Policies for openlmi-* packages will be a bit complicated (maybe not). Openlmi is using pegasus, which is dynamically loading providers (shared libraries), and we need to set policy for each such library in openlmi. For setting the selinux context we are using a wrapping script, and the final execution process looks like this:

1) pegasus executes /usr/sbin/cimprovagt. Previously it was an ELF executable, now it is changed to a script.
2a) the script in 1 executes the script for the given provider/library. In the case of openlmi-account it is /usr/libexec/pegasus/cmpiLMI_Account-cimprovagt. And this script executes the original ELF binary cimprovagt.
2b) if the script in 2a (/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt) does not exist, execute the original ELF binary cimprovagt directly.

So I guess setting policy for /usr/libexec/pegasus/cmpiLMI_Account-cimprovagt would make it work. I will attach what AVC denials are now generated and what is needed to enable.
Created attachment 680328 [details] audit.log

This audit.log was generated when I ran several tests.
Created attachment 680355 [details] Output from sealert -a audit.log > audit.log.sealert.txt

This is more readable. Generally all needs to be enabled. Just one is false:

    SELinux is preventing /usr/sbin/userdel from rmdir access on the directory account_test_user.

That above is false and is a bug in the openlmi-account.
When I tried the suggested steps:

    # grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

the things don't work. I'm open to testing and suggestions.
Output from audit2allow:

    #============= pegasus_t ==============
    #!!!! The source type 'pegasus_t' can write to a 'dir' of the following types:
    # pegasus_var_run_t, pegasus_cache_t, pegasus_data_t, pegasus_tmp_t, samba_etc_t
    allow pegasus_t home_root_t:dir { write create add_name setattr };
    allow pegasus_t passwd_file_t:file { write setattr };
    allow pegasus_t shadow_t:file { write setattr };
    allow pegasus_t wtmp_t:file { read open };

    #============= useradd_t ==============
    allow useradd_t home_root_t:dir rmdir;

That useradd_t should be ignored. For those above I suppose we will introduce some new type (openlmi_account_pegasus_t is quite long).
Yes, we will need to create a new domain set for openlmi-* packages, so we will have

    pegasus_t @bin_t (/usr/sbin/cimprovagt)
      -> pegasus_t @pegasus_openlmi_whatever_exec_t (/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt)
      -> pegasus_openlmi_whatever_t
Created attachment 684235 [details] pegasus_openlmi_account test policy

Steps for Fedora 18:

1. Download it
2. semodule -i mypegasus.pp
3. chcon -t pegasus_openlmi_account_exec_t /usr/libexec/pegasus/cmpiLMI_Account-cimprovagt

and re-test it. We should see AVC msgs for pegasus_openlmi_account_t.
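The domain chain from the previous comment and the test policy above, written out as an added example (this is not the attached test policy nor the later Fedora patch; the type names are the ones used in this thread, the refpolicy interface names and the .fc line are assumptions):

```selinux
# Added example module, not the policy attached to this bug.
# Type names follow the test policy in this thread; refpolicy interface
# names (application_domain, domtrans_pattern) are assumed to be available
# from the selinux-policy-devel headers.
policy_module(pegasus_openlmi_account, 0.1)

require {
    type pegasus_t;
    type home_root_t, passwd_file_t, shadow_t, wtmp_t;
    role system_r;
}

# A separate domain for the cmpiLMI_Account provider agent, so that the
# account-management permissions below are granted to this domain only and
# NOT to pegasus_t, which runs every other provider as well.
type pegasus_openlmi_account_t;
type pegasus_openlmi_account_exec_t;
application_domain(pegasus_openlmi_account_t, pegasus_openlmi_account_exec_t)
role system_r types pegasus_openlmi_account_t;

# pegasus_t (running /usr/sbin/cimprovagt) executes the per-provider wrapper
# /usr/libexec/pegasus/cmpiLMI_Account-cimprovagt and transitions here.
# Matching .fc entry (separate file, assumed; the thread used chcon instead):
#   /usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
domtrans_pattern(pegasus_t, pegasus_openlmi_account_exec_t, pegasus_openlmi_account_t)

# Only what the audit2allow output earlier in this thread showed as required.
# The useradd_t rmdir denial is the openlmi-account bug noted above and is
# deliberately left out; later test runs may surface further AVCs to add.
allow pegasus_openlmi_account_t home_root_t:dir { write create add_name setattr };
allow pegasus_openlmi_account_t passwd_file_t:file { write setattr };
allow pegasus_openlmi_account_t shadow_t:file { write setattr };
allow pegasus_openlmi_account_t wtmp_t:file { read open };
```

Build it with the selinux-policy-devel headers (make -f /usr/share/selinux/devel/Makefile pegasus_openlmi_account.pp) and load it with semodule -i; once the wrapper is labelled pegasus_openlmi_account_exec_t, any remaining denial should name pegasus_openlmi_account_t rather than pegasus_t.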
Created attachment 685010 [details] audit.log when applied suggested semodule

Here are results. Looks like it generates more AVCs than assumed.
Created attachment 685017 [details] Output from sealert -a audit.log > audit.log.sealert.version2.txt

Output from sealert.
Actually we wanted to see them. Basically it works correctly because we ended up with pegasus_openlmi_account_t domain. Good start point.
Roman, does it execute useradd? I don't see AVC msgs for it. Or does it directly handle user accounts?
It does not execute useradd. Maybe there is some useradd because the audit.log is produced from a testing script in which I use several external binaries. But openlmi-account should not execute any other binary.
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
commit e24fa4a13908d2238886deb7b15c8f156e91f5ea
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jun 24 16:17:03 2013 +0200

    Activate policy for cmpiLMI_Account-cimprovagt
selinux-policy-3.12.1-57.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-57.fc19
Package selinux-policy-3.12.1-57.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-57.fc19'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11846/selinux-policy-3.12.1-57.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-57.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.