Ali’s Notes

Notes on SELinux

Posted in Linux by aghoras on August 16, 2011

For an explanation of SELinux log files, see: here

Say you find an AVC denial like this in /var/log/audit/audit.log:

type=AVC msg=audit(1313516426.864:1706): avc: denied { search } for pid=29034 comm="httpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=dir

followed by a SYSCALL record:

type=SYSCALL msg=audit(1313515666.226:1676): arch=c000003e syscall=4 success=no exit=-13 a0=7fe2ebad17f0 a1=7fff0ca3b680 a2=7fff0ca3b680 a3=0 items=0 ppid=29030 pid=29033 auid=4294967295 uid=48 gid=487 euid=48 suid=48 fsuid=48 egid=487 sgid=487 fsgid=487 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

scontext is the source (subject) context, the httpd process that attempted the access; tcontext is the target context, here the directory name="/" (dev=dm-2, ino=2) labelled etc_runtime_t; tclass=dir is the object class and { search } is the permission that was refused. The SYSCALL record tells you which binary made the call (exe="/usr/sbin/httpd", running as uid 48) and how the failure surfaced to the program: exit=-13 is -EACCES, so httpd just saw "Permission denied" (syscall=4 with arch=c000003e, i.e. x86_64, is stat). An AVC record and the SYSCALL record for the same event carry the same msg=audit(timestamp:serial) value; the two lines above have different serials (1706 and 1676) and different pids, so they are two separate denials of the same kind rather than one paired event. When you pair records yourself, match on that id, not on adjacency in the log.

Now look at a context such as system_u:system_r:httpd_t:s0. Its format is user:role:type:level. The fourth field is the MLS/MCS level; under the targeted policy it is almost always plain s0 and can be ignored (some tools omit it). What matters in the targeted policy is the type field, because Type Enforcement rules are written against types. The error above says the domain httpd_t is not allowed search on a directory of type etc_runtime_t. At first sight it is odd that the denied directory is "/", since httpd should only be touching /www, but the record also says dev=dm-2 ino=2: inode 2 is the root directory of an ext filesystem, so this is the root of whatever filesystem lives on dm-2, most likely a separate filesystem mounted at /www. Check the label on /www with ls -lZd /www. We get

drwxr-xr-x. apache apache system_u:object_r:etc_runtime_t:s0 /www

So /www carries the type etc_runtime_t, which is meant for files under /etc that are written at run time (such as /etc/mtab), not for web content, and httpd_t has no rule allowing it to search such a directory. The type on /www and everything below it needs to change. The question is what to change it to. The obvious guess, httpd_t, will not work: that is a domain (process) type, not a file type, and the policy has no rules granting httpd_t access to files labelled httpd_t.

To see which types httpd_t is allowed to access, run (sesearch comes with setools):

sesearch -A -s httpd_t

-A asks sesearch for allow rules and -s restricts them to rules whose source (subject) type is httpd_t. The output is long, so narrow it further with -t for a target type, -c for an object class (-c dir) or -p for a permission (-p search). Used the other way round, -t on its own lists which domains may act on a given file type. Among the rules for httpd_t you will find:

allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ;

So we change the context of /www with the command:

chcon -R -t "httpd_sys_content_t" /www

That fixes the running system, but it is not the whole job. chcon writes the new label straight into each inode's security extended attribute, so it does survive reboots, but the file-context database (under /etc/selinux/targeted/contexts/files/) still says nothing about /www. The next relabel, whether a restorecon run by an admin or a package script or a full relabel after touch /.autorelabel, will reset everything under /www to the policy default, etc_runtime_t or whatever the parent path maps to. Record the mapping in the file-context database with semanage fcontext (semanage is in policycoreutils-python on RHEL 6, policycoreutils-python-utils on newer releases):

semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?'

The regular expression covers /www itself and everything below it. Then apply the registered context with restorecon -Rv /www, which reads the database and relabels each file to its recorded type; once the rule is in place, restorecon alone does the job and the earlier chcon is no longer needed. Confirm with matchpathcon /www, which should now answer httpd_sys_content_t, and with ls -lZd /www, which should agree. One caveat: httpd_sys_content_t is read-only content. If httpd has to write somewhere under /www (uploads, caches), give just that subtree httpd_sys_rw_content_t rather than loosening the policy with a custom module.
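Putting the reading of the records and the rule lookup together, here is an added example (mine, not the original post's) in Python that parses AVC and SYSCALL records, pairs them by their audit(timestamp:serial) id, splits the contexts, decodes the exit code, and then searches sesearch output for a file type that would grant the denied permission, printing the semanage/restorecon commands (it does not run them). The AVC line and the three allow rules are the ones quoted above; the SYSCALL record with serial 1706 is constructed to match the AVC, and the post's original SYSCALL line (serial 1676, pid 29033) is kept as a stray record to show that unmatched ids are left alone.

```python
# Added example, not code from the post. The AVC and sesearch lines are the
# ones quoted in the post; the SYSCALL line with serial 1706 is an invented
# match for the AVC, and the post's own SYSCALL line (serial 1676) is a stray.
import errno
import re
from collections import defaultdict

AUDIT_ARCH_X86_64 = 0xC000003E  # kernel's arch= value for 64-bit x86 records

AUDIT_LOG = """\
type=AVC msg=audit(1313516426.864:1706): avc: denied { search } for pid=29034 comm="httpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=dir
type=SYSCALL msg=audit(1313516426.864:1706): arch=c000003e syscall=4 success=no exit=-13 a0=7fe2ebad17f0 a1=7fff0ca3b680 a2=7fff0ca3b680 a3=0 items=0 ppid=29030 pid=29034 auid=4294967295 uid=48 gid=487 euid=48 suid=48 fsuid=48 egid=487 sgid=487 fsgid=487 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SYSCALL msg=audit(1313515666.226:1676): arch=c000003e syscall=4 success=no exit=-13 a0=7fe2ebad17f0 a1=7fff0ca3b680 a2=7fff0ca3b680 a3=0 items=0 ppid=29030 pid=29033 auid=4294967295 uid=48 gid=487 euid=48 suid=48 fsuid=48 egid=487 sgid=487 fsgid=487 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

SESEARCH_OUT = """\
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ;
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
DENIED_RE = re.compile(r"avc: +denied +\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(r"^allow (?P<src>\S+) (?P<tgt>\S+) : (?P<cls>\S+) \{ (?P<perms>[^}]*)\} ;$")


def parse_record(line):
    """One audit line -> dict of its fields; None for non-audit or non-denial AVC lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": m["ts"], "serial": int(m["serial"])}
    body = m["body"]
    if rec["type"] == "AVC":
        d = DENIED_RE.search(body)
        if not d:
            return None
        rec["perms"] = d["perms"].split()  # the braces may hold several permissions
        body = d["fields"]
    for key, val in KV_RE.findall(body):
        rec[key] = val.strip('"')
    return rec


def group_events(text):
    """Group records by audit(timestamp:serial); a denial and its SYSCALL share that id."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[(rec["ts"], rec["serial"])][rec["type"]] = rec
    return dict(events)


def split_context(ctx):
    """user:role:type[:level] -> dict; the MLS/MCS level may be absent."""
    parts = ctx.split(":", 3)
    fields = dict(zip(("user", "role", "type"), parts))
    fields["level"] = parts[3] if len(parts) > 3 else None
    return fields


def describe_syscall(rec):
    """Who made the call and how the denial surfaced to it (exit=-13 -> EACCES)."""
    name = errno.errorcode.get(-int(rec["exit"]), rec["exit"])
    arch = "x86_64" if int(rec["arch"], 16) == AUDIT_ARCH_X86_64 else rec["arch"]
    return f'{rec["exe"]} (pid {rec["pid"]}, uid {rec["uid"]}) syscall {rec["syscall"]} on {arch} failed with {name}'


def parse_allow_rules(text):
    """sesearch -A output -> list of (source, target, class, permission set)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m["src"], m["tgt"], m["cls"], set(m["perms"].split())))
    return rules


def types_allowing(rules, source, tclass, perm):
    """Target types granting perm on tclass to source: candidates for relabelling."""
    return sorted({t for s, t, c, p in rules if s == source and c == tclass and perm in p})


def relabel_plan(path, new_type):
    """Commands that make the relabel persistent, then apply it (returned, not run)."""
    return [f"semanage fcontext -a -t {new_type} '{path}(/.*)?'", f"restorecon -Rv {path}"]


def diagnose(audit_text, rule_text, path):
    """Explain each denial and say which file type the target should carry."""
    rules = parse_allow_rules(rule_text)
    out = []
    for (_ts, serial), ev in sorted(group_events(audit_text).items()):
        avc = ev.get("AVC")
        if avc is None:
            continue  # a SYSCALL whose id has no AVC: nothing to diagnose
        src = split_context(avc["scontext"])["type"]
        tgt = split_context(avc["tcontext"])["type"]
        out.append(f"{serial}: {src} denied {' '.join(avc['perms'])} on {avc['tclass']} labelled {tgt}")
        if "SYSCALL" in ev:
            out.append("  " + describe_syscall(ev["SYSCALL"]))
        for perm in avc["perms"]:
            cands = types_allowing(rules, src, avc["tclass"], perm)
            out.append(f"  types granting {perm}: {', '.join(cands) or 'none in rule set'}")
            if cands:
                out.extend("  " + c for c in relabel_plan(path, cands[0]))
    return out


if __name__ == "__main__":
    print("\n".join(diagnose(AUDIT_LOG, SESEARCH_OUT, "/www")))
```

Feed it real input with the AVC records from ausearch -m AVC and the rules from sesearch -A -s httpd_t -c dir (or whatever the denied class was); when several types grant the permission, the first one in sorted order is only a suggestion and you still have to pick the one whose meaning fits the directory.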
