Hmm...then I'm not sure what the cause is. Common causes are use of nosuid on the filesystem, failure to make the script file executable (so that it ends up being opened and read by sh rather than handled via kernel execve), or a policy problem (but those should manifest as a SELINUX_ERR or AVC audit message). On 05/14/2015 09:24 AM, SZIGETVÁRI János wrote: > Thanks for pointing this out (I didn't know about that), but it seems > that our problem is not affected by this. > Our /tmp directory resides on the root filesystem, for which the nosuid > mount option is not specified. > > [root@centos-test ~]# mount > /dev/mapper/vg_centostest-lv_root on / type ext4 (rw) > proc on /proc type proc (rw) > sysfs on /sys type sysfs (rw) > devpts on /dev/pts type devpts (rw,gid=5,mode=620) > tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0") > /dev/sda1 on /boot type ext4 (rw) > none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) > > Janos > > 2015-05-14 15:10 GMT+02:00 Stephen Smalley <sds@xxxxxxxxxxxxx > <mailto:sds@xxxxxxxxxxxxx>>: > > On 05/14/2015 09:07 AM, SZIGETVÁRI János wrote: > > Hello Everyone, > > > > I work for a company which develops an rsyslog alternative logging > > service, and we recently have encountered an interesting problem > around > > the SELinux process transitions of our product. > > > > I and most of my colleagues have little to marginal experience with > > SELinux, and we have done most of the investigation we could do on > our own. > > > > The problem that one of our customers experienced is that our product > > (when started by it's init script, or through the service ... utility) > > will be stuck in the initrc_t context, and not transition into the > > syslogd_t context. This causes the /dev/log socket not to have the > > proper selinux context, which leads to even further problems. > > The system they are working on is running CentOS 6.6. > > > > To describe the problem in a bit more detail: > > - we have an init script with the selinux context of > > system_u:object_r:syslogd_initrc_exec_t:s0 > > - this init script calls the binary, which has the context of: > > system_u:object_r:syslogd_exec_t:s0 > > > > - the necessary process transtition definitions are in place: > > [root@centos-test ~]# sesearch -T -s initrc_t -t syslogd_initrc_exec_t > > -c process -p transition -A > > Found 1 semantic te rules: > > type_transition initrc_t syslogd_initrc_exec_t : process initrc_t; > > [root@centos-test ~]# sesearch -T -s initrc_t -t syslogd_exec_t -c > > process -p transition -A > > Found 1 semantic te rules: > > type_transition initrc_t syslogd_exec_t : process syslogd_t; > > > > - the necessary execution permissions are present > > [root@centos-test ~]# sesearch -s initrc_t -t syslogd_exec_t -c > file -p > > execute -A > > Found 3 semantic av rules: > > allow initrc_t exec_type : file { ioctl read getattr lock execute > > execute_no_trans open } ; > > allow initrc_t syslogd_exec_t : file { read getattr execute > open } ; > > allow files_unconfined_type file_type : file { ioctl read write > > create getattr setattr lock relabelfrom relabelto append unlink link > > rename execute swapon quotaon mounton execute_no_trans entrypoint > open } ; > > > > - the necessary types are defined as the domain entry points > > [root@centos-test ~]# sesearch -s syslogd_t -t syslogd_exec_t -c > file -p > > entrypoint -A > > Found 1 semantic av rules: > > allow syslogd_t syslogd_exec_t : file { ioctl read getattr lock > > execute entrypoint open } ; > > > > - the target domain is allowed for the proper role: > > [root@centos-test ~]# seinfo -rsystem_r -x | fgrep syslogd_t > > syslogd_t > > > > > > But despite all the above, the transition doesn't occur to syslogd_t, > > the process remains in initrc_t. > > > > I even have created a script to reproduce the issue (find it > attached). > > The script simply > > - puts down two shell scripts and sets their rights and selinux > contexts > > (system_u:object_r:syslogd_initrc_exec_t:s0 and > > system_u:object_r:syslogd_exec_t:s0) , > > - creates a copy of bash, sets it's context (to > > system_u:object_r:syslogd_initrc_exec_t:s0), > > - tries to run the script with the syslogd_initrc_exec_t context, > > - which in turn will run the other script with context syslogd_exec_t > > > > The resulting output shows that the script with the syslogd_exec_t > > context will run as initrc_t even though it's parent was initrc_t as > > well, and the type transition should have occurred. > > > > > > Some sample output: > > > > [root@centos-test ~]# bash selinux_test.sh > > -rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0 > > /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t > > -rwxr-xr-x. root root system_u:object_r:syslogd_exec_t:s0 > > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh > > -rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0 > > /tmp/tmp.efz1wH7wpL/syslogd_initrc_exec_t_starter.sh > > ======================== STARTING > > =============================================== > > Authenticating root. > > Jelszó: > > system_u:system_r:initrc_t:s0 root 3352 0.0 0.0 106056 1296 > > pts/0 S+ 14:50 0:00 \_ > > /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t > > /tmp/tmp.efz1wH7wpL/syslogd_initrc_exec_t_starter.sh > > ======================== STARTED > > =============================================== > > system_u:system_r:initrc_t:s0 root 3359 0.0 0.0 106056 1340 > > pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t > > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh > > system_u:system_r:initrc_t:s0 root 3362 0.0 0.0 106056 1336 > > pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t > > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end > > ============================= first > > ========================================== > > system_u:system_r:initrc_t:s0 root 3359 0.0 0.0 106056 1340 > > pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t > > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh > > system_u:system_r:initrc_t:s0 root 3362 0.0 0.0 106056 1336 > > pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t > > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end > > ============================= end > ========================================== > > system_u:system_r:initrc_t:s0 root 3359 0.0 0.0 106060 1360 > > pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t > > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh > > system_u:system_r:initrc_t:s0 root 3362 0.0 0.0 106060 1352 > > pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t > > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end > > [root@centos-test ~]# > > > > > > We would appreciate if we could get some guidance on what we should > > check, in order to get to the end of this problem. > > We have tried running setroubleshootd, disabling noaudit rules > (semodule > > -DB), but we saw no error messages about failed transitions, or > > whatsoever. The only logs we saw related to the scripts were the > > authentication and accounting messages about the run_init command. > > SELinux domain transitions are suppressed on nosuid mounts for the same > reasons that setuid/setgid is suppressed. > > > > > -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux