Initial context for init
by Philip Seeley
Hi all,
Quick question is:
In the targeted policy should init run SystemHigh as it does in the mls
policy?
The background:
We're setting up a targeted system where we confine all users and remove
the unconfined policy module, but we also enable polyinstantiation of /tmp
and /var/tmp.
If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we
have a context of:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
And therefore /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp
Which is really:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil
The real /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
Now if we use run_init to update an RPM that contains a post install
script, rpm can't create the temporary script file:
# run_init bash -c 'rpm -i --force /root/libselinux-2.0.94-7.el6.x86_64.rpm'
Authenticating phil.
Password:
error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission denied
error: Couldn't create temporary file for %post (libselinux-2.0.94-7.el6.x86_64): Permission denied
Note: you need to use run_init as the rpm might restart a service, e.g. the
sssd rpm.
We've traced this to the /etc/selinux/targeted/contexts/initrc_context file
which contains:
system_u:system_r:initrc_t:s0
So we transition to initrc_t and then to rpm_t without any categories, but
because the polyinstantiated /var/tmp directory has c0.c1023 we get denied.
Normally in targeted init runs unconfined, but we've removed this.
type=AVC msg=audit(1467342325.016:716): avc: denied { read } for pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil" dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir
It works if we change initrc_context to:
system_u:system_r:initrc_t:s0-s0:c0.c1023
We don't see the issue under mls because the default initrc_context is:
system_u:system_r:initrc_t:s0-s15:c0.c1023
We've traced this back through the selinux-policy src RPM and to the
upstream refpolicy and see that config/appconfig-mcs/initrc_context is:
system_u:system_r:initrc_t:s0
whereas config/appconfig-mls/initrc_context is:
system_u:system_r:initrc_t:s0-mls_systemhigh
So under mls init's context is SystemHigh, but under mcs/targeted it
doesn't have any categories.
So the long question is should config/appconfig-mcs/initrc_context really
be:
system_u:system_r:initrc_t:mcs_systemhigh
as it seems odd that the more secure mls policy would run init at
SystemHigh but targeted doesn't.
Thanks
Phil Seeley
3 years, 10 months
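As an added illustration of the range mismatch Phil describes (this is example code written for this page, not code from the post, from refpolicy or from libselinux), the following Python parses the contexts that appear in the AVC above and reproduces why rpm_t at plain s0 is refused read on a polyinstantiated /var/tmp instance labelled s0-s0:c0.c1023, while the same subject at s0-s0:c0.c1023 (or the MLS default s0-s15:c0.c1023) passes. It models only one thing, and that is an assumption about the policy: the MCS read constraint on file and dir classes, in which the subject's high level must dominate the target's high level (h1 dom h2). Type-enforcement rules and exemption attributes such as mcsreadall are deliberately ignored, so a "True" here does not mean the kernel would allow the access, only that the MCS part of the decision would.

```python
"""Model of the SELinux MCS "h1 dom h2" file/dir read constraint.

Example code for this page, not from the post, refpolicy or libselinux.
Assumption: only the MCS read constraint is modelled (subject high level
dominates target high level); type enforcement and the mcsreadall
exemption attribute are ignored.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: a sensitivity plus a set of category numbers."""
    sens: int
    cats: frozenset

    def dominates(self, other: "Level") -> bool:
        # "dom" in the policy language: sensitivity at least as high and a
        # superset of the other level's categories.
        return self.sens >= other.sens and self.cats >= other.cats


def parse_level(text: str) -> Level:
    """Parse "s0", "s0:c0.c1023" or "s0:c1,c3.c5" into a Level."""
    sens_part, _, cat_part = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens_part)
    if not m:
        raise ValueError(f"bad sensitivity in level {text!r}")
    cats = set()
    if cat_part:
        for item in cat_part.split(","):
            m_cat = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
            if not m_cat:
                raise ValueError(f"bad category spec {item!r} in {text!r}")
            lo = int(m_cat.group(1))
            hi = int(m_cat.group(2)) if m_cat.group(2) else lo
            if hi < lo:
                raise ValueError(f"inverted category range {item!r}")
            cats.update(range(lo, hi + 1))
    return Level(int(m.group(1)), frozenset(cats))


def parse_context(ctx: str) -> dict:
    """Split user:role:type:range; the range is "low" or "low-high"."""
    user, role, typ, rng = ctx.split(":", 3)
    low_text, _, high_text = rng.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if high_text else low
    if not high.dominates(low):
        raise ValueError(f"high level does not dominate low level in {ctx!r}")
    return {"user": user, "role": role, "type": typ, "low": low, "high": high}


def mcs_read_allowed(scontext: str, tcontext: str) -> bool:
    """Assumed MCS read/getattr constraint on file and dir classes: h1 dom h2."""
    subject = parse_context(scontext)
    target = parse_context(tcontext)
    return subject["high"].dominates(target["high"])


def missing_categories(scontext: str, tcontext: str) -> int:
    """How many of the target's categories the subject's high level lacks."""
    subject = parse_context(scontext)
    target = parse_context(tcontext)
    return len(target["high"].cats - subject["high"].cats)


def explain_avc(avc_line: str) -> dict:
    """Pull scontext/tcontext out of a raw AVC record and run the MCS check."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', avc_line))
    scontext, tcontext = fields["scontext"], fields["tcontext"]
    return {
        "tclass": fields.get("tclass"),
        "mcs_read_allowed": mcs_read_allowed(scontext, tcontext),
        "missing_categories": missing_categories(scontext, tcontext),
    }


# The AVC record from the post, joined onto one line.
AVC = ('type=AVC msg=audit(1467342325.016:716): avc: denied { read } for '
       'pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil" '
       'dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0 '
       'tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir')

# Label of the polyinstantiated /var/tmp instance, and the subject context
# rpm_t would get once initrc_context carries the full category set.
TMP_INST = "system_u:object_r:tmp_t:s0-s0:c0.c1023"
FIXED_SCONTEXT = "system_u:system_r:rpm_t:s0-s0:c0.c1023"

if __name__ == "__main__":
    print("as posted:", explain_avc(AVC))
    print("with c0.c1023 on the subject:", mcs_read_allowed(FIXED_SCONTEXT, TMP_INST))
```

Run stand-alone it reports the posted AVC as failing the MCS check with all 1024 categories missing on the subject side, and the same access passing once the subject's high level carries c0.c1023. Feed it your own AVC lines to separate "no categories on the subject" denials, which an initrc_context change addresses, from ordinary type-enforcement denials, which it cannot diagnose.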
Re: Policy issue: C7 and motion
by mark
> Subject: Re: Policy issue: C7 and motion
> Date: Tue, 26 Feb 2019 09:31:18 +0100
> From: Lukas Vrabec <lvrabec(a)redhat.com>
> Organization: Red Hat, Inc.
> To: selinux(a)lists.fedoraproject.org
>
> On 2/25/19 7:20 PM, mark wrote:
>
>> Not sure whose package let an error slip in, but I don't believe I've
>> had this issue before: SELinux is preventing /usr/bin/motion from map
>> access on the chr_file /dev/video1
>>
>> Yes, that should be allowed by default.
>
> Yes, it should be allowed by default, but do you have raw AVCs related
> to this issue?
>
type=AVC msg=audit(1551118810.099:136938): avc: denied { map } for pid=5076 comm="motion" path="/dev/video1" dev="devtmpfs" ino=27287 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=1
Does that help?
mark
4 years, 3 months
Policy issue: C7 and motion
by mark
Not sure whose package let an error slip in, but I don't believe I've had
this issue before: SELinux is preventing /usr/bin/motion from map access
on the chr_file /dev/video1
Yes, that should be allowed by default.
mark
4 years, 3 months
SELinux blocking Dovecot from mysqld socket
by Robert Moskowitz
I am working with Centos7:
I have configured Dovecot to connect to mysqld via socket:
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix
password=Postfix_Database_Password
I test sending a message with
sendmail -i rgm(a)test.htt-consult.com < README
This fails with the following message in maillog
Feb 4 11:28:48 klovia dovecot: dict(13122): Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
If I setenforce to 0, the connection works. So it clearly is an SELinux
problem. I worked on this almost 2 years ago on another system and found:
http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6...
But I was hoping that there were better tools now with Centos7. I
checked for setsebool at:
https://linux.die.net/man/8/mysqld_selinux
and tried:
setsebool -P allow_user_mysql_connect 1
But the mail still does not go unless I setenforce to 0.
Is there some way to get SELinux to allow dovecot (and postfix) to
connect to mysqld?
thank you
4 years, 3 months