Re: [CentOS-docs] SELinux, Amavis, Clamav

2012-11-08 Thread Harald Oehlmann
All ok, thank you,
Harald

On 08.11.2012 23:41, Ralph Angenendt wrote:
> On 28.10.2012 09:52, Harald Oehlmann wrote:
>> On 27.10.2012 23:33, Ralph Angenendt wrote:
>> 1) I would put the test chapter after the SELinux chapter
> 
> Okay.
> 
> 
>> 2) The first sentence in 5.1 suggests (to me) that the settings for
>> CentOS 5 are not required for CentOS 6. I don't think this is the case.
>>
>> Proposed change:
>> Current phrase: "For CentOS 6 a slightly different approach is needed."
>> New phrase: "For CentOS 6, additional steps are required."
> 
> Changed that.
> 
>> 3) Are you sure this is CentOS 6 specific? How do you know?
> 
> I tested this on CentOS 5 way back when that content was written. :)
> 
>> 4) I personally would add some explanation in 5.1 of what this is for.
>> The reason for the explanation is that this scheme may be used for
>> other virus scanners in an analogous way.
> 
> Added that, too.
> 
>> 5) I am not sure if the "Harald Oehlmann" and the link to the post are
>> very helpful...
> 
> I just wanted to give credit, where credit is due :) Plus: Your mail has
> some reasoning as to why that was added, which I don't know if that
> should belong on that page.
> 
> I can take that out, if you want.
> 
> Regards,
> 
> Ralph
> 
> ___
> CentOS-docs mailing list
> CentOS-docs@centos.org
> http://lists.centos.org/mailman/listinfo/centos-docs
> 


-- 
ELMICRON Dr. Harald Oehlmann GmbH
Koesener Str. 85
D - 06618 Naumburg
Phone: +49 (0)3445 78112 0
Fax: +49 (0)3445 78112 19
www.Elmicron.de
German legal references:
Geschaeftsfuehrer: Dr. Harald Oehlmann, Jens Oehlmann
UST Nr. / VAT ID No.: DE206105272
HRB 212803 Stendal
___
CentOS-docs mailing list
CentOS-docs@centos.org
http://lists.centos.org/mailman/listinfo/centos-docs


Re: [CentOS-docs] SELinux, Amavis, Clamav

2012-11-08 Thread Ralph Angenendt
On 28.10.2012 09:52, Harald Oehlmann wrote:
> On 27.10.2012 23:33, Ralph Angenendt wrote:
> 1) I would put the test chapter after the SELinux chapter

Okay.


> 2) The first sentence in 5.1 suggests (to me) that the settings for
> CentOS 5 are not required for CentOS 6. I don't think this is the case.
> 
> Proposed change:
> Current phrase: "For CentOS 6 a slightly different approach is needed."
> New phrase: "For CentOS 6, additional steps are required."

Changed that.

> 3) Are you sure this is CentOS 6 specific? How do you know?

I tested this on CentOS 5 way back when that content was written. :)

> 4) I personally would add some explanation in 5.1 of what this is for.
> The reason for the explanation is that this scheme may be used for
> other virus scanners in an analogous way.

Added that, too.

> 5) I am not sure if the "Harald Oehlmann" and the link to the post are
> very helpful...

I just wanted to give credit, where credit is due :) Plus: Your mail has
some reasoning as to why that was added, which I don't know if that
should belong on that page.

I can take that out, if you want.

Regards,

Ralph



Re: [CentOS-docs] SELinux, Amavis, Clamav

2012-10-28 Thread Harald Oehlmann
On 27.10.2012 23:33, Ralph Angenendt wrote:
> On 02.10.2012 10:19, Harald Oehlmann wrote:
> 
> Sorry for the massively late response.
> 
> I incorporated your changes into the wiki page (and pointed to your list
> post here).

Thank you, Ralph, acting on it.
I am an absolute beginner, so I was quite happy someone checked it.

Nevertheless, here are my additional remarks on:
http://wiki.centos.org/HowTos/Amavisd

1) I would put the test chapter after the SELinux chapter

2) The first sentence in 5.1 suggests (to me) that the settings for
CentOS 5 are not required for CentOS 6. I don't think this is the case.

Proposed change:
Current phrase: "For CentOS 6 a slightly different approach is needed."
New phrase: "For CentOS 6, additional steps are required."

3) Are you sure this is CentOS 6 specific? How do you know?

4) I personally would add some explanation in 5.1 of what this is for.
The reason for the explanation is that this scheme may be used for
other virus scanners in an analogous way.

Proposed text:
Amavis stores the message body and all attachments (subfolder
"parts") in a subfolder of "/var/amavis/tmp". The virus scanner
scans those files and writes its results to files in this folder.

Virus scanner action on this folder is stopped by SELinux, resulting in
errors like "(!)run_av (ClamAV-clamscan) FAILED" in "/var/log/mail".

Do the following to allow this interface with clam-av:
...

5) I am not sure if the "Harald Oehlmann" and the link to the post are
very helpful...

Thank you,
Harald



Re: [CentOS-docs] SELinux, Amavis, Clamav

2012-10-27 Thread Ralph Angenendt
On 02.10.2012 10:19, Harald Oehlmann wrote:

Sorry for the massively late response.

I incorporated your changes into the wiki page (and pointed to your list
post here).

> N.B. I was not able to edit the wiki nor leave something like a
> discussion comment, strange wiki...

There are two reasons for that: we hate spam and we'd like to see changes
beforehand, so we just have to care about wiki rot and not about wrong
entries in the wiki.


http://wiki.centos.org/Contribute#head-42b3d8e26400a106851a61aebe5c2cca54dd79e5

shows some reasons for that.

Thank you for helping out,

Ralph


Re: [CentOS-docs] SELinux

2008-08-17 Thread Ralph Angenendt
Ned Slider wrote:
> I don't see an obvious existing category to add it under.
>
> Any thoughts?

Open a Security subsection and also move the securing SSH page to there :)

IMO.

Ralph



Re: [CentOS-docs] SELinux

2008-08-17 Thread Ned Slider

Ned Slider wrote:

Hi list,

I've knocked up a contribution on SELinux here:

http://wiki.centos.org/HowTos/SELinux



Any suggestions as to where this should be linked under 
http://wiki.centos.org/HowTos ?


I don't see an obvious existing category to add it under.

Any thoughts?



Re: [CentOS-docs] SELinux

2008-08-12 Thread Manuel Wolfshant

On 08/12/2008 10:09 PM, Ned Slider wrote:


Thanks.

One wonders why postdrop is interested in /var/log/httpd/error_log?
One plus me equals two people wondering. But I do not trust before
understanding, hence the dontaudit versus allow.



Re: [CentOS-docs] SELinux

2008-08-12 Thread Ned Slider

Manuel Wolfshant wrote:

On 08/12/2008 07:12 PM, Ned Slider wrote:

Manuel Wolfshant wrote:

Ned Slider wrote:

Hi list,

I've knocked up a contribution on SELinux here:

http://wiki.centos.org/HowTos/SELinux

I've tried to pitch it as an introduction for those not already 
familiar with SELinux but also hopefully a useful reference.


I'm relatively new to SELinux and have covered pretty much 
everything I know to the limits of my limited knowledge. If folks 
think other material needs to be covered then it may be more 
appropriate for them to make the additions rather than me. Consider 
it a "get the ball rolling" contribution that the community can add 
to as necessary :)


Comments welcomed,
I would add the following just before "Summary" (in case one wants to 
edit the rules suggested by audit2allow):


   Building module policy manually


- grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
- while reviewing the generated postfix.te

   module local 1.0;

   require {
   type httpd_log_t;
   type postfix_postdrop_t;
   class dir getattr;
   class file { read getattr };
   }

   #============= postfix_postdrop_t ==============
   allow postfix_postdrop_t httpd_log_t:file getattr;




Wolfy,

Are you able to supply an example of the audit.log AVC message(s) that 
are used to create this .te policy? It might be useful to show the 
actual AVC error messages in explaining this process.


Thanks,
here you are. I hope I have not trashed anything valuable but most of 
the info must be here




Thanks.

One wonders why postdrop is interested in /var/log/httpd/error_log?




PS, for those who might be tempted to comment about the kernel version: 
I already know what you want to say.







Re: [CentOS-docs] SELinux

2008-08-12 Thread Manuel Wolfshant

On 08/12/2008 07:12 PM, Ned Slider wrote:

Manuel Wolfshant wrote:

Ned Slider wrote:

Hi list,

I've knocked up a contribution on SELinux here:

http://wiki.centos.org/HowTos/SELinux

I've tried to pitch it as an introduction for those not already 
familiar with SELinux but also hopefully a useful reference.


I'm relatively new to SELinux and have covered pretty much 
everything I know to the limits of my limited knowledge. If folks 
think other material needs to be covered then it may be more 
appropriate for them to make the additions rather than me. Consider 
it a "get the ball rolling" contribution that the community can add 
to as necessary :)


Comments welcomed,
I would add the following just before "Summary" (in case one wants to 
edit the rules suggested by audit2allow):


   Building module policy manually


- grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
- while reviewing the generated postfix.te

   module local 1.0;

   require {
   type httpd_log_t;
   type postfix_postdrop_t;
   class dir getattr;
   class file { read getattr };
   }

   #============= postfix_postdrop_t ==============
   allow postfix_postdrop_t httpd_log_t:file getattr;




Wolfy,

Are you able to supply an example of the audit.log AVC message(s) that 
are used to create this .te policy? It might be useful to show the 
actual AVC error messages in explaining this process.


Thanks,
here you are. I hope I have not trashed anything valuable but most of 
the info must be here




PS, for those who might be tempted to comment about the kernel version: 
I already know what you want to say.

Summary:

SELinux is preventing postdrop (postfix_postdrop_t) "getattr" to
/var/log/httpd/error_log (httpd_log_t).

Detailed Description:

SELinux denied access requested by postdrop. It is not expected that this access
is required by postdrop and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/log/httpd/error_log,

restorecon -v '/var/log/httpd/error_log'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context        system_u:system_r:postfix_postdrop_t
Target Context        root:object_r:httpd_log_t
Target Objects        /var/log/httpd/error_log [ file ]
Source                postdrop
Source Path           /usr/sbin/postdrop
Port                  
Host                  sanitized
Source RPM Packages   postfix-2.3.3-2
Target RPM Packages   
Policy RPM            selinux-policy-2.4.6-137.1.el5
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall_file
Host Name             sanitized
Platform              Linux sanitized 2.6.18-53.1.21.el5 #1 SMP Tue
                      May 20 09:35:07 EDT 2008 x86_64 x86_64
Alert Count           599
First Seen            Wed Jul  2 08:27:15 2008
Last Seen             Sun Aug 10 22:47:52 2008
Local ID              c303a4ea-8e7a-4acc-9118-9cc61c6a2ec8
Line Numbers          

Raw Audit Messages

host=sanitized type=AVC msg=audit(1218397672.372:352): avc:  denied  { getattr 
} for  pid=4262 comm="postdrop" path="/var/log/httpd/error_log" dev=md2 
ino=117005 scontext=system_u:system_r:postfix_postdrop_t:s0 
tcontext=root:object_r:httpd_log_t:s0 tclass=file

host=sanitized type=SYSCALL msg=audit(1218397672.372:352): arch=c03e 
syscall=5 success=no exit=-13 a0=2 a1=7fffd6febca0 a2=7fffd6febca0 a3=0 items=0 
ppid=4261 pid=4262 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 
egid=90 sgid=90 fsgid=90 tty=(none) comm="postdrop" exe="/usr/sbin/postdrop" 
subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)





Re: [CentOS-docs] SELinux

2008-08-12 Thread Ned Slider

Manuel Wolfshant wrote:

Ned Slider wrote:

Hi list,

I've knocked up a contribution on SELinux here:

http://wiki.centos.org/HowTos/SELinux

I've tried to pitch it as an introduction for those not already 
familiar with SELinux but also hopefully a useful reference.


I'm relatively new to SELinux and have covered pretty much everything 
I know to the limits of my limited knowledge. If folks think other 
material needs to be covered then it may be more appropriate for them 
to make the additions rather than me. Consider it a "get the ball 
rolling" contribution that the community can add to as necessary :)


Comments welcomed,
I would add the following just before "Summary" (in case one wants to 
edit the rules suggested by audit2allow):


   Building module policy manually


- grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
- while reviewing the generated postfix.te

   module local 1.0;

   require {
   type httpd_log_t;
   type postfix_postdrop_t;
   class dir getattr;
   class file { read getattr };
   }

   #============= postfix_postdrop_t ==============
   allow postfix_postdrop_t httpd_log_t:file getattr;




Wolfy,

Are you able to supply an example of the audit.log AVC message(s) that 
are used to create this .te policy? It might be useful to show the 
actual AVC error messages in explaining this process.


Thanks,

Ned


Re: [CentOS-docs] SELinux

2008-08-12 Thread Ned Slider

Manuel Wolfshant wrote:

Ned Slider wrote:

Hi list,

I've knocked up a contribution on SELinux here:

http://wiki.centos.org/HowTos/SELinux

I've tried to pitch it as an introduction for those not already 
familiar with SELinux but also hopefully a useful reference.


I'm relatively new to SELinux and have covered pretty much everything 
I know to the limits of my limited knowledge. If folks think other 
material needs to be covered then it may be more appropriate for them 
to make the additions rather than me. Consider it a "get the ball 
rolling" contribution that the community can add to as necessary :)


Comments welcomed,
I would add the following just before "Summary" (in case one wants to 
edit the rules suggested by audit2allow):


   Building module policy manually


- grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
- while reviewing the generated postfix.te

   module local 1.0;

   require {
   type httpd_log_t;
   type postfix_postdrop_t;
   class dir getattr;
   class file { read getattr };
   }

   #============= postfix_postdrop_t ==============
   allow postfix_postdrop_t httpd_log_t:file getattr;


we decide that we do not want either to *relabel* the files or to 
*allow* the action, but it is safe to *ignore* the warnings. Therefore 
we edit the action rule, like below:


   dontaudit postfix_postdrop_t httpd_log_t:file getattr;

We now need to compile and load the policy:

   $ checkmodule -M -m -o postfix.mod postfix.te
   $ semodule_package -o postfix.pp -m postfix.mod
   $ semodule -i postfix.pp



Thanks Wolfy :)

I think I need to read up some more and expand section(s) at the end of 
the document on policy modules. I'll incorporate the above into that 
process.


Also, does anyone know if there are any guidelines/best practice on the 
naming of custom policy modules? I'm wondering if it's wise to create 
local policy modules with names like postfix or postgrey etc, as 
conceivably these may later get overwritten by policy modules supplied 
from elsewhere? Maybe something like postfix.local.pp might be more 
appropriate?




Re: [CentOS-docs] SELinux

2008-08-12 Thread Ned Slider

Ralph Angenendt wrote:

Ned Slider wrote:

Hi list,

I've knocked up a contribution on SELinux here:

http://wiki.centos.org/HowTos/SELinux

I've tried to pitch it as an introduction for those not already familiar  
with SELinux but also hopefully a useful reference.


Great article. 


What maybe should be added to the article is the fact, that SELinux
doesn't need programs to be changed, meaning that programs do not (need
to) know about SELinux at all for it to work. So a SELinux denial just
looks like a normal "access denied" to any program.

Cheers,

Ralph



Thanks Ralph.

Added the following sentence:

Because SELinux is implemented within the kernel, individual 
applications do not need to be especially written or modified to work 
with SELinux. If SELinux blocks an action, this appears as just a normal 
"access denied" type error to the application.



Re: [CentOS-docs] SELinux

2008-08-11 Thread Alan Bartlett
On 11/08/2008, Ned Slider <[EMAIL PROTECTED]> wrote:
>
>
> I've knocked up a contribution on SELinux here:
>
> http://wiki.centos.org/HowTos/SELinux
>
> I've tried to pitch it as an introduction for those not already familiar
> with SELinux but also hopefully a useful reference.


Excellent work and, IMO, a very valuable reference guide.  :-D

Alan.


Re: [CentOS-docs] SELinux

2008-08-11 Thread Ralph Angenendt
Ned Slider wrote:
> Hi list,
>
> I've knocked up a contribution on SELinux here:
>
> http://wiki.centos.org/HowTos/SELinux
>
> I've tried to pitch it as an introduction for those not already familiar  
> with SELinux but also hopefully a useful reference.

Great article. 

What maybe should be added to the article is the fact, that SELinux
doesn't need programs to be changed, meaning that programs do not (need
to) know about SELinux at all for it to work. So a SELinux denial just
looks like a normal "access denied" to any program.

Cheers,

Ralph




Re: [CentOS-docs] SELinux

2008-08-11 Thread Manuel Wolfshant

Ned Slider wrote:

Hi list,

I've knocked up a contribution on SELinux here:

http://wiki.centos.org/HowTos/SELinux

I've tried to pitch it as an introduction for those not already 
familiar with SELinux but also hopefully a useful reference.


I'm relatively new to SELinux and have covered pretty much everything 
I know to the limits of my limited knowledge. If folks think other 
material needs to be covered then it may be more appropriate for them 
to make the additions rather than me. Consider it a "get the ball 
rolling" contribution that the community can add to as necessary :)


Comments welcomed,
I would add the following just before "Summary" (in case one wants to 
edit the rules suggested by audit2allow):


   Building module policy manually


- grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
- while reviewing the generated postfix.te

   module local 1.0;

   require {
   type httpd_log_t;
   type postfix_postdrop_t;
   class dir getattr;
   class file { read getattr };
   }

   #============= postfix_postdrop_t ==============
   allow postfix_postdrop_t httpd_log_t:file getattr;


we decide that we do not want either to *relabel* the files or to 
*allow* the action, but it is safe to *ignore* the warnings. Therefore 
we edit the action rule, like below:


   dontaudit postfix_postdrop_t httpd_log_t:file getattr;

We now need to compile and load the policy:

   $ checkmodule -M -m -o postfix.mod postfix.te
   $ semodule_package -o postfix.pp -m postfix.mod
   $ semodule -i postfix.pp



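The procedure Wolfy describes above (grep the AVC records, let audit2allow write the .te, review it, downgrade the rule to dontaudit, then compile with checkmodule and semodule_package) and the raw audit messages he quoted earlier in the thread can be tied together with the script below. It is an added example, not code from the thread or the CentOS wiki: a small shell/awk re-implementation of audit2allow's extraction step, with a constructed audit sample modelled on the quoted postdrop denial.

```shell
#!/bin/sh
# Added example (not code from the thread or the CentOS wiki): the
# extraction step audit2allow performs on raw AVC denials, written out
# so the generated .te can be reviewed and the rule switched between
# "allow" and "dontaudit" before it is compiled and loaded.

# Constructed sample, modelled on the denial quoted in the thread
# (postdrop doing getattr on /var/log/httpd/error_log); not a capture.
SAMPLE_AVC='type=AVC msg=audit(1218397672.372:352): avc:  denied  { getattr } for  pid=4262 comm="postdrop" path="/var/log/httpd/error_log" dev=md2 ino=117005 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1218397672.372:352): syscall=5 success=no exit=-13 comm="postdrop" exe="/usr/sbin/postdrop"
type=AVC msg=audit(1218397700.101:353): avc:  denied  { read } for  pid=4262 comm="postdrop" path="/var/log/httpd/error_log" dev=md2 ino=117005 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file'

# Read audit records on stdin; for each AVC denial print one
# "source_type target_type class permission" tuple (deduplicated).
# Only the type field (third component) of each context matters here;
# SYSCALL and other record types are skipped.
avc_tuples() {
    awk '/type=AVC/ && /avc: *denied/ {
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        perms = $0                      # permissions sit between { and }
        sub(/.*denied *[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' | sort -u
}

# Turn the tuples on stdin into a .te module. $1 = module name,
# $2 = rule keyword: "allow" grants the access; "dontaudit" (the choice
# made in the thread) only silences the log entry, the access stays denied.
avc_to_te() {
    name=$1; verb=${2:-allow}
    avc_tuples | awk -v name="$name" -v verb="$verb" '
    {
        types[$1] = 1; types[$2] = 1
        if (!(($3, $4) in seen)) { seen[$3, $4] = 1; cp[$3] = cp[$3] " " $4 }
        key = $1 " " $2 ":" $3
        rule[key] = rule[key] " " $4
        if (!(key in pos)) { pos[key] = ++n; keys[n] = key }
    }
    END {
        print "module " name " 1.0;\n"
        print "require {"
        for (t in types) print "\ttype " t ";"
        for (c in cp)    print "\tclass " c " {" cp[c] " };"
        print "}\n"
        for (i = 1; i <= n; i++) print verb " " keys[i] " {" rule[keys[i]] " };"
    }'
}

# Stand-alone run: print the module for review. To compile and load it
# (as root): checkmodule -M -m -o postfix.mod postfix.te;
# semodule_package -o postfix.pp -m postfix.mod; semodule -i postfix.pp
printf '%s\n' "$SAMPLE_AVC" | avc_to_te postfix dontaudit
```

Against a real system the same functions read `/var/log/audit/audit.log` (or a `grep postdrop` of it) instead of the constructed sample.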