Dear List members

Hi,

I'm new to SELinux and I'm a bit careful with it, so up till now I want to run it in permissive mode. After reading lots of docs I fixed most of my problems, but there are still some errors in audit.log. Now I would like to ask you to review these errors and give me feedback on whether these rules are safe to add to my policy or not. In summary, is my understanding correct that:

O auditctl, ifconfig, iptables-restor, dmesg and pppd try to write to the console,
O pppd searches something in the root home directory ??!,
O and iptables writes to a socket?

If I added this policy to the module, wouldn't it be too much (e.g. could for example pppd access all my files?)

Thanks for the answers,
Kind Regards, Tibor

type=AVC msg=audit(1253870573.883:13): avc: denied { read write } for pid=877 comm="auditctl" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1253870574.190:15): avc: denied { read write } for pid=918 comm="ifconfig" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1253870574.264:16): avc: denied { read write } for pid=921 comm="pppd" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1253870574.325:17): avc: denied { search } for pid=921 comm="pppd" name="root" dev=sda1 ino=12 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1253870574.401:18): avc: denied { read write } for pid=929 comm="iptables-restor" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1253870576.482:19): avc: denied { read write } for pid=1087 comm="dmesg" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1253870578.829:20): avc: denied { read write } for pid=1242 comm="iptables" path="socket:[3131]" dev=sockfs ino=3131 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Re: Dear List members

On Fri, Sep 25, 2009 at 03:35:52PM +0000, tarnait wrote:
> Hi,
>
> I'm new to SELinux and I'm a bit careful with it, so up till now I want to run it in permissive mode. After reading lots of docs I fixed most of my problems, but there are still some errors in audit.log. Now I would like to ask you to review these errors and give me feedback on whether these rules are safe to add to my policy or not. In summary, is my understanding correct that:
>
> O auditctl, ifconfig, iptables-restor, dmesg and pppd try to write to the console,
> O pppd searches something in the root home directory ??!,
> O and iptables writes to a socket?
>
> If I added this policy to the module, wouldn't it be too much (e.g. could for example pppd access all my files?)
>
> Thanks for the answers,
> Kind Regards, Tibor
>
> type=AVC msg=audit(1253870573.883:13): avc: denied { read write } for pid=877 comm="auditctl" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1253870574.190:15): avc: denied { read write } for pid=918 comm="ifconfig" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1253870574.264:16): avc: denied { read write } for pid=921 comm="pppd" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this access.

This signals a labelling issue:
http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html

> type=AVC msg=audit(1253870574.325:17): avc: denied { search } for pid=921 comm="pppd" name="root" dev=sda1 ino=12 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this access.

This also *may* be a labelling issue. pppd wants to search the /root dir. The /root dir has type unconfined_home_dir_t. See if this is correct:

matchpathcon /root
restorecon -R /root

/root usually has type admin_home_t and I do not see any good reason why pppd should be able to search it. Misconfiguration/misusage maybe?

> type=AVC msg=audit(1253870574.401:18): avc: denied { read write } for pid=929 comm="iptables-restor" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1253870576.482:19): avc: denied { read write } for pid=1087 comm="dmesg" name="console" dev=sda1 ino=15533 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1253870578.829:20): avc: denied { read write } for pid=1242 comm="iptables" path="socket:[3131]" dev=sockfs ino=3131 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this access.

What distro, kernel and selinux version are you using?
Re: Dear List members

On Fri, 25 Sep 2009 18:38:20 +0200
Dominick Grift <domg472@...> wrote:
> On Fri, Sep 25, 2009 at 03:35:52PM +0000, tarnait wrote:
> > type=AVC msg=audit(1253870574.325:17): avc: denied { search }
> > for pid=921 comm="pppd" name="root" dev=sda1 ino=12
> > scontext=system_u:system_r:pppd_t:s0
> > tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
> > Was caused by: Missing type enforcement (TE) allow rule.
> >
> > You can use audit2allow to generate a loadable
> > module to allow this access.
> >
>
> This also *may* be a labelling issue. pppd wants to search /root
> dir. /root dir has type unconfined_home_dir_t. see if this is
> correct: matchpathcon /root restorecon -R /root
>
> /root usually has type admin_home_t and i do not see any good reason
> why pppd should be able to search it. misconfiguration/misusage maybe?

pppd looks for ~/.ppprc, so if you're using it as root (e.g. to connect to your ISP) you're going to see this. Haven't found any way of turning it off either.

Paul.
AW: Dear List members

Hi,

Yeah, the console problem was that I use static udev, and the underlying /dev/console didn't have the proper label. Now I'm down to two problems:

#============= iptables_t ==============
allow iptables_t pppd_t:packet_socket { read write };

#============= pppd_t ==============
allow pppd_t unconfined_home_dir_t:dir search;

As I use iptables to redirect traffic from wlan0 to ppp0 I assume it's safe to add them.

Thanks for your help,
Kindest Regards

From: Paul Howarth <paul@...>
To: Dominick Grift <domg472@...>
CC: fedora-selinux-list@...
Sent: Saturday, 26 September 2009, 02:10:58
Subject: Re: Dear List members

On Fri, 25 Sep 2009 18:38:20 +0200
Dominick Grift <domg472@...> wrote:
> On Fri, Sep 25, 2009 at 03:35:52PM +0000, tarnait wrote:
> > type=AVC msg=audit(1253870574.325:17): avc: denied { search }
> > for pid=921 comm="pppd" name="root" dev=sda1 ino=12
> > scontext=system_u:system_r:pppd_t:s0
> > tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
> > Was caused by: Missing type enforcement (TE) allow rule.
> >
> > You can use audit2allow to generate a loadable
> > module to allow this access.
> >
>
> This also *may* be a labelling issue. pppd wants to search /root
> dir. /root dir has type unconfined_home_dir_t. see if this is
> correct: matchpathcon /root restorecon -R /root
>
> /root usually has type admin_home_t and i do not see any good reason
> why pppd should be able to search it. misconfiguration/misusage maybe?

pppd looks for ~/.ppprc, so if you're using it as root (e.g. to connect to your ISP) you're going to see this. Haven't found any way of turning it off either.

Paul.
Re: AW: Dear List members

On 09/26/2009 05:56 AM, tarnait wrote:
> Hi,
>
> Yeah, the console problem was that I use static udev, and the underlying /dev/console didn't have the proper label. Now I'm down to two problems:
>
> #============= iptables_t ==============
> allow iptables_t pppd_t:packet_socket { read write };

Most likely a leaked file descriptor; if you dontaudit this everything should work fine.

> #============= pppd_t ==============
> allow pppd_t unconfined_home_dir_t:dir search;

Probably can also be dontaudit. pppd_t is just searching the homedir of the process that launched it.

> As I use iptables to redirect traffic from wlan0 to ppp0 I assume it's safe to add them.
>
> Thanks for your help,
> Kindest Regards
>
> ________________________________
> From: Paul Howarth <paul@...>
> To: Dominick Grift <domg472@...>
> CC: fedora-selinux-list@...
> Sent: Saturday, 26 September 2009, 02:10:58
> Subject: Re: Dear List members
>
> On Fri, 25 Sep 2009 18:38:20 +0200
> Dominick Grift <domg472@...> wrote:
>
>> On Fri, Sep 25, 2009 at 03:35:52PM +0000, tarnait wrote:
>>> type=AVC msg=audit(1253870574.325:17): avc: denied { search }
>>> for pid=921 comm="pppd" name="root" dev=sda1 ino=12
>>> scontext=system_u:system_r:pppd_t:s0
>>> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
>>> Was caused by: Missing type enforcement (TE) allow rule.
>>>
>>> You can use audit2allow to generate a loadable
>>> module to allow this access.
>>>
>>
>> This also *may* be a labelling issue. pppd wants to search /root
>> dir. /root dir has type unconfined_home_dir_t. see if this is
>> correct: matchpathcon /root restorecon -R /root
>>
>> /root usually has type admin_home_t and i do not see any good reason
>> why pppd should be able to search it. misconfiguration/misusage maybe?
>
> pppd looks for ~/.ppprc, so if you're using it as root (e.g. to connect
> to your ISP) you're going to see this. Haven't found any way of turning
> it off either.
>
> Paul.
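The triage the replies above describe, as an added example that is not from the thread, from audit2allow or from the Fedora policy: a target typed file_t (or default_t) means the object was never labelled, so the fix is restorecon rather than an allow rule, while a denial that is a leaked descriptor or a harmless home-directory search is silenced with dontaudit instead of allowed. The script parses raw AVC records, splits them into "relabel" and "policy" cases, and emits the rules in the same form audit2allow prints them, turning the selected (source type, target type) pairs into dontaudit. The three sample records are copied from the original post; the set of unlabelled types, the classify() heuristic, the module name "local" and the dontaudit selection are the example's own assumptions.

```python
import re
import sys

# AVC records copied from the original post above (one console denial stands
# in for the five identical ones; they differ only in comm and source type).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1253870573.883:13): avc: denied { read write } for '
    'pid=877 comm="auditctl" name="console" dev=sda1 ino=15533 '
    'scontext=system_u:system_r:auditctl_t:s0 '
    'tcontext=system_u:object_r:file_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1253870574.325:17): avc: denied { search } for '
    'pid=921 comm="pppd" name="root" dev=sda1 ino=12 '
    'scontext=system_u:system_r:pppd_t:s0 '
    'tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir',
    'type=AVC msg=audit(1253870578.829:20): avc: denied { read write } for '
    'pid=1242 comm="iptables" path="socket:[3131]" dev=sockfs ino=3131 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: a target carrying one of these types was never
# given a real label, so an allow rule against it is the wrong fix.
UNLABELLED_TYPES = {"file_t", "default_t", "unlabeled_t"}


def parse_avc(line):
    """Return the AVC record as a dict (perms, stype, ttype, tclass, ...) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in rec or "tcontext" not in rec or "tclass" not in rec:
        return None
    rec["perms"] = tuple(m.group("perms").split())
    rec["stype"] = rec["scontext"].split(":")[2]   # user:role:type:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def classify(rec):
    """'relabel' when the target is unlabelled (run restorecon), else 'policy'."""
    return "relabel" if rec["ttype"] in UNLABELLED_TYPES else "policy"


def te_rule(rec, dontaudit=False):
    """One TE rule in audit2allow's output form, e.g.
    allow iptables_t pppd_t:packet_socket { read write };"""
    verb = "dontaudit" if dontaudit else "allow"
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"{verb} {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_str};"


def triage(lines, module_name="local", dontaudit=frozenset()):
    """Split AVC lines into relabel advice and a .te module body.

    dontaudit: (source_type, target_type) pairs to silence instead of allow,
    e.g. the leaked iptables_t -> pppd_t descriptor from the thread."""
    relabel, rules, types, classes = [], set(), set(), {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if classify(rec) == "relabel":
            target = rec.get("path") or rec.get("name", "?")
            relabel.append(f"{rec['comm']}: {target} is labelled {rec['ttype']}; "
                           "fix with restorecon, do not add an allow rule")
            continue
        quiet = (rec["stype"], rec["ttype"]) in dontaudit
        rules.add(te_rule(rec, dontaudit=quiet))
        types.update((rec["stype"], rec["ttype"]))
        classes.setdefault(rec["tclass"], set()).update(rec["perms"])
    te = [f"module {module_name} 1.0;", "", "require {"]
    te += [f"\ttype {t};" for t in sorted(types)]
    te += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    te += ["}", ""] + sorted(rules)
    return relabel, "\n".join(te) + "\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. a file written by ausearch -m avc
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_AVCS
    quiet = {("iptables_t", "pppd_t"), ("pppd_t", "unconfined_home_dir_t")}
    notes, te = triage(lines, dontaudit=quiet)
    for note in notes:
        print("# " + note)
    print(te)
```

Run without arguments to see the thread's three records sorted: the console denial becomes a restorecon note (which matches the poster's later finding that /dev/console was mislabelled), and the two remaining rules come out as dontaudit. The generated .te builds and loads with the usual chain, `checkmodule -M -m -o local.mod local.te`, `semodule_package -o local.pp -m local.mod`, `semodule -i local.pp`. Keep in mind that dontaudit only stops the denial from being logged; the access is still refused in enforcing mode, which is the point when the access is a leaked descriptor or an optional lookup, and the wrong choice when the program actually needs it.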