I am new to compiling selinux policy modules. When I sesearch for source domain init_t for httpd_sys_content_t I get 5 replies:
$ sesearch -T -s init_t -t httpd_sys_content_t
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "smarty";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "upgrade";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "uploads";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "wp-content";
type_transition init_t httpd_sys_content_t:file httpd_sys_rw_content_t "settings.php";
If I read this correctly, init_t has access to 4 directories: smarty, upgrade, uploads and wp-content, and one file, settings.php.
I created a systemd service file running as a timer. The service just executes a script. SELinux denies with these errors:
type=AVC msg=audit(1570329687.437:218): avc: denied { execute } for pid=1079 comm="(index.sh)" name="make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.437:219): avc: denied { read open } for pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.437:220): avc: denied { execute_no_trans } for pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.450:221): avc: denied { ioctl } for pid=1079 comm="make_index.sh" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.303:222): avc: denied { create } for pid=1081 comm="make_index.sh" name="index.html" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.322:223): avc: denied { write } for pid=1081 comm="make_index.sh" name="index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.322:224): avc: denied { open } for pid=1081 comm="make_index.sh" path="/srv/www/sites/linux.montclaire.lan/index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.322:225): avc: denied { append } for pid=1081 comm="make_index.sh" name="index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
How can I create a type transition that says this? Is this correct?
type_transition init_t httpd_sys_content_t:file httpd_sys_rw_content_t "make_index.sh";
Hi Louis,
On 10/7/19 4:59 PM, Louis Garcia wrote:
I am new to compiling selinux policy modules. When I sesearch for source domain init_t for httpd_sys_content_t I get 5 replies:
$ sesearch -T -s init_t -t httpd_sys_content_t
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "smarty";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "upgrade";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "uploads";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "wp-content";
type_transition init_t httpd_sys_content_t:file httpd_sys_rw_content_t "settings.php";
If I read this correctly, init_t has access to 4 directories: smarty, upgrade, uploads and wp-content, and one file, settings.php.
This doesn't mean that all processes labeled as init_t have access to these dirs. It means that when any process labeled as init_t creates the directories "smarty", "upgrade", "uploads" or "wp-content", or the file "settings.php", in a directory labeled as httpd_sys_content_t, the dirs and file mentioned above will get the label httpd_sys_rw_content_t.
I created a systemd service file running as a timer. The service just executes a script. SELinux denies with these errors:
type=AVC msg=audit(1570329687.437:218): avc: denied { execute } for pid=1079 comm="(index.sh)" name="make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.437:219): avc: denied { read open } for pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.437:220): avc: denied { execute_no_trans } for pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.450:221): avc: denied { ioctl } for pid=1079 comm="make_index.sh" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.303:222): avc: denied { create } for pid=1081 comm="make_index.sh" name="index.html" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.322:223): avc: denied { write } for pid=1081 comm="make_index.sh" name="index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.322:224): avc: denied { open } for pid=1081 comm="make_index.sh" path="/srv/www/sites/linux.montclaire.lan/index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.322:225): avc: denied { append } for pid=1081 comm="make_index.sh" name="index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
How can I create a type transition that says this? Is this correct?
type_transition init_t httpd_sys_content_t:file httpd_sys_rw_content_t "make_index.sh";
Not really. You ideally need to create a custom SELinux policy for your timer service, where you add a domain transition so that the timer gets its own SELinux domain, and then you allow this domain to access httpd_sys_content_t dirs/files.
You can use the following workshop as an example of how to create a new policy: http://redhatgov.io/workshops/selinux_policy/
Thanks, Lukas.
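As an added illustration of the approach Lukas describes (this is example policy written for this thread, not code from either message or from the linked workshop): a small Reference Policy style module that gives the timer's script its own domain, make_index_t, entered from init_t through a domain transition on the script's executable type make_index_exec_t, and then grants that domain only what the AVC records in the question show it needs. The names make_index_t and make_index_exec_t, the assumption that /srv carries the default var_t label, and the assumption that the script only runs shell utilities and rewrites index.html are mine. It also shows why the type_transition proposed in the question would not have helped: a file-name transition only chooses the label of a newly created object and never grants access, and since an index.html created by make_index_t inside an httpd_sys_content_t directory inherits that directory's type by default, Apache can read it without any name transition at all.

```selinux
# --- make_index.te ---  (added example module; names are assumed, see lead-in)
policy_module(make_index, 1.0.0)

########################################
# Declarations
#

# Domain for the script started by the systemd timer, and the
# entrypoint type that its executable will carry.
type make_index_t;
type make_index_exec_t;

# Declares make_index_t as a daemon domain started by init_t: when init_t
# executes a file of type make_index_exec_t, the new process transitions
# into make_index_t. This is the domain transition the reply refers to;
# it is exactly what init_t lacked in the AVC records.
init_daemon_domain(make_index_t, make_index_exec_t)

########################################
# Local policy
#

# The entrypoint is a shell script, so the new domain must be able to run
# the interpreter (/bin/sh, shell_exec_t) and ordinary tools in bin_t
# without a further transition (covers the execute_no_trans denial).
corecmd_exec_shell(make_index_t)
corecmd_exec_bin(make_index_t)

# Everything the script touches lives under /srv/www, which is labeled
# httpd_sys_content_t. Creating and rewriting index.html there needs
# create/write/open/append on files and search/add_name on the directory;
# apache_manage_sys_content grants manage rights on httpd_sys_content_t
# dirs, files and symlinks.
apache_manage_sys_content(make_index_t)

# Assumption: /srv itself carries the default var_t label, which must be
# searchable to reach /srv/www at all.
files_search_var(make_index_t)

# Usual housekeeping for anything that runs shell utilities.
files_read_etc_files(make_index_t)
miscfiles_read_localization(make_index_t)

# --- make_index.fc ---
# Label the script so that init_t executing it triggers the transition
# above. The path is the one from the AVC records in the question.
/srv/www/sites/linux\.montclaire\.lan/make_index\.sh  --  gen_context(system_u:object_r:make_index_exec_t,s0)
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile make_index.pp && semodule -i make_index.pp` (the Makefile comes from the selinux-policy-devel package), then `restorecon -v /srv/www/sites/linux.montclaire.lan/make_index.sh` so the file actually picks up make_index_exec_t. While refining the rules, `semanage permissive -a make_index_t` puts only this new domain into permissive mode, so any remaining denials show up in the audit log without the timer failing; `semanage permissive -d make_index_t` turns enforcement back on for it. `sesearch -A -s make_index_t -t httpd_sys_content_t -c file` lists the resulting allow rules, the same way the `sesearch -T` query in the question listed the name transitions.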
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...