[CentOS] SELinux and access across 'similar types'

Fri Jan 6 13:55:37 UTC 2012
RILINDO FOSTER <rilindo at me.com>

On Jan 6, 2012, at 7:40 AM, Philippe Naudin wrote:

> On Fri 06 Jan 2012 04:21:14 CET, Bennett Haselton wrote:
> 
>> On 1/6/2012 4:11 AM, Philippe Naudin wrote:
>>> On Fri 06 Jan 2012 02:41:02 CET, Bennett Haselton wrote:
>>> 
>>>> On 1/6/2012 2:24 AM, Philippe Naudin wrote:
>>>>> Apache running as "init_t" is a call for troubles.
>>>> Is it?  OK, any idea what caused that and how to fix it?
>>> No, sorry. Your httpd comes from CentOS?
>> Yes
>>> Afaik, you should not have any process running in context init_t except
>>> init itself. If "ps awuxZ | grep [i]nit_t" returns more than only init
>>> and httpd, your problem is likely to be more complicated than a broken
>>> configuration of apache.
>> 
>> I've got a few...
>> 
>> [root at g6950-21025 ~]# ps auwxZ | grep init_t
>> system_u:system_r:init_t        root         1  0.6  0.0  10368   712 ?        Ss   04:17   0:00 init [3]
>> system_u:system_r:init_t        root       537  0.2  0.1  13728  1976 ?        S<s  04:17   0:00 /sbin/udevd -d
>> system_u:system_r:init_t        root      1684  0.0  0.0  38880   456 ?        Ssl  04:18   0:00 brcm_iscsiuio
>> system_u:system_r:init_t        root      1690  0.0  0.0  12152   476 ?        Ss   04:18   0:00 iscsid
>> system_u:system_r:init_t        root      1691  0.0  0.4  12648  4460 ?        S<Ls 04:18   0:00 iscsid
>> system_u:system_r:init_t        dbus      2081  0.0  0.1  31520  1144 ?        Ssl  04:18   0:00 dbus-daemon --system
>> system_u:system_r:init_t        root      2215  0.0  0.1  52372  1492 ?        Ssl  04:18   0:00 automount
>> system_u:system_r:init_t        root      2254  0.0  0.1  62656  1212 ?        Ss   04:18   0:00 /usr/sbin/sshd
>> system_u:system_r:init_t        ntp       2273  0.0  0.4  23412  5044 ?        SLs  04:18   0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
>> system_u:system_r:init_t        root      2287  0.1  1.0 253312 10580 ?        Ss   04:18   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t        apache    2315  0.3  1.3 259488 13376 ?        S    04:18   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t        apache    2316  0.0  1.0 257436 11124 ?        S    04:18   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t        apache    2317  0.1  1.1 257436 11288 ?        S    04:18   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t        apache    2318  0.1  1.1 257436 11292 ?        S    04:18   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t        apache    2319  0.0  1.0 256720 10504 ?        S    04:18   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t        apache    2320  0.1  1.0 257436 10752 ?        S    04:18   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t        apache    2321  0.0  1.1 257436 11272 ?        S    04:18   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t        apache    2322  0.1  1.1 257436 11356 ?        S    04:18   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t        root      2386  0.0  0.0   3812   492 tty1     Ss+  04:18   0:00 /sbin/mingetty tty1
>> system_u:system_r:init_t        root      2387  0.0  0.0   3812   488 tty2     Ss+  04:18   0:00 /sbin/mingetty tty2
>> system_u:system_r:init_t        root      2390  0.0  0.0   3812   488 tty3     Ss+  04:18   0:00 /sbin/mingetty tty3
>> system_u:system_r:init_t        root      2392  0.0  0.0   3812   492 tty4     Ss+  04:18   0:00 /sbin/mingetty tty4
>> system_u:system_r:init_t        root      2394  0.0  0.0   3812   488 tty5     Ss+  04:18   0:00 /sbin/mingetty tty5
>> system_u:system_r:init_t        root      2397  0.0  0.0   3812   488 tty6     Ss+  04:18   0:00 /sbin/mingetty tty6
>> system_u:system_r:init_t        apache    2405  0.1  1.0 256412 11008 ?        S    04:18   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t        root      2406  0.3  0.3  90156  3456 ?        Ss   04:18   0:00 sshd: root at pts/0
>> root:system_r:initrc_t:SystemLow-SystemHigh root 2458 0.0  0.0 61176 768 pts/0 S+   04:18   0:00 grep init_t
>> 
>> I also found at least one file (the audit.log file) which has file type 
>> file_t, even though I thought the filesystem had been re-labeled 
>> successfully because /var/www/html/robots.txt had the correct type:
>> 
>> [root at g6950-21025 ~]# ls -lZ /var/www/html/robots.txt
>> -rw-rw-rw-  root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
>> [root at g6950-21025 ~]# ls -lZ /var/log/audit/audit.log
>> -rw-------  root root system_u:object_r:file_t         /var/log/audit/audit.log
>> 
>> Any idea (1) what could be causing that and (2) whether it could be 
>> related to the problem with all those init_t processes?
> 
> It's easy: your init process is broken, all these daemons but init
> are mis-labeled, so all the files they create (such as log files) are
> mis-labeled.
> 
> And if the next question is "how to fix it?", the answer is easy
> too: "I don't have any clue..."
> 

Assuming that httpd came from CentOS, it should be appropriately relabeled. If not, using the semanage -f context would fix it.

This requires some thought. I'll respond back later.
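An added example, not part of the thread and not anything the posters ran: a small sh script that checks for the two symptoms discussed above from captured output, so it can be run against a saved dump as well as on the host. The function names (rogue_init_t, unlabeled_files) and the sample data are constructed for this example; the sample rows are modelled on the thread's ps and ls -lZ output, and the ps parser assumes the "LABEL PID TTY TIME CMD" column order that `ps -eZ` prints on CentOS. The restorecon and /.autorelabel commands in the trailing comments are the standard relabeling tools and are shown, not executed.

```sh
#!/bin/sh
# Added example (not from the thread): offline audit of two SELinux symptoms,
# (1) daemons running in the init_t domain and (2) files left with the
# unlabeled type file_t, using captured ps / ls -Z output on stdin.

# Print "PID CMD" for every process whose SELinux type is init_t but whose
# PID is not 1. Input: "ps -eZ" style lines (LABEL PID TTY TIME CMD).
# The type is the third colon-separated field of the context, which also
# copes with MLS contexts such as system_u:system_r:init_t:s0.
rogue_init_t() {
    awk '{
        split($1, ctx, ":")
        if (ctx[3] == "init_t" && $2 != "1") print $2, $NF
    }'
}

# Print the path of every file whose SELinux type is file_t. Input: "ls -Z"
# style lines. file_t means "never labeled", which should not survive a
# successful relabel of the filesystem; a daemon running in the wrong domain
# can also leave the files it creates with an unexpected type.
unlabeled_files() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[a-z_]+:object_r:/) {
                split($i, ctx, ":")
                if (ctx[3] == "file_t") print $NF
            }
        }
    }'
}

# Constructed sample data (hypothetical PIDs): PID 1 plus two daemons stuck
# in init_t, one correctly confined httpd worker and a confined sshd.
SAMPLE_PS='system_u:system_r:init_t            1 ?        00:00:00 init
system_u:system_r:init_t          537 ?        00:00:00 udevd
system_u:system_r:init_t         2287 ?        00:00:00 httpd
system_u:system_r:httpd_t        2315 ?        00:00:00 httpd
system_u:system_r:sshd_t         2254 ?        00:00:00 sshd'

# Constructed ls -Z rows; the first two mirror the labels shown in the thread.
SAMPLE_LS='-rw-rw-rw-  root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
-rw-------  root root system_u:object_r:file_t /var/log/audit/audit.log
-rw-r--r--  root root system_u:object_r:etc_t:s0 /etc/hosts'

echo "== processes in init_t other than PID 1 =="
printf '%s\n' "$SAMPLE_PS" | rogue_init_t
echo "== files with the unlabeled type file_t =="
printf '%s\n' "$SAMPLE_LS" | unlabeled_files

# On a live CentOS host the same functions read real data:
#   ps -eZ | rogue_init_t
#   ls -Z /var/log/audit/audit.log | unlabeled_files
# A single file_t path is normally repaired with restorecon, which reapplies
# the context the loaded policy expects for that path:
#   restorecon -v /var/log/audit/audit.log
# and a whole-filesystem relabel is requested for the next boot with:
#   touch /.autorelabel
```

The script only reports the symptoms: an empty first list means every daemon has transitioned out of init_t, and an empty second list means nothing is sitting unlabeled. It does not explain why transitions fail on a given host, so a non-empty first list is the cue to compare the labels of /sbin/init and the init scripts against what the policy expects (restorecon -nv prints the differences without changing anything) before relabeling.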