[CentOS] SELinux - way of the future or good idea but !!!

Daniel J Walsh dwalsh at redhat.com
Tue Dec 7 16:12:59 UTC 2010


On 12/07/2010 10:59 AM, Benjamin Franz wrote:
> On 12/07/2010 07:36 AM, Benjamin Franz wrote:
>> On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
>>>
>>> I agree, and would like to look at the AVC's to understand what could
>>> have broken the labeling
>>
>> Well - since it happened again this morning, here you go. On further 
>> investigation in backups, I previously had the user account that I use 
>> for the FTP based update with its home directory set to a location 
>> inside the /var/www/html tree. Since that unknowingly passed this 
>> rule, it silently worked. It was changed to a /home/ based directory 
>> instead a while ago - tripping this rule. But not consistently: FTP 
>> appears to at least partially work outside the home tree even with the 
>> rule active.
>>
>> I *really* dislike landmines when doing routine system tasks.
>>
> 
> 
> Ok. SELinux blew up something else that was previously working on that 
> machine (yes - I've already done something to fix it for now. I don't 
> need anyone saying 'well run sealert'. Been there - done that. Things 
> are running now.)  This repeated time suckage is why people routinely 
> turn it off.
> 
> 
> sealert -l e6e017f5-9c2b-4e7b-895e-51a232042588
> 
> Summary:
> 
> SELinux is preventing the httpd from using potentially mislabeled files
> /var/XXXXXXXXXX/misc/manage_clients/config.xml (var_t).
> 
> Detailed Description:
> 
> SELinux has denied the httpd access to potentially mislabeled files
> /var/XXXXXXXXXX/misc/manage_clients/config.xml. This means that SELinux
> will not allow httpd to use these files. Many third party apps install
> html files in directories that SELinux policy cannot predict. These
> directories have to be labeled with a file context which httpd can access.
> 
> Allowing Access:
> 
> If you want to change the file context of
> /var/XXXXXXXXXX/misc/manage_clients/config.xml so that the httpd daemon can
> access it, you need to execute it using chcon -t httpd_sys_content_t
> '/var/XXXXXXXXXX/misc/manage_clients/config.xml'. You can look at the
> httpd_selinux man page for additional information.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:httpd_t
> Target Context                user_u:object_r:var_t
> Target Objects                /var/XXXXXXXXXX/misc/manage_clients/config.xml [ file ]
> Source                        httpd
> Source Path                   /usr/sbin/httpd
> Port <Unknown>
> Host                          XXXXXXXXXX
> Source RPM Packages           httpd-2.2.3-43.el5.centos.3
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   httpd_bad_labels
> Host Name                     XXXXXXXXXX
> Platform                      Linux XXXXXXXXXX 2.6.18-194.26.1.el5 #1 SMP
>                                Tue Nov 9 12:54:40 EST 2010 i686 i686
> Alert Count                   3
> First Seen                    Mon Apr 26 10:20:36 2010
> Last Seen                     Tue Dec  7 07:38:17 2010
> Local ID                      e6e017f5-9c2b-4e7b-895e-51a232042588
> Line Numbers
> 
> Raw Audit Messages
> 
> host=XXXXXXXXXX type=AVC msg=audit(1291736297.720:6786): avc:  denied  { 
> getattr } for  pid=21363 comm="httpd" 
> path="/var/XXXXXXXXXX/misc/manage_clients/config.xml" dev=dm-0 
> ino=5355222 scontext=system_u:system_r:httpd_t:s0 
> tcontext=user_u:object_r:var_t:s0 tclass=file
> 
> host=XXXXXXXXXX type=SYSCALL msg=audit(1291736297.720:6786): 
> arch=40000003 syscall=195 success=no exit=-13 a0=82e7380 a1=8297c68 
> a2=296ff4 a3=82e7380 items=0 ppid=3398 pid=21363 auid=4294967295 uid=48 
> gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) 
> ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" 
> subj=system_u:system_r:httpd_t:s0 key=(null)
> 

Yes, SELinux and all MAC systems require that if the administrator puts
files in non-default directories, then they have to be told.  In
the case of SELinux, this involves correcting the labeling.  DAC has
similar problems, in that you need to make sure the permission flags and
ownership are correct.  Of course admins have been dealing with DAC for
years so they understand it, and the number of UID/permission
combinations is more limited than the number of labels that SELinux
presents.

I wrote this paper to try to explain what SELinux tends to complain about.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
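As an added example (not part of the thread or of any SELinux tool), the POSIX shell helper below parses an AVC record like the one quoted above and prints the persistent relabeling steps, a `semanage fcontext` rule followed by `restorecon`, that survive a relabel where the one-off `chcon` sealert prints does not. The sample record is constructed from the quoted denial, and the `XXXXXXXXXX` path is the thread's own masked placeholder.

```shell
#!/bin/sh
# Added example: turn an AVC denial into a persistent relabeling plan.
# Sample record constructed from the denial quoted in the thread; the
# XXXXXXXXXX path is the thread's own masked placeholder, not a real host.
SAMPLE_AVC='type=AVC msg=audit(1291736297.720:6786): avc:  denied  { getattr } for  pid=21363 comm="httpd" path="/var/XXXXXXXXXX/misc/manage_clients/config.xml" dev=dm-0 ino=5355222 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file'

# avc_field RECORD KEY: value of KEY=... (quotes stripped); empty if absent.
avc_field() {
    af_rec=" $1"
    case "$af_rec" in
        *" $2="*) af_rest=${af_rec#*" $2="} ;;
        *) return 0 ;;
    esac
    case "$af_rest" in
        \"*) af_rest=${af_rest#\"}; af_rest=${af_rest%%\"*} ;;
        *)   af_rest=${af_rest%% *} ;;
    esac
    printf '%s\n' "$af_rest"
}

# avc_perm RECORD: the permission named inside "denied { ... }".
avc_perm() {
    p=${1#*"{ "}; p=${p%%" }"*}
    printf '%s\n' "$p"
}

# context_type CONTEXT: the type field of user:role:type:level.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# relabel_plan RECORD TREE: print the persistent fix for content an admin
# keeps under TREE. A semanage fcontext rule survives restorecon and full
# relabels; the bare chcon that sealert prints does not.
relabel_plan() {
    rp_rec=$1 rp_tree=$2
    src=$(context_type "$(avc_field "$rp_rec" scontext)")
    tgt=$(context_type "$(avc_field "$rp_rec" tcontext)")
    path=$(avc_field "$rp_rec" path)
    case "$src" in
        httpd_t) want=httpd_sys_content_t ;;   # read-only web content
        *) printf '# no mapping for %s; see matchpathcon and the *_selinux man page\n' "$src"
           return 1 ;;
    esac
    printf '# %s (%s) denied %s on %s labelled %s\n' \
        "$(avc_field "$rp_rec" comm)" "$src" "$(avc_perm "$rp_rec")" "$path" "$tgt"
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$want" "$rp_tree"
    printf "restorecon -Rv '%s'\n" "$rp_tree"
    printf "matchpathcon '%s'\n" "$path"   # should now report $want
}

relabel_plan "$SAMPLE_AVC" /var/XXXXXXXXXX/misc
```

Running `matchpathcon` afterwards is the check that the policy now expects the new type for that path; `ls -Z` on the tree confirms `restorecon` applied it.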