Re: SELinux question

2020-06-26 Thread Zdenek Pytela
On Thu, Jun 25, 2020 at 8:54 PM Samuel Sieb  wrote:

> On 6/24/20 12:03 PM, Iñaki Ucar wrote:
> > Thanks. I found another tutorial (from RedHat) which basically says:
> >
> > 1. Implement your service, give it a new SELinux type and run it.
> > 2. Collect all the complaints from SELinux.
> > 3. Use audit2allow to convert them to rules.
> > 4. Repeat until you don't get any more complaints.
> >
> > And I cannot believe my eyes. Is this *really* the way to implement
> > SELinux policies? It seems like a joke to me. Isn't there any notion
> > of inheritance or something like that? Like, I want my type to have
>
> I suppose that's the "easy" way.  The better way would be to figure out
> what permissions and transitions your service needs and write the rules
> for that.
>
You are right, as nobody but the developer can be aware of which
permissions are actually needed: SELinux can also help with finding bugs in
the app, so it is not always reasonable to allow every permission audited.

There are tools which can support you in the beginning, like sepolicy
generate. Some of the audited denials are easy to understand; for others you
need to figure out what they mean:
https://selinuxproject.org/page/ObjectClassesPerms

If your goal is to confine the application, you should follow this
documentation:
https://fedoraproject.org/wiki/SELinux/IndependentPolicy
The selinux-policy devel package, e.g. the example.?? files, can work as a
source of inspiration.



-- 

Zdenek Pytela
Security controls team
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
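A worked policy module for the approach Nathanael describes further down the thread (label the script with its own type, then allow that type only what it needs) and for the "inheritance" and booleans Iñaki asks about. This is an added example written for this page; it is not from the thread, from the selinux-policy sources, or from the example.?? files Zdenek mentions. The module name myservice, the runtime directory type, and the assumption that the client app runs as unconfined_t are all made up for illustration; the real target type has to come from the tcontext= of your own denial. In the reference policy, reuse is done by calling interfaces (files_read_etc_files, logging_send_syslog_msg, ...) rather than by inheriting another domain, and booleans are declared in the .te with gen_tunable and consumed with tunable_policy.

```selinux
policy_module(myservice, 1.0.0)

########################################
#
# Declarations
#

# Domain for the running service and entrypoint type for its script.
# With the script labeled myservice_exec_t (see the .fc line in the note
# below), init transitions into myservice_t when it starts the unit,
# so the rules apply to this script only, not to every python3 process.
type myservice_t;
type myservice_exec_t;
init_daemon_domain(myservice_t, myservice_exec_t)

# Runtime state under /run gets its own type (assumed layout).
type myservice_var_run_t;
files_pid_file(myservice_var_run_t)

# Types declared by other modules must be required before use.
# unconfined_t as the client's domain is an assumption for this example.
gen_require(`
	type unconfined_t;
')

## <desc>
## <p>
## Allow myservice to write progress messages into the stderr
## of the unconfined client process that talks to it.
## </p>
## </desc>
gen_tunable(myservice_write_client_stderr, false)

########################################
#
# myservice local policy
#

# "Inheritance" in the reference policy means calling interfaces: each one
# expands to the allow rules another module exports, so the domain picks up
# exactly that capability and not a whole other domain's rights.
corecmd_exec_bin(myservice_t)            # the python3 interpreter is bin_t
files_read_etc_files(myservice_t)
miscfiles_read_localization(myservice_t)
logging_send_syslog_msg(myservice_t)
sysnet_dns_name_resolve(myservice_t)

# Private runtime state: full control over our own type only.
manage_dirs_pattern(myservice_t, myservice_var_run_t, myservice_var_run_t)
manage_files_pattern(myservice_t, myservice_var_run_t, myservice_var_run_t)
files_pid_filetrans(myservice_t, myservice_var_run_t, { dir file })

# Access that is only legitimate in some deployments sits behind the boolean
# declared above instead of being granted unconditionally.  The rule below
# mirrors the "write access on the directory fd" denial from the thread and
# is an assumption; copy the class and permissions from your own denial.
tunable_policy(`myservice_write_client_stderr',`
	allow myservice_t unconfined_t:dir write;
')
```

The matching myservice.fc needs one line for the entrypoint, e.g. `/usr/libexec/myservice -- gen_context(system_u:object_r:myservice_exec_t,s0)` (path assumed). Build with the Makefile shipped by selinux-policy-devel, `make -f /usr/share/selinux/devel/Makefile myservice.pp`, load with `semodule -i myservice.pp`, relabel the script with `restorecon -v /usr/libexec/myservice`, and enable the conditional rules on a given host with `setsebool -P myservice_write_client_stderr on`.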


Re: SELinux question

2020-06-25 Thread Samuel Sieb

On 6/24/20 12:03 PM, Iñaki Ucar wrote:

> Thanks. I found another tutorial (from RedHat) which basically says:
>
> 1. Implement your service, give it a new SELinux type and run it.
> 2. Collect all the complaints from SELinux.
> 3. Use audit2allow to convert them to rules.
> 4. Repeat until you don't get any more complaints.
>
> And I cannot believe my eyes. Is this *really* the way to implement
> SELinux policies? It seems like a joke to me. Isn't there any notion
> of inheritance or something like that? Like, I want my type to have

I suppose that's the "easy" way.  The better way would be to figure out
what permissions and transitions your service needs and write the rules
for that.



Re: SELinux question

2020-06-25 Thread Miroslav Suchý
On 24. 06. 20 at 21:03, Iñaki Ucar wrote:
> 3. Use audit2allow to convert them to rules.
> 4. Repeat until you don't get any more complaints.
> 
> And I cannot believe my eyes. Is this *really* the way to implement
> SELinux policies? It seems like a joke to me.

No. It is a bit complicated. You should run audit2allow with the -R option.
And you should actually review what audit2allow produces. But otherwise... yes,
it is that simple.

-- 
Miroslav Suchy, RHCA
Red Hat, Associate Manager ABRT/Copr, #brno, #fedora-buildsys
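What the "collect denials, run audit2allow, review" loop that Qiyu and Miroslav describe actually does, as an added example written for this page (not the real audit2allow, and not code from the thread): aggregate AVC records into allow rules the way audit2allow does, then run the review pass Miroslav insists on before anything is pasted into a .te. The audit lines are constructed for the example; the first two imitate the "write access on the directory fd" denial from the thread under the assumption that the client app runs as unconfined_t, and the last is a deliberately suspicious denial that a reviewer must refuse to allow. The sensitive-type and sensitive-permission lists are illustrative. The real tool additionally replaces raw rules with reference-policy interfaces (-R) and, via audit2why, points out booleans that would already permit the access; neither is reproduced here.

```python
"""audit2allow-style aggregation of AVC denials, plus a review pass.

Added example for this thread; it is not the real audit2allow.
"""
import re
from collections import defaultdict

# Constructed sample audit records, not real logs from the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1593000000.101:201): avc:  denied  { write } for  pid=1234 comm="python3" name="fd" dev="proc" ino=56789 scontext=system_u:system_r:myservice_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1593000000.102:202): avc:  denied  { read } for  pid=1234 comm="python3" name="2" dev="proc" ino=56790 scontext=system_u:system_r:myservice_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=lnk_file permissive=1
type=AVC msg=audit(1593000000.103:203): avc:  denied  { read open } for  pid=1234 comm="python3" path="/etc/hosts" dev="dm-0" ino=1111 scontext=system_u:system_r:myservice_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1593000000.104:204): avc:  denied  { getattr } for  pid=1234 comm="python3" path="/etc/hosts" dev="dm-0" ino=1111 scontext=system_u:system_r:myservice_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1593000000.105:205): avc:  denied  { write } for  pid=1234 comm="python3" name="shadow" dev="dm-0" ino=2222 scontext=system_u:system_r:myservice_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Illustrative review lists: targets and permissions that must never be
# allowed just because a denial was logged.  Extend for your own policy.
SENSITIVE_TYPES = {"shadow_t", "security_t", "selinux_config_t", "kernel_t"}
SENSITIVE_PERMS = {"execmem", "execstack", "execmod", "dac_override",
                   "dac_read_search", "sys_admin", "sys_ptrace", "sys_module"}


def context_type(ctx):
    """user:role:type[:range] -> type (the range may contain ':' too)."""
    return ctx.split(":")[2]


def parse_avc(log_text):
    """Extract (permissions, source type, target type, class) from AVC lines."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def build_allow_rules(denials):
    """Merge denials into (source, target, class) -> permissions, like audit2allow."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def render_rule(key, perms):
    """Render one rule in audit2allow's output syntax."""
    stype, ttype, tclass = key
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def render_rules(rules):
    return [render_rule(k, p) for k, p in sorted(rules.items())]


def flag_for_review(rules):
    """Return (rule, reason) for rules that must not go into a .te unexamined."""
    flagged = []
    for key, perms in sorted(rules.items()):
        _, ttype, _ = key
        reasons = []
        if ttype in SENSITIVE_TYPES:
            reasons.append(f"target type {ttype} is sensitive")
        dangerous = perms & SENSITIVE_PERMS
        if dangerous:
            reasons.append("dangerous permissions: " + " ".join(sorted(dangerous)))
        if reasons:
            flagged.append((render_rule(key, perms), "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    rules = build_allow_rules(parse_avc(SAMPLE_AUDIT_LOG))
    for rule in render_rules(rules):
        print(rule)
    for rule, why in flag_for_review(rules):
        print("REVIEW:", rule, "->", why)
```

On the sample input the aggregation yields four rules (the two /etc/hosts denials collapse into one `{ getattr open read }` rule on net_conf_t), and the review pass singles out the write to shadow_t: a denial like that is the bug-finding signal Zdenek refers to, not a rule to allow.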


Re: SELinux question

2020-06-24 Thread Iñaki Ucar
On Wed, 24 Jun 2020 21:15, Jared K. Smith wrote:

> On Wed, Jun 24, 2020 at 4:55 AM Iñaki Ucar 
> wrote:
>
>> I need some help from a SELinux guru. TL;DR, I've developed a small
>> service. An app talks to this service, the service does some stuff
>> and, in the meanwhile, it reports the progress to the app user by
>> writing some messages into the stderr (/proc//fd/2) of that app.
>>
>
> Search on YouTube for one of Thomas Cameron's presentations entitled
> "SELinux for Mere Mortals" -- I've found his presentations to be very
> informative and approachable.
>

Thanks, Jared, will do.

Iñaki



Re: SELinux question

2020-06-24 Thread Jared K. Smith
On Wed, Jun 24, 2020 at 4:55 AM Iñaki Ucar  wrote:

> I need some help from a SELinux guru. TL;DR, I've developed a small
> service. An app talks to this service, the service does some stuff
> and, in the meanwhile, it reports the progress to the app user by
> writing some messages into the stderr (/proc//fd/2) of that app.
>

Search on YouTube for one of Thomas Cameron's presentations entitled
"SELinux for Mere Mortals" -- I've found his presentations to be very
informative and approachable.

-Jared


Re: SELinux question

2020-06-24 Thread Iñaki Ucar
On Wed, 24 Jun 2020 at 20:45, Nathanael D. Noblet  wrote:
>
> On Wed, 2020-06-24 at 12:12 +0200, Iñaki Ucar wrote:
> > Thanks, I got [1] and [2] more or less covered thanks to the output
> > of
> > the SELinux troubleshooter. The missing parts were how to get
> > policies
> > into a subpackage (and [3] explains this, thanks), and how to write a
> > rule just for my script, not for the whole python3 stack, and I'm
> > still missing that bit.
>
> So I can't exactly point you to some documents, but the link below may
> help. The basic idea is you need to label your script and give it a
> type, and then allow that type to access the type/action it's trying to
> do. Like the httpd daemon has a type and there are then file types, and
> a process running in the httpd_t domain can read files but not talk to
> the network, for example... Hope that helps.
>
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-Security-Enhanced_Linux-SELinux_Contexts

Thanks. I found another tutorial (from RedHat) which basically says:

1. Implement your service, give it a new SELinux type and run it.
2. Collect all the complaints from SELinux.
3. Use audit2allow to convert them to rules.
4. Repeat until you don't get any more complaints.

And I cannot believe my eyes. Is this *really* the way to implement
SELinux policies? It seems like a joke to me. Isn't there any notion
of inheritance or something like that? Like, I want my type to have
the permissions of this other type plus these two more rules. Also,
audit2allow tells me that a bunch of rules can be substituted by just
flipping a boolean, but I cannot include booleans in the .te file?
Everything is very confusing to me.

-- 
Iñaki Úcar


Re: SELinux question

2020-06-24 Thread Nathanael D. Noblet
On Wed, 2020-06-24 at 12:12 +0200, Iñaki Ucar wrote:
> Thanks, I got [1] and [2] more or less covered thanks to the output
> of
> the SELinux troubleshooter. The missing parts were how to get
> policies
> into a subpackage (and [3] explains this, thanks), and how to write a
> rule just for my script, not for the whole python3 stack, and I'm
> still missing that bit.

So I can't exactly point you to some documents, but the link below may
help. The basic idea is you need to label your script and give it a
type, and then allow that type to access the type/action it's trying to
do. Like the httpd daemon has a type and there are then file types, and
a process running in the httpd_t domain can read files but not talk to
the network, for example... Hope that helps.


https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-Security-Enhanced_Linux-SELinux_Contexts

> 
> > [1] https://fedoraproject.org/wiki/SELinux/audit2why
> > [2] https://fedoraproject.org/wiki/SELinux/audit2allow
> > [3] https://fedoraproject.org/wiki/SELinux/IndependentPolicy
> 
> -- 
> Iñaki Úcar


Re: SELinux question

2020-06-24 Thread Iñaki Ucar
On Wed, 24 Jun 2020 at 11:05, Qiyu Yan  wrote:
>
> Run your program in permissive mode and use audit2why [1] to see what's wrong.
> If you have to allow that, you can use audit2allow [2] to produce a
> policy package that allows that behavior in a package.
> I don't know how to make this into a package; maybe [3] will help.

Thanks, I got [1] and [2] more or less covered thanks to the output of
the SELinux troubleshooter. The missing parts were how to get policies
into a subpackage (and [3] explains this, thanks), and how to write a
rule just for my script, not for the whole python3 stack, and I'm
still missing that bit.

> [1] https://fedoraproject.org/wiki/SELinux/audit2why
> [2] https://fedoraproject.org/wiki/SELinux/audit2allow
> [3] https://fedoraproject.org/wiki/SELinux/IndependentPolicy

-- 
Iñaki Úcar


Re: SELinux question

2020-06-24 Thread Qiyu Yan
Run your program in permissive mode and use audit2why [1] to see what's wrong.
If you have to allow that, you can use audit2allow [2] to produce a
policy package that allows that behavior in a package.
I don't know how to make this into a package; maybe [3] will help.

[1] https://fedoraproject.org/wiki/SELinux/audit2why
[2] https://fedoraproject.org/wiki/SELinux/audit2allow
[3] https://fedoraproject.org/wiki/SELinux/IndependentPolicy


SELinux question

2020-06-24 Thread Iñaki Ucar
Hi,

I need some help from a SELinux guru. TL;DR, I've developed a small
service. An app talks to this service, the service does some stuff
and, in the meanwhile, it reports the progress to the app user by
writing some messages into the stderr (/proc//fd/2) of that app.

So far so good. Now, I keep receiving SELinux reports: "SELinux is
preventing python3 from write access on the directory fd" (because the
service is written in Python). First, I see the output in the app, so
I don't really know what SELinux is preventing. Second, what can I do
to tell SELinux that this is ok? I mean, I would like to package the
service and put some SELinux rule along with it. Any pointer would be
appreciated.

Regards,
-- 
Iñaki Úcar