I made a package a long time ago, and over the years I've been adding new features, but the correct? support of SELinux has always eluded me. Occasionally I encounter problems with new versions of Fedora and RHEL. Recently I was asked to support the installation of my RPM on RHEL 6 systems, and I find that there are new SELinux features/requirements.
It's probably me, but I haven't found any instructions/how-tos that have really helped (me) in providing the steps for testing and making a package SELinux compatible. I have something that works on older releases, but I've probably done it wrong.
There's lots of documentation about its concepts, but not anything that has helped me in porting.
Scenario:
Given a working RPM (with SELinux disabled)... what would the process be (with examples) of turning SELinux on, attempting to install and run the various applications, viewing security logs, and turning any errors detected into correct config files/commands that can be included in a spec-file/package.
Thanks
Fulko
On 02/14/2014 08:42 AM, Fulko Hew wrote:
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
SELinux is a labeling system. You need to make sure any content that you provide to confined services is labeled correctly. The way you do this is by using a command like semanage fcontext ... in a post install and then using restorecon to fix the labels.
SELinux also has the concept of booleans which allow users to modify the policy on the system. Depending on what your app wants to do you might need to modify a boolean.
Finally SELinux expects network ports to match some defaults. If you want to change the default Network Port then you have to tell SELinux about this.
semanage port ...
SELinux error messages are stored in /var/log/audit/audit.log and called avc messages.
ausearch -m avc -ts recent
Can show you recent avc messages that your system received.
On Fri, Feb 14, 2014 at 8:58 AM, Daniel J Walsh dwalsh@redhat.com wrote:
For now, my spec file has a bunch of semanage/restorecon command pairs, for such things as:
semanage fcontext -a -t httpd_sys_script_exec_t myFile
semanage fcontext -a -t httpd_sys_rw_content_t myOtherFile
semanage fcontext -a -t httpd_sys_content_t yetOtherFiles
a) Is this the 'right' way to do it?
b) an example of the new error/warning is:
Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc: denied { name_connect } for pid=4517 comm="view_status.pl" dest=27395 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
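Fulko's denial above, read the way Dan suggests (ausearch -m avc), as an added example that is not code from the thread: it pulls the permission, source domain, target type, class and port out of each AVC line and maps the denial to the kind of packaging change discussed here. The second sample line is constructed; the hint wording is mine.

```shell
#!/bin/sh
# Added example, not from the thread: extract the fields that decide the fix from AVC
# denials as ausearch -m avc (or the kernel log) prints them, then map each denial
# to the kind of change Dan lists (port label / boolean, or file context).

# Constructed sample: Fulko's denial as posted, plus a made-up file-write denial in the
# same format to exercise the file-context branch.
SAMPLE_AVCS='Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc: denied { name_connect } for pid=4517 comm="view_status.pl" dest=27395 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Feb 13 14:38:10 livecd kernel: type=1400 audit(1392320290.410:152): avc: denied { write } for pid=4517 comm="view_status.pl" name="status.dat" dev="dm-0" ino=262401 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# stdin: raw AVC lines. stdout, one per denial:
# "<perm(s)> <source type> <target type> <class> <dest port or ->"
avc_summary() {
    awk '
    /avc: +denied/ {
        match($0, /[{] [^}]* [}]/)                # the permission set, e.g. "{ name_connect }"
        perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(" ", "+", perm)                      # "{ read write }" becomes read+write
        src = tgt = cls = ""; dest = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
            else if (kv[1] == "dest")     dest = kv[2]
        }
        print perm, src, tgt, cls, dest
    }'
}

# Args: the five fields from avc_summary. Prints which packaging change answers the denial.
avc_fix_hint() {
    case "$4:$1:$3" in
        tcp_socket:name_connect:port_t)
            printf 'port %s carries the generic port_t label: label it (semanage port -a -t <type> -p tcp %s) or, for httpd_* domains, enable httpd_can_network_connect\n' "$5" "$5" ;;
        file:*|dir:*)
            printf 'target labeled %s: choose the type %s is allowed to %s and set it with semanage fcontext plus restorecon\n' "$3" "$2" "$1" ;;
        *)  printf 'no canned hint for %s on %s; write policy (sepolgen / sepolicy generate)\n' "$1" "$4" ;;
    esac
}

# Walk the sample and print a hint per denial.
printf '%s\n' "$SAMPLE_AVCS" | avc_summary | while read -r perm src tgt cls dest; do
    avc_fix_hint "$perm" "$src" "$tgt" "$cls" "$dest"
done
```

On a live system replace the sample with `ausearch -m avc -ts recent | avc_summary`.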
On 02/14/2014 09:17 AM, Fulko Hew wrote:
For now, my spec file has a bunch of semanage/restorecon command pairs, for such things as:
semanage fcontext -a -t httpd_sys_script_exec_t myFile
semanage fcontext -a -t httpd_sys_rw_content_t myOtherFile
semanage fcontext -a -t httpd_sys_content_t yetOtherFiles
a) Is this the 'right' way to do it?
Well you can combine these into a single transaction, which would speed it up.
semanage -S targeted -i - << _EOF
boolean -m --on allow_polyinstantiation
boolean -m --on xguest_connect_network
boolean -m --on xguest_mount_media
boolean -m --on xguest_use_bluetooth
_EOF
This is what the xguest package does.
b) an example of the new error/warning is:
Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc: denied { name_connect } for pid=4517 comm="view_status.pl" dest=27395 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Well, in a perfect world you would write policy for your cgi script, using a tool like sepolgen or sepolicy generate, depending on whether you are shipping in RHEL6 or Fedora.
You could also turn on the httpd_can_network_connect boolean which would allow apache processes to connect to any ports.
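The single-transaction form Dan shows, applied to Fulko's three fcontext rules plus the httpd_can_network_connect boolean in a %post/%postun pair, as an added example that is not code from the thread or from any package. The /usr/lib/mypkg, /var/lib/mypkg and /usr/share/mypkg paths and the selinuxenabled guard are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or any real package: %post/%postun logic
# for an RPM that ships Apache CGI content, built around the "semanage -i -"
# transaction Dan describes. All /usr/lib/mypkg, /var/lib/mypkg and /usr/share/mypkg
# paths are assumed names.

# Path regex -> file type, one pair per line (constructed; types are Fulko's three).
FCONTEXTS='
/usr/lib/mypkg/cgi-bin(/.*)?    httpd_sys_script_exec_t
/var/lib/mypkg/state(/.*)?      httpd_sys_rw_content_t
/usr/share/mypkg/html(/.*)?     httpd_sys_content_t
'

# Emit the command stream for one semanage transaction: one policy rebuild for all
# rules instead of one per "semanage fcontext" call.
# $1 is "-a" (install: add contexts, enable the boolean) or "-d" (erase: drop contexts).
build_transaction() {
    printf '%s\n' "$FCONTEXTS" | while read -r path type; do
        [ -n "$path" ] || continue
        if [ "$1" = "-a" ]; then
            printf 'fcontext -a -t %s %s\n' "$type" "$path"
        else
            printf 'fcontext -d %s\n' "$path"
        fi
    done
    if [ "$1" = "-a" ]; then
        # Dan's second answer to the name_connect denial. Left alone on erase,
        # since another package on the box may depend on it.
        printf 'boolean -m --on httpd_can_network_connect\n'
    fi
}

# The directories restorecon has to walk: the regexes with the (/.*)? suffix removed.
restore_paths() {
    printf '%s\n' "$FCONTEXTS" | while read -r path type; do
        [ -n "$path" ] || continue
        printf '%s\n' "$path" | sed 's|(/\.\*)?$||'
    done
}

# Scriptlet bodies. Both return quietly when SELinux is disabled or semanage is absent,
# so the package still installs; with "Requires(post): policycoreutils-python" the
# second case cannot occur.
post_install() {
    command -v semanage >/dev/null 2>&1 && selinuxenabled 2>/dev/null || return 0
    build_transaction -a | semanage -S targeted -i -
    restore_paths | xargs restorecon -R
}

post_uninstall() {
    # $1 is the number of package instances left: 0 means erase, 1 means upgrade.
    [ "${1:-0}" -eq 0 ] || return 0
    command -v semanage >/dev/null 2>&1 && selinuxenabled 2>/dev/null || return 0
    build_transaction -d | semanage -S targeted -i -
}
```

In the spec, %post calls post_install and %postun calls post_uninstall "$1".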
On Fri, Feb 14, 2014 at 9:43 AM, Daniel J Walsh dwalsh@redhat.com wrote:
I'm sorry, but I don't understand how to map your example into my values/example.
I also have a new problem. I've been testing against F20 Live (KDE) and the package (policycoreutils-python) that provides semanage isn't installed so semanage isn't available when my RPM is installed. What is the recommended approach?
a) Should I make my package/.spec 'require' policycoreutils-python? (It would seem unusual to place that burden on package maintainers.)
b) Use some other technique to configure/distribute security info. (Is this where policy files come into play?)
1. Where can I find a good example of how to create policy files given the contents of a .spec?
2. And, what needs to be added to a .spec so that the 'policy' is installed?
Well, in a perfect world you would write policy for your cgi script, using a tool like sepolgen or sepolicy generate, depending on whether you are shipping in RHEL6 or Fedora.
You could also turn on the httpd_can_network_connect boolean which would allow apache processes to connect to any ports.
It turns out that I did have code in the %post portion of my .spec to set that boolean, but due to a bug on my part, the boolean wasn't being set under certain conditions.
On 02/18/2014 08:55 AM, Fulko Hew wrote:
I'm sorry, but I don't understand how to map your example into my values/example.
I also have a new problem. I've been testing against F20 Live (KDE) and the package (policycoreutils-python) that provides semanage isn't installed so semanage isn't available when my RPM is installed. What is the recommended approach?
a) should I make my package/.spec 'require' policycoreutils-python? (It would seem unusual to place that burden on package maintainers.)
Requires(post): policycoreutils-python
b) Use some other technique to configure/distribute security info. (Is this where policy files come into play?)
1. Where can I find a good example of how to create policy files given the contents of a .spec?
I wrote an article on this several years ago. http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new... There is an updated version at access.redhat.com
https://access.redhat.com/site/solutions/117583
sepolicy generate
is the command I would recommend; on RHEL7 and the latest Fedora it will generate the spec file for you.
2. And, what needs to be added to a .spec so that the 'policy' is installed?