http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed between similar types, so Apache running as httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."

However the doc doesn't define what "similar types" means. I assumed it just meant "beginning with the same prefix". However that can't be right because on my system with SELinux turned on, httpd runs as type init_t:

[root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
system_u:system_r:init_t:s0   root    2521  0.1  0.4  21680  8820 ?  Ss  05:05  0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0   apache  2550  0.0  0.4  23364  8920 ?  S   05:05  0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0   apache  2551  0.1  0.4  22736  8212 ?  S   05:05  0:00 /usr/sbin/httpd

and the robots.txt file has type file_t:

[root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
-rw-rw-rw-  root root system_u:object_r:file_t:s0  /var/www/html/robots.txt

but Apache can of course access that file. So in Type Enforcement, what determines what process type can access what file type?

Bennett
On 01/05/2012 04:36 PM, Bennett Haselton wrote:
> http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed
> between similar types, so Apache running as httpd_t can read
> /var/www/html/index.html of type httpd_sys_content_t."
>
> However the doc doesn't define what "similar types" means. I
> assumed it just meant "beginning with the same prefix". However
> that can't be right because on my system with SELinux turned on,
> httpd runs as type init_t:
>
> [root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
> system_u:system_r:init_t:s0   root    2521  0.1  0.4  21680  8820 ?  Ss  05:05  0:00 /usr/sbin/httpd
> system_u:system_r:init_t:s0   apache  2550  0.0  0.4  23364  8920 ?  S   05:05  0:00 /usr/sbin/httpd
> system_u:system_r:init_t:s0   apache  2551  0.1  0.4  22736  8212 ?  S   05:05  0:00 /usr/sbin/httpd
>
> and the robots.txt file has type file_t:
> [root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
> -rw-rw-rw-  root root system_u:object_r:file_t:s0  /var/www/html/robots.txt
>
> but Apache can of course access that file. So in Type Enforcement,
> what determines what process type can access what file type?
>
> Bennett

Your machine needs to be relabeled.

touch /.autorelabel
reboot
On 1/5/2012 1:36 PM, Bennett Haselton wrote:
> http://wiki.centos.org/HowTos/SELinux says:
> "Access is only allowed between similar types, so Apache running as
> httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."
>
> However the doc doesn't define what "similar types" means. I assumed
> it just meant "beginning with the same prefix". However that can't be
> right because on my system with SELinux turned on, httpd runs as type
> init_t:
>
> [root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
> system_u:system_r:init_t:s0   root    2521  0.1  0.4  21680  8820 ?  Ss  05:05  0:00 /usr/sbin/httpd
> system_u:system_r:init_t:s0   apache  2550  0.0  0.4  23364  8920 ?  S   05:05  0:00 /usr/sbin/httpd
> system_u:system_r:init_t:s0   apache  2551  0.1  0.4  22736  8212 ?  S   05:05  0:00 /usr/sbin/httpd
>
> and the robots.txt file has type file_t:
> [root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
> -rw-rw-rw-  root root system_u:object_r:file_t:s0  /var/www/html/robots.txt
>
> but Apache can of course access that file. So in Type Enforcement,
> what determines what process type can access what file type?

OK, notwithstanding the fact that the filesystem on the above machine needs to be re-labeled and I don't know why that's failing -- I have another CentOS 5.7 machine where I've enabled SELinux (permissive mode) and relabeled the filesystem and it actually worked, so that the above commands are now giving the expected outputs:

[root@g6950-21025 ~]# ps awuxZ | grep httpd | head -n 3
system_u:system_r:init_t   root    2302  0.0  1.0  253056 10576 ?  Ss  00:12  0:00 /usr/sbin/httpd
system_u:system_r:init_t   apache  4201  0.1  2.0  274804 20968 ?  S   01:26  0:02 /usr/sbin/httpd
system_u:system_r:init_t   apache  4392  0.2  1.2  257308 12512 ?  S   01:39  0:01 /usr/sbin/httpd
[root@g6950-21025 ~]# ls -lZ /var/www/html/robots.txt
-rw-rw-rw-  root root system_u:object_r:httpd_sys_content_t  /var/www/html/robots.txt
[root@g6950-21025 ~]#

So, same question -- the documentation says "Access is only allowed between similar types", but what does "similar" mean? What determines that the httpd process, running under the "init_t" domain, can access the robots.txt file, which has type "httpd_sys_content_t"?
On Saturday, January 07, 2012 11:15:35 AM Bennett Haselton wrote:
> Hence the idea for having SELinux send messages to the terminal saying
> "SELinux blocked such-and-such". There's probably some better way.

Huh? CentOS has done this by default since CentOS 4. At least I see SELinux-generated 'denied' AVC's on a couple of internal C4 machines where I'm running SELinux in permissive mode and I see the denials on a text console. All my CentOS 5 boxes have SELinux on and enforcing, but I haven't seen any avc denials in the logs or on the console, nor have I done anything 'weird' on those boxes....

The graphical GNOME installation pops up a tooltip-style balloon when SELinux denials are found, at least with CentOS 6. Haven't tried with C5.

Now, nowhere in the logged message does it say 'SELinux' but a google for the text found in such an avc denial log entry brings up what you need to know. Here's an example:

audit(1325941406.515:467): avc: denied { write } for pid=6609 comm="postmaster" name="1262" dev=dm-0 ino=2016007 scontext=root:system_r:postgresql_t tcontext=user_u:object_r:var_t tclass=file

(I know how to fix it, I just haven't). This by default comes to the /dev/console device along with being logged in dmesg and elsewhere.
On 01/05/2012 01:36 PM, Bennett Haselton wrote:
> http://wiki.centos.org/HowTos/SELinux says:
> "Access is only allowed between similar types, so Apache running as
> httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."
>
> However the doc doesn't define what "similar types" means.

That is a gross oversimplification. Access is allowed based on a policy, and no "similarity" between types is required. If you'd like to see what is allowed, you'll have to get the selinux-policy src.rpm and unpack it to examine the source for the policy. It sucks, but as far as I know, no more user-friendly method exists.

> and the robots.txt file has type file_t:
> [root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
> -rw-rw-rw-  root root system_u:object_r:file_t:s0  /var/www/html/robots.txt
>
> but Apache can of course access that file.

If apache can access a mislabeled file, then either SELinux is disabled or in permissive mode. Use "getenforce" to determine which.
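The point made in the reply above (access follows explicit policy rules, not type-name similarity) and the AVC record format shown two messages up, as an added example that is not part of the thread and not any poster's code. It is a toy type-enforcement evaluator in Python: it parses a small hand-written subset of allow and type_transition rules in reference-policy syntax (constructed for illustration, not a copy of any distribution's policy), decides from the (source type, target type, object class) triple alone whether an access is granted, and turns an AVC denial into the allow rule it lacks, the way audit2allow does. One sample denial is the postgresql line quoted above; the httpd one is constructed, with made-up pid, device and inode. Real policy also has type attributes, booleans, constraints and MLS, which the toy ignores; against a live system the equivalent lookup is sesearch from setools, e.g. sesearch -A -s httpd_t -t httpd_sys_content_t -c file -p read.

```python
"""Toy SELinux type-enforcement evaluator (added example, not the thread's code).
Rules below are a hand-written subset in reference-policy syntax, for
illustration only; AVC lines are the one quoted in the thread plus a
constructed one. Attributes, booleans, constraints and MLS are not modelled.
"""
import re

# A plain TE allow rule is keyed on (source type, target type, object class)
# and grants a permission set; the spelling of the type names plays no part.
POLICY_TEXT = """
allow httpd_t httpd_sys_content_t:file { read getattr open ioctl };
allow httpd_t httpd_sys_content_t:dir { read getattr search open };
allow httpd_t httpd_log_t:file { append create getattr open };
allow postgresql_t postgresql_db_t:file { read write getattr open };
type_transition init_t httpd_exec_t:process httpd_t;
"""

ALLOW_RE = re.compile(
    r"allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;")
TRANS_RE = re.compile(
    r"type_transition\s+(?P<src>\w+)\s+(?P<tgt>\w+):process\s+(?P<new>\w+)\s*;")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")

def parse_policy(text):
    """Return ({(src, tgt, cls): perms}, {(src, exec_type): new_domain})."""
    allows, transitions = {}, {}
    for m in ALLOW_RE.finditer(text):
        perms = m.group("perms")
        perms = set(perms.split()) if perms is not None else {m.group("perm")}
        key = (m.group("src"), m.group("tgt"), m.group("cls"))
        allows.setdefault(key, set()).update(perms)
    for m in TRANS_RE.finditer(text):
        transitions[(m.group("src"), m.group("tgt"))] = m.group("new")
    return allows, transitions

def type_of(context):
    # Type field of user:role:type[:level]; TE rules look at nothing else.
    return context.split(":")[2]

def missing_perms(allows, src, tgt, cls, perms):
    """Permissions in `perms` that no allow rule grants for this triple."""
    return set(perms) - allows.get((src, tgt, cls), set())

def exec_domain(transitions, src, exec_type):
    """Domain after exec'ing a file of type exec_type: the type_transition target
    if one matches, else the caller's own domain (real policy also needs
    execute/transition/entrypoint allow rules; the toy skips those)."""
    return transitions.get((src, exec_type), src)

def parse_avc(line):
    """Pick the TE-relevant fields out of one AVC denial record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    return {
        "perms": set(m.group("perms").split()),
        "src": type_of(fields["scontext"]),
        "tgt": type_of(fields["tcontext"]),
        "cls": fields["tclass"],
        "comm": fields.get("comm", "").strip('"'),
    }

def explain(allows, line):
    """Name the allow rule a denial is missing, in policy syntax."""
    d = parse_avc(line)
    if d is None:
        return None
    comm, triple = d["comm"], f'{d["src"]} {d["tgt"]}:{d["cls"]}'
    need = missing_perms(allows, d["src"], d["tgt"], d["cls"], d["perms"])
    if not need:
        return f"{comm}: {triple} is already allowed"
    perms = " ".join(sorted(need))
    return (f"{comm}: no rule for {triple} {{ {perms} }}; "
            f"would need: allow {triple} {{ {perms} }};")

# First line is the denial quoted in the thread; second is constructed
# (pid, device and inode made up) for the robots.txt-as-file_t case above.
SAMPLE_AVCS = [
    'audit(1325941406.515:467): avc: denied { write } for pid=6609 '
    'comm="postmaster" name="1262" dev=dm-0 ino=2016007 '
    'scontext=root:system_r:postgresql_t tcontext=user_u:object_r:var_t tclass=file',
    'audit(1325900000.000:12): avc: denied { read } for pid=2550 comm="httpd" '
    'name="robots.txt" dev=sda1 ino=40961 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:file_t:s0 tclass=file',
]

if __name__ == "__main__":
    allows, transitions = parse_policy(POLICY_TEXT)
    # Same prefix is not the test: httpd_t reads httpd_sys_content_t but not
    # httpd_log_t, and a process left in init_t gets nothing from httpd_t's rules.
    print(missing_perms(allows, "httpd_t", "httpd_sys_content_t", "file", {"read", "open"}))
    print(missing_perms(allows, "httpd_t", "httpd_log_t", "file", {"read"}))
    print(missing_perms(allows, "init_t", "httpd_sys_content_t", "file", {"read"}))
    # Why httpd showed up as init_t: no transition fires for an unlabeled binary.
    print(exec_domain(transitions, "init_t", "httpd_exec_t"),
          exec_domain(transitions, "init_t", "file_t"))
    for line in SAMPLE_AVCS:
        print(explain(allows, line))
```

Run as a script it prints the three checks (httpd_t reads httpd_sys_content_t but not httpd_log_t, and init_t has no rule at all, prefix or no prefix), the domain a process ends up in after exec'ing an httpd_exec_t binary versus an unlabeled file_t one, and the rule each sample denial lacks. The init_t case is the one in the original question: in the targeted policy the transition to httpd_t is keyed on /usr/sbin/httpd being labeled httpd_exec_t, so an unlabeled binary leaves the web server in init's domain and none of the httpd_t rules apply to it, which is why relabeling (rather than any rule about "similar" names) is the fix.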
On Tuesday, January 10, 2012 04:38:27 PM Les Mikesell wrote:
> But the hardest part is that these things are application specific and
> there is no standardization for locations where applications do
> things. In fact, distributions intentionally move those locations
> around in their packaging.

Good morning, Les.

Distribution differences are the price we pay for choice. Distributions are (and should be) free to put things where they see fit. Each major distribution I've looked at has had good reasons for the different choices that they have made.

> That reputation is well deserved. Would it not have made sense to
> have the needed diagnostic tools before shipping the thing that needs
> it?

No, it wouldn't have. With open source being a 'scratch your own itch' thing, and with Fedora well-placed in the 'hobbyist/enthusiast/not a normal user' domain, this somewhat 'forces' the issue of getting things fixed. Otherwise things would likely not have been fixed at all.

> And wouldn't it have been a good idea to have the documentation before
> turning on something non-standard that breaks things?

If Fedora were a commercial product, sure. It isn't; documentation follows code in open source, full stop. Whether that's the way it should be or not, it is the way it is, and I for one prefer true developer freedom to choose the way to develop. If an open source development group wants to write docs first, and then implement, they have the freedom to do so. If a development group doesn't want to write any documentation at all, but just hand out the source, then that development group has the freedom to do so (and users have the freedom to use or not use that software). Companies wanting to productize open source should do their homework and write their own docs; Red Hat for one has done that, and the docs are quite good.

> Yeah, the whole idea seems like what a car company would have to do to
> come back after selling a model that gets a lot of publicity for
> crashing and burning. The earlier opinions weren't wrong, after all.

You have the wrong analogy. Linux today is in a state quite similar to the state of the automotive industry before Henry Ford. Every car was unique, parts didn't interchange, roads were a mess, and people as hobbyists/enthusiasts built their own cars (not from kit parts like most of today's auto enthusiasts) from scratch. Or the days of airplanes prior to World War I. Things did crash and burn, and it was an enthusiast's world. And thus far no one of whom I am aware has died due to an SELinux problem.
On Wednesday, January 11, 2012 11:42:08 AM Les Mikesell wrote:
> On Wed, Jan 11, 2012 at 9:15 AM, Lamar Owen <lowen at pari.edu> wrote:
> > On Tuesday, January 10, 2012 04:38:27 PM Les Mikesell wrote:
> >> But the hardest part is that these things are application specific and
> >> there is no standardization for locations where applications do
> >> things. In fact, distributions intentionally move those locations
> >> around in their packaging.
>
> > Distribution differences are the price we pay for choice.
>
> If the first thing you saw on a unix-like system was the horror of
> autoconf, would you have taken a second look?

The first thing I saw on a unix-like system was hand-edited Makefiles; I got into this thing before autoconf came into being, a 68k at 10MHz was fast, and 768K of RAM was enough to work with the eight-inch 1.2MB floppies and 5.25 inch full-height 12MB hard drives of the day. Having owned three different unix-like systems of that era, I'm well aware of the difficulties; and all were 680x0 systems, but all different.

> This is an even worse
> situation, because there is no equivalent way to describe what you
> want across flavors.

Yes, there is, actually. SELinux policies.

> How is the application developer
> (unquestionably the expert on the application needs) supposed to
> describe those needs to SELinux in a way that can work across
> distributions without 'less-expert' people guessing about them?

This is a problem that each upstream project will need to work out for themselves.

> I guess you are right about the state of the art and that it is as
> wrong to expect things to work as it was to expect flying cars by now.

I wish I were wrong, honestly, but it is the current state of the art.

> But it would have been fun.

No doubt; I'm waiting on my George Jetson air-scooter-in-a-briefcase myself.