[CentOS] SELinux and access across 'similar types'

Fri Jan 6 14:58:42 UTC 2012
Bennett Haselton <bennett at peacefire.org>

On 1/6/2012 5:58 AM, RILINDO FOSTER wrote:
> On Jan 5, 2012, at 7:37 PM, Bennett Haselton wrote:
>
>> On 1/5/2012 3:14 PM, RILINDO FOSTER wrote:
>>> On Jan 5, 2012, at 4:46 PM, Daniel J Walsh wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> On 01/05/2012 04:36 PM, Bennett Haselton wrote:
>>>>> http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed
>>>>> between similar types, so Apache running as httpd_t can read
>>>>> /var/www/html/index.html of type httpd_sys_content_t."
>>>>>
>>>>> however the doc doesn't define what "similar types" means.  I
>>>>> assumed it just meant "beginning with the same prefix".  However
>>>>> that can't be right because on my system with SELinux turned on,
>>>>> httpd runs as type init_t:
>>>>>
>>>>> [root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
>>>>> system_u:system_r:init_t:s0     root      2521  0.1  0.4  21680
>>>>> 8820 ?        Ss   05:05   0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t:s0     apache    2550  0.0  0.4  23364
>>>>> 8920 ?        S    05:05   0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t:s0     apache    2551  0.1  0.4  22736
>>>>> 8212 ?        S    05:05   0:00 /usr/sbin/httpd
>>>>>
>>>>> and the robots.txt file has type file_t: [root at peacefire04 - /root
>>>>> # ls -lZ /var/www/html/robots.txt -rw-rw-rw-  root root
>>>>> system_u:object_r:file_t:s0 /var/www/html/robots.txt
>>>>>
>>>>> but Apache can of course access that file.  So in Type Enforcement,
>>>>> what determines what process type can access what file type?
>>>>>
>>>>> Bennett _______________________________________________ CentOS
>>>>> mailing list CentOS at centos.org
>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>> Your machine needs to be relabeled.
>>>>
>>>> touch /.autorelabel
>>>> reboot
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.11 (GNU/Linux)
>>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>>>
>>>> iEYEARECAAYFAk8GGk4ACgkQrlYvE4MpobMVkgCfVagwQqbzB2UW1+TEsrrCVhF5
>>>> lFkAnjLTi3zphekGomv04ZyMu0sOuopg
>>>> =cIvM
>>>> -----END PGP SIGNATURE-----
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS at centos.org
>>>> http://lists.centos.org/mailman/listinfo/centos
>>> WARNING: If you have never enabled SELinux for long time, the boot is going to take a while as the system relabels the whole machine. Do not do this unless you can plan for an extend downtime.
>>>
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>> I did do
>> touch /.autorelabel
>> reboot
>>
>> The machine booted back up in just a few minutes, what looked like
>> normal reboot time.  And then I ran the same commands as before and got
>> what looks to me like the same output:
>>
>> [root at peacefire04 - /root # ls -lZ /var/www/html/robots.txt
>> -rw-rw-rw-  root root system_u:object_r:file_t:s0
>> /var/www/html/robots.txt
>> [root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
>> system_u:system_r:init_t:s0     root      2530  0.0  0.4  21680  8820
>> ?        Ss   16:23   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t:s0     apache    2558  0.8  0.8  28308 16392
>> ?        S    16:23   0:03 /usr/sbin/httpd
>> system_u:system_r:init_t:s0     apache    2560  0.5  0.5  23248 10236
>> ?        S    16:23   0:02 /usr/sbin/httpd
>>
>> So I'm wondering:
>> 1) How did you know that the machine needed to be relabeled, was it
>> something in the output of the commands the first time I ran them? and
>> in that case,
>> 2) Why didn't it change after I created /.autorelabel and rebooted?
>> (I can confirm the file /.autorelabel is no longer present, so it must
>> have been deleted when the auto-relabel was done, like the doc says.)
>> 3) If the machine booted back up very quickly, should I be worried that
>> the autorelabel might not have happened?  Any idea if it logs a message
>> somewhere if it fails to start properly?
>> _______________________________________________
>>
> That sort of sound like a good thing. I would suggest that you do:
>
> tail -f /var/log/audit/audit.log | audit2allow
>
> To see what type of alerts you are getting. Likely you will get a lot, as some of the file contexts may not be labeled correctly.

I did that but it produces descriptions all beginning with

"Summary:

SELinux is preventing access to files with the label, file_t."


In other words, it's describing errors that are the result of the 
relabeling failure, but it doesn't appear to say anything about what 
*caused* the relabeling failure (or if it does it's buried in so many 
other errors I don't know how to find it).

Bennett