transition from init_rc

Tracy Reed treed at ultraviolet.org
Wed Nov 11 23:35:42 UTC 2015 

dgrift suggested on IRC that I try the domain_obj_id_change_exemption attribute.

I tried that and it didn't work. For example I added the following (including
trying the extra unnecessary attributes):

# Adding lines to try and overcome the constraint violation for initrc starting nodes.
domain_obj_id_change_exemption(initrc_t)
domain_subj_id_change_exemption(initrc_t)
domain_role_change_exemption(initrc_t)
domain_system_change_exemption(initrc_t)
domain_user_exemption_target(initrc_t)

# Guess this really shouldn't be necessary, but just in case.
allow initrc_t myapp_exec_t:file execute;
allow initrc_t myapp_java_t:file { execute read execmod open getattr execute_no_trans };
allow initrc_t myapp_java_t:file { relabelfrom relabelto getattr };
allow initrc_t myapp_api_t:file { relabelfrom relabelto getattr };
allow initrc_t myapp_bin_t:file { relabelfrom relabelto getattr };
allow initrc_t myapp_conf_t:file { relabelfrom relabelto getattr };
allow initrc_t myapp_exec_t:file { relabelfrom relabelto getattr };
allow initrc_t myapp_lib_t:file { relabelfrom relabelto getattr };
allow initrc_t myapp_logs_t:file { relabelfrom relabelto getattr };
allow initrc_t myapp_nodes_t:file { relabelfrom relabelto getattr };
allow initrc_t myapp_release_t:file { relabelfrom relabelto getattr };
allow initrc_t myapp_scripts_t:file { relabelfrom relabelto getattr };
allow initrc_t myapp_util_t:file { relabelfrom relabelto getattr };
allow initrc_t myapp_var_t:file { relabelfrom relabelto getattr };
allow initrc_t myapp_webapps_t:file { relabelfrom relabelto getattr };

Policy loads, but on reboot when the init.d starts the web application:  

type=AVC msg=audit(1447281933.532:76): avc:  denied  { relabelto } for  pid=1429 comm="chcon" name="select2_doctype.css" dev=dm-0 ino=614732 scontext=system_u:system_r:initrc_t:s0 tcontext=myapp_u:object_r:myapp_webapps_t:s0:c18 tclass=file
type=AVC msg=audit(1447281933.607:77): avc:  denied  { relabelto } for  pid=1429 comm="chcon" name="myapp-release" dev=dm-0 ino=508002 scontext=system_u:system_r:initrc_t:s0 tcontext=myapp_u:object_r:myapp_release_t:s0:c18 tclass=file
type=AVC msg=audit(1447281933.936:78): avc:  denied  { relabelto } for  pid=1429 comm="chcon" name="README" dev=dm-0 ino=1296427 scontext=system_u:system_r:initrc_t:s0 tcontext=myapp_u:object_r:myapp_logs_t:s0:c18 tclass=file

Still getting the constraint messages.
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow initrc_t myapp_logs_t:file relabelto;

Ideas?

On Tue, Nov 10, 2015 at 03:48:35PM PST, Tracy Reed spake thusly:
> Hello all! 
> 
> Way back in May I wrote to the list and got some, but not all, of the problems
> fixed in my policy. This project was on the back-burner mostly working for a
> while but now I need to get it perfected.
> 
> We use MCS and have an automated process to deploy web application instances to
> machines with a separate category per application instance to protect them from
> each other. When the application starts the init script does a chcon to set the
> category/context. initrc_t is supposedly unconstrained from what I'm reading in
> the docs so why is it being prohibited from relabeling?
> 
> type=AVC msg=audit(11/09/2015 04:22:43.045:3126812) : avc: denied { relabelto }
> for pid=13753 comm=chcon name=tomcat-server.xml dev=dm-0 ino=16900514
> scontext=system_u:system_r:initrc_t:s0
> tcontext=myapp_u:object_r:myapp_conf_t:s0:c50 tclass=file 
> 
> On Tue, May 26, 2015 at 02:04:59AM PDT, Tracy Reed spake thusly:
> > #!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
> > #Contraint rule: 
> > allow initrc_t default_t:file relabelto;
> > 
> > #!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
> > #Contraint rule: 
> > allow initrc_t myapp_api_t:file relabelto;
> > 
> > The init script which starts the service relabels the files when the service
> > starts. I suspect this is a bad idea and I'm not sure why they are doing it. I
> > think they may be applying security categories here. We may have to find a
> > different way to approach that.
> > 
> > But how would I allow this if I wanted to? 
> > 
> > Similarly:
> > 
> > #!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
> > #Contraint rule: 
> > allow setfiles_t default_t:file relabelfrom;
> > 
> > #!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
> > #Contraint rule: 
> > allow setfiles_t myapp_api_t:file relabelfrom;
> > 
> > etc...
> > 
> > This is all on CentOS 6.5.
> 
> -- 
> Tracy Reed



> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20151111/8712909f/attachment.sig>

More information about the selinux mailing list