Old 02-02-2012, 11:10 PM
Dominick Grift
 
making a file context change work for initrc_t and unconfined_t

On Thu, 2012-02-02 at 17:58 -0500, Maria Iano wrote:

Alright let's walk through this:
(A few rules may be duplicates; there might also be some typos.)

mkdir ~/mylikewise; cd ~/mylikewise; echo "policy_module(mylikewise, 1.0.0)" > mylikewise.te;

> Here is the list:
>
> type=AVC msg=audit(1328198424.686:20): avc: denied { write } for
> pid=1165 comm="lwiod" name=".netlogond" dev=dm-0 ino=393091
> scontext=system_u:system_r:lwiod_t:s0
> tcontext=system_u:object_r:netlogond_var_socket_t:s0 tclass=sock_file

> type=AVC msg=audit(1328198424.686:20): avc: denied { connectto }
> for pid=1165 comm="lwiod" path="/var/lib/likewise/.netlogond"
> scontext=system_u:system_r:lwiod_t:s0
> tcontext=system_u:system_r:netlogond_t:s0 tclass=unix_stream_socket

echo "optional_policy(\` gen_require(\` type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t; ') stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)')" >> mylikewise.te;

> type=AVC msg=audit(1328203534.556:16): avc: denied { getattr } for
> pid=1141 comm="lwsmd" path="/etc/likewise/likewise-krb5-ad.conf"
> dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file

> type=AVC msg=audit(1328203534.536:14): avc: denied { getattr } for
> pid=1141 comm="lwsmd" path="/var/lib/likewise/krb5-affinity.conf"
> dev=dm-0 ino=395410 scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file

echo "optional_policy(\` gen_require(\` type lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t; ') allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file getattr_file_perms; ')" >> mylikewise.te;

> type=AVC msg=audit(1328203534.221:9): avc: denied { getattr } for
> pid=1143 comm="eventlogd" path="/var/lib/likewise/db/lwi_events.db"
> dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file

!!!! Something wrong here this file should have been created with type
eventlogd_var_lib_t

echo "optional_policy(\` gen_require(\` type eventlogd_t, likewise_var_lib_t; ') allow eventlogd_t likewise_var_lib_t:file getattr_file_perms; ')" >> mylikewise.te;

> type=AVC msg=audit(1328200531.030:128): avc: denied { getattr } for
> pid=1486 comm="lsassd" path="/proc/1043" dev=proc ino=10798
> scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:system_r:auditd_t:s0 tclass=dir

echo "optional_policy(\` gen_require(\` type lsassd_t; ') domain_dontaudit_search_all_domains_state(lsassd_t)')" >> mylikewise.te;

> type=AVC msg=audit(1328198423.037:5): avc: denied { lock } for
> pid=1108 comm="lwsmd" path="/var/lib/likewise/.lwsmd-lock" dev=dm-0
> ino=395380 scontext=system_u:system_r:lwsmd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file

??? i was expecting a private type for .lwsmd-lock.

echo "optional_policy(\` gen_require(\` type lwsmd_t, likewise_var_lib_t; ') allow lwsmd_t likewise_var_lib_t:file lock; ')" >> mylikewise.te;

>
> type=AVC msg=audit(1328198424.260:19): avc: denied { lock } for
> pid=1151 comm="eventlogd" path="/var/lib/likewise/db/lwi_events.db"
> dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file

!!! something is wrong here, this file should have been created with type eventlogd_var_lib_t

echo "optional_policy(\` gen_require(\` type eventlogd_t, likewise_var_lib_t; ') allow eventlogd_t likewise_var_lib_t:file lock; ')" >> mylikewise.te;

> type=AVC msg=audit(1328198423.032:4): avc: denied { write } for
> pid=1108 comm="lwsmd" name=".lwsmd-lock" dev=dm-0 ino=395380
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1328198423.032:4): avc: denied { open } for
> pid=1108 comm="lwsmd" name=".lwsmd-lock" dev=dm-0 ino=395380
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file

??? i was expecting a private type for this file

echo "optional_policy(\` gen_require(\` type lwsmd_t, likewise_var_lib_t; ') allow lwsmd_t likewise_var_lib_t:file write_file_perms; ')" >> mylikewise.te;

> type=AVC msg=audit(1328198423.043:6): avc: denied { read } for
> pid=1108 comm="lwsmd" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1328198423.043:6): avc: denied { open } for
> pid=1108 comm="lwsmd" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file

echo "optional_policy(\` gen_require(\` type lwsmd_t; ') kernel_read_system_state(lwsmd_t)')" >> mylikewise.te;

> type=AVC msg=audit(1328198423.343:8): avc: denied { read } for
> pid=1112 comm="lwregd" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:lwregd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1328198423.343:8): avc: denied { open } for
> pid=1112 comm="lwregd" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:lwregd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file

echo "optional_policy(\` gen_require(\` type lwregd_t; ') kernel_read_system_state(lwregd_t)')" >> mylikewise.te;

> type=AVC msg=audit(1328203534.538:15): avc: denied { read } for
> pid=1141 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395410
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1328203534.538:15): avc: denied { open } for
> pid=1141 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395410
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file

> type=AVC msg=audit(1328203534.557:17): avc: denied { read } for
> pid=1141 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file
> type=AVC msg=audit(1328203534.557:17): avc: denied { open } for
> pid=1141 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file

echo "optional_policy(\` gen_require(\` type lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t; ') allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file read_file_perms; ')" >> mylikewise.te;

>
> type=AVC msg=audit(1328203534.223:10): avc: denied { read } for
> pid=1143 comm="eventlogd" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:eventlogd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1328203534.223:10): avc: denied { open } for
> pid=1143 comm="eventlogd" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:eventlogd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file

echo "optional_policy(\` gen_require(\` type eventlogd_t; ') kernel_read_system_state(eventlogd_t)')" >> mylikewise.te;

>
> type=AVC msg=audit(1328203534.286:11): avc: denied { read } for
> pid=1150 comm="netlogond" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:netlogond_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1328203534.286:11): avc: denied { open } for
> pid=1150 comm="netlogond" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:netlogond_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file


echo "optional_policy(\` gen_require(\` type netlogond_t; ') kernel_read_system_state(netlogond_t)')" >> mylikewise.te;

>
> type=AVC msg=audit(1328198424.259:18): avc: denied { read write }
> for pid=1151 comm="eventlogd" name="lwi_events.db" dev=dm-0
> ino=395386 scontext=system_u:system_r:eventlogd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1328198424.259:18): avc: denied { open } for
> pid=1151 comm="eventlogd" name="lwi_events.db" dev=dm-0 ino=395386
> scontext=system_u:system_r:eventlogd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file

mislabeled: should be eventlogd_var_lib_t

echo "optional_policy(\` gen_require(\` type eventlogd_t, likewise_var_lib_t; ') allow eventlogd_t likewise_var_lib_t:file rw_file_perms; ')" >> mylikewise.te;

>
> type=AVC msg=audit(1328198423.936:12): avc: denied { read } for
> pid=1164 comm="lwiod" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:lwiod_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1328198423.936:12): avc: denied { open } for
> pid=1164 comm="lwiod" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:lwiod_t:s0

echo "optional_policy(\` gen_require(\` type lwiod_t; ') kernel_read_system_state(lwiod_t)')" >> mylikewise.te;

>
> type=AVC msg=audit(1328198350.869:21213): avc: denied { read } for
> pid=1912 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395406
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1328198350.869:21213): avc: denied { open } for
> pid=1912 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395406
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file

>
> type=AVC msg=audit(1328198350.873:21215): avc: denied { read } for
> pid=1912 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file
> type=AVC msg=audit(1328198350.873:21215): avc: denied { open } for
> pid=1912 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file

echo "optional_policy(\` gen_require(\` type lwsmd_t, likewise_krb5_ad_t, netlogond_var_lib_t; ') allow lwsmd_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms; ')" >> mylikewise.te;

> type=AVC msg=audit(1328198423.053:7): avc: denied { setpgid } for
> pid=1112 comm="lwsmd" scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:system_r:lwsmd_t:s0 tclass=process

echo "optional_policy(\` gen_require(\` type lwsmd_t; ') allow lwsmd_t self:process setpgid; ')" >> mylikewise.te;

>
> type=AVC msg=audit(1328198423.945:13): avc: denied { setrlimit }
> for pid=1164 comm="lwiod" scontext=system_u:system_r:lwiod_t:s0
> tcontext=system_u:system_r:lwiod_t:s0 tclass=process
> type=AVC msg=audit(1328198423.945:13): avc: denied { sys_resource }
> for pid=1164 comm="lwiod" capability=24
> scontext=system_u:system_r:lwiod_t:s0
> tcontext=system_u:system_r:lwiod_t:s0 tclass=capability

echo "optional_policy(\` gen_require(\` type lwiod_t; ') allow lwiod_t self:process setrlimit; allow lwiod_t self:capability sys_resource; ')" >> mylikewise.te;


>
>
>

There is one file that somehow was created with the wrong type or
mislabeled otherwise:

/var/lib/likewise/db/lwi_events.db (should have type eventlogd_var_lib_t
and not likewise_var_lib_t)

This file should have been created by eventlogd, and if it was, it would
have been created with the right type? Strange...

make -f /usr/share/selinux/devel/Makefile mylikewise.pp
sudo semodule -i mylikewise.pp

Please test again (make sure you restore all locations
including /var/lib/likewise)

If you have any questions or comments, please do not hesitate to ask.

I am looking forward to your reply.


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
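As an added example (not code from the thread, nor from the Likewise or reference policy projects), the following Python script does the bookkeeping the walk-through above does by hand: it parses AVC records, merges the denied permissions per (source type, target type, class), substitutes a reference policy interface where the thread uses one instead of a raw allow rule, and flags objects that carry the generic directory type, which is the mislabel noticed above for lwi_events.db. The sample records are constructed from the ones quoted in this thread; the INTERFACES table and the GENERIC_DIR_TYPES set are assumptions limited to the names the thread itself uses.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records of the shape quoted in the thread, each on
# one line (the mail client had wrapped them). Types and names are the ones
# that appear in the thread.
SAMPLE_AVCS = """\
type=AVC msg=audit(1328198424.686:20): avc: denied { write } for pid=1165 comm="lwiod" name=".netlogond" dev=dm-0 ino=393091 scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:object_r:netlogond_var_socket_t:s0 tclass=sock_file
type=AVC msg=audit(1328198423.043:6): avc: denied { read } for pid=1108 comm="lwsmd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1328198423.043:6): avc: denied { open } for pid=1108 comm="lwsmd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1328198424.259:18): avc: denied { read write } for pid=1151 comm="eventlogd" name="lwi_events.db" dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328198423.053:7): avc: denied { setpgid } for pid=1112 comm="lwsmd" scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:system_r:lwsmd_t:s0 tclass=process
type=AVC msg=audit(1328288896.867:124): avc: denied { name_connect } for pid=1803 comm="eventlogd" dest=135 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket
"""

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into the pieces a policy rule is built from.
    Returns None for lines that are not 'avc: denied' records."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        stype = fields['scontext'].split(':')[2]   # user:role:TYPE:level
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {'perms': set(m.group(1).split()), 'stype': stype, 'ttype': ttype,
            'tclass': tclass, 'obj': fields.get('path') or fields.get('name')}


# Denials the thread resolves with a reference policy interface rather than a
# raw allow rule, keyed by (target type, class). Both interface names are the
# ones used in the thread (assumption: nothing beyond those two is mapped).
INTERFACES = {
    ('proc_t', 'file'): 'kernel_read_system_state({s})',
    ('epmap_port_t', 'tcp_socket'): 'corenet_tcp_connect_epmap_port({s})',
}


def draft_rules(lines):
    """Merge denials per (source, target, class) and emit one policy
    statement for each group, sorted for a stable .te layout."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            grouped[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    rules = []
    for (s, t, c), perms in sorted(grouped.items()):
        if (t, c) in INTERFACES:
            rules.append(INTERFACES[(t, c)].format(s=s))
            continue
        target = 'self' if s == t else t       # same type on both sides -> self
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            p = '{ ' + p + ' }'
        rules.append('allow %s %s:%s %s;' % (s, target, c, p))
    return rules


# Generic directory types that, as the thread points out, should never be the
# label of a file or socket: a denial on such an object is a labeling bug to
# fix in the .fc file, not a permission to grant. (Assumed set.)
GENERIC_DIR_TYPES = {'likewise_var_lib_t'}


def suspect_mislabels(lines, generic_types=GENERIC_DIR_TYPES):
    """Objects whose target type is a generic directory type but whose class
    is not 'dir': candidates for a missing file context specification."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d and d['ttype'] in generic_types and d['tclass'] != 'dir':
            out.append((d['obj'], d['ttype'], d['tclass']))
    return out


if __name__ == '__main__':
    lines = SAMPLE_AVCS.splitlines()
    print('\n'.join(draft_rules(lines)))
    for obj, ttype, tclass in suspect_mislabels(lines):
        print('mislabel? %s is a %s with generic type %s' % (obj, tclass, ttype))
```

The output is a draft to review, not a module to install: a rule such as `allow eventlogd_t likewise_var_lib_t:file { read write };` is exactly the kind the thread later rejects, because the object should have carried a private type, so anything reported by suspect_mislabels() belongs in a .fc entry rather than in the .te file.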
 
Old 02-03-2012, 08:02 AM
Dominick Grift
 
making a file context change work for initrc_t and unconfined_t

On Thu, 2012-02-02 at 18:36 -0500, Maria Iano wrote:

> I just noticed that I missed some duplicates. Here is a slightly
> shorter list. Now I know I can attach them so I won't paste them in
> again.
>

Alright. I have cleaned up my policy patch as well. It was very late
last night when I did it (or early this morning). There were some dupes,
typos and other issues. Generally it was just a mess.

This is what your mylikewise.te file should look like: (except for the
line breaks, that is due to my e-mail client)

policy_module(mylikewise, 1.0.0)

optional_policy(`
gen_require(`
attribute likewise_domains;
type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t;
type lsassd_t, lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t,
eventlogd_t;
')

stream_connect_pattern(lwiod_t, likewise_var_lib_t,
netlogond_var_socket_t, netlogond_t)

kernel_read_system_state(likewise_domains)
domain_dontaudit_search_all_domains_state(lsassd_t )

allow lwsmd_t likewise_var_lib_t:file write_file_perms;
allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file
read_file_perms;

allow eventlogd_t likewise_var_lib_t:file rw_file_perms;

allow lwsmd_t self:process setpgid;
allow lwiod_t self:process setrlimit;
allow lwiod_t self:capability sys_resource;
')

..

To build it:

make -f /usr/share/selinux/devel/Makefile mylikewise.pp

to install it:

sudo semodule -i mylikewise.pp


 
Old 02-03-2012, 08:43 AM
Dominick Grift
 
making a file context change work for initrc_t and unconfined_t

On Fri, 2012-02-03 at 10:02 +0100, Dominick Grift wrote:

>
> policy_module(mylikewise, 1.0.0)
>
> optional_policy(`
> gen_require(`
> attribute likewise_domains;
> type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t;
> type lsassd_t, lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t,
> eventlogd_t;
> ')
>
> stream_connect_pattern(lwiod_t, likewise_var_lib_t,
> netlogond_var_socket_t, netlogond_t)
>
> kernel_read_system_state(likewise_domains)
> domain_dontaudit_search_all_domains_state(lsassd_t )
>
> allow lwsmd_t likewise_var_lib_t:file write_file_perms;
> allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file
> read_file_perms;
>
> allow eventlogd_t likewise_var_lib_t:file rw_file_perms;
>
> allow lwsmd_t self:process setpgid;
> allow lwiod_t self:process setrlimit;
> allow lwiod_t self:capability sys_resource;
> ')
>
> ..
>
> To build it:
>
> make -f /usr/share/selinux/devel/Makefile mylikewise.pp
>
> to install it:
>
> sudo semodule -i mylikewise.pp
>
>

Actually, I think I figured out why /var/lib/likewise/db/lwi_events.db
and /var/lib/likewise/.lwsmd-lock might have been mislabeled.

The "lwi_events.db" has chars that need to be escaped. (either the dot
or underscore or both)

The .lwsmd-lock has no file context specification at all currently.

Please try the following (watch the line breaks though, this e-mail
client messes up the layout):

mylikewise.te:

policy_module(mylikewise, 1.0.0)

optional_policy(`
gen_require(`
attribute likewise_domains;
type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t;
type lsassd_t, lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t;
')

stream_connect_pattern(lwiod_t, likewise_var_lib_t,
netlogond_var_socket_t, netlogond_t)

kernel_read_system_state(likewise_domains)
domain_dontaudit_search_all_domains_state(lsassd_t )
allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file
read_file_perms;

allow lwsmd_t self:process setpgid;
allow lwiod_t self:process setrlimit;
allow lwiod_t self:capability sys_resource;
')

mylikewise.fc:

/var/lib/likewise/db/lwi\_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)

/var/lib/likewise/.lwsmd-lock -- gen_context(system_u:object_r:lwsmd_var_lib_t,s0)

to build:

make -f /usr/share/selinux/devel/Makefile mylikewise.pp

to install

sudo semodule -i mylikewise.pp

restore contexts

restorecon -R -v /var/lib/likewise

See if the two paths above have the right type:

ls -alZ /var/lib/likewise/.lwsmd-lock
ls -alZ /var/lib/likewise/db/lwi_events.db

(also see if, when you remove them, they get created with the right
type)

If this is fixed then please test the app again. This change may
introduce some new AVC denials.

 
Old 02-03-2012, 07:41 PM
Maria Iano
 
making a file context change work for initrc_t and unconfined_t

On Feb 3, 2012, at 4:43 AM, Dominick Grift wrote:


> On Fri, 2012-02-03 at 10:02 +0100, Dominick Grift wrote:
>
> > policy_module(mylikewise, 1.0.0)
> >
> > optional_policy(`
> > gen_require(`
> > attribute likewise_domains;
> > type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t;
> > type lsassd_t, lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t,
> > eventlogd_t;
> > ')
> >
> > stream_connect_pattern(lwiod_t, likewise_var_lib_t,
> > netlogond_var_socket_t, netlogond_t)
> >
> > kernel_read_system_state(likewise_domains)
> > domain_dontaudit_search_all_domains_state(lsassd_t )
> >
> > allow lwsmd_t likewise_var_lib_t:file write_file_perms;
> > allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file
> > read_file_perms;
> >
> > allow eventlogd_t likewise_var_lib_t:file rw_file_perms;
> >
> > allow lwsmd_t self:process setpgid;
> > allow lwiod_t self:process setrlimit;
> > allow lwiod_t self:capability sys_resource;
> > ')
> >
> > ..
> >
> > To build it:
> >
> > make -f /usr/share/selinux/devel/Makefile mylikewise.pp
> >
> > to install it:
> >
> > sudo semodule -i mylikewise.pp
>
> Actually, I think I figured out why /var/lib/likewise/db/lwi_events.db
> and /var/lib/likewise/.lwsmd-lock might have been mislabeled.
>
> The "lwi_events.db" has chars that need to be escaped. (either the dot
> or underscore or both)
>
> The .lwsmd-lock has no file context specification at all currently.
>
> Please try the following (watch the line breaks though, this e-mail
> client messes up the layout):
>
> mylikewise.te:
>
> policy_module(mylikewise, 1.0.0)
>
> optional_policy(`
> gen_require(`
> attribute likewise_domains;
> type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t;
> type lsassd_t, lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t;
> ')
>
> stream_connect_pattern(lwiod_t, likewise_var_lib_t,
> netlogond_var_socket_t, netlogond_t)
>
> kernel_read_system_state(likewise_domains)
> domain_dontaudit_search_all_domains_state(lsassd_t )
> allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file
> read_file_perms;
>
> allow lwsmd_t self:process setpgid;
> allow lwiod_t self:process setrlimit;
> allow lwiod_t self:capability sys_resource;
> ')
>
> mylikewise.fc:
>
> /var/lib/likewise/db/lwi\_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
>
> /var/lib/likewise/.lwsmd-lock -- gen_context(system_u:object_r:lwsmd_var_lib_t,s0)
>
> to build:
>
> make -f /usr/share/selinux/devel/Makefile mylikewise.pp
>
> to install
>
> sudo semodule -i mylikewise.pp
>
> restore contexts
>
> restorecon -R -v /var/lib/likewise
>
> See if the two paths above have the right type:
>
> ls -alZ /var/lib/likewise/.lwsmd-lock
> ls -alZ /var/lib/likewise/db/lwi_events.db
>
> (also see if, when you remove them, they get created with the right
> type)
>
> If this is fixed then please test the app again. This change may
> introduce some new AVC denials.


I installed the mylikewise policy. Those two files do have the right
type now. After I remove them they do get created with the right type.


After installing the new policy there were some additional AVCs. Here
they are:


type=AVC msg=audit(1328288896.867:124): avc: denied { name_connect }
for pid=1803 comm="eventlogd" dest=135
scontext=system_u:system_r:eventlogd_t:s0
tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1328288705.888:70): avc: denied { unlink } for
pid=1803 comm="eventlogd" name=".eventlog" dev=dm-0 ino=392489
scontext=system_u:system_r:eventlogd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file

type=AVC msg=audit(1328288542.603:69): avc: denied { write } for
pid=1162 comm="lsassd" name=".eventlog" dev=dm-0 ino=392489
scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file

type=AVC msg=audit(1328288542.586:68): avc: denied { getattr } for
pid=1161 comm="lsassd"
path=2F7661722F6C69622F6C696B65776973652F6B72623563635F6C736173732E55532E41442E47414E4E4554542E434F4D202864656C6574656429
dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328288542.585:66): avc: denied { read write
open } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN"
dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328288542.586:67): avc: denied { unlink } for
pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0
ino=394337 scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328287031.471:5): avc: denied { read } for
pid=1165 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0
ino=395406 scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328287031.471:5): avc: denied { open } for
pid=1165 comm="lsassd" name="lsass-adcache.filedbAD.DOMAIN" dev=dm-0
ino=395406 scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328288893.067:123): avc: denied { unlink } for
pid=1849 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0
ino=395406 scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file


Thank you,
Maria

 
Old 02-03-2012, 07:59 PM
Dominick Grift
 
making a file context change work for initrc_t and unconfined_t

On Fri, 2012-02-03 at 15:41 -0500, Maria Iano wrote:

> I installed the mylikewise policy. those two files do have the right
> type now. After I remove them they do get created with the right type.
>
> After installing the new policy there were some additional AVCs. Here
> they are:
>
> type=AVC msg=audit(1328288896.867:124): avc: denied { name_connect }
> for pid=1803 comm="eventlogd" dest=135
> scontext=system_u:system_r:eventlogd_t:s0
> tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket

add this to the mylikewise.te file:

corenet_tcp_connect_epmap_port(eventlogd_t)


then just: make -f /usr/share/selinux/devel/Makefile mylikewise.pp; sudo
semodule -i mylikewise.pp

> type=AVC msg=audit(1328288705.888:70): avc: denied { unlink } for
> pid=1803 comm="eventlogd" name=".eventlog" dev=dm-0 ino=392489
> scontext=system_u:system_r:eventlogd_t:s0
> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
>
> type=AVC msg=audit(1328288542.603:69): avc: denied { write } for
> pid=1162 comm="lsassd" name=".eventlog" dev=dm-0 ino=392489
> scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
>
> type=AVC msg=audit(1328288542.586:68): avc: denied { getattr } for
> pid=1161 comm="lsassd"
> path=2F7661722F6C69622F6C696B65776973652F6B72623563635F6C736173732E55532E41442E47414E4E4554542E434F4D202864656C6574656429
> dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
>
> type=AVC msg=audit(1328288542.585:66): avc: denied { read write
> open } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN"
> dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
>
> type=AVC msg=audit(1328288542.586:67): avc: denied { unlink } for
> pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0
> ino=394337 scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
>
> type=AVC msg=audit(1328287031.471:5): avc: denied { read } for
> pid=1165 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0
> ino=395406 scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
>
> type=AVC msg=audit(1328287031.471:5): avc: denied { open } for
> pid=1165 comm="lsassd" name="lsass-adcache.filedbAD.DOMAIN" dev=dm-0
> ino=395406 scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
>
> type=AVC msg=audit(1328288893.067:123): avc: denied { unlink } for
> pid=1849 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0
> ino=395406 scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file


All of these are somehow wrong. There should be no files or sock files
with the generic likewise_var_lib_t. Only some directories.

I wonder how these got created and/or labeled this way.

None of the confined likewise processes should be allowed to create
these with this type.

The strange thing is that I also do not see any AVC denials of their
actual creation.

This leads me to suspect that these are mislabeled leftovers. Could I
be right?


> Thank you,
> Maria
>


 
Old 02-03-2012, 08:08 PM
Dominick Grift
 
making a file context change work for initrc_t and unconfined_t

On Fri, 2012-02-03 at 21:59 +0100, Dominick Grift wrote:
> On Fri, 2012-02-03 at 15:41 -0500, Maria Iano wrote:
>
> > I installed the mylikewise policy. those two files do have the right
> > type now. After I remove them they do get created with the right type.
> >
> > After installing the new policy there were some additional AVCs. Here
> > they are:
> >
> > type=AVC msg=audit(1328288896.867:124): avc: denied { name_connect }
> > for pid=1803 comm="eventlogd" dest=135
> > scontext=system_u:system_r:eventlogd_t:s0
> > tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket
>
> add this to the mylikewise.te file:
>
> corenet_tcp_connect_epmap_port(eventlogd_t)
>
>
> then just: make -f /usr/share/selinux/devel/Makefile mylikewise.pp; sudo
> semodule -i mylikewise.pp
>
> > type=AVC msg=audit(1328288705.888:70): avc: denied { unlink } for
> > pid=1803 comm="eventlogd" name=".eventlog" dev=dm-0 ino=392489
> > scontext=system_u:system_r:eventlogd_t:s0
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
> >
> > type=AVC msg=audit(1328288542.603:69): avc: denied { write } for
> > pid=1162 comm="lsassd" name=".eventlog" dev=dm-0 ino=392489
> > scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
> >
> > type=AVC msg=audit(1328288542.586:68): avc: denied { getattr } for
> > pid=1161 comm="lsassd"
> > path=2F7661722F6C69622F6C696B65776973652F6B72623563635F6C736173732E55532E41442E47414E4E4554542E434F4D202864656C6574656429
> > dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
> >
> > type=AVC msg=audit(1328288542.585:66): avc: denied { read write
> > open } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN"
> > dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
> >
> > type=AVC msg=audit(1328288542.586:67): avc: denied { unlink } for
> > pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0
> > ino=394337 scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
> >
> > type=AVC msg=audit(1328287031.471:5): avc: denied { read } for
> > pid=1165 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0
> > ino=395406 scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
> >
> > type=AVC msg=audit(1328287031.471:5): avc: denied { open } for
> > pid=1165 comm="lsassd" name="lsass-adcache.filedbAD.DOMAIN" dev=dm-0
> > ino=395406 scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
> >
> > type=AVC msg=audit(1328288893.067:123): avc: denied { unlink } for
> > pid=1849 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0
> > ino=395406 scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
>
>
> All of these are somehow wrong. There should be no files or sock files
> with the generic likewise_var_lib_t. Only some directories.
>
> I wonder how these got created and or labeled this way.
>
> None of the confined likewise processes should be allowed to create
> these with this type.
>
> The strange thing is that i also do not see any AVC denials of their
> actual creation.
>
> This leads me to suspect that these are mislabeled left overs. Could i
> be right?
>

It is still a bug though because there are no file contexts specified
for these files and so we should specify them.

It means we need the actual full paths of the files.

example:

.eventlog
find /var/lib -inum 392489
find /var/lib -inum 394337
find /var/lib -inum 395406

It is important that all files have the proper file context
specification so that if for some reason the file system needs to be
relabeled the files will still have the proper type, to avoid breakage
like we witnessed above.

> > Thank you,
> > Maria
> >
>
>


 
Old 02-04-2012, 01:41 AM
Maria Iano
 
making a file context change work for initrc_t and unconfined_t

On Feb 3, 2012, at 4:08 PM, Dominick Grift wrote:


On Fri, 2012-02-03 at 21:59 +0100, Dominick Grift wrote:

On Fri, 2012-02-03 at 15:41 -0500, Maria Iano wrote:


I installed the mylikewise policy. those two files do have the right
type now. After I remove them they do get created with the right
type.


After installing the new policy there were some additional AVCs.
Here

they are:

type=AVC msg=audit(1328288896.867:124): avc: denied
{ name_connect }

for pid=1803 comm="eventlogd" dest=135
scontext=system_u:system_r:eventlogd_t:s0
tcontext=system_ubject_r:epmap_port_t:s0 tclass=tcp_socket


add this to the mylikewise.te file:

corenet_tcp_connect_epmap_port(eventlogd_t)


then just: make -f /usr/share/selinux/devel/Makefile mylikewise.pp;
sudo

semodule -i mylikewise.pp


type=AVC msg=audit(1328288705.888:70): avc: denied { unlink } for
pid=1803 comm="eventlogd" name=".eventlog" dev=dm-0 ino=392489
scontext=system_u:system_r:eventlogd_t:s0
tcontext=system_ubject_r:likewise_var_lib_t:s0 tclass=sock_file

type=AVC msg=audit(1328288542.603:69): avc: denied { write } for
pid=1162 comm="lsassd" name=".eventlog" dev=dm-0 ino=392489
scontext=system_u:system_r:lsassd_t:s0
tcontext=system_ubject_r:likewise_var_lib_t:s0 tclass=sock_file




type=AVC msg=audit(1328288542.586:68): avc: denied { getattr } for
pid=1161 comm="lsassd"
path=2F7661722F6C69622F6C696B65776973652F6B72623563635F6C736173732E55532E41442E47414E4E4554542E434F4D202864656C6574656429
dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328288542.585:66): avc: denied { read write
open } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN"
dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328288542.586:67): avc: denied { unlink } for
pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0
ino=394337 scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328287031.471:5): avc: denied { read } for
pid=1165 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN"
dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328287031.471:5): avc: denied { open } for
pid=1165 comm="lsassd" name="lsass-adcache.filedbAD.DOMAIN" dev=dm-0
ino=395406 scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328288893.067:123): avc: denied { unlink } for
pid=1849 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN"
dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file



All of these are somehow wrong. There should be no files or sock
files with the generic likewise_var_lib_t. Only some directories.

I wonder how these got created and or labeled this way.

None of the confined likewise processes should be allowed to create
these with this type.

The strange thing is that i also do not see any AVC denials of their
actual creation.

This leads me to suspect that these are mislabeled left overs.
Could i be right?



It is still a bug though because there are no file contexts specified
for these files and so we should specify them.

It means we need the actual full paths of the files.

example:

.eventlog
find /var/lib -inum 392489
find /var/lib -inum 394337
find /var/lib -inum 395406

it is important that all files have the proper file context


Those files are
/var/lib/likewise/.eventlog
/var/lib/likewise/krb5cc_lsass.AD.DOMAIN
/var/lib/likewise/db/lsass-adcache.filedb.AD.DOMAIN

What happened was that I ran restorecon on them after they had been
created but before those AVCs. I added these rules to the fc file:


/var/lib/likewise/.eventlog -s
gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
/var/lib/likewise/krb5cc\_lsass..* --
gen_context(system_u:object_r:lsassd_var_lib_t, s0)
/var/lib/likewise/db/lsass-adcache.filedb..* --
gen_context(system_u:object_r:lsassd_var_lib_t,s0)


and matchpathcon gives the correct type for them now.

I haven't had any new AVC messages since those last changes.



--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 02-04-2012, 07:56 AM
Dominick Grift
 
Default making a file context change work for initrc_t and unconfined_t

On Fri, 2012-02-03 at 21:41 -0500, Maria Iano wrote:

> Those files are
> /var/lib/likewise/.eventlog
> /var/lib/likewise/krb5cc_lsass.AD.DOMAIN
> /var/lib/likewise/db/lsass-adcache.filedb.AD.DOMAIN
>
> What happened was that I ran restorecon on them after they had been
> created but before those AVCs. I added these rules to the fc file:
>
> /var/lib/likewise/.eventlog -s
> gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
> /var/lib/likewise/krb5cc\_lsass..* --
> gen_context(system_u:object_r:lsassd_var_lib_t, s0)
> /var/lib/likewise/db/lsass-adcache.filedb..* --
> gen_context(system_u:object_r:lsassd_var_lib_t,s0)
>
> and matchpathcon gives the correct type for them now.
>
> I haven't had any new AVC messages since those last changes.
>
>
>

Thanks. Attached patch is what i think might be the proper fixes for
upstream.
 
Old 02-04-2012, 03:01 PM
Maria Iano
 
Default making a file context change work for initrc_t and unconfined_t

On Feb 4, 2012, at 3:56 AM, Dominick Grift wrote:

> On Fri, 2012-02-03 at 21:41 -0500, Maria Iano wrote:
>
>> Those files are
>> /var/lib/likewise/.eventlog
>> /var/lib/likewise/krb5cc_lsass.AD.DOMAIN
>> /var/lib/likewise/db/lsass-adcache.filedb.AD.DOMAIN
>>
>> What happened was that I ran restorecon on them after they had been
>> created but before those AVCs. I added these rules to the fc file:
>>
>> /var/lib/likewise/.eventlog -s
>> gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
>> /var/lib/likewise/krb5cc\_lsass..* --
>> gen_context(system_u:object_r:lsassd_var_lib_t, s0)
>> /var/lib/likewise/db/lsass-adcache.filedb..* --
>> gen_context(system_u:object_r:lsassd_var_lib_t,s0)
>>
>> and matchpathcon gives the correct type for them now.
>>
>> I haven't had any new AVC messages since those last changes.
>
> Thanks. Attached patch is what i think might be the proper fixes for
> upstream.

<Likewise.patch>


Some of the additional file contexts were missing. I've added them to
the patch file. I've also attached my te and fc files. Please note, my
new diff compared directory trees that were different from yours. Here
is a line from the updated patch that shows what I'm talking about:

diff --git a/current/policy/modules/services/likewise.fc b/new/policy/modules/services/likewise.fc


Thanks!
Maria


 
Old 02-04-2012, 05:11 PM
Dominick Grift
 
Default making a file context change work for initrc_t and unconfined_t

On Sat, 2012-02-04 at 11:01 -0500, Maria Iano wrote:

>
> Some of the additional file contexts were missing. I've added them to
> the patch file. I've also attached my te and fc files. Please note, my
> new diff compared directory trees that were different from yours. Here
> is a line from the updated patch that shows what I'm talking about:
>
> diff --git a/current/policy/modules/services/likewise.fc b/new/policy/modules/services/likewise.fc
>
> Thanks!
> Maria

Yes i see some minor differences, for example you have a likewise init
script and have the ps store lock file in /var/lib rather than /etc.

There was another change that i suggested with regard to escaped
characters, but after thinking about that i do not think that was needed
after all (i was confused about the path differences).

Attached is a modified patch:

I would like a Fedora maintainer to have a look (ACK) at it before i
consider to commit this to the git repository. I am especially unsure
about entries like these i added:

/var/lib/likewise(-open)?(/.*)?
gen_context(system_u:object_r:likewise_var_lib_t,s0)

Not sure if those regular expressions will work.

Also i think it would be even better if someone could test this once
more from scratch (e.g. with a totally clean /var/lib) to see whether
all objects are created with the proper types.

And then also to see whether all file context specifications are proper
now.

Thanks for your help
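To check whether the `(-open)?(/.*)?` entry above behaves as intended, here is an added Python example (not code from the thread or from refpolicy) that emulates, in simplified form, how libselinux matches a path against file_contexts entries, and runs the generic entry together with the specific entries Maria posted against the paths from this thread. It assumes the entries are in sorted file_contexts order (generic before specific), so the last matching entry wins.

```python
import re

# Added example, not code from the thread: a simplified emulation of how
# libselinux matches a path against file_contexts entries.
#  - the regex must match the whole path (libselinux anchors it with ^ and $)
#  - an optional flag (-- regular file, -s socket, -d directory, ...) limits
#    the entry to that object class
#  - of the entries that match, the last one listed wins (assumption: the
#    list is in sorted file_contexts order, generic entries first)

FLAG_TO_CLASS = {"--": "file", "-d": "dir", "-s": "sock_file", "-l": "lnk_file",
                 "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file"}


def parse_fc(text):
    """Parse 'regex [flag] gen_context(ctx,level)' lines into entries."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        obj_class = FLAG_TO_CLASS.get(parts[1])
        ctx_field = " ".join(parts[2:] if obj_class else parts[1:])
        m = re.fullmatch(r"gen_context\(([^,]+),\s*(\S+)\)", ctx_field)
        entries.append((re.compile(parts[0]), obj_class, f"{m.group(1)}:{m.group(2)}"))
    return entries


def lookup(entries, path, obj_class):
    """Return the context the last matching entry assigns, or None (unlabeled)."""
    context = None
    for regex, entry_class, ctx in entries:
        if regex.fullmatch(path) and entry_class in (None, obj_class):
            context = ctx
    return context


# Constructed sample: the generic entry Dominick was unsure about, followed by
# the three specific entries Maria added to her fc file.
LIKEWISE_FC = r"""
/var/lib/likewise(-open)?(/.*)?  gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/.eventlog  -s  gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
/var/lib/likewise/krb5cc\_lsass..*  --  gen_context(system_u:object_r:lsassd_var_lib_t, s0)
/var/lib/likewise/db/lsass-adcache.filedb..*  --  gen_context(system_u:object_r:lsassd_var_lib_t,s0)
"""
ENTRIES = parse_fc(LIKEWISE_FC)

if __name__ == "__main__":
    for path, cls in [("/var/lib/likewise", "dir"),
                      ("/var/lib/likewise-open/db", "dir"),
                      ("/var/lib/likewise/.eventlog", "sock_file"),
                      ("/var/lib/likewise/.eventlog", "file"),
                      ("/var/lib/likewise/krb5cc_lsass.AD.DOMAIN", "file")]:
        print(f"{path} ({cls}) -> {lookup(ENTRIES, path, cls)}")
```

The `.eventlog` lookup as a regular file shows the effect of the `-s` flag: only a socket at that path gets eventlogd_var_socket_t, anything else there falls back to the generic likewise_var_lib_t.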