Help with selinux. Allow file execution in /etc/security

borisconrado
Posts: 4
Joined: 2013/12/03 12:03:07

Help with selinux. Allow file execution in /etc/security

Post by borisconrado » 2014/05/21 07:19:16

Hi

I need help with setting up SELinux. I want to allow execution of the bash script:

/etc/security/onsessionclose
This script is executed by the PAM module pam_script when a user session is closed. Inside the script there are commands that remove the /home/domains/user directory.
I was trying to change the file context, but truly I cannot understand how it works. Below are some entries from audit.log referring to the onsessionclose script:

type=AVC msg=audit(1400655248.256:337): avc:  denied  { execute_no_trans } for  pid=11695 comm="login" path="/etc/security/onsessionclose" dev=dm-0 ino=394211 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0 tclass=file
type=AVC msg=audit(1400655661.345:356): avc:  denied  { execute } for  pid=11780 comm="crond" name="onsessionclose" dev=dm-0 ino=394211 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0 tclass=file
type=AVC msg=audit(1400655917.496:359): avc:  denied  { execute } for  pid=11797 comm="su" name="onsessionclose" dev=dm-0 ino=394211 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0 tclass=file
type=AVC msg=audit(1400656299.827:362): avc:  denied  { execute } for  pid=11801 comm="su" name="onsessionclose" dev=dm-0 ino=394211 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0 tclass=file
type=AVC msg=audit(1400656451.035:364): avc:  denied  { execute } for  pid=11835 comm="gdm-session-wor" name="onsessionclose" dev=dm-0 ino=394211 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0 tclass=file

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: Help with selinux. Allow file execution in /etc/security

Post by unspawn » 2014/05/24 11:13:24

Running the AVC messages through audit2allow yields four rules:

allow crond_t local_login_t:file execute;
allow unconfined_t local_login_t:file execute;
allow xdm_t local_login_t:file execute;
allow local_login_t self:file execute_no_trans;
basically allowing three domains, including unconfined_t, to execute the file, and one for the local_login_t domain to execute the file but without a domain transition (execute_no_trans). What's missing from your post is a '\ls -alZ /etc/security/onsessionclose;' to confirm the file is already in the local_login_t domain. (I wonder, though, why the file should be in /etc/security? FSSTND-wise (or whatever scheme is current) I'd prefer local additions to be in /usr/local/(s?)bin...) crond and the DM will run as their own user (be careful, though: why should cron run the script?), so that leaves the unconfined_t domain, which is the default for unprivileged users. While I'm no SELinux guru, the change doesn't seem a risk to me; I hope somebody corrects me. I do wonder about the script itself, though: say I log into my DE and then SSH into the same account and log out, will the script then remove my home directory prematurely? ;-p
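As an added illustration (not part of this thread, and not the real audit2allow tool), the following Python reproduces the reduction step audit2allow performs on the AVC records above: it extracts the source type, target type, object class and denied permissions from each record, merges duplicates (the two su denials collapse into one rule), and writes the target as `self` when source and target type coincide. It also exposes the target types seen in the denials, which is the quickest way to see what label the file currently carries before deciding whether to write an allow rule or to relabel the file. The sample input is the thread's own five AVC lines, embedded here as constructed test data; the function names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample input: the five AVC records quoted in the question above.
AVC_LINES = """\
type=AVC msg=audit(1400655248.256:337): avc:  denied  { execute_no_trans } for  pid=11695 comm="login" path="/etc/security/onsessionclose" dev=dm-0 ino=394211 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0 tclass=file
type=AVC msg=audit(1400655661.345:356): avc:  denied  { execute } for  pid=11780 comm="crond" name="onsessionclose" dev=dm-0 ino=394211 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0 tclass=file
type=AVC msg=audit(1400655917.496:359): avc:  denied  { execute } for  pid=11797 comm="su" name="onsessionclose" dev=dm-0 ino=394211 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0 tclass=file
type=AVC msg=audit(1400656299.827:362): avc:  denied  { execute } for  pid=11801 comm="su" name="onsessionclose" dev=dm-0 ino=394211 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0 tclass=file
type=AVC msg=audit(1400656451.035:364): avc:  denied  { execute } for  pid=11835 comm="gdm-session-wor" name="onsessionclose" dev=dm-0 ino=394211 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0 tclass=file
"""

# Matches the parts of an AVC denial that a policy rule is built from:
# the permission set in braces, then scontext / tcontext / tclass.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': m.group('perms').split(),
        'stype': context_type(m.group('scon')),
        'ttype': context_type(m.group('tcon')),
        'tclass': m.group('tclass'),
    }


def allow_rules(audit_text):
    """Reduce AVC denials to a minimal list of 'allow' rules, audit2allow-style.

    Rules are keyed on (source type, target type, class); permissions for the
    same key are merged, and a target equal to the source is written as 'self'.
    """
    grouped = OrderedDict()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        grouped.setdefault(key, set()).update(rec['perms'])

    rules = []
    for (stype, ttype, tclass), perms in grouped.items():
        target = 'self' if stype == ttype else ttype
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ ' + perm_text + ' }'
        rules.append('allow %s %s:%s %s;' % (stype, target, tclass, perm_text))
    return rules


def target_types(audit_text):
    """Set of target types named in the denials, i.e. the label(s) the object has now."""
    return {rec['ttype']
            for rec in map(parse_avc, audit_text.splitlines())
            if rec is not None}


if __name__ == '__main__':
    for rule in allow_rules(AVC_LINES):
        print(rule)
    print('file currently labelled:', ', '.join(sorted(target_types(AVC_LINES))))
```

Running it on the sample prints the same four rules unspawn lists, and reports that every denial names `local_login_t` as the target type, which is exactly the label the `ls -alZ` check in the reply is meant to confirm. On a real system the generated rules would go through `audit2allow -M` and `semodule -i`; this script only shows how the rules are derived from the log.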
