[CentOS] selinux blocks rsync client in systemd service

2023-11-03 Thread Kenneth Porter
I'm trying to slurp a CentOS 7's filesystem to another CentOS 7 system 
using rsyncd on the supplying side and rsync running as a client in a timer 
unit on the client side. My backup script on the backup system runs fine 
from the command line. When run from a systemd timer unit, rsync sends 
nothing to the systemd log and I see a denial in the audit log for a Unix 
domain socket in init_t context. I'm guessing it's trying to write to 
stdout which is getting redirected to systemd's log. The service unit file 
has StandardOutput=syslog in order to capture the list of files backed up.


The following selinux rule seems to fix this:

allow rsync_t init_t:unix_stream_socket { getattr read write };

I also found it necessary to add --no-devices and --no-specials to my 
backup script, but I can live with that. A few devices show up in chroots 
and postfix has some sockets in its package. Those are easily recreated if 
I need to do a restore.


So is this selinux rule an oversight? Should there be an rsync bool for it? 
Or was this fixed in a more recent version of systemd?


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] selinux / duplicate subject to a custom named one

2022-07-22 Thread Leon Fauster via CentOS

Hey everyone,

I wonder if I could copy an SELinux subject (processes / httpd) to a 
local named one, so that it gets the same configuration as the source.

e.g.:

httpd_exec_t -> httpd_microservice_exec_t

The problem here: Some http microservices written in golang do get the 
same label as apache httpd (this is intentional for having a confined 
service):


# ls -laZ /usr/libexec/myservice
-rwxr-xr-x. 1 root root system_u:object_r:httpd_exec_t:s0 5168952 22. Jul 17:11 /usr/libexec/myservice


Unfortunately, these webservices need access to /proc (e.g. for 
enumerating the sending queue via /proc/sys/net/core/somaxconn).


Instead of installing a module that allows this for all "httpd_t"

allow httpd_t sysctl_net_t:file read;

I would like to have a custom configuration that's a duplication of the 
httpd_t one. The module would then only allow read access for 
applications that really need it.


Is that possible? Any other straight approach available?

--
Thanks
Leon


Re: [CentOS] SELinux relabeling for a different mount point

2022-04-01 Thread Leon Fauster via CentOS

On 01.04.22 at 04:03, Kenneth Porter wrote:
> I'm preparing a disk mounted at /mnt/tmp to later be mounted at 
> /var/lib/BackupPC. Is there some magic invocation to get the selinux 
> labels for the structure I create to assume the final mount point, so 
> that I don't have to relabel it when it's finally mounted at its target 
> location? Or is there an argument to restorecon that will do the 
> equivalent of chroot so that restorecon assumes the final location?

Check

$ man semanage-fcontext

for the "equal" switch.

--
Leon

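An added example (not from Leon's reply or the semanage man page) that emulates what the "equal" switch does, so its effect on a staging disk like Kenneth's /mnt/tmp can be seen without touching a live system: libselinux rewrites the /mnt/tmp prefix to /var/lib/BackupPC before consulting the file_contexts rules, so restorecon labels the staged tree as if it already sat at its final location. The rule table below is constructed, and backuppc_var_lib_t is a hypothetical type.

```python
"""Emulate the path equivalence that `semanage fcontext -a -e` installs:
the alias prefix is substituted before file_contexts matching, so files
staged under /mnt/tmp get the labels of /var/lib/BackupPC."""
import re
from typing import Dict, List, Tuple

# Constructed file_contexts-style rules (regex -> type). var_lib_t and
# default_t are real targeted-policy types; backuppc_var_lib_t is hypothetical.
RULES: List[Tuple[str, str]] = [
    (r"/.*", "default_t"),
    (r"/var/lib(/.*)?", "var_lib_t"),
    (r"/var/lib/BackupPC(/.*)?", "backuppc_var_lib_t"),
    (r"/mnt(/[^/]*)?", "mnt_t"),
]

# Equivalent of:  semanage fcontext -a -e /var/lib/BackupPC /mnt/tmp
# (first argument: existing path whose rules are reused; second: the alias).
EQUIVALENCES: Dict[str, str] = {"/mnt/tmp": "/var/lib/BackupPC"}

_META = re.compile(r"[.^$*+?()\[\]{}|\\]")


def stem(regex: str) -> str:
    """Literal prefix of a rule, up to its first regex metacharacter."""
    m = _META.search(regex)
    return regex if m is None else regex[: m.start()]


def canonical_path(path: str, equivalences: Dict[str, str]) -> str:
    """Apply the equivalence substitution. Only whole path components match,
    so an /mnt/tmp equivalence leaves /mnt/tmpfoo untouched."""
    for alias, target in equivalences.items():
        if path == alias or path.startswith(alias + "/"):
            return target + path[len(alias):]
    return path


def label(path: str, rules=RULES, equivalences=EQUIVALENCES) -> str:
    """Type restorecon would assign: among matching rules the one with the
    longest literal stem wins, and a literal rule beats a regex with the same
    stem (an approximation of how libselinux orders file_contexts entries)."""
    lookup = canonical_path(path, equivalences)
    best = None
    for regex, stype in rules:
        if re.fullmatch(regex, lookup) is None:
            continue
        rank = (len(stem(regex)), _META.search(regex) is None)
        if best is None or rank > best[0]:
            best = (rank, stype)
    if best is None:
        raise LookupError(f"no file_contexts rule matches {lookup}")
    return best[1]


if __name__ == "__main__":
    for p in ("/mnt/tmp", "/mnt/tmp/pc/host1", "/mnt/tmpfoo"):
        print(f"{p:22} with equivalence -> {label(p):20} "
              f"without -> {label(p, equivalences={})}")
```

On a real system the same effect comes from `semanage fcontext -a -e /var/lib/BackupPC /mnt/tmp` followed by `restorecon -Rv /mnt/tmp`; once the disk is moved, the final path matches the normal rules with no equivalence needed.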


[CentOS] SELinux relabeling for a different mount point

2022-03-31 Thread Kenneth Porter
I'm preparing a disk mounted at /mnt/tmp to later be mounted at 
/var/lib/BackupPC. Is there some magic invocation to get the selinux labels 
for the structure I create to assume the final mount point, so that I don't 
have to relabel it when it's finally mounted at its target location? Or is 
there an argument to restorecon that will do the equivalent of chroot so 
that restorecon assumes the final location?




[CentOS] selinux modules compat

2021-12-07 Thread Leon Fauster via CentOS

Hey, after some time not touching any selinux config, I wonder about
the bin format of selinux modules.

Theoretical question: When I compile some selinux modules on
my workstation (el8). Are these modules (forward/backward) compatible
for usage on other EL major releases?

EL8 mod --deploy2--> EL6, EL7, EL9

--
Thanks,
Leon


Re: [CentOS] SELINUX blocks procmail from executing perl script without logging

2021-04-03 Thread Strahil Nikolov via CentOS
Have you checked with 'semodule -DB' ?
Source: Chapter 5. Troubleshooting problems related to SELinux, Red Hat 
Enterprise Linux 8 | Red Hat Customer Portal

Best Regards,
Strahil Nikolov

On Thu, Apr 1, 2021 at 14:43, Radu Radutiu wrote:
> Hi,
>
> I'm upgrading our request tracker from Centos 7 to 8 and found some
> unexpected SELINUX issues with procmail. Even after I create a policy which
> allows all denied operations, procmail is still not allowed to run a perl
> script (in my case rt-mailgate). I get the following error in the procmail
> log: "Can't open perl script "/opt/rt5/bin/rt-mailgate": Permission denied"
> but I have no denied audit entry in /var/log/audit/audit.log.
> If I set selinux to permissive, everything works fine. Any idea how to
> debug this?
>
> Best regards,
> Radu


[CentOS] SELINUX blocks procmail from executing perl script without logging

2021-04-01 Thread Radu Radutiu
Hi,

I'm upgrading our request tracker from Centos 7 to 8 and found some
unexpected SELINUX issues with procmail. Even after I create a policy which
allows all denied operations, procmail is still not allowed to run a perl
script (in my case rt-mailgate). I get the following error in the procmail
log: "Can't open perl script "/opt/rt5/bin/rt-mailgate": Permission denied"
but I have no denied audit entry in /var/log/audit/audit.log.
If I set selinux to permissive, everything works fine. Any idea how to
debug this?

Best regards,
Radu


Re: [CentOS] selinux policy (& engine) broken in C7

2020-11-22 Thread H
On 11/21/2020 02:50 AM, Marc Balmer via CentOS wrote:
>
>> On 20.11.2020 at 19:50, lejeczek via CentOS wrote:
>>
>> hi guys
>>
>> I've just gotten a bunch of updates via yum and something
>> weird seems to be going on after the update.
>> System has:
>>
>> selinux-policy-3.13.1-268.el7_9.2.noarch
>> selinux-policy-targeted-3.13.1-268.el7_9.2.noarch
>>
>> actually three different boxes, all the same:
>>
>> $ semodule -l
>> No modules.
>>
>> and an attempt to install modules fails:
>>
>> $ semodule -i openvpn.pp
>> Failed to resolve typeattributeset statement at
>> /etc/selinux/targeted/tmp/modules/400/pe-openvpn/cil:1
>> semodule:  Failed!
> I have a similar issue after the latest CentOS 7 update on my gitlab server:
>
> # semodule -l
> libsemanage.semanage_direct_get_module_info: Unable to read 
> gitlab-7.2.0-ssh-keygen module lang ext file.
> semodule:  Failed on list!
>
> I am since unable to access the gitlab server using ssh, I had to turn off 
> selinux for using gitlab.
>
> Don't know, however, if the two issues are related.
>
> - mb
>
>> Does above "usual" work for you?
>> many thanks, L.

Oddly enough, it looks like I have a similar issue when booting the latest 
kernel for CentOS 7 except it locks up during the boot process with the message 
"semodule: Failed [...]"



Re: [CentOS] selinux policy (& engine) broken in C7

2020-11-20 Thread Marc Balmer via CentOS



> On 20.11.2020 at 19:50, lejeczek via CentOS wrote:
> 
> hi guys
> 
> I've just gotten a bunch of updates via yum and something
> weird seems to be going on after the update.
> System has:
> 
> selinux-policy-3.13.1-268.el7_9.2.noarch
> selinux-policy-targeted-3.13.1-268.el7_9.2.noarch
> 
> actually three different boxes, all the same:
> 
> $ semodule -l
> No modules.
> 
> and an attempt to install modules fails:
> 
> $ semodule -i openvpn.pp
> Failed to resolve typeattributeset statement at
> /etc/selinux/targeted/tmp/modules/400/pe-openvpn/cil:1
> semodule:  Failed!

I have a similar issue after the latest CentOS 7 update on my gitlab server:

# semodule -l
libsemanage.semanage_direct_get_module_info: Unable to read 
gitlab-7.2.0-ssh-keygen module lang ext file.
semodule:  Failed on list!

I am since unable to access the gitlab server using ssh, I had to turn off 
selinux for using gitlab.

Don't know, however, if the two issues are related.

- mb

> 
> Does above "usual" work for you?
> many thanks, L.


[CentOS] selinux policy (& engine) broken in C7

2020-11-20 Thread lejeczek via CentOS
hi guys

I've just gotten a bunch of updates via yum and something
weird seems to be going on after the update.
System has:

selinux-policy-3.13.1-268.el7_9.2.noarch
selinux-policy-targeted-3.13.1-268.el7_9.2.noarch

actually three different boxes, all the same:

$ semodule -l
No modules.

and an attempt to install modules fails:

$ semodule -i openvpn.pp
Failed to resolve typeattributeset statement at
/etc/selinux/targeted/tmp/modules/400/pe-openvpn/cil:1
semodule:  Failed!

Does above "usual" work for you?
many thanks, L.


[CentOS] SELinux denies login

2020-04-13 Thread Gordon Messmer
We have a CentOS 7 workstation whose user has started reporting periodic 
login failures.  This seems to be the result of the krb5 cache aging 
out, and sssd's krb5_child attempting and failing to remove the old 
cache file.  The AVC follows:



type=AVC msg=audit(1586670874.327:73041): avc:  denied  { unlink } for 
pid=28735 comm="krb5_child" name="krb5cc_1985100122_oxJnH7" dev="dm-0" 
ino=67978294 scontext=system_u:system_r:sssd_t:s0 
tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0



The policy allows sssd_t to unlink user_tmp_type:


 sesearch -s sssd_t --allow:
   allow sssd_t user_tmp_type : file { ioctl read write create getattr 
setattr lock relabelfrom relabelto append unlink link rename open } ;



Is the problem that the credential cache files in /tmp are being created 
with the wrong label, or is there some other problem I'm not seeing?



[CentOS] SELinux is preventing 11-dhclient from add_name access on the directory chrony.servers.wlp8s0.

2019-12-02 Thread Ger van Dijck

SELinux is preventing 11-dhclient from add_name access on the directory
chrony.servers.wlp8s0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that 11-dhclient should be allowed add_name access on the
chrony.servers.wlp8s0 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '11-dhclient' --raw | audit2allow -M my-11dhclient
# semodule -X 300 -i my-11dhclient.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:dhcpc_state_t:s0
Target Objects                chrony.servers.wlp8s0 [ dir ]
Source                        11-dhclient
Source Path                   11-dhclient
Port
Host                          castor
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.4-40.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     castor
Platform                      Linux castor 5.3.12-300.fc31.x86_64 #1 SMP Thu Nov 21 22:52:07 UTC 2019 x86_64 x86_64
Alert Count                   2
First Seen                    2019-11-30 18:03:35 CET
Last Seen                     2019-12-01 11:16:46 CET
Local ID                      0370e7fd-a826-4c80-8239-747a7528c5af

Raw Audit Messages
type=AVC msg=audit(1575195406.740:277): avc:  denied  { add_name } for
pid=1466 comm="11-dhclient" name="chrony.servers.wlp8s0"
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=0


Hash: 11-dhclient,NetworkManager_t,dhcpc_state_t,dir,add_name
--
Using Opera's mail client: http://www.opera.com/mail/


[CentOS] selinux reports

2019-09-19 Thread Fred Smith
Hi all!

I keep getting reports from selinux, like below, and I have no clue
what the app is it's talking about, nor how to figure out if it should
be allowed access or not. 

Anyone got any advice to offer?

It says:

The source process: /usr/sbin/xtables-multi
attempted this access: open
on this file: /run/xtables.lock

Having no clue what xtables-multi is, or why or even if it should be
able to open that file, I am at a loss:

should I take action to enable it, or not?

Thanks in advance!

Fred
-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
   I can do all things through Christ 
  who strengthens me.
-- Philippians 4:13 ---


Re: [CentOS] SELinux settings for directory shared via NFS and samba?

2019-07-19 Thread hw

On 7/19/19 3:43 PM, Monty Shinn wrote:
> On Jul 19, 2019, at 8:27 AM, Leon Fauster via CentOS wrote:
>
>> On 19.07.2019 at 14:51, hw wrote:
>>
>>> Hi,
>>>
>>> what do I need to do to share the same directory with both NFS and samba?
>>> SElinux requires 'samba_share_t' for samba and 'nfs_t' for NFS, and AFAIC
>>> I can't set both at the same time on a directory.
>>
>> Maybe samba_share_nfs boolean? (not tested)
>>
>> --
>> LF
>
> Might look into “public_content_rw_t” context as well.

Thanks!  Maybe I can still get around it; if not, I'll try those.


Re: [CentOS] SELinux settings for directory shared via NFS and samba?

2019-07-19 Thread Monty Shinn

> On Jul 19, 2019, at 8:27 AM, Leon Fauster via CentOS wrote:
> 
> On 19.07.2019 at 14:51, hw wrote:
>> Hi,
>> 
>> what do I need to do to share the same directory with both NFS and samba?
>> SElinux requires 'samba_share_t' for samba and 'nfs_t' for NFS, and AFAIC
>> I can't set both at the same time on a directory.
> 
> Maybe samba_share_nfs boolean? (not tested)
> 
> --
> LF
> 
> 
> 

Might look into “public_content_rw_t” context as well.

ms


Re: [CentOS] SELinux settings for directory shared via NFS and samba?

2019-07-19 Thread Leon Fauster via CentOS
On 19.07.2019 at 14:51, hw wrote:
> Hi,
> 
> what do I need to do to share the same directory with both NFS and samba?
> SElinux requires 'samba_share_t' for samba and 'nfs_t' for NFS, and AFAIC
> I can't set both at the same time on a directory.

Maybe samba_share_nfs boolean? (not tested)

--
LF





[CentOS] SELinux settings for directory shared via NFS and samba?

2019-07-19 Thread hw


Hi,

what do I need to do to share the same directory with both NFS and samba?
SElinux requires 'samba_share_t' for samba and 'nfs_t' for NFS, and AFAIC
I can't set both at the same time on a directory.


Re: [CentOS] SELinux policy vs. static web content

2019-01-30 Thread Gordon Messmer

On 1/30/19 7:57 AM, Nicolas Kovacs wrote:
> The tl;dr version of my last post is: Apache is not supposed to show
> static web pages with a user_tmp_t SELinux context. So why does it show
> them anyway?



Policy allows that, currently:

# sesearch -A -s httpd_t -t user_tmp_t
Found 15 semantic av rules:
   allow daemon user_tmp_t : file { getattr append } ;
   allow httpd_t user_tmp_t : file { ioctl read write getattr lock append map } ;
   allow domain tmpfile : file { ioctl read getattr lock append open } ;
   allow httpd_t file_type : dir { getattr search open } ;
   allow httpd_t user_tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
   allow httpd_t file_type : filesystem getattr ;
   allow httpd_t user_home_type : file { ioctl read getattr lock open } ;
   allow httpd_t user_home_type : dir { getattr search open } ;
   allow httpd_t user_home_type : dir { ioctl read getattr lock search open } ;
   allow httpd_t user_home_type : dir { getattr search open } ;
   allow httpd_t user_home_type : dir { getattr search open } ;
   allow domain file_type : file map ;
   allow domain file_type : chr_file map ;
   allow domain file_type : blk_file map ;
   allow httpd_t user_home_type : lnk_file { read getattr } ;



Re: [CentOS] SELinux policy vs. static web content

2019-01-30 Thread Nicolas Kovacs
On 30/01/2019 at 16:22, Nicolas Kovacs wrote:
> Some time ago I wrote an introductory article about SELinux on my blog.
> I'm currently updating it for my new blog, and I found a curious change
> in SELinux policy. Here goes.
> 
> For demonstration purposes, I'm using some static webpages, more exactly
> the default pages found in /usr/share/httpd/noindex, which I simply
> copied over to /var/www/html.
> 
> As a first practical example, I'm copying this stuff over to /tmp/backup
> and then move it back again. A vaguely similar example has been given by
> Thomas Cameron in his presentation "SELinux for mere mortals", and I'm
> reproducing it here with some minor modifications.
> 
>   $ cd /var/www/html/
>   $ mkdir /tmp/backup
>   $ cp -R * /tmp/backup/
>   $ rm -rf *
>   $ mv /tmp/backup/* .
>   $ find . -type d -exec chmod 0755 {} \;
>   $ find . -type f -exec chmod 0644 {} \;
> 
> When I wrote the article back in November 2017, this resulted in a
> classic "Forbidden" error, since the SELinux context of these files is
> not httpd_sys_content_t as it should be, but user_tmp_t.
> 
> But when I try to repeat the experiment now, Apache shows no error.
> Which seems strange.
> 
> Any idea what's going on?

The tl;dr version of my last post is: Apache is not supposed to show
static web pages with a user_tmp_t SELinux context. So why does it show
them anyway?

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32


[CentOS] SELinux policy vs. static web content

2019-01-30 Thread Nicolas Kovacs
Hi,

Some time ago I wrote an introductory article about SELinux on my blog.
I'm currently updating it for my new blog, and I found a curious change
in SELinux policy. Here goes.

For demonstration purposes, I'm using some static webpages, more exactly
the default pages found in /usr/share/httpd/noindex, which I simply
copied over to /var/www/html.

As a first practical example, I'm copying this stuff over to /tmp/backup
and then move it back again. A vaguely similar example has been given by
Thomas Cameron in his presentation "SELinux for mere mortals", and I'm
reproducing it here with some minor modifications.

  $ cd /var/www/html/
  $ mkdir /tmp/backup
  $ cp -R * /tmp/backup/
  $ rm -rf *
  $ mv /tmp/backup/* .
  $ find . -type d -exec chmod 0755 {} \;
  $ find . -type f -exec chmod 0644 {} \;

When I wrote the article back in November 2017, this resulted in a
classic "Forbidden" error, since the SELinux context of these files is
not httpd_sys_content_t as it should be, but user_tmp_t.

But when I try to repeat the experiment now, Apache shows no error.
Which seems strange.

Any idea what's going on?

Niki
-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32


Re: [CentOS] SElinux AVC signull

2019-01-18 Thread Leon Fauster via CentOS
On 18.01.2019 at 16:17, Sean wrote:
> 
> I don't have access to a CentOS 6.10 system handy, but it looks like a
> policy issue.  If I take you're ausearch output and pipe it to
> audit2allow on my CentOS 7.6 system, I get the following:
> 
> #= httpd_t ==
> 
> # This avc is allowed in the current policy
> allow httpd_t httpd_sys_script_t:process signull;


Hi Sean, thanks for cross-checking this under EL7.

As shown under EL6, it's denied:

# grep signull /var/log/audit/audit.log | audit2allow -m test

module test 1.0;

require {
type httpd_t;
type httpd_sys_script_t;
class process signull;
}

#= httpd_t ==
allow httpd_t httpd_sys_script_t:process signull;

 
but this brings some insights. It seems therefore to be an allowable policy,
as it is already allowed under EL7. I even found a related changelog entry
in the newer EL7 package:

# rpm -qp --changelog selinux-policy-targeted-3.13.1-229.el7.noarch.rpm | egrep 'signul.*apache script'
- Allow httpd to send signull to apache script domains and don't audit leaks

So this lets me build and load a custom module with confidence. Thanks!



> Noting that on my 7.6 system with selinux enforcing with selinux
> policy packages at version 3.13.1-229, it notes that your denial would
> not happen.  If you don't have it installed policycoreutils-python
> provides the audit2allow and audit2why binaries which can help you
> generate a policy to avoid this denial if you want.
> 
> Also, I often find that to truly diagnose the issue, I need to run the
> following:
> 
> # semodule --disable_dontaudit --build
> # setenforce permissive
> # tail -f /var/log/audit/audit.log | grep denied | tee ~/denials.out
> 
> ... then reproduce the problem, and kill the tail.  The resulting
> denials.out file will have a lot of unrelated denials, but if you run
> audit2allow against the entire file, you'll be able to determine which
> ones are not relevant by the comments produced (much like above where
> it told us the "avc is allowed").  You can also use this to generate a
> custom policy module for your system.
> 
> Sometimes there are denials that are not audited which are relevant to
> the problem, which seems problematic to me...that there is a default
> set of things that get denied but do not appear in the audit logs.
> That's a different conversation though.
> 
> Anyway, after the data is collected for the denials.out file you can
> reset to your normal operating stance...
> 
> # semodule --build
> # setenforce enforcing



Re: [CentOS] SElinux AVC signull

2019-01-18 Thread Sean
Hi Leon,

I don't have access to a CentOS 6.10 system handy, but it looks like a
policy issue.  If I take your ausearch output and pipe it to
audit2allow on my CentOS 7.6 system, I get the following:

#= httpd_t ==

# This avc is allowed in the current policy
allow httpd_t httpd_sys_script_t:process signull;

Noting that on my 7.6 system with selinux enforcing with selinux
policy packages at version 3.13.1-229, it notes that your denial would
not happen.  If you don't have it installed, policycoreutils-python
provides the audit2allow and audit2why binaries which can help you
generate a policy to avoid this denial if you want.

Also, I often find that to truly diagnose the issue, I need to run the
following:

# semodule --disable_dontaudit --build
# setenforce permissive
# tail -f /var/log/audit/audit.log | grep denied | tee ~/denials.out

... then reproduce the problem, and kill the tail.  The resulting
denials.out file will have a lot of unrelated denials, but if you run
audit2allow against the entire file, you'll be able to determine which
ones are not relevant by the comments produced (much like above where
it told us the "avc is allowed").  You can also use this to generate a
custom policy module for your system.

Sometimes there are denials that are not audited which are relevant to
the problem, which seems problematic to me...that there is a default
set of things that get denied but do not appear in the audit logs.
That's a different conversation though.

Anyway, after the data is collected for the denials.out file you can
reset to your normal operating stance...

# semodule --build
# setenforce enforcing

From: Leon Fauster 
To: CentOS mailing list 
Date: Thu, 17 Jan 2019 18:35:23 +0100
Subject: [CentOS] SElinux AVC signull
I have some perl scripts running via CGI to print some monitoring
information out.

# cat /etc/redhat-release
CentOS release 6.10 (Final)

# getenforce
Enforcing

# LANG=C ausearch -m avc --start today
type=SYSCALL msg=audit(1547733474.941:28): arch=c03e syscall=62
success=no exit=-13 a0=641 a1=0 a2=7f33500079b0 a3=31372f656d6f7268
items=0 ppid=1399 pid=1439 auid=4294967295 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd" exe="/opt/rh/httpd24/root/usr/sbin/httpd"
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1547733474.941:28): avc:  denied  { signull } for
pid=1439 comm="httpd" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process


I see a lot of such entries but I don't see any service misbehaviour.
All scripts are running fine.

Any hints on how to classify this AVC; "Denied Signull"?
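An added example, not code from any post in this thread, that applies the triage Sean describes offline: it parses AVC records, merges denials per source type, target type and object class the way audit2allow does, and separates the denials that actually blocked access (permissive=0) from the noise collected under `setenforce permissive` (permissive=1). The input mixes AVC lines quoted on this page with constructed rsync_t records (marked as such) that reproduce the rule from the rsync/systemd thread at the top of the page.

```python
"""Parse SELinux AVC records, merge them like audit2allow, and tell real
(enforced) denials from those logged while permissive."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# Sample input. The first four lines are copied from records quoted on this
# page (signull, krb5_child and 11-dhclient threads). The three rsync_t lines
# are CONSTRUCTED: two reproduce the rule from the rsync/systemd thread, the
# last carries permissive=1 as a record gathered under "setenforce permissive".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1547733474.941:28): arch=c03e syscall=62 success=no exit=-13 a0=641 a1=0 a2=7f33500079b0 a3=31372f656d6f7268 items=0 ppid=1399 pid=1439 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/opt/rh/httpd24/root/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1547733474.941:28): avc:  denied  { signull } for  pid=1439 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1586670874.327:73041): avc:  denied  { unlink } for pid=28735 comm="krb5_child" name="krb5cc_1985100122_oxJnH7" dev="dm-0" ino=67978294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575195406.740:277): avc:  denied  { add_name } for pid=1466 comm="11-dhclient" name="chrony.servers.wlp8s0" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1699000000.100:101): avc:  denied  { read write } for  pid=4242 comm="rsync" path="socket:[24680]" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1699000000.100:102): avc:  denied  { getattr } for  pid=4242 comm="rsync" path="socket:[24680]" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1699000000.200:103): avc:  denied  { getattr } for  pid=4242 comm="rsync" name="backup" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
"""
SAMPLE_LINES = SAMPLE_AUDIT_LOG.splitlines()

_AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


@dataclass(frozen=True)
class Avc:
    decision: str               # "denied" or "granted"
    perms: FrozenSet[str]       # access vector, e.g. {"read", "write"}
    comm: str                   # process name
    scontext: str               # subject (process) context
    tcontext: str               # object / target context
    tclass: str                 # object class: file, dir, process, ...
    serial: int                 # audit serial shared with the matching SYSCALL record
    permissive: Optional[bool]  # None when the field is absent (older EL6 records)


def type_of(context: str) -> str:
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Avc]:
    """Parse one audit line; non-AVC records (SYSCALL, CWD, PATH ...) give None."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    serial = _SERIAL_RE.search(line)
    flag = f.get("permissive")
    return Avc(
        decision=m.group("decision"),
        perms=frozenset(m.group("perms").split()),
        comm=f.get("comm", "?"),
        scontext=f["scontext"],
        tcontext=f["tcontext"],
        tclass=f["tclass"],
        serial=int(serial.group(1)) if serial else -1,
        permissive=None if flag is None else flag == "1",
    )


Key = Tuple[str, str, str]  # (source type, target type, object class)


def denials(lines: Iterable[str]) -> List[Avc]:
    """All parsed records whose decision is 'denied'."""
    return [a for a in map(parse_avc, lines) if a is not None and a.decision == "denied"]


def enforcing_denials(lines: Iterable[str]) -> List[Avc]:
    """Denials that really blocked the access. permissive=1 records were logged
    while the system (or domain) was permissive and did not stop the process."""
    return [a for a in denials(lines) if a.permissive is not True]


def summarise(lines: Iterable[str]) -> Dict[Key, Set[str]]:
    """Merge denied permissions per (source, target, class), as audit2allow does."""
    merged: Dict[Key, Set[str]] = defaultdict(set)
    for a in denials(lines):
        merged[(type_of(a.scontext), type_of(a.tcontext), a.tclass)] |= a.perms
    return dict(merged)


def to_allow_rules(summary: Dict[Key, Set[str]]) -> List[str]:
    """Render the summary as allow rules (braces only for multi-permission sets).
    Review each before loading: a rule that silences a denial on a generic type
    such as tmp_t may paper over a mislabelled file rather than fix the cause."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        ordered = sorted(perms)
        vector = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {vector};")
    return rules


if __name__ == "__main__":
    print("\n".join(to_allow_rules(summarise(SAMPLE_LINES))))
    print(len(enforcing_denials(SAMPLE_LINES)), "of", len(denials(SAMPLE_LINES)), "denials were enforced")
```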


[CentOS] SElinux AVC signull

2019-01-17 Thread Leon Fauster via CentOS
I have some perl scripts running via CGI to print some monitoring information 
out.

# cat /etc/redhat-release 
CentOS release 6.10 (Final)

# getenforce 
Enforcing

# LANG=C ausearch -m avc --start today
type=SYSCALL msg=audit(1547733474.941:28): arch=c03e syscall=62 success=no 
exit=-13 a0=641 a1=0 a2=7f33500079b0 a3=31372f656d6f7268 items=0 ppid=1399 
pid=1439 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 
fsgid=48 tty=(none) ses=4294967295 comm="httpd" 
exe="/opt/rh/httpd24/root/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 
key=(null)
type=AVC msg=audit(1547733474.941:28): avc:  denied  { signull } for  pid=1439 
comm="httpd" scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process


I see a lot of such entries but I don't see any service misbehaviour. All 
scripts are running fine.

Any hints on how to classify this AVC; "Denied Signull"?

--
LF


[CentOS] selinux, sendmail, and disable_ipv6

2018-11-20 Thread mark
Just started seeing this on one server:
python: SELinux is preventing sendmail from read access on the file
disable_ipv6.

It recommends a local policy. Now, searching, I see someone filed a bug
for CentOS last year, 0012914, and they wound up creating a policy.

Cmts?

Note, btw, that the system has two IPv6 addresses - my manager has fallen
for slack. Both valid.

mark



Re: [CentOS] selinux question

2018-08-23 Thread Nataraj
On 08/21/2018 05:45 PM, Warren Young wrote:
>
>> I could be convinced otherwise if I could see where running the php as the 
>> app users, would make more sense.
> That depends on whether the boundary between user php and this unknown 
> “appuser” is bidirectional or not.
>
> If there are things owned by user “php” that “appuser” should not see, then 
> continuing to run the web app as two separate users makes sense.  
>
> If “appuser” can be said to own everything in the web app, and the only 
> reason you’re converting user php privileges to “appuser” privileges is so 
> you don’t have to give user php access to everything in the web app, then I’d 
> say my prior suggestion holds.
>
> Now that I know you’re using PHP, I can recommend something like PHP-FPM:
>
> https://php-fpm.org/
>
> That’s the old external project.  It’s now part of the PHP core:
>
> https://secure.php.net/manual/en/install.fpm.php
>
> You’ll have to use the old version with C5, though, as that happened after C5 
> was released.
>
> FPM isn’t the only way to go, just one idea, which happens to be 
> well-supported within the PHP community.
>
> Regardless of the exact method, this lets you run your PHP code as a non-php 
> user, letting Apache proxy to it using mod_fcgi.  Now you’ve got strong 
> separation between things Apache is allowed to read and things it must talk 
> down through PHP to get access to.
>
>> It could be that giving sudo sys_ptrace access could increase the risk to 
>> the security of the system
> Once you give a process ptrace ability, it’s pretty much game over when it 
> comes to security.  The scope of what one process can do to another via 
> ptrace(2) is HUGE.  I’d very much resist placating SELinux in this way.
>
> SELinux might in fact be warning you about a real attack here, which would 
> explain why it’s intermittent.

Thank you, this information was helpful.  I will solve the problem
without allowing ptrace capability.

Nataraj




Re: [CentOS] selinux question

2018-08-21 Thread Warren Young
On Aug 21, 2018, at 4:34 PM, Nataraj  wrote:
> 
> On 08/21/2018 02:20 PM, Warren Young wrote:
>> On Aug 21, 2018, at 1:27 PM, Nataraj  wrote:
>>> I have a web application which uses sudo to invoke python scripts as the
>>> user under which the application runs (NO root access).
>> Why is the web app not running with that user’s permissions in the first 
>> place?
>> 
> The php code runs as user apache under the webserver.

Okay, that’s useful to know, and it’s something we’re just now learning.  
You’ll get better advice if you include such details when asking for help.

> If the php ran as the app users it would have full access to all of the data 
> in the app.

…and that’s a problem why, exactly?  What could happen if that were allowed?

I understand that you’re creating a privilege separation scheme here, but if 
you want good advice, we need to know what you want to achieve with the scheme 
and why that is necessary.

What resources does this non-php user own that user php must not be allowed to 
have access to?  Once we know that, we can advise on how to protect those 
resources.

> Using sudo the app can only invoke one specific python script (which is the 
> command name in the sudoers file) to do what it needs to do, without having 
> access to the rest of the apps data and other python scripts used by other 
> functions in the app).

Another way to go about it would be to have the background service running as 
the non-php user, then provide access to it over the many IPC mechanisms 
available in a Linux system: named pipes, SysV message queues, shared memory…  
Add to that all of the higher-level services available like message-oriented 
middleware:

   https://en.wikipedia.org/wiki/Category:Message-oriented_middleware

Such services let one process tell another, “Hey, I need you to do something 
for me,” then wait for the answer, received as a single coherent message.  Many 
of these schemes let you split that worker process off into a separate machine, 
or even a cluster of machines.  

That could help you to get off CentOS 5: move the worker process onto a C7 box, 
then when that’s well-validated, move the PHP bits over.  

Or, move the PHP bits to a *second* C7 box, and now you’ve got much stronger 
privilege separation.  You may remember all of the ways that Shellshock — a 
local-only exploit — was able to be exploited over HTTP, because local web app 
code was using the shell, thus converting it into a remote-exploitable security 
hole.  By separating the worker processes to a separate machine, that now can’t 
happen on the second box.  If the front-end box has no sensitive material on 
it, that’s enough security: just wipe it and re-image it if it’s ever 
compromised.

However you do this, these mechanisms give you hard privilege separation 
without SELinux bugging you.

> I could be convinced otherwise if I could see where running the php as the 
> app users, would make more sense.

That depends on whether the boundary between user php and this unknown 
“appuser” is bidirectional or not.

If there are things owned by user “php” that “appuser” should not see, then 
continuing to run the web app as two separate users makes sense.  

If “appuser” can be said to own everything in the web app, and the only reason 
you’re converting user php privileges to “appuser” privileges is so you don’t 
have to give user php access to everything in the web app, then I’d say my 
prior suggestion holds.

Now that I know you’re using PHP, I can recommend something like PHP-FPM:

https://php-fpm.org/

That’s the old external project.  It’s now part of the PHP core:

https://secure.php.net/manual/en/install.fpm.php

You’ll have to use the old version with C5, though, as that happened after C5 
was released.

FPM isn’t the only way to go, just one idea, which happens to be well-supported 
within the PHP community.

Regardless of the exact method, this lets you run your PHP code as a non-php 
user, letting Apache proxy to it using mod_fcgi.  Now you’ve got strong 
separation between things Apache is allowed to read and things it must talk 
down through PHP to get access to.

> It could be that giving sudo sys_ptrace access could increase the risk to the 
> security of the system

Once you give a process ptrace ability, it’s pretty much game over when it 
comes to security.  The scope of what one process can do to another via 
ptrace(2) is HUGE.  I’d very much resist placating SELinux in this way.

SELinux might in fact be warning you about a real attack here, which would 
explain why it’s intermittent.


Re: [CentOS] selinux question

2018-08-21 Thread Nataraj
On 08/21/2018 02:20 PM, Warren Young wrote:
> On Aug 21, 2018, at 1:27 PM, Nataraj  wrote:
>> I have a web application which uses sudo to invoke python scripts as the
>> user under which the application runs (NO root access).
> Why is the web app not running with that user’s permissions in the first 
> place?
>
> If your answer is that it needs root access to bind to port 80, there are two 
> common solutions:
>
> 1. Start the service as root, set up the port 80 listener, then drop 
> privileges internally with getpwent(“myuser”) and setuid(my_uid).
>
> 2. Use an HTTP[S] proxy server, such as Apache with mod_proxy configured.  
> Bind the actual web app to localhost and a high-numbered random port, then 
> forward external port 80 hits to the internal service.  This method has the 
> additional advantage that you can use the path part of the URL to relieve 
> the web app of having to serve hits for the static resources — *.js, *.png, 
> *.css… — which can speed the application up.

The php code runs as user apache under the webserver.  If the php ran as the 
app user it would have full access to all of the data in the app.  Using sudo 
the app can only invoke one specific python script (which is the command name 
in the sudoers file) to do what it needs to do, without having access to the 
rest of the app's data and other python scripts used by other functions in the 
app.  Could be that I'm not seeing something, but this approach seems sensible 
to me, though I could be convinced otherwise if I could see where running the 
php as the app user would make more sense.

It could be that giving sudo sys_ptrace access could increase the risk to the 
security of the system, but giving the php code app user access increases the 
risk of data compromise in the app.



Thank You,
Nataraj




Re: [CentOS] selinux question

2018-08-21 Thread Warren Young
On Aug 21, 2018, at 1:27 PM, Nataraj  wrote:
> 
> I have a web application which uses sudo to invoke python scripts as the
> user under which the application runs (NO root access).

Why is the web app not running with that user’s permissions in the first place?

If your answer is that it needs root access to bind to port 80, there are two 
common solutions:

1. Start the service as root, set up the port 80 listener, then drop privileges 
internally with getpwent(“myuser”) and setuid(my_uid).

2. Use an HTTP[S] proxy server, such as Apache with mod_proxy configured.  Bind 
the actual web app to localhost and a high-numbered random port, then forward 
external port 80 hits to the internal service.  This method has the additional 
advantage that you can use the path part of the URL to relieve the web app of 
having to serve hits for the static resources — *.js, *.png, *.css… — which can 
speed the application up.

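Warren's first option carried through, as an added example rather than code from the thread: open the privileged listener while still root, then give root up in the one order that cannot be undone. The account name `appuser` and the port are assumptions; the lookup uses Python's pwd.getpwnam and os.getgrouplist.

```python
import os
import pwd
import socket


def lookup_user(name):
    """Resolve an account to (uid, gid, supplementary gids) while we still can."""
    pw = pwd.getpwnam(name)
    groups = os.getgrouplist(pw.pw_name, pw.pw_gid)
    return pw.pw_uid, pw.pw_gid, groups


def open_listener(port, bind_addr="0.0.0.0", backlog=128):
    """Bind the listening socket as root; a port below 1024 needs that privilege."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_addr, port))
    sock.listen(backlog)
    return sock


def current_ids():
    """(real uid, real gid) of this process."""
    return os.getuid(), os.getgid()


def privileges_dropped(uid, gid):
    """True only if every uid/gid is the target AND root cannot be regained."""
    if (os.getuid(), os.geteuid(), os.getgid(), os.getegid()) != (uid, uid, gid, gid):
        return False
    try:
        os.setuid(0)      # must fail with EPERM once the saved uid is no longer 0
    except PermissionError:
        return True
    return False          # a lingering saved uid of 0 lets setuid(0) succeed


def drop_privileges(name):
    """Give up root: supplementary groups, then gid, then uid, then verify."""
    uid, gid, groups = lookup_user(name)
    if uid == 0:
        raise ValueError("refusing to 'drop' to a root account")
    os.setgroups(groups)  # first: root's own supplementary groups must not leak
    os.setgid(gid)        # gid before uid: after setuid() we could no longer change it
    os.setuid(uid)        # as root this sets real, effective and saved uid at once
    if not privileges_dropped(uid, gid):
        raise RuntimeError("privilege drop did not stick")
    os.umask(0o077)


if __name__ == "__main__":
    # Usage sketch: start as root, listen on 80, then serve as the unprivileged user.
    listener = open_listener(80)
    drop_privileges("appuser")  # assumed account name
    print("serving as uid", current_ids()[0], "on", listener.getsockname())
```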

Re: [CentOS] selinux question

2018-08-21 Thread Nataraj
On 08/21/2018 12:41 PM, Jonathan Billings wrote:
> On Tue, Aug 21, 2018 at 12:27:53PM -0700, Nataraj wrote:
>> Source RPM Packages   sudo-1.7.2p1-29.el5_10
>> Policy RPMselinux-policy-2.4.6-351.el5
>> Platform  Linux myhost.mydomain.com 2.6.18-419.el5 #1 
>> SMP Fri Feb 24 22:06:09 UTC 2017 i686 i686
> CentOS 5 was end of life on 31 March, 2017.  There have been no
> updates for over a year.
>
> Might as well turn off SELinux, you're so behind on security updates
> it probably doesn't matter.
>
Thank you.  I'm well aware that CentOS 5 is EOL, and hoping to replace
this server soon.  I'm sitting here right now in heavy smoke (which has
been going on since early June) in Northern CA, just miles from huge
fires and have spent the last 3 years rebuilding after damage in a 2015
fire.  It kind of shakes up one's life a little bit.  In the meantime,
keeping selinux enabled helps me to keep the server from getting broken
into.  Since incoming services are limited for the most part to my
userbase, I am doing very well so far.  There is no remote login access.

Thank you,

Nataraj




Re: [CentOS] selinux question

2018-08-21 Thread Jonathan Billings
On Tue, Aug 21, 2018 at 12:27:53PM -0700, Nataraj wrote:
> Source RPM Packages   sudo-1.7.2p1-29.el5_10
> Policy RPMselinux-policy-2.4.6-351.el5
> Platform  Linux myhost.mydomain.com 2.6.18-419.el5 #1 SMP 
> Fri Feb 24 22:06:09 UTC 2017 i686 i686

CentOS 5 was end of life on 31 March, 2017.  There have been no
updates for over a year.

Might as well turn off SELinux, you're so behind on security updates
it probably doesn't matter.

-- 
Jonathan Billings 


Re: [CentOS] selinux question

2018-08-21 Thread Daniel Walsh

On 08/21/2018 12:27 PM, Nataraj wrote:

> I have a web application which uses sudo to invoke python scripts as the
> user under which the application runs (NO root access).  Is there any
> reason why sudo would require sys_ptrace access for this?  I only
> get this violation intermittently, and not with every call to sudo.
> Here's the violation:

Most likely you can just dontaudit this access.  sys_ptrace is often 
caused by processes trying to read content in /proc.

> Summary:
>
> SELinux is preventing sudo (httpd_t) "sys_ptrace" to  (httpd_t).
>
> Detailed Description:
>
> SELinux denied access requested by sudo. It is not expected that this access is
> required by sudo and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context        system_u:system_r:httpd_t
> Target Context        system_u:system_r:httpd_t
> Target Objects        None [ capability ]
> Source                sudo
> Source Path           /usr/bin/sudo
> Port                  
> Host                  myhost.mydomain.com
> Source RPM Packages   sudo-1.7.2p1-29.el5_10
> Target RPM Packages   
> Policy RPM            selinux-policy-2.4.6-351.el5
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Enforcing
> Plugin Name           catchall
> Host Name             myhost.mydomain.com
> Platform              Linux myhost.mydomain.com 2.6.18-419.el5 #1 SMP Fri Feb 24 22:06:09 UTC 2017 i686 i686
> Alert Count           359
> First Seen            Tue Oct  8 09:24:50 2013
> Last Seen             Tue Aug 21 10:26:26 2018
> Local ID              717eb9a4-cc7f-4ed1-b638-5db1a841abe4
> Line Numbers          
>
> Raw Audit Messages
>
> host=myhost.mydomain.com type=AVC msg=audit(1534872386.726:9642): avc:  denied  { 
> sys_ptrace } for  pid=8458 comm="sudo" capability=19 
> scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 
> tclass=capability
>
> host=myhost.mydomain.com type=SYSCALL msg=audit(1534872386.726:9642): arch=4003 syscall=3 
> success=yes exit=166 a0=1a a1=b7ff4000 a2=400 a3=89cabf0 items=0 ppid=8979 pid=8458 auid=4294967295 
> uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 
> comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:httpd_t:s0 key=(null)
>
>
> Thank You,
>
> Nataraj





[CentOS] selinux question

2018-08-21 Thread Nataraj
I have a web application which uses sudo to invoke python scripts as the
user under which the application runs (NO root access).  Is there any
reason why sudo would require sys_ptrace access for this?  I only
get this violation intermittently, and not with every call to sudo. 
Here's the violation:

Summary:

SELinux is preventing sudo (httpd_t) "sys_ptrace" to  (httpd_t).

Detailed Description:

SELinux denied access requested by sudo. It is not expected that this access is
required by sudo and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context        system_u:system_r:httpd_t
Target Context        system_u:system_r:httpd_t
Target Objects        None [ capability ]
Source                sudo
Source Path           /usr/bin/sudo
Port                  
Host                  myhost.mydomain.com
Source RPM Packages   sudo-1.7.2p1-29.el5_10
Target RPM Packages   
Policy RPM            selinux-policy-2.4.6-351.el5
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             myhost.mydomain.com
Platform              Linux myhost.mydomain.com 2.6.18-419.el5 #1 SMP Fri Feb 24 22:06:09 UTC 2017 i686 i686
Alert Count           359
First Seen            Tue Oct  8 09:24:50 2013
Last Seen             Tue Aug 21 10:26:26 2018
Local ID              717eb9a4-cc7f-4ed1-b638-5db1a841abe4
Line Numbers          

Raw Audit Messages

host=myhost.mydomain.com type=AVC msg=audit(1534872386.726:9642): avc:  denied  
{ sys_ptrace } for  pid=8458 comm="sudo" capability=19 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 
tclass=capability

host=myhost.mydomain.com type=SYSCALL msg=audit(1534872386.726:9642): 
arch=4003 syscall=3 success=yes exit=166 a0=1a a1=b7ff4000 a2=400 
a3=89cabf0 items=0 ppid=8979 pid=8458 auid=4294967295 uid=48 gid=48 euid=0 
suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sudo" 
exe="/usr/bin/sudo" subj=system_u:system_r:httpd_t:s0 key=(null)


Thank You,

Nataraj





Re: [CentOS] selinux: how to allow access?

2018-03-20 Thread John Hodrien

On Tue, 20 Mar 2018, hw wrote:

> which is what access rights are for

Yes and no.  You can run firefox and let it download files into the Downloads
directory, but not elsewhere.  You can run apache on port 80/443 but not let
it open up a different port.  You can stop apache reading files outside of its
webroot even though they're readable by all users.

You can't do all that with simple file permissions.

> It still doesn't allow me as a user to make it so that a program I'm running
> can only access the files I want it to access.  Why isn't that a common thing
> for users to do?  Gimp doesn't need to have access to my emails and fvwm
> doesn't need to access anything but its configuration, etc.  Since those
> are common things, why doesn't selinux do it --- and in such a way that it is
> easy to manage?

You want a *user* to be able to confine applications in this way, not an
administrator?

jh


Re: [CentOS] selinux: how to allow access?

2018-03-20 Thread hw

On 03/20/2018 01:42 PM, Peter Kjellström wrote:

> On Tue, 20 Mar 2018 13:07:12 +0100
> hw  wrote:
>
> ...
>> So what do you really gain from selinux, and is that worthwhile all
>> the trouble and the hours spent to fix the problems it creates?  What
>> about the impact on performance?
>
> The main feature is that lots of software is indeed confined (even
> though your normal login or desktop remains unconfined).
>
> This is exactly what happens to exim in your case. It is exim_t not
> unconfined_t which means when/if it goes crazy (or is exploited) the
> damage can be limited.

which is what access rights are for

> For some people it's also useful that it provides the ability to define
> user types (see "semanage user --list").

How is this useful?  It makes things much more complicated and more 
unmanageable.

It still doesn't allow me as a user to make it so that a program I'm 
running can only access the files I want it to access.  Why isn't that a 
common thing for users to do?  Gimp doesn't need to have access to my 
emails and fvwm doesn't need to access anything but its configuration, 
etc.  Since those are common things, why doesn't selinux do it --- and 
in such a way that it is easy to manage?



Re: [CentOS] selinux: how to allow access?

2018-03-20 Thread Peter Kjellström
On Tue, 20 Mar 2018 13:07:12 +0100
hw  wrote:

...
> So what do you really gain from selinux, and is that worthwhile all
> the trouble and the hours spent to fix the problems it creates?  What
> about the impact on performance?

The main feature is that lots of software is indeed confined (even
though your normal login or desktop remains unconfined).

This is exactly what happens to exim in your case. It is exim_t not
unconfined_t which means when/if it goes crazy (or is exploited) the
damage can be limited.

For some people it's also useful that it provides the ability to define
user types (see "semanage user --list").

/Peter K


Re: [CentOS] selinux: how to allow access?

2018-03-20 Thread John Hodrien

On Tue, 20 Mar 2018, hw wrote:

> That depends.  If the anti-theft system of your car prevents you from driving
> it, wouldn't you turn it off so you can drive to work?

How many of us tape the immobiliser transponder to the base of the lock?

> I don't believe that.  First you need to figure out if it's a selinux related
> thing, and to do that, you need to figure out how to figure that out.  Once
> you figured it out, you need to figure out how to solve it. That usually
> takes hours or even days.

If you don't learn how to use SELinux, it takes ages to solve anything.  If
you learn it, it takes a short while to get things working, and a little
longer to configure things as you want.  When was security supposed to be zero
cost?  I'm not sure when I last spent an hour solving an SELinux issue, and
I'm not claiming to be highly proficient.

> That looks promising, though it seems to make quite a hype of it.  It even
> says wrong things, like: Mandatory access control "enables information to be
> protected from legitimate users with limited authorization as well as from
> authorized users who have unwittingly executed malicious applications."[1]
>
> Perhaps there are implementations of MAC which do that; selinux does not.
> It's even a thing I've asked about quite a while ago, and there didn't seem
> to be a way to achieve it with selinux.

When you confine an unconfined process, is that not what you're doing?

What is it you're trying to do that you believe SELinux can't do?

> So what do you really gain from selinux, and is that worthwhile all the
> trouble and the hours spent to fix the problems it creates?  What about the
> impact on performance?

In the general case, you'd struggle to point your finger convincingly at the
SELinux performance hit.  Probably the worst performance hit you're likely to
see is with a badly configured permissive configuration, due to excessive
logging.

jh


Re: [CentOS] selinux: how to allow access?

2018-03-20 Thread hw

On 03/16/2018 10:38 PM, Phil Perry wrote:

> On 16/03/18 18:37, Alexander Dalloz wrote:
>
>> On 16.03.2018 at 13:09, hw wrote:
>>
>>> On 03/16/2018 12:14 PM, Richard Grainger wrote:
>>>
>>>>> Yet again I could not find any documentation explaining how to do basic
>>>>> things like this :(  Selinux is more like a curse than anything else :( Why
>>>>> is there not even a good documentation?
>>>>
>>>> More trolling?
>>>
>>> Show me a good documentation and/or name good reasons not to disable
>>> selinux.  Considering how much trouble it gives, there have to be
>>> *very* good reasons to keep it enabled.
>
> Would you turn off your firewall because you don't understand how it
> works? Or any security feature for that matter?

That depends.  If the anti-theft system of your car prevents you from 
driving it, wouldn't you turn it off so you can drive to work?

> Invest a few hours of your life reading the documentation. There are
> plenty of good examples listed below.

You can't read documentation when you can't find it.

> I've never had an SELinux problem I couldn't solve or work around in 2
> minutes. Sometimes figuring out the *right* solution might take a little
> longer, but turning it off is very rarely going to be the right solution.

I don't believe that.  First you need to figure out if it's a selinux 
related thing, and to do that, you need to figure out how to figure that 
out.  Once you figured it out, you need to figure out how to solve it. 
That usually takes hours or even days.

>> Useful resources for SELinux:
>>
>> http://wiki.centos.org/HowTos/SELinux
>>
>> http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
>>
>> http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/
>>
>> http://www.youtube.com/watch?v=bQqX3RWn0Yw
>>
>> http://opensource.com/business/13/11/selinux-policy-guide

I've seen some of those, finding a hint here and there, but not a really 
good documentation yet.

> and don't forget the definitive Red Hat documentation here:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/
>
> SELinux User's and Administrator's Guide at the bottom of the page.
> Download it and read it.

That looks promising, though it seems to make quite a hype of it.  It 
even says wrong things, like: Mandatory access control "enables 
information to be protected from legitimate users with limited 
authorization as well as from authorized users who have unwittingly 
executed malicious applications."[1]  Perhaps there are implementations 
of MAC which do that; selinux does not.  It's even a thing I've asked 
about quite a while ago, and there didn't seem to be a way to achieve it 
with selinux.

So what do you really gain from selinux, and is that worthwhile all the 
trouble and the hours spent to fix the problems it creates?  What about 
the impact on performance?

[1]: 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-introduction



Re: [CentOS] selinux: how to allow access?

2018-03-16 Thread Phil Perry

On 16/03/18 18:37, Alexander Dalloz wrote:

> On 16.03.2018 at 13:09, hw wrote:
>
>> On 03/16/2018 12:14 PM, Richard Grainger wrote:
>>
>>>> Yet again I could not find any documentation explaining how to do basic
>>>> things like this :(  Selinux is more like a curse than anything else :( Why
>>>> is there not even a good documentation?
>>>
>>> More trolling?
>>
>> Show me a good documentation and/or name good reasons not to disable
>> selinux.  Considering how much trouble it gives, there have to be
>> *very* good reasons to keep it enabled.

Would you turn off your firewall because you don't understand how it 
works? Or any security feature for that matter?

Invest a few hours of your life reading the documentation. There are 
plenty of good examples listed below.

I've never had an SELinux problem I couldn't solve or work around in 2 
minutes. Sometimes figuring out the *right* solution might take a little 
longer, but turning it off is very rarely going to be the right solution.

> Useful resources for SELinux:
>
> http://wiki.centos.org/HowTos/SELinux
>
> http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
>
> http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/
>
> http://www.youtube.com/watch?v=bQqX3RWn0Yw
>
> http://opensource.com/business/13/11/selinux-policy-guide

and don't forget the definitive Red Hat documentation here:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/

SELinux User's and Administrator's Guide at the bottom of the page. 
Download it and read it.




Re: [CentOS] selinux: how to allow access?

2018-03-16 Thread Leon Fauster

> Am 16.03.2018 um 13:09 schrieb hw :
> 
> On 03/16/2018 12:14 PM, Richard Grainger wrote:
>>> Yet again I could not find any documentation explaining how to do basic
>>> things like this :(  Selinux is more like a curse than anything else :( Why
>>> is there not even a good documentation?
>> More trolling?
> 
> Show me a good documentation and/or name good reasons not to disable selinux.
> Considering how much trouble it gives, there have to be *very* good reasons 
> to keep it enabled.


$ rpm -q --qf "%{URL}\n" libselinux

--
LF







Re: [CentOS] selinux: how to allow access?

2018-03-16 Thread Alexander Dalloz

On 16.03.2018 at 13:09, hw wrote:

> On 03/16/2018 12:14 PM, Richard Grainger wrote:
>
>>> Yet again I could not find any documentation explaining how to do basic
>>> things like this :(  Selinux is more like a curse than anything else :( Why
>>> is there not even a good documentation?
>>
>> More trolling?
>
> Show me a good documentation and/or name good reasons not to disable
> selinux.  Considering how much trouble it gives, there have to be *very*
> good reasons to keep it enabled.

Useful resources for SELinux:

http://wiki.centos.org/HowTos/SELinux

http://wiki.centos.org/TipsAndTricks/SelinuxBooleans

http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/

http://www.youtube.com/watch?v=bQqX3RWn0Yw

http://opensource.com/business/13/11/selinux-policy-guide

Alexander


Re: [CentOS] selinux: how to allow access?

2018-03-16 Thread hw

On 03/16/2018 12:14 PM, Richard Grainger wrote:

>> Yet again I could not find any documentation explaining how to do basic
>> things like this :(  Selinux is more like a curse than anything else :( Why
>> is there not even a good documentation?
>
> More trolling?

Show me a good documentation and/or name good reasons not to disable 
selinux.  Considering how much trouble it gives, there have to be *very* 
good reasons to keep it enabled.



Re: [CentOS] selinux: how to allow access?

2018-03-16 Thread Richard Grainger
> Yet again I could not find any documentation explaining how to do basic
> things like this :(  Selinux is more like a curse than anything else :( Why
> is there not even a good documentation?

More trolling?


[CentOS] selinux: how to allow access?

2018-03-16 Thread hw


Hi,

how do I allow exim access to a socket in order to be able to do local 
deliveries to cyrus?



type=AVC msg=audit(1521179280.845:1920270): avc:  denied  { name_connect 
} for  pid=319 comm="exim" dest=24 scontext=system_u:system_r:exim_t:s0 
tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket



Yet again I could not find any documentation explaining how to do basic 
things like this :(  Selinux is more like a curse than anything else :( 
Why is there not even a good documentation?


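The exim denial above, and the sudo sys_ptrace denial that Dan Walsh suggested dontaudit-ing earlier in this archive, turned into Type Enforcement rules by an added example (my code, not audit2allow's and not from the thread): it parses AVC records as quoted in these threads, folds duplicates from a permissive-mode run, and emits a local policy module source. The module name `local_fixes` and the allow-versus-dontaudit decision in `policy_choice` are assumptions; the build commands in the comments are the standard checkmodule, semodule_package and semodule sequence.

```python
import re

# Constructed from the two AVC records quoted in these threads, re-joined onto one line each.
AVC_SUDO = ('type=AVC msg=audit(1534872386.726:9642): avc:  denied  { sys_ptrace } for  '
            'pid=8458 comm="sudo" capability=19 scontext=system_u:system_r:httpd_t:s0 '
            'tcontext=system_u:system_r:httpd_t:s0 tclass=capability')
AVC_EXIM = ('type=AVC msg=audit(1521179280.845:1920270): avc:  denied  { name_connect } for  '
            'pid=319 comm="exim" dest=24 scontext=system_u:system_r:exim_t:s0 '
            'tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:range] -> type; the type is always the third field."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the pieces of one AVC denial that a TE rule needs, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def te_rule(avc, verb='allow'):
    """One allow/dontaudit line; a target of the source's own type is written 'self'."""
    target = 'self' if avc['target'] == avc['source'] else avc['target']
    return '%s %s %s:%s { %s };' % (verb, avc['source'], target,
                                    avc['tclass'], ' '.join(avc['perms']))


def build_module(name, rules):
    """Assemble a .te source: module header, require block, then the rules."""
    types, classes, body = set(), {}, []
    for avc, verb in rules:
        types.update((avc['source'], avc['target']))
        classes.setdefault(avc['tclass'], set()).update(avc['perms'])
        body.append(te_rule(avc, verb))
    req = ['require {']
    req += ['\ttype %s;' % t for t in sorted(types)]
    req += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
            for c, p in sorted(classes.items())]
    req.append('}')
    return '\n'.join(['module %s 1.0;' % name, ''] + req + [''] + body) + '\n'


def module_from_log(name, lines, decide):
    """Turn a batch of audit lines (e.g. from a permissive-mode run) into one module.

    decide(avc) returns 'allow', 'dontaudit' or None to skip; repeats are folded."""
    seen, rules = set(), []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc['source'], avc['target'], avc['tclass'], tuple(avc['perms']))
        if key in seen:
            continue
        verb = decide(avc)
        if verb:
            seen.add(key)
            rules.append((avc, verb))
    return build_module(name, rules)


def policy_choice(avc):
    """Assumed policy: silence the sys_ptrace probing of /proc as Dan Walsh advised, allow the rest."""
    if avc['tclass'] == 'capability' and 'sys_ptrace' in avc['perms']:
        return 'dontaudit'
    return 'allow'


if __name__ == '__main__':
    # Build and load the printed source with:
    #   checkmodule -M -m -o local_fixes.mod local_fixes.te
    #   semodule_package -o local_fixes.pp -m local_fixes.mod
    #   semodule -i local_fixes.pp
    print(module_from_log('local_fixes', [AVC_SUDO, AVC_EXIM, 'noise', AVC_EXIM], policy_choice))
```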

Re: [CentOS] SELinux breaks Squid's ssl_crtd helper

2018-03-10 Thread Nicolas Kovacs
On 10/03/2018 at 18:18, Gordon Messmer wrote:
> Start by running "ausearch -c 'ssl_crtd' --raw" by itself.  Try to
> determine whether or not all of the affected files are mentioned in that
> output.
> 
> Typically, to generate a complete policy, you'll need to run in
> permissive mode while you operate the system, so that all of the things
> that you want to allow are recorded.  Many services that need a new
> policy will generate more than one AVC denial, and in enforcing mode
> they'll terminate or at least cease processing the labeled resources
> that they need after the first denial.  In permissive mode, you should
> get a better list of exceptions that are required, because AVCs are
> recorded, but the application isn't actually denied permission to those
> resources.
> 
> When your logs are complete, remove the old module and generate a new
> one according to the directions from sealert.

OK, I found the solution. This is actually a bug in Squid's default
SELinux policy, but it can be corrected manually.

https://blog.microlinux.fr/squid-https-centos/#configuration

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32


Re: [CentOS] SELinux breaks Squid's ssl_crtd helper

2018-03-10 Thread Gordon Messmer

On 03/09/2018 05:18 AM, Nicolas Kovacs wrote:

> Do allow this
> access for now by executing:
> # ausearch -c 'ssl_crtd' --raw | audit2allow -M my-sslcrtd
> # semodule -i my-sslcrtd.pp
>
> Unfortunately the suggested solution doesn't work

Start by running "ausearch -c 'ssl_crtd' --raw" by itself.  Try to 
determine whether or not all of the affected files are mentioned in that 
output.

Typically, to generate a complete policy, you'll need to run in 
permissive mode while you operate the system, so that all of the things 
that you want to allow are recorded.  Many services that need a new 
policy will generate more than one AVC denial, and in enforcing mode 
they'll terminate or at least cease processing the labeled resources 
that they need after the first denial.  In permissive mode, you should 
get a better list of exceptions that are required, because AVCs are 
recorded, but the application isn't actually denied permission to those 
resources.

When your logs are complete, remove the old module and generate a new 
one according to the directions from sealert.





Re: [CentOS] SELinux breaks Squid's ssl_crtd helper

2018-03-09 Thread peter.winterflood


The ausearch is only identifying issues that there are logs for at that time.
Best to create a file context for that path permanently.
There's an example of how to do this in the selinux man pages. Typing on my 
phone, I'm trying to remember the command from the example in its man page.  
semanage fcontext is what you are looking for, followed by a restorecon on 
the path you added.

Regards peter

Sent with AquaMail for Android
http://www.aqua-mail.com


On 9 March 2018 13:18:45 "Nicolas Kovacs"  wrote:


Hi,

I've setup a transparent HTTP+HTTPS proxy on my server running CentOS 7,
using Squid. Here's my configuration file.

--8<
# /etc/squid/squid.conf



# Définitions

acl localnet src 192.168.2.0/24

acl SSL_ports port 443

acl Safe_ports port 80  # http

acl Safe_ports port 21  # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70  # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Règles d'accès
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

# Ports du proxy
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/nestor.microlinux.lan.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Emplacement de ssl_crtd et du cache des certificats TLS
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

# SSL-Bump
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Taille du cache dans la RAM
cache_mem 2048 MB

# Emplacement et taille du cache sur le disque
# cache_dir ufs /var/spool/squid 100 16 256

# Vidage système
coredump_dir /var/spool/squid

# Durée de vie des fichiers sans date d'expiration
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320
--8<

First, I tested the configuration in permissive mode, where it works
perfectly. After running it a while, I get the following SELinux alert.

# sealert -a /var/log/audit/audit.log
* Plugin catchall (17.1 confidence) suggests *
If you believe that ssl_crtd should be allowed read access on the
index.txt file by default. Then you should report this as a bug. You can
generate a local policy module to allow this access. Do allow this
access for now by executing:
# ausearch -c 'ssl_crtd' --raw | audit2allow -M my-sslcrtd
# semodule -i my-sslcrtd.pp

Unfortunately the suggested solution doesn't work, because the problem
reappears, and I get all sorts of errors in /var/log/squid/cache.log,
all due to ssl_crtd not being able to access stuff under /var/lib/ssl_db.

Any idea how I can solve this problem permanently?

Cheers,

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Website: https://www.microlinux.fr
Blog: https://blog.microlinux.fr
Mail: i...@microlinux.fr
Tel.: 04 66 63 10 32
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos





[CentOS] SELinux breaks Squid's ssl_crtd helper

2018-03-09 Thread Nicolas Kovacs
Hi,

I've set up a transparent HTTP+HTTPS proxy on my server running CentOS 7,
using Squid. Here's my configuration file.

--8<
# /etc/squid/squid.conf

# Definitions
acl localnet src 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Access rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

# Proxy ports
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/nestor.microlinux.lan.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Location of ssl_crtd and of the TLS certificate cache
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

# SSL-Bump
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Size of the in-memory cache
cache_mem 2048 MB

# Location and size of the on-disk cache
# cache_dir ufs /var/spool/squid 100 16 256

# Core dumps
coredump_dir /var/spool/squid

# Lifetime of files that carry no expiry date
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
--8<

First, I tested the configuration in permissive mode, where it works
perfectly. After running it a while, I get the following SELinux alert.

# sealert -a /var/log/audit/audit.log
* Plugin catchall (17.1 confidence) suggests *
If you believe that ssl_crtd should be allowed read access on the
index.txt file by default. Then you should report this as a bug. You can
generate a local policy module to allow this access. Do allow this
access for now by executing:
# ausearch -c 'ssl_crtd' --raw | audit2allow -M my-sslcrtd
# semodule -i my-sslcrtd.pp

Unfortunately the suggested solution doesn't work, because the problem
reappears, and I get all sorts of errors in /var/log/squid/cache.log,
all due to ssl_crtd not being able to access stuff under /var/lib/ssl_db.

Any idea how I can solve this problem permanently?

Cheers,

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Website: https://www.microlinux.fr
Blog: https://blog.microlinux.fr
Mail: i...@microlinux.fr
Tel.: 04 66 63 10 32


Re: [CentOS] selinux policy with rsyslog and tls/certs

2018-02-13 Thread John Ratliff

On 2/13/2018 4:48 PM, John Ratliff wrote:
I've set up my rsyslog server to forward traffic to another rsyslog 
server on my network. It's using gTLS to encrypt the messages in transit.


selinux is not allowing rsyslogd to read the certificates. They are 
world readable, so I don't think that is the problem. When I turn 
selinux mode to permissive, it works fine.


What context should the ssl certificates be in for rsyslog to be able to 
read them?




It worked when I set it to syslog_conf_t. Not sure if that's correct, 
but it functions.




[CentOS] selinux policy with rsyslog and tls/certs

2018-02-13 Thread John Ratliff
I've set up my rsyslog server to forward traffic to another rsyslog 
server on my network. It's using gTLS to encrypt the messages in transit.


selinux is not allowing rsyslogd to read the certificates. They are 
world readable, so I don't think that is the problem. When I turn 
selinux mode to permissive, it works fine.


What context should the ssl certificates be in for rsyslog to be able to 
read them?


thanks.


[CentOS] SELinux - Re: how to prevent files and directories from being deleted?

2017-10-05 Thread Andrew Holway
> Well, what am I supposed to do?  The socket (or what it was) needs to be
> put somewhere, and IIRC, it wasn´t my choice to put it there but is a
> default.

I am confused why you would want persistence for these objects in any
operating system. Could you show us the relevant errors you are getting
when rebooting?

You mentioned SELinux. Is the problem that you have SELinux enabled and the
packages that you are using do not come with an appropriate SELinux policy
making them unable to open sockets / write pid files? Which SELinux context
are these applications running in?


Re: [CentOS] selinux prevents lighttpd from printing

2017-09-22 Thread Daniel Walsh

On 09/22/2017 08:24 AM, hw wrote:

Daniel Walsh wrote:

On 09/22/2017 06:58 AM, hw wrote:


PS: Now I found this:


type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : 
proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 
syscall=setgroups success=no exit=EPERM(Operation not permitted) 
a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 
pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root suid=root 
fsuid=root egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) 
ses=unset comm=sendmail exe=/usr/sbin/exim 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc: denied  { 
setgid } for  pid=19418 comm=sendmail capability=setgid 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability


type=SYSCALL msg=audit(09/15/2017 12:12:14.551:31746) : arch=x86_64 
syscall=open success=yes exit=7 a0=0x7ffd1659ec70 a1=O_RDONLY a2=0x0 
a3=0x9 items=0 ppid=27605 pid=27633 auid=unset uid=lighttpd 
gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd 
egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset 
comm=lpr exe=/usr/bin/lpr.cups 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { 
open } for  pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" 
ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { 
read } for  pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file



So I can see that sending email and printing was denied -- which I already
found out -- and I don't have any idea how to allow it.


hw wrote:

Johnny Hughes wrote:

On 09/20/2017 07:19 AM, hw wrote:

hw wrote:


Hi,

how do I allow CGI programs to print (using 'lpr -P some-printer
some-file.pdf') when
lighttpd is being used for a web server?

When selinux is permissive, the printer prints; when it's enforcing,
the printer
does not print, and I'm getting the log message '/bin/lpr: Permission
denied'.

'getsebool -a | grep http' doesn't show any boolean I could make out
to be responsible
for this.

Any idea what I need to do/change to allow printing without disabling
selinux?


Nobody knows?



Look in your audit logs while in permissive mode and you should see the
issue in there, the wiki has details:

https://wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b



Thanks!  I'm guessing I'm supposed to use ausearch to search for something, and
I don't know what to search for.

So far, lighttpd can not print and can not send emails (using MIME::Lite) unless
selinux is permissive.  Using

'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'

, I only get


type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) : 
proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64 
syscall=open success=no exit=EACCES(Permission denied) 
a0=0x559fc8094740 
a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 
a3=0x7 items=0 ppid=1 pid=14081 auid=unset uid=root gid=root 
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root 
tty=(none) ses=unset comm=lighttpd exe=/usr/sbin/lighttpd 
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc: denied { 
write } for  pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir



Any idea what I would need to search for, or how to figure out what I would
need to allow?


First thing to enable httpd to send mail, you can turn on the send 
mail boolean.


# setsebool -P httpd_can_sendmail 1


Oh I looked at these variables and somehow didn't see it.


The ability to print you would need to add custom rules.

# grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint

# semodule -i myprint.pp

If you get another failure on lpr, you might have to run these 
commands a couple of times.


Thank you very much!  Both problems are now fixed :)

However:

grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint
could not open interface info [/var/lib/sepolgen/interface_info]


I don't know what's missing, so I 

Re: [CentOS] selinux prevents lighttpd from printing

2017-09-22 Thread hw

Daniel Walsh wrote:

On 09/22/2017 06:58 AM, hw wrote:


PS: Now I found this:


type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : 
proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 
syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1 
a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 pid=19418 
auid=unset uid=lighttpd gid=lighttpd euid=root suid=root fsuid=root 
egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=sendmail 
exe=/usr/sbin/exim subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc:  denied  { setgid } for 
 pid=19418 comm=sendmail capability=setgid 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability

type=SYSCALL msg=audit(09/15/2017 12:12:14.551:31746) : arch=x86_64 
syscall=open success=yes exit=7 a0=0x7ffd1659ec70 a1=O_RDONLY a2=0x0 a3=0x9 
items=0 ppid=27605 pid=27633 auid=unset uid=lighttpd gid=lighttpd euid=lighttpd 
suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd 
tty=(none) ses=unset comm=lpr exe=/usr/bin/lpr.cups 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied { open } for  pid=27633 
comm=lpr path=/etc/cups/lpoptions dev="sdb2" ino=153957 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied { read } for  pid=27633 
comm=lpr name=lpoptions dev="sdb2" ino=153957 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file


So I can see that sending email and printing was denied -- which I already
found out -- and I don't have any idea how to allow it.


hw wrote:

Johnny Hughes wrote:

On 09/20/2017 07:19 AM, hw wrote:

hw wrote:


Hi,

how do I allow CGI programs to print (using 'lpr -P some-printer
some-file.pdf') when
lighttpd is being used for a web server?

When selinux is permissive, the printer prints; when it's enforcing,
the printer
does not print, and I'm getting the log message '/bin/lpr: Permission
denied'.

'getsebool -a | grep http' doesn't show any boolean I could make out
to be responsible
for this.

Any idea what I need to do/change to allow printing without disabling
selinux?


Nobody knows?



Look in your audit logs while in permissive mode and you should see the
issue in there, the wiki has details:

https://wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b


Thanks!  I'm guessing I'm supposed to use ausearch to search for something, and
I don't know what to search for.

So far, lighttpd can not print and can not send emails (using MIME::Lite) unless
selinux is permissive.  Using

'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'

, I only get


type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) : 
proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64 syscall=open 
success=no exit=EACCES(Permission denied) a0=0x559fc8094740 
a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 a3=0x7 items=0 
ppid=1 pid=14081 auid=unset uid=root gid=root euid=root suid=root fsuid=root 
egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lighttpd 
exe=/usr/sbin/lighttpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc:  denied { write } for  pid=14081 
comm=lighttpd name=www dev="sda2" ino=64608 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 
tclass=dir


Any idea what I would need to search for, or how to figure out what I would
need to allow?


First thing to enable httpd to send mail, you can turn on the send mail boolean.

# setsebool -P httpd_can_sendmail 1


Oh I looked at these variables and somehow didn't see it.


The ability to print you would need to add custom rules.

# grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint

# semodule -i myprint.pp

If you get another failure on lpr, you might have to run these commands a 
couple of times.


Thank you very much!  Both problems are now fixed :)

However:

grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint
could not open interface info [/var/lib/sepolgen/interface_info]


I don't know what's missing, so I omitted the -R option, and it worked.
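This thread and the Squid ssl_crtd thread above both end in the same loop: run audit2allow on the denials logged so far, load the module, and run it again when the next denial shows up. The script below is an added example (it is not part of audit2allow, Squid, or the CentOS policy packages) that shows what that step actually produces. It reads AVC records in either the raw audit.log form or the `ausearch -i` form, merges every round of denials into one rule set so a second pass adds nothing new, writes a target equal to the source as `self`, and emits a complete `.te` module. The function name `avc2te` is mine; the module name `myprint` is the one used in this thread; the four sample records are constructed from the ones pasted in this thread and in the cgi-bin thread further down the page.

```shell
#!/bin/sh
# avc2te: turn logged AVC denials into the allow rules of a local policy
# module, the way the audit2allow step in this thread does.  Added example
# for the thread; not part of audit2allow, Squid or the CentOS policy packages.

# Constructed sample: the records pasted in this thread and in the cgi-bin
# thread on this page, one per line, in both the `ausearch -i` and the raw
# audit.log timestamp forms.
SAMPLE_AVC='type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc:  denied  { setgid } for  pid=19418 comm=sendmail capability=setgid scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied  { open } for  pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied  { read } for  pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for  pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" ino=537182029 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc2te MODULE_NAME   (AVC records on stdin, .te module text on stdout)
avc2te() {
    awk -v mod="${1:-local}" '
    # "{ read write }" for several permissions, the bare name for one
    function fmt(p) { sub(/^ /, "", p); return (index(p, " ") ? "{ " p " }" : p) }
    /type=AVC/ && / denied / {
        # the permission set is whatever sits between the braces
        perm = $0; sub(/.*[{] */, "", perm); sub(/ *[}].*/, "", perm)
        n = split(perm, perms, " ")
        # the type is the third colon-separated field of a context
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), sc, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), tc, ":")
        match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
        types[sc[3]] = 1; types[tc[3]] = 1
        # a domain acting on its own type is written as "self"
        key = sc[3] SUBSEP (tc[3] == sc[3] ? "self" : tc[3]) SUBSEP cls
        if (!(key in order)) order[key] = ++nrules
        if (!(cls in corder)) corder[cls] = ++nclass
        for (i = 1; i <= n; i++) {
            # merge repeated rounds of denials instead of emitting duplicates
            if (!((key, perms[i]) in seen)) { seen[key, perms[i]] = 1; rperm[key] = rperm[key] " " perms[i] }
            if (!((cls, perms[i]) in cseen)) { cseen[cls, perms[i]] = 1; cperm[cls] = cperm[cls] " " perms[i] }
        }
    }
    END {
        print "module " mod " 1.0;"; print ""
        print "require {"
        for (t in types) print "    type " t ";"
        for (c in corder) cl[corder[c]] = c
        for (i = 1; i <= nclass; i++) print "    class " cl[i] " " fmt(cperm[cl[i]]) ";"
        print "}"; print ""
        for (k in order) rl[order[k]] = k
        for (i = 1; i <= nrules; i++) {
            split(rl[i], f, SUBSEP)
            print "allow " f[1] " " f[2] ":" f[3] " " fmt(rperm[rl[i]]) ";"
        }
    }'
}

# Stand-alone run: the module these records would give the thread.
printf '%s\n' "$SAMPLE_AVC" | avc2te myprint
```

Building and loading the result is the usual `checkmodule -M -m -o myprint.mod myprint.te`, `semodule_package -o myprint.pp -m myprint.mod`, `semodule -i myprint.pp` sequence, which is what `audit2allow -M` runs for you. Read the rules before loading them: the last one (`httpd_t` executing a file of type `httpd_sys_content_t`) is the cgi-bin denial from the other thread, a labelling mistake to fix with `restorecon` rather than a hole to open in the policy, and the `setgid` capability rule grants more than a print job needs and is better covered by the `httpd_can_sendmail` boolean suggested above.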

Re: [CentOS] selinux prevents lighttpd from printing

2017-09-22 Thread Daniel Walsh

On 09/22/2017 06:58 AM, hw wrote:


PS: Now I found this:


type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : 
proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 
syscall=setgroups success=no exit=EPERM(Operation not permitted) 
a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 
pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root suid=root 
fsuid=root egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) 
ses=unset comm=sendmail exe=/usr/sbin/exim 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc:  denied  { 
setgid } for  pid=19418 comm=sendmail capability=setgid 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability


type=SYSCALL msg=audit(09/15/2017 12:12:14.551:31746) : arch=x86_64 
syscall=open success=yes exit=7 a0=0x7ffd1659ec70 a1=O_RDONLY a2=0x0 
a3=0x9 items=0 ppid=27605 pid=27633 auid=unset uid=lighttpd 
gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd 
sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=lpr 
exe=/usr/bin/lpr.cups subj=system_u:system_r:httpd_sys_script_t:s0 
key=(null)
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied { 
open } for  pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" 
ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied { 
read } for  pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file



So I can see that sending email and printing was denied -- which I already
found out -- and I don't have any idea how to allow it.


hw wrote:

Johnny Hughes wrote:

On 09/20/2017 07:19 AM, hw wrote:

hw wrote:


Hi,

how do I allow CGI programs to print (using 'lpr -P some-printer
some-file.pdf') when
lighttpd is being used for a web server?

When selinux is permissive, the printer prints; when it's enforcing,
the printer
does not print, and I'm getting the log message '/bin/lpr: Permission
denied'.

'getsebool -a | grep http' doesn't show any boolean I could make out
to be responsible
for this.

Any idea what I need to do/change to allow printing without disabling
selinux?


Nobody knows?



Look in your audit logs while in permissive mode and you should see the
issue in there, the wiki has details:

https://wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b 



Thanks!  I'm guessing I'm supposed to use ausearch to search for something, and
I don't know what to search for.

So far, lighttpd can not print and can not send emails (using MIME::Lite) unless
selinux is permissive.  Using

'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'

, I only get


type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) : 
proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64 
syscall=open success=no exit=EACCES(Permission denied) 
a0=0x559fc8094740 
a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 a3=0x7 
items=0 ppid=1 pid=14081 auid=unset uid=root gid=root euid=root 
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) 
ses=unset comm=lighttpd exe=/usr/sbin/lighttpd 
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc:  denied { 
write } for  pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir



Any idea what I would need to search for, or how to figure out what I would
need to allow?


First thing to enable httpd to send mail, you can turn on the send mail 
boolean.


# setsebool -P httpd_can_sendmail 1

The ability to print you would need to add custom rules.

# grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint

# semodule -i myprint.pp

If you get another failure on lpr, you might have to run these commands 
a couple of times.





Re: [CentOS] selinux prevents lighttpd from printing

2017-09-22 Thread hw


PS: Now I found this:


type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : 
proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 
syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1 
a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 pid=19418 
auid=unset uid=lighttpd gid=lighttpd euid=root suid=root fsuid=root 
egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=sendmail 
exe=/usr/sbin/exim subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc:  denied  { setgid } for 
 pid=19418 comm=sendmail capability=setgid  
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability

type=SYSCALL msg=audit(09/15/2017 12:12:14.551:31746) : arch=x86_64 
syscall=open success=yes exit=7 a0=0x7ffd1659ec70 a1=O_RDONLY a2=0x0 a3=0x9 
items=0 ppid=27605 pid=27633 auid=unset uid=lighttpd gid=lighttpd euid=lighttpd 
suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd 
tty=(none) ses=unset comm=lpr exe=/usr/bin/lpr.cups 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied  { open } for  pid=27633 
comm=lpr path=/etc/cups/lpoptions dev="sdb2" ino=153957 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied  { read } for  pid=27633 
comm=lpr name=lpoptions dev="sdb2" ino=153957 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file


So I can see that sending email and printing was denied -- which I already
found out -- and I don't have any idea how to allow it.


hw wrote:

Johnny Hughes wrote:

On 09/20/2017 07:19 AM, hw wrote:

hw wrote:


Hi,

how do I allow CGI programs to print (using 'lpr -P some-printer
some-file.pdf') when
lighttpd is being used for a web server?

When selinux is permissive, the printer prints; when it's enforcing,
the printer
does not print, and I'm getting the log message '/bin/lpr: Permission
denied'.

'getsebool -a | grep http' doesn't show any boolean I could make out
to be responsible
for this.

Any idea what I need to do/change to allow printing without disabling
selinux?


Nobody knows?



Look in your audit logs while in permissive mode and you should see the
issue in there, the wiki has details:

https://wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b


Thanks!  I'm guessing I'm supposed to use ausearch to search for something, and
I don't know what to search for.

So far, lighttpd can not print and can not send emails (using MIME::Lite) unless
selinux is permissive.  Using

'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'

, I only get


type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) : 
proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64 syscall=open 
success=no exit=EACCES(Permission denied) a0=0x559fc8094740 
a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 a3=0x7 items=0 
ppid=1 pid=14081 auid=unset uid=root gid=root euid=root suid=root fsuid=root 
egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lighttpd 
exe=/usr/sbin/lighttpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc:  denied  { write } for  pid=14081 
comm=lighttpd name=www dev="sda2" ino=64608 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 
tclass=dir


Any idea what I would need to search for, or how to figure out what I would
need to allow?


Re: [CentOS] selinux prevents lighttpd from printing

2017-09-22 Thread hw

Johnny Hughes wrote:

On 09/20/2017 07:19 AM, hw wrote:

hw wrote:


Hi,

how do I allow CGI programs to print (using 'lpr -P some-printer
some-file.pdf') when
lighttpd is being used for a web server?

When selinux is permissive, the printer prints; when it's enforcing,
the printer
does not print, and I'm getting the log message '/bin/lpr: Permission
denied'.

'getsebool -a | grep http' doesn't show any boolean I could make out
to be responsible
for this.

Any idea what I need to do/change to allow printing without disabling
selinux?


Nobody knows?



Look in your audit logs while in permissive mode and you should see the
issue in there, the wiki has details:

https://wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b


Thanks!  I'm guessing I'm supposed to use ausearch to search for something, and
I don't know what to search for.

So far, lighttpd can not print and can not send emails (using MIME::Lite) unless
selinux is permissive.  Using

'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'

, I only get


type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) : 
proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64 syscall=open 
success=no exit=EACCES(Permission denied) a0=0x559fc8094740 
a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 a3=0x7 items=0 
ppid=1 pid=14081 auid=unset uid=root gid=root euid=root suid=root fsuid=root 
egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lighttpd 
exe=/usr/sbin/lighttpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc:  denied  { write } for  pid=14081 
comm=lighttpd name=www dev="sda2" ino=64608 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 
tclass=dir


Any idea what I would need to search for, or how to figure out what I would
need to allow?


Re: [CentOS] selinux prevents lighttpd from printing

2017-09-20 Thread Johnny Hughes
On 09/20/2017 07:19 AM, hw wrote:
> hw wrote:
>>
>> Hi,
>>
>> how do I allow CGI programs to print (using 'lpr -P some-printer
>> some-file.pdf') when
>> lighttpd is being used for a web server?
>>
>> When selinux is permissive, the printer prints; when it's enforcing,
>> the printer
>> does not print, and I'm getting the log message '/bin/lpr: Permission
>> denied'.
>>
>> 'getsebool -a | grep http' doesn't show any boolean I could make out
>> to be responsible
>> for this.
>>
>> Any idea what I need to do/change to allow printing without disabling
>> selinux?
> 
> Nobody knows?


Look in your audit logs while in permissive mode and you should see the
issue in there, the wiki has details:

https://wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b





Re: [CentOS] selinux prevents lighttpd from printing

2017-09-20 Thread hw

hw wrote:


Hi,

how do I allow CGI programs to print (using 'lpr -P some-printer 
some-file.pdf') when
lighttpd is being used for a web server?

When selinux is permissive, the printer prints; when it's enforcing, the printer
does not print, and I'm getting the log message '/bin/lpr: Permission denied'.

'getsebool -a | grep http' doesn't show any boolean I could make out to be 
responsible
for this.

Any idea what I need to do/change to allow printing without disabling selinux?


Nobody knows?


[CentOS] selinux prevents lighttpd from printing

2017-09-15 Thread hw


Hi,

how do I allow CGI programs to print (using 'lpr -P some-printer 
some-file.pdf') when
lighttpd is being used for a web server?

When selinux is permissive, the printer prints; when it's enforcing, the printer
does not print, and I'm getting the log message '/bin/lpr: Permission denied'.

'getsebool -a | grep http' doesn't show any boolean I could make out to be 
responsible
for this.

Any idea what I need to do/change to allow printing without disabling selinux?


Re: [CentOS] selinux denial of cgi script with httpd using ssl

2017-09-04 Thread Gregory P. Ennis

On Tue, Sep 5, 2017 at 9:49 AM, Gregory P. Ennis wrote:

> Thanks for your help.
>
> I did pick up an additional entry in the audit file :
>
>
> type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for
> pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
> ino=537182029 scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
>
> Unfortunately, I am not sure how the above tells me what is wrong.
>


Hi,

Have you then tried passing this message though audit2why ?

Maybe read through https://wiki.centos.org/HowTos/SELinux if you haven't
already.

If you want something simpler maybe try installing setroubleshoot and
setroubleshoot-server.



Thanks to everyone, I am in the process of working through everyone's
suggestions, will post what I find that works.

Greg



Re: [CentOS] selinux denial of cgi script with httpd using ssl

2017-09-04 Thread James Hogarth
On 4 September 2017 at 23:12, Alexander Dalloz wrote:

> Am 04.09.2017 um 23:49 schrieb Gregory P. Ennis:
>
>> Thanks for your help.
>>
>> I did pick up an additional entry in the audit file :
>>
>>
>> type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for
>> pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
>> ino=537182029 scontext=system_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
>>
>> Unfortunately, I am not sure how the above tells me what is wrong.
>>
>> Greg
>>
>
> From above log entry you see that the file object denied to execute
> ('/var/www/cgi-bin/name.of.script.cgi) has the SELinux context type
> httpd_sys_content_t.
>
> # semanage fcontext -l | grep '/var/www/cgi-bin'
> /var/www/cgi-bin(/.*)? all files
> system_u:object_r:httpd_sys_script_exec_t:s0
> [ ... ]
>
> The permitted type is httpd_sys_script_exec_t.
>
> `restorecon -Rv /var/www/cgi-bin/' can fix it. Or more targeted `chcon -t
> httpd_sys_script_exec_t /var/www/cgi-bin/name.of.script.cgi'.
>
> Both audit2why and audit2allow suggest to activate a boolean which you may
> not want to set as it disables a more fine grained privilege separation in
> the context of httpd actions.
>
>
>
Don't ever use chcon unless you hate future you or random future team
member when they wonder why things break after a relabelling!


Re: [CentOS] selinux denial of cgi script with httpd using ssl

2017-09-04 Thread James Hogarth
On 4 September 2017 at 22:49, Gregory P. Ennis  wrote:

> Thanks for your help.
>
> I did pick up an additional entry in the audit file :
>
>
> type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for
> pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
> ino=537182029 scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
>
> Unfortunately, I am not sure how the above tells me what is wrong.
>
>
Odd it was in the don't audit logs, as I think that should be logged
normally.

Executable scripts should be httpd_sys_script_exec_t rather than
httpd_sys_content_t, as the latter is just read only content files rather
than something to be executed.

The default policy has the cgi-bin directory contents labelled correctly by
default though ...

Could you please post the output of 'semanage fcontext -lC' ... this will
list any local file context modifications.

You could try restorecon -Rv /var/www to see if that fixes your labelling,
if you've not made any local modifications.

If you have made local modifications to set the contents of cgi-bin to
httpd_sys_content_t then you should remove those with semanage fcontext -d
'/var/www/cgi-bin' or whatever the pattern for the local modification is as
that's incorrect labelling.

While you're checking selinux configuration do a quick
getsebool httpd_enable_cgi ... it's on by default but worth verifying :)


Re: [CentOS] selinux denial of cgi script with httpd using ssl

2017-09-04 Thread Alexander Dalloz

On 04.09.2017 at 23:49, Gregory P. Ennis wrote:

Thanks for your help.

I did pick up an additional entry in the audit file :


type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for
pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
ino=537182029 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

Unfortunately, I am not sure how the above tells me what is wrong.

Greg


From the above log entry you see that the file object denied to execute
('/var/www/cgi-bin/name.of.script.cgi') has the SELinux context type
httpd_sys_content_t.


# semanage fcontext -l | grep '/var/www/cgi-bin'
/var/www/cgi-bin(/.*)? all files 
system_u:object_r:httpd_sys_script_exec_t:s0

[ ... ]

The permitted type is httpd_sys_script_exec_t.

`restorecon -Rv /var/www/cgi-bin/' can fix it. Or more targeted `chcon 
-t httpd_sys_script_exec_t /var/www/cgi-bin/name.of.script.cgi'.


Both audit2why and audit2allow suggest activating a boolean which you
may not want to set as it disables a more fine-grained privilege
separation in the context of httpd actions.


Alexander



Re: [CentOS] selinux denial of cgi script with httpd using ssl

2017-09-04 Thread Clint Dilks
On Tue, Sep 5, 2017 at 9:49 AM, Gregory P. Ennis  wrote:

> Thanks for your help.
>
> I did pick up an additional entry in the audit file :
>
>
> type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for
> pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
> ino=537182029 scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
>
> Unfortunately, I am not sure how the above tells me what is wrong.
>


Hi,

Have you then tried passing this message through audit2why?

Maybe read through https://wiki.centos.org/HowTos/SELinux if you haven't
already.

If you want something simpler maybe try installing setroubleshoot and
setroubleshoot-server.


Re: [CentOS] selinux denial of cgi script with httpd using ssl

2017-09-04 Thread Gregory P. Ennis
Thanks for your help.

I did pick up an additional entry in the audit file :


type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for
pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
ino=537182029 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

Unfortunately, I am not sure how the above tells me what is wrong.

Greg

-----Original Message-----
From: Clint Dilks <cli...@scms.waikato.ac.nz>
Reply-to: CentOS mailing list <centos@centos.org>
To: CentOS mailing list <centos@centos.org>
Subject: Re: [CentOS] selinux denial of cgi script with httpd using ssl
Date: Tue, 5 Sep 2017 09:38:27 +1200

Hi,

Try disabling Don't Audit rules

semodule -DB

Then check /var/log/audit.log

To re-enable

semodule -B






On Tue, Sep 5, 2017 at 5:07 AM, Gregory P. Ennis <po...@pomec.net> wrote:

> Everyone,
>
> I am trying to use a cgi perl script for a CentOS 7 website that works
> fine with selinux in permissive mode but fails with selinux in enforcing
> mode.
>
> The problem I have is that I can not find where the selinux error
> message is being recorded.
>
> It does not appear to be in the /var/log/messages
> or /var/log/audit/audit.log.  I do not get
> any /var/log/httpd/ssl_error_log entries. I do get a successful entry
> into /var/log/httpd/ssl_access_log and ssl_request_log when selinux is
> in permissive mode, but not when selinux is in enforcing mode.
>
> The only place I can see that I am getting an error message is in the
> /var/log/httpd/error_log which is as follows :
>
> Mon Sep 04 11:40:24.216569 2017] [cgi:error] [pid 2290] [client
> x.x.x.x:55748] AH01215: (13)Permission denied: exec of
> '/var/www/cgi-bin/name.of.script.cgi' failed, referer:
> https://name.domain.com/
>
> When selinux is in permissive mode the above error does not occur and
> the script works fine.  When selinux is in enforcing mode the above
> error occurs, and the cgi script fails to execute.
>
> Is there a way to increase the sensitivity of selinux logging, or is
> there a different place to look for the error that prevents the
> execution of the script?
>
> Your help would be appreciated.
>
> Thanks,
>
> Greg Ennis
>
>
>


Re: [CentOS] selinux denial of cgi script with httpd using ssl

2017-09-04 Thread Clint Dilks
Hi,

Try disabling Don't Audit rules

semodule -DB

Then check /var/log/audit.log

To re-enable

semodule -B






On Tue, Sep 5, 2017 at 5:07 AM, Gregory P. Ennis  wrote:

> Everyone,
>
> I am trying to use a cgi perl script for a CentOS 7 website that works
> fine with selinux in permissive mode but fails with selinux in enforcing
> mode.
>
> The problem I have is that I can not find where the selinux error
> message is being recorded.
>
> It does not appear to be in the /var/log/messages
> or /var/log/audit/audit.log.  I do not get
> any /var/log/httpd/ssl_error_log entries. I do get a successful entry
> into /var/log/httpd/ssl_access_log and ssl_request_log when selinux is
> in permissive mode, but not when selinux is in enforcing mode.
>
> The only place I can see that I am getting an error message is in the
> /var/log/httpd/error_log which is as follows :
>
> Mon Sep 04 11:40:24.216569 2017] [cgi:error] [pid 2290] [client
> x.x.x.x:55748] AH01215: (13)Permission denied: exec of
> '/var/www/cgi-bin/name.of.script.cgi' failed, referer:
> https://name.domain.com/
>
> When selinux is in permissive mode the above error does not occur and
> the script works fine.  When selinux is in enforcing mode the above
> error occurs, and the cgi script fails to execute.
>
> Is there a way to increase the sensitivity of selinux logging, or is
> there a different place to look for the error that prevents the
> execution of the script?
>
> Your help would be appreciated.
>
> Thanks,
>
> Greg Ennis
>
>
>


[CentOS] selinux denial of cgi script with httpd using ssl

2017-09-04 Thread Gregory P. Ennis
Everyone,

I am trying to use a cgi perl script for a CentOS 7 website that works
fine with selinux in permissive mode but fails with selinux in enforcing
mode.

The problem I have is that I can not find where the selinux error
message is being recorded.

It does not appear to be in the /var/log/messages
or /var/log/audit/audit.log.  I do not get
any /var/log/httpd/ssl_error_log entries. I do get a successful entry
into /var/log/httpd/ssl_access_log and ssl_request_log when selinux is
in permissive mode, but not when selinux is in enforcing mode.

The only place I can see that I am getting an error message is in the
/var/log/httpd/error_log which is as follows :

Mon Sep 04 11:40:24.216569 2017] [cgi:error] [pid 2290] [client
x.x.x.x:55748] AH01215: (13)Permission denied: exec of
'/var/www/cgi-bin/name.of.script.cgi' failed, referer:
https://name.domain.com/

When selinux is in permissive mode the above error does not occur and
the script works fine.  When selinux is in enforcing mode the above
error occurs, and the cgi script fails to execute.

Is there a way to increase the sensitivity of selinux logging, or is
there a different place to look for the error that prevents the
execution of the script?

Your help would be appreciated.

Thanks,

Greg Ennis





Re: [CentOS] selinux problem policies

2017-05-01 Thread Günther J . Niederwimmer
Hello,

Thanks for the Help!

On Monday, 1 May 2017 04:47:21 CEST Gordon Messmer wrote:
> On 04/30/2017 07:24 PM, Günther J. Niederwimmer wrote:
> > When I want to set this rule:
> > semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"
> > 
> > These errors are displayed:
> > neverallow check failed at
> > /etc/selinux/targeted/tmp/modules/100/selinuxutil/ cil:244
> 
> I see, now.  What happens if you run "find /etc/selinux/targeted/tmp"?
> I'm not sure if you're getting an error because a tmp file was left
> behind earlier, or because something is wrong with the command you're
> running.

nothing ?

but now I have made a new installation of the server and the rule is working
without errors and is installed ??

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"
-- 
with kind regards / best regards

  Günther J. Niederwimmer


Re: [CentOS] selinux problem policies

2017-04-30 Thread Gordon Messmer

On 04/30/2017 07:24 PM, Günther J. Niederwimmer wrote:

When I want to set this rule:
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"

These errors are displayed:
neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/
cil:244


I see, now.  What happens if you run "find /etc/selinux/targeted/tmp"?  
I'm not sure if you're getting an error because a tmp file was left 
behind earlier, or because something is wrong with the command you're 
running.





Re: [CentOS] selinux problem policies

2017-04-30 Thread Günther J . Niederwimmer
Hello,

On Sunday, 30 April 2017 18:40:23 CEST Gordon Messmer wrote:
> On 04/30/2017 07:03 AM, Günther J. Niederwimmer wrote:
> > I wrote this!
> > 
> > semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"
> 
> OK.  Did you get an error?
I have only errors ;-).

When I want to set this rule:
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"

These errors are displayed:
neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/
cil:244
  (neverallow selinuxutil_typeattr_1 semanage_store_t (file (relabelto)))

allow at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:675
  (allow restorecond_t non_auth_file_type (file (getattr relabelfrom 
relabelto)))

allow at /etc/selinux/targeted/tmp/modules/100/systemd/cil:1108
  (allow systemd_tmpfiles_t non_auth_file_type (file (getattr relabelfrom 
relabelto)))

But the rule is not added/set?

> > I have more instances of typo3
> > I found this construct in the selinux policies
> > "/var/www/html(/.*)?/uploads(/.*)?"
> > 
> > but mine is not working?
> 
> Can you be specific about what "not working" means?  Did you get an
> error from the semanage command?  Are files not labeled correctly?
> 
> After setting context rules, you can "restorecon -R -v /var/www/html/"
> to fix the labels of any existing files.  You can see their current
> labels using "ls -lZ /var/www/html".
> 
> > and I have only errors?
> > 
> > neverallow check failed at
> > /etc/selinux/targeted/tmp/modules/100/selinuxutil/ cil:244
> 
> When do you see that error?
> 


-- 
with kind regards / best regards

  Günther J. Niederwimmer


Re: [CentOS] selinux problem policies

2017-04-30 Thread James A. Peltier
If the content is located under /var/www then you could use restorecon -Rvv to 
restore the context of all content under /var/www to the default context label 
as provided by Apache.

- On 30 Apr, 2017, at 07:03, Günther J. Niederwimmer g...@gjn.priv.at wrote:

| Hello,
| 
| My problem is adding SELinux policies.
| Can anyone help and say what is wrong with my policies?
| I wrote this!
| 
| semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"
| 
| I have more instances of typo3
| I found this construct in the selinux policies
| "/var/www/html(/.*)?/uploads(/.*)?"
| 
| but mine is not working?
| 
| and I have only errors?
| 
| neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/
| cil:244
|  (neverallow selinuxutil_typeattr_1 semanage_store_t (file (relabelto)))
|
|allow at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:675
|  (allow restorecond_t non_auth_file_type (file (getattr relabelfrom
| relabelto)))
|
|allow at /etc/selinux/targeted/tmp/modules/100/systemd/cil:1108
|  (allow systemd_tmpfiles_t non_auth_file_type (file (getattr relabelfrom
| relabelto)))
| 
| neverallow check failed at /etc/selinux/targeted/tmp/modules/100/base/cil:
| 13121
|  (neverallow base_typeattr_18 scsi_generic_device_t (blk_file (read)))
|
|allow at /etc/selinux/targeted/tmp/modules/100/munin/cil:581
|  (allow disk_munin_plugin_t device_node (blk_file (ioctl read getattr lock
| open)))
| .
| 
| or is there a better way to include policies?
| --
| with kind regards / best regards
| 
|  Günther J. Niederwimmer

-- 
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 604-365-6432
Fax : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
Twitter : @sfu_rcg
Powering Engagement Through Technology


Re: [CentOS] selinux problem policies

2017-04-30 Thread Gordon Messmer

On 04/30/2017 07:03 AM, Günther J. Niederwimmer wrote:

I wrote this!

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"


OK.  Did you get an error?


I have more instances of typo3
I found this construct in the selinux policies
"/var/www/html(/.*)?/uploads(/.*)?"

but mine is not working?


Can you be specific about what "not working" means?  Did you get an 
error from the semanage command?  Are files not labeled correctly?


After setting context rules, you can "restorecon -R -v /var/www/html/" 
to fix the labels of any existing files.  You can see their current 
labels using "ls -lZ /var/www/html".



and I have only errors?

neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/
cil:244


When do you see that error?



[CentOS] selinux problem policies

2017-04-30 Thread Günther J . Niederwimmer
Hello,

My problem is adding SELinux policies.
Can anyone help and say what is wrong with my policies?
I wrote this!

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"

I have more instances of typo3
I found this construct in the selinux policies
"/var/www/html(/.*)?/uploads(/.*)?"

but mine is not working?

and I have only errors?

neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/
cil:244
  (neverallow selinuxutil_typeattr_1 semanage_store_t (file (relabelto)))

allow at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:675
  (allow restorecond_t non_auth_file_type (file (getattr relabelfrom 
relabelto)))

allow at /etc/selinux/targeted/tmp/modules/100/systemd/cil:1108
  (allow systemd_tmpfiles_t non_auth_file_type (file (getattr relabelfrom 
relabelto)))

neverallow check failed at /etc/selinux/targeted/tmp/modules/100/base/cil:
13121
  (neverallow base_typeattr_18 scsi_generic_device_t (blk_file (read)))

allow at /etc/selinux/targeted/tmp/modules/100/munin/cil:581
  (allow disk_munin_plugin_t device_node (blk_file (ioctl read getattr lock 
open)))
.

or is there a better way to include policies?
-- 
with kind regards / best regards

  Günther J. Niederwimmer


[CentOS] SELinux policy to allow Dovecot to connect to Mysql

2017-04-07 Thread Robert Moskowitz

I have been getting the following on my new mailserver:

Apr  7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect 
failed to database (postfix): Can't connect to local MySQL server 
through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds 
before retry


They go away when I setenforce 0.

So I googled dovecot mysql selinux and the only worthwhile hit was:

http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html

that provides a /etc/selinux/dovecot2mysql.te

Is there a simpler way like a setsebool option?

With all the howtos on dovecot with mysql, it is interesting that none 
of them seem to have this problem.  Maybe because they connect to mysql 
through TCP port 3306 which has ITS set of problems (like MariaDB 
defaults to not listening on TCP).


thanks!



Re: [CentOS] SELInux conflict with Postfixadmin

2017-02-21 Thread Robert Moskowitz



On 02/21/2017 12:06 PM, Daniel J Walsh wrote:


On 02/21/2017 11:52 AM, Robert Moskowitz wrote:


On 02/21/2017 11:46 AM, Zdenek Sedlak wrote:

On 2017-02-21 17:30, Robert Moskowitz wrote:

postfixadmin setup.php is claiming:

*Error: Smarty template compile directory templates_c is not writable.*
*Please make it writable.*
*If you are using SELinux or AppArmor, you might need to adjust their
setup to allow write access.*


This goes away with 'setenforce 0', so it is an SELinux issue.  I have
tried both:

restorecon -Rv /usr/share/postfixadmin

and

chcon -R -t httpd_sys_content_t /usr/share/postfixadmin

and they are not the problem.  Googling this message does not produce
any SELinux advice.

Any ideas?

thanks


Hi,

after 'setenforce 0' check the /var/log/audit/audit.log:

# grep /var/log/audit/audit.log | audit2why

Don't I need a search string in that grep command?


to see where  the problem could be.

Anyway the last three entries are:

type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for
pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
permissive=1


If you want to allow apache processes to write to the templates_c
directory you need to label it httpd_sys_content_rw_t.


Thanks!

I undid the httpd_unified with:

setsebool -P httpd_unified 0

Then did

chcon -R -t httpd_sys_content_rw_t /usr/share/postfixadmin/templates_c

And SELinux appears to be happy.


type=SYSCALL msg=audit(1487695678.704:128): arch=4028 syscall=33
per=80 success=yes exit=0 a0=813c3ed0 a1=2 a2=0 a3=0 items=0
ppid=2053 pid=2055 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
key=(null)

type=PROCTITLE msg=audit(1487695678.704:128):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44







Re: [CentOS] SELInux conflict with Postfixadmin

2017-02-21 Thread Daniel J Walsh


On 02/21/2017 11:52 AM, Robert Moskowitz wrote:
>
>
> On 02/21/2017 11:46 AM, Zdenek Sedlak wrote:
>> On 2017-02-21 17:30, Robert Moskowitz wrote:
>>> postfixadmin setup.php is claiming:
>>>
>>> *Error: Smarty template compile directory templates_c is not writable.*
>>> *Please make it writable.*
>>> *If you are using SELinux or AppArmor, you might need to adjust their
>>> setup to allow write access.*
>>>
>>>
>>> This goes away with 'setenforce 0', so it is an SELinux issue.  I have
>>> tried both:
>>>
>>> restorecon -Rv /usr/share/postfixadmin
>>>
>>> and
>>>
>>> chcon -R -t httpd_sys_content_t /usr/share/postfixadmin
>>>
>>> and they are not the problem.  Googling this message does not produce
>>> any SELinux advice.
>>>
>>> Any ideas?
>>>
>>> thanks
>>>
>> Hi,
>>
>> after 'setenforce 0' check the /var/log/audit/audit.log:
>>
>> # grep /var/log/audit/audit.log | audit2why
>
> Don't I need a search string in that grep command?
>
>> to see where  the problem could be.
>
> Anyway the last three entries are:
>
> type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for
> pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
> permissive=1
>
If you want to allow apache processes to write to the templates_c
directory you need to label it httpd_sys_content_rw_t.
> type=SYSCALL msg=audit(1487695678.704:128): arch=4028 syscall=33
> per=80 success=yes exit=0 a0=813c3ed0 a1=2 a2=0 a3=0 items=0
> ppid=2053 pid=2055 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
> key=(null)
>
> type=PROCTITLE msg=audit(1487695678.704:128):
> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>
>


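A small POSIX shell helper, added here as an example and not code from any of these threads, that parses AVC records like the two quoted above (the CGI execute denial and the templates_c write denial, each a constructed copy re-joined onto one line) and prints the labelling-based remedy the replies recommend. The advice wording, and the choice of httpd_sys_rw_content_t for the write case, are mine rather than the list's.

```shell
#!/bin/sh
# Added example, not code from the CentOS list threads: summarise SELinux AVC
# denials of the kind quoted above and print the labelling-based remedy the
# replies recommend (restorecon / semanage fcontext, not chcon or a boolean).

# Constructed sample input: the two AVC records quoted in the threads above,
# each re-joined onto a single line as auditd writes them.
SAMPLE_AVC='type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" ino=537182029 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1'

# avc_field RECORD KEY: print the value of KEY=... (surrounding quotes
# stripped); prints nothing if the key is absent.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm RECORD: print the permission set inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# type_of CONTEXT: the type component of user:role:type:level.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_advice RECORD: one line naming the object and the fix to try first.
# The two specific cases are the ones discussed in the threads; anything
# else is sent to audit2why rather than straight to audit2allow.
avc_advice() {
    line=$1
    perm=$(avc_perm "$line")
    stype=$(type_of "$(avc_field "$line" scontext)")
    ttype=$(type_of "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    name=$(avc_field "$line" name)
    case "$stype:$ttype:$tclass:$perm" in
    httpd_t:httpd_sys_content_t:file:execute)
        printf '%s: CGI labelled httpd_sys_content_t (read-only content) but needs httpd_sys_script_exec_t; check "semanage fcontext -lC" for a local override, then "restorecon -Rv" the cgi-bin directory rather than using chcon\n' "$name" ;;
    httpd_t:httpd_sys_content_t:dir:write)
        printf '%s: httpd may not write to httpd_sys_content_t; add a "semanage fcontext" rule giving this directory httpd_sys_rw_content_t and restorecon it, instead of setting httpd_unified\n' "$name" ;;
    *)
        printf '%s: %s denied %s on %s (%s); run the record through audit2why before writing any allow rule\n' "$name" "$stype" "$perm" "$ttype" "$tclass" ;;
    esac
}

# avc_report: read records on stdin, print one advice line per AVC denial.
avc_report() {
    while IFS= read -r rec; do
        case $rec in
        *'avc:  denied'*) avc_advice "$rec" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_AVC" | avc_report
```

Feed it the real file with `grep 'avc:  denied' /var/log/audit/audit.log | avc_report` after the usual `semodule -DB` if the denial is hidden by a dontaudit rule.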

Re: [CentOS] SELInux conflict with Postfixadmin

2017-02-21 Thread Robert Moskowitz



On 02/21/2017 11:46 AM, Zdenek Sedlak wrote:

On 2017-02-21 17:30, Robert Moskowitz wrote:

postfixadmin setup.php is claiming:

*Error: Smarty template compile directory templates_c is not writable.*
*Please make it writable.*
*If you are using SELinux or AppArmor, you might need to adjust their
setup to allow write access.*


This goes away with 'setenforce 0', so it is an SELinux issue.  I have
tried both:

restorecon -Rv /usr/share/postfixadmin

and

chcon -R -t httpd_sys_content_t /usr/share/postfixadmin

and they are not the problem.  Googling this message does not produce
any SELinux advice.

Any ideas?

thanks


Hi,

after 'setenforce 0' check the /var/log/audit/audit.log:

# grep /var/log/audit/audit.log | audit2why


Don't I need a search string in that grep command?


to see where  the problem could be.


Anyway the last three entries are:

type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for 
pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir 
permissive=1


type=SYSCALL msg=audit(1487695678.704:128): arch=4028 syscall=33 
per=80 success=yes exit=0 a0=813c3ed0 a1=2 a2=0 a3=0 items=0 
ppid=2053 pid=2055 auid=4294967295 uid=48 gid=48 euid=48 suid=48 
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" 
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)


type=PROCTITLE msg=audit(1487695678.704:128): 
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44





Re: [CentOS] SELInux conflict with Postfixadmin

2017-02-21 Thread Robert Moskowitz



On 02/21/2017 11:46 AM, Zdenek Sedlak wrote:

On 2017-02-21 17:30, Robert Moskowitz wrote:

postfixadmin setup.php is claiming:

*Error: Smarty template compile directory templates_c is not writable.*
*Please make it writable.*
*If you are using SELinux or AppArmor, you might need to adjust their
setup to allow write access.*


This goes away with 'setenforce 0', so it is an SELinux issue.  I have
tried both:

restorecon -Rv /usr/share/postfixadmin

and

chcon -R -t httpd_sys_content_t /usr/share/postfixadmin

and they are not the problem.  Googling this message does not produce
any SELinux advice.

Any ideas?

thanks


Hi,

after 'setenforce 0' check the /var/log/audit/audit.log:

# grep /var/log/audit/audit.log | audit2why

to see where  the problem could be.


Playing around a little with this, I added templates_c as the grep 
string and got:


type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for 
pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir 
permissive=1


Was caused by:
The boolean httpd_unified was set incorrectly.
Description:
Allow httpd to unified

Allow access by executing:
# setsebool -P httpd_unified 1

So I tried that, and the error went away.  Going to have to add 
audit2why in my notes.


thanks



Re: [CentOS] SELInux conflict with Postfixadmin

2017-02-21 Thread Zdenek Sedlak
On 2017-02-21 17:30, Robert Moskowitz wrote:
> postfixadmin setup.php is claiming:
>
> *Error: Smarty template compile directory templates_c is not writable.*
> *Please make it writable.*
> *If you are using SELinux or AppArmor, you might need to adjust their
> setup to allow write access.*
>
>
> This goes away with 'setenforce 0', so it is an SELinux issue.  I have
> tried both:
>
> restorecon -Rv /usr/share/postfixadmin
>
> and
>
> chcon -R -t httpd_sys_content_t /usr/share/postfixadmin
>
> and they are not the problem.  Googling this message does not produce
> any SELinux advice.
>
> Any ideas?
>
> thanks
>
Hi,

after 'setenforce 0' check the /var/log/audit/audit.log:

# grep /var/log/audit/audit.log | audit2why

to see where  the problem could be.

//Zdenek


[CentOS] SELInux conflict with Postfixadmin

2017-02-21 Thread Robert Moskowitz

postfixadmin setup.php is claiming:

*Error: Smarty template compile directory templates_c is not writable.*
*Please make it writable.*
*If you are using SELinux or AppArmor, you might need to adjust their 
setup to allow write access.*



This goes away with 'setenforce 0', so it is an SELinux issue.  I have 
tried both:


restorecon -Rv /usr/share/postfixadmin

and

chcon -R -t httpd_sys_content_t /usr/share/postfixadmin

and they are not the problem.  Googling this message does not produce 
any SELinux advice.


Any ideas?

thanks



[CentOS] selinux contexts for openntpd portable

2017-02-08 Thread Jordan Ladora
I was wondering if someone could help with selinux context for the portable
openntpd library on centos7.

I compiled openntpd-6.0p1 and it runs great on centos7, but have not had
much luck with selinux contexts for it.

This is what I tried-

semanage fcontext -a -t ntp_conf_t /usr/local/etc/ntpd.conf        # seems to work
semanage fcontext -a -t ntpd_exec_t /usr/local/sbin/ntpd           # gets reset on reboot to bin_t and/or stops ntpd from working
semanage fcontext -a -t ntpd_exec_t /usr/local/sbin/ntpctl         # stops ntpd from working
semanage fcontext -a -t ntp_drift_t /usr/local/var/db/ntpd.drift   # seems ok

No idea about context for /usr/local/var/db/ntpd.sock

Thanks in advance for any help,
jl


Re: [CentOS] SELinux file permissions

2017-01-25 Thread Tim Smith
> Did you define my_postfixauth_private_t yourself? And if so, why?
>
> All my sockets inside /var/spool/postfix/private/ have the type
> postfix_private_t. I don't see why you think a non-standard type would fit.
> And postfix_private_t gets automatically assigned and a custom fcontext
> should not be necessary.
>
> Alexander
>

I just gave up in the end and did what you're (apparently) not
supposed to do.

fgrep dovecot_t /var/log/audit/audit.log | audit2allow

The output moaned about base types, but googling that just led me into
the murky depths of even more confusing selinux wizardry. So I gave up
trying to fix that too; by that point I had wasted three days
trying to get Dovecot working and wasn't about to waste another three
figuring how to get around the "base types" complaints.

I love the concept of selinux but boy do I wish the developers
wouldn't have made it quite so obscure and complicated to work with !!


Re: [CentOS] SELinux file permissions

2017-01-24 Thread Alexander Dalloz

On 23.01.2017 at 23:44, Tim Smith wrote:

Thanks for the pointer, will take a look down that route.

Could you confirm the below is expected behaviour on Centos ?

# semanage fcontext -a -t my_postfixauth_private_t
"/var/spool/postfix/private(/.*)?"
ValueError: Type my_postfixauth_private_t is invalid, must be a file
or device type


Did you define my_postfixauth_private_t yourself? And if so, why?

All my sockets inside /var/spool/postfix/private/ have the type 
postfix_private_t. I don't see why you think a non-standard type would 
fit. And postfix_private_t gets automatically assigned and a custom 
fcontext should not be necessary.


Alexander



Re: [CentOS] SELinux file permissions

2017-01-24 Thread Mike McCarthy, W1NR
This last update caused numerous services to stop working for me. I
fixed them with a relabel.

touch /.autorelabel
reboot

Try that and see...
Mike

On 01/23/2017 01:57 PM, Tim Smith wrote:
> Hi,
>
> I'm trying to grant dovecot the ability to manage its socket within
> the postfix spool directory.
>
> I have added the below to file_contexts.local :
>
> /var/spool/postfix/private/dovecot-auth system_u:system_r:dovecot_t:s0
>
>
> However, running "restorecon -v
> /var/spool/postfix/private/dovecot-auth" gives me the following error
> :
>
> restorecon:  lstat(/var/spool/postfix/private/dovecot-auth) failed:
> No such file or directory
>
>
> I cannot create the socket file in advance, because dovecot manages
> it, and if you "touch" the file, dovecot complains.
>
> Where am I going wrong ?
>
> Thanks !
>
> Tim



Re: [CentOS] SELinux file permissions

2017-01-23 Thread Tim Smith
Thanks for the pointer, will take a look down that route.

Could you confirm the below is expected behaviour on CentOS?

# semanage fcontext -a -t my_postfixauth_private_t
"/var/spool/postfix/private(/.*)?"
ValueError: Type my_postfixauth_private_t is invalid, must be a file
or device type

On 23 January 2017 at 19:06, Lukas Zapletal  wrote:
> Hello,
>
> restorecon works only for existing files; for new files you are looking for
> a file transition rule.
>
> Google that; there are plenty of articles on that topic, for example:
>
> https://fedoraproject.org/wiki/Features/SELinuxFileNameTransition
>
> LZ
>
> 2017-01-23 19:57 GMT+01:00 Tim Smith :
>
>> Hi,
>>
>> I'm trying to grant dovecot the ability to manage its socket within
>> the postfix spool directory.
>>
>> I have added the below to file_contexts.local :
>>
>> /var/spool/postfix/private/dovecot-auth system_u:system_r:dovecot_t:s0
>>
>>
>> However, running "restorecon -v
>> /var/spool/postfix/private/dovecot-auth" gives me the following error
>> :
>>
>> restorecon:  lstat(/var/spool/postfix/private/dovecot-auth) failed:
>> No such file or directory
>>
>>
>> I cannot create the socket file in advance, because dovecot manages
>> it, and if you "touch" the file, dovecot complains.
>>
>> Where am I going wrong ?
>>
>> Thanks !
>>
>> Tim
>>
>
>
>
> --
> S pozdravem / Best regards
>   Lukas Zapletal


Re: [CentOS] SELinux file permissions

2017-01-23 Thread Lukas Zapletal
Hello,

restorecon works only for existing files; for new files you are looking for
a file transition rule.

Google that; there are plenty of articles on that topic, for example:

https://fedoraproject.org/wiki/Features/SELinuxFileNameTransition

LZ

2017-01-23 19:57 GMT+01:00 Tim Smith :

> Hi,
>
> I'm trying to grant dovecot the ability to manage its socket within
> the postfix spool directory.
>
> I have added the below to file_contexts.local :
>
> /var/spool/postfix/private/dovecot-auth system_u:system_r:dovecot_t:s0
>
>
> However, running "restorecon -v
> /var/spool/postfix/private/dovecot-auth" gives me the following error
> :
>
> restorecon:  lstat(/var/spool/postfix/private/dovecot-auth) failed:
> No such file or directory
>
>
> I cannot create the socket file in advance, because dovecot manages
> it, and if you "touch" the file, dovecot complains.
>
> Where am I going wrong ?
>
> Thanks !
>
> Tim
>



-- 
S pozdravem / Best regards
  Lukas Zapletal


[CentOS] SELinux file permissions

2017-01-23 Thread Tim Smith
Hi,

I'm trying to grant dovecot the ability to manage its socket within
the postfix spool directory.

I have added the below to file_contexts.local :

/var/spool/postfix/private/dovecot-auth system_u:system_r:dovecot_t:s0


However, running "restorecon -v
/var/spool/postfix/private/dovecot-auth" gives me the following error
:

restorecon:  lstat(/var/spool/postfix/private/dovecot-auth) failed:
No such file or directory


I cannot create the socket file in advance, because dovecot manages
it, and if you "touch" the file, dovecot complains.

Where am I going wrong ?

Thanks !

Tim


[CentOS] SELinux upgrade

2017-01-19 Thread Scott Robbins
Well, got hit by this too. Ironically, I don't use docker; I think I had it
installed because it was pulled in for something else.

So, tried the yum remove docker* but no go.  When I do semanage port -a -t
ssh_port_t -p tcp  I get an error


Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1

which is something that doesn't exist. Tried installing container-selinux,
but so far, the only way to get SSH to work on a default port is to
setenforce 0.  

This isn't a really important machine, but it is certainly annoying.

-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6



Re: [CentOS] SELinux upgrade

2017-01-19 Thread Daniel J Walsh


On 01/19/2017 08:57 AM, Marcin Trendota wrote:
> On 19.01.2017 at 14:54, Johnny Hughes wrote:
>
>>> So, it looks like something with docker-selinux and container-selinux...
>> Right, I wanted to mention that docker-selinux was replaced with
>> container-selinux in the latest version.
> Shouldn't docker-selinux be automatically removed then?
>
container-selinux should disable docker policy and then install its own.

container-selinux-1.12.5-14


Re: [CentOS] SELinux upgrade

2017-01-19 Thread Gordon Messmer

On 01/19/2017 12:43 AM, Marcin Trendota wrote:

> After recent system upgrade (this night) I lost access to two servers
> through SSH, because of a change in SELinux policy - I have ssh there on
> a different port and now it's gone.

Which release?  I also run ssh on an alternate port on one host, and 
that host didn't break following yesterday's updates.

Can you get the AVCs from /var/log/audit/audit.log?  What is currently 
the content of /etc/selinux/targeted/modules/active/ports.local?  Does 
it describe the same ports as the output of "semanage port -l -C"?

> Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to
> ensure persistence?

It should be.  You should see that port labeled in the file above.

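An added example, not from this thread, that scripts the check described above: it parses `semanage port -l -C` output and ports.local into the same "proto port type" shape and lists customizations that semanage reports but the local store does not carry, and it wraps the re-labelling in an idempotent function that falls back to `semanage port -m` when the port already carries a label (the "already defined" error quoted further down the thread). The semanage listing and the ports.local content are constructed samples; ports 2222 and 8081 are assumptions, and the portcon layout of ports.local is what libsemanage writes as far as I know, so compare the sample with your own file before relying on the parser.

```shell
#!/bin/sh
# Added example (not from the thread): check that custom port labels survived
# a policy update, and (re)apply the ssh port label without tripping over
# "Port tcp/NNNN already defined".

# Constructed sample of `semanage port -l -C` (local customizations only).
SAMPLE_SEMANAGE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      8081
ssh_port_t                     tcp      2222'

# Constructed sample of /etc/selinux/targeted/modules/active/ports.local,
# in the portcon layout libsemanage writes (assumption: check your own file).
SAMPLE_PORTS_LOCAL='# This file is auto-generated by libsemanage
# Do not edit directly.

portcon tcp 2222 system_u:object_r:ssh_port_t:s0'

# ports_from_semanage: `semanage port -l` text on stdin -> "proto port type"
# lines, one per port, since one type can list several ports ("2222, 22").
ports_from_semanage() {
    awk '$1 ~ /_port_t$/ && NF >= 3 {
        rest = ""
        for (i = 3; i <= NF; i++) rest = rest $i
        n = split(rest, ports, ",")
        for (i = 1; i <= n; i++) print $2, ports[i], $1
    }'
}

# ports_from_local: ports.local text on stdin -> the same "proto port type" lines.
ports_from_local() {
    awk '$1 == "portcon" { split($4, c, ":"); print $2, $3, c[3] }'
}

# ports_missing_from_local SEMANAGE_TEXT LOCAL_TEXT: customizations that
# semanage reports but ports.local lacks (one per line; empty when consistent).
ports_missing_from_local() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" | ports_from_semanage | sort > "$a"
    printf '%s\n' "$2" | ports_from_local    | sort > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# ensure_ssh_port PORT: idempotent labelling on a live host (root and
# policycoreutils-python needed). `-a` fails with "already defined" when the
# port has any label, so `-m` is used in that case. Not invoked in this example.
ensure_ssh_port() {
    port="$1"
    listing=$(semanage port -l) || return 1
    if printf '%s\n' "$listing" | ports_from_semanage | grep -q "^tcp $port ssh_port_t\$"; then
        echo "tcp/$port is already ssh_port_t"
    elif printf '%s\n' "$listing" | ports_from_semanage | grep -q "^tcp $port "; then
        semanage port -m -t ssh_port_t -p tcp "$port"
    else
        semanage port -a -t ssh_port_t -p tcp "$port"
    fi
}

# Snapshot the local store before an update; replay it if the update lost it:
#   semanage export > /root/selinux-local.custom
#   semanage import -f /root/selinux-local.custom
ports_missing_from_local "$SAMPLE_SEMANAGE_PORTS" "$SAMPLE_PORTS_LOCAL"
```

Run against the samples it reports `tcp 8081 http_port_t`, i.e. a customization that semanage still lists but that would not survive a rebuild of the local store; an empty result means the two views agree and a lost ssh port is a policy-build problem rather than a missing customization.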


Re: [CentOS] SELinux upgrade

2017-01-19 Thread Marcin Trendota
On 19.01.2017 at 14:54, Johnny Hughes wrote:

>> So, it looks like something with docker-selinux and container-selinux...
> Right, I wanted to mention that docker-selinux was replaced with
> container-selinux in the latest version.

Shouldn't docker-selinux be automatically removed then?

-- 
Over And Out
MoonWolf


Re: [CentOS] SELinux upgrade

2017-01-19 Thread Johnny Hughes
On 01/19/2017 04:47 AM, Marcin Trendota wrote:
> W dniu 19.01.2017 o 10:17, Hal Wigoda pisze:
>> I have experienced this myself.   It is very upsetting.  
> 
> 
> It happened on servers with docker installed. I got error message there:
> # semanage port -a -t ssh_port_t -p tcp 
> Re-declaration of type docker_t
> Failed to create node
> Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
> OSError: Error
> 
> After uninstalling:
> # yum remove docker*
> Wczytane wtyczki: fastestmirror, langpacks, priorities, versionlock
> Rozwiązywanie zależności
> --> Wykonywanie sprawdzania transakcji
> ---> Pakiet docker.x86_64 2:1.10.3-59.el7.centos zostanie usunięty
> ---> Pakiet docker-common.x86_64 2:1.10.3-59.el7.centos zostanie usunięty
> ---> Pakiet docker-forward-journald.x86_64 0:1.10.3-44.el7.centos
> zostanie usunięty
> ---> Pakiet docker-registry.x86_64 0:0.9.1-7.el7 zostanie usunięty
> ---> Pakiet docker-selinux.x86_64 0:1.10.3-46.el7.centos.14 zostanie
> usunięty
> --> Ukończono rozwiązywanie zależności
> [...]
> 
> And then:
> # semanage port -a -t ssh_port_t -p tcp 
> Re-declaration of type docker_t
> Failed to create node
> Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
> OSError: Error
> 
> 
> # yum remove docker-selinux
> Wczytane wtyczki: fastestmirror, langpacks, priorities, versionlock
> Rozwiązywanie zależności
> --> Wykonywanie sprawdzania transakcji
> ---> Pakiet container-selinux.x86_64 2:1.10.3-59.el7.centos zostanie
> usunięty
> --> Ukończono rozwiązywanie zależności
> [...]
> 
> # semanage port -a -t ssh_port_t -p tcp 
> ValueError: Port tcp/ został już określony
> # semanage port -l | grep ssh
> ssh_port_t tcp  , 22
> 
> 
> So, it looks like something with docker-selinux and container-selinux...
> 

Right, I wanted to mention that docker-selinux was replaced with
container-selinux in the lasest version.





Re: [CentOS] SELinux upgrade

2017-01-19 Thread Marcin Trendota
On 19.01.2017 at 10:17, Hal Wigoda wrote:
> I have experienced this myself. It is very upsetting.


It happened on servers with docker installed. I got an error message there:
# semanage port -a -t ssh_port_t -p tcp 
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
OSError: Error

After uninstalling:
# yum remove docker*
Loaded plugins: fastestmirror, langpacks, priorities, versionlock
Resolving Dependencies
--> Running transaction check
---> Package docker.x86_64 2:1.10.3-59.el7.centos will be erased
---> Package docker-common.x86_64 2:1.10.3-59.el7.centos will be erased
---> Package docker-forward-journald.x86_64 0:1.10.3-44.el7.centos
will be erased
---> Package docker-registry.x86_64 0:0.9.1-7.el7 will be erased
---> Package docker-selinux.x86_64 0:1.10.3-46.el7.centos.14 will be
erased
--> Finished Dependency Resolution
[...]

And then:
# semanage port -a -t ssh_port_t -p tcp 
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
OSError: Error


# yum remove docker-selinux
Loaded plugins: fastestmirror, langpacks, priorities, versionlock
Resolving Dependencies
--> Running transaction check
---> Package container-selinux.x86_64 2:1.10.3-59.el7.centos will be
erased
--> Finished Dependency Resolution
[...]

# semanage port -a -t ssh_port_t -p tcp 
ValueError: Port tcp/ already defined
# semanage port -l | grep ssh
ssh_port_t tcp  , 22


So, it looks like something with docker-selinux and container-selinux...

-- 
Over And Out
MoonWolf


Re: [CentOS] SELinux upgrade

2017-01-19 Thread Hal Wigoda
I have experienced this myself.   It is very upsetting.  

(Sent from iPhone, so please accept my apologies in advance for any spelling or 
grammatical errors.)

> On Jan 19, 2017, at 2:57 AM, Fabian Arrotin  wrote:
> 
> log


Re: [CentOS] SELinux upgrade

2017-01-19 Thread Fabian Arrotin
On 19/01/17 09:43, Marcin Trendota wrote:
> Hello All
> 
> After recent system upgrade (this night) I lost access to two servers
> through SSH, because of a change in SELinux policy - I have ssh there on
> a different port and now it's gone.
> 
> Thanks to puppet I was able to change the SSH port back to default and log
> in, but is this expected behavior? I thought a minor upgrade shouldn't
> break things?
> 
> Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to
> ensure persistence?
> 

It's normally enough; there is no need to do it again, unless the update lost
all custom settings and booleans. Something to try on a VM (set up CentOS
7.3.1611, modify it without updating it, verify that it works, and then
update it).
If the problem can be reproduced, I'd say open a bug on bugs.centos.org
*and* upstream bugzilla.redhat.com and link the two together.

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab





[CentOS] SELinux upgrade

2017-01-19 Thread Marcin Trendota
Hello All

After recent system upgrade (this night) I lost access to two servers
through SSH, because of a change in SELinux policy - I have ssh there on
a different port and now it's gone.

Thanks to puppet I was able to change the SSH port back to default and log
in, but is this expected behavior? I thought a minor upgrade shouldn't
break things?

Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to
ensure persistence?

-- 
Over And Out
MoonWolf


Re: [CentOS] selinux & rsyncd: Allowing global read for backup

2017-01-04 Thread Kenneth Porter
More digging and "getsebool -a | grep rsync" revealed the 
rsync_export_all_ro bool. I set that and now it looks like I can rsync from 
my BackupPC system.


setsebool -P rsync_export_all_ro 1




[CentOS] selinux & rsyncd: Allowing global read for backup

2017-01-04 Thread Kenneth Porter
I want to set up rsyncd to expose the whole drive read-only to BackupPC 
running on another machine. So I need to set selinux to allow this. 
According to the Fedora wiki I can do so like this:


setsebool -P rsync_disable_trans 1



But when I run the command on CentOS 7.3 it tells me that this bool is not 
defined. So what do I do now?


(Everything works fine if I set SELinux to permissive.)



Re: [CentOS] SElinux suggestions needed: migrating backup service

2016-10-26 Thread Gordon Messmer

On 10/24/2016 04:43 PM, Leon Fauster wrote:

> Using rsync -aHA (without X) circumvents the output but it's still unclear what 
> exactly triggers
> the above output.



The '-X' flag attempts to make attributes match on the source and 
destination files.  Since the source files have no SELinux attribute, 
rsync will try to remove it from the destination, where an attribute has 
been inherited.


I'm not entirely certain why a file could have no SELinux label, but 
since you don't have any extended attributes to preserve, the simple 
solution would be to stop telling rsync to preserve extended attributes.




Re: [CentOS] SElinux suggestions needed: migrating backup service

2016-10-24 Thread Leon Fauster
On 24.10.2016 at 23:44, Gordon Messmer wrote:
> On 10/24/2016 09:53 AM, Leon Fauster wrote:
>> Any suggestions to avoid the default labeling 
>> "unconfined_u:object_r:locale_t:s0"?
> 
> 
> Not off the top of my head.  I think you need to either a) not try to 
> preserve the labels or b) run the backup as a user which can manage labels.  
> What is the rsync command you are currently using, and what user does rsync 
> run as on the backup server?


Plain rsync -aHAX with some excludes and executed as root on the backup system.

Doing so I get:

rsync: rsync_xal_clear: 
lremovexattr("lib/modules/2.6.18-412.el5/modules.alias","security.selinux") 
failed: Permission denied (13)
rsync: rsync_xal_clear: 
lremovexattr("lib/modules/2.6.18-412.el5/modules.ccwmap","security.selinux") 
failed: Permission denied (13)
rsync: rsync_xal_clear: 
lremovexattr("lib/modules/2.6.18-412.el5/modules.dep","security.selinux") 
failed: Permission denied (13)
rsync: rsync_xal_clear: 
lremovexattr("lib/modules/2.6.18-412.el5/modules.ieee1394map","security.selinux")
 failed: Permission denied (13)
rsync: rsync_xal_clear: 
lremovexattr("lib/modules/2.6.18-412.el5/modules.inputmap","security.selinux") 
failed: Permission denied (13)
rsync: rsync_xal_clear: 
lremovexattr("lib/modules/2.6.18-412.el5/modules.isapnpmap","security.selinux") 
failed: Permission denied (13)
rsync: rsync_xal_clear: 
lremovexattr("lib/modules/2.6.18-412.el5/modules.ofmap","security.selinux") 
failed: Permission denied (13)
rsync: rsync_xal_clear: 
lremovexattr("lib/modules/2.6.18-412.el5/modules.pcimap","security.selinux") 
failed: Permission denied (13)

 

The thing is that files from the source system that don't have a label get a 
new 
one on the destination system. There is some kind of inheritance in place.

client# ls -laZ /lib/modules/2.6.18-412.el5/modules.*
-rw-r--r--  root root  
/lib/modules/2.6.18-412.el5/modules.alias
-rw-r--r--  root root  
/lib/modules/2.6.18-412.el5/modules.ccwmap
-rw-r--r--  root root  
/lib/modules/2.6.18-412.el5/modules.dep
-rw-r--r--  root root  
/lib/modules/2.6.18-412.el5/modules.ieee1394map
-rw-r--r--  root root  
/lib/modules/2.6.18-412.el5/modules.inputmap
-rw-r--r--  root root  
/lib/modules/2.6.18-412.el5/modules.isapnpmap
-rw-r--r--  root root  
/lib/modules/2.6.18-412.el5/modules.ofmap
-rw-r--r--  root root  
/lib/modules/2.6.18-412.el5/modules.pcimap
-rw-r--r--  root root  
/lib/modules/2.6.18-412.el5/modules.seriomap
-rw-r--r--  root root  
/lib/modules/2.6.18-412.el5/modules.symbols
-rw-r--r--  root root  
/lib/modules/2.6.18-412.el5/modules.usbmap


backupserver# ls -laZ daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.*
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 
daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.alias
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 
daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.ccwmap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 
daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.dep
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 
daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.ieee1394map
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 
daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.inputmap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 
daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.isapnpmap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 
daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.ofmap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 
daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.pcimap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 
daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.seriomap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 
daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.symbols
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 
daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.usbmap


Using rsync -aHA (without X) circumvents the output but it's still unclear what 
exactly triggers 
the above output.  The next weekend seems to be reserved for a SElinux dive 
though ...

--
LF




Re: [CentOS] SElinux suggestions needed: migrating backup service

2016-10-24 Thread Gordon Messmer

On 10/24/2016 09:53 AM, Leon Fauster wrote:

> Any suggestions to avoid the default labeling 
> "unconfined_u:object_r:locale_t:s0"?



Not off the top of my head.  I think you need to either a) not try to 
preserve the labels or b) run the backup as a user which can manage 
labels.  What is the rsync command you are currently using, and what 
user does rsync run as on the backup server?



