FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora User

 
 
LinkBack Thread Tools
 
Old 03-18-2008, 01:48 PM
Daniel J Walsh
 
Default dansguardian and selinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vikram Goyal wrote:
> Hi,
>
> I am running dansguardian ( content filter ) and squid. Versions:
>
> dansguardian-2.8.0.6-1.2.fc8.rf
> squid-2.6.STABLE17-1.fc8
> selinux-policy-targeted-3.0.8-87.fc8
>
> Well, I want to run dansguardian under selinux enforcing mode but due
> some avcs I have to go to permissive mode or allow the blocked accesses,
> neither of which I want.
>
> Bug reporting is also not an option since it is not in the fedora repos.
>
> The avcs are:
>
> type=AVC msg=audit(1205054238.538:28): avc: denied { write } for pid=5640 comm="dansguardian" name="run" dev=dm-1 ino=5186 57 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_ubject_r:var_run_t:s0 tclass=dir
>
> type=AVC msg=audit(1205054238.538:29): avc: denied { write } for pid=5640 comm="dansguardian" name="dansguardian.pid" dev=dm-1 ino=518711 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_ubject_r:initrc_var_run_t:s0 tclass=file
>
> type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/dansguardian/access.log-20080309" dev=dm-1 ino=1102242 scontext=system_u:system_r:squid_t:s0 tcontext=system_ubject_r:var_log_t:s0 tclass=file
>
> type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/dbmail.log-20080309" dev=dm-1 ino=1102187 scontext=system_u:system_r:squid_t:s0 tcontext=system_ubject_r:var_log_t:s0 tclass=file
>
> type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/dovecot.log-20080309" dev=dm-1 ino=1102273 scontext=system_u:system_r:squid_t:s0 tcontext=system_ubject_r:dovecot_var_log_t:s0 tclass=file
>
> type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/rpmpkgs-20080309" dev=dm-1 ino=1102254 scontext=system_u:system_r:squid_t:s0 tcontext=system_ubject_r:cron_log_t:s0 tclass=file
>
> type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/messages-20080309" dev=dm-1 ino=1102211 scontext=system_u:system_r:squid_t:s0 tcontext=system_ubject_r:var_log_t:s0 tclass=file
>
> type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/secure-20080309" dev=dm-1 ino=1102245 scontext=system_u:system_r:squid_t:s0 tcontext=system_ubject_r:var_log_t:s0 tclass=file
>
> type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/maillog-20080309" dev=dm-1 ino=1102246 scontext=system_u:system_r:squid_t:s0 tcontext=system_ubject_r:var_log_t:s0 tclass=file
>
> type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/spooler-20080309" dev=dm-1 ino=1102272 scontext=system_u:system_r:squid_t:s0 tcontext=system_ubject_r:var_log_t:s0 tclass=file
>
> type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/boot.log-20080309" dev=dm-1 ino=1102291 scontext=system_u:system_r:squid_t:s0 tcontext=system_ubject_r:var_log_t:s0 tclass=file
>
> type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/cron-20080309" dev=dm-1 ino=1102292 scontext=system_u:system_r:squid_t:s0 tcontext=system_ubject_r:var_log_t:s0 tclass=file
>
> type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/setroubleshoot/setroubleshootd.log-20080309" dev=dm-1 ino=1102249 scontext=system_u:system_r:squid_t:s0 tcontext=system_ubject_r:setroubleshoot_var_log_ t:s0 tclass=file
>
> As you may see, except for the first three, the rest of the avcs show it
> running wild and messing with a number of unrelated logs, which I don't
> want to allow.
>
> I am confused as to how it should be handeled.
>
> Thanks!

I have attached a policy te file to handle these avc;s

These look like leaked file descriptors and I think dansguardian must be
starting up squid.

dansguardian should close open file descriptors on exec

fcntl(fd, F_SETFD, FD_CLOEXEC)

To use and install this policy extract the mysquid.te file into a
directory and execute
# yum -y install selinux-policy-devel
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mysquid.pp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkff1ioACgkQrlYvE4MpobOyiwCeIBamj58IGK J7bc70tMcgS4w6
JesAoIaM7xO+yiER2GTsWellnLbCrIRw
=ORuY
-----END PGP SIGNATURE-----

module mysquid 1.0;

require {
type var_log_t;
type cron_log_t;
type dovecot_var_log_t;
type logrotate_t;
type var_run_t;
type initrc_var_run_t;
type squid_t;
type setroubleshoot_var_log_t;
class dir write;
class file { read write };
}

#============= logrotate_t ==============
dontaudit logrotate_t initrc_var_run_t:file write;
allow logrotate_t var_run_t:dir write;

#============= squid_t ==============
dontaudit squid_t cron_log_t:file { read write };
dontaudit squid_t dovecot_var_log_t:file { read write };
dontaudit squid_t setroubleshoot_var_log_t:file { read write };
dontaudit squid_t var_log_t:file { read write };
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 03-21-2008, 12:51 PM
Vikram Goyal
 
Default dansguardian and selinux

On Tue, Mar 18, 2008 at 10:48:10AM -0400, Daniel J Walsh wrote:

Hello Daniel,

> Vikram Goyal wrote:
> > Hi,
> >
> > I am running dansguardian ( content filter ) and squid. Versions:
> >
> > dansguardian-2.8.0.6-1.2.fc8.rf
> > squid-2.6.STABLE17-1.fc8
<snip>
>
> I have attached a policy te file to handle these avc;s
>
> These look like leaked file descriptors and I think dansguardian must be
> starting up squid.
>
> dansguardian should close open file descriptors on exec
>
> fcntl(fd, F_SETFD, FD_CLOEXEC)
>
<snip>

The avcs have vanished after the recent update, I waited for the system
to go through its cron cycle to confirm. I believe you incorporated them
in the new policy as always.

Thanks a lot,
--
vikram...
||||||||
||||||||
^^'^^||root||^^^'^^
// ))
//(( //
// / ||
|| / )) ((
--
Fishbowl, n.:
A glass-enclosed isolation cell where newly promoted managers are
kept for observation.
--
_
~|~
=

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 03-23-2008, 07:36 AM
Vikram Goyal
 
Default dansguardian and selinux

On Fri, Mar 21, 2008 at 07:21:14PM +0530, Vikram Goyal wrote:
> On Tue, Mar 18, 2008 at 10:48:10AM -0400, Daniel J Walsh wrote:
>
> Hello Daniel,
>
> > Vikram Goyal wrote:
> > > Hi,
> > >
> > > I am running dansguardian ( content filter ) and squid. Versions:
> > >
> > > dansguardian-2.8.0.6-1.2.fc8.rf
> > > squid-2.6.STABLE17-1.fc8
> <snip>
> >
> > I have attached a policy te file to handle these avc;s
> >
> > These look like leaked file descriptors and I think dansguardian must be
> > starting up squid.
> >
> > dansguardian should close open file descriptors on exec
> >
> > fcntl(fd, F_SETFD, FD_CLOEXEC)
> >
> <snip>
>
> The avcs have vanished after the recent update, I waited for the system
> to go through its cron cycle to confirm. I believe you incorporated them
> in the new policy as always.
>
> Thanks a lot,

Hi,

Spoke too soon. The avcs were back and I applied the module as you said.

Thanks!
--
vikram...
||||||||
||||||||
^^'^^||root||^^^'^^
// ))
//(( //
// / ||
|| / )) ((
--
Fast ship? You mean you've never heard of the Millennium Falcon?
-- Han Solo
--
#
~|~
=

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 

Thread Tools




All times are GMT. The time now is 02:53 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org