04-22-2010, 08:25 PM
Impact?

I've got the "java wants to write" and execmem errors. audit2allow gives me
this:
allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
allow httpd_sys_script_t self:process { execmem getsched };
allow httpd_sys_script_t usr_t:file { execute execute_no_trans };

What would be the impact of implementing this policy on a server visible
to the world? Would it open up some huge, known hole?

mark

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
04-22-2010, 08:53 PM
Dominick Grift
Impact?

On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@5-cent.us wrote:
> I've got the java wants to write, and execmem errors. audit2allow gives me
> this:
> allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
> allow httpd_sys_script_t self:process { execmem getsched };
> allow httpd_sys_script_t usr_t:file { execute execute_no_trans };

Label the target in this interaction (the usr_t file) with type bin_t. You can find the location and/or the inode of the file in the AVC denial.

>
> What would be the impact of implementing this policy on a server visible
> to the world? Would it open up some huge, known hole?

The impact would be that all generic httpd system scripts will be able to execute files with type nfs_t (files on NFS mounts) and run them in the caller's (httpd_sys_script_t) domain.

By allowing the second line of policy you allow all generic httpd system scripts to execute anonymous memory, and you allow them to set the schedule of their own process.

info about execmem:

http://people.redhat.com/drepper/selinux-mem.html

The third and last rule signals a mislabeled file. You should label that file with the generic type for binaries (bin_t).
If you allowed httpd_sys_script_t (generic httpd system scripts) to execute files with type usr_t, then generic httpd system scripts would be allowed to execute generic files in /usr (not encouraged).

>
> mark
>
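The triage Dominick describes above, as an added shell example (not code from the list or from any of the posters): before loading anything audit2allow emits, sort each rule into "relabel the file", "never grant to a web-facing domain" or "review what the whole domain gains", and print the relabel fix. The list of generic file types, the inode lookup and the sample path are my own assumptions for a standard targeted policy; the script only prints commands and never touches the loaded policy.

```shell
#!/bin/sh
# Added example, not from the list posts: triage audit2allow output before
# loading any of it. Separates "relabel the file" from "grant the access"
# and flags the memory-protection permissions that weaken the whole domain.
# Nothing here modifies the running policy; it only prints commands.

# Generic file types on which an execute denial almost always means a
# mislabeled executable (assumption: standard targeted policy; extend as needed).
GENERIC_FILE_TYPES="usr_t nfs_t tmp_t var_t default_t etc_t file_t"

# Permissions that let a domain map writable+executable memory (execmem) or an
# executable stack/heap. Granting them to httpd_t or its scripts removes W^X
# for everything that runs there, not just the program that asked.
DANGEROUS_PERMS="execmem execstack execheap"

# classify_rule 'allow SRC TGT:CLASS { PERM ... };'
# Prints HIGH_RISK, MISLABEL or REVIEW.
classify_rule() {
    _rule=$1
    # Drop the keyword, braces and terminator, then split into words:
    # $1 = source type, $2 = target:class, $3.. = permissions.
    set -- $(printf '%s\n' "$_rule" | sed -e 's/^allow //' -e 's/;[[:space:]]*$//' -e 's/[{}]/ /g')
    _tgt=${2%%:*}; _class=${2##*:}; shift 2
    for _p in "$@"; do
        for _d in $DANGEROUS_PERMS; do
            if [ "$_p" = "$_d" ]; then echo HIGH_RISK; return 0; fi
        done
    done
    if [ "$_class" = file ]; then
        for _p in "$@"; do
            if [ "$_p" = execute ]; then
                for _g in $GENERIC_FILE_TYPES; do
                    if [ "$_tgt" = "$_g" ]; then echo MISLABEL; return 0; fi
                done
            fi
        done
    fi
    echo REVIEW
}

# relabel_cmds PATH
# The persistent fix for a mislabeled executable: record the bin_t context so
# it survives a relabel, then apply it to the file.
relabel_cmds() {
    printf "semanage fcontext -a -t bin_t '%s'\n" "$1"
    printf "restorecon -v '%s'\n" "$1"
}

# locate_cmd MOUNTPOINT INODE
# The AVC line carries dev= and ino= but not the full path; this turns them
# into a lookup (MOUNTPOINT is where the dev= filesystem is mounted).
locate_cmd() {
    printf "find '%s' -xdev -inum %s\n" "$1" "$2"
}

# The three rules from the first post, as constructed sample input.
RULES='allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
allow httpd_sys_script_t self:process { execmem getsched };
allow httpd_sys_script_t usr_t:file { execute execute_no_trans };'

# triage_all -> one "VERDICT<TAB>rule" line per rule
triage_all() {
    printf '%s\n' "$RULES" | while IFS= read -r _r; do
        printf '%s\t%s\n' "$(classify_rule "$_r")" "$_r"
    done
}

triage_all
# MISLABEL  -> locate_cmd / relabel_cmds, then re-test; no allow rule needed
# HIGH_RISK -> do not grant to httpd_sys_script_t; find out what needs it
# REVIEW    -> weigh what every process in the domain gains before audit2allow -M
relabel_cmds /usr/local/bin/example-cgi-helper   # assumed path, for illustration
locate_cmd /  46108075                           # inode from the LLAWP AVC line
```

Only MISLABEL verdicts are fixed by relabelling; a REVIEW verdict still needs the question the thread keeps coming back to (who else runs in this domain), and a HIGH_RISK verdict on a public server is a reason to confine the program that asked for it rather than to widen httpd's domain.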
 
04-22-2010, 09:24 PM
Impact?

Dominick wrote:
> On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@5-cent.us wrote:
>> I've got the java wants to write, and execmem errors. audit2allow gives
>> me this:
>> allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
>> allow httpd_sys_script_t self:process { execmem getsched };
>> allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
>
> label the target in this interaction (usr_t file) with type bin_t. You can
> find the location and/or the inode of the location in the AVC denial.

Right, *thank* you. Took care of both files (from rule one and three).
>>
>> What would be the impact of implementing this policy on a server visible
>> to the world? Would it open up some huge, known hole?
<snip>
> By allowing the second line of policy you allow all generic httpd system
> scripts to execute anonymous memory and you allow them to set schedule on
> its own process.
>
> info about execmem:
>
> http://people.redhat.com/drepper/selinux-mem.html

Thanks, I'll look at that tomorrow (I'm getting ready to leave for the day).

How about this one: we're stuck with CA's SiteMinder, and it wants,
apparently, to rotate its logs. The AVC is
type=AVC msg=audit(1271964387.568:10240): avc: denied { rename } for
pid=7171 comm="LLAWP" name="smagent.log.69" dev=sda3 ino=46108075
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_log_t:s0 tclass=file

I'm in permissive mode on this box, but I've got several others that
aren't. audit2allow gives me
<snip>
allow httpd_t httpd_log_t:file rename;
allow httpd_t java_exec_t:file { read getattr execute execute_no_trans };
allow httpd_t proc_net_t:dir search;
allow httpd_t proc_net_t:file { read getattr };
allow httpd_t self:process { execstack execmem };

Do I have mislabeled files there, as well; if not, what would be the
impact of, say, the java rule, or the dir search rule?

mark

 
04-22-2010, 10:01 PM
Dominick Grift
Impact?

On Thu, Apr 22, 2010 at 05:24:48PM -0400, m.roth@5-cent.us wrote:
> Dominick wrote:
> > On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@5-cent.us wrote:
> >> I've got the java wants to write, and execmem errors. audit2allow gives
> >> me this:
> >> allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
> >> allow httpd_sys_script_t self:process { execmem getsched };
> >> allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
> >
> > label the target in this interaction (usr_t file) with type bin_t. You can
> > find the location and/or the inode of the location in the AVC denial.
>
> Right, *thank* you. Took care of both files (from rule one and three).
> >>
> >> What would be the impact of implementing this policy on a server visible
> >> to the world? Would it open up some huge, known hole?
> <snip>
> > By allowing the second line of policy you allow all generic httpd system
> > scripts to execute anonymous memory and you allow them to set schedule on
> > its own process.
> >
> > info about execmem:
> >
> > http://people.redhat.com/drepper/selinux-mem.html
>
> Thanks, I'll look at that tomorrow (I'm getting ready to leave for the day).
>
> How about this one: we're stuck with CA's SiteMinder, and it wants,
> apparently, to rotate its logs. The AVC is
> type=AVC msg=audit(1271964387.568:10240): avc: denied { rename } for
> pid=7171 comm="LLAWP" name="smagent.log.69" dev=sda3 ino=46108075
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
>
> I'm in permissive mode on this box, but I've got several others that
> aren't. audit2allow gives me
> <snip>
> allow httpd_t httpd_log_t:file rename;

Well, it's probably better to write policy for the "LLAWP" application, because by allowing these vectors you also allow
httpd this access, and everything else that might run in httpd's security domain (not just LLAWP).

But I can imagine that you may not know how to implement policy for it. Is this a Red Hat rpm?

Allowing httpd_t to rename files with type httpd_t is not such a big deal, I believe, so allowing this shouldn't cause too much trouble.

> allow httpd_t java_exec_t:file { read getattr execute execute_no_trans };

This is your app (probably LLAWP) executing java. If you implemented policy for your app, then it wouldn't be httpd_t needing to execute this but your app's domain.

If you allow this, then httpd and everything that runs in httpd's domain is able to run java.

Not really a big deal, depending on what else your app and java need to operate, since it will run in httpd's sandbox.

> allow httpd_t proc_net_t:dir search;
> allow httpd_t proc_net_t:file { read getattr };

This is probably your LLAWP app reading network state. If you allow this, then you allow httpd, as well as everything running in httpd's domain, to read network state.

> allow httpd_t self:process { execstack execmem };

This is a pretty big deal; execmem and execstack can cause buffer overflows, I believe.

>
> Do I have mislabeled files there, as well; if not, would would be the
> impact of, say, the java rule, or the dir search rule?

Well, except for the execstack and execmem, the impact isn't so great. The problem is that by allowing it you broaden the httpd_t sandbox domain (you give httpd, and stuff running in the httpd_t domain, more access).

It would be best to implement a domain transition from httpd_t to whatever app needs this access (LLAWP?). This way you do not have to allow httpd_t this access, but can instead allow this access for your app alone.

That basically means that LLAWP cannot compromise the httpd domain.

But writing policy is not a trivial task. I would be willing to help write policy if that is at all possible.

I would need some information:

- Is it a Red Hat package (rpm)?
- Can you provide an rpm -ql of the package?
- Would you be able to test the policy and provide feedback?

>
> mark
>
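The domain transition Dominick proposes above, as an added shell example (not code from the list, from CA, or from the reference-policy maintainers): a generator that writes a minimal policy module putting LLAWP in its own domain, entered by a transition from httpd_t, so the rename, /proc/net, java and execmem/execstack access goes to llawp_t instead of to everything in httpd_t. Assumptions, all mine: the reference-policy interfaces named in the .te (apache_manage_log, kernel_read_network_state, java_exec, domtrans_pattern) as shipped in selinux-policy-devel, the module name llawp, and the placeholder path /opt/example/webagent/bin/LLAWP, which stands in for wherever the real binary lives.

```shell
#!/bin/sh
# Added example, not from the list posts: generate a small SELinux policy
# module that confines LLAWP in its own domain with a domain transition from
# httpd_t. Assumes reference-policy interfaces from selinux-policy-devel;
# the executable path is a placeholder that must be replaced with the real one.

# gen_module OUTDIR NAME EXEC_PATH
# Writes NAME.te and NAME.fc into OUTDIR and prints the build/install steps.
gen_module() {
    _out=$1; _name=$2; _exec=$3
    mkdir -p "$_out"

    # Type enforcement: new domain + entry point, the transition, and only the
    # access the AVCs in the thread showed LLAWP needing.
    cat > "$_out/$_name.te" <<EOF
policy_module($_name, 1.0.0)

gen_require(\`
    type httpd_t;
')

type ${_name}_t;
type ${_name}_exec_t;
domain_type(${_name}_t)
domain_entry_file(${_name}_t, ${_name}_exec_t)
role system_r types ${_name}_t;

# httpd_t executes ${_name}_exec_t -> the child runs as ${_name}_t, not httpd_t
domtrans_pattern(httpd_t, ${_name}_exec_t, ${_name}_t)

# Log rotation (the rename denial on httpd_log_t)
apache_manage_log(${_name}_t)

# Reading /proc/net (the proc_net_t search/read denials)
kernel_read_network_state(${_name}_t)

# Running java (the java_exec_t denial)
java_exec(${_name}_t)

# execmem/execstack: granted to this domain only, never to httpd_t.
# Still weakens W^X for ${_name}_t; drop it if the vendor can do without.
allow ${_name}_t self:process { execmem execstack };
EOF

    # File context: label the binary so the transition fires on exec.
    cat > "$_out/$_name.fc" <<EOF
$_exec    --    gen_context(system_u:object_r:${_name}_exec_t,s0)
EOF

    # What to run next (as root, on a permissive test box first).
    cat <<EOF
cd $_out && make -f /usr/share/selinux/devel/Makefile $_name.pp
semodule -i $_out/$_name.pp
restorecon -v $_exec
EOF
}

# Placeholder path (assumption); point this at the real LLAWP binary.
gen_module "${TMPDIR:-/tmp}/llawp-policy" llawp /opt/example/webagent/bin/LLAWP
```

After `semodule -i`, `sesearch -T -s httpd_t -t llawp_exec_t -c process` should list the type transition and `ps -eZ | grep LLAWP` should show the process in llawp_t; any further denials then name llawp_t as the source, which is exactly the point: audit2allow output for that domain no longer widens what a compromised CGI in httpd_t can do.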
 
04-22-2010, 11:25 PM
mark
Impact?

Dominick Grift wrote:
> On Thu, Apr 22, 2010 at 05:24:48PM -0400, m.roth@5-cent.us wrote:
>> Dominick wrote:
>>> On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@5-cent.us wrote:
<snip>
>> How about this one: we're stuck with CA's SiteMinder, and it wants,
>> apparently, to rotate its logs. The AVC is type=AVC
>> msg=audit(1271964387.568:10240): avc: denied { rename } for pid=7171
>> comm="LLAWP" name="smagent.log.69" dev=sda3 ino=46108075
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
>>
>> I'm in permissive mode on this box, but I've got several others that
>> aren't. audit2allow gives me <snip> allow httpd_t httpd_log_t:file rename;
>>
>
> Well, it's probably better to write policy for the "LLAWP" application,
> because by allowing these vectors you also allow httpd this access, and
> everything else that might run in httpd's security domain (not just LLAWP).
>
> But I can imagine that you may not know how to implement policy for it. Is
> this a Red Hat rpm?

Um, let's try this again: Computer Associates, a mega-billion dollar
international software firm, was selling to mainframes decades ago, and is
*everywhere*, it's their product, proprietary, $$$$.

I've tried contacting the folks that run the server at work who serve its policy
and license, and all they found was what I found via google, and I don't have
the authority to go talk to our CA account rep.
<snip>
>> allow httpd_t self:process { execstack execmem };
>
> This is a pretty big deal; execmem and execstack can cause buffer overflows, I
> believe.
>
>> Do I have mislabeled files there, as well; if not, would would be the
>> impact of, say, the java rule, or the dir search rule?
>
> Well, except for the execstack and execmem, the impact isn't so great. The
> problem is that by allowing it you broaden the httpd_t sandbox domain (you
> give httpd, and stuff running in the httpd_t domain, more access).
>
> It would be best to implement a domain transition from httpd_t to whatever
> app needs this access (LLAWP?). This way you do not have to allow httpd_t
> this access, but can instead allow this access for your app alone.
>
> That basically means that LLAWP cannot compromise the httpd domain.
>
> But writing policy is not a trivial task. I would be willing to help write
> policy if that is at all possible.
>
> I would need some information:
<snip>

Thanks a *lot* Dominick - I've been on and off playing with this for months.
And it doesn't help that selinux *fails* to handle errors correctly - sealert
on these things claims setting httpd_unified on will fix it, and it does *not*,
so very clearly it's falling through to a false default error.

mark
--
A clear view of the libertarian view of the world: our lives are merely
capital's way of reproducing itself.
- whitroth, 2003
 
04-23-2010, 08:17 AM
Dominick Grift
Impact?

On Thu, Apr 22, 2010 at 07:25:33PM -0400, mark wrote:
> Dominick Grift wrote:
> > On Thu, Apr 22, 2010 at 05:24:48PM -0400, m.roth@5-cent.us wrote:
> >> Dominick wrote:
> >>> On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@5-cent.us wrote:
> <snip>
> >> How about this one: we're stuck with CA's SiteMinder, and it wants,
> >> apparently, to rotate its logs. The AVC is type=AVC
> >> msg=audit(1271964387.568:10240): avc: denied { rename } for pid=7171
> >> comm="LLAWP" name="smagent.log.69" dev=sda3 ino=46108075
> >> scontext=system_u:system_r:httpd_t:s0
> >> tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
> >>
> >> I'm in permissive mode on this box, but I've got several others that
> >> aren't. audit2allow gives me <snip> allow httpd_t httpd_log_t:file rename;
> >>
> >
> > Well, it's probably better to write policy for the "LLAWP" application,
> > because by allowing these vectors you also allow httpd this access, and
> > everything else that might run in httpd's security domain (not just LLAWP).
> >
> > But I can imagine that you may not know how to implement policy for it. Is
> > this a Red Hat rpm?
>
> Um, let's try this again: Computer Associates, a mega-billion dollar
> international software firm, was selling to mainframes decades ago, and is
> *everywhere*, it's their product, proprietary, $$$$.
>
> I've tried contacting the folks that run the server at work who serve its policy
> and license, and all they found was what I found via google, and I don't have
> the authority to go talk to our CA account rep.
> <snip>
> >> allow httpd_t self:process { execstack execmem };
> >
> > This is a pretty big deal; execmem and execstack can cause buffer overflows, I
> > believe.
> >
> >> Do I have mislabeled files there, as well; if not, would would be the
> >> impact of, say, the java rule, or the dir search rule?
> >
> > Well, except for the execstack and execmem, the impact isn't so great. The
> > problem is that by allowing it you broaden the httpd_t sandbox domain (you
> > give httpd, and stuff running in the httpd_t domain, more access).
> >
> > It would be best to implement a domain transition from httpd_t to whatever
> > app needs this access (LLAWP?). This way you do not have to allow httpd_t
> > this access, but can instead allow this access for your app alone.
> >
> > That basically means that LLAWP cannot compromise the httpd domain.
> >
> > But writing policy is not a trivial task. I would be willing to help write
> > policy if that is at all possible.
> >
> > I would need some information:
> <snip>
>
> Thanks a *lot* Dominick - I've been on and off playing with this for months.
> And it doesn't help that selinux *fails* to handle errors correctly - sealert
> on these things claims setting httpd_unified on will fix it, and it does *not*,
> so very clearly it's falling through to a false default error.

In my view it is CA that is failing.

To quote Drepper on execstack:

"As the name suggests, this error is raised if a program tries to make its stack (or parts thereof) executable with an mprotect call. This should never, ever be necessary. Stack memory is not executable on most OSes these days and this won't change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code."

audit2allow cannot make security decisions for you, and its advice may in fact be your best option. Note that I said:

"But writing policy is not a trivial task. I would be willing to help write policy if that is at all possible."

A domain transition may or may not be possible. If it is not possible, you will have to settle for audit2allow's suggestions.

>
> mark
 
04-23-2010, 06:44 PM
Impact?

> Date: Thu, 22 Apr 2010 22:53:01 +0200
> From: Dominick Grift <domg472@gmail.com>
> On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@5-cent.us wrote:

>> I've got the java wants to write, and execmem errors. audit2allow gives
>> me
>> this:
>> allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
>> allow httpd_sys_script_t self:process { execmem getsched };
>> allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
>
> By allowing the second line of policy you allow all generic httpd system
> scripts to execute anonymous memory and you allow them to set schedule
> on its own process.
<snip>
Looking further: that second one, I see, is also being caused by matlab,
which is not an unintelligent package. How serious is it to allow that...
or is there a policy rule that's been tightened recently that used to
allow this?

mark


 
04-23-2010, 06:55 PM
Dominick Grift
Impact?

On Fri, Apr 23, 2010 at 02:44:26PM -0400, m.roth@5-cent.us wrote:
> > Date: Thu, 22 Apr 2010 22:53:01 +0200
> > From: Dominick Grift <domg472@gmail.com>
> > On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@5-cent.us wrote:
>
> >> I've got the java wants to write, and execmem errors. audit2allow gives
> >> me
> >> this:
> >> allow httpd_sys_script_t nfs_t:file { execute execute_no_trans };
> >> allow httpd_sys_script_t self:process { execmem getsched };
> >> allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
> >
> > By allowing the second line of policy you allow all generic httpd system
> > scripts to execute anonymous memory and you allow them to set schedule
> > on its own process.
> <snip>
> Looking further: that second one, I see, is also being caused by matlab,
> which is not an unintelligent package. How serious is it to allow that...
> or is there a policy rule that's been tightened recently that used to
> allow this?


I am not familiar with matlab, but are you sure the AVC denial is related to matlab? Why would matlab run in the httpd generic system script domain? (What runs it?)

Either way, httpd_sys_script_t was never allowed execmem. However, if you run matlab in an unconfined domain (instead of the confined httpd_sys_script_t domain), then execmem may or may not be allowed, depending on the allow_execmem boolean and/or the matlab executable's file type.
>
> mark
>
>
 
04-23-2010, 07:43 PM
Impact?

> On Fri, Apr 23, 2010 at 02:44:26PM -0400, m.roth@5-cent.us wrote:
>> > Date: Thu, 22 Apr 2010 22:53:01 +0200
>> > From: Dominick Grift <domg472@gmail.com>
>> > On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@5-cent.us wrote:
>>
>> >> I've got the java wants to write, and execmem errors. audit2allow
>> >> gives me this:

>> >> allow httpd_sys_script_t self:process { execmem getsched };
<snip>
>> > By allowing the second line of policy you allow all generic httpd
>> > system scripts to execute anonymous memory and you allow them to set
>> > schedule on its own process.
>> <snip>
>> Looking further: that second one, I see, is also being caused by matlab,
>> which is not an unintelligent package. How serious is it to allow
>> that...or is there a policy rule that's been tightened recently that
>> used to allow this?
>
> I am not familiar with matlab, but are you sure the AVC denial is related
> to matlab? Why would matlab run in the httpd generic system script
> domain? (What runs it?)

Matlab is the 900 kg gorilla of serious math software. No idea why it's
running this way, I'm not the scientists running it.
>
> Either way, httpd_sys_script_t was never allowed execmem. However, if you run
> matlab in an unconfined domain (instead of the confined httpd_sys_script_t
> domain), then execmem may or may not be allowed, depending on the
> allow_execmem boolean and/or the matlab executable's file type.
>>
Hmmm...,
ll -Z /usr/local/opt/matlab-2008b/bin/glnxa64/MATLAB
-rwxr-xr-x root root system_u:object_r:bin_t /usr/local/opt/matlab-2008b/bin/glnxa64/MATLAB

And yes, that's an executable binary.

getsebool -a | grep execmem
allow_execmem --> on
allow_unconfined_execmem_dyntrans --> off

So, given this, I'm not sure how that relates to what you say, above.

mark


 
04-23-2010, 08:05 PM
Dominick Grift
Impact?

On Fri, Apr 23, 2010 at 03:43:50PM -0400, m.roth@5-cent.us wrote:
> > On Fri, Apr 23, 2010 at 02:44:26PM -0400, m.roth@5-cent.us wrote:
> >> > Date: Thu, 22 Apr 2010 22:53:01 +0200
> >> > From: Dominick Grift <domg472@gmail.com>
> >> > On Thu, Apr 22, 2010 at 04:25:58PM -0400, m.roth@5-cent.us wrote:
> >>
> >> >> I've got the java wants to write, and execmem errors. audit2allow
> >> >> gives me this:
>
> >> >> allow httpd_sys_script_t self:process { execmem getsched };
> <snip>
> >> > By allowing the second line of policy you allow all generic httpd
> >> > system scripts to execute anonymous memory and you allow them to set
> >> > schedule on its own process.
> >> <snip>
> >> Looking further: that second one, I see, is also being caused by matlab,
> >> which is not an unintelligent package. How serious is it to allow
> >> that...or is there a policy rule that's been tightened recently that
> >> used to allow this?
> >
> > I am not familiar with matlab, but are you sure the AVC denial is related
> > to matlab? Why would matlab run in the httpd generic system script
> > domain? (What runs it?)
>
> Matlab is the 900 kg gorilla of serious math software. No idea why it's
> running this way, I'm not the scientists running it.
> >
> > Either way, httpd_sys_script_t was never allowed execmem. However, if you run
> > matlab in an unconfined domain (instead of the confined httpd_sys_script_t
> > domain), then execmem may or may not be allowed, depending on the
> > allow_execmem boolean and/or the matlab executable's file type.
> >>
> Hmmm...,
> ll -Z /usr/local/opt/matlab-2008b/bin/glnxa64/MATLAB
> -rwxr-xr-x root root system_u:object_r:bin_t /usr/local/opt/matlab-2008b/bin/glnxa64/MATLAB
>
> And yes, that's an executable binary.

Basically, if you see the following vector related to matlab:

allow httpd_sys_script_t self:process { execmem setsched };

that would mean that matlab is not run by a user but by a process that was started by httpd_t, or by a generic httpd system script, or by a program that was started by a generic httpd system script.

So question then would be what started matlab in that context and maybe even what started the process that started matlab in that context or what started the process that started the process that started the matlab process. (lol)

The AVC denial has information that can answer these questions.

>
> getsebool -a | grep execmem
> allow_execmem --> on
> allow_unconfined_execmem_dyntrans --> off
>
> So, given this, I'm not sure how that relates to what you say, above.
>
> mark
>
>
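The ancestry question Dominick ends on (what started matlab, what started that, and so on up the chain) as an added shell example, not code from the list or from any of the posters: walk the parent chain of every process running a given command in a given SELinux domain. On a live box the table comes from `ps -eo pid,ppid,label,comm`; here it is a constructed sample with made-up PIDs and paths (a CGI named run.cgi, a shell, two MATLAB processes) so the walk can be checked offline. The domain in the label is taken from the third colon-separated field of the context, which is the type.

```shell
#!/bin/sh
# Added example, not from the list posts: find who started a process that is
# running in an unexpected domain by walking its parent chain. The table below
# is a constructed sample in the shape of:  ps -eo pid,ppid,label,comm
# (PIDs, the CGI name and the second MATLAB instance are made up).

PS_SAMPLE='PID PPID LABEL COMM
1 0 system_u:system_r:init_t:s0 init
2310 1 system_u:system_r:httpd_t:s0 httpd
2315 2310 system_u:system_r:httpd_t:s0 httpd
4402 2315 system_u:system_r:httpd_sys_script_t:s0 run.cgi
4410 4402 system_u:system_r:httpd_sys_script_t:s0 sh
4418 4410 system_u:system_r:httpd_sys_script_t:s0 MATLAB
5001 1 unconfined_u:unconfined_r:unconfined_t:s0 bash
5007 5001 unconfined_u:unconfined_r:unconfined_t:s0 MATLAB'

# ps_field TABLE PID COLUMN -> that column (2=ppid, 3=label, 4=comm) for PID
ps_field() {
    printf '%s\n' "$1" | awk -v pid="$2" -v col="$3" 'NR > 1 && $1 == pid { print $col; exit }'
}

# in_domain TABLE TYPE COMM -> PIDs of COMM whose context type is TYPE
in_domain() {
    printf '%s\n' "$1" | awk -v t="$2" -v c="$3" \
        'NR > 1 && $4 == c && split($3, p, ":") && p[3] == t { print $1 }'
}

# ancestry TABLE PID -> "comm(pid)[type] < parent(pid)[type] < ... < init(1)[init_t]"
# Each "<" step is one fork; the first entry whose type differs from the
# child's is where the domain was entered (or where a transition failed to fire).
ancestry() {
    _tab=$1; _pid=$2; _chain=""
    while [ "$_pid" -gt 0 ]; do
        _lbl=$(ps_field "$_tab" "$_pid" 3)
        _type=$(printf '%s\n' "$_lbl" | cut -d: -f3)
        _entry="$(ps_field "$_tab" "$_pid" 4)($_pid)[$_type]"
        _chain=${_chain:+$_chain < }$_entry
        _pid=$(ps_field "$_tab" "$_pid" 2)
        [ -n "$_pid" ] || break
    done
    printf '%s\n' "$_chain"
}

# Every MATLAB that ended up in the CGI domain, with its full chain of parents.
for _p in $(in_domain "$PS_SAMPLE" httpd_sys_script_t MATLAB); do
    ancestry "$PS_SAMPLE" "$_p"
done
# On the real system, cross-check with the audit log, which pairs each AVC with
# a SYSCALL record carrying the parent pid:   ausearch -m avc -c MATLAB -i
```

In the sample the chain for the confined MATLAB runs through sh and run.cgi back to httpd, which is the answer to "what runs it": a CGI script is invoking matlab, so the execmem denial is genuine httpd_sys_script_t behaviour and not a stray label on the MATLAB binary (which the thread already showed is bin_t). The unconfined MATLAB started from a login shell never appears, because its type is unconfined_t and the allow_execmem boolean covers it.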