We use targeted SELinux and Likewise Open on our RHEL 5 and CentOS 5 servers, even though Likewise is currently not supported with SELinux in enforcing mode. Both of them together have been working reliably for us so far. The audit logs fill up with AVC messages like the ones I have pasted at the end of this message, which are all regarding /var/lib/likewise/.lsassd and don't appear to matter from a functional point of view for the system. I have configured setroubleshoot to send emails to an internal mailing list when something is blocked, because apart from the likewise events anything else is really urgent. The problem is that the list receives so many messages about /var/lib/likewise/.lsassd that the urgent ones get "lost". I have asked the folks at Likewise about this and their answer is always that SELinux should be permissive or disabled.
Is there some way to prevent auditd from logging these AVC messages?
type=AVC msg=audit(1306183684.644:121931): avc: denied { connectto } for pid=31266 comm="vsftpd" path="/var/lib/likewise/.lsassd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1306185430.740:122001): avc: denied { write } for pid=378 comm="pickup" name=".lsassd" dev=dm-1 ino=426071 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1306179615.139:121656): avc: denied { connectto } for pid=22431 comm="httpd" path="/var/lib/likewise/.lsassd" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=USER_AUTH msg=audit(1306265986.269:124088): user pid=25822 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="layout" : exe="/usr/sbin/sshd" (hostname=asb-sys61.us.ad.gannett.com, addr=10.0.65.242, terminal=ssh res=failed)'
type=AVC msg=audit(1306853338.309:51215): avc: denied { write } for pid=5472 comm="genhomedircon" name=".lsassd" dev=dm-4 ino=32827 scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1306853338.309:51215): avc: denied { connectto } for pid=5472 comm="genhomedircon" path="/var/lib/likewise/.lsassd" scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Thanks, Maria
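An alternative to silencing the events in policy is to keep auditd logging everything and instead drop the known lsassd denials from the notification path, so the mailing list only sees records that still need a human and the audit trail stays complete for later forensics. The following is an added example, not code from the thread or from Likewise: a small POSIX sh filter that recognises the two denial shapes quoted above (a connectto on the unix_stream_socket at path="/var/lib/likewise/.lsassd", and a write on the sock_file name=".lsassd" labelled var_lib_t) and passes everything else through. The sample records are constructed for the example (two are copied from the thread, the PAM line uses a placeholder host, and the "other.sock" denial is invented to show that a different socket is not swallowed).

```shell
#!/bin/sh
# Added example, not from the thread: classify audit records so that only the
# known Likewise socket denials are dropped from the *mail* path; auditd itself
# keeps logging them. Field names (path=, name=, tclass=, tcontext=) are the
# standard AVC fields shown in the thread. Real auditd output uses double
# spaces ("avc:  denied  {"), so the patterns never match on that spacing.

# Returns 0 when the record is one of the two known Likewise denials:
#   - connectto on the unix_stream_socket behind path="/var/lib/likewise/.lsassd"
#   - write on the sock_file name=".lsassd" while it is still labelled var_lib_t
# Every other record, AVC or not, is treated as urgent.
is_likewise_noise() {
    case "$1" in
        "type=AVC "*"denied"*"{ connectto }"*'path="/var/lib/likewise/.lsassd"'*"tclass=unix_stream_socket"*)
            return 0 ;;
        "type=AVC "*"denied"*"{ write }"*'name=".lsassd"'*"tcontext=system_u:object_r:var_lib_t:s0"*"tclass=sock_file"*)
            return 0 ;;
    esac
    return 1
}

# Reads audit records on stdin and writes only the ones that still deserve a mail.
filter_urgent() {
    while IFS= read -r rec; do
        is_likewise_noise "$rec" || printf '%s\n' "$rec"
    done
}

# Counts lines on stdin without depending on wc's output padding.
count_lines() {
    n=0
    while IFS= read -r _; do n=$((n + 1)); done
    echo "$n"
}

# Constructed sample input: two lsassd denials from the thread, a failed PAM
# authentication with placeholder host/address, and an invented denial on a
# different sock_file that must NOT be filtered out.
SAMPLE=$(cat <<'EOF'
type=AVC msg=audit(1306183684.644:121931): avc:  denied  { connectto } for  pid=31266 comm="vsftpd" path="/var/lib/likewise/.lsassd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1306185430.740:122001): avc:  denied  { write } for  pid=378 comm="pickup" name=".lsassd" dev=dm-1 ino=426071 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=USER_AUTH msg=audit(1306265986.269:124088): user pid=25822 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="layout" : exe="/usr/sbin/sshd" (hostname=host.example.internal, addr=192.0.2.10, terminal=ssh res=failed)'
type=AVC msg=audit(1306190000.000:130000): avc:  denied  { write } for  pid=4242 comm="httpd" name="other.sock" dev=dm-1 ino=4242 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
EOF
)

# Number of sample records that survive the filter (the PAM failure and the
# unrelated sock_file write): 2.
urgent_count_in_sample() {
    printf '%s\n' "$SAMPLE" | filter_urgent | count_lines
}

# Stand-alone run: show the records that would still be mailed.
printf '%s\n' "$SAMPLE" | filter_urgent
```

In practice the filter sits wherever the mail is generated, for example feeding `ausearch -m avc -ts recent | filter_urgent` into the mail command from cron instead of letting setroubleshoot mail every event. The matching is deliberately narrow (exact path, exact socket name, exact target label), so a denial on any other initrc_t socket or any other var_lib_t sock_file still reaches the list.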
On Tue, 2011-05-31 at 11:17 -0400, Maria Iano wrote:
Is there some way to prevent auditd from logging these AVC messages?
type=AVC msg=audit(1306183684.644:121931): avc: denied { connectto } for pid=31266 comm="vsftpd" path="/var/lib/likewise/.lsassd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1306185430.740:122001): avc: denied { write } for pid=378 comm="pickup" name=".lsassd" dev=dm-1 ino=426071 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1306179615.139:121656): avc: denied { connectto } for pid=22431 comm="httpd" path="/var/lib/likewise/.lsassd" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=USER_AUTH msg=audit(1306265986.269:124088): user pid=25822 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="layout" : exe="/usr/sbin/sshd" (hostname=asb-sys61.us.ad.gannett.com, addr=10.0.65.242, terminal=ssh res=failed)'
type=AVC msg=audit(1306853338.309:51215): avc: denied { write } for pid=5472 comm="genhomedircon" name=".lsassd" dev=dm-4 ino=32827 scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1306853338.309:51215): avc: denied { connectto } for pid=5472 comm="genhomedircon" path="/var/lib/likewise/.lsassd" scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
I am not sure whether "el5" supports it, but I guess you could try piping the AVC denials into "audit2allow -DM mydontauditsforlikewise".
And then load it into the system with "semodule -i mydontauditsforlikewise.pp".
If that does not work, you could write a policy module manually:
mkdir mylw; cd mylw
cat > mylw.te <<'EOF'
policy_module(mylw, 1.0.0)

gen_require(`
    type semanage_t, initrc_t, var_lib_t, ftpd_t, httpd_t, postfix_pickup_t;
')

# silence connects from these domains to any unix stream socket of an initrc_t process
dontaudit { httpd_t ftpd_t semanage_t postfix_pickup_t } initrc_t:unix_stream_socket connectto;
# silence writes from these domains to any sock_file labelled var_lib_t
dontaudit { httpd_t ftpd_t semanage_t postfix_pickup_t } var_lib_t:sock_file write_sock_file_perms;
EOF
(yum install selinux-policy-devel)
make -f /usr/share/selinux/devel/Makefile mylw.pp
sudo semodule -i mylw.pp
Although hiding these may have consequences: for example, attempts by httpd, ftpd etc. to connect to any service with a unix stream socket running in the init script domain will be hidden.
Same for any of those domains trying to write to var_lib_t sock files.
Thanks, Maria
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On May 31, 2011, at 11:31 AM, Dominick Grift wrote:
On Tue, 2011-05-31 at 11:17 -0400, Maria Iano wrote:
Is there some way to prevent auditd from logging these AVC messages?
type=AVC msg=audit(1306183684.644:121931): avc: denied { connectto } for pid=31266 comm="vsftpd" path="/var/lib/likewise/.lsassd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1306185430.740:122001): avc: denied { write } for pid=378 comm="pickup" name=".lsassd" dev=dm-1 ino=426071 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1306179615.139:121656): avc: denied { connectto } for pid=22431 comm="httpd" path="/var/lib/likewise/.lsassd" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=USER_AUTH msg=audit(1306265986.269:124088): user pid=25822 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="layout" : exe="/usr/sbin/sshd" (hostname=asb-sys61.us.ad.gannett.com, addr=10.0.65.242, terminal=ssh res=failed)'
type=AVC msg=audit(1306853338.309:51215): avc: denied { write } for pid=5472 comm="genhomedircon" name=".lsassd" dev=dm-4 ino=32827 scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1306853338.309:51215): avc: denied { connectto } for pid=5472 comm="genhomedircon" path="/var/lib/likewise/.lsassd" scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
I am not sure whether "el5" supports it, but I guess you could try piping the AVC denials into "audit2allow -DM mydontauditsforlikewise".
And then load it into the system with "semodule -i mydontauditsforlikewise.pp".
If that does not work, you could write a policy module manually:
mkdir mylw; cd mylw
cat > mylw.te <<'EOF'
policy_module(mylw, 1.0.0)

gen_require(`
    type semanage_t, initrc_t, var_lib_t, ftpd_t, httpd_t, postfix_pickup_t;
')

# silence connects from these domains to any unix stream socket of an initrc_t process
dontaudit { httpd_t ftpd_t semanage_t postfix_pickup_t } initrc_t:unix_stream_socket connectto;
# silence writes from these domains to any sock_file labelled var_lib_t
dontaudit { httpd_t ftpd_t semanage_t postfix_pickup_t } var_lib_t:sock_file write_sock_file_perms;
EOF
(yum install selinux-policy-devel)
make -f /usr/share/selinux/devel/Makefile mylw.pp
sudo semodule -i mylw.pp
Although hiding these may have consequences: for example, attempts by httpd, ftpd etc. to connect to any service with a unix stream socket running in the init script domain will be hidden.
Same for any of those domains trying to write to var_lib_t sock files.
I don't want to allow that access. I just want auditd to not log it.
On May 31, 2011, at 11:31 AM, Dominick Grift wrote:
On Tue, 2011-05-31 at 11:17 -0400, Maria Iano wrote:
Is there some way to prevent auditd from logging these AVC messages?
type=AVC msg=audit(1306183684.644:121931): avc: denied { connectto } for pid=31266 comm="vsftpd" path="/var/lib/likewise/.lsassd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1306185430.740:122001): avc: denied { write } for pid=378 comm="pickup" name=".lsassd" dev=dm-1 ino=426071 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1306179615.139:121656): avc: denied { connectto } for pid=22431 comm="httpd" path="/var/lib/likewise/.lsassd" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=USER_AUTH msg=audit(1306265986.269:124088): user pid=25822 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="layout" : exe="/usr/sbin/sshd" (hostname=asb-sys61.us.ad.gannett.com, addr=10.0.65.242, terminal=ssh res=failed)'
type=AVC msg=audit(1306853338.309:51215): avc: denied { write } for pid=5472 comm="genhomedircon" name=".lsassd" dev=dm-4 ino=32827 scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1306853338.309:51215): avc: denied { connectto } for pid=5472 comm="genhomedircon" path="/var/lib/likewise/.lsassd" scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
I am not sure whether "el5" supports it, but I guess you could try piping the AVC denials into "audit2allow -DM mydontauditsforlikewise".
And then load it into the system with "semodule -i mydontauditsforlikewise.pp".
If that does not work, you could write a policy module manually:
mkdir mylw; cd mylw
cat > mylw.te <<'EOF'
policy_module(mylw, 1.0.0)

gen_require(`
    type semanage_t, initrc_t, var_lib_t, ftpd_t, httpd_t, postfix_pickup_t;
')

# silence connects from these domains to any unix stream socket of an initrc_t process
dontaudit { httpd_t ftpd_t semanage_t postfix_pickup_t } initrc_t:unix_stream_socket connectto;
# silence writes from these domains to any sock_file labelled var_lib_t
dontaudit { httpd_t ftpd_t semanage_t postfix_pickup_t } var_lib_t:sock_file write_sock_file_perms;
EOF
(yum install selinux-policy-devel)
make -f /usr/share/selinux/devel/Makefile mylw.pp
sudo semodule -i mylw.pp
Although hiding these may have consequences: for example, attempts by httpd, ftpd etc. to connect to any service with a unix stream socket running in the init script domain will be hidden.
Same for any of those domains trying to write to var_lib_t sock files.
Thank you - I understand what you're saying now. I don't think I'm comfortable with turning off notifications for all attempts to connect to those types, just when the path is /var/lib/likewise/.lsassd. Would the only way to achieve that be to add a new type for /var/lib/likewise/.lsassd? I'm wondering just how much havoc that would cause...
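Giving the socket its own type is the way to scope the dontaudit to that one path, and the cost is mostly predictable. The following is an added example, not code from the thread or from Likewise; the module name mylw_sock and the types likewise_var_lib_t and likewise_lsassd_sock_t are invented for it. It labels /var/lib/likewise with a private directory type and the .lsassd socket with a private sock_file type, lets initrc_t (where lsassd runs on this host, per the denials) keep managing the directory and create the socket with the new label through a type transition, and then dontaudits only those two types for the four noisy domains. Because a client that cannot search /var/lib/likewise fails at path lookup, it never reaches the connectto check on initrc_t, so the unix_stream_socket entries disappear for this socket only, while connects to other initrc_t sockets and writes to other var_lib_t sock files are still logged.

```shell
#!/bin/sh
# Added example, not from the thread: write the .te and .fc sources for a module
# that gives the Likewise socket its own type so dontaudit can be path-scoped.
# Module and type names are invented here; the build commands are the ones the
# thread already uses (selinux-policy-devel Makefile, semodule).

# Writes mylw_sock.te and mylw_sock.fc into the directory given as $1.
write_mylw_sock_module() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/mylw_sock.te" <<'EOF'
policy_module(mylw_sock, 1.0.0)

gen_require(`
    type initrc_t;
    type httpd_t, ftpd_t, postfix_pickup_t, semanage_t;
')

# Private types (invented names): one for /var/lib/likewise, one for the socket.
type likewise_var_lib_t;
files_type(likewise_var_lib_t)
type likewise_lsassd_sock_t;
files_type(likewise_lsassd_sock_t)

# lsassd runs in initrc_t on this host (see the denials), so initrc_t keeps full
# access to its state directory, and any sock_file it creates there is labelled
# likewise_lsassd_sock_t automatically instead of inheriting var_lib_t.
manage_dirs_pattern(initrc_t, likewise_var_lib_t, likewise_var_lib_t)
manage_files_pattern(initrc_t, likewise_var_lib_t, likewise_var_lib_t)
manage_sock_files_pattern(initrc_t, likewise_var_lib_t, likewise_lsassd_sock_t)
filetrans_pattern(initrc_t, likewise_var_lib_t, likewise_lsassd_sock_t, sock_file)

# Silence the noisy clients for this directory and socket only. Nothing is
# allowed: the dir search is what they now hit first, the sock_file write is
# the denial seen in the thread for pickup and genhomedircon.
dontaudit { httpd_t ftpd_t postfix_pickup_t semanage_t } likewise_var_lib_t:dir search;
dontaudit { httpd_t ftpd_t postfix_pickup_t semanage_t } likewise_lsassd_sock_t:sock_file write;
EOF
    cat > "$dir/mylw_sock.fc" <<'EOF'
/var/lib/likewise(/.*)?      gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/\.lsassd  -s   gen_context(system_u:object_r:likewise_lsassd_sock_t,s0)
EOF
}

# Builds and loads the module from $1 and relabels the directory. Not called
# here; run it on the RHEL 5 box after reviewing the sources.
build_and_load_mylw_sock() {
    cd "$1" || return 1
    make -f /usr/share/selinux/devel/Makefile mylw_sock.pp || return 1
    semodule -i mylw_sock.pp || return 1
    restorecon -Rv /var/lib/likewise
}

# Stand-alone run: emit the sources into ./mylw_sock for inspection.
write_mylw_sock_module ./mylw_sock && cat ./mylw_sock/mylw_sock.te
```

The havoc to expect is bounded but real: any domain that today reaches /var/lib/likewise only through the generic var_lib_t rules (and that Likewise's PAM/NSS libraries run inside) loses that access once the directory carries a private type, so load the module during a window with SELinux in permissive mode, watch for new AVCs naming likewise_var_lib_t or likewise_lsassd_sock_t, and add explicit allow rules for the domains that genuinely need the socket before going back to enforcing.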