SELinux Mailing List
subject: audit bug in fd handling
Date: Wed, 10 Jul 2002 09:45:50 +0200
Here's the dmesg log:
Here's a grep from policy.conf:
Incidentally I'm changing the way mail sending operates. Having daemons send mail as sysadm_mail_t is ugly, and having them send mail as user_mail_t is wrong. I've created a new system_mail_t for this.

-- I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field.

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: audit bug in fd handling
Date: Wed, 10 Jul 2002 07:55:50 -0400 (EDT)
On Wed, 10 Jul 2002, Russell Coker wrote:
> It seems that when a file handle open read/write is inherited by a domain

Congratulations, you've found a bug. It isn't limited to file descriptor inheritance - it occurs whenever multiple permissions are checked simultaneously and at least one of the permissions is allowed. A workaround would be to specify the full set of permissions in the dontaudit rule, e.g. 'dontaudit system_mail_t system_crond_tmp_t:file { read write };'. I'll post a patch for the SELinux module shortly.

-- Stephen D. Smalley, NAI Labs ssmalley@nai.com

-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Ed Street <blacknet_at_simplyaquatics.com>
subject: RE: audit bug in fd handling
Date: Wed, 10 Jul 2002 09:23:20 -0400
Perhaps this is why mail is the #1 exploited service. So what's the solution? Ed
From: Russell Coker <russell_at_coker.com.au>
subject: Re: audit bug in fd handling
Date: Wed, 10 Jul 2002 16:40:11 +0200
I'm not sure what you mean by this. The bug I found was just a case of excessive logging and does no harm (apart from possibly encouraging inexperienced SE Linux administrators to grant excessive permissions). The issue of an application granting write access to the file is annoying, however it is apparently operating on an open file handle pointing to a deleted file, after deleting the file you can't re-open it in read-only mode. In this case fcron could either open the file twice before deleting it (once for read and once for write), or it could pipe the data to /usr/bin/mail (either directly from the cron job, or it could spool it in RAM). What should it do? I am happy to write a patch for fcron and get it submitted through the Debian bug tracking system if a consensus of opinion is reached here on the right way of doing it.
From: Ed Street <blacknet_at_simplyaquatics.com>
subject: sysadm_tty_device_t
Date: Thu, 11 Jul 2002 12:13:06 -0400
Was working with putting syslog on /dev/tty24 (entry in /etc/syslog.conf is

Selinux shows /dev/tty1 as sysadm_tty_device_t but /dev/tty24 is just tty_device_t. I started poking around looking for sysadm_tty_device_t but not exactly sure what ttys are being set to this. My question is where is the control file, is it /etc/securetty?

Ed

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: sysadm_tty_device_t
Date: Thu, 11 Jul 2002 13:21:52 -0400 (EDT)
On Thu, 11 Jul 2002, Ed Street wrote:
> Was working with putting syslog on /dev/tty24 (entry in /etc/syslog.conf

ttys are initialized to tty_device_t by 'make relabel'. They are then relabeled by the modified login program based on the user's context for user sessions, and are also relabeled by the newrole program for shells in different roles.

From: Ed Street <blacknet_at_simplyaquatics.com>
subject: RE: sysadm_tty_device_t
Date: Thu, 11 Jul 2002 13:24:32 -0400
And sysadm_tty_device_t? Ed
From: Stephen Smalley <sds_at_tislabs.com>
subject: RE: sysadm_tty_device_t
Date: Thu, 11 Jul 2002 13:39:16 -0400 (EDT)
On Thu, 11 Jul 2002, Ed Street wrote:
> And sysadm_tty_device_t?

That was my point. The ttys start in tty_device_t. If login or newrole creates a sysadm_r:sysadm_t shell, then it relabels the tty to sysadm_tty_device_t. If login or newrole creates a user_r:user_t shell, then it relabels the tty to user_tty_device_t. These relabeling operations are based on type_change rules in the policy configuration.

From: Ed Street <blacknet_at_simplyaquatics.com>
subject: RE: sysadm_tty_device_t
Date: Thu, 11 Jul 2002 13:55:50 -0400
Forgot one thing. *.* /dev/tty1-3 does work correctly (from /etc/syslog.conf)

Ed

From: Ed Street <blacknet_at_simplyaquatics.com>
subject: RE: sysadm_tty_device_t
Date: Thu, 11 Jul 2002 13:54:27 -0400
OK my /etc/syslogd.conf file contains this

*.* /dev/tty24

when I boot or run-init I get this

allow syslogd_t tty_device_t:chr_file { append }; #EXE=/sbin/syslogd PATH=/dev/tty24 : append

The avc from kern.log is this

Jul 11 13:51:17 debian kernel: avc: denied { append } for pid=160
exe=/sbin/syslogd path=/dev/tty24 dev=72:01 ino=2175725
scontext=system_u:system_r:syslogd_t

Syntax is this:

run_init /etc/init.d/sysklogd restart

Also states permission denied for /dev/tty24. BTW in case anyone is wondering /dev/tty1-12 is the left alt key, /dev/tty13-24 is the right alt key.

Ed
From: Stephen Smalley <sds_at_tislabs.com>
subject: RE: sysadm_tty_device_t
Date: Thu, 11 Jul 2002 14:19:49 -0400 (EDT)
On Thu, 11 Jul 2002, Ed Street wrote:
> Hello,

Right, this is what I would expect to happen. What is your question, exactly? If you want syslogd to be able to write to a tty, you need to grant syslogd_t the necessary permission. If you want to ensure that only syslogd can write to the tty, then define a new type, assign it to the tty in types.fc (or use chcon directly), and grant syslogd_t permission to the new type. Otherwise, just allow syslogd_t tty_device_t:chr_file append;

From: Ed Street <blacknet_at_simplyaquatics.com>
subject: RE: sysadm_tty_device_t
Date: Thu, 11 Jul 2002 14:24:41 -0400
Should the /dev/tty24 be sysadm_tty_device_t instead of tty_device_t? Now here's the odd thing, I change /dev/tty24 to tty1, tty2 or tty3 and I get sysadm_tty_device_t and there's no denied messages

Ed
From: Stephen Smalley <sds_at_tislabs.com>
subject: RE: sysadm_tty_device_t
Date: Thu, 11 Jul 2002 14:35:49 -0400 (EDT)
On Thu, 11 Jul 2002, Ed Street wrote:
> Should the /dev/tty24 be sysadm_tty_device_t instead of tty_device_t?
So this suggests that:
You can certainly assign sysadm_tty_device_t to /dev/tty24 if you want.

From: Timothy Wood <timothy_at_hallcomp.com>
subject: RE: sysadm_tty_device_t
Date: 11 Jul 2002 15:55:03 -0400
So no matter what the file context is, login and newrole relabel them when they take control of the tty, correct? If so, then it is really up to the controlling program (or program that needs control in this case) and so syslog needs permissions to relabel and/or control the tty, yes/no?

Timothy,

From: Ed Street <blacknet_at_simplyaquatics.com>
subject: RE: sysadm_tty_device_t
Date: Thu, 11 Jul 2002 15:53:44 -0400
That's what it seems to be. It does look like an accident waiting to happen as well. Ed
From: Timothy Wood <timothy_at_hallcomp.com>
subject: RE: sysadm_tty_device_t
Date: 11 Jul 2002 16:12:52 -0400
I would not necessarily call it an accident waiting to happen. More like something that needs configuring if you want it. You have to remember that the basic idea here is no access to something you don't need (as far as processes are concerned). Syslog really only needs access to the log files it writes to, with the exception of severe kernel messages. The latter I suppose works (/dev/console not /dev/tty*) but I have never noticed any kernel warnings or avc messages denying syslog write to /dev/console. So I could easily be wrong about that.

Timothy,
From: Stephen Smalley <sds_at_tislabs.com>
subject: RE: sysadm_tty_device_t
Date: Thu, 11 Jul 2002 16:07:02 -0400 (EDT)
On Thu, 11 Jul 2002, Ed Street wrote:
> That's what it seems to be. It does look like an accident waiting to

I'm not sure what you mean. The relabeling of the terminal devices by login is just like the setting of the uid on the device by login. Nothing unusual here.

From: Stephen Smalley <sds_at_tislabs.com>
subject: RE: sysadm_tty_device_t
Date: Thu, 11 Jul 2002 16:05:35 -0400 (EDT)
On 11 Jul 2002, Timothy Wood wrote:
> So no matter what the file context is login and newrole relabel them

The modified login and newrole programs (and sshd program, but it only deals with ptys) relabel the terminal device based on the user's context and the original context on the device. The proper SID is obtained via the security_change_sid call, which computes a SID based on the type_change rules in the policy configuration. This is only necessary when you have a dynamic situation where the proper context for the device needs to be adjusted for the current "owner" of the device, and is parallel to the existing Linux handling of setting the uid on such devices. If you are dedicating a terminal for syslogd output, then you can statically label it with a type, grant syslogd permission to append to that type, and be done with it.

From: Charles R. Fuller <charlesrfuller_at_netscape.net>
subject: Re: booting problem
Date: Fri, 19 Jul 2002 17:27:00 -0400
I am having a problem of booting selinux on my machine. I have modified the kernel and finished off with the quick install command. The specific error is a kernel panic on boot of the selinux kernel and an error pointing to correcting the reference for "ROOT=". The reference "ROOT=" is the same for the non-SELinux kernels. Thanks for the help in advance. Also I originally used GRUB as the boot loader the first time I ran Redhat 7.2 with SE-linux. If you know how to change the boot loader from lilo to GRUB that could be one option.

Charles R. Fuller

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: booting problem
Date: Mon, 22 Jul 2002 07:59:57 -0400 (EDT)
On Fri, 19 Jul 2002, Charles R. Fuller wrote:
> The specific error is a kernel panic on boot of the selinux kernel and

Could you provide the exact output, along with a copy of your lilo.conf or grub.conf (omitting any passwords, of course)?

From: Timothy Wood <timothy_at_hallcomp.com>
subject: Re: sysadm_tty_device_t
Date: 11 Jul 2002 14:28:26 -0400
You need to edit the file context for the tty devices. I think it is in /usr/src/selinux/policy/file_contexts/dev.fc (I do not have my SE box up and running at the moment so I do not know for certain. Can anyone acknowledge if that is the right file please). Now changing it there will make the change permanent but you still need to either relabel the file system (do a make relabel from the policy directory) or use chcon to change just the one device (e.g. chcon <file_context> /dev/tty24)

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: audit bug in fd handling
Date: Wed, 10 Jul 2002 09:12:21 -0400 (EDT)
On Wed, 10 Jul 2002, Russell Coker wrote:
> It seems that when a file handle open read/write is inherited by a domain

The attached patch (also committed to the sourceforge CVS tree) fixes this bug in the auditdeny logic. To apply, save the patch to ~/auditdeny.patch, cd lsm-2.4, and patch -p0 < ~/auditdeny.patch. Then, rebuild your kernel.
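Two mechanisms explained in this thread, the AVC audit decision behind the dontaudit workaround (Stephen's first reply and the patch above) and the type_change-based relabelling of ttys (his sysadm_tty_device_t replies), as an added toy model in Python; this is not code from the thread, the kernel, or the policy. The policy fragment is constructed, and the "buggy" audit test is an assumption that merely fits the symptom described, not the actual lsm-2.4 logic.

```python
import re

# Added toy model, not the thread's or the kernel's code: the AVC audit decision
# behind the dontaudit workaround, and type_change-based relabelling of ttys.
RULE_RE = re.compile(r"(\w+)\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def parse_policy(text):
    """Map rule kind -> list of (src, tgt, class, frozenset of perms or new type)."""
    rules = {}
    for kind, src, tgt, cls, body in RULE_RE.findall(text):
        rules.setdefault(kind, []).append((src, tgt, cls, frozenset(body.strip("{} ").split())))
    return rules

def perms(rules, kind, src, tgt, cls):
    """Union of perms from every matching rule of one kind (allow or dontaudit)."""
    return {p for s, t, c, ps in rules.get(kind, []) if (s, t, c) == (src, tgt, cls) for p in ps}

def avc_check(rules, src, tgt, cls, requested, buggy=False):
    """Return (denied perms, whether a denial is logged).  Correct logic tests only
    denied perms against dontaudit; the buggy variant (an assumption that fits the
    symptom described) tests all requested perms, so an allowed 'read' still logs."""
    allowed = perms(rules, "allow", src, tgt, cls)
    dontaudit = perms(rules, "dontaudit", src, tgt, cls)
    denied = set(requested) - allowed
    tested = set(requested) if buggy else denied
    return denied, bool(denied) and not tested <= dontaudit

def change_type(rules, domain, orig, cls):
    """Model of security_change_sid: the first matching type_change rule wins; with
    no rule the device keeps its type, so an unused tty stays tty_device_t."""
    for s, t, c, new in rules.get("type_change", []):
        if (s, t, c) == (domain, orig, cls):
            return next(iter(new))
    return orig

# Constructed policy fragment: read allowed, only write dontaudited.
POLICY = """
allow system_mail_t system_crond_tmp_t:file read;
dontaudit system_mail_t system_crond_tmp_t:file write;
type_change sysadm_t tty_device_t:chr_file sysadm_tty_device_t;
type_change user_t tty_device_t:chr_file user_tty_device_t;
"""
# Stephen's workaround: the full permission set in the dontaudit rule.
WORKAROUND = "dontaudit system_mail_t system_crond_tmp_t:file { read write };"

if __name__ == "__main__":
    args = ("system_mail_t", "system_crond_tmp_t", "file", {"read", "write"})
    print("buggy, write-only dontaudit:", avc_check(parse_policy(POLICY), *args, buggy=True))
    print("buggy, full-set dontaudit:", avc_check(parse_policy(POLICY + WORKAROUND), *args, buggy=True))
    print("fixed, write-only dontaudit:", avc_check(parse_policy(POLICY), *args))
    print("tty after sysadm_t login:", change_type(parse_policy(POLICY), "sysadm_t", "tty_device_t", "chr_file"))
```

The write-only dontaudit silences nothing under the buggy test while the full-set rule does, which is exactly the workaround; with the corrected test the write-only rule suffices.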
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |