Monday 13 January 2014

a bit of selinux for noobs

So, once again, you've added an initscript that works fine in test to a prod server. It fails. And you get permission denied to write to a directory - but waitaminute, the process starts as root?

The obvious suspect: selinux. Turning it off is the stupid way out and not an option.

[root@gnuff ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1389617233.067:1073936): avc:  denied  { write } for  pid=34988 comm="tcpdump" name="ts" dev=dm-2 ino=1572884 scontext=unconfined_u:system_r:netutils_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

So tcpdump isn't allowed to write to a var_t directory. Fair enough, really. What is it allowed to write to, from a confined user?

sesearch to the rescue! (yum install setools-console)

[root@gnuff ~]# sesearch -T -s netutils_t
Found 3 semantic te rules:
   type_transition netutils_t tmp_t : file netutils_tmp_t;
   type_transition netutils_t tmp_t : dir netutils_tmp_t;
   type_transition netutils_t abrt_helper_exec_t : process abrt_helper_t;

This searches for allowed type transitions from the netutils_t context. Aha!

[root@gnuff ~]# chcon -t netutils_tmp_t /var/cache/ts

And restart ... and voila! No more permission denied.

[root@gnuff ~]# semanage fcontext -a -t netutils_tmp_t /var/cache/ts

makes it permanent. (yum install policycoreutils-python if you have no semanage)

Better do it via puppet, of course. (selinux_fcontext)

PS. The strictly correct option is rather:
 [root@gnuff ~]# sesearch -A -s netutils_t | grep dir | grep write
   allow netutils_t netutils_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
   allow netutils_t dirsrv_var_run_t : sock_file { write getattr append open } ;
   allow netutils_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;

which searches for allow rules. But the type transition rule search gets far fewer hits and is worth a try as a first approximation when doing a sysadmin fix-it-fast search. Few apps transition to a type they can't read/write.

([root@gnuff ~]# sesearch -A -s netutils_t | wc -l
365
)

No comments: