Thursday, December 27, 2007

SELinux Violations

Yesterday I introduced SELinux and explained how to begin using it in 'Permissive' mode without affecting any existing processes on a server. Today I'm going to cover how to interpret a violation in the logs and how to find more information which might help to resolve the issue and allow you to run in 'Enforcing' mode. Enforcing mode is where the real security comes into play and mandatory access controls are enforced.

As I showed in my previous post, a violation will show up in /var/log/messages like the following:

Dec 26 07:30:26 f7-laptop setroubleshoot: SELinux is preventing the /bin/vi from using potentially mislabeled files (ftp). For complete SELinux messages. run sealert -l 0621a8c3-b182-49cf-9116-c78a9dd52199

This message indicates that when I ran 'vipw', the vi it launched was denied access to my personal vi configuration file (.exrc). The warning is legitimate: no system process should be reading a file that is not labeled as a system file. To see the security context of a file, use the '-Z' flag with ls:

$ ls -Z ~/.exrc
-rw-r--r-- josh josh user_u:object_r:user_home_t /home/josh/.exrc
You can see the context is 'user_u:object_r:user_home_t'. The type, user_home_t, marks this as a file in a user's home directory rather than a system file, and that is why SELinux is preventing the vi run by vipw from accessing it. To see more information about this denial, run the 'sealert' command given in the log message:

sealert -l 0621a8c3-b182-49cf-9116-c78a9dd52199

The relevant portions of its output are the following:

Detailed Description
SELinux has denied /bin/vi access to potentially mislabeled file(s) (ftp).
This means that SELinux will not allow /bin/vi to use these files. It is
common for users to edit files in their home directory or tmp directories
and then move (mv) them to system directories. The problem is that the
files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access
If you want /bin/vi to access this files, you need to relabel them using
restorecon -v ftp. You might want to relabel the entire directory using
restorecon -R -v .

Additional Information

Source Context user_u:system_r:sysadm_passwd_t
Target Context user_u:object_r:user_home_t
Target Objects ftp [ dir ]
Affected RPM Packages vim-minimal-7.1.12-1.fc7 [application]
Policy RPM selinux-policy-2.6.4-46.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
You can see from the report that the process trying to access the file has the source context 'user_u:system_r:sysadm_passwd_t'; the system_r role and sysadm_passwd_t type make it fairly evident that this is a system process related to authentication. The 'Detailed Description' above it explains what was denied and why access was refused.
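The triage steps above (pull the sealert id and the denied program out of the /var/log/messages line, then read the source and target contexts out of the sealert report and split them into user:role:type) can be scripted. The following is an added example, not code from the original post; the log line and report text are constructed samples modeled on the ones quoted above, and the "_home_t" check is a heuristic of my own, not an SELinux policy rule.

```shell
#!/bin/sh
# Added example: parse a setroubleshoot log line and a sealert report into the
# fields a triager needs, then apply a simple defender's heuristic.

# Constructed sample log line, modeled on the one quoted in the post.
SAMPLE_LOG='Dec 26 07:30:26 f7-laptop setroubleshoot: SELinux is preventing the /bin/vi from using potentially mislabeled files (ftp). For complete SELinux messages. run sealert -l 0621a8c3-b182-49cf-9116-c78a9dd52199'

# Constructed sample of the "Additional Information" block from sealert -l.
SAMPLE_REPORT='Additional Information

Source Context user_u:system_r:sysadm_passwd_t
Target Context user_u:object_r:user_home_t
Target Objects ftp [ dir ]
Enforcing Mode Permissive'

# Extract the id that follows "sealert -l" in the log line.
sealert_id() {
    printf '%s\n' "$1" | sed -n 's/.*sealert -l \([0-9a-f-]*\).*/\1/p'
}

# Extract the program SELinux is preventing (e.g. /bin/vi).
denied_program() {
    printf '%s\n' "$1" | sed -n 's/.*SELinux is preventing the \([^ ]*\) from.*/\1/p'
}

# Print one labelled field of the report, e.g. report_field "$r" 'Source Context'.
report_field() {
    printf '%s\n' "$1" | sed -n "s/^$2 \(.*\)$/\1/p"
}

# The object name is the first word of "Target Objects <name> [ <class> ]".
target_object() {
    report_field "$1" 'Target Objects' | cut -d' ' -f1
}

# Split a context "user:role:type[:level]" and print the requested part.
context_field() {
    case $2 in
        user) printf '%s\n' "$1" | cut -d: -f1 ;;
        role) printf '%s\n' "$1" | cut -d: -f2 ;;
        type) printf '%s\n' "$1" | cut -d: -f3 ;;
        *) return 1 ;;
    esac
}

# Heuristic (my assumption, not a policy rule): a target type ending in
# _home_t is user content that a confined system process should not touch,
# so the right fix is to relabel or stop using the file, never to chcon it
# into the process's own type.
is_home_target() {
    case $(context_field "$1" type) in
        *_home_t) return 0 ;;
        *) return 1 ;;
    esac
}

# The relabel command sealert itself suggests for the named object.
suggested_fix() {
    printf 'restorecon -v %s\n' "$(target_object "$1")"
}

# Print a short triage summary for one log line plus its report.
triage() {
    src=$(report_field "$2" 'Source Context')
    tgt=$(report_field "$2" 'Target Context')
    printf 'id=%s program=%s mode=%s\n' \
        "$(sealert_id "$1")" "$(denied_program "$1")" "$(report_field "$2" 'Enforcing Mode')"
    printf 'source: user=%s role=%s type=%s\n' \
        "$(context_field "$src" user)" "$(context_field "$src" role)" "$(context_field "$src" type)"
    printf 'target: user=%s role=%s type=%s\n' \
        "$(context_field "$tgt" user)" "$(context_field "$tgt" role)" "$(context_field "$tgt" type)"
    if is_home_target "$tgt"; then
        printf 'verdict: confined process reached user home content; relabel with: %s\n' \
            "$(suggested_fix "$2")"
    fi
}

triage "$SAMPLE_LOG" "$SAMPLE_REPORT"
```

On a real system the two inputs would come from grep over /var/log/messages and from the output of sealert -l with the extracted id; everything else is plain sed and cut, so the script runs without SELinux tools installed.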

If this had been a legitimate file for the process to access, and I wanted to grant that access, I could change its context with the 'chcon' command:

$ chcon user_u:system_r:sysadm_passwd_t ~/.exrc
$ ls -Z !$
ls -Z ~/.exrc
-rw-r--r-- josh josh user_u:system_r:sysadm_passwd_t /home/josh/.exrc

This action would have failed if SELinux had been in enforcing mode, since it makes no sense to assign a sysadm_passwd_t context to a file in this location. This is a great example of how SELinux helps keep your system secure by not letting you mislabel files. It also shows how SELinux prevents missteps while giving you the opportunity to troubleshoot and find out what the real problem is.

Another great SELinux resource is the Unofficial SELinux FAQ.
