selinux novice
hello,

I have just installed selinux on my gentoo box, and am getting difficulties in permissive mode. If someone can have a look at this and point me somewhere...

Emerge doesn't work if I run it from a terminal in X11 - it call traces, can't merge anything. In dmesg I can find:

----------------
type=1400 audit(1342877962.365:424): avc:  denied  { read write } for  pid=15719 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342877962.367:425): avc:  denied  { search } for  pid=15719 comm="sh" name="ivan" dev="dm-3" ino=20709377 scontext=system_u:system_r:portage_fetch_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
type=1400 audit(1342877962.394:426): avc:  denied  { search } for  pid=15720 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir
type=1400 audit(1342878036.496:428): avc:  denied  { read write } for  pid=15894 comm="emerge" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878036.500:429): avc:  denied  { ioctl } for  pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878036.505:430): avc:  denied  { getattr } for  pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878083.667:431): avc:  denied  { read write } for  pid=16890 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878083.671:432): avc:  denied  { search } for  pid=16892 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir
----------------

I'm running xdm - gdm3 to be more accurate - and as a normal user in a terminal I switch to root and then do newrole -t sysadm_t - after that I'm trying to emerge something. Of course from a raw console, a.k.a. a non-X env, emerging works.

Additional info:
----------------
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      26
----------------
# id -Z    // after switching to root and changing newrole
system_u:system_r:sysadm_t
----------------
all installed sec-policy packages are from the hardened-devel overlay = 2.20120215-r14
----------------
I did rlpkg -a -r so many times.. :-)

thanks in advance
Ivan Gooten
selinux novice
On 21.07.2012 15:51, Ivan Gooten wrote:
> hello,
>
> I have just installed selinux on my gentoo box, and getting
> difficulties in permissive mode. If someone can have a look at this
> and point me somewhere...
> [...]
> I'm running xdm - gdm3 to be more accurate - and as normal user in
> terminal I switch to root and then do newrole -t sysadm_t - after
> that I'm trying to emerge something. Of course from raw console
> a.k.a. non X env, emerging works.
> [...]
> # id -Z // after switching to root and changing newrole
> system_u:system_r:sysadm_t
> [...]
> all installed sec-policy packages are from
> hardened-devel overlay = 2.20120215-r14
> [...]
> thanks in advance
>
> Ivan Gooten

Hi,

the first few things I notice are that it's "newrole -r sysadm_r" - "newrole -t" just switches the type. You shouldn't be in system_u, either, but in staff_u. Since you are using a targeted policy you actually would have more rights if you removed the SELinux user mapping for your user altogether, because you would be in "unconfined_r:unconfined_t", which means that there aren't really any restrictions for your user except those stated explicitly.

WKR
Hinnerk
selinux novice
On Sat, Jul 21, 2012 at 03:51:52PM +0200, Ivan Gooten wrote:
> I have just installed selinux on my gentoo box, and getting difficulties in
> permissive mode. If someone can have a look at this and point me
> somewhere...
>
> Emerge doesn't work if I run it from terminal in X11 - it call traces,
> can't merge anything. In dmesg I can find:
>
> ----------------
> type=1400 audit(1342877962.365:424): avc: denied { read write } for
> pid=15719 comm="sh" name="1" dev="devpts" ino=4
> scontext=system_u:system_r:portage_fetch_t
> tcontext=system_u:object_r:devpts_t tclass=chr_file

Looking at this first message already shows something weird: it says that the source context is "system_u:system_r:portage_fetch_t", whereas this should be either "staff_u:sysadm_r:portage_fetch_t" or "root:sysadm_r:portage_fetch_t".

[...]
> I switch to root and then do newrole -t sysadm_t - after that I'm trying to
> emerge something.
> Of course from raw console a.k.a. non X env, emerging works.
[...]
> # id -Z // after switching to root and changing newrole
> system_u:system_r:sysadm_t

It looks like there is no proper transitioning after logon. First, make sure you ran "dispatch-conf" or "etc-update" to make sure changes are made to your PAM configuration files. Next, for the graphical logon (including GDM), you might need to manually update to add in pam_selinux.so (see http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=2#doc_chap5_sect3)

Make sure that, when logged on, your "id -Z" shows you as being staff_u (or user_u, but then you won't be able to administer the system), or if you log on as root, probably the "root" SELinux user.

Only then can we go further. And as already mentioned, it's "newrole -r sysadm_r" as we need to change our (operational) role towards the system administration role.

Wkr,
  Sven Vermeulen
selinux novice
On Sat, Jul 21, 2012 at 7:14 PM, Sven Vermeulen <swift@gentoo.org> wrote:
> On Sat, Jul 21, 2012 at 03:51:52PM +0200, Ivan Gooten wrote:
> [...]
> Looking at this first message already shows something weird: it says that the
> source context is "system_u:system_r:portage_fetch_t", whereas this should
> be either "staff_u:sysadm_r:portage_fetch_t" or
> "root:sysadm_r:portage_fetch_t".
> [...]
> It looks like there is no proper transitioning after logon. First, make sure
> you ran "dispatch-conf" or "etc-update" to make sure changes are made to
> your PAM configuration files. Next, for the graphical logon (including GDM),
> you might need to manually update to add in pam_selinux.so (see
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=2#doc_chap5_sect3)
>
> Make sure that, when logged on, your "id -Z" shows you as being staff_u (or
> user_u, but then you won't be able to administer the system), or if you log
> on as root, probably the "root" SELinux user.

Thank you all for your replies :-)

So after messing with semanage/pam I have:
--------------------
# semanage login -l

Login Name                SELinux User
__default__               user_u
root                      root
system_u                  system_u
ivan                      staff_u
--------------------
which results in a console context for user root like "root:sysadm_r:sysadm_t", whereas in an X11 terminal (after switching from the ivan user to root by su -) -> "staff_u:staff_r:staff_t".

I understand that in an X11 term I'll have to "newrole -r sysadm_r" for root every time I want to administrate the system?

And what about the context difference between root (root:...) logged in from the console and root (staff_u:...) logged in via an X11 terminal - is that wrong?

Ivan

> Only then can we go further. And as already mentioned, it's "newrole -r
> sysadm_r" as we need to change our (operational) role towards the system
> administration role.
>
> Wkr,
>   Sven Vermeulen
selinux novice
On Sun, Jul 22, 2012 at 01:55:08PM +0200, Ivan Gooten wrote:
[...]
> which results in console for user root context like
> "root:sysadm_r:sysadm_t",

That's good.

> whereas in X11 terminal, (after switching from ivan user to root by su -)
> -> "staff_u:staff_r:staff_t".

That's almost good ;-)

> I understand that in X11 term I'll have to "newrole -r sysadm_r" for root
> everytime, when I will want to administrate the system?

Yes, you need to switch roles (first switch roles, then use su(do)) every time you need to do administrative changes (or queries) on the system. The staff_r role is for regular operations (user) whereas sysadm_r is for system administration.

> And what about the context's difference between root (root:...) logged from
> console and root (staff_u:...) logged via x11 terminal - is that wrong?

No, that's not wrong. If you log on directly as root, then your SELinux user (the first part in the context) is "root". If you log on as someone else, you get that SELinux user (such as "staff_u") which remains throughout your session (SELinux users don't change, even when you do "su").

Wkr,
  Sven Vermeulen
selinux novice
ok so now I get it a bit, anyway selinux is still misconfigured here.

I've created a pastebin with my current denials, if you could look at it: http://pastebin.com/uNRcaeUT

and semodule -l prints out:
------
alsa             1.11.0
application      1.2.0
arpwatch         1.10.0
authlogin        2.3.0
automount        1.13.0
bootloader       1.13.0
cgroup           1.1.0
clock            1.6.0
consolekit       1.8.0
consoletype      1.10.0
courier          1.12.0
cpufreqselector  1.3.0
cron             2.4.0
daemontools      1.2.0
dbus             1.16.0
dhcp             1.9.0
dmesg            1.3.0
dnsmasq          1.9.0
fstools          1.15.0
getty            1.9.0
gnome            2.2.0
gpg              2.5.0
gpm              1.8.0
hostname         1.7.0
hotplug          1.15.0
init             1.18.0
iptables         1.13.0
java             2.5.0
libraries        2.8.0
locallogin       1.11.0
logging          1.18.0
logrotate        1.14.0
lvm              1.13.0
miscfiles        1.9.0
modutils         1.12.0
mono             1.8.0
mount            1.14.0
mozilla          2.5.0
mplayer          2.4.0
mta              2.4.0
netutils         1.11.0
networkmanager   1.14.0
nscd             1.10.0
openvpn          1.11.0
policykit        1.2.0
portage          1.12.0
privoxy          1.11.0
psad             1.0.0
qemu             1.6.0
qmail            1.5.0
raid             1.11.0
rsync            1.11.0
samba            1.14.0
screen           2.5.0
selinuxutil      1.16.0
ssh              2.3.0
staff            2.3.0
storage          1.10.0
su               1.12.0
sudo             1.9.0
sysadm           2.4.0
sysnetwork       1.13.0
thunderbird      2.3.0
tor              1.8.0
ucspitcp         1.3.0
udev             1.14.0
ulogd            1.2.0
unconfined       3.4.0
unprivuser       2.3.0
userdomain       4.7.0
usermanage       1.17.0
virt             1.4.0
wine             1.10.0
wireshark        2.3.0
xdg              1.0.0
xfs              1.6.0
xscreensaver     1.1.0
xserver          3.7.0
------

thanks
Ivan

On Sun, Jul 22, 2012 at 6:07 PM, Sven Vermeulen <swift@gentoo.org> wrote:
> On Sun, Jul 22, 2012 at 01:55:08PM +0200, Ivan Gooten wrote:
> [...]
> Yes, you need to switch roles (first switch roles, then use su(do)) every
> time you need to do administrative changes (or queries) on the system. The
> staff_r role is for regular operations (user) whereas sysadm_r is for
> system administration.
> [...]
> No, that's not wrong. If you log on directly as root, then your SELinux user
> (the first part in the context) is "root". If you log on as someone else,
> you get that SELinux user (such as "staff_u") which remains throughout your
> session (SELinux users don't change, even when you do "su").
>
> Wkr,
>   Sven Vermeulen
selinux novice
On Fri, Jul 27, 2012 at 11:59:14AM +0200, Ivan Gooten wrote:
> ok so now I get it a bit, anyway selinux is still misconfigured here.
> I've created a pastebin with my current denials, if you could look at it:
> http://pastebin.com/uNRcaeUT

Can you please take a look at http://www.gentoo.org/proj/en/hardened/selinux-bugreporting.xml ? It describes the information we need in order to structurally solve problems you might be facing. With denials alone we can't do much - there is no proof that the denials are actually interfering with something (which is why we also need the errors you get from the applications) and they're not filtered, so we don't know what to look for first (which is why we suggest to structure issues one at a time).

Wkr,
  Sven Vermeulen
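Two points in the thread come down to reading the AVC lines carefully: Sven's earlier observation that a denial from an interactive session should carry staff_u:sysadm_r or root:sysadm_r rather than system_u:system_r (a missing login transition, not a policy gap), and his request here to report denials one issue at a time instead of as a raw dump. The script below is an added example written for this page; it is not code from the thread or from the Gentoo Hardened project. It assumes the dmesg format shown in the first post (the sample lines are copied from there, with the archive's `*` whitespace debris normalised) and treats a process talking to its pty (tcontext type devpts_t) as part of an interactive login, which is the assumption behind the "missing transition" check.

```python
"""Triage SELinux AVC denials pasted from dmesg.

Added example for this thread; not code from the original posts or from the
Gentoo Hardened project. Assumptions: audit lines follow the
'type=1400 audit(...): avc:  denied  { perms } for  key=value ...' format from
the first post, and a process attached to a pseudo-terminal (tcontext type
devpts_t) belongs to an interactive login, which after a correct PAM/newrole
transition should carry the login's SELinux user (staff_u or root), never
system_u:system_r.
"""
import re
from collections import Counter

# Constructed sample: five of the denials from the first post, whitespace
# normalised (the list archive had replaced runs of spaces with '*').
SAMPLE_DMESG = """\
type=1400 audit(1342877962.365:424): avc:  denied  { read write } for  pid=15719 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342877962.367:425): avc:  denied  { search } for  pid=15719 comm="sh" name="ivan" dev="dm-3" ino=20709377 scontext=system_u:system_r:portage_fetch_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
type=1400 audit(1342878036.496:428): avc:  denied  { read write } for  pid=15894 comm="emerge" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878036.500:429): avc:  denied  { ioctl } for  pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878083.667:431): avc:  denied  { read write } for  pid=16890 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either "quoted" (comm, name, path) or bare (pid, ino, contexts).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def split_context(ctx):
    """Split user:role:type[:mls] into its parts; the MLS range is optional."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "mls": parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(m.group("fields"))}
    return {
        "decision": m.group("decision"),
        "perms": tuple(m.group("perms").split()),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "tclass": fields.get("tclass"),
        "target": fields.get("path") or fields.get("name"),
        "scontext": split_context(fields["scontext"]),
        "tcontext": split_context(fields["tcontext"]),
    }


def parse_dmesg(text):
    """Parse every AVC line in a dmesg/audit dump, skipping unrelated lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def session_anomalies(records):
    """Denials that point at a missing login transition rather than a policy gap.

    A process talking to its pty (devpts_t) is part of an interactive session;
    if its source context is system_u:system_r the session never received the
    user's SELinux identity (pam_selinux not run, or newrole -t instead of -r).
    """
    return [r for r in records
            if r["tcontext"]["type"] == "devpts_t"
            and r["scontext"]["user"] == "system_u"
            and r["scontext"]["role"] == "system_r"]


def summarize(records):
    """Collapse repeats into ((source type, target type, class, perms), count).

    This is the one-issue-at-a-time view the Gentoo bug-reporting guide asks for.
    """
    counts = Counter((r["scontext"]["type"], r["tcontext"]["type"],
                      r["tclass"], r["perms"]) for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def as_allow_rule(key):
    """Render a summary key as the allow rule audit2allow would print.

    Only meaningful once the source context is known to be right; for the
    denials above the fix is the login transition, not a policy rule.
    """
    stype, ttype, tclass, perms = key
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(perms))


if __name__ == "__main__":
    recs = parse_dmesg(SAMPLE_DMESG)
    for r in session_anomalies(recs):
        print("missing transition: pid=%s comm=%s runs as %s:%s" % (
            r["pid"], r["comm"], r["scontext"]["user"], r["scontext"]["role"]))
    for key, n in summarize(recs):
        print("%3d  %s" % (n, as_allow_rule(key)))
```

Run it against a real dump with `dmesg | python3 avc_triage.py`-style plumbing by replacing `SAMPLE_DMESG` with `sys.stdin.read()`; on the sample it flags all four devpts_t denials as a missing transition and leaves the home-directory search alone, which is the right split: fixing the PAM/newrole setup should make the first group disappear, and only what remains is worth filing as a policy bug.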