Old 07-26-2012, 01:10 PM
"Dave Stoner"
 
Proprietary telnet daemon fails login when SELinux is enabled

I apologise in advance for asking questions which I feel I should have been able to answer from sources on the internet. If you could possibly give me some pointers on where to look it would be so much appreciated.

My system is CentOS 6.2:

Linux MyHostName 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64 x86_64 x86_64 GNU/Linux

SELinux mode is set to ‘enforced’.

I have a proprietary telnet daemon which, upon a telnet to port 52000, is started OK when SELinux is disabled. But when it is enabled the same telnet results in /var/log/audit/audit.log showing:

type=USER_LOGIN msg=audit(1343048458.345:69): user pid=2536 uid=0 auid=799 ses=7 subj=system_u:system_r:inetd_t:s0-s0:c0.c1023 msg='op=login id=799 exe="/bin/login" hostname=0.0.0.0 addr=0.0.0.0 terminal=pts/2 res=success'

A normal telnet gives a message similar to the above; my telnet adds the following:

type=AVC msg=audit(1343048458.353:70): avc:  denied  { entrypoint } for  pid=2543 comm="login" path="/bin/bash" dev=sda2 ino=135083 scontext=unconfined_u:system_r:qmail_tcp_env_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

I believe I can create a policy to overcome this using audit2allow, i.e. it comes up with:

module mypola 1.0;

require {
        type qmail_tcp_env_t;
        type shell_exec_t;
        class file entrypoint;
}

#============= qmail_tcp_env_t ==============
allow qmail_tcp_env_t shell_exec_t:file entrypoint;

But it seems to me that what I ought to be doing is somehow to get my daemon to run with a domain of ‘remote_login_t’, as is used by the standard telnet daemon, as here:

type=USER_LOGIN msg=audit(1343058924.928:212): user pid=3759 uid=0 auid=799 ses=29 subj=system_u:system_r:remote_login_t:s0-s0:c0.c1023 msg='op=login id=799 exe="/bin/login" hostname=localhost addr=::1 terminal=pts/2 res=success'

This is unfamiliar territory and any hints or pointers would really be appreciated.

Dave.

Dave Stoner
Principal Systems Architect
Northgate Reality
Direct: +44 (0)1442 272071 - VPN: 872 2071
www.northgate-is.com/reality
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
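As an added illustration (not code from the thread), the Python below parses the AVC record quoted in the post, reproduces the rule and module text audit2allow would generate from it, and then applies the check the poster is reaching for: an entrypoint denial where /bin/login is running in qmail_tcp_env_t rather than a login domain is a labeling problem, and allowing it would just hand that domain a shell. The LOGIN_DOMAINS set, and local_login_t in particular, are assumptions on my part; remote_login_t comes from the USER_LOGIN record in the post.

```python
import re

# Constructed sample input: the AVC record from the post, re-joined onto one
# line (the list archive wrapped it mid-token).
SAMPLE_AVC = (
    'type=AVC msg=audit(1343048458.353:70): avc:  denied  { entrypoint } for  '
    'pid=2543 comm="login" path="/bin/bash" dev=sda2 ino=135083 '
    'scontext=unconfined_u:system_r:qmail_tcp_env_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Domains /bin/login is expected to run in after a login daemon hands off:
# remote_login_t is what the stock-telnetd USER_LOGIN record in the post shows;
# local_login_t is assumed here as the console equivalent.
LOGIN_DOMAINS = {'remote_login_t', 'local_login_t'}

def parse_avc(line):
    """Split one 'avc: denied' record into its fields plus source/target types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    avc['perms'] = m.group('perms').split()
    avc['stype'] = avc['scontext'].split(':')[2]  # user:role:TYPE:range
    avc['ttype'] = avc['tcontext'].split(':')[2]
    return avc

def _perm_set(perms):
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)

def allow_rule(avc):
    """The allow rule audit2allow would emit for this denial."""
    return 'allow %s %s:%s %s;' % (avc['stype'], avc['ttype'], avc['tclass'],
                                   _perm_set(avc['perms']))

def policy_module(name, avc):
    """Whole .te module body in the shape audit2allow -M produces."""
    return ('module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n'
            '#============= %s ==============\n%s\n'
            % (name, avc['stype'], avc['ttype'], avc['tclass'],
               _perm_set(avc['perms']), avc['stype'], allow_rule(avc)))

def diagnose(avc):
    """Allowing an entrypoint denial for login outside a login domain would hand
    that domain a shell; report it as a labeling problem instead of a rule."""
    if ('entrypoint' in avc['perms'] and avc.get('comm') == 'login'
            and avc['stype'] not in LOGIN_DOMAINS):
        return ('relabel', 'login is running in %s rather than a login domain; fix the '
                'label of the daemon executable so the right transition happens'
                % avc['stype'])
    return ('allow', allow_rule(avc))
```

Calling diagnose(parse_avc(SAMPLE_AVC)) returns the 'relabel' verdict for the post's record, while an ordinary file-access denial falls through to the plain allow rule.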
 
Old 07-26-2012, 01:52 PM
Ted Toth
 
Proprietary telnet daemon fails login when SELinux is enabled

You could try using the existing telnet policy in ref policy by chconing
your executable to telnetd_exec_t. However, depending on what your
custom telnet daemon does, you may still get AVCs.

Ted

On Thu, Jul 26, 2012 at 8:10 AM, Dave Stoner
<dave.stoner@northgate-is.com> wrote:
 
Old 07-26-2012, 02:34 PM
Tristan Santore
 
Proprietary telnet daemon fails login when SELinux is enabled

On 26/07/12 14:52, Ted Toth wrote:
> You could try using the existing telnet policy in ref policy by chconing
> your executable to telnetd_exec_t. However, depending on what your
> custom telnet daemon does, you may still get AVCs.
>
> Ted
>
Maybe this will help you as a starting guide.

http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html

http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/index.html

There are details there on how to obtain denials and make a custom policy.


Regards,
Tristan


--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
 
Old 07-26-2012, 06:38 PM
Dominick Grift
 
Proprietary telnet daemon fails login when SELinux is enabled

On Thu, 2012-07-26 at 08:52 -0500, Ted Toth wrote:
> You could try using the existing telnet policy in ref policy by chconing
> your executable to telnetd_exec_t. However, depending on what your
> custom telnet daemon does, you may still get AVCs.
>
> Ted

I agree. I am not familiar with telnet, but it might also need
pam/pam_selinux to tell telnet in what context the user should log in.

 
Old 08-01-2012, 08:43 AM
"Dave Stoner"
 
Proprietary telnet daemon fails login when SELinux is enabled

Many thanks to you all on this subject. The Fedora SELinux User Guide suggested by Tristan:

http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/index.html

was particularly useful; I wish I had found that a week earlier. Coverage of the policy language at:

http://selinuxproject.org/page/PolicyLanguage

was useful. And the suggestions for applying the telnetd_exec_t type to my executable took me forward. I then ran into other problems, like write access to files. It seems to me at this time that I need to set up profiles for the whole of our comms product, which looks like being a project for the next release, unfortunately.

Once again, thanks for your assistance.

Dave.

 
