Old 12-29-2009, 08:17 AM
Klaus Lichtenwalder
 
Default policy for mgetty fax receive and new_fax

Hi,

I just tried receiving a fax with mgetty (and notifying me via email with
the attached fax).
Watching all the denials flowing by (permissive mode,
selinux-policy-targeted-3.6.32-59.fc12.noarch), I'm wondering whether
someone has already started preparing a policy or whether I should try to
start one myself. Does anyone know? Google does not find much of value.

Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-29-2009, 10:16 AM
Dominick Grift
 
Default policy for mgetty fax receive and new_fax

On Tue, Dec 29, 2009 at 10:17:36AM +0100, Klaus Lichtenwalder wrote:
> Hi,
>
> I just tried receiving a fax with mgetty (and notifying me via email with
> the attached fax).
> Watching all the denials flowing by (permissive mode,
> selinux-policy-targeted-3.6.32-59.fc12.noarch), I'm wondering whether
> someone has already started preparing a policy or whether I should try to
> start one myself. Does anyone know? Google does not find much of value.

Can you show us the AVC denials?
 
Old 12-29-2009, 10:27 AM
Klaus Lichtenwalder
 
Default policy for mgetty fax receive and new_fax

Am Dienstag, den 29.12.2009, 12:16 +0100 schrieb Dominick Grift:
> On Tue, Dec 29, 2009 at 10:17:36AM +0100, Klaus Lichtenwalder wrote:
> > Hi,
> >
> > I just tried receiving a fax with mgetty (and notifying me via email with
> > the attached fax).
> > Watching all the denials flowing by (permissive mode,
> > selinux-policy-targeted-3.6.32-59.fc12.noarch), I'm wondering whether
> > someone has already started preparing a policy or whether I should try to
> > start one myself. Does anyone know? Google does not find much of value.
>
> Can you show us the AVC denials?

Sure, no problem. One thing, as a first step I put new_fax into bin_t,
as this was a suggestion from sealert output.
I do think this probably does not belong to the getty policy, as mgetty,
receiving a fax, does far more than standard getty, imho.

Klaus
 
Old 12-29-2009, 10:46 AM
Dominick Grift
 
Default policy for mgetty fax receive and new_fax

On Tue, Dec 29, 2009 at 12:27:56PM +0100, Klaus Lichtenwalder wrote:
> Am Dienstag, den 29.12.2009, 12:16 +0100 schrieb Dominick Grift:
> > On Tue, Dec 29, 2009 at 10:17:36AM +0100, Klaus Lichtenwalder wrote:
> > > Hi,
> > >
> > > I just tried receiving a fax with mgetty (and notifying me via email with
> > > the attached fax).
> > > Watching all the denials flowing by (permissive mode,
> > > selinux-policy-targeted-3.6.32-59.fc12.noarch), I'm wondering whether
> > > someone has already started preparing a policy or whether I should try to
> > > start one myself. Does anyone know? Google does not find much of value.
> >
> > Can you show us the AVC denials?
>
> Sure, no problem. One thing, as a first step I put new_fax into bin_t,
> as this was a suggestion from sealert output.
> I do think this probably does not belong to the getty policy, as mgetty,
> receiving a fax, does far more than standard getty, imho.

echo "policy_module(mygetty, 1.0.0)" > mygetty.te;
# single quotes here: a backtick inside double quotes would start a bash command substitution
echo 'optional_policy(`' >> mygetty.te;
echo 'gen_require(`' >> mygetty.te;
echo "type getty_t;" >> mygetty.te;
echo "')" >> mygetty.te;
echo "corecmd_exec_shell(getty_t)" >> mygetty.te;
echo "')" >> mygetty.te;

# build the module package and load it
make -f /usr/share/selinux/devel/Makefile mygetty.pp
sudo semodule -i mygetty.pp

See if this solves your issue
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.657:57496): arch=c000003e syscall=59 success=yes exit=0 a0=3273d3ace3 a1=7fffef415d60 a2=7fffef418a30 a3=7f0863d089d0 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.657:57496): avc: denied { execute_no_trans } for pid=1283 comm="mgetty" path="/bin/bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> type=AVC msg=audit(1262016758.657:57496): avc: denied { read open } for pid=1283 comm="mgetty" name="bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> type=AVC msg=audit(1262016758.657:57496): avc: denied { execute } for pid=1283 comm="mgetty" name="bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.659:57497): arch=c000003e syscall=2 success=yes exit=3 a0=3273d3c1f2 a1=0 a2=1b6 a3=2 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.659:57497): avc: denied { open } for pid=1283 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1262016758.659:57497): avc: denied { read } for pid=1283 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.661:57498): arch=c000003e syscall=5 success=yes exit=128 a0=3 a1=7fff05edb290 a2=7fff05edb290 a3=2 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.661:57498): avc: denied { getattr } for pid=1283 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.662:57499): arch=c000003e syscall=4 success=yes exit=128 a0=1090ab0 a1=7fff05edd2e0 a2=7fff05edd2e0 a3=8 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.662:57499): avc: denied { getattr } for pid=1283 comm="sh" path="/bin/bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.664:57500): arch=c000003e syscall=59 success=yes exit=0 a0=1093a10 a1=1093b30 a2=1092b20 a3=18 items=0 ppid=1283 pid=1286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0 key=(null)
> type=AVC msg=audit(1262016758.664:57500): avc: denied { read write } for pid=1286 comm="sendmail" name="ttyS0" dev=tmpfs ino=2217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.806:57501): arch=c000003e syscall=2 success=yes exit=0 a0=3273d3c1f2 a1=0 a2=1b6 a3=2 items=0 ppid=1288 pid=1289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.806:57501): avc: denied { open } for pid=1289 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1262016758.806:57501): avc: denied { read } for pid=1289 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.807:57502): arch=c000003e syscall=5 success=yes exit=128 a0=0 a1=7fff44b52830 a2=7fff44b52830 a3=2 items=0 ppid=1288 pid=1289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.807:57502): avc: denied { getattr } for pid=1289 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.809:57503): arch=c000003e syscall=59 success=yes exit=0 a0=eb55b0 a1=eb5480 a2=eb3e50 a3=30 items=0 ppid=1289 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.809:57503): avc: denied { execute_no_trans } for pid=1291 comm="sh" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> type=AVC msg=audit(1262016758.809:57503): avc: denied { read open } for pid=1291 comm="sh" name="new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> type=AVC msg=audit(1262016758.809:57503): avc: denied { execute } for pid=1291 comm="sh" name="new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.817:57504): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fffcdc622a0 a3=2 items=0 ppid=1289 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.817:57504): avc: denied { ioctl } for pid=1291 comm="new_fax" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> ----
> time->Mon Dec 28 17:12:38 2009
> type=SYSCALL msg=audit(1262016758.817:57505): arch=c000003e syscall=5 success=yes exit=0 a0=ff a1=7fffcdc62370 a2=7fffcdc62370 a3=0 items=0 ppid=1289 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1262016758.817:57505): avc: denied { getattr } for pid=1291 comm="new_fax" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file




 
Old 12-29-2009, 11:02 AM
Dominick Grift
 
Default policy for mgetty fax receive and new_fax

On Tue, Dec 29, 2009 at 12:27:56PM +0100, Klaus Lichtenwalder wrote:
> Am Dienstag, den 29.12.2009, 12:16 +0100 schrieb Dominick Grift:
> > On Tue, Dec 29, 2009 at 10:17:36AM +0100, Klaus Lichtenwalder wrote:
> > > Hi,
> > >
> > > I just tried receiving a fax with mgetty (and notifying me via email with
> > > the attached fax).
> > > Watching all the denials flowing by (permissive mode,
> > > selinux-policy-targeted-3.6.32-59.fc12.noarch), I'm wondering whether
> > > someone has already started preparing a policy or whether I should try to
> > > start one myself. Does anyone know? Google does not find much of value.
> >
> > Can you show us the AVC denials?
>
> Sure, no problem. One thing, as a first step I put new_fax into bin_t,
> as this was a suggestion from sealert output.
> I do think this probably does not belong to the getty policy, as mgetty,
> receiving a fax, does far more than standard getty, imho.

Whoops, I forgot some policy:

echo "policy_module(mygetty, 1.0.0)" > mygetty.te;
# single quotes here: a backtick inside double quotes would start a bash command substitution
echo 'optional_policy(`' >> mygetty.te;
echo 'gen_require(`' >> mygetty.te;
echo "type getty_t;" >> mygetty.te;
echo "')" >> mygetty.te;
echo "corecmd_exec_bin(getty_t)" >> mygetty.te;
echo "corecmd_exec_shell(getty_t)" >> mygetty.te;
echo "kernel_read_system_state(getty_t)" >> mygetty.te;
echo "')" >> mygetty.te;

# build the module package and load it
make -f /usr/share/selinux/devel/Makefile mygetty.pp
sudo semodule -i mygetty.pp

As for system_mail_t:

echo "policy_module(mymail, 1.0.0)" > mymail.te;
echo 'optional_policy(`' >> mymail.te;
echo 'gen_require(`' >> mymail.te;
echo "type system_mail_t;" >> mymail.te;
echo "')" >> mymail.te;
echo "term_use_unallocated_ttys(system_mail_t)" >> mymail.te;
echo "')" >> mymail.te;

make -f /usr/share/selinux/devel/Makefile mymail.pp
sudo semodule -i mymail.pp

That should help.



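Added example (editor's code, not from the thread or the selinux-policy project): the interfaces Dominick used are shorthand for raw allow rules, and the step from the quoted AVC records to those rules is mechanical. This script groups AVC denials by (source type, target type, class), the way audit2allow -m does, and renders them as a .te module; the sample records are shortened copies of the denials quoted above, with the extraction-garbled contexts restored.

```python
"""Group SELinux AVC denials into the allow rules a local policy module would
need (what audit2allow -m does), then render them as a .te module.
Added example for this thread; the sample records are shortened copies of
the denials quoted above, with the extraction-garbled contexts restored."""
import re
from collections import defaultdict

# Constructed sample input: shortened AVC/SYSCALL records from the thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1262016758.657:57496): avc: denied { execute_no_trans } for pid=1283 comm="mgetty" path="/bin/bash" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1262016758.657:57496): avc: denied { read open } for pid=1283 comm="mgetty" name="bash" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1262016758.657:57496): avc: denied { execute } for pid=1283 comm="mgetty" name="bash" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1262016758.659:57497): avc: denied { open } for pid=1283 comm="sh" name="meminfo" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1262016758.659:57497): avc: denied { read } for pid=1283 comm="sh" name="meminfo" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1262016758.661:57498): avc: denied { getattr } for pid=1283 comm="sh" path="/proc/meminfo" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1262016758.664:57500): avc: denied { read write } for pid=1286 comm="sendmail" name="ttyS0" scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1262016758.809:57503): avc: denied { execute_no_trans } for pid=1291 comm="sh" path="/etc/mgetty+sendfax/new_fax" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1262016758.809:57503): arch=c000003e syscall=59 success=yes exit=0 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
"""

# One AVC record: the denied permission set, then source/target context and class.
AVC_RE = re.compile(
    r"type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:range] -> type (getty_t, shell_exec_t, ...)."""
    return context.split(":")[2]


def summarise_denials(audit_text):
    """Map (source_type, target_type, tclass) -> set of denied permissions.

    SYSCALL records and unparseable lines are ignored; the three shell_exec_t
    denials above therefore collapse into one rule with four permissions."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def te_source(module_name, rules):
    """Render the summary as a .te module: gen_require for every type used,
    then one allow rule per (source, target, class) with sorted permissions."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    lines = [f"policy_module({module_name}, 1.0.0)", "", "gen_require(`"]
    lines += [f"\ttype {t};" for t in types]
    lines += ["')", ""]
    for src, tgt, cls in sorted(rules):
        perms = " ".join(sorted(rules[(src, tgt, cls)]))
        lines.append(f"allow {src} {tgt}:{cls} {{ {perms} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(te_source("mygetty_local", summarise_denials(SAMPLE_AUDIT)))
```

The output is a starting point for review, not a module to load blindly: as Dominick notes for the tty_device_t denial, some records point to a labeling problem rather than missing policy, and those should be fixed at the label, not allowed.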
 
Old 12-29-2009, 11:52 AM
Klaus Lichtenwalder
 
Default policy for mgetty fax receive and new_fax

Dominick,

Am Dienstag, den 29.12.2009, 13:02 +0100 schrieb Dominick Grift:

> Whoops, I forgot some policy:

Ok, I was already wondering whether that could be it, trying to
understand :-)

>
> echo "policy_module(mygetty, 1.0.0)" > mygetty.te;
> echo 'optional_policy(`' >> mygetty.te;
> echo 'gen_require(`' >> mygetty.te;
> echo "type getty_t;" >> mygetty.te;
> echo "')" >> mygetty.te;
> echo "corecmd_exec_bin(getty_t)" >> mygetty.te;
> echo "corecmd_exec_shell(getty_t)" >> mygetty.te;
> echo "kernel_read_system_state(getty_t)" >> mygetty.te;
> echo "')" >> mygetty.te;
>
> make -f /usr/share/selinux/devel/Makefile mygetty.pp
> sudo semodule -i mygetty.pp
>
> As for system_mail_t:
>
> echo "policy_module(mymail, 1.0.0)" > mymail.te;
> echo 'optional_policy(`' >> mymail.te;
> echo 'gen_require(`' >> mymail.te;
> echo "type system_mail_t;" >> mymail.te;
> echo "')" >> mymail.te;
> echo "term_use_unallocated_ttys(system_mail_t)" >> mymail.te;
> echo "')" >> mymail.te;
>
> make -f /usr/share/selinux/devel/Makefile mymail.pp
> sudo semodule -i mymail.pp
>
> That should help.


This helps a lot, as fax receiving (and notifying) works without AVC
denials showing up. Now I'm off trying to understand everything. With all
those macros, one gets a lot done with little code :-)

Thanks again
Klaus
 
Old 12-29-2009, 12:06 PM
Dominick Grift
 
Default policy for mgetty fax receive and new_fax

On 12/29/2009 01:52 PM, Klaus Lichtenwalder wrote:
> Dominick,
>
> Am Dienstag, den 29.12.2009, 13:02 +0100 schrieb Dominick Grift:
>
>> Whoops, I forgot some policy:
>
> Ok, I was already wondering whether that could be it, trying to
> understand :-)
>
>>
>> echo "policy_module(mygetty, 1.0.0)" > mygetty.te;
>> echo 'optional_policy(`' >> mygetty.te;
>> echo 'gen_require(`' >> mygetty.te;
>> echo "type getty_t;" >> mygetty.te;
>> echo "')" >> mygetty.te;
>> echo "corecmd_exec_bin(getty_t)" >> mygetty.te;
>> echo "corecmd_exec_shell(getty_t)" >> mygetty.te;
>> echo "kernel_read_system_state(getty_t)" >> mygetty.te;
>> echo "')" >> mygetty.te;
>>
>> make -f /usr/share/selinux/devel/Makefile mygetty.pp
>> sudo semodule -i mygetty.pp
>>
>> As for system_mail_t:
>>
>> echo "policy_module(mymail, 1.0.0)" > mymail.te;
>> echo 'optional_policy(`' >> mymail.te;
>> echo 'gen_require(`' >> mymail.te;
>> echo "type system_mail_t;" >> mymail.te;
>> echo "')" >> mymail.te;
>> echo "term_use_unallocated_ttys(system_mail_t)" >> mymail.te;
>> echo "')" >> mymail.te;
>>
>> make -f /usr/share/selinux/devel/Makefile mymail.pp
>> sudo semodule -i mymail.pp
>>
>> That should help.
>
>
> This helps a lot, as fax receiving (and notifying) works without AVC
> denials showing up. Now I'm off trying to understand everything. With all
> those macros, one gets a lot done with little code :-)

Well, there was already policy for getty present, but it seems not to be
sufficient for your configuration (or it may signal a misconfiguration on
your part).

With regard to system_mail_t, this is likely due to a (known) bug where
the tty device does not get properly labeled. My fix makes it work, but
it is not a good fix (user tty devices need to get labeled properly).

If you are certain that you are using getty properly, then consider
reporting the AVC denials and my policy for getty_t to
bugzilla/selinux-policy so that getty's policy can be extended to
support your configuration.

 
Old 12-29-2009, 01:00 PM
Klaus Lichtenwalder
 
Default policy for mgetty fax receive and new_fax

Am Dienstag, den 29.12.2009, 14:06 +0100 schrieb Dominick Grift:
[...]
> Well, there was already policy for getty present, but it seems not to be
> sufficient for your configuration (or it may signal a misconfiguration on
> your part).

Yes, but mgetty does lots more than getty (which can be used for serial
devices, too). It is always possible I made a mistake configuring
mgetty, but I have been using it for ca. 15 years now (starting with some
0.x release, if I remember correctly), so I'm fairly confident I did not...

The extensions needed for the policy are for the mechanisms after the
successful receipt of a fax, and as this is nothing needed in the
getty-policy I guess mgetty does need its own policy.

>
> With regard to system_mail_t, this is likely due to a (known) bug where
> the tty device does not get properly labeled. My fix makes it work, but
> it is not a good fix (user tty devices need to get labeled properly).
>
> If you are certain that you are using getty properly, then consider
> reporting the AVC denials and my policy for getty_t to
> bugzilla/selinux-policy so that getty's policy can be extended to
> support your configuration.
>
Yes, I forgot to ask in my last mail, I will check and try to
understand, possibly help weed out the (possible) bugs and then go
ahead.

Thanks,
Klaus
 
