[CentOS] SELinux and access across 'similar types'

Sat Jan 7 14:02:21 UTC 2012
Bennett Haselton <bennett at peacefire.org>

On 1/7/2012 5:57 AM, Marko Vojinovic wrote:
> On Saturday 07 January 2012 04:43:31 Bennett Haselton wrote:
>> On 1/7/2012 4:16 AM, Marko Vojinovic wrote:
>>> IMHO, if a hosting company does that sort of things (especially turning
>>> off SELinux), I wouldn't touch them with a ten-foot pole. Who knows
>>> what else they might have customized, in their infinite wisdom... :-)
>>>
>>> Care to share the name of that hosting company?
>> Virtually every hosting company I've ever bought a CentOS server from
>> has had SELinux turned off by default.  (So, a partial list would
>> include FDCServers, Superb.net, SiteGenie, SecuredServers (ho, ho),
>> AeroVPS (sells dedicated servers despite their name), Netelligent,
>> ServerBeach and I don't remember all the others).  Don't hold me to that
>> list 100% since some might have changed their policies for new servers
>> but it's pretty universal.
>>
>> What hosting company sells sub-$100 unmanaged CentOS dedicated servers
>> and *doesn't* have SELinux turned off?
> I wouldn't know, I don't use such services (typically I have my production
> systems on my own hardware). And now that you say most of them turn SELinux off
> by default, I am discuraged to even consider having my system hosted by such
> companies... ;-)
>
>>>> As for the original question -- when the docs say that access is
>>>> allowed
>>>> only across "similar types", what determines what counts as "similar
>>>> types"?  How do you know for example that httpd running as type
>>>> httpd_t
>>>> can access /var/www/html/robots.txt which has type
>>>> httpd_sys_content_t?
>>> AFAIK, the interactions between various labels (ie. rules "who can
>>> access
>>> what") are determined by the SELinux targeted policy (the
>>> selinux-policy-
>>> targeted package). These rules evolve over time (the package sometimes
>>> gets updated and your filesystem autorelabeled to match), and IIRC they
>>> can get pretty complicated. You want to look inside that package to
>>> find all the rules.
>> OK.  Is it easy to "look inside the package" and where would I look?
> Well, a "rpm -ql selinux-policy-targeted" lists a whole bunch of files, mostly
> all residing under /etc/selinux/targeted/ directory. So you can take a look at
> what is in there. If that is not enough (ie. if you want to look "inside" the
> binary modules), you'll probably want to read the corresponding srpm. Use the
> Source, Luke! ;-)
>
> Btw, your question is about some quite low-level-inside-guts of the SELinux
> policy. I cannot imagine why you would want to know the detailed relationships
> between labels, unless you are a SELinux developer. Or is it just curiosity?
I think it's because the doc page said "Access is allowed only between 
similar types" and I took that to mean that I should look at the type of 
a process and the type of a file to figure out if something was going to 
be allowed, if writing a script to do something unusual and hoping for 
it to work under SELinux.

However, maybe the more useful answer is that because SELinux's error 
reporting is so thorough and human-readable -- you can convert every 
error message into a mini-article using audit2allow or sealert, telling 
you exactly what to do -- that you don't need to code "defensively", you 
can just run a program, see what errors are logged, and look at the 
report to see exactly what needs to be changed.  This takes some getting 
used to since SELinux is the only thing I've seen that comes with tools 
to explain its error messages so helpfully.  Everything else, the error 
messages are usually so obscure that it's easier to code defensively and 
follow guidelines for what you know *will* work.
> HTH, :-)
> Marko
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos