Re: SELinux MLS for Apache Process

Many thanks Stephen, it indeed worked!

Your support helped me a lot in doing my Master's thesis, which is based on SELinux MLS. I will definitely reach out to you on matters which would require your expertise.

Thanks again from Sri Lanka!!




On Thu, Nov 8, 2018 at 7:20 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On 11/8/18 8:33 AM, Ishara Fernando wrote:
> Dear Stephen,
>
> Many thanks for the detailed information, it has been very useful.
> In fact I have tested your steps in a similar environment (CentOS 6.10,
> see versions below) as yours in a virtual machine based on
> VirtualBox. I have reached the step where the *selinux module is
> installed* for doing the range transition to enforce httpd to run on
> s4-s5:c1,c2.
>
> Unfortunately I still see the range transition denied errors in the
> audit logs (after installing the selinux module), and I do not see any
> errors related to *httpd trying to perform writes* on various
> directories/files that are labeled s0 as per your explanation.
>
> Kindly see the details below
>
> [root@msc-ishara-system1 ~]# sestatus -v
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 24
> Policy from config file:        mls
>
> Process contexts:
> Current context:                staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2
> Init context:                   system_u:system_r:init_t:s0-s15:c0.c1023
> /sbin/mingetty                  system_u:system_r:getty_t:s0-s15:c0.c1023
> /usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s15:c0.c1023
>
> File contexts:
> Controlling term:               staff_u:object_r:user_devpts_t:s4
> /etc/passwd                     system_u:object_r:etc_t:s0
> /etc/shadow                     system_u:object_r:shadow_t:s0
> /bin/bash                       system_u:object_r:shell_exec_t:s0
> /bin/login                      system_u:object_r:login_exec_t:s0
> /bin/sh                         system_u:object_r:bin_t:s0 ->
> system_u:object_r:shell_exec_t:s0
> /sbin/agetty                    system_u:object_r:getty_exec_t:s0
> /sbin/init                      system_u:object_r:init_exec_t:s0
> /sbin/mingetty                  system_u:object_r:getty_exec_t:s0
> /usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
>
>
>
> Dist: CentOS release 6.10 (Final)
> Kernel : 2.6.32-754.6.3.el6.x86_64
> SELinux MLS Policy RPM: selinux-policy-mls-3.7.19-312.el6.noarch
> SELinux Policy version: 24
>
>
> [root@msc-ishara-system1 ~]# id -Z
> staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2

This is the problem - you switched levels before running run_init.
And run_init tries to do an explicit transition to the context
configured in /etc/selinux/$SELINUXTYPE/contexts/initrc_context.  Just
leave your shell in s0-s15:c0.c1023, and let the range_transition rule
handle transitioning httpd into s4-s5:c1,c2 for you automatically.

>
>
> [root@msc-ishara-system1 ~]# ls -lZ /usr/sbin/httpd
> -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
>
>
>
> [root@msc-ishara-system1 ~]# which run_init
> /usr/sbin/run_init
> [root@msc-ishara-system1 ~]# ls -lZ /usr/sbin/run_init
> -rwxr-xr-x. root root system_u:object_r:run_init_exec_t:s0
> /usr/sbin/run_init
>
>
>
> [root@msc-ishara-system1 /]# cat httpdtrans.te
> policy_module(httpdtrans, 1.0)
>
> require {
>          type initrc_t;
>          type httpd_exec_t;
>          type httpd_t;
> }
>
> range_transition initrc_t httpd_exec_t:process s4 - s5:c1,c2;
>
> mls_rangetrans_source(initrc_t)
> mls_rangetrans_target(httpd_t)
>
>
>
> [root@msc-ishara-system1 /]# semodule -l | grep -i httpd
> httpdtrans    1.0
>
>
>
> [root@msc-ishara-system1 ~]# sesearch --type | grep -i initrc_t | grep
> -i httpd_exec
>     type_transition initrc_t httpd_exec_t : process httpd_t;
>
>
> [root@msc-ishara-system1 ~]# id -Z
> staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2
>
>
> [root@msc-ishara-system1 ~]# run_init /etc/init.d/httpd start
> Authenticating root.
> Password:
> execvp: Permission denied
>
>
> [root@msc-ishara-system1 ~]# ausearch -i -m AVC -ts recent
> ----
> type=SYSCALL msg=audit(11/08/2018 18:32:36.457:160) : arch=x86_64
> syscall=execve success=no exit=-13(Permission denied) a0=0x7ffd2309581a
> a1=0x7ffd230949b0 a2=0x7ffd230949c8 a3=0x7ffd23094610 items=0 ppid=1802
> pid=3074 auid=root uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=run_init
> exe=/usr/sbin/run_init subj=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2
> key=(null)
> type=AVC msg=audit(11/08/2018 18:32:36.457:160) : avc:  denied  {
> transition } for  pid=3074 comm=run_init path=/etc/rc.d/init.d/httpd
> dev=dm-0 ino=262967 scontext=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
>
>
> [root@msc-ishara-system1 /]# cat  /var/log/audit/audit.log | grep -i
> httpd | grep -i write
> [root@msc-ishara-system1 /]#
>
> [root@msc-ishara-system1 /]# cat  /var/log/audit/audit.log | grep -i
> httpd | grep -i append
> [root@msc-ishara-system1 /]#
>
>
>
> I followed all your steps but am not sure whether I have missed something
> which I still couldn't point out.
>
>
> Also regarding the constraint rules, now I understand how it works
> after your explanation about the httpd process running in the sshd_t
> domain :). So therefore I have installed the SRC rpm to see the types
> for the mlsfileread attribute to understand how it works.
>
>
> [root@msc-ishara-system1 serefpolicy-3.7.19]# cd
> /root/rpmbuild/BUILD/serefpolicy-3.7.19
>
> [root@msc-ishara-system1 serefpolicy-3.7.19]# grep -ir 'mlsfileread'
> ./tmp/all_te_files.conf  | grep -v toclr | sed -e 's/typeattribute//g' |
> sed -e 's/mlsfileread//g' | sed -e 's/attribute//g' | grep -i ssh
>      sshd_t ;
>
>
> So in that case, if I have understood it right, I need to run the httpd
> process in a domain (type) which does NOT belong to the 'mlsfileread'
> attribute, right? Can we have it done using the same "httpdtrans.te"
> file you shared?

Just getting it running in httpd_t would suffice.  Or you could just run
the equivalent test for your own custom network daemon running in user_t
or any other domain that doesn't have mlsfileread.
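The denial Stephen diagnoses above is an MLS dominance problem rather than a type-enforcement one: run_init runs at the shell's range s4-s5:c1,c2 and asks for an explicit transition into initrc_context's s0-s15:c0.c1023, and the high level s5:c1,c2 does not dominate s15:c0.c1023. The script below is an added example written for this thread, not code from the mailing list or the SELinux project. It parses the quoted AVC record, expands category specs such as c0.c1023, and checks the dominance relationship; the constraint it models (source high level must dominate target high level for a process transition, unless the source domain holds a special attribute such as mlsprocsetsl or privrangetrans, which it does not model) is assumed from the reference policy's mls file.

```python
"""Parse MLS contexts out of SELinux AVC records and check level dominance.

Added example for this thread, not mailing-list or refpolicy code. The
modelled constraint (h1 dom h2 for process transition, exemptions for
mlsprocsetsl / privrangetrans ignored) is assumed from refpolicy's mls file.
"""
import re
from dataclasses import dataclass

# Constructed sample: the AVC record quoted in the thread, reflowed onto one line.
SAMPLE_AVC = (
    "type=AVC msg=audit(11/08/2018 18:32:36.457:160) : avc:  denied  { transition } "
    "for  pid=3074 comm=run_init path=/etc/rc.d/init.d/httpd dev=dm-0 ino=262967 "
    "scontext=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2 "
    "tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process"
)

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity (sN) plus a set of category numbers."""
    sensitivity: int
    categories: frozenset

    def dominates(self, other):
        # Dominance: higher-or-equal sensitivity and a superset of the categories.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)

    def __str__(self):
        # Render runs of three or more consecutive categories as cA.cB.
        cats, parts, i = sorted(self.categories), [], 0
        while i < len(cats):
            j = i
            while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
                j += 1
            if j - i >= 2:
                parts.append(f"c{cats[i]}.c{cats[j]}")
            else:
                parts.extend(f"c{c}" for c in cats[i:j + 1])
            i = j + 1
        return f"s{self.sensitivity}" + (":" + ",".join(parts) if parts else "")


def parse_categories(spec):
    """Expand 'c1,c2', a range like 'c0.c1023', or a mix of both into a set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(text):
    sens, _, cats = text.partition(":")
    return Level(int(sens[1:]), parse_categories(cats))


def parse_range(text):
    """'s4-s5:c1,c2' -> (low, high); a single level is its own high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def parse_context(ctx):
    """Split user:role:type:range; the range part may itself contain ':'."""
    user, role, type_, mls = ctx.split(":", 3)
    low, high = parse_range(mls)
    return {"user": user, "role": role, "type": type_, "low": low, "high": high}


def explain_transition_denial(line):
    """Describe a process-transition AVC record; None for any other record."""
    m = AVC_RE.search(line)
    if (not m or m.group("tclass") != "process"
            or "transition" not in m.group("perms").split()):
        return None
    src = parse_context(m.group("scontext"))
    tgt = parse_context(m.group("tcontext"))
    return {
        "source_type": src["type"],
        "target_type": tgt["type"],
        "source_high": str(src["high"]),
        "target_high": str(tgt["high"]),
        # The modelled MLS constraint on process transition: h1 dom h2.
        "high_dominates": src["high"].dominates(tgt["high"]),
    }


if __name__ == "__main__":
    print(explain_transition_denial(SAMPLE_AVC))
    # A shell left at the full range can transition into initrc_context.
    full = parse_range("s0-s15:c0.c1023")[1]
    print("full-range shell dominates initrc_context high:", full.dominates(full))
```

Run against the record from the thread, the report shows `high_dominates: False` with source high `s5:c1,c2` and target high `s15:c0.c1023`, which is exactly why leaving the shell at s0-s15:c0.c1023 (whose high level dominates everything) and letting the range_transition rule lower httpd to s4-s5:c1,c2 works while newrole-ing first does not.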

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx