[CentOS] SELinux and access across 'similar types'

Bennett Haselton bennett at peacefire.org
Fri Jan 6 14:57:04 UTC 2012


On 1/6/2012 5:55 AM, RILINDO FOSTER wrote:
> On Jan 6, 2012, at 7:40 AM, Philippe Naudin wrote:
>
>> Le ven 06 jan 2012 04:21:14 CET, Bennett Haselton a écrit:
>>
>>> On 1/6/2012 4:11 AM, Philippe Naudin wrote:
>>>> Le ven 06 jan 2012 02:41:02 CET, Bennett Haselton a écrit:
>>>>
>>>>> On 1/6/2012 2:24 AM, Philippe Naudin wrote:
>>>>>> Apache running as "init_t" is a call for troubles.
>>>>> Is it?  OK, any idea what caused that and how to fix it?
>>>> No, sorry. Your httpd comes from CentOS ?
>>> Yes
>>>> Afaik, you should not have any process running in context init_t except
>>>> init itself. If "ps awuxZ | grep [i]nit_t" returns more than only init
>>>> and httpd, your problem is likely to be more complicated than a broken
>>>> configuration of apache.
>>> I've got a few...
>>>
>>> [root at g6950-21025 ~]# ps auwxZ | grep init_t
>>> system_u:system_r:init_t        root         1  0.6  0.0  10368   712
>>> ?        Ss   04:17   0:00 init [3]
>>>
>>> system_u:system_r:init_t        root       537  0.2  0.1  13728  1976
>>> ?        S<s  04:17   0:00 /sbin/udevd -d
>>> system_u:system_r:init_t        root      1684  0.0  0.0  38880   456
>>> ?        Ssl  04:18   0:00 brcm_iscsiuio
>>> system_u:system_r:init_t        root      1690  0.0  0.0  12152   476
>>> ?        Ss   04:18   0:00 iscsid
>>> system_u:system_r:init_t        root      1691  0.0  0.4  12648  4460
>>> ?        S<Ls 04:18   0:00 iscsid
>>> system_u:system_r:init_t        dbus      2081  0.0  0.1  31520  1144
>>> ?        Ssl  04:18   0:00 dbus-daemon --system
>>> system_u:system_r:init_t        root      2215  0.0  0.1  52372  1492
>>> ?        Ssl  04:18   0:00 automount
>>> system_u:system_r:init_t        root      2254  0.0  0.1  62656  1212
>>> ?        Ss   04:18   0:00 /usr/sbin/sshd
>>> system_u:system_r:init_t        ntp       2273  0.0  0.4  23412  5044
>>> ?        SLs  04:18   0:00 ntpd -u ntp:ntp -p /var
>>> /run/ntpd.pid -g
>>> system_u:system_r:init_t        root      2287  0.1  1.0 253312 10580
>>> ?        Ss   04:18   0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t        apache    2315  0.3  1.3 259488 13376
>>> ?        S    04:18   0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t        apache    2316  0.0  1.0 257436 11124
>>> ?        S    04:18   0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t        apache    2317  0.1  1.1 257436 11288
>>> ?        S    04:18   0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t        apache    2318  0.1  1.1 257436 11292
>>> ?        S    04:18   0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t        apache    2319  0.0  1.0 256720 10504
>>> ?        S    04:18   0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t        apache    2320  0.1  1.0 257436 10752
>>> ?        S    04:18   0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t        apache    2321  0.0  1.1 257436 11272
>>> ?        S    04:18   0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t        apache    2322  0.1  1.1 257436 11356
>>> ?        S    04:18   0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t        root      2386  0.0  0.0   3812   492
>>> tty1     Ss+  04:18   0:00 /sbin/mingetty tty1
>>> system_u:system_r:init_t        root      2387  0.0  0.0   3812   488
>>> tty2     Ss+  04:18   0:00 /sbin/mingetty tty2
>>> system_u:system_r:init_t        root      2390  0.0  0.0   3812   488
>>> tty3     Ss+  04:18   0:00 /sbin/mingetty tty3
>>> system_u:system_r:init_t        root      2392  0.0  0.0   3812   492
>>> tty4     Ss+  04:18   0:00 /sbin/mingetty tty4
>>> system_u:system_r:init_t        root      2394  0.0  0.0   3812   488
>>> tty5     Ss+  04:18   0:00 /sbin/mingetty tty5
>>> system_u:system_r:init_t        root      2397  0.0  0.0   3812   488
>>> tty6     Ss+  04:18   0:00 /sbin/mingetty tty6
>>> system_u:system_r:init_t        apache    2405  0.1  1.0 256412 11008
>>> ?        S    04:18   0:00 /usr/sbin/httpd
>>> system_u:system_r:init_t        root      2406  0.3  0.3  90156  3456
>>> ?        Ss   04:18   0:00 sshd: root at pts/0
>>> root:system_r:initrc_t:SystemLow-SystemHigh root 2458 0.0  0.0 61176 768
>>> pts/0 S+   04:18   0:00 grep init_t
>>>
>>>
>>>
>>> I also found at least one file (the audit.log file) which has file type
>>> file_t, even though I thought the filesystem had been re-labeled
>>> successfully because /var/www/html/robots.txt had the correct type:
>>>
>>> [root at g6950-21025 ~]# ls -lZ /var/www/html/robots.txt
>>> -rw-rw-rw-  root root system_u:object_r:httpd_sys_content_t
>>> /var/www/html/robots.txt
>>> [root at g6950-21025 ~]# ls -lZ /var/log/audit/audit.log
>>> -rw-------  root root system_u:object_r:file_t
>>> /var/log/audit/audit.log
>>>
>>>
>>> Any idea (1) what could be causing that and (2) whether it could be
>>> related to the problem with all those init_t processes?
>> It's easy : your init process is broken, all these daemons but init
>> are mis-labeled, so all the files they create (such as log files) are
>> mis-labeled.
>>
>> And if the next question is "how to fix it ?", the answer is easy
>> too : "I don't have any clue..."
>>
>>
> Assuming that httpd came from CentOS, it should be appropriate relabeled. If not, using the semanage -f context would fix it.
Are you talking about changing the security context on the 
/usr/sbin/httpd file itself?  What should it be set to?  Right now it's
[root at g6950-21025 ~]# ls -lZ /usr/sbin/httpd
-rwxr-xr-x  root root system_u:object_r:file_t         /usr/sbin/httpd

> This requires some thought. I'll respond back later.
>

Thanks!



More information about the CentOS mailing list