Re: [CentOS-docs] SELinux
On 08/12/2008 10:09 PM, Ned Slider wrote:
> Thanks. One wonders why postdrop is interested in /var/log/httpd/error_log?

One plus me equals two people wondering. But I do not trust before understanding, hence the dontaudit versus allow.

___
CentOS-docs mailing list
CentOS-docs@centos.org
http://lists.centos.org/mailman/listinfo/centos-docs
Re: [CentOS-docs] SELinux
Manuel Wolfshant wrote:
> On 08/12/2008 07:12 PM, Ned Slider wrote:
>> Manuel Wolfshant wrote:
>>> Ned Slider wrote:
>>>> Hi list,
>>>>
>>>> I've knocked up a contribution on SELinux here:
>>>>
>>>> http://wiki.centos.org/HowTos/SELinux
>>>>
>>>> I've tried to pitch it as an introduction for those not already familiar with SELinux but also hopefully a useful reference. I'm relatively new to SELinux and have covered pretty much everything I know to the limits of my limited knowledge. If folks think other material needs to be covered then it may be more appropriate for them to make the additions rather than me. Consider it a "get the ball rolling" contribution that the community can add to as necessary :)
>>>>
>>>> Comments welcomed,
>>>
>>> I would add the following just before "Summary" (in case one wants to edit the rules suggested by audit2allow):
>>>
>>> Building module policy manually
>>>
>>> - grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
>>> - while reviewing the generated postfix.te
>>>
>>> module local 1.0;
>>>
>>> require {
>>>     type httpd_log_t;
>>>     type postfix_postdrop_t;
>>>     class dir getattr;
>>>     class file { read getattr };
>>> }
>>>
>>> #============= postfix_postdrop_t ==============
>>> allow postfix_postdrop_t httpd_log_t:file getattr;
>>
>> Wolfy,
>>
>> Are you able to supply an example of the audit.log AVC message(s) that are used to create this .te policy? It might be useful to show the actual AVC error messages in explaining this process.
>>
>> Thanks,
>
> here you are. I hope I have not trashed anything valuable but most of the info must be here

Thanks. One wonders why postdrop is interested in /var/log/httpd/error_log?

> PS, for those who might be tempted to comment about the kernel version: I already know what you want to say.
Re: [CentOS-docs] SELinux
On 08/12/2008 07:12 PM, Ned Slider wrote:
> Manuel Wolfshant wrote:
>> Ned Slider wrote:
>>> Hi list,
>>>
>>> I've knocked up a contribution on SELinux here:
>>>
>>> http://wiki.centos.org/HowTos/SELinux
>>>
>>> I've tried to pitch it as an introduction for those not already familiar with SELinux but also hopefully a useful reference. I'm relatively new to SELinux and have covered pretty much everything I know to the limits of my limited knowledge. If folks think other material needs to be covered then it may be more appropriate for them to make the additions rather than me. Consider it a "get the ball rolling" contribution that the community can add to as necessary :)
>>>
>>> Comments welcomed,
>>
>> I would add the following just before "Summary" (in case one wants to edit the rules suggested by audit2allow):
>>
>> Building module policy manually
>>
>> - grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
>> - while reviewing the generated postfix.te
>>
>> module local 1.0;
>>
>> require {
>>     type httpd_log_t;
>>     type postfix_postdrop_t;
>>     class dir getattr;
>>     class file { read getattr };
>> }
>>
>> #============= postfix_postdrop_t ==============
>> allow postfix_postdrop_t httpd_log_t:file getattr;
>
> Wolfy,
>
> Are you able to supply an example of the audit.log AVC message(s) that are used to create this .te policy? It might be useful to show the actual AVC error messages in explaining this process.
>
> Thanks,

here you are. I hope I have not trashed anything valuable but most of the info must be here

PS, for those who might be tempted to comment about the kernel version: I already know what you want to say.

Summary:

SELinux is preventing postdrop (postfix_postdrop_t) "getattr" to /var/log/httpd/error_log (httpd_log_t).

Detailed Description:

SELinux denied access requested by postdrop. It is not expected that this access is required by postdrop and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/log/httpd/error_log,

restorecon -v '/var/log/httpd/error_log'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:postfix_postdrop_t
Target Context                root:object_r:httpd_log_t
Target Objects                /var/log/httpd/error_log [ file ]
Source                        postdrop
Source Path                   /usr/sbin/postdrop
Port
Host                          sanitized
Source RPM Packages           postfix-2.3.3-2
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     sanitized
Platform                      Linux sanitized 2.6.18-53.1.21.el5 #1 SMP Tue May 20 09:35:07 EDT 2008 x86_64 x86_64
Alert Count                   599
First Seen                    Wed Jul 2 08:27:15 2008
Last Seen                     Sun Aug 10 22:47:52 2008
Local ID                      c303a4ea-8e7a-4acc-9118-9cc61c6a2ec8
Line Numbers

Raw Audit Messages

host=sanitized type=AVC msg=audit(1218397672.372:352): avc: denied { getattr } for pid=4262 comm="postdrop" path="/var/log/httpd/error_log" dev=md2 ino=117005 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file

host=sanitized type=SYSCALL msg=audit(1218397672.372:352): arch=c03e syscall=5 success=no exit=-13 a0=2 a1=7fffd6febca0 a2=7fffd6febca0 a3=0 items=0 ppid=4261 pid=4262 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)
Re: [CentOS-docs] SELinux
Manuel Wolfshant wrote:
> Ned Slider wrote:
>> Hi list,
>>
>> I've knocked up a contribution on SELinux here:
>>
>> http://wiki.centos.org/HowTos/SELinux
>>
>> I've tried to pitch it as an introduction for those not already familiar with SELinux but also hopefully a useful reference. I'm relatively new to SELinux and have covered pretty much everything I know to the limits of my limited knowledge. If folks think other material needs to be covered then it may be more appropriate for them to make the additions rather than me. Consider it a "get the ball rolling" contribution that the community can add to as necessary :)
>>
>> Comments welcomed,
>
> I would add the following just before "Summary" (in case one wants to edit the rules suggested by audit2allow):
>
> Building module policy manually
>
> - grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
> - while reviewing the generated postfix.te
>
> module local 1.0;
>
> require {
>     type httpd_log_t;
>     type postfix_postdrop_t;
>     class dir getattr;
>     class file { read getattr };
> }
>
> #============= postfix_postdrop_t ==============
> allow postfix_postdrop_t httpd_log_t:file getattr;

Wolfy,

Are you able to supply an example of the audit.log AVC message(s) that are used to create this .te policy? It might be useful to show the actual AVC error messages in explaining this process.

Thanks,
Ned
Re: [CentOS-docs] SELinux
Manuel Wolfshant wrote:
> Ned Slider wrote:
>> Hi list,
>>
>> I've knocked up a contribution on SELinux here:
>>
>> http://wiki.centos.org/HowTos/SELinux
>>
>> I've tried to pitch it as an introduction for those not already familiar with SELinux but also hopefully a useful reference. I'm relatively new to SELinux and have covered pretty much everything I know to the limits of my limited knowledge. If folks think other material needs to be covered then it may be more appropriate for them to make the additions rather than me. Consider it a "get the ball rolling" contribution that the community can add to as necessary :)
>>
>> Comments welcomed,
>
> I would add the following just before "Summary" (in case one wants to edit the rules suggested by audit2allow):
>
> Building module policy manually
>
> - grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
> - while reviewing the generated postfix.te
>
> module local 1.0;
>
> require {
>     type httpd_log_t;
>     type postfix_postdrop_t;
>     class dir getattr;
>     class file { read getattr };
> }
>
> #============= postfix_postdrop_t ==============
> allow postfix_postdrop_t httpd_log_t:file getattr;
>
> we decide that we do not want either to *relabel* the files or to *allow* the action, but it is safe to *ignore* the warnings. Therefore we edit the action rule, like below:
>
> dontaudit postfix_postdrop_t httpd_log_t:file getattr;
>
> We now need to compile and load the policy:
>
> $ checkmodule -M -m -o postfix.mod postfix.te
> $ semodule_package -o postfix.pp -m postfix.mod
> $ semodule -i postfix.pp

Thanks Wolfy :)

I think I need to read up some more and expand section(s) at the end of the document on policy modules. I'll incorporate the above into that process.

Also, does anyone know if there are any guidelines/best practice on the naming of custom policy modules? I'm wondering if it's wise to create local policy modules with names like postfix or postgrey etc, as conceivably these may later get overwritten by policy modules supplied from elsewhere? Maybe something like postfix.local.pp might be more appropriate?
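An added example, not from the thread and not audit2allow's own code, that does by hand what Wolfy's AVC record earlier in the thread and the compile-and-load steps quoted above describe: it picks the source type, target type, object class and permission names out of raw AVC records, emits either an allow rule or the dontaudit rule Wolfy preferred, assembles the require block, and wraps the three checkmodule/semodule_package/semodule commands from the thread. The first record is the one Wolfy posted; the second, a read denial on the same log, is constructed so the require block has two permissions to merge. The module name postfix_local is an assumed answer to Ned's naming question (a prefix-free name like postfix could be shadowed by a module shipped with the distribution policy); the thread itself leaves that open. One reading of Wolfy's SYSCALL record, offered as an inference rather than something the thread states: a0=2 together with syscall=5 (fstat on x86_64) and uid=48 (apache on RHEL 5) looks like postdrop, launched from the web server, calling fstat on an inherited stderr that pointed at the Apache error log, which would account for a mail submission program touching httpd_log_t at all.

```shell
#!/bin/sh
# Added example, not from the thread and not audit2allow's own code: build a
# .te module from raw AVC records, choose allow or dontaudit, and compile and
# load it with the three commands the thread uses. The module name
# "postfix_local" is an assumed naming convention (the thread leaves that open).

# The AVC record Wolfy posted (real), plus a constructed second record for a
# "read" denial on the same file so the require block has permissions to merge.
AVC_GETATTR='type=AVC msg=audit(1218397672.372:352): avc:  denied  { getattr } for  pid=4262 comm="postdrop" path="/var/log/httpd/error_log" dev=md2 ino=117005 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file'
AVC_READ='type=AVC msg=audit(1218397700.000:353): avc:  denied  { read } for  pid=4300 comm="postdrop" path="/var/log/httpd/error_log" dev=md2 ino=117005 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file'

# Type component of an scontext= or tcontext= field (user:role:type[:level]).
avc_type() {  # $1 = scontext|tcontext, $2 = record
    printf '%s\n' "$2" | sed -n "s/.*$1=[^:]*:[^:]*:\([^: ]*\).*/\1/p"
}

# Object class from tclass= (file, dir, ...).
avc_class() {
    printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p'
}

# Permission names between "denied {" and "}", single-space separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# One TE rule per record. "allow" grants the access; "dontaudit" leaves it
# denied but stops the AVC being logged, which is what Wolfy settled on.
avc_rule() {  # $1 = allow|dontaudit, $2 = record
    _verb=$1
    _src=$(avc_type scontext "$2"); _tgt=$(avc_type tcontext "$2")
    _cls=$(avc_class "$2"); _perms=$(avc_perms "$2")
    set -- $_perms
    if [ $# -eq 1 ]; then
        printf '%s %s %s:%s %s;\n' "$_verb" "$_src" "$_tgt" "$_cls" "$1"
    else
        printf '%s %s %s:%s { %s };\n' "$_verb" "$_src" "$_tgt" "$_cls" "$_perms"
    fi
}

# Whole module: require block listing every type and, per class, the union of
# permissions seen; then one rule per record (header uses the first source type).
build_te() {  # $1 = module name, $2 = allow|dontaudit, $3.. = records
    _name=$1; _verb=$2; shift 2
    _types=''; _classes=''; _rules=''
    for _rec in "$@"; do
        _types="$_types$(avc_type scontext "$_rec")
$(avc_type tcontext "$_rec")
"
        _classes="$_classes$(avc_class "$_rec") $(avc_perms "$_rec")
"
        _rules="$_rules$(avc_rule "$_verb" "$_rec")
"
    done
    printf 'module %s 1.0;\n\nrequire {\n' "$_name"
    printf '%s' "$_types" | sort -u | sed 's/.*/    type &;/'
    printf '%s' "$_classes" | awk '{ for (i = 2; i <= NF; i++) if (!seen[$1, $i]++) p[$1] = p[$1] " " $i }
        END { for (c in p) printf "    class %s {%s };\n", c, p[c] }' | sort
    printf '}\n\n#============= %s ==============\n' "$(avc_type scontext "$1")"
    printf '%s' "$_rules"
}

# Compile and load NAME.te with the commands from the thread when the SELinux
# userland is installed; otherwise only show what would run.
build_and_load() {  # $1 = module name; expects $1.te in the current directory
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule >/dev/null 2>&1; then
        checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod" &&
        semodule -i "$1.pp"
    else
        printf 'would run: checkmodule -M -m -o %s.mod %s.te; semodule_package -o %s.pp -m %s.mod; semodule -i %s.pp\n' "$1" "$1" "$1" "$1" "$1"
    fi
}

# Demonstration: print the dontaudit module for the two records.
build_te postfix_local dontaudit "$AVC_GETATTR" "$AVC_READ"
```

Running the script prints the module to stdout; redirect it to postfix_local.te and call build_and_load postfix_local as root on a machine with the SELinux userland. Two quick checks afterwards: semodule -l should list postfix_local, and with the dontaudit variant the postdrop AVC should stop appearing in /var/log/audit/audit.log while the access itself still fails, which is the behaviour Wolfy wanted (with allow, the access would instead start succeeding).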
Re: [CentOS-docs] SELinux
Ralph Angenendt wrote:
> Ned Slider wrote:
>> Hi list,
>>
>> I've knocked up a contribution on SELinux here:
>>
>> http://wiki.centos.org/HowTos/SELinux
>>
>> I've tried to pitch it as an introduction for those not already familiar with SELinux but also hopefully a useful reference.
>
> Great article. What maybe should be added to the article is the fact that SELinux doesn't need programs to be changed, meaning that programs do not (need to) know about SELinux at all for it to work. So a SELinux denial just looks like a normal "access denied" to any program.
>
> Cheers,
>
> Ralph

Thanks Ralph. Added the following sentence:

Because SELinux is implemented within the kernel, individual applications do not need to be especially written or modified to work with SELinux. If SELinux blocks an action, this appears as just a normal "access denied" type error to the application.