Security and Privacy: Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

4th March 2009, 01:51 PM
Registered User
Join Date: Feb 2006
Posts: 184
SELinux is preventing iptables-save (iptables_t) "read write" unconfined_t.
Getting these SELinux warnings on a fresh install:
Code:
Summary:
SELinux is preventing iptables-save (iptables_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by iptables-save. It is not expected that this
access is required by iptables-save and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:iptables_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0
Target Objects socket [ unix_stream_socket ]
Source iptables
Source Path /sbin/iptables
Port <Unknown>
Host F500.localdomain
Source RPM Packages iptables-1.4.1.1-2.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-46.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name F500.localdomain
Platform Linux F500.localdomain
2.6.27.19-170.2.35.fc10.x86_64 #1 SMP Mon Feb 23
13:00:23 EST 2009 x86_64 x86_64
Alert Count 7
First Seen Tue 03 Mar 2009 07:51:10 AM EST
Last Seen Wed 04 Mar 2009 05:44:10 AM EST
Local ID f4c6c561-26b4-4950-a1ae-969e3b7847ef
Line Numbers
Raw Audit Messages
node=F500.localdomain type=AVC msg=audit(1236163450.294:607): avc: denied { read write } for pid=3920 comm="iptables-save" path="socket:[10727]" dev=sockfs ino=10727 scontext=unconfined_u:unconfined_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=F500.localdomain type=AVC msg=audit(1236163450.294:607): avc: denied { read write } for pid=3920 comm="iptables-save" path="socket:[10508]" dev=sockfs ino=10508 scontext=unconfined_u:unconfined_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=F500.localdomain type=AVC msg=audit(1236163450.294:607): avc: denied { read write } for pid=3920 comm="iptables-save" path="socket:[10508]" dev=sockfs ino=10508 scontext=unconfined_u:unconfined_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=F500.localdomain type=AVC msg=audit(1236163450.294:607): avc: denied { read write } for pid=3920 comm="iptables-save" path="socket:[10508]" dev=sockfs ino=10508 scontext=unconfined_u:unconfined_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=F500.localdomain type=AVC msg=audit(1236163450.294:607): avc: denied { read write } for pid=3920 comm="iptables-save" path="socket:[10508]" dev=sockfs ino=10508 scontext=unconfined_u:unconfined_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=F500.localdomain type=AVC msg=audit(1236163450.294:607): avc: denied { read write } for pid=3920 comm="iptables-save" path="socket:[10508]" dev=sockfs ino=10508 scontext=unconfined_u:unconfined_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=F500.localdomain type=AVC msg=audit(1236163450.294:607): avc: denied { read write } for pid=3920 comm="iptables-save" path="socket:[10508]" dev=sockfs ino=10508 scontext=unconfined_u:unconfined_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=F500.localdomain type=SYSCALL msg=audit(1236163450.294:607): arch=c000003e syscall=59 success=yes exit=0 a0=c33e10 a1=c350a0 a2=c0a9c0 a3=8 items=2 ppid=4618 pid=3920 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iptables-save" exe="/sbin/iptables-save" subj=unconfined_u:unconfined_r:iptables_t:s0 key=(null)
node=F500.localdomain type=CWD msg=audit(1236163450.294:607): cwd="/etc/snort/rules"
node=F500.localdomain type=PATH msg=audit(1236163450.294:607): item=0 name="/sbin/iptables-save" inode=131402 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0
node=F500.localdomain type=PATH msg=audit(1236163450.294:607): item=1 name=(null) inode=32794 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
Code:
[root@F500 log]# tail -f /var/log/messages
Mar 4 08:41:08 F500 setroubleshoot: SELinux is preventing iptables (iptables_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l 89e268ce-4908-423a-8be2-fa8a13c7fade
Mar 4 08:41:08 F500 setroubleshoot: SELinux is preventing iptables (iptables_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l 89e268ce-4908-423a-8be2-fa8a13c7fade
Mar 4 08:41:09 F500 setroubleshoot: SELinux is preventing iptables (iptables_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l 89e268ce-4908-423a-8be2-fa8a13c7fade
Mar 4 08:41:27 F500 setroubleshoot: SELinux is preventing iptables-restor (iptables_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l 89e268ce-4908-423a-8be2-fa8a13c7fade
Mar 4 08:41:51 F500 dhclient: DHCPREQUEST on wlan0 to 192.168.0.100 port 67
Mar 4 08:41:55 F500 dhclient: DHCPREQUEST on wlan0 to 192.168.0.100 port 67
Mar 4 08:41:55 F500 dhclient: DHCPACK from 192.168.0.100
Mar 4 08:41:55 F500 dhclient: bound to 192.168.0.101 -- renewal in 4446 seconds.
Mar 4 08:45:55 F500 setroubleshoot: SELinux is preventing passwd (passwd_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l a5fb5b6a-b394-4a7c-905d-9ef1d45a17af
Mar 4 08:46:54 F500 setroubleshoot: SELinux is preventing passwd (passwd_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l a5fb5b6a-b394-4a7c-905d-9ef1d45a17af
Any ideas on what to do?

4th March 2009, 02:11 PM
Registered User
Join Date: Aug 2007
Age: 41
Posts: 226
Maybe this will help.
http://fedoraproject.org/wiki/PackagingDrafts/SELinux
Quote:
Adding an existing SELinux policy to an application
Problem: There are applications in Extras that perform the same task as applications in Core. They should be protected by SELinux in the same way.
Solution: Label the new binaries the same way as the already-protected ones. Check that all the functionalities still work and that you have no AVC messages. If you do, extend the policy with an SELinux module.
Example: Pure-FTPd is an FTP server available in Extras. It should be protected in the same manner that vsftpd is in Core. Thus the file /usr/sbin/pure-ftpd should be labelled ftpd_exec_t. But Pure-FTPd has additional features: it is capable of taking its user list from MySQL, PostgreSQL or LDAP. We have to write a module to allow it to connect to these servers. To do that, we ship the file pureftpd.te (the filename cannot contain dashes) in the package, containing this:
policy_module(pureftpd, 1.0)
require {
type ftpd_t;
};
init_read_utmp(ftpd_t)
init_dontaudit_write_utmp(ftpd_t)
# Allow connect to mysql
corenet_tcp_connect_mysqld_port(ftpd_t)
mysql_stream_connect(ftpd_t)
mysql_rw_db_sockets(ftpd_t)
# Allow connect to postgresql
corenet_tcp_connect_postgresql_port(ftpd_t)
postgresql_stream_connect(ftpd_t)
sysnet_use_ldap(ftpd_t)
I'd also recommend http://docs.fedoraproject.org/selinu...0/html-single/

4th March 2009, 02:19 PM
Registered User
Join Date: Feb 2006
Posts: 184
Quote:
Originally Posted by JonathanR

This is happening for multiple system services... I do not think this is an issue that can be resolved by adding an application policy. It is a fresh install so something must have got screwed up after I did a yum update.

4th March 2009, 04:40 PM
Registered User
Join Date: Aug 2007
Age: 41
Posts: 226
Quote:
Originally Posted by Thaidog
This is happening for multiple system services... I do not think this is an issue that can be resolved by adding an application policy. It is a fresh install so something must have got screwed up after I did a yum update.
Exactly. It probably is something that got changed as a result of the update. SELinux uses policykit. If you had read the entire document of the first link, you'd know that. I don't think a roll back will help. Either disable SELinux, or add policies. And, fyi, an install that has upgrades/updates applied, is not a fresh install.

4th March 2009, 09:20 PM
SELinux Contributor
Join Date: May 2008
Posts: 621
Looks like leaked file descriptors. You can implement custom policy modules to allow this access until the issues are solved upstream.
Workaround for the iptables-save issue:
Code:
echo 'avc: denied { read write } for pid=3920 comm="iptables-save" path="socket:[10508]" dev=sockfs ino=10508 scontext=unconfined_u:unconfined_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket' | audit2allow -M myiptables && /usr/sbin/semodule -i myiptables.pp

5th March 2009, 05:59 AM
|
|
Registered User
|
|
Join Date: Feb 2006
Posts: 184

|
|
Quote:
Originally Posted by domg472
Looks like leaked file descriptors. You can implement custom policy modules to allow this access until the issues are solved upstream.
Workaround for the iptables-save issue:
Code:
echo 'avc: denied { read write } for pid=3920 comm="iptables-save" path="socket:[10508]" dev=sockfs ino=10508 scontext=unconfined_u:unconfined_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket' | audit2allow -M myiptables && /usr/sbin/semodule -i myiptables.pp

Thanks! What about one for iptables-restore? Would it simply be:
Code:
echo 'avc: denied { read write } for pid=3920 comm="iptables-restore" path="socket:[10508]" dev=sockfs ino=10508 scontext=unconfined_u:unconfined_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket' | audit2allow -M myiptables && /usr/sbin/semodule -i myiptables.pp

5th March 2009, 08:47 AM
|
|
SELinux Contributor
|
|
Join Date: May 2008
Posts: 621

|
|
|
Should already be allowed by our module to allow iptables-save. But yes, in theory you pipe the AVC denial line in question into the input stream of audit2allow -M to let it build a module, and you use semodule -i to install the module.

5th March 2009, 09:20 AM
Registered User
Join Date: Feb 2006
Posts: 184
Quote:
Originally Posted by domg472
Should already be allowed by our module to allow iptables-save. But yes, in theory you pipe the AVC denial line in question into the input stream of audit2allow -M to let it build a module, and you use semodule -i to install the module.
Ok here is the iptables-restore alert:
Code:
Summary:
SELinux is preventing the iptables-restor from using potentially mislabeled
files (./iptables.bak).
Detailed Description:
SELinux has denied iptables-restor access to potentially mislabeled file(s)
(./iptables.bak). This means that SELinux will not allow iptables-restor to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.
Allowing Access:
If you want iptables-restor to access this files, you need to relabel them using
restorecon -v './iptables.bak'. You might want to relabel the entire directory
using restorecon -R -v '.'.
Additional Information:
Source Context unconfined_u:unconfined_r:iptables_t:s0
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects ./iptables.bak [ file ]
Source iptables-restor
Source Path /sbin/iptables-restore
Port <Unknown>
Host Fedora.Nostro
Source RPM Packages iptables-1.4.1.1-2.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-45.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name Fedora.Nostro
Platform Linux Fedora.Nostro 2.6.27.15-170.2.24.fc10.i686
#1 SMP Wed Feb 11 23:58:12 EST 2009 i686 i686
Alert Count 8
First Seen Wed 04 Mar 2009 09:44:22 AM EST
Last Seen Thu 05 Mar 2009 04:19:10 AM EST
Local ID 4ef9007d-2ac8-4b9b-ae78-1b54f11f6ace
Line Numbers
Raw Audit Messages
node=Fedora.Nostro type=AVC msg=audit(1236244750.178:1138): avc: denied { read } for pid=7471 comm="iptables-restor" name="iptables.bak" dev=dm-0 ino=141214 scontext=unconfined_u:unconfined_r:iptables_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
node=Fedora.Nostro type=SYSCALL msg=audit(1236244750.178:1138): arch=40000003 syscall=5 success=no exit=-13 a0=bfc01664 a1=88000 a2=1b6 a3=80000 items=1 ppid=3130 pid=7471 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="iptables-restor" exe="/sbin/iptables-restore" subj=unconfined_u:unconfined_r:iptables_t:s0 key=(null)
node=Fedora.Nostro type=CWD msg=audit(1236244750.178:1138): cwd="/home/tylerm"
node=Fedora.Nostro type=PATH msg=audit(1236244750.178:1138): item=0 name="iptables.bak" inode=141214 dev=fd:00 mode=0100777 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0

5th March 2009, 09:46 AM
SELinux Contributor
Join Date: May 2008
Posts: 621
Are you using those iptables-save / iptables-restore commands manually?
Consider filing a bug report, because we do not want iptables_t to have access to user_home_t (generic user home content).
In my view unconfined_t should not transition to iptables_t upon execution of iptables-save/restore in the first place.
The unconfined_t domain is designed to be unconfined, and so for it to transition to a confined domain (iptables_t) defeats its purpose.
Sure, you can allow iptables_t to read user_home_t by piping the above AVC denial line into the input stream of audit2allow -M and by installing the module using semodule, but you must understand that then iptables can read most of your home content. This is not something I would want.
Code:
echo 'avc: denied { read } for pid=7471 comm="iptables-restor" name="iptables.bak" dev=dm-0 ino=141214 scontext=unconfined_u:unconfined_r:iptables_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file' | audit2allow -M myiptables1 && /usr/sbin/semodule -i myiptables1.pp
Again, consider a bug report.
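To make the review step domg472 describes concrete, here is an added example (not code from this thread, nor from audit2allow itself) that parses AVC denial lines like the ones quoted above, renders the module source that audit2allow -M would build from them, and flags every rule that opens a type on a hypothetical BROAD_TARGETS review list; the sample lines are constructed from the two denials in the thread, and the review list is an assumption of the example.

```python
import re

# Constructed sample input, shaped like the two AVC denials quoted in this thread.
SAMPLE_AVCS = [
    'avc: denied { read write } for pid=3920 comm="iptables-save" path="socket:[10508]" '
    'dev=sockfs ino=10508 scontext=unconfined_u:unconfined_r:iptables_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket',
    'avc: denied { read } for pid=7471 comm="iptables-restor" name="iptables.bak" '
    'dev=dm-0 ino=141214 scontext=unconfined_u:unconfined_r:iptables_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<sctx>\S+)'
                    r'\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')

# Hypothetical review list (an assumption of this example): target types so broad
# that a rule granting them is a reason to file a bug rather than ship a local module.
BROAD_TARGETS = {'user_home_t'}

def type_of(context):
    """Pull the type out of a user:role:type[:level] security context."""
    return context.split(':')[2]

def fmt_perms(perms):
    """One permission bare, several in braces, the way audit2allow prints them."""
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def parse_avc(line):
    """Return the parts of one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {'perms': m.group('perms').split(), 'source': type_of(m.group('sctx')),
            'target': type_of(m.group('tctx')), 'tclass': m.group('tclass')}

def allow_rule(d):
    return f"allow {d['source']} {d['target']}:{d['tclass']} {fmt_perms(d['perms'])};"

def build_module(name, lines):
    """Return (te_source, warnings): the .te text audit2allow -M would generate for
    the lines, plus one warning per rule that opens a BROAD_TARGETS type."""
    denials = [d for d in map(parse_avc, lines) if d is not None]
    types = sorted({t for d in denials for t in (d['source'], d['target'])})
    classes = {}
    for d in denials:
        classes.setdefault(d['tclass'], set()).update(d['perms'])
    body = [f"module {name} 1.0;", "", "require {"]
    body += [f"\ttype {t};" for t in types]
    body += [f"\tclass {c} {fmt_perms(sorted(p))};" for c, p in sorted(classes.items())]
    body += ["}", ""] + [allow_rule(d) for d in denials]
    warnings = [f"{allow_rule(d)}  # {d['source']} gets {fmt_perms(d['perms'])} on all {d['target']} content"
                for d in denials if d['target'] in BROAD_TARGETS]
    return "\n".join(body) + "\n", warnings
```

Running build_module over the two sample lines yields a module with one socket rule and one file rule, and the file rule comes back as a warning because it grants iptables_t read on generic user_home_t content, which is exactly the rule the post above advises reporting rather than installing.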

5th March 2009, 09:54 AM
|
|
Registered User
|
|
Join Date: Feb 2006
Posts: 184

|
|
Quote:
Originally Posted by domg472
Are you using those iptables-save / iptables-restore commands manually?
Consider filing a bug report, because we do not want iptables_t to have access to user_home_t (generic user home content).
In my view unconfined_t should not transition to iptables_t upon execution of iptables-save/restore in the first place.
The unconfined_t domain is designed to be unconfined, and so for it to transition to a confined domain (iptables_t) defeats its purpose.
Sure, you can allow iptables_t to read user_home_t by piping the above AVC denial line into the input stream of audit2allow -M and by installing the module using semodule, but you must understand that then iptables can read most of your home content. This is not something I would want.
Code:
echo 'avc: denied { read } for pid=7471 comm="iptables-restor" name="iptables.bak" dev=dm-0 ino=141214 scontext=unconfined_u:unconfined_r:iptables_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file' | audit2allow -M myiptables1 && /usr/sbin/semodule -i myiptables1.pp
Again, consider a bug report.
Ok, I will file a bug report since there is obviously something strange with all of these commands generating SELinux popups.
Is it possible to just switch off SELinux for a second to assimilate the iptables restore?

5th March 2009, 10:13 AM
|
|
SELinux Contributor
|
|
Join Date: May 2008
Posts: 621

|
|
|
There is no need to do that:
you can just install a custom module and uninstall it when you're done.
man semodule:
1. to install a module: semodule -i <module.pp>
2. to list an installed module: semodule -l | grep <module>
3. to uninstall an installed module: semodule -r <module>
You can also put the offending domain into a permissive state. Permissive mode allows the violation but will log the would-be denial.
For example, to enable a permissive state for the iptables_t domain:
semanage permissive -a iptables_t
to disable permissive mode for the iptables_t domain:
semanage permissive -d iptables_t
You can also put the whole system in a permissive state:
setenforce 0
and toggle it to enforce policy again:
setenforce 1

5th March 2009, 10:22 AM
|
|
Registered User
|
|
Join Date: Feb 2006
Posts: 184

|
|
Quote:
Originally Posted by domg472
There is no need to do that:
you can just install a custom module and uninstall it when you're done.
man semodule:
1. to install a module: semodule -i <module.pp>
2. to list an installed module: semodule -l | grep <module>
3. to uninstall an installed module: semodule -r <module>
You can also put the offending domain into a permissive state. Permissive mode allows the violation but will log the would-be denial.
For example, to enable a permissive state for the iptables_t domain:
semanage permissive -a iptables_t
to disable permissive mode for the iptables_t domain:
semanage permissive -d iptables_t
You can also put the whole system in a permissive state:
setenforce 0
and toggle it to enforce policy again:
setenforce 1
I'll try the semanage permissive -a iptables_t, thanks.