LinuxQuestions.org
Old 10-13-2016, 09:54 AM   #1
TripelM
LQ Newbie
 
Registered: Oct 2016
Posts: 6

Rep: Reputation: Disabled
SELinux: semodule -i


Hello,

Now when I install my .pp I get these messages:

Quote:
Full path required for exclude: net:[4026532639].
Full path required for exclude: net:[4026532639].
Full path required for exclude: net:[4026532710].
Full path required for exclude: net:[4026532710].
Full path required for exclude: net:[4026532789].
Full path required for exclude: net:[4026532789].
Full path required for exclude: net:[4026532864].
Full path required for exclude: net:[4026532864].
Full path required for exclude: net:[4026532942].
Full path required for exclude: net:[4026532942].
Full path required for exclude: net:[4026533020].
Full path required for exclude: net:[4026533020].
Full path required for exclude: net:[4026533094].
Full path required for exclude: net:[4026533094].
Full path required for exclude: net:[4026533169].
Full path required for exclude: net:[4026533169].
Full path required for exclude: net:[4026533242].
Full path required for exclude: net:[4026533242].
Full path required for exclude: net:[4026533327].
Full path required for exclude: net:[4026533327].
Full path required for exclude: net:[4026533708].
Full path required for exclude: net:[4026533708].
Full path required for exclude: net:[4026533782].
Full path required for exclude: net:[4026533782].
Does anyone know how I get rid of this?

Thank you in advance for your help.
(Please excuse my bad English)
 
Old 10-13-2016, 01:02 PM   #2
c0wb0y
Member
 
Registered: Jan 2012
Location: Inside the oven
Distribution: Windows
Posts: 417

Rep: Reputation: 74
How did you compile your module? Also, can you post your custom TE?
 
Old 10-14-2016, 02:56 AM   #3
TripelM
LQ Newbie
 
Registered: Oct 2016
Posts: 6

Original Poster
Rep: Reputation: Disabled
I compiled it like this:

- I get the rules from audit2allow -a
- then I wrote a .te file
- then I created a .mod out of the .te file with checkmodule -M -m -o zabbix_sudo.mod zabbix_sudo.te
- then compiled a .pp with semodule_package -m zabbix_sudo.mod -o zabbix_sudo.pp
- after that semodule -i zabbix_sudo.pp

Quote:
module zabbix_sudo 1.0;

require {
    type tmp_t;
    type sudo_exec_t;
    type zabbix_agent_t;
    type cluster_tmpfs_t;
    class netlink_audit_socket { read write nlmsg_relay create };
    class unix_dgram_socket { write create connect sendto };
    class file { write execute read create unlink open execute_no_trans };
    class dir { write remove_name add_name };
    class capability { sys_resource audit_write dac_override };
    class sock_file write;
}

#============= zabbix_agent_t ==============
allow zabbix_agent_t sudo_exec_t:file { execute execute_no_trans };
allow zabbix_agent_t self:netlink_audit_socket { read write nlmsg_relay create };
allow zabbix_agent_t self:unix_dgram_socket { write create connect };
allow zabbix_agent_t tmp_t:dir { write remove_name add_name };
allow zabbix_agent_t tmp_t:file { write create unlink open };
allow zabbix_agent_t self:capability { sys_resource audit_write dac_override };
allow zabbix_agent_t cluster_tmpfs_t:file { read write open };
 
Old 10-14-2016, 04:25 AM   #4
c0wb0y
Member
 
Registered: Jan 2012
Location: Inside the oven
Distribution: Windows
Posts: 417

Rep: Reputation: 74
By the looks, you're trying to provide an unprivileged user capability to run zabbix through sudo. Let me know if my understanding is correct. I think that is like shoe-horning sudo to selinux way of granting privilege. Is your user already member of staff_r or sysadm_r?

I've just checked zabbix provided by CentOS and it comes with its own selinux policy.
 
Old 10-14-2016, 07:37 AM   #5
TripelM
LQ Newbie
 
Registered: Oct 2016
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by c0wb0y View Post
By the looks, you're trying to provide an unprivileged user capability to run zabbix through sudo. Let me know if my understanding is correct. I think that is like shoe-horning sudo to selinux way of granting privilege. Is your user already member of staff_r or sysadm_r?

I've just checked zabbix provided by CentOS and it comes with its own selinux policy.
Yes, that's it, zabbix is in sudoers.d

Quote:
zabbix ALL = (root) NOPASSWD:ALL
I got the SELinux policies from zabbix installed, but root and zabbix can't run the script without my custom policies.
 
Old 10-14-2016, 03:25 PM   #6
c0wb0y
Member
 
Registered: Jan 2012
Location: Inside the oven
Distribution: Windows
Posts: 417

Rep: Reputation: 74
Thanks for the info and I guessed it quite right.

With SELinux, even root can be restricted in what it can do, and that is determined by his SELinux role. By default, root is running under the unconfined domain, which means unrestricted. However, if root is not within the confines of privileged roles (i.e. sysadm_r, staff_r, or unconfined_r) he is pretty limited.

The commands id, seinfo, newrole and semanage can help you reassign privileges and in turn resolve your issues.

By the way, it would be helpful if you can post vital info such as distro, release, etc.

Last edited by c0wb0y; 10-14-2016 at 04:08 PM.
 
Old 10-17-2016, 01:15 AM   #7
TripelM
LQ Newbie
 
Registered: Oct 2016
Posts: 6

Original Poster
Rep: Reputation: Disabled
But how can I solve my problem that I mentioned at the top?
 
Old 10-17-2016, 01:41 AM   #8
c0wb0y
Member
 
Registered: Jan 2012
Location: Inside the oven
Distribution: Windows
Posts: 417

Rep: Reputation: 74
Learning SELinux requires a bit of learning and understanding the concept behind it. No amount of sequence of commands I can try to show you and if you don't have a conceptual understanding of SELinux, then it's going to be quite difficult. I am still a SELinux newbie too. But I decided one day to give it a go and learn the concepts. There are tons of online help that can get you started.

So, don't take it too personally, but may I ask: what do you think SELinux does to complement traditional DAC?

Last edited by c0wb0y; 10-17-2016 at 02:22 AM.
 
Old 11-06-2016, 12:57 PM   #9
dac.override
LQ Newbie
 
Registered: Oct 2016
Posts: 15

Rep: Reputation: Disabled
Quote:
Originally Posted by TripelM View Post
Hello,

Now when I install my .pp I get these messages:

Does anyone know how I get rid of this?

Thank you in advance for your help.
(Please excuse my bad English)
This does not seem to be directly related to semodule. I suspect that your module is incomplete and that this is causing these messages.

The usual procedure to deal with issues like these is:

1. Reproduce the issue in permissive mode:
   rationale: By reproducing the issue in permissive mode, SELinux will allow the process to do what it wants to do but at the same time log what SELinux would have blocked if it were in permissive mode. This will allow you to see (usually) all the events and these events can be used to generate a policy module.
   steps:
      setenforce 0
      <reproduce the issue>
      setenforce 1
      ausearch -m avc,user_avc,selinux_err -ts recent | audit2allow -M mymodule && semodule -i mymodule.pp
   (you might want to review your module before loading it with semodule)

2. If after (1.) the application is still blocked or if it is logging that it has a problem:
   1. Does it work in permissive mode? If yes then SELinux is not the problem, if no then SELinux is still interfering.
   2. Are there any new AVC denials? ausearch -m avc,user_avc,selinux_err -ts recent
   3. If there are no new AVC denials but SELinux is still blocking:
      1. Run semodule -DB to load the policy without "dontaudit" rules.
         "dontaudit" rules are rules telling SELinux to silently block specified events.
      2. Reproduce the issue in permissive mode (setenforce 0).
      3. After the issue is reproduced, put SELinux back into enforcing mode (setenforce 1).
      4. Look for any recent AVC denials, but bear in mind that these events were meant to be hidden.
         The policy author may have made a mistake and told SELinux to hide the event in error.
      5. Process the AVC denials (make a module with the rules needed to fix the issue).
      6. Run semodule -B to load the policy with "dontaudit" rules re-inserted.
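
The post above suggests reviewing a generated module before loading it with semodule. As an added example (not code from any poster in this thread), the shell function below scans the allow rules of a .te file, here the ones posted in #3, and flags a few patterns worth a second look before semodule -i. The names review_te and sample_te and the flag lists are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: review a .te module before `semodule -i`.
# The flag lists are illustrative assumptions, not an official risk list.

review_te() {   # reads a .te file on stdin, prints one finding per line
    awk '
    $1 == "allow" {
        rule = $0; sub(/;[ \t]*$/, "", rule)
        src = $2
        split($3, tc, ":"); tgt = tc[1]; cls = tc[2]
        perms = rule
        sub(/^[^:]*:[^ \t{]*[ \t]*/, "", perms)   # drop "allow src tgt:class"
        gsub(/[{}]/, " ", perms)
        n = split(perms, p, /[ \t]+/); modifies = 0
        for (i = 1; i <= n; i++) {
            if (cls == "capability" &&
                p[i] ~ /^(dac_override|dac_read_search|sys_admin|sys_ptrace)$/)
                print "CAP: " src " gains " p[i]
            if (cls == "file" && p[i] == "execute_no_trans")
                print "NOTRANS: " src " runs " tgt " in its own domain"
            if (p[i] ~ /^(write|append|create|unlink|rename|add_name|remove_name)$/)
                modifies = 1
        }
        # Generic types label many unrelated files, so write access is broad.
        if (modifies && tgt ~ /^(tmp_t|var_t|etc_t|usr_t)$/)
            print "SHARED: " src " can modify generic " tgt ":" cls
    }'
}

sample_te() {   # allow rules copied from post #3 of this thread
    cat <<'EOF'
allow zabbix_agent_t sudo_exec_t:file { execute execute_no_trans };
allow zabbix_agent_t self:netlink_audit_socket {read write nlmsg_relay create };
allow zabbix_agent_t self:unix_dgram_socket { write create connect };
allow zabbix_agent_t tmp_t:dir { write remove_name add_name };
allow zabbix_agent_t tmp_t:file { write create unlink open };
allow zabbix_agent_t self:capability { sys_resource audit_write dac_override };
allow zabbix_agent_t cluster_tmpfs_t:file { read write open };
EOF
}

sample_te | review_te
```

To check a real module, run `review_te < mymodule.te` on the .te file that audit2allow -M writes, before the semodule -i step.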
 
  

