
  • How to See SELinux Denials That Do Not Show In the audit.log
    07/20/2017 4:43PM
    Or, otherwise known as: SELinux and Silent Denials.

    Sometimes when troubleshooting SELinux issues, you will have added new policies for each of the denial causes written to the audit.log, but SELinux will still be denying access, and not giving you any further information about it in the audit.log.

    Various processes often execute additional system calls that are above and beyond what they need to do for normal operation.  Many of them are blocked, and in order to keep from filling the audit.log with harmless denials they are silently dropped.  These are defined by a set of dontaudit rules.

    In order to temporarily disable them, issue the following command as root:

    # semodule -DB

    The -D option disables dontaudit rules and the -B option rebuilds the policy.  After this runs, you should see additional information in the audit.log; with that information, use audit2allow -i input-file -M output-file to build your .te and .pp files.

    After debugging is complete, run the following to re-enable the dontaudit rules:

    # semodule -B
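
    Once dontaudit rules are disabled, the audit.log fills with every denial the policy was deliberately hiding, and most of them will not be the one you are chasing. The shell script below is an added example (not part of the original post) that reduces AVC records to unique (source type, target type, class, permission) rows, the same grouping audit2allow works from, so the newly surfaced denials can be reviewed before any of them is turned into policy. The function names summarize_avc and count_denials and the AVC lines in SAMPLE_AVC are all constructed for this example; on a real host the same function would be fed by something like ausearch -m avc -ts recent.

```sh
#!/bin/sh
# Added example, not code from the original post.  Summarise AVC denial
# records into unique "source_t target_t tclass perm" rows so that the
# denials surfaced by "semodule -DB" can be reviewed before writing policy.
# SAMPLE_AVC is a constructed sample, not real audit output.

SAMPLE_AVC='type=AVC msg=audit(1500000000.101:201): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1500000000.102:202): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1500000000.103:203): avc:  denied  { search } for  pid=1234 comm="httpd" name="root" dev="dm-0" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1500000000.103:203): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"'

# Read audit records on stdin; print one "source_t target_t tclass perm" row
# per denied permission, sorted and de-duplicated.  A record that denies a
# set such as { read open } yields one row per permission.  Lines that are
# not AVC denials (SYSCALL, PATH, ...) are ignored.
summarize_avc() {
    awk '/avc: +denied +[{]/ {
        # the permission set is the text inside the first { ... }
        if (match($0, /[{][^}]*[}]/) == 0) next
        n = split(substr($0, RSTART + 1, RLENGTH - 2), perm, " ")
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # third colon-separated field of a context is its type
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        for (j = 1; j <= n; j++) print src, tgt, cls, perm[j]
    }' | LC_ALL=C sort -u
}

# Number of distinct denial rows on stdin: compare the count taken before and
# after "semodule -DB" to see how much the dontaudit rules were hiding.
count_denials() {
    summarize_avc | wc -l | tr -d ' '
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

    Each output row is one candidate allow rule; a row whose target type is a home directory type (user_home_t, admin_home_t) for a daemon such as httpd_t is usually a sign that files were left in the wrong place or with the wrong label, and is better fixed with restorecon or a boolean than with a new module.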
  • Setting Up Passwordless SSH Under CentOS 6 Running Selinux
    08/22/2013 8:52PM

    I am setting up a cluster of KVM virtual machines and want to be able to ssh to them as the root user on the VM without having to enter a password.

    The first thing that I did was create keys on the box from which I was going to make connections (A):

    [rchapin@A .ssh]$ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/usr/local2/home/rchapin/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /usr/local2/home/rchapin/.ssh/id_rsa.
    Your public key has been saved in /usr/local2/home/rchapin/.ssh/id_rsa.pub.
    The key fingerprint is:
    6a:ca:57:31:23:30:67:8c:9d:de:78:53:14:90:16:6e rchapin@A
    The key's randomart image is:
    +--[ RSA 2048]----+
    |     + .o=o.     |
    |    + *.o .      |
    |     * +E.       |
    |      +.B        |
    |       oS=       |
    |       ..        |
    |      o.         |
    |   . o.          |
    |    o.           |
    +-----------------+

    After which I scp the id_rsa.pub file to the remote box:

    [rchapin@A ~]$ scp ./id_rsa.pub root@B:/root/

    Then ssh to the remote box, create the ~/.ssh directory, copy the contents of the id_rsa.pub file into ~/.ssh/authorized_keys, and set the permissions on all of the files:

    [root@B ~]# mkdir .ssh
    [root@B ~]# chmod 700 .ssh
    [root@B ~]# cat ~/id_rsa.pub > authorized_keys
    [root@B ~]# chmod 600 authorized_keys

    The first problem was that it wasn't accepting the key and was giving me the password prompt.

    After a quick search regarding passwordless ssh and Selinux I did the following:

    [root@B .ssh]# restorecon -R -v /root/.ssh/
    restorecon reset /root/.ssh context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
    restorecon reset /root/.ssh/authorized_keys2 context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0

    Now I received the error:

    [rchapin@A .ssh]$ ssh root@B
    Agent admitted failure to sign using the key.

    Another quick search and all I had to do was add the key to the agent on the A box and I was all set:

    [rchapin@A .ssh]$ ssh-add
    [rchapin@A .ssh]$ ssh root@B
    Last login: Thu Aug 22 20:40:54 2013 from A
    [root@B ~]#
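
    Two separate things had to be right on box B before sshd would accept the key: the Unix permissions on ~/.ssh and authorized_keys (sshd's StrictModes setting refuses group- or world-accessible key files and silently falls back to a password prompt) and, because the box runs SELinux, the ssh_home_t label that restorecon put back. The script below is an added example (not from the original post) that checks both on a directory given as an argument; check_ssh_key_perms, check_ssh_home_context and mode_of are names introduced here, the key line it writes is a placeholder, and the SELinux check is skipped on hosts without getenforce.

```sh
#!/bin/sh
# Added example, not code from the original post.  Verify the conditions
# sshd needs before it will use ~/.ssh/authorized_keys on a CentOS/SELinux
# host: 0700 on the directory, 0600 on the key file, and an ssh_home_t label.

# Print the 10-character mode string (e.g. drwx------) of a path.  ls -ld is
# used instead of stat because stat's format flags differ between GNU and BSD.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 when DIR is mode 700 and DIR/authorized_keys exists with mode 600;
# print the reason and return 1 otherwise.  Anything more permissive is what
# makes sshd (StrictModes yes) ignore the file and ask for a password.
check_ssh_key_perms() {
    dir=$1
    keys="$dir/authorized_keys"
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ "$(mode_of "$dir")" = "drwx------" ] || { echo "$dir should be mode 700"; return 1; }
    [ -f "$keys" ] || { echo "missing $keys"; return 1; }
    [ "$(mode_of "$keys")" = "-rw-------" ] || { echo "$keys should be mode 600"; return 1; }
    return 0
}

# On an SELinux-enabled host, confirm DIR carries the ssh_home_t type; a
# directory created by hand under /root is labelled admin_home_t, which is
# exactly the mislabel the post hit.  Returns 0 (skipped) where SELinux
# tooling is absent or SELinux is disabled.
check_ssh_home_context() {
    dir=$1
    command -v getenforce >/dev/null 2>&1 || return 0
    [ "$(getenforce)" != "Disabled" ] || return 0
    if ls -dZ "$dir" 2>/dev/null | grep -q ':ssh_home_t:'; then
        return 0
    fi
    echo "$dir is not labelled ssh_home_t; run: restorecon -R -v $dir"
    return 1
}

# Stand-alone demo against a scratch directory holding a placeholder key line
# (constructed; not a real public key).
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh" && chmod 700 "$demo_home/.ssh"
echo "ssh-rsa AAAA-placeholder-not-a-real-key rchapin@A" > "$demo_home/.ssh/authorized_keys"
chmod 600 "$demo_home/.ssh/authorized_keys"
if check_ssh_key_perms "$demo_home/.ssh" && check_ssh_home_context "$demo_home/.ssh"; then
    echo "ok: $demo_home/.ssh"
fi
rm -rf "$demo_home"
```

    Run it as check_ssh_key_perms /root/.ssh on the remote box; a failing permission check prints which file is wrong, and a failing context check prints the restorecon command from the post. When the key is still refused after both pass, "ssh -v" on the client and /var/log/secure on the server show which side rejected it.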


  • Configuring CentOS to run SELinux in Strict Mode
    08/29/2011 5:05PM

    I am in the process of setting up some CentOS/RHEL 6 servers to run SELinux in strict mode. What follows are notes, links to online resources and things that I am discovering along the way. Once I am finished I will go back and re-write it to follow more of a how-to/guide type format. In the meantime, it might seem a bit disjointed.

    Links/Resources:

    • http://wiki.centos.org/HowTos/SELinux
    • http://fedoraproject.org/wiki/SELinux
    • http://www.centos.org/docs/5/html/Deployment_Guide-en-US/rhlcommon-chapter-0001.html
    • http://www.nsa.gov/research/selinux/index.shtml

    MaintLog Notes:

    • Make sure that the selinux-policy-strict package (and its dependencies) is installed:

      # yum install selinux-policy-strict

    • After installing the policy I was unable to reboot as I hadn't relabeled the file system properly. If having problems booting, try:

      # genhomedircon
      # touch /.autorelabel
      # reboot

    • After successfully booting with strict mode enabled you will not be able to do the things that you would normally expect as a root user. This is because your root shell does not have access to the system administrator role. To obtain it, invoke the newrole command:

      # newrole -r sysadmin_r

    • LEFTOFF: it seems semanage isn't installed. I'll need to restart with SELinux disabled to install it so that I can sort out running newrole properly; see: http://www.spinics.net/lists/selinux/msg09681.html
    • Make sure that the semanage package is installed:

      # yum install libsemanage

