TuXHaT» Selinux Archives – Blog Title http://www.tuxhat.com Linux / sysadmin / Debian / Ubuntu / Red Hat / Centos Tue, 13 Oct 2009 07:25:21 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 selinux denials on 3ware RAID SMART check http://www.tuxhat.com/linux/selinux-denials-and-smartd-in-linux/ http://www.tuxhat.com/linux/selinux-denials-and-smartd-in-linux/#comments Fri, 04 Sep 2009 10:02:40 +0000 tux http://www.tuxhat.com/?p=54 If you have a selinux enabled linux machine and is using smartd to check hard drives connected to 3ware RAID controller, you may encounter with couple of denials as below,

kernel: type=1400 audit(1252046658.420:122): avc: denied { ioctl } for pid=28988 comm=”smartd” path=”/dev/twa0″ dev=tmpfs ino=7729 scontext=root:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

kernel: type=1400 audit(1252049165.256:123): avc: denied { getattr } for pid=18264 comm=”smartd” path=”/dev/twa0″ dev=tmpfs ino=7729 scontext=user_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

kernel: type=1400 audit(1252049165.258:124): avc: denied { read } for pid=18264 comm=”smartd” name=”twa0″ dev=tmpfs ino=7729 scontext=user_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

kernel: type=1400 audit(1252049165.258:125): avc: denied { ioctl } for pid=18264 comm=”smartd” path=”/dev/twa0″ dev=tmpfs ino=7729 scontext=user_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

For default the 3ware RAID controller device /dev/twa0 will be having generic filecontext for /dev which is device_t. But smartd runs under context fsdaemon_t, which do not have access to object type device_t.

So you need to relabel /dev/twa0 as below,

chcon -t fixed_disk_device_t /dev/twa*

Conclusion:

fsdaemon_t can operate on object types fixed_disk_device_t

]]> http://www.tuxhat.com/linux/selinux-denials-and-smartd-in-linux/feed/ 0 Troubleshooting selinux http://www.tuxhat.com/linux/troubleshooting-selinux/ http://www.tuxhat.com/linux/troubleshooting-selinux/#comments Fri, 19 Jun 2009 06:45:37 +0000 tux http://www.tuxhat.com/?p=36 I have been recently working on Selinux. It was way invented on 1970’s, but it is getting great acceptance as a user space security standard these days.

So I was implementing selinux for my production servers, I can’t go directly with enforcing mode. But stay with permissive mode and watch avc denials from selinux and justify it for it to be allowed / denied. The tiering thing is you need to go through each and every selinux denials from the kernel log facility in syslog. More over one type of denial will be repeated thousands time a day. So I thought of a simple script to unique the duplicate denials. Please see below,

Usage : avc_uniquer.sh <file containing selinux denials>

avc_uniquer.sh

for n in `cat -n $1 | sed  's/\(\ *[[:digit:]]\{1,\}\ *\)\(.*\)\({.*}\)\(.*\)\(scontext.*\)/\1\ \3\ \5/; '|sort -k3|uniq -f 2|awk {'print $1'}`;
do
sed -n "$n p" $1;
done

TIP1:

avc_uniquer.sh <filename>|audit2allow

The above will give you the selinux rules corresponding to the denials.

Eg:

Tue Jul 21 11:11:39 IST 2009$avc_uniquer.sh selinux_denial |audit2allow
allow smbd_t httpd_sys_content_t:dir { add_name create write };
allow smbd_t httpd_sys_content_t:file { create getattr lock read write };

Hope it will be helpful for some :)

]]> http://www.tuxhat.com/linux/troubleshooting-selinux/feed/ 0