2015-05-20 19:01 GMT+02:00 Stephen Smalley <sds@xxxxxxxxxxxxx>:
In order for a script to transition, it has to be passed directly in an
execve() call to the kernel, and this only happens if:
1. The script has an appropriate header so the kernel can figure out
how to find the interpreter, i.e.
#!/bin/sh
2. The script has an executable mode, e.g.
chmod 0755 /path/to/scriptfile
3. The script is directly invoked by the caller, not indirectly via sh,
e.g.
$ /path/to/scriptfile
Under those three conditions, scripts can transition just fine under
SELinux (although Linux refuses to honor setuid/setgid on them for
security reasons; we permit domain transitions but advise only using
them when the caller is more trusted than the new domain).
But if you fail to fulfill any of those conditions, then it will instead
devolve into the shell being exec'd and just being passed the script as
an argument, and at that point the kernel won't ever see anything other
than an exec of the shell and an open with read access to the script,
neither of which will trigger the transition.
Interestingly enough, seemingly all the conditions you listed above seem to be fulfilled, but for some reason, I get a "permission denied":
[root@centos-test ~]# export LANG=en_US.UTF8
[root@centos-test ~]# run_init /bin/bash
Authenticating root.
Password:
[root@centos-test /]# ps auxfZ | fgrep $$
system_u:system_r:initrc_t:s0 root 5891 0.0 0.1 108300 1896 pts/0 S 14:15 0:00 \_ /bin/bash
system_u:system_r:initrc_t:s0 root 5916 0.0 0.0 100944 692 pts/0 S+ 14:15 0:00 \_ fgrep 5891
[root@centos-test /]# ls -lZ /root/aaa/syslogd_exec_t_runner.sh
-rwxr-xr-x. root root system_u:object_r:syslogd_exec_t:s0 /root/aaa/syslogd_exec_t_runner.sh
[root@centos-test /]# head -n 1 /root/aaa/syslogd_exec_t_runner.sh
#!/bin/sh
[root@centos-test /]# /root/aaa/syslogd_exec_t_runner.sh
/bin/sh: /root/aaa/syslogd_exec_t_runner.sh: Permission denied
[root@centos-test /]# exit
To add to my confusion:
[root@centos-test ~]# sesearch -s initrc_t -t syslogd_exec_t -c file -p execute -A
Found 3 semantic av rules:
allow initrc_t exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
allow initrc_t syslogd_exec_t : file { read getattr execute open } ;
...
[root@centos-test ~]# sesearch -s syslogd_t -t syslogd_exec_t -c file -p entrypoint -A
Found 1 semantic av rules:
allow syslogd_t syslogd_exec_t : file { ioctl read getattr lock execute entrypoint open } ;
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
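A small diagnostic I would run on a script that fails to transition, added here as my own example and not code from the thread: it checks conditions 1 and 2 of Stephen's list on a given file and, when setools is installed, prints the type_transition, execute and entrypoint rules the kernel consults for the caller's domain and the file's type. It assumes `sesearch`, `id -Z` and `stat -c %C` are available on the box; condition 3 (direct invocation) is a property of how the caller runs the script, so the wrapper only notes it.

```shell
#!/bin/bash
# Added example: why does "/path/to/script.sh" not land in the expected domain?
# Checks the shebang and mode conditions, then asks the loaded policy for the
# rules behind the transition. Domain and type names come from the live system.

# Condition 1: the kernel needs "#!" to locate the interpreter.
has_shebang() {
    [ "$(head -c 2 -- "$1" 2>/dev/null)" = "#!" ]
}

# Condition 2: the file must carry an execute bit for the caller.
is_executable() {
    [ -x "$1" ]
}

# Reports every unmet condition; returns 0 only when both hold.
check_script() {
    rc=0
    has_shebang "$1"   || { echo "no #! header: $1"; rc=1; }
    is_executable "$1" || { echo "not executable (chmod 0755): $1"; rc=1; }
    return $rc
}

# Condition 3 (invoke the path directly, not "sh script") cannot be seen from
# here, so the policy queries below assume a direct execve() of the script.
check_policy() {
    script=$1
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed; skipping policy checks"; return 0; }
    src=$(id -Z | cut -d: -f3)                         # caller's domain, e.g. initrc_t
    ftype=$(stat -c %C -- "$script" | cut -d: -f3)     # file type, e.g. syslogd_exec_t
    echo "source domain: $src   file type: $ftype"
    echo "--- type_transition: domain an exec of $ftype from $src should enter"
    sesearch -T -s "$src" -t "$ftype" -c process
    echo "--- execute permission of $src on $ftype"
    sesearch -A -s "$src" -t "$ftype" -c file -p execute
    echo "--- entrypoint: domains that may be entered through $ftype"
    sesearch -A -t "$ftype" -c file -p entrypoint
}

if [ -n "$1" ]; then
    check_script "$1" && check_policy "$1"
fi
```

If the three conditions hold and all three rule queries return matches, the remaining suspects are what the transitioned interpreter does next: it must itself be allowed to open and read the script and search every directory on its path.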