On 06/01/15 16:27, m.roth@5-cent.us wrote:
From: "Daniel J Walsh" dwalsh@redhat.com
Cc: "Miroslav Grepl" mgrepl@redhat.com
On 05/29/2015 04:34 PM, m.roth@5-cent.us wrote:
Daniel J Walsh wrote:
On 05/29/2015 01:03 PM, m.roth@5-cent.us wrote:
Daniel J Walsh wrote:
On 05/29/2015 09:20 AM, m.roth@5-cent.us wrote:
CentOS 7.1. SELinux policy, and targeted, updated two days ago.
May 28 17:02:41 <servername> python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/bash.#012#012***** <...>
May 28 17:02:45 <servername> python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/uname.#012#012***** <...>
May 28 17:02:45 <servername> python: SELinux is preventing /usr/bin/uname from execute_no_trans access on the file /usr/bin/uname.#012#012***** <...>
May 28 17:02:47 <servername> python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/mailx.#012#012***** <...>
<snip>
>>> What is the avc that you are seeing?
>>>
>>> ausearch -m avc -ts recent
>> Hmmm, that ausearch gives no matches. However, in
>> /var/log/audit/audit.log
>> type=AVC msg=audit(1432846954.621:112734): avc: denied { execute } for
>> pid=1984 comm="rsync" name="bash" dev="sda3" ino=23075548
>> scontext=system_u:system_r:rsync_t:s0
>> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>> type=AVC msg=audit(1432846954.628:112735): avc: denied { execute } for
>> pid=1987 comm="sh" name="uname" dev="sda3" ino=23071676
>> scontext=system_u:system_r:rsync_t:s0
>> tcontext=system_u:object_r:bin_t:s0
>> tclass=file
>> type=AVC msg=audit(1432846954.629:112737): avc: denied { execute } for
>> pid=1986 comm="sh" name="mailx" dev="sda3" ino=23072424
>> scontext=system_u:system_r:rsync_t:s0
>> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
>>
>> Now, my manager thinks that it's complaining
>> because we have an rsync daemon running, and every time there's an
>> upload, the daemon sends an email to a user.
>>
> Is the rsync set up as a client or server? Does it copy off or copy to?
>
Server. And stuff is copied onto it (it having a nice big RAID). They *may* copy stuff off - not sure.
I just pushed this to fedora upstream policy
commit 035cecfb52aff40a60b0bb7651aadc284e0dffb7
Author: Dan Walsh dwalsh@redhat.com
Date: Mon Jun 1 08:59:29 2015 -0400

    rsync server can be setup to send mail

You can add the rules locally by compiling and installing this policy

create myrsync.te to look like the following
# =========================================
policy_module(myrsync, 1.0)

gen_require(`
    type rsync_t;
')
mta_send_mail(rsync_t)
# ==========================================

Then execute

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myrsync.pp
Ok, count me confused. I created that file, and tried the make, and it failed, which is reasonable, since I see there's no Makefile. I have on the system:

rpm -qa | grep selinux
selinux-policy-3.13.1-23.el7_1.7.noarch
libselinux-devel-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-23.el7_1.7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64

I've never made a policy_module, just local policies, and (the audit log with the AVCs has been rotated):

grep -i avc /var/log/audit/audit.log.1 | grep sendmail | audit2allow -M mypol > a2apol

gives me:

module mypol 1.0;

require {
        type sendmail_exec_t;
        type rsync_t;
        type init_t;
        class process setrlimit;
        class unix_stream_socket getattr;
        class file { execute execute_no_trans };
}

#============= rsync_t ==============
allow rsync_t init_t:unix_stream_socket getattr;
allow rsync_t self:process setrlimit;
allow rsync_t sendmail_exec_t:file { execute execute_no_trans };
Should I use that, or is there another selinux package I need to install? Also, what's better/the more correct way to do this: the module, or the policy_module?
mark
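
Added example, not part of the thread and not audit2allow's own code: a small Python parser that groups AVC denials by source type, target type and class, and prints them in the raw allow-rule form seen in the audit2allow output above (as opposed to the mta_send_mail(rsync_t) interface call in the myrsync.te module). The sample input is the thread's three audit records re-joined onto single lines; the function names are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in the thread, one per line.
SAMPLE = """\
type=AVC msg=audit(1432846954.621:112734): avc: denied { execute } for pid=1984 comm="rsync" name="bash" dev="sda3" ino=23075548 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1432846954.628:112735): avc: denied { execute } for pid=1987 comm="sh" name="uname" dev="sda3" ino=23071676 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1432846954.629:112737): avc: denied { execute } for pid=1986 comm="sh" name="mailx" dev="sda3" ino=23072424 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group(1).split(),
        # A context is user:role:type:level; the type is the third field.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "").strip('"'),
    }

def summarize(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return dict(rules)

def to_allow_rules(rules):
    """Render the grouped denials as allow statements, one per tuple."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_s = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_s};")
    return out

if __name__ == "__main__":
    print("\n".join(to_allow_rules(summarize(SAMPLE))))
```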