No audit lines produced
by Jonathan Gazeley
I'm trying to debug a Nagios plugin that isn't playing nicely with
SELinux. It executes a system binary to get statistics about DHCP pool
usage, and obviously SELinux stamps on that access and the plugin only
returns partial data.
In Permissive mode the plugin works, in Enforcing it doesn't. But in
neither mode are there any debug messages in audit.log
[jg4461@dhcp1 ~]$ sudo setenforce 0
[jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
check_dhcpd_pools
OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90,
rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90,
rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90,
rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90,
rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90,
rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90,
rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90
[jg4461@dhcp1 ~]$ sudo setenforce 1
[jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
check_dhcpd_pools
OK - all pools less than 80% full |
Regardless of the SELinux mode, the same 3 log lines are printed in
audit.log:
type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0
auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/"
cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" terminal=? res=success'
type=CRED_ACQ msg=audit(1337077807.191:273643): user pid=1594 uid=0
auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0
msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=?
terminal=? res=success'
type=USER_START msg=audit(1337077807.191:273644): user pid=1594 uid=0
auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0
msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=?
addr=? terminal=? res=success'
Anyone have any idea how I can see the deny messages and make a policy
from them?
Cheers,
Jonathan
12 years, 1 month
MySQL and ldconfig avcs
by David Highley
Getting two AVCs for which the troubleshooter indicates there is policy to
allow the operations.
I believe the sebool "mysql_connect_any" may correct the following avc:
time->Tue May 1 18:17:25 2012
type=SYSCALL msg=audit(1335921445.082:4514): arch=c000003e syscall=21
success=no exit=-13 a0=7f406ac5d9f0 a1=4 a2=7f406ac5d9fe a3=1c items=0
ppid=1 pid=24416 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27
egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld"
exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1335921445.082:4514): avc: denied { read } for
pid=24416 comm="mysqld" name="unix" dev="proc" ino=4026532000
scontext=system_u:system_r:mysqld_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
But I have no clue which bool would correct the following:
time->Tue May 1 19:01:13 2012
type=SYSCALL msg=audit(1335924073.146:4554): arch=c000003e syscall=59
success=yes exit=0 a0=f293b0 a1=f294b0 a2=f283b0 a3=18 items=0
ppid=25927 pid=25928 auid=4294967295 uid=989 gid=983 euid=989 suid=989
fsuid=989 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295
comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1335924073.146:4554): avc: denied { write } for
pid=25928 comm="ldconfig"
path=2F746D702F666669536752617269202864656C6574656429 dev="dm-1"
ino=1836898 scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
12 years, 1 month
Creating multiple constrained admin roles
by Tim Sheppard
Hi,
I was wondering if it is possible to create a number of admin roles,
each with limited access to specified admin features, e.g. package
management only, NIC / Firewall management only, policy management only
etc., and to effectively completely remove the root account as a system
wide administrator using SELinux?
I have seen mention of Kiosk Users and the SELinux play machine (sadly
my corporate network does not allow global ssh access) so I believe this
is entirely possible, but am not entirely sure of the best resources to
delve into so any pointers would be very welcome.
Many Thanks,
Tim
12 years, 1 month
Can't log in to the embedded Linux with SELinux support
by casinee app
hello,
I built a Linux system with SELinux support for my embedded device. It
can now log in as the root user automatically when it is powered on.
Then I copied the files (shadow, group and passwd) from my PC Linux system
to the embedded system, and added the login to it. But after I input the
username and password, it outputs this:
login:root
password:
login:Can’t get SID for root
The output comes from the file login.c in busybox. How can I solve
this problem?
Does this problem come from an error in my policy? Or from the lib
related to SELinux?
12 years, 1 month
How to change the default context for files in the home directory
by Göran Uddeborg
I'm trying to set up F17 SELinux to accept the Swedish electronic
identity system called "BankID". I had it working under F16 with only
a few file context specifications for its libraries. (They need
textrel_shlib_t). But it seems like the policy has been tightened up
a bit in F17, which made some more tunings necessary. And I fail on
one of them.
This thing runs as a browser plugin, which starts a program, and
creates a few files in the user's home directory. My question is how
to define the context for these files. BankID creates a file called
".personal-<username>" and a directory tree ".personal/...". I added
a file context like this with semanage:
/home/[^/]*/\.personal.* all files system_u:object_r:mozilla_home_t:s0
After relabeling, things in the .personal tree get mozilla_home_t,
but the file .personal-<username> directly in the home directory
doesn't. If it exists, it gets the right context when I do
restorecon. But it is created and removed each time the plugin is
run, and the next time the file is created, it gets user_home_dir_t.
Which the plugin in the mozilla_plugin_t context isn't allowed to
access, of course.
What am I doing wrong?
12 years, 1 month
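To see why a semanage file context can match a path under restorecon while a freshly created file at that same path still comes up as user_home_dir_t, here is a small emulation of the two separate labelling mechanisms, added as an illustration for the thread above (it is not code from the list or from libselinux). matchpathcon() mimics the relabel-time lookup that restorecon, setfiles and matchpathcon perform: every file_contexts regex is anchored at both ends and, of all matching entries, the last one in file order wins. creation_type() mimics what the kernel does when a file is created: file_contexts is not consulted at all; the new inode gets the type named by a type_transition rule for (creating domain, parent directory type, object class) if the loaded policy has one, and otherwise inherits the parent directory's type. The SPECS excerpt, the user and path names, and the transition rule used in the demo are constructed for the example.

```python
"""Why a semanage fcontext rule matches under restorecon but a freshly
created file still gets another type.

Added illustration for the "How to change the default context for files in
the home directory" thread; not code from the list or from libselinux.
The SPECS excerpt and the transition tables used below are constructed.
"""
import re

# file_contexts(5) entries: (regex, type flag or None for "all files", context).
# The last entry is the one from the post; semanage writes such entries to
# file_contexts.local, which libselinux loads after the base file.
SPECS = [
    (r"/home/[^/]*",                 None, "system_u:object_r:user_home_dir_t:s0"),
    (r"/home/[^/]*/.+",              None, "system_u:object_r:user_home_t:s0"),
    (r"/home/[^/]*/\.mozilla(/.*)?", None, "system_u:object_r:mozilla_home_t:s0"),
    (r"/home/[^/]*/\.personal.*",    None, "system_u:object_r:mozilla_home_t:s0"),
]

# file_contexts type flags as accepted by setfiles/restorecon.
TYPE_FLAGS = {"-d": "dir", "--": "file", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}


def matchpathcon(path, kind="file", specs=SPECS):
    """Relabel-time lookup (what restorecon/setfiles/matchpathcon do).

    Regexes are anchored at both ends and the last matching entry wins, as in
    libselinux's file-context backend.  Simplification: libselinux also lets
    an exact, regex-free entry beat regex entries; that priority is not
    modelled here.  Returns None when nothing matches (restorecon then leaves
    the file alone).
    """
    winner = None
    for regex, flag, context in specs:
        if flag is not None and TYPE_FLAGS.get(flag) != kind:
            continue
        if re.fullmatch(regex, path):
            winner = context
    return winner


def creation_type(domain, parent_type, tclass, transitions):
    """Creation-time labelling (what the kernel does on open(O_CREAT)/mkdir).

    file_contexts is never consulted here: the new object gets the type from
    a type_transition rule keyed on (creating domain, parent directory type,
    object class) if the loaded policy has one, and otherwise inherits the
    parent directory's type.
    """
    return transitions.get((domain, parent_type, tclass), parent_type)


def explain(path, domain="mozilla_plugin_t", parent_type="user_home_dir_t",
            transitions=None):
    """Contrast the two outcomes for one path created directly in $HOME."""
    return {
        "after_restorecon": matchpathcon(path),
        "at_creation": creation_type(domain, parent_type, "file",
                                     transitions or {}),
    }


if __name__ == "__main__":
    # No transition rule: reproduces what the post describes.
    print(explain("/home/goran/.personal-goran"))
    # A hypothetical rule (constructed), only to show what changes the
    # creation-time result; it is not a rule from any shipped policy.
    rule = {("mozilla_plugin_t", "user_home_dir_t", "file"): "mozilla_home_t"}
    print(explain("/home/goran/.personal-goran", transitions=rule))
```

The first call returns mozilla_home_t for the relabel-time lookup and user_home_dir_t for the creation-time label, which is exactly the split the post describes: the regex is fine, it is simply never used at creation time, so only a type_transition in the loaded policy (or a relabel after each creation) changes what the plugin's new file gets.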
Bootup avc, "systemd-tmpfile" important?
by Frank Murphy
Box was set to "fixfiles onboot"
Saw this avc:
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
[ 8.566136] type=1400 audit(1335687882.859:7): avc: denied {
relabelfrom } for pid=489 comm="systemd-tmpfile" name="lp2"
dev="devtmpfs" ino=11419
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 8.588374] type=1400 audit(1335687882.881:8): avc: denied {
relabelto } for pid=489 comm="systemd-tmpfile" name="lp2"
dev="devtmpfs" ino=11419
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
selinux-policy-targeted-3.10.0-118.fc17.noarch
--
Regards,
Frank Murphy
UTF_8 Encoded
Friend of fedoraproject.org
12 years, 1 month
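A parser for the audit records quoted in the "No audit lines produced", "MySQL and ldconfig avcs" and "Bootup avc" threads above, added here as an illustration; it is not code from those posts or from audit-userspace. It accepts both the auditd spelling of a record (type=AVC msg=audit(...)) and the kernel printk spelling seen at boot (type=1400 audit(...)), decodes the hex-encoded path= value from the ldconfig denial (auditd hex-encodes a string field whenever it contains a space, a quote or a non-printable byte, so that field is really a path with a space in it), and derives the allow rule that audit2allow would print for each denial. Run over Jonathan's three USER_* records it finds no denial at all, which is what the log looks like when a dontaudit rule suppresses the AVC; semodule -DB rebuilds the policy with dontaudit rules disabled and semodule -B restores them. The sample records are copied from the posts with the mail wrapping undone so that each record is one line.

```python
"""Parse Linux audit records and summarise the AVC denials in them.

Added illustration for the "No audit lines produced", "MySQL and ldconfig
avcs" and "Bootup avc" threads; not code from those posts or from
audit-userspace.  SAMPLE_LOG holds the records quoted in the posts, re-joined
to one line each.
"""
import re

# Keys whose values auditd hex-encodes (instead of quoting) when the value
# contains a space, a quote or a non-printable byte, e.g. path=2F746D70...
# Only unquoted values of these keys are decoded; numeric hex fields such as
# a0=7f406ac5d9f0 are left alone.
HEX_ENCODED_KEYS = {"path", "name", "cmd", "proctitle", "comm", "exe", "cwd",
                    "dir", "acct", "key"}

# Kernel printk form (dmesg / console) carries numeric record types.
TYPE_NUMBERS = {"1400": "AVC", "1300": "SYSCALL", "1327": "PROCTITLE"}

_HEADER = re.compile(
    r"^(?:\[\s*[\d.]+\]\s*)?"                 # optional "[ 8.566136]" prefix
    r"type=(?P<type>\w+)\s+(?:msg=)?"         # auditd: "msg=audit(", dmesg: "audit("
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
_AVC = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
_KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

SAMPLE_LOG = [
    # "No audit lines produced": three USER_* records, no AVC among them.
    "type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd=\"/\" cmd=\"/usr/lib64/nagios/plugins/check_dhcpd_pools\" terminal=? res=success'",
    "type=CRED_ACQ msg=audit(1337077807.191:273643): user pid=1594 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'",
    "type=USER_START msg=audit(1337077807.191:273644): user pid=1594 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='op=PAM:session_open acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'",
    # "MySQL and ldconfig avcs": the second one carries a hex-encoded path.
    "type=AVC msg=audit(1335921445.082:4514): avc: denied { read } for pid=24416 comm=\"mysqld\" name=\"unix\" dev=\"proc\" ino=4026532000 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file",
    "type=AVC msg=audit(1335924073.146:4554): avc: denied { write } for pid=25928 comm=\"ldconfig\" path=2F746D702F666669536752617269202864656C6574656429 dev=\"dm-1\" ino=1836898 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file",
    # "Bootup avc": kernel printk form, as seen on the console during boot.
    "[ 8.566136] type=1400 audit(1335687882.859:7): avc: denied { relabelfrom } for pid=489 comm=\"systemd-tmpfile\" name=\"lp2\" dev=\"devtmpfs\" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file",
    "[ 8.588374] type=1400 audit(1335687882.881:8): avc: denied { relabelto } for pid=489 comm=\"systemd-tmpfile\" name=\"lp2\" dev=\"devtmpfs\" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file",
]


def decode_value(key, raw):
    """Strip quotes, or hex-decode an unquoted value of a string-valued key."""
    if raw[:1] in ('"', "'"):
        return raw[1:-1]
    if (key in HEX_ENCODED_KEYS and len(raw) % 2 == 0
            and re.fullmatch(r"[0-9A-Fa-f]+", raw)):
        try:
            return bytes.fromhex(raw).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return raw
    return raw


def parse_record(line):
    """Return a dict for one audit record, or None if the line is not one."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": TYPE_NUMBERS.get(m.group("type"), m.group("type")),
           "timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "fields": {}}
    rest = m.group("rest")
    avc = _AVC.match(rest)
    if avc:                                   # "avc: denied { read } for ..."
        rec["verdict"] = avc.group("verdict")
        rec["perms"] = avc.group("perms").split()
        rest = avc.group("rest")
    for key, raw in _KV.findall(rest):
        value = decode_value(key, raw)
        if key == "msg":                      # USER_* records nest pairs in msg='...'
            for k2, r2 in _KV.findall(value):
                rec["fields"][k2] = decode_value(k2, r2)
        else:
            rec["fields"][key] = value
    return rec


def denials(lines):
    """Summarise every AVC denial found in an iterable of audit lines."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if not rec or rec["type"] != "AVC" or rec.get("verdict") != "denied":
            continue
        f = rec["fields"]
        out.append({"serial": rec["serial"], "perms": rec["perms"],
                    "comm": f.get("comm"), "target": f.get("path") or f.get("name"),
                    "scontext": f.get("scontext"), "tcontext": f.get("tcontext"),
                    "tclass": f.get("tclass")})
    return out


def allow_rule(d):
    """The allow rule audit2allow would derive from one denial summary."""
    stype = d["scontext"].split(":")[2]
    ttype = d["tcontext"].split(":")[2]
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return f"allow {stype} {ttype}:{d['tclass']} {perms};"


if __name__ == "__main__":
    for d in denials(SAMPLE_LOG):
        print(d["serial"], d["comm"], d["target"], "->", allow_rule(d))
```

The derived allow rules are a diagnostic, not a fix to paste into a module: for the mysqld denial the boolean mentioned in the post is the right lever, and for a mislabelled file the right lever is a file context, so the rule text is mainly useful to confirm exactly which source type, target type, class and permission were involved before deciding which of those applies.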