Gentoo Archives: gentoo-hardened

From: lunaslide <lunaslide@××.org>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] newrole -r selinux problem
Date: Mon, 25 Sep 2006 08:41:36
Message-Id: 451795DF.3020303@23.org
In Reply to: Re: [gentoo-hardened] newrole -r selinux problem by stanke
It appears that several of your cron-related files are not labeled.
Furthermore, the temp files cron is creating are not being labeled when
they are generated. Check to see that you have
sec-policy/selinux-vixie-cron installed and try doing 'make relabel'.

stanke wrote:
> Hello
>
> Thanks for help, I solved my problem with user_r and sysadm_r; it's
> working OK now, but I still have a problem with my cron.
> Everything (probably) useful I can find in the logs is:
>
> Could someone please help me or show me the right way I should go.
>
> Thank you
>
> Sep 25 05:23:01 gentoo64 cron[24435]: (root) ENTRYPOINT FAILED (crontabs/root)
>
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8048): avc: denied { search } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8049): avc: denied { write } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8050): avc: denied { add_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8051): avc: denied { create } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=tester:object_r:unlabeled_t tclass=file
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8052): avc: denied { associate } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" ipaddr=16.14.42.166 scontext=tester:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8053): avc: denied { setattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
> Sep 25 05:21:53 gentoo64 audit(1159154513.832:8054): avc: denied { getattr } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
> Sep 25 05:21:53 gentoo64 audit(1159154513.844:8055): avc: denied { write } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
> Sep 25 05:22:02 gentoo64 audit(1159154522.949:8056): avc: denied { read } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
> Sep 25 05:22:02 gentoo64 audit(1159154522.949:8057): avc: denied { remove_name } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
> Sep 25 05:22:02 gentoo64 audit(1159154522.949:8058): avc: denied { unlink } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 ipaddr=16.14.42.166 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
>
> Antoine Martin wrote:
>>>>> The policy does not allow a role transition from user_r to sysadm_r.
>>>>> So that's why su can't work.
>>>>>
>>>> The solution in this case is to make sure that when you login as root
>>>> you get into sysadm_u:sysadm_r:sysadm_t or another context which does
>>>> allow the transition to sysadm. Setting the default for ssh is fairly
>>>> well documented.
>>>>
>>> Thanks for help. Could you please send me some link to manuals? I googled
>>> it (probably wrong) but I didn't find anything useful.
>>>
>> /etc/security/default_contexts
>> is what you're looking for.
>>
>> Antoine
>>
>


--
lunaslide * GPG key->lunapark.org/~luna/key.asc

...you shall now pay me in full for the grief you have caused me
on account of my comrades whom you have killed in battle.
 - Achilles, The Iliad
--
gentoo-hardened@g.o mailing list
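The diagnosis in the reply above (cron-related files and the temp files crontab creates ending up as unlabeled_t) is quickest to confirm by sorting the AVC denials by target type. The entry with name="/" dev=dm-3 ino=2 is the root directory of the filesystem on dm-3, and the associate denial against tclass=filesystem says the filesystem itself carries no label, so the whole mount rather than a single file needs relabeling. The script below is an added example, not code from the thread or from Gentoo's policy packages: a POSIX shell script that parses AVC denials in the syslog form quoted above (each event rejoined onto one line, since mail clients wrap them), prints permissions, class, source type, target type and object name per denial, and lists the distinct objects whose target type is unlabeled_t. The sample log lines are constructed in the shape of the quoted ones. On a real SELinux host, verify_labels compares the on-disk label of the usual vixie-cron spool paths (those paths are an assumption) with the label the loaded policy expects; it is skipped where getenforce or matchpathcon is absent.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gentoo's policy packages.
# Triage SELinux AVC denials from a syslog excerpt: print one summary line
# per denial and list the objects whose target type is unlabeled_t, which is
# the symptom the mail above attributes to an un-relabeled filesystem.
# Sample lines are constructed in the shape of the log quoted in the mail
# (one event per line, no mail-client wrapping); they are not real captures.

SAMPLE_AVC='Sep 25 05:21:53 gentoo64 audit(1159154513.832:8048): avc: denied { search } for pid=21140 comm="crontab" name="/" dev=dm-3 ino=2 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 25 05:21:53 gentoo64 audit(1159154513.832:8051): avc: denied { create } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" scontext=tester:sysadm_r:sysadm_crontab_t tcontext=tester:object_r:unlabeled_t tclass=file
Sep 25 05:22:02 gentoo64 audit(1159154522.949:8058): avc: denied { unlink } for pid=21140 comm="crontab" name="crontab.XXXX9WNbfG" dev=dm-3 ino=58 scontext=tester:sysadm_r:sysadm_crontab_t tcontext=system_u:object_r:unlabeled_t tclass=file
Sep 25 05:30:00 gentoo64 audit(1159155000.000:8100): avc: denied { read write } for pid=24435 comm="cron" name="root" dev=dm-3 ino=77 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:cron_spool_t tclass=file'

# avc_summary: read syslog lines on stdin and emit
#   "<perms> <tclass> <source type> <target type> <object name>"
# for every AVC denial. Several permissions in one event are joined with
# commas so the output stays five space-separated fields. A line that was
# wrapped or truncated (no closing " } ") is skipped rather than misparsed.
avc_summary() {
    awk '
    /avc: denied/ {
        s = index($0, "denied { "); e = index($0, " } ")
        if (s == 0 || e <= s) next
        perm = substr($0, s + 9, e - s - 9); gsub(/ /, ",", perm)
        cls = "?"; src = "?"; tgt = "?"; nm = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "scontext") { n = split(kv[2], c, ":"); src = c[n] }
            else if (kv[1] == "tcontext") { n = split(kv[2], c, ":"); tgt = c[n] }
            else if (kv[1] == "name") { nm = kv[2]; gsub(/"/, "", nm) }
        }
        print perm, cls, src, tgt, nm
    }'
}

# unlabeled_targets: from avc_summary output, the distinct "<tclass> <name>"
# pairs whose target type is unlabeled_t. These are the objects (and, for
# name="/" with a low inode number, the whole filesystem) that a relabel
# must fix; writing policy that allows access to unlabeled_t is never the
# right answer.
unlabeled_targets() {
    awk '$4 == "unlabeled_t" { print $2, $5 }' | sort -u
}

# verify_labels: on an SELinux host, compare the on-disk label of the usual
# vixie-cron spool paths (an assumption; adjust to the system) with the
# label the loaded policy expects. A mismatch is what 'make relabel' (or,
# per path, restorecon -Rv) repairs.
verify_labels() {
    for p in /var/spool/cron /var/spool/cron/crontabs /tmp; do
        [ -e "$p" ] || continue
        printf 'current:  '; ls -dZ "$p"
        printf 'expected: '; matchpathcon "$p"
    done
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary | unlabeled_targets
if command -v getenforce >/dev/null 2>&1 && command -v matchpathcon >/dev/null 2>&1; then
    verify_labels
fi
```

Feed real logs with `grep 'avc: denied' /var/log/messages | avc_summary | unlabeled_targets`; if the list is empty but cron still fails, the problem is a missing policy rule rather than labeling, and the denials' target types tell you which module to look at.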