FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 03-05-2010, 06:38 AM
Robert Nichols
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On 03/04/2010 11:52 PM, Chuck Anderson wrote:
> On Thu, Mar 04, 2010 at 09:29:14PM -0600, Robert Nichols wrote:
>> And, it appears that I have to remember to re-install all local policy
>> modules every time there is a policy update, right?? :-((
>
> I don't have either of these problems, and I've been using procmail on
> (admittedly older) Fedora for years.

I think I know what happened to make it appear that the local policy
module got dropped. A simple mistake on my part that just happened to
occur at the time an update got installed.

As for the execute permission problem, you probably aren't executing any
user-written scripts from within your home directory. In fact, I know
you're not -- SELinux won't allow that.

I'm once again finding SELinux to be absolutely hopeless, and I'm barely
getting started with the things I want this system to do. Right now I'm
trying to set up my mail processing. I do quite a bit of processing on
my personal incoming mail. Messages get classified (partly by that awk
filter that prompted this thread), and then processed in a variety of
ways. Files get decoded and stored where I want them. Processes get
started to evaluate incoming data based on information in a local
database. That sort of thing. SELinux wants to block all of that. The
only alternative I can see is to start a continuously running background
process that runs audit2allow on every AVC that shows up in the log and
let that continue for a few months, and I probably still won't dare go
into enforcing mode for fear that some rare but important event will
cause yet another denial and leave me with a mess to clean up.

SELinux works well and unobtrusively if you use only the software that
comes with your distribution and don't go much beyond clicking on icons
in your use of it. My laptop falls into that category. I'm trying to
bring up a server right now, where SELinux would actually be useful,
but dealing with SELinux there is looking to be way beyond what I can
undertake.

--
Bob Nichols RNichols42@comcast.net
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 12:48 PM
Daniel J Walsh
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On 03/04/2010 10:25 PM, Robert Nichols wrote:
> This occurs as the result of a procmail rule. Hopefully, the result
> from audit2allow is the right thing here:
>
> allow procmail_t user_home_t:file execute_no_trans;
>
> Am I going to have to jump through SELinux hoops every time I want to use
> a bit of my own code??? Right now I'm spending far more time fighting
> with SELinux than I would _ever_ have to spend cleaning up from an
> unlikely breakin. With little hope of ever getting to enforcing mode,
> perhaps it would be best just to disable entirely.
>
> Summary:
>
> SELinux is preventing /bin/gawk "execute" access on
> /var/home/rnichols/mail/spamstrings.sh.
>
> Detailed Description:
>
> [SELinux is in permissive mode. This access was not denied.]
>
> SELinux denied access requested by spamstrings.sh. It is not expected that this
> access is required by spamstrings.sh and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context system_u:system_rrocmail_t:s0
> Target Context unconfined_ubject_r:user_home_t:s0
> Target Objects /var/home/rnichols/mail/spamstrings.sh [ file ]
> Source spamstrings.sh
> Source Path /bin/gawk
> Port<Unknown>
> Host omega-3x.local
> Source RPM Packages gawk-3.1.7-1.fc12
> Target RPM Packages
> Policy RPM selinux-policy-3.6.32-89.fc12
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Permissive
> Plugin Name catchall
> Host Name omega-3x.local
> Platform Linux omega-3x.local
> 2.6.31.12-174.2.22.fc12.x86_64 #1 SMP Fri Feb 19
> 18:55:03 UTC 2010 x86_64 x86_64
> Alert Count 2
> First Seen Thu 04 Mar 2010 08:49:24 PM CST
> Last Seen Thu 04 Mar 2010 08:49:24 PM CST
> Local ID d067376f-66e5-49b7-8fa7-e22aa5388dae
> Line Numbers
>
> Raw Audit Messages
>
> node=omega-3x.local type=AVC msg=audit(1267757364.768:30045): avc: denied {
> execute } for pid=19477 comm="procmail" name="spamstrings.sh" dev=sda6
> ino=351952 scontext=system_u:system_rrocmail_t:s0
> tcontext=unconfined_ubject_r:user_home_t:s0 tclass=file
>
> node=omega-3x.local type=AVC msg=audit(1267757364.768:30045): avc: denied {
> execute_no_trans } for pid=19477 comm="procmail"
> path="/home/rnichols/mail/spamstrings.sh" dev=sda6 ino=351952
> scontext=system_u:system_rrocmail_t:s0
> tcontext=unconfined_ubject_r:user_home_t:s0 tclass=file
>
> node=omega-3x.local type=SYSCALL msg=audit(1267757364.768:30045): arch=c000003e
> syscall=59 success=yes exit=0 a0=95e320 a1=95fa40 a2=95fee0 a3=8 items=0
> ppid=19476 pid=19477 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="spamstrings.sh"
> exe="/bin/gawk" subj=system_u:system_rrocmail_t:s0 key=(null)
>
>
>
>
>
Simplest fix would be to change the context to bin_t

chcon -t bin_t /home/rnichols/mail/spamstrings.sh


Will make this work. Is this a normal behavour to have procmail
executing content in the homedir?


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 01:20 PM
Paul Howarth
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On 05/03/10 13:55, Robert Nichols wrote:
> On 03/05/2010 03:09 AM, Dominick Grift wrote:
>> On 03/05/2010 04:29 AM, Robert Nichols wrote:
>>> And, it appears that I have to remember to re-install all local policy
>>> modules every time there is a policy update, right?? :-((
>>
>> Not in all cases but in the case where user domains are involved that
>> may be true. semodule -B may also do the trick.
>>
>> It may be a better idea to label /var/home/rnichols/mail/spamstrings.sh
>> type bin_t
>>
>> semanage fcontext -a -t bin_t /var/home/rnichols/mail/spamstrings.sh
>> restorecon -R -v /var/home/rnichols/mail/spamstrings.sh
>
> So, if I move that file to my $HOME/bin directory and make that whole
> directory type bin_t, that should take care of it??

Should do. In fact I have a local policy module that makes all user home
directories bin_t:

localmisc.fc:
# Need to be able to run scripts from procmail, cron etc.
HOME_DIR/bin(/.*)? gen_context(unconfined_ubject_r:bin_t,s0)

Paul.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 01:36 PM
Dominick Grift
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On 03/05/2010 08:38 AM, Robert Nichols wrote:
> SELinux works well and unobtrusively if you use only the software that
> comes with your distribution and don't go much beyond clicking on icons
> in your use of it. My laptop falls into that category. I'm trying to
> bring up a server right now, where SELinux would actually be useful,
> but dealing with SELinux there is looking to be way beyond what I can
> undertake.
>

That is because the user domain by default is for the most part exempt.
Some system services are targeted, and managing this requires some
knowledge/awareness about the matter.

Its like Fedora default iptables/netfilter configuration. As long as you
do not have any exotic services listening on the network or have any
nat/routing requirements, things just work.

Else you are required to have some knowledge about iptables or whatever
you use to configure netfilter.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 02:13 PM
Daniel J Walsh
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

Yes I think labeling the bin directory in your homedir as bin_t will
allow almost all confined applications on your system to execute them.

The problem with SELinux is people think first of adding allow rules
rather then fixing the labeling.
In this case you want to treat files in your homedir as binraries that
system processes can execute, so you can need to label them bin_t. If
you set up ~/bin to be labeled bin_t, all files copied to that directory
or created in that directory will be labeled bin_t. If you mv a file to
this directory you might have to run restorecon on it. restorecon -R -v
~/bin

procmail_t can currently write to your home dir, so this should not be a
problem.

You can set the labeling of ~/bin to bin_t using the method Paul Howarth
suggested or just use the semanage command


# semanage fcontext -a -t bin_t '/home/rnichols/bin(/.*)?'
# restorecon -R -v /home/rnichols/bin

If you do not want to change the labeling at all you can use the
audit2allow method you first described
# grep procmail_t /var/log/audit/audit.log | audit2allow -M myprocmail
# semodule -i myprocmail.pp

Which would then allow procmail_t to execute user_home_t.

This rules says procmail_t can execute almost any file in your homedir,
since this is the default label for the homedir. You should not have to
add more rules to handle this problem.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

This docment explains the four things SELinux is trying to tell you.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-09-2010, 01:59 PM
Paul Howarth
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On 05/03/10 14:16, Stephen Smalley wrote:
> On Fri, 2010-03-05 at 15:04 +0100, Dominick Grift wrote:
>> On 03/05/2010 02:53 PM, Stephen Smalley wrote:
>>> On Fri, 2010-03-05 at 10:09 +0100, Dominick Grift wrote:
>>>> On 03/05/2010 04:29 AM, Robert Nichols wrote:
>>>>> And, it appears that I have to remember to re-install all local policy
>>>>> modules every time there is a policy update, right?? :-((
>>>>
>>>> Not in all cases but in the case where user domains are involved that
>>>> may be true. semodule -B may also do the trick.
>>>
>>> What's an example where that is required, and why?
>>>
>>
>> Well i dont remember exactly but i use to have a custom user domain, and
>> when fedora's selinux-policy had an update that affected interfaces in
>> the userdomain, that my custom user domain calls. Then this change would
>> not reflect in my custom user domain.
>>
>> I had to reinstall my custom user domain after fedora selinux policy
>> updates that made relevant changes to the userdomain.
>>
>> I think the explanation was that its works like static libraries and not
>> like dynamic libraries.
>
> Ah, yes - refpolicy interfaces are merely m4 macros presently and thus
> are expanded at module compilation time. So if your module uses a
> refpolicy interface and the internals of that interface definition
> change and you want to pick up those changes, you might have to
> recompile your module (merely re-inserting the already compiled one or
> merely running semodule -B won't help). But I don't think that is
> commonly needed for local modules, particularly ones that are
> audit2allow-generated.

I had an issue with this last week, where the update from -89 to -92 on
Fedora 12 appeared to remove the "etcfile" attribute, an "ABI change"
that broke at least two of my local modules despite there being no "API
change" (a recompile of the modules worked without problems).

These were hand-written modules as it happens but the problem could as
easily come up for people using "audit2allow -R", which is what I
usually do.

The full details are a bit long-winded to post here but I documented my
experience in the hope it would prove useful to someone:

http://www.city-fan.org/tips/PaulHowarth/Blog/2010-03-04

Cheers, Paul.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 07:43 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org