Re: init_t translation

Hi Louis,

On 10/7/19 4:59 PM, Louis Garcia wrote:
> I am new to compiling SELinux policy modules. When I sesearch for source
> domain init_t for httpd_sys_content_t I get 5 replies:
> 
> $ sesearch -T -s init_t -t httpd_sys_content_t
> type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "smarty";
> type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "upgrade";
> type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "uploads";
> type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "wp-content";
> type_transition init_t httpd_sys_content_t:file httpd_sys_rw_content_t "settings.php";
> 
> If I read this correctly, init_t has access to 4 directories: smarty,
> upgrade, uploads and wp-content, and one file, settings.php.
>

This doesn't mean that all processes labeled as init_t have access to
these dirs. It means that when a process labeled as init_t creates the
directories "smarty", "upgrade", "uploads", "wp-content" or the file
"settings.php" in a directory labeled as httpd_sys_content_t, the dirs
and file mentioned above will get the label httpd_sys_rw_content_t.


> I created a systemd service file running as a timer. The service just
> executes a script. SELinux denies with these errors:
> 
> type=AVC msg=audit(1570329687.437:218): avc: denied { execute } for pid=1079 comm="(index.sh)" name="make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1570329687.437:219): avc: denied { read open } for pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1570329687.437:220): avc: denied { execute_no_trans } for pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1570329687.450:221): avc: denied { ioctl } for pid=1079 comm="make_index.sh" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1570329691.303:222): avc: denied { create } for pid=1081 comm="make_index.sh" name="index.html" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1570329691.322:223): avc: denied { write } for pid=1081 comm="make_index.sh" name="index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1570329691.322:224): avc: denied { open } for pid=1081 comm="make_index.sh" path="/srv/www/sites/linux.montclaire.lan/index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1570329691.322:225): avc: denied { append } for pid=1081 comm="make_index.sh" name="index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
> 
> How can I create a type transition that says this; is this correct?
> 
> type_transition init_t httpd_sys_content_t:file httpd_sys_rw_content_t
> "make_index.sh";
> 

Not really. You ideally need to create a custom SELinux policy for your
timer service, where you add a domain transition so that the timer gets
its own SELinux domain, and then you allow this domain to access
httpd_sys_content_t dirs/files.

You can use the following workshop as an example of how to create a new policy:
http://redhatgov.io/workshops/selinux_policy/

Thanks,
Lukas.



-- 
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
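The module Lukas describes, written out as an added example (it is not code from this thread, from Fedora's policy or from the linked workshop): a dedicated domain for the timer's script, entered by a domain transition from init_t, so the access to httpd_sys_content_t is granted to that domain rather than to init_t. The names make_index_t, make_index_exec_t, the module name make_index and the install path /usr/local/bin/make_index.sh are assumptions; the interfaces used (init_daemon_domain, corecmd_exec_shell, apache_manage_sys_content and the others) are the refpolicy/Fedora ones as I know them, and their definitions should be checked under /usr/share/selinux/devel/include on the target system before building.

```selinux
# make_index.te  (added example, not from the thread or from Fedora's policy)
#
# Assumptions: domain make_index_t, entrypoint type make_index_exec_t, module
# name make_index, script installed at /usr/local/bin/make_index.sh and started
# by the unit as ExecStart=/usr/local/bin/make_index.sh.  The script cannot stay
# labelled httpd_sys_content_t: the file systemd executes must carry
# make_index_exec_t, otherwise the domain transition never fires.
policy_module(make_index, 1.0.0)

########################################
#
# Declarations
#
type make_index_t;
type make_index_exec_t;

# Declares make_index_t as a domain with make_index_exec_t as its entrypoint
# and adds the init_t -> make_index_t transition on execute, i.e. the
# process-class type_transition that replaces the file-class one asked about.
init_daemon_domain(make_index_t, make_index_exec_t)

########################################
#
# Local policy
#
# A shell script needs the interpreter and the usual /usr/bin tools.
corecmd_exec_shell(make_index_t)
corecmd_exec_bin(make_index_t)

# The denials in the thread are read of the site directory plus
# create/write/open/append of index.html under httpd_sys_content_t; the
# apache module's manage interface covers dirs and files of that type.
# Use apache_read_sys_content() instead if the script only reads.
apache_manage_sys_content(make_index_t)

# Everyday needs of almost any domain: /etc, locale data, /proc self state.
files_read_etc_files(make_index_t)
miscfiles_read_localization(make_index_t)
kernel_read_system_state(make_index_t)

# Development aid only: audit the domain's denials without enforcing them so
# that any rule still missing shows up in audit.log; drop it before deploying.
# permissive make_index_t;

# make_index.fc  (second file of the same module, assumed path):
#   /usr/local/bin/make_index\.sh  --  gen_context(system_u:object_r:make_index_exec_t,s0)
#
# Build, load, relabel and verify (Fedora/RHEL with selinux-policy-devel):
#   make -f /usr/share/selinux/devel/Makefile make_index.pp
#   semodule -i make_index.pp
#   restorecon -v /usr/local/bin/make_index.sh
#   sesearch -T -s init_t -t make_index_exec_t -c process
```

After loading the module, `sesearch -T` should list exactly one process-class transition from init_t for make_index_exec_t, and while the timer runs `ps -eZ | grep make_index` should show the script in make_index_t. This is also why the file-class rule quoted in the question would not have helped: a type_transition only chooses the label of an object the domain creates, it grants no permission, so init_t would still be denied execute on the script and write on index.html.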


_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx