Joshua Brindle | 1 Dec 01:19 2007

Re: PATCH: peersid capability support

Paul Moore wrote:
> On Friday 30 November 2007 2:06:10 pm Paul Moore wrote:
>> On Friday 30 November 2007 12:34:20 pm Todd C. Miller wrote:
>>> I see what happened.  When generating the patch I did an svn revert not
>>> realizing that of course it wouldn't revert a new file it knew nothing
>>> about.  So effectively the new files were duplicated--one copy in the
>>> patch and one on the filesystem.
>>>
>>> Here's a fixed diff that applies to a fresh checkout.
>> Thanks, that applied without problem.
> 
> Probably user error on my end but I'm running into problems trying to make use 
> of the new code.  Here is what I did, please point out if I'm missing 
> something ...
> 
> 1. Compiled the new bits
> 2. Replaced checkmodule, checkpolicy, load_policy, libsepol and libsemanage 
> with the patched versions (wasn't really sure what needed to be replaced, do 
> I need any others?)
> 3. Created a simple policy module (did I get the syntax for the policycap 
> right? ... it's been a while since I looked at lex/yacc code):
>  policy_module(peer_test,0.0.1)
>  policycap network_peer_controls;
>  type peer_test_t;
> 4. Compiled the new module using the unmodified policy Makefile from Rawhide
>  Compiling targeted peer_test module
>  /usr/bin/checkmodule:  loading policy configuration from tmp/peer_test.tmp
>  /usr/bin/checkmodule:  policy configuration loaded
>  /usr/bin/checkmodule:  writing binary representation (version 7) to 
>                         tmp/peer_test.mod
(Continue reading)

Shintaro Fujiwara | 1 Dec 09:15 2007

libsepol.expand_terule_helper: duplicate TE rule

When I try to install apache.pp,

libsepol.expand_terule_helper: duplicate TE rule for httpd_t
exim_exec_t:process system_mail_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

I can't find any lines concerning exim_exec_t anywhere...
Please help.

-- 
Shintaro Fujiwara
segatex project (SELinux policy tool)
http://sourceforge.net/projects/segatex/
Home page
http://intrajp.no-ip.com/
Blog
http://intrajp.no-ip.com/nucleus/
CMS
http://intrajp.no-ip.com/xoops/
Wiki
http://intrajp.no-ip.com/pukiwiki/

Chris PeBenito | 1 Dec 22:57 2007

Re: libsepol.expand_terule_helper: duplicate TE rule

On Sat, 2007-12-01 at 17:15 +0900, Shintaro Fujiwara wrote:
> When I try to install apache.pp,
> 
> libsepol.expand_terule_helper: duplicate TE rule for httpd_t
> exim_exec_t:process system_mail_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule:  Failed!
> 
> I can't find any lines concerning exim_exec_t anywhere...
> Please help.

Which distro policy are you using?

-- 
Chris PeBenito
<pebenito@...>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243
Chris PeBenito | 2 Dec 00:21 2007

Re: refpolicy HEAD, Debian, patch for udev.te

On Fri, 2007-11-30 at 17:24 +0000, Martin Orr wrote:
> On 30/11/07 15:55, Christopher J. PeBenito wrote:
> > On Fri, 2007-11-30 at 16:30 +0100, Václav Ovsík wrote:
> >> On Fri, Nov 30, 2007 at 09:38:33AM -0500, Christopher J. PeBenito wrote:
> >>>> Corresponding code is in udev_node.c, function node_symlink().
> >>>>     if (strcmp(target, buf) == 0) {
> >>>> 	    info("preserve already existing symlink '%s' to '%s'", slink,
> >>>> target);
> >>>> 	    selinux_setfilecon(slink, NULL, S_IFLNK);
> >>>> 	    goto exit;
> >>>>     }
> >>> I'll add the rule.  Perhaps someone should send up a patch to remove the
> >>> setfilecon, and update the info message.
> >> Do you mean to compare the context of the symlink and skip setfilecon if it is
> >> ok?
> > 
> > Yes.  Unless there's a good reason to keep it as-is that I don't know
> > about.
> 
> Well I'll send a patch to udev.  Should it just be the below, or should udev
> be relabelling symlinks if it finds that they exist but are wrongly
> labelled?  How do I test for equality of security contexts?
> 
> --- a/udev_node.c
> +++ b/udev_node.c
>  <at>  <at>  -146,7 +146,6  <at>  <at>  static int node_symlink(const char *node, const char *slink)
>  				buf[len] = '\0';
>  				if (strcmp(target, buf) == 0) {
>  					info("preserve already existing symlink '%s' to '%s'", slink, target);
> -					selinux_setfilecon(slink, NULL, S_IFLNK);
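
Review bot: deleting the selinux_setfilecon() call outright means a pre-existing symlink that already points at the right target but carries the wrong label is never relabelled, and the "preserve already existing symlink" message in this hunk is left as it was although the reply above asked for it to be updated along with the removal. Rather than dropping the call, read the current label with lgetfilecon(slink, &con) from libselinux, compare it with the context the labelling helper would assign, and call selinux_setfilecon() only on a mismatch (logging that a relabel happened); that also answers the question of whether udev should fix wrongly labelled symlinks without relabelling on every run.
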
(Continue reading)

Shintaro Fujiwara | 2 Dec 00:18 2007

Re: libsepol.expand_terule_helper: duplicate TE rule

Well, as a matter of fact, I installed apache from source.
So, I installed apache into /usr/local/apache2.

I set /etc/selinux/config permissive and found that apache
runs in initrc_t.
But, of course I want to make it run httpd_t.

So, I tried to edit your refpolicy, downloaded from the repository,
newest version.
I commented every

type ...
bool ...
attribute...

including .if of templates.

and set them require {}.

I succeeded in making apache.pp all right, but when I tried to install it with
semodule -i apache.pp,
expand_terule_helper said there was an error.

I found the exim module in the services directory but could not find
anything like process system_mail_t.
I could not find those in tmp/apache.mod either.

It's the first time I've seen this error and I don't know what it is.

Did I mess up the apache policy, or is it some kind of bug?
(Continue reading)

Crispin Cowan | 2 Dec 02:07 2007

Re: [PATCH 2/2] hijack: update task_alloc_security

Serge E. Hallyn wrote:
> Quoting Crispin Cowan (crispin <at> crispincowan.com):
>   
>> I find that ptrace, specifically CAP_SYS_PTRACE, is overloaded. AppArmor
>> is having problems because we have to choose between granting
>> cap_sys_ptrace, or not allowing the process to read /proc/pid/self &
>> such like. So there, the problem is that we have to grant too much power
>> to a process to just let it read some /proc stuff about itself.
>>
>> Here the problem appears to be the other way. cap_sys_ptrace is powerful
>> enough to mess with other user's processes on the system, but if ptrace
>> gives you hijack, then that seems to give you the power to control
>> processes in someone else's namespace.
>>     
> The user namespace patchset I'm working on right now to start having
> signals respect user namespaces introduces CAP_NS_OVERRIDE.  Once that
> is in, then hijack would require CAP_NS_OVERRIDE|CAP_SYS_PTRACE.
>
> Of course, since we're considering only allowing HIJACK_NS which is
> only allowed into a different namespace, hijack would then always
> require CAP_NS_OVERRIDE...
>
> Does that suffice?
>   
I think that CAP_NS_OVERRIDE|CAP_SYS_PTRACE is a problem because of the
| making ptrace more powerful than it is now. If you make it
CAP_NS_OVERRIDE only, then the problem goes away.

Crispin

(Continue reading)

Shintaro Fujiwara | 2 Dec 21:27 2007

[ANN] segatex-4.00 RPM,SRPM released !!

I released RPM,SRPM version of segatex-4.00.tgz.

segatex is a program that lets you easily set SELinux commands from a GUI,
even if you don't know much about SELinux commands. Written in C++. Requires Qt (
qt-devel package ).

Thank you very much for your attention.

p.s.
I want to wrap semanage next.
Any comments are appreciated.

-- 
Shintaro Fujiwara
segatex project (SELinux policy tool)
http://sourceforge.net/projects/segatex/
Home page
http://intrajp.no-ip.com/
Blog
http://intrajp.no-ip.com/nucleus/
CMS
http://intrajp.no-ip.com/xoops/
Wiki
http://intrajp.no-ip.com/pukiwiki/

Christopher J. PeBenito | 3 Dec 15:17 2007

Re: libsepol.expand_terule_helper: duplicate TE rule

On Sun, 2007-12-02 at 08:18 +0900, Shintaro Fujiwara wrote:
> Well, as a matter of fact, I installed apache from source.
> So, I installed apache into /usr/local/apache2.
> 
> I set /etc/selinux/config permissive and found that apache
> runs in initrc_t.
> But, of course I want to make it run httpd_t.
> 
> So, I tried to edit your refpolicy, downloaded from the repository,
> newest version.

And the remainder of the policy is which fedora policy version?

> I commented every
> 
> type ...
> bool ...
> attribute...
> 
> including .if of templates.
> 
> and set them require {}.
> 
> I succeeded in making apache.pp all right, but when I tried to install it with
> semodule -i apache.pp,
> expand_terule_helper said there was an error.
> 
> I found the exim module in the services directory but could not find
> anything like process system_mail_t.
> I could not find those in tmp/apache.mod either.
(Continue reading)
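
The "duplicate TE rule" failure in this thread is an expand-time collision: a module that compiled cleanly on its own carries a type_transition whose (source, target, class) key is already held by the installed policy, so semodule fails while merging it rather than checkmodule while building it. As an added example (not libsepol or refpolicy code), the Python script below finds such collisions across .te sources before semodule does, counting both plain type_transition statements and rules hidden inside refpolicy's domtrans_pattern() macro. The module texts are constructed stand-ins for the base mta rules and a hand-edited apache module; httpd_mail_t is a hypothetical type used only to show a genuine conflict.

```python
"""Cross-module check for type_transition keys that collide, the condition
behind libsepol's "duplicate TE rule ..." failure when semodule expands a
freshly built module against the rules already present in the base.
Added example; not code from libsepol, refpolicy or the thread."""
import re
from collections import defaultdict

# Explicit statement form:  type_transition <src> <tgt>:<class> <default>;
TYPE_TRANSITION_RE = re.compile(
    r'^\s*type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;', re.M)

# refpolicy's domtrans_pattern(src, entry, tgt) macro expands to (among its
# allow rules)  type_transition src entry:process tgt;  so a rule hidden
# behind the macro has to be counted as well.
DOMTRANS_RE = re.compile(
    r'^\s*domtrans_pattern\s*\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)', re.M)


def extract_type_transitions(module_name, source_text):
    """Return [(module, src, tgt, class, default)] for every type_transition
    the module would contribute, with '#' comments stripped first."""
    text = re.sub(r'#.*', '', source_text)
    rules = [(module_name, s, t, c, d)
             for s, t, c, d in TYPE_TRANSITION_RE.findall(text)]
    rules += [(module_name, s, e, 'process', t)
              for s, e, t in DOMTRANS_RE.findall(text)]
    return rules


def find_collisions(modules):
    """modules: {name: .te source text}.  Returns (duplicates, conflicts),
    each a list of ((src, tgt, class), [(module, default), ...]).

    A conflict is the same key with different default types, which no
    libsepol will merge; a duplicate is the same key with the same default
    in two modules, which libsepol of the thread's era rejected with the
    same "duplicate TE rule" message, so both are worth reporting."""
    by_key = defaultdict(list)
    for name, text in modules.items():
        for _, s, t, c, d in extract_type_transitions(name, text):
            by_key[(s, t, c)].append((name, d))
    duplicates, conflicts = [], []
    for key, entries in sorted(by_key.items()):
        if len(entries) < 2:
            continue
        if len({d for _, d in entries}) > 1:
            conflicts.append((key, entries))
        else:
            duplicates.append((key, entries))
    return duplicates, conflicts


def format_report(duplicates, conflicts):
    """Render findings in the same shape as the libsepol message."""
    lines = []
    for (s, t, c), entries in duplicates:
        mods = ', '.join(m for m, _ in entries)
        lines.append(f'duplicate TE rule for {s} {t}:{c} {entries[0][1]} (in {mods})')
    for (s, t, c), entries in conflicts:
        detail = ', '.join(f'{m} -> {d}' for m, d in entries)
        lines.append(f'conflicting TE rule for {s} {t}:{c} ({detail})')
    return lines


# Constructed sample input.  BASE_MTA stands in for the mta rules already in
# the installed base policy; APACHE_LOCAL for a hand-edited apache module of
# the kind described in the thread; EXTRA_LOCAL for a third module whose
# default type disagrees (httpd_mail_t is a hypothetical type name).
BASE_MTA = """
type system_mail_t;
type exim_exec_t;
# explicit form of the rule the expander already holds
type_transition httpd_t exim_exec_t:process system_mail_t;
"""

APACHE_LOCAL = """
require { type httpd_t; type exim_exec_t; type sendmail_exec_t; type system_mail_t; }
domtrans_pattern(httpd_t, exim_exec_t, system_mail_t)
type_transition httpd_t sendmail_exec_t:process system_mail_t;
"""

EXTRA_LOCAL = """
require { type httpd_t; type sendmail_exec_t; type httpd_mail_t; }
type_transition httpd_t sendmail_exec_t:process httpd_mail_t;
"""

SAMPLE_MODULES = {'base_mta': BASE_MTA, 'apache': APACHE_LOCAL,
                  'extra': EXTRA_LOCAL}


def check_sample():
    return find_collisions(SAMPLE_MODULES)


if __name__ == '__main__':
    for line in format_report(*check_sample()):
        print(line)
```

To find which installed module already owns the colliding rule, query the loaded policy with setools, for instance sesearch -T -s httpd_t -t exim_exec_t -c process; the local copy of the rule (or the interface call that generates it) is what to drop, not the base policy's.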

Serge E. Hallyn | 3 Dec 15:50 2007

Re: [PATCH 2/2] hijack: update task_alloc_security

Quoting Crispin Cowan (crispin <at> crispincowan.com):
> Serge E. Hallyn wrote:
> > Quoting Crispin Cowan (crispin <at> crispincowan.com):
> >   
> >> I find that ptrace, specifically CAP_SYS_PTRACE, is overloaded. AppArmor
> >> is having problems because we have to choose between granting
> >> cap_sys_ptrace, or not allowing the process to read /proc/pid/self &
> >> such like. So there, the problem is that we have to grant too much power
> >> to a process to just let it read some /proc stuff about itself.
> >>
> >> Here the problem appears to be the other way. cap_sys_ptrace is powerful
> >> enough to mess with other user's processes on the system, but if ptrace
> >> gives you hijack, then that seems to give you the power to control
> >> processes in someone else's namespace.
> >>     
> > The user namespace patchset I'm working on right now to start having
> > signals respect user namespaces introduces CAP_NS_OVERRIDE.  Once that
> > is in, then hijack would require CAP_NS_OVERRIDE|CAP_SYS_PTRACE.
> >
> > Of course, since we're considering only allowing HIJACK_NS which is
> > only allowed into a different namespace, hijack would then always
> > require CAP_NS_OVERRIDE...
> >
> > Does that suffice?
> >   
> I think that CAP_NS_OVERRIDE|CAP_SYS_PTRACE is a problem because of the

Oops, yeah I meant &.

> | making ptrace more powerful than it is now. If you make it
(Continue reading)

Christopher J. PeBenito | 3 Dec 16:32 2007

RE: missing rules in newrole domain (RHEL5.1)

On Fri, 2007-11-30 at 09:21 -0800, Clarkson, Mike R (US SSA) wrote:
> > -----Original Message-----
> > From: Christopher J. PeBenito [mailto:cpebenito@...]
> > Sent: Friday, November 30, 2007 6:11 AM
> > To: Clarkson, Mike R (US SSA)
> > Cc: selinux@...
> > Subject: Re: missing rules in newrole domain (RHEL5.1)
> > 
> > On Thu, 2007-11-29 at 17:49 -0800, Clarkson, Mike R (US SSA) wrote:
> > > I recently switched from a targeted-mls policy to the RHEL5.1 mls
> > > policy. I found that "newrole -r sysadm" failed in enforcing mode, even
> > > though my selinux user was "root".
> > >
> > > I had to add "files_search_default(newrole_t)" and
> > > "files_getattr_default_dirs(newrole_t)" to the selinuxutil.te file to
> > > allow newrole to getattr and search the /tmp-inst directory (type
> > > default_t).
> > >
> > > This was happening even with the read_default_t boolean set to true.
> > >
> > > Here are the avc denial messages that I was getting:
> > >
> > > type=AVC msg=audit(1196385320.559:722): avc:  denied  { getattr } for
> > > pid=5092 comm="newrole" path="/tmp-inst" dev=sda1 ino=5341337
> > > scontext=root:staff_r:newrole_t:s0-s4:c0.c255
> > > tcontext=system_u:object_r:default_t:s0 tclass=dir
> > >
(Continue reading)
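
The denial quoted above is the raw material that audit2allow turns into allow rules. As an added example (not audit2allow's code), the Python below parses AVC records, keeps the MLS range of each context apart from its type so the rule builder works on types alone, and merges the permissions for each (source type, target type, class) into one allow statement. The first sample line is the denial from the message; the second denial and the SYSCALL record are constructed companions, since the archive cuts the message off before the rest of the log.

```python
"""Turn raw AVC denial lines into the minimal allow rules they ask for,
recording the MLS ranges of both contexts along the way.  Added example
in the spirit of audit2allow; not its code."""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """user:role:type[:mls] -> dict.  The MLS part may itself contain ':'
    (e.g. s0-s4:c0.c255), so only the first three colons separate fields."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not a security context: {ctx!r}')
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'mls': parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict for one denial line, or None if the line is not an AVC
    denial or is too truncated to build a rule from."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= set(fields):
        return None
    return {
        'perms': m.group('perms').split(),
        'scontext': split_context(fields['scontext']),
        'tcontext': split_context(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        # dir denials carry path= or name= depending on the lookup that failed
        'path': fields.get('path') or fields.get('name'),
    }


def allow_rules(lines):
    """Aggregate every parsed denial into one allow rule per
    (source type, target type, class), permissions merged and sorted."""
    wanted = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['scontext']['type'], rec['tcontext']['type'], rec['tclass'])
        wanted[key].update(rec['perms'])
    return [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
            for (s, t, c), p in sorted(wanted.items())]


# Sample input: line 1 is the denial quoted in the thread; line 2 is a
# constructed companion denial for the search permission on the same
# directory; line 3 is a constructed non-AVC record that must be skipped.
SAMPLE_LINES = [
    'type=AVC msg=audit(1196385320.559:722): avc:  denied  { getattr } for  '
    'pid=5092 comm="newrole" path="/tmp-inst" dev=sda1 ino=5341337 '
    'scontext=root:staff_r:newrole_t:s0-s4:c0.c255 '
    'tcontext=system_u:object_r:default_t:s0 tclass=dir',
    'type=AVC msg=audit(1196385320.559:723): avc:  denied  { search } for  '
    'pid=5092 comm="newrole" name="tmp-inst" dev=sda1 ino=5341337 '
    'scontext=root:staff_r:newrole_t:s0-s4:c0.c255 '
    'tcontext=system_u:object_r:default_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1196385320.559:722): arch=c000003e syscall=4 success=no',
]


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_LINES):
        print(rule)
```

The output is the raw allow rule; in a refpolicy-based policy such as the RHEL one discussed here the same access is expressed through interfaces instead, which is what the files_search_default() and files_getattr_default_dirs() calls above do for this denial.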

