Fred Smith
2015-Nov-08 01:00 UTC
[CentOS] After reboot of web-server accessing website shows "Forbidden", restarting httpd all is fine
On Fri, Nov 06, 2015 at 07:23:59PM -0800, Gordon Messmer wrote:> On 11/06/2015 06:30 PM, Jobst Schmalenbach wrote: > >What troubles me that a simple restart of the daemon fixes everything but it does not come up on reboot. > > Running the service script manually may not give you the same > selinux context as on boot. Services should be started using > "run_init" to ensure they get the correct context.How long has this been the case? I have never heard of this before, it seems a very well-kept secret!> > I think this is legitimately the most confusing aspect of SELinux, > and it's one of the things that systemd fixed properly.-- ---- Fred Smith -- fredex at fcshome.stoneham.ma.us ----------------------------- The eyes of the Lord are everywhere, keeping watch on the wicked and the good. ----------------------------- Proverbs 15:3 (niv) -----------------------------
Mark Milhollan
2015-Nov-09 14:08 UTC
[CentOS] After reboot of web-server accessing website shows "Forbidden", restarting httpd all is fine
On Sat, 7 Nov 2015, Fred Smith wrote:>On Fri, Nov 06, 2015 at 07:23:59PM -0800, Gordon Messmer wrote: >>On 11/06/2015 06:30 PM, Jobst Schmalenbach wrote:>>>What troubles me that a simple restart of the daemon fixes everything but it does not come up on reboot. >> >>Running the service script manually may not give you the same >>selinux context as on boot. Services should be started using >>"run_init" to ensure they get the correct context.Yet it isn't really documented anywhere that you can or should use it, certainly not in the RHEL Administration or SELinux documentation, not even as a footnote. Only in a few bug reports and errata notices can you even find mention of the command.>How long has this been the case? I have never heard of this before, >it seems a very well-kept secret!Always, i.e., since SELinux appeared in RHEL and thus CentOS. The service command has never done what is expected of it -- properly (re)start a service. This is noted here and there in the documentation. It usually does well enough for the other management tasks, reloading, stopping and providing status. But start and restart is almost totally wrong. It allows (even forces) a "dirty" environment to be provided to the service (which is seldom wanted or expected), does not ensure that the current tty cannot be the controlling tty for the service (which sometimes matters) and leaves the CWD unchanged instead of ensuring / is used (which sometimes matters). No revision of the service command took place to cope with context when SELinux appeared and so the service inherits the current context, usually unconfined (which is wildly wrong). Sometimes doing it this way is useful, but not often and when it is one can invoke the service's init script directly. So even before SELinux (or with it disabled) a mere "/sbin/service whichever start" does not always suffice. But building a boot environment is a bit tedious, you'd almost want some command to take care of that for you -- alas none exists. However the boot environment is usually very simple, which can be approximated with something like: ( cd / && setsid env -i /sbin/service whichever start ) With SELinux it is critical to run it in a more useful context: ( cd / && /usr/sbin/run_init setsid env -i /sbin/service whichever start ) If run_init isn't installed the following gives a similar result: ( cd / && runcon -u system_u setsid env -i /sbin/service whichever start ) Also for restart, condrestart, try-restart or --full-restart. And for some services reload or force-reload too, thus easiest to always use one of these for all service management needs. (To be fair, I don't usually use it for status or stop, but I was bitten once.) Alas the latter two fail if SELinux is disabled at which point you trim it back to the first. Patching the service command locally is a hassle -- it is a shell script so not at all difficult to change, merely difficult to remember to re-patch after system updates lest you go back to being surprised (though a custom RPM with a trigger can do it) or go elsewhere where it hasn't ever been patched. Or produce your own script that does all that, so that only when it isn't available do you need to type a long line to (re)start a service. I leave the service command unpatched and didn't write my own script, instead I have the subshell things as muscle memory. With systemd (CentOS 7) this changes. If you know systemd handles the service -- which is most of the time -- you can use the bare service command (or systemctl) to (re)start the service, in an environment that is the same as at boot, i.e., as expected. But not everything is controlled by systemd, and there you are back where this started. /mark
Jonathan Billings
2015-Nov-09 14:33 UTC
[CentOS] After reboot of web-server accessing website shows "Forbidden", restarting httpd all is fine
On Mon, Nov 09, 2015 at 06:08:11AM -0800, Mark Milhollan wrote:> It allows (even forces) a "dirty" environment to be provided to the > service (which is seldom wanted or expected), does not ensure that the > current tty cannot be the controlling tty for the service (which > sometimes matters) and leaves the CWD unchanged instead of ensuring / is > used (which sometimes matters).A quick viewing of /sbin/service on C6 makes me think you might be mistaken here. There's clearly a 'cd /' and an 'env -i' there. It does preserve $PATH though (also $TERM), which I view as a dirty environment.> No revision of the service command took > place to cope with context when SELinux appeared and so the service > inherits the current context, usually unconfined (which is wildly > wrong). Sometimes doing it this way is useful, but not often and when > it is one can invoke the service's init script directly.I'm pretty sure that what happens is that service runs the service scripts in /etc/rc.d/init.d/, which all have labels on them that indicate what entrypoint type they run under, which is by default 'initrc_exec_t' but I see several have their own special label, such as sshd having sshd_initrc_exec_t. If 'service' were just sourcing the init.d files instead of executing them, it would be different, but it does execute them, and since the init scripts have an entrypoint type to transition to the appropriate initrc domain. -- Jonathan Billings <billings at negate.org>
Apparently Analagous Threads
- After reboot of web-server accessing website shows "Forbidden", restarting httpd all is fine
- After reboot of web-server accessing website shows "Forbidden", restarting httpd all is fine
- After reboot of web-server accessing website shows "Forbidden", restarting httpd all is fine
- After reboot of web-server accessing website shows "Forbidden", restarting httpd all is fine
- After reboot of web-server accessing website shows "Forbidden", restarting httpd all is fine