runcon Invalid argument
On 04/13/2012 10:39 AM, Moray Henderson (ICT) wrote:
> I'm trying to debug an httpd-nfs-selinux issue, and it would be _really_
> useful to be able to execute commands in context httpd_t while trying out
> combinations of the nfs_export_all_rw Boolean and public_content_rw_t
> type.
>
> If I can do
>
> [root@kojihub ~]# runcon unconfined_u:unconfined_r:unconfined_t:s0 bash
> [root@kojihub ~]# exit
>
> why can't I do
>
> [root@kojihub ~]# runcon unconfined_u:unconfined_r:httpd_t:s0 bash
> runcon: invalid context: unconfined_u:unconfined_r:httpd_t:s0: Invalid argument
>

Because httpd_t is not allowed to run as the unconfined_r and bash is not an
entrypoint for the httpd_t domain. You can write policy for this, but
basically SELinux expects the transitions to work like

unconfined_t @ initrc_exec_t -> initrc_t @ httpd_exec_t -> httpd_t

You can do

runcon -t initrc_t -r system_r id -Z
staff_u:system_r:initrc_t:s0-s0:c0.c1023

But sadly

runcon -t initrc_t -r system_r runcon -t httpd_t id -Z
runcon: invalid context: staff_u:system_r:httpd_t:s0-s0:c0.c1023: Permission denied

still fails because you are missing these rules

#============= httpd_t ==============
allow httpd_t bin_t:file entrypoint;

#============= initrc_t ==============
allow initrc_t self:process setexec;

You can do the following

# cat /usr/bin/httpd.sh
#!/bin/sh
id -Z

# chmod +x /usr/bin/httpd.sh
# chcon -t httpd_exec_t /usr/bin/httpd.sh
# runcon -t initrc_t -r system_r sh -c /usr/bin/httpd.sh
staff_u:system_r:httpd_t:s0-s0:c0.c1023

> The actual issue is that I've set up a new koji hub with /mnt/koji on an
> nfs mount; with SELinux in permissive mode I get
>
> AVC Report
> ========================================================
> #  date       time     comm  subj  syscall  class  permission  obj  event
> ========================================================
> 1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr system_u:object_r:nfs_t:s0 denied 494
> 2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir search system_u:object_r:nfs_t:s0 denied 493
> 3. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir write system_u:object_r:nfs_t:s0 denied 495
> 4. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir add_name system_u:object_r:nfs_t:s0 denied 495
> 5. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir create unconfined_u:object_r:nfs_t:s0 denied 495
> 6. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file create unconfined_u:object_r:nfs_t:s0 denied 496
> 7. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file open system_u:object_r:nfs_t:s0 denied 496
>
> Moray. "To err is human; to purr, feline."
>
> OM International Limited - Unit B Clifford Court, Cooper Way - Carlisle CA3 0JG - United Kingdom
> Charity reg no: 1112655 - Company reg no: 5649412 (England and Wales)

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
runcon Invalid argument
On 04/13/2012 05:33 PM, Daniel J Walsh wrote:
> On 04/13/2012 10:39 AM, Moray Henderson (ICT) wrote:
> > I'm trying to debug an httpd-nfs-selinux issue, and it would be _really_
> > useful to be able to execute commands in context httpd_t while trying out
> > combinations of the nfs_export_all_rw Boolean and public_content_rw_t
> > type.
> >
> > If I can do
> >
> > [root@kojihub ~]# runcon unconfined_u:unconfined_r:unconfined_t:s0 bash
> > [root@kojihub ~]# exit
> >
> > why can't I do
> >
> > [root@kojihub ~]# runcon unconfined_u:unconfined_r:httpd_t:s0 bash
> > runcon: invalid context: unconfined_u:unconfined_r:httpd_t:s0: Invalid argument
>
> Because httpd_t is not allowed to run as the unconfined_r and bash is not an
> entrypoint for the httpd_t domain. You can write policy for this, but
> basically SELinux expects the transitions to work like
>
> unconfined_t @ initrc_exec_t -> initrc_t @ httpd_exec_t -> httpd_t
>
> You can do
>
> runcon -t initrc_t -r system_r id -Z
> staff_u:system_r:initrc_t:s0-s0:c0.c1023
>
> But sadly
>
> runcon -t initrc_t -r system_r runcon -t httpd_t id -Z
> runcon: invalid context: staff_u:system_r:httpd_t:s0-s0:c0.c1023: Permission denied
>
> still fails because you are missing these rules
>
> #============= httpd_t ==============
> allow httpd_t bin_t:file entrypoint;
>
> #============= initrc_t ==============
> allow initrc_t self:process setexec;

You won't see this one if you don't disable the unconfined module. So just try
to execute the following:

> You can do the following
>
> # cat /usr/bin/httpd.sh
> #!/bin/sh
> id -Z
>
> # chmod +x /usr/bin/httpd.sh
> # chcon -t httpd_exec_t /usr/bin/httpd.sh
> # runcon -t initrc_t -r system_r sh -c /usr/bin/httpd.sh
> staff_u:system_r:httpd_t:s0-s0:c0.c1023
>
> > The actual issue is that I've set up a new koji hub with /mnt/koji on an
> > nfs mount; with SELinux in permissive mode I get
> >
> > AVC Report
> > ========================================================
> > #  date       time     comm  subj  syscall  class  permission  obj  event
> > ========================================================
> > 1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr system_u:object_r:nfs_t:s0 denied 494
> > 2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir search system_u:object_r:nfs_t:s0 denied 493
> > 3. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir write system_u:object_r:nfs_t:s0 denied 495
> > 4. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir add_name system_u:object_r:nfs_t:s0 denied 495
> > 5. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir create unconfined_u:object_r:nfs_t:s0 denied 495
> > 6. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file create unconfined_u:object_r:nfs_t:s0 denied 496
> > 7. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file open system_u:object_r:nfs_t:s0 denied 496
> >
> > Moray. "To err is human; to purr, feline."
runcon Invalid argument
(sorry - my reply didn't get copied to the list)
> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
> Sent: 13 April 2012 17:52
>
> > I can do this:
> >
> >   [root@kojihub ~]# setenforce 0
> >   [root@kojihub ~]# runcon unconfined_u:system_r:httpd_t:s0 bash
> >   [root@kojihub ~]# setenforce 1
> >   [root@kojihub ~]# id
> >   uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:system_r:httpd_t:s0

(those lines should not have joined - 2 spaces at the beginning of each line
are supposed to prevent an email client "helpfully" removing line breaks)

> > However, I think I have a problem. My nfs server has to have SELinux
> > disabled for other reasons, so I can't set nfs_export_all_rw there. It has
> > to be on the nfs server, doesn't it? Even if I set everything in the tree
> > I'm exporting to public_content_rw_t on the server and unmount and remount
> > the client filesystem everything still comes out as nfs_t. Is that because
> > it's not getting the proper information from the nfs server?
> >
> > Other than leaving my Koji server in permissive mode or using
> > httpd_disable_trans=1 (if that works on CentOS 6), is there a way to make
> > this work? If not, I'll have to rearrange some disk space.
> >
> > Moray. “To err is human; to purr, feline.”
>
> The remote client does not have to have SELinux enabled or not. Let's step
> back to the beginning, what problem are you trying to solve?
>
> SELinux is enforced at the client side, so it treats all files as nfs_t. If
> you are trying to share content on an NFS Server using apache, you have to
> turn on a couple of booleans depending on the OS you are running SELinux on.

My apache server is on the nfs client machine. That machine does not have
enough disk space, so I was hoping to have it write to a filesystem mounted
from another machine. The machine that I was trying to use as the nfs server
has lots of disk space, but has to have SELinux disabled.

Moray. “To err is human; to purr, feline.”
runcon Invalid argument
On 04/16/2012 05:37 AM, Moray Henderson wrote:
> (sorry - my reply didn't get copied to the list)
>
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
>> Sent: 13 April 2012 17:52
>>>
>>> I can do this:
>>>
>>>   [root@kojihub ~]# setenforce 0
>>>   [root@kojihub ~]# runcon unconfined_u:system_r:httpd_t:s0 bash
>>>   [root@kojihub ~]# setenforce 1
>>>   [root@kojihub ~]# id
>>>   uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:system_r:httpd_t:s0
>
> (those lines should not have joined - 2 spaces at the beginning of each
> line are supposed to prevent an email client "helpfully" removing line
> breaks)
>
>>> However, I think I have a problem. My nfs server has to have SELinux
>>> disabled for other reasons, so I can't set nfs_export_all_rw there. It has
>>> to be on the nfs server, doesn't it? Even if I set everything in the tree
>>> I'm exporting to public_content_rw_t on the server and unmount and remount
>>> the client filesystem everything still comes out as nfs_t. Is that because
>>> it's not getting the proper information from the nfs server?
>>>
>>> Other than leaving my Koji server in permissive mode or using
>>> httpd_disable_trans=1 (if that works on CentOS 6), is there a way to make
>>> this work? If not, I'll have to rearrange some disk space.
>>>
>>> Moray. “To err is human; to purr, feline.”
>>
>> The remote client does not have to have SELinux enabled or not. Let's step
>> back to the beginning, what problem are you trying to solve?
>>
>> SELinux is enforced at the client side, so it treats all files as nfs_t.
>> If you are trying to share content on an NFS Server using apache, you
>> have to turn on a couple of booleans depending on the OS you are running
>> SELinux on.
>
> My apache server is on the nfs client machine. That machine does not have
> enough disk space, so I was hoping to have it write to a filesystem mounted
> from another machine. The machine that I was trying to use as the nfs
> server has lots of disk space, but has to have SELinux disabled.
>
> Moray. “To err is human; to purr, feline.”

You do not need runcon. You need to mount the nfs share with a context mount.
Something like

mount -t nfs -o context="system_u:object_r:httpd_sys_content_rw_t:s0" remotenfs:/MOUNTPOINT /LOCALMOUNTPOINT

Or you can turn on the httpd_use_nfs boolean

setsebool -P httpd_use_nfs 1

If that boolean does not exist you could turn on

setsebool -P use_nfs_home_dirs=1 httpd_enable_homedirs=1
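As an added example, not part of the thread or written by any of its participants: a small POSIX shell check that tells, from /proc/mounts-style lines and the state of the httpd_use_nfs boolean, which of the two remedies above (context mount or boolean) covers a given NFS mount, or whether nfs_t denials like the ones in Moray's AVC report are to be expected. The mount table and boolean state are constructed here so it runs offline; on a real host you would feed it /proc/mounts and getsebool output.

```shell
#!/bin/sh
# Added example, not from the thread: given /proc/mounts-style lines and the
# state of the httpd_use_nfs boolean, report which remedy (context mount or
# boolean) lets httpd_t reach an NFS mount. The mount table is constructed;
# on a real host use MOUNTS=$(cat /proc/mounts) and getsebool httpd_use_nfs.

# Constructed sample: /mnt/koji is a plain NFS mount (files appear as nfs_t),
# /var/www/nfs was mounted with -o context=... as suggested above. The kernel
# shows the context option wrapped in double quotes, so the parser strips them.
MOUNTS='remotenfs:/koji /mnt/koji nfs rw,vers=3,addr=192.0.2.10 0 0
remotenfs:/www /var/www/nfs nfs rw,context="system_u:object_r:httpd_sys_content_rw_t:s0" 0 0'

# Print the context= value of the mount at mountpoint $1 (empty if none).
mount_context() {
    printf '%s\n' "$MOUNTS" | awk -v mp="$1" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^context=/) {
                    sub(/^context=/, "", opts[i]); gsub(/"/, "", opts[i])
                    print opts[i]
                }
        }'
}

# Print the type field (user:role:TYPE:level) of an SELinux context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Verdict for mountpoint $1 with httpd_use_nfs state $2 ("on" or "off"):
#   context - the mount is labelled with an httpd content type, no boolean needed
#   boolean - files stay nfs_t, but httpd_use_nfs grants httpd_t access to them
#   denied  - expect AVC denials on nfs_t like the getattr/search/write ones above
# httpd_sys_content_rw_t is the name used in the thread; newer policies spell
# the same type httpd_sys_rw_content_t, so both are accepted.
httpd_nfs_access() {
    case "$(context_type "$(mount_context "$1")")" in
        httpd_sys_content_rw_t|httpd_sys_rw_content_t) echo context ;;
        *) if [ "$2" = on ]; then echo boolean; else echo denied; fi ;;
    esac
}

# Stand-alone run over the constructed table with the boolean left off.
for mp in /mnt/koji /var/www/nfs; do
    echo "$mp (httpd_use_nfs off): $(httpd_nfs_access "$mp" off)"
done
```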
runcon Invalid argument
> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
> Sent: 16 April 2012 16:26
>
> On 04/16/2012 05:37 AM, Moray Henderson wrote:
> > (sorry - my reply didn't get copied to the list)
> >
> >> -----Original Message-----
> >> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
> >> Sent: 13 April 2012 17:52
> >>>
> >>> I can do this:
> >>>
> >>>   [root@kojihub ~]# setenforce 0
> >>>   [root@kojihub ~]# runcon unconfined_u:system_r:httpd_t:s0 bash
> >>>   [root@kojihub ~]# setenforce 1
> >>>   [root@kojihub ~]# id
> >>>   uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:system_r:httpd_t:s0
> >
> > (those lines should not have joined - 2 spaces at the beginning of each
> > line are supposed to prevent an email client "helpfully" removing line
> > breaks)
> >
> >>> However, I think I have a problem. My nfs server has to have SELinux
> >>> disabled for other reasons, so I can't set nfs_export_all_rw there. It has
> >>> to be on the nfs server, doesn't it? Even if I set everything in the tree
> >>> I'm exporting to public_content_rw_t on the server and unmount and remount
> >>> the client filesystem everything still comes out as nfs_t. Is that because
> >>> it's not getting the proper information from the nfs server?
> >>>
> >>> Other than leaving my Koji server in permissive mode or using
> >>> httpd_disable_trans=1 (if that works on CentOS 6), is there a way to make
> >>> this work? If not, I'll have to rearrange some disk space.
> >>>
> >>> Moray. “To err is human; to purr, feline.”
> >>
> >> The remote client does not have to have SELinux enabled or not. Let's step
> >> back to the beginning, what problem are you trying to solve?
> >>
> >> SELinux is enforced at the client side, so it treats all files as nfs_t.
> >> If you are trying to share content on an NFS Server using apache, you
> >> have to turn on a couple of booleans depending on the OS you are running
> >> SELinux on.
> >
> > My apache server is on the nfs client machine. That machine does not have
> > enough disk space, so I was hoping to have it write to a filesystem mounted
> > from another machine. The machine that I was trying to use as the nfs
> > server has lots of disk space, but has to have SELinux disabled.
> >
> > Moray. “To err is human; to purr, feline.”
>
> You do not need runcon. You need to mount the nfs share with a context mount.
> Something like
>
> mount -t nfs -o context="system_u:object_r:httpd_sys_content_rw_t:s0" remotenfs:/MOUNTPOINT /LOCALMOUNTPOINT
>
> Or you can turn on the httpd_use_nfs boolean
>
> setsebool -P httpd_use_nfs 1
>
> If that boolean does not exist you could turn on
>
> setsebool -P use_nfs_home_dirs=1 httpd_enable_homedirs=1

Ah, THAT's how it's done! Thank you. (I was relying on CentOS 5 man pages,
which don't mention httpd_use_nfs.)

Moray. “To err is human; to purr, feline.”