selinux process transition not taking place

Hello Everyone,

I work for a company which develops an rsyslog alternative logging service, and we recently have encountered an interesting problem around the SELinux process transitions of our product.

I and most of my colleagues have little to marginal experience with SELinux, and we have done most of the investigation we could do on our own.

The problem that one of our customers experienced is that our product (when started by its init script, or through the service ... utility) will be stuck in the initrc_t context, and not transition into the syslogd_t context. This causes the /dev/log socket not to have the proper selinux context, which leads to even further problems.
The system they are working on is running CentOS 6.6.

To describe the problem in a bit more detail:
- we have an init script with the selinux context of system_u:object_r:syslogd_initrc_exec_t:s0
- this init script calls the binary, which has the context of: system_u:object_r:syslogd_exec_t:s0

- the necessary process transition definitions are in place:
[root@centos-test ~]# sesearch -T -s initrc_t -t syslogd_initrc_exec_t -c process -p transition -A
Found 1 semantic te rules:
   type_transition initrc_t syslogd_initrc_exec_t : process initrc_t;
[root@centos-test ~]# sesearch -T -s initrc_t -t syslogd_exec_t -c process -p transition -A
Found 1 semantic te rules:
   type_transition initrc_t syslogd_exec_t : process syslogd_t;

- the necessary execution permissions are present
[root@centos-test ~]# sesearch -s initrc_t -t syslogd_exec_t -c file -p execute -A
Found 3 semantic av rules:
   allow initrc_t exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow initrc_t syslogd_exec_t : file { read getattr execute open } ;
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open } ;

- the necessary types are defined as the domain entry points
[root@centos-test ~]# sesearch -s syslogd_t -t syslogd_exec_t -c file -p entrypoint -A
Found 1 semantic av rules:
   allow syslogd_t syslogd_exec_t : file { ioctl read getattr lock execute entrypoint open } ;

- the target domain is allowed for the proper role:
[root@centos-test ~]# seinfo -rsystem_r -x | fgrep syslogd_t
         syslogd_t


But despite all the above, the transition doesn't occur to syslogd_t, the process remains in initrc_t.

I even have created a script to reproduce the issue (find it attached).
The script simply
- puts down two shell scripts and sets their rights and selinux contexts (system_u:object_r:syslogd_initrc_exec_t:s0 and system_u:object_r:syslogd_exec_t:s0) ,
- creates a copy of bash, sets its context (to system_u:object_r:syslogd_initrc_exec_t:s0),
- tries to run the script with the syslogd_initrc_exec_t context,
- which in turn will run the other script with context syslogd_exec_t

The resulting output shows that the script with the syslogd_exec_t context will run as initrc_t even though its parent was initrc_t as well, and the type transition should have occurred.


Some sample output:

[root@centos-test ~]# bash selinux_test.sh
-rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t
-rwxr-xr-x. root root system_u:object_r:syslogd_exec_t:s0 /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
-rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0 /tmp/tmp.efz1wH7wpL/syslogd_initrc_exec_t_starter.sh
======================== STARTING ===============================================
Authenticating root.
Jelszó:
system_u:system_r:initrc_t:s0   root      3352  0.0  0.0 106056  1296 pts/0    S+   14:50   0:00              \_ /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_initrc_exec_t_starter.sh
======================== STARTED ===============================================
system_u:system_r:initrc_t:s0   root      3359  0.0  0.0 106056  1340 pts/0    S+   14:50   0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
system_u:system_r:initrc_t:s0   root      3362  0.0  0.0 106056  1336 pts/0    S+   14:50   0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end
============================= first ==========================================
system_u:system_r:initrc_t:s0   root      3359  0.0  0.0 106056  1340 pts/0    S+   14:50   0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
system_u:system_r:initrc_t:s0   root      3362  0.0  0.0 106056  1336 pts/0    S+   14:50   0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end
============================= end ==========================================
system_u:system_r:initrc_t:s0   root      3359  0.0  0.0 106060  1360 pts/0    S+   14:50   0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
system_u:system_r:initrc_t:s0   root      3362  0.0  0.0 106060  1352 pts/0    S+   14:50   0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end
[root@centos-test ~]#


We would appreciate it if we could get some guidance on what we should check, in order to get to the end of this problem.
We have tried running setroubleshootd, disabling noaudit rules (semodule -DB), but we saw no error messages about failed transitions, or whatsoever. The only logs we saw related to the scripts were the authentication and accounting messages about the run_init command.

Kind regards,
János Szigetvári

--
Janos SZIGETVARI

__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice.org
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp

Attachment: selinux-test.sh
Description: Bourne shell script
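A small model of the execve() domain-transition decision, added here as an example and not part of the original message or the product it describes. It encodes the type_transition, execute, entrypoint and role rules quoted in the mail and the labels from its ls -Z output (the /tmp paths are constructed), and resolves the new domain from the label of argv[0], the file the kernel actually loads.

```python
"""Model of the SELinux execve() domain-transition decision.

Added example, not from the original mail. Rule tables are hand-copied from
the sesearch/seinfo output quoted in the mail (CentOS 6.6 policy excerpt);
file labels come from its ls -Z lines, with constructed /tmp/t paths.
"""

# type_transition rules: (source domain, type of exec'd file) -> new domain
TYPE_TRANSITIONS = {
    ("initrc_t", "syslogd_initrc_exec_t"): "initrc_t",
    ("initrc_t", "syslogd_exec_t"): "syslogd_t",
}
# allow <domain> <type>:file execute
EXECUTE = {("initrc_t", "syslogd_initrc_exec_t"), ("initrc_t", "syslogd_exec_t")}
# allow <domain> <type>:file entrypoint
ENTRYPOINT = {("syslogd_t", "syslogd_exec_t")}
# types permitted for a role (seinfo -rsystem_r -x)
ROLE_TYPES = {"system_r": {"initrc_t", "syslogd_t"}}
# constructed labels, following the ls -Z lines in the mail
LABELS = {
    "/tmp/t/bash_initrc_exec_t": "syslogd_initrc_exec_t",
    "/tmp/t/syslogd_exec_t_runner.sh": "syslogd_exec_t",
    "/tmp/t/syslogd_initrc_exec_t_starter.sh": "syslogd_initrc_exec_t",
}


def exec_domain(ctx, argv, labels=LABELS):
    """Return the context a process in `ctx` has after execve(argv[0]).

    The kernel bases the transition on the file it actually loads, argv[0];
    a script handed to an interpreter as an argument is only data to it.
    The `process transition` and `execute_no_trans` checks are not modelled
    because the mail does not quote them for these exact types.
    Raises PermissionError where the exec would be denied.
    """
    user, role, src = ctx.split(":")[:3]
    ftype = labels[argv[0]]
    if (src, ftype) not in EXECUTE:
        raise PermissionError(f"{src} may not execute {ftype}")
    new = TYPE_TRANSITIONS.get((src, ftype), src)  # no rule: stay in src
    if new != src and (new, ftype) not in ENTRYPOINT:
        raise PermissionError(f"{ftype} is not an entrypoint for {new}")
    if new not in ROLE_TYPES.get(role, ()):
        raise PermissionError(f"role {role} may not run type {new}")
    return f"{user}:{role}:{new}:s0"


if __name__ == "__main__":
    ctx = "system_u:system_r:initrc_t:s0"
    # as in the ps output: the bash copy is exec'd, the script is an argument
    print(exec_domain(ctx, ["/tmp/t/bash_initrc_exec_t", "/tmp/t/syslogd_exec_t_runner.sh"]))
    # exec the syslogd_exec_t-labelled file itself
    print(exec_domain(ctx, ["/tmp/t/syslogd_exec_t_runner.sh"]))
```

Comparing the two calls in the `__main__` block shows the difference between the label of the file passed to execve and the label of a script that is merely an interpreter argument.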

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
