* Re: Boot time avc messages
From: Dale Amon @ 2003-09-16 14:53 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux Mail List
Okay Stephen, here's what is left after I've disabled most nonstandard daemons.
System is 2.6.0-test5, patched for reiserfs but not using it yet; root is
ext3; debian packages are current with sid dist as of about 5 hours ago.
avc: denied { write } for pid=303 exe=/usr/sbin/setfiles path=/dev/tty1 dev=sda2 ino=946919 scontext=root:sysadm_r:setfiles_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
# REBOOT
# DEVFSD was disincluded from this test kernel but daemon is here
avc: denied { sys_tty_config } for pid=319 exe=/bin/bash capability=26 scontext=system_u:system_r:devfsd_t tcontext=system_u:system_r:devfsd_t tclass=capability
avc: denied { sys_tty_config } for pid=328 exe=/sbin/hwclock capability=26 scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:hwclock_t tclass=capability
# There does not seem to be any bootlogd policy
avc: denied { read write } for pid=48 exe=/sbin/bootlogd dev=sda2 ino=946402 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
avc: denied { ioctl } for pid=48 exe=/sbin/bootlogd path=/dev/ptyp0 dev=sda2 ino=946402 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
avc: denied { read } for pid=50 exe=/sbin/bootlogd path=/dev/ptyp0 dev=sda2 ino=946402 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
avc: denied { write } for pid=72 exe=/sbin/fsck path=/dev/ttyp0 dev=sda2 ino=946403 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { rename } for pid=50 exe=/sbin/bootlogd dev=sda2 ino=929847 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_log_t tclass=file
avc: denied { write } for pid=95 exe=/sbin/fsck path=/dev/ttyp0 dev=sda2 ino=946403 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { write } for pid=113 exe=/bin/mount path=/dev/ttyp0 dev=sda2 ino=946403 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { mounton } for pid=113 exe=/bin/mount path=/dev/pts dev= ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:devpts_t tclass=dir
avc: denied { setattr } for pid=193 exe=/bin/chmod dev=sda2 ino=946755 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { setattr } for pid=214 exe=/bin/touch dev=sda2 ino=1679395 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=dir
# I'm using syslog-ng instead with minor policy changes. Perhaps
# Russ's latest have these items fixed?
avc: denied { read } for pid=220 exe=/sbin/syslog-ng path=pipe:[1143] dev= ino=1143 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=fifo_file
avc: denied { syslog_mod } for pid=221 exe=/sbin/syslog-ng scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system
avc: denied { name_bind } for pid=221 exe=/sbin/syslog-ng port=999 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
avc: denied { write } for pid=221 exe=/sbin/syslog-ng path=pipe:[1143] dev= ino=1143 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=fifo_file
avc: denied { fsetid } for pid=221 exe=/sbin/syslog-ng capability=4 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
avc: denied { setattr } for pid=221 exe=/sbin/syslog-ng dev=sda2 ino=946940 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
# DEVFSD was disincluded from this test kernel but daemon is here
avc: denied { sys_tty_config } for pid=231 exe=/bin/bash capability=26 scontext=system_u:system_r:devfsd_t tcontext=system_u:system_r:devfsd_t tclass=capability
avc: denied { search } for pid=230 exe=/usr/sbin/inetd dev=sda2 ino=903169 scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:var_lib_t tclass=dir
avc: denied { name_bind } for pid=230 exe=/usr/sbin/inetd port=25 scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
avc: denied { unlink } for pid=258 exe=/bin/rm dev=sda2 ino=929844 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_log_t tclass=file
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Boot time avc messages
From: Russell Coker @ 2003-09-17 10:14 UTC (permalink / raw)
To: Dale Amon, Stephen Smalley; +Cc: SELinux Mail List
On Wed, 17 Sep 2003 00:53, Dale Amon wrote:
> avc: denied { write } for pid=303 exe=/usr/sbin/setfiles path=/dev/tty1
> dev=sda2 ino=946919 scontext=root:sysadm_r:setfiles_t
> tcontext=system_u:object_r:tty_device_t tclass=chr_file
I guess that setfiles relabeled /dev which includes your terminal device.
Your shell can still write to it because it runs as sysadm_t, but setfiles_t
can't. I'll give setfiles such access. Normally it won't make any
difference, but in some situations it can make relabeling work correctly.
> # DEVFSD was disincluded from this test kernel but daemon is here
> avc: denied { sys_tty_config } for pid=319 exe=/bin/bash capability=26
> scontext=system_u:system_r:devfsd_t tcontext=system_u:system_r:devfsd_t
> tclass=capability
Strange. What script is this? Is it /sbin/devfsd_make_links?
> avc: denied { sys_tty_config } for pid=328 exe=/sbin/hwclock
> capability=26 scontext=system_u:system_r:hwclock_t
> tcontext=system_u:system_r:hwclock_t tclass=capability
I can't understand why hwclock would want to do that. Bug in hwclock?
> # There does not seem to be any bootlogd policy
> avc: denied { read write } for pid=48 exe=/sbin/bootlogd dev=sda2
> ino=946402 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=chr_file
True, such policy needs to be written.
> avc: denied { ioctl } for pid=48 exe=/sbin/bootlogd path=/dev/ptyp0
> dev=sda2 ino=946402 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=chr_file
Don't use them, use unix98 ptys. I don't think that SE Linux will ever
support old ptys.
I do:
rm -f /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
See: http://www.coker.com.au/selinux/tweaks.html
> avc: denied { mounton } for pid=113 exe=/bin/mount path=/dev/pts dev=
> ino=1 scontext=system_u:system_r:mount_t
> tcontext=system_u:object_r:devpts_t tclass=dir
Having the /dev/pts directory may be a bad thing, but I'll add an allow rule
for that to my policy (for the moment at least).
> # I'm using syslog-ng instead with minor policy changes. Perhaps
> # Russ's latest have these items fixed?
> avc: denied { read } for pid=220 exe=/sbin/syslog-ng path=pipe:[1143]
> dev= ino=1143 scontext=system_u:system_r:syslogd_t
> tcontext=system_u:system_r:syslogd_t tclass=fifo_file
I'll add that to my policy; it does no harm, and a future version of the
regular syslogd may want to do the same.
> avc: denied { syslog_mod } for pid=221 exe=/sbin/syslog-ng
> scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t
> tclass=system
I'll add that to my policy too.
> avc: denied { name_bind } for pid=221 exe=/sbin/syslog-ng port=999
> scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:port_t
> tclass=tcp_socket
What is port 999 for?
> avc: denied { fsetid } for pid=221 exe=/sbin/syslog-ng capability=4
> scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t
> tclass=capability
Which of the following does syslog-ng do and why?
/* Overrides the following restrictions that the effective user ID
shall match the file owner ID when setting the S_ISUID and S_ISGID
bits on that file; that the effective group ID (or one of the
supplementary group IDs) shall match the file owner ID when setting
the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
cleared on successful return from chown(2) (not implemented). */
> avc: denied { setattr } for pid=221 exe=/sbin/syslog-ng dev=sda2
> ino=946940 scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:tty_device_t tclass=chr_file
Looks like you have configured it to log stuff to a special virtual console.
I do the same, but it's not a default config so not something we want in
policy.
> avc: denied { search } for pid=230 exe=/usr/sbin/inetd dev=sda2
> ino=903169 scontext=system_u:system_r:inetd_t
> tcontext=system_u:object_r:var_lib_t tclass=dir
What was it looking for under /var/lib? Put in the following:
allow inetd_t var_lib_t:dir search;
auditallow inetd_t var_lib_t:dir search;
Then we'll get more info about what's happening.
> avc: denied { name_bind } for pid=230 exe=/usr/sbin/inetd port=25
> scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:smtp_port_t
> tclass=tcp_socket
What mail server are you using? Is that a default config or some unusual
custom config?
> avc: denied { unlink } for pid=258 exe=/bin/rm dev=sda2 ino=929844
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_log_t
> tclass=file
bootlogd?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: Boot time avc messages
From: Russell Coker @ 2003-09-17 10:14 UTC (permalink / raw)
To: Dale Amon, Stephen Smalley; +Cc: SELinux Mail List
On Wed, 17 Sep 2003 00:53, Dale Amon wrote:
Here's a new syslogd.te that should solve most of the problems you had.
[-- Attachment #2: syslogd.te --]
#DESC Syslogd - System log daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: sysklogd syslog-ng
#
#################################
#
# Rules for the syslogd_t domain.
#
# syslogd_t is the domain of syslogd.
# syslogd_exec_t is the type of the syslogd executable.
# devlog_t is the type of the Unix domain socket created
# by syslogd.
#
ifdef(`klogd.te', `
daemon_domain(syslogd)
', `
daemon_domain(syslogd, `, privmem')
')
# can_network is for the UDP socket
can_network(syslogd_t)
type devlog_t, file_type, sysadmfile;
# if something can log to syslog they should be able to log to the console
allow privlog console_device_t:chr_file { ioctl read write getattr };
tmp_domain(syslogd)
# read files in /etc
allow syslogd_t etc_t:file r_file_perms;
allow syslogd_t resolv_conf_t:{ file lnk_file } r_file_perms;
# Use capabilities.
allow syslogd_t syslogd_t:capability { net_bind_service dac_override };
# Inherit and use descriptors from init.
allow syslogd_t init_t:fd use;
allow syslogd_t { initrc_devpts_t console_device_t }:chr_file { read write };
# Modify/create log files.
create_append_log_file(syslogd_t, var_log_t)
# Create and bind to /dev/log or /var/run/log.
file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_dgram_socket { sendto };
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:fifo_file rw_file_perms;
allow syslogd_t devlog_t:unix_stream_socket name_bind;
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
# Domains with the privlog attribute may log to syslogd.
allow privlog devlog_t:sock_file rw_file_perms;
can_unix_send(privlog,syslogd_t)
can_unix_connect(privlog,syslogd_t)
# allow /dev/log to be a link elsewhere for chroot setup
allow privlog devlog_t:lnk_file read;
ifdef(`crond.te', `
# Write to the cron log.
allow syslogd_t crond_log_t:file rw_file_perms;
')
ifdef(`logrotate.te', `
allow logrotate_t syslogd_exec_t:file r_file_perms;
')
# uncomment this to allow syslogd to log to virtual consoles
#allow syslogd_t tty_device_t:chr_file rw_file_perms;
ifdef(`klogd.te', `', `
# Allow access to /proc/kmsg for syslog-ng
allow syslogd_t proc_t:dir search;
allow syslogd_t proc_kmsg_t:file { getattr read };
allow syslogd_t kernel_t:system { syslog_mod syslog_console };
')
* Re: Boot time avc messages
From: Dale Amon @ 2003-09-17 12:37 UTC (permalink / raw)
To: Russell Coker; +Cc: Dale Amon, Stephen Smalley, SELinux Mail List
On Wed, Sep 17, 2003 at 08:14:59PM +1000, Russell Coker wrote:
> On Wed, 17 Sep 2003 00:53, Dale Amon wrote:
>
> Here's a new syslogd.te that should solve most of the problems you had.
Will this work with Colin's or should I try to interpolate the two?
* Re: Boot time avc messages
From: Russell Coker @ 2003-09-17 12:45 UTC (permalink / raw)
To: Dale Amon; +Cc: SELinux Mail List
On Wed, 17 Sep 2003 22:37, Dale Amon wrote:
> On Wed, Sep 17, 2003 at 08:14:59PM +1000, Russell Coker wrote:
> > On Wed, 17 Sep 2003 00:53, Dale Amon wrote:
> >
> > Here's a new syslogd.te that should solve most of the problems you had.
>
> Will this work with Colin's or should I try to interpolate the two?
It will work on any recent policy tree of mine or of a NSA tree with the
patches and revisions I have recently posted to the list.
I am not sure of what is in Colin's tree at the moment.
* Re: Boot time avc messages
From: Dale Amon @ 2003-09-18 13:07 UTC (permalink / raw)
To: Russell Coker; +Cc: Dale Amon, Stephen Smalley, SELinux Mail List
On Wed, Sep 17, 2003 at 08:14:59PM +1000, Russell Coker wrote:
> On Wed, 17 Sep 2003 00:53, Dale Amon wrote:
>
> Here's a new syslogd.te that should solve most of the problems you had.
I'm working on a merged policy and I'm curious why you ifdef on
klogd.te. syslog-ng subsumes klogd, so I've not installed it and
thus not installed klogd.te.
* Re: Boot time avc messages
From: Russell Coker @ 2003-09-18 13:11 UTC (permalink / raw)
To: Dale Amon; +Cc: SELinux Mail List
On Thu, 18 Sep 2003 23:07, Dale Amon wrote:
> On Wed, Sep 17, 2003 at 08:14:59PM +1000, Russell Coker wrote:
> > On Wed, 17 Sep 2003 00:53, Dale Amon wrote:
> >
> > Here's a new syslogd.te that should solve most of the problems you had.
>
> I'm working on a merged policy and I'm curious why you ifdef on
> klogd.te. syslog-ng subsumes klogd, so I've not installed it and
> thus not installed klogd.te.
Which is why you need the ifdef so that syslogd_t gets the access that klogd_t
would have if it was installed.
Check out the results of the policy once the macros are expanded.
* Re: Boot time avc messages
From: Dale Amon @ 2003-09-19 15:41 UTC (permalink / raw)
To: Russell Coker; +Cc: Dale Amon, SELinux Mail List
On Wed, Sep 17, 2003 at 10:45:18PM +1000, Russell Coker wrote:
> It will work on any recent policy tree of mine or of a NSA tree with the
> patches and revisions I have recently posted to the list.
> I am not sure of what is in Colin's tree at the moment.
Okay, I merged it, although I had to comment out the crond_log_t
dependence since that type isn't here.
Still loads of messages from syslog-ng. I wonder if I'm the
first user of this policy who actually uses the full capability
of remote logging with syslog-ng? I'm going to see if I can
figure out how much of the error output is related to that.
I know at least the one complaining about port=999 is due
to that.
Colin seems to have left out newrules.pl from his packages,
or else it's in one I don't know about.
* Re: Boot time avc messages
From: Russell Coker @ 2003-09-20 6:32 UTC (permalink / raw)
To: Dale Amon; +Cc: SELinux Mail List
On Sat, 20 Sep 2003 01:41, Dale Amon wrote:
> On Wed, Sep 17, 2003 at 10:45:18PM +1000, Russell Coker wrote:
> > It will work on any recent policy tree of mine or of a NSA tree with the
> > patches and revisions I have recently posted to the list.
> > I am not sure of what is in Colin's tree at the moment.
>
> Okay, I merged it, although I had to comment out the crond_log_t
> dependance since that type isn't here.
For best results change that to cron_log_t or whatever the cron logfile type
is in your policy.
> Still loads of messages from syslog-ng. I wonder if I'm the
> first user of this policy who actually uses the full capability
> of remote logging with syslog-ng? I'm going to see if I can
Probably. Let me know what you are getting and I'll change my policy
accordingly.
> figure out how much of the error output is related to that.
> I know at least the one complaining about port=999 is due
> to that.
Why does it use port 999?
> Colin seems to have left out newrules.pl from his packages,
> or else it's in one I don't know about.
It should be named newrules-selinux. Having binaries ending in .pl is a bad
idea, when you run a program you don't want to concern yourself with what
language it was written in. Also when you upgrade to a new version of a
program you shouldn't be bothered by any change in language.
Calling the program simply "newrules" is a bad idea; it's too ambiguous, as there
could be hundreds of programs that require new rules.
* Re: Boot time avc messages
From: Dale Amon @ 2003-09-20 12:21 UTC (permalink / raw)
To: Russell Coker; +Cc: Dale Amon, SELinux Mail List
On Sat, Sep 20, 2003 at 04:32:59PM +1000, Russell Coker wrote:
> > Still loads of messages from syslog-ng. I wonder if I'm the
> > first user of this policy who actually uses the full capability
> > of remote logging with syslog-ng? I'm going to see if I can
>
> Probably. Let me know what you are getting and I'll change my policy
> accordingly.
The test machine is a particularly simple setup and doesn't
use as much of the capabilities of the remote logging as some
of my "real" machines. However, this is what I have at the moment:
allow syslogd_t port_t:tcp_socket { name_bind };
allow syslogd_t syslogd_t:capability { fsetid };
allow syslogd_t tty_device_t:chr_file { setattr };
avc: denied { name_bind } for pid=221 exe=/sbin/syslog-ng port=999 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
avc: denied { fsetid } for pid=221 exe=/sbin/syslog-ng capability=4 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
avc: denied { setattr } for pid=221 exe=/sbin/syslog-ng dev=sda2 ino=946940 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
> Why does it use port 999?
There are 3 ports discussed in the manual
(found at http://www.balabit.com/products/syslog_ng/reference/book1.html).
The internal default is to listen on 514 tcp and/or udp or send to
that port. However it is also used by rshell, so many people
use the document's example ports instead and place this line in
syslog-ng.conf:
destination d_tcp { tcp("10.1.2.3" port(1999); localport(999)); };
* Re: Boot time avc messages
From: Dale Amon @ 2003-09-20 13:13 UTC (permalink / raw)
To: Russell Coker; +Cc: Dale Amon, SELinux Mail List
On Sat, Sep 20, 2003 at 04:32:59PM +1000, Russell Coker wrote:
> For best results change that to cron_log_t or whatever the cron logfile type
> is in your policy.
Yes, that one exists.
To tell the truth, now that I've gotten back up the learning
curve again, I've half a mind to just swap your policy tree for
Colin's, sans package. I think he's got too much class work
going right now to keep these things up in a timely fashion
and I have to do this work while time is available.
Can you see any potential gotchas in swapping your
policy/current and policy/default for his on 2.6.0 test5
kernel with sid packages?
I'm talking about completely bypassing the packaging system
for now, just manually replacing his policy tree with
yours.
* Re: Boot time avc messages
From: Russell Coker @ 2003-09-20 13:35 UTC (permalink / raw)
To: Dale Amon; +Cc: SELinux Mail List
On Sat, 20 Sep 2003 23:13, Dale Amon wrote:
> To tell the truth, now that I've gotten back up the learning
> curve again, I've half a mind to just swap your policy tree for
> Colin's, sans package.
> Can you see any potential gotcha's in swapping your
> policy/current and policy/default for his on 2.6.0 test5
> kernel with sid packages?
It should work. I already have a couple of 2.6 machines running with my
policy tree. If it doesn't work then let me know and I'll fix my policy.
* Re: Boot time avc messages
From: Russell Coker @ 2003-09-20 13:39 UTC (permalink / raw)
To: Dale Amon; +Cc: SELinux Mail List
On Sat, 20 Sep 2003 22:21, Dale Amon wrote:
> The test machine is a particularly simple setup and doesn't
> use as much of the capabilities of the remote logging as some
> of my "real" machines. However, this is what I have at the moment:
>
> allow syslogd_t port_t:tcp_socket { name_bind };
That's not what we want of course, if we know the port then we can assign a
type to it.
> allow syslogd_t syslogd_t:capability { fsetid };
I still can't work out why syslogd would need fsetid. What stops working if
you deny it?
> allow syslogd_t tty_device_t:chr_file { setattr };
If we could make it some sort of standard to write to /dev/tty12 (for example)
then we could relabel the terminal device(s) in question to a syslog specific
type and allow syslog to write to it.
Also how does syslog-ng handle ^S on the terminal it's writing to?
> > Why does it use port 999?
>
> There are 3 ports discussed in the manual
> (found at http://www.balabit.com/products/syslog_ng/reference/book1.html).
>
> The internal default is to listen on 514 tcp and/or udp or send to
> that port. However it is also used by rshell, so many people
> use the document's example ports instead and place this line in
> syslog-ng.conf:
So syslog-ng has its own special method of logging in addition to the
standard ways? :(
> destination d_tcp { tcp("10.1.2.3" port(1999); localport(999)); };
What is port 1999 for?
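The denial-to-rule step behind the three allow lines quoted in this exchange, plus the review caveats raised in the replies (port_t name_bind, tty_device_t setattr, the capability grant), as an added Python example that is not the thread's own tool (newrules.pl) or any part of the policy tree. The sample denials are the ones quoted in the thread; the function names and the hint wording are my own.

```python
"""Added example: merge AVC denials of the format shown in this thread into
candidate allow rules, then attach the review caveats from the replies.
Not the thread's own tool (newrules.pl); hint wording is my summary."""
import re
from collections import defaultdict

# Sample input: the syslog-ng denials quoted in the thread, plus one
# non-AVC line to show that it is skipped.
SAMPLE_AVC = """\
# boot log excerpt (marker line, not a denial)
avc: denied { read } for pid=220 exe=/sbin/syslog-ng path=pipe:[1143] dev= ino=1143 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=fifo_file
avc: denied { write } for pid=221 exe=/sbin/syslog-ng path=pipe:[1143] dev= ino=1143 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=fifo_file
avc: denied { name_bind } for pid=221 exe=/sbin/syslog-ng port=999 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
avc: denied { fsetid } for pid=221 exe=/sbin/syslog-ng capability=4 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
avc: denied { setattr } for pid=221 exe=/sbin/syslog-ng dev=sda2 ino=946940 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return (perms, fields) for one denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = {}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:                      # "dev=" keeps an empty value
            fields[key] = val
    return perms, fields


def type_of(context):
    """user:role:type -> type (the last colon-separated field)."""
    return context.rsplit(":", 1)[-1]


def hint_for(tgt, cls, perms):
    """The caveats raised in the thread for rules that grant too much."""
    if tgt == "port_t" and cls in ("tcp_socket", "udp_socket") and "name_bind" in perms:
        return "known port: give it its own port type and allow name_bind on that, not on port_t"
    if tgt == "tty_device_t" and cls == "chr_file":
        return "site-specific console logging: relabel that tty and allow only the new type"
    if cls == "capability":
        return "capability grant: confirm what stops working when denied (" + " ".join(sorted(perms)) + ")"
    return None


def denials_to_rules(text):
    """Merge denials by (source type, target type, class) and return a list of
    (allow rule, hint-or-None) in sorted order."""
    merged = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        merged[(type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])] |= perms
    out = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        out.append((rule, hint_for(tgt, cls, perms)))
    return out


if __name__ == "__main__":
    for rule, hint in denials_to_rules(SAMPLE_AVC):
        print(rule + (f"    # {hint}" if hint else ""))
```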
* Re: Boot time avc messages
From: Dale Amon @ 2003-09-20 14:38 UTC (permalink / raw)
To: Russell Coker; +Cc: Dale Amon, SELinux Mail List
On Sat, Sep 20, 2003 at 11:35:09PM +1000, Russell Coker wrote:
> It should work. I already have a couple of 2.6 machines running with my
> policy tree. If it doesn't work then let me know and I'll fix my policy.
cat flask/security_classes flask/initial_sids flask/access_vectors tmp/te-rbac.m4 users tmp/constraints-contexts.m4 > policy.conf
/usr/bin/checkpolicy -o policy.15 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
ERROR 'syntax error' at token 'fs_use_task' on line 29587:
# type as the creating task.
fs_use_task pipefs system_u:object_r:fs_t;
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.15] Error 1
I had to modify the makefile to match Colin's setup with
FLASKDIR=flask/ since the directory you pointed to doesn't exist.
I'll keep digging, but thought I'd pass that right along to you.
* Re: Boot time avc messages
From: Dale Amon @ 2003-09-20 14:51 UTC (permalink / raw)
To: Russell Coker; +Cc: Dale Amon, SELinux Mail List
False alarm. Entirely my fault.
* Re: Boot time avc messages
From: Dale Amon @ 2003-09-22 10:34 UTC (permalink / raw)
To: Russell Coker; +Cc: Dale Amon, SELinux Mail List
On Sat, Sep 20, 2003 at 11:39:52PM +1000, Russell Coker wrote:
> > allow syslogd_t syslogd_t:capability { fsetid };
>
> I still can't work out why syslogd would need fsetid. What stops working if
> you deny it?
In syslog-ng's affile.c it seems to twiddle file ownerships if
necessary when opening a log file, if I correctly understood what
is going on around a chown() call after all of 30 seconds of code
scanning...
> > allow syslogd_t tty_device_t:chr_file { setattr };
>
> If we could make it some sort of standard to write to /dev/tty12 (for example)
> then we could relabel the terminal device(s) in question to a syslog specific
> type and allow syslog to write to it.
Trouble is, this is user configurable, for example, I have this on some of
my machines:
# Virtual console.
#
destination console_all { file("/dev/tty8"); };
> Also how does syslog-ng handle ^S on the terminal it's writing to?
Haven't checked yet. I'm still sipping coffee and the only machine
here in my home office with this running would be the firewall for
which I have to find a keyboard and crawl under the table to connect
it first. Later. :-)
> > There are 3 ports discussed in the manual
> > (found at http://www.balabit.com/products/syslog_ng/reference/book1.html).
> >
> > The internal default is to listen on 514 tcp and/or udp or send to
> > that port. However it is also used by rshell, so many people
> > use the document's example ports instead and place this line in
> > syslog-ng.conf:
>
> So syslog-ng has it's own special method of logging in addition to the
> standard ways? :(
>
> > destination d_tcp { tcp("10.1.2.3" port(1999); localport(999)); };
>
> What is port 1999 for?
A server listens on 1999, clients receive on 999. Sometimes you can have a
machine acting as both, i.e. a host that consolidates from a local LAN
as a server and then connects over a tunnel as a logging client to a
master server.
Here's what a connection looks like in iptstate:
Source IP Destination IP Proto State TTL
xx.xx.xx.xx,999 yy.yy.yy.yy,1999 tcp ESTABLISHED 119:59:42
* Re: Boot time avc messages
From: Dale Amon @ 2003-09-22 13:25 UTC (permalink / raw)
To: Russell Coker; +Cc: Dale Amon, SELinux Mail List
On Sat, Sep 20, 2003 at 11:39:52PM +1000, Russell Coker wrote:
> Also how does syslog-ng handle ^S on the terminal it's writing to?
This seems to have no effect.