Many thanks Stephen, it indeed worked! Your support helped me a lot in doing my Master's thesis, which is based on SELinux MLS; I will definitely reach out to you for anything that would require your expertise.

Thanks again from Sri Lanka!!

On Thu, Nov 8, 2018 at 7:20 PM Stephen Smalley <[email protected]> wrote:

> On 11/8/18 8:33 AM, Ishara Fernando wrote:
> > Dear Stephen,
> >
> > Many thanks for the detailed information, it has been very useful.
> > In fact I have tested your steps in a similar environment (CentOS 6.10,
> > see versions below) to yours, in a virtual machine based on VirtualBox.
> > I have reached the step where the *selinux module is installed* for
> > doing the range transition to enforce httpd to run at s4-s5:c1,c2.
> >
> > Unfortunately I still see the range transition denied errors in the
> > audit logs (after installing the selinux module) and I do not see any
> > errors related to *httpd trying to perform writes* on various
> > directories/files that are labeled s0 as per your explanation.
> >
> > Kindly see the details below
> >
> > [root@msc-ishara-system1 ~]# sestatus -v
> > SELinux status:                 enabled
> > SELinuxfs mount:                /selinux
> > Current mode:                   enforcing
> > Mode from config file:          enforcing
> > Policy version:                 24
> > Policy from config file:        mls
> >
> > Process contexts:
> > Current context:                staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2
> > Init context:                   system_u:system_r:init_t:s0-s15:c0.c1023
> > /sbin/mingetty                  system_u:system_r:getty_t:s0-s15:c0.c1023
> > /usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s15:c0.c1023
> >
> > File contexts:
> > Controlling term:               staff_u:object_r:user_devpts_t:s4
> > /etc/passwd                     system_u:object_r:etc_t:s0
> > /etc/shadow                     system_u:object_r:shadow_t:s0
> > /bin/bash                       system_u:object_r:shell_exec_t:s0
> > /bin/login                      system_u:object_r:login_exec_t:s0
> > /bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
> > /sbin/agetty                    system_u:object_r:getty_exec_t:s0
> > /sbin/init                      system_u:object_r:init_exec_t:s0
> > /sbin/mingetty                  system_u:object_r:getty_exec_t:s0
> > /usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
> >
> > Dist: CentOS release 6.10 (Final)
> > Kernel: 2.6.32-754.6.3.el6.x86_64
> > SELinux MLS Policy RPM: selinux-policy-mls-3.7.19-312.el6.noarch
> > SELinux Policy version: 24
> >
> > [root@msc-ishara-system1 ~]# id -Z
> > staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2
>
> This is the problem - you switched levels before running run_init.
> And run_init tries to do an explicit transition to the context
> configured in /etc/selinux/$SELINUXTYPE/contexts/initrc_context. Just
> leave your shell in s0-s15:c0.c1023, and let the range_transition rule
> handle transitioning httpd into s4-s5:c1,c2 for you automatically.
>
> > [root@msc-ishara-system1 ~]# ls -lZ /usr/sbin/httpd
> > -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
> >
> > [root@msc-ishara-system1 ~]# which run_init
> > /usr/sbin/run_init
> > [root@msc-ishara-system1 ~]# ls -lZ /usr/sbin/run_init
> > -rwxr-xr-x. root root system_u:object_r:run_init_exec_t:s0 /usr/sbin/run_init
> >
> > [root@msc-ishara-system1 /]# cat httpdtrans.te
> > policy_module(httpdtrans, 1.0)
> >
> > require {
> >         type initrc_t;
> >         type httpd_exec_t;
> >         type httpd_t;
> > }
> >
> > range_transition initrc_t httpd_exec_t:process s4 - s5:c1,c2;
> >
> > mls_rangetrans_source(initrc_t)
> > mls_rangetrans_target(httpd_t)
> >
> > [root@msc-ishara-system1 /]# semodule -l | grep -i httpd
> > httpdtrans      1.0
> >
> > [root@msc-ishara-system1 ~]# sesearch --type | grep -i initrc_t | grep -i httpd_exec
> > type_transition initrc_t httpd_exec_t : process httpd_t;
> >
> > [root@msc-ishara-system1 ~]# id -Z
> > staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2
> >
> > [root@msc-ishara-system1 ~]# run_init /etc/init.d/httpd start
> > Authenticating root.
> > Password:
> > execvp: Permission denied
> >
> > [root@msc-ishara-system1 ~]# ausearch -i -m AVC -ts recent
> > ----
> > type=SYSCALL msg=audit(11/08/2018 18:32:36.457:160) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0x7ffd2309581a a1=0x7ffd230949b0 a2=0x7ffd230949c8 a3=0x7ffd23094610 items=0 ppid=1802 pid=3074 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=run_init exe=/usr/sbin/run_init subj=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2 key=(null)
> > type=AVC msg=audit(11/08/2018 18:32:36.457:160) : avc: denied { transition } for pid=3074 comm=run_init path=/etc/rc.d/init.d/httpd dev=dm-0 ino=262967 scontext=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
> >
> > [root@msc-ishara-system1 /]# cat /var/log/audit/audit.log | grep -i httpd | grep -i write
> > [root@msc-ishara-system1 /]#
> >
> > [root@msc-ishara-system1 /]# cat /var/log/audit/audit.log | grep -i httpd | grep -i append
> > [root@msc-ishara-system1 /]#
> >
> > I followed all your steps, but I am not sure whether I have missed
> > something which I still couldn't point out.
> >
> > Also regarding the constraint rules, now I understand how it works
> > after your explanation about the httpd process running in the sshd_t
> > domain :) . So therefore I have installed the SRC rpm to see the types
> > for the mlsfileread attribute, to understand how it works.
> >
> > [root@msc-ishara-system1 serefpolicy-3.7.19]# cd /root/rpmbuild/BUILD/serefpolicy-3.7.19
> >
> > [root@msc-ishara-system1 serefpolicy-3.7.19]# grep -ir 'mlsfileread' ./tmp/all_te_files.conf | grep -v toclr | sed -e 's/typeattribute//g' | sed -e 's/mlsfileread//g' | sed -e 's/attribute//g' | grep -i ssh
> >   sshd_t ;
> >
> > So in that case, if I have understood it right, I need to run the httpd
> > process in a domain (type) which does NOT belong to the 'mlsfileread'
> > attribute, right? Can we have it done using the same "httpdtrans.te"
> > file you shared?
>
> Just getting it running in httpd_t would suffice. Or you could just run
> the equivalent test for your own custom network daemon running in user_t
> or any other domain that doesn't have mlsfileread.
>
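The denial quoted in the thread, as an added example that is not part of the thread and not SELinux project code: a small Python parser that reads an AVC record, splits the MLS ranges out of scontext and tcontext, and checks the one requirement Stephen's advice turns on, namely that the high level of the caller's range must dominate the high level of the range it is trying to enter. The sample records are constructed from the field values in the thread (the second one is the same event with the shell left at s0-s15:c0.c1023); the dominance check is an assumed simplification of the reference policy's MLS constraint on process transition, and all function names are my own.

```python
"""Explain MLS process-transition denials from SELinux AVC records."""
import re

# Constructed sample records. The first reproduces the field values of the AVC
# record quoted in the thread (run_init at s4-s5:c1,c2 trying to enter initrc_t
# at s0-s15:c0.c1023); the second is the same event as it would look from a
# shell left at the default sysadm range, which is what Stephen recommends.
DENIED_FROM_S4 = (
    "type=AVC msg=audit(11/08/2018 18:32:36.457:160) : avc: denied { transition } "
    "for pid=3074 comm=run_init path=/etc/rc.d/init.d/httpd dev=dm-0 ino=262967 "
    "scontext=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2 "
    "tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process"
)
FROM_FULL_RANGE = DENIED_FROM_S4.replace(
    "run_init_t:s4-s5:c1,c2", "run_init_t:s0-s15:c0.c1023"
)


def parse_categories(spec):
    """Expand a category list such as 'c1,c2' or 'c0.c1023' into a set of ints."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:                       # 'c0.c1023' is an inclusive run
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def parse_level(level):
    """'s4:c1,c2' -> (4, {1, 2}); a level without categories gives an empty set."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), parse_categories(cats)


def parse_range(rng):
    """'s0-s15:c0.c1023' -> (low, high); a single level is its own high."""
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_context(ctx):
    """Split user:role:type:range; the range may itself contain ':' and '-'."""
    user, role, typ, rng = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "range": parse_range(rng)}


def parse_avc(line):
    """Pull result, permission set and key=value fields out of one AVC record."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}", line)
    if not m:
        return None
    rec = dict(re.findall(r"(\w+)=(\S+)", line))
    rec["result"] = m.group(1)
    rec["perms"] = set(m.group(2).split())
    return rec


def fmt_level(level):
    sens, cats = level
    return f"s{sens}" + (f" with {len(cats)} categories" if cats else "")


def explain_transition_denial(line):
    """For a denied process transition, report whether the caller's high level
    dominates the high level of the requested range (assumed simplification of
    the reference policy's MLS constraint: if it does not, no type-enforcement
    rule can make the transition succeed). Returns None for other records."""
    rec = parse_avc(line)
    if (rec is None or rec["result"] != "denied"
            or rec.get("tclass") != "process" or "transition" not in rec["perms"]):
        return None
    src = parse_context(rec["scontext"])
    tgt = parse_context(rec["tcontext"])
    src_high, tgt_high = src["range"][1], tgt["range"][1]
    ok = dominates(src_high, tgt_high)
    return {
        "comm": rec.get("comm"),
        "source_type": src["type"],
        "target_type": tgt["type"],
        "high_dominated": ok,
        "message": (f"{src['type']} high level {fmt_level(src_high)} "
                    f"{'dominates' if ok else 'does not dominate'} "
                    f"{tgt['type']} high level {fmt_level(tgt_high)}"),
    }


if __name__ == "__main__":
    for sample in (DENIED_FROM_S4, FROM_FULL_RANGE):
        print(explain_transition_denial(sample)["message"])
```

Run against the first record it reports that run_init_t's high level s5:c1,c2 does not dominate initrc_t's high level s15:c0.c1023, which is exactly why `run_init` cannot enter the initrc_context from a shell already narrowed to s4-s5:c1,c2; against the second it reports that the check passes, leaving the `range_transition` rule in httpdtrans.te to narrow httpd itself.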
_______________________________________________
Selinux mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
