[CentOS] Type enforcement / mechanism not clear

Sun Sep 23 05:55:42 UTC 2018
Gordon Messmer <gordon.messmer at gmail.com>

On 9/9/18 9:23 AM, Gordon Messmer wrote:
> I don't see sesearch mentioned in the SELinux FAQ hosted by Fedora, 
> and the mention in CentOS's FAQ appears to be the invocation that Leon 
> used, which was less than helpful.  I think both would be improved if 
> they started from an AVC log entry (which does appear in Fedora's 
> FAQ), and walked through the very simple steps of getting the type 
> from a running process, the type from a file or other resource, and 
> then using sesearch to find out what rules connect those two things, 
> whether allowed or disallowed. 

Dan, if you happen to see this, could you comment on the following with 
any clarifications?  This is the best of my understanding, which isn't 
very good.

To determine what types of access are allowed by policy, first determine 
the context in which the process is running.  Use the "Z" flag to the 
"ps" command to get context info for processes. In the following 
example, the httpd process is running in the httpd_t context.

# ps axZ | grep httpd
system_u:system_r:httpd_t:s0    16821 ?        S      0:00 
/usr/sbin/httpd -DFOREGROUND

Next, get the context of the resource you'd like to examine.  The 
"seinfo" command can tell you the context applied to IP ports. The "ps" 
command with the "Z" argument can tell you the context of processes 
(which might tell you whether a signal can be sent). The "ls" command 
with the "-Z" argument can tell you the context for files.

# seinfo --portcon=443 --protocol=tcp
     portcon tcp 443 system_u:object_r:http_port_t:s0
     portcon tcp 1-511 system_u:object_r:reserved_port_t:s0
# ps axZ | grep /spamd
system_u:system_r:spamd_t:s0    12993 ?        Ss     0:06 
/usr/bin/spamd --pidfile /var/run/spamd.pid -d -m5 -H -u daemon
# ls -lZ /etc/passwd
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd

Finally, use "sesearch" to print the list of rules that allow access 
from the source process to the target resource.  If access is not 
allowed, then it will be denied.

# sesearch -A -s httpd_t -t http_port_t
Found 11 semantic av rules:
    allow httpd_t http_port_t : tcp_socket name_bind ;
    allow httpd_t http_port_t : udp_socket name_bind ;
    allow httpd_t port_type : tcp_socket { recv_msg send_msg } ;
    allow httpd_t port_type : udp_socket { recv_msg send_msg } ;
    allow httpd_t http_port_t : tcp_socket name_connect ;
    allow httpd_t http_port_t : tcp_socket name_connect ;
    allow nsswitch_domain port_type : udp_socket recv_msg ;
    allow nsswitch_domain port_type : udp_socket send_msg ;
    allow httpd_t port_type : tcp_socket name_connect ;
    allow nsswitch_domain reserved_port_type : tcp_socket name_connect ;
    allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ;

# sesearch -A -s httpd_t -t spamd_t
Found 4 semantic av rules:
    allow domain domain : key { search link } ;
    allow domain domain : fd use ;
    allow httpd_t domain : process getpgid ;
    allow daemon daemon : unix_stream_socket connectto ;

# sesearch -A -s httpd_t -t passwd_file_t
Found 3 semantic av rules:
    allow nsswitch_domain passwd_file_t : file { ioctl read getattr lock 
open } ;
    allow httpd_t file_type : filesystem getattr ;
    allow httpd_t file_type : dir { getattr search open } ;

In the case that you would like to change the context of a resource so 
that it is allowed by the existing policy, rather than adding a new 
policy module, start with the AVC from /var/log/audit/audit.log:

type=AVC msg=audit(1537676446.333:11424): avc:  denied  { write } for  
pid=12997 comm=7370616D64206368696C64 name="razor" dev="dm-0" ino=133311 
tcontext=unconfined_u:object_r:spamd_etc_t:s0 tclass=dir

In this example, the spamd_t source context (scontext) is not allowed to 
write to a target class, directory, (tclass) in the spamd_etc_t 
context.  You can print a list of the contexts for directories that 
spamd_t is allowed to write to:

# sesearch  -A -s spamd_t -p write -c dir

If it is more appropriate for that directory to have another context, 
you can set that with semanage:

# semanage fcontext -at spamd_log_t /path/