Package: selinux-policy-default
Version: 2:0.2.20100524-7+squeeze1
Hi,
i get some avc denied messages for some services:
mysql: (normal aptitude install mysql-server mysql-client)
type=1400 audit(1316624875.607:6): avc: denied { write } for pid=2238
comm="mysqladmin" name="mysqld.sock" dev=sda1 ino=141075
scontext=system_u:system_r:mysqld_safe_t:s0
tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
#allow mysqld_safe_t mysqld_var_run_t:sock_file write;
type=1400 audit(1316624999.835:8): avc: denied { connectto } for
pid=2503 comm="mysqladmin" path="/var/run/mysqld/mysqld.sock"
scontext=system_u:system_r:mysqld_safe_t:s0
tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
#allow mysqld_safe_t mysqld_t:unix_stream_socket connectto;
type=1400 audit(1316624873.859:5): avc: denied { write } for pid=2073
comm="mysqld_safe" name="/" dev=sda1 ino=2
scontext=system_u:system_r:mysqld_safe_t:s0
tcontext=system_u:object_r:root_t:s0 tclass=dir
#dontaudit mysqld_safe_t root_t:dir write;
quota: (I think already in sid selinux-policy-default(2:0.2.20100524-12)
*Allow quota_t to load kernel modules.)
type=1400 audit(1316625130.782:4): avc: denied { module_request } for
pid=734 comm="quotaon" scontext=system_u:system_r:quota_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=system
#allow quota_t kernel_t:system module_request;
proftpd: (installed like
http://www.howtoforge.com/how-to-integrate-clamav-through-mod_clamav-into-proftpd-for-virus-scanning-on-debian-lenny)
selinux does not recognize my proftpd installation, so i has to manually
install the ftp.pp policy-package.
Perhaps, because i have no (virtual) "proftpd "package", only
"proftpd-basic" and "proftpd-mysql"
Some access denied:
type=1400 audit(1316269380.269:131): avc: denied { search } for
pid=2931 comm="proftpd" name="proftpd" dev=sda1 ino=98618
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ftpd_etc_t:s0 tclass=dir
#allow ftpd_t ftpd_etc_t:dir search;
type=1400 audit(1316439944.643:109): avc: denied { search } for
pid=2944 comm="proftpd" name="mysql" dev=sda1 ino=34078
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir
#dontaudit ftpd_t mysqld_etc_t:dir search;
I also use the following policy:
#type_transition ftpd_t var_run_t:{ file dir sock_file } ftpd_var_run_t;
so that /var/run/profptd/ and /var/run/proftpd.sock has a type of
ftpd_var_run_t and not var_run_t (so that ftpd_t needs no access to
var_run_t)
I recognized, that the default user/role/type of ssh users (include
root) is unconfined_t.
On my systems this type/role has unlimited rights (beyond the
user:group:other permissions) and a very high security range.
So i limited it:
#semanage login -m -s staff_u root
#semanage login -m -s user_u -r s0 "__default__"
Now every user ssh-user has user_u:user_r:user_t, this is more limited
than unconfined_u:unconfined_r:unconfined_t,
and root hat staff_u:staff_r:staff_t, and this is also limited (e.g. no
access to /var/log/messages and no setenforce),
so he needs to get a higher role with "newrole -r sysadm_r" and retype
his password.
I do not know if this default behavior is wanted, maybe i'am too
paranoid :).
Best Regards,
Christian Göttsche
reportbug:
Package: selinux-policy-default
Version: 2:0.2.20100524-7+squeeze1
Severity: normal
-- System Information:
Debian Release: 6.0.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.1-6.1 Pluggable Authentication
Modules f
ii libselinux1 2.0.96-1 SELinux runtime shared
libraries
ii libsepol1 2.0.41-1 SELinux library for
manipulating b
ii policycoreutils 2.0.82-3 SELinux core policy utilities
ii python 2.6.6-3+squeeze6 interactive high-level
object-orie
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.0.22-1 SELinux policy compiler
ii setools 3.3.6.ds-7.2+b1 tools for Security Enhanced
Linux
Versions of packages selinux-policy-default suggests:
pn logcheck <none> (no description available)
pn syslog-summary <none> (no description available)
-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13]
Permission denied:
u'/etc/selinux/default/modules/active/file_contexts.local' #at the end
/etc/selinux/default/modules/semanage.read.LOCK [Errno 13] Permission
denied: u'/etc/selinux/default/modules/semanage.read.LOCK' #empty
/etc/selinux/default/modules/semanage.trans.LOCK [Errno 13] Permission
denied: u'/etc/selinux/default/modules/semanage.trans.LOCK' #empty
-- no debconf information
Content of /etc/selinux/default/modules/active/file_contexts.local:
# This file is auto-generated by libsemanage
# Do not edit directly.
/home/ftpuser(/.*)? system_u:object_r:ftp_data_client_packet_t:s0
/usr/sbin/proftpd system_u:object_r:ftpd_exec_t:s0
/etc/init.d/proftpd system_u:object_r:ftpd_initrc_exec_t:s0
/var/log/proftpd/*.log system_u:object_r:xferlog_t:s0
/etc/proftpd(/.*)? system_u:object_r:ftpd_etc_t:s0
/var/www/squeezetest/conf_squeezetest system_u:object_r:httpd_suexec_t:s0
/var/lib/apache2/fcgid(/.*)? system_u:object_r:httpd_var_run_t:s0
/etc/alternatives/php-cgi-bin
system_u:object_r:httpd_sys_script_exec_t:s0
/home system_u:object_r:default_t:s0
/etc/alternatives/php-cgi system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/squeezetest/php.ini system_u:object_r:httpd_config_t:s0
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
