 7, 2016 at 3:19 PM, Naina Emmanuel <nemmanuel1992@xxxxxxxxx>
> wrote:
>
>> Thank you so much, I will try this method!
>>
>> Thanks once again for your positive response.
>>
>>
>> *Engr. Naina Emmanuel*
>> *Linux Essential Certified (LEPDC)*
>> *Cisco Certified Network Associate (CCNA)*
>>
>> *Computer Engineering Department, UET Taxila*
>>
>> *Information Security, CS Department, CIIT Islamabad*
>>
>> On Thu, Apr 7, 2016 at 2:01 AM, Vit Mojzis <vmojzis@xxxxxxxxxx> wrote:
>>
>>> Hi,
>>> depends on the scale.
>>>
>>> If you just need to identify policy module of one specific service, try
>>> searching for the service name in “# semodule -l” output (modules are
>>> usually named after corresponding service).
>>>
>>> If that doesn't help (sometimes 1 module contains policy rules for more
>>> services), I would go with Lukas's suggestion, which was to download
>>> selinux-policy repository from github (
>>> https://github.com/fedora-selinux/selinux-policy) and search for
>>> selinux type of the service you are interested in.
>>>
>>> Let's say you want policy module of bluetooth daemon.
>>> # ps -efZ | grep bluetoothd
>>> system_u:system_r:bluetooth_t:s0 root      764     1  0 09:09 ?
>>>  00:00:00 /usr/libexec/bluetooth/bluetoothd
>>> Bluetoothd process has label of “bluetooth_t”.
>>>
>>> Search for “bluetooth_t” in selinux-policy repository (branch
>>> rawhide-contrib) shows that the type was defined in “bluetooth.te”.
>>> $ grep -R bluetooth_t
>>> bluetooth.te:type bluetooth_t;
>>>
>>> If you want to map all running services to their respective policy
>>> modules, fastest way would be to search for the type of running process in
>>> the file I enclosed to this email (all selinux policy modules in Fedora 23
>>> and types defined in them). Each line contains the following
>>> module_name:domain_types:resource_types
>>> I won't go into details since obtaining this mapping is not so
>>> straightforward.
>>>
>>> Hope this helps.
>>>
>>> Vit Mojzis
>>> SELinux Solutions
>>> Red Hat, Inc.
>>>
>>> ----- Original Message -----
>>> From: "Lukas Vrabec" <lvrabec@xxxxxxxxxx>
>>> To: selinux@xxxxxxxxxxxxxxxxxxxxxxx, "Vit Mojzis" <vmojzis@xxxxxxxxxx>
>>> Sent: Thursday, April 7, 2016 10:20:57 AM
>>> Subject: Re: SElinux Query
>>>
>>> On 04/06/2016 08:04 PM, Naina Emmanuel wrote:
>>> > Thanks for the response...
>>> > Please tell me how we can map a running service to its module?
>>> > My use case is: ps -efZ will tell which services are running (enforced
>>> > modules); how can we map that running service to its module (that is
>>> > applying a policy to that service)?
>>> >
>>>
>>> Vit Mojzis can help you here.
>>>
>>> > Thanks in advance
>>> >
>>> > Engr. Naina Emmanuel
>>> >
>>> > On Apr 5, 2016 2:51 PM, "Miroslav Grepl" <mgrepl@xxxxxxxxxx
>>> > <mailto:mgrepl@xxxxxxxxxx>> wrote:
>>> >
>>> >     On 04/03/2016 10:20 AM, Naina Emmanuel wrote:
>>> >      > Good Afternoon
>>> >      > Can you please help me and tell...
>>> >      > 1) how we can check which policy modules are actually enforced?
>>> >     means
>>> >      > which services are being secured by selinux. Because #semodule
>>> -l
>>> >     gives
>>> >      > loaded modules, but which are being secured, how can we check
>>> that???
>>> >
>>> >     Good point. You can play around
>>> >
>>> >     $ seinfo -xadomain
>>> >
>>> >      > 2) If I don't understand any macro, from where can I get its
>>> >     description
>>> >      > or help?
>>> >
>>> >     You are looking for
>>> >
>>> >     $ firefox /usr/share/doc/selinux-policy/html/index.html
>>> >
>>> >     $ rpm -qf /usr/share/doc/selinux-policy/html/index.html
>>> >     selinux-policy-doc-3.13.1-180.fc25.noarch
>>> >
>>> >      >
>>> >      > thanks in advance
>>> >      >
>>> >      > Engr. Naina Emmanuel
>>> >      > Linux Essential Certified (LEPDC)
>>> >      > Cisco Certified Network Associate (CCNA)
>>> >      > Computer Engineering Department, UET Taxila
>>> >      > Information Security, CS Department, CIIT Islamabad
>>> >      >
>>> >      >
>>> >      > --
>>> >      > selinux mailing list
>>> >      > selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> >     <mailto:selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>>> >      >
>>> >
>>> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> >      >
>>> >
>>> >
>>> >     --
>>> >     Miroslav Grepl
>>> >     Senior Software Engineer, SELinux Solutions
>>> >     Red Hat, Inc.
>>> >
>>> >
>>> >
>>>
>>>
>>> --
>>> Lukas Vrabec
>>> SELinux Solutions
>>> Red Hat, Inc.
>>>
>>
>>
>
