From sits@sucs.org Fri Aug 25 07:15:52 2006
Date: Fri, 25 Aug 2006 07:15:50 +0100
From: Sitsofe Wheeler <sits@sucs.org>
To: Peter Berry <pwb@sucs.org>
Cc:  <admin@sucs.org>
Subject: Re: mw on newsilver

On Fri, 2006-08-25 at 03:40 +0100, Peter Berry wrote:
> Currently mw on newsilver is giving selinux errors such as the following 
> when you try to run it:
> 
> audit(1156466406.032:12497): avc:  denied  { entrypoint } for  pid=21416 comm="bash" name="mw" dev=sdb3 ino=15555074 scontext=user_u:system_r:mw_t:s0 tcontext=system_u:object_r:mw_exec_t:s0 tclass=file
> 
> I would be interested in not only getting this fixed, but knowing why it's 
> happening and how to fix it. Right now I have almost no idea how selinux 
> works!

I am more than happy to have people work with me on getting selinux to
work for us. I am in the midst of learning it too and don't have a
complete view of how selinux works but I'll give a summary of what I
understand here.

In selinux all files have labels that they carry around. There are rules
dictating what labels a file gets if it is created and moving a file
does not change its label (it keeps the one it had). man 8 selinux has a
good overview and mentions the commands for doing a simple reset of
labels at the bottom. Just for the record we run selinux in targeted
mode.

New in FC5 is the ability to load new selinux modules on the fly. It is
now possible to amend the running rules without having to recompile the
whole ruleset. A simple example of this process is
in /root/http-selinux/pg_ldap on newsilver. There is a command called
audit2allow that can take selinux warnings and produce rules that allow
the actions given by those warnings. I've been using
audit2allow -m local -l -d
which works off dmesg from the last selinux reload. You have to be aware
that not all the possible steps may have been tried if selinux stops
access straight away and so several runs are often necessary. People
often switch selinux to permissive mode to try and gather as many
warnings as possible.

In the given directory pg_ldap.te is the interesting file as that is
where the rules go. To compile that policy module you can cd into it and
use:
make -f /usr/share/selinux/devel/Makefile
to make the module active use:
/usr/sbin/semodule -i pg_ldap.pp
(/usr/sbin/semodule -r modulename can be used to remove a running module
and -l lists the in use ones)

The mw policy is somewhat more advanced because it creates new labels.
You can see my crude attempts in /root/http-selinux/mw . mw.fc tells
selinux what labels newly created files in mw default places should
get. 

mw.te is very long and uses the new types to set up the access controls.
The idea is that you switch into a mw domain and once you do this
switch what you can then do and access is limited. If you aren't in this
domain there may well be files that you are not allowed to access. The
ability to enter these domains is effectively done by these rules:
mw_domtrans(unconfined_t);
mw_domtrans(httpd_sys_script_t);

(mw_domtrans is actually a macro and the rule says if you are coming
from either unconfined_t or httpd_sys_script_t you should automatically
switch to the mw domain upon running the mw's binary. For some reason
ssh bbs@ does not appear to be doing this transition and winds up still
in the unconfined_t domain and thus is a problem).

The rule I added to fix the warning you were given was:
allow mw_t mw_exec_t:file entrypoint;
as suggested by audit2allow.

I don't have much more time to cover this and the documentation I have
found so far is quite weak at describing things like what macros are
available for allowing command tasks (e.g. I wound up finding a macro
to allow access to the locale files because those were causing a warning
after the above problem was fixed). Links to the reference policy are
often out of date and wrong and it currently appears to be here:
http://oss.tresys.com/docs/refpolicy/api/admin.html
The FC5 selinux FAQ may be of use to you
http://fedora.redhat.com/docs/selinux-faq-fc5/ (I found the section on
local.te policy to be especially useful). The IRC channel may be a good
place to get help. This link was useful
http://seedit.sourceforge.net/doc/access_vectors/ . If you can lay your
hands on the o'reilly selinux book there is some good stuff in there.
http://danwalsh.livejournal.com/ is the blog of one of the selinux
developers.

As people come across stuff do ask questions (after you've exhausted
other means of course) and I'll try my best to answer them. If you know
more than I do then feel free to educate me too!

-- 
Sitsofe | http://sucs.org/~sits/
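As an added example (not code from the mail above or from the sucs.org policy tree), here is a small Python script that does the core of what audit2allow does for the denial Peter quoted: it parses AVC lines as they appear in dmesg, groups the denied permissions by source type, target type and object class, and emits the `allow` rules together with a `module`/`require` header of the kind `audit2allow -m local` produces. The first sample line is the real denial from the mail; the second and third are constructed, hypothetical locale-file denials added only to show several permissions collapsing into one rule.

```python
import re
from collections import defaultdict

# Constructed sample dmesg output. Line 1 is the denial quoted in the mail;
# lines 2 and 3 are hypothetical locale_t denials (not from the mail).
SAMPLE_DMESG = """\
audit(1156466406.032:12497): avc:  denied  { entrypoint } for  pid=21416 comm="bash" name="mw" dev=sdb3 ino=15555074 scontext=user_u:system_r:mw_t:s0 tcontext=system_u:object_r:mw_exec_t:s0 tclass=file
audit(1156466410.101:12498): avc:  denied  { read } for  pid=21416 comm="mw" name="locale.alias" dev=sdb3 ino=12345 scontext=user_u:system_r:mw_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
audit(1156466410.102:12499): avc:  denied  { getattr } for  pid=21416 comm="mw" name="locale.alias" dev=sdb3 ino=12345 scontext=user_u:system_r:mw_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
"""

# Pull the permission set, both security contexts and the object class out
# of one AVC line; anything else (pid, comm, inode) is irrelevant to the rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:level] context string."""
    return context.split(":")[2]

def collect_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            grouped[key].update(m["perms"].split())
    return grouped

def denials_to_rules(text):
    """Collapse AVC denials into 'allow src tgt:class perms;' policy lines."""
    rules = []
    for (src, tgt, cls), perms in sorted(collect_denials(text).items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_str))
    return rules

def to_te_module(name, text):
    """Wrap the rules in the module/require header a .te file needs."""
    grouped = collect_denials(text)
    types = sorted({t for key in grouped for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in grouped.items():
        classes[cls].update(perms)
    req = ["\ttype %s;" % t for t in types]
    req += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    return "module %s 1.0;\n\nrequire {\n%s\n}\n\n%s\n" % (name, "\n".join(req), "\n".join(denials_to_rules(text)))

if __name__ == "__main__":
    print(to_te_module("local", SAMPLE_DMESG))
```

As the mail notes, a denial only records the first access that was refused, so the module built from one run usually needs to be rebuilt after the next batch of warnings.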