
List:       fedora-selinux-list
Subject:    Re: Zoneminder and Selinux and the Infinite Story of Doom
From:       Tristan Santore <tristan.santore () internexusconnect ! net>
Date:       2013-05-21 15:41:39
Message-ID: 519B95B3.7030206 () internexusconnect ! net

On 21/05/13 15:00, Miroslav Grepl wrote:
> On 05/21/2013 03:47 PM, Tristan Santore wrote:
>> Dear All,
>>
>> For the last few days Dominick and I have been trying to write a
>> policy for Zoneminder, as the current policy does not seem to be working.
>>
>> I will append what we gathered up so far below, however before I do,
>> there seems to be an inherent problem with apache and sudo/su/pam,
>> which seems to work in permissive mode, but as soon as I enable
>> enforcing, b00m, I get these.
>>
>> May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify
>> password for [apache]
>> May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >=
>> 1000" not met by user "apache"
>> May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify
>> password for [apache]
>> May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >=
>> 1000" not met by user "apache"
>>
>> In permissive mode all is fine:
>>
>> May 21 14:32:03 hq su: pam_unix(su:session): session opened for user
>> apache by (uid=0)
>> May 21 14:32:03 hq su: pam_unix(su:session): session closed for user
>> apache
>> May 21 14:32:03 hq su: pam_unix(su:session): session opened for user
>> apache by (uid=0)
>> May 21 14:32:03 hq su: pam_unix(su:session): session closed for user
>> apache
>> May 21 14:32:03 hq su: pam_unix(su:session): session opened for user
>> apache by (uid=0)
>>
>> type=USER_CMD msg=audit(1369143877.597:513): pid=2196 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0
>> msg='cwd="/usr/share/zoneminder/www" cmd="true" terminal=? res=failed'
>> type=USER_AUTH msg=audit(1369143877.611:514): pid=2197 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0
>> msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=?
>> addr=? terminal=? res=failed'
>> type=USER_AUTH msg=audit(1369143877.625:515): pid=2199 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0
>> msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=?
>> addr=? terminal=? res=failed'
>> type=SERVICE_START msg=audit(1369143877.642:516): pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
>> comm="zoneminder" exe="/usr/lib/systemd/systemd" hostname=? addr=?
>> terminal=? res=failed'
>>
>>
>> Any insights would be most appreciated, as I would really like to see
>> a policy for zoneminder that works, not only for myself, but so that
>> we can have it in the Fedora stock policy.
>>
>>
>> Thank you for all your help, especially Dominick Grift's.
>>
>> Regards,
>>
>> Tristan
>>
>>
>> And the policy we have so far:
>>
>> policy_module(myzonem, 1.0.0)
>> gen_require(` type zoneminder_t; ')
>> domain_read_all_domains_state(zoneminder_t)
>> logging_send_audit_msgs(zoneminder_t)
>> sudo_exec(zoneminder_t)
>> su_exec(zoneminder_t)
>> allow zoneminder_t self:process setrlimit;
>> allow zoneminder_t self:capability { setuid setgid sys_resource };
>> gen_require(`type httpd_zoneminder_script_exec_t; ')
>> can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
>> gen_require(` type zoneminder_var_lib_t; ')
>> manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t,
>> zoneminder_var_lib_t)
>> dbus_system_bus_client(zoneminder_t)
>> selinux_compute_access_vector(zoneminder_t)
>> allow zoneminder_t self:process setsched;
>>
>>
>> allow zoneminder_t self:key write;
>> auth_rw_lastlog(zoneminder_t)
>> systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
>> auth_domtrans_chk_passwd(zoneminder_t)
>> systemd_dbus_chat_logind(zoneminder_t)
>> gen_require(` type chkpwd_t; ')
>> allow zoneminder_t chkpwd_t:process { rlimitinh noatsecure siginh };
>> auth_read_shadow(zoneminder_t)
>> auth_domtrans_upd_passwd(zoneminder_t)
>> #gen_require(` type  systemd_logind_t; ')
>> #permissive systemd_logind_t;
>> gen_require(` type unconfined_t; role system_r; type
>> zoneminder_exec_t; role unconfined_r; ')
>> domtrans_pattern(unconfined_t, zoneminder_exec_t, zoneminder_t)
>> role_transition unconfined_r zoneminder_exec_t:file system_r;
>> domain_entry_file(zoneminder_t, httpd_zoneminder_script_exec_t)
>> domtrans_pattern(unconfined_t, httpd_zoneminder_script_exec_t,
>> zoneminder_t)
>> gen_require(` type httpd_t; ')
>> gen_require(` type httpd_zoneminder_script_t; type zoneminder_tmpfs_t;')
>> init_read_utmp(httpd_t)
>> read_files_pattern(httpd_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
>> rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t,
>> zoneminder_tmpfs_t)
>> manage_dirs_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t,
>> zoneminder_var_lib_t)
>> manage_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t,
>> zoneminder_var_lib_t)
>> allow httpd_t zoneminder_var_lib_t:dir list_dir_perms;
>> init_daemon_domain(zoneminder_t, httpd_zoneminder_script_exec_t)
>>
>> require {
>>         type chkpwd_t;
>>         type httpd_t;
>>         type httpd_zoneminder_script_t;
>>         type sshd_t;
>>         class process { siginh noatsecure rlimitinh };
>>         class unix_stream_socket { read write };
>> }
>>
>> #============= httpd_t ==============
>> allow httpd_t httpd_zoneminder_script_t:process { siginh noatsecure
>> rlimitinh };
>>
>> #============= httpd_zoneminder_script_t ==============
>> allow httpd_zoneminder_script_t httpd_t:unix_stream_socket { read
>> write };
>>
>> require {
>>         type passwd_t;
>> }
>> allow passwd_t chkpwd_t:process { noatsecure siginh rlimitinh };
>> allow httpd_zoneminder_script_t httpd_t:unix_stream_socket { read
>> write };
>> allow httpd_t httpd_zoneminder_script_t:process { noatsecure siginh
>> rlimitinh };
>>
>>
> After a quick review I see that this policy is probably going to end up
> unconfined. For example, it runs su/sudo directly.
>
> Could you open a new bug?
>
> Thank you.
>
> Regards,
> Miroslav
Miroslav,

Thanks to Dan, we found out what was lacking. The policy is complete; see the 
bugzillas below for the fix and for the PAM bug with pam_rootok.
The fix was:
allow zoneminder_t self:passwd rootok;


Bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=965723
https://bugzilla.redhat.com/show_bug.cgi?id=965714

A big thank you to Dominick for help with the policy write-up and 
debugging, and also to Dan for the PAM pam_rootok issue, where it does 
not log to auditd.

Regards,

Tristan

-- 
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@fedoraproject.org
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
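The failure mode the thread ends on (su running as uid 0 inside a confined domain, PAM falling through to a password prompt because pam_rootok's passwd rootok check was refused, and that refusal not reaching auditd) can be picked out of the audit trail. The script below is an added example, not code from the thread or from the Fedora policy: it parses the USER_CMD/USER_AUTH records quoted above, re-joined onto single lines, and reports domains whose root-initiated su authentications failed with no AVC of class passwd logged for them; the demo_t records are constructed here for contrast.

```python
import re

# Constructed sample: the records quoted in the thread, one per line, plus a
# constructed AVC/USER_AUTH pair for a hypothetical domain "demo_t" whose
# passwd-class denial WAS logged, so it must not be flagged.
SAMPLE_AUDIT = """\
type=USER_CMD msg=audit(1369143877.597:513): pid=2196 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='cwd="/usr/share/zoneminder/www" cmd="true" terminal=? res=failed'
type=USER_AUTH msg=audit(1369143877.611:514): pid=2197 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
type=USER_AUTH msg=audit(1369143877.625:515): pid=2199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1369143900.100:600): avc:  denied  { rootok } for  pid=2400 comm="su" scontext=system_u:system_r:demo_t:s0 tcontext=system_u:system_r:demo_t:s0 tclass=passwd
type=USER_AUTH msg=audit(1369143900.120:601): pid=2400 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:demo_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
"""

REC_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")  # key=value, value may be quoted


def parse_record(line):
    """Flatten one audit record (top-level fields plus the nested msg='...') into a dict."""
    m = REC_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    rest = m["rest"]
    inner = re.search(r"msg='([^']*)'", rest)  # PAM/user records nest fields in msg='...'
    body = rest if not inner else rest[:inner.start()] + rest[inner.end():]
    pairs = KV_RE.findall(body) + (KV_RE.findall(inner.group(1)) if inner else [])
    for key, val in pairs:
        rec[key] = val.strip('"')
    return rec


def subj_domain(rec):
    """SELinux domain (third field) of the record's subject context."""
    parts = (rec.get("subj") or rec.get("scontext") or "").split(":")
    return parts[2] if len(parts) > 2 else ""


def silent_su_failures(log_text):
    """Map domain -> serials of failed root-initiated su auths with no passwd-class AVC for that domain."""
    recs = [r for r in map(parse_record, log_text.splitlines()) if r]
    logged = {subj_domain(r) for r in recs if r["type"] == "AVC" and r.get("tclass") == "passwd"}
    hits = {}
    for r in recs:
        if (r["type"] == "USER_AUTH" and r.get("res") == "failed"
                and r.get("exe") == "/usr/bin/su" and r.get("uid") == "0"):
            dom = subj_domain(r)
            if dom and dom not in logged:  # denial never reached the audit log: the pam_rootok case
                hits.setdefault(dom, []).append(r["serial"])
    return hits


if __name__ == "__main__":
    for dom, serials in silent_su_failures(SAMPLE_AUDIT).items():
        print(f"{dom}: su by uid 0 fell through to password auth (serials {serials}); "
              f"check: sesearch --allow -s {dom} -t {dom} -c passwd -p rootok")
```

A flagged domain is a candidate for the rule the thread settled on, `allow <domain> self:passwd rootok;`, which is what pam_rootok asks SELinux for before letting root skip the password.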