Fedora Linux Support Community & Resources Center

#1  MrMagoo, 10th July 2009, 12:14 PM
SELinux blocking synce

Hi all,

I just installed synce on my Fedora 11 following these instructions:
http://www.synce.org/moin/SynceInstallation/Fedora

Now I get an SELinux error when I put the PDA in the cradle:
node=dirklap.ntdom.tk.informatik.tu-darmstadt.de type=AVC msg=audit(1247223946.64:81): avc: denied { write } for pid=3513 comm="ip" path="pipe:[44646]" dev=pipefs ino=44646 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=fifo_file

I do not know much about SELinux and this makes it hard for me to understand what is going on here.
SELinux is set to enforcing mode.

Did somebody solve this problem?

Dirk
#2  domg472 (SELinux Contributor), 10th July 2009, 12:39 PM
Looks like ifconfig, or some program executed by ifconfig, wants to write to a named pipe belonging to hald_t.

I think you could allow this, but I think that after this it may need more permissions.

A way to test this is to make ifconfig_t a permissive domain (semanage permissive -a ifconfig_t). Then test your issue, and collect all the SELinux AVC denials at once, so that you have a good idea of all the access it requires.

After testing you can remove the ifconfig_t permissive domain again (semanage permissive -d ifconfig_t)

Show us all the avc denials, then we can implement a good solution.

To allow this single access vector :

echo 'avc: denied { write } for pid=3513 comm="ip" path="pipe:[44646]" dev=pipefs ino=44646 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=fifo_file' | audit2allow -RM mysysnetwork; semodule -i mysysnetwork.pp

(But again, you should first check whether it needs more access before implementing any fix.)
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/

#3  MrMagoo, 10th July 2009, 01:00 PM
Thanks for the fast reply.

These are the denials that I get when I put it in:
avc: denied { getsched } for pid=4491 comm="hal-dccm" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process

avc: denied { read write } for pid=4492 comm="dhclient" path="socket:[131705]" dev=sockfs ino=131705 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=unix_dgram_socket

avc: denied { write } for pid=4596 comm="ip" path="pipe:[135513]" dev=pipefs ino=135513 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=fifo_file

These are the denials that I get when I take it off:
avc: denied { read } for pid=4521 comm="dhclient" name="dhclient.conf" dev=dm-0 ino=416640 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

I hope that I did not forget something.

Dirk
#4  domg472 (SELinux Contributor), 10th July 2009, 01:25 PM
Quote:
Originally Posted by MrMagoo
Thanks for the fast reply.

These are the denials that I get when I put it in:
avc: denied { getsched } for pid=4491 comm="hal-dccm" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process
This could probably be allowed, I believe.

Quote:
avc: denied { read write } for pid=4492 comm="dhclient" path="socket:[131705]" dev=sockfs ino=131705 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=unix_dgram_socket
This looks like a leaked file descriptor, I believe (it should probably be silently denied).

Quote:
avc: denied { write } for pid=4596 comm="ip" path="pipe:[135513]" dev=pipefs ino=135513 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=fifo_file
This could probably be allowed, I believe.

Quote:
These are the denials that I get when I get it off:
avc: denied { read } for pid=4521 comm="dhclient" name="dhclient.conf" dev=dm-0 ino=416640 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

I hope that I did not forget something.

Dirk
This may be a mislabelled file.

Find the file (locate dhclient.conf, or find /usr -inum 416640) and try restoring its file context (restorecon /usr/.../dhclient.conf).

To allow this stuff you could create a module:
Code:
mkdir ~/mysysnetwork; cd ~/mysysnetwork;
echo "policy_module(mysysnetwork, 0.0.1)" > mysysnetwork.te;
echo "require { type dhcpc_t, hald_t, ifconfig_t; }" >> mysysnetwork.te; 
echo "dontaudit dhcpc_t hald_t:unix_dgram_socket { read write };" >> mysysnetwork.te;
echo "allow hald_t self:process getsched;" >> mysysnetwork.te;
echo "hal_rw_pipes(ifconfig_t)" >> mysysnetwork.te;
echo "files_read_usr_files(dhcpc_t)" >> mysysnetwork.te;
make -f /usr/share/selinux/devel/Makefile mysysnetwork.pp
semodule -i mysysnetwork.pp
See if this solves your issues.
#5  MrMagoo, 10th July 2009, 01:58 PM
Hi,

It seems that I overlooked some of the messages. New messages appear.

Here they are:

avc: denied { search } for pid=5525 comm="ifconfig" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir

avc: denied { name_bind } for pid=5490 comm="hal-dccm" src=990 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:ftps_port_t:s0 tclass=tcp_socket

avc: denied { name_bind } for pid=5490 comm="hal-dccm" src=5679 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dccm_port_t:s0 tclass=tcp_socket

Thanks for the help so far.

Dirk
#6  domg472 (SELinux Contributor), 10th July 2009, 02:10 PM
Quote:
Originally Posted by MrMagoo
Hi,

it seems that I oversaw some of the messages. New messages appear.

Here they are:
No, you made ifconfig_t permissive before and not hald_t, so since these issues relate to hald_t they are new.

Quote:
avc: denied { search } for pid=5525 comm="ifconfig" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
This could be allowed, but I think it wants more after this. Best to make hald_t permissive (semanage permissive -a hald_t) and see what it really wants.
(Put it back afterwards with semanage permissive -d hald_t.)

Quote:
avc: denied { name_bind } for pid=5490 comm="hal-dccm" src=990 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:ftps_port_t:s0 tclass=tcp_socket
Looks like hal-dccm wants to bind tcp sockets to port 990

Quote:
avc: denied { name_bind } for pid=5490 comm="hal-dccm" src=5679 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dccm_port_t:s0 tclass=tcp_socket

Thanks for the help so far.

Dirk
Looks like hal-dccm wants to bind a tcp socket to port 5679

You could probably add these to your current module already:

cd ~/mysysnetwork;
echo "corenet_tcp_bind_dccm_port(hald_t)" >> mysysnetwork.te;
echo "corenet_tcp_bind_ftps_port(hald_t)" >> mysysnetwork.te;
make -f /usr/share/selinux/devel/Makefile mysysnetwork.pp
semodule -i mysysnetwork.pp

As to the first denial: we should first try to figure out what hald_t is searching for, by making hald_t a permissive domain and testing, then look at the AVC denials again and extend our module.

Since hald_t is now also in the mix, we might as well test with the whole system in permissive mode instead of adding single permissive domains. This way all involved domains are allowed to do what they want, so that we can see the even bigger picture.

To put the full system in permissive mode: setenforce 0
to view selinux status: getenforce
to put the full system in enforcing mode: setenforce 1

so test in permissive mode, then back to enforcing mode.
#7  MrMagoo, 13th July 2009, 01:58 PM
Hi,

although in permissive mode I still get these messages:

avc: denied { search } for pid=7726 comm="ifconfig" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir

avc: denied { read write } for pid=7690 comm="consoletype" path="socket:[484284]" dev=sockfs ino=484284 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=unix_dgram_socket

avc: denied { read write } for pid=7703 comm="ip" path="socket:[484284]" dev=sockfs ino=484284 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=unix_dgram_socket


I just saw that it also says that it would be forbidden but that it is allowed, though.

Dirk
#8  domg472 (SELinux Contributor), 13th July 2009, 03:28 PM
Quote:
Originally Posted by MrMagoo
Hi,

although in permissive mode I still get these messages:

avc: denied { search } for pid=7726 comm="ifconfig" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
This can be allowed, I guess.

add to mysysnetwork.te :

require { type sysctl_net_t; }
allow hald_t sysctl_net_t:dir search;

Quote:
avc: denied { read write } for pid=7690 comm="consoletype" path="socket:[484284]" dev=sockfs ino=484284 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=unix_dgram_socket

avc: denied { read write } for pid=7703 comm="ip" path="socket:[484284]" dev=sockfs ino=484284 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=unix_dgram_socket
These look like leaked file descriptors to me. Should probably be silently denied:

add to mysysnetwork.te:

require { type consoletype_t; }
dontaudit consoletype_t hald_t:unix_dgram_socket { read write };
dontaudit ifconfig_t hald_t:unix_dgram_socket { read write };

Then rebuild /reinstall your module:
cd ~/mysysnetwork
make -f /usr/share/selinux/devel/Makefile mysysnetwork.pp
semodule -i mysysnetwork.pp
Quote:

I just saw that it also says that it would be forbidden but that it is allowed, though.

Dirk
Yes, that is what permissive mode does. It allows what normally would have been denied, but it still logs the "would-be denials".
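The workflow in posts #2, #4 and #8 (run the test with the domain permissive, collect every AVC denial, then decide rule by rule between allow, an interface call, and dontaudit for a leaked descriptor) as an added example in Python. This is not code from this thread, from SynCE or from the SELinux tools; audit2allow -R is the real tool for this job. The sample lines are the denials Dirk posted, embedded inline; the leaked-descriptor heuristic, the corenet_tcp_bind_<port>_port() naming convention and the module name mysysnetwork are this example's own assumptions, and the .te it prints is a draft to review, not a finished policy.

```python
"""Merge a batch of SELinux AVC denials into a policy-module skeleton.

Added example (not the thread's, synce's or the SELinux tools' code): takes
every "avc: denied" line captured during a permissive test, merges the
permissions per (source type, target type, class) and emits an allow rule,
a dontaudit rule for what looks like a leaked descriptor, or a
corenet_tcp_bind_<port>_port() interface call for a port bind.
"""
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: the denial lines posted in this thread, copied as posted.
SAMPLE_DENIALS = [
    'avc: denied { getsched } for pid=4491 comm="hal-dccm" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process',
    'avc: denied { read write } for pid=4492 comm="dhclient" path="socket:[131705]" dev=sockfs ino=131705 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=unix_dgram_socket',
    'avc: denied { write } for pid=4596 comm="ip" path="pipe:[135513]" dev=pipefs ino=135513 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=fifo_file',
    'avc: denied { read } for pid=4521 comm="dhclient" name="dhclient.conf" dev=dm-0 ino=416640 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'avc: denied { search } for pid=5525 comm="ifconfig" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir',
    'avc: denied { name_bind } for pid=5490 comm="hal-dccm" src=990 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:ftps_port_t:s0 tclass=tcp_socket',
    'avc: denied { name_bind } for pid=5490 comm="hal-dccm" src=5679 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dccm_port_t:s0 tclass=tcp_socket',
    'avc: denied { read write } for pid=7690 comm="consoletype" path="socket:[484284]" dev=sockfs ino=484284 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=unix_dgram_socket',
    'avc: denied { read write } for pid=7703 comm="ip" path="socket:[484284]" dev=sockfs ino=484284 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=unix_dgram_socket',
]


def type_of(context):
    """system_u:system_r:hald_t:s0 -> hald_t"""
    return context.split(":")[2]


def parse_avc(line):
    """Return perms, source/target types, class and raw fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,
    }


def is_leaked_fd(avc):
    """Heuristic (this example's assumption, matching the calls made in the thread):
    an anonymous datagram socket (path=socket:[...]) owned by another process
    domain (target role system_r) was inherited across exec; silence it with
    dontaudit rather than grant it. Pipes stay allow candidates, since hald
    legitimately reads its helpers' output through them."""
    f = avc["fields"]
    return (
        avc["tclass"] == "unix_dgram_socket"
        and f["tcontext"].split(":")[1] == "system_r"
        and f.get("path", "").startswith("socket:[")
    )


def format_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_module(lines, name="mysysnetwork"):
    """Merge AVC lines into .te text; rules keep first-seen order."""
    rules = {}  # (stype, ttype, tclass) -> {"perms": set, "leaked": bool}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        entry = rules.setdefault(key, {"perms": set(), "leaked": is_leaked_fd(avc)})
        entry["perms"] |= avc["perms"]

    body, needed = [], set()
    for (stype, ttype, tclass), entry in rules.items():
        needed.add(stype)
        if tclass == "tcp_socket" and entry["perms"] == {"name_bind"} and ttype.endswith("_port_t"):
            # refpolicy generates corenet_tcp_bind_<name>_port() for every declared
            # port type, so the port type needs no require entry of its own.
            body.append(f"corenet_tcp_bind_{ttype[:-len('_port_t')]}_port({stype})")
            continue
        needed.add(ttype)
        target = "self" if stype == ttype else ttype
        kind = "dontaudit" if entry["leaked"] else "allow"
        body.append(f"{kind} {stype} {target}:{tclass} {format_perms(entry['perms'])};")

    header = [f"policy_module({name}, 0.0.1)", "", "require {",
              f"\ttype {', '.join(sorted(needed))};", "}", ""]
    return "\n".join(header + body) + "\n"


if __name__ == "__main__":
    print(build_module(SAMPLE_DENIALS), end="")
```

Run as a script it prints the module; the rules match what domg472 arrived at by hand in this thread, except that it emits a plain allow for the usr_t read where he preferred files_read_usr_files() (and first suggested checking the file's label with restorecon). On a real system, feed it the lines from ausearch -m avc -ts recent instead of SAMPLE_DENIALS, and still read every rule before loading it: a generator cannot tell a leaked descriptor from a real dependency, which is why the thread asks for the whole set of denials first.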
#9  MrMagoo, 13th July 2009, 03:47 PM
Hi,

thanks for your help.

Now I do not get any messages any more. The contents of mysysnetwork.te is now

Code:
policy_module(mysysnetwork, 0.0.1)
require { type dhcpc_t, hald_t, ifconfig_t; }
dontaudit dhcpc_t hald_t:unix_dgram_socket { read write };
allow hald_t self:process getsched;
hal_rw_pipes(ifconfig_t)
files_read_usr_files(dhcpc_t)
corenet_tcp_bind_dccm_port(hald_t)
corenet_tcp_bind_ftps_port(hald_t)
require { type sysctl_net_t; }
allow hald_t sysctl_net_t:dir search;
require { type consoletype_t; }
dontaudit consoletype_t hald_t:unix_dgram_socket { read write };
dontaudit ifconfig_t hald_t:unix_dgram_socket { read write };
SynCE still does not get a connection, but this may be another problem.

Thanks for your fast and precise help.

Dirk

#10  domg472 (SELinux Contributor), 13th July 2009, 07:09 PM
Well, see if it works in permissive mode. If it does, then it IS a SELinux issue.

You might try replacing the "dontaudit" by "allow" to see if that makes any difference.

There may also be hidden avc denials which you can expose by running semodule -DB
Tags
blocking, selinux, synce