[CentOS] SELinux and access across 'similar types'

Fri Jan 6 13:58:14 UTC 2012
RILINDO FOSTER <rilindo at me.com>

On Jan 5, 2012, at 7:37 PM, Bennett Haselton wrote:

> On 1/5/2012 3:14 PM, RILINDO FOSTER wrote:
>> On Jan 5, 2012, at 4:46 PM, Daniel J Walsh wrote:
>> 
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>> 
>>> On 01/05/2012 04:36 PM, Bennett Haselton wrote:
>>>> http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed
>>>> between similar types, so Apache running as httpd_t can read
>>>> /var/www/html/index.html of type httpd_sys_content_t."
>>>> 
>>>> however the doc doesn't define what "similar types" means.  I
>>>> assumed it just meant "beginning with the same prefix".  However
>>>> that can't be right because on my system with SELinux turned on,
>>>> httpd runs as type init_t:
>>>> 
>>>> [root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
>>>> system_u:system_r:init_t:s0     root      2521  0.1  0.4  21680
>>>> 8820 ?        Ss   05:05   0:00 /usr/sbin/httpd
>>>> system_u:system_r:init_t:s0     apache    2550  0.0  0.4  23364
>>>> 8920 ?        S    05:05   0:00 /usr/sbin/httpd
>>>> system_u:system_r:init_t:s0     apache    2551  0.1  0.4  22736
>>>> 8212 ?        S    05:05   0:00 /usr/sbin/httpd
>>>> 
>>>> and the robots.txt file has type file_t: [root at peacefire04 - /root
>>>> # ls -lZ /var/www/html/robots.txt -rw-rw-rw-  root root
>>>> system_u:object_r:file_t:s0 /var/www/html/robots.txt
>>>> 
>>>> but Apache can of course access that file.  So in Type Enforcement,
>>>> what determines what process type can access what file type?
>>>> 
>>>> Bennett _______________________________________________ CentOS
>>>> mailing list CentOS at centos.org
>>>> http://lists.centos.org/mailman/listinfo/centos
>>> 
>>> Your machine needs to be relabeled.
>>> 
>>> touch /.autorelabel
>>> reboot
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.11 (GNU/Linux)
>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>> 
>>> iEYEARECAAYFAk8GGk4ACgkQrlYvE4MpobMVkgCfVagwQqbzB2UW1+TEsrrCVhF5
>>> lFkAnjLTi3zphekGomv04ZyMu0sOuopg
>>> =cIvM
>>> -----END PGP SIGNATURE-----
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>> WARNING: If you have never enabled SELinux for long time, the boot is going to take a while as the system relabels the whole machine. Do not do this unless you can plan for an extend downtime.
>> 
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
> I did do
> touch /.autorelabel
> reboot
> 
> The machine booted back up in just a few minutes, what looked like 
> normal reboot time.  And then I ran the same commands as before and got 
> what looks to me like the same output:
> 
> [root at peacefire04 - /root # ls -lZ /var/www/html/robots.txt
> -rw-rw-rw-  root root system_u:object_r:file_t:s0      
> /var/www/html/robots.txt
> [root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
> system_u:system_r:init_t:s0     root      2530  0.0  0.4  21680  8820 
> ?        Ss   16:23   0:00 /usr/sbin/httpd
> system_u:system_r:init_t:s0     apache    2558  0.8  0.8  28308 16392 
> ?        S    16:23   0:03 /usr/sbin/httpd
> system_u:system_r:init_t:s0     apache    2560  0.5  0.5  23248 10236 
> ?        S    16:23   0:02 /usr/sbin/httpd
> 
> So I'm wondering:
> 1) How did you know that the machine needed to be relabeled, was it 
> something in the output of the commands the first time I ran them? and 
> in that case,
> 2) Why didn't it change after I created /.autorelabel and rebooted?
> (I can confirm the file /.autorelabel is no longer present, so it must 
> have been deleted when the auto-relabel was done, like the doc says.)
> 3) If the machine booted back up very quickly, should I be worried that 
> the autorelabel might not have happened?  Any idea if it logs a message 
> somewhere if it fails to start properly?
> _______________________________________________
> 

That sort of sound like a good thing. I would suggest that you do:

tail -f /var/log/audit/audit.log | audit2allow

To see what type of alerts you are getting. Likely you will get a lot, as some of the file contexts may not be labeled correctly.