Log in

No account? Create an account

Previous Entry Share Next Entry
(no subject)
One  of the great strengths of SELinux and other MAC architectures is that applications do not have to be modified to be protected by SELinux. This allows us to write policy for a great many services without going through the process of modifying code and getting upstream acceptance.  It also allows flexibility in that different vendors or different users can have different security profiles for an application without having to modify the application.

While this is a great benefit to the developers it is not necessarily a great benefit to usability.  Since applications do not understand what SELinux is doing, they can not report that SELinux is preventing them from doing something.  As an example if you are running an Apache Web Server and SELinux denies access to a file, the apache web server reports permission denied.  Users of Unix and other operating systems have gained experience through the years, understand that permission denied means that there is a problem with either the files ownership or file permissions (DAC).  But when they go look at the file they see that apache has ownership and can read it.  This leads them to scratching their heads.  They go back to the log file and all it says is permission denied. 

Some may suspect that SELinux is the problem, but how do they tell?  If they figure that SELinux is causing the denial, how do they fix it?  Could this be a security violation attempt?  Could this be a configuration problem?  Is the file mislabeled?

We have created a new tool in FC6 and RHEL5 called the SELinux Troubleshooter. (setroubleshoot).  This tool watches the
audit log files for AVC messages.  When an AVC messages arrives the tool runs through the SELinux plugins database
looking for a match and then sends a message to the user with a description, and a suggested fix.

As an example, say you create a file index.html in your homedir and mv it to /var/html/www directory.  If you try to access this file via a web browser you will receive an avc message that looks like:

type=AVC msg=audit(1155056960.933:208967): avc:  denied  { getattr } for  pid=12321 comm="httpd" name="index.html" dev=dm-0 ino=6260297 scontext=user_u:system_r:httpd_t:s0-s0:c1,c2 tcontext=system_u:object_r:user_home_t:s0 tclass=file

Obviously this tells you that apache web server is not allowed to look at files labeled with the users home directory label.:^)

With setroubleshoot you receive a message like the following:
SELinux image showing alert message

You can also configure the setroubleshoot daemon to send mail when it receives an AVC.  So you will get them even on servers or when
not logged in. 

There are currently 56 Plugins which map to all of the booleans along with several known situations that come up.  There is also
a catchall plugin (disable_trans) which will look for avc's with no match and will suggest either writing a loadable policy module or
disable trans.

You can read more about this tool at


The Plugin code to generate the above message is fairly simple and looks like this:

from setroubleshoot.util import *
from setroubleshoot.Plugin import Plugin
from rhpl.translate import _
import re

class plugin(Plugin):
    summary =_('''
    SELinux is preventing the http daemon from using potentially mislabeled files ($

    problem_description = _('''
    SELinux has denied the http daemon access to potentially
    mislabeled files ($TARGET_PATH).  This means that SELinux will not
    allow http to use these files.  It is common for users to edit
    files in their home directory or tmp directories and then move
    (mv) them to the httpd directory tree.  The problem is that they
    end up with a file context which http is not allowed to access.

    fix_description = _('''
    If you want the http daemon to access this files, you need to
    relabel them using restorecon if they are under the standard
    httpdirectory tree, or use chcon -t http_sys_content_t.  You can
    look at the httpd_selinux man page for addtional information.

    def __init__(self):

    def analyze(self):
        if self.avc.sourceTypeMatch("httpd_t httpd_sys_script_t httpd_user_script_t
httpd_staff_script_t") and \
               self.avc.targetTypeMatch("user_home_t staff_home_t user_tmp_t staff_t
mp_t tmp_t"):
            return True
        return False

Now if you are interested in helping in this effort.  We could use help:
* proof reading thes plugins.  They are in /usr/share/setroubleshoot/plugins directory.
* If you have ideas about additional plugins, bring them up on the fedora-selinux list.  Patches Welcome.
* Testing.  

This tool is a work in progress.

There are some gotchas in this tool and it has been known to go into an infinite loop.  Usually when it reports bugs about itself.

Sounds nice. SElinux is a good thing, but it is very unfriendly to inexperienced users. I suppose this tool can replace quite a lot of documentation, which many users may not have time to read.

This tool seems to be really helpful.

A modest proposal.....

This idea on a contestual Knowledge Base for SELinux is very good in its simplicity.
Anyway, I firmly believe this tool needs a marketing appeal. In my genial mind, I though about a killer, VERY ORIGINAL idea: using metaphora of a virtual speaking mentor. That is, suggestions about SELinux should come from a silhouette, such as a clip, a dog, or Albert Einstein...

Re: A modest proposal.....

broarband broardband (http://www.broardband.net)

I would just call them access denials instead on the Popup

Error code?

Why not patch the kernel to return a different errno value? Ideally one would add a new one like say EALLOW but also one could just use EBADTYPE or ENOTSUPP or EBADF or the ultimate in Unix tradition, ENOTTY =P. At least then the user would get a different error if it was DAC or MAC preventing them (ie "Operation not permitted" vs "Permission denied").

Interesting solution.


I am going to Singapore in just one week. All I know is that people have referred to it
as "Disneyland run by a Dictator". This is supposed to be a VACATION! Has anyone on here acually gone there for vacation?


Do you ever wonder "why bother paying for broadband when -- and it's an particularly big number in my case-- their are 6 wireless networks I
can connect to in my apartment building and I have no ill intent?


Do you ever think "why should I be paying $35 a monthy for broadband when -- and it's an especiallly big number in my case-- their are 5 wireless networks I
can connect to in my apartment building and I have no ill intent?

who has a zune?

I came across zune-boards.com. Great resource! I'd recommend to anyone who has purchased
or acquired a zune.

Cannot find anythig on topic.

anyone tried this game?

i found this web site http://collectionofsouls.com they promise to give away money if you generate click
anyone willing to give it a shot? I dont want to risk my time.

Who using pheromons?

Somebody using pheromons to attract women, whether is real it?
Where they can be got?

SJL Space Secret myspace

http://www.sjlspace.com is a myspace resource site, which deals with myspace templates, modifications and etc.

Don't miss this opportunity to make your myspace even better !

again visit us at www.sjlspace.com

Re: Display messages for other computers

Is it on the topic?

Display messages for other computers

I have a small lan with 3 servers in the basement, a few workstations and a "master control center" -- the computer I use. Is there a way to have the sealert tool display avc dbus messages from the other hosts, primarily the servers which run in runlevel 3?

Re: Display messages for other computers

You can setup setroublshoot to send email messages
Take a look in the /etc/setroubleshoot/setroubleshoot.cfg file.

Thanks Danwalsh. Keep up the good work.

Very helpful tool. Thanks