Daniel J Walsh wrote:
Nicklas Norling wrote:
Hi.
I've got a system updated from old redhat releases to FC2-3 and now 4.
I've just downloaded selinux-policy-targeted and have been able to
fix most of
my problems with setsebool etc. while in permissive mode. However a
few more
difficult issues still intrigues me and I'd love it if someone would
offer some help.
<snip>
The httpd problem appears to be python related. Not sure which of my
web applications is triggering it
(if any). Maybe MoinMoin Wiki but I can't seem to trigger it myself,
maybe a search spider is triggering it.
Jul 16 02:00:54 spock kernel: audit(1121472054.557:119): avc:
denied { getattr } for pid=20378 comm="python" name="var" dev=hda3
ino=163841 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_t tclass=dir
Yes the question would be which file/dir is it trying to read under /var
Indeed, I shall keep my eyes open and report back if I can figure it out.
named is denied some fun?
Jul 14 15:39:10 spock named[1771]: exiting
Jul 14 15:39:12 spock kernel: audit(1121348352.535:98): avc: denied
{ read } for pid=16108 comm="named-checkconf" name
="[196624]" dev=pipefs ino=196624 scontext=root:system_r:named_t
tcontext=root:system_r:unconfined_t tclass=fifo_file
Jul 14 15:39:12 spock named[16110]: starting BIND 9.3.1 -u named
Is this only happening on a yum update/RPM install?
Yes it does. I read between the line(s) that is expected. Still looks
worrying to a noob like myself.
<snip>
webalizer is being asked to put it's resulting webpages into a local
users web directory in support of per user usage stat. The users
webfolder has the correct objects set for httpd security.
Jul 11 04:02:17 spock kernel: audit(1121047337.762:57): avc: denied
{ search } for pid=3409 comm="webalizer" name="home" dev=hda3
ino=819203 scontext=system_u:system_r:webalizer_t
tcontext=system_u:object_r:home_root_t tclass=dir
Jul 11 04:02:17 spock kernel: audit(1121047337.762:58): avc: denied
{ search } for pid=3409 comm="webalizer" name="joakim" dev=hda3
ino=458781 scontext=system_u:system_r:webalizer_t
tcontext=user_u:object_r:user_home_dir_t tclass=dir
You will need to write your own policy for this. Alternatively you
could create a directory under /var/www with the
label httpd_sys_content_t and allow webalizer to write their and allow
users to read it.
Hmm, ok. Maybe webalizer should have a boolean for accessing http home
dir provided httpd_enable_homedirs=1?
Or maybe my way of doing this is so odd it's worth the trouble.
tclass=file
In addition to this I have a shared folder with 'public' material,
files that I offer to for download/upload. This folder is shared to
my users with ftp as well as samba. Is this even possible to do with
selinux?
Jul 16 15:24:31 spock kernel: audit(1121520271.993:127): avc:
denied { search } for pid=21818 comm="smbd" name="/" dev=hdc1 ino=2
scontext=system_u:system_r:smbd_t
tcontext=system_u:object_r:ftpd_anon_t tclass=dir
Jul 16 15:24:32 spock kernel: audit(1121520272.060:128): avc:
denied { getattr } for pid=21818 comm="smbd" name="pub" dev=hdc1
ino=32769 scontext=system_u:system_r:smbd_t
tcontext=system_u:object_r:ftpd_anon_t tclass=dir
Jul 16 15:24:32 spock kernel: audit(1121520272.156:129): avc:
denied { read } for pid=21818 comm="smbd" name="pub" dev=hdc1
ino=32769 scontext=system_u:system_r:smbd_t
tcontext=system_u:object_r:ftpd_anon_t tclass=dir
audit2allow suggests:
allow smbd_t ftpd_anon_t:dir { getattr read search };
You could add this rule to your local.te file. We have discussed this
in the past and maybe a boolean allowing all apps to read "shared
data" would work.
Ok, I think adding the rule is the way to go for me. Some more learning
to do.
I would encourage a boolean for shared data location. I think labeling a
folder and it's subcontent with a specific label and then have different
services be able to use it might be a start. That way I could disallow
smb the rights but allow ftpd and httpd (as an example). I think that
would be a great improvment from my point of view.
Since 01:22:00 this day my server is in enforce mode. The only thing
I've found so far is sendmail being denied access to urandom and random.
I have sendmail setup with SMTP AUTH as well as certs for performing
STARTTLS with any TLS-able connecting MTA.
/var/log/messages
Jul 19 08:09:38 spock kernel: audit(1121753378.808:188): avc: denied {
getattr } for pid=20520 comm="sendmail" name="urandom" dev=tmpfs
ino=846
scontext=root:system_r:system_mail_ttcontext=system_u:object_r:urandom_device_t
tclass=chr_file
Jul 19 08:09:38 spock kernel: audit(1121753378.808:189): avc: denied {
getattr } for pid=20520 comm="sendmail" name="random" dev=tmpfs ino=844
scontext=root:system_r:system_mail_ttcontext=system_u:object_r:random_device_t
tclass=chr_file
/var/log/maillog
Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: from=<edited>,
size=874, class=0, nrcpts=1,
msgid=<bd1035dcc05d7b2d6a16b046ae4bdd04@xxxxxxxxxxxxxx>,
bodytype=8BITMIME, relay=apache@localhost
Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: STARTTLS=client,
error: connect failed=-1, SSL_error=5, timedout=0, errno=2
Jul 19 08:09:38 spock sendmail[20520]: ruleset=tls_server,
arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0TLS handshake.
Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: to=<edited>,
ctladdr=<edited> (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay,
pri=30874, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403
4.7.0 TLS handshake.
Jul 19 08:09:38 spock sendmail[20521]: STARTTLS=server, error: accept
failed=0, SSL_error=5, timedout=0,errno=0
Jul 19 08:09:38 spock sendmail[20521]: j6J69cai020521: localhost
[127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
audit2allow -d -l
allow system_mail_t random_device_t:chr_file getattr;
allow system_mail_t urandom_device_t:chr_file getattr;
Policy rpm installed: selinux-policy-targeted-1.25.1-9.noarch.rpm
Apart from this DoS on sendmail my system appears to be working as expected.
Personally I'd love to see permissive mode similar to enforcing when it
come's to avc's. I don't like the idea of turning on enforcing to see
things not work and then turn it off. Much rather would I use permissive
mode to investigate what will go wrong so I can fix problems before I
DoS myself.
Thanks a lot for all your help Daniel, I sure appretiate it!
/Nicke
|
