Hi guys,
Im getting selinux alerts logged to audit.log, is there anyway to parse the alerts via the command line to get human readable alerts?
I have read that you can install setroubleshoot, but installs a huge list of dependencies for use with the gui, but i dont have a gui installed.
Any ideas?
Tony
On 01/07/2010 10:19 AM, tony@specialistdevelopment.com wrote:
Hi guys,
Im getting selinux alerts logged to audit.log, is there anyway to parse the alerts via the command line to get human readable alerts?
I have read that you can install setroubleshoot, but installs a huge list of dependencies for use with the gui, but i dont have a gui installed.
Any ideas?
Tony
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You can install setroubleshoot-server and set it up to send email.
audit2allow -la
Will generate a list of audit2allow rules, which is what I usually do.
On 01/07/2010 10:19 AM, tony@specialistdevelopment.com wrote:
Hi guys,
Im getting selinux alerts logged to audit.log, is there anyway to parse the alerts via the command line to get human readable alerts?
I have read that you can install setroubleshoot, but installs a huge list of dependencies for use with the gui, but i dont have a gui installed.
Any ideas?
Install the non-gui version of setroubleshoot, that's why it exists. The package name is setroubleshoot-server.
tony@specialistdevelopment.com wrote:
Hi guys,
Im getting selinux alerts logged to audit.log, is there anyway to parse the alerts via the command line to get human readable alerts?
I have read that you can install setroubleshoot, but installs a huge list of dependencies for use with the gui, but i dont have a gui installed.
Any ideas?
Tony
As well as audit2allow(1) and audit2why(8), there are the aureport(8) and ausearch(8) programs; they have a huge number of options, so take time to study the man pages, but "aureport --avc" will list all the selinux denials.
Moray. "To err is human; to purr, feline."
Hi Guys,
Sorry to keep emailing the group but im determined to crack selinux and not just switch it off :)
I have moved my mysql root to /db01/mysql and have sym linked /var/lib/mysql to there as well just in case any apps still have mysql hard coded to the original location.
The alert im getting is this:
Summary:
SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
Detailed Description:
SELinux denied access requested by mysqld_safe. It is not expected that this access is required by mysqld_safe and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context unconfined_u:system_r:mysqld_safe_t:s0 Target Context system_u:object_r:mysqld_db_t:s0 Target Objects /var/lib/mysql [ lnk_file ] Source mysqld_safe Source Path /bin/bash Port <Unknown> Host vm-lin-wb01 Source RPM Packages bash-4.0.35-2.fc12 Target RPM Packages mysql-server-5.1.41-2.fc12 Policy RPM selinux-policy-3.6.32-63.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name vm-lin-wb01 Platform Linux vm-lin-wb01 2.6.31.9-174.fc12.i686.PAE #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686 Alert Count 1 First Seen Fri Jan 8 10:06:33 2010 Last Seen Fri Jan 8 10:06:33 2010 Local ID f35cf4f8-9714-4d41-8f88-310f8cef5425 Line Numbers
Raw Audit Messages
node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mysqld_safe" exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
All the contexts look correct to me, but have i missed something? would be grateful if anyone could point me in the right direction.
Thanks in advance :)
On 01/08/2010 11:47 AM, tony@specialistdevelopment.com wrote:
Hi Guys,
Sorry to keep emailing the group but im determined to crack selinux and not just switch it off :)
I have moved my mysql root to /db01/mysql and have sym linked /var/lib/mysql to there as well just in case any apps still have mysql hard coded to the original location.
The alert im getting is this:
Summary:
SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
Detailed Description:
SELinux denied access requested by mysqld_safe. It is not expected that this access is required by mysqld_safe and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context unconfined_u:system_r:mysqld_safe_t:s0 Target Context system_u:object_r:mysqld_db_t:s0 Target Objects /var/lib/mysql [ lnk_file ] Source mysqld_safe Source Path /bin/bash Port <Unknown> Host vm-lin-wb01 Source RPM Packages bash-4.0.35-2.fc12 Target RPM Packages mysql-server-5.1.41-2.fc12 Policy RPM selinux-policy-3.6.32-63.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name vm-lin-wb01 Platform Linux vm-lin-wb01 2.6.31.9-174.fc12.i686.PAE #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686 Alert Count 1 First Seen Fri Jan 8 10:06:33 2010 Last Seen Fri Jan 8 10:06:33 2010 Local ID f35cf4f8-9714-4d41-8f88-310f8cef5425 Line Numbers
Raw Audit Messages
node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mysqld_safe" exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
All the contexts look correct to me, but have i missed something? would be grateful if anyone could point me in the right direction.
Thanks in advance :)
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
looks like there is no such rule to allow this access.
[root@localhost ~]# sesearch --allow -s mysqld_safe_t | grep mysqld_db_t allow mysqld_safe_t mysqld_db_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow mysqld_safe_t mysqld_db_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
You can allow mysqld_safe_t to read lnk_files with type mysqld_db_t:
echo "avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file" | audit2allow -M mymysqldsafe; sudo semodule -i mymysqldsafe.pp
( make sure that you use "mymysqldsafe" for your modules' name. This to avoid that you overwrite your existing mysql module. )
Please consider reporting this bug. Thanks in advance.
tony@specialistdevelopment.com wrote:
Hi Guys,
Sorry to keep emailing the group but im determined to crack selinux and not just switch it off :)
I have moved my mysql root to /db01/mysql and have sym linked /var/lib/mysql to there as well just in case any apps still have mysql hard coded to the original location.
Use mount --bind instead of symlink
The alert im getting is this:
Summary:
SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
Detailed Description:
SELinux denied access requested by mysqld_safe. It is not expected that this access is required by mysqld_safe and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context unconfined_u:system_r:mysqld_safe_t:s0 Target Context system_u:object_r:mysqld_db_t:s0 Target Objects /var/lib/mysql [ lnk_file ] Source mysqld_safe Source Path /bin/bash Port <Unknown> Host vm-lin-wb01 Source RPM Packages bash-4.0.35-2.fc12 Target RPM Packages mysql-server-5.1.41-2.fc12 Policy RPM selinux-policy-3.6.32-63.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name vm-lin-wb01 Platform Linux vm-lin-wb01 2.6.31.9-174.fc12.i686.PAE #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686 Alert Count 1 First Seen Fri Jan 8 10:06:33 2010 Last Seen Fri Jan 8 10:06:33 2010 Local ID f35cf4f8-9714-4d41-8f88-310f8cef5425 Line Numbers
Raw Audit Messages
node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mysqld_safe" exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
All the contexts look correct to me, but have i missed something? would be grateful if anyone could point me in the right direction.
Thanks in advance :)
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On 01/08/2010 12:45 PM, Manuel Wolfshant wrote:
tony@specialistdevelopment.com wrote:
Hi Guys,
Sorry to keep emailing the group but im determined to crack selinux and not just switch it off :)
I have moved my mysql root to /db01/mysql and have sym linked /var/lib/mysql to there as well just in case any apps still have mysql hard coded to the original location.
Use mount --bind instead of symlink
Whoops i did not notice this issue is due to custom configuration. So this issue probably does not justify a bugreport.
I do not think SELinux plays nice with mount --bind so that may not work.
You just manually allow mysqld_safe_t to read the link file , like i showed in my example.
Make sure though that the link target is properly labeled (mysqld_db_t) and that mysqld_safe_t can access it. ( label db01 dir with a type mysqld_safe_t has access to search. for example var_t or mysqld_db_t.
The alert im getting is this:
Summary:
SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
Detailed Description:
SELinux denied access requested by mysqld_safe. It is not expected that this access is required by mysqld_safe and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context unconfined_u:system_r:mysqld_safe_t:s0 Target Context system_u:object_r:mysqld_db_t:s0 Target Objects /var/lib/mysql [ lnk_file ] Source mysqld_safe Source Path /bin/bash Port <Unknown> Host vm-lin-wb01 Source RPM Packages bash-4.0.35-2.fc12 Target RPM Packages mysql-server-5.1.41-2.fc12 Policy RPM selinux-policy-3.6.32-63.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name vm-lin-wb01 Platform Linux vm-lin-wb01 2.6.31.9-174.fc12.i686.PAE #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686 Alert Count 1 First Seen Fri Jan 8 10:06:33 2010 Last Seen Fri Jan 8 10:06:33 2010 Local ID f35cf4f8-9714-4d41-8f88-310f8cef5425 Line Numbers
Raw Audit Messages
node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mysqld_safe" exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
All the contexts look correct to me, but have i missed something? would be grateful if anyone could point me in the right direction.
Thanks in advance :)
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Ho Dominick,
Thanks ill try that, thanks to everyone for their help over the last couple of days, im starting to like and understand selinux, but no doubt there will be some more issues :)
Thanks again.
Tony
Quoting Dominick Grift domg472@gmail.com:
On 01/08/2010 12:45 PM, Manuel Wolfshant wrote:
tony@specialistdevelopment.com wrote:
Hi Guys,
Sorry to keep emailing the group but im determined to crack selinux and not just switch it off :)
I have moved my mysql root to /db01/mysql and have sym linked /var/lib/mysql to there as well just in case any apps still have mysql hard coded to the original location.
Use mount --bind instead of symlink
Whoops i did not notice this issue is due to custom configuration. So this issue probably does not justify a bugreport.
I do not think SELinux plays nice with mount --bind so that may not work.
You just manually allow mysqld_safe_t to read the link file , like i showed in my example.
Make sure though that the link target is properly labeled (mysqld_db_t) and that mysqld_safe_t can access it. ( label db01 dir with a type mysqld_safe_t has access to search. for example var_t or mysqld_db_t.
The alert im getting is this:
Summary:
SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
Detailed Description:
SELinux denied access requested by mysqld_safe. It is not expected that this access is required by mysqld_safe and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context unconfined_u:system_r:mysqld_safe_t:s0 Target Context system_u:object_r:mysqld_db_t:s0 Target Objects /var/lib/mysql [ lnk_file ] Source mysqld_safe Source Path /bin/bash Port <Unknown> Host vm-lin-wb01 Source RPM Packages bash-4.0.35-2.fc12 Target RPM Packages mysql-server-5.1.41-2.fc12 Policy RPM selinux-policy-3.6.32-63.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name vm-lin-wb01 Platform Linux vm-lin-wb01 2.6.31.9-174.fc12.i686.PAE #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686 Alert Count 1 First Seen Fri Jan 8 10:06:33 2010 Last Seen Fri Jan 8 10:06:33 2010 Local ID f35cf4f8-9714-4d41-8f88-310f8cef5425 Line Numbers
Raw Audit Messages
node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mysqld_safe" exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
All the contexts look correct to me, but have i missed something? would be grateful if anyone could point me in the right direction.
Thanks in advance :)
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Dominick Grift wrote:
On 01/08/2010 12:45 PM, Manuel Wolfshant wrote:
tony@specialistdevelopment.com wrote:
Hi Guys,
Sorry to keep emailing the group but im determined to crack selinux and not just switch it off :)
I have moved my mysql root to /db01/mysql and have sym linked /var/lib/mysql to there as well just in case any apps still have mysql hard coded to the original location.
Use mount --bind instead of symlink
Whoops i did not notice this issue is due to custom configuration. So this issue probably does not justify a bugreport.
I do not think SELinux plays nice with mount --bind so that may not work.
It does. Better that it plays with symlinks
You just manually allow mysqld_safe_t to read the link file , like i showed in my example.
Make sure though that the link target is properly labeled (mysqld_db_t) and that mysqld_safe_t can access it. ( label db01 dir with a type mysqld_safe_t has access to search. for example var_t or mysqld_db_t.
The alert im getting is this:
Summary:
SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
Detailed Description:
SELinux denied access requested by mysqld_safe. It is not expected that this access is required by mysqld_safe and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context unconfined_u:system_r:mysqld_safe_t:s0 Target Context system_u:object_r:mysqld_db_t:s0 Target Objects /var/lib/mysql [ lnk_file ] Source mysqld_safe Source Path /bin/bash Port <Unknown> Host vm-lin-wb01 Source RPM Packages bash-4.0.35-2.fc12 Target RPM Packages mysql-server-5.1.41-2.fc12 Policy RPM selinux-policy-3.6.32-63.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name vm-lin-wb01 Platform Linux vm-lin-wb01 2.6.31.9-174.fc12.i686.PAE #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686 Alert Count 1 First Seen Fri Jan 8 10:06:33 2010 Last Seen Fri Jan 8 10:06:33 2010 Local ID f35cf4f8-9714-4d41-8f88-310f8cef5425 Line Numbers
Raw Audit Messages
node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mysqld_safe" exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
All the contexts look correct to me, but have i missed something? would be grateful if anyone could point me in the right direction.
Thanks in advance :)
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On 01/08/2010 09:08 PM, Mail Lists wrote:
On 01/08/2010 05:47 AM, tony@specialistdevelopment.com wrote:
Hi Guys,
They have added the 'equivalence' flag for this :
semanage fcontext -a -e /var/lib/mysql /db01/mysql restorecon -R /db01/mysqlregards,
gene/
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You really want to do this at one level higher.
semanage fcontext -a -e /var/lib/mysql /db01
Otherwise /db01 would be labeled default_t and mysql would not be able to search through it.
selinux@lists.fedoraproject.org
-
Anthony Davis -
Daniel J Walsh -
Dominick Grift -
Genes MailLists -
John Dennis -
Manuel Wolfshant -
Moray Henderson