Old 01-11-2013, 10:03 AM   #16
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 681

Original Poster
Rep: Reputation: 42

Not that I am any kind of expert, but I don't understand why the script is changing directories at the end to /root. If the script is copied to and executed from /root, why should it need to change back there? I don't see that it .... never mind. After looking at it I think I get it. The script has a loop of sorts in it from "do" to "done" until all the variables in the array CONTEXTLIST are used. So after it inserts the module it made for, say, dhcpc_t, its working directory would be something like /root/selinux_dhcpc_t.whatever, and so it has to cd back to /root before the next loop.

How much space will this use on /root? The partitions were set up automatically by the Debian installer and they are encrypted and LVM, so resizing them is not so easy even on a machine that boots easily from USB/CD, but this particular machine has to have the case opened and a CD drive hooked up via IDE because it does not like to boot USB very well. Currently /root is 321MB with 190 free, so there is not a lot of space there to play with.

Last edited by rbees; 01-11-2013 at 10:05 AM.
 
Old 01-11-2013, 10:10 AM   #17
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,541
Blog Entries: 54

Rep: Reputation: 2924
Not prohibitive AFAIK: the local policy directories I've created take up about 24K per.
 
Old 01-12-2013, 07:47 PM   #18
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 681

Original Poster
Rep: Reputation: 42
I had to modify the script slightly to reflect the current avc's in /var/log/messages
Code:
dhcpc_t exim_t  fsadm_t hostname_t ifconfig_t lvm_t nagios_checkdisk_plugin_t nagios_services_plugin_t nagios_system_plugin_t nagios_t named_t ping_t portmap_t rpcd_t sshd_t syslogd_t udev_t
after force rotating the log files and a reboot so that there were no stray avc's from before.

Aside from that, the script, which I named seperate.script, is returning an error. I really wish I had good bash scripting skills; I might be able to figure out what is wrong. But normally I am only able to get the basic idea of what the script is doing and not fix it.
Code:
# ./seperate.script
compilation failed:
20130112CONTEXTLIST.te:2:ERROR 'syntax error' at token '20130112' on line 2:
module 20130112CONTEXTLIST 1.0;

/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from 20130112CONTEXTLIST.te
root@external:~#
The file 20130112CONTEXTLIST.te contains
Code:
${this is a blank line}$
module 20130112CONTEXTLIST 1.0;
If I remember correctly one time when I ran audit2allow it complained about numbers being in the module name but I can't be sure. I was running in screen console at the time and that screen console has been closed and the buffer is gone.

The current mydmesg.te
Code:
module mydmesg 1.0;

require {
        type nagios_system_plugin_t;
        type home_root_t;
        type crond_tmp_t;
        type usr_t;
        type ping_t;
        type syslogd_t;
        type tty_device_t;
        type sysfs_t;
        type var_lock_t;
        type tmp_t;
        type dhcpc_var_run_t;
        type dhcpc_t;
        type nagios_checkdisk_plugin_t;
        type hostname_t;
        type snort_log_t;
        type exim_t;
        type nagios_services_plugin_t;
        type ifconfig_t;
        type devpts_t;
        type lvm_t;
        type initrc_tmp_t;
        type portmap_t;
        type fsadm_t;
        type boot_t;
        type named_t;
        type var_lib_t;
        type nagios_t;
        type udev_t;
        type tmpfs_t;
        type ntp_drift_t;
        type sshd_t;
        type crond_t;
        type file_t;
        type initrc_var_run_t;
        type var_t;
        type rpcd_t;
        class fifo_file read;
        class chr_file { write getattr read open };
        class file { rename setattr read lock create ioctl write getattr link unlink open append };
        class sock_file { create setattr };
        class lnk_file read;
        class dir { write search getattr read remove_name add_name };
        
}

#============= dhcpc_t ==============
allow dhcpc_t ntp_drift_t:dir search;

#============= exim_t ==============
allow exim_t crond_tmp_t:file { read write getattr };
allow exim_t dhcpc_var_run_t:file { read getattr open };
allow exim_t initrc_tmp_t:file { read getattr };

#============= fsadm_t ==============
allow fsadm_t tty_device_t:chr_file { read write };

#============= hostname_t ==============
allow hostname_t crond_t:fifo_file read;
allow hostname_t dhcpc_var_run_t:file { read getattr open };
allow hostname_t initrc_var_run_t:file write;
allow hostname_t snort_log_t:file read;
allow hostname_t tty_device_t:chr_file { read write };

#============= ifconfig_t ==============
allow ifconfig_t crond_t:fifo_file read;
allow ifconfig_t tty_device_t:chr_file { read write };

#============= lvm_t ==============
allow lvm_t file_t:dir { read write add_name remove_name };
allow lvm_t file_t:file { getattr read lock create open append };

#============= nagios_checkdisk_plugin_t ==============
allow nagios_checkdisk_plugin_t boot_t:dir getattr;
allow nagios_checkdisk_plugin_t devpts_t:dir getattr;
allow nagios_checkdisk_plugin_t home_root_t:dir getattr;
allow nagios_checkdisk_plugin_t sysfs_t:dir getattr;
allow nagios_checkdisk_plugin_t tmp_t:dir getattr;
allow nagios_checkdisk_plugin_t tmpfs_t:dir getattr;
allow nagios_checkdisk_plugin_t var_lib_t:file { read write };

#============= nagios_services_plugin_t ==============
allow nagios_services_plugin_t var_lib_t:file { read write };

#============= nagios_system_plugin_t ==============
allow nagios_system_plugin_t var_lib_t:file { read write };

#============= nagios_t ==============
allow nagios_t dhcpc_var_run_t:file { read getattr open };
allow nagios_t usr_t:file { read getattr open ioctl };
allow nagios_t usr_t:lnk_file read;
allow nagios_t var_lib_t:dir { write remove_name add_name };
allow nagios_t var_lib_t:file { rename write getattr read create unlink open };
allow nagios_t var_t:dir { write remove_name add_name };
allow nagios_t var_t:file { rename setattr read create write getattr unlink open };

#============= named_t ==============
allow named_t var_t:chr_file { read getattr open };

#============= ping_t ==============
allow ping_t var_lib_t:file { read write };

#============= portmap_t ==============
allow portmap_t tty_device_t:chr_file { read write };

#============= rpcd_t ==============
allow rpcd_t tty_device_t:chr_file { read write };

#============= sshd_t ==============
allow sshd_t dhcpc_var_run_t:file { read getattr open };

#============= syslogd_t ==============
allow syslogd_t dhcpc_var_run_t:file { read getattr open };
allow syslogd_t var_t:dir { write add_name };
allow syslogd_t var_t:sock_file { create setattr };

#============= udev_t ==============
allow udev_t var_lock_t:dir { write remove_name add_name };
allow udev_t var_lock_t:file { write open create unlink link };
 
Old 01-12-2013, 08:27 PM   #19
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,541
Blog Entries: 54

Rep: Reputation: 2924
Two problems: I forgot (sorry) to put a dollar sign in front of the CONTEXT variable name and secondly it appears 'audit2allow' doesn't like it if the module name starts with a number ("20130112portmap") so I swapped the creation date with the policy module name so it'll be "portmap20130112". I also added comments so you get at least some idea of what it does:
Code:
#!/bin/bash
# Generate CONTEXTLIST contents from the log instead: take the scontext= field of each
# AVC denial and keep only its type, i.e. the third colon-separated field (e.g. dhcpc_t).
# Matching on "avc:.*denied" covers both the kernel/syslog format and auditd's audit.log.
awk -F'scontext=' '/avc:.*denied/ {split($2, c, "[: ]"); print c[3]}' /var/log/messages | sort -u | while read CONTEXT; do
# Create output policy module name from variable: strip only the trailing "_t", then drop underscores.
 PPNAME=${CONTEXT%_t}; PPNAME=${PPNAME//_/}
 DATE=$(/bin/date +'%Y%m%d')
# Create a temporary directory in /root. Name starts with "selinux_", then "policy module name" and some random chars.
# cd into the directory, parse output and echo a module load command.
# The .pp file gets the same name as the module, so the date goes after PPNAME in both places:
_MYTMPDIR=$(mktemp -p /root -d "selinux_${PPNAME}.XXXXXXXXXX") && { cd "${_MYTMPDIR}" || exit 1
 grep "scontext=.*:.*:${CONTEXT}[: ]" /var/log/messages | audit2allow -M "${PPNAME}${DATE}" && \
 echo "semodule -i ${PWD}/${PPNAME}${DATE}.pp"; }
# cd back to root isn't really necessary as mktemp is anchored in /root anyway.
done; exit 0
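As an added example (not the thread's script, and written in plain POSIX sh), the two steps the script above gets wrong in the thread, shown against constructed log lines: pulling the source type out of the scontext= field of an AVC denial, and building a module name that checkmodule accepts, with the date after the name rather than in front of it. The sample log lines, the function names and the date are all constructed here.

```shell
#!/bin/sh
# Added example, not the thread's script: pull the source *type* out of AVC
# denial lines and derive a module name checkmodule accepts (it must start
# with a letter, which is why the date goes after the name, not before it).

# Constructed sample of kernel AVC lines as syslog writes them to
# /var/log/messages on an MCS-enabled Debian policy. Three denials, two types.
SAMPLE_LOG='Jan 12 19:40:01 external kernel: [  123.456] type=1400 audit(1357994401.123:4): avc:  denied  { search } for  pid=1234 comm="dhclient-script" name="ntp" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ntp_drift_t:s0 tclass=dir
Jan 12 19:40:02 external kernel: [  124.001] type=1400 audit(1357994402.456:5): avc:  denied  { read write getattr } for  pid=2345 comm="exim4" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file
Jan 12 19:40:03 external kernel: [  125.002] type=1400 audit(1357994403.789:6): avc:  denied  { read getattr open } for  pid=1234 comm="dhclient" scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:dhcpc_var_run_t tclass=file'

# Read log lines on stdin; print each distinct source type once, sorted.
# The type is the third colon-separated field of scontext=, and the capture
# stops at ':' or ' ' so it works with or without a trailing MCS level.
avc_source_types() {
    sed -n 's/.*avc: *denied .*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p' | sort -u
}

# Module name for a type: strip only the trailing "_t" (so user_tmp_t keeps
# its "tmp"), drop the remaining underscores, then append the date.
module_name() {
    type=${1%_t}
    printf '%s%s\n' "$(printf '%s' "$type" | tr -d '_')" "$2"
}

# checkmodule rejects a module name that begins with a digit.
valid_module_name() {
    case "$1" in
        [A-Za-z]*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Walk the sample and show what each type would be packaged as.
main() {
    day=$(date +%Y%m%d)
    printf '%s\n' "$SAMPLE_LOG" | avc_source_types | while read -r t; do
        name=$(module_name "$t" "$day")
        if valid_module_name "$name"; then
            echo "$t -> $name.pp"
        else
            echo "$t -> REJECTED: $name starts with a digit" >&2
        fi
    done
}

main
```

Feed real lines with `avc_source_types < /var/log/messages` to get the list the thread types by hand into CONTEXTS.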
 
Old 01-12-2013, 09:14 PM   #20
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 681

Original Poster
Rep: Reputation: 42
K I ran the script but there was no output. How do I determine that in installed the modules? There are not any left over directories in /root.
 
Old 01-12-2013, 10:15 PM   #21
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,541
Blog Entries: 54

Rep: Reputation: 2924
OK, I'll simplify things as much as possible. This means you'll have to create a directory yourself and be in it before executing this script as
Code:
/path/to/script 2>&1 | tee /path/to/logfile
the script itself is in debug mode, audit2allow should process input verbosely and the script lists all policy files when it finishes. You can read back the output from 'less /path/to/logfile'.
Code:
#!/bin/bash -vx
# Source types taken from the AVC denials in /var/log/messages:
CONTEXTS="dhcpc_t exim_t  fsadm_t hostname_t ifconfig_t lvm_t nagios_checkdisk_plugin_t nagios_services_plugin_t nagios_system_plugin_t nagios_t named_t ping_t portmap_t rpcd_t sshd_t syslogd_t udev_t"
# Module name: strip only the trailing "_t", then drop the underscores.
for CONTEXT in $CONTEXTS; do PPNAME=${CONTEXT%_t}; PPNAME=${PPNAME//_/};
# Feed only this type's denials to audit2allow; -v explains each generated rule.
 grep -e "scontext=.*:.*:${CONTEXT}:" /var/log/messages | audit2allow -v -M "${PPNAME}"
done
# The glob must be unquoted so it expands to the generated policy packages:
ls -al *.pp; exit 0
*Note only the first iteration of this script did actually try to 'semodule -i'. IMHO it's better to do that yourself, per module, to ensure it loads OK.

Last edited by unSpawn; 01-12-2013 at 10:18 PM.
 
Old 01-13-2013, 09:34 AM   #22
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 681

Original Poster
Rep: Reputation: 42
unSpawn

Thanks again for your guidance. Sorry to have been so thick-headed; it's kind of hard to teach an old man new concepts. I hope I have all the avc's fixed now. A couple of days running this way should tell.
 
Old 01-13-2013, 09:44 AM   #23
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,541
Blog Entries: 54

Rep: Reputation: 2924
No need to be sorry about anything. I mean, we tackled the problem, didn't we? If you don't post back in a few days then at least mark the thread solved to indicate success=yes.
 