
SELinux ddclient and ca-certificates
I have been enforcing on my SELinux box for a while without incident,
until yesterday. Ddclient started spamming me with emails about SSL
connect failures. I checked the audit log for AVCs and found the one
below. The context for /etc/ssl/certs/ca-certificates is cert_t and it
looks like the interface needed to access this type is
"miscfiles_manage_generic_cert_files". I can test if this is the right
approach? May take a while cos I am not sure how to force ddclient into
attempting an update.

Thanks,
Robert

type=AVC msg=audit(1497448811.326:13013): avc: denied { search } for
pid=3311 comm=6464636C69656E74202D20636F6E6E name="ca-certificates"
dev="dm-0" ino=2630168 scontext=system_u:system_r:ddclient_t
tcontext=system_u:object_r:cert_t tclass=dir permissive=0
Re: SELinux ddclient and ca-certificates
On Thu, Jun 15, 2017 at 11:58:49AM +0100, Robert Sharp wrote:
> I have been enforcing on my SELinux box for a while without incident,
> until yesterday. Ddclient started spamming me with emails about SSL
> connect failures. I checked the audit log for AVCs and found the one
> below. The context for /etc/ssl/certs/ca-certificates is cert_t and it
> looks like the interface needed to access this type is
> "miscfiles_manage_generic_cert_files". I can test if this is the right
> approach? May take a while cos I am not sure how to force ddclient into
> attempting an update.
>
> Thanks,
> Robert
> type=AVC msg=audit(1497448811.326:13013): avc: denied { search } for pid=3311
> comm=6464636C69656E74202D20636F6E6E name="ca-certificates" dev="dm-0" ino=2630168
> scontext=system_u:system_r:ddclient_t tcontext=system_u:object_r:cert_t tclass=dir
> permissive=0

I generally try to make sure that it is the right domain before adding the
privilege. In the denial, the command that is being denied access is
"ca-certificates". Is that a script from ddclient, or does ddclient trigger
an (external) script and should we perhaps look at a potential domain
transition here?

Wkr,
Sven Vermeulen
Re: SELinux ddclient and ca-certificates
On 17/06/17 11:47, Sven Vermeulen wrote:
> I generally try to make sure that it is the right domain before adding the
> privilege. In the denial, the command that is being denied access is
> "ca-certificates". Is that a script from ddclient, or does ddclient trigger
> an (external) script and should we perhaps look at a potential domain
> transition here?

Hi and thanks for the reply.

I had assumed this was the file of that name in /etc/ssl/certs but your
comment made me check the inode and I was wrong. It is actually a
directory "/usr/share/ca-certificates" which also has the "cert_t"
context. There is no script by that name associated with ddclient so I
guess ddclient is trying to (via openssl) access this directory/path?

Robert
Re: SELinux ddclient and ca-certificates
On Sat, Jun 17, 2017 at 06:20:40PM +0100, Robert Sharp wrote:
> I had assumed this was the file of that name in /etc/ssl/certs but your
> comment made me check the inode and I was wrong. It is actually a
> directory "/usr/share/ca-certificates" which also has the "cert_t"
> context. There is no script by that name associated with ddclient so I
> guess ddclient is trying to (via openssl) access this directory/path?

The context on that directory is correct. If it is indeed ddclient that is
trying to manipulate that directory content, then by all means, add in the
privilege to do so.

Now, if I look at the current description of ddclient (i.e. perl client used
to update dynamic DNS entries) then I personally wonder if ddclient is
actually trying to *manipulate* the certificates (or add certificates to it)
rather than just use it.

It's okay to use it. Manipulating the directory seems to be something I
would want to verify with the application itself first. If it is a Perl
script, then it might be easy to find out why.

Wkr,
Sven Vermeulen
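An added example, not code from this thread or from ddclient, that works through the two checks the discussion turns on: reading the AVC record correctly, and choosing the least privilege that satisfies it. Two format details matter when reading the denial posted at the top of the thread: name= is the object the process tried to reach (the directory Robert later identified by inode), while comm= is the process name, which auditd writes unquoted and hex-encoded whenever it contains spaces; the bytes 6464636C69656E74202D20636F6E6E decode to "ddclient - conn". The script parses the record, decodes comm=, and classifies the requested permissions as read-only (search, getattr, read, ...) or modifying, so that a read-only denial is answered with a read interface rather than the broader "manage" one Sven cautions about. The interface name miscfiles_manage_generic_cert_files comes from the thread; miscfiles_read_generic_certs is assumed to be the matching read-only interface in the reference policy's miscfiles module and should be confirmed against the miscfiles.if you actually ship. The sample AVC line is the thread's record re-joined onto one line.

```python
import re

# Constructed sample: the AVC record posted at the top of this thread,
# re-joined onto a single line (the archive wrapped it).
SAMPLE_AVC = (
    'type=AVC msg=audit(1497448811.326:13013): avc: denied { search } for '
    'pid=3311 comm=6464636C69656E74202D20636F6E6E name="ca-certificates" '
    'dev="dm-0" ino=2630168 scontext=system_u:system_r:ddclient_t '
    'tcontext=system_u:object_r:cert_t tclass=dir permissive=0'
)

# Permissions that only observe an object. Anything outside this set
# modifies the object or its metadata and therefore needs a "manage"
# level interface rather than a read-only one.
READ_ONLY_PERMS = {
    "search", "getattr", "read", "open", "lock", "ioctl", "map",
    "execute", "execute_no_trans",
}

# Assumed reference-policy interface names for cert_t. The "manage" one is
# quoted in the thread; the "read" one is what refpolicy's miscfiles module
# is assumed to call it. Confirm both against the miscfiles.if you ship.
INTERFACES = {
    "read": "miscfiles_read_generic_certs",
    "manage": "miscfiles_manage_generic_cert_files",
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'denied\s*\{\s*([^}]*)\}')


def decode_comm(value):
    """auditd writes comm= unquoted and hex-encoded when the process name
    contains spaces or quotes; otherwise it is a plain quoted string."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value


def parse_avc(line):
    """Split one AVC record into its fields, decoding comm= and pulling the
    SELinux type out of each security context."""
    m = _PERMS.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["perms"] = set(m.group(1).split())
    fields["comm"] = decode_comm(fields.get("comm", ""))
    for ctx in ("scontext", "tcontext"):
        # user:role:type[:level] -> the type is always the third element
        fields[ctx + "_type"] = fields[ctx].split(":")[2]
    return fields


def recommend(fields):
    """Pick the least-privilege interface tier that satisfies the denial and
    give the command that locates the target object by inode."""
    tier = "read" if fields["perms"] <= READ_ONLY_PERMS else "manage"
    return {
        "domain": fields["scontext_type"],
        "target_type": fields["tcontext_type"],
        "tclass": fields["tclass"],
        "perms": sorted(fields["perms"]),
        "tier": tier,
        "interface": INTERFACES[tier],
        # Robert's check in the thread: name= alone is ambiguous, the inode is
        # not. Inode numbers are per filesystem, so run this on the mount that
        # holds dev=%s; -xdev keeps find from wandering into other mounts.
        "dev": fields.get("dev", ""),
        "locate": "find / -xdev -inum %s -ls" % fields["ino"],
    }


if __name__ == "__main__":
    info = parse_avc(SAMPLE_AVC)
    rec = recommend(info)
    print("process:", info["comm"])  # ddclient - conn
    print("denied:", rec["perms"], "on", rec["tclass"], rec["target_type"])
    print("least privilege:", rec["interface"] + "(" + rec["domain"] + ")")
    print("locate target:", rec["locate"])
```

For the thread's record the script reports a search on a cert_t directory and recommends the read tier for ddclient_t; a denial that asked for write or add_name would flip it to the manage tier, which is the distinction Sven asks to verify against the application before granting.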
Re: SELinux ddclient and ca-certificates
On 18/06/17 17:29, Sven Vermeulen wrote:
> It's okay to use it. Manipulating the directory seems to be something I
> would want to verify with the application itself first. If it is a Perl
> script, then it might be easy to find out why.

Looking at the error messages and the script itself the problem occurs
within the Perl module IO::Socket::SSL. Looks like if a call to new does
not work then ddclient raises the message. A quick search led me to
http://search.cpan.org/~sullr/IO-Socket-SSL-2.049/lib/IO/Socket/SSL.pod
and a little way down there is a good description of "Essential
Information About SSL/TLS". Seems to me that the module is acting as
expected and I cannot see that ddclient is doing anything else that
might be suspect.

So I will add the privilege and try to force ddclient to update to see
what happens.

Best,
Robert