| 1 |
On Tue, 20 Nov 2007 09:16:03 +0100 |
| 2 |
Julien Thomas <julien.thomas@×××××××××××××.fr> wrote: |
| 3 |
|
| 4 |
> Hi. |
| 5 |
> |
| 6 |
> When I tried to analyze booleans, I used http://linux.die.net/man/8/ |
| 7 |
> |
| 8 |
> It does not described each boolean options,but if you take a look at a |
| 9 |
> Linux option (see for instance nfs_selinux), you will find the |
| 10 |
> associated booleans with their goals. |
| 11 |
> |
| 12 |
> According to me, you can also take a look at the SELinux sources, as |
| 13 |
> most of the times : |
| 14 |
> - boolean name are quite explicit |
| 15 |
> - looking at the allowded rules by the boolean gives clues about the |
| 16 |
> boolean goal. |
| 17 |
> |
| 18 |
> For courier-imap and sasl booleans, you can also take a look at the |
| 19 |
> documentations I made about the policies (see my previous messages of |
| 20 |
> the list, talking about policies upgrade proposals). |
| 21 |
> |
| 22 |
> Julien. |
| 23 |
> |
| 24 |
> |
| 25 |
> Will Keaney a écrit : |
| 26 |
> > On Sun, 18 Nov 2007 18:25:17 -0500 |
| 27 |
> > Bill Sharer <bsharer@××××××××××.com> wrote: |
| 28 |
> > |
| 29 |
> >> The booleans are in /selinux/booleans |
| 30 |
> >> |
| 31 |
> >> Use setsebool to change their value and/or make it permanent. |
| 32 |
> >> |
| 33 |
> >> Will Keaney wrote: |
| 34 |
> >>> On Sun, 18 Nov 2007 16:56:55 -0500 |
| 35 |
> >>> Bill Sharer <bsharer@××××××××××.com> wrote: |
| 36 |
> >>> |
| 37 |
> >>> |
| 38 |
> >>>> You can run the log through audit2why and audit2allow to get a |
| 39 |
> >>>> feel for what's going on in policy. Don't directly rely on |
| 40 |
> >>>> audit2allow since I think it still orients itself to the old |
| 41 |
> >>>> modular example policy and not refpolicy. |
| 42 |
> >>>> |
| 43 |
> >>>> Check your booleans. I spotted one thing right off the bat |
| 44 |
> >>>> (urandom) which is probably due to the boolean global_ssp not |
| 45 |
> >>>> being true. This should be true for gentoo systems, but for some |
| 46 |
> >>>> reason, the ebuild defaults it to false. |
| 47 |
> >>>> |
| 48 |
> >>>> Will Keaney wrote: |
| 49 |
> >>>> |
| 50 |
> >>>>> I've just finished updating my SELinux VM, but still get a lot |
| 51 |
> >>>>> of avc denials in /var/log/syslog. |
| 52 |
> >>>>> What is the recommended method of changing |
| 53 |
> >>>>> the SELinux policy? I seem to remember PeBenito saying in IRC |
| 54 |
> >>>>> that editing the policy files directly is not recommended. |
| 55 |
> >>>>> |
| 56 |
> >>>>> On the off chance that someone has some insight into what might |
| 57 |
> >>>>> be causing these errors, I'm attaching the output of |
| 58 |
> >>>>> grep "Nov 18 16:2" /var/log/syslog | cut -d " " -f 7- | grep avc |
| 59 |
> >>>>> |
| 60 |
> >>>>> |
| 61 |
> >>>>> Thanks, |
| 62 |
> >>>>> |
| 63 |
> >>>>> Will Keaney |
| 64 |
> >>>>> uberpinguin |
| 65 |
> >>>>> |
| 66 |
> >>>>> |
| 67 |
> >>> Thanks very much for the quick reply, it is very informative. |
| 68 |
> >>> I don't seem to have any booleans loaded, according to sestatus |
| 69 |
> >>> -v: SELinux status: enabled |
| 70 |
> >>> SELinuxfs mount: /selinux |
| 71 |
> >>> Current mode: permissive |
| 72 |
> >>> Mode from config file: permissive |
| 73 |
> >>> Policy version: 21 |
| 74 |
> >>> Policy from config file: strict |
| 75 |
> >>> |
| 76 |
> >>> Process contexts: |
| 77 |
> >>> Current context: root:sysadm_r:sysadm_t |
| 78 |
> >>> Init context: system_u:system_r:init_t |
| 79 |
> >>> /sbin/agetty system_u:system_r:getty_t |
| 80 |
> >>> /usr/sbin/sshd system_u:system_r:sshd_t |
| 81 |
> >>> |
| 82 |
> >>> File contexts: |
| 83 |
> >>> Controlling term: root:object_r:sysadm_tty_device_t |
| 84 |
> >>> /sbin/init system_u:object_r:init_exec_t |
| 85 |
> >>> /sbin/agetty system_u:object_r:getty_exec_t |
| 86 |
> >>> /bin/login system_u:object_r:login_exec_t |
| 87 |
> >>> /sbin/rc system_u:object_r:initrc_exec_t |
| 88 |
> >>> /sbin/runscript.sh system_u:object_r:initrc_exec_t |
| 89 |
> >>> /usr/sbin/sshd system_u:object_r:sshd_exec_t |
| 90 |
> >>> /sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t |
| 91 |
> >>> /etc/passwd system_u:object_r:etc_t |
| 92 |
> >>> /etc/shadow system_u:object_r:shadow_t |
| 93 |
> >>> /bin/sh system_u:object_r:bin_t -> |
| 94 |
> >>> system_u:object_r:shell_exec_t /bin/bash |
| 95 |
> >>> system_u:object_r:shell_exec_t /usr/bin/newrole |
| 96 |
> >>> system_u:object_r:newrole_exec_t /lib/libc.so.6 |
| 97 |
> >>> system_u:object_r:lib_t -> |
| 98 |
> >>> system_u:object_r:shlib_t /lib/ld-linux.so.2 |
| 99 |
> >>> system_u:object_r:lib_t -> system_u:object_r:ld_so_t |
| 100 |
> >>> |
| 101 |
> >>> I don't see a command to load/change booleans though? |
| 102 |
> >>> |
| 103 |
> >>> Will |
| 104 |
> >>> |
| 105 |
> > Thanks very much. Is there some sort of documentation for what |
| 106 |
> > each of these booleans does? Google is turning up a few mailing |
| 107 |
> > list threads, but so far none have been very informative. |
| 108 |
> > Once I've been through all of the booleans, what's the best way to |
| 109 |
> > start adding allow rules? |
| 110 |
> > |
| 111 |
> > Thanks, |
| 112 |
> > |
| 113 |
> > Will |
| 114 |
> |
| 115 |
Thanks very much to Bill Sharer, Julien Thomas and Andrew Ross for your |
| 116 |
helpful tips. I've gotten many of the denials cleared up, but there |
| 117 |
are still a few that are stumping me. |
| 118 |
|
| 119 |
audit(1195922131.060:3): avc: denied { write } for pid=924 |
| 120 |
comm="bash" name="null" dev=tmpfs ino=1804 |
| 121 |
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t |
| 122 |
tclass=chr_file audit(1195922131.580:4): avc: denied { read } for |
| 123 |
pid=932 comm="write_root_link" name="console" dev=tmpfs ino=1798 |
| 124 |
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t |
| 125 |
tclass=chr_file |
| 126 |
|
| 127 |
audit(1195922135.024:5): avc: denied { read } for |
| 128 |
pid=1015 comm="modprobe" name="console" dev=tmpfs ino=1798 |
| 129 |
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t |
| 130 |
tclass=chr_file |
| 131 |
|
| 132 |
audit(1195922135.032:6): avc: denied { write } for |
| 133 |
pid=1015 comm="modprobe" name="null" dev=tmpfs ino=1804 |
| 134 |
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t |
| 135 |
tclass=chr_file |
| 136 |
|
| 137 |
audit(1195922135.332:7): avc: denied { getattr } for |
| 138 |
pid=1026 comm="modprobe" name="null" dev=tmpfs ino=1804 |
| 139 |
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t |
| 140 |
tclass=chr_file |
| 141 |
|
| 142 |
audit(1195922175.333:8): avc: denied { append } for |
| 143 |
pid=3425 comm="syslogd" name="syslog" dev=hda1 ino=475362 |
| 144 |
scontext=system_u:system_r:syslogd_t |
| 145 |
tcontext=system_u:object_r:cron_log_t tclass=file |
| 146 |
|
| 147 |
audit(1195922175.333:9): avc: denied { ioctl } for pid=3425 |
| 148 |
comm="syslogd" name="syslog" dev=hda1 ino=475362 |
| 149 |
scontext=system_u:system_r:syslogd_t |
| 150 |
tcontext=system_u:object_r:cron_log_t tclass=file |
| 151 |
|
| 152 |
audit(1195922204.094:10): avc: denied { read } for pid=4175 |
| 153 |
comm="bash" name=".bash_history" dev=hda1 ino=16389 |
| 154 |
scontext=root:staff_r:staff_t tcontext=root:object_r:sysadm_home_t |
| 155 |
tclass=file |
| 156 |
|
| 157 |
I've run this through audit2why and audit2allow, but the output isn't |
| 158 |
particularly helpful at this point - audit2why simply says "Missing or |
| 159 |
disabled TE allow rule," which is kind of a "Duh" statement; |
| 160 |
audit2allow gives me the necessary allow rules, but I'm not sure what |
| 161 |
to do with them: |
| 162 |
allow initrc_t device_t:chr_file { read write }; |
| 163 |
allow insmod_t device_t:chr_file { getattr read write }; |
| 164 |
allow staff_t sysadm_home_t:file read; |
| 165 |
(I believe this is due to root logging in to the staff_r role by |
| 166 |
default, but everything in /root/ being labeled with the sysadm_home_t |
| 167 |
domain. Is this intended behavior?) |
| 168 |
allow syslogd_t cron_log_t:file { append ioctl }; |
| 169 |
|
| 170 |
Again, thank you for all your help. |
| 171 |
|
| 172 |
Will |
Archives