selinux process transition not taking place

SZIGETVÁRI János jszigetvari at gmail.com
Thu May 14 13:24:01 UTC 2015


Thanks for pointing this out (I didn't know about that), but it seems that
our problem is not affected by this.
Our /tmp directory resides on the root filesystem, for which the nosuid
mount option is not specified.

[root at centos-test ~]# mount
/dev/mapper/vg_centostest-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

Janos

2015-05-14 15:10 GMT+02:00 Stephen Smalley <sds at tycho.nsa.gov>:

> On 05/14/2015 09:07 AM, SZIGETVÁRI János wrote:
> > Hello Everyone,
> >
> > I work for a company which develops an rsyslog alternative logging
> > service, and we recently have encountered an interesting problem around
> > the SELinux process transitions of our product.
> >
> > I and most of my colleagues have little to marginal experience with
> > SELinux, and we have done most of the investigation we could do on our
> > own.
> >
> > The problem that one of our customers experienced is that our product
> > (when started by its init script, or through the service ... utility)
> > will be stuck in the initrc_t context, and not transition into the
> > syslogd_t context. This causes the /dev/log socket not to have the
> > proper selinux context, which leads to even further problems.
> > The system they are working on is running CentOS 6.6.
> >
> > To describe the problem in a bit more detail:
> > - we have an init script with the selinux context of
> > system_u:object_r:syslogd_initrc_exec_t:s0
> > - this init script calls the binary, which has the context of:
> > system_u:object_r:syslogd_exec_t:s0
> >
> > - the necessary process transition definitions are in place:
> > [root at centos-test ~]# sesearch -T -s initrc_t -t syslogd_initrc_exec_t
> > -c process -p transition -A
> > Found 1 semantic te rules:
> >    type_transition initrc_t syslogd_initrc_exec_t : process initrc_t;
> > [root at centos-test ~]# sesearch -T -s initrc_t -t syslogd_exec_t -c
> > process -p transition -A
> > Found 1 semantic te rules:
> >    type_transition initrc_t syslogd_exec_t : process syslogd_t;
> >
> > - the necessary execution permissions are present
> > [root at centos-test ~]# sesearch -s initrc_t -t syslogd_exec_t -c file -p
> > execute -A
> > Found 3 semantic av rules:
> >    allow initrc_t exec_type : file { ioctl read getattr lock execute
> > execute_no_trans open } ;
> >    allow initrc_t syslogd_exec_t : file { read getattr execute open } ;
> >    allow files_unconfined_type file_type : file { ioctl read write
> > create getattr setattr lock relabelfrom relabelto append unlink link
> > rename execute swapon quotaon mounton execute_no_trans entrypoint open }
> > ;
> >
> > - the necessary types are defined as the domain entry points
> > [root at centos-test ~]# sesearch -s syslogd_t -t syslogd_exec_t -c file -p
> > entrypoint -A
> > Found 1 semantic av rules:
> >    allow syslogd_t syslogd_exec_t : file { ioctl read getattr lock
> > execute entrypoint open } ;
> >
> > - the target domain is allowed for the proper role:
> > [root at centos-test ~]# seinfo -rsystem_r -x | fgrep syslogd_t
> >          syslogd_t
> >
> >
> > But despite all the above, the transition doesn't occur to syslogd_t,
> > the process remains in initrc_t.
> >
> > I even have created a script to reproduce the issue (find it attached).
> > The script simply
> > - puts down two shell scripts and sets their rights and selinux contexts
> > (system_u:object_r:syslogd_initrc_exec_t:s0 and
> > system_u:object_r:syslogd_exec_t:s0) ,
> > - creates a copy of bash, sets its context (to
> > system_u:object_r:syslogd_initrc_exec_t:s0),
> > - tries to run the script with the syslogd_initrc_exec_t context,
> > - which in turn will run the other script with context syslogd_exec_t
> >
> > The resulting output shows that the script with the syslogd_exec_t
> > context will run as initrc_t even though its parent was initrc_t as
> > well, and the type transition should have occurred.
> >
> >
> > Some sample output:
> >
> > [root at centos-test ~]# bash selinux_test.sh
> > -rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0
> > /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t
> > -rwxr-xr-x. root root system_u:object_r:syslogd_exec_t:s0
> > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
> > -rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0
> > /tmp/tmp.efz1wH7wpL/syslogd_initrc_exec_t_starter.sh
> > ======================== STARTING
> > ===============================================
> > Authenticating root.
> > Jelszó:
> > system_u:system_r:initrc_t:s0   root      3352  0.0  0.0 106056  1296
> > pts/0    S+   14:50   0:00              \_
> > /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t
> > /tmp/tmp.efz1wH7wpL/syslogd_initrc_exec_t_starter.sh
> > ======================== STARTED
> > ===============================================
> > system_u:system_r:initrc_t:s0   root      3359  0.0  0.0 106056  1340
> > pts/0    S+   14:50   0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t
> > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
> > system_u:system_r:initrc_t:s0   root      3362  0.0  0.0 106056  1336
> > pts/0    S+   14:50   0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t
> > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end
> > ============================= first
> > ==========================================
> > system_u:system_r:initrc_t:s0   root      3359  0.0  0.0 106056  1340
> > pts/0    S+   14:50   0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t
> > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
> > system_u:system_r:initrc_t:s0   root      3362  0.0  0.0 106056  1336
> > pts/0    S+   14:50   0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t
> > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end
> > ============================= end
> > ==========================================
> > system_u:system_r:initrc_t:s0   root      3359  0.0  0.0 106060  1360
> > pts/0    S+   14:50   0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t
> > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
> > system_u:system_r:initrc_t:s0   root      3362  0.0  0.0 106060  1352
> > pts/0    S+   14:50   0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t
> > /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end
> > [root at centos-test ~]#
> >
> >
> > We would appreciate if we could get some guidance on what we should
> > check, in order to get to the end of this problem.
> > We have tried running setroubleshootd, disabling noaudit rules (semodule
> > -DB), but we saw no error messages about failed transitions, or
> > whatsoever. The only logs we saw related to the scripts were the
> > authentication and accounting messages about the run_init command.
>
> SELinux domain transitions are suppressed on nosuid mounts for the same
> reasons that setuid/setgid is suppressed.
>
>
>
>
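The check Stephen's answer implies, as an added example that is not part of this thread: given a path and a /proc/self/mounts-style table, find the mount that covers the path and report whether it carries nosuid, which suppresses SELinux domain transitions the same way it suppresses setuid. The mount table below is constructed for illustration (it deliberately puts /tmp on a nosuid tmpfs, unlike Janos's system); `check_live` runs the same test against the real /proc/self/mounts.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): does PATH live on a nosuid mount?

# Constructed sample in /proc/self/mounts format: device, mountpoint, fstype,
# options, dump, pass. /tmp is made a separate nosuid tmpfs to show the case
# in which domain transitions would be suppressed.
SAMPLE_MOUNTS='/dev/mapper/vg_centostest-lv_root / ext4 rw,seclabel,relatime 0 0
proc /proc proc rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,seclabel 0 0
/dev/sda1 /boot ext4 rw,seclabel 0 0'

# longest_mount PATH TABLE -> prints "mountpoint options" for the deepest
# mount point that is a prefix of PATH (longest-prefix match, as the kernel
# resolves it).
longest_mount() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2; opts = $4
            # "/" covers everything; otherwise PATH must equal the mount point
            # or start with it followed by "/".
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) {
                    best_len = length(mp); best_mp = mp; best_opts = opts
                }
            }
        }
        END { if (best_mp != "") print best_mp, best_opts }'
}

# nosuid_for PATH TABLE -> prints "yes" if the covering mount has nosuid.
nosuid_for() {
    set -- "$(longest_mount "$1" "$2")"
    opts=${1#* }            # drop the mount point, keep the option list
    case ",$opts," in
        *,nosuid,*) echo yes ;;
        *)          echo no  ;;
    esac
}

# check_live PATH -> same test against the running system's mount table.
check_live() {
    [ -r /proc/self/mounts ] || { echo unknown; return; }
    nosuid_for "$1" "$(cat /proc/self/mounts)"
}
```

A "yes" for the daemon binary, or for a reproduction script dropped under /tmp, is enough to explain a process staying in initrc_t with no AVC denial logged.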