
Re: making a file context change work for initrc_t and unconfined_t



On Wed, 2012-02-01 at 15:05 -0500, Maria Iano wrote:
> On Feb 1, 2012, at 1:32 PM, Dominick Grift wrote:
> 
> > On Tue, 2012-01-31 at 17:33 -0500, Maria Iano wrote:
> >> I have a RHEL 6.2 server running LikewiseOpen. It appears to me that I
> >> will take care of a large number of denials if I can change the type
> >> of /var/lib/likewise/.lsassd to be lsassd_var_socket_t.
> >>
> >> I added the file context rule with semanage, and used restorecon to
> >> change it to lsassd_var_socket_t as desired. But later I found that
> >> /var/lib/likewise/.lsassd had type var_lib_t again. I assume that is
> >> because the likewise processes run as initrc_t.
> >
> > Why are the likewise processes running in initrc_t?
> >
> > Are the likewise executable files in their proper location:
> >
> > /usr/sbin/dcerpcd		--	gen_context(system_u:object_r:dcerpcd_exec_t,s0)
> > /usr/sbin/eventlogd		--	gen_context(system_u:object_r:eventlogd_exec_t,s0)
> > /usr/sbin/lsassd		--	gen_context(system_u:object_r:lsassd_exec_t,s0)
> > /usr/sbin/lwiod			--	gen_context(system_u:object_r:lwiod_exec_t,s0)
> > /usr/sbin/lwregd		--	gen_context(system_u:object_r:lwregd_exec_t,s0)
> > /usr/sbin/lwsmd			--	gen_context(system_u:object_r:lwsmd_exec_t,s0)
> > /usr/sbin/netlogond		--	gen_context(system_u:object_r:netlogond_exec_t,s0)
> > /usr/sbin/srvsvcd		--	gen_context(system_u:object_r:srvsvcd_exec_t,s0)
> >
> >> I'd like to change the policy and tell it that services running in
> >> either initrc_t or unconfined_t domains should create the file
> >> /var/lib/likewise/.lsassd with type lsassd_var_socket_t. (A command line
> >> tool lwsm for managing the processes runs in unconfined_t so I'd like
> >> to include that domain to be safe.) How can I go about doing that in
> >> RHEL 6 (or can I)?
> >
> > That is not possible but if you label /var/lib/likewise:
> >
> > semanage fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
> >
> > And configure restorecond to watch /var/lib/likewise then the file will
> > be reset to the proper type when restorecond notices that it's
> > mislabeled.
> >
> > The policy for likewise was written by the people of likewise. I helped
> > with it a bit. I think we collaborated on the selinux maillist but I
> > could not find the thread about it on short notice. (I was looking for
> > the e-mail address of the likewise policy author so that I can ask him
> > to see if the policy is still up-to-date)
> >
> > It may be that the policy is not maintained optimally.
> >
> > Maybe you can help us revisit it?
> 
> Those files are all under /opt/likewise/sbin on this system (although  
> there is no srvsvcd):
> /opt/likewise/sbin/dcerpcd
> /opt/likewise/sbin/eventlogd
> /opt/likewise/sbin/lsassd
> /opt/likewise/sbin/lwiod
> /opt/likewise/sbin/lwregd
> /opt/likewise/sbin/lwsmd
> /opt/likewise/sbin/netlogond
> 
> Also the directories corresponding to /etc/likewise-open and
> /var/lib/likewise-open are actually /etc/likewise and /var/lib/likewise on
> my system.
> 
> My system is RHEL 6.2 and I installed LikewiseOpen by downloading  
> LikewiseOpen-6.1.0.8729-linux-x86_64-rpm.sh, making it executable, and  
> typing:
> ./LikewiseOpen-6.1.0.8729-linux-x86_64-rpm.sh install
> 
> So I think it is installed with all the defaults.
> 
> I would be very happy to help. I would really like for selinux and  
> likewise to coexist comfortably.

Why, that's great!

Here is a list with all file contexts for likewise files:

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modules/services/likewise.fc;h=57491fc406f6d309b258f6be978524a0b916d531;hb=6a8b33a937d800e1f7ec5a148b73abedc1ea4f09

Basically what I would do if I were you is add file context
specifications using "semanage fcontext" or a custom .fc file for all the
entries in there matching files on your system:

example:

/usr/sbin/lsassd			--	gen_context(system_u:object_r:lsassd_exec_t,s0)

would be:

semanage fcontext -a -t lsassd_exec_t -f -- "/opt/likewise/sbin/lsassd"

and:

/var/lib/likewise-open/\.lsassd		-s	gen_context(system_u:object_r:lsassd_var_socket_t,s0)

would be:

semanage fcontext -a -t lsassd_var_socket_t -f -s "/var/lib/likewise-open/\.lsassd"

When all is added you can use matchpathcon to verify whether the type
matches what you've specified. Example:

matchpathcon /opt/likewise/sbin/lsassd

and if that is verified to be correct actually apply the contexts by
running for example:

restorecon -R -v /opt/likewise/sbin/lsassd

Then you should try it out, collect any AVC denials that you are seeing
and enclose those so that we can analyze them and fix bugs where
possible.

If you have any questions or comments do not hesitate to ask.

I am looking forward to your reply. 

> Thanks!
> Maria


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
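The translation step Dominick describes above (upstream likewise.fc entry to a "semanage fcontext" command for the relocated /opt/likewise install), as an added example that is not part of the thread. It assumes the three path renames Maria reported and RHEL 6 semanage's -f taking the .fc mode field (--, -s) as shown in the reply; the sample .fc lines are constructed and the commands are only printed, so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: turn upstream likewise.fc entries
# into the "semanage fcontext" commands Dominick describes, rewriting paths
# for an install relocated to /opt/likewise and /var/lib/likewise as on
# Maria's system. Commands are printed, not executed.

# Constructed sample of likewise.fc lines, modelled on the entries quoted above.
FC_SAMPLE='/usr/sbin/lsassd            --  gen_context(system_u:object_r:lsassd_exec_t,s0)
/usr/sbin/lwsmd             --  gen_context(system_u:object_r:lwsmd_exec_t,s0)
/var/lib/likewise-open/\.lsassd   -s  gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise-open(/.*)?          gen_context(system_u:object_r:likewise_var_lib_t,s0)'

# relocate_path PATH: apply the renames Maria reported (/usr/sbin -> /opt/likewise/sbin,
# *-open -> plain likewise). Paths matching none of them are printed unchanged.
relocate_path() {
    printf '%s\n' "$1" | sed \
        -e 's|^/usr/sbin/|/opt/likewise/sbin/|' \
        -e 's|^/var/lib/likewise-open|/var/lib/likewise|' \
        -e 's|^/etc/likewise-open|/etc/likewise|'
}

# fc_to_semanage: read .fc lines on stdin; print one semanage command per entry.
# An .fc line is: path-regex [file-type flag such as -- or -s] gen_context(...).
# RHEL 6 semanage takes that same flag as the argument of -f, as in the reply.
fc_to_semanage() {
    while read -r path f2 f3; do
        case "$path" in ''|'#'*) continue ;; esac      # skip blanks and comments
        if [ -n "$f3" ]; then ftype="$f2"; ctx="$f3"; else ftype=''; ctx="$f2"; fi
        type=$(printf '%s\n' "$ctx" | sed -n 's/.*object_r:\([a-z0-9_]*\),.*/\1/p')
        [ -n "$type" ] || continue                      # not a gen_context line
        newpath=$(relocate_path "$path")
        if [ -n "$ftype" ]; then
            printf 'semanage fcontext -a -t %s -f %s "%s"\n' "$type" "$ftype" "$newpath"
        else
            printf 'semanage fcontext -a -t %s "%s"\n' "$type" "$newpath"
        fi
    done
}

# Print the commands for the sample; review them, run them, then check with
# matchpathcon and apply with restorecon -R -v as described in the reply.
printf '%s\n' "$FC_SAMPLE" | fc_to_semanage
```

Feed the real likewise.fc from the link above into fc_to_semanage to cover every entry, and drop the lines for files that do not exist on the system (such as srvsvcd).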


