<div dir="ltr"><div>Thanks for pointing this out (I didn't know about that), but it seems that our problem is not affected by this.<br>Our /tmp directory resides on the root filesystem, for which the nosuid mount option is not specified.<br><br>[root@centos-test ~]# mount<br>/dev/mapper/vg_centostest-lv_root on / type ext4 (rw)<br>proc on /proc type proc (rw)<br>sysfs on /sys type sysfs (rw)<br>devpts on /dev/pts type devpts (rw,gid=5,mode=620)<br>tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")<br>/dev/sda1 on /boot type ext4 (rw)<br>none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)<br><br></div>Janos<br><div><div class="gmail_extra"><br><div class="gmail_quote">2015-05-14 15:10 GMT+02:00 Stephen Smalley <span dir="ltr"><<a href="mailto:sds@tycho.nsa.gov" target="_blank">sds@tycho.nsa.gov</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 05/14/2015 09:07 AM, SZIGETVÁRI János wrote:<br>
> Hello Everyone,<br>
><br>
> I work for a company which develops an rsyslog alternative logging<br>
> service, and we recently have encountered an interesting problem around<br>
> the SELinux process transitions of our product.<br>
><br>
> I and most of my colleagues have little to marginal experience with<br>
> SELinux, and we have done most of the investigation we could do on our own.<br>
><br>
> The problem that one of our customers experienced is that our product<br>
> (when started by its init script, or through the service ... utility)<br>
> will be stuck in the initrc_t context, and not transition into the<br>
> syslogd_t context. This causes the /dev/log socket not to have the<br>
> proper selinux context, which leads to even further problems.<br>
> The system they are working on is running CentOS 6.6.<br>
><br>
> To describe the problem in a bit more detail:<br>
> - we have an init script with the selinux context of<br>
> system_u:object_r:syslogd_initrc_exec_t:s0<br>
> - this init script calls the binary, which has the context of:<br>
> system_u:object_r:syslogd_exec_t:s0<br>
><br>
> - the necessary process transition definitions are in place:<br>
> [root@centos-test ~]# sesearch -T -s initrc_t -t syslogd_initrc_exec_t<br>
> -c process -p transition -A<br>
> Found 1 semantic te rules:<br>
> type_transition initrc_t syslogd_initrc_exec_t : process initrc_t;<br>
> [root@centos-test ~]# sesearch -T -s initrc_t -t syslogd_exec_t -c<br>
> process -p transition -A<br>
> Found 1 semantic te rules:<br>
> type_transition initrc_t syslogd_exec_t : process syslogd_t;<br>
><br>
> - the necessary execution permissions are present<br>
> [root@centos-test ~]# sesearch -s initrc_t -t syslogd_exec_t -c file -p<br>
> execute -A<br>
> Found 3 semantic av rules:<br>
> allow initrc_t exec_type : file { ioctl read getattr lock execute<br>
> execute_no_trans open } ;<br>
> allow initrc_t syslogd_exec_t : file { read getattr execute open } ;<br>
> allow files_unconfined_type file_type : file { ioctl read write<br>
> create getattr setattr lock relabelfrom relabelto append unlink link<br>
> rename execute swapon quotaon mounton execute_no_trans entrypoint open } ;<br>
><br>
> - the necessary types are defined as the domain entry points<br>
> [root@centos-test ~]# sesearch -s syslogd_t -t syslogd_exec_t -c file -p<br>
> entrypoint -A<br>
> Found 1 semantic av rules:<br>
> allow syslogd_t syslogd_exec_t : file { ioctl read getattr lock<br>
> execute entrypoint open } ;<br>
><br>
> - the target domain is allowed for the proper role:<br>
> [root@centos-test ~]# seinfo -rsystem_r -x | fgrep syslogd_t<br>
> syslogd_t<br>
><br>
><br>
> But despite all the above, the transition doesn't occur to syslogd_t,<br>
> the process remains in initrc_t.<br>
><br>
> I even have created a script to reproduce the issue (find it attached).<br>
> The script simply<br>
> - puts down two shell scripts and sets their rights and selinux contexts<br>
> (system_u:object_r:syslogd_initrc_exec_t:s0 and<br>
> system_u:object_r:syslogd_exec_t:s0) ,<br>
> - creates a copy of bash, sets its context (to<br>
> system_u:object_r:syslogd_initrc_exec_t:s0),<br>
> - tries to run the script with the syslogd_initrc_exec_t context,<br>
> - which in turn will run the other script with context syslogd_exec_t<br>
><br>
> The resulting output shows that the script with the syslogd_exec_t<br>
> context will run as initrc_t even though its parent was initrc_t as<br>
> well, and the type transition should have occurred.<br>
><br>
><br>
> Some sample output:<br>
><br>
> [root@centos-test ~]# bash selinux_test.sh<br>
> -rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0<br>
> /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t<br>
> -rwxr-xr-x. root root system_u:object_r:syslogd_exec_t:s0<br>
> /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh<br>
> -rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0<br>
> /tmp/tmp.efz1wH7wpL/syslogd_initrc_exec_t_starter.sh<br>
> ======================== STARTING<br>
> ===============================================<br>
> Authenticating root.<br>
> Jelszó:<br>
> system_u:system_r:initrc_t:s0 root 3352 0.0 0.0 106056 1296<br>
> pts/0 S+ 14:50 0:00 \_<br>
> /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t<br>
> /tmp/tmp.efz1wH7wpL/syslogd_initrc_exec_t_starter.sh<br>
> ======================== STARTED<br>
> ===============================================<br>
> system_u:system_r:initrc_t:s0 root 3359 0.0 0.0 106056 1340<br>
> pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t<br>
> /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh<br>
> system_u:system_r:initrc_t:s0 root 3362 0.0 0.0 106056 1336<br>
> pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t<br>
> /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end<br>
> ============================= first<br>
> ==========================================<br>
> system_u:system_r:initrc_t:s0 root 3359 0.0 0.0 106056 1340<br>
> pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t<br>
> /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh<br>
> system_u:system_r:initrc_t:s0 root 3362 0.0 0.0 106056 1336<br>
> pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t<br>
> /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end<br>
> ============================= end ==========================================<br>
> system_u:system_r:initrc_t:s0 root 3359 0.0 0.0 106060 1360<br>
> pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t<br>
> /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh<br>
> system_u:system_r:initrc_t:s0 root 3362 0.0 0.0 106060 1352<br>
> pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t<br>
> /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end<br>
> [root@centos-test ~]#<br>
><br>
><br>
> We would appreciate it if we could get some guidance on what we should<br>
> check, in order to get to the end of this problem.<br>
> We have tried running setroubleshootd, disabling noaudit rules (semodule<br>
> -DB), but we saw no error messages about failed transitions, or<br>
> whatsoever. The only logs we saw related to the scripts were the<br>
> authentication and accounting messages about the run_init command.<br>
<br>
</div></div>SELinux domain transitions are suppressed on nosuid mounts for the same<br>
reasons that setuid/setgid is suppressed.<br>
<br>
<br>
<br>
</blockquote></div><br><br></div></div></div>
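The check Stephen's reply implies (is the executable on a nosuid mount?) can be done offline from saved `mount` output. This is an added example, not code from the thread: the helper names are invented, and the `/tmp` tmpfs line in the sample is constructed to show the suppressed case; the other lines are taken from Janos's mount output.

```shell
#!/bin/sh
# Hypothetical diagnostic (not from the thread): for a given path, find the
# mount point holding it in `mount` output and report whether that mount
# carries nosuid, which suppresses SELinux domain transitions just as it
# suppresses setuid/setgid.

# Constructed sample: Janos's mount lines plus a nosuid /tmp to show the
# case in which a syslogd_exec_t binary under /tmp would never transition.
SAMPLE_MOUNTS='/dev/mapper/vg_centostest-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev)'

# mount_point_for PATH MOUNT_OUTPUT: longest mount point that is a prefix of PATH
mount_point_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { mp = $3
          # "/" matches everything; otherwise PATH must equal mp or start with mp/
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) > length(best)) best = mp }
        END { print best }'
}

# mount_opts_for MOUNTPOINT MOUNT_OUTPUT: option list of that mount, parentheses stripped
mount_opts_for() {
    printf '%s\n' "$2" | awk -v mp="$1" '$3 == mp { gsub(/[()]/, "", $6); print $6; exit }'
}

# nosuid_check PATH MOUNT_OUTPUT: prints a verdict; returns 1 when nosuid applies
nosuid_check() {
    mp=$(mount_point_for "$1" "$2")
    opts=$(mount_opts_for "$mp" "$2")
    case ",$opts," in
        *,nosuid,*)
            printf 'nosuid: %s is on %s (%s); domain transitions suppressed\n' "$1" "$mp" "$opts"
            return 1 ;;
        *)
            printf 'ok: %s is on %s (%s)\n' "$1" "$mp" "$opts"
            return 0 ;;
    esac
}

# Demo against the constructed sample; "|| :" keeps the loop going after a finding.
# On a live host: nosuid_check /path/to/daemon "$(mount)"
for p in /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh /usr/sbin/daemon; do
    nosuid_check "$p" "$SAMPLE_MOUNTS" || :
done
```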