On 11/8/18 8:33 AM, Ishara Fernando wrote:
Dear Stephen,
Many thanks for the detailed information, it has been very useful.
In fact I have tested your steps in a similar environment (CentOS 6.10,
see versions below) to yours, in a virtual machine based on
VirtualBox, and I have reached the step where the *selinux module is
installed* for doing the range transition to enforce httpd to run on
s4-s5:c1,c2.
Unfortunately I still see the range transition denied errors in the
audit logs (after installing the selinux module), and I do not see any
errors related to *httpd trying to perform writes* on various
directories/files that are labeled s0, as per your explanation.
Kindly see the details below:
[root@msc-ishara-system1 ~]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: mls
Process contexts:
Current context: staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2
Init context: system_u:system_r:init_t:s0-s15:c0.c1023
/sbin/mingetty system_u:system_r:getty_t:s0-s15:c0.c1023
/usr/sbin/sshd system_u:system_r:sshd_t:s0-s15:c0.c1023
File contexts:
Controlling term: staff_u:object_r:user_devpts_t:s4
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:init_exec_t:s0
/sbin/mingetty system_u:object_r:getty_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
Dist: CentOS release 6.10 (Final)
Kernel : 2.6.32-754.6.3.el6.x86_64
SELinux MLS Policy RPM: selinux-policy-mls-3.7.19-312.el6.noarch
SELinux Policy version: 24
[root@msc-ishara-system1 ~]# id -Z
staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2
This is the problem - you switched levels before running run_init.
And run_init tries to do an explicit transition to the context
configured in /etc/selinux/$SELINUXTYPE/contexts/initrc_context. Just
leave your shell in s0-s15:c0.c1023, and let the range_transition rule
handle transitioning httpd into s4-s5:c1,c2 for you automatically.
[root@msc-ishara-system1 ~]# ls -lZ /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
[root@msc-ishara-system1 ~]# which run_init
/usr/sbin/run_init
[root@msc-ishara-system1 ~]# ls -lZ /usr/sbin/run_init
-rwxr-xr-x. root root system_u:object_r:run_init_exec_t:s0 /usr/sbin/run_init
[root@msc-ishara-system1 /]# cat httpdtrans.te
policy_module(httpdtrans, 1.0)

require {
	type initrc_t;
	type httpd_exec_t;
	type httpd_t;
}

# When initrc_t executes a file labeled httpd_exec_t, start the new
# process at s4-s5:c1,c2 instead of inheriting the caller's range.
range_transition initrc_t httpd_exec_t:process s4 - s5:c1,c2;

# The MLS constraints only allow the range to change across exec for
# domains marked as a trusted range-transition source and target.
mls_rangetrans_source(initrc_t)
mls_rangetrans_target(httpd_t)
[root@msc-ishara-system1 /]# semodule -l | grep -i httpd
httpdtrans 1.0
[root@msc-ishara-system1 ~]# sesearch --type | grep -i initrc_t | grep -i httpd_exec
type_transition initrc_t httpd_exec_t : process httpd_t;
[root@msc-ishara-system1 ~]# id -Z
staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2
[root@msc-ishara-system1 ~]# run_init /etc/init.d/httpd start
Authenticating root.
Password:
execvp: Permission denied
[root@msc-ishara-system1 ~]# ausearch -i -m AVC -ts recent
----
type=SYSCALL msg=audit(11/08/2018 18:32:36.457:160) : arch=x86_64
syscall=execve success=no exit=-13(Permission denied) a0=0x7ffd2309581a
a1=0x7ffd230949b0 a2=0x7ffd230949c8 a3=0x7ffd23094610 items=0 ppid=1802
pid=3074 auid=root uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=run_init
exe=/usr/sbin/run_init subj=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2
key=(null)
type=AVC msg=audit(11/08/2018 18:32:36.457:160) : avc: denied {
transition } for pid=3074 comm=run_init path=/etc/rc.d/init.d/httpd
dev=dm-0 ino=262967 scontext=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
[root@msc-ishara-system1 /]# cat /var/log/audit/audit.log | grep -i httpd | grep -i write
[root@msc-ishara-system1 /]#
[root@msc-ishara-system1 /]# cat /var/log/audit/audit.log | grep -i httpd | grep -i append
[root@msc-ishara-system1 /]#
I followed all your steps but I am not sure whether I have missed something
which I still couldn't point out.
Also regarding the constraint rules, now I understand how they work
after your explanation about the httpd process running in the sshd_t
domain :) . So therefore I have installed the SRC RPM to see the types
with the mlsfileread attribute, to understand how it works.
[root@msc-ishara-system1 serefpolicy-3.7.19]# cd /root/rpmbuild/BUILD/serefpolicy-3.7.19
[root@msc-ishara-system1 serefpolicy-3.7.19]# grep -ir 'mlsfileread' ./tmp/all_te_files.conf | grep -v toclr | sed -e 's/typeattribute//g' | sed -e 's/mlsfileread//g' | sed -e 's/attribute//g' | grep -i ssh
 sshd_t ;
So in that case, if I have understood it right, I need to run the httpd
process in a domain (type) which does NOT belong to the 'mlsfileread'
attribute, right? Can we have it done using the same "httpdtrans.te"
file you shared?
Just getting it running in httpd_t would suffice. Or you could just run
the equivalent test for your own custom network daemon running in user_t
or any other domain that doesn't have mlsfileread.
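The check Stephen describes, as an added example that is not part of this thread and not code from either participant: a small POSIX sh pre-flight that refuses to call run_init unless the shell is still at the full init range, plus a helper that pulls the scontext/tcontext ranges out of an AVC "denied { transition }" record so the mismatch is visible at a glance. It assumes the init range is s0-s15:c0.c1023 (as in the sestatus output above) and that contexts have the usual user:role:type:range shape; the sample contexts and the AVC line are taken from the thread, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check before run_init on an
# MLS system, plus a helper that reads the ranges out of an AVC transition
# denial. Assumption: the full range used by init/run_init is s0-s15:c0.c1023,
# as in the sestatus output in the thread; contexts are user:role:type:range.

INIT_RANGE='s0-s15:c0.c1023'

# MLS range of a context string: everything after the third colon, because the
# range itself may contain a colon (e.g. s4-s5:c1,c2).
ctx_range() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# Type (domain) of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds only if the given shell context is at the full init range. That is
# the state Stephen asks for: if the shell has already switched to a narrower
# level, run_init's explicit transition to initrc_t is denied, as in the
# audit record above.
run_init_ok() {
    [ "$(ctx_range "$1")" = "$INIT_RANGE" ]
}

# Extract the scontext and tcontext ranges from one AVC record and report
# whether they differ. Prints "match <range>" or
# "mismatch <source-range> <target-range>".
explain_transition_denial() {
    src=$(printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tgt=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    sr=$(ctx_range "$src")
    trg=$(ctx_range "$tgt")
    if [ "$sr" = "$trg" ]; then
        echo "match $sr"
    else
        echo "mismatch $sr $trg"
    fi
}

# Demonstration on constructed inputs (no SELinux tooling needed).
BAD_CTX='staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2'       # the shell in the thread
GOOD_CTX='staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023'  # the shell Stephen wants
for c in "$BAD_CTX" "$GOOD_CTX"; do
    if run_init_ok "$c"; then
        echo "ok, safe to run_init from: $c"
    else
        echo "refusing run_init, range is $(ctx_range "$c") not $INIT_RANGE: $c"
    fi
done

# The AVC line from the thread, joined onto one line.
AVC='type=AVC msg=audit(11/08/2018 18:32:36.457:160) : avc: denied { transition } for pid=3074 comm=run_init path=/etc/rc.d/init.d/httpd dev=dm-0 ino=262967 scontext=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process'
explain_transition_denial "$AVC"

# On the real box, with the shell still at the init range:
#   run_init_ok "$(id -Z)" && run_init /etc/init.d/httpd start
#   ps -eZ | grep httpd   # expect httpd_t at s4-s5:c1,c2 via the range_transition
```

The point of `run_init_ok` is only to make the mistake in the thread impossible to repeat by accident: the range change for httpd comes from the range_transition rule in httpdtrans.te, not from the shell, so the shell that calls run_init should still look like the init context shown by sestatus.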