nastavení SELinux - nechodí mi: squirrelmail + vacation_local SUID

haf · listopadu 9, 2006, 8:37am

Zdravím.

prokousal jsem se skrz nejake SELinux FAQ pro Fedora Core 5 a porad mi to nejde rozebehnout.

libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_sys_script_t shadow_t:file { read };

Zatim jsem vyzkousel:

cd /usr/share/selinux/devel
audit2allow -m local -l -i /var/log/messages > local2.te

module local 1.0;
require {
class file { execute execute_no_trans read };
type httpd_sys_script_t;
type httpd_t;
type shadow_t;
type usr_t;
role system_r;
};
allow httpd_sys_script_t httpd_t:file read;
allow httpd_sys_script_t shadow_t:file read;
allow httpd_sys_script_t usr_t:file { execute execute_no_trans };

checkmodule -M -m -o local2.mod local2.te

checkmodule: loading policy configuration from local2.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to local2.mod

semodule_package -o local2.pp -m local2.mod
semodule -i local2.pp

libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_sys_script_t shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

V squirrelmail_vacation_proxy.c je blokovano:
if ((spw=getspnam(puid))==NULL)
{
printf("Invalid user\n ");
exit(1);
}

A tohle se mi vubec nedari, porad se to chova stejne, asi necemu nerozumim:

Q: How do I write policy to allow a domain to use pam_unix.so?

A: Very few domains in the SELinux world are allowed to read the /etc/shadow file. There are constraint rules that prevent policy writers from writing code like

allow mydomain_t shadow_t:file read;

In RHEL4 you can setup your domain to use the unix_chkpwd command. The easiest way is to use the unix_chkpwd attribute. So if you were writing policy for an ftpd daemon you would write something like

daemon_domain(vsftpd, `auth_chkpwd’)

This would create a context where vsftpd_t -> chkpwd_exec_t -> system_chkpwd_t which can read /etc/shadow, while vsftpd_t is not able to read it.

In Fedora Core 5/RHEL5, add the rule

auth_domtrans_chk_passwd(vsftpd_t)

balicek: squirrelmail-1.4.8-1.fc5
plugin: Vacation Local http://www.squirrelmail.org/plugin_view.php?id=51
mnohem radsi bych SUID nez FTP

–
S pozdravem

Ing. Zdeněk Havránek, HAF

covex · listopadu 9, 2006, 4:36pm

Uprimne bych vam doporucoval zkusit se obratit spise na nejakou odbornejsi konferenci, zde se zpravidla resi pouze znacne zacatecnike dotazy.

Michal · listopadu 12, 2006, 12:24am

Já bych ještě dodal že SELINUX pro pracovní stanici je skoro zbytečný, význam to má spíš na serverech.

haf · listopadu 20, 2006, 6:22pm

Vsak ja mam linux jen na serverech. Spousta ostatniho softu me nuti zustat na stanicich u MS Windows.

Kde byste mi doporučili se zeptat? Krome konzultaci s Googlem a s kolegou jsem se naposledy pred lety ptal na linux@linux.cz, ale tam uz to taky moc nadejne nevypada.