[CentOS] SELinux and access across 'similar types'
Bennett Haselton
bennett at peacefire.org
Fri Jan 6 14:57:04 UTC 2012
On 1/6/2012 5:55 AM, RILINDO FOSTER wrote:
> On Jan 6, 2012, at 7:40 AM, Philippe Naudin wrote:
>
>> Le ven 06 jan 2012 04:21:14 CET, Bennett Haselton a écrit:
>>
>>> On 1/6/2012 4:11 AM, Philippe Naudin wrote:
>>>> Le ven 06 jan 2012 02:41:02 CET, Bennett Haselton a écrit:
>>>>
>>>>> On 1/6/2012 2:24 AM, Philippe Naudin wrote:
>>>>>> Apache running as "init_t" is a call for trouble.
>>>>> Is it? OK, any idea what caused that and how to fix it?
>>>> No, sorry. Your httpd comes from CentOS?
>>> Yes
>>>> Afaik, you should not have any process running in context init_t except
>>>> init itself. If "ps awuxZ | grep [i]nit_t" returns more than only init
>>>> and httpd, your problem is likely to be more complicated than a broken
>>>> configuration of apache.
>>> I've got a few...
>>>
>>> [root at g6950-21025 ~]# ps auwxZ | grep init_t
>>> system_u:system_r:init_t root 1 0.6 0.0 10368 712 ? Ss 04:17 0:00 init [3]
>>> system_u:system_r:init_t root 537 0.2 0.1 13728 1976 ? S<s 04:17 0:00 /sbin/udevd -d
>>> system_u:system_r:init_t root 1684 0.0 0.0 38880 456 ? Ssl 04:18 0:00 brcm_iscsiuio
>>> system_u:system_r:init_t root 1690 0.0 0.0 12152 476 ? Ss 04:18 0:00 iscsid
>>> system_u:system_r:init_t root 1691 0.0 0.4 12648 4460 ? S<Ls 04:18 0:00 iscsid
>>> system_u:system_r:init_t dbus 2081 0.0 0.1 31520 1144 ? Ssl 04:18 0:00 dbus-daemon --system
>>> system_u:system_r:init_t root 2215 0.0 0.1 52372 1492 ? Ssl 04:18 0:00 automount
>>> system_u:system_r:init_t root 2254 0.0 0.1 62656 1212 ? Ss 04:18 0:00 /usr/sbin/sshd
>>> system_u:system_r:init_t ntp 2273 0.0 0.4 23412 5044 ? SLs 04:18 0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
>>> system_u:system_r:init_t root 2287 0.1 1.0 253312 10580 ? Ss 04:18 0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t apache 2315 0.3 1.3 259488 13376 ? S 04:18 0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t apache 2316 0.0 1.0 257436 11124 ? S 04:18 0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t apache 2317 0.1 1.1 257436 11288 ? S 04:18 0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t apache 2318 0.1 1.1 257436 11292 ? S 04:18 0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t apache 2319 0.0 1.0 256720 10504 ? S 04:18 0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t apache 2320 0.1 1.0 257436 10752 ? S 04:18 0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t apache 2321 0.0 1.1 257436 11272 ? S 04:18 0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t apache 2322 0.1 1.1 257436 11356 ? S 04:18 0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t root 2386 0.0 0.0 3812 492 tty1 Ss+ 04:18 0:00 /sbin/mingetty tty1
>>> system_u:system_r:init_t root 2387 0.0 0.0 3812 488 tty2 Ss+ 04:18 0:00 /sbin/mingetty tty2
>>> system_u:system_r:init_t root 2390 0.0 0.0 3812 488 tty3 Ss+ 04:18 0:00 /sbin/mingetty tty3
>>> system_u:system_r:init_t root 2392 0.0 0.0 3812 492 tty4 Ss+ 04:18 0:00 /sbin/mingetty tty4
>>> system_u:system_r:init_t root 2394 0.0 0.0 3812 488 tty5 Ss+ 04:18 0:00 /sbin/mingetty tty5
>>> system_u:system_r:init_t root 2397 0.0 0.0 3812 488 tty6 Ss+ 04:18 0:00 /sbin/mingetty tty6
>>> system_u:system_r:init_t apache 2405 0.1 1.0 256412 11008 ? S 04:18 0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t root 2406 0.3 0.3 90156 3456 ? Ss 04:18 0:00 sshd: root at pts/0
>>> root:system_r:initrc_t:SystemLow-SystemHigh root 2458 0.0 0.0 61176 768 pts/0 S+ 04:18 0:00 grep init_t
>>>
>>> I also found at least one file (the audit.log file) which has file type
>>> file_t, even though I thought the filesystem had been re-labeled
>>> successfully because /var/www/html/robots.txt had the correct type:
>>>
>>> [root at g6950-21025 ~]# ls -lZ /var/www/html/robots.txt
>>> -rw-rw-rw- root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
>>> [root at g6950-21025 ~]# ls -lZ /var/log/audit/audit.log
>>> -rw------- root root system_u:object_r:file_t /var/log/audit/audit.log
>>>
>>> Any idea (1) what could be causing that and (2) whether it could be
>>> related to the problem with all those init_t processes?
>> It's easy: your init process is broken, all these daemons but init
>> are mislabeled, so all the files they create (such as log files) are
>> mislabeled.
>>
>> And if the next question is "how to fix it?", the answer is easy
>> too: "I don't have any clue..."
>>
> Assuming that httpd came from CentOS, it should be appropriately relabeled. If not, using the semanage -f context would fix it.
Are you talking about changing the security context on the
/usr/sbin/httpd file itself? What should it be set to? Right now it's:
[root at g6950-21025 ~]# ls -lZ /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:file_t /usr/sbin/httpd
> This requires some thought. I'll respond back later.
>
Thanks!
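A small script for the two symptoms discussed in this thread (daemons other than init running in init_t, and files left as file_t), added here as an example and not part of the thread. It parses `ps -eo label,pid,comm` and `ls -lZ` style output; the listings embedded below are constructed, not taken from the poster's host.

```shell
#!/bin/sh
# Added example: flag the two SELinux labeling symptoms from the thread.

# Constructed sample in the column layout of `ps -eo label,pid,comm`.
SAMPLE_PS='LABEL                              PID COMMAND
system_u:system_r:init_t             1 init
system_u:system_r:udev_t           537 udevd
system_u:system_r:init_t          2287 httpd
system_u:system_r:httpd_t         2315 httpd
system_u:system_r:sshd_t          2254 sshd'

# Constructed sample in the layout of `ls -lZ` on CentOS 6:
# perms user group context path
SAMPLE_LS='-rw-rw-rw- root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
-rw------- root root system_u:object_r:file_t /var/log/audit/audit.log
-rwxr-xr-x root root system_u:object_r:file_t /usr/sbin/httpd'

# Read a ps listing on stdin; print "pid comm" for every process whose
# SELinux type (third field of user:role:type[:level]) is init_t and whose
# PID is not 1. Only init itself should ever appear in init_t.
stray_init_t() {
    awk 'NR > 1 {
        split($1, ctx, ":")
        if (ctx[3] == "init_t" && $2 != 1) print $2, $3
    }'
}

# Read ls -lZ lines on stdin; print the path of every file labelled file_t,
# the type that means "no label was ever applied" and that the thread found
# on audit.log and /usr/sbin/httpd.
file_t_paths() {
    awk '{ split($4, ctx, ":"); if (ctx[3] == "file_t") print $5 }'
}

count_stray_init_t() {
    printf '%s\n' "$SAMPLE_PS" | stray_init_t | wc -l | tr -d ' '
}

count_file_t() {
    printf '%s\n' "$SAMPLE_LS" | file_t_paths | wc -l | tr -d ' '
}

# On a live host, feed real output instead:
#   ps -eo label,pid,comm | stray_init_t
#   ls -lZ /usr/sbin/httpd /var/log/audit/audit.log | file_t_paths
# `matchpathcon <path>` prints the label policy expects for a path and
# `restorecon -v <path>` re-applies it.
```

Any hit from the first check means the daemon was started by a process whose own context was wrong, so relabeling the binary alone will not fix it; the second check tells you which files to hand to restorecon once the source of the wrong context is found.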