02-22-2010, 11:55 PM
Trevor Hemsley

Dontaudit rule for $HOME/.ssh and samba

I am sharing my user home directories to other machines on my LAN using
Samba. I have that all working correctly except for one persistent AVC
that I keep seeing. Now this AVC is correct in that I really do not want
my users' .ssh directories read over SMB so I'd quite like to keep that
as-is. But... I get alerts for this all the time so I'd like to know how
to add a dontaudit rule for it so that access is denied but I don't get
told about it. Ideally I'd like to add a generic rule to catch all
users and not have to add one dontaudit rule per user. Just don't have a
clue where to start and Google was not much use on this so would
appreciate some help if anyone has done this before?

SELinux is preventing samba (smbd) "getattr" to /home/$user/.ssh
(sshd_key_t).

Source Context: system_u:system_r:smbd_t
Target Context: user_ubject_r:sshd_key_t
Target Objects: /home/$user/.ssh/config [ file ]
Source: smbd
Source Path: /usr/sbin/smbd
Port: <Unknown>
Host: hostname
Source RPM Packages: samba-3.0.33-3.15.el5_4.1
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-255.el5_4.4
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: samba_share
Host Name: hostname
Platform: Linux hostname 2.6.32.5 #3 SMP Sun Jan 31 03:27:09 GMT 2010
x86_64 x86_64
Alert Count: 1
First Seen: Tue 23 Feb 2010 12:44:47 AM GMT
Last Seen: Tue 23 Feb 2010 12:44:47 AM GMT
Local ID: 5d933e81-2ab5-4529-8dce-9e554a59f0e3
Line Numbers:

Raw Audit Messages :
host=hostname type=AVC msg=audit(1266885887.400:4313): avc: denied {
getattr } for pid=16382 comm="smbd" path="/home/$user/.ssh/config"
dev=dm-4 ino=10453601 scontext=system_u:system_r:smbd_t:s0
tcontext=user_ubject_r:sshd_key_t:s0 tclass=file

host=hostname type=SYSCALL msg=audit(1266885887.400:4313): arch=c000003e
syscall=4 success=yes exit=0 a0=7fff2dc9f270 a1=7fff2dc9e9a0
a2=7fff2dc9e9a0 a3=7fff2dc9ee70 items=0 ppid=4352 pid=16382
auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0
fsgid=500 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
subj=system_u:system_r:smbd_t:s0 key=(null)

--

Trevor Hemsley
Infrastructure Engineer
.................................................
* C A L Y P S O
* 4th Floor, Tower Point,
44 North Road,
Brighton, BN1 1YR, UK

OFFICE +44 (0) 1273 666 350
FAX +44 (0) 1273 666 351

.................................................
www.calypso.com

This electronic-mail might contain confidential information intended
only for the use by the entity named. If the reader of this message is
not the intended recipient, the reader is hereby notified that any
dissemination, distribution or copying is strictly prohibited.

* P * /*/ Please consider the environment before printing this e-mail /*/

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
02-23-2010, 08:02 AM
Paul Howarth

Dontaudit rule for $HOME/.ssh and samba

On 23/02/10 00:55, Trevor Hemsley wrote:
> I am sharing my user home directories to other machines on my LAN using
> Samba. I have that all working correctly except for one persistent AVC
> that I keep seeing. Now this AVC is correct in that I really do not want
> my users' .ssh directories read over SMB so I'd quite like to keep that
> as-is. But... I get alerts for this all the time so I'd like to know how
> to add a dontaudit rule for it so that access is denied but I don't get
> told about it. Ideally I'd like to add a generic rule to catch all
> users and not have to add one dontaudit rule per user. Just don't have a
> clue where to start and Google was not much use on this so would
> appreciate some help if anyone has done this before?

This is easy: just use audit2allow to generate a rule as if you wanted
to allow this access, then change the "allow" in the rule to "dontaudit"
before compiling and loading your policy module.

Paul.
 
02-23-2010, 05:06 PM
Daniel J Walsh

Dontaudit rule for $HOME/.ssh and samba

On 02/22/2010 07:55 PM, Trevor Hemsley wrote:
> I am sharing my user home directories to other machines on my LAN using
> Samba. I have that all working correctly except for one persistent AVC
> that I keep seeing. Now this AVC is correct in that I really do not want
> my users' .ssh directories read over SMB so I'd quite like to keep that
> as-is. But... I get alerts for this all the time so I'd like to know how
> to add a dontaudit rule for it so that access is denied but I don't get
> told about it. Ideally I'd like to add a generic rule to catch all
> users and not have to add one dontaudit rule per user. Just don't have a
> clue where to start and Google was not much use on this so would
> appreciate some help if anyone has done this before?
>
> SELinux is preventing samba (smbd) "getattr" to /home/$user/.ssh
> (sshd_key_t).
>
> Source Context: system_u:system_r:smbd_t
> Target Context: user_ubject_r:sshd_key_t
> Target Objects: /home/$user/.ssh/config [ file ]
> Source: smbd
> Source Path: /usr/sbin/smbd
> Port:<Unknown>
> Host: hostname
> Source RPM Packages: samba-3.0.33-3.15.el5_4.1
> Target RPM Packages:
> Policy RPM: selinux-policy-2.4.6-255.el5_4.4
> Selinux Enabled: True
> Policy Type: targeted
> MLS Enabled: True
> Enforcing Mode: Permissive
> Plugin Name: samba_share
> Host Name: hostname
> Platform: Linux hostname 2.6.32.5 #3 SMP Sun Jan 31 03:27:09 GMT 2010
> x86_64 x86_64
> Alert Count: 1
> First Seen: Tue 23 Feb 2010 12:44:47 AM GMT
> Last Seen: Tue 23 Feb 2010 12:44:47 AM GMT
> Local ID: 5d933e81-2ab5-4529-8dce-9e554a59f0e3
> Line Numbers:
>
> Raw Audit Messages :
> host=hostname type=AVC msg=audit(1266885887.400:4313): avc: denied {
> getattr } for pid=16382 comm="smbd" path="/home/$user/.ssh/config"
> dev=dm-4 ino=10453601 scontext=system_u:system_r:smbd_t:s0
> tcontext=user_ubject_r:sshd_key_t:s0 tclass=file
>
> host=hostname type=SYSCALL msg=audit(1266885887.400:4313): arch=c000003e
> syscall=4 success=yes exit=0 a0=7fff2dc9f270 a1=7fff2dc9e9a0
> a2=7fff2dc9e9a0 a3=7fff2dc9ee70 items=0 ppid=4352 pid=16382
> auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0
> fsgid=500 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
> subj=system_u:system_r:smbd_t:s0 key=(null)
>
>


# cat > mysmbd.te << _EOF
policy_module(mysmbd, 1.0)

require {
    type smbd_t;
    type sshd_key_t;
}

dontaudit smbd_t sshd_key_t:file getattr;
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mysmbd.pp


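Paul's recipe (run audit2allow, then swap "allow" for "dontaudit") and Daniel's finished module are the two halves of one procedure. The script below is an added example and is not code from the thread or from the SELinux project: it performs the same extraction audit2allow does on raw AVC lines, but with sed and awk so it can run on any box without SELinux tooling, and it emits dontaudit rules directly. It goes slightly beyond the single denial in the thread in that it handles several denial lines and multi-permission denials in one module. The function names (ctx_type, avc_rule, avc_to_te) and the sample record in SAMPLE_AVC are my own; the sample is modelled on Trevor's report with the target context written in the usual user:role:type:level form.

```shell
#!/bin/sh
# Added example (not code from the thread): build a dontaudit policy module
# from raw AVC denial lines. This is the extraction audit2allow performs,
# written out with sed/awk so it runs without SELinux tooling, followed by
# Paul's step of emitting "dontaudit" where audit2allow would emit "allow".

# Constructed sample input, modelled on the denial in Trevor's report; the
# context fields are in the usual user:role:type:level form.
SAMPLE_AVC='type=AVC msg=audit(1266885887.400:4313): avc: denied { getattr } for pid=16382 comm="smbd" path="/home/$user/.ssh/config" dev=dm-4 ino=10453601 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:sshd_key_t:s0 tclass=file'

# ctx_type LINE KEY: the type (third field) of the KEY=user:role:type:level
# attribute on LINE, e.g. ctx_type "$l" scontext -> smbd_t
ctx_type() {
    printf '%s\n' "$1" | sed -n "s/.*$2=[^:]*:[^:]*:\([^:[:space:]]*\).*/\1/p"
}

# avc_rule LINE: print one dontaudit rule for an AVC denial line; print
# nothing for any other audit record (SYSCALL, PATH, ...).
avc_rule() {
    line=$1
    case $line in
        *"avc: denied"*) ;;
        *) return 0 ;;
    esac
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    src=$(ctx_type "$line" scontext)
    tgt=$(ctx_type "$line" tcontext)
    cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^[:space:]]*\).*/\1/p')
    # refuse to emit a half-parsed rule
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 0
    case $perms in
        *" "*) printf 'dontaudit %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms" ;;
        *)     printf 'dontaudit %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms" ;;
    esac
}

# avc_to_te NAME: read audit records on stdin and write a complete .te
# module: header, a require block naming every type used, then the rules.
avc_to_te() {
    rules=$(while IFS= read -r l; do avc_rule "$l"; done | sort -u)
    if [ -z "$rules" ]; then
        echo "avc_to_te: no AVC denials on input" >&2
        return 1
    fi
    printf 'policy_module(%s, 1.0)\n\nrequire {\n' "$1"
    # source type is field 2; target type is field 3 up to the ':class'
    printf '%s\n' "$rules" \
        | awk '{ print $2; sub(/:.*/, "", $3); print $3 }' \
        | sort -u | sed 's/.*/    type &;/'
    printf '}\n\n%s\n' "$rules"
}

# Demo on the constructed sample. On the Samba host the output would go to
# mysmbd.te and then, as in Daniel's reply (not run here):
#   make -f /usr/share/selinux/devel/Makefile && semodule -i mysmbd.pp
printf '%s\n' "$SAMPLE_AVC" | avc_to_te mysmbd
```

The rule is keyed on types, not paths, so one dontaudit for smbd_t on sshd_key_t covers every user's ~/.ssh, which is the generic rule Trevor asked for. After `semodule -i`, `sesearch --dontaudit -s smbd_t -t sshd_key_t -c file` confirms the rule is in the loaded policy; the access is still denied, only the audit record is suppressed. If a silent denial later needs debugging, `semodule -DB` rebuilds the policy with all dontaudit rules disabled so the AVCs reappear, and `semodule -B` restores them.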
 
02-24-2010, 02:47 PM
Trevor Hemsley

Dontaudit rule for $HOME/.ssh and samba

Thanks everyone that replied. I've added something akin to this and it
appears to be working - at least no AVCs for ~18 hours now so I think
so.

On 23/02/2010 18:06, Daniel J Walsh wrote:
> # cat > mysmbd.te << _EOF
> policy_module(mysmbd, 1.0)
>
> require {
>     type smbd_t;
>     type sshd_key_t;
> }
>
> dontaudit smbd_t sshd_key_t:file getattr;
> _EOF
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i mysmbd.pp