SELinux drives me up the wall!

Support for security such as Firewalls and securing linux

SELinux drives me up the wall!

Postby MarkehMe » 2012/01/04 03:14:38

Hey there, SELinux is driving me up the walls. If anyone is able to help me out, I'd greatly appreciate it.

My server is running cPanel, and we're trying our best to get SELinux running. We're only having a few problems though:
audit2allow -dv


#============= dovecot_auth_t ==============
# src="dovecot_auth_t" tgt="bin_t" class="file", perms="{ read execute execute_no_trans }"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t bin_t:file { read execute execute_no_trans };
# src="dovecot_auth_t" tgt="initrc_t" class="unix_stream_socket", perms="connectto"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t initrc_t:unix_stream_socket connectto;
# src="dovecot_auth_t" tgt="var_run_t" class="sock_file", perms="{ write getattr }"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t var_run_t:sock_file { write getattr };
# src="dovecot_auth_t" tgt="var_t" class="file", perms="{ read write getattr }"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t var_t:file { read write getattr };

#============= dovecot_t ==============
# src="dovecot_t" tgt="dovecot_var_run_t" class="lnk_file", perms="{ create unlink }"
# comm="dovecot" exe="" path=""
allow dovecot_t dovecot_var_run_t:lnk_file { create unlink };
# src="dovecot_t" tgt="dovecot_t" class="process", perms="setcap"
# comm="dovecot" exe="" path=""
allow dovecot_t self:process setcap;
# src="dovecot_t" tgt="var_t" class="file", perms="{ read getattr }"
# comm="dovecot" exe="" path=""
allow dovecot_t var_t:file { read getattr };

#============= hwclock_t ==============
# src="hwclock_t" tgt="file_t" class="file", perms="{ read getattr }"
# comm="hwclock" exe="" path=""
allow hwclock_t file_t:file { read getattr };

#============= ifconfig_t ==============
# src="ifconfig_t" tgt="initrc_tmp_t" class="file", perms="write"
# comm="ifconfig" exe="" path=""
allow ifconfig_t initrc_tmp_t:file write;
# src="ifconfig_t" tgt="usr_t" class="file", perms="append"
# comm="ifconfig" exe="" path=""
allow ifconfig_t usr_t:file append;
# src="ifconfig_t" tgt="var_t" class="file", perms="read"
# comm="ifconfig" exe="" path=""
allow ifconfig_t var_t:file read;

#============= initrc_t ==============
# src="initrc_t" tgt="lib_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow initrc_t lib_t:file execmod;
# src="initrc_t" tgt="usr_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow initrc_t usr_t:file execmod;

#============= named_t ==============
# src="named_t" tgt="named_zone_t" class="dir", perms="write"
# comm="named" exe="" path=""
allow named_t named_zone_t:dir write;
# src="named_t" tgt="var_run_t" class="file", perms="write"
# comm="named-checkconf" exe="" path=""
allow named_t var_run_t:file write;

#============= pam_console_t ==============
# src="pam_console_t" tgt="file_t" class="file", perms="{ read getattr }"
# comm="pam_console_app" exe="" path=""
allow pam_console_t file_t:file { read getattr };

#============= setroubleshootd_t ==============
# src="setroubleshootd_t" tgt="lib_t" class="dir", perms="{ write remove_name add_name }"
# comm="setroubleshootd" exe="" path=""
allow setroubleshootd_t lib_t:dir { write remove_name add_name };
# src="setroubleshootd_t" tgt="lib_t" class="file", perms="{ write create unlink }"
# comm="setroubleshootd" exe="" path=""
allow setroubleshootd_t lib_t:file { write create unlink };

#============= spamd_t ==============
# src="spamd_t" tgt="spamd_t" class="process", perms="setrlimit"
# comm="spamd" exe="" path=""
allow spamd_t self:process setrlimit;
# src="spamd_t" tgt="spamd_var_lib_t" class="file", perms="execute"
# comm="spamd" exe="" path=""
allow spamd_t spamd_var_lib_t:file execute;
# src="spamd_t" tgt="var_run_t" class="file", perms="{ write ioctl }"
# comm="spamd" exe="" path=""
allow spamd_t var_run_t:file { write ioctl };

#============= system_mail_t ==============
# src="system_mail_t" tgt="usr_t" class="file", perms="{ read getattr ioctl }"
# comm="exim" exe="" path=""
allow system_mail_t usr_t:file { read getattr ioctl };

#============= unconfined_t ==============
# src="unconfined_t" tgt="lib_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow unconfined_t lib_t:file execmod;
# src="unconfined_t" tgt="usr_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow unconfined_t usr_t:file execmod;


If you want something a bit more ugly: http://pastebin.com/EhmtMwnC

SELinux would be a great way for us to allow users to have SSH access to our server without having them access files they don't need, and to open up PHP functions such as popen and shell_exec (we basically want to limit what bash commands they can access, and what files they can access).

Thanks for your time!
MarkehMe
 
Posts: 1
Joined: 2012/01/04 03:08:09
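A small triage helper for audit2allow -dv output like the block above, added here as an example and not code from the thread or from cPanel. It assumes only the rule format audit2allow prints; the sample text is a constructed subset of the rules in the post. Rather than feeding every rule to audit2allow -M, it flags rules whose target is the unlabeled type (file_t), a generic base type (var_t, usr_t, var_run_t, lib_t), or an execmod on a library, since those are normally fixed by relabeling or rebuilding rather than by widening the policy.

```python
import re
from collections import defaultdict

# Constructed sample: three rules copied from the audit2allow -dv output above.
SAMPLE = """
#============= dovecot_auth_t ==============
# src="dovecot_auth_t" tgt="var_t" class="file", perms="{ read write getattr }"
allow dovecot_auth_t var_t:file { read write getattr };

#============= hwclock_t ==============
allow hwclock_t file_t:file { read getattr };

#============= unconfined_t ==============
# comm="php" exe="" path=""
allow unconfined_t lib_t:file execmod;
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);")

# Generic base types: a confined domain being denied on one of these usually
# means the file is missing its domain-specific label, not that policy lacks a rule.
GENERIC_TARGETS = {"var_t", "usr_t", "var_run_t", "lib_t"}


def parse_rules(text):
    """Return (source, target, class, perms) tuples for each 'allow' line."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return rules


def triage(rule):
    """Heuristic verdict: relabel/rebuild first, add policy only as a last resort."""
    src, tgt, cls, perms = rule
    if tgt == "file_t":
        return "unlabeled target: restorecon the path before adding any rule"
    if "execmod" in perms:
        return "text relocation in a library: fix the build, do not allow execmod"
    if tgt in GENERIC_TARGETS:
        return "generic type %s: check the path label, a specific type is missing" % tgt
    return "review manually"


def triage_report(text):
    """Group verdicts by source domain, matching audit2allow's own sections."""
    report = defaultdict(list)
    for rule in parse_rules(text):
        report[rule[0]].append((rule[1], rule[2], triage(rule)))
    return dict(report)
```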

SELinux drives me up the wall!

Postby pschaff » 2012/01/04 03:36:57

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

Sorry, but if you have a specific question it escapes me. :-)
pschaff
Retired Moderator
 
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: SELinux drives me up the wall!

Postby Black_Heart » 2012/01/10 18:32:21

Not knowing anything about running a public server, I'll nonetheless offer an opinion. You will never get cPanel to work with SElinux.

Any NAT, firewall or internal IPs have to be disabled in order to use cPanel. cPanel has to be installed onto a fresh server install BEFORE a desktop, GUI stuff or, especially, SELinux is installed. The beauty of all this is that the only way to fix things will be to wipe the hard drive(s) and start over. If I am wrong, I apologize. But I'm not.

http://docs.cpanel.net/twiki/bin/view/A ... ationGuide
http://docs.cpanel.net/twiki/bin/view/A ... leShooting


Just found the nail in the coffin:
http://docs.cpanel.net/twiki/bin/view/1 ... de#Disable SELinux Security Feature
Black_Heart
 
Posts: 16
Joined: 2011/12/23 05:40:00

Re: SELinux drives me up the wall!

Postby pschaff » 2012/01/10 18:43:46

A fresh server install will include SELinux unless one goes to a lot of trouble to exclude it. Those links and statements seem to me to be reasons to avoid cPanel and similar control panels. To see some of the many issues with such products just try a forum search for cPanel.
pschaff
Retired Moderator
 
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: SELinux drives me up the wall!

Postby Black_Heart » 2012/01/10 18:51:48

pschaff wrote:
...Those links and statements seem to me to be reasons to avoid cPanel and similar control panels. To see some of the many issues with such products just try a forum search for cPanel.


Righto. Why would anyone want to use a server such as cPanel? The thing sounds like a security disaster in waiting.
Black_Heart
 
Posts: 16
Joined: 2011/12/23 05:40:00

