Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
-   -   Daemon started from init script runs as unconfined_u (http://www.linux-archive.org/fedora-selinux-support/696796-daemon-started-init-script-runs-unconfined_u.html)

Michael Hampton 08-22-2012 07:36 PM

Daemon started from init script runs as unconfined_u
 
I am trying to write a SELinux policy for a daemon which will be started from an init script on CentOS 6. I seem to be most of the way there, except when running its init script (with "service bitcoin start"), the daemon starts and runs as unconfined_u:

ps -eZ | grep bitcoin
unconfined_u:system_r:bitcoin_t:s0 19993 ? 00:00:00 bitcoind

I generated the policy using selinux-polgengui which was included with CentOS 6 selecting "Standard Init Daemon".

The init script seems to be correctly labeled:

root@buildbox-el6 ~ # ls -Z /etc/rc.d/init.d/bitcoin
-rwxr-xr-x. root root system_u:object_r:bitcoin_initrc_exec_t:s0 /etc/rc.d/init.d/bitcoin

The daemon also seems to be correctly labeled:

root@buildbox-el6 ~ # ls -Z /usr/sbin/bitcoind
-rwxr-xr-x. root root system_u:object_r:bitcoin_exec_t:s0 /usr/sbin/bitcoind

The bitcoin.if and bitcoin.te are as generated by the tool, though I can provide them if necessary.

I expected the daemon to run as system_u. When the system boots, the daemon is started as system_u as expected, but not when I start or restart it with 'service bitcoin restart'. What's going on here and how do I fix it?
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Miroslav Grepl 08-22-2012 08:00 PM

Daemon started from init script runs as unconfined_u
 
On 08/22/2012 09:36 PM, Michael Hampton wrote:

I am trying to write a SELinux policy for a daemon which will be started from an init script on CentOS 6. I seem to be most of the way there, except when running its init script (with "service bitcoin start"), the daemon starts and runs as unconfined_u:

ps -eZ | grep bitcoin
unconfined_u:system_r:bitcoin_t:s0 19993 ? 00:00:00 bitcoind

I generated the policy using selinux-polgengui which was included with CentOS 6 selecting "Standard Init Daemon".

The init script seems to be correctly labeled:

root@buildbox-el6 ~ # ls -Z /etc/rc.d/init.d/bitcoin
-rwxr-xr-x. root root system_u:object_r:bitcoin_initrc_exec_t:s0 /etc/rc.d/init.d/bitcoin

The daemon also seems to be correctly labeled:

root@buildbox-el6 ~ # ls -Z /usr/sbin/bitcoind
-rwxr-xr-x. root root system_u:object_r:bitcoin_exec_t:s0 /usr/sbin/bitcoind

The bitcoin.if and bitcoin.te are as generated by the tool, though I can provide them if necessary.

I expected the daemon to run as system_u. When the system boots, the daemon is started as system_u as expected, but not when I start or restart it with 'service bitcoin restart'. What's going on here and how do I fix it?
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

If you execute

# run_init service bitcoin restart

on CentOS 6 you will end up with system_u as you expect. Basically if
you execute a service script as unconfined_u, then your identity is not
supposed to be changed.


Regards,
Miroslav



--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Dominick Grift 08-22-2012 08:08 PM

Daemon started from init script runs as unconfined_u
 
Long story but in redhat distro's you can ignore that.

By default he identity field in a security context is only used to map
roles, sensitivities and compartments to linux logins.

The system_u identity is used for init and its children.

Back in the old days one was required to restart processes on behalf of
the system with the run_init command (example: run_init service httpd
restart)

The run_init command would make sure that the process was started with
the right context.

Later when the unconfined domain was introduced, for some reason, this
was abandoned and instead unconfined_r:unconfined_t was allowed to role
and domain transition to system_r:initrc_t upon executing init script
executable files, among other things like role and domain transitioning
to system_r:rpm_t upon running yum or rpm executable files.

The identity field however isnt changed if you dont use run_init.

It does not matter often since by default the identity field is only
used to map roles, sensitivities and compartments to linux users.

There are almost no rules or constraints that use this field.

Unless one enabled the optional user based access control security
model. This is a security model that uses the identity field to isolate
processes with the selected identities. Isolate users.

But this ubac security model is not enabled in redhat distributions.

So the tl;dr is:

if you really want processes you run on behalf of the system to have the
system_u identity then use run_init:

run_init service bla restart
run_init yum update
run_init newaliases

This is mandatory if you tuned your targeted policy to require confined
users.

But in a stock redhat distro where users are not targeted and are mapped
to unconfined_u by default this is not required and you can ignore the
first field in security contexts.

I hope this helps

On Wed, 2012-08-22 at 15:36 -0400, Michael Hampton wrote:
> I am trying to write a SELinux policy for a daemon which will be started from an init script on CentOS 6. I seem to be most of the way there, except when running its init script (with "service bitcoin start"), the daemon starts and runs as unconfined_u:
>
> ps -eZ | grep bitcoin
> unconfined_u:system_r:bitcoin_t:s0 19993 ? 00:00:00 bitcoind
>
> I generated the policy using selinux-polgengui which was included with CentOS 6 selecting "Standard Init Daemon".
>
> The init script seems to be correctly labeled:
>
> root@buildbox-el6 ~ # ls -Z /etc/rc.d/init.d/bitcoin
> -rwxr-xr-x. root root system_u:object_r:bitcoin_initrc_exec_t:s0 /etc/rc.d/init.d/bitcoin
>
> The daemon also seems to be correctly labeled:
>
> root@buildbox-el6 ~ # ls -Z /usr/sbin/bitcoind
> -rwxr-xr-x. root root system_u:object_r:bitcoin_exec_t:s0 /usr/sbin/bitcoind
>
> The bitcoin.if and bitcoin.te are as generated by the tool, though I can provide them if necessary.
>
> I expected the daemon to run as system_u. When the system boots, the daemon is started as system_u as expected, but not when I start or restart it with 'service bitcoin restart'. What's going on here and how do I fix it?
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux


All times are GMT. The time now is 07:11 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.