FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 08-22-2012, 07:36 PM
Michael Hampton
 
Default Daemon started from init script runs as unconfined_u

I am trying to write a SELinux policy for a daemon which will be started from an init script on CentOS 6. I seem to be most of the way there, except when running its init script (with "service bitcoin start"), the daemon starts and runs as unconfined_u:

ps -eZ | grep bitcoin
unconfined_u:system_r:bitcoin_t:s0 19993 ? 00:00:00 bitcoind

I generated the policy using selinux-polgengui which was included with CentOS 6 selecting "Standard Init Daemon".

The init script seems to be correctly labeled:

root@buildbox-el6 ~ # ls -Z /etc/rc.d/init.d/bitcoin
-rwxr-xr-x. root root system_ubject_r:bitcoin_initrc_exec_t:s0 /etc/rc.d/init.d/bitcoin

The daemon also seems to be correctly labeled:

root@buildbox-el6 ~ # ls -Z /usr/sbin/bitcoind
-rwxr-xr-x. root root system_ubject_r:bitcoin_exec_t:s0 /usr/sbin/bitcoind

The bitcoin.if and bitcoin.te are as generated by the tool, though I can provide them if necessary.

I expected the daemon to run as system_u. When the system boots, the daemon is started as system_u as expected, but not when I start or restart it with 'service bitcoin restart'. What's going on here and how do I fix it?
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 08-22-2012, 08:00 PM
Miroslav Grepl
 
Default Daemon started from init script runs as unconfined_u

On 08/22/2012 09:36 PM, Michael Hampton wrote:

I am trying to write a SELinux policy for a daemon which will be started from an init script on CentOS 6. I seem to be most of the way there, except when running its init script (with "service bitcoin start"), the daemon starts and runs as unconfined_u:

ps -eZ | grep bitcoin
unconfined_u:system_r:bitcoin_t:s0 19993 ? 00:00:00 bitcoind

I generated the policy using selinux-polgengui which was included with CentOS 6 selecting "Standard Init Daemon".

The init script seems to be correctly labeled:

root@buildbox-el6 ~ # ls -Z /etc/rc.d/init.d/bitcoin
-rwxr-xr-x. root root system_ubject_r:bitcoin_initrc_exec_t:s0 /etc/rc.d/init.d/bitcoin

The daemon also seems to be correctly labeled:

root@buildbox-el6 ~ # ls -Z /usr/sbin/bitcoind
-rwxr-xr-x. root root system_ubject_r:bitcoin_exec_t:s0 /usr/sbin/bitcoind

The bitcoin.if and bitcoin.te are as generated by the tool, though I can provide them if necessary.

I expected the daemon to run as system_u. When the system boots, the daemon is started as system_u as expected, but not when I start or restart it with 'service bitcoin restart'. What's going on here and how do I fix it?
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

If you execute

# run_init service bitcoin restart

on CentOS 6 you will end up with system_u as you expect. Basically if
you execute a service script as unconfined_u, then your identity is not
supposed to be changed.


Regards,
Miroslav



--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 08-22-2012, 08:08 PM
Dominick Grift
 
Default Daemon started from init script runs as unconfined_u

Long story but in redhat distro's you can ignore that.

By default he identity field in a security context is only used to map
roles, sensitivities and compartments to linux logins.

The system_u identity is used for init and its children.

Back in the old days one was required to restart processes on behalf of
the system with the run_init command (example: run_init service httpd
restart)

The run_init command would make sure that the process was started with
the right context.

Later when the unconfined domain was introduced, for some reason, this
was abandoned and instead unconfined_r:unconfined_t was allowed to role
and domain transition to system_r:initrc_t upon executing init script
executable files, among other things like role and domain transitioning
to system_r:rpm_t upon running yum or rpm executable files.

The identity field however isnt changed if you dont use run_init.

It does not matter often since by default the identity field is only
used to map roles, sensitivities and compartments to linux users.

There are almost no rules or constraints that use this field.

Unless one enabled the optional user based access control security
model. This is a security model that uses the identity field to isolate
processes with the selected identities. Isolate users.

But this ubac security model is not enabled in redhat distributions.

So the tl;dr is:

if you really want processes you run on behalf of the system to have the
system_u identity then use run_init:

run_init service bla restart
run_init yum update
run_init newaliases

This is mandatory if you tuned your targeted policy to require confined
users.

But in a stock redhat distro where users are not targeted and are mapped
to unconfined_u by default this is not required and you can ignore the
first field in security contexts.

I hope this helps

On Wed, 2012-08-22 at 15:36 -0400, Michael Hampton wrote:
> I am trying to write a SELinux policy for a daemon which will be started from an init script on CentOS 6. I seem to be most of the way there, except when running its init script (with "service bitcoin start"), the daemon starts and runs as unconfined_u:
>
> ps -eZ | grep bitcoin
> unconfined_u:system_r:bitcoin_t:s0 19993 ? 00:00:00 bitcoind
>
> I generated the policy using selinux-polgengui which was included with CentOS 6 selecting "Standard Init Daemon".
>
> The init script seems to be correctly labeled:
>
> root@buildbox-el6 ~ # ls -Z /etc/rc.d/init.d/bitcoin
> -rwxr-xr-x. root root system_ubject_r:bitcoin_initrc_exec_t:s0 /etc/rc.d/init.d/bitcoin
>
> The daemon also seems to be correctly labeled:
>
> root@buildbox-el6 ~ # ls -Z /usr/sbin/bitcoind
> -rwxr-xr-x. root root system_ubject_r:bitcoin_exec_t:s0 /usr/sbin/bitcoind
>
> The bitcoin.if and bitcoin.te are as generated by the tool, though I can provide them if necessary.
>
> I expected the daemon to run as system_u. When the system boots, the daemon is started as system_u as expected, but not when I start or restart it with 'service bitcoin restart'. What's going on here and how do I fix it?
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 10:40 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org