making a file context change work for initrc_t and unconfined_t
Maria Iano
maria at iano.org
Thu Feb 2 23:36:45 UTC 2012
On Feb 2, 2012, at 5:58 PM, Maria Iano wrote:
>
> On Feb 1, 2012, at 4:53 PM, Dominick Grift wrote:
>
>> On Wed, 2012-02-01 at 15:05 -0500, Maria Iano wrote:
>>> On Feb 1, 2012, at 1:32 PM, Dominick Grift wrote:
>>>
>>>> On Tue, 2012-01-31 at 17:33 -0500, Maria Iano wrote:
>>>>> I have a RHEL 6.2 server running LikewiseOpen. It appears to me that I
>>>>> will take care of a large number of denials if I can change the type
>>>>> of /var/lib/likewise/.lsassd to be lsassd_var_socket_t.
>>>>>
>>>>> I added the file context rule with semanage, and used restorecon to
>>>>> change it to lsassd_var_socket_t as desired. But later I found that
>>>>> /var/lib/likewise/.lsassd had type var_lib_t again. I assume that is
>>>>> because the likewise processes run as initrc_t.
>>>>
>>>> Why are the likewise processes running in initrc_t?
>>>>
>>>> Are the likewise executable files in their proper location:
>>>>
>>>> /usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
>>>> /usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
>>>> /usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
>>>> /usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
>>>> /usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
>>>> /usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
>>>> /usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
>>>> /usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
>>>>
>>>>> I'd like to change the policy and tell it that services running in
>>>>> either initrc_t or unconfined_t domains should create the file
>>>>> /var/lib/likewise/.lsassd with type lsassd_var_socket_t. (A command line
>>>>> tool lwsm for managing the processes runs in unconfined_t so I'd like
>>>>> to include that domain to be safe.) How can I go about doing that in
>>>>> RHEL 6 (or can I)?
>>>>
>>>> That is not possible but if you label /var/lib/likewise:
>>>>
>>>> semanage fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
>>>>
>>>> And configure restorecond to watch /var/lib/likewise then the file will
>>>> be reset to the proper type when restorecond notices that it's
>>>> mislabeled.
>>>>
>>>> The policy for likewise was written by the people of likewise. I
>>>> helped
>>>> with it a bit. I think we collaborated on the selinux maillist
>>>> but i
>>>> could not find the thread about it in short noticed. (i was looking
>>>> for
>>>> the e-mail address of the likewise policy author so that i can
>>>> ask him
>>>> to see if the policy is still up-to-date)
>>>>
>>>> It may be that the policy is not maintained optimally.
>>>>
>>>> Maybe you can help us revisit it?
>>>
>>> Those files are all under /opt/likewise/sbin on this system
>>> (although
>>> there is no srvsvcd):
>>> /opt/likewise/sbin/dcerpcd
>>> /opt/likewise/sbin/eventlogd
>>> /opt/likewise/sbin/lsassd
>>> /opt/likewise/sbin/lwiod
>>> /opt/likewise/sbin/lwregd
>>> /opt/likewise/sbin/lwsmd
>>> /opt/likewise/sbin/netlogond
>>>
>>> Also the directories corresponding to /etc/likewise-open and
>>> /var/lib/likewise-open are actually /etc/likewise and /var/lib/likewise
>>> on my system.
>>>
>>> My system is RHEL 6.2 and I installed LikewiseOpen by downloading
>>> LikewiseOpen-6.1.0.8729-linux-x86_64-rpm.sh, making it executable,
>>> and
>>> typing:
>>> ./LikewiseOpen-6.1.0.8729-linux-x86_64-rpm.sh install
>>>
>>> So I think it is installed with all the defaults.
>>>
>>> I would be very happy to help. I would really like for selinux and
>>> likewise to coexist comfortably.
>>
>> Why that's great
>>
>> Here is a list with all file contexts for likewise files:
>>
>> http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modules/services/likewise.fc;h=57491fc406f6d309b258f6be978524a0b916d531;hb=6a8b33a937d800e1f7ec5a148b73abedc1ea4f09
>>
>> Basically what i would do if i were you is add file context
>> specifications using "semanage fcontext" or a custom .fc file of
>> all the
>> entries in there matching files on your system:
>>
>> example:
>>
>> /usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
>>
>> would be:
>>
>> semanage fcontext -a -t lsassd_exec_t -f -- "/opt/likewise/sbin/lsassd"
>>
>> and:
>>
>> /var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
>>
>> would be:
>>
>> semanage fcontext -a -t lsassd_var_socket_t -f -s "/var/lib/likewise-open/\.lsassd"
>>
>> When all is added you can use matchpathcon to verify whether the type
>> matches what you've specified. Example:
>>
>> matchpathcon /opt/likewise/sbin/lsassd
>>
>> and if that is verified to be correct actually apply the contexts by
>> running for example:
>>
>> restorecon -R -v /opt/likewise/sbin/lsassd
>>
>> Then you should try it out, collect any AVC denials that you are
>> seeing
>> and enclose those so that we can analyze them and fix bugs where
>> possible.
>>
>> If you have any questions or comments do not hesitate to ask.
>>
>> I am looking forward to your reply.
>
> On a CentOS 6.2 system which had never had likewise installed, I ran
> the corresponding semanage commands to these file contexts:
>
> /etc/likewise(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
> /etc/likewise/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
> /etc/likewise/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
>
> /etc/rc\.d/init\.d/likewise -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
>
> /opt/likewise/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
> /opt/likewise/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
> /opt/likewise/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
> /opt/likewise/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
> /opt/likewise/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
> /opt/likewise/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
> /opt/likewise/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
>
> /var/lib/likewise(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
> /var/lib/likewise/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
> /var/lib/likewise/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
> /var/lib/likewise/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
> /var/lib/likewise/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
> /var/lib/likewise/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
> /var/lib/likewise/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
> /var/lib/likewise/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
> /var/lib/likewise/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
> /var/lib/likewise/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
> /var/lib/likewise/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> /var/lib/likewise/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
> /var/lib/likewise/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> /var/lib/likewise/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
> /var/lib/likewise/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> /var/lib/likewise/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> /var/lib/likewise/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> /var/lib/likewise/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
> /var/lib/likewise/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> /var/lib/likewise/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
> /var/lib/likewise/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
> /var/lib/likewise/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
> /var/lib/likewise/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> /var/lib/likewise/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
>
> I then installed LikewiseOpen with
> LikewiseOpen-6.1.0.8729-linux-x86_64-rpm.sh. I joined the computer to the
> AD domain and rebooted.
>
> The first two denials were due to incorrect labeling of
> /var/lib/likewise/db/registry.db and /var/lib/likewise/db/sam.db. Both were
> labeled as unconfined_u:object_r:likewise_var_lib_t:s0. They should be
> unconfined_u:object_r:lwregd_var_lib_t:s0 and
> unconfined_u:object_r:lsassd_var_lib_t:s0 respectively. I ran restorecon
> on both and have not had any of those types of denials since. So far they
> have retained their correct context through a reboot, so perhaps it's
> just something that doesn't work correctly during the installation.
>
> I've attached the remaining AVCs to this message, but since I'm not
> sure the mailing list will allow that through I'll also paste them
> in below. I removed duplicates. Also there were a large number of
> entries where lsassd tried to getattr for many different /proc/xxxx
> but I only included one. It didn't just try to do that for likewise
> processes, but every process running at the time (or maybe almost
> every). I can forward all of those as well if you'd like.
I just noticed that I missed some duplicates. Here is a slightly
shorter list. Now I know I can attach them so I won't paste them in
again.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: likewise-avcs.txt
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20120202/9bdc83d1/attachment.txt>
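The thread's recipe is to take each likewise.fc entry, rewrite the path to where this system actually keeps the file, and turn it into a "semanage fcontext" command. The script below is an added example, not code from the thread or from the likewise policy; it assumes .fc lines in the format quoted above and constructs its own sample input.

```shell
# Added example (not from the thread): turn likewise.fc entries into the
# "semanage fcontext" commands described above, rewriting upstream paths to
# where this system keeps the files (/usr/sbin -> /opt/likewise/sbin,
# /var/lib/likewise-open -> /var/lib/likewise). Review the output, pipe it
# to sh, then verify with matchpathcon and apply with restorecon -R -v.

# Constructed sample input: a few entries in the format quoted in the thread,
# including a comment line, a blank line and a "TYPE, s0" entry with a space.
FC_SAMPLE='# likewise.fc excerpt (constructed sample)
/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)

/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)'

# fc_to_semanage: read .fc lines on stdin, print one semanage command per entry.
# An .fc line is: REGEX [FILECLASS] gen_context(USER:ROLE:TYPE,MLS). The file
# class (-- regular file, -s socket, -d directory, ...) is optional; when it is
# missing the entry applies to every file class, so no -f flag is emitted.
fc_to_semanage() {
  sed -e 's#^/usr/sbin/#/opt/likewise/sbin/#' \
      -e 's#^/var/lib/likewise-open#/var/lib/likewise#' |
  awk '
    /^#/ || NF == 0 { next }                       # skip comments and blanks
    {
      regex = $1
      if ($2 ~ /^-/) { fclass = " -f " $2; ctx = $3 } else { fclass = ""; ctx = $2 }
      sub(/^gen_context\([^:]*:[^:]*:/, "", ctx)   # drop "gen_context(user:role:"
      sub(/,.*$/, "", ctx)                         # drop ",s0)" or a trailing ","
      printf "semanage fcontext -a -t %s%s \"%s\"\n", ctx, fclass, regex
    }'
}

printf '%s\n' "$FC_SAMPLE" | fc_to_semanage
```

Run it against the real likewise.fc from the policy git link above; the rewrites are sed rules, so add one per path that differs on your system.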