Fedora Linux Support Community & Resources Center

Go Back   FedoraForum.org > Fedora 17/18 > Security and Privacy
  #16  
Old 26th February 2008, 08:36 PM
P4rD0nM3 Offline
Registered User
 
Join Date: Nov 2007
Posts: 350
The only thing that it is preventing right now is httpd sending forum e-mails, and I'm almost done reading all the SELinux policies tutorials/threads/whatever and I'm pretty sure I can write something that will allow it in the future. It doesn't affect me that much really, just my users complaining that they don't receive e-mails from my community forum.
  #17  
Old 26th February 2008, 08:40 PM
pete_1967 Online
Clueless in a Cuckooland
 
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,929
AFAIK there's a policy for Postfix, and since it's easier to configure and more secure overall, you'd probably be better off using it instead of Sendmail.

[ADD]
Sorry, forgot:
If you're using the GUI, in SELinux Administration select Boolean options and HTTPD; there's an option called "Allow httpd send mail". Select that and close the administrator.

On command line you can do (as root of course):
`chcon -t httpd_sys_content_t /usr/sbin/sendmail.sendmail`
[/ADD]

Last edited by pete_1967; 26th February 2008 at 08:49 PM.
  #18  
Old 26th February 2008, 08:48 PM
P4rD0nM3 Offline
Registered User
 
Join Date: Nov 2007
Posts: 350
Hmm, might try that MTA. Postfix+HTTPD policy? Is that what you were saying when you said 'there's policy'?
  #19  
Old 26th February 2008, 08:51 PM
pete_1967 Online
Clueless in a Cuckooland
 
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,929
Quote:
Originally Posted by P4rD0nM3
Is that what you were saying when you said 'there's policy'?
SELinux policy module for Postfix (you have to install it with Yum after you've installed Postfix).

Also see my previous post, added what I forgot to mention at first go.

[ADDSOMEMORE]
You can also download/ install

selinux-policy-strict-sources-* (SELinux example policy configuration source files)
and
selinux-policy-targeted-sources-* (SELinux example policy configuration source files)

packages; the latter at least contains a sendmail policy example.
[/ADDSOMEMORE]

Last edited by pete_1967; 26th February 2008 at 09:00 PM.
  #20  
Old 26th February 2008, 09:15 PM
P4rD0nM3 Offline
Registered User
 
Join Date: Nov 2007
Posts: 350
OOooh, I didn't know that. Thanks.
  #21  
Old 28th February 2008, 02:31 AM
P4rD0nM3 Offline
Registered User
 
Join Date: Nov 2007
Posts: 350
Bump, pete, where do I find those new policies?
  #22  
Old 28th February 2008, 03:00 AM
pete_1967 Online
Clueless in a Cuckooland
 
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,929
http://rpmfind.net/linux/rpm2html/se...&system=&arch=

I think they're now in selinux-policy-devel and seedit-policy has sample simple policy (both in Yum). You have to check what's in them yourself though.

Last edited by pete_1967; 28th February 2008 at 03:12 AM.
  #23  
Old 28th February 2008, 03:20 AM
P4rD0nM3 Offline
Registered User
 
Join Date: Nov 2007
Posts: 350
I'm currently making my own local policy. For the people familiar with SELinux policies, please contribute! Tell me if I'm making it less secure by allowing certain things to happen when they're not supposed to! Thanks!

If you have any other suggestions or comments, I'd appreciate it a lot, thanks.

Quote:
module local 1.0;

require {
type sysctl_net_unix_t;
type mount_t;
type file_t;
type ldconfig_t;
type sysctl_vm_t;
type load_policy_t;
type initrc_t;
type etc_mail_t;
type sysctl_irq_t;
type setfiles_t;
type udev_t;
type bluetooth_t;
type insmod_t;
type sysctl_net_t;
type init_t;
type ifconfig_t;
type proc_mdstat_t;
type proc_net_t;
type sysctl_dev_t;
type httpd_t;
type iptables_t;
type squid_t;
type sshd_devpts_t;
type lvm_t;
type kernel_t;
type nscd_t;
type proc_kcore_t;
type mysqld_port_t;
type proc_kmsg_t;
type sysctl_kernel_t;
type avahi_t;
class chr_file { read write };
class capability audit_write;
class tcp_socket { read write name_connect };
class file { write read getattr unlink };
class netlink_audit_socket { write nlmsg_relay create read };
class lnk_file getattr;
class dir { search read getattr };
}

#============= avahi_t ==============
allow avahi_t sshd_devpts_t:chr_file { read write };

#============= bluetooth_t ==============
allow bluetooth_t sshd_devpts_t:chr_file { read write };

#============= httpd_t ==============
allow httpd_t etc_mail_t:dir { search getattr };
allow httpd_t mysqld_port_t:tcp_socket name_connect;
allow httpd_t sshd_devpts_t:chr_file { read write };

#============= ifconfig_t ==============
allow ifconfig_t initrc_t:tcp_socket { read write };

#============= insmod_t ==============
allow insmod_t sshd_devpts_t:chr_file { read write };

#============= iptables_t ==============
allow iptables_t sshd_devpts_t:chr_file { read write };

#============= ldconfig_t ==============
allow ldconfig_t sshd_devpts_t:chr_file { read write };

#============= load_policy_t ==============
allow load_policy_t sshd_devpts_t:chr_file { read write };

#============= lvm_t ==============
allow lvm_t file_t:file read;

#============= mount_t ==============
allow mount_t file_t:file { write unlink };

#============= nscd_t ==============
allow nscd_t sshd_devpts_t:chr_file { read write };

#============= setfiles_t ==============
allow setfiles_t init_t:dir { read getattr search };
allow setfiles_t init_t:file getattr;
allow setfiles_t init_t:lnk_file getattr;
allow setfiles_t initrc_t:dir { read getattr search };
allow setfiles_t initrc_t:file getattr;
allow setfiles_t initrc_t:lnk_file getattr;
allow setfiles_t kernel_t:dir { read getattr search };
allow setfiles_t kernel_t:file getattr;
allow setfiles_t kernel_t:lnk_file getattr;
allow setfiles_t proc_kcore_t:file getattr;
allow setfiles_t proc_kmsg_t:file getattr;
allow setfiles_t proc_mdstat_t:file getattr;
allow setfiles_t proc_net_t:dir { read getattr search };
allow setfiles_t proc_net_t:file getattr;
allow setfiles_t self:capability audit_write;
allow setfiles_t self:netlink_audit_socket { write nlmsg_relay create read };
allow setfiles_t sysctl_dev_t:dir search;
allow setfiles_t sysctl_dev_t:file read;
allow setfiles_t sysctl_irq_t:dir { read getattr search };
allow setfiles_t sysctl_irq_t:file getattr;
allow setfiles_t sysctl_kernel_t:dir search;
allow setfiles_t sysctl_kernel_t:file read;
allow setfiles_t sysctl_net_t:dir search;
allow setfiles_t sysctl_net_t:file read;
allow setfiles_t sysctl_net_unix_t:dir search;
allow setfiles_t sysctl_net_unix_t:file read;
allow setfiles_t sysctl_vm_t:dir search;
allow setfiles_t sysctl_vm_t:file read;
allow setfiles_t udev_t:dir { read getattr search };
allow setfiles_t udev_t:file getattr;
allow setfiles_t udev_t:lnk_file getattr;

#============= squid_t ==============
allow squid_t sshd_devpts_t:chr_file { read write };
  #24  
Old 28th February 2008, 03:25 AM
pete_1967 Online
Clueless in a Cuckooland
 
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,929
This is what I used for allowing Apache to send mail via Sendmail (I'd completely forgotten it until now):
Code:
module local 1.0;

require {
        type httpd_sys_content_t;
        type system_mail_t;
        class dir { search getattr };
}

#============= system_mail_t ==============
allow system_mail_t httpd_sys_content_t:dir { search getattr };
  #25  
Old 28th February 2008, 03:49 AM
P4rD0nM3 Offline
Registered User
 
Join Date: Nov 2007
Posts: 350
Hmm, I thought it would be

#============= httpd_t ==============
allow httpd_t etc_mail_t:dir { search getattr };
allow httpd_t mysqld_port_t:tcp_socket name_connect;
allow httpd_t sshd_devpts_t:chr_file { read write };

But I see what you mean now...just took a look at the log file again...

Quote:
Feb 27 19:48:32 linux-P4RD0NM3DEDICATED kernel: audit(1204166912.356:789): avc: denied { search } for pid=13706 comm="sendmail" name="mail" dev=sda1 ino=1179640 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
Feb 27 19:48:32 linux-P4RD0NM3DEDICATED kernel: audit(1204166912.357:790): avc: denied { getattr } for pid=13706 comm="sendmail" path="/etc/mail" dev=sda1 ino=1179640 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir


For this denial, which is munin-node by the way:

Quote:
avc: denied { read write } for pid=2935 comm="ethtool" path="socket:[10417]" dev=sockfs ino=10417 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=tcp_socket
#============= ifconfig_t ==============
allow ifconfig_t initrc_t:tcp_socket { read write };

I also did a /sbin/fixfiles relabel, after I made those policies...

And here's the log from it.

Quote:
Feb 27 20:34:48 linux-P4RD0NM3DEDICATED setfiles: relabeling /var/run/munin/munin-node.pid from system_u:object_r:initrc_var_run_t:s0 to system_u:object_r:var_run_t:s0
Feb 27 20:34:48 linux-P4RD0NM3DEDICATED setfiles: relabeling /var/run/sshd.pid from system_u:object_r:sshd_var_run_t:s0 to system_u:object_r:var_run_t:s0
Feb 27 20:34:48 linux-P4RD0NM3DEDICATED setfiles: relabeling /var/run/console-kit-daemon.pid from system_u:object_r:consolekit_var_run_t:s0 to system_u:object_r:var_run_t:s0
Feb 27 20:34:48 linux-P4RD0NM3DEDICATED setfiles: relabeling /var/run/rpcbind.lock from system_u:object_r:initrc_var_run_t:s0 to system_u:object_r:var_run_t:s0
Feb 27 20:34:48 linux-P4RD0NM3DEDICATED setfiles: relabeling /var/run/messagebus.pid from system_u:object_r:system_dbusd_var_run_t:s0 to system_u:object_r:var_run_t:s0
Feb 27 20:34:48 linux-P4RD0NM3DEDICATED setfiles: relabeling /var/run/gpm.pid from system_u:object_r:gpm_var_run_t:s0 to system_u:object_r:var_run_t:s0
Feb 27 20:34:48 linux-P4RD0NM3DEDICATED setfiles: relabeling /var/run/dhcdbd.pid from system_u:object_r:dhcpc_var_run_t:s0 to system_u:object_r:var_run_t:s0
Feb 27 20:34:48 linux-P4RD0NM3DEDICATED setfiles: relabeling /var/log/rpmpkgs from user_u:object_r:var_log_t:s0 to system_u:object_r:rpm_log_t:s0
Feb 27 20:34:48 linux-P4RD0NM3DEDICATED setfiles: relabeling /var/empty/sshd/etc/localtime from system_u:object_r:etc_t:s0 to system_u:object_r:var_t:s0
From the looks of that log file, I think it fixed the munin-node problem, don't you think?
  #26  
Old 29th February 2008, 11:04 AM
P4rD0nM3 Offline
Registered User
 
Join Date: Nov 2007
Posts: 350
Nevermind, I know how to do it now!

Please refer to this thread for future reference! SELinux Inquiry

SELinux isn't at all that bad!
  #27  
Old 29th February 2008, 11:23 AM
P4rD0nM3 Offline
Registered User
 
Join Date: Nov 2007
Posts: 350
Hmm another question. Do I have to do everything in order? Because this is what I did...

1. Make local.te policy, compile...load to kernel (semodule -i local.pp)
2. /sbin/fixfiles relabel
3. reboot

Does relabel overwrite your custom policy? Do I have to switch 2 and 1...and then whenever I append anything to local.te, I should never use relabel ever?

Quote:
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
I have that one set too.

Last edited by P4rD0nM3; 29th February 2008 at 11:26 AM.
  #28  
Old 29th February 2008, 11:55 AM
Wayne
Guest
 
Posts: n/a
You only need to open one thread per topic. I'm merging this with your other thread on the subject.

Wayne
  #29  
Old 29th February 2008, 12:14 PM
P4rD0nM3 Offline
Registered User
 
Join Date: Nov 2007
Posts: 350
Yes, I know, but the first one was just about the denial problems only and the 2nd thread was asking people about their opinion on SELinux and my dedicated server (which then turned into the 1st thread).

Can you move this one into Security? Because if this one is in General Support, people will most likely just tell me to turn it off (which I do not like since I already know how to solve most of the denials!).

Quote:
Originally Posted by sauny
Simple answer... turn it off setenforce 0
I am about to tame this beast!

Thanks Wayne!
  #30  
Old 29th March 2008, 01:18 AM
P4rD0nM3 Offline
Registered User
 
Join Date: Nov 2007
Posts: 350
Quote:
# semodule -i local.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t setfiles_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t setfiles_t:capability { audit_write };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
Does anyone get this error at all?
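The denial-to-rule step that posts #23 and #25 walk through by hand, and the load-time assertion failure in post #30, worked as an added Python example (not code from the thread or from Fedora's own audit2allow): it parses AVC lines in the format quoted above into merged allow rules and flags rules that a neverallow assertion would reject. The sample log lines and the NEVERALLOW set are constructed for illustration; on a real system audit2allow does the first step and the second is enforced by the base policy when semodule loads the module.

```python
import re
from collections import defaultdict

# Matches the kernel audit AVC denial format quoted in the thread.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+):\S+\s+tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)")

# Constructed sample log: the httpd/sendmail and munin-node (ethtool) denials from
# the thread, plus a setfiles capability denial behind its audit_write rule.
SAMPLE_LOG = """\
Feb 27 19:48:32 host kernel: audit(1204166912.356:789): avc: denied { search } for pid=13706 comm="sendmail" name="mail" dev=sda1 ino=1179640 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
Feb 27 19:48:32 host kernel: audit(1204166912.357:790): avc: denied { getattr } for pid=13706 comm="sendmail" path="/etc/mail" dev=sda1 ino=1179640 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
Feb 27 19:50:01 host kernel: audit(1204167001.100:791): avc: denied { read write } for pid=2935 comm="ethtool" path="socket:[10417]" dev=sockfs ino=10417 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=tcp_socket
Feb 27 20:34:40 host kernel: audit(1204169680.000:792): avc: denied { audit_write } for pid=3001 comm="setfiles" capability=29 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
"""

# Constructed stand-in for base-policy neverallow assertions: a module that
# grants one of these fails at semodule -i with "assertion ... violated".
NEVERALLOW = {
    ("setfiles_t", "self", "capability"): {"audit_write"},
    ("setfiles_t", "self", "netlink_audit_socket"): {"nlmsg_relay"},
}

def merge_denials(log_text):
    """Collect denied permissions per (source domain, target type, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # policy writes a target equal to its source as "self"
            target = "self" if m["sdom"] == m["ttype"] else m["ttype"]
            merged[(m["sdom"], target, m["tclass"])] |= set(m["perms"].split())
    return merged

def format_rule(key, perms):
    """Render one merged entry as a local.te allow rule, audit2allow style."""
    p = " ".join(sorted(perms))
    if len(perms) > 1:
        p = "{ " + p + " }"
    return "allow %s %s:%s %s;" % (key + (p,))

def generate_rules(log_text):
    return [format_rule(k, v) for k, v in sorted(merge_denials(log_text).items())]

def violated_rules(log_text):
    """Rules the NEVERALLOW set would reject when the module is loaded."""
    return [format_rule(k, v) for k, v in sorted(merge_denials(log_text).items())
            if v & NEVERALLOW.get(k, set())]
```

A rule that passes this check is not automatically safe; it only means the module will load, so the review the thread asks for (does each rule widen a domain beyond what it needs?) still has to be done by hand.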