On 11/20/2016 08:36 PM, Gary Tierney wrote:
> On Sat, Nov 19, 2016 at 11:35:38PM -0600, Leroy Tennison wrote:
>> Thanks, this explained some missing background, which is great. I
>> combined your instructions and ran 'sesearch -CST -s init_t -t
>> rsync_exec_t -c process' after 'ls -laZ /usr/bin/rsync' to get:
>>
>> Found 1 semantic te rules:
>>    type_transition init_t rsync_exec_t : process rsync_t;
>>
>> but, as I replied earlier, running 'ps -eZ | grep rsync' after running
>> 'rsync --daemon' produced:
>>
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2575 ? 00:00:00 rsync
>>
>> when I was expecting to see rsync somewhere in the response. Is this
>> due to my setup: enforcing with targeted policy? (BTW, this is
>> CentOS 7 with default SELinux, so MLS is enabled, policy deny_unknown
>> status is allowed and max kernel policy version is 28.)
>>
>
> This is because you are executing rsync from a shell, which has a
> different context from systemd and thus different applicable
> type_transition rules.
>
> If we instead use runcon to execute rsync in the domain it would have
> been executed in if systemd launched it, by doing this:
>
> $ runcon "system_u:system_r:rsync_t:s0" /usr/bin/rsync $HOME/dir1 $HOME/dir2
>
> we can see some AVCs from the newly launched rsync process trying to
> copy those files:
>
> # ausearch -i -m AVC -ts recent
> ----
> type=AVC msg=audit(20/11/16 16:51:00.227:298) : avc: denied { search }
> for pid=1166 comm=rsync name=gtierney dev="dm-6" ino=131073
> scontext=system_u:system_r:rsync_t:s0
> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
> ----
>
>> Maybe I should mention what I'm trying to do and someone will have an
>> alternative. I'm trying to gain experience working with SELinux by
>> having a daemon attempt to access a file that SELinux prohibits and
>> then resolve the issue by relabeling it. I was also wanting to avoid
>> setting up something complicated (like Apache) just for a test. I
>> thought rsync would be easy but am discovering otherwise.
>>
>
> The main problem there is that you are executing programs from your
> unconfined shell. If you were to create a service unit for the rsync
> daemon you would likely see better results.
>
> The SELinux manpage for rsync gives some more information on how to
> configure rsync to access files with SELinux when you have it running in
> the correct domain: https://fedoraproject.org/wiki/SELinux/rsync
>
>> On 11/18/2016 08:30 PM, Gary Tierney wrote:
>>> On Fri, Nov 18, 2016 at 04:26:45AM -0000, leroy.tennison@xxxxxxxxxxx
>>> wrote:
>>>> I'm just beginning to learn SELinux and have numerous questions (I've
>>>> read roughly half of the "Red Hat Enterprise Linux 7 SELinux User's
>>>> and Administrator's Guide"). The first one is how to determine the
>>>> domain of a daemon if it isn't running. If there's documentation on
>>>> this and I've just missed it, just point me to it. Thanks for your
>>>> help.
>>>
>>> Hi,
>>>
>>> The context of a process usually depends on the domain which started
>>> it. In Fedora's current policy systemd runs as init_t, so to find
>>> out what the context of a daemon it starts would be, we need to look
>>> for type_transition rules with init_t as the source type. You can do
>>> this by using sesearch from setools-console:
>>>
>>> $ sesearch -CST -s init_t -c process
>>> Found 721 semantic te rules:
>>>    type_transition init_t cgconfig_exec_t : process cgconfig_t;
>>>    type_transition init_t deltacloudd_exec_t : process deltacloudd_t;
>>>    ... snip ...
>>>
>>> The target type in these rules is the type of the program's executable
>>> file, so to filter the sesearch results to a single program we can do
>>> this:
>>>
>>> $ ls -laZ /sbin/dnsmasq
>>> -rwxr-xr-x. 1 root root system_u:object_r:dnsmasq_exec_t:s0 373928 Jul 15 13:57 /sbin/dnsmasq
>>>
>>> $ sesearch -CST -s init_t -t dnsmasq_exec_t -c process
>>> Found 1 semantic te rules:
>>>    type_transition init_t dnsmasq_exec_t : process dnsmasq_t;
>>>
>>> So we know that when init_t execve()'s a program with a type of
>>> dnsmasq_exec_t it will transition to dnsmasq_t [1]. You can also
>>> achieve the same result by using selinuxexeccon from libselinux-utils:
>>>
>>> $ selinuxexeccon /usr/sbin/dnsmasq "system_u:system_r:init_t:s0"
>>> system_u:system_r:dnsmasq_t:s0
>>>
>>> [1] - A process can also call setexeccon() to set the context for a
>>> new process before it calls execve().

Gary, great answer, thank you. Also, it looks like great material for a new blog post, and probably we could also update the guide.

>>> _______________________________________________
>>>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
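The lookup Gary describes (match a type_transition rule on the caller's domain plus the executable's type, and read the resulting AVC denial) can be exercised without an SELinux host by parsing the two text formats the thread shows. The script below is an added example and is not code from the thread or from the SELinux tools; the sesearch output and the AVC record in it are constructed samples modelled on the ones quoted above, and the helper names (domain_for_exec, effective_domain, avc_field, avc_summary) are my own.

```shell
#!/bin/sh
# Added example (not from the thread): offline helpers for the two output
# formats discussed above, sesearch type_transition rules and an
# 'ausearch -i' AVC record.  Nothing here needs setools or an SELinux kernel.

# Constructed sample of 'sesearch -CST -s init_t -c process' output.  Note
# there is deliberately no rule with unconfined_t as the source type, which
# is the situation Leroy ran into when starting rsync from a shell.
SAMPLE_RULES='Found 3 semantic te rules:
   type_transition init_t cgconfig_exec_t : process cgconfig_t;
   type_transition init_t dnsmasq_exec_t : process dnsmasq_t;
   type_transition init_t rsync_exec_t : process rsync_t;'

# Constructed sample AVC record in the 'ausearch -i' format quoted above.
SAMPLE_AVC='type=AVC msg=audit(20/11/16 16:51:00.227:298) : avc:  denied  { search }  for  pid=1166 comm=rsync name=gtierney dev="dm-6" ino=131073 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir  permissive=0'

# domain_for_exec SOURCE EXEC_TYPE
#   Reads sesearch-style rules on stdin and prints the domain a process of
#   type SOURCE transitions to when it execve()'s a file labelled EXEC_TYPE.
#   Prints nothing and returns 1 when no process type_transition matches.
#   Rule layout: type_transition <src> <exec> : process <domain>;
domain_for_exec() {
    awk -v src="$1" -v exe="$2" '
        $1 == "type_transition" && $2 == src && $3 == exe && $5 == "process" {
            sub(/;$/, "", $6); print $6; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# effective_domain SOURCE EXEC_TYPE
#   Like domain_for_exec, but falls back to SOURCE when no rule matches:
#   without a type_transition (or an explicit setexeccon() by the caller)
#   a process simply keeps its own domain across execve().  This is why
#   'ps -eZ' showed rsync as unconfined_t after a shell-started 'rsync --daemon'.
effective_domain() {
    d=$(domain_for_exec "$1" "$2") || d=$1
    printf '%s\n' "$d"
}

# avc_field RECORD KEY: value of the first KEY=value pair in an AVC record.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# context_type CONTEXT: the type component (third colon field) of a context,
# e.g. system_u:system_r:rsync_t:s0 -> rsync_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD
#   One-line reading of a denial: which domain was refused which permission
#   on an object of which class and type.  That type is what a relabel
#   (or a policy boolean, per the rsync wiki page) has to address.
avc_summary() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\).*/\1/p')
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    printf '%s denied %s on %s labelled %s\n' "$src" "$perm" "$cls" "$tgt"
}

# Worked usage on the constructed samples.
printf '%s\n' "$SAMPLE_RULES" | domain_for_exec init_t rsync_exec_t        # rsync_t
printf '%s\n' "$SAMPLE_RULES" | effective_domain init_t dnsmasq_exec_t     # dnsmasq_t
printf '%s\n' "$SAMPLE_RULES" | effective_domain unconfined_t rsync_exec_t # unconfined_t
avc_summary "$SAMPLE_AVC"   # rsync_t denied search on dir labelled user_home_dir_t
```

To run it against a real system, replace the SAMPLE_RULES variable with the output of the sesearch command quoted above and SAMPLE_AVC with a line from 'ausearch -i -m AVC'; the parsing is the same. The third usage line is the point of Gary's explanation: asking the rules for an unconfined_t source gives no transition, so the daemon stays in the shell's domain, and only a unit started by init_t (or a runcon into rsync_t) reaches the domain that the targeted policy actually confines.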