* selinux-query
From: Naina Emmanuel @ 2016-03-22 17:35 UTC (permalink / raw)
To: selinux
Good evening!
I am a master's student and working on SELinux as a project.
Scenario: I had the mysql policy module and made some changes in the mysql.te file (commented some allow rules, bold in the code below), then tried to reload it through <semodule. -R mysql.pp>, but every time I get the failed message: "failed on mysql.pp".
Even in my own created modules I get the failed message (not a base module), and I am using CentOS 7.
Please guide me through this.
Thanks in advance
# Copyright (C) 2007 MySQL AB
# Use is subject to license terms
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

policy_module(mysql,1.0.0)

########################################
#
# Declarations
#

# Daemon domain and the executable that transitions into it
type mysqld_t;
type mysqld_exec_t;
init_daemon_domain(mysqld_t,mysqld_exec_t)

type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)

# Database files (under /var/lib)
type mysqld_db_t;
files_type(mysqld_db_t)

type mysqld_etc_t alias etc_mysqld_t;
files_config_file(mysqld_etc_t)

type mysqld_log_t;
logging_log_file(mysqld_log_t)

type mysqld_tmp_t;
files_tmp_file(mysqld_tmp_t)

########################################
#
# Local policy
#

allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file { read write };
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow mysqld_t self:tcp_socket create_stream_socket_perms;
allow mysqld_t self:udp_socket create_socket_perms;

# The two rules below are the ones commented out for this experiment
#allow mysqld_t mysqld_db_t:dir create_dir_perms;
#allow mysqld_t mysqld_db_t:file create_file_perms;
allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms;
files_var_lib_filetrans(mysqld_t,mysqld_db_t,{ dir file })

allow mysqld_t mysqld_etc_t:file { getattr read };
allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
allow mysqld_t mysqld_etc_t:dir list_dir_perms;

allow mysqld_t mysqld_log_t:file create_file_perms;
logging_log_filetrans(mysqld_t,mysqld_log_t,file)

allow mysqld_t mysqld_tmp_t:dir create_dir_perms;
allow mysqld_t mysqld_tmp_t:file create_file_perms;
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })

allow mysqld_t mysqld_var_run_t:dir rw_dir_perms;
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
allow mysqld_t mysqld_var_run_t:file create_file_perms;
files_pid_filetrans(mysqld_t,mysqld_var_run_t,file)

kernel_read_system_state(mysqld_t)
kernel_read_kernel_sysctls(mysqld_t)

corenet_non_ipsec_sendrecv(mysqld_t)
corenet_tcp_sendrecv_all_if(mysqld_t)
corenet_udp_sendrecv_all_if(mysqld_t)
corenet_tcp_sendrecv_all_nodes(mysqld_t)
corenet_udp_sendrecv_all_nodes(mysqld_t)
corenet_tcp_sendrecv_all_ports(mysqld_t)
corenet_udp_sendrecv_all_ports(mysqld_t)
corenet_tcp_bind_all_nodes(mysqld_t)
corenet_tcp_bind_mysqld_port(mysqld_t)
corenet_tcp_connect_mysqld_port(mysqld_t)
corenet_sendrecv_mysqld_client_packets(mysqld_t)
corenet_sendrecv_mysqld_server_packets(mysqld_t)

dev_read_sysfs(mysqld_t)

fs_getattr_all_fs(mysqld_t)
fs_search_auto_mountpoints(mysqld_t)

term_dontaudit_use_console(mysqld_t)

domain_use_interactive_fds(mysqld_t)

files_getattr_var_lib_dirs(mysqld_t)
files_read_etc_runtime_files(mysqld_t)
files_read_etc_files(mysqld_t)
files_read_usr_files(mysqld_t)
files_search_var_lib(mysqld_t)

auth_use_nsswitch(mysqld_t)

init_use_fds(mysqld_t)
init_use_script_ptys(mysqld_t)

libs_use_ld_so(mysqld_t)
libs_use_shared_libs(mysqld_t)

logging_send_syslog_msg(mysqld_t)

miscfiles_read_localization(mysqld_t)

sysnet_read_config(mysqld_t)

userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
# for /root/.my.cnf - should not be needed:
userdom_read_sysadm_home_content_files(mysqld_t)

ifdef(`distro_redhat',`
# because Fedora has the sock_file in the database directory
type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
')

ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(mysqld_t)
term_dontaudit_use_generic_ptys(mysqld_t)
files_dontaudit_read_root_files(mysqld_t)
')

optional_policy(`
daemontools_service_domain(mysqld_t, mysqld_exec_t)
')

optional_policy(`
seutil_sigchld_newrole(mysqld_t)
')

optional_policy(`
udev_read_db(mysqld_t)
')
Engr. Naina Emmanuel
Linux Essential Certified (LEPDC)
Cisco Certified Network Associate (CCNA)
Computer Engineering Department, UET Taxila
Information Security, CS Department, CIIT Islamabad
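The mysql.te as it arrived in the mail has been damaged in transit: the last word of the licence comment ("USA") sits on its own, uncommented line, one allow rule is wrapped, and the two commented-out rules are fused on one line between bold markers so that the tail of the second rule is no longer commented. What follows is an added example, not code from this thread or from the reference policy: a small checker that flags this kind of transport damage in a .te file before it is handed to make. It only recognizes the statement shapes the posted mysql.te uses, and its sample input is constructed from the defects visible above; the real build errors still have to be read from the make output.

```python
"""Flag mail-transport damage in a Reference Policy .te file before building it.
Added example (not from the thread); it only knows the statement shapes the
posted mysql.te uses. Real build errors still come from the make output."""
import re

RULE = re.compile(r"^(type|typealias|attribute|allow|dontaudit|auditallow|"
                  r"neverallow|type_transition|role|bool)\b.*;$")
CALL = re.compile(r"^[a-z_][a-z0-9_]*\(.*\)$")             # interface call, policy_module()
M4_OPEN = re.compile(r"^[a-z_][a-z0-9_]*\((`[^']*',)?`$")  # ifdef(`x',`  /  optional_policy(`
M4_CLOSE = re.compile(r"^'\)$")
TERMINATED = re.compile(r"[;)`]$")                         # a line that ends a statement

def lint_te(text):
    """Return (lineno, message) findings; an empty list means nothing suspicious."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        raw, start = lines[i].strip(), i + 1
        if raw.startswith("*") or raw.endswith("*"):     # mail-client bold marker
            findings.append((start, "bold marker '*' is not policy syntax"))
            raw = raw.strip("*").strip()
        if not raw or raw.startswith("#"):
            if ";#" in raw:                               # two comment lines fused
                findings.append((start, "two commented rules fused on one line"))
            i += 1
            continue
        # A rule wrapped inside braces is still legal: join lines up to a terminator.
        while not TERMINATED.search(raw) and i + 1 < len(lines):
            i += 1
            raw += " " + lines[i].strip().strip("*").strip()
        i += 1
        if not (RULE.match(raw) or CALL.match(raw)
                or M4_OPEN.match(raw) or M4_CLOSE.match(raw)):
            findings.append((start, "unrecognized statement (wrapped comment or rule "
                                    "fragment whose first half is commented?): " + raw[:40]))
    return findings

# Constructed sample reproducing the defects visible in the pasted mysql.te.
MANGLED_TE = """\
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
USA
policy_module(mysql,1.0.0)
type mysqld_t;
allow mysqld_t self:capability { dac_override setgid setuid sys_resource
net_bind_service };
*#allow mysqld_t mysqld_db_t:dir create_dir_perms;#allow mysqld_t
mysqld_db_t:file create_file_perms;*
allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms;
ifdef(`distro_redhat',`
type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
')
"""
if __name__ == "__main__":
    for lineno, msg in lint_te(MANGLED_TE):
        print(f"line {lineno}: {msg}")
```

Run it over a .te saved from a mail client; every finding is a line to repair by hand before `make` is attempted.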
* Re: selinux-query
From: Naina Emmanuel @ 2016-03-22 17:51 UTC (permalink / raw)
To: selinux
Good evening!
I am working on SELinux, CentOS 7. I have downloaded some .te files from the internet (squid.te, ftp.te, rpc.te, samba.te, etc.), but when I compile these .te files through #make -f /usr/share/selinux/devel/include/MakeFile it shows errors in all the mentioned .te files, and they are not even getting installed through #semodule -i ftp.pp (for all the mentioned .te files). Please help me regarding this.
Thanks in advance
Engr. Naina Emmanuel
Linux Essential Certified (LEPDC)
Cisco Certified Network Associate (CCNA)
Computer Engineering Department, UET Taxila
Information Security, CS Department, CIIT Islamabad
On Tue, Mar 22, 2016 at 10:35 AM, Naina Emmanuel <nemmanuel1992@gmail.com>
wrote:
>
> Good evening!
> I am master's student and working on SELinux... As a project
> Scenario: I had mysql policy module and in mysql.te file made some changes
> (commented some allow rules, bold in the code below) and then tried to
> reload it through <semodule. -R mysql.pp> but everytime I get the failed
> message. "failed on mysql.pp"
> Even in my own created modules I get the failed message (not a base
> module) and i am using centos 7.
> Please guide me through this.
>
> Thanks in advance
* Re: selinux-query
From: Stephen Smalley @ 2016-03-22 19:48 UTC (permalink / raw)
To: Naina Emmanuel, selinux
On 03/22/2016 01:51 PM, Naina Emmanuel wrote:
> Good evening!
> i am working on selinux, centos 7... i have downloaded some .te files
> from the internet (squid.te, ftp.te, rpc.te, samba.te .. etc)
> but when i compile these .te file through #make -f
> /usr/share/selinux/devel/include/MakeFile but shows error in all
> mentioned .te files
> not even getting installed through #semodule -i ftp.pp (for all
> mentioned .te files) plz help me regarding this..
> thanks in advanced
Please show the actual commands that you ran, and the actual error
output from those commands.
However, downloading random .te files from the Internet and expecting
them to build or install on your system is probably not a good strategy.
On CentOS, you should be able to download the .src.rpm file for
selinux-policy-targeted and work with the files it contains in order to
ensure that they match your base policy.
* Re: selinux-query
From: Miroslav Grepl @ 2016-03-23 7:48 UTC (permalink / raw)
To: Stephen Smalley, Naina Emmanuel, selinux
On 03/22/2016 08:48 PM, Stephen Smalley wrote:
> On 03/22/2016 01:51 PM, Naina Emmanuel wrote:
>> Good evening!
>> i am working on selinux, centos 7... i have downloaded some .te files
>> from the internet (squid.te, ftp.te, rpc.te, samba.te .. etc)
>> but when i compile these .te file through #make -f
>> /usr/share/selinux/devel/include/MakeFile but shows error in all
>> mentioned .te files
>> not even getting installed through #semodule -i ftp.pp (for all
>> mentioned .te files) plz help me regarding this..
>> thanks in advanced
>
> Please show the actual commands that you ran, and the actual error
> output from those commands.
>
> However, downloading random .te files from the Internet and expecting
> them to build or install on your system is probably not a good strategy.
> On CentOS, you should be able to download the .src.rpm file for
> selinux-policy-targeted and work with the files it contains in order to
> ensure that they match your base policy.
Even more, if you want to replace a module shipped by a distribution policy and you miss some definitions which are used in other modules, you will also fail.
So I would go with the .src.rpm, as Stephen wrote above. You can ask on selinux@lists.fedoraproject.org for more details.
Thanks.
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
* Re: selinux-query
From: Dennis Sherrell @ 2016-03-23 9:29 UTC (permalink / raw)
To: Miroslav Grepl, Stephen Smalley, Naina Emmanuel, selinux
Miroslav,
We are interested in the approved SELinux config listed in the NSA Commercial Solutions for Classified Program.
Our goal is to eventually conduct research as a NISP Corporation. How do we get hardcopies of sourced software and policies for Information Assurance?
Dennis Sherrell
Sherrell Consulting
Company #136601
Cisco Certified Wireless Specialist
On Wed, Mar 23, 2016, 12:56 AM Miroslav Grepl <mgrepl@redhat.com> wrote: