[CentOS] SELinux and access across 'similar types'

Fri Jan 6 15:35:40 UTC 2012
Bennett Haselton <bennett at peacefire.org>

On 1/6/2012 7:13 AM, Daniel J Walsh wrote:
> On 01/06/2012 09:57 AM, Bennett Haselton wrote:
>> On 1/6/2012 5:55 AM, RILINDO FOSTER wrote:
>>> On Jan 6, 2012, at 7:40 AM, Philippe Naudin wrote:
>>>
>>>> Le ven 06 jan 2012 04:21:14 CET, Bennett Haselton a écrit:
>>>>
>>>>> On 1/6/2012 4:11 AM, Philippe Naudin wrote:
>>>>>> Le ven 06 jan 2012 02:41:02 CET, Bennett Haselton a écrit:
>>>>>>
>>>>>>> On 1/6/2012 2:24 AM, Philippe Naudin wrote:
>>>>>>>> Apache running as "init_t" is a call for troubles.
>>>>>>> Is it?  OK, any idea what caused that and how to fix it?
>>>>>> No, sorry. Your httpd comes from CentOS?
>>>>> Yes
>>>>>> Afaik, you should not have any process running in context
>>>>>> init_t except init itself. If "ps awuxZ | grep [i]nit_t"
>>>>>> returns more than only init and httpd, your problem is
>>>>>> likely to be more complicated than a broken configuration
>>>>>> of apache.
>>>>> I've got a few...
>>>>>
>>>>> [root@g6950-21025 ~]# ps auwxZ | grep init_t
>>>>> system_u:system_r:init_t        root         1  0.6  0.0  10368   712 ?        Ss   04:17   0:00 init [3]
>>>>> system_u:system_r:init_t        root       537  0.2  0.1  13728  1976 ?        S<s  04:17   0:00 /sbin/udevd -d
>>>>> system_u:system_r:init_t        root      1684  0.0  0.0  38880   456 ?        Ssl  04:18   0:00 brcm_iscsiuio
>>>>> system_u:system_r:init_t        root      1690  0.0  0.0  12152   476 ?        Ss   04:18   0:00 iscsid
>>>>> system_u:system_r:init_t        root      1691  0.0  0.4  12648  4460 ?        S<Ls 04:18   0:00 iscsid
>>>>> system_u:system_r:init_t        dbus      2081  0.0  0.1  31520  1144 ?        Ssl  04:18   0:00 dbus-daemon --system
>>>>> system_u:system_r:init_t        root      2215  0.0  0.1  52372  1492 ?        Ssl  04:18   0:00 automount
>>>>> system_u:system_r:init_t        root      2254  0.0  0.1  62656  1212 ?        Ss   04:18   0:00 /usr/sbin/sshd
>>>>> system_u:system_r:init_t        ntp       2273  0.0  0.4  23412  5044 ?        SLs  04:18   0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
>>>>> system_u:system_r:init_t        root      2287  0.1  1.0 253312 10580 ?        Ss   04:18   0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t        apache    2315  0.3  1.3 259488 13376 ?        S    04:18   0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t        apache    2316  0.0  1.0 257436 11124 ?        S    04:18   0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t        apache    2317  0.1  1.1 257436 11288 ?        S    04:18   0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t        apache    2318  0.1  1.1 257436 11292 ?        S    04:18   0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t        apache    2319  0.0  1.0 256720 10504 ?        S    04:18   0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t        apache    2320  0.1  1.0 257436 10752 ?        S    04:18   0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t        apache    2321  0.0  1.1 257436 11272 ?        S    04:18   0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t        apache    2322  0.1  1.1 257436 11356 ?        S    04:18   0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t        root      2386  0.0  0.0   3812   492 tty1     Ss+  04:18   0:00 /sbin/mingetty tty1
>>>>> system_u:system_r:init_t        root      2387  0.0  0.0   3812   488 tty2     Ss+  04:18   0:00 /sbin/mingetty tty2
>>>>> system_u:system_r:init_t        root      2390  0.0  0.0   3812   488 tty3     Ss+  04:18   0:00 /sbin/mingetty tty3
>>>>> system_u:system_r:init_t        root      2392  0.0  0.0   3812   492 tty4     Ss+  04:18   0:00 /sbin/mingetty tty4
>>>>> system_u:system_r:init_t        root      2394  0.0  0.0   3812   488 tty5     Ss+  04:18   0:00 /sbin/mingetty tty5
>>>>> system_u:system_r:init_t        root      2397  0.0  0.0   3812   488 tty6     Ss+  04:18   0:00 /sbin/mingetty tty6
>>>>> system_u:system_r:init_t        apache    2405  0.1  1.0 256412 11008 ?        S    04:18   0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t        root      2406  0.3  0.3  90156  3456 ?        Ss   04:18   0:00 sshd: root@pts/0
>>>>> root:system_r:initrc_t:SystemLow-SystemHigh root 2458  0.0  0.0  61176   768 pts/0    S+   04:18   0:00 grep init_t
>>>>>
>>>>> I also found at least one file (the audit.log file) which has
>>>>> file type file_t, even though I thought the filesystem had
>>>>> been re-labeled successfully because /var/www/html/robots.txt
>>>>> had the correct type:
>>>>>
>>>>> [root@g6950-21025 ~]# ls -lZ /var/www/html/robots.txt
>>>>> -rw-rw-rw-  root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
>>>>> [root@g6950-21025 ~]# ls -lZ /var/log/audit/audit.log
>>>>> -rw-------  root root system_u:object_r:file_t /var/log/audit/audit.log
>>>>>
>>>>> Any idea (1) what could be causing that and (2) whether it
>>>>> could be related to the problem with all those init_t
>>>>> processes?
>>>> It's easy: your init process is broken, all these daemons but
>>>> init are mis-labeled, so all the files they create (such as log
>>>> files) are mis-labeled.
>>>>
>>>> And if the next question is "how to fix it?", the answer is
>>>> easy too: "I don't have any clue..."
>>>>
>>> Assuming that httpd came from CentOS, it should be appropriately
>>> relabeled. If not, using the semanage -f context would fix it.
>> Are you talking about changing the security context on the
>> /usr/sbin/httpd file itself?  What should it be set to?  Right now
>> it's:
>>
>> [root@g6950-21025 ~]# ls -lZ /usr/sbin/httpd
>> -rwxr-xr-x  root root system_u:object_r:file_t         /usr/sbin/httpd
>>
>>> This requires some thought. I'll respond back later.
>>>
>> Thanks!
> What does
>
> restorecon -R -v /usr/sbin
>
>
> Say?
I ran that with the additional "-n" flag so it would just tell me what 
it *would* change (without actually changing anything) and it listed 
almost all the files in there (including httpd).

But then I tried something else first, the page at
http://wiki.centos.org/HowTos/SELinux
says that "if the system has been upgraded to CentOS-5.2 with SELinux 
disabled, and SELinux is then enabled", then the relabel will fail, and 
you have to run these three commands:

# genhomedircon
# touch /.autorelabel
# reboot

I tried that and it worked -- the httpd processes are now listed with 
"httpd_t" as their context, the /var/log/audit/audit.log file is listed 
with auditd_log_t as its type instead of file_t, etc.

I'm pretty sure this machine was never "upgraded to CentOS 5.2", it was 
just imaged with 5.7 when the hosting company set it up, but SELinux 
*was* off until I turned it on.  So probably the doc should say, if the 
"system was *installed* with 5.2, then do this" (and presumably it's 5.2 
or later, not just 5.2).
> If this changes the label, then execute
>
> fixfiles restore
>
> Which should relabel the system.
>
> If restorecon does nothing or prints error messages,
>
> What file system are you using?
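The two checks the thread walks through (Philippe's "ps awuxZ | grep [i]nit_t" for daemons wrongly running as init_t, and Bennett's "ls -lZ" for files left as file_t) as a small script. This is an added example, not code from the thread or from CentOS; the sample output is constructed to mirror the thread's layout, and the "ls -lZ" column order (mode user group context path) is an assumption from the CentOS 5 output quoted above.

```sh
#!/bin/sh
# Added example: find SELinux label drift of the kind discussed in the thread.
# Sample data below is constructed (same column layout as the thread's output).

SAMPLE_PS='LABEL                           USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
system_u:system_r:init_t        root         1  0.6  0.0  10368   712 ?        Ss   04:17   0:00 init [3]
system_u:system_r:init_t        root      2254  0.0  0.1  62656  1212 ?        Ss   04:18   0:00 /usr/sbin/sshd
system_u:system_r:init_t        apache    2315  0.3  1.3 259488 13376 ?        S    04:18   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t       apache    2405  0.1  1.0 256412 11008 ?        S    04:18   0:00 /usr/sbin/httpd
root:system_r:initrc_t:SystemLow-SystemHigh root 2458 0.0 0.0 61176 768 pts/0 S+ 04:18 0:00 grep init_t'

SAMPLE_LS='-rw-rw-rw-  root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
-rw-------  root root system_u:object_r:file_t         /var/log/audit/audit.log
-rwxr-xr-x  root root system_u:object_r:file_t         /usr/sbin/httpd'

# Print "PID TYPE COMMAND" for every process whose SELinux type is init_t,
# skipping PID 1: init itself is the only process that should run there.
# Input: "ps auwxZ" output (label user pid %cpu %mem vsz rss tty stat start time command).
# The header line is ignored because its first column has no third ":" field.
stray_init_t() {
    printf '%s\n' "$1" | awk '
        {
            split($1, ctx, ":")                 # user:role:type[:range]
            if (ctx[3] == "init_t" && $3 != 1) {
                cmd = $12
                for (i = 13; i <= NF; i++) cmd = cmd " " $i
                print $3, ctx[3], cmd
            }
        }'
}

# Print the path of every entry whose type is file_t (the default for files
# created while SELinux was off or by mis-labeled daemons; a relabel fixes them).
# Input: "ls -lZ" output in the assumed "mode user group context path" layout.
unlabeled_files() {
    printf '%s\n' "$1" | awk '
        { split($4, ctx, ":") }
        ctx[3] == "file_t" { print $5 }'
}

echo "Processes in init_t other than PID 1 (sample data):"
stray_init_t "$SAMPLE_PS"
echo "Entries still labeled file_t (sample data):"
unlabeled_files "$SAMPLE_LS"
# On a live CentOS host, feed real output instead of the samples:
#   stray_init_t "$(ps auwxZ)"
#   unlabeled_files "$(ls -lZ /usr/sbin /var/log/audit)"
```

Anything the first function lists that is not PID 1 is the symptom Philippe describes, and anything the second lists is what "restorecon -n" or the ".autorelabel" reboot should fix.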