Help with SELinux

Hi all, SELinux printed some warnings for me and I don't know what to do about them. Thanks for any help.

1.
SELinux is preventing /usr/lib64/xulrunner/plugin-container from create access on the directory .macromedia.

***** Plugin mozplugger (99.1 confidence) suggests *************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do

setsebool unconfined_mozilla_plugin_transition 0

***** Plugin catchall (1.81 confidence) suggests ***************************

If you believe that plugin-container should be allowed create access on the .macromedia directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol

semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:user_home_dir_t:s0
Target Objects .macromedia [ dir ]
Source plugin-containe
Source Path /usr/lib64/xulrunner/plugin-container
Port <Neznáme>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.12.1-69.fc19.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name steve-comp
Platform Linux steve-comp 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64
Alert Count 246
First Seen 2013-08-08 09:42:57 CEST
Last Seen 2013-08-08 11:29:31 CEST
Local ID 5a35f06b-1be9-4d7d-8114-9a3a52b3a263

Raw Audit Messages
type=AVC msg=audit(1375954171.386:1499): avc: denied { create } for pid=10118 comm="plugin-containe" name=".macromedia" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

Hash: plugin-containe,mozilla_plugin_t,user_home_dir_t,dir,create

2.
SELinux is preventing /opt/google/chrome/chrome from create access on the file libpeerconnection.log.

***** Plugin chrome (98.5 confidence) suggests *****************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
Do

setsebool unconfined_chrome_sandbox_transition 0

***** Plugin catchall (2.46 confidence) suggests ***************************

If you believe that chrome should be allowed create access on the libpeerconnection.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

grep chrome /var/log/audit/audit.log | audit2allow -M mypol

semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:user_home_dir_t:s0
Target Objects libpeerconnection.log [ file ]
Source chrome
Source Path /opt/google/chrome/chrome
Port <Neznáme>
Host localhost.localdomain
Source RPM Packages google-chrome-stable-28.0.1500.95-213514.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-69.fc19.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name steve-comp
Platform Linux steve-comp 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64
Alert Count 4
First Seen 2013-08-08 11:33:36 CEST
Last Seen 2013-08-08 11:38:34 CEST
Local ID 098f9ab7-bf87-429e-b1d3-cd7eab2dac7d

Raw Audit Messages
type=AVC msg=audit(1375954714.842:1572): avc: denied { create } for pid=15403 comm="chrome" name="libpeerconnection.log" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file

type=SYSCALL msg=audit(1375954714.842:1572): arch=x86_64 syscall=open success=no exit=EACCES a0=7f76d3cd2dc8 a1=441 a2=1b6 a3=0 items=0 ppid=0 pid=15403 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 ses=8 tty=(none) comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,user_home_dir_t,file,create

Hi,

I don't know how good your English is, but the solution is right there in the output. I would hold off on creating policy modules until you are a bit more comfortable with Linux. If I were you, I'd try the setsebool commands that SELinux printed for you:

1/

# setsebool unconfined_mozilla_plugin_transition 0

2/

# setsebool unconfined_chrome_sandbox_transition 0

If you want them to be persistent, add '-P' to them as well. If you don't need SELinux, feel free to disable it and save yourself the trouble. You should find how to do that here on the forum too (not sure about the wiki), or try Google :slight_smile:
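As an added example (not from the thread or any of the posters): a small POSIX sh script that turns the raw AVC lines quoted above into the allow rule that audit2allow would put into mypol.pp, so the rule can be read and judged before choosing between a boolean, a bug report, or a local module. It assumes only sed and cut; the two sample lines are the denials from the thread.

```shell
#!/bin/sh
# Added example: summarise raw AVC denials as the "allow" rule audit2allow
# would generate, so it can be reviewed before `semodule -i` is ever run.
# Nothing here loads policy; it only prints what the module would contain.

# Inline sample input: the two AVC lines from the thread above.
SAMPLE_AVC='type=AVC msg=audit(1375954171.386:1499): avc: denied { create } for pid=10118 comm="plugin-containe" name=".macromedia" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1375954714.842:1572): avc: denied { create } for pid=15403 comm="chrome" name="libpeerconnection.log" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file'

# ctx_type CONTEXT: the SELinux type is the third ':'-separated field
# (user:role:type:range), e.g. mozilla_plugin_t.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_rule LINE: print "allow SRC_T TGT_T:CLASS { PERMS };" for one AVC
# denial line; return 1 (print nothing) for any other audit record.
avc_rule() {
    line=$1
    case $line in *"avc: denied"*) ;; *) return 1 ;; esac
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p')
    sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf 'allow %s %s:%s { %s };\n' \
        "$(ctx_type "$sctx")" "$(ctx_type "$tctx")" "$tclass" "$perms"
}

# avc_rules: read audit lines on stdin (e.g. from audit.log), one rule per
# AVC denial; SYSCALL and other record types are skipped.
avc_rules() {
    while IFS= read -r l; do avc_rule "$l" || true; done
}

# Usage: printf '%s\n' "$SAMPLE_AVC" | avc_rules
```

Compare the printed rule with the boolean the troubleshooter suggests: a rule letting mozilla_plugin_t create directories in user_home_dir_t is far narrower than turning off the plugin transition entirely.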

kuku.mp3

The Mozilla plugin one does seem a bit odd to me, though. If you have the distribution's Mozilla, then no such AVC should normally occur. If it's some add-on you installed afterwards that is doing it, then you need to think about whether what it wants to do is something I know it should be doing. As for Chrome, that one doesn't surprise me at all; there is apparently no SELinux policy for it.

And would I be making a mistake if I turned SELinux off?

The system would theoretically be less secure, but on a desktop it's nothing major. That said, I haven't had a problem with SELinux for a very long time, and when I do, I solve it by reporting the problem instead of turning it off. The security team responds quickly and fixes these issues.

Yes, they really do respond quickly and mostly release a fixed policy; the problem is that they need to know the exact AVC for that. But if there is an application like munin, which has lots of plugins, they always fix only the specific one that gets reported, and then I enable another plugin and it doesn't work again, so I moved munin into the permissive zone because I didn't have the energy for it anymore.