Re: Determine SELinux domain of daemon which isn't running

On Sat, Nov 19, 2016 at 11:35:38PM -0600, Leroy Tennison wrote:
Thanks, this explained some missing background which is great. I combined your instructions and ran 'sesearch -CST -s init_t -t rsync_exec_t -c process' after 'ls -laZ /usr/bin/rsync' to get:

Found 1 semantic te rules:
  type_transition init_t rsync_exec_t : process rsync_t;

but, as I replied earlier, running 'ps -eZ | grep rsync' after running 'rsync --daemon' produced: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2575 ? 00:00:00 rsync

when I was expecting to see rsync somewhere in the response. Is this due to my setup: enforcing with targeted policy? (BTW, this is CentOS7 with default SELinux so MLS is enabled, policy deny_unknown status is allowed and max kernel policy version is 28).


This is because you are executing rsync from a shell, which has a different context from systemd and thus different applicable type_transition rules.

If we instead use runcon to execute rsync in the domain it would have been executed in if systemd launched it by doing this:

$ runcon "system_u:system_r:rsync_t:s0" /usr/bin/rsync $HOME/dir1 $HOME/dir2

We can see some AVCs from the newly launched rsync process trying to copy those files:

# ausearch -i -m AVC -ts recent
----
type=AVC msg=audit(20/11/16 16:51:00.227:298) : avc:  denied  { search } for  pid=1166 comm=rsync name=gtierney dev="dm-6" ino=131073 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
----


Maybe I should mention what I'm trying to do and someone will have an alternative. I'm trying to gain experience working with SELinux by having a daemon attempt to access a file that SELinux prohibits and then resolve the issue by relabeling it. I was also wanting to avoid setting up something complicated (like Apache) just for a test. I thought rsync would be easy but am discovering otherwise.


The main problem for that is you are executing programs from your unconfined shell. If you were to create a service unit for the rsync daemon you will likely see better results.

The SELinux manpage for rsync gives some more information on how to configure rsync to access files with SELinux when you have it running in the correct domain: https://fedoraproject.org/wiki/SELinux/rsync

On 11/18/2016 08:30 PM, Gary Tierney wrote:
On Fri, Nov 18, 2016 at 04:26:45AM -0000, leroy.tennison@xxxxxxxxxxx wrote:
I'm just beginning to learn SELinux and have numerous questions (I've read roughly half of the "Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide"). The first one is how to determine the domain of a daemon if it isn't running. If there's documentation on this and I've just missed it, just point me to it. Thanks for your help.

Hi,

The context of a process usually depends on the domain which started it. In Fedora's current policy systemd runs as init_t, so to find out what the context of a daemon it starts would be we need to look for type_transition rules with init_t as the source type. You can do this by using sesearch from setools-console:

$ sesearch -CST -s init_t -c process
Found 721 semantic te rules:
 type_transition init_t cgconfig_exec_t : process cgconfig_t;
 type_transition init_t deltacloudd_exec_t : process deltacloudd_t;
 ... snip ...

The target type in these rules is the type of the program's executable file, so to filter the sesearch results to a single program we can do this:

$ ls -laZ /sbin/dnsmasq
-rwxr-xr-x. 1 root root system_u:object_r:dnsmasq_exec_t:s0 373928 Jul 15 13:57 /sbin/dnsmasq

$ sesearch -CST -s init_t -t dnsmasq_exec_t -c process
Found 1 semantic te rules:
 type_transition init_t dnsmasq_exec_t : process dnsmasq_t;

So we know that when init_t execve()'s a program with a type of dnsmasq_exec_t it will transition to dnsmasq_t [1]. You can also achieve the same result by using selinuxexeccon from libselinux-utils:

$ selinuxexeccon /usr/sbin/dnsmasq "system_u:system_r:init_t:s0"
system_u:system_r:dnsmasq_t:s0

[1] - A process can also call setexeccon() to set the context for a new process before it calls execve().
_____________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx





--
Gary Tierney

GPG fingerprint: 412C 0EF9 C305 68E6 B660BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
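As an added example (not code from this thread, and not a libselinux or setools API), the following Python script automates the lookup the thread performs by hand: take the type from an executable's `ls -Z` label, then find the `type_transition` rule whose source is the launching domain and whose target is that type. It also reproduces the point Gary makes about the rsync test: with `unconfined_t` as the source there is no matching rule, so the new process simply keeps the caller's domain, which is why `ps -eZ` showed `unconfined_t`. The sesearch and `ls -laZ` text is constructed sample input modelled on the output quoted in the thread, and `exec_context` is a simplification of what `selinuxexeccon` computes: it applies only `type_transition` rules and carries user, role and MLS range over unchanged (role_transition rules are ignored).

```python
"""Predict the SELinux domain a daemon will run in from sesearch output.

Mirrors the manual procedure from the thread: executable type from `ls -Z`,
then a `type_transition` rule with the launching domain as source.  All
sample data below is constructed for this example.
"""
import re

# Constructed sample: `sesearch -CST -s init_t -c process`, trimmed to the
# rules quoted in the thread.
SESEARCH_OUTPUT = """\
Found 3 semantic te rules:
 type_transition init_t cgconfig_exec_t : process cgconfig_t;
 type_transition init_t dnsmasq_exec_t : process dnsmasq_t;
 type_transition init_t rsync_exec_t : process rsync_t;
"""

# Constructed sample of `ls -laZ` output for two executables.
LS_Z_OUTPUT = """\
-rwxr-xr-x. 1 root root system_u:object_r:dnsmasq_exec_t:s0 373928 Jul 15 13:57 /sbin/dnsmasq
-rwxr-xr-x. 1 root root system_u:object_r:rsync_exec_t:s0 495984 Nov 5 21:11 /usr/bin/rsync
"""

# One sesearch rule line: type_transition SOURCE TARGET : CLASS DEFAULT;
RULE_RE = re.compile(
    r"^\s*type_transition\s+(?P<source>\S+)\s+(?P<target>\S+)\s*:\s*"
    r"(?P<class>\S+)\s+(?P<default>[^\s;]+);\s*$"
)


def parse_type_transitions(text):
    """Return {(source_type, target_type, class): default_type}."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[(m["source"], m["target"], m["class"])] = m["default"]
    return rules


def parse_file_types(text):
    """Map each path in `ls -Z` output to the type field of its label."""
    types = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        label = fields[4]                  # user:role:type[:range]
        types[fields[-1]] = label.split(":")[2]
    return types


def split_context(ctx):
    """Split user:role:type[:mls] and keep any MLS range as one string."""
    user, role, typ, *rest = ctx.split(":")
    return user, role, typ, ":".join(rest)


def exec_context(rules, source_ctx, exec_type):
    """Context a process in source_ctx gets after execve() of a file of
    type exec_type.  Simplified selinuxexeccon: only the type changes, and
    only when a type_transition rule for the process class exists;
    otherwise the domain is inherited from the caller."""
    user, role, src_type, mls = split_context(source_ctx)
    new_type = rules.get((src_type, exec_type, "process"), src_type)
    parts = [user, role, new_type] + ([mls] if mls else [])
    return ":".join(parts)


def daemon_domain(path, rules, file_types,
                  launcher_ctx="system_u:system_r:init_t:s0"):
    """Domain a daemon at `path` would run in if systemd (init_t) started it."""
    return exec_context(rules, launcher_ctx, file_types[path])


if __name__ == "__main__":
    rules = parse_type_transitions(SESEARCH_OUTPUT)
    file_types = parse_file_types(LS_Z_OUTPUT)
    shell_ctx = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
    for path in ("/sbin/dnsmasq", "/usr/bin/rsync"):
        print(f"{path}: via systemd -> {daemon_domain(path, rules, file_types)}")
        print(f"{path}: from shell  -> "
              f"{exec_context(rules, shell_ctx, file_types[path])}")
```

Running it shows `/usr/bin/rsync` landing in `rsync_t` only when launched from `init_t`; from the unconfined shell the result is the unchanged `unconfined_t` context seen in the thread. On a real system the two constructed strings can be replaced with the live output of `sesearch` and `ls -Z` piped in, which is where a parser like this earns its keep.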
