Welcome to my website. I am always posting links to photo albums, art, technology and other creations. Everything that you will see on my numerous personal sites is powered by the formVistaTM Website Management Engine.

icon.linkedin.jpgicon.twitter.jpg

  • HowTo Compile and Install New SELinux Plicy Modules
    02/02/2018 4:31PM
    Following is a quick how-to on compiling and adding addition SELinux modules.

    When configuring and deploying new and/or custom services on systems that are enforcing SELinux you will likely have to compile addition SELinux modules.

    This how-to includes how to go through each step of compiling a new module one-by-one; similar to the model of breaking down the compilation of C and C++ into it's composite steps.

    Step 1:  Gather the audit.log entries

    You will need to determine which action(s) that SELinux is blocking.  To do so, you can tail the /var/log/audit/audit.log file.  You will see something similar to the following

    type=AVC msg=audit(1517605342.101:88032): avc:  denied  { write } for  pid=7236 comm="check_zookeeper" path="/tmp/sh-thd-1517587323" dev="dm-0" ino=308042 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
    type=SYSCALL msg=audit(1517605342.101:88032): arch=c000003e syscall=2 success=no exit=-13 a0=1e2df10 a1=2c1 a2=180 a3=0 items=0 ppid=7232 pid=7236 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="check_zookeeper" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
    type=PROCTITLE msg=audit(1517605342.101:88032): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F6E6167696F732F706C7567696E732F636865636B5F7A6F6F6B65657065722E7368002D2D73746174

    Take that output and save it into a file.


    Step 2: Generate the Type Enforcement (te) File From the Log Output

    audit2allow -m new-module > new-module.te < audit-log-output


    Step 3:  Check and Compile the SELinux Security Policy Module (mod) File From the .te File

    checkmodule -M -m -o new-module.mod new-module.te


    Step 4:  Create the SELinux Policy Module Packet (pp) File From the .mod File

    semodule_package -o new-module.pp -m new-module.mod


    Step 5:  Install the SELinux Policy Module

    semodule -i new-module.pp
  • How to See SELinux Denials That Do Not Show In the audit.log
    07/20/2017 4:43PM
    Or, otherwise know as: SELinux and Silent Denials.

    Sometimes when troubleshooting SELinux issues, you will have added new policies for each of the denial causes written to the audit.log, but SELinux will still be denying access . . . and not giving you any further information about it in the audit.log.

    Various processes often execute additional system calls that are above an beyond what they need to do for normal operation.  Many of them are blocked, and in order to keep filling the audit.log with harmless denials they are silently dropped.  These are defined by a set of dontaudit rules.

    In order to temporarily disable them, issue the following command as root

    # semodule -DB

    The -D option disables dontaudit rules and the B option will rebuild the policy.  After this runs, you should see additional information in the auditlog and with that information use audit2allow -i input-file -M output-file to build your .te and .pp files.

    After debugging is complete run the following to re-enable the dontaudit rules.

    # semodule -B
  • Setting Up Passwordless SSH Under CentOS 6 Running Selinux
    08/22/2013 8:52PM

    I am setting up a cluster of KVM virtual machines and want to be able to ssh to them as the root user on the vm without having to enter a password.

    The first thing that I did was create keys on the box from which I was going to make connections (A):

    [rchapin@A .ssh]$ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/usr/local2/home/rchapin/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /usr/local2/home/rchapin/.ssh/id_rsa.
    Your public key has been saved in /usr/local2/home/rchapin/.ssh/id_rsa.pub.
    The key fingerprint is:
    6a:ca:57:31:23:30:67:8c:9d:de:78:53:14:90:16:6e rchapin@A
    The key's randomart image is:
    +--[ RSA 2048]----+
    |     + .o=o.     |
    |    + *.o .      |
    |     * +E.       |
    |      +.B        |
    |       oS=       |
    |       ..        |
    |      o.         |
    |   . o.          |
    |    o.           |
    +-----------------+

    After which I scp the id_rsa.pub file to the remote box

    [rchapin@A ~]$ scp ./id_rsa.pub root@B:/root/

    Then ssh to the remote box, create the ~/.ssh directory, copy the contents of the id_rsa.pub file into ~/.ssh/authorized_keys and set the permissions on all of the files.

    [root@B ~]# mkdir .ssh
    [root@B ~]# chmod 700 .ssh
    [root@B ~]# cat ~/id_rsa.pub > authorized_keys
    [root@B ~]# chmod 600 authorized_keys

    The first problem was that it wasn't accepting the key and was giving me the password prompt.

    After a quick search regarding passwordless ssh and Selinux I did the following:

    [root@B .ssh]# restorecon -R -v /root/.ssh/
    restorecon reset /root/.ssh context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
    restorecon reset /root/.ssh/authorized_keys2 context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0

    Now I received the error:

    [rchapin@A .ssh]$ ssh root@B
    Agent admitted failure to sign using the key.

    Another quick search and all I had to do was add the key on the A box and I was all set

    [rchapin@A.ssh]$ ssh-add
    [rchapin@A.ssh]$ ssh root@B
    Last login: Thu Aug 22 20:40:54 2013 from A
    [root@B ~]#


  • Configuring CentOS to run SELinux in Strict Mode
    08/29/2011 5:05PM

    I am in the process of setting up some CentOS/RHEL 6 servers to run SELinux in strict mode.? What follows are notes, links to online resources and things that I am discovering along the way.? Once I am finished I will go back and re-write it to follow more of a how-to/guide type format.? In the meantime, it might seem a bit disjointed.

    Links/Resources:

    • http://wiki.centos.org/HowTos/SELinux
    • http://fedoraproject.org/wiki/SELinux
    • http://www.centos.org/docs/5/html/Deployment_Guide-en-US/rhlcommon-chapter-0001.html
    • http://www.nsa.gov/research/selinux/index.shtml

    MaintLog Notes:

    • Make sure that the selinux-policy-strict package (and deps) are installed:
    • # yum install selinux-policy-strict
    • After installing the policy I was unable to reboot as I hadn't relabeled the file system properly.? If having problems booting try:
    • # genhomedircon
    • # touch /.autorelabel
    • # reboot
    • After successfully booting with strict mode enabled you will not be able to do the things that you would normally expect as a root user.?This is because your root shell does not have access to the system administrator role.? To do so invoke the newrole command:
    • # newrole -r sysadmin_r
    • LEFTOFF: it seems semanage isn't installed.? I'll need to restart with selinux disabled to install it so that I can sort out running newrole properly:? see: http://www.spinics.net/lists/selinux/msg09681.html
    • Make sure that the semanage package is installed: # yum install libsemanage


Advanced Search

Categories

Archives