* a few questions about selinux
From: max barwell @ 2003-07-10 3:32 UTC
To: SELinux
[-- Attachment #1: Type: text/plain, Size: 1266 bytes --]
I have just started using selinux and find it very interesting. I also
saw Russell Coker's interview at The Age and was pleased to note that
selinux is being adopted by the "smarter linux users".
I am using Debian sid, with debian kernel source 2.4.20.
I notice I get a lot of avc denied errors on boot, and wondered if they
were normal. I have attached my dmesg output, so if someone could please
look at that.
Another couple of errors I have noticed are:
psidfile_init : contexts did not exist, initialisation failed, error 2
and
id: can't get process context
are these serious?
Also I must have changed something unwittingly, because it worked in the
beginning: the default contexts in /etc/security/default_contexts are not
being honoured, because when sshing into this machine you still get a
choice of role, and can change role.
A couple more things: are there policies for apache php modules and/or
netatalk, or are these things you have to write yourself? I also can't
start X, being told a number of things depending on role and user.
As sysadm_r there are errors about xauth and Xauthority being denied,
and as user_r I get an error about /dev/tty0 not existing.
Sorry for the huge list of problems, but I would love to get these sorted.
Regards, Max
[-- Attachment #2: dmesg.txt --]
[-- Type: text/plain, Size: 15720 bytes --]
ATAPI CD/DVD-ROM drive
hdd: SAMSUNG CD-R/RW SW-252B, ATAPI CD/DVD-ROM drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
ide1 at 0x170-0x177,0x376 on irq 15
blk: queue e0838d24, I/O limit 4095Mb (mask 0xffffffff)
hda: 156301488 sectors (80026 MB) w/2048KiB Cache, CHS=155061/16/63, UDMA(100)
Partition check:
/dev/ide/host0/bus0/target0/lun0: [PTBL] [9729/255/63] p1 p2 p3 p4 < p5 p6 p7 p8 p9 p10 >
Journalled Block Device driver loaded
EXT3-fs: INFO: recovery required on readonly filesystem.
EXT3-fs: write access will be enabled during recovery.
kjournald starting. Commit interval 5 seconds
EXT3-fs: ide0(3,2): orphan cleanup on readonly fs
ext3_orphan_cleanup: deleting unreferenced inode 32
ext3_orphan_cleanup: deleting unreferenced inode 26
EXT3-fs: ide0(3,2): 2 orphan inodes deleted
EXT3-fs: recovery complete.
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: Completing initialization.
security: loading policy configuration from /etc/security/selinux/policy.12
security: policydb is compressed, decompressing...
security: decompressed 1626216 bytes
security: 4 users, 5 roles, 664 types
security: 29 classes, 66308 rules
SELinux: initialized (dev 03:02, type ext3), uses PSIDs
SELinux: initialized (dev 01:00, type cramfs), not configured for labeling
SELinux: initialized (dev 00:07, type devpts), uses transition SIDs
SELinux: initialized (dev 00:06, type devfs), uses genfs_contexts
SELinux: initialized (dev 00:05, type pipefs), uses task SIDs
SELinux: initialized (dev 00:04, type tmpfs), uses transition SIDs
SELinux: initialized (dev 00:03, type sockfs), uses task SIDs
SELinux: initialized (dev 00:02, type proc), uses genfs_contexts
SELinux: initialized (dev 00:01, type bdev), not configured for labeling
SELinux: initialized (dev 00:00, type rootfs), not configured for labeling
Adding Swap: 498004k swap-space (priority -1)
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,2), internal journal
avc: denied { read } for pid=65 exe=/sbin/hwclock path=/etc/ld.so.cache dev=03:02 ino=31 scontext=system_u:system_r:hwclock_t tcontext=maxb:object_r:etc_t tclass=file
avc: denied { getattr } for pid=65 exe=/sbin/hwclock path=/etc/ld.so.cache dev=03:02 ino=31 scontext=system_u:system_r:hwclock_t tcontext=maxb:object_r:etc_t tclass=file
avc: denied { read } for pid=66 exe=/sbin/modprobe path=/etc/ld.so.cache dev=03:02 ino=31 scontext=system_u:system_r:insmod_t tcontext=maxb:object_r:etc_t tclass=file
avc: denied { getattr } for pid=66 exe=/sbin/modprobe path=/etc/ld.so.cache dev=03:02 ino=31 scontext=system_u:system_r:insmod_t tcontext=maxb:object_r:etc_t tclass=file
avc: denied { search } for pid=66 exe=/sbin/insmod.modutils path=/var dev=03:02 ino=2129 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:file_t tclass=dir
Real Time Clock Driver v1.10e
spurious 8259A interrupt: IRQ7.
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
PCI: Found IRQ 5 for device 00:01.3
PCI: Sharing IRQ 5 with 00:01.2
usb-ohci.c: USB OHCI at membase 0xe08bc000, IRQ 5
usb-ohci.c: usb-00:01.3, Silicon Integrated Systems [SiS] 7001 (#2)
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 3 ports detected
PCI: Found IRQ 5 for device 00:01.2
PCI: Sharing IRQ 5 with 00:01.3
usb-ohci.c: USB OHCI at membase 0xe08be000, IRQ 5
usb-ohci.c: usb-00:01.2, Silicon Integrated Systems [SiS] 7001
usb.c: new USB bus registered, assigned bus number 2
hub.c: USB hub found
hub.c: 3 ports detected
usb.c: registered new driver hiddev
usb.c: registered new driver hid
hid-core.c: v1.8.1 Andreas Gal, Vojtech Pavlik <vojtech@suse.cz>
hid-core.c: USB HID support drivers
mice: PS/2 mouse device common for all mice
Trident 4DWave/SiS 7018/ALi 5451,Tvia CyberPro 5050 PCI Audio, version 0.14.10h, 01:49:09 Jul 6 2003
PCI: Found IRQ 11 for device 00:01.4
trident: SiS 7018 PCI Audio found at IO 0xd800, IRQ 11
ac97_codec: AC97 Audio codec, id: VIA97(Unknown)
sis900.c: v1.08.06 9/24/2002
PCI: Found IRQ 3 for device 00:01.1
eth0: Unknown PHY transceiver found at address 1.
eth0: Using transceiver found at address 1 as default
eth0: SiS 900 PCI Fast Ethernet at 0xd400, IRQ 3, 00:07:95:36:bf:c0.
SCSI subsystem driver Revision: 1.00
scsi0 : SCSI host adapter emulation for IDE ATAPI devices
Vendor: SAMSUNG Model: DVD-ROM SD-616Q Rev: F403
Type: CD-ROM ANSI SCSI revision: 02
Vendor: SAMSUNG Model: CD-R/RW SW-252B Rev: R700
Type: CD-ROM ANSI SCSI revision: 02
usb.c: registered new driver usblp
printer.c: v0.11: USB Printer Device Class driver
hub.c: new USB device 00:01.2-1, assigned address 2
printer.c: usblp0: USB Bidirectional printer dev 2 if 0 alt 0 proto 2 vid 0x04A9 pid 0x107B
hub.c: new USB device 00:01.2-3, assigned address 3
input0: USB HID v1.00 Mouse [Microsoft Microsoft IntelliMouse ® with IntelliEye] on usb2:3.0
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,5), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev 03:05, type ext3), uses PSIDs
avc: denied { mounton } for pid=124 exe=/bin/mount path=/tmp dev=03:02 ino=1153 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:tmp_t tclass=dir
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,6), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
psidfiles_init: contexts did not exist
psidfiles_init: initialization failed, error 2
superblock_doinit: psid_init returned 2... (filesystem=/, pid=124)
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,7), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev 03:07, type ext3), uses PSIDs
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,8), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev 03:08, type ext3), uses PSIDs
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,9), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev 03:09, type ext3), uses PSIDs
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,10), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev 03:0a, type ext3), uses PSIDs
avc: denied { read } for pid=144 exe=/sbin/ifconfig path=/etc/ld.so.cache dev=03:02 ino=31 scontext=system_u:system_r:ifconfig_t tcontext=maxb:object_r:etc_t tclass=file
avc: denied { getattr } for pid=144 exe=/sbin/ifconfig path=/etc/ld.so.cache dev=03:02 ino=31 scontext=system_u:system_r:ifconfig_t tcontext=maxb:object_r:etc_t tclass=file
avc: denied { ioctl } for pid=148 exe=/sbin/route path=socket:[187] dev=00:00 ino=187 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=udp_socket
avc: denied { setsched } for pid=192 exe=/usr/sbin/ntpdate scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=process
avc: denied { setattr } for pid=234 exe=/bin/chmod path=/dev/ttya0 dev=03:02 ino=6248 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { setattr } for pid=258 exe=/bin/chmod path=/dev/xconsole dev=03:02 ino=6970 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=fifo_file
avc: denied { read write } for pid=261 exe=/sbin/syslogd path=/dev/xconsole dev=03:02 ino=6970 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=fifo_file
avc: denied { ioctl } for pid=261 exe=/sbin/syslogd path=/dev/xconsole dev=03:02 ino=6970 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=fifo_file
avc: denied { read } for pid=266 exe=/usr/bin/perl path=/etc/resolv.conf dev=03:02 ino=1161 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:resolv_conf_t tclass=file
avc: denied { ioctl } for pid=266 exe=/usr/bin/perl path=/etc/resolv.conf dev=03:02 ino=1161 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:resolv_conf_t tclass=file
avc: denied { read } for pid=266 exe=/usr/bin/perl path=/etc/shadow dev=03:02 ino=40 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file
avc: denied { ioctl } for pid=266 exe=/usr/bin/perl path=socket:[339] dev=00:00 ino=339 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE]
parport0: irq 7 detected
avc: denied { append } for pid=267 exe=/usr/bin/perl path=/razor-agent.log dev=03:02 ino=17 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
avc: denied { ioctl } for pid=267 exe=/usr/bin/perl path=/razor-agent.log dev=03:02 ino=17 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
lp0: using parport0 (polling).
avc: denied { read } for pid=272 exe=/usr/lib/cups/backend/parallel path=/sys/dev/parport/parport0/autoprobe dev=00:02 ino=4527 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:sysctl_dev_t tclass=file
avc: denied { getattr } for pid=272 exe=/usr/lib/cups/backend/parallel path=/sys/dev/parport/parport0/autoprobe dev=00:02 ino=4527 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:sysctl_dev_t tclass=file
avc: denied { write } for pid=272 exe=/usr/lib/cups/backend/parallel path=/dev/par1 dev=03:02 ino=6615 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t tclass=chr_file
avc: denied { write } for pid=278 exe=/usr/lib/cups/backend/serial path=/dev/ttyS0 dev=03:02 ino=6602 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { sid_to_context } for pid=287 exe=/usr/bin/id scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=security
avc: denied { read } for pid=288 exe=/usr/sbin/gpm path=/etc/ld.so.cache dev=03:02 ino=31 scontext=system_u:system_r:gpm_t tcontext=maxb:object_r:etc_t tclass=file
avc: denied { getattr } for pid=288 exe=/usr/sbin/gpm path=/etc/ld.so.cache dev=03:02 ino=31 scontext=system_u:system_r:gpm_t tcontext=maxb:object_r:etc_t tclass=file
avc: denied { read } for pid=267 exe=/usr/bin/perl path=socket:[416] dev=00:00 ino=416 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
avc: denied { write } for pid=267 exe=/usr/bin/perl path=socket:[416] dev=00:00 ino=416 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
avc: denied { unlink } for pid=289 exe=/usr/sbin/gpm path=/dev/gpmctl dev=03:02 ino=4091 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=sock_file
avc: denied { create } for pid=289 exe=/usr/sbin/gpm path=/dev/gpmctl scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=sock_file
avc: denied { setattr } for pid=289 exe=/usr/sbin/gpm path=/dev/gpmctl dev=03:02 ino=4091 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=sock_file
avc: denied { getattr } for pid=267 exe=/usr/bin/perl path=socket:[521] dev=00:00 ino=521 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=udp_socket
avc: denied { read } for pid=356 exe=/sbin/modprobe path=/etc/ld.so.cache dev=03:02 ino=31 scontext=system_u:system_r:insmod_t tcontext=maxb:object_r:etc_t tclass=file
avc: denied { getattr } for pid=356 exe=/sbin/modprobe path=/etc/ld.so.cache dev=03:02 ino=31 scontext=system_u:system_r:insmod_t tcontext=maxb:object_r:etc_t tclass=file
avc: denied { execute } for pid=358 exe=/sbin/start-stop-daemon path=/share/webmin/miniserv.pl dev=03:08 ino=383591 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:usr_t tclass=file
avc: denied { execute_no_trans } for pid=358 exe=/sbin/start-stop-daemon path=/share/webmin/miniserv.pl dev=03:08 ino=383591 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:usr_t tclass=file
NET4: AppleTalk 0.18a for Linux NET4.0
avc: denied { read } for pid=358 exe=/usr/bin/perl path=/etc/shadow dev=03:02 ino=40 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file
avc: denied { ioctl } for pid=376 exe=/usr/sbin/atalkd path=socket:[669] dev=00:00 ino=669 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=socket
avc: denied { search } for pid=393 exe=/usr/sbin/apache path=/tmp dev=03:02 ino=1153 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { write } for pid=393 exe=/usr/sbin/apache path=/tmp dev=03:02 ino=1153 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { add_name } for pid=393 exe=/usr/sbin/apache path=/tmp/session_mm_apache0.mem scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { create } for pid=393 exe=/usr/sbin/apache path=/tmp/session_mm_apache0.mem scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
avc: denied { setattr } for pid=393 exe=/usr/sbin/apache path=/tmp/session_mm_apache0.mem dev=03:02 ino=15 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
avc: denied { write } for pid=393 exe=/usr/sbin/apache path=/tmp/session_mm_apache0.mem dev=03:02 ino=15 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
avc: denied { read } for pid=393 exe=/usr/sbin/apache path=/tmp/session_mm_apache0.mem dev=03:02 ino=15 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
avc: denied { lock } for pid=393 exe=/usr/sbin/apache path=/tmp/session_mm_apache0.sem dev=03:02 ino=33 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
avc: denied { remove_name } for pid=394 exe=/usr/sbin/apache path=/tmp/session_mm_apache0.mem dev=03:02 ino=15 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { unlink } for pid=394 exe=/usr/sbin/apache path=/tmp/session_mm_apache0.mem dev=03:02 ino=15 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
avc: denied { read } for pid=404 exe=/usr/bin/fetchmail path=/etc/resolv.conf dev=03:02 ino=1161 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:resolv_conf_t tclass=file
avc: denied { getattr } for pid=411 exe=/sbin/getty path=/dev/tty3 dev=03:02 ino=6419 scontext=system_u:system_r:getty_t tcontext=root:object_r:unlabeled_t tclass=chr_file
avc: denied { read write } for pid=411 exe=/sbin/getty path=/dev/tty3 dev=03:02 ino=6419 scontext=system_u:system_r:getty_t tcontext=root:object_r:unlabeled_t tclass=chr_file
avc: denied { ioctl } for pid=411 exe=/sbin/getty path=/dev/tty3 dev=03:02 ino=6419 scontext=system_u:system_r:getty_t tcontext=root:object_r:unlabeled_t tclass=chr_file
avc: denied { setattr } for pid=411 exe=/sbin/getty path=/dev/tty3 dev=03:02 ino=6419 scontext=system_u:system_r:getty_t tcontext=root:object_r:unlabeled_t tclass=chr_file
avc: denied { read } for pid=404 exe=/usr/bin/fetchmail path=socket:[930] dev=00:00 ino=930 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
avc: denied { write } for pid=404 exe=/usr/bin/fetchmail path=socket:[930] dev=00:00 ino=930 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
* Re: a few questions about selinux
From: Russell Coker @ 2003-07-10 4:51 UTC
To: max barwell, SELinux
On Thu, 10 Jul 2003 13:32, max barwell wrote:
> I have just started using selinux and find it very interesting. I also
> saw Russell Coker's interview at The Age and was pleased to note that
> selinux is being adopted by the "smarter linux users".
;)
> I notice I get a lot of avc denied errors on boot, and wondered if they
> were normal. I have attached my dmesg output, so if someone could please
> look at that.
/etc/ld.so.cache has the wrong type, its context should be
system_u:object_r:ld_so_cache_t (it's etc_t on your system).
insmod is being run before /var is mounted (a common occurrence: many modules
may be loaded early in the boot process, and the file system module for the
/var file system may be a module). In my latest policy tree I have the
following:
dontaudit insmod_t file_t:dir search;
For mounting the /tmp file system add the following to your policy (I'll add
it to my tree too):
allow mount_t tmp_t:dir mounton;
Not sure about the route lines, I'll have to look into that.
For ntpdate add the following to your policy (I've just added it to my tree):
allow ntpd_t self:process setsched;
What is ttya0?
For /dev/xconsole the best thing to do is to remove it from /etc/syslog.conf
and remove it from /etc/init.d/sysklogd.
It looks like you are running a daemon as part of the Razor spam catching
system. You need to write a policy for this based on the daemon_domain()
macro.
For gpm change this:
file_type_auto_trans(gpm_t, device_t, gpmctl_t, fifo_file)
To this:
file_type_auto_trans(gpm_t, device_t, gpmctl_t, { sock_file fifo_file })
miniserv.pl looks like another daemon that needs a policy.
What is atalkd? It's another daemon that needs policy.
For apache add the following:
tmp_domain(httpd)
Fetchmail needs policy.
/dev/tty3 is not labeled. At a guess you had a user with context
user:foo_r:foo_t who logged in on /dev/tty3, then you loaded a new policy
with no foo_t defined. NB The current Debian setup does not have the
terminal device relabeled on logout, this is something we have to fix.
However the same bad result would be achieved if you loaded the new policy
while the user was logged in.
I haven't dealt with cups. Let's sort out the other things first. BTW
Having non-standard device names such as /dev/par1 will cause you pain with
SE Linux...
> psidfile_init : contexts did not exist, initialisation failed, error 2
>
> and
>
> id: can't get process context
>
> are these serious?
They correspond to errors reported in the dmesg. Solve the dmesg problems and
they will go away.
> Also I must have changed something unwittingly, because it worked in the
> beginning, the default context in /etc/security/default_contexts are not
> being honoured, because when sshing into this machine, you still get a
> choice of role, and can change role.
If sshing gives you a choice of role then you must have sshd configured to run
/bin/login.
> A couple more things, are there policies for apache php modules, and/or
> netatalk, or are these things you have to write yourself. I also can't
> start X, being told a number of things depending on role and user.
There is no policy for netatalk, look to the samba policy for ideas.
php should mostly just work when run via the Apache shared objects. If you
run it as a cgi-bin script then there is policy, not sure whether it works.
> As sysadm_r there are errors about xauth and Xauthority being denied,
> and as user_r i get an error about /dev/tty0 not existing.
After most of the errors discussed above are fixed, please tell us about the
details of these.
Also please CC me on messages related to Debian. Messages about
Debian/unstable tend to be delayed on the list as the mailing list software
thinks that they are unsubscribe requests...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
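The rules in the reply above come straight from reading the avc lines: the source type, the target type, the object class and the permission in braces, with a target of the same type as the source written as self. As an added example (not code from the thread or from Russell's policy tree), this Python script parses that 2.4-era avc format, merges permissions per (source type, target type, class) into candidate allow rules, and sets aside denials that point to a labeling problem rather than a missing rule; the "/etc files should be labeled system_u" heuristic is my assumption.

```python
"""Derive candidate SELinux TE rules from 2.4-era "avc: denied" kernel lines.
Added example, not code from the thread or from Russell's policy tree; it
reproduces the kind of reasoning used by hand in the reply above."""
import re
from collections import defaultdict

# Constructed sample: avc lines copied from the dmesg attachment in the first
# message, plus one ordinary kernel line to show non-avc output is ignored.
SAMPLE_DMESG = """\
avc: denied { read } for pid=65 exe=/sbin/hwclock path=/etc/ld.so.cache dev=03:02 ino=31 scontext=system_u:system_r:hwclock_t tcontext=maxb:object_r:etc_t tclass=file
avc: denied { getattr } for pid=65 exe=/sbin/hwclock path=/etc/ld.so.cache dev=03:02 ino=31 scontext=system_u:system_r:hwclock_t tcontext=maxb:object_r:etc_t tclass=file
avc: denied { mounton } for pid=124 exe=/bin/mount path=/tmp dev=03:02 ino=1153 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:tmp_t tclass=dir
Real Time Clock Driver v1.10e
avc: denied { setsched } for pid=192 exe=/usr/sbin/ntpdate scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=process
avc: denied { search } for pid=393 exe=/usr/sbin/apache path=/tmp dev=03:02 ino=1153 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { write } for pid=393 exe=/usr/sbin/apache path=/tmp dev=03:02 ino=1153 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { read write } for pid=411 exe=/sbin/getty path=/dev/tty3 dev=03:02 ino=6419 scontext=system_u:system_r:getty_t tcontext=root:object_r:unlabeled_t tclass=chr_file
"""

# Matches bare dmesg lines and syslog lines with a "host kernel:" prefix alike.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return a dict for one avc denial line, or None for other kernel output."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val
    # A context is user:role:type; a TE rule names only the type.
    for side in ("scontext", "tcontext"):
        user, _role, typ = rec[side].split(":", 2)
        rec[side + "_user"], rec[side + "_type"] = user, typ
    return rec


def labeling_problem(rec):
    """Reason a denial should be fixed by relabeling rather than by an allow
    rule, or None.  Two cases from the attached dmesg: a target of type
    unlabeled_t, and a file under /etc whose context carries a login user
    (maxb) instead of system_u.  The /etc check is an assumed heuristic."""
    if "path" not in rec:
        return None
    if rec["tcontext_type"] == "unlabeled_t":
        return "unlabeled; relabel before adding rules"
    if rec["tcontext_user"] != "system_u" and rec["path"].startswith("/etc/"):
        return f"labeled with user {rec['tcontext_user']}; check its type"
    return None


def candidate_rules(text):
    """Merge denials by (source type, target type, class) and emit TE rules,
    skipping denials that labeling_problem() attributes to bad labels."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or labeling_problem(rec):
            continue
        merged[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        # Same type on both sides is written as "self" (cf. ntpd_t self:process).
        target = "self" if src == tgt else tgt
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_str};")
    return rules


def labeling_problems(text):
    """Sorted, de-duplicated (path, reason) pairs for denials to fix by relabeling."""
    found = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        reason = labeling_problem(rec)
        if reason:
            found.add((rec["path"], reason))
    return sorted(found)


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_DMESG):
        print(rule)
    for path, why in labeling_problems(SAMPLE_DMESG):
        print(f"# {path}: {why}")
```

The generated rules are candidates for review, not something to paste in blindly; the reply above turns several of them into dontaudit rules or macro calls instead.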
* Re: a few questions about selinux
From: Tom @ 2003-07-10 8:44 UTC
To: max barwell; +Cc: SELinux
On Thu, Jul 10, 2003 at 03:32:20PM +1200, max barwell wrote:
> A couple more things, are there policies for apache php modules, and/or
> netatalk, or are these things you have to write yourself. I also can't
> start X, being told a number of things depending on role and user.
PHP is something that Russell and I have battled repeatedly.
First off, since context changes happen only on exec, PHP as a module
will always run in the webserver context. This is already much more
secure than a non-SE system could get, but it's far from perfect and
does, in fact, reduce the security of both the webserver and the PHP
scripts.
Running PHP as a CGI works and allows for context changes. In fact,
I've had a test system running in that configuration for quite some
time. It was a hack, but it worked. I've always meant to come back to
doing a proper policy, but priorities and projects at work change so
rapidly at the moment that SE has been restricted to my spare time.
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: a few questions about selinux, update on progress
From: max barwell @ 2003-07-14 7:34 UTC
To: SElinux list; +Cc: Russell Coker
[-- Attachment #1: Type: text/plain, Size: 7003 bytes --]
On Thu, 2003-07-10 at 16:51, Russell Coker wrote:
> /etc/ld.so.cache has the wrong type, its context should be
> system_u:object_r:ld_so_cache_t (it's etc_t on your system).
fixed
> insmod is being run before /var is mounted (a common occurrence: many modules
> may be loaded early in the boot process, and the file system module for the
> /var file system may be a module). In my latest policy tree I have the
> following:
> dontaudit insmod_t file_t:dir search;
fixed
> For mounting the /tmp file system add the following to your policy (I'll add
> it to my tree too):
> allow mount_t tmp_t:dir mounton;
fixed
> Not sure about the route lines, I'll have to look into that.
OK, I still have avc messages there, but not to worry.
> For ntpdate add the following to your policy (I've just added it to my tree):
> allow ntpd_t self:process setsched;
fixed
> What is ttya0?
I don't know. I deleted all /dev/ttya* entries but now get errors about
/dev/ttyb0; I assume it's something to do with the setattr and read
denied avc messages for /dev.
> For /dev/xconsole the best thing to do is to remove it from /etc/syslog.conf
> and remove it from /etc/init.d/sysklogd.
fixed
> It looks like you are running a daemon as part of the Razor spam catching
> system. You need to write a policy for this based on the daemon_domain()
> macro.
I was using razor, but I ditched it. I am using spamassassin; this gives
me errors, and then I get errors relating to procmail. I think this is
because procmail is called from the spamassassin config, not sure
though, because procmail does have a policy loaded.
I have attached these as a file, mail_errors.txt.
> For gpm change this:
> file_type_auto_trans(gpm_t, device_t, gpmctl_t, fifo_file)
> To this:
> file_type_auto_trans(gpm_t, device_t, gpmctl_t, { sock_file fifo_file })
fixed
> miniserv.pl looks like another daemon that needs a policy.
That's the daemon that webmin runs. I have removed webmin anyway so it
doesn't matter.
> What is atalkd? It's another daemon that needs policy.
atalkd is the AppleTalk daemon, run by netatalk; as you mention further
on, I need to write a policy for netatalk.
> For apache add the following:
> tmp_domain(httpd)
fixed
> Fetchmail needs policy.
Just starting to read about creating my own policies, so either I'll
eventually make one, or someone else will.
> /dev/tty3 is not labeled. At a guess you had a user with context
> user:foo_r:foo_t who logged in on /dev/tty3, then you loaded a new policy
> with no foo_t defined. NB The current Debian setup does not have the
> terminal device relabeled on logout, this is something we have to fix.
> However the same bad result would be achieved if you loaded the new policy
> while the user was logged in.
I think this is fixed; well, I don't appear to have the problem anymore.
>
> I haven't dealt with cups. Let's sort out the other things first. BTW
> Having non-standard device names such as /dev/par1 will cause you pain with
> SE Linux...
Yes, I see cups is still a problem. Unfortunately I need cups for my
printer, a Canon i320; I had to use the turboprint drivers to get this
going, and perhaps turboprint made the /dev/par1 devices. I am using a
standard Debian sid install otherwise.
> > psidfile_init : contexts did not exist, initialisation failed, error 2
> >
> > and
> >
> > id: can't get process context
I still have these errors, but like you say below, if I sort out
everything else they should go away.
>
> They correspond to errors reported in the dmesg. Solve the dmesg problems and
> they will go away.
>
> > Also I must have changed something unwittingly, because it worked in the
> > beginning, the default context in /etc/security/default_contexts are not
> > being honoured, because when sshing into this machine, you still get a
> > choice of role, and can change role.
>
> If sshing gives you a choice of role then you must have sshd configured to run
> /bin/login.
No, ssh is set to /bin/false, so I'm at a loss for this one.
> > A couple more things, are there policies for apache php modules, and/or
> > netatalk, or are these things you have to write yourself. I also can't
> > start X, being told a number of things depending on role and user.
>
> There is no policy for netatalk, look to the samba policy for ideas.
Will do.
> php should mostly just work when run via the Apache shared objects. If you
> run it as a cgi-bin script then there is policy, not sure whether it works.
OK, will look into this; it's not essential.
> > As sysadm_r there are errors about xauth and Xauthority being denied,
> > and as user_r i get an error about /dev/tty0 not existing.
>
> After most of the errors discussed above are fixed, please tell us about the
> details of these.
OK
> Also please CC me on messages related to Debian. Messages about
> Debian/unstable tend to be delayed on the list as the mailing list software
> thinks that they are unsubscribe requests...
Have cc'ed you on this as requested.
OK, now for my new problems. These are regarding users: if you have
existing users, do they have to have anything done to them? I added one
of them to /etc/selinux/users because I wanted to specify multiple
roles, but that's all I've done.
I tried to add a new user: suseradd jdoe will add this user, but when I
do sadminpasswd jdoe, it says
passwd: Module is unknown
Child returned an error.
and these are the errors in /var/log/messages:
Jul 14 18:02:15 orac kernel:
Jul 14 18:02:15 orac kernel: avc: denied { read } for pid=768 exe=/usr/bin/passwd path=/self dev=00:02 ino=2 scontext=maxb:sysadm_r:sysadm_passwd_t tcontext=system_u:object_r:proc_t tclass=lnk_file
Jul 14 18:02:15 orac kernel:
Jul 14 18:02:15 orac kernel: avc: denied { lock } for pid=768 exe=/usr/bin/passwd path=/run/utmp dev=03:07 ino=6664 scontext=maxb:sysadm_r:sysadm_passwd_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Jul 14 18:02:46 orac kernel:
Jul 14 18:02:46 orac kernel: avc: denied { read write } for pid=770 exe=/usr/sbin/useradd path=/log/faillog dev=03:07 ino=3814 scontext=maxb:sysadm_r:useradd_t tcontext=system_u:object_r:faillog_t tclass=file
Jul 14 18:02:46 orac kernel:
Jul 14 18:02:46 orac kernel: avc: denied { read write } for pid=770 exe=/usr/sbin/useradd path=/log/lastlog dev=03:07 ino=3793 scontext=maxb:sysadm_r:useradd_t tcontext=system_u:object_r:lastlog_t tclass=file
I have also attached a new dmesg, which has a lot fewer errors than
last time.
I have set up a lot of things using Linux before (ldap, samba, web
servers, proxies etc.), but am finding selinux about 1000 times more
challenging. With most things you can generally find answers on the web,
newsgroups etc., but I guess the small user base of selinux makes this
different.
I am trying to understand it all, and have read most of the docs available
etc., but still feel like I can't solve a lot of my problems by myself;
it's frustrating. Anyway, keep up the good work all, and thanks for your
help.
max
[-- Attachment #2: dmesg.txt --]
[-- Type: text/plain; name=dmesg.txt; charset=UTF-8, Size: 13343 bytes --]
Linux version 2.4.20 (root@orac.lite.net.nz) (gcc version 3.3.1 20030626 (Debian prerelease)) #1 Sun Jul 6 01:29:07 NZST 2003
BIOS-provided physical RAM map:
BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
BIOS-e820: 0000000000100000 - 000000001fff0000 (usable)
BIOS-e820: 000000001fff0000 - 000000001fff8000 (ACPI data)
BIOS-e820: 000000001fff8000 - 0000000020000000 (ACPI NVS)
BIOS-e820: 00000000fffc0000 - 0000000100000000 (reserved)
0MB HIGHMEM available.
511MB LOWMEM available.
On node 0 totalpages: 131056
zone(0): 4096 pages.
zone(1): 126960 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/hda2 ro
Local APIC disabled by BIOS -- reenabling.
Found and enabled local APIC!
Initializing CPU#0
Detected 1460.173 MHz processor.
Console: colour VGA+ 80x25
Calibrating delay loop... 2916.35 BogoMIPS
Memory: 512776k/524224k available (1088k kernel code, 11060k reserved, 407k data, 100k init, 0k highmem)
Security Scaffold v1.0.0 initialized
SELinux: Initializing.
SELinux: Starting in permissive mode
There is already a security framework initialized, register_security failed.
Failure registering capabilities with the kernel
selinux_register_security: Registering secondary module capability
Capability LSM initialized
RAMDISK: cramfs filesystem found at block 0
RAMDISK: Loading 3020 blocks [1 disk] into ram disk... |\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\b/\b-\b\\b|\bdone.
Freeing initrd memory: 3020k freed
VFS: Mounted root (cramfs filesystem).
SELinux: Completing initialization.
SELinux: Unable to load the policy.
SELinux: Completing initialization.
security: loading policy configuration from /etc/security/selinux/policy.12
security: policydb is compressed, decompressing...
security: decompressed 2297285 bytes
security: 4 users, 5 roles, 852 types
security: 29 classes, 93832 rules
SELinux: initialized (dev 03:02, type ext3), uses PSIDs
SELinux: initialized (dev 01:00, type cramfs), not configured for labeling
SELinux: initialized (dev 00:07, type devpts), uses transition SIDs
SELinux: initialized (dev 00:06, type devfs), uses genfs_contexts
SELinux: initialized (dev 00:05, type pipefs), uses task SIDs
SELinux: initialized (dev 00:04, type tmpfs), uses transition SIDs
SELinux: initialized (dev 00:03, type sockfs), uses task SIDs
SELinux: initialized (dev 00:02, type proc), uses genfs_contexts
SELinux: initialized (dev 00:01, type bdev), not configured for labeling
SELinux: initialized (dev 00:00, type rootfs), not configured for labeling
avc: denied { read } for pid=105 exe=/bin/bash path=/dev dev=03:02 ino=5585 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=dir
hub.c: new USB device 00:01.2-3, assigned address 2
input0: USB HID v1.00 Mouse [Microsoft Microsoft IntelliMouse ® with IntelliEye] on usb2:2.0
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,5), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev 03:05, type ext3), uses PSIDs
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,6), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
psidfiles_init: contexts did not exist
psidfiles_init: initialization failed, error 2
superblock_doinit: psid_init returned 2... (filesystem=/, pid=122)
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,7), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev 03:07, type ext3), uses PSIDs
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,8), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev 03:08, type ext3), uses PSIDs
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,9), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev 03:09, type ext3), uses PSIDs
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,10), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev 03:0a, type ext3), uses PSIDs
avc: denied { ioctl } for pid=147 exe=/sbin/route path=socket:[177] dev=00:00 ino=177 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=udp_socket
avc: denied { setattr } for pid=211 exe=/bin/chmod path=/dev/ttyb0 dev=03:02 ino=6280 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { read } for pid=241 exe=/usr/bin/perl path=/etc/resolv.conf dev=03:02 ino=1161 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:resolv_conf_t tclass=file
avc: denied { ioctl } for pid=241 exe=/usr/bin/perl path=/etc/resolv.conf dev=03:02 ino=1161 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:resolv_conf_t tclass=file
avc: denied { read } for pid=241 exe=/usr/bin/perl path=/etc/shadow dev=03:02 ino=150 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file
avc: denied { ioctl } for pid=241 exe=/usr/bin/perl path=socket:[326] dev=00:00 ino=326 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE]
parport0: irq 7 detected
lp0: using parport0 (polling).
avc: denied { read } for pid=247 exe=/usr/lib/cups/backend/parallel path=/sys/dev/parport/parport0/autoprobe dev=00:02 ino=4527 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:sysctl_dev_t tclass=file
avc: denied { getattr } for pid=247 exe=/usr/lib/cups/backend/parallel path=/sys/dev/parport/parport0/autoprobe dev=00:02 ino=4527 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:sysctl_dev_t tclass=file
avc: denied { write } for pid=247 exe=/usr/lib/cups/backend/parallel path=/dev/par1 dev=03:02 ino=6615 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t tclass=chr_file
avc: denied { write } for pid=253 exe=/usr/lib/cups/backend/serial path=/dev/ttyS0 dev=03:02 ino=6602 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { read } for pid=344 exe=/bin/hostname path=/etc/resolv.conf dev=03:02 ino=1161 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:resolv_conf_t tclass=file
NET4: AppleTalk 0.18a for Linux NET4.0
avc: denied { ioctl } for pid=348 exe=/usr/sbin/atalkd path=socket:[623] dev=00:00 ino=623 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
avc: denied { ioctl } for pid=348 exe=/usr/sbin/atalkd path=socket:[622] dev=00:00 ino=622 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=socket
avc: denied { read } for pid=374 exe=/bin/su path=/etc/shadow dev=03:02 ino=150 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file
avc: denied { getattr } for pid=375 exe=/usr/bin/fetchmail path=socket:[854] dev=00:00 ino=854 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=udp_socket
avc: denied { read } for pid=375 exe=/usr/bin/fetchmail path=socket:[857] dev=00:00 ino=857 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
avc: denied { write } for pid=375 exe=/usr/bin/fetchmail path=socket:[857] dev=00:00 ino=857 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
[-- Attachment #3: mail_errors.txt --]
[-- Type: text/plain, Size: 4374 bytes --]
Jul 14 17:54:24 orac kernel: avc: denied { write } for pid=602 exe=/usr/bin/perl path=/maxb/.spamassassin dev=03:0a ino=41455 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:user_home_t tclass=dir
Jul 14 17:54:24 orac kernel: avc: denied { add_name } for pid=602 exe=/usr/bin/perl path=/maxb/.spamassassin/bayes.lock.orac.lite.net.nz.602 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:user_home_t tclass=dir
Jul 14 17:54:24 orac kernel: avc: denied { create } for pid=602 exe=/usr/bin/perl path=/maxb/.spamassassin/bayes.lock.orac.lite.net.nz.602 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:user_home_t tclass=file
Jul 14 17:54:24 orac kernel: avc: denied { write } for pid=602 exe=/usr/bin/perl path=/maxb/.spamassassin/bayes.lock.orac.lite.net.nz.602 dev=03:0a ino=33589 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:user_home_t tclass=file
Jul 14 17:54:24 orac kernel: avc: denied { link } for pid=602 exe=/usr/bin/perl path=/maxb/.spamassassin/bayes.lock.orac.lite.net.nz.602 dev=03:0a ino=33589 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:user_home_t tclass=file
Jul 14 17:54:24 orac kernel: avc: denied { remove_name } for pid=602 exe=/usr/bin/perl path=/maxb/.spamassassin/bayes.lock.orac.lite.net.nz.602 dev=03:0a ino=33589 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:user_home_t tclass=dir
Jul 14 17:54:24 orac kernel: avc: denied { unlink } for pid=602 exe=/usr/bin/perl path=/maxb/.spamassassin/bayes.lock.orac.lite.net.nz.602 dev=03:0a ino=33589 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:user_home_t tclass=file
Jul 14 17:54:24 orac kernel: avc: denied { append } for pid=602 exe=/usr/bin/perl path=/maxb/.spamassassin/bayes_msgcount dev=03:0a ino=41460 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:user_home_t tclass=file
Jul 14 17:54:24 orac kernel: avc: denied { write } for pid=599 exe=/usr/bin/procmail path=/mail dev=03:07 ino=6705 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:mail_spool_t tclass=dir
Jul 14 17:54:24 orac kernel: avc: denied { add_name } for pid=599 exe=/usr/bin/procmail path=/mail/_XJ.QWkE_.orac.lite.net.nz scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:mail_spool_t tclass=dir
Jul 14 17:54:24 orac kernel: avc: denied { create } for pid=599 exe=/usr/bin/procmail path=/mail/_XJ.QWkE_.orac.lite.net.nz scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:mail_spool_t tclass=file
Jul 14 17:54:24 orac kernel: avc: denied { write } for pid=599 exe=/usr/bin/procmail path=/mail/_XJ.QWkE_.orac.lite.net.nz dev=03:07 ino=386 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:mail_spool_t tclass=file
Jul 14 17:54:24 orac kernel: avc: denied { link } for pid=599 exe=/usr/bin/procmail path=/mail/_XJ.QWkE_.orac.lite.net.nz dev=03:07 ino=386 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:mail_spool_t tclass=file
Jul 14 17:54:24 orac kernel: avc: denied { remove_name } for pid=599 exe=/usr/bin/procmail path=/mail/_XJ.QWkE_.orac.lite.net.nz dev=03:07 ino=386 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:mail_spool_t tclass=dir
Jul 14 17:54:24 orac kernel: avc: denied { unlink } for pid=599 exe=/usr/bin/procmail path=/mail/_XJ.QWkE_.orac.lite.net.nz dev=03:07 ino=386 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:mail_spool_t tclass=file
Jul 14 17:54:24 orac kernel: avc: denied { append } for pid=599 exe=/usr/bin/procmail path=/mail/maxb dev=03:07 ino=6706 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:mail_spool_t tclass=file
Jul 14 17:54:24 orac kernel: avc: denied { lock } for pid=599 exe=/usr/bin/procmail path=/mail/maxb dev=03:07 ino=6706 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:mail_spool_t tclass=file
* Re: a few questions about selinux, update on progress
2003-07-14 7:34 ` a few questions about selinux, update on progress max barwell
@ 2003-07-14 14:28 ` Russell Coker
0 siblings, 0 replies; 5+ messages in thread
From: Russell Coker @ 2003-07-14 14:28 UTC (permalink / raw)
To: max barwell, SElinux list
On Mon, 14 Jul 2003 17:34, max barwell wrote:
> > It looks like you are running a daemon as part of the Razor spam catching
> > system. You need to write a policy for this based on the daemon_domain()
> > macro.
>
> I was using razor, but I ditched it, I am using spamassassin, this gives
> me errors, and then get errors relating to procmail, I think this is
> because procmail is called from the spamassassin config, not sure
> though, because procmail does have a policy loaded.
It seems that you have spamassassin running as a daemon. You need to write
policy for it as discussed in my previous message, and grant it access to the
user home directories too.
> > What is atalkd? It's another daemon that needs policy.
>
> atalkd is the apple talk daemon, run by netatalk, as you mention further
> on I need to write a policy for netatalk.
OK. It sounds like the smbd/nmbd type of operation that Samba uses.
> > I haven't dealt with cups. Let's sort out the other things first. BTW
> > Having non-standard device names such as /dev/par1 will cause you pain
> > with SE Linux...
>
> Yes I see cups is still a problem, unfortunately I need cups for my
> printer, a canon i320, I had to use the turboprint drivers to get this
> going, perhaps turboprint made the /dev/par1 devices, I am using a
> standard Debian sid install otherwise.
OK. Edit lpd.fc to have /dev/par1 get type printer_t.
> > > Also I must have changed something unwittingly, because it worked in
> > > the beginning, the default context in /etc/security/default_contexts
> > > are not being honoured, because when sshing into this machine, you
> > > still get a choice of role, and can change role.
> >
> > If sshing gives you a choice of role then you must have sshd configured
> > to run /bin/login.
>
> no ssh is set /bin/false, so at a loss for this one
What do you mean by that?
> Ok now for my new problems, these are regarding users, if you have
> existing users do they have to have anything done to them, I added one
> of them to /etc/selinux/users because I wanted to specify multiple
> roles, but that's all I've done.
With the current setup if you don't add a user to the "users" file then they
will be unable to change their password. This can be a good or bad thing
depending on your requirements. ;)
> I tried to add a new user, suseradd jdoe, will add this user, but when I
> do sadminpasswd jdoe, it says
>
> passwd: Module is unknown
> Child returned an error.
>
> and these are the errors in /var/log/messages
>
> Jul 14 18:02:15 orac kernel:
> Jul 14 18:02:15 orac kernel: avc: denied { read } for pid=768
> exe=/usr/bin/passwd path=/self dev=00:02 ino=2
> scontext=maxb:sysadm_r:sysadm_passwd_t tcontext=system_u:object_r:proc_t
> tclass=lnk_file
Normally it won't even have search access to proc_t:dir (/proc), so it can't
access /proc/self. Therefore the fact that it can get to /proc/self
indicates that you are running in permissive mode, in which case SE Linux
won't stop it from working.
The "Module is unknown" error seems to suggest a PAM configuration error.
> I have also attached my new dmesg, which has a lot fewer errors than the
> last time.
It seems that there is a Perl daemon running at boot which needs policy, is
that part of Spamassassin?
For cups add the following rule:
allow cupsd_t sysctl_dev_t:file { getattr read };
Then change the type of /dev/par1 as discussed.
As for /dev/ttyS0, I am not sure whether we want to grant cups access to
tty_device_t or change the type of the device node to printer_t.
Suggestions?
You have su being run from an init.d script, this is a broken script. Maybe
it's an old version of Postgresql.
> I have set up a lot of things using Linux before, ldap, samba, web
> servers, proxies etc, but am finding selinux about 1000 times more
> challenging, with most things you can generally find answers on the web,
> newsgroups etc, but I guess the small user base of selinux makes this
> different.
Speaking for myself I found SE Linux to be easier to get started with than
Sendmail configuration, general Unix administration, Unix systems
programming, ISP administration, and lots of other things I've done.
As you correctly note, there are some issues related to the small user-base,
part of which is that there is not yet a complete SE distribution.
I think that once we get bootable CDs containing SE Linux and only packages of
software that have SE policy then things will become a lot easier.
Also another issue is that as SE Linux is still relatively new there are a
number of issues to be ironed out with applications. Many applications have
bugs which comprise minor security, reliability, or functionality issues on
non-SE systems but which no-one has really noticed. With SE Linux we force
applications to perform only a specified set of operations, applications
which do strange and unusual things may not work correctly with any sane
policy and need to be fixed.
I have filed bug reports against many such applications and got them fixed.
Things are improving, but there is still a long way to go. We will only get
there by having enough users so that it's likely that someone else will
report the bug and get it fixed before it hits you.
One example of such bugs is programs that create a file in /tmp and then mv it
to /etc or another directory. This is a potential risk to the reliability of
the system when /tmp is on a different file system, and also may have
security issues if it does not correctly check to make sure that there are no
race conditions, so is a bad thing to do in any case. In SE Linux such an
application may result in incorrectly labeled files under /etc and a lack of
functionality.
This is a real pain for us now. But when such bugs are fixed everyone will
benefit.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
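The AVC lines in Max's two attachments and the cups rule in this reply are the same thing seen from two sides: a denial names a source type, a target type, a class and the permissions refused, and the minimal allow rule is built from exactly those fields. The following is an added example for this thread (not code from the list, the kernel, or any SELinux project tool such as audit2allow): it parses that 2.4-era denial format, groups denials into the candidate allow rule each group would need, and separately flags denials whose source is initrc_t, which the reply treats as a daemon that never left the init-script domain and needs a daemon_domain() policy of its own rather than a wider initrc_t. The sample lines are copied from the attachments above.

```python
"""Summarise SELinux AVC denials into candidate allow rules.

Added example for this thread; not code from the list, the kernel, or any
SELinux tool. It understands the denial format seen in the attachments:
  avc: denied { perm ... } for pid=N exe=... path=... scontext=u:r:t
       tcontext=u:r:t tclass=class
with or without a syslog prefix such as "Jul 14 17:54:24 orac kernel: ".
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Sample input, copied from the dmesg and mail_errors attachments in this thread,
# plus one ordinary kernel line to show that non-AVC messages are skipped.
SAMPLE_LINES = [
    "avc: denied { read } for pid=247 exe=/usr/lib/cups/backend/parallel path=/sys/dev/parport/parport0/autoprobe dev=00:02 ino=4527 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:sysctl_dev_t tclass=file",
    "avc: denied { getattr } for pid=247 exe=/usr/lib/cups/backend/parallel path=/sys/dev/parport/parport0/autoprobe dev=00:02 ino=4527 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:sysctl_dev_t tclass=file",
    "avc: denied { read } for pid=241 exe=/usr/bin/perl path=/etc/shadow dev=03:02 ino=150 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file",
    "avc: denied { read } for pid=374 exe=/bin/su path=/etc/shadow dev=03:02 ino=150 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file",
    "Jul 14 17:54:24 orac kernel: avc: denied { write } for pid=602 exe=/usr/bin/perl path=/maxb/.spamassassin dev=03:0a ino=41455 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:user_home_t tclass=dir",
    "kjournald starting. Commit interval 5 seconds",
]


def parse_avc(line):
    """Parse one AVC denial line; return None for any other kernel message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # The free-form middle holds key=value pairs (pid, exe, path, dev, ino).
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": set(m.group("perms").split()),
        "exe": fields.get("exe", "?"),
        "path": fields.get("path", "?"),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
    }


def type_of(context):
    """Third field of user:role:type is the type that policy rules refer to."""
    return context.split(":")[2]


def candidate_rules(lines):
    """Group denials by (source type, target type, class).

    Returns a sorted list of (allow rule, executables that triggered it).
    The rule is the minimal one covering the observed permissions; whether it
    should be written as-is is a judgement call (see domainless_daemons).
    """
    perms = defaultdict(set)
    exes = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        perms[key] |= d["perms"]
        exes[key].add(d["exe"])
    out = []
    for key in sorted(perms):
        stype, ttype, tclass = key
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms[key]))} }};"
        out.append((rule, sorted(exes[key])))
    return out


def domainless_daemons(lines):
    """Executables denied while still running as initrc_t.

    A source type of initrc_t means the program never transitioned out of the
    init-script domain: the fix is a domain of its own (the thread points at
    the daemon_domain() macro), not an allow rule that widens initrc_t.
    """
    return sorted({d["exe"] for d in filter(None, map(parse_avc, lines))
                   if type_of(d["scontext"]) == "initrc_t"})


if __name__ == "__main__":
    for rule, exes in candidate_rules(SAMPLE_LINES):
        print(f"{rule}    # {', '.join(exes)}")
    print("needs own domain:", ", ".join(domainless_daemons(SAMPLE_LINES)))
```

On the sample the first rule comes out as the one the reply suggests for cups, while the shadow_t and user_home_t groups are attributed to programs still in initrc_t and so belong to new daemon domains rather than to initrc_t.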