On 05/14/2015 09:07 AM, SZIGETVÁRI János wrote:
> Hello Everyone,
>
> I work for a company which develops an rsyslog alternative logging
> service, and we recently have encountered an interesting problem around
> the SELinux process transitions of our product.
>
> I and most of my colleagues have little to marginal experience with
> SELinux, and we have done most of the investigation we could do on our own.
>
> The problem that one of our customers experienced is that our product
> (when started by its init script, or through the service ... utility)
> will be stuck in the initrc_t context, and not transition into the
> syslogd_t context. This causes the /dev/log socket not to have the
> proper SELinux context, which leads to even further problems.
> The system they are working on is running CentOS 6.6.
>
> To describe the problem in a bit more detail:
> - we have an init script with the SELinux context of
>   system_u:object_r:syslogd_initrc_exec_t:s0
> - this init script calls the binary, which has the context of:
>   system_u:object_r:syslogd_exec_t:s0
>
> - the necessary process transition definitions are in place:
>   [root@centos-test ~]# sesearch -T -s initrc_t -t syslogd_initrc_exec_t -c process -p transition -A
>   Found 1 semantic te rules:
>      type_transition initrc_t syslogd_initrc_exec_t : process initrc_t;
>   [root@centos-test ~]# sesearch -T -s initrc_t -t syslogd_exec_t -c process -p transition -A
>   Found 1 semantic te rules:
>      type_transition initrc_t syslogd_exec_t : process syslogd_t;
>
> - the necessary execution permissions are present
>   [root@centos-test ~]# sesearch -s initrc_t -t syslogd_exec_t -c file -p execute -A
>   Found 3 semantic av rules:
>      allow initrc_t exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
>      allow initrc_t syslogd_exec_t : file { read getattr execute open } ;
>      allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open } ;
>
> - the necessary types are defined as the domain entry points
>   [root@centos-test ~]# sesearch -s syslogd_t -t syslogd_exec_t -c file -p entrypoint -A
>   Found 1 semantic av rules:
>      allow syslogd_t syslogd_exec_t : file { ioctl read getattr lock execute entrypoint open } ;
>
> - the target domain is allowed for the proper role:
>   [root@centos-test ~]# seinfo -rsystem_r -x | fgrep syslogd_t
>         syslogd_t
>
>
> But despite all the above, the transition doesn't occur to syslogd_t,
> the process remains in initrc_t.
>
> I even have created a script to reproduce the issue (find it attached).
> The script simply
> - puts down two shell scripts and sets their rights and SELinux contexts
>   (system_u:object_r:syslogd_initrc_exec_t:s0 and
>   system_u:object_r:syslogd_exec_t:s0),
> - creates a copy of bash, sets its context (to
>   system_u:object_r:syslogd_initrc_exec_t:s0),
> - tries to run the script with the syslogd_initrc_exec_t context,
> - which in turn will run the other script with context syslogd_exec_t
>
> The resulting output shows that the script with the syslogd_exec_t
> context will run as initrc_t even though its parent was initrc_t as
> well, and the type transition should have occurred.
>
>
> Some sample output:
>
> [root@centos-test ~]# bash selinux_test.sh
> -rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t
> -rwxr-xr-x. root root system_u:object_r:syslogd_exec_t:s0 /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
> -rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0 /tmp/tmp.efz1wH7wpL/syslogd_initrc_exec_t_starter.sh
> ======================== STARTING ===============================================
> Authenticating root.
> Jelszó:   (Hungarian-locale prompt for "Password:")
> system_u:system_r:initrc_t:s0   root  3352  0.0  0.0 106056 1296 pts/0  S+  14:50  0:00  \_ /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_initrc_exec_t_starter.sh
> ======================== STARTED ===============================================
> system_u:system_r:initrc_t:s0   root  3359  0.0  0.0 106056 1340 pts/0  S+  14:50  0:00  /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
> system_u:system_r:initrc_t:s0   root  3362  0.0  0.0 106056 1336 pts/0  S+  14:50  0:00  /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end
> ============================= first ==========================================
> system_u:system_r:initrc_t:s0   root  3359  0.0  0.0 106056 1340 pts/0  S+  14:50  0:00  /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
> system_u:system_r:initrc_t:s0   root  3362  0.0  0.0 106056 1336 pts/0  S+  14:50  0:00  /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end
> ============================= end ==========================================
> system_u:system_r:initrc_t:s0   root  3359  0.0  0.0 106060 1360 pts/0  S+  14:50  0:00  /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
> system_u:system_r:initrc_t:s0   root  3362  0.0  0.0 106060 1352 pts/0  S+  14:50  0:00  /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end
> [root@centos-test ~]#
>
>
> We would appreciate if we could get some guidance on what we should
> check, in order to get to the end of this problem.
> We have tried running setroubleshootd, disabling noaudit rules (semodule
> -DB), but we saw no error messages about failed transitions, or
> anything whatsoever. The only logs we saw related to the scripts were the
> authentication and accounting messages about the run_init command.

SELinux domain transitions are suppressed on nosuid mounts for the same reasons that setuid/setgid are suppressed.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
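The reply points at a check the reporter's sesearch/seinfo audit cannot surface: the policy can be entirely correct and the kernel will still keep the caller's SID when the executable lives on a mount flagged MNT_NOSUID, just as it refuses to honour setuid/setgid bits there. The reproducer builds everything under /tmp, which is commonly a nosuid tmpfs. The script below is an added example written for this page, not code from the thread or from the reporter's product: it parses /proc/self/mountinfo-style text (field 5 is the mount point, field 6 the per-mount options), finds the longest mount point that serves a given path, and reports whether that mount carries nosuid. The SAMPLE_MOUNTINFO table and the /tmp/inner nested mount are constructed for the demo; check_live_path runs the same logic against the running kernel's table.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an executable sits on a
# mount with the nosuid option, which makes the kernel skip the SELinux domain
# transition on exec exactly as it skips setuid/setgid. Parsing works on
# /proc/self/mountinfo text (field 5 = mount point, field 6 = per-mount options)
# so it can also be run against a saved copy from another host.

# Constructed sample of /proc/self/mountinfo, mimicking the reporter's layout:
# /tmp is a nosuid tmpfs, /tmp/inner is a nested mount without nosuid.
SAMPLE_MOUNTINFO='19 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,data=ordered
25 19 0:20 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw
26 19 0:5 / /dev rw,nosuid,relatime - devtmpfs devtmpfs rw,size=4096k
27 25 8:17 / /tmp/inner rw,relatime - ext4 /dev/sdb1 rw'

# mount_for_path MOUNTINFO_TEXT ABS_PATH
# Prints "<mount point> <per-mount options>" for the longest mount point that
# is a prefix of ABS_PATH, i.e. the mount that actually serves the file.
# ABS_PATH must be absolute and already canonical (symlinks resolved).
mount_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $5
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) {
                    best_len = length(mp); best = mp; opts = $6
                }
            }
        }
        END { if (best != "") print best, opts }'
}

# is_nosuid MOUNTINFO_TEXT ABS_PATH
# Exit status 0 when the serving mount carries nosuid, 1 otherwise.
is_nosuid() {
    set -- "$(mount_for_path "$1" "$2")"
    case ",${1#* }," in
        *,nosuid,*) return 0 ;;
    esac
    return 1
}

# check_live_path ABS_PATH
# Same check against this kernel's live mount table.
check_live_path() {
    if is_nosuid "$(cat /proc/self/mountinfo)" "$1"; then
        printf '%s: nosuid mount, SELinux domain transition on exec is suppressed\n' "$1"
        return 0
    fi
    printf '%s: mount permits domain transitions\n' "$1"
    return 1
}

# Demo on the constructed table: the reporter's /tmp reproducer, a binary
# installed under /usr/sbin, and a file on the nested non-nosuid mount.
for f in /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /usr/sbin/syslogd /tmp/inner/daemon; do
    if is_nosuid "$SAMPLE_MOUNTINFO" "$f"; then
        printf 'nosuid (no transition): %s\n' "$f"
    else
        printf 'transition allowed:     %s\n' "$f"
    fi
done
```

On the affected host, `check_live_path /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t` (or simply reading the /tmp line of /proc/self/mountinfo or `mount`) tells you whether the reproducer is testing the policy or the mount flags. The same check belongs on the customer's real installation path: if the daemon binary or the init script is on a nosuid mount, no amount of type_transition and entrypoint rules will move it out of initrc_t, and there is no AVC denial to find because the kernel never attempted the transition. Rerun the reproducer from a directory on a mount without nosuid (or move the product's files off such a mount) before spending more time on the policy.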