Old 06-28-2010, 02:08 AM
Vadym Chepkov
 
Default svnsync

Hi,

I configured svnsync to be triggered from a subversion hook, to maintain remote replicas.
I had my own type for hooks defined, so audit2allow shows it.

This is what it suggests:

require {
type httpd_svn_script_t;
class netlink_route_socket { write getattr read bind create nlmsg_read };
}

#============= httpd_svn_script_t ==============
allow httpd_svn_script_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
kernel_read_kernel_sysctls(httpd_svn_script_t)


I am kind of concerned about kernel bits, why would svnsync need it, I have no clue.
Also I can see a boolean httpd_can_network_relay, which is set to off by default and is not documented in man httpd_selinux.
Could it be related somehow?

Thanks,
Vadym Chepkov

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 06-28-2010, 08:07 AM
Dominick Grift
 
Default svnsync

On 06/28/2010 04:08 AM, Vadym Chepkov wrote:
> Hi,
>
> I configured svnsync to be triggered from a subversion hook, to maintain remote replicas.
> I had my own type for hooks defined, so audit2allow shows it.
>
> This is what it suggests:
>
> require {
> type httpd_svn_script_t;
> class netlink_route_socket { write getattr read bind create nlmsg_read };
> }
>
> #============= httpd_svn_script_t ==============
> allow httpd_svn_script_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
> kernel_read_kernel_sysctls(httpd_svn_script_t)
>
>
> I am kind of concerned about kernel bits, why would svnsync need it, I have no clue.
> Also I can see a boolean httpd_can_network_relay, which is set to off by default and is not documented in man httpd_selinux.
> Could it be related somehow?

That boolean seems to not be related:


$ sesearch -SC --allow -s httpd_t | grep httpd_can_network_relay | less
DT allow httpd_t gopher_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t memcache_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t http_cache_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t ftp_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t ftp_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t http_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t http_cache_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t http_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t gopher_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t memcache_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]

Although I am currently not using Fedora's httpd policy, so yours may
differ.

I couldn't find the svn module on short notice either, so I am not able
to verify either.

So with the information I do have, httpd domains currently aren't able to
create netlink sockets.

Try to figure out why your web app needs it, and if legit use
audit2allow to permit it.

> Thanks,
> Vadym Chepkov
 
Old 06-28-2010, 03:33 PM
Daniel J Walsh
 
Default svnsync

On 06/27/2010 10:08 PM, Vadym Chepkov wrote:
> Hi,
>
> I configured svnsync to be triggered from a subversion hook, to maintain remote replicas.
> I had my own type for hooks defined, so audit2allow shows it.
>
> This is what it suggests:
>
> require {
> type httpd_svn_script_t;
> class netlink_route_socket { write getattr read bind create nlmsg_read };
> }
>
> #============= httpd_svn_script_t ==============
> allow httpd_svn_script_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
> kernel_read_kernel_sysctls(httpd_svn_script_t)
>
Do you have the raw AVC output? Sometimes the tools pick too much access.

Did you build local policy? httpd_svn_script_t does not exist in the
Fedora Policy package.
>
> I am kind of concerned about kernel bits, why would svnsync need it, I have no clue.
> Also I can see a boolean httpd_can_network_relay, which is set to off by default and is not documented in man httpd_selinux.
> Could it be related somehow?
>
> Thanks,
> Vadym Chepkov
 
Old 06-28-2010, 04:13 PM
Vadym Chepkov
 
Default svnsync

On Jun 28, 2010, at 11:33 AM, Daniel J Walsh wrote:

> On 06/27/2010 10:08 PM, Vadym Chepkov wrote:
>> Hi,
>>
>> I configured svnsync to be triggered from a subversion hook, to maintain remote replicas.
>> I had my own type for hooks defined, so audit2allow shows it.
>>
>> This is what it suggests:
>>
>> require {
>> type httpd_svn_script_t;
>> class netlink_route_socket { write getattr read bind create nlmsg_read };
>> }
>>
>> #============= httpd_svn_script_t ==============
>> allow httpd_svn_script_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
>> kernel_read_kernel_sysctls(httpd_svn_script_t)
>>
> Do you have the Raw AVC output. Some times the tools pick too much access.
>
> Did you build local policy? httpd_svn_script_t does not exist in the
> Fedora Policy package.

Correct, I did; the standard policy is not sufficient for Subversion's hooks and I don't expect it to be.

This is what I have:

# grep svn local.te
apache_content_template(svn)
domain_auto_trans(httpd_svn_script_t, sendmail_exec_t, sendmail_t)
allow httpd_t httpd_svn_script_exec_t:lnk_file { read getattr };
allow httpd_svn_script_t httpd_svn_script_exec_t:lnk_file { read getattr };
files_search_var_lib(httpd_svn_script_t)
allow httpd_svn_script_t httpd_reviewboard_log_t:file append;

# grep svn local.fc
# svn
/var/svn(/.*)? gen_context(system_u:object_r:httpd_svn_script_ro_t,s0)
/var/svn/(.*/)?hooks(/.*)? gen_context(system_u:object_r:httpd_svn_script_exec_t,s0)
/var/svn/(.*/)?dav(/.*)? gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)
/var/svn/(.*/)?locks(/.*)? gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)
/var/svn/(.*/)?db(/.*)? gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)
/var/lib/apache(/.*)? gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)

# ausearch -m avc -ts yesterday
----
time->Sun Jun 27 23:44:12 2010
type=SYSCALL msg=audit(1277682252.265:79349): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=0 a3=0 items=0 ppid=31750 pid=31751 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277682252.265:79349): avc: denied { create } for pid=31751 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket
----
time->Mon Jun 28 01:37:57 2010
type=SYSCALL msg=audit(1277689077.355:79537): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fffdf7eebf0 a2=c a3=0 items=0 ppid=32628 pid=32629 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277689077.355:79537): avc: denied { bind } for pid=32629 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket
----
time->Mon Jun 28 01:38:04 2010
type=SYSCALL msg=audit(1277689084.599:79543): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7fffdf7ee9a0 a2=c a3=0 items=0 ppid=32628 pid=32629 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277689084.599:79543): avc: denied { bind } for pid=32629 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket
----
time->Mon Jun 28 01:42:46 2010
type=SYSCALL msg=audit(1277689366.029:79554): arch=c000003e syscall=51 success=no exit=-13 a0=3 a1=7fff4846b650 a2=7fff4846b65c a3=0 items=0 ppid=32742 pid=32743 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277689366.029:79554): avc: denied { getattr } for pid=32743 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket
----
time->Mon Jun 28 01:42:53 2010
type=SYSCALL msg=audit(1277689373.236:79555): arch=c000003e syscall=51 success=no exit=-13 a0=4 a1=7fff4846b400 a2=7fff4846b40c a3=0 items=0 ppid=32742 pid=32743 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277689373.236:79555): avc: denied { getattr } for pid=32743 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket
----
time->Mon Jun 28 01:59:08 2010
type=SYSCALL msg=audit(1277690348.206:79788): arch=c000003e syscall=2 success=yes exit=3 a0=7fe6c3f60a12 a1=0 a2=515384 a3=ffffffff items=0 ppid=1232 pid=1258 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="post-commit-syn" exe="/bin/ksh93" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277690348.206:79788): avc: denied { read } for pid=1258 comm="post-commit-syn" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
----
time->Mon Jun 28 01:59:08 2010
type=SYSCALL msg=audit(1277690348.290:79789): arch=c000003e syscall=44 success=yes exit=20 a0=3 a1=7fffd01ba510 a2=14 a3=0 items=0 ppid=1261 pid=1262 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277690348.290:79789): avc: denied { nlmsg_read } for pid=1262 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1277690348.290:79789): avc: denied { write } for pid=1262 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket
----
time->Mon Jun 28 01:59:08 2010
type=SYSCALL msg=audit(1277690348.290:79790): arch=c000003e syscall=47 success=yes exit=108 a0=3 a1=7fffd01ba4d0 a2=0 a3=0 items=0 ppid=1261 pid=1262 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277690348.290:79790): avc: denied { read } for pid=1262 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket


Thank you,
Vadym


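Daniel's point about reading the raw AVC records rather than trusting audit2allow's summary is easy to check by hand on the output above. The following Python script is an added example, not code from the thread or from the SELinux tools: it pairs each AVC record with the SYSCALL record that shares its audit serial, groups the denied permissions by (source type, target type, class) the way audit2allow does, but also keeps which executable triggered each group and whether the kernel actually blocked the call (success=no, exit=-13) or merely logged it (success=yes, which is what a permissive domain or permissive mode produces). The sample input is the thread's own ausearch output with the SYSCALL records abridged to the fields the script reads; the regexes assume the standard audit record layout.

```python
import re

# Constructed sample input: the ausearch records posted in the thread, with the
# SYSCALL records abridged to the fields this script reads.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1277682252.265:79349): arch=c000003e syscall=41 success=no exit=-13 comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277682252.265:79349): avc: denied { create } for pid=31751 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1277689077.355:79537): arch=c000003e syscall=49 success=no exit=-13 comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277689077.355:79537): avc: denied { bind } for pid=32629 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1277689366.029:79554): arch=c000003e syscall=51 success=no exit=-13 comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277689366.029:79554): avc: denied { getattr } for pid=32743 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1277690348.206:79788): arch=c000003e syscall=2 success=yes exit=3 comm="post-commit-syn" exe="/bin/ksh93" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277690348.206:79788): avc: denied { read } for pid=1258 comm="post-commit-syn" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=SYSCALL msg=audit(1277690348.290:79789): arch=c000003e syscall=44 success=yes exit=20 comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277690348.290:79789): avc: denied { nlmsg_read } for pid=1262 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1277690348.290:79789): avc: denied { write } for pid=1262 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1277690348.290:79790): arch=c000003e syscall=47 success=yes exit=108 comm="svnsync" exe="/usr/bin/svnsync" subj=user_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1277690348.290:79790): avc: denied { read } for pid=1262 comm="svnsync" scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=user_u:system_r:httpd_svn_script_t:s0 tclass=netlink_route_socket
"""

# Standard audit record layouts; "denied" may be padded with more than one space.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ *(?P<perms>[^}]*?) *\} +for +pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?syscall=(?P<syscall>\d+) '
    r'success=(?P<success>yes|no) exit=(?P<exit>-?\d+).*?comm="(?P<comm>[^"]*)" exe="(?P<exe>[^"]*)"'
)


def type_of(context):
    """Return the type field of a context such as user_u:system_r:httpd_svn_script_t:s0."""
    return context.split(':')[2]


def parse_audit(text):
    """Pair every AVC record with the SYSCALL record that shares its audit serial."""
    syscalls = {}
    events = []
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m.group('serial')] = m.groupdict()
            continue
        m = AVC_RE.search(line)
        if m:
            events.append(m.groupdict())
    for ev in events:
        sc = syscalls.get(ev['serial'], {})
        ev['exe'] = sc.get('exe', '?')
        # success=no (exit=-13, EACCES) means the kernel enforced the denial;
        # success=yes means it was only logged, as in permissive mode.
        ev['blocked'] = sc.get('success') == 'no'
        ev['perms'] = ev['perms'].split()
    return events


def summarize(events):
    """Group denials by (source type, target type, class) like audit2allow, but keep
    the originating executables and whether any call in the group was really blocked."""
    groups = {}
    for ev in events:
        key = (type_of(ev['scontext']), type_of(ev['tcontext']), ev['tclass'])
        g = groups.setdefault(key, {'perms': set(), 'exes': set(), 'blocked': False})
        g['perms'].update(ev['perms'])
        g['exes'].add(ev['exe'])
        g['blocked'] = g['blocked'] or ev['blocked']
    return {k: {'perms': sorted(g['perms']), 'exes': sorted(g['exes']), 'blocked': g['blocked']}
            for k, g in groups.items()}


def render_rules(summary):
    """Emit one allow rule per group, each preceded by a comment naming its sources."""
    rules = []
    for (stype, ttype, tclass), g in sorted(summary.items()):
        target = 'self' if stype == ttype else ttype
        state = 'enforced' if g['blocked'] else 'logged only, not blocked'
        rules.append('# triggered by %s (%s)' % (', '.join(g['exes']), state))
        rules.append('allow %s %s:%s { %s };' % (stype, target, tclass, ' '.join(g['perms'])))
    return rules


if __name__ == '__main__':
    print('\n'.join(render_rules(summarize(parse_audit(SAMPLE_AUDIT)))))
```

Run against the thread's records, the netlink_route_socket group comes out with exactly the six permissions audit2allow proposed, all attributed to /usr/bin/svnsync, while the sysctl_kernel_t file read that prompted the "kernel bits" question is attributed to /bin/ksh93, the shell running the post-commit hook, not to svnsync itself; the later records were logged with success=yes, so those calls were not being blocked when they were captured. That per-executable split is the detail audit2allow's summary hides and the reason to keep the raw AVC output when deciding what a local policy module should allow.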