From sits@sucs.org Fri Aug 25 07:15:52 2006
Date: Fri, 25 Aug 2006 07:15:50 +0100
From: Sitsofe Wheeler
To: Peter Berry
Cc:
Subject: Re: mw on newsilver

On Fri, 2006-08-25 at 03:40 +0100, Peter Berry wrote:
> Currently mw on newsilver is giving selinux errors such as the following
> when you try to run it:
>
> audit(1156466406.032:12497): avc: denied { entrypoint } for pid=21416 comm="bash" name="mw" dev=sdb3 ino=15555074 scontext=user_u:system_r:mw_t:s0 tcontext=system_u:object_r:mw_exec_t:s0 tclass=file
>
> I would be interested in not only getting this fixed, but knowing why it's
> happening and how to fix it. Right now I have almost no idea how selinux
> works!

I am more than happy to have people work with me on getting selinux to work for us. I am in the midst of learning it too and don't have a complete view of how selinux works, but I'll give a summary of what I understand here.

In selinux all files have labels that they carry around. There are rules dictating what labels a file gets if it is created, and moving a file does not change its label (it keeps the one it had). man 8 selinux has a good overview and mentions the commands for doing a simple reset of labels at the bottom. Just for the record, we run selinux in targeted mode.

New in FC5 is the ability to load new selinux modules on the fly. It is now possible to amend the running rules without having to recompile the whole ruleset. A simple example of this process is in /root/http-selinux/pg_ldap on newsilver.

There is a command called audit2allow that can take selinux warnings and produce rules that allow the actions given by those warnings. I've been using

    audit2allow -m local -l -d

which works off dmesg from the last selinux reload. You have to be aware that not all the possible steps may have been tried if selinux stops access straight away, and so several runs are often necessary. People often switch selinux to permissive mode to try and gather as many warnings as possible.

In the given directory pg_ldap.te is the interesting file, as that is where the rules go. To compile that policy module you can cd into it and use:

    make -f /usr/share/selinux/devel/Makefile

To make the module active use:

    /usr/sbin/semodule -i pg_ldap.pp

(/usr/sbin/semodule -r modulename can be used to remove a running module and -l lists the in-use ones.)

The mw policy is somewhat more advanced because it creates new labels. You can see my crude attempts in /root/http-selinux/mw. mw.fc tells selinux what labels newly created files in mw default places should get. mw.te is very long and uses the new types to set up the access controls. The idea is that you switch into a mw domain and once you do this switch what you can then do and access is limited. If you aren't in this domain there may well be files that you are not allowed to access. The ability to enter these domains is effectively done by these rules:

    mw_domtrans(unconfined_t);
    mw_domtrans(httpd_sys_script_t);

(mw_domtrans is actually a macro and the rule says if you are coming from either unconfined_t or httpd_sys_script_t you should automatically switch to the mw domain upon running mw's binary. For some reason ssh bbs@ does not appear to be doing this transition and winds up still in the unconfined_t domain and thus is a problem.)

The rule I added to fix the warning you were given was:

    allow mw_t mw_exec_t:file entrypoint;

as suggested by audit2allow. I don't have much more time to cover this and the documentation I have found so far is quite weak at describing things like what macros are available for allowing command tasks (e.g. I wound up finding a macro to allow access to the locale files because those were causing a warning after the above problem was fixed).

Links to the reference policy are often out of date and wrong, and it currently appears to be here:
http://oss.tresys.com/docs/refpolicy/api/admin.html

The FC5 selinux FAQ may be of use to you:
http://fedora.redhat.com/docs/selinux-faq-fc5/
(I found the section on local.te policy to be especially useful.)

The IRC channel may be a good place to get help. This link was useful:
http://seedit.sourceforge.net/doc/access_vectors/

If you can lay your hands on the O'Reilly selinux book there is some good stuff in there. http://danwalsh.livejournal.com/ is the blog of one of the selinux developers.

As people come across stuff do ask questions (after you've exhausted other means of course) and I'll try my best to answer them. If you know more than I do then feel free to educate me too!

-- 
Sitsofe | http://sucs.org/~sits/
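To show how audit2allow turns AVC denials like the one quoted above into `allow` rules for a .te file, here is an added example that is not part of the mail or of the audit2allow tool: a small Python re-implementation of the core step (parse the denial lines, group by source type, target type and object class, emit one rule per group). The first sample line is the real denial from the mail; the two locale_t lines are constructed to illustrate several denials collapsing into one rule.

```python
import re
from collections import defaultdict

# Constructed sample dmesg excerpt: line 1 is the denial quoted in the mail,
# lines 2-3 are made-up denials against locale_t to show permission grouping.
SAMPLE_DMESG = """\
audit(1156466406.032:12497): avc: denied { entrypoint } for pid=21416 comm="bash" name="mw" dev=sdb3 ino=15555074 scontext=user_u:system_r:mw_t:s0 tcontext=system_u:object_r:mw_exec_t:s0 tclass=file
audit(1156466407.100:12498): avc: denied { read } for pid=21417 comm="mw" name="locale.alias" dev=sdb3 ino=123 scontext=user_u:system_r:mw_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
audit(1156466407.101:12499): avc: denied { getattr } for pid=21417 comm="mw" name="locale.alias" dev=sdb3 ino=123 scontext=user_u:system_r:mw_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
"""

# Matches the permission set inside { }, then the source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_denials(text):
    """Extract (perms, source type, target type, class) from each AVC denial line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial line; dmesg has plenty of other output
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def suggest_allow_rules(text):
    """Merge denials with the same (source, target, class) into one allow rule each.
    Review each rule before adding it to a .te file: a denial can also mean the
    file is mislabelled, in which case relabelling is the right fix, not a rule."""
    grouped = defaultdict(set)
    for d in parse_denials(text):
        grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in suggest_allow_rules(SAMPLE_DMESG):
        print(rule)
```

Because only the denials that actually reached the log are seen, the output covers just the steps that ran, which is why the mail recommends several passes (or a permissive run) before treating the module as complete.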