[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Selinux error help



On 2/7/07, Stephen Smalley <sds tycho nsa gov> wrote:
On Wed, 2007-02-07 at 12:40 +0000, Dan Track wrote:
> Hi
>
> I'm hoping someone can help me with this. I'm running a process that's
> getting the following violations:
>
> Feb  7 11:54:34 jupiter kernel: audit(1170849274.441:2160): avc:
> denied  { getattr } for  pid=11754 comm="beltane_cp" name="yule"
> dev=sda3 ino=145930 scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_lib_t tclass=dir
> Feb  7 11:54:35 jupiter kernel: audit(1170849275.859:2161): avc:
> denied  { getsession } for  pid=27224 comm="httpd"
> scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t
> tclass=process
>
> What I did next was to run the following:
>
> audit2allow -i /var/log/messages
>
> and I get the following output
>
> allow httpd_sys_script_t var_lib_t:dir getattr;
> allow httpd_t unconfined_t:process getsession;
>
> Which I enter into
>
> /etc/selinux/targeted/src/policy/domains/misc/local.te

Suggestion:  Take such questions to fedora-selinux-list in the future.

So this is a FC4 system?  In FC5 and later, you would instead be
creating a loadable policy module.

> Then from the policy directory I run
>
> make load
>
> Upon which I get the following error
>
> /usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> security:  3 users, 4 roles, 355 types, 26 bools
> security:  55 classes, 22619 rules
> assertion on line 25169 violated by allow httpd_t unconfined_t:process
> { getsession };
> make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
>
> I don't know what this means, I've tried to look it up i.e google
> search, but to no avail. Any ideas?

The policy includes a set of assertions (neverallow rules) to catch
common errors and potentially unsafe rules.  In a FC4 or earlier policy,
they would live in the file policy/assert.te.  In this case, the
neverallow rule is guarding against accidentally allowing a confined
process like httpd from operating on an unconfined process, as that
could open you up to an attack, although this particular access
(getsession i.e. getsid(2)) is relatively benign unto itself - the more
interesting question is what will your process then try to do with the
session ID it gets for the unconfined process.

If you truly need to allow it, you can adjust or remove the neverallow
rule from policy/assert.te.
-
--
Stephen Smalley
National Security Agency

--
fedora-list mailing list
fedora-list redhat com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Hi Stephen

Firstly apologies for sending to the wrong list.

Thanks for the advice it was really an eye opener. I trawlled through
the assert.te file in my selinux src directory, however I can tell
which rule to remove, could you please guide to which rule it is.
Currently my file looks like this:

neverallow { domain -unrestricted -snmpd_t -pegasus_t }
unconfined_t:process ~sigchld;

# Confined domains must never see unconfined domain's /proc/pid entries.
neverallow { domain -unrestricted -snmpd_t -pegasus_t }
unconfined_t:dir { getattr search };

#
# Verify that every type that can be entered by
# a domain is also tagged as a domain.
#
neverallow domain ~domain:process transition;

# for gross mistakes in policy
neverallow domain domain:dir ~r_dir_perms;
neverallow domain domain:file_class_set ~{ setattr rw_file_perms };
neverallow domain file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;


Many thanks
Dan


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]