* RHEL5 initrc_t vs. unconfined_t
@ 2008-05-13 20:45 Jan-Frode Myklebust
  2008-05-14 13:39 ` Daniel J Walsh
From: Jan-Frode Myklebust @ 2008-05-13 20:45 UTC (permalink / raw)
  To: selinux

I'm running IBM's GPFS filesystem on RHEL5, and am having some
problems with selinux blocking some ifconfigs the GPFS daemons want
to launch. GPFS works fine if launched manually, but not when started
from the initscripts. So, is there any way to say that this initscript
should run unconfined, instead of as initrc_t where things might
transition to other domains?


  -jf

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: RHEL5 initrc_t vs. unconfined_t
  2008-05-13 20:45 RHEL5 initrc_t vs. unconfined_t Jan-Frode Myklebust
@ 2008-05-14 13:39 ` Daniel J Walsh
  2008-05-14 14:42   ` Jan-Frode Myklebust
From: Daniel J Walsh @ 2008-05-14 13:39 UTC (permalink / raw)
  To: Jan-Frode Myklebust, SE Linux

Jan-Frode Myklebust wrote:
| I'm running IBM's GPFS filesystem on RHEL5, and am having some
| problems with selinux blocking some ifconfig's the GPFS daemons wants
| to launch. GPFS works fine if launched manually, but not when started
| from the initscripts. So, is there any way to say that this initscript
| should run unconfined, instead of as initrc_t where things might
| transition to other domains ?
|
The problem is exactly the opposite of what you are asking.
unconfined_t transitions to very few domains currently while initrc_t
transitions to many.  unconfined_t is a logged in user domain.  So I
would not run init scripts as unconfined_t.

The better answer is to fix the avc's that you are seeing when trying to
run ifconfig from initrc.  What avc's are you seeing?
Dan
|
|   -jf
|




* Re: RHEL5 initrc_t vs. unconfined_t
  2008-05-14 13:39 ` Daniel J Walsh
@ 2008-05-14 14:42   ` Jan-Frode Myklebust
  2008-05-14 14:58     ` Daniel J Walsh
From: Jan-Frode Myklebust @ 2008-05-14 14:42 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Wed, May 14, 2008 at 09:39:52AM -0400, Daniel J Walsh wrote:
> The problem is exactly the opposite of what you are asking.
> unconfined_t transitions to very few domains currently while initrc_t
> transitions to many.  unconfined_t is a logged in user domain.  So I
> would not run init scripts as unconfined_t.

Please, please, pretty please, may I be allowed to run a critical filesystem
and high availability solution unconfined until the vendors of these implement
and certify them for selinux? ;-)

> The better answer is to fix the avc's that you are seeing when trying to
> run ifconfig from initrc.  What avc's are you seeing?

I haven't tried running in permissive, so there will likely be more than
these, but that's what I've got right now:

type=AVC msg=audit(1210760976.747:24): avc:  denied  { read write } for pid=4739 comm="ifconfig" path="socket:[17163]" dev=sockfs ino=17163 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1210758692.381:10): avc:  denied  { read } for pid=4137 comm="mount" path="eventpoll:[17363]" dev=eventpollfs ino=17363 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=file
type=AVC msg=audit(1210758684.281:6): avc:  denied  { append } for pid=3763 comm="umount" path="/var/adm/ras/mmfs.log.2008.05.14.11.51.24.lagring2" dev=dm-2 ino=720912 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1210758692.378:9): avc:  denied  { relabelfrom } for pid=4136 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=AVC msg=audit(1210758692.381:10): avc:  denied  { read } for  pid=4137 comm="mount" path="eventpoll:[17360]" dev=eventpollfs ino=17360 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=file



  -jf



* Re: RHEL5 initrc_t vs. unconfined_t
  2008-05-14 14:42   ` Jan-Frode Myklebust
@ 2008-05-14 14:58     ` Daniel J Walsh
  2008-05-14 19:46       ` Jan-Frode Myklebust
From: Daniel J Walsh @ 2008-05-14 14:58 UTC (permalink / raw)
  To: Jan-Frode Myklebust; +Cc: SE Linux

Jan-Frode Myklebust wrote:
| On Wed, May 14, 2008 at 09:39:52AM -0400, Daniel J Walsh wrote:
|> The problem is exactly the opposite of what you are asking.
|> unconfined_t transitions to very few domains currently while initrc_t
|> transitions to many.  unconfined_t is a logged in user domain.  So I
|> would not run init scripts as unconfined_t.
|
| Please, please, pretty please, may I be allowed to run a critical
filesystem
| and high availability solution unconfined until the vendors of these
implement
| and certify them for selinux? ;-)
|
|> The better answer is to fix the avc's that you are seeing when trying to
|> run ifconfig from initrc.  What avc's are you seeing?
|
| I haven't tried running in permissive, so there will likely be more than
| these, but that's what I've got right now:
|
| type=AVC msg=audit(1210760976.747:24): avc:  denied  { read write }
for pid=4739 comm="ifconfig" path="socket:[17163]" dev=sockfs ino=17163
scontext=user_u:system_r:ifconfig_t:s0
tcontext=user_u:system_r:initrc_t:s0 tclass=unix_stream_socket
| type=AVC msg=audit(1210758692.381:10): avc:  denied  { read } for
pid=4137 comm="mount" path="eventpoll:[17363]" dev=eventpollfs ino=17363
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=file
| type=AVC msg=audit(1210758684.281:6): avc:  denied  { append } for
pid=3763 comm="umount"
path="/var/adm/ras/mmfs.log.2008.05.14.11.51.24.lagring2" dev=dm-2
ino=720912 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=file
| type=AVC msg=audit(1210758692.378:9): avc:  denied  { relabelfrom }
for pid=4136 comm="mount" scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
| type=AVC msg=audit(1210758692.381:10): avc:  denied  { read } for
pid=4137 comm="mount" path="eventpoll:[17360]" dev=eventpollfs ino=17360
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=file
|
|
|
|   -jf
You are running unconfined, but your application is execing confined
applications: ifconfig and mount.

Looking at the above AVC messages, most seem to be leaked file
descriptors from your application and can be ignored.


The one to be concerned about is mounting of the unlabeled_t file
system.  This looks like you have a file system that SELinux does not
know about?



* Re: RHEL5 initrc_t vs. unconfined_t
  2008-05-14 14:58     ` Daniel J Walsh
@ 2008-05-14 19:46       ` Jan-Frode Myklebust
  2008-05-14 22:14         ` Daniel J Walsh
From: Jan-Frode Myklebust @ 2008-05-14 19:46 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Wed, May 14, 2008 at 4:58 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
> The one to be concerned about is mounting of the unlabeled_t file
> system.  This looks like you have a file system that SELinux does not
> know about?


Yes, GPFS doesn't support the selinux extended attributes, so the
filesystems have to be mounted with e.g.
"-o fscontext=user_u:object_r:httpd_var_run_t" for static labelling.


  -jf



* Re: RHEL5 initrc_t vs. unconfined_t
  2008-05-14 19:46       ` Jan-Frode Myklebust
@ 2008-05-14 22:14         ` Daniel J Walsh
  2008-05-14 22:31           ` Jan-Frode Myklebust
From: Daniel J Walsh @ 2008-05-14 22:14 UTC (permalink / raw)
  To: Jan-Frode Myklebust; +Cc: SE Linux

Jan-Frode Myklebust wrote:
| On Wed, May 14, 2008 at 4:58 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
|> The one to be concerned about is mounting of the unlabeled_t file
|> system.  This looks like you have a file system that SELinux does not
|> know about?
|
|
| Yes, GPFS doesn't support the selinux extended attributes, so the
| filesystems has to be mounted with f.ex. "-o
| "fscontext=user_u:object_r:httpd_var_run_t" for static labelling.
|
|
|   -jf
The other ones are just leaked file descriptors and can be ignored.

The third party provider should close the file descriptors on exec.

C code to do this is:

fcntl(fd, F_SETFD, FD_CLOEXEC)


Or you can add a custom policy module to either dontaudit or allow this.

ausearch -m avc | audit2allow -M mypol
semodule -i mypol.pp

will create and install a policy package.



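Dan's fcntl one-liner above, worked into a complete program as an added example (this is not code from the thread, from IBM, or from the SELinux policy). It creates a unix stream socket pair standing in for the socket:[17163] in the ifconfig AVC, execs /bin/sh to report whether the descriptor number is still open in the new program image, then marks both ends FD_CLOEXEC and repeats the probe. The function names and the /dev/fd probe are this example's own choices.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec, keeping any flags already set.
 * Returns 0 on success, -1 (errno set) on failure. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* 1 if fd carries FD_CLOEXEC, 0 if not, -1 if fd is invalid. */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Fork and exec /bin/sh in the child, and have the new program image
 * report whether descriptor number fd is still open there.  The probe
 * looks at /dev/fd/N, which is exactly what an exec'd ifconfig or mount
 * would inherit.  Returns 1 if the fd leaked across exec, 0 if it was
 * closed, -1 if the probe itself could not run. */
int fd_survives_exec(int fd) {
    char cmd[64];
    int status;
    pid_t pid;

    snprintf(cmd, sizeof cmd, "[ -e /dev/fd/%d ]", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);             /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Stand-alone demo: a unix stream socket pair (constructed here) stands
 * in for the daemon's socket that leaked into ifconfig_t in the AVC. */
int main(void) {
    int sv[2];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
        perror("socketpair");
        return 1;
    }
    printf("before FD_CLOEXEC: fd %d %s exec\n", sv[0],
           fd_survives_exec(sv[0]) == 1 ? "leaks across" : "is closed on");
    if (set_cloexec(sv[0]) == -1 || set_cloexec(sv[1]) == -1) {
        perror("fcntl");
        return 1;
    }
    printf("after  FD_CLOEXEC: fd %d %s exec\n", sv[0],
           fd_survives_exec(sv[0]) == 1 ? "leaks across" : "is closed on");
    return 0;
}
```

The AVC in the thread is the kernel checking, at exec time, whether the new domain (ifconfig_t) may keep using a socket that belongs to the caller's domain (initrc_t); the denial closes the descriptor rather than failing the exec, which is why Dan calls these ignorable. fcntl(F_SETFD) is the fix that works on every kernel; later kernels also accept SOCK_CLOEXEC and O_CLOEXEC at creation time, which removes the window between creating the descriptor and flagging it. When the daemon is a vendor binary you cannot rebuild, a dontaudit rule from audit2allow is the remaining way to silence the noise without granting the access.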

* Re: RHEL5 initrc_t vs. unconfined_t
  2008-05-14 22:14         ` Daniel J Walsh
@ 2008-05-14 22:31           ` Jan-Frode Myklebust
  2008-05-14 22:41             ` Daniel J Walsh
From: Jan-Frode Myklebust @ 2008-05-14 22:31 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Wed, May 14, 2008 at 06:14:12PM -0400, Daniel J Walsh wrote:
> |
> | Yes, GPFS doesn't support the selinux extended attributes, so the
> | filesystems has to be mounted with f.ex. "-o
> | "fscontext=user_u:object_r:httpd_var_run_t" for static labelling.
> |

> The other ones are just leaked file descriptors and can be ignored.

So what about the mount/umount and everything else GPFS might want to
do in the lifetime of the system. I have no way of guessing all things
it might want to do that could possibly be denied in a transitioning
domain. Is my only option to manually start the fs from an interactive
shell to get it running as unconfined ?


  -jf



* Re: RHEL5 initrc_t vs. unconfined_t
  2008-05-14 22:31           ` Jan-Frode Myklebust
@ 2008-05-14 22:41             ` Daniel J Walsh
From: Daniel J Walsh @ 2008-05-14 22:41 UTC (permalink / raw)
  To: Jan-Frode Myklebust; +Cc: SE Linux

Jan-Frode Myklebust wrote:
| On Wed, May 14, 2008 at 06:14:12PM -0400, Daniel J Walsh wrote:
|> |
|> | Yes, GPFS doesn't support the selinux extended attributes, so the
|> | filesystems has to be mounted with f.ex. "-o
|> | "fscontext=user_u:object_r:httpd_var_run_t" for static labelling.
|> |
|
|> The other ones are just leaked file descriptors and can be ignored.
|
| So what about the mount/umount and everything else GPFS might want to
| do in the lifetime of the system. I have no way of guessing all things
| it might want to do that could possibly be denied in a transitioning
| domain. Is my only option to manually start the fs from an interactive
| shell to get it running as unconfined ?
|
|
|   -jf
You might be able to use the runcon command, or write a simple policy
module for it.

Something like

...

# cat myapp.te
policy_module(myapp, 1.0)

type myapp_t;
type myapp_exec_t;
# executing a myapp_exec_t file from initrc_t transitions into myapp_t
init_daemon_domain(myapp_t, myapp_exec_t)

# the new domain gets the same unrestricted access as unconfined_t
unconfined_domain(myapp_t)

# cat myapp.fc

/usr/bin/myapp  gen_context(system_u:object_r:myapp_exec_t,s0)



# make -f /usr/share/selinux/devel/Makefile
# semodule -i myapp.pp
# restorecon -v /usr/bin/myapp






