On Fri, May 07, 2010 at 04:25:35PM -0400, fred.schnittke@xxxxxxxxxx wrote:
> Hi:
>
> Not sure if this is the right place to post a question like this, but I'll
> give it a shot.
>
> I've been following the "Guide to the Secure Configuration of Red Hat
> Enterprise Linux 5" (which has been a great resource) in setting up our
> new server. However I ran into problems chrooting, apache, php and mysql.
> So it was suggested to remove the applications and compile from source.
> After that was done, I moved the three applications to my chroot, and with
> a bit of effort, it all works. The only thing is, I don't think SELINUX is
> monitoring any of the files in the chroot. For instance, it still thinks
> the web directory is in /var/www/ instead of /chroot/httpd/usr/local/www.
>
> When I run the following command:
>
> ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' |
> awk '{ print $NF }'
SELinux is much about the labeling of objects. File context specifications, specify what label to assign to what object in what location.
By chrooting apache and mysql, you change their objects locations. Which in this case SElinux seems not aware about.
The only objects that remain in place is the services init script. When init runs an init script the init domain, domain transitions to the init script domain.
The init script domain would usually transition to the service domain, if the service domain executable file is properly labeled.
The init script domain is unrestricted and unprotected.
So what is happening is the following.
You have moved objects owned by apache and mysql to a new mountpoint called /chroot.
The command: semanage fcontext -l | grep /chroot, tells us that there is currently no context specified for this location.
Thus the location would be labeled either default_t or root_t.
you start the service, init transitions to the unconfined init script domain initrc_t and initrc_t, the init script executes the apache /mysql executable file which is somewhere in /chroot and labeled with a generic type for unspecified locations. Thus initrc_t does not domain transition to the apache/mysql domain as it would usually do if the apache/mysql executable files were labeled properly. So you end up with a chrooted services but you lost selinux protection.
To solve this issue you must change the labeling to reflect their usual location. You can list contexts of the various object using semanage fcontext -l and use similar command to add, modify, delete file context entries.
>
> I get this output:
>
> mysqld
> httpd
> httpd
> httpd
> httpd
> httpd
> httpd
> httpd
> httpd
>
> So my question is:
>
> Is there a (an easy) way to confine these daemons?
>
>
> Regards,
>
>
> Fred Schnittke MCSE, MCP,
> Network Engineer
> VETERINARY PURCHASING company limited
Attachment:
pgpFpegXpyGne.pgp
Description: PGP signature
