Old 02-07-2012, 10:09 PM
Dominick Grift
 
making a file context change work for initrc_t and unconfined_t

On Tue, 2012-02-07 at 22:39 +0000, Christina Plummer wrote:

> Hi there,

Hi

> To start with, I've run "sudo semanage -i likewise-cmds", where likewise-cmds
> contains the following (based on what I found in the likewise.fc from git as
> well as Dominick's notes above -- replacing /usr/sbin
> with /opt/likewise/sbin, and all instances of "likewise-open" with "likewise"):
>
> fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
> fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.lsassd
> fcontext -a -t lwiod_var_socket_t /var/lib/likewise/.lwiod
> fcontext -a -t lwsmd_var_socket_t /var/lib/likewise/.lwsm
> fcontext -a -t lwsmd_var_lib_t /var/lib/likewise/.lwsmd-lock
> fcontext -a -t lwregd_var_socket_t /var/lib/likewise/.regsd
> fcontext -a -t netlogond_var_socket_t /var/lib/likewise/.netlogond
> fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.ntlmd
> fcontext -a -t netlogond_var_lib_t /var/lib/likewise/krb5-affinity.conf
> fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/krb5cc_lsass(.*)?"
> fcontext -a -t eventlogd_var_lib_t /var/lib/likewise/db/lwi_events.db
> fcontext -a -t lsassd_var_lib_t /var/lib/likewise/db/sam.db
> fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/db/lsass-adcache.filedb.(.*)?"
> fcontext -a -t lwregd_var_lib_t /var/lib/likewise/db/registry.db
> fcontext -a -t lsassd_var_socket_t /var/lib/likewise/rpc/lsass
> fcontext -a -t likewise_krb5_ad_t /etc/likewise/likewise-krb5-ad.conf
> fcontext -a -t likewise_etc_t "/etc/likewise(/.*)?"
> fcontext -a -t dcerpcd_exec_t /opt/likewise/sbin/dcerpcd
> fcontext -a -t eventlogd_exec_t /opt/likewise/sbin/eventlogd
> fcontext -a -t lsassd_exec_t /opt/likewise/sbin/lsassd
> fcontext -a -t lwiod_exec_t /opt/likewise/sbin/lwiod
> fcontext -a -t lwregd_exec_t /opt/likewise/sbin/lwregd
> fcontext -a -t lwsmd_exec_t /opt/likewise/sbin/lwsmd
> fcontext -a -t netlogond_exec_t /opt/likewise/sbin/netlogond

A lot of the above file context specifications are wrong because you
have not specified what class of object it is for.

The -f option allows you to specify what type of object the
specification is for.

Example: -f -- is a file, -f -d is a dir, -f -s is a sock file
(those are the most common objects but there are also character,
block, fifo and link files).

> I added some wildcards in there because some of the files get created with the
> Active Directory domain name appended to them, namely:
>
> /var/lib/likewise/krb5cc_lsass.MYDOMAIN.NET
> /var/lib/likewise/db/lsass-adcache.filedb.MYDOMAIN.NET

Yes that is good. Just append .* to the file name or so.


> After running "restorecon -R -F -v" on all those directories and rebooting, I
> just got these denials:
>
> type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for
> pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
> scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

Looks like a init script (or a process running in the init script
domain) created a file with name krb5cc_1040237070 in /tmp (inode 17 on
device dm-4 to be exact)

/tmp should not be used by system wide services. I am not sure where and
if you can configure whatever created that file and tell it to use a
proper place like /var/lib/$APP but if possible then that is best

Also you should figure out what created this (was it some init script?).
It might be that some process was running in the init script domain due
to a mislabeled executable file (ps auxZ | grep initrc_t)

> type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for
> pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
> scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for
> pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17
> scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink }
> for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
> scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
>
> There were also a bunch of getattr denials on stuff in /proc.

Yes i know.

> Those files in /tmp are owned by me, apparently created when I logged in. They
> might have been left over from before.
> Otherwise, everything looks good so far.
>
> I haven't tried building the additional "mylikewise" policy yet, but I can do
> that next. I can also start over on a fresh box if that would be helpful.

I can create a loadable module based off of the patch that i will attach
below that will take care of the file context specs as well as the
additional policy you might need to get this to work.

Would be great if you could apply that and see if that works for you.

Unfortunately it is a bit late currently here and i need my rest now but
i will work tomorrow on the loadable policy module and send it to the
list. So you should be able to apply it tomorrow.

> Thanks,
> Christina
>

Thank you
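The denials quoted in this message and the "ps auxZ | grep initrc_t" check can be triaged mechanically. The Python script below is an added example, not code from this thread or from the Likewise or refpolicy projects: it parses ausearch -i style AVC records into (source domain, target type, object class) -> permissions groups, the way audit2allow summarises them, and scans a ps auxZ listing for processes running in a given domain. The four AVC lines are the ones quoted above, with the archive's mangled system_u:object_r field restored; the ps listing, including the lwsmd process shown in initrc_t, is constructed for illustration.

```python
import re
from collections import defaultdict

# The four AVC records quoted in this thread (ausearch -i style), one per line,
# with the archive's mangled "system_u:object_r" field restored.
AVC_LOG = """\
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
"""

# Constructed "ps auxZ" listing (not from the thread). The lwsmd entry is deliberately
# shown in initrc_t to illustrate what a mislabeled executable looks like in ps output.
PS_AUXZ = """\
LABEL                          USER  PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
system_u:system_r:init_t:s0    root    1  0.0  0.1 2000 1000 ?   Ss   21:50 0:01 /sbin/init
system_u:system_r:lsassd_t:s0  root 1671  0.0  0.5 9000 5000 ?   Ssl  21:55 0:00 /opt/likewise/sbin/lsassd
system_u:system_r:initrc_t:s0  root 1702  0.0  0.2 3000 1500 ?   Ss   21:55 0:00 /opt/likewise/sbin/lwsmd
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def type_of(context):
    """user:role:type[:range] -> the type (third field)."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial into its useful fields; None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("rest")))
    return {
        "perms": m.group("perms").split(),
        "pid": kv.get("pid"),
        "comm": kv.get("comm"),
        "target": kv.get("path") or kv.get("name"),  # path= when the kernel knows it, else name=
        "dev": kv.get("dev"),
        "ino": kv.get("ino"),
        "sdomain": type_of(kv["scontext"]),
        "ttype": type_of(kv["tcontext"]),
        "tclass": kv["tclass"],
    }


def summarize(log):
    """Group denials as audit2allow would: (source domain, target type, class) -> sorted perms."""
    groups = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["sdomain"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def processes_in_domain(ps_output, domain):
    """`ps auxZ | grep domain`, but matched on the label's type field only.
    Returns [(pid, command)] for processes running in that domain."""
    hits = []
    for line in ps_output.splitlines()[1:]:        # skip the header row
        parts = line.split(None, 11)               # COMMAND is the 12th column and may contain spaces
        if len(parts) < 12:
            continue
        label, pid, command = parts[0], parts[2], parts[11]
        if type_of(label) == domain:
            hits.append((pid, command))
    return hits


if __name__ == "__main__":
    for (sdomain, ttype, tclass), perms in summarize(AVC_LOG).items():
        print(f"{sdomain} -> {ttype}:{tclass} denied {' '.join(perms)}")
    # A target type of initrc_tmp_t means something in initrc_t created the file;
    # the thread's advice is to look for processes wrongly running in that domain.
    for pid, command in processes_in_domain(PS_AUXZ, "initrc_t"):
        print(f"pid {pid} running in initrc_t: {command}")
```

The grouping key is what matters for triage: a single (lsassd_t, initrc_tmp_t, file) group with open/read/lock/unlink says one file is involved, and the dev/ino pair identifies it even when only name= rather than path= is logged.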
 
Old 02-07-2012, 10:15 PM
Dominick Grift
 

On Wed, 2012-02-08 at 00:09 +0100, Dominick Grift wrote:

> >
> > type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for
> > pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
> > scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
>
> Looks like a init script (or a process running in the init script
> domain) created a file with name krb5cc_1040237070 in /tmp (inode 17 on
> device dm-4 to be exact)
>
> /tmp should not be used by system wide services. I am not sure where and
> if you can configure whatever created that file and tell it to use a
> proper place like /var/lib/$APP but if possible then that is best
>
> Also you should figure out what created this (was it some init script?).
> It might be that some process was running in the init script domain due
> to a mislabeled executable file (ps auxZ | grep initrc_t)

I am actually pretty sure it was created by either lsassd or maybe but
less likely the lsassd init script (or the main likewise init script if
you do not have a separate lsassd init script). May also be a left over
from earlier before you applied the proper file contexts (that is
actually what i suspect)

> > type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for
> > pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
> > scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> > type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for
> > pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17
> > scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> > type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink }
> > for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
> > scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> >

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 02-07-2012, 10:39 PM
Dominick Grift
 

On Tue, 2012-02-07 at 22:39 +0000, Christina Plummer wrote:

<snip>

Attached you will find the mylikewise1 policy source module.
This should take care of both file context specs as well as known policy
that is additionally needed.

Please first remove the file context specs that you have added manually
with semanage earlier.

To build:

make -f /usr/share/selinux/devel/Makefile mylikewise1.pp

To install:

sudo semodule -i mylikewise1.pp

To apply file context specs:

restorecon -v /etc/rc.d/init.d/likewise
restorecon -R -v /var/lib/likewise
restorecon -R -v /opt/likewise/sbin


/etc/rc.d/init.d/likewise -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)

/opt/likewise/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
/opt/likewise/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
/opt/likewise/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
/opt/likewise/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
/opt/likewise/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
/opt/likewise/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
/opt/likewise/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
/opt/likewise/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)

/var/lib/likewise(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/.eventlog -s gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
/var/lib/likewise/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise/.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
/var/lib/likewise/.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
/var/lib/likewise/.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
/var/lib/likewise/.lwsmd-lock -- gen_context(system_u:object_r:lwsmd_var_lib_t,s0)
/var/lib/likewise/.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
/var/lib/likewise/.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
/var/lib/likewise/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
/var/lib/likewise/krb5cc.* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/krb5cc\_lsass..* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/LWNetsd.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
/var/lib/likewise/lsasd.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/regsd.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
/var/lib/likewise/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
/var/lib/likewise/db/sam.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/lsass-adcache.filedb..* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/lsass-adcache.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/lsass-adstate.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/registry.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
/var/lib/likewise/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t,s0)
/var/lib/likewise/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
/var/lib/likewise/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t,s0)

policy_module(mylikewise1, 1.0.0)

gen_require(`

attribute likewise_domains;

type likewise_initrc_exec_t, dcerpcd_exec_t, eventlogd_exec_t, lsassd_exec_t;
type lwiod_exec_t, lwregd_exec_t, lwsmd_exec_t, netlogond_exec_t, srvsvcd_exec_t;

type likewise_var_lib_t, eventlogd_var_socket_t, lsassd_var_socket_t, lwiod_var_socket_t;
type lwregd_var_socket_t, lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t;
type likewise_pstore_lock_t, netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t;
type eventlogd_var_lib_t, dcerpcd_var_socket_t, dcerpcd_var_lib_t, likewise_krb5_ad_t;

type eventlogd_t, lsassd_t, lwiod_t, netlogond_t, lwsmd_t;
')

kernel_read_system_state(likewise_domains)

corenet_tcp_connect_epmap_port(eventlogd_t)
corenet_tcp_sendrecv_epmap_port(eventlogd_t)
corenet_sendrecv_epmap_client_packets(eventlogd_t)

domain_dontaudit_search_all_domains_state(lsassd_t)

allow lwiod_t self:process setrlimit;
allow lwiod_t self:capability sys_resource;

allow lwiod_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms;

stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)

allow lwsmd_t self:process setpgid;

allow lwsmd_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms;

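To make the object-class point from the first reply concrete (a spec with no -f flag applies to every class, while "-s" restricts it to sockets), here is an added Python example that is not code from the thread or from the refpolicy tooling. It parses specs in the .fc syntax of the mylikewise1 module above, honouring the -- / -d / -s second-column flags, and resolves which spec a given path would receive as a given object class. The precedence it applies (longest literal stem first, then a spec without regex metacharacters, then the later spec in the file) is my approximation of libselinux's matching order; on a real system matchpathcon(8) is the authority. SAMPLE_FC is a subset of the mylikewise1 .fc above, and UNTYPED_FC mirrors the flag-less semanage specs at the top of the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Object-class flags as semanage's -f option (and the second column of a .fc file) spell them.
TYPE_FLAGS = {"--": "file", "-d": "dir", "-s": "sock_file", "-l": "lnk_file",
              "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file"}
META_CHARS = set(".^$?*+|[](){}\\")

# Constructed sample: a subset of the mylikewise1 .fc entries from this thread.
SAMPLE_FC = """\
/var/lib/likewise(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise/krb5cc_lsass..* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/db/sam.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/lsass-adcache.filedb..* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/opt/likewise/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
"""

# The same socket spec with no object-class flag, as in the semanage commands at the
# top of the thread: it then applies to a regular file of that name as well.
UNTYPED_FC = """\
/var/lib/likewise(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/.lsassd gen_context(system_u:object_r:lsassd_var_socket_t,s0)
"""


@dataclass
class Spec:
    index: int                 # position in the file (later wins among equals)
    pathregex: str
    ftype: Optional[str]       # None = any object class
    context: Optional[str]     # user:role:type:range, or None for <<none>>
    regex: "re.Pattern"
    stem: str                  # leading components with no regex metacharacters
    literal: bool              # True if the whole spec has no regex metacharacters


def stem_of(pathregex):
    """Leading path components that contain no regex metacharacter (libselinux's "stem")."""
    first_meta = next((i for i, ch in enumerate(pathregex) if ch in META_CHARS), len(pathregex))
    return pathregex[:pathregex.rfind("/", 0, first_meta)]


def context_of(token):
    """gen_context(user:role:type,range) or a plain context -> user:role:type:range."""
    if token == "<<none>>":
        return None
    if token.startswith("gen_context(") and token.endswith(")"):
        return token[len("gen_context("):-1].replace(",", ":")
    return token


def parse_fc(text):
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            pathregex, ftype, ctx = parts[0], TYPE_FLAGS[parts[1]], parts[2]
        elif len(parts) == 2:
            pathregex, ftype, ctx = parts[0], None, parts[1]
        else:
            raise ValueError(f"malformed file context spec: {raw!r}")
        specs.append(Spec(len(specs), pathregex, ftype, context_of(ctx),
                          re.compile(pathregex), stem_of(pathregex),
                          not any(ch in META_CHARS for ch in pathregex)))
    return specs


def label_for(specs, path, objclass):
    """Context `path` would get as an object of class objclass ("file", "dir",
    "sock_file", ...), or None if no spec matches."""
    best = None
    for s in specs:
        if s.ftype is not None and s.ftype != objclass:
            continue
        if not s.regex.fullmatch(path):
            continue
        rank = (len(s.stem), s.literal, s.index)   # longest stem, then literal, then last in file
        if best is None or rank > best[0]:
            best = (rank, s)
    return best[1].context if best else None


SPECS = parse_fc(SAMPLE_FC)

if __name__ == "__main__":
    for path, cls in [("/var/lib/likewise/.lsassd", "sock_file"),
                      ("/var/lib/likewise/.lsassd", "file"),
                      ("/var/lib/likewise/krb5cc_lsass.MYDOMAIN.NET", "file")]:
        print(f"{path} as {cls}: {label_for(SPECS, path, cls)}")
```

With the "-s" flag, a regular file that happens to be named .lsassd falls through to the likewise_var_lib_t tree spec; with the flag-less spec from UNTYPED_FC it would be labelled lsassd_var_socket_t, which is the mistake the first reply points out.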
 
Old 02-08-2012, 01:44 PM
Christina Plummer
 

> > Also you should figure out what created this (was it some init script?).
> > It might be that some process was running in the init script domain due
> > to a mislabeled executable file (ps auxZ | grep initrc_t)
>
> I am actually pretty sure it was created by either lsassd or maybe but
> less likely the lsassd init script (or the main likewise init script if
> you do not have a separate lsassd init script). May also be a left over
> from earlier before you applied the proper file contexts (that is
> actually what i suspect)

Yes, it is created by lsassd, and I think it was leftover from before. The number in the filename is my uid - the files are owned by me. I logged out, I removed both files as root, and then when I next logged in as myself, a new file was created as such:

system_u:object_r:user_tmp_t:s0 krb5cc_1040237070_CeTgk16875

When I logged back out, it looks like it was renamed by lsassd:

system_u:object_r:lsassd_tmp_t:s0 krb5cc_1040237070

When I logged in again, a new file with a random string appended was created with user_tmp_t context. I repeated the whole experiment, and the file without the random string appended never re-appeared. So, I'm not entirely sure what it's doing (something with Kerberos tickets - it did grow in size when I SSHed to another box), but I haven't seen any AVC messages about it since that first time.

 
Old 02-08-2012, 01:54 PM
Dominick Grift
 

On Wed, 2012-02-08 at 09:44 -0500, Christina Plummer wrote:

>
>
> Yes, it is created by lsassd, and I think it was leftover from before.
> The number in the filename is my uid - the files are owned by me. I
> logged out, I removed both files as root, and then when I next logged
> in as myself, a new file was created as such:
>
> system_u:object_r:user_tmp_t:s0 krb5cc_1040237070_CeTgk16875
>
> When I logged back out, it looks like it was renamed by lsassd:
>
> system_u:object_r:lsassd_tmp_t:s0 krb5cc_1040237070
>
> When I logged in again, a new file with a random string appended was
> created with user_tmp_t context. I repeated the whole experiment, and
> the file without the random string appended never re-appeared. So,
> I'm not entirely sure what it's doing (something with Kerberos
> tickets - it did grow in size when I SSHed to another box), but I
> haven't seen any AVC messages about it since that first time.

Right, type lsassd_tmp_t looks good.

I said before that lsassd shouldnt be creating files in /tmp but i think
there is probably a valid reason for this one so ignore that.



 
Old 02-08-2012, 02:38 PM
Christina Plummer
 

2012/2/7 Dominick Grift <dominick.grift@gmail.com>

> Attached you will find the mylikewise1 policy source module.
> This should take care of both file context specs as well as known policy
> that is additionally needed.
>
> Please first remove the file context specs that you have added manually
> with semanage earlier.

Thanks! I made a couple slight modifications to add back in the /etc/likewise lines (since, after I removed my fcontext specs and ran restorecon on all the affected directories, /etc/likewise ended up as "etc_t" instead of "likewise_etc_t"), to escape a period and to unescape the underscore (since it didn't seem to be necessary and I like consistency). See attached.

So far, so good.
 
Old 02-08-2012, 08:33 PM
Maria Iano
 

On Feb 4, 2012, at 1:11 PM, Dominick Grift wrote:

> On Sat, 2012-02-04 at 11:01 -0500, Maria Iano wrote:
>
> > Some of the additional file contexts were missing. I've added them to
> > the patch file. I've also attached my te and fc files. Please note, my
> > new diff compared directory trees that were different from yours. Here
> > is a line from the updated patch that shows what I'm talking about:
> >
> > diff --git a/current/policy/modules/services/likewise.fc b/new/policy/modules/services/likewise.fc
> >
> > Thanks!
> > Maria
>
> Yes i see some minor differences, for example you have a likewise init
> script and have the ps store lock file in /var/lib rather than /etc.
>
> There was another change that i suggested with regard to escaped
> characters but after thinking about that i do not think that was needed
> after all (i was confused about the path differences)
>
> Attached is a modified patch:
>
> I would like a Fedora maintainer to have a look (ACK) at it before i
> consider to commit this to the git repository. I am especially unsure
> about entries like these i added:
>
> /var/lib/likewise(-open)?(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
>
> Not sure if those regular expressions will work.
>
> Also i think it would be even better if someone could test this once
> more from scratch (e.g. with a totally clean /var/lib) to see whether
> all objects are created with the proper types.
>
> And then also to see whether all file context specifications are proper
> now.
>
> Thanks for your help
>
> <Likewise-redone.patch>

I could completely remove likewise and then install it again if that
would be a useful test.

Thank you very much - the new policy has continued to work for my
server thus far - I have had no AVC messages!

Maria

 
Old 02-08-2012, 08:40 PM
Dominick Grift
 

On Wed, 2012-02-08 at 16:33 -0500, Maria Iano wrote:

>
> I could completely remove likewise and then install it again if that
> would be a useful test.
>
> Thank you very much - the new policy has continued to work for my
> server thus far - I have had no AVC messages!
>
> Maria
>

Maria, that would indeed be useful as that would be a confirmation that
the modifications work and are sufficient.

 
