Dan Walsh's Blog

Got SELinux?


New Features in Fedora 8 - disable dontaudit rules
danwalsh
One of the features of SELinux is the ability to dontaudit certain access checks made by a confined application: the access is still denied, but no AVC message is logged. dontaudit rules are handy for forcing applications to take a different code path without filling the audit log.

For example, the pam_unix module attempts to read /etc/shadow directly when verifying your password, so every application that prompts you for a password and uses pam will try to read /etc/shadow. Letting applications read /etc/shadow is not secure: a compromised application that can read it can run password crackers against it. But pam was designed to recognize that some (non-root) applications cannot read /etc/shadow, and it provides a setuid helper application, /sbin/unix_chkpwd. The pam libraries execute this helper whenever they cannot read /etc/shadow themselves.

In SELinux we prevent almost every application from reading /etc/shadow directly, which causes pam to fall back to its helper application. But this would generate a ton of AVC messages that make it look like sshd, login or apache are trying to read /etc/shadow, so we dontaudit these messages.

Sometimes applications have bugs that cause AVC messages to be generated; a common cause is leaked file descriptors. Rather than fill your log files with AVC messages while we wait for these buggy applications to be fixed, we add dontaudit rules.

Sometimes policy writers have been a little too liberal with dontaudit rules. The policy writer adds a dontaudit rule that covers up an access denial which is actually causing an application to break, and the administrator is left with little information about why the application is breaking.

We have built a couple of different ways to turn off the dontaudit rules. In Red Hat Enterprise Linux 4 you need to install selinux-policy-sources, go into the src directory and execute make enableaudit; make reload.

In Red Hat Enterprise Linux 5/Fedora Core 6 and Fedora 7, we have shipped a secondary base policy package called /usr/share/selinux/targeted/enableaudit.pp.  You can install this package using the following command:

# semodule -b /usr/share/selinux/targeted/enableaudit.pp

To restore the defaults you would execute:

# semodule -b /usr/share/selinux/targeted/base.pp

The problem with this approach is that it only turns off the dontaudit rules for domains that are in the base policy; dontaudit rules in loadable policy modules are left in place.

This is fixed in Fedora 8 (Rawhide).  You can now temporarily disable dontaudit rules by executing:

# semodule -DB

You can re-enable them using

# semodule -B

semodule -DB recompiles the policy without the dontaudit rules and reloads it. This stays in effect until the next time the policy is rebuilt (setsebool -P, semodule -i and semodule -B all rebuild the policy), and it survives a reboot.

Note:
This is just for debugging potential SELinux problems. Disabling dontaudit rules will cause a lot more AVC messages to show up, and setroubleshoot will go nuts until it sees a message about itself and commits suicide.
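As an added example (not code from Dan's post), here is a small POSIX shell wrapper around the semodule -DB workflow above and the flood of AVC messages the Note warns about. It turns the dontaudit rules off, reproduces the problem, summarises the resulting denials by source type, target type, object class and permission, and always restores the rules with semodule -B, since -DB otherwise stays in effect across reboots. It also marks the one denial the post explains, a read of shadow_t, as the expected pam fallback rather than the bug being hunted. The audit records embedded in the block are constructed samples in the audit.log shape of the time, and the `ausearch -m avc -ts recent` call (records from the last ten minutes) is an assumption about the audit tools on the box.

```shell
#!/bin/sh
# Added example, not code from Dan Walsh's post. Debugging wrapper for the
# Fedora 8 "semodule -DB" workflow: disable dontaudit rules, reproduce, summarise
# the AVC denials that appeared, restore the rules. The summariser and the
# classifier run offline on the constructed records below; only
# debug_with_dontaudit_off touches a live system.

# Constructed sample records (not real logs) in the audit.log shape of the era.
SAMPLE_AVCS='type=AVC msg=audit(1187891830.152:101): avc:  denied  { read } for  pid=2345 comm="sshd" name="shadow" dev=dm-0 ino=3456 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1187891831.004:102): avc:  denied  { read } for  pid=2350 comm="sshd" name="shadow" dev=dm-0 ino=3456 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1187891835.991:103): avc:  denied  { write } for  pid=2400 comm="httpd" name="error_log" dev=dm-0 ino=7890 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1187891835.991:103): arch=c000003e syscall=2 success=no exit=-13'

# Count AVC denials per (source type, target type, class, permissions).
# Reads audit records on stdin; prints "count stype ttype tclass perms",
# busiest first. Non-AVC records (SYSCALL, PATH, ...) are ignored.
summarize_avcs() {
    grep 'avc:  denied' | awk '
    {
        perms = ""; sc = ""; tc = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                      # permissions sit between { and }
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = (perms == "" ? $j : perms "," $j)
            }
            if ($i ~ /^scontext=/) sc = substr($i, 10)
            if ($i ~ /^tcontext=/) tc = substr($i, 10)
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        split(sc, s, ":"); split(tc, t, ":")      # user:role:type[:level] -> type
        n[s[3] " " t[3] " " cls " " perms]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Mark the denial the post explains: a read of shadow_t that pam's helper
# (/sbin/unix_chkpwd) exists to avoid. It is normally hidden by a dontaudit
# rule and is not the denial you are hunting; everything else deserves a look.
annotate() {
    while read -r count stype ttype cls perms; do
        case "$ttype $cls $perms" in
            "shadow_t file "*read*) note="expected, pam falls back to unix_chkpwd" ;;
            *)                      note="investigate" ;;
        esac
        echo "$count $stype $ttype $cls $perms  # $note"
    done
}

# Live workflow for a Fedora 8 box (run as root). The post notes that -DB
# persists across reboots, so the rules are restored whatever the command did.
debug_with_dontaudit_off() {
    semodule -DB || { echo "semodule -DB failed; policy unchanged" >&2; return 1; }
    "$@"
    status=$?
    # Assumption: ausearch understands "-ts recent" (records from the last ten
    # minutes); pass an explicit date/time instead if the reproduction ran longer.
    ausearch -m avc -ts recent 2>/dev/null | summarize_avcs | annotate
    semodule -B
    return $status
}

# With no arguments, run the offline demo; "live <command...>" runs the real thing.
if [ "${1:-}" = live ]; then
    shift
    debug_with_dontaudit_off "$@"
else
    printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs | annotate
fi
```

Run it with no arguments to see the summary of the constructed records; `sh avc-debug.sh live <command>` runs the real workflow. Grouping by source and target type is what makes the flood readable: the bug you are chasing usually shows up as one domain repeatedly denied on a target type it has no business touching, such as the leaked file descriptor cases the post mentions.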

That's really great and makes life easier! Since the modular policy, this is the only feature I have missed.

To enable this on other distributions too, what version of semodule is needed? Does it depend only on a new semodule version, or also on a new checkmodule package, etc.?

I did not know there were other distributions :^)

danwalsh

2007-08-23 08:40 pm (UTC)

I think you need these.

rpm -q libsepol libsemanage policycoreutils
libsepol-2.0.6-1.fc8
libsemanage-2.0.4-1.fc8
policycoreutils-2.0.23-1.fc8


Re: I did not know there were other distributions :^)

the_olo

2007-08-30 12:22 pm (UTC)

There are also dependencies on libselinux-2, which depends on python-2.5, while older distros (including RHEL5) depend in large part on python 2.4 (python(abi) = 2.4 is needed by { awful_lot_of_packages})

So installing them on RHEL5 seems impossible without upgrading almost all of the distro RPMs to Fedora Core 8 - you'd end up with some nightmarish hybrid of RHEL5/FC8...

Do you know whether this will be incorporated into RHEL5 (e.g. with U2 revision)?

Re: I did not know there were other distributions :^)

the_olo

2007-08-31 11:07 am (UTC)

My problem was mostly due to the fact that I run x86_64 arch. After uninstalling libsepol.i386 and all dependencies, I was able to gradually rebuild from SRPMS and install all of the following:

audit-1.5.3-1.x86_64.rpm
audit-debuginfo-1.5.3-1.x86_64.rpm
audit-libs-1.5.3-1.x86_64.rpm
audit-libs-devel-1.5.3-1.x86_64.rpm
audit-libs-python-1.5.3-1.x86_64.rpm
checkpolicy-2.0.3-3.x86_64.rpm
checkpolicy-debuginfo-2.0.3-3.x86_64.rpm
libselinux-2.0.31-2.x86_64.rpm
libselinux-debuginfo-2.0.31-2.x86_64.rpm
libselinux-devel-2.0.31-2.x86_64.rpm
libselinux-python-2.0.31-2.x86_64.rpm
libsemanage-2.0.4-1.x86_64.rpm
libsemanage-debuginfo-2.0.4-1.x86_64.rpm
libsemanage-devel-2.0.4-1.x86_64.rpm
libsepol-2.0.7-1.x86_64.rpm
libsepol-debuginfo-2.0.7-1.x86_64.rpm
libsepol-devel-2.0.7-1.x86_64.rpm
policycoreutils-2.0.25-4.x86_64.rpm
policycoreutils-debuginfo-2.0.25-4.x86_64.rpm
policycoreutils-gui-2.0.25-4.x86_64.rpm
policycoreutils-newrole-2.0.25-4.x86_64.rpm

The problem is, the resulting policy modules don't load correctly:

$ semodule -i courier.pp
libsepol.module_package_read_offsets: offsets are not increasing (at 1, offset 780790694674452 -> 0
libsemanage.parse_module_headers: Could not parse module data.
semodule: Failed on courier.pp!

Could it be a compatibility problem with the kernel in RHEL 5? Changing the RHEL 5 kernel to FC8 would be way too much...


Interesting comments - not too sure what they have to do with fedora tho...

John.


Fedora 9 - The package manager changed

althingthatsuck

2008-06-04 05:01 pm (UTC)

Hi everyone,

The package manager used by default in Fedora 9 has changed. Where earlier it was Yum, now it is PackageKit. PackageKit is a system service which can execute the commands for installing and removing packages. Fedora 9 now uses, for this work, another system based on a Yum backend.
In Fedora 9, to control packages from the command line, you may either continue to use Yum or use PackageKit, or more exactly its console version, pkcon, whose functioning looks like that of Yum, but through the interface of the PackageKit service.

allthingsthatsuck

Thank you for the information about Fedora 8.
Fedora 8..come to papa!!

Regards
Smystery
