[CentOS] SELinux vs. virsh

Thu Aug 28 13:16:58 UTC 2014
Bill Gee <bgee at campercaver.net>

On Thursday, August 28, 2014 08:24:32 Jonathan Billings wrote:
> On Thu, Aug 28, 2014 at 07:05:49AM -0500, Bill Gee wrote:
> > Another curious thing is that it all works perfectly when I "run-parts
> > /etc/cron.daily" from a root login.  Why should SELinux regard that as
> > different from when it is run by cron???
> 
> Cron runs processes in a different SELinux domain (crond_t I think?)
> than processes started by the root user, so this is entirely expected
> behavior.


But that means that SELinux contexts are NOT stable ...  They are NOT the same 
for all instances of a process.  It seems to me that defeats the whole purpose 
of SELinux.

How does the SELinux inheritance work?  How is it related to the user context 
under which a process runs?  As I look at it, I see this chain ...

== Cron run under the crond_t context and chrony user account.  It calls 
logwatch.

==== Logwatch runs under the logwatch_t context and user account of the 
caller.  It calls various binaries such as uptime and hddtemp and virsh.

======  Uptime is bin_t.  hddtemp is bin_t.  virsh is virsh_exec_t.  They all 
run under the user account of the caller.

If I run-parts from a root login, then the cron service is not involved.  The 
processes all run in the root user account.  That does not change their 
SELinux types, but it sure changes what they can do!

I know this issue is in SELinux somewhere because if I set the system to 
permissive, then it all works.

Bill Gee
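As an added example (not part of the thread), a small Python parser that summarizes SELinux AVC denials by source domain, target type and object class, and keeps apart the records logged in permissive mode. The audit lines are constructed to mirror the cron -> logwatch -> virsh chain discussed above; the target types (virtd_t, virt_var_run_t) and PIDs are assumed for the demo, not taken from the poster's system.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread). They model the
# cron -> logwatch -> virsh chain: virsh runs in the caller's logwatch_t domain
# and is denied access to libvirt's socket. Target types are assumed for the demo.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1409231818.100:401): avc:  denied  { connectto } for  pid=2001 comm="virsh" path="/var/run/libvirt/libvirt-sock" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:system_r:virtd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1409231818.101:402): avc:  denied  { write } for  pid=2001 comm="virsh" name="libvirt-sock" dev="tmpfs" ino=12345 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1409232818.102:403): avc:  denied  { write } for  pid=2101 comm="virsh" name="libvirt-sock" dev="tmpfs" ino=12345 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=1
type=USER_START msg=audit(1409231818.103:404): pid=1999 uid=0 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" res=success'
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)

def parse_avc(text):
    """Return one dict per AVC record; other audit record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = set(rec["perms"].split())
        rec["sdomain"] = rec["scontext"].split(":")[2]   # process domain, e.g. logwatch_t
        rec["ttype"] = rec["tcontext"].split(":")[2]     # target type, e.g. virtd_t
        rec["permissive"] = rec["permissive"] == "1"     # logged but not enforced
        records.append(rec)
    return records

def summarize(records):
    """Group denials as (source domain, target type, class) -> permissions.
    Records with permissive=1 are kept apart: they show why the job works after
    'setenforce 0' while the same access would still be blocked when enforcing."""
    enforced, permissive = defaultdict(set), defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        key = (r["sdomain"], r["ttype"], r["tclass"])
        (permissive if r["permissive"] else enforced)[key].update(r["perms"])
    return enforced, permissive
```

Feed it the real /var/log/audit/audit.log instead of SAMPLE_AUDIT to see which domain (crond_t, logwatch_t, ...) the denied virsh process actually ran in; that is the domain a policy fix or boolean has to address.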