SELinux drives me up the wall!
Posted: 2012/01/04 03:14:38
Hey there, SELinux is driving me up the walls, is anyone able to help me out I'd greatly appreciate it.
My server is running cPanel, and we're trying our best to get SELinux running. We're only having a few problems though:
[code]audit2allow -dv
#============= dovecot_auth_t ==============
# src="dovecot_auth_t" tgt="bin_t" class="file", perms="{ read execute execute_no_trans }"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t bin_t:file { read execute execute_no_trans };
# src="dovecot_auth_t" tgt="initrc_t" class="unix_stream_socket", perms="connectto"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t initrc_t:unix_stream_socket connectto;
# src="dovecot_auth_t" tgt="var_run_t" class="sock_file", perms="{ write getattr }"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t var_run_t:sock_file { write getattr };
# src="dovecot_auth_t" tgt="var_t" class="file", perms="{ read write getattr }"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t var_t:file { read write getattr };
#============= dovecot_t ==============
# src="dovecot_t" tgt="dovecot_var_run_t" class="lnk_file", perms="{ create unlink }"
# comm="dovecot" exe="" path=""
allow dovecot_t dovecot_var_run_t:lnk_file { create unlink };
# src="dovecot_t" tgt="dovecot_t" class="process", perms="setcap"
# comm="dovecot" exe="" path=""
allow dovecot_t self:process setcap;
# src="dovecot_t" tgt="var_t" class="file", perms="{ read getattr }"
# comm="dovecot" exe="" path=""
allow dovecot_t var_t:file { read getattr };
#============= hwclock_t ==============
# src="hwclock_t" tgt="file_t" class="file", perms="{ read getattr }"
# comm="hwclock" exe="" path=""
allow hwclock_t file_t:file { read getattr };
#============= ifconfig_t ==============
# src="ifconfig_t" tgt="initrc_tmp_t" class="file", perms="write"
# comm="ifconfig" exe="" path=""
allow ifconfig_t initrc_tmp_t:file write;
# src="ifconfig_t" tgt="usr_t" class="file", perms="append"
# comm="ifconfig" exe="" path=""
allow ifconfig_t usr_t:file append;
# src="ifconfig_t" tgt="var_t" class="file", perms="read"
# comm="ifconfig" exe="" path=""
allow ifconfig_t var_t:file read;
#============= initrc_t ==============
# src="initrc_t" tgt="lib_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow initrc_t lib_t:file execmod;
# src="initrc_t" tgt="usr_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow initrc_t usr_t:file execmod;
#============= named_t ==============
# src="named_t" tgt="named_zone_t" class="dir", perms="write"
# comm="named" exe="" path=""
allow named_t named_zone_t:dir write;
# src="named_t" tgt="var_run_t" class="file", perms="write"
# comm="named-checkconf" exe="" path=""
allow named_t var_run_t:file write;
#============= pam_console_t ==============
# src="pam_console_t" tgt="file_t" class="file", perms="{ read getattr }"
# comm="pam_console_app" exe="" path=""
allow pam_console_t file_t:file { read getattr };
#============= setroubleshootd_t ==============
# src="setroubleshootd_t" tgt="lib_t" class="dir", perms="{ write remove_name add_name }"
# comm="setroubleshootd" exe="" path=""
allow setroubleshootd_t lib_t:dir { write remove_name add_name };
# src="setroubleshootd_t" tgt="lib_t" class="file", perms="{ write create unlink }"
# comm="setroubleshootd" exe="" path=""
allow setroubleshootd_t lib_t:file { write create unlink };
#============= spamd_t ==============
# src="spamd_t" tgt="spamd_t" class="process", perms="setrlimit"
# comm="spamd" exe="" path=""
allow spamd_t self:process setrlimit;
# src="spamd_t" tgt="spamd_var_lib_t" class="file", perms="execute"
# comm="spamd" exe="" path=""
allow spamd_t spamd_var_lib_t:file execute;
# src="spamd_t" tgt="var_run_t" class="file", perms="{ write ioctl }"
# comm="spamd" exe="" path=""
allow spamd_t var_run_t:file { write ioctl };
#============= system_mail_t ==============
# src="system_mail_t" tgt="usr_t" class="file", perms="{ read getattr ioctl }"
# comm="exim" exe="" path=""
allow system_mail_t usr_t:file { read getattr ioctl };
#============= unconfined_t ==============
# src="unconfined_t" tgt="lib_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow unconfined_t lib_t:file execmod;
# src="unconfined_t" tgt="usr_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow unconfined_t usr_t:file execmod;[/code]
If you want something a bit more ugly: http://pastebin.com/EhmtMwnC
SELinux would be a great way for us to allow users to have SSH access to our server without having them access file's they don't need, and open up PHP functions such as popen and shell_exec (we basically want to limit what bash commands they can access, and what files they can access).
Thanks for your time!
My server is running cPanel, and we're trying our best to get SELinux running. We're only having a few problems though:
[code]audit2allow -dv
#============= dovecot_auth_t ==============
# src="dovecot_auth_t" tgt="bin_t" class="file", perms="{ read execute execute_no_trans }"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t bin_t:file { read execute execute_no_trans };
# src="dovecot_auth_t" tgt="initrc_t" class="unix_stream_socket", perms="connectto"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t initrc_t:unix_stream_socket connectto;
# src="dovecot_auth_t" tgt="var_run_t" class="sock_file", perms="{ write getattr }"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t var_run_t:sock_file { write getattr };
# src="dovecot_auth_t" tgt="var_t" class="file", perms="{ read write getattr }"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t var_t:file { read write getattr };
#============= dovecot_t ==============
# src="dovecot_t" tgt="dovecot_var_run_t" class="lnk_file", perms="{ create unlink }"
# comm="dovecot" exe="" path=""
allow dovecot_t dovecot_var_run_t:lnk_file { create unlink };
# src="dovecot_t" tgt="dovecot_t" class="process", perms="setcap"
# comm="dovecot" exe="" path=""
allow dovecot_t self:process setcap;
# src="dovecot_t" tgt="var_t" class="file", perms="{ read getattr }"
# comm="dovecot" exe="" path=""
allow dovecot_t var_t:file { read getattr };
#============= hwclock_t ==============
# src="hwclock_t" tgt="file_t" class="file", perms="{ read getattr }"
# comm="hwclock" exe="" path=""
allow hwclock_t file_t:file { read getattr };
#============= ifconfig_t ==============
# src="ifconfig_t" tgt="initrc_tmp_t" class="file", perms="write"
# comm="ifconfig" exe="" path=""
allow ifconfig_t initrc_tmp_t:file write;
# src="ifconfig_t" tgt="usr_t" class="file", perms="append"
# comm="ifconfig" exe="" path=""
allow ifconfig_t usr_t:file append;
# src="ifconfig_t" tgt="var_t" class="file", perms="read"
# comm="ifconfig" exe="" path=""
allow ifconfig_t var_t:file read;
#============= initrc_t ==============
# src="initrc_t" tgt="lib_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow initrc_t lib_t:file execmod;
# src="initrc_t" tgt="usr_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow initrc_t usr_t:file execmod;
#============= named_t ==============
# src="named_t" tgt="named_zone_t" class="dir", perms="write"
# comm="named" exe="" path=""
allow named_t named_zone_t:dir write;
# src="named_t" tgt="var_run_t" class="file", perms="write"
# comm="named-checkconf" exe="" path=""
allow named_t var_run_t:file write;
#============= pam_console_t ==============
# src="pam_console_t" tgt="file_t" class="file", perms="{ read getattr }"
# comm="pam_console_app" exe="" path=""
allow pam_console_t file_t:file { read getattr };
#============= setroubleshootd_t ==============
# src="setroubleshootd_t" tgt="lib_t" class="dir", perms="{ write remove_name add_name }"
# comm="setroubleshootd" exe="" path=""
allow setroubleshootd_t lib_t:dir { write remove_name add_name };
# src="setroubleshootd_t" tgt="lib_t" class="file", perms="{ write create unlink }"
# comm="setroubleshootd" exe="" path=""
allow setroubleshootd_t lib_t:file { write create unlink };
#============= spamd_t ==============
# src="spamd_t" tgt="spamd_t" class="process", perms="setrlimit"
# comm="spamd" exe="" path=""
allow spamd_t self:process setrlimit;
# src="spamd_t" tgt="spamd_var_lib_t" class="file", perms="execute"
# comm="spamd" exe="" path=""
allow spamd_t spamd_var_lib_t:file execute;
# src="spamd_t" tgt="var_run_t" class="file", perms="{ write ioctl }"
# comm="spamd" exe="" path=""
allow spamd_t var_run_t:file { write ioctl };
#============= system_mail_t ==============
# src="system_mail_t" tgt="usr_t" class="file", perms="{ read getattr ioctl }"
# comm="exim" exe="" path=""
allow system_mail_t usr_t:file { read getattr ioctl };
#============= unconfined_t ==============
# src="unconfined_t" tgt="lib_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow unconfined_t lib_t:file execmod;
# src="unconfined_t" tgt="usr_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow unconfined_t usr_t:file execmod;[/code]
If you want something a bit more ugly: http://pastebin.com/EhmtMwnC
SELinux would be a great way for us to allow users to have SSH access to our server without having them access file's they don't need, and open up PHP functions such as popen and shell_exec (we basically want to limit what bash commands they can access, and what files they can access).
Thanks for your time!