* [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: Antoine Martin @ 2005-10-22 14:15 UTC
To: SELinux, gentoo-hardened

Hi,

I've upgraded a (gentoo x86 selinux) system from MySQL 4.0 to 4.1, and since then some of the software that uses mysql-libs refuses to run without 'shlib_t:file execmod'.

ie: when starting postfix (built and rebuilt with mysql support):

  postfix: error while loading shared libraries: /usr/lib/libmysqlclient.so.14: cannot restore segment prot after reloc: Permission denied

And here is the audit message:

  [ 3159.289877] audit(1130082418.254:1085): avc: denied { execmod } for pid=7905 comm="postfix" name="libmysqlclient.so.14.0.0" dev=md3 ino=84506 scontext=root:sysadm_r:postfix_postdrop_t tcontext=system_u:object_r:shlib_t tclass=file

But other software does not need it (mysql client, pdns, etc) even though they are linked to the same library file...
What gives?

Thanks
Antoine

-- 
gentoo-hardened@gentoo.org mailing list
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: Dave Strydom @ 2005-10-22 14:39 UTC
To: gentoo-hardened

try running this:

revdep-rebuild --soname libmysqlclient.so.12

On 10/22/05, Antoine Martin <antoine@nagafix.co.uk> wrote:
>
> Hi,
>
> I've upgraded a (gentoo x86 selinux) system from MySQL 4.0 to 4.1, and
> since then some of the software that uses mysql-libs refuses to run
> without 'shlib_t:file execmod'.
>
> ie: when starting postfix (built and rebuilt with mysql support):
> postfix: error while loading shared
> libraries: /usr/lib/libmysqlclient.so.14: cannot restore segment prot
> after reloc: Permission denied
>
> And here is the audit message:
> [ 3159.289877] audit(1130082418.254:1085): avc: denied { execmod } for
> pid=7905 comm="postfix" name="libmysqlclient.so.14.0.0" dev=md3
> ino=84506 scontext=root:sysadm_r:postfix_postdrop_t
> tcontext=system_u:object_r:shlib_t tclass=file
>
> But other software does not need it (mysql client, pdns, etc) even
> though they are linked to the same library file...
> What gives?
>
> Thanks
> Antoine
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: Antoine Martin @ 2005-10-22 16:33 UTC
To: gentoo-hardened

On Sat, 2005-10-22 at 16:39 +0200, Dave Strydom wrote:
> try running this:
>
> revdep-rebuild --soname libmysqlclient.so.12

^libmysqlclient.so.12^libmysqlclient.so.14, right?

This does a:

  emerge --oneshot --nodeps =dev-db/mysql-4.1.14 =dev-perl/DBD-mysql-2.9007 =mail-mta/postfix-2.1.5-r2 =net-dns/pdns-2.9.18

Which failed during the installation phase of postfix, with the same message as before..
Then I switched to non-enforcing mode, rebuilt as above and now it's ok.
No idea why...

Antoine

>
> On 10/22/05, Antoine Martin <antoine@nagafix.co.uk> wrote:
> > Hi,
> >
> > I've upgraded a (gentoo x86 selinux) system from MySQL 4.0 to
> > 4.1, and since then some of the software that uses mysql-libs
> > refuses to run without 'shlib_t:file execmod'.
> >
> > ie: when starting postfix (built and rebuilt with mysql support):
> > postfix: error while loading shared
> > libraries: /usr/lib/libmysqlclient.so.14: cannot restore segment prot
> > after reloc: Permission denied
> >
> > And here is the audit message:
> > [ 3159.289877] audit(1130082418.254:1085):
> > avc: denied { execmod } for
> > pid=7905 comm="postfix" name="libmysqlclient.so.14.0.0"
> > dev=md3 ino=84506 scontext=root:sysadm_r:postfix_postdrop_t
> > tcontext=system_u:object_r:shlib_t tclass=file
> >
> > But other software does not need it (mysql client, pdns, etc) even
> > though they are linked to the same library file...
> > What gives?
> >
> > Thanks
> > Antoine
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: Antoine Martin @ 2005-10-22 16:38 UTC
To: gentoo-hardened

On Sat, 2005-10-22 at 17:33 +0100, Antoine Martin wrote:
> On Sat, 2005-10-22 at 16:39 +0200, Dave Strydom wrote:
> > try running this:
> >
> > revdep-rebuild --soname libmysqlclient.so.12
> ^libmysqlclient.so.12^libmysqlclient.so.14, right?
>
> This does a:
> emerge --oneshot --nodeps =dev-db/mysql-4.1.14
> =dev-perl/DBD-mysql-2.9007 =mail-mta/postfix-2.1.5-r2
> =net-dns/pdns-2.9.18
>
> Which failed during the installation phase of postfix, with the same
> message as before..
> Then I switched to non-enforcing mode, rebuilt as above and now it's ok.

DOH
No it's not, when I switch back to enforcing it is still broken...

> No idea why...

Still

> Antoine
>
> > On 10/22/05, Antoine Martin <antoine@nagafix.co.uk> wrote:
> > > Hi,
> > >
> > > I've upgraded a (gentoo x86 selinux) system from MySQL 4.0 to
> > > 4.1, and since then some of the software that uses mysql-libs
> > > refuses to run without 'shlib_t:file execmod'.
> > >
> > > ie: when starting postfix (built and rebuilt with mysql support):
> > > postfix: error while loading shared
> > > libraries: /usr/lib/libmysqlclient.so.14: cannot restore segment prot
> > > after reloc: Permission denied
> > >
> > > And here is the audit message:
> > > [ 3159.289877] audit(1130082418.254:1085):
> > > avc: denied { execmod } for
> > > pid=7905 comm="postfix" name="libmysqlclient.so.14.0.0"
> > > dev=md3 ino=84506 scontext=root:sysadm_r:postfix_postdrop_t
> > > tcontext=system_u:object_r:shlib_t tclass=file
> > >
> > > But other software does not need it (mysql client, pdns, etc) even
> > > though they are linked to the same library file...
> > > What gives?
> > >
> > > Thanks
> > > Antoine
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: pageexec @ 2005-10-22 14:53 UTC
To: SELinux, gentoo-hardened

On 22 Oct 2005 at 15:15, Antoine Martin wrote:
> I've upgraded a (gentoo x86 selinux) system from MySQL 4.0 to 4.1, and
> since then some of the software that uses mysql-libs refuses to run
> without 'shlib_t:file execmod'.
>
> ie: when starting postfix (built and rebuilt with mysql support):
> postfix: error while loading shared
> libraries: /usr/lib/libmysqlclient.so.14: cannot restore segment prot
> after reloc: Permission denied

the reason might be text relocations, even though they should have been fixed already upstream. see long story at

http://bugs.gentoo.org/show_bug.cgi?id=42968
http://bugs.mysql.com/bug.php?id=11642

what does scanelf -T /usr/lib/libmysqlclient.so.14 report?
if it's not text relocs, then post an strace please.
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: Antoine Martin @ 2005-10-22 15:45 UTC
To: gentoo-hardened
Cc: SELinux

On Sat, 2005-10-22 at 16:53 +0200, pageexec@freemail.hu wrote:
> On 22 Oct 2005 at 15:15, Antoine Martin wrote:
> > I've upgraded a (gentoo x86 selinux) system from MySQL 4.0 to 4.1, and
> > since then some of the software that uses mysql-libs refuses to run
> > without 'shlib_t:file execmod'.
> >
> > ie: when starting postfix (built and rebuilt with mysql support):
> > postfix: error while loading shared
> > libraries: /usr/lib/libmysqlclient.so.14: cannot restore segment prot
> > after reloc: Permission denied
>
> the reason might be text relocations, even though they should have
> been fixed already upstream. see long story at
>
> http://bugs.gentoo.org/show_bug.cgi?id=42968
> http://bugs.mysql.com/bug.php?id=11642

From the two threads above it looks like the fix should have gone in 4.1.14 (which is what I am running now)

> what does scanelf -T /usr/lib/libmysqlclient.so.14 report?
> if it's not text relocs, then post an strace please.

Is scanelf a PaX tool?

Antoine
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: pageexec @ 2005-10-22 15:53 UTC
To: gentoo-hardened
Cc: SELinux

On 22 Oct 2005 at 16:45, Antoine Martin wrote:
> > what does scanelf -T /usr/lib/libmysqlclient.so.14 report?
> > if it's not text relocs, then post an strace please.
> Is scanelf a PaX tool?

app-misc/pax-utils
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: Antoine Martin @ 2005-10-22 16:37 UTC
To: gentoo-hardened
Cc: SELinux

On Sat, 2005-10-22 at 17:53 +0200, pageexec@freemail.hu wrote:
> On 22 Oct 2005 at 16:45, Antoine Martin wrote:
> > > what does scanelf -T /usr/lib/libmysqlclient.so.14 report?
> > > if it's not text relocs, then post an strace please.
> > Is scanelf a PaX tool?
>
> app-misc/pax-utils

Thanks,

  scanelf -T /usr/lib/libmysqlclient.so.14

shows nothing at all.
(I also tried adding a -R, even -a shows nothing!)

Antoine
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: pageexec @ 2005-10-22 17:24 UTC
To: gentoo-hardened
Cc: SELinux

On 22 Oct 2005 at 17:37, Antoine Martin wrote:
> scanelf -T /usr/lib/libmysqlclient.so.14
> shows nothing at all.
> (I also tried adding a -R, even -a shows nothing!)

ok, so it's not textrels, can you post an strace output then?
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: Antoine Martin @ 2005-10-22 17:31 UTC
To: gentoo-hardened
Cc: SELinux

On Sat, 2005-10-22 at 19:24 +0200, pageexec@freemail.hu wrote:
> On 22 Oct 2005 at 17:37, Antoine Martin wrote:
> > scanelf -T /usr/lib/libmysqlclient.so.14
> > shows nothing at all.
> > (I also tried adding a -R, even -a shows nothing!)
>
> ok, so it's not textrels, can you post an strace output then?

Ah, I thought I could, but strace won't run in enforcing mode (which is needed to make it break)

  strace: ptrace(PTRACE_TRACEME, ...): Permission denied

And since there is no audit message, I don't know how to allow it.

Thanks
Antoine
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: Petre Rodan @ 2005-10-22 17:56 UTC
To: gentoo-hardened

On Sat, Oct 22, 2005 at 06:31:35PM +0100, Antoine Martin wrote:
> On Sat, 2005-10-22 at 19:24 +0200, pageexec@freemail.hu wrote:
> > On 22 Oct 2005 at 17:37, Antoine Martin wrote:
> > > scanelf -T /usr/lib/libmysqlclient.so.14
> > > shows nothing at all.
> > > (I also tried adding a -R, even -a shows nothing!)
> >
> > ok, so it's not textrels, can you post an strace output then?
> Ah, I thought I could, but strace won't run in enforcing mode (which is needed to make it break)
> strace: ptrace(PTRACE_TRACEME, ...): Permission denied
>
> And since there is no audit message, I don't know how to allow it.

allow sysadm_t domain:process ptrace;
allow initrc_t domain:process ptrace;

> Thanks
> Antoine

bye,
peter

-- 
petre rodan <kaiowas@gentoo.org>
Developer, Hardened Gentoo Linux
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: Antoine Martin @ 2005-10-23 20:42 UTC
To: gentoo-hardened

On Sat, 2005-10-22 at 20:56 +0300, Petre Rodan wrote:
> On Sat, Oct 22, 2005 at 06:31:35PM +0100, Antoine Martin wrote:
> > On Sat, 2005-10-22 at 19:24 +0200, pageexec@freemail.hu wrote:
> > > On 22 Oct 2005 at 17:37, Antoine Martin wrote:
> > > > scanelf -T /usr/lib/libmysqlclient.so.14
> > > > shows nothing at all.
> > > > (I also tried adding a -R, even -a shows nothing!)
> > >
> > > ok, so it's not textrels, can you post an strace output then?

execve("/usr/sbin/postfix", ["postfix"], [/* 26 vars */]) = 0
uname({sys="Linux", node="removed", ...}) = 0
brk(0) = 0x805a000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=12039, ...}) = 0
mmap2(NULL, 12039, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fd8000
close(3) = 0
open("/usr/lib/libpcre.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\22"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=186644, ...}) = 0
mmap2(NULL, 188080, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7faa000
mmap2(0xb7fc1000, 94208, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16) = 0xb7fc1000
close(3) = 0
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\f\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=10440, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fa9000
mmap2(NULL, 12392, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7fa5000
mmap2(0xb7fa7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7fa7000
close(3) = 0
open("/lib/libcrypt.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200\10"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=22424, ...}) = 0
mmap2(NULL, 184636, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f77000
mprotect(0xb7f7b000, 168252, PROT_NONE) = 0
mmap2(0xb7f7c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4) = 0xb7f7c000
mmap2(0xb7f7e000, 155964, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f7e000
close(3) = 0
open("/lib/libpthread.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0C\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=141357, ...}) = 0
mmap2(NULL, 332928, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f25000
mmap2(0xb7f33000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd) = 0xb7f33000
mmap2(0xb7f35000, 267392, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f35000
close(3) = 0
open("/lib/libpam.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\24\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=31820, ...}) = 0
mmap2(NULL, 33608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f1c000
mmap2(0xb7f24000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7) = 0xb7f24000
close(3) = 0
open("/usr/lib/libmysqlclient.so.14", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\254\3"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=2065804, ...}) = 0
mmap2(NULL, 2061732, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d24000
mmap2(0xb7e2a000, 966656, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x106) = 0xb7e2a000
mmap2(0xb7f16000, 21924, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f16000
close(3) = 0
open("/lib/libm.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\2003\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=153240, ...}) = 0
mmap2(NULL, 139424, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d01000
mmap2(0xb7d22000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x20) = 0xb7d22000
close(3) = 0
open("/lib/libz.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200\22"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=67304, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d00000
mmap2(NULL, 68788, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7cef000
mmap2(0xb7cff000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xf) = 0xb7cff000
close(3) = 0
open("/usr/lib/libsasl2.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@1\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=85968, ...}) = 0
mmap2(NULL, 84840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7cda000
mmap2(0xb7cee000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14) = 0xb7cee000
close(3) = 0
open("/usr/lib/libdb-4.2.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\204"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=893788, ...}) = 0
mmap2(NULL, 880156, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7c03000
mmap2(0xb7cd8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd5) = 0xb7cd8000
close(3) = 0
open("/lib/libnsl.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@5\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=75176, ...}) = 0
mmap2(NULL, 83968, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7bee000
mmap2(0xb7bff000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10) = 0xb7bff000
mmap2(0xb7c01000, 6144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7c01000
close(3) = 0
open("/lib/libresolv.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300%\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=64568, ...}) = 0
mmap2(NULL, 76052, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7bdb000
mmap2(0xb7bea000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xe) = 0xb7bea000
mmap2(0xb7bec000, 6420, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7bec000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000V\1\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1191456, ...}) = 0
mmap2(NULL, 1137972, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7ac5000
mprotect(0xb7bd4000, 27956, PROT_NONE) = 0
mmap2(0xb7bd5000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10f) = 0xb7bd5000
mmap2(0xb7bd9000, 7476, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7bd9000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ac4000
mprotect(0xb7bd5000, 4096, PROT_READ) = 0
mprotect(0xb7d24000, 1073152, PROT_READ|PROT_WRITE) = 0
mprotect(0xb7d24000, 1073152, PROT_READ|PROT_EXEC) = -1 EACCES (Permission denied)
writev(2, [{"postfix", 7}, {": ", 2}, {"error while loading shared libra"..., 36}, {": ", 2}, {"/usr/lib/libmysqlclient.so.14", 29}, {": ", 2}, {"cannot restore segment prot afte"..., 39}, {": ", 2}, {"Permission denied", 17}, {"\n", 1}], 10postfix: error while loading shared libraries: /usr/lib/libmysqlclient.so.14: cannot restore segment prot after reloc: Permission denied
) = 137
exit_group(127) = ?
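An added example, not part of the thread and not any poster's tooling: a small Python script that works out from an strace log like the one above which library ld.so was relocating when the PROT_EXEC restore failed. It tracks open()/mmap2()/close() so addresses can be mapped back to file names, then flags the PROT_WRITE-then-PROT_EXEC mprotect pair that text relocations produce (the second call is the execmod SELinux denies). The embedded sample trace is a constructed, abridged copy of the lines posted above; the regexes assume the 2005-era strace output format shown there.

```python
#!/usr/bin/env python3
"""Find which library tripped 'cannot restore segment prot after reloc' in an strace log.

Added example; not from the thread. ld.so handles a text relocation by
mprotect()ing the library's text mapping PROT_READ|PROT_WRITE, patching it,
and then mprotect()ing it back to PROT_READ|PROT_EXEC. That second call is
the 'execmod' SELinux denies, so pairing it with the preceding mmap2() of
the file tells you which object carries the text relocations.
"""
import re
import sys

# Only the syscalls ld.so uses while mapping and relocating a library
OPEN_RE = re.compile(r'^open\("([^"]+)", [^)]*\) = (\d+)$')
MMAP_RE = re.compile(
    r'^mmap2?\([^,]+, (\d+), ([A-Z_|]+), [A-Z_|]+, (-?\d+), (?:0x)?[0-9a-f]+\) = 0x([0-9a-f]+)$')
MPROTECT_RE = re.compile(r'^mprotect\(0x([0-9a-f]+), (\d+), ([A-Z_|]+)\) = (-?\d+)(?: ([A-Z]+))?')
CLOSE_RE = re.compile(r'^close\((\d+)\)')


def find_textrel_failures(lines):
    """Return [(library, errno_or_None)] for every text-segment write/exec cycle.

    errno is None when the PROT_EXEC restore succeeded (permissive mode, or no
    execmod restriction) and e.g. 'EACCES' when the kernel denied it.
    """
    fds = {}        # fd -> path currently open on it
    maps = []       # (start, end, path, prot) for file-backed mappings
    writable = {}   # start address -> path of exec mappings flipped to PROT_WRITE
    findings = []
    for raw in lines:
        line = raw.strip()
        if (m := OPEN_RE.match(line)):
            fds[int(m.group(2))] = m.group(1)
        elif (m := MMAP_RE.match(line)):
            length, prot, fd = int(m.group(1)), m.group(2), int(m.group(3))
            addr = int(m.group(4), 16)
            if fd in fds:                       # skips MAP_ANONYMOUS (fd -1)
                maps.append((addr, addr + length, fds[fd], prot))
        elif (m := CLOSE_RE.match(line)):
            fds.pop(int(m.group(1)), None)
        elif (m := MPROTECT_RE.match(line)):
            addr, prot = int(m.group(1), 16), m.group(3)
            rc, err = int(m.group(4)), m.group(5)
            hit = next(((p, mp) for s, e, p, mp in maps if s <= addr < e), None)
            if hit is None:
                continue
            path, map_prot = hit
            if "PROT_WRITE" in prot and "PROT_EXEC" in map_prot:
                writable[addr] = path           # text segment opened up for relocation
            elif "PROT_EXEC" in prot and addr in writable:
                findings.append((writable.pop(addr), err if rc < 0 else None))
    return findings


# Constructed sample: an abridged copy of the strace posted in the thread
SAMPLE_TRACE = """\
execve("/usr/sbin/postfix", ["postfix"], [/* 26 vars */]) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
mmap2(NULL, 12039, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fd8000
close(3) = 0
open("/usr/lib/libpcre.so.0", O_RDONLY) = 3
mmap2(NULL, 188080, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7faa000
mmap2(0xb7fc1000, 94208, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16) = 0xb7fc1000
close(3) = 0
open("/usr/lib/libmysqlclient.so.14", O_RDONLY) = 3
mmap2(NULL, 2061732, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d24000
mmap2(0xb7e2a000, 966656, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x106) = 0xb7e2a000
mmap2(0xb7f16000, 21924, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f16000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
mmap2(NULL, 1137972, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7ac5000
mprotect(0xb7bd4000, 27956, PROT_NONE) = 0
close(3) = 0
mprotect(0xb7bd5000, 4096, PROT_READ) = 0
mprotect(0xb7d24000, 1073152, PROT_READ|PROT_WRITE) = 0
mprotect(0xb7d24000, 1073152, PROT_READ|PROT_EXEC) = -1 EACCES (Permission denied)
"""

if __name__ == "__main__":
    # Usage: textrel_strace.py [strace.log]; without an argument it runs on the sample
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_TRACE.splitlines()
    for lib, err in find_textrel_failures(lines):
        state = f"denied ({err})" if err else "allowed"
        print(f"{lib}: text relocations, PROT_EXEC restore {state}")
```

Run it on a trace taken in permissive mode and the same library is still reported, with the restore shown as allowed: the write/exec cycle happens regardless, which is why the breakage only shows up once enforcing is switched back on.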
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: pageexec @ 2005-10-24 13:47 UTC
To: gentoo-hardened

On 23 Oct 2005 at 21:42, Antoine Martin wrote:

ok, so this is the story of the textrelocs in libmysqlclient:

> open("/usr/lib/libmysqlclient.so.14", O_RDONLY) = 3
> mmap2(NULL, 2061732, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d24000
> mprotect(0xb7d24000, 1073152, PROT_READ|PROT_WRITE) = 0
> mprotect(0xb7d24000, 1073152, PROT_READ|PROT_EXEC) = -1 EACCES (Permission denied)

this is either PaX (if you have NOELFRELOCS on) or SELinux, i think they call it execmem or something like that.

what do 'scanelf -T /usr/lib/libmysqlclient.so.14' or 'eu-findtextrel /usr/lib/libmysqlclient.so.14' say (it can't be 'nothing' for sure ;-)? eu-findtextrel is in dev-libs/elfutils.
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: Antoine Martin @ 2005-10-24 19:15 UTC
To: gentoo-hardened

On Mon, 2005-10-24 at 15:47 +0200, pageexec@freemail.hu wrote:
> On 23 Oct 2005 at 21:42, Antoine Martin wrote:
>
> ok, so this is the story of the textrelocs in libmysqlclient:
>
> > open("/usr/lib/libmysqlclient.so.14", O_RDONLY) = 3
> > mmap2(NULL, 2061732, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d24000
> > mprotect(0xb7d24000, 1073152, PROT_READ|PROT_WRITE) = 0
> > mprotect(0xb7d24000, 1073152, PROT_READ|PROT_EXEC) = -1 EACCES (Permission denied)
>
> this is either PaX (if you have NOELFRELOCS on) or SELinux,
> i think they call it execmem or something like that.

Yes, I started this thread and CCed the SELinux list.
I can make this work by allowing postfix to execmem all shlibs. ie for all the postfix domains:

  allow postfix_{domain}_t shlib_t:file execmod;

But this is not the right way to do it, I admit this is only a very tiny security risk, but I would much rather figure out a way to fix the library to not require execmod. No other library requires it, and the previous version of mysql I was using (4.0) didn't either.

> what do 'scanelf -T /usr/lib/libmysqlclient.so.14' or
> 'eu-findtextrel /usr/lib/libmysqlclient.so.14'
> say (it can't be 'nothing' for sure ;-)? eu-findtextrel
> is in dev-libs/elfutils.

# scanelf -T /usr/lib/libmysqlclient.so.14
 TYPE   TEXTRELS FILE
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAD5C] in DES_encrypt3 [0xDACD0]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAD70] in DES_encrypt3 [0xDACD0]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAD84] in DES_encrypt3 [0xDACD0]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAE8C] in DES_decrypt3 [0xDAE00]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAEA0] in DES_decrypt3 [0xDAE00]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAEB4] in DES_decrypt3 [0xDAE00]
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDAF82] in DES_ncbc_encrypt [0xDAF30]
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDAFEA] in DES_ncbc_encrypt [0xDAF30]
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDB01B] in DES_ncbc_encrypt [0xDAF30]
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDB067] in DES_ncbc_encrypt [0xDAF30]
TEXTREL libmysqlclient.so.14: DES_encrypt3 [0xDB14B] in DES_ede3_cbc_encrypt [0xDB0F0]
TEXTREL libmysqlclient.so.14: DES_encrypt3 [0xDB1B3] in DES_ede3_cbc_encrypt [0xDB0F0]
TEXTREL libmysqlclient.so.14: DES_decrypt3 [0xDB1EB] in DES_ede3_cbc_encrypt [0xDB0F0]
TEXTREL libmysqlclient.so.14: DES_decrypt3 [0xDB237] in DES_ede3_cbc_encrypt [0xDB0F0]
TEXTREL libmysqlclient.so.14: RC5_32_encrypt [0xDD461] in RC5_32_cbc_encrypt [0xDD410]
TEXTREL libmysqlclient.so.14: RC5_32_encrypt [0xDD4C9] in RC5_32_cbc_encrypt [0xDD410]
TEXTREL libmysqlclient.so.14: RC5_32_decrypt [0xDD4FB] in RC5_32_cbc_encrypt [0xDD410]
TEXTREL libmysqlclient.so.14: RC5_32_decrypt [0xDD547] in RC5_32_cbc_encrypt [0xDD410]
TEXTREL libmysqlclient.so.14: BF_encrypt [0xDFB45] in BF_cbc_encrypt [0xDFAF0]
TEXTREL libmysqlclient.so.14: BF_encrypt [0xDFBB5] in BF_cbc_encrypt [0xDFAF0]
TEXTREL libmysqlclient.so.14: BF_decrypt [0xDFBEF] in BF_cbc_encrypt [0xDFAF0]
TEXTREL libmysqlclient.so.14: BF_decrypt [0xDFC43] in BF_cbc_encrypt [0xDFAF0]
ET_DYN /usr/lib/libmysqlclient.so.14

Hope this helps...

Many thanks
Antoine
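An added example (Python), not from the thread and not the pax-utils or elfutils code: the coarse check that decides whether ld.so will take the write-then-exec path at all. scanelf -T and eu-findtextrel list the individual relocations that land in the text segment; this script only reads the PT_DYNAMIC segment and reports the DT_TEXTREL tag or the DF_TEXTREL bit of DT_FLAGS, which is the marker ld.so keys its "cannot restore segment prot after reloc" mprotect dance on. It handles ELF32 and ELF64, either byte order, and the build_test_elf() helper constructs a minimal fake ELF image in memory (a fixture, not a loadable library) so the checker can be exercised without a real libmysqlclient.

```python
#!/usr/bin/env python3
"""Check ELF shared objects for the DT_TEXTREL / DF_TEXTREL marker.

Added example; not the thread's, pax-utils' or elfutils' code. ld.so makes
the text segment writable, applies the relocations, then mprotects it back
to PROT_EXEC only when this marker is set; that second mprotect is the
'execmod' that SELinux (or PaX with NOELFRELOCS) denies.
"""
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4


def _formats(data):
    """Pick struct formats for the file's ELF class and byte order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = {1: "<", 2: ">"}[data[5]]          # EI_DATA
    if data[4] == 2:                             # ELFCLASS64
        return (endian + "16sHHIQQQIHHHHHH",     # Elf64_Ehdr
                endian + "IIQQQQQQ",             # Elf64_Phdr: type, flags, off, vaddr, paddr, filesz, memsz, align
                endian + "qQ", 2, 5)             # Elf64_Dyn; phdr indexes of p_offset, p_filesz
    if data[4] == 1:                             # ELFCLASS32
        return (endian + "16sHHIIIIIHHHHHH",     # Elf32_Ehdr
                endian + "IIIIIIII",             # Elf32_Phdr: type, off, vaddr, paddr, filesz, memsz, flags, align
                endian + "iI", 1, 4)
    raise ValueError("unknown ELF class")


def dynamic_entries(data):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment, stopping at DT_NULL."""
    ehdr_fmt, phdr_fmt, dyn_fmt, off_ix, size_ix = _formats(data)
    ehdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    dyn_size = struct.calcsize(dyn_fmt)
    for i in range(e_phnum):
        phdr = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if phdr[0] != PT_DYNAMIC:
            continue
        start, end = phdr[off_ix], phdr[off_ix] + phdr[size_ix]
        for pos in range(start, end, dyn_size):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                return
            yield tag, val


def textrel_reason(data):
    """Return 'DT_TEXTREL', 'DF_TEXTREL' or None for an ELF image held in memory."""
    for tag, val in dynamic_entries(data):
        if tag == DT_TEXTREL:
            return "DT_TEXTREL"
        if tag == DT_FLAGS and val & DF_TEXTREL:
            return "DF_TEXTREL"
    return None


def has_textrel(data):
    return textrel_reason(data) is not None


def build_test_elf(textrel_tag=False, textrel_flag=False, bits=64):
    """Construct a minimal little-endian ELF with one PT_DYNAMIC segment.

    Test fixture only (hypothetical, not loadable): header, one program
    header, then the dynamic entries right behind it.
    """
    if bits == 64:
        ehdr_fmt, phdr_fmt, dyn_fmt, machine = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ", 62
    else:
        ehdr_fmt, phdr_fmt, dyn_fmt, machine = "<16sHHIIIIIHHHHHH", "<IIIIIIII", "<iI", 3
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1, 1]) + bytes(9)
    ehsize, phsize = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    dyn_off = ehsize + phsize
    entries = ([(DT_TEXTREL, 0)] if textrel_tag else []) + \
              [(DT_FLAGS, DF_TEXTREL if textrel_flag else 0), (DT_NULL, 0)]
    dyn = b"".join(struct.pack(dyn_fmt, t, v) for t, v in entries)
    # e_type=ET_DYN(3), e_phoff=ehsize, e_phnum=1, no section headers
    ehdr = struct.pack(ehdr_fmt, ident, 3, machine, 1, 0, ehsize, 0, 0, ehsize, phsize, 1, 0, 0, 0)
    if bits == 64:
        phdr = struct.pack(phdr_fmt, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    else:
        phdr = struct.pack(phdr_fmt, PT_DYNAMIC, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn


def scan(paths):
    """scanelf -T style summary: [(path, reason)] with reason None when clean."""
    out = []
    for p in paths:
        with open(p, "rb") as f:
            out.append((p, textrel_reason(f.read())))
    return out


if __name__ == "__main__":
    # Usage: textrel_check.py /usr/lib/libmysqlclient.so.14 [more .so files]
    for path, reason in scan(sys.argv[1:]):
        print(f"{reason or '-':10} {path}")
```

A clean result here does not prove the object is free of text relocations in the scanelf sense (a linker can emit relocations against the text segment without setting the flag only if it is broken), but a positive result is exactly the condition under which ld.so will issue the failing mprotect pair, so it is the quick triage step before reaching for scanelf -T or eu-findtextrel on every library a daemon loads.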
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: pageexec @ 2005-10-24 21:23 UTC
To: gentoo-hardened

On 24 Oct 2005 at 20:15, Antoine Martin wrote:
> But this is not the right way to do it, I admit this is only a very tiny
> security risk, but I would much rather figure out a way to fix the
> library to not require execmod. No other library requires it, and the
> previous version of mysql I was using (4.0) didn't either.

indeed, the underlying reason is what we remedied, or so i thought so i'm all the more curious how you ended up with textrels again. fwiw, i can't find any DES related symbols in 4.1.14 and 5.0.13, so i'm wondering if it's USE flag dependent maybe (in which case mysql is probably statically linking a crypto library). what are yours?
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: Antoine Martin @ 2005-10-24 21:29 UTC
To: gentoo-hardened

On Mon, 2005-10-24 at 23:23 +0200, pageexec@freemail.hu wrote:
> On 24 Oct 2005 at 20:15, Antoine Martin wrote:
> > But this is not the right way to do it, I admit this is only a very tiny
> > security risk, but I would much rather figure out a way to fix the
> > library to not require execmod. No other library requires it, and the
> > previous version of mysql I was using (4.0) didn't either.
>
> indeed, the underlying reason is what we remedied, or so i
> thought so i'm all the more curious how you ended up with
> textrels again. fwiw, i can't find any DES related symbols
> in 4.1.14 and 5.0.13, so i'm wondering if it's USE flag
> dependent maybe (in which case mysql is probably statically
> linking a crypto library). what are yours?

USE="-X mysql sasl ipv6 nptl hardened"

dev-db/mysql-4.1.14 +berkdb -big-tables -cluster -debug -doc -extraengine -geometry -minimal +perl +readline +selinux +ssl -static +tcpd -utf8

Antoine
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: pageexec @ 2005-10-24 23:05 UTC
To: gentoo-hardened

On 24 Oct 2005 at 22:29, Antoine Martin wrote:
> USE="-X mysql sasl ipv6 nptl hardened"
>
> dev-db/mysql-4.1.14 +berkdb -big-tables -cluster -debug -doc -extraengine
> -geometry -minimal +perl +readline +selinux +ssl -static +tcpd -utf8

ok, mine's exactly the same except for +selinux (no selinux here). so it's either that or the hardened toolchain that causes this, although i don't see from the ebuild nor from the toolchain how that extra crypto enters the picture. anyone has ideas? also, can you try to emerge it without selinux and/or the hardened toolchain (set gcc-config to the normal specs file) and see what happens? if that cures it, comparing compile/emerge logs might shed a light on this.
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: Antoine Martin @ 2005-10-25 10:45 UTC
To: gentoo-hardened

On Tue, 2005-10-25 at 01:05 +0200, pageexec@freemail.hu wrote:
> On 24 Oct 2005 at 22:29, Antoine Martin wrote:
> > USE="-X mysql sasl ipv6 nptl hardened"
> >
> > dev-db/mysql-4.1.14 +berkdb -big-tables -cluster -debug -doc -extraengine
> > -geometry -minimal +perl +readline +selinux +ssl -static +tcpd -utf8
>
> ok, mine's exactly the same except for +selinux (no selinux here).
> so it's either that or the hardened toolchain that causes this,
> although i don't see from the ebuild nor from the toolchain how
> that extra crypto enters the picture. anyone has ideas? also, can
> you try to emerge it without selinux and/or the hardened toolchain
> (set gcc-config to the normal specs file) and see what happens?

Sure. But how do I do that?
(good thing that box is not a proper live one!)

> if that cures it, comparing compile/emerge logs might shed a light on
> this.

Also, do you know how I can contribute some selinux policy files to gentoo?

Thanks
Antoine
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: pageexec @ 2005-10-25 12:04 UTC
To: gentoo-hardened

On 25 Oct 2005 at 11:45, Antoine Martin wrote:
> Sure. But how do I do that?
> (good thing that box is not a proper live one!)

> > also, can you try to emerge it without selinux

USE=-selinux emerge mysql

> > and/or the hardened toolchain (set gcc-config to the normal specs
> > file) and see what happens?

in general: gcc-config -h

in particular: 'gcc-config -l' will give you a list of gcc profiles, a * marks the current one, then select the -vanilla or -hardenednopiessp one via gcc-config <number>.

> Also, do you know how I can contribute some selinux policy files to gentoo?

no idea, probably you'll have to talk to the gentoo/selinux guys.
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: solar @ 2005-10-25 18:52 UTC
To: gentoo-hardened

On Tue, 2005-10-25 at 01:05 +0200, pageexec@freemail.hu wrote:
> On 24 Oct 2005 at 22:29, Antoine Martin wrote:
> > USE="-X mysql sasl ipv6 nptl hardened"
> >
> > dev-db/mysql-4.1.14 +berkdb -big-tables -cluster -debug -doc -extraengine
> > -geometry -minimal +perl +readline +selinux +ssl -static +tcpd -utf8
>
> ok, mine's exactly the same except for +selinux (no selinux here).
> so it's either that or the hardened toolchain that causes this,
> although i don't see from the ebuild nor from the toolchain how
> that extra crypto enters the picture. anyone has ideas? also, can
> you try to emerge it without selinux and/or the hardened toolchain
> (set gcc-config to the normal specs file) and see what happens? if
> that cures it, comparing compile/emerge logs might shed a light on
> this.

Well I can't reproduce this on any other box using a hgcc, so I'm stumped
how this user is even hitting this. A proper bug report is probably the
best place to take the rest of this thread up.

--
solar <solar@gentoo.org>
Gentoo Linux
* [gentoo-hardened] Re: mysql 4.1 requires shlib_t:file execmod?
From: Antoine Martin @ 2005-10-25 20:55 UTC
To: SELinux, gentoo-hardened

On Tue, 2005-10-25 at 14:52 -0400, solar wrote:
> On Tue, 2005-10-25 at 01:05 +0200, pageexec@freemail.hu wrote:
> > On 24 Oct 2005 at 22:29, Antoine Martin wrote:
> > > USE="-X mysql sasl ipv6 nptl hardened"
> > >
> > > dev-db/mysql-4.1.14 +berkdb -big-tables -cluster -debug -doc -extraengine
> > > -geometry -minimal +perl +readline +selinux +ssl -static +tcpd -utf8
> >
> > ok, mine's exactly the same except for +selinux (no selinux here).
> > so it's either that or the hardened toolchain that causes this,
> > although i don't see from the ebuild nor from the toolchain how
> > that extra crypto enters the picture. anyone has ideas? also, can
> > you try to emerge it without selinux and/or the hardened toolchain
> > (set gcc-config to the normal specs file) and see what happens? if
> > that cures it, comparing compile/emerge logs might shed a light on
> > this.
>
> Well I can't reproduce this on any other box using a hgcc, so I'm stumped
> how this user is even hitting this. A proper bug report is probably the
> best place to take the rest of this thread up.

I've rebuilt gcc and glibc and now everything works fine...
(just when I was about to give up too!)

Thanks to all of you for your time and effort.
Antoine
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: solar @ 2005-10-22 17:31 UTC
To: gentoo-hardened; +Cc: SELinux

On Sat, 2005-10-22 at 17:37 +0100, Antoine Martin wrote:
> On Sat, 2005-10-22 at 17:53 +0200, pageexec@freemail.hu wrote:
> > On 22 Oct 2005 at 16:45, Antoine Martin wrote:
> > > > what does scanelf -T /usr/lib/libmysqlclient.so.14 report?
> > > > if it's not text relocs, then post an strace please.
> > > Is scanelf a PaX tool?
> >
> > app-misc/pax-utils
> Thanks,
>
> scanelf -T /usr/lib/libmysqlclient.so.14
> shows nothing at all.
> (I also tried adding a -R, even -a shows nothing!)

This should help pinpoint what's up. Post the results of the following
commands.

emerge portage-utils pax-utils ; # If you don't already have both.

#1
qlist mysql | scanelf -qtf -

#2
scanelf -a /usr/lib/libmysqlclient.so.14

#3
scanelf -a $(qfile -C $(scanelf -BF%n /usr/lib/libmysqlclient.so.14 \
  | awk '{print $1}'| tr , ' ' ) | cut -d '(' -f 2 | tr ')' ' ' )

--
solar <solar@gentoo.org>
Gentoo Linux
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: Antoine Martin @ 2005-10-22 17:41 UTC
To: gentoo-hardened; +Cc: SELinux

On Sat, 2005-10-22 at 13:31 -0400, solar wrote:
> On Sat, 2005-10-22 at 17:37 +0100, Antoine Martin wrote:
> > On Sat, 2005-10-22 at 17:53 +0200, pageexec@freemail.hu wrote:
> > > On 22 Oct 2005 at 16:45, Antoine Martin wrote:
> > > > > what does scanelf -T /usr/lib/libmysqlclient.so.14 report?
> > > > > if it's not text relocs, then post an strace please.
> > > > Is scanelf a PaX tool?
> > >
> > > app-misc/pax-utils
> > Thanks,
> >
> > scanelf -T /usr/lib/libmysqlclient.so.14
> > shows nothing at all.
> > (I also tried adding a -R, even -a shows nothing!)
>
> This should help pinpoint what's up. Post the results of the following
> commands.
>
> emerge portage-utils pax-utils ; # If you don't already have both.
I didn't.

> #1
> qlist mysql | scanelf -qtf -
TEXTREL /usr/lib/mysql/libmysqlclient.so
TEXTREL /usr/lib/mysql/libmysqlclient_r.so
TEXTREL /usr/lib/libmysqlclient.so
TEXTREL /usr/lib/libmysqlclient.so.14.0.0
TEXTREL /usr/lib/libmysqlclient_r.so
TEXTREL /usr/lib/libmysqlclient_r.so.14.0.0

> #2
> scanelf -a /usr/lib/libmysqlclient.so.14
Nothing here

> #3
> scanelf -a $(qfile -C $(scanelf -BF%n /usr/lib/libmysqlclient.so.14 \
>   | awk '{print $1}'| tr , ' ' ) | cut -d '(' -f 2 | tr ')' ' ' )
scanelf: Unknown option

> --
> solar <solar@gentoo.org>
> Gentoo Linux
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
From: solar @ 2005-10-22 18:10 UTC
To: gentoo-hardened; +Cc: SELinux

On Sat, 2005-10-22 at 18:41 +0100, Antoine Martin wrote:
> On Sat, 2005-10-22 at 13:31 -0400, solar wrote:
> > On Sat, 2005-10-22 at 17:37 +0100, Antoine Martin wrote:
> > > On Sat, 2005-10-22 at 17:53 +0200, pageexec@freemail.hu wrote:
> > > > On 22 Oct 2005 at 16:45, Antoine Martin wrote:
> > > > > > what does scanelf -T /usr/lib/libmysqlclient.so.14 report?
> > > > > > if it's not text relocs, then post an strace please.
> > > > > Is scanelf a PaX tool?
> > > >
> > > > app-misc/pax-utils
> > > Thanks,
> > >
> > > scanelf -T /usr/lib/libmysqlclient.so.14
> > > shows nothing at all.
> > > (I also tried adding a -R, even -a shows nothing!)
> >
> > This should help pinpoint what's up. Post the results of the following
> > commands.
> >
> > emerge portage-utils pax-utils ; # If you don't already have both.
> I didn't.
>
> > #1
> > qlist mysql | scanelf -qtf -
> TEXTREL /usr/lib/mysql/libmysqlclient.so
> TEXTREL /usr/lib/mysql/libmysqlclient_r.so
> TEXTREL /usr/lib/libmysqlclient.so
> TEXTREL /usr/lib/libmysqlclient.so.14.0.0
> TEXTREL /usr/lib/libmysqlclient_r.so
> TEXTREL /usr/lib/libmysqlclient_r.so.14.0.0

Looks like you do in fact have textrels in your mysql. I've seen this
happen before when linked with a miscompiled libcrypto.so

> > #2
> > scanelf -a /usr/lib/libmysqlclient.so.14
> Nothing here

If nothing here then chances are you're running scanelf while trying to
enforce and no such policy exists for scanelf.

> > #3
> > scanelf -a $(qfile -C $(scanelf -BF%n /usr/lib/libmysqlclient.so.14 \
> >   | awk '{print $1}'| tr , ' ' ) | cut -d '(' -f 2 | tr ')' ' ' )
> scanelf: Unknown option

Perhaps you typoed something here. You should be able to copy + paste the
command. It should look something like the following.

tinderbox ~ # scanelf -a -- $(qfile -C $(scanelf -BF%n /usr/lib/libmysqlclient.so.14 | awk '{print $1}'| tr , ' ' ) | cut -d '(' -f 2 | tr ')' ' ' )
 TYPE   PAX    STK/REL/PTL TEXTREL RPATH BIND FILE
ET_DYN ---xe- RW- R-- RW- -       -     NOW  /lib/libcrypt.so.1
ET_DYN ---xe- RW- R-- RW- -       -     NOW  /lib/libnsl.so.1
ET_DYN ---xe- RW- R-- RW- -       -     NOW  /lib/libm.so.6
ET_DYN ---xe- RW- R-- RW- -       -     NOW  /lib/libz.so.1
ET_DYN ---xe- RW- R-- RW- -       -     NOW  /lib/libc.so.6
ET_DYN ---xe- RW- R-- RW- -       -     NOW  /usr/lib/libssl.so.0.9.7
ET_DYN ---xe- RW- R-- RW- -       -     NOW  /usr/lib/libcrypto.so.0.9.7

--
solar <solar@gentoo.org>
Gentoo Linux
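The `scanelf -qtf -` output above is the whole diagnosis: a library flagged TEXTREL has relocations that ld.so must apply inside its text segment, so the loader has to make the mapping writable and then executable again, and that second step is the `execmod` SELinux denies. The following script, added here as an illustration and not code from the thread or from pax-utils, reimplements that check by walking the ELF program headers to PT_DYNAMIC and looking for DT_TEXTREL or DF_TEXTREL in DT_FLAGS, for both ELF32 (Antoine's x86 box) and ELF64. The `build_elf` helper only fabricates minimal, non-loadable images so the check can be exercised offline; run it with real paths (`python3 textrel.py /usr/lib/*.so*`) to get the same `TEXTREL <file>` lines scanelf prints.

```python
"""Find DT_TEXTREL in ELF shared objects by walking PT_DYNAMIC.

Added example (not code from the thread or from pax-utils). It reimplements
the check behind `scanelf -T` / `readelf -d | grep TEXTREL`: a DT_TEXTREL tag
(or DF_TEXTREL in DT_FLAGS) tells ld.so it must patch the text segment at
load time, which needs a writable-then-executable mapping of the library and
is exactly what SELinux logs as an `execmod` denial on that file.
"""
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 16, 30
DF_TEXTREL = 0x4

# Little-endian layouts only (x86 / x86-64, the machines in the thread).
# "ehdr" stops at e_phnum; "off"/"filesz" are the phdr tuple indices of
# p_offset and p_filesz, which sit in different places in ELF32 and ELF64.
LAYOUT = {
    1: dict(ehdr="<16sHHIIIIIHHH", phdr="<IIIIIIII", off=1, filesz=4, dyn="<iI"),
    2: dict(ehdr="<16sHHIQQQIHHH", phdr="<IIQQQQQQ", off=2, filesz=5, dyn="<qQ"),
}


def has_textrel(data: bytes) -> bool:
    """True if the ELF image carries text relocations."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_data != 1 or ei_class not in LAYOUT:
        raise ValueError("only little-endian ELF32/ELF64 handled here")
    lay = LAYOUT[ei_class]
    hdr = struct.unpack_from(lay["ehdr"], data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        ph = struct.unpack_from(lay["phdr"], data, e_phoff + i * e_phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        dyn_off, dyn_size = ph[lay["off"]], ph[lay["filesz"]]
        ent = struct.calcsize(lay["dyn"])
        for pos in range(dyn_off, dyn_off + dyn_size, ent):
            tag, val = struct.unpack_from(lay["dyn"], data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
        return False
    return False  # no PT_DYNAMIC: nothing for ld.so to relocate


def build_elf(ei_class: int, dyn_entries) -> bytes:
    """Constructed test image: header + one PT_DYNAMIC phdr + dynamic array.
    Not loadable; it exists only so the check can be exercised offline."""
    lay = LAYOUT[ei_class]
    ehdr_fmt = lay["ehdr"] + "HHH"  # + e_shentsize, e_shnum, e_shstrndx
    ehsz, phsz = struct.calcsize(ehdr_fmt), struct.calcsize(lay["phdr"])
    dyn = b"".join(struct.pack(lay["dyn"], t, v)
                   for t, v in list(dyn_entries) + [(DT_NULL, 0)])
    ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + bytes(8)
    machine = 3 if ei_class == 1 else 62  # EM_386 / EM_X86_64
    ehdr = struct.pack(ehdr_fmt, ident, 3, machine, 1, 0, ehsz, 0, 0,
                       ehsz, phsz, 1, 0, 0, 0)  # e_type=3 is ET_DYN
    dyn_off = ehsz + phsz
    if ei_class == 1:  # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        phdr = struct.pack(lay["phdr"], PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4)
    else:              # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdr = struct.pack(lay["phdr"], PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


def scan_paths(paths):
    """Report like `scanelf -qT`: one offending object per entry."""
    hits = []
    for p in paths:
        try:
            with open(p, "rb") as f:
                if has_textrel(f.read()):
                    hits.append(p)
        except (OSError, ValueError):
            continue  # not an ELF, unreadable, or a class we don't parse
    return hits


if __name__ == "__main__":
    for p in scan_paths(sys.argv[1:]):
        print("TEXTREL", p)
```

The fix the thread converges on is the right one: a TEXTREL library is rebuilt (here, after a toolchain rebuild) rather than granted `execmod`, because allowing `execmod` on `shlib_t` hands every confined domain that links the library a writable, executable mapping.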
* [gentoo-hardened] SELinux n00b questions
From: Dale Pontius @ 2005-10-23 17:54 UTC
To: gentoo-hardened

I've already done some searching on these, to no avail. I have several
years experience with Linux, but only about a week, part-time with SELinux.

1: Probably most severe... I'm used to syslog-ng, but for some reason
decided to do my SELinux install with metalog. After using it a little,
I decided to remove it and install syslog-ng. That appeared to work at
first. But as far as I can tell, nothing has been logged since the first
time I put the system into enforcing mode. At shutdown I still get a
little piece of hatemail about metalog, and I suspect I should have shut
down metalog during the emerge -C - I suspect there are some droppings of
it left over in /var. But I don't see why syslog-ng wouldn't work, when
ps shows it's in there and running.

2: Can't ssh in when the system is enforcing. I've checked the sestatus
-v results, and everything looks ok. I've never seen a bogus console or
log message, but then again, see (1). Here's what I get:

user1@here ~ $ ssh -v user2@there
OpenSSH_4.2p1, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to there [192.168.154.38] port 22.
debug1: Connection established.
debug1: identity file /home/user1/.ssh/identity type -1
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
user1@here ~ $

3: There isn't much about "standard practice".
What kinds of admin tasks can I perform while the system is enforcing?
What kinds of admin tasks do I have to drop out of enforcing for?
I presume emerging a new policy requires "make load". What requires "make
relabel"?
What about things that don't have a policy? Like dovecot, leafnode, etc?
On my old system I ran things chroot'ed. Can I still, under SELinux?

Thanks,
Dale Pontius
* Re: [gentoo-hardened] SELinux n00b questions
From: Chris PeBenito @ 2005-10-26 22:59 UTC
To: gentoo-hardened

On Sun, 2005-10-23 at 13:54 -0400, Dale Pontius wrote:
> I decided to remove it and install syslog-ng. That appeared to work at
> first. But as far as I can tell, nothing has been logged since the first
> time I put the system into enforcing mode.

Need to see some denials to better understand what's going on.

> 2: Can't ssh in when the system is enforcing. I've checked the sestatus
> -v results, and everything looks ok. I've never seen a bogus console or
> log message, but then again, see (1). Here's what I get:
> user1@here ~ $ ssh -v user2@there

Again, need to see some denials on the server, and logs from sshd if they
have anything interesting other than the failed login message.

> 3: There isn't much about "standard practice".
> What kinds of admin tasks can I perform while the system is enforcing?
> What kinds of admin tasks do I have to drop out of enforcing for?

The goal is to always enforce. Ideally, you should never have to switch to
permissive to do admin tasks.

> I presume emerging a new policy requires "make load". What requires "make
> relabel"?

You should generally relabel after switching from permissive back to
enforcing. That may also mean restarting if processes aren't in the right
context. Other than that, you shouldn't need a complete relabel except in
recovery type situations. Or massive policy changes.

> What about things that don't have a policy? Like dovecot, leafnode, etc?
> On my old system I ran things chroot'ed. Can I still, under SELinux?

Our policy is a little stagnant, since the NSA example policy will be on
its way out, and we will be switching to Reference Policy
(http://serefpolicy.sf.net/) when it's ready in a couple months. It will
be a significantly easier policy to manage and develop. It'll also bring
along with it the targeted policy, for desktops.

You can run stuff chrooted, but it will likely require extra policy work
to get things labeled right. Though, with a good MAC system like SELinux,
the usefulness of chroot is questionable.

--
Chris PeBenito <pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
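Chris asks for denials twice, because an `avc: denied` line carries everything a policy writer needs: the permission, the source domain, the target type and the object class. Once logging works, the first thing to do with a pile of them is group by (source type, target type, class), which is what audit2allow does before printing allow rules. The script below is an added example, not code from the thread or from audit2allow: it parses the kernel's `avc: denied { perm } for pid=... scontext=... tcontext=... tclass=...` format, groups the denials, drafts the allow rule each group would need, and annotates the two groups that should never simply be allowed: a `default_t` target (the file is mislabeled, so fix file_contexts and relabel) and `execmod` on a library (text relocations, so rebuild the library). The log lines are constructed with made-up pids and inodes.

```python
"""Group SELinux AVC denials and draft the allow rule each group would need,
flagging the ones where 'allow' is the wrong fix.

Added example, not code from the thread or from audit2allow. The log lines
are constructed in the 2005-era kernel `avc: denied` format with made-up
pids/inodes; nothing here was captured from a real machine.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = """\
audit(1130082418.254:1085): avc:  denied  { execmod } for  pid=7905 comm="postdrop" name="libmysqlclient.so.14.0.0" dev=md3 ino=84506 scontext=root:sysadm_r:postfix_postdrop_t tcontext=system_u:object_r:shlib_t tclass=file
audit(1130082420.001:1086): avc:  denied  { read } for  pid=7910 comm="syslog-ng" name="messages" dev=md3 ino=1234 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:default_t tclass=file
audit(1130082420.002:1087): avc:  denied  { append } for  pid=7910 comm="syslog-ng" name="messages" dev=md3 ino=1234 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:default_t tclass=file
audit(1130082421.100:1088): avc:  denied  { search } for  pid=7910 comm="syslog-ng" name="log" dev=md3 ino=1200 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:default_t tclass=dir
kernel: eth0: link up, 100Mbps, full-duplex
"""


def parse_avc(line):
    """Return a dict of the key=value fields plus 'perms', or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields


def ctx_type(ctx):
    """user:role:type[:mls] -> type; the type is what allow rules are written against."""
    return ctx.split(":")[2]


def summarize(log_text):
    """{(source_type, target_type, tclass): {perm, ...}} over every AVC line in the log."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and all(k in d for k in ("scontext", "tcontext", "tclass")):
            key = (ctx_type(d["scontext"]), ctx_type(d["tcontext"]), d["tclass"])
            groups[key].update(d["perms"])
    return dict(groups)


def draft_rules(groups):
    """One allow rule per group, annotated when allowing would hide the real bug."""
    out = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        if tgt == "default_t":
            rule += "  # target is unlabeled: fix file_contexts and relabel, don't allow"
        elif "execmod" in perms:
            rule += "  # execmod on a library means text relocations: rebuild it, don't allow"
        out.append(rule)
    return out


if __name__ == "__main__":
    for r in draft_rules(summarize(SAMPLE_LOG)):
        print(r)
```

On a live box the input is `dmesg` or `/var/log/messages` once syslog is actually being allowed to write; the point of the annotations is that two of the three groups in the sample are symptoms of the problems discussed in this thread (mislabeled files and TEXTREL libraries), and an allow rule would silence the denial while leaving the defect in place.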
* Re: [gentoo-hardened] SELinux n00b questions
From: Dale Pontius @ 2005-10-27 1:33 UTC
To: gentoo-hardened

Chris PeBenito wrote:
> On Sun, 2005-10-23 at 13:54 -0400, Dale Pontius wrote:
> > I decided to remove it and install syslog-ng. That appeared to work at
> > first. But as far as I can tell, nothing has been logged since the first
> > time I put the system into enforcing mode.
>
> Need to see some denials to better understand what's going on.

I get no denials. Once I go enforcing, I get no logging, whatsoever.
Even after switching back to non-enforcing, logging doesn't start up,
again.

However, I think I've got a clue. My basic system has 4 partitions:
/ (root) - ext3
swap
/home - xfs (I planned for maildirs and news spool to end up, here.)
/tmpvar - ext3

I suspect the last entry is my problem. The tmpvar partition has 3
directories, tmp, var, and chroot. From the root directory, all 3 of
those entries are symlinks into tmpvar. The idea was to keep root
read-mostly, possibly read-only, and have the read/write stuff on
tmpvar.

However, if I do a ls -Z / and look at tmpvar, tmp, and var I see:
lrwxr-xr-x root root system_u:object_r:default_t tmp (->../tmpvar/tmp)
drwxr-xr-x root root system_u:object_r:default_t tmpvar
lrwxr-xr-x root root system_u:object_r:var_t var (->../tmpvar/var)

If I look inside /var, everything is system_u:object_r:default_t. I
suspect that last part is wrong, and they should have been var_t.

Does this sound like it might be my problem?

One workaround might be to mount the volume as /var, and then symlink
/tmp and /chroot into directories there, since they appear to have no
special labelling.

Another possibility might be to use bind mounts instead of symlinks.

A peek around google suggested that "overlabeling" might be a problem,
but other than a nondescript/unused mount point, access to the
directories is exclusive. I'd prefer to keep the separation, and I'd
rather not crack into more partitions, since too many has always given
me slack space in the wrong partition.

> > 2: Can't ssh in when the system is enforcing. I've checked the sestatus
> > -v results, and everything looks ok. I've never seen a bogus console or
> > log message, but then again, see (1). Here's what I get:
> > user1@here ~ $ ssh -v user2@there
>
> Again, need to see some denials on the server, and logs from sshd if
> they have anything interesting other than the failed login message.

Again, no logging, no denials. I did notice one anomaly, going through
the FAQ. Everything was correct according to "sestatus -v" except that
there was no file context entry for /sbin/unix_chkpwd. In fact, there
was no file at all called /sbin/unix_chkpwd, but there was a
/usr/sbin/unix_chkpwd. Nor was there a file context entry for
/usr/sbin/unix_chkpwd, although "ls -Z /usr/sbin/unix_chkpwd" showed the
right context. It just wasn't "active???"

For jollies, I copied /usr/sbin/unix_chkpwd to /sbin/unix_chkpwd, and did
a "make relabel" and got the right label on it, and the file context is
correct now. But still no-go on ssh while enforcing.

At this point, I'll mention that I'm using 2005.1, and one post dated
during the Summer mentioned that it wasn't quite ready for prime-time.
But given that there were 2004.1 and 2005.1 profiles available, I had
chosen the most recent.

> > 3: There isn't much about "standard practice".
> > What kinds of admin tasks can I perform while the system is enforcing?
> > What kinds of admin tasks do I have to drop out of enforcing for?
>
> The goal is to always enforce. Ideally, you should never have to switch
> to permissive to do admin tasks.

This includes updating packages? I believe I've seen something fly by
about relabeling individual packages.

> > I presume emerging a new policy requires "make load". What requires "make
> > relabel"?
>
> You should generally relabel after switching from permissive back to
> enforcing. That may also mean restarting if processes aren't in the
> right context. Other than that, you shouldn't need a complete relabel
> except in recovery type situations. Or massive policy changes.

You do "make relabel" while in enforcing mode? I inferred from the
handbook that it should be done before changing over.

> > What about things that don't have a policy? Like dovecot, leafnode, etc?
> > On my old system I ran things chroot'ed. Can I still, under SELinux?
>
> Our policy is a little stagnant, since the NSA example policy will be on
> its way out, and we will be switching to Reference Policy
> (http://serefpolicy.sf.net/) when it's ready in a couple months. It will
> be a significantly easier policy to manage and develop. It'll also bring
> along with it the targeted policy, for desktops.
>
> You can run stuff chrooted, but it will likely require extra policy work
> to get things labeled right. Though, with a good MAC system like
> SELinux, the usefulness of chroot is questionable.

At some point I'd like to learn more about writing policy, if only
because that may be what it takes to get leafnode support. In the
meantime, will my software with no policy work, and what are the
implications?

As for chroot, I'd like to consider SELinux another layer, not a silver
bullet. That says I'd like to keep the chroot, even if it means doing
the policy work myself, someday.

Thanks for taking the time to answer. SELinux is a complex-looking beast,
and it's taken me some time to decide to jump in. I guess I'd consider
myself part of the "next wave" where less-than-experts start to use it.

Dale Pontius
* Re: [gentoo-hardened] SELinux n00b questions
From: Chris PeBenito @ 2005-10-31 3:19 UTC
To: gentoo-hardened

On Wed, 2005-10-26 at 21:33 -0400, Dale Pontius wrote:
> Chris PeBenito wrote:
> > On Sun, 2005-10-23 at 13:54 -0400, Dale Pontius wrote:
> > > I decided to remove it and install syslog-ng. That appeared to work at
> > > first. But as far as I can tell, nothing has been logged since the first
> > > time I put the system into enforcing mode.
> >
> > Need to see some denials to better understand what's going on.
>
> I get no denials. Once I go enforcing, I get no logging, whatsoever.
> Even after switching back to non-enforcing, logging doesn't start
> up, again.
>
> However, I think I've got a clue. My basic system has 4 partitions:
> / (root) - ext3
> swap
> /home - xfs (I planned for maildirs and news spool to end up, here.)
> /tmpvar - ext3
>
> I suspect the last entry is my problem. The tmpvar partition has
> 3 directories, tmp, var, and chroot. From the root directory, all
> 3 of those entries are symlinks into tmpvar. The idea was to keep
> root read-mostly, possibly read-only, and have the read/write stuff
> on tmpvar.
>
> However, if I do a ls -Z / and look at tmpvar, tmp, and var I see:
> lrwxr-xr-x root root system_u:object_r:default_t tmp (->../tmpvar/tmp)
> drwxr-xr-x root root system_u:object_r:default_t tmpvar
> lrwxr-xr-x root root system_u:object_r:var_t var (->../tmpvar/var)
> If I look inside /var, everything is system_u:object_r:default_t. I
> suspect that last part is wrong, and they should have been var_t.
>
> Does this sound like it might be my problem?

Default_t is a label you never want to see. It means that when labeling,
the file had no match in file_contexts. You need to add matches for all
of the files in /tmpvar/var and /tmpvar/tmp since they are in nonstandard
locations. You can add them to file_contexts/misc/local.fc (creating it
is ok). You can look at the other .fc's for more info.

> One workaround might be to mount the volume as /var, and then
> symlink /tmp and /chroot into directories there, since they appear
> to have no special labelling.

No, you'll just have to have a different nonstandard labeling
configuration. /var will be right, but you'll still have to add matches
for tmp and chroot. However, this is probably the easiest to do, since
/tmp has few matches to fix whereas /var has many, and you have to
provide matches for /chroot anyway.

> Another possibility might be to use bind mounts instead of symlinks.

This won't help in this case since setfiles will ignore bind mounts.

> > > 2: Can't ssh in when the system is enforcing. I've checked the sestatus
> > > -v results, and everything looks ok. I've never seen a bogus console or
> > > log message, but then again, see (1). Here's what I get:
> > > user1@here ~ $ ssh -v user2@there
> >
> > Again, need to see some denials on the server, and logs from sshd if
> > they have anything interesting other than the failed login message.
>
> Again, no logging, no denials.

Won't be able to fix this until logging is fixed.

> I did notice one anomaly, going through
> the FAQ. Everything was correct according to "sestatus -v" except that
> there was no file context entry for /sbin/unix_chkpwd. In fact, there was
> no file at all called /sbin/unix_chkpwd, but there was a
> /usr/sbin/unix_chkpwd.

An entry for /usr/sbin/unix_chkpwd just needs to be added in
/etc/sestatus.conf. /sbin/unix_chkpwd was moved to /usr/sbin.

> > > 3: There isn't much about "standard practice".
> > > What kinds of admin tasks can I perform while the system is enforcing?
> > > What kinds of admin tasks do I have to drop out of enforcing for?
> >
> > The goal is to always enforce. Ideally, you should never have to switch
> > to permissive to do admin tasks.
>
> This includes updating packages? I believe I've seen something fly by
> about relabeling individual packages.

If you merge apache for example, but the apache policy isn't loaded, its
files won't have the right context. You have to relabel it before using
it, which is what you're being warned about.

> > > I presume emerging a new policy requires "make load". What requires "make
> > > relabel"?
> >
> > You should generally relabel after switching from permissive back to
> > enforcing. That may also mean restarting if processes aren't in the
> > right context. Other than that, you shouldn't need a complete relabel
> > except in recovery type situations. Or massive policy changes.
>
> You do "make relabel" while in enforcing mode? I inferred from the
> handbook that it should be done before changing over.

Very much depends on the state of the system, and the circumstances.
Generally, the shorter amount of time in permissive, the better.

> > > What about things that don't have a policy? Like dovecot, leafnode, etc?
> > > On my old system I ran things chroot'ed. Can I still, under SELinux?
> >
> > Our policy is a little stagnant, since the NSA example policy will be on
> > its way out, and we will be switching to Reference Policy
> > (http://serefpolicy.sf.net/) when it's ready in a couple months. It will
> > be a significantly easier policy to manage and develop. It'll also bring
> > along with it the targeted policy, for desktops.
> >
> > You can run stuff chrooted, but it will likely require extra policy work
> > to get things labeled right. Though, with a good MAC system like
> > SELinux, the usefulness of chroot is questionable.
>
> At some point I'd like to learn more about writing policy, if only
> because that may be what it takes to get leafnode support. In the
> meantime, will my software with no policy work, and what are the
> implications?

Any access that is not explicitly allowed is denied. Without a proper
policy, the process will be running in some other context, and thus be
subject to those rules. Unless it's a pretty simple program, it will
most likely be broken.

> As for chroot, I'd like to consider SELinux another layer, not a silver
> bullet. That says I'd like to keep the chroot, even if it means doing
> the policy work myself, someday.

--
Chris PeBenito <pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
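Chris's explanation of `default_t` and of `local.fc` comes down to how setfiles resolves a path: every file_contexts entry is a regex anchored at both ends, an optional type field (`-d`, `--`, `-l`, ...) restricts it to one kind of object, `<<none>>` means "leave this path alone", and when several entries match, the last one in the list wins, so a catch-all `/.*` entry at the top becomes the label for anything nothing more specific covers. The resolver below is an added example, not code from the thread, from libselinux or from Gentoo's policy; the spec lists are a constructed subset written in file_contexts syntax. It shows why `/var(/.*)?` never matches `/tmpvar/var/log/messages` (so that path falls through to `default_t`), what a `local.fc` for Dale's layout has to add, and why a `--` entry such as `(/usr)?/sbin/unix_chkpwd` only labels a regular file.

```python
"""Resolve paths against file_contexts the way setfiles/matchpathcon do:
last matching spec wins, an optional type field restricts the object kind,
and <<none>> means leave the path alone.

Added example, not code from the thread, libselinux or Gentoo's policy.
BASE_FC and LOCAL_FC are constructed subsets in file_contexts syntax.
"""
import re

FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}

# Constructed base policy. The catch-all /.* -> default_t comes first, so any
# path that nothing later matches ends up default_t, exactly as seen on the
# files under /tmpvar/var in the thread.
BASE_FC = """
/.*                         system_u:object_r:default_t
/tmp                    -d  system_u:object_r:tmp_t
/tmp/.*                     <<none>>
/var(/.*)?                  system_u:object_r:var_t
/var/log(/.*)?              system_u:object_r:var_log_t
(/usr)?/sbin/unix_chkpwd --  system_u:object_r:chkpwd_exec_t
"""

# What a file_contexts/misc/local.fc for the /tmpvar layout would add.
LOCAL_FC = """
/tmpvar/var(/.*)?           system_u:object_r:var_t
/tmpvar/var/log(/.*)?       system_u:object_r:var_log_t
/tmpvar/tmp             -d  system_u:object_r:tmp_t
/tmpvar/tmp/.*              <<none>>
"""


def parse_file_contexts(text):
    """Lines: <regex> [<type>] <context>; '#' starts a comment; regex anchored ^...$."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
            if ftype not in FILE_TYPES:
                raise ValueError("bad file type field: " + raw)
            ftype = FILE_TYPES[ftype]
        elif len(parts) == 2:
            (regex, ctx), ftype = parts, None
        else:
            raise ValueError("bad spec: " + raw)
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs


def match_context(specs, path, kind="file"):
    """Walk the list backwards so the last matching spec wins.
    Returns the context, or None for <<none>> / no match at all."""
    for regex, ftype, ctx in reversed(specs):
        if ftype is not None and ftype != kind:
            continue
        if regex.match(path):
            return None if ctx == "<<none>>" else ctx
    return None


def unlabeled(specs, paths, kind="file"):
    """Paths that would fall through to default_t: the ones setfiles leaves wrong."""
    return [p for p in paths
            if match_context(specs, p, kind) == "system_u:object_r:default_t"]


if __name__ == "__main__":
    base = parse_file_contexts(BASE_FC)
    full = base + parse_file_contexts(LOCAL_FC)
    for p in ["/var/log/messages", "/tmpvar/var/log/messages", "/tmpvar/tmp/x"]:
        print(p, match_context(base, p), "->", match_context(full, p))
```

Two things worth checking before trusting a `local.fc` on a real box: run `unlabeled()` over a `find` listing of the moved tree to confirm nothing still falls through to `default_t`, and keep the more specific entries (`/tmpvar/var/log`) after the general ones (`/tmpvar/var`), since ordering, not specificity, is what decides the winner here.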
* Re: [gentoo-hardened] SELinux n00b questions
From: Dale Pontius @ 2005-11-14 1:51 UTC
To: gentoo-hardened

Most of this is replies to specific sections, below. But given greater
functionality, I have a new question, too.

I decided to try running BIND on the SELinux system. I get this message:
 * Starting named ...
named: capset failed: Operation not permitted: please ensure that the
capset kernel module is loaded. see insmod(8)

I've made sure that "commoncap" was built and loaded prior to trying to
start BIND. A bit of google searching, and this seemed to have helped
everyone else, but not me. Or might this be linked into the fact that I
don't have /tmp properly labeled, yet? I don't see anything in /tmp on
this system, and looking with "lsof -c named" on another system currently
running BIND, I don't see any files in /tmp. I'm not trying to chroot
bind at this point, just get it running.

Chris PeBenito wrote:
> <snip>
>
> No, you'll just have to have a different nonstandard labeling
> configuration. /var will be right, but you'll still have to add matches
> for tmp and chroot. However, this is probably the easiest to do,
> since /tmp has few matches to fix whereas /var has many, and you have to
> provide matches for /chroot anyway.

Shuffling my partitions worked wonders. Logging now works, and I can ssh
in while the system is in enforcing mode. To date, I've just gotten the
/var stuff into the right place. I haven't fiddled with /tmp or /chroot
yet, but things are much more functional. (But not yet fully)

> <snip>
>
> > I did notice one anomaly, going through
> > the FAQ. Everything was correct according to "sestatus -v" except that
> > there was no file context entry for /sbin/unix_chkpwd. In fact, there was
> > no file at all called /sbin/unix_chkpwd, but there was a
> > /usr/sbin/unix_chkpwd.
>
> An entry for /usr/sbin/unix_chkpwd just needs to be added
> in /etc/sestatus.conf. /sbin/unix_chkpwd was moved to /usr/sbin.

I'd changed the entry in /etc/sestatus.conf, (and removed the
/sbin/unix_chkpwd) and I believe this is part of getting ssh running
while in enforcing mode. But it brings up another question... It appears
to me that /etc/sestatus.conf is really derived when the policy is
compiled, and that I need to go into the original source in order to make
this change persist. Correct?

At one point, I could have sworn I saw a notation like:
"(/usr)?/sbin/unix_chkpwd"
that looks like it should have matched either "/sbin/unix_chkpwd" or
"/usr/sbin/unix_chkpwd". But looking now, I can't find it, and it should
have prevented my problem from ever happening.

Along those lines, I should go looking for /tmp and /chroot in the src
tree, I presume? Update there and "make load", etc?

> > > > 3: There isn't much about "standard practice".
> > > > What kinds of admin tasks can I perform while the system is enforcing?
> > > > What kinds of admin tasks do I have to drop out of enforcing for?
> > >
> > > The goal is to always enforce. Ideally, you should never have to switch
> > > to permissive to do admin tasks.
> >
> > This includes updating packages? I believe I've seen something fly by
> > about relabeling individual packages.
>
> If you merge apache for example, but the apache policy isn't loaded,
> its files won't have the right context. You have to relabel it before
> using it, which is what you're being warned about.

Now that I have the /var working right, I can "emerge sync" and "emerge
-atuvDN world" without problems. The system spends most of its time in
enforcing mode.

<snip>

> > > > What about things that don't have a policy? Like dovecot, leafnode, etc?
> > > > On my old system I ran things chroot'ed. Can I still, under SELinux?
> > >
> > > Our policy is a little stagnant, since the NSA example policy will be on
> > > its way out, and we will be switching to Reference Policy
> > > (http://serefpolicy.sf.net/) when it's ready in a couple months. It will
> > > be a significantly easier policy to manage and develop. It'll also bring
> > > along with it the targeted policy, for desktops.

I see where Fedora Core 3/4 has a policy for Dovecot. Is this likely
based on the example policy, in which case I could grab it and try
working with it, or is FC4 likely already on the Reference Policy?

> > > You can run stuff chrooted, but it will likely require extra policy work
> > > to get things labeled right. Though, with a good MAC system like
> > > SELinux, the usefulness of chroot is questionable.
> >
> > At some point I'd like to learn more about writing policy, if only
> > because that may be what it takes to get leafnode support. In the
> > meantime, will my software with no policy work, and what are the
> > implications?
>
> Any access that is not explicitly allowed is denied. Without a proper
> policy, the process will be running in some other context, and thus be
> subject to those rules. Unless it's a pretty simple program, it will
> most likely be broken.
>
> > As for chroot, I'd like to consider SELinux another layer, not a silver
> > bullet. That says I'd like to keep the chroot, even if it means doing
> > the policy work myself, someday.

Just glancing through the policy source, I see where policy provisions
are already made for using named and dhcpd chrooted. Obviously I'll need
to update for my mount mess.

Thanks,
Dale
* Re: [gentoo-hardened] SELinux n00b questions
  2005-11-14  1:51 ` Dale Pontius
@ 2005-11-14  8:20 ` Peter Shaw
  2005-11-14 22:37 ` Dale Pontius
  0 siblings, 1 reply; 34+ messages in thread
From: Peter Shaw @ 2005-11-14 8:20 UTC
To: gentoo-hardened

On Monday 14 November 2005 02:51, Dale Pontius wrote:
> I decided to try running BIND on the SELinux system. I get this message:
>  * Starting named ...
> named: capset failed: Operation not permitted: please ensure that the
> capset kernel module is loaded. see insmod(8)
>
> I've made sure that "commoncap" was built and loaded prior to trying to
> start BIND. A bit of google searching, and this seemed to have helped
> everyone else, but not me.

I had the same problem and googled it, and the module I found I had to put
into /etc/modules.autoload.d/kernel-2.6 was "capability", not "commoncap".
But perhaps you're using a 2.4 kernel and it's different - I just subscribed
to the mailing list and didn't see the original post.
* Re: [gentoo-hardened] SELinux n00b questions
  2005-11-14  8:20 ` Peter Shaw
@ 2005-11-14 22:37 ` Dale Pontius
  2005-11-14 22:53 ` Antoine Martin
  2005-11-15  1:23 ` Dale Pontius
  0 siblings, 2 replies; 34+ messages in thread
From: Dale Pontius @ 2005-11-14 22:37 UTC
To: gentoo-hardened

Peter Shaw wrote:
> On Monday 14 November 2005 02:51, Dale Pontius wrote:
>> I decided to try running BIND on the SELinux system. I get this message:
>>  * Starting named ...
>> named: capset failed: Operation not permitted: please ensure that the
>> capset kernel module is loaded. see insmod(8)
>>
>> I've made sure that "commoncap" was built and loaded prior to trying to
>> start BIND. A bit of google searching, and this seemed to have helped
>> everyone else, but not me.
>
> I had the same problem and googled it, and the module I found I had to put
> into /etc/modules.autoload.d/kernel-2.6 was "capability", not "commoncap".
> But perhaps you're using a 2.4 kernel and it's different - I just subscribed
> to the mailing list and didn't see the original post.

I saw the "capability" stuff too, and thought that was the same as
"commoncap". So now I have to ask... Where do you turn on "capability"?
I did a "grep CAP .config" and got only 2 entries, the one that produced
commoncap, and another that was completely unrelated. (sound, maybe?)
I'm running 2.6, by the way.

Dale
* Re: [gentoo-hardened] SELinux n00b questions
  2005-11-14 22:37 ` Dale Pontius
@ 2005-11-14 22:53 ` Antoine Martin
  2005-11-15  1:23 ` Dale Pontius
  1 sibling, 0 replies; 34+ messages in thread
From: Antoine Martin @ 2005-11-14 22:53 UTC
To: gentoo-hardened

On Mon, 2005-11-14 at 17:37 -0500, Dale Pontius wrote:
> Peter Shaw wrote:
> > On Monday 14 November 2005 02:51, Dale Pontius wrote:
> >> I decided to try running BIND on the SELinux system. I get this message:
> >>  * Starting named ...
> >> named: capset failed: Operation not permitted: please ensure that the
> >> capset kernel module is loaded. see insmod(8)
> >>
> >> I've made sure that "commoncap" was built and loaded prior to trying to
> >> start BIND. A bit of google searching, and this seemed to have helped
> >> everyone else, but not me.
> >
> > I had the same problem and googled it, and the module I found I had to put
> > into /etc/modules.autoload.d/kernel-2.6 was "capability", not "commoncap".
> > But perhaps you're using a 2.4 kernel and it's different - I just subscribed
> > to the mailing list and didn't see the original post.
>
> I saw the "capability" stuff too, and thought that was the same as
> "commoncap". So now I have to ask... Where do you turn on "capability"?
> I did a "grep CAP .config" and got only 2 entries, the one that produced
> commoncap, and another that was completely unrelated. (sound, maybe?)
> I'm running 2.6, by the way.

In the kernel security options:
    CONFIG_SECURITY_CAPABILITIES=y
module name: 'capability'

Antoine
* Re: [gentoo-hardened] SELinux n00b questions
  2005-11-14 22:37 ` Dale Pontius
  2005-11-14 22:53 ` Antoine Martin
@ 2005-11-15  1:23 ` Dale Pontius
  1 sibling, 0 replies; 34+ messages in thread
From: Dale Pontius @ 2005-11-15 1:23 UTC
To: gentoo-hardened

Dale Pontius wrote:
> Peter Shaw wrote:
>
>> On Monday 14 November 2005 02:51, Dale Pontius wrote:
>>
>>> I decided to try running BIND on the SELinux system. I get this
>>> message:
>>>  * Starting named ...
>>> named: capset failed: Operation not permitted: please ensure that the
>>> capset kernel module is loaded. see insmod(8)
>>>
>>> I've made sure that "commoncap" was built and loaded prior to trying to
>>> start BIND. A bit of google searching, and this seemed to have helped
>>> everyone else, but not me.
>>
>> I had the same problem and googled it, and the module I found I had
>> to put into /etc/modules.autoload.d/kernel-2.6 was "capability", not
>> "commoncap". But perhaps you're using a 2.4 kernel and it's different
>> - I just subscribed to the mailing list and didn't see the original
>> post.
>
> I saw the "capability" stuff too, and thought that was the same as
> "commoncap". So now I have to ask... Where do you turn on "capability"?
> I did a "grep CAP .config" and got only 2 entries, the one that produced
> commoncap, and another that was completely unrelated. (sound, maybe?)
> I'm running 2.6, by the way.

Never mind... Found it, and it was already built with my current
configuration. I just had to modprobe it, and BIND starts. But I still
don't know which kernel config switch turned it on.

Oh well, my Gentoo SELinux server is now serving something, instead of
just consuming electricity and teaching me.

Dale
* Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
  2005-10-22 18:10 ` solar
  2005-10-23 17:54 ` [gentoo-hardened] SELinux n00b questions Dale Pontius
@ 2005-10-23 19:06 ` Antoine Martin
  1 sibling, 0 replies; 34+ messages in thread
From: Antoine Martin @ 2005-10-23 19:06 UTC
To: gentoo-hardened; +Cc: SELinux

> > > #1
> > > qlist mysql | scanelf -qtf -
> > TEXTREL /usr/lib/mysql/libmysqlclient.so
> > TEXTREL /usr/lib/mysql/libmysqlclient_r.so
> > TEXTREL /usr/lib/libmysqlclient.so
> > TEXTREL /usr/lib/libmysqlclient.so.14.0.0
> > TEXTREL /usr/lib/libmysqlclient_r.so
> > TEXTREL /usr/lib/libmysqlclient_r.so.14.0.0
>
> Looks like you do in fact have textrels in your mysql.
> I've seen this happen before when linked with a miscompiled
> libcrypto.so

I've rebuilt openssl, but this hasn't helped...

> > > #2
> > > scanelf -a /usr/lib/libmysqlclient.so.14
> > Nothing here
>
> If nothing here then chances are you're running scanelf while trying to
> enforce and no such policy exists for scanelf.

I must have done it wrong (it works even in enforcing mode now):

TYPE   PAX    STK/REL/PTL TEXTREL RPATH BIND FILE
ET_DYN ---xe- RW- --- RW- TEXTREL -     LAZY /usr/lib/libmysqlclient.so.14

> > > #3

TYPE   PAX    STK/REL/PTL TEXTREL RPATH BIND FILE
ET_DYN ---xe- RW- R-- RW- -       -     LAZY /lib/libcrypt.so.1
ET_DYN ---xe- RW- R-- RW- -       -     LAZY /lib/libnsl.so.1
ET_DYN ---xe- RW- R-- RW- -       -     LAZY /lib/libm.so.6
ET_DYN ---xe- RW- --- RW- -       -     LAZY /lib/libz.so.1
ET_DYN ---xe- RW- R-- RW- -       -     NOW  /lib/libc.so.6
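The scanelf output above flags TEXTREL on libmysqlclient and on nothing else it links against, which is the root of the execmod denial in the original post: a shared object with text relocations makes ld.so write into its text segment, so the loader mprotect()s that segment writable, patches it, then asks for PROT_EXEC back, and that last step is what SELinux gates with the execmod permission ("cannot restore segment prot after reloc"). The Python below is an added example, not code from the thread or from pax-utils: it performs the same check scanelf -t does at the ELF level, by walking the PT_DYNAMIC segment for a DT_TEXTREL entry or the DF_TEXTREL bit in DT_FLAGS. Because the libraries named in the thread are not available offline, it also constructs a minimal synthetic ELF64 image (not loadable, just enough structure for the scan) to exercise both positive and negative cases. It assumes little-endian ELF64 input; ELF32 and big-endian objects are deliberately rejected rather than misread.

```python
import struct
import sys

# ELF64 constants as defined in <elf.h> / the ELF gABI.
ET_DYN = 3          # shared object
PT_DYNAMIC = 2      # program header that locates the dynamic section
DT_NULL = 0         # terminator of the dynamic section
DT_TEXTREL = 22     # legacy marker: relocations modify a non-writable segment
DT_FLAGS = 30       # flag word; DF_TEXTREL carries the same meaning as DT_TEXTREL
DF_TEXTREL = 0x4


def has_textrel(image):
    """Return True if a little-endian ELF64 image declares text relocations.

    This is the condition scanelf -t reports as TEXTREL. Such an object forces
    ld.so to mprotect() its text segment writable, apply the relocations and
    then restore PROT_EXEC; under SELinux that restore needs execmod on the
    library's file context, which is the denial seen in the original post.
    """
    if len(image) < 64 or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("only little-endian ELFCLASS64 images are handled here")
    (e_phoff,) = struct.unpack_from("<Q", image, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 54)
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", image, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 16 <= end:            # each Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", image, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
            pos += 16
    return False


def build_sample_elf64(textrel_tag=False, textrel_flag=False):
    """Construct a minimal synthetic ELF64 shared object for testing has_textrel().

    The image is NOT loadable (no code, no sections); it only has a valid
    header, one PT_DYNAMIC program header and a dynamic section, which is all
    the scan above looks at.
    """
    ehdr_size, phdr_size = 64, 56
    dyn_off = ehdr_size + phdr_size
    dyn = b""
    if textrel_tag:
        dyn += struct.pack("<qQ", DT_TEXTREL, 0)
    dyn += struct.pack("<qQ", DT_FLAGS, DF_TEXTREL if textrel_flag else 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)

    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # class64, LSB, v1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN, 0x3E, 1, 0,        # e_type, e_machine (x86-64), e_version, e_entry
        ehdr_size, 0, 0,           # e_phoff (phdrs follow the header), e_shoff, e_flags
        ehdr_size, phdr_size, 1,   # e_ehsize, e_phentsize, e_phnum
        0, 0, 0)                   # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack(
        "<IIQQQQQQ",
        PT_DYNAMIC, 6,             # p_type, p_flags (PF_R|PF_W)
        dyn_off, dyn_off, dyn_off, # p_offset, p_vaddr, p_paddr
        len(dyn), len(dyn), 8)     # p_filesz, p_memsz, p_align
    return ehdr + phdr + dyn


def file_has_textrel(path):
    """Convenience wrapper: scan an on-disk shared object."""
    with open(path, "rb") as f:
        return has_textrel(f.read())


if __name__ == "__main__":
    # Usage: python textrel.py /usr/lib/libmysqlclient.so.14 [...]
    for p in sys.argv[1:]:
        print("TEXTREL" if file_has_textrel(p) else "-", p)
```

On a real system, pointing file_has_textrel() at the libraries from the #3 listing reproduces scanelf's columns: libmysqlclient.so.14 reports TEXTREL, the glibc objects do not. The fix the thread converges on is to rebuild the library without text relocations (PIC, no hand-written non-PIC assembly), not to grant execmod, since execmod on shlib_t would let any process in that domain turn a writable library mapping back into executable code.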
Thread overview: 34+ messages

2005-10-22 14:15 [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod? Antoine Martin
2005-10-22 14:39 ` Dave Strydom
2005-10-22 16:33 ` Antoine Martin
2005-10-22 16:38 ` Antoine Martin
2005-10-22 14:53 ` pageexec
2005-10-22 15:45 ` Antoine Martin
2005-10-22 15:53 ` pageexec
2005-10-22 16:37 ` Antoine Martin
2005-10-22 17:24 ` pageexec
2005-10-22 17:31 ` Antoine Martin
2005-10-22 17:56 ` Petre Rodan
2005-10-23 20:42 ` Antoine Martin
2005-10-24 13:47 ` pageexec
2005-10-24 19:15 ` Antoine Martin
2005-10-24 21:23 ` pageexec
2005-10-24 21:29 ` Antoine Martin
2005-10-24 23:05 ` pageexec
2005-10-25 10:45 ` Antoine Martin
2005-10-25 12:04 ` pageexec
2005-10-25 18:52 ` solar
2005-10-25 20:55 ` [gentoo-hardened] " Antoine Martin
2005-10-22 17:31 ` [gentoo-hardened] " solar
2005-10-22 17:41 ` Antoine Martin
2005-10-22 18:10 ` solar
2005-10-23 17:54 ` [gentoo-hardened] SELinux n00b questions Dale Pontius
2005-10-26 22:59 ` Chris PeBenito
2005-10-27  1:33 ` Dale Pontius
2005-10-31  3:19 ` Chris PeBenito
2005-11-14  1:51 ` Dale Pontius
2005-11-14  8:20 ` Peter Shaw
2005-11-14 22:37 ` Dale Pontius
2005-11-14 22:53 ` Antoine Martin
2005-11-15  1:23 ` Dale Pontius
2005-10-23 19:06 ` [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod? Antoine Martin