Friday, May 17, 2013

SELinux is preventing /sbin/iptables-multi-1.4.7 from read access on the file

Error message:
Check /var/log/messages to get an idea of the error:
=========================================================================
May 12 04:05:40 mail setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from read access on the file . For complete SELinux messages. run sealert -l 1a33e373-0b4e-4e1c-8cf7-38636b5acbde
May 12 04:05:40 mail setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from create access on the rawip_socket . For complete SELinux messages. run sealert -l c2931169-d03b-4758-92d4-f22275f7f391
May 12 04:05:40 mail setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from create access on the rawip_socket . For complete SELinux messages. run sealert -l c2931169-d03b-4758-92d4-f22275f7f391
May 12 04:05:40 mail setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from read access on the file . For complete SELinux messages. run sealert -l 1a33e373-0b4e-4e1c-8cf7-38636b5acbde
May 12 04:05:37 mail fail2ban.actions: WARNING [dovecot-pop3imap] Unban 125.19.48.106
May 12 04:05:37 mail fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-dovecot-pop3imap[ \t]' returned 100
May 12 04:05:37 mail fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
May 12 04:05:37 mail fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j fail2ban-dovecot-pop3imap#012iptables -F fail2ban-dovecot-pop3imap#012iptables -X fail2ban-dovecot-pop3imap returned 300
May 12 04:05:37 mail fail2ban.actions.action: ERROR iptables -N fail2ban-dovecot-pop3imap#012iptables -A fail2ban-dovecot-pop3imap -j RETURN#012iptables -I INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j fail2ban-dovecot-pop3imap returned 100
May 12 04:05:37 mail fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-dovecot-pop3imap[ \t]' returned 100
May 12 04:05:37 mail fail2ban.actions.action: CRITICAL Unable to restore environment
================================================================================

This error comes from SELinux; run the command below to get the full details of the SELinux denial:
sealert -l 1a33e373-0b4e-4e1c-8cf7-38636b5acbde

Check the audit.log file and you will find the denial messages below. Note that comm="iptables" is running in the fail2ban_t domain, not in its own iptables_t domain:
type=AVC msg=audit(1368773459.619:3055): avc: denied { read } for pid=6627 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
type=AVC msg=audit(1368773459.620:3056): avc: denied { create } for pid=6625 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=rawip_socket
type=AVC msg=audit(1368773459.620:3057): avc: denied { read } for pid=6625 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
type=AVC msg=audit(1368773459.622:3058): avc: denied { create } for pid=6629 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0


Resolution :


Once I checked the context of /sbin/iptables-multi-1.4.7, it showed the incorrect context below:

  • ls -lZ /sbin/iptables-multi-1.4.7
output
  • -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /sbin/iptables-multi-1.4.7

Because the binary was labeled bin_t instead of iptables_exec_t, no domain transition took place when fail2ban executed it, so iptables ran inside fail2ban_t and was denied the file and raw-socket access that iptables_t would normally have. Run the command below to correct the SELinux context:

  • restorecon -R -v /sbin/

Then run the ls -lZ command again, which now shows the correct context:

  • -rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi-1.4.7

Then restart the fail2ban service.
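The triage above can be scripted: parse the AVC lines, group the denials by source domain and object class, and compare the executable's current label with the one the file-context policy expects. This is an added example, not code from the original post; the AVC and ls -lZ lines are constructed from the post's output, and EXPECTED_TYPE stands in for what `matchpathcon /sbin/iptables-multi-1.4.7` would print on a real host.

```python
"""Triage SELinux AVC denials and check the mislabeled-executable explanation.

Added example, not part of the original post.  SAMPLE_AVC and the two ls -lZ
lines are constructed from the post's output; EXPECTED_TYPE is an assumption
standing in for the output of `matchpathcon <path>` on a real host.
"""
import re
from collections import Counter

# Constructed from the post's audit.log excerpt (the last line is truncated
# in the post as well, so it carries no tclass field).
SAMPLE_AVC = [
    'type=AVC msg=audit(1368773459.619:3055): avc: denied { read } for pid=6627 comm="iptables" '
    'scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file',
    'type=AVC msg=audit(1368773459.620:3056): avc: denied { create } for pid=6625 comm="iptables" '
    'scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=rawip_socket',
    'type=AVC msg=audit(1368773459.620:3057): avc: denied { read } for pid=6625 comm="iptables" '
    'scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file',
    'type=AVC msg=audit(1368773459.622:3058): avc: denied { create } for pid=6629 comm="iptables" '
    'scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0',
]
# Constructed `ls -lZ` output in the five-field RHEL 6 layout shown in the post.
BINARY = "/sbin/iptables-multi-1.4.7"
LS_Z_BEFORE = "-rwxr-xr-x. root root system_u:object_r:bin_t:s0 " + BINARY
LS_Z_AFTER = "-rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 " + BINARY
EXPECTED_TYPE = "iptables_exec_t"  # assumption: what matchpathcon reports for BINARY

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+'
    r'comm="(?P<comm>[^"]+)"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'(?:\s+tclass=(?P<tclass>\S+))?'
)


def context_type(ctx):
    """Type component of a user:role:type[:level] context string."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit.log line into a dict; None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    rec["tclass"] = rec["tclass"] or "unknown"   # truncated lines have no tclass
    rec["source_type"] = context_type(rec["scontext"])
    rec["target_type"] = context_type(rec["tcontext"])
    return rec


def summarize(lines):
    """Count denials by (source domain, command, object class, permissions)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            counts[(rec["source_type"], rec["comm"], rec["tclass"], rec["perms"])] += 1
    return counts


def label_of(ls_z_line):
    """Pick the security context out of an ls -lZ line (the field with two or more colons)."""
    return next((f for f in ls_z_line.split() if f.count(":") >= 2), None)


def diagnose(avc_lines, path, ls_z_line, expected_type):
    """Decide whether a wrong file label on `path` explains the denials.

    Returns the denial count, the domains the denied processes ran in, the
    binary's actual type and, if it differs from the expected type, the
    targeted restorecon command that fixes it.
    """
    records = [r for r in (parse_avc(l) for l in avc_lines) if r is not None]
    actual = label_of(ls_z_line)
    actual_type = context_type(actual) if actual else None
    mislabeled = actual_type is not None and actual_type != expected_type
    return {
        "denials": len(records),
        "source_domains": sorted({r["source_type"] for r in records}),
        "actual_type": actual_type,
        "mislabeled": mislabeled,
        "fix": f"restorecon -v {path}" if mislabeled else None,
    }


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AVC).items():
        print(n, key)
    print(diagnose(SAMPLE_AVC, BINARY, LS_Z_BEFORE, EXPECTED_TYPE))
    print(diagnose(SAMPLE_AVC, BINARY, LS_Z_AFTER, EXPECTED_TYPE))
```

On a live host, feed `grep avc /var/log/audit/audit.log` into `summarize`, and the real `ls -lZ` and `matchpathcon` output into `diagnose`; a source domain that does not match the command (here iptables in fail2ban_t) together with a type that differs from the policy's expectation points at a relabel, not a policy change, as the fix.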


Tuesday, May 14, 2013

Samba Server configuration - CentOS 6.3 with SELinux

You must install the packages below in order to configure the machine as a Samba server:
yum install cups-libs samba samba-common

First, the firewall must allow access to the Samba server; the ports below should be opened. On my server I use iptables as the firewall, so the rules below let Samba traffic through it. Note that the NetBIOS name and datagram services on 137 and 138 use UDP, while the session service on 139 and SMB on 445 use TCP.

-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
# NetBIOS name service (137) and datagram service (138) are UDP, so these are also needed
-A INPUT -m state --state NEW -m udp -p udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
Restricting the rules to a source network, as above, gives better security than opening the ports to everyone.

Then you need to take care of the SELinux settings: unless the relevant boolean is enabled, even the home directories cannot be shared.

If you want to share the default home directories, run this command:
setsebool -P samba_enable_home_dirs on
If you want Samba to act as a domain controller:
setsebool -P samba_domain_controller on
If you want to share files or directories other than home directories or the standard directories, you must label them samba_share_t. For example, if you created the directory /home/fileserver, you can label the directory and its contents with the chcon tool:

# chcon -R -t samba_share_t /home/fileserver
A chcon change is lost the next time the filesystem is relabeled. To make the label permanent, record it in the file-context policy and apply it with the commands below:
# semanage fcontext -a -t samba_share_t '/home/fileserver(/.*)?'
# restorecon -R -v /home/fileserver

There are two booleans that you can set to allow the sharing of standard directories. If you want to share any standard directory read-only, set the boolean samba_export_all_ro:
# setsebool -P samba_export_all_ro 1
This boolean allows Samba to read every file on the system. Similarly, if you want to share all files and directories read/write via Samba, set samba_export_all_rw:
# setsebool -P samba_export_all_rw 1
This boolean allows Samba to read and write every file on your system, so a compromised Samba server would be very dangerous. Prefer labeling the specific share directories with samba_share_t over either boolean.

For more details, please refer to the link below:

Then configure the smb.conf file as you need.

I have configured home and other shared directories, and my configuration file looks as below.

[Common]
   comment = All Users
   path = /home/common
   valid users = @users
   force group = users
   create mask = 0765
   directory mask = 0775
   writable = yes

If you need home directories that users can read and write, the entry below should be included.

[homes]
   comment = Home Directories
   browseable = no
   valid users = %S
   writable = yes
   create mask = 0700
   directory mask = 0700
Now add the user to the Samba user database:
smbpasswd -a tom
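The SELinux rules from the section above (home directories need samba_enable_home_dirs, any other share needs samba_share_t unless one of the risky samba_export_all_* booleans is on) can be checked against a configuration before the service goes live. The audit below is an added example, not code from the original post: the smb.conf text is constructed from the two shares shown above plus a minimal [global] section, and SAMPLE_BOOLEANS imitates the `boolean --> on|off` layout printed by `getsebool -a`. It prints the labeling commands each share still needs and flags host-wide settings a reviewer would want to know about.

```python
"""Audit an smb.conf against the SELinux labeling rules for Samba shares.

Added example, not part of the original post.  SAMPLE_SMB_CONF is constructed
from the post's [Common] and [homes] shares; SAMPLE_BOOLEANS is a constructed
`getsebool -a` style listing.
"""
import configparser

# Constructed smb.conf: a minimal [global] plus the post's two shares.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user

[Common]
   comment = All Users
   path = /home/common
   valid users = @users
   force group = users
   create mask = 0765
   directory mask = 0775
   writable = yes

[homes]
   comment = Home Directories
   browseable = no
   valid users = %S
   writable = yes
   create mask = 0700
   directory mask = 0700
"""

# Constructed `getsebool -a` output reflecting the posture the post recommends.
SAMPLE_BOOLEANS = """\
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
"""


def parse_smb_conf(text):
    """Return {share name: {option: value}}; interpolation is off so %S survives."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def parse_booleans(text):
    """Turn `name --> on|off` lines into {name: bool}."""
    result = {}
    for line in text.splitlines():
        if "-->" in line:
            name, _, value = line.partition("-->")
            result[name.strip()] = value.strip() == "on"
    return result


def is_on(value):
    """Samba accepts yes/true/1 as boolean true."""
    return str(value).strip().lower() in ("yes", "true", "1")


def audit_booleans(booleans):
    """Host-wide findings: the export_all booleans widen Samba's reach to every file."""
    findings = []
    if booleans.get("samba_export_all_rw"):
        findings.append("samba_export_all_rw is on: Samba may read and write every file on the system")
    elif booleans.get("samba_export_all_ro"):
        findings.append("samba_export_all_ro is on: Samba may read every file on the system")
    return findings


def audit_share(name, opts, booleans):
    """Return (findings, labeling commands) for one share definition."""
    findings, commands = [], []
    writable = is_on(opts.get("writable", "no"))
    if name.lower() == "homes":
        # [homes] maps to each user's home directory; no label is needed, only the boolean.
        if not booleans.get("samba_enable_home_dirs"):
            findings.append("[homes] is defined but samba_enable_home_dirs is off")
        return findings, commands
    path = opts.get("path")
    if path is None:
        findings.append("share has no path")
        return findings, commands
    # Without an export_all boolean the share tree must carry samba_share_t;
    # samba_export_all_ro covers only read-only shares.
    need_label = not booleans.get("samba_export_all_rw")
    if need_label and not writable and booleans.get("samba_export_all_ro"):
        need_label = False
    if need_label:
        commands.append(f"semanage fcontext -a -t samba_share_t '{path}(/.*)?'")
        commands.append(f"restorecon -R -v {path}")
    if "valid users" not in opts:
        findings.append("no 'valid users': any authenticated user may connect to the share")
    for key in ("create mask", "directory mask"):
        if key in opts and int(opts[key], 8) & 0o002:
            findings.append(f"{key} {opts[key]} makes new entries world-writable")
    return findings, commands


def audit(smb_conf_text, booleans_text):
    """Full report: host-wide findings plus per-share findings and labeling commands."""
    booleans = parse_booleans(booleans_text)
    report = {"host": audit_booleans(booleans), "shares": {}}
    for name, opts in parse_smb_conf(smb_conf_text).items():
        if name.lower() == "global":
            continue
        findings, commands = audit_share(name, opts, booleans)
        report["shares"][name] = {"findings": findings, "label_commands": commands}
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_SMB_CONF, SAMPLE_BOOLEANS), indent=2))
```

Run it against the real files with `audit(open("/etc/samba/smb.conf").read(), subprocess.check_output(["getsebool", "-a"], text=True))`; the commands it prints for [Common] are exactly the semanage/restorecon pair the post uses for /home/fileserver, while a host with samba_export_all_rw on gets no labeling commands and a host-level finding instead.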